Re: superusers are members of all roles?
From: Andrew Dunstan <andrew@dunslane.net>
To: Alastair Turner <bell@ctrlf5.co.za>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Robert Haas <robertmhaas@gmail.com>, Stephen Frost <sfrost@snowman.net>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2011-04-07T10:33:08Z
Lists: pgsql-hackers
On 04/07/2011 03:48 AM, Alastair Turner wrote:
>>>
>>> The problem here is that if Andrew had had the opposite case (a
>>> positive-logic hba entry requiring membership in some group to get into
>>> a database), and that had locked out superusers, he'd be on the warpath
>>> about that too. And with a lot more reason.
>> In such a case I could add the superusers to the role explicitly, or make
>> the rule cover superusers as well. But as the situation is now, any rule
>> covering a group covers superusers, whether I want it to or not. I'd rather
>> have a choice in the matter (and it's clear I'm not alone in that).
>>
>> The introduction of hot standby has made this pattern more likely to occur.
>> It happened here because we have a bunch of users that are allowed to
>> connect to the standby but not to the master, and the rules I was trying to
>> implement were designed to enforce that exclusion.
>>
> Is the solution possibly to assign positive entries on the basis of
> the superuser being a member of all groups but require negative
> entries to explicitly specify that they apply to superuser?
>
> That would provide least surprise for the simplistic concept of
> superuser - a user who can do anything any other user can - and allow
> for superuser remote access to be restricted if desired.
>

I think that's just about guaranteed to produce massive confusion. +foo should mean one thing, regardless of the rule type. I seriously doubt that very many people who work with this daily would agree with Tom's argument about what that should be.

cheers

andrew
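The situation Andrew describes (a reject rule keyed on a group, meant to keep standby-only users off the master, that also catches superusers because +role matches them) can be made concrete as a pg_hba.conf fragment. This is a constructed example added here, not a file from the thread or from the PostgreSQL project; the role name standby_only, the superuser name dba, the address ranges and the md5 method are all assumptions chosen for illustration. Version A is the rule as intended; version B is the first-match ordering workaround that does not depend on how +role treats superusers.

```text
# pg_hba.conf on the master (primary). Constructed example; names and
# addresses are assumptions, not values from the original message.
#
# Assumed: role "standby_only" groups the users who may connect to the
# hot standby but must not reach the master; "dba" is a superuser account.
#
# TYPE  DATABASE  USER            ADDRESS         METHOD

# --- Version A: the rule as intended -----------------------------------
# Under the behaviour discussed in the thread, +standby_only matches any
# superuser as well, so this reject line also locks "dba" out of the master.
host    all       +standby_only   0.0.0.0/0       reject
host    all       all             0.0.0.0/0       md5

# --- Version B: workaround by rule ordering -----------------------------
# pg_hba.conf is read top to bottom and the first line whose TYPE,
# DATABASE, USER and ADDRESS all match decides the outcome. Listing the
# superuser explicitly before the group reject means "dba" is matched by
# its own line and never reaches the +standby_only rule, whatever that
# rule thinks about superusers. Use one version or the other, not both.
host    all       dba             10.0.0.0/8      md5
host    all       +standby_only   0.0.0.0/0       reject
host    all       all             0.0.0.0/0       md5
```

Version B is the option Alastair alludes to when he says he could make a positive rule cover superusers explicitly; it narrows the superuser's address range as a side benefit, since a superuser line that matches 0.0.0.0/0 would otherwise reopen remote superuser access that the reject line was never meant to grant. The standby's pg_hba.conf would carry the mirror image (an allow line for +standby_only) and is not affected by this thread's question.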