Doc: Outline REPLICATION before SUPERUSER privilege

The following docs are updated:
- High-availaility section
- pg_basebackup
- pg_receivewal

Per the principle of least privilege, we want to encourage users to
interact with those areas using roles that have replication rights, but
superusers were mentioned first.

Author: Daniel Gustafsson
Reviewed-by: Fujii Masao, Michael Paquier
Discussion: https://postgr.es/m/ECEBD212-7101-41EB-84F3-2F356E4B6401@yesql.se

doc/src/sgml/high-availability.sgml

@@ -827,12 +827,14 @@ archive_cleanup_command = 'pg_archivecleanup /path/to/archive %r'
      It is very important that the access privileges for replication be set up
      so that only trusted users can read the WAL stream, because it is
      easy to extract privileged information from it.  Standby servers must
-     authenticate to the primary as a superuser or an account that has the
+     authenticate to the primary as an account that has the
-     <literal>REPLICATION</literal> privilege. It is recommended to create a
+     <literal>REPLICATION</literal> privilege or a superuser. It is
-     dedicated user account with <literal>REPLICATION</literal> and <literal>LOGIN</literal>
+     recommended to create a dedicated user account with
-     privileges for replication. While <literal>REPLICATION</literal> privilege gives
+     <literal>REPLICATION</literal> and <literal>LOGIN</literal>
-     very high permissions, it does not allow the user to modify any data on
+     privileges for replication. While <literal>REPLICATION</literal>
-     the primary system, which the <literal>SUPERUSER</literal> privilege does.
+     privilege gives very high permissions, it does not allow the user to
+     modify any data on the primary system, which the
+     <literal>SUPERUSER</literal> privilege does.
     </para>
 
     <para>

doc/src/sgml/ref/pg_basebackup.sgml

@@ -51,8 +51,8 @@ PostgreSQL documentation
   <para>
    The backup is made over a regular <productname>PostgreSQL</productname>
    connection, and uses the replication protocol. The connection must be made
-   with a superuser or a user having <literal>REPLICATION</literal>
+   with a user having <literal>REPLICATION</literal> permissions
-   permissions (see <xref linkend="role-attributes"/>),
+   (see <xref linkend="role-attributes"/>) or a superuser,
    and <filename>pg_hba.conf</filename> must explicitly permit the replication
    connection. The server must also be configured
    with <xref linkend="guc-max-wal-senders"/> set high enough to leave at least

doc/src/sgml/ref/pg_receivewal.sgml

@@ -68,12 +68,13 @@ PostgreSQL documentation
   <para>
    The write-ahead log is streamed over a regular
    <productname>PostgreSQL</productname> connection and uses the replication
-   protocol. The connection must be made with a superuser or a user
+   protocol. The connection must be made with a user having 
-   having <literal>REPLICATION</literal> permissions (see
+   <literal>REPLICATION</literal> permissions (see
-   <xref linkend="role-attributes"/>), and <filename>pg_hba.conf</filename>
+   <xref linkend="role-attributes"/>) or a superuser, and
-   must permit the replication connection. The server must also be
+   <filename>pg_hba.conf</filename> must permit the replication connection.
-   configured with <xref linkend="guc-max-wal-senders"/> set high enough to
+   The server must also be configured with
-   leave at least one session available for the stream.
+   <xref linkend="guc-max-wal-senders"/> set high enough to leave at least
+   one session available for the stream.
   </para>
 
   <para>