On Fri, Oct 07, 2022 at 07:59:08AM -0400, Robert Haas wrote: > I hadn't noticed this thread before. > > I'm not sure whether this is properly considered a privilege check. It > could even be an anti-privilege, if the pg_hba.conf line in question > is maked "reject". > > I'm not taking the position that what this patch does is wrong, but I > *am* taking the position that it's a judgement call what the correct > behavior is here.
The interpretation can go both ways I guess. Now I find the argument to treat a HBA entry based on privileges and not membership quite appealing in terms of consistency wiht SET ROLE, particularly considering the recent thread with predefined roles. Also, it seems to me here that it would become easier to reason around role hierarchies, one case being HBA entries that include predefined roles for the role(s) to match. -- Michael
signature.asc
Description: PGP signature
