


postgresql

19th chunk of `doc/src/sgml/catalogs.sgml`
 <structfield>rolcreaterole</structfield> <type>bool</type>
      </para>
      <para>
       Role can create more roles
      </para></entry>
     </row>

     <row>
      <entry role="catalog_table_entry"><para role="column_definition">
       <structfield>rolcreatedb</structfield> <type>bool</type>
      </para>
      <para>
       Role can create databases
      </para></entry>
     </row>

     <row>
      <entry role="catalog_table_entry"><para role="column_definition">
       <structfield>rolcanlogin</structfield> <type>bool</type>
      </para>
      <para>
       Role can log in. That is, this role can be given as the initial
       session authorization identifier.
      </para></entry>
     </row>

     <row>
      <entry role="catalog_table_entry"><para role="column_definition">
       <structfield>rolreplication</structfield> <type>bool</type>
      </para>
      <para>
       Role is a replication role. A replication role can initiate replication
       connections and create and drop replication slots.
      </para></entry>
     </row>

     <row>
      <entry role="catalog_table_entry"><para role="column_definition">
       <structfield>rolbypassrls</structfield> <type>bool</type>
      </para>
      <para>
       Role bypasses every row-level security policy; see
       <xref linkend="ddl-rowsecurity"/> for more information.
      </para></entry>
     </row>

     <row>
      <entry role="catalog_table_entry"><para role="column_definition">
       <structfield>rolconnlimit</structfield> <type>int4</type>
      </para>
      <para>
       For roles that can log in, this sets the maximum number of concurrent
       connections this role can make.  -1 means no limit.
      </para></entry>
     </row>

     <row>
      <entry role="catalog_table_entry"><para role="column_definition">
       <structfield>rolpassword</structfield> <type>text</type>
      </para>
      <para>
       Encrypted password; null if none. The format depends
       on the form of encryption used.
      </para></entry>
     </row>

     <row>
      <entry role="catalog_table_entry"><para role="column_definition">
       <structfield>rolvaliduntil</structfield> <type>timestamptz</type>
      </para>
      <para>
       Password expiry time (only used for password authentication);
       null if no expiration
      </para></entry>
     </row>
    </tbody>
   </tgroup>
  </table>

  <para>
   For an MD5-encrypted password, the <structfield>rolpassword</structfield>
   column will begin with the string <literal>md5</literal> followed by a
   32-character hexadecimal MD5 hash. The MD5 hash will be of the user's
   password concatenated to their user name. For example, if user
   <literal>joe</literal> has password <literal>xyzzy</literal>, <productname>PostgreSQL</productname>
   will store the MD5 hash of <literal>xyzzyjoe</literal>.
  </para>

  <warning>
   <para>
    Support for MD5-encrypted passwords is deprecated and will be removed in a
    future release of <productname>PostgreSQL</productname>.  Refer to
    <xref linkend="auth-password"/> for details about migrating to another
    password type.
   </para>
  </warning>

  <para>
   If the password is encrypted with SCRAM-SHA-256, it has the format:
<synopsis>
SCRAM-SHA-256$<replaceable>&lt;iteration count&gt;</replaceable>:<replaceable>&lt;salt&gt;</replaceable>$<replaceable>&lt;StoredKey&gt;</replaceable>:<replaceable>&lt;ServerKey&gt;</replaceable>
</synopsis>
   where <replaceable>salt</replaceable>, <replaceable>StoredKey</replaceable> and
   <replaceable>ServerKey</replaceable> are in Base64 encoded format. This format is
   the same as that specified by <ulink url="https://datatracker.ietf.org/doc/html/rfc5803">RFC 5803</ulink>.
  </para>
 </sect1>
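The two stored formats described above, as an added Python example (not part of the PostgreSQL documentation or source): it builds and parses both `rolpassword` formats and flags rows that merit review. The SCRAM key derivation follows RFC 5802; the function names, the 4096-iteration audit threshold and the sample rows are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, re

MD5_RE = re.compile(r"md5[0-9a-f]{32}")
SCRAM_RE = re.compile(r"SCRAM-SHA-256\$(\d+):([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+):([A-Za-z0-9+/=]+)")

def md5_verifier(user, password):
    # "md5" followed by the hex MD5 of the password concatenated with the user name
    return "md5" + hashlib.md5((password + user).encode()).hexdigest()

def scram_verifier(password, salt, iterations):
    # RFC 5802 derivation; SASLprep is skipped here, so ASCII passwords only
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    enc = lambda raw: base64.b64encode(raw).decode()
    return f"SCRAM-SHA-256${iterations}:{enc(salt)}${enc(stored_key)}:{enc(server_key)}"

def parse_rolpassword(value):
    """Classify one rolpassword value; ValueError if it matches neither format."""
    if value is None:
        return {"type": "none"}
    if MD5_RE.fullmatch(value):
        return {"type": "md5", "hash": value[3:]}
    m = SCRAM_RE.fullmatch(value)
    if not m:
        raise ValueError("unrecognized rolpassword format")
    salt, stored, server = (base64.b64decode(g, validate=True) for g in m.groups()[1:])
    if len(stored) != 32 or len(server) != 32:
        raise ValueError("StoredKey and ServerKey must be 32-byte SHA-256 outputs")
    return {"type": "scram-sha-256", "iterations": int(m.group(1)),
            "salt": salt, "stored_key": stored, "server_key": server}

def finding(value, min_iterations=4096):
    """Audit finding for one value, or None; min_iterations is an assumed threshold."""
    try:
        info = parse_rolpassword(value)
    except ValueError as exc:  # also covers malformed Base64 (binascii.Error)
        return str(exc)
    if info["type"] == "md5":
        return "deprecated MD5 password"
    if info["type"] == "scram-sha-256" and info["iterations"] < min_iterations:
        return "low SCRAM iteration count"

def audit(rows):
    return [(name, f) for name, value in rows if (f := finding(value))]

# Constructed (rolname, rolpassword) rows, not real catalog data
SAMPLE_ROWS = [("joe", md5_verifier("joe", "xyzzy")), ("svc", None),
               ("app", scram_verifier("xyzzy", b"constructed-salt", 4096)),
               ("old", scram_verifier("xyzzy", b"constructed-salt", 1000))]
```

`audit(SAMPLE_ROWS)` reports `joe` (MD5) and `old` (1000 iterations) and passes the other two rows.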


 <sect1 id="catalog-pg-auth-members">
  <title><structname>pg_auth_members</structname></title>

  <indexterm zone="catalog-pg-auth-members">
   <primary>pg_auth_members</primary>
  </indexterm>

  <para>
   The catalog <structname>pg_auth_members</structname>

Title: pg_authid Columns and Password Encryption Details
Summary
This section details the columns of the pg_authid catalog, including flags for superuser privileges, role creation, database creation, login capability, replication role, and row-level security bypass. It also covers connection limits, encrypted passwords, and password expiry times. The section provides specifics on MD5 and SCRAM-SHA-256 password encryption formats, noting the deprecation of MD5 support.