Role membership of superusers is only by explicit membership for HBA.

Document that this rule applies to 'samerole' as well as to named roles. Per gripe from Tom Lane.
author: Andrew Dunstan 2011-11-03 20:29:41 +0000
committer: Andrew Dunstan 2011-11-03 20:29:41 +0000
commit: f66c8252ab9a64dd49a0af2b481a2621dd008768 (patch)
tree: 49fab9e8ecc09d99bbc14872b5b1012bfd73992a
parent: 84b8fcaa923259d6f7daf228183ecbeb924dc950 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 6493d302c7f..31ce45d4ca2 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -186,6 +186,10 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
        the requested user must be a member of the role with the same
        name as the requested database.  (<literal>samegroup</> is an
        obsolete but still accepted spelling of <literal>samerole</>.)
+       Superusers are not considered to be members of a role for the
+       purposes of <literal>samerole</> unless they are explicitly
+       members of the role, directly or indirectly, and not just by 
+       virtue of being a superuser.
        The value <literal>replication</> specifies that the record
        matches if a replication connection is requested (note that
        replication connections do not specify any particular database).
author	Andrew Dunstan	2011-11-03 20:29:41 +0000
committer	Andrew Dunstan	2011-11-03 20:29:41 +0000
commit	f66c8252ab9a64dd49a0af2b481a2621dd008768 (patch)
tree	49fab9e8ecc09d99bbc14872b5b1012bfd73992a
parent	84b8fcaa923259d6f7daf228183ecbeb924dc950 (diff)