Role membership of superusers is only by explicit membership for HBA.

Document that this rule applies to 'samerole' as well as to named roles.

Per gripe from Tom Lane.

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 6493d302c7ff5de359aa213e29155239e0e5efd7..31ce45d4ca2e279697f1dad83e49e02469411039 100644 (file)
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -186,6 +186,10 @@ hostnossl  database  user
        the requested user must be a member of the role with the same
        name as the requested database.  (samegroup is an
        obsolete but still accepted spelling of samerole.)
+       Superusers are not considered to be members of a role for the
+       purposes of samerole unless they are explicitly
+       members of the role, directly or indirectly, and not just by 
+       virtue of being a superuser.
        The value replication specifies that the record
        matches if a replication connection is requested (note that
        replication connections do not specify any particular database).