
Commit 94cd0f1

Do not treat a superuser as a member of every role for HBA purposes.

This makes it possible to use reject lines with group roles.

Andrew Dunstan, reviewed by Robert Haas.
1 parent 3b06105 commit 94cd0f1

2 files changed: 11 additions, 3 deletions

doc/src/sgml/client-auth.sgml

Lines changed: 4 additions & 1 deletion
@@ -210,7 +210,10 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>
210210
in <productname>PostgreSQL</>; a <literal>+</> mark really means
211211
<quote>match any of the roles that are directly or indirectly members
212212
of this role</>, while a name without a <literal>+</> mark matches
213-
only that specific role.)
213+
only that specific role.) For this purpose, a superuser is only
214+
considered to be a member of a role if they are explicitly a member
215+
of the role, directly or indirectly, and not just by virtue of
216+
being a superuser.
214217
Multiple user names can be supplied by separating them with commas.
215218
A separate file containing user names can be specified by preceding the
216219
file name with <literal>@</>.
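Review bot: the new sentence at lines 213-216 states the rule but not its consequence for existing configurations: a <literal>+</>group entry that previously matched every superuser will stop matching superusers that are not explicit (direct or indirect) members of that group, which can lock such a superuser out of an entry meant to admit them, while a reject line with a <literal>+</>group now rejects only explicit members. Suggest adding a sentence along the lines of "A superuser that is meant to match a <literal>+</> entry must therefore be listed explicitly or be made a member of the group", and flagging the change in the release notes since it alters the semantics of existing pg_hba.conf files. Minor: "if they are explicitly a member" pairs a plural pronoun with the singular "a superuser"; "if it is explicitly a member" reads cleaner.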

src/backend/libpq/hba.c

Lines changed: 7 additions & 2 deletions
@@ -442,8 +442,13 @@ is_member(Oid userid, const char *role)
442442
if (!OidIsValid(roleid))
443443
return false;/* if target role not exist, say "no" */
444444

445-
/* See if user is directly or indirectly a member of role */
446-
returnis_member_of_role(userid,roleid);
445+
/*
446+
* See if user is directly or indirectly a member of role.
447+
* For this purpose, a superuser is not considered to be automatically
448+
* a member of the role, so group auth only applies to explicit
449+
* membership.
450+
*/
451+
returnis_member_of_role_nosuper(userid,roleid);
447452
}
448453

449454
/*
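Review bot: the swap from is_member_of_role() to is_member_of_role_nosuper() at line 451 carries no regression test for the behaviour the commit message is meant to enable (a reject line with a +role that no longer catches superusers), so a later regression in the helper's superuser handling would pass unnoticed; a pg_hba.conf based test with a superuser that is not a member of the group would cover it. Also worth confirming that is_member_of_role_nosuper() still honours indirect membership as the new comment at lines 446-449 promises ("directly or indirectly"), since within this hunk the comment is the only statement of that guarantee. Keeping the early return for a nonexistent target role at lines 442-443 is right: an unknown role in a +group entry must match nobody, superuser or not.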
