standby promote: fall back to "pg_ctl promote" if necessary

From PostgreSQL 12, the SQL-level function "pg_promote()" can be used
to promote a PostgreSQL instance, however usage is restricted to
superusers and users to whom explicit execution permission for this
function has been granted.

Therefore, if execution permission is not available, fall back to
"pg_ctl promote".

HISTORY

@@ -12,6 +12,8 @@
         repmgr: add replication configuration file ownership check to
           "standby switchover" (Ian)
         repmgr: consolidate replication connection code (Ian)
+        repmgr: check permissions for "pg_promote()" and fall back to pg_ctl
+          if necessary (Ian)
 
 5.0     2019-10-15
         general: add PostgreSQL 12 support (Ian)

dbutils.c

@@ -1723,6 +1723,43 @@ get_timeline_history(PGconn *repl_conn, TimeLineID tli)
 /* user/role information functions */
 /* =============================== */
 
+
+bool
+can_execute_pg_promote(PGconn *conn)
+{
+	PQExpBufferData query;
+	PGresult   *res;
+	bool		has_pg_promote= false;
+
+	/* pg_promote() available from PostgreSQL 12 */
+	if(PQserverVersion(conn) < 120000)
+		return false;
+
+	initPQExpBuffer(&query);
+	appendPQExpBufferStr(&query,
+						 " SELECT pg_catalog.has_function_privilege( "
+						 "    CURRENT_USER, "
+						 "    'pg_catalog.pg_promote(bool,int)', "
+						 "    'execute' "
+						 " )");
+
+	res = PQexec(conn, query.data);
+
+	if (PQresultStatus(res) != PGRES_TUPLES_OK)
+	{
+		log_db_error(conn, query.data,
+					 _("can_execute_pg_promote(): unable to query user function privilege"));
+	}
+	else
+	{
+		has_pg_promote = atobool(PQgetvalue(res, 0, 0));
+	}
+	termPQExpBuffer(&query);
+
+	return has_pg_promote;
+}
+
+
 bool
 connection_has_pg_settings(PGconn *conn)
 {

dbutils.h

@@ -441,6 +441,7 @@ uint64		system_identifier(PGconn *conn);
 TimeLineHistoryEntry *get_timeline_history(PGconn *repl_conn, TimeLineID tli);
 
 /* user/role information functions */
+bool		can_execute_pg_promote(PGconn *conn);
 bool		connection_has_pg_settings(PGconn *conn);
 bool		is_replication_role(PGconn *conn, char *rolname);
 bool		is_superuser_connection(PGconn *conn, t_connection_user *userinfo);

doc/appendix-release-notes.xml

@@ -88,6 +88,16 @@
             </para>
           </listitem>
 
+          <listitem>
+            <para>
+              <link linkend="repmgr-standby-promote"><command>repmgr standby promote</command></link>
+              will check if the <literal>repmgr</literal> user has permission to execute
+              <function>pg_promote()</function> and fall back to <command>pg_ctl promote</command> if
+              necessary.
+            </para>
+          </listitem>
+
+
           <listitem>
             <para>
               Fix situation where replication connections were not created correctly, which

doc/repmgr-standby-promote.xml

@@ -106,20 +106,22 @@
     <title>User permission requirements</title>
     <para><emphasis>pg_promote() (PostgreSQL 12)</emphasis></para>
     <para>
-      From PostgreSQL 12, &repmgr; uses the <command>pg_promote()</command> function to promote a standby
-      to primary.
+      From PostgreSQL 12, &repmgr; will attempt to use the <function>pg_promote()</function> function
+      to promote a standby to primary.
     </para>
     <para>
-      By default, execution of <command>pg_promote()</command> is restricted to superusers.
-      If the <literal>repmgr</literal> use is not a superuser, execution permission for this
-      function must be granted with e.g.:
-      <programlisting>
+      By default, execution of <function>pg_promote()</function> is restricted to superusers.
+      If the <literal>repmgr</literal> user does not have permission to execute
+      <function>pg_promote()</function>, &repmgr; will fall back to using <command>pg_ctl promote</command>.
+    </para>
+    <tip>
+      <para>
+        If the <literal>repmgr</literal> user is not a superuser, execution permission for this
+        function can be granted with e.g.:
+        <programlisting>
     GRANT EXECUTE ON FUNCTION pg_catalog.pg_promote TO repmgr</programlisting>
-    </para>
-    <para>
-      A future &repmgr; release will relax this restriction by falling back to
-      <command>pg_ctl promote</command>, as used for pre-PostgreSQL 12 versions.
-    </para>
+      </para>
+    </tip>
   </refsect1>
 
