Update LDR privileges for v25.2

[katmayb]

Fixes DOC-12962, DOC-12786

This PR updates the LDR privileges for v25.2.

Adds the REPLICATIONDEST and REPLICATIONSOURCE privilege. Deprecates the REPLICATION privilege.

Updates the SQL ref pages, tutorial for LDR, and general Auth page of privileges.

The tutorial content required some shuffling round to ensure the privilege instructions made logical sense.

Preview

Tutorial
Create logical replication stream
Create logically replicated

[github-actions]

Files changed:

• src/current/_includes/v25.2/sql/privileges.md:
• src/current/v25.2/revoke.md
• src/current/v25.2/security-reference/authorization.md
• src/current/v25.2/grant.md
• src/current/v25.2/create-logical-replication-stream.md
• src/current/v25.2/create-logically-replicated.md
• src/current/v25.2/set-up-logical-data-replication.md

[netlify]

✅ Deploy Preview for cockroachdb-interactivetutorials-docs canceled.

Name	Link
🔨 Latest commit	1a73f1e
🔍 Latest deploy log	https://app.netlify.com/sites/cockroachdb-interactivetutorials-docs/deploys/67f977edbc44c0000812a50a

[netlify]

✅ Deploy Preview for cockroachdb-api-docs canceled.

Name	Link
🔨 Latest commit	1a73f1e
🔍 Latest deploy log	https://app.netlify.com/sites/cockroachdb-api-docs/deploys/67f977ed79d88100085a6630

[katmayb]

This is not new content, I moved this up from one of the steps. Since the privilege instructions would have preceded these syntax descriptions, it made sense to pull this Syntax section up to the introduction.

[netlify]

✅ Netlify Preview

Name	Link
🔨 Latest commit	1a73f1e
🔍 Latest deploy log	https://app.netlify.com/sites/cockroachdb-docs/deploys/67f977ed8ca67700083ede7d
😎 Deploy Preview	https://deploy-preview-19518--cockroachdb-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[alicia-l2]

This LGTM - I have a bit of confusion about which user needs which privilege - I'm going to let Michael have the final say on that though.

[alicia-l2]

Do you mean that the user provided in the source must have this privilege? This line doesn't have a bullet point on it so it was a bit confusing to read.

[alicia-l2]

do we also need to call out that the user here should have the privilege?

[msbutler]

Thank you for doing this and sorry for such a slow review! I've been a bit under water lately.

[msbutler]

the CREATE LOGICAL REPLICATION STREAM syntax does not automatically set up a reverse stream. so i think this line can be rephrased. For "manually set up" bidi replication, the user essentially has to do the same auth exercises on both sides. E.g.

For setting up the stream from A to B, the user passed in for the URI to A must have the REPLICATIONSOURCE priv, and the user executing the command from B, needs to have the REPLICATIONDEST priv.

For setting up the stream from B to A, the user passed in for the URI to B must have the REPLICATIONSOURCE priv, and the user executing the command from A, needs to have the REPLICATIONDEST priv.

[msbutler]

we should also document that the user provided in the Dest URI must be the same user executing the CREATE LOGICALLY REPLICATED table cmd. For example, in this unit test:
https://github.com/jeffswenson/cockroach/blob/jeffswenson-workload-generate-decimals/pkg/crosscluster/logical/logical_replication_job_test.go#L2180
CREATE LOGICALLY REPLICATED TABLES (tab_clone_2, tab2_clone_2) FROM TABLES (tab, tab2) ON $1 WITH BIDIRECTIONAL ON $2
the user in the URI supplied at $2 must be the same user executing the CREATE LOGICALLY REPLICATED table cmd.

(I need to add a quick patch to assert this but higher priority things have gotten in the way)

[msbutler]

given my comments above on the slightly different reverse stream auth stories for bidi replication, I think this callout could be rephrased.