On 28/12/2019 19:07, Tom Lane wrote:
> Vik Fearing <vik.fearing@2ndquadrant.com> writes:
>> It can sometimes be useful to match against a superuser in pg_hba.conf.
> Seems like a reasonable desire.
>
>> Adding another keyword can break backwards compatibility, of course. So
>> that is an issue that needs to be discussed, but I don't imagine too
>> many people are using role names "superuser" and "nonsuperuser". Those
>> who are will have to quote them.
> I'm not very happy about the continuing creep of pseudo-reserved database
> and user names in pg_hba.conf. I wish we'd adjust the notation so that
> these keywords are syntactically distinct from ordinary names. Given
> the precedent that "+" and "@" prefixes change what an identifier means,
> maybe we could use "*" or some other punctuation character as a keyword
> prefix? We'd have to give grandfather exceptions to the existing
> keywords, at least for a while, but we could say that new ones won't be
> recognized without the prefix.
I'm all for this (and even suggested it during the IRC conversation that
prompted this patch). It's rife with bikeshedding, though. My original
proposal was to use '&' and Andrew Gierth would have used ':'.
I will submit two patches, one that recognizes the sigil for all the
other keywords, and then an update of this patch.
--
Vik
