pg-upgrade fails when gitlab-psql can't su

Summary

When upgrading gitlab from 10.x to 11.x or higher, the following error is reported:

STDERR: su: cannot open session: Permission denied

Steps to reproduce

Running

gitlab-ctl pg-upgrade

or

yum upgrade gitlab-ce-11.11.8

AND the system has implemented the /etc/security/access.conf. Unless the gitlab-psql user is explicitly listed in the access.conf file, the upgrade will fail. I haven't run into any other case where that user needs to login therefore adding that user to the access.conf file seems like overkill in our environments that strictly enforce least privilege.

What is the current bug behavior?

An upgrade will report:

STDERR: su: cannot open session: Permission denied

Possible fixes

Rather than using su, perhaps the sg command can be used instead.