On 04/07/2011 03:48 AM, Alastair Turner wrote:
>>>
>>> The problem here is that if Andrew had had the opposite case (a
>>> positive-logic hba entry requiring membership in some group to get into
>>> a database), and that had locked out superusers, he'd be on the warpath
>>> about that too. And with a lot more reason.
>> In such a case I could add the superusers to the role explicitly, or make
>> the rule cover superusers as well. But as the situation is now, any rule
>> covering a group covers superusers, whether I want it to or not. I'd rather
>> have a choice in the matter (and it's clear I'm not alone in that).
>>
>> The introduction of hot standby has made this pattern more likely to occur.
>> It happened here because we have a bunch of users that are allowed to
>> connect to the standby but not to the master, and the rules I was trying to
>> implement were designed to enforce that exclusion.
>>
> Is the solution possibly to assign positive entries on the basis of
> the superuser being a member of all groups but require negative
> entries to explicitly specify that they apply to superuser?
>
> That would provide least surprise for the simplistic concept of
> superuser - a user who can do anything any other user can - and allow
> for superuser remote access to be restricted if desired.
>
I think that's just about guaranteed to produce massive confusion. +foo
should mean one thing, regardless of the rule type. I seriously doubt
that very many people who work with this daily would agree with Tom's
argument about what that should be.
cheers
andrew