Change logical replication pg_hba.conf use

petere · petere · commit 8df9bd0b445f · 2017-03-22T11:19:30.000-04:00
Logical replication no longer uses the "replication" keyword.  It just
matches database entries in the normal way.  The "replication" keyword
now only applies to physical replication.

Reviewed-by: Petr Jelinek &lt;petr.jelinek@2ndquadrant.com&gt;
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
@@ -193,7 +193,7 @@ hostnossl  <replaceable>database</replaceable>  <replaceable>user</replaceable>
        members of the role, directly or indirectly, and not just by
        virtue of being a superuser.
        The value <literal>replication</> specifies that the record
-       matches if a replication connection is requested (note that
+       matches if a physical replication connection is requested (note that
        replication connections do not specify any particular database).
        Otherwise, this is the name of
        a specific <productname>PostgreSQL</productname> database.
diff --git a/doc/src/sgml/logical-replication.sgml b/doc/src/sgml/logical-replication.sgml
@@ -295,11 +295,9 @@
   <title>Security</title>
 
   <para>
-   Logical replication connections occur in the same way as with physical streaming
-   replication.  It requires access to be explicitly given using
-   <filename>pg_hba.conf</filename>.  The role used for the replication
-   connection must have the <literal>REPLICATION</literal> attribute.  This
-   gives a role access to both logical and physical replication.
+   The role used for the replication connection must have
+   the <literal>REPLICATION</literal> attribute.  Access for the role must be
+   configured in <filename>pg_hba.conf</filename>.
   </para>
 
   <para>
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
@@ -612,9 +612,9 @@ check_db(const char *dbname, const char *role, Oid roleid, List *tokens)
 	foreach(cell, tokens)
 	{
 		tok = lfirst(cell);
-		if (am_walsender)
+		if (am_walsender && !am_db_walsender)
 		{
-			/* walsender connections can only match replication keyword */
+			/* physical replication walsender connections can only match replication keyword */
 			if (token_is_keyword(tok, "replication"))
 				return true;
 		}

Original file line number	Diff line number	Diff line change
`@@ -612,9 +612,9 @@ check_db(const char dbname, const char role, Oid roleid, List *tokens)`
`612`	`612`	`foreach(cell, tokens)`
`613`	`613`	`{`
`614`	`614`	`tok = lfirst(cell);`
`615`		`- if (am_walsender)`
	`615`	`+ if (am_walsender && !am_db_walsender)`
`616`	`616`	`{`
`617`		`- /* walsender connections can only match replication keyword */`
	`617`	`+ /* physical replication walsender connections can only match replication keyword */`
`618`	`618`	`if (token_is_keyword(tok, "replication"))`
`619`	`619`	`return true;`
`620`	`620`	`}`