From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Andrew Gierth <andrew(at)tao11(dot)riddles(dot)org(dot)uk>, PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>, Robert Haas <robertmhaas(at)gmail(dot)com>, Vik Fearing <vik(dot)fearing(at)2ndquadrant(dot)com> |
Subject: | Re: Recognizing superuser in pg_hba.conf |
Date: | 2020-01-02 21:07:57 |
Message-ID: | 14916.1577999277@sss.pgh.pa.us |
Lists: | pgsql-hackers |

Stephen Frost <sfrost(at)snowman(dot)net> writes:
> On Thu, Jan 2, 2020 at 15:50 Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> To cover the proposed functionality, you'd still need some way to
>> select not-superuser. So I don't think this fully answers the need
>> even if we wanted to do it.

> Sorry- why do we need that..? The first match for a pg_hba line wins, so
> you can define all the access methods that superuser accounts are allowed
> to use first, then a “reject” line for superuser accounts, and then
> whatever else you want after that.

Seems kind of awkward. Or more to the point: you can already do whatever
you want in pg_hba.conf, as long as you're willing to be verbose enough
(and, perhaps, willing to maintain group memberships to fit your needs).
The discussion here, IMO, is about offering useful shorthands.

So a facility like "!role" seems potentially useful. Maybe it's not
really, but I don't think we should reject it just because there's
a verbose and non-obvious way to get the same result.

regards, tom lane
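
The verbose first-match layout discussed in this message, written out as an added pg_hba.conf example (not part of the original e-mail or of the PostgreSQL project's files). It assumes a hypothetical group role `admins` to which every superuser account has been granted membership, and a constructed admin subnet 192.0.2.0/24.

```conf
# TYPE  DATABASE  USER      ADDRESS        METHOD

# 1. Access methods the privileged accounts are allowed to use.
#    "+admins" matches any role that is a member of the (hypothetical)
#    group role "admins".
local   all       +admins                  peer
host    all       +admins   192.0.2.0/24   scram-sha-256

# 2. Any other TCP connection attempt by a member of "admins" stops here,
#    because the first matching line wins and later lines are not consulted.
host    all       +admins   all            reject

# 3. Everything after this point only ever sees roles outside "admins".
host    all       all       all            scram-sha-256
```

A superuser matches `+admins` only if it has been explicitly made a member of that role, so the reject line protects only the accounts whose membership is kept up to date.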