From: | Christian Ullrich <chris(at)chrullrich(dot)net> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: superusers are members of all roles? |
Date: | 2011-04-07 11:33:48 |
Message-ID: | ink7es$4ub$1@dough.gmane.org |
Lists: | pgsql-hackers |

* Andrew Dunstan wrote:
> On 04/07/2011 03:48 AM, Alastair Turner wrote:
>> Is the solution possibly to assign positive entries on the basis of
>> the superuser being a member of all groups but require negative
>> entries to explicitly specify that they apply to superuser?
> I think that's just about guaranteed to produce massive confusion. +foo
> should mean one thing, regardless of the rule type. I seriously doubt
> that very many people who work with this daily would agree with Tom's
> argument about what that should be.

What about adding a second group syntax that only evaluates explicit
memberships? That way, everyone could pick which behavior they liked
better, and Alastair's suggestion could be done that way, too:

    host all *personae_non_gratae 0.0.0.0/0 reject
    host all +foo 0.0.0.0/0 md5

If, as Josh said, few users even know about the old syntax, there should
not be much potential for confusion in adding a new one.

Additionally, most things that can be done with groups in pg_hba.conf
can also be done using CONNECT privilege on databases.

--
Christian
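
The two membership semantics discussed in this message, as an added example that is not part of the original email and not PostgreSQL's own code: a simplified Python model of first-match evaluation over the user column only. The `Role` class, the role names and the rule lists are constructed for illustration, and `*group` is the syntax proposed above, not an existing feature; the database, address and indirect-membership handling are left out.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    superuser: bool = False
    groups: set = field(default_factory=set)  # explicit memberships only


def user_matches(token, role):
    """Match one user-column token against the connecting role."""
    if token == "all":
        return True
    if token.startswith("+"):
        # Behaviour under discussion in the thread: a superuser is
        # treated as a member of every group.
        return role.superuser or token[1:] in role.groups
    if token.startswith("*"):
        # Proposed syntax (hypothetical): explicit memberships only.
        return token[1:] in role.groups
    return token == role.name


def first_match(rules, role):
    """Rules are read top to bottom; the first matching line decides."""
    for user_token, method in rules:
        if user_matches(user_token, role):
            return method
    return "reject"  # no matching line means the connection is refused


# Constructed sample roles.
postgres = Role("postgres", superuser=True)
mallory = Role("mallory", groups={"personae_non_gratae"})
alice = Role("alice", groups={"foo"})

# The same two-line policy, written with each syntax for the reject line.
implicit_rules = [("+personae_non_gratae", "reject"), ("+foo", "md5")]
explicit_rules = [("*personae_non_gratae", "reject"), ("+foo", "md5")]

if __name__ == "__main__":
    for label, rules in (("+group", implicit_rules), ("*group", explicit_rules)):
        for role in (postgres, mallory, alice):
            print(label, role.name, first_match(rules, role))
```

With the `+` form on the reject line the superuser is locked out along with the listed roles; with the explicit-only form the reject line catches only actual members and the superuser falls through to `+foo`.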