Обсуждение: pgsql: Do not treat a superuser as a member of every role for HBA purpo
Do not treat a superuser as a member of every role for HBA purposes. This makes it possible to use reject lines with group roles. Andrew Dunstan, reviewd by Robert Haas. Branch ------ master Details ------- http://git.postgresql.org/pg/commitdiff/94cd0f1ad8af722a48a30a1087377b52ca99d633 Modified Files -------------- doc/src/sgml/client-auth.sgml | 5 ++++- src/backend/libpq/hba.c | 9 +++++++-- 2 files changed, 11 insertions(+), 3 deletions(-)
Andrew Dunstan <andrew@dunslane.net> writes:
> Do not treat a superuser as a member of every role for HBA purposes.
> This makes it possible to use reject lines with group roles.
As committed, this patch also changes the behavior of "samerole", but
the doc update fails to reflect that.
regards, tom lane
On 11/03/2011 03:16 PM, Tom Lane wrote: > Andrew Dunstan<andrew@dunslane.net> writes: >> Do not treat a superuser as a member of every role for HBA purposes. >> This makes it possible to use reject lines with group roles. > As committed, this patch also changes the behavior of "samerole", but > the doc update fails to reflect that. > > I'm happy to update the docs if you think it's necessary. I think this is desired behaviour, for the same reason as for named roles, namely that you can add superusers to the list if necessary. I can't think of a sane case where this would make a difference, but I'm happy to be pedantic if you like. cheers andrew