Re: superusers are members of all roles?
| От | Stephen Frost |
|---|---|
| Тема | Re: superusers are members of all roles? |
| Дата | |
| Msg-id | 20110407141439.GD4548@tamriel.snowman.net обсуждение исходный текст |
| Ответ на | Re: superusers are members of all roles? (Tom Lane <tgl@sss.pgh.pa.us>) |
| Список | pgsql-hackers |
* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> The problem here is that if Andrew had had the opposite case (a
> positive-logic hba entry requiring membership in some group to get into
> a database), and that had locked out superusers, he'd be on the warpath
> about that too. And with a lot more reason.
I disagree about this. I don't feel that the 'superuser is a member of
every role' behavior is what's really crucial here, it's that a
superuser can 'set role' to any other role and can grant/revoke
role memberships, and read every table, etc.
The fact that we're doing that by making the superuser be a member of
every role feels more like an implementation detail- one which has now
bitten us because it's affecting things that it really shouldn't. The
'+group' list should be derivable from pg_auth_members and not include
'implicit' roles.
Thanks,
Stephen
В списке pgsql-hackers по дате отправления: