Greetings,

* Robert Haas (robertmh...@gmail.com) wrote:
> But, again, we already *have* a way of solving this problem: use
> quotes. As Simon pointed out, your proposed solution isn't really a
> solution at all, because & can appear in role names. It probably
> won't, but there probably also won't be a role name that matches
> either of these keywords, so it's just six of one, half a dozen of the
> other. The thing that really solves it is quoting.

I really just can't agree with the idea that: "&superuser" and &superuser in pg_hba.conf should mean materially different things and have far reaching security differences. Depending on quoting in pg_hba.conf for this distinction is an altogether bad idea.

> Now I admit that if we decide pg_hba.conf keywords have to start with
> "pg_" and prevent names beginning with "pg_" from being used as object
> names, then we'd have TWO ways of distinguishing between a keyword and
> an object name. But I don't think TMTOWTDI is the right design
> principle here.

There is a *really* big difference here though which makes this not "two ways to do the same thing"- you *can't* create a user starting with "pg_". You *can* create a user with an '&' in it. If we prevented you from being able to create users with '&' in it then I'd be more open to the idea of using '&' to mean something special in pg_hba, and then it really would be two different ways to do the same thing, but that's not actually what's being proposed here.

Thanks,

Stephen