Tom Lane wrote:
> Something else that ought to be considered here is that now that we have
> CONNECT privilege for databases, manipulating privileges is a lot saner
> way to control who-can-connect-where than setting up fancy combinations
> of user and database entries in pg_hba.conf. AFAIR there is no mention
> of this alternative in Chapter 21, but it seems like there ought to be.
> With your proposed reorganization, that would become a forward
> reference; is that OK?

We do have a "Tip" about this in the pg_hba.conf section:

http://developer.postgresql.org/pgdocs/postgres/auth-pg-hba-conf.html

Tip: To connect to a particular database, a user must not only pass the
pg_hba.conf checks, but must have the CONNECT privilege for the
database. If you wish to restrict which users can connect to which
databases, it's usually easier to control this by granting/revoking
CONNECT privilege than to put the rules into pg_hba.conf entries.

Do we need more?

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
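
The approach described in the Tip, as an added example that is not part of the original message or of the PostgreSQL documentation. The database `sales`, the roles `sales_users`, `sales_app`, `sales_ro` and `intern`, and the address range in the commented pg_hba.conf line are all constructed for illustration.

```sql
-- pg_hba.conf stays generic: one line authenticates every user for every
-- database and encodes no who-can-connect-where rules (constructed sample):
--   host  all  all  10.0.0.0/8  scram-sha-256

-- Constructed roles and database for the example.
CREATE ROLE sales_app LOGIN;
CREATE ROLE sales_ro  LOGIN;
CREATE ROLE intern    LOGIN;
CREATE DATABASE sales;

-- A new database grants CONNECT to PUBLIC by default. Until that grant is
-- revoked, per-role GRANTs restrict nothing, because every role is a
-- member of PUBLIC.
REVOKE CONNECT ON DATABASE sales FROM PUBLIC;

-- Carry the privilege on a group role so membership, not pg_hba.conf,
-- decides who may connect.
CREATE ROLE sales_users NOLOGIN;
GRANT CONNECT ON DATABASE sales TO sales_users;
GRANT sales_users TO sales_app, sales_ro;

-- Check the effective result for every login role. Superusers and the
-- database owner still report true: they bypass or implicitly hold the
-- privilege, so review them separately.
SELECT r.rolname,
       r.rolsuper,
       has_database_privilege(r.rolname, 'sales', 'CONNECT') AS can_connect
FROM pg_roles AS r
WHERE r.rolcanlogin
ORDER BY r.rolname;

-- Inspect the stored ACL. A NULL datacl means the built-in defaults are
-- still in force, i.e. PUBLIC can connect.
SELECT datname, datacl
FROM pg_database
WHERE datname = 'sales';
```

With these grants, `intern` passes the pg_hba.conf check and authenticates, but the connection to `sales` is rejected for lack of CONNECT privilege.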