Re: superusers are members of all roles?

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: Christian Ullrich <chris(at)chrullrich(dot)net>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: superusers are members of all roles?
Date: 2011-04-07 12:01:16
Message-ID: 4D9DA78C.6030604@dunslane.net
Lists: pgsql-hackers

On 04/07/2011 07:33 AM, Christian Ullrich wrote:
> * Andrew Dunstan wrote:
>
>> On 04/07/2011 03:48 AM, Alastair Turner wrote:
>
>>> Is the solution possibly to assign positive entries on the basis of
>>> the superuser being a member of all groups but require negative
>>> entries to explicitly specify that they apply to superuser?
>
>> I think that's just about guaranteed to produce massive confusion. +foo
>> should mean one thing, regardless of the rule type. I seriously doubt
>> that very many people who work with this daily would agree with Tom's
>> argument about what that should be.
>
> What about adding a second group syntax that only evaluates explicit
> memberships? That way, everyone could pick which behavior they liked
> better, and Alastair's suggestion could be done that way, too:
>
> host all *personae_non_gratae 0.0.0.0/0 reject
> host all +foo 0.0.0.0/0 md5
>
> If, as Josh said, few users even know about the old syntax, there
> should not be much potential for confusion in adding a new one.

I thought about that. What I'd like to know is how many people actually
want and use and expect the current behaviour. If it's more than a
handful (which I seriously doubt) then that's probably the way to go.
Otherwise it seems more trouble than it's worth.

>
> Additionally, most things that can be done with groups in pg_hba.conf
> can also be done using CONNECT privilege on databases.

In my case this won't work at all, since what I need is to allow the
group access on a hot standby but prevent it on the master, and the
CONNECT privs will be the same on both. We also don't have negative
privileges analogous to "reject" lines.

cheers

andrew
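A small model of the first-match-wins pg_hba.conf evaluation the thread is arguing about, added here as an illustration; it is not code from the thread or from PostgreSQL. `+group` follows the debated semantics (with `implicit_super` on, a superuser counts as a member of every role), `*group` is Christian's proposed explicit-membership syntax and is hypothetical, and the role memberships, superuser set and client address are constructed.

```python
import ipaddress

# Constructed sample data (not from the thread): explicit role memberships and superusers.
ROLE_MEMBERS = {
    "personae_non_gratae": {"mallory"},
    "foo": {"alice", "bob"},
}
SUPERUSERS = {"postgres"}


def is_member(role, group, superuser_is_member_of_all):
    """Group membership test; optionally treats every superuser as a member of every role."""
    if superuser_is_member_of_all and role in SUPERUSERS:
        return True
    return role in ROLE_MEMBERS.get(group, set())


def role_matches(field, role, implicit_super):
    """Match the USER field of a pg_hba.conf line against the connecting role."""
    if field == "all":
        return True
    if field.startswith("+"):  # existing syntax; superuser handling is the debated point
        return is_member(role, field[1:], implicit_super)
    if field.startswith("*"):  # hypothetical syntax from the thread: explicit memberships only
        return is_member(role, field[1:], False)
    return field == role


def authenticate(rules, role, client_ip, implicit_super=True):
    """First matching line decides, as in pg_hba.conf; None means no line matched."""
    ip = ipaddress.ip_address(client_ip)
    for line in rules:
        _conn_type, _database, user, cidr, method = line.split()
        if ip in ipaddress.ip_network(cidr) and role_matches(user, role, implicit_super):
            return method
    return None


# The two rule sets from the discussion: current "+" syntax only, and Christian's variant.
RULES_CURRENT = [
    "host all +personae_non_gratae 0.0.0.0/0 reject",
    "host all +foo 0.0.0.0/0 md5",
]
RULES_PROPOSED = [
    "host all *personae_non_gratae 0.0.0.0/0 reject",
    "host all +foo 0.0.0.0/0 md5",
]

if __name__ == "__main__":
    # With implicit membership, the superuser is caught by the negative "+" line first.
    print(authenticate(RULES_CURRENT, "postgres", "10.0.0.5"))   # reject
    print(authenticate(RULES_PROPOSED, "postgres", "10.0.0.5"))  # md5
```

Under the proposed rules the superuser skips the explicit-membership reject line and then matches `+foo` by virtue of implicit membership, which is the mix of behaviours Alastair's suggestion asked for.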
