Re: superusers are members of all roles?
Bruce Momjian <bruce@momjian.us>
From: Bruce Momjian <bruce@momjian.us>
To: Andrew Dunstan <andrew@dunslane.net>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, pgsql-hackers@postgresql.org
Date: 2011-05-08T03:42:57Z
Lists: pgsql-hackers
Andrew Dunstan wrote:
>
>
> On 04/07/2011 11:01 AM, Tom Lane wrote:
> > Andrew Dunstan<andrew@dunslane.net> writes:
> >> I thought about that. What I'd like to know is how many people actually
> >> want and use and expect the current behaviour. If it's more than a
> >> handful (which I seriously doubt) then that's probably the way to go.
> >> Otherwise it seems more trouble than it's worth.
> > Well, the point here is that "is_member_of" is currently considered
> > to be a kind of privilege test, and of course superusers should
> > automatically pass every privilege test. If you want it to not act
> > that way in some circumstances, we need a fairly clear theory as to
> > which circumstances it should act which way in.
> >
> >
>
> Personally, other things being equal I would expect things to operate
> similarly to Unix groups, where root can do just about anything but is
> only actually a member of a small number of groups:
>
> [root@emma ~]# groups
> root bin daemon sys adm disk wheel
>
> I bet most DBAs and SAs would expect the same.
>
> The HBA file is the most obvious context in which this actually matters,
> and off hand I can't think of another.

Is this a TODO?

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ It's impossible for everything to be true. +