Re: superusers are members of all roles? - Mailing list pgsql-hackers

From Josh Berkus
Subject Re: superusers are members of all roles?
Date
Msg-id 4D9D3BE6.7000303@agliodbs.com
Whole thread Raw
In response to Re: superusers are members of all roles?  (Robert Haas <robertmhaas@gmail.com>)
List pgsql-hackers
> See bug #5763, and subsequent emails.  Short version: Tom argued it
> wasn't a bug; Peter and I felt that it was.

Add my vote: it's a bug.

Users who fall afoul of this will spend *hours* trying to debug this
before they stumble on the correct answer.  pg_hba.conf is confusing
enough as it is.

The only reason we don't get more bug reports on this is that not very
many users know about using group roles in pg_hba.conf (and few enough
users are using group roles in the first place).

If we're not going to fix this, then we need a big warning in the docs
and the pg_hba.conf file:

"NOTE: Please make sure that at least one rule in pg_hba.conf matches
superuser access before any reject rules"

-- 
Josh Berkus
PostgreSQL Experts Inc.
http://pgexperts.com


pgsql-hackers by date:

Previous
From: Robert Haas
Date:
Subject: Re: too many dotted names
Next
From: Tom Lane
Date:
Subject: Re: superusers are members of all roles?