On Tue, Nov 23, 2010 at 10:29 AM, Tom Lane <t...@sss.pgh.pa.us> wrote:
> "Kaiting Chen" <kaitocr...@gmail.com> writes:
>> From this pg_hba configuration as the user 'kaiting.chen' is not in role
>> 'service' the second entry in the table should be skipped and he should
>> authenticate via GSSAPI. However this does not happen.
>
> I believe the definition of "in role" we use here is "has the privileges
> of role". Since kaiting.chen is a superuser, all privilege tests will
> succeed for him, including that one. IOW, a superuser is automatically
> a member of every role. This isn't a bug.

I guess it's not a bug if we did it that way on purpose, but it seems
like testing for actual group membership would be less surprising.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--
Sent via pgsql-bugs mailing list (pgsql-bugs@postgresql.org)
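
The two definitions of "in role" contrasted in this message, modelled as an added example that is not part of the thread and not PostgreSQL's code. The pg_hba entries, the roles other than 'service' and 'kaiting.chen', and the non-GSSAPI methods are constructed assumptions.

```python
# Constructed model of pg_hba "+role" matching; not PostgreSQL source code.
# All names except 'service' and 'kaiting.chen', and every auth method
# except gss, are assumptions made for this example.

SUPERUSERS = {"kaiting.chen"}
# role -> direct members (a member may itself be a role with members)
MEMBERS = {"service": {"app_backend"}, "app_backend": {"deploy_bot"}}

# Simplified entries (user field, auth method), evaluated top to bottom.
HBA = [
    ("postgres", "peer"),
    ("+service", "md5"),   # the "second entry" the report expected to be skipped
    ("all", "gss"),
]

def is_actual_member(user, role, seen=None):
    """True only if user is the role itself or a direct/indirect member."""
    if user == role:
        return True
    seen = seen if seen is not None else set()
    if role in seen:          # guard against membership cycles
        return False
    seen.add(role)
    return any(is_actual_member(user, m, seen) for m in MEMBERS.get(role, ()))

def has_privileges_of(user, role):
    """The definition described in the thread: superusers pass every test."""
    return user in SUPERUSERS or is_actual_member(user, role)

def user_field_matches(field, user, in_role):
    if field == "all":
        return True
    if field.startswith("+"):
        return in_role(user, field[1:])
    return field == user

def auth_method(user, in_role):
    """Return (entry number, method) of the first matching entry."""
    for lineno, (field, method) in enumerate(HBA, start=1):
        if user_field_matches(field, user, in_role):
            return lineno, method
    return None, "reject"     # no matching entry: connection is refused

if __name__ == "__main__":
    for check in (has_privileges_of, is_actual_member):
        print(check.__name__, auth_method("kaiting.chen", check))
```

Because the first matching entry wins, the superuser stops at the `+service` line under the privilege-based definition and never reaches the GSSAPI entry; under actual membership the same user falls through to it.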