Re: superusers are members of all roles?
Christian Ullrich <chris@chrullrich.net>
From: Christian Ullrich <chris@chrullrich.net>
To: pgsql-hackers@postgresql.org
Date: 2011-04-07T11:33:48Z
Lists: pgsql-hackers
* Andrew Dunstan wrote:

> On 04/07/2011 03:48 AM, Alastair Turner wrote:

>> Is the solution possibly to assign positive entries on the basis of
>> the superuser being a member of all groups but require negative
>> entries to explicitly specify that they apply to superuser?

> I think that's just about guaranteed to produce massive confusion. +foo
> should mean one thing, regardless of the rule type. I seriously doubt
> that very many people who work with this daily would agree with Tom's
> argument about what that should be.

What about adding a second group syntax that only evaluates explicit
memberships? That way, everyone could pick which behavior they liked
better, and Alastair's suggestion could be done that way, too:

    host all *personae_non_gratae 0.0.0.0/0 reject
    host all +foo 0.0.0.0/0 md5

If, as Josh said, few users even know about the old syntax, there should
not be much potential for confusion in adding a new one.

Additionally, most things that can be done with groups in pg_hba.conf
can also be done using CONNECT privilege on databases.

-- 
Christian
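An added illustration, not part of the original message and not PostgreSQL code: a simplified Python model of first-match pg_hba.conf evaluation that contrasts `+group` (a superuser counted as a member of every role) with the `*group` explicit-membership syntax proposed in this message. The `*` prefix exists only as that proposal; the role names, memberships and the `WITH_PLUS`/`WITH_STAR` rule sets are constructed.

```python
# Simplified model of pg_hba.conf matching on the user column only; the
# database and address columns are parsed but not evaluated.
#   +group : a superuser counts as a member of every role
#   *group : proposed syntax from the message; explicit memberships only
# Role names and memberships are constructed sample data.
SUPERUSERS = {"postgres"}
MEMBERS = {"foo": {"alice"}, "personae_non_gratae": {"mallory"}}

WITH_PLUS = """
host all +personae_non_gratae 0.0.0.0/0 reject
host all +foo                 0.0.0.0/0 md5
"""
WITH_STAR = """
host all *personae_non_gratae 0.0.0.0/0 reject
host all +foo                 0.0.0.0/0 md5
"""

def user_matches(spec, user):
    """True if the rule's user field matches the connecting user."""
    if spec == "all":
        return True
    if spec.startswith("+"):
        return user in SUPERUSERS or user in MEMBERS.get(spec[1:], set())
    if spec.startswith("*"):
        return user in MEMBERS.get(spec[1:], set())
    return spec == user

def parse_rules(text):
    """Return (user_spec, method) pairs for each 'host' line."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 5 or fields[0] != "host":
            raise ValueError(f"unsupported line: {raw!r}")
        rules.append((fields[2], fields[4]))
    return rules

def auth_method(text, user):
    """First matching line wins; None means no line matched (refused)."""
    for spec, method in parse_rules(text):
        if user_matches(spec, user):
            return method
    return None

if __name__ == "__main__":
    for user in ("postgres", "alice", "mallory", "bob"):
        print(user, auth_method(WITH_PLUS, user), auth_method(WITH_STAR, user))
```

With the `+` form of the reject line the superuser is caught by the first rule and locked out; with the `*` form the superuser falls through to the `+foo` line, while explicit members of the rejected group are still refused.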