Re: superusers are members of all roles?

Andrew Dunstan <andrew@dunslane.net>

From: Andrew Dunstan <andrew@dunslane.net>
To: Alastair Turner <bell@ctrlf5.co.za>
Cc: Tom Lane <tgl@sss.pgh.pa.us>, Robert Haas <robertmhaas@gmail.com>, Stephen Frost <sfrost@snowman.net>, PostgreSQL-development <pgsql-hackers@postgresql.org>
Date: 2011-04-07T10:33:08Z
Lists: pgsql-hackers

On 04/07/2011 03:48 AM, Alastair Turner wrote:
>>>
>>> The problem here is that if Andrew had had the opposite case (a
>>> positive-logic hba entry requiring membership in some group to get into
>>> a database), and that had locked out superusers, he'd be on the warpath
>>> about that too.  And with a lot more reason.
>> In such a case I could add the superusers to the role explicitly, or make
>> the rule cover superusers as well. But as the situation is now, any rule
>> covering a group covers superusers, whether I want it to or not. I'd rather
>> have a choice in the matter (and it's clear I'm not alone in that).
>>
>> The introduction of hot standby has made this pattern more likely to occur.
>> It happened here because we have a bunch of users that are allowed to
>> connect to the standby but not to the master, and the rules I was trying to
>> implement were designed to  enforce that exclusion.
>>
> Is the solution possibly to assign positive entries on the basis of
> the superuser being a member of all groups but require negative
> entries to explicitly specify that they apply to superuser?
>
> That would provide least surprise for the simplistic concept of
> superuser - a user who can do anything any other user can - and allow
> for superuser remote access to be restricted if desired.
>

I think that's just about guaranteed to produce massive confusion. +foo 
should mean one thing, regardless of the rule type. I seriously doubt 
that very many people who work with this daily would agree with Tom's 
argument about what that should be.

cheers

andrew