On 10/4/21, 7:08 PM, "Stephen Frost" <sfrost@snowman.net> wrote:
> I really think we need to stop addressing roles explicitly as
> 'superuser' vs. 'non-superuser', because a non-superuser role can be
> GRANT'd a superuser role, which makes that distinction really not
> sensible. This has continued to be a problem and we need to cleanly
> address it. Not sure exactly how to do that today but it's certainly an
> issue.

Agreed. Maybe one option is to convert most of the role attributes to
be predefined roles. Then we could just check for membership in
pg_superuser instead of trying to deal with membership in roles that
have the SUPERUSER attribute.

Nathan
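
Added example, not part of the original thread: an audit query over the existing catalogs that lists roles lacking the SUPERUSER attribute but able to reach a superuser role through a chain of memberships, which is the case the messages above describe. The role names demo_admin and demo_alice are constructed for illustration; the setup statements need a superuser session on a scratch cluster.

```sql
-- Constructed sample roles (hypothetical names, scratch cluster only).
CREATE ROLE demo_admin SUPERUSER NOLOGIN;
CREATE ROLE demo_group NOLOGIN;
CREATE ROLE demo_alice LOGIN;
GRANT demo_admin TO demo_group;   -- group is a member of the superuser role
GRANT demo_group TO demo_alice;   -- alice reaches it indirectly

-- The attribute itself is not inherited: demo_alice.rolsuper stays false,
-- so a check on rolsuper alone misses her. She can still SET ROLE demo_admin.
SELECT rolname, rolsuper
FROM pg_roles
WHERE rolname IN ('demo_admin', 'demo_group', 'demo_alice');

-- Walk pg_auth_members upward from every role that has rolsuper set.
-- PostgreSQL rejects circular memberships, so the recursion terminates.
WITH RECURSIVE chain AS (
    SELECT m.member, m.roleid AS super_oid
    FROM pg_auth_members m
    JOIN pg_roles s ON s.oid = m.roleid
    WHERE s.rolsuper
  UNION
    SELECT m.member, c.super_oid
    FROM pg_auth_members m
    JOIN chain c ON m.roleid = c.member
)
SELECT r.rolname AS role_name,
       r.rolcanlogin AS can_login,
       s.rolname AS reachable_superuser
FROM chain c
JOIN pg_roles r ON r.oid = c.member
JOIN pg_roles s ON s.oid = c.super_oid
WHERE NOT r.rolsuper
ORDER BY role_name, reachable_superuser;

-- Cleanup of the constructed roles.
DROP ROLE demo_alice;
DROP ROLE demo_group;
DROP ROLE demo_admin;
```

On the sample roles the audit query returns demo_alice and demo_group, both with demo_admin as the reachable superuser.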