From: | Glyn Astill <glynastill(at)yahoo(dot)co(dot)uk> |
---|---|
To: | Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | "pgsql-admin(at)postgresql(dot)org" <pgsql-admin(at)postgresql(dot)org> |
Subject: | Re: Adding line to pg_hba.conf for a specific group makes superuser authentication fail in 9.0? |
Date: | 2011-07-27 20:22:29 |
Message-ID: | 1311798149.1639.YahooMailNeo@web26004.mail.ukl.yahoo.com |
Lists: | pgsql-admin |
> From: Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>
> Glyn Astill <glynastill(at)yahoo(dot)co(dot)uk> wrote:
>
>> How can I specifically catch superusers?
>
> Create a group (nobody?) that you don't grant to any users. Only
> superusers will be a member of it.
>
Ah of course, simple, thanks Kevin.
I can't help but feel that there should be something in the docs for 9.0 to specify this, since it is a behaviour difference from 8.4 and earlier.
The docs (http://www.postgresql.org/docs/9.0/interactive/auth-pg-hba-conf.html) do say:
"Recall that there is no real distinction between users and groups in PostgreSQL; a + mark really means "match any of the roles that are directly or indirectly members of this role", while a name without a + mark matches only that specific role"
Maybe the docs should be embellished to also say "since a superuser is automatically considered a member of any group, it should be taken into account that names with a + mark will affect all superusers (although this was not the case prior to 9.0)" or something along those lines.
Glyn
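
The matching behaviour discussed in this message, as an added example that is not part of the original thread or PostgreSQL's own code: a simplified Python model of only the pg_hba.conf user column with first-match semantics. The role names, rule lists and auth methods are constructed sample data, and `superuser_in_all_groups` is a hypothetical switch standing in for the 9.0 versus 8.4 difference described above.

```python
# Simplified model of the pg_hba.conf USER column only (added example).
# ROLES, the rule lists and their auth methods are constructed sample data.
ROLES = {  # role name: (is_superuser, groups granted directly to the role)
    "postgres": (True, set()),
    "alice": (False, {"reporting"}),
    "bob": (False, set()),
    "reporting": (False, set()),
    "nobody": (False, set()),  # group granted to no user, as Kevin suggests
}

def is_member(role, group, superuser_in_all_groups):
    """Direct or indirect membership (a role also matches its own name here)."""
    if superuser_in_all_groups and ROLES[role][0]:
        return True  # the 9.0 behaviour reported in the thread
    seen, todo = set(), [role]
    while todo:
        current = todo.pop()
        if current == group:
            return True
        if current not in seen:
            seen.add(current)
            todo.extend(ROLES[current][1])
    return False

def user_field_matches(field, role, superuser_in_all_groups):
    if field == "all":
        return True
    if field.startswith("+"):  # "+name" means any member of that role
        return is_member(role, field[1:], superuser_in_all_groups)
    return field == role       # plain name matches only that role

def first_match(rules, role, superuser_in_all_groups=True):
    """Auth method of the first record whose user field matches, else None."""
    for field, method in rules:
        if user_field_matches(field, role, superuser_in_all_groups):
            return method
    return None  # no record matched

# Hypothetical rule sets: (user field, auth method), in file order.
GROUP_RULE = [("+reporting", "ldap"), ("all", "md5")]
WITH_CATCH = [("+nobody", "md5")] + GROUP_RULE  # superuser catch-all first

if __name__ == "__main__":
    for name, rules in (("GROUP_RULE", GROUP_RULE), ("WITH_CATCH", WITH_CATCH)):
        for role in ("postgres", "alice", "bob"):
            print(name, role, first_match(rules, role))
```

Because the first matching record wins, the `+nobody` line only helps when it is placed above the group line it is meant to pre-empt.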