From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Kaiting Chen <kaitocracy(at)gmail(dot)com>, pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: BUG #5763: pg_hba.conf not honored |
Date: | 2010-11-28 12:56:37 |
Message-ID: | AANLkTik1TCt3oX=cUZ0UiqAe2XdeDc5uX18z4xCFsqgx@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
On Tue, Nov 23, 2010 at 10:29 AM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> "Kaiting Chen" <kaitocracy(at)gmail(dot)com> writes:
>> From this pg_hba configuration as the user 'kaiting.chen' is not in role
>> 'service' the second entry in the table should be skipped and he should
>> authenticate via GSSAPI. However this does not happen.
>
> I believe the definition of "in role" we use here is "has the privileges
> of role". Since kaiting.chen is a superuser, all privilege tests will
> succeed for him, including that one. IOW, a superuser is automatically
> a member of every role. This isn't a bug.
I guess it's not a bug if we did it that way on purpose, but it seems
like testing for actual group membership would be less surprising.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
From | Date | Subject | |
---|---|---|---|
Next Message | Robert Haas | 2010-11-28 13:05:12 | Re: Documentation bug: Chapter 35.4, paragraph 4 |
Previous Message | Balamurugan Mahendran | 2010-11-28 08:01:00 | Re: BUG #5773: DEBUG: reaping dead processes DEBUG: server process (PID 10007) was terminated by signal 11: Segme |