I just hit this, which at least violated my sense of least astonishment,
if it's not an outright bug:
After creating a role foo, I added the following lines to my (9.0)
local all +foo reject
host all +foo 0.0.0.0/0 reject
The surprising (to me) consequence was that every superuser was locked
out of the system. I had not granted them (or anyone) the role, but
nevertheless these lines took effect.
If this is intended, it should at least be documented. But if it is
intended then it's ugly anyway, IMNSHO, and we should change it.
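
An added example, not part of the original message and not PostgreSQL's own code: a simplified Python model of first-match pg_hba.conf evaluation on the user column, showing how the two `+foo` reject lines above lock out a superuser when superusers count as members of every role. The user names, the memberships and the trailing `all` md5 rule are assumptions made for illustration, and membership is reduced to direct grants.

```python
# Simplified model of pg_hba.conf first-match evaluation (user column only).
# Constructed data: user names, memberships and the md5 rule are assumptions.

SUPERUSERS = {"postgres"}
MEMBERSHIPS = {"alice": {"foo"}}  # alice was explicitly granted role foo

# Rules in file order as (user field, auth method); the first match wins.
HBA_RULES = [
    ("+foo", "reject"),  # the kind of line quoted in the message
    ("all", "md5"),      # assumed rule for everyone else
]


def is_member(user, role, superuser_implies_member):
    """Membership test used for a '+role' entry in the user column."""
    if role in MEMBERSHIPS.get(user, set()):
        return True
    # The behaviour reported above: a superuser passes every membership test.
    return superuser_implies_member and user in SUPERUSERS


def user_matches(field, user, superuser_implies_member):
    if field == "all":
        return True
    if field.startswith("+"):
        return is_member(user, field[1:], superuser_implies_member)
    return field == user


def auth_method(user, superuser_implies_member):
    """Return the method of the first rule whose user field matches."""
    for field, method in HBA_RULES:
        if user_matches(field, user, superuser_implies_member):
            return method
    return "reject"  # no matching line means the connection is refused


def audit(users):
    """Superusers rejected only because of implicit membership."""
    return [u for u in users
            if u in SUPERUSERS
            and auth_method(u, True) == "reject"
            and auth_method(u, False) != "reject"]


if __name__ == "__main__":
    for name in ("postgres", "alice", "bob"):
        print(name, auth_method(name, True), auth_method(name, False))
    print("locked-out superusers:", audit(["postgres", "alice", "bob"]))
```
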