[DRAFT]

Author: sinclert-canonical

lib/charms/mysql/v0/mysql.py

@@ -158,12 +158,13 @@ def wait_until_mysql_connection(self) -> None:
 ROLE_READ = "charmed_read"
 ROLE_STATS = "charmed_stats"
 ROLE_BACKUP = "charmed_backup"
+ROLE_MAX_LENGTH = 32
 
 # TODO:
 #   Remove legacy role when migrating to MySQL 8.4
 #   (when breaking changes are allowed)
 LEGACY_ROLE_ROUTER = "mysqlrouter"
-MODERN_ROLE_ROUTER = "charmed_mysqlrouter"
+MODERN_ROLE_ROUTER = "charmed_router"
 
 FORBIDDEN_EXTRA_ROLES = {
     ROLE_BACKUP,
@@ -1166,7 +1167,7 @@ def configure_mysql_system_roles(self) -> None:
             ROLE_STATS: [
                 f"CREATE ROLE {ROLE_STATS}",
                 f"GRANT SELECT ON performance_schema.* TO {ROLE_STATS}",
-                f"GRANT PROCESS, REPLICATION CLIENT ON *.* TO {ROLE_STATS}",
+                f"GRANT PROCESS, RELOAD, REPLICATION CLIENT ON *.* TO {ROLE_STATS}",
             ],
             ROLE_BACKUP: [
                 f"CREATE ROLE {ROLE_BACKUP}",
@@ -1177,15 +1178,15 @@ def configure_mysql_system_roles(self) -> None:
             ROLE_DDL: [
                 f"CREATE ROLE {ROLE_DDL}",
                 f"GRANT charmed_dml TO {ROLE_DDL}",
-                f"GRANT ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TABLESPACE, CREATE VIEW, SHOW_ROUTINE, SHOW VIEW, INDEX, REFERENCES, TRIGGER, LOCK TABLES ON *.* TO {ROLE_DDL}",
+                f"GRANT ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TABLESPACE, CREATE VIEW, DROP, INDEX, LOCK TABLES, REFERENCES, SHOW_ROUTINE, SHOW VIEW, TRIGGER ON *.* TO {ROLE_DDL}",
             ],
             ROLE_DBA: [
                 f"CREATE ROLE {ROLE_DBA}",
                 f"GRANT charmed_dml TO {ROLE_DBA}",
                 f"GRANT charmed_stats TO {ROLE_DBA}",
                 f"GRANT charmed_backup TO {ROLE_DBA}",
                 f"GRANT charmed_ddl TO {ROLE_DBA}",
-                f"GRANT EVENT, FILE, SHOW DATABASES, SHUTDOWN ON *.* TO {ROLE_DBA}",
+                f"GRANT EVENT, SHOW DATABASES, SHUTDOWN ON *.* TO {ROLE_DBA}",
                 f"GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON *.* TO {ROLE_DBA}",
                 f"GRANT AUDIT_ADMIN, CONNECTION_ADMIN, SYSTEM_VARIABLES_ADMIN ON *.* TO {ROLE_DBA}",
             ],
@@ -1427,16 +1428,30 @@ def configure_mysqlrouter_user(
 
     def create_database(self, database: str) -> None:
         """Create an application database."""
+        role_name = f"charmed_dba_{database}"
+
+        if len(database) >= ROLE_MAX_LENGTH:
+            logger.error(f"Failed to create application database {database}")
+            raise MySQLCreateApplicationDatabaseError("Name longer than 32 characters")
+        if len(role_name) >= ROLE_MAX_LENGTH:
+            logger.warning(f"Pruning application database role name {role_name}")
+            role_name = role_name[:ROLE_MAX_LENGTH]
+
         create_database_commands = (
             "shell.connect_to_primary()",
             f'session.run_sql("CREATE DATABASE IF NOT EXISTS `{database}`;")',
             f'session.run_sql("GRANT SELECT ON `{database}`.* TO {ROLE_READ};")',
             f'session.run_sql("GRANT SELECT, INSERT, DELETE, UPDATE ON `{database}`.* TO {ROLE_DML};")',
         )
+        create_dba_role_commands = (
+            f'session.run_sql("CREATE ROLE IF NOT EXISTS `{role_name}`;")',
+            f'session.run_sql("GRANT SELECT, INSERT, DELETE, UPDATE, EXECUTE ON `{database}`.* TO {role_name};")',
+            f'session.run_sql("GRANT ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE VIEW, DROP, INDEX, LOCK TABLES, REFERENCES, TRIGGER ON `{database}`.* TO {role_name};")',
+        )
 
