Change logical replication pg_hba.conf use

Logical replication no longer uses the "replication" keyword.  It just
matches database entries in the normal way.  The "replication" keyword
now only applies to physical replication.

Reviewed-by: Petr Jelinek <petr.jelinek@2ndquadrant.com>

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index bbd52a5418d93771d35839654350e77d8b7f1519..d6b8c04edc5387ea23f7cb5ac2aa3dacc5f5be41 100644 (file)
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -193,7 +193,7 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
        members of the role, directly or indirectly, and not just by
        virtue of being a superuser.
        The value <literal>replication</> specifies that the record
-       matches if a replication connection is requested (note that
+       matches if a physical replication connection is requested (note that
        replication connections do not specify any particular database).
        Otherwise, this is the name of
        a specific <productname>PostgreSQL</productname> database.

diff --git a/doc/src/sgml/logical-replication.sgml b/doc/src/sgml/logical-replication.sgml
index a6c04e923da67ed1663bb1da93970d924cb83241..6da39d25e38d3d8361199e7d8108d9ab6eeb5f21 100644 (file)
--- a/doc/src/sgml/logical-replication.sgml
+++ b/doc/src/sgml/logical-replication.sgml
@@ -295,11 +295,9 @@
   <title>Security</title>
 
   <para>
-   Logical replication connections occur in the same way as with physical streaming
-   replication.  It requires access to be explicitly given using
-   <filename>pg_hba.conf</filename>.  The role used for the replication
-   connection must have the <literal>REPLICATION</literal> attribute.  This
-   gives a role access to both logical and physical replication.
+   The role used for the replication connection must have
+   the <literal>REPLICATION</literal> attribute.  Access for the role must be
+   configured in <filename>pg_hba.conf</filename>.
   </para>
 
   <para>

diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 3817d249c44533d1daee7e9b6d985de41e3f4776..7abcae618db5ece859c1c4f1456c6bacebd7e045 100644 (file)
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -612,9 +612,9 @@ check_db(const char *dbname, const char *role, Oid roleid, List *tokens)
        foreach(cell, tokens)
        {
                tok = lfirst(cell);
-               if (am_walsender)
+               if (am_walsender && !am_db_walsender)
                {
-                       /* walsender connections can only match replication keyword */
+                       /* physical replication walsender connections can only match replication keyword */
                        if (token_is_keyword(tok, "replication"))
                                return true;
                }