Re: superusers are members of all roles?
Andrew Dunstan <andrew@dunslane.net>
From: Andrew Dunstan <andrew@dunslane.net>
To: Christian Ullrich <chris@chrullrich.net>
Cc: pgsql-hackers@postgresql.org
Date: 2011-04-07T12:01:16Z
Lists: pgsql-hackers
On 04/07/2011 07:33 AM, Christian Ullrich wrote: > * Andrew Dunstan wrote: > >> On 04/07/2011 03:48 AM, Alastair Turner wrote: > >>> Is the solution possibly to assign positive entries on the basis of >>> the superuser being a member of all groups but require negative >>> entries to explicitly specify that they apply to superuser? > >> I think that's just about guaranteed to produce massive confusion. +foo >> should mean one thing, regardless of the rule type. I seriously doubt >> that very many people who work with this daily would agree with Tom's >> argument about what that should be. > > What about adding a second group syntax that only evaluates explicit > memberships? That way, everyone could pick which behavior they liked > better, and Alastair's suggestion could be done that way, too: > > host all *personae_non_gratae 0.0.0.0/0 reject > host all +foo 0.0.0.0/0 md5 > > If, as Josh said, few users even know about the old syntax, there > should not be much potential for confusion in adding a new one. I thought about that. What I'd like to know is how many people actually want and use and expect the current behaviour. If it's more than a handful (which I seriously doubt) then that's probably the way to go. Otherwise it seems more trouble than it's worth. > > Additionally, most things that can be done with groups in pg_hba.conf > can also be done using CONNECT privilege on databases. In my case this won't work at all, since what I need is to allow the group access on a hot standby but prevent it on the master, and the CONNECT privs will be the same on both. We also don't have negative privileges analogous to "reject" lines. cheers aqndrew