         try:
             self._run_mysqlsh_script(
-                "\n".join(create_database_commands),
+                "\n".join(create_database_commands + create_dba_role_commands),
                 user=self.server_config_user,
                 password=self.server_config_password,
                 host=self.instance_def(self.server_config_user),
@@ -1456,23 +1471,25 @@ def create_scoped_user(
         extra_roles: Optional[List[str]] = None,
     ) -> None:
         """Create an application user scoped to the created database."""
+        if extra_roles is not None and set(extra_roles) & FORBIDDEN_EXTRA_ROLES:
+            logger.error(f"Invalid extra user roles: {extra_roles}")
+            raise MySQLCreateApplicationScopedUserError("invalid role(s) for extra user roles")
+
         attributes = {}
         if unit_name is not None:
-            attributes["unit_name"] = unit_name
+            attributes = {"unit_name": unit_name}
+        if extra_roles is not None:
+            extra_roles = ", ".join(extra_roles)
 
         create_scoped_user_attributes = json.dumps(attributes).replace('"', r"\"")
         create_scoped_user_commands = (
             "shell.connect_to_primary()",
             f"session.run_sql(\"CREATE USER `{username}`@`{hostname}` IDENTIFIED BY '{password}' ATTRIBUTE '{create_scoped_user_attributes}';\")",
         )
 
-        if extra_roles and set(extra_roles) & FORBIDDEN_EXTRA_ROLES:
-            logger.error(f"Invalid extra user roles: {', '.join(extra_roles)}")
-            raise MySQLCreateApplicationScopedUserError("invalid role(s) for extra user roles")
-
         if extra_roles:
             grant_scoped_user_commands = (
-                f"session.run_sql(\"GRANT {','.join(extra_roles)} TO `{username}`@`{hostname}`;\")",
+                f'session.run_sql("GRANT {extra_roles} TO `{username}`@`{hostname}`;")',
             )
         else:
             # Legacy behaviour when no explicit roles were assigned to users

tests/integration/roles/__init__.py

@@ -0,0 +1,2 @@
+# Copyright 2025 Canonical Ltd.
+# See LICENSE file for licensing details.

