Stephen Frost <sfrost@snowman.net> writes:
> On Thu, Jan 2, 2020 at 15:50 Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> To cover the proposed functionality, you'd still need some way to
>> select not-superuser. So I don't think this fully answers the need
>> even if we wanted to do it.
> Sorry- why do we need that..? The first match for a pg_hba line wins, so
> you can define all the access methods that superuser accounts are allowed
> to use first, then a “reject” line for superuser accounts, and then
> whatever else you want after that.
Seems kind of awkward. Or more to the point: you can already do whatever
you want in pg_hba.conf, as long as you're willing to be verbose enough
(and, perhaps, willing to maintain group memberships to fit your needs).
The discussion here, IMO, is about offering useful shorthands.
So a facility like "!role" seems potentially useful. Maybe it's not
really, but I don't think we should reject it just because there's
a verbose and non-obvious way to get the same result.
regards, tom lane