Do not treat a superuser as a member of every role for HBA purposes.

This makes it possible to use reject lines with group roles. Andrew Dunstan, reviewd by Robert Haas.
2025-07-28 23:42:10 +03:00 · 2011-11-03 12:45:02 -04:00
parent 3b06105c7d
commit 94cd0f1ad8
2 changed files with 11 additions and 3 deletions
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@ -210,7 +210,10 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
       in <productname>PostgreSQL</>; a <literal>+</> mark really means
       <quote>match any of the roles that are directly or indirectly members
       of this role</>, while a name without a <literal>+</> mark matches
-       only that specific role.)
+       only that specific role.) For this purpose, a superuser is only
+       considered to be a member of a role if they are explicitly a member
+       of the role, directly or indirectly, and not just by virtue of
+       being a superuser.
       Multiple user names can be supplied by separating them with commas.
       A separate file containing user names can be specified by preceding the
       file name with <literal>@</>.