Re: superusers are members of all roles?

From Christian Ullrich
Subject Re: superusers are members of all roles?
Date
Msg-id ink7es$4ub$1@dough.gmane.org
In reply to Re: superusers are members of all roles?  (Andrew Dunstan <andrew@dunslane.net>)
Responses Re: superusers are members of all roles?  (Andrew Dunstan <andrew@dunslane.net>)
List pgsql-hackers
* Andrew Dunstan wrote:

> On 04/07/2011 03:48 AM, Alastair Turner wrote:

>> Is the solution possibly to assign positive entries on the basis of
>> the superuser being a member of all groups but require negative
>> entries to explicitly specify that they apply to superuser?

> I think that's just about guaranteed to produce massive confusion. +foo
> should mean one thing, regardless of the rule type. I seriously doubt
> that very many people who work with this daily would agree with Tom's
> argument about what that should be.

What about adding a second group syntax that only evaluates explicit 
memberships? That way, everyone could pick which behavior they liked 
better, and Alastair's suggestion could be done that way, too:

host    all    *personae_non_gratae    0.0.0.0/0    reject
host    all    +foo                    0.0.0.0/0    md5

If, as Josh said, few users even know about the old syntax, there should 
not be much potential for confusion in adding a new one.

Additionally, most things that can be done with groups in pg_hba.conf 
can also be done using CONNECT privilege on databases.

-- 
Christian
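
Added example, not part of the original message and not PostgreSQL code: a small model of first-match rule evaluation over the two lines above, comparing "+group" (superuser counts as a member of every group) with the proposed "*group" (explicit memberships only). The role names, memberships and the "*" handling are constructed for illustration; database and address fields are not evaluated, and nested memberships are ignored.

```python
# Constructed role data: explicit group memberships and superuser flags.
MEMBERS = {"personae_non_gratae": {"mallory"}, "foo": {"alice"}}
SUPERUSERS = {"postgres"}

# The two lines from the message. "*group" is the syntax proposed there,
# modelled here as an assumption; it is not an existing pg_hba.conf feature.
HBA = """\
host    all    *personae_non_gratae    0.0.0.0/0    reject
host    all    +foo                    0.0.0.0/0    md5
"""


def user_matches(field, user):
    """Match one pg_hba-style user field against a connecting role."""
    if field == "all":
        return True
    if field[0] in "+*":
        explicit = user in MEMBERS.get(field[1:], set())
        if field[0] == "*":  # proposed syntax: explicit memberships only
            return explicit
        # "+": a superuser is treated as a member of every group
        return explicit or user in SUPERUSERS
    return field == user


def decide(hba_text, user):
    """Return the auth method of the first rule whose user field matches."""
    for line in hba_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0].startswith("#"):
            continue
        _type, _db, field, _addr, method = parts
        if user_matches(field, user):
            return method
    return "implicit reject"  # no rule matched


if __name__ == "__main__":
    # Same rules, but with the reject line written using "+" instead of "*".
    plus_only = HBA.replace("*personae", "+personae")
    print("user", "with *group", "with +group", sep="\t")
    for user in ("postgres", "alice", "mallory", "bob"):
        print(user, decide(HBA, user), decide(plus_only, user), sep="\t")
```

With the reject rule written as "+personae_non_gratae", the superuser falls into the reject line before ever reaching the md5 rule; with "*" only the explicit member is rejected.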


