allow specifying direct role membership in pg_hba.conf

From: Bossart, Nathan
Subject: allow specifying direct role membership in pg_hba.conf
Msg-id 3BE2E13A-5697-4290-8F94-32434E3A3E56@amazon.com
Replies: Re: allow specifying direct role membership in pg_hba.conf (Andrew Dunstan <andrew@dunslane.net>)
Re: allow specifying direct role membership in pg_hba.conf (Chapman Flack <chap@anastigmatix.net>)
List: pgsql-hackers
Hi hackers,

I've attached a small patch that allows specifying only direct members
of a group in pg_hba.conf.  The "+" prefix offered today matches both
direct and indirect role members, which may complicate some role
setups.  For example, if you have one set of roles that are members of
the "pam" role and another set that are members of the "scram-sha-256"
role, granting membership in a PAM role to a SCRAM role might
inadvertently modify the desired authentication method for the
grantee.  If only direct membership is considered, no such inadvertent
authentication method change would occur.

I chose "&" as a new group name prefix for this purpose.  This choice
seemed as good as any, but I'm open to changing it if anyone has
suggestions.  For determining direct role membership, I added a new
function in acl.c that matches other related functions.  I added a new
role cache type since it seemed to fit in reasonably well, but it seems
unlikely that there is any real performance benefit versus simply
open-coding the syscache lookup.

I didn't see any existing authentication tests for groups at first
glance.  If folks are interested in this functionality, I can work on
adding some tests for this stuff.

Nathan
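An added example, not part of Nathan's patch or of PostgreSQL itself: a small Python model of pg_hba.conf group matching that contrasts the existing "+" prefix (direct and indirect members) with the proposed "&" prefix (direct members only), using the PAM/SCRAM scenario from the message. The role names, grants and pg_hba lines are constructed, and a role counting as a member of itself is a simplifying assumption of the model.

```python
from collections import deque

# Constructed role graph: role -> roles granted to it directly. The entry for
# "scram-sha-256" models GRANT pam TO "scram-sha-256", which makes alice an
# indirect member of pam, the situation described in the message.
MEMBERSHIPS = {
    "alice": {"scram-sha-256"},
    "bob": {"pam"},
    "scram-sha-256": {"pam"},
}

# Constructed pg_hba.conf reduced to (role field, auth method); first match wins.
HBA_PLUS = [("+pam", "pam"), ("+scram-sha-256", "scram-sha-256")]
HBA_AMP = [("&pam", "pam"), ("&scram-sha-256", "scram-sha-256")]


def is_direct_member(role, group, memberships):
    # "&" semantics: only a direct grant counts. Treating a role as a member of
    # itself is a simplifying assumption of this model.
    return role == group or group in memberships.get(role, set())


def is_member(role, group, memberships):
    # "+" semantics: any chain of grants counts (breadth-first over the graph).
    seen, queue = set(), deque([role])
    while queue:
        cur = queue.popleft()
        if cur == group:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        queue.extend(memberships.get(cur, set()))
    return False


def spec_matches(spec, role, memberships):
    # One pg_hba role field: "+group", "&group" (proposed) or a plain role name.
    if spec.startswith("+"):
        return is_member(role, spec[1:], memberships)
    if spec.startswith("&"):
        return is_direct_member(role, spec[1:], memberships)
    return spec == role


def auth_method_for(role, hba_lines, memberships):
    # Auth method of the first matching line, or None when no line matches.
    for spec, method in hba_lines:
        if spec_matches(spec, role, memberships):
            return method
    return None
```

With the "+" lines, `auth_method_for("alice", HBA_PLUS, MEMBERSHIPS)` returns "pam" because the grant makes alice an indirect member of pam; with the "&" lines the same call returns "scram-sha-256", so the grant leaves alice's authentication method alone.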

