From: Bruce Momjian
To: Tom Lane
CC: Scott Marlowe, pgsql-docs@postgresql.org
Subject: Re: order of entries in admin docs
Date: Wed, 7 May 2008 12:34:06 -0400 (EDT)

Tom Lane wrote:
> Something else that ought to be considered here is that now that we have
> CONNECT privilege for databases, manipulating privileges is a lot saner
> way to control who-can-connect-where than setting up fancy combinations
> of user and database entries in pg_hba.conf.  AFAIR there is no mention
> of this alternative in Chapter 21, but it seems like there ought to be.
> With your proposed reorganization, that would become a forward
> reference; is that OK?

We do have a "Tip" about this in the pg_hba.conf section:

	http://developer.postgresql.org/pgdocs/postgres/auth-pg-hba-conf.html

	Tip: To connect to a particular database, a user must not only pass
	the pg_hba.conf checks, but must have the CONNECT privilege for the
	database. If you wish to restrict which users can connect to which
	databases, it's usually easier to control this by granting/revoking
	CONNECT privilege than to put the rules into pg_hba.conf entries.

Do we need more?

-- 
  Bruce Momjian  http://momjian.us
  EnterpriseDB   http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
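
The approach described in the Tip, as an added example that is not part of the original message or the PostgreSQL documentation. The database name `sales` and the roles `app_sales` and `analyst` are hypothetical; the point it adds is that PUBLIC holds CONNECT on a database by default, so a per-role grant restricts nothing until that default is revoked.

```sql
-- Added illustration; sales, app_sales and analyst are hypothetical names.
-- pg_hba.conf stays generic and only decides how clients authenticate,
-- for instance one constructed line covering every database and user:
--   host  all  all  10.0.0.0/8  scram-sha-256

-- Inspect the current ACL. A NULL datacl means the built-in default,
-- which gives PUBLIC both CONNECT and TEMPORARY on the database.
SELECT datname, datacl
FROM pg_database
WHERE datname = 'sales';

-- Remove the default so that CONNECT becomes an explicit allow-list.
REVOKE CONNECT ON DATABASE sales FROM PUBLIC;

-- Allow only the roles that are meant to reach this database.
GRANT CONNECT ON DATABASE sales TO app_sales;

-- Check the effective privilege per role. Membership in a granted role
-- counts, and superusers bypass the check entirely, so audit both
-- role membership and the rolsuper flag alongside this result.
SELECT r.rolname,
       r.rolsuper,
       has_database_privilege(r.rolname, 'sales', 'CONNECT') AS can_connect
FROM pg_roles AS r
WHERE r.rolname IN ('app_sales', 'analyst')
ORDER BY r.rolname;
```

A role that fails this privilege check is refused at connection time even when a pg_hba.conf entry matches it, which is the two-step check the Tip describes.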