Role membership of superusers is only by explicit membership for HBA.

Document that this rule applies to 'samerole' as well as to named roles. Per gripe from Tom Lane.
2025-03-07 19:47:50 +08:00 · 2011-11-03 16:29:41 -04:00 · 2011-11-03 16:29:41 -04:00 · f66c8252ab
commit f66c8252ab
parent 84b8fcaa92
1 changed files with 4 additions and 0 deletions
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@ -186,6 +186,10 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
       the requested user must be a member of the role with the same
       name as the requested database.  (<literal>samegroup</> is an
       obsolete but still accepted spelling of <literal>samerole</>.)
+       Superusers are not considered to be members of a role for the
+       purposes of <literal>samerole</> unless they are explicitly
+       members of the role, directly or indirectly, and not just by 
+       virtue of being a superuser.
       The value <literal>replication</> specifies that the record
       matches if a replication connection is requested (note that
       replication connections do not specify any particular database).