From 8df9bd0b445f9bd6134915d4417efde6e85e3add Mon Sep 17 00:00:00 2001
From: Peter Eisentraut <peter_e@gmx.net>
Date: Mon, 13 Feb 2017 16:50:29 -0500
Subject: [PATCH] Change logical replication pg_hba.conf use

Logical replication no longer uses the "replication" keyword.  It just
matches database entries in the normal way.  The "replication" keyword
now only applies to physical replication.

Reviewed-by: Petr Jelinek <petr.jelinek@2ndquadrant.com>
---
 doc/src/sgml/client-auth.sgml         | 2 +-
 doc/src/sgml/logical-replication.sgml | 8 +++-----
 src/backend/libpq/hba.c               | 4 ++--
 3 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index bbd52a5418..d6b8c04edc 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -193,7 +193,7 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
        members of the role, directly or indirectly, and not just by
        virtue of being a superuser.
        The value <literal>replication</> specifies that the record
-       matches if a replication connection is requested (note that
+       matches if a physical replication connection is requested (note that
        replication connections do not specify any particular database).
        Otherwise, this is the name of
        a specific <productname>PostgreSQL</productname> database.
diff --git a/doc/src/sgml/logical-replication.sgml b/doc/src/sgml/logical-replication.sgml
index a6c04e923d..6da39d25e3 100644
--- a/doc/src/sgml/logical-replication.sgml
+++ b/doc/src/sgml/logical-replication.sgml
@@ -295,11 +295,9 @@
   <title>Security</title>
 
   <para>
-   Logical replication connections occur in the same way as with physical streaming
-   replication.  It requires access to be explicitly given using
-   <filename>pg_hba.conf</filename>.  The role used for the replication
-   connection must have the <literal>REPLICATION</literal> attribute.  This
-   gives a role access to both logical and physical replication.
+   The role used for the replication connection must have
+   the <literal>REPLICATION</literal> attribute.  Access for the role must be
+   configured in <filename>pg_hba.conf</filename>.
   </para>
 
   <para>
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 3817d249c4..7abcae618d 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -612,9 +612,9 @@ check_db(const char *dbname, const char *role, Oid roleid, List *tokens)
 	foreach(cell, tokens)
 	{
 		tok = lfirst(cell);
-		if (am_walsender)
+		if (am_walsender && !am_db_walsender)
 		{
-			/* walsender connections can only match replication keyword */
+			/* physical replication walsender connections can only match replication keyword */
 			if (token_is_keyword(tok, "replication"))
 				return true;
 		}
-- 
2.40.0