Re: superusers are members of all roles?

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: admindb(at)fem(dot)tu-ilmenau(dot)de
Cc: Michael Braun <michael(dot)braun(at)fem(dot)tu-ilmenau(dot)de>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: superusers are members of all roles?
Date: 2012-08-14 23:19:25
Message-ID: 502ADCFD.3020803@dunslane.net
Lists: pgsql-hackers


On 08/14/2012 05:03 PM, Michael Braun wrote:
> Hi,
>
> I've just recently upgraded to postgresql 9.1 and also hit bug #5763.
> Having +group not match all superusers is essential to be able to assign
> different authentication backends to different superusers with needing
> to edit configuration files on the radius host system. E.g. to be able
> to authenticate some against ldap services and some against the password
> stored in the database, so the superusers can opt into the central
> authentication system if they want to. With the old postgresql version,
> all user managers would only need postgresql tcp access, no access to
> files or similar.
>
> Could the different behaviour (superusers matching all/not all group
> entries in hba.conf) perhaps become a configuration item?
>

This is a feature in the upcoming 9.2. IIRC the consensus was not to
backport it. There is no point in making it a configuration item,
really, since the workaround for the old behaviour would be to add the
superusers explicitly to the required groups. If you're interested and
want to apply it to your own build, it's pretty much a one line patch:
See
<https://github.com/postgres/postgres/commit/94cd0f1ad8af722a48a30a1087377b52ca99d633>

cheers

andrew
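
Added example, not part of the original message and not PostgreSQL code: a simplified Python model of how the user column of pg_hba.conf is matched, comparing the behaviour Michael reports (superusers match every +group entry) with the behaviour where only explicit membership counts. The role names, the rules and the helper names are constructed for illustration, and only direct memberships are modelled.

```python
# Simplified model of pg_hba.conf user-column matching (illustration only).
# Roles, rules and function names are constructed for this example.
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    superuser: bool = False
    member_of: set = field(default_factory=set)  # explicit grants only

def user_matches(token, role, superuser_in_every_group):
    """Match one entry of the hba user column against the connecting role."""
    if token == "all":
        return True
    if token.startswith("+"):
        group = token[1:]
        if role.name == group or group in role.member_of:
            return True
        # Behaviour reported in the thread: a superuser counts as a member
        # of every role, so every +group entry matches.
        return superuser_in_every_group and role.superuser
    return token == role.name

def auth_method(rules, role, superuser_in_every_group):
    """The first matching line decides the authentication method."""
    for user_token, method in rules:
        if user_matches(user_token, role, superuser_in_every_group):
            return method
    return "reject"  # no matching line: the connection is refused

# Constructed rules: members of ldap_users use LDAP, everyone else md5.
RULES = [("+ldap_users", "ldap"), ("all", "md5")]

alice = Role("alice", superuser=True)                        # has not opted in
bob = Role("bob", superuser=True, member_of={"ldap_users"})  # opted in explicitly

if __name__ == "__main__":
    for flag in (True, False):
        print("superuser matches every +group:", flag)
        for role in (alice, bob):
            print("  ", role.name, "->", auth_method(RULES, role, flag))
```

With the flag set, alice is forced onto LDAP although she never joined ldap_users; with it cleared she falls through to md5, while bob reaches LDAP in both cases because his membership is explicit.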
