diff options
| author | Andrew Dunstan <andrew@dunslane.net> | 2011-11-03 12:45:02 -0400 |
|---|---|---|
| committer | Andrew Dunstan <andrew@dunslane.net> | 2011-11-03 12:45:02 -0400 |
| commit | 94cd0f1ad8af722a48a30a1087377b52ca99d633 (patch) | |
| tree | 81f19ed3c8699390334c169e7fa9d2d2e8e7bede /doc/src | |
| parent | 3b06105c7d999752177f98fdad20278d57804f8f (diff) | |
| download | postgresql-94cd0f1ad8af722a48a30a1087377b52ca99d633.tar.gz postgresql-94cd0f1ad8af722a48a30a1087377b52ca99d633.zip | |
Do not treat a superuser as a member of every role for HBA purposes.
This makes it possible to use reject lines with group roles.
Andrew Dunstan, reviewd by Robert Haas.
Diffstat (limited to 'doc/src')
| -rw-r--r-- | doc/src/sgml/client-auth.sgml | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index f6f858d4740..6493d302c7f 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -210,7 +210,10 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable> in <productname>PostgreSQL</>; a <literal>+</> mark really means <quote>match any of the roles that are directly or indirectly members of this role</>, while a name without a <literal>+</> mark matches - only that specific role.) + only that specific role.) For this purpose, a superuser is only + considered to be a member of a role if they are explicitly a member + of the role, directly or indirectly, and not just by virtue of + being a superuser. Multiple user names can be supplied by separating them with commas. A separate file containing user names can be specified by preceding the file name with <literal>@</>. |