Re: Re: database access - Mailing list pgsql-general

From Tom Lane
Subject Re: Re: database access
Date
Msg-id 23750.984545975@sss.pgh.pa.us
Whole thread Raw
In response to Re: Re: database access  (Tim Frank <tfrank@registrar.uoguelph.ca>)
List pgsql-general
Tim Frank <tfrank@registrar.uoguelph.ca> writes:
> My question would be if I used "sameuser" as the database then would my
> database superusers be allowed to also connect to databases different
> from their usernames?

You're looking at this the wrong way.  Whether you are superuser or not
is immaterial as far as connection privileges go --- that fact is
determined *after* you have connected.

The sort of thing you can set up with the current privilege model is
like this:

    host    sameuser    hostip    hostmask    ident
    host    all        hostip    hostmask    passwd

This essentially says that for connections originating from the
hostip/hostmask part of cyberspace, "ident" authentication will
be used if you are trying to connect to the database named after
your username, otherwise "passwd" authentication will be used.

Obviously you can use two other forms of authentication if you
choose, but that's the basic model.  The first line in pg_hba.conf
that matches your target database and connection origination address
determines the authentication method that is used.  Generally you'd
make the earlier lines describe a tighter match and a looser auth
method than the later lines, but the machine doesn't care...

            regards, tom lane

pgsql-general by date:

Previous
From: Doug McNaught
Date:
Subject: Re: Is v7.1 stable enough?
Next
From: Tom Lane
Date:
Subject: Re: Is v7.1 stable enough?