Re: superusers are members of all roles?

On 04/07/2011 07:33 AM, Christian Ullrich wrote:
> * Andrew Dunstan wrote:
>
>> On 04/07/2011 03:48 AM, Alastair Turner wrote:
>
>>> Is the solution possibly to assign positive entries on the basis of
>>> the superuser being a member of all groups but require negative
>>> entries to explicitly specify that they apply to superuser?
>
>> I think that's just about guaranteed to produce massive confusion. +foo
>> should mean one thing, regardless of the rule type. I seriously doubt
>> that very many people who work with this daily would agree with Tom's
>> argument about what that should be.
>
> What about adding a second group syntax that only evaluates explicit 
> memberships? That way, everyone could pick which behavior they liked 
> better, and Alastair's suggestion could be done that way, too:
>
>     host    all    *personae_non_gratae    0.0.0.0/0    reject
>     host    all    +foo            0.0.0.0/0    md5
>
> If, as Josh said, few users even know about the old syntax, there 
> should not be much potential for confusion in adding a new one.

I thought about that. What I'd like to know is how many people actually 
want and use and expect the current behaviour. If it's more than a 
handful (which I seriously doubt) then that's probably the way to go. 
Otherwise it seems more trouble than it's worth.

>
> Additionally, most things that can be done with groups in pg_hba.conf 
> can also be done using CONNECT privilege on databases.

In my case this won't work at all, since what I need is to allow the 
group access on a hot standby but prevent it on the master, and the 
CONNECT privs will be the same on both. We also don't have negative 
privileges analogous to "reject" lines.

cheers

aqndrew