   <refsect1>

repmgr-action-standby.c

@@ -2476,45 +2476,62 @@ _do_standby_promote_internal(PGconn *conn)
 	 * option so we can't be sure when or if the promotion completes. For now
 	 * we'll poll the server until the default timeout (60 seconds)
 	 *
-	 * For PostgreSQL 12+, use the pg_promote() function - note this is
-	 * experimental
+	 * For PostgreSQL 12+, use the pg_promote() function, unless one of
+	 * "service_promote_command" or "use_pg_ctl_promote" is set.
 	 */
-	log_notice(_("promoting standby to primary"));
-
-	if (PQserverVersion(conn) >= 120000)
 	{
-		log_detail(_("promoting server \"%s\" (ID: %i) using pg_promote()"),
-				   local_node_record.node_name,
-				   local_node_record.node_id);
+		bool use_pg_promote = false;
 
-		/*
-		 * We'll check for promotion success ourselves, but will abort
-		 * if some unrecoverable error prevented the function from being
-		 * executed.
-		 */
-		if (!promote_standby(conn, false, 0))
+
+		if (PQserverVersion(conn) >= 120000)
 		{
-			log_error(_("unable to promote server from standby to primary"));
-			exit(ERR_PROMOTION_FAIL);
+			use_pg_promote = true;
+
+			if (can_execute_pg_promote(conn) == false)
+			{
+				use_pg_promote = false;
+				log_info(_("user \"%s\" does not have permission to execute \"pg_promote()\", falling back to \"pg_ctl promote\""),
+						 PQuser(conn));
+			}
 		}
-	}
-	else
-	{
-		char		script[MAXLEN];
-		int			r;
 
-		get_server_action(ACTION_PROMOTE, script, (char *) data_dir);
+		log_notice(_("promoting standby to primary"));
 
-		log_detail(_("promoting server \"%s\" (ID: %i) using \"%s\""),
-				   local_node_record.node_name,
-				   local_node_record.node_id,
-				   script);
-
-		r = system(script);
-		if (r != 0)
+		if (use_pg_promote == true)
 		{
-			log_error(_("unable to promote server from standby to primary"));
-			exit(ERR_PROMOTION_FAIL);
+			log_detail(_("promoting server \"%s\" (ID: %i) using pg_promote()"),
+					   local_node_record.node_name,
+					   local_node_record.node_id);
+
+			/*
+			 * We'll check for promotion success ourselves, but will abort
+			 * if some unrecoverable error prevented the function from being
+			 * executed.
+			 */
+			if (!promote_standby(conn, false, 0))
+			{
+				log_error(_("unable to promote server from standby to primary"));
+				exit(ERR_PROMOTION_FAIL);
+			}
+		}
+		else
+		{
+			char		script[MAXLEN];
+			int			r;
+
+			get_server_action(ACTION_PROMOTE, script, (char *) data_dir);
+
+			log_detail(_("promoting server \"%s\" (ID: %i) using \"%s\""),
+					   local_node_record.node_name,
+					   local_node_record.node_id,
+					   script);
+
+			r = system(script);
+			if (r != 0)
+			{
+				log_error(_("unable to promote server from standby to primary"));
+				exit(ERR_PROMOTION_FAIL);
+			}
 		}
 	}