Re: BUG #5763: pg_hba.conf not honored
From | Robert Haas |
---|---|
Subject | Re: BUG #5763: pg_hba.conf not honored |
Date | |
Msg-id | AANLkTik1TCt3oX=cUZ0UiqAe2XdeDc5uX18z4xCFsqgx@mail.gmail.com |
In response to | Re: BUG #5763: pg_hba.conf not honored (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses |
Re: BUG #5763: pg_hba.conf not honored
Re: BUG #5763: pg_hba.conf not honored |
List | pgsql-bugs |
On Tue, Nov 23, 2010 at 10:29 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> "Kaiting Chen" <kaitocracy@gmail.com> writes:
>> From this pg_hba configuration as the user 'kaiting.chen' is not in role
>> 'service' the second entry in the table should be skipped and he should
>> authenticate via GSSAPI. However this does not happen.
>
> I believe the definition of "in role" we use here is "has the privileges
> of role".  Since kaiting.chen is a superuser, all privilege tests will
> succeed for him, including that one.  IOW, a superuser is automatically
> a member of every role.  This isn't a bug.

I guess it's not a bug if we did it that way on purpose, but it seems
like testing for actual group membership would be less surprising.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
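
The behaviour discussed in this message, as an added example that is not part of the original post and is not PostgreSQL's own code: a small Python model of first-match pg_hba rule selection with a +role user field, comparing the "has the privileges of role" test with actual membership. The rules, the svc_backup role and the md5 method are constructed (the reporter's configuration is not shown on this page), and address and database matching are left out.

```python
# Added illustration: first-match pg_hba rule selection with a "+role" user
# field under two definitions of "in role". All data below is constructed.

# Constructed role catalog: direct memberships and the superuser flag.
MEMBER_OF = {"kaiting.chen": set(), "svc_backup": {"service"}, "service": set()}
SUPERUSERS = {"kaiting.chen"}

# Constructed pg_hba-style rules: type, database, user, [address], method.
HBA = """
local   all   postgres                 ident
host    all   +service   10.0.0.0/8    md5
host    all   all        10.0.0.0/8    gss
"""

def is_member(user, role, seen=None):
    """Actual membership: user is the role or reaches it through grants."""
    seen = seen or set()
    if user == role:
        return True
    seen.add(user)
    return any(is_member(r, role, seen)
               for r in MEMBER_OF.get(user, ()) if r not in seen)

def has_privs(user, role):
    """Privilege test as described in the thread: superusers pass every check."""
    return user in SUPERUSERS or is_member(user, role)

def user_matches(field, user, in_role):
    """Match the rule's user field; "+name" delegates to the in_role test."""
    if field == "all":
        return True
    if field.startswith("+"):
        return in_role(user, field[1:])
    return field == user

def select_method(user, conn_type, in_role):
    """Return the auth method of the first rule matching type and user."""
    for line in HBA.strip().splitlines():
        parts = line.split()
        rtype, ufield, method = parts[0], parts[2], parts[-1]
        if rtype == conn_type and user_matches(ufield, user, in_role):
            return method
    return None  # no rule matched: the connection would be rejected

if __name__ == "__main__":
    for test in (has_privs, is_member):
        print(test.__name__, select_method("kaiting.chen", "host", test))
```

With the privilege-based test the superuser is captured by the +service rule and never reaches the gss rule; with the membership test the rule is skipped as the reporter expected.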