Role membership of superusers is only by explicit membership for HBA.

Document that this rule applies to 'samerole' as well as to named roles. Per gripe from Tom Lane.

Role membership of superusers is only by explicit membership for HBA.
Document that this rule applies to 'samerole' as well as to named roles. Per gripe from Tom Lane.
f66c8252 · Andrew Dunstan · 84b8fcaa · f66c8252
Commit f66c8252 authored Nov 03, 2011 by Andrew Dunstan
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

doc/src/sgml/client-auth.sgml doc/src/sgml/client-auth.sgml +4 -0

No files found.
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -186,6 +186,10 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
       the requested user must be a member of the role with the same
       name as the requested database.  (<literal>samegroup</> is an
       obsolete but still accepted spelling of <literal>samerole</>.)
+       Superusers are not considered to be members of a role for the
+       purposes of <literal>samerole</> unless they are explicitly
+       members of the role, directly or indirectly, and not just by 
+       virtue of being a superuser.
       The value <literal>replication</> specifies that the record
       matches if a replication connection is requested (note that
       replication connections do not specify any particular database).