Re: superusers are members of all roles?

* Andrew Dunstan wrote:

> On 04/07/2011 03:48 AM, Alastair Turner wrote:

>> Is the solution possibly to assign positive entries on the basis of
>> the superuser being a member of all groups but require negative
>> entries to explicitly specify that they apply to superuser?

> I think that's just about guaranteed to produce massive confusion. +foo
> should mean one thing, regardless of the rule type. I seriously doubt
> that very many people who work with this daily would agree with Tom's
> argument about what that should be.

What about adding a second group syntax that only evaluates explicit 
memberships? That way, everyone could pick which behavior they liked 
better, and Alastair's suggestion could be done that way, too:
host    all    *personae_non_gratae    0.0.0.0/0    rejecthost    all    +foo            0.0.0.0/0    md5

If, as Josh said, few users even know about the old syntax, there should 
not be much potential for confusion in adding a new one.

Additionally, most things that can be done with groups in pg_hba.conf 
can also be done using CONNECT privilege on databases.

-- 
Christian