Re: superusers are members of all roles?

From: Josh Berkus <josh(at)agliodbs(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: superusers are members of all roles?
Date: 2011-04-07 04:21:58
Message-ID: 4D9D3BE6.7000303@agliodbs.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers


> See bug #5763, and subsequent emails. Short version: Tom argued it
> wasn't a bug; Peter and I felt that it was.

Add my vote: it's a bug.

Users who fall afoul of this will spend *hours* trying to debug this
before they stumble on the correct answer. pg_hba.conf is confusing
enough as it is.

The only reason we don't get more bug reports on this is that not very
many users know about using group roles in pg_hba.conf (and few enough
users are using group roles in the first place).

If we're not going to fix this, then we need a big warning in the docs
and the pg_hba.conf file:

"NOTE: Please make sure that at least one rule in pg_hba.conf matches
superuser access before any reject rules"

--
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Tom Lane 2011-04-07 04:29:17 Re: superusers are members of all roles?
Previous Message Robert Haas 2011-04-07 04:11:58 Re: too many dotted names