* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> The problem here is that if Andrew had had the opposite case (a
> positive-logic hba entry requiring membership in some group to get into
> a database), and that had locked out superusers, he'd be on the warpath
> about that too. And with a lot more reason.
I disagree about this. I don't feel that the 'superuser is a member of
every role' behavior is what's really crucial here, it's that a
superuser can 'set role' to any other role and can grant/revoke
role memberships, and read every table, etc.
The fact that we're doing that by making the superuser be a member of
every role feels more like an implementation detail- one which has now
bitten us because it's affecting things that it really shouldn't. The
'+group' list should be derivable from pg_auth_members and not include
'implicit' roles.
Thanks,
Stephen