diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index bbd52a5418d..d6b8c04edc5 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -193,7 +193,7 @@ hostnossl database user
members of the role, directly or indirectly, and not just by
virtue of being a superuser.
The value replication specifies that the record
- matches if a replication connection is requested (note that
+ matches if a physical replication connection is requested (note that
replication connections do not specify any particular database).
Otherwise, this is the name of
a specific PostgreSQL database.
diff --git a/doc/src/sgml/logical-replication.sgml b/doc/src/sgml/logical-replication.sgml
index a6c04e923da..6da39d25e38 100644
--- a/doc/src/sgml/logical-replication.sgml
+++ b/doc/src/sgml/logical-replication.sgml
@@ -295,11 +295,9 @@
Security
- Logical replication connections occur in the same way as with physical streaming
- replication. It requires access to be explicitly given using
- pg_hba.conf. The role used for the replication
- connection must have the REPLICATION attribute. This
- gives a role access to both logical and physical replication.
+ The role used for the replication connection must have
+ the REPLICATION attribute. Access for the role must be
+ configured in pg_hba.conf.
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index 3817d249c44..7abcae618db 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -612,9 +612,9 @@ check_db(const char *dbname, const char *role, Oid roleid, List *tokens)
foreach(cell, tokens)
{
tok = lfirst(cell);
- if (am_walsender)
+ if (am_walsender && !am_db_walsender)
{
- /* walsender connections can only match replication keyword */
+ /* physical replication walsender connections can only match replication keyword */
if (token_is_keyword(tok, "replication"))
return true;
}