Discussion: Adding line to pg_hba.conf for a specific group makes superuser authentication fail in 9.0?


Adding line to pg_hba.conf for a specific group makes superuser authentication fail in 9.0?

From
Glyn Astill
Date:
Hi Guys,

I'm having what's hopefully a fairly trivial issue here with pg_hba.conf in 9.0.4; when I add in the following line

        host    all         +ad_users   10.10.0.0/16          ldap <ldap details>

If I try to log in with a superuser account from the 10.10.0.0/16 network it appears to try to authenticate it against that entry via ldap.

This didn't happen in 8.4.8, what could I be missing?

Thanks
Glyn


Glyn Astill <glynastill@yahoo.co.uk> writes:
> I'm having what's hopefully a fairly trivial issue here with pg_hba.conf in 9.0.4; when I add in the following line

>         host    all         +ad_users   10.10.0.0/16          ldap <ldap details>

> If I try to log in with a superuser account from the 10.10.0.0/16 network it appears to try to authenticate it against that entry via ldap.

> This didn't happen in 8.4.8, what could I be missing?

Well, a superuser is automatically considered a member of any group,
so a match to that line would be expected IMO.  If you don't want that,
you need some more-specific line ahead of it to catch superusers.

            regards, tom lane

> From: Tom Lane <tgl@sss.pgh.pa.us>

> Glyn Astill <glynastill@yahoo.co.uk> writes:
>> I'm having what's hopefully a fairly trivial issue here with pg_hba.conf in 9.0.4; when I add in the following line
>
>>         host    all         +ad_users   10.10.0.0/16          ldap <ldap details>
>
>> If I try to log in with a superuser account from the 10.10.0.0/16 network it appears to try to authenticate it against that entry via ldap.
>
>> This didn't happen in 8.4.8, what could I be missing?
>
> Well, a superuser is automatically considered a member of any group,
> so a match to that line would be expected IMO.  If you don't want that,
> you need some more-specific line ahead of it to catch superusers.
>
>             regards, tom lane
>

Well that's all new to me, surely this is a bug?

How can I specifically catch superusers?


Re: Adding line to pg_hba.conf for a specific group makes superuser authentication fail in 9.0?

From
"Kevin Grittner"
Date:
Glyn Astill <glynastill@yahoo.co.uk> wrote:

> How can I specifically catch superusers?

Create a group (nobody?) that you don't grant to any users.  Only
superusers will be a member of it.

-Kevin

> From: Kevin Grittner <Kevin.Grittner@wicourts.gov>

>Glyn Astill <glynastill@yahoo.co.uk> wrote:
>
>>  How can I specifically catch superusers?
>
> Create a group (nobody?) that you don't grant to any users.  Only
> superusers will be a member of it.
>

Ah of course, simple, thanks Kevin.

I can't help but feel that there should be something in the docs for 9.0 to specify this, since it is a behaviour difference from 8.4 and earlier.

The docs (http://www.postgresql.org/docs/9.0/interactive/auth-pg-hba-conf.html) do say:

"Recall that there is no real distinction between users and groups in PostgreSQL; a + mark really means "match any of the roles that are directly or indirectly members of this role", while a name without a + mark matches only that specific role"

Maybe the docs should be embellished to also say "since a superuser is automatically considered a member of any group, it should be taken into account that names with a + mark will affect all superusers (although this was not the case prior to 9.0)" or something along those lines.

Glyn 


Re: Adding line to pg_hba.conf for a specific group makes superuser authentication fail in 9.0?

From
"Kevin Grittner"
Date:
Glyn Astill <glynastill@yahoo.co.uk> wrote:

> Maybe the docs should be embellished to also say "since a
> superuser is automatically considered a member of any group, it
> should be taken into account that names with a + mark will affect
> all superusers (although this was not the case prior to 9.0)" or
> something along those lines.

That seems like a good idea to me.  I can't help but think that
someone, somewhere is going to create a "suspended" role to assign
to logins which they want temporarily disabled, put that at the top
of pg_hba.conf, and not be amused by the results.

When I dig out from under some other issues, I'll put together a
docs patch to propose something like the above, if nobody beats me
to it.

-Kevin
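To make the first-match behaviour discussed in this thread concrete, here is an added toy model of pg_hba.conf evaluation. It is example code written for this page, not PostgreSQL's own hba.c: it implements only the rules the thread relies on (lines are tried top to bottom, the first matching line decides the method, `+role` matches members of that role, and, as Tom describes for 9.0, a superuser counts as a member of every role, selectable here with a flag so the 8.4-style result can be compared). The three config snippets, the role names (`nobody`, `suspended`, `alice`, `bob`), the database name and the client addresses are all constructed for illustration; the `nobody` config is Kevin's fix from earlier in the thread, and the `suspended` config is the foot-gun he describes in his last message.

```python
"""Toy model of pg_hba.conf first-match evaluation (added example, not PostgreSQL code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed: the single line from the original report (ldap options omitted).
HBA_ORIGINAL = """
host    all   +ad_users   10.10.0.0/16   ldap
"""

# Constructed: Kevin's fix. "nobody" is a role no user is GRANTed, so under the
# 9.0 rule only superusers (members of every role) match the first line and
# everyone else falls through to the ldap line.
HBA_FIXED = """
host    all   +nobody     10.10.0.0/16   md5
host    all   +ad_users   10.10.0.0/16   ldap
"""

# Constructed: the "suspended" pattern Kevin warns about. Under the 9.0 rule the
# superuser matches the reject line too, so the admin locks themselves out.
HBA_SUSPENDED = """
host    all   +suspended  0.0.0.0/0      reject
host    all   all         10.10.0.0/16   md5
"""


@dataclass
class HbaLine:
    conn_type: str
    database: str
    user: str
    address: str
    method: str


def parse_hba(text: str) -> List[HbaLine]:
    """Parse the first five whitespace-separated fields of each non-comment line."""
    parsed = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) < 5:
            raise ValueError(f"malformed pg_hba line: {raw!r}")
        parsed.append(HbaLine(*fields[:5]))   # trailing auth options are ignored
    return parsed


def user_field_matches(field: str, role: str, memberships: Dict[str, Set[str]],
                       is_superuser: bool, superuser_in_all_groups: bool) -> bool:
    """Apply the user column: 'all', '+group' (membership) or an exact role name."""
    if field == "all":
        return True
    if field.startswith("+"):
        group = field[1:]
        if is_superuser and superuser_in_all_groups:
            return True                      # the 9.0 behaviour Tom describes
        return role == group or group in memberships.get(role, set())
    return field == role


def auth_method(hba: List[HbaLine], role: str, client_ip: str,
                memberships: Dict[str, Set[str]], superusers: Set[str],
                superuser_in_all_groups: bool = True,
                database: str = "app") -> Optional[str]:
    """Return the method of the first matching line, or None when no line matches
    (PostgreSQL rejects the connection in that case)."""
    ip = ipaddress.ip_address(client_ip)
    for line in hba:
        if line.conn_type != "host":
            continue
        if line.database not in ("all", database):   # toy: no sameuser/replication keywords
            continue
        if line.address != "all" and ip not in ipaddress.ip_network(line.address, strict=False):
            continue
        if not user_field_matches(line.user, role, memberships,
                                  role in superusers, superuser_in_all_groups):
            continue
        return line.method
    return None


MEMBERSHIPS = {"alice": {"ad_users"}}   # constructed: alice is a domain user, bob is nobody's member
SUPERUSERS = {"postgres"}


if __name__ == "__main__":
    for label, text in (("original", HBA_ORIGINAL), ("fixed", HBA_FIXED), ("suspended", HBA_SUSPENDED)):
        hba = parse_hba(text)
        for who in ("postgres", "alice", "bob"):
            v90 = auth_method(hba, who, "10.10.1.5", MEMBERSHIPS, SUPERUSERS)
            v84 = auth_method(hba, who, "10.10.1.5", MEMBERSHIPS, SUPERUSERS, superuser_in_all_groups=False)
            print(f"{label:10} {who:9} 9.0-rule={v90!s:6} 8.4-rule={v84!s}")
```

Running it shows the superuser landing on `ldap` with the original single line, on `md5` once the `+nobody` line is placed ahead of it, and on `reject` with the `suspended` config, while `alice` still reaches `ldap` and `bob` matches nothing. On a real server the role for Kevin's fix is created with `CREATE ROLE nobody NOLOGIN;` and never granted to anyone; because a superuser is treated as a member of every role, `SELECT pg_has_role('postgres', 'nobody', 'member')` returns true and confirms which line the superuser will hit.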