On 04/07/2011 03:48 AM, Alastair Turner wrote:

The problem here is that if Andrew had had the opposite case (a
positive-logic hba entry requiring membership in some group to get into
a database), and that had locked out superusers, he'd be on the warpath
about that too.  And with a lot more reason.
In such a case I could add the superusers to the role explicitly, or make
the rule cover superusers as well. But as the situation is now, any rule
covering a group covers superusers, whether I want it to or not. I'd rather
have a choice in the matter (and it's clear I'm not alone in that).

The introduction of hot standby has made this pattern more likely to occur.
It happened here because we have a bunch of users that are allowed to
connect to the standby but not to the master, and the rules I was trying to
implement were designed to enforce that exclusion.

Is the solution possibly to assign positive entries on the basis of
the superuser being a member of all groups but require negative
entries to explicitly specify that they apply to superuser?

That would provide least surprise for the simplistic concept of
superuser - a user who can do anything any other user can - and allow
for superuser remote access to be restricted if desired.


I think that's just about guaranteed to produce massive confusion. +foo should mean one thing, regardless of the rule type. I seriously doubt that very many people who work with this daily would agree with Tom's argument about what that should be.

cheers

andrew

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
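The rule semantics argued over in this thread, as an added model that is not PostgreSQL's code and not code from anyone on the list: a small Python simulation of pg_hba.conf user-field matching (first matching record wins; `+group` means role membership) that evaluates one constructed rule set under the behaviour Alastair describes as current (a superuser counts as a member of every group, so any `+group` rule also catches superusers) and under his proposal (superusers match `+group` only in positive entries). The role names, databases and rule sets are constructed for the illustration, and the connection-type and address columns of pg_hba.conf are omitted.

```python
# Added model of pg_hba.conf user-field matching for this thread; it is NOT
# PostgreSQL's code. Rules are (database, user_spec, auth_method) tuples, the
# type and address columns are omitted, and first match wins as in pg_hba.conf.
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    superuser: bool = False
    member_of: set = field(default_factory=set)  # groups this role is in


# Constructed roles: a superuser, a standby-only user and an ordinary user.
ROLES = {
    "postgres": Role("postgres", superuser=True),
    "alice": Role("alice", member_of={"standby_only"}),
    "bob": Role("bob"),
}

# Constructed master pg_hba.conf: keep the standby-only group out of the
# master, let everyone else in with a password.
RULES_MASTER = [
    ("all", "+standby_only", "reject"),
    ("all", "all", "md5"),
]

# Same intent, with the superuser exception listed by name BEFORE the reject
# rule: the ordering-based workaround under first-match semantics.
RULES_MASTER_SU_FIRST = [
    ("all", "postgres", "md5"),
    ("all", "+standby_only", "reject"),
    ("all", "all", "md5"),
]


def is_member(roles, user, group, superuser_in_every_group):
    """Membership test; optionally treat superusers as members of every group."""
    role = roles[user]
    if superuser_in_every_group and role.superuser:
        return True
    return group in role.member_of


def user_matches(roles, spec, user, superuser_in_every_group):
    """Match one pg_hba.conf user field: 'all', '+group' or a plain role name."""
    if spec == "all":
        return True
    if spec.startswith("+"):
        return is_member(roles, user, spec[1:], superuser_in_every_group)
    return spec == user


def _superuser_everywhere(method, semantics):
    # "current":  superuser matches any +group in every rule type (the behaviour
    #             the thread complains about).
    # "proposal": superuser matches +group only in non-reject rules (Alastair's
    #             suggestion).
    return True if semantics == "current" else (method != "reject")


def resolve(rules, roles, database, user, semantics="current"):
    """Auth method of the first matching rule, or None if no rule matches."""
    for db, spec, method in rules:
        if db not in ("all", database):
            continue
        if user_matches(roles, spec, user, _superuser_everywhere(method, semantics)):
            return method
    return None


def who_matches(roles, spec, method, semantics="current"):
    """Users a single rule's user field would match under the given semantics;
    shows how '+foo' names two different sets under the proposal."""
    su_everywhere = _superuser_everywhere(method, semantics)
    return sorted(u for u in roles if user_matches(roles, spec, u, su_everywhere))


if __name__ == "__main__":
    for sem in ("current", "proposal"):
        for u in ROLES:
            print(sem, u, "->", resolve(RULES_MASTER, ROLES, "prod", u, sem))
    print("+standby_only in a reject rule (proposal):",
          who_matches(ROLES, "+standby_only", "reject", "proposal"))
    print("+standby_only in an md5 rule (proposal):",
          who_matches(ROLES, "+standby_only", "md5", "proposal"))
```

Under the "current" semantics the superuser is rejected by the `+standby_only` rule, and the only fix that needs no change in behaviour is ordering: the by-name exception must precede the reject rule, since a later rule never gets evaluated once an earlier one has matched. Under the "proposal" semantics the same `+standby_only` field matches `{alice}` in a reject rule but `{alice, postgres}` in an md5 rule, which is the two-meanings problem Andrew objects to.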
