From 94cd0f1ad8af722a48a30a1087377b52ca99d633 Mon Sep 17 00:00:00 2001 From: Andrew Dunstan Date: Thu, 3 Nov 2011 12:45:02 -0400 Subject: Do not treat a superuser as a member of every role for HBA purposes. This makes it possible to use reject lines with group roles. Andrew Dunstan, reviewed by Robert Haas. --- doc/src/sgml/client-auth.sgml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'doc/src') diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index f6f858d4740..6493d302c7f 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -210,7 +210,10 @@ hostnossl database user in PostgreSQL; a + mark really means match any of the roles that are directly or indirectly members of this role, while a name without a + mark matches - only that specific role.) + only that specific role.) For this purpose, a superuser is only + considered to be a member of a role if they are explicitly a member + of the role, directly or indirectly, and not just by virtue of + being a superuser. Multiple user names can be supplied by separating them with commas. A separate file containing user names can be specified by preceding the file name with @. -- cgit v1.2.3
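Review bot: The sentence added after "only that specific role.)" states the new membership rule but not what it means for an existing pg_hba.conf. Per the commit message, superusers were previously treated as members of every role for HBA purposes, so a line whose user field is a + group name will stop matching a superuser who is not an explicit member of that group, and that superuser will fall through to whatever later line matches instead. I would add one sentence saying so, so that administrators know to re-check which line their superuser connections now hit. The paragraph could also mention the motivation the commit message gives, that reject lines can now be used with group roles without catching every superuser, since the doc text alone does not explain why the exception exists. The view here is limited to doc/src, so the note covers the wording only and not the code that implements the rule.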