tests/integration/roles/test_database_dba_role.py

@@ -0,0 +1,147 @@
+#!/usr/bin/env python3
+# Copyright 2025 Canonical Ltd.
+# See LICENSE file for licensing details.
+
+import asyncio
+import logging
+from pathlib import Path
+
+import pytest
+import yaml
+from mysql.connector.errors import ProgrammingError
+from pytest_operator.plugin import OpsTest
+
+from .. import juju_
+from ..helpers import (
+    execute_queries_on_unit,
+    get_primary_unit,
+    get_unit_address,
+)
+
+logger = logging.getLogger(__name__)
+
+METADATA = yaml.safe_load(Path("./metadata.yaml").read_text())
+
+DATABASE_APP_NAME = METADATA["name"]
+INTEGRATOR_APP_NAME = "data-integrator"
+
+
+@pytest.mark.abort_on_fail
+async def test_build_and_deploy(ops_test: OpsTest, charm) -> None:
+    """Simple test to ensure that the mysql and data-integrator charms get deployed."""
+    async with ops_test.fast_forward("10s"):
+        await asyncio.gather(
+            ops_test.model.deploy(
+                charm,
+                application_name=DATABASE_APP_NAME,
+                num_units=3,
+                base="[email protected]",
+                config={"profile": "testing"},
+            ),
+            ops_test.model.deploy(
+                INTEGRATOR_APP_NAME,
+                application_name=f"{INTEGRATOR_APP_NAME}1",
+                base="[email protected]",
+            ),
+            ops_test.model.deploy(
+                INTEGRATOR_APP_NAME,
+                application_name=f"{INTEGRATOR_APP_NAME}2",
+                base="[email protected]",
+            ),
+        )
+
+    await ops_test.model.wait_for_idle(
+        apps=[DATABASE_APP_NAME],
+        status="active",
+    )
+    await ops_test.model.wait_for_idle(
+        apps=[f"{INTEGRATOR_APP_NAME}1", f"{INTEGRATOR_APP_NAME}2"],
+        status="blocked",
+    )
+
+
+@pytest.mark.abort_on_fail
+async def test_charmed_dba_role(ops_test: OpsTest):
+    """Test the database-level DBA role."""
+    await ops_test.model.applications[f"{INTEGRATOR_APP_NAME}1"].set_config({
+        "database-name": "preserved",
+        "extra-user-roles": "",
+    })
+    await ops_test.model.add_relation(f"{INTEGRATOR_APP_NAME}1", DATABASE_APP_NAME)
+    await ops_test.model.wait_for_idle(
+        apps=[f"{INTEGRATOR_APP_NAME}1", DATABASE_APP_NAME],
+        status="active",
+    )
+
+    await ops_test.model.applications[f"{INTEGRATOR_APP_NAME}2"].set_config({
+        "database-name": "throwaway",
+        "extra-user-roles": "charmed_dba_preserved",
+    })
+    await ops_test.model.add_relation(f"{INTEGRATOR_APP_NAME}2", DATABASE_APP_NAME)
+    await ops_test.model.wait_for_idle(
+        apps=[f"{INTEGRATOR_APP_NAME}2", DATABASE_APP_NAME],
+        status="active",
+    )
+
+    mysql_unit = ops_test.model.applications[DATABASE_APP_NAME].units[0]
+    primary_unit = await get_primary_unit(ops_test, mysql_unit, DATABASE_APP_NAME)
+    primary_unit_address = await get_unit_address(ops_test, primary_unit.name)
+
+    data_integrator_2_unit = ops_test.model.applications[f"{INTEGRATOR_APP_NAME}2"].units[0]
+    results = await juju_.run_action(data_integrator_2_unit, "get-credentials")
+
+    logger.info("Checking that the database-level DBA role cannot create new databases")
+    with pytest.raises(ProgrammingError):
+        execute_queries_on_unit(
+            primary_unit_address,
+            results["mysql"]["username"],
+            results["mysql"]["password"],
+            ["CREATE DATABASE IF NOT EXISTS test"],
+            commit=True,
+        )
+
+    logger.info("Checking that the database-level DBA role can see all databases")
+    execute_queries_on_unit(
+        primary_unit_address,
+        results["mysql"]["username"],
+        results["mysql"]["password"],
+        ["SHOW DATABASES"],
+        commit=True,
+    )
+
+    logger.info("Checking that the database-level DBA role can create a new table")
+    execute_queries_on_unit(
+        primary_unit_address,
+        results["mysql"]["username"],
+        results["mysql"]["password"],
+        [
+            "CREATE TABLE preserved.test_table (`id` SERIAL PRIMARY KEY, `data` TEXT)",
+        ],
+        commit=True,
+    )
+
+    logger.info("Checking that the database-level DBA role can write into an existing table")
+    execute_queries_on_unit(
+        primary_unit_address,
+        results["mysql"]["username"],
+        results["mysql"]["password"],
+        [
+            "INSERT INTO preserved.test_table (`data`) VALUES ('test_data_1'), ('test_data_2')",
+        ],
+        commit=True,
+    )
+
+    logger.info("Checking that the database-level DBA role can read from an existing table")
+    rows = execute_queries_on_unit(
+        primary_unit_address,
+        results["mysql"]["username"],
+        results["mysql"]["password"],
+        [
+            "SELECT `data` FROM preserved.test_table",
+        ],
+        commit=True,
+    )
+    assert sorted(rows) == sorted([
+        "test_data_1",
+        "test_data_2",
+    ]), "Unexpected data in preserved with charmed_dba_preserved role"

tests/integration/test_predefined_dba_role.py renamed to tests/integration/roles/test_instance_dba_role.py

@@ -9,8 +9,8 @@
 import yaml
 from pytest_operator.plugin import OpsTest
 
-from . import juju_
-from .helpers import (
+from .. import juju_
+from ..helpers import (
     execute_queries_on_unit,
     get_primary_unit,
     get_server_config_credentials,

tests/integration/test_predefined_roles.py renamed to tests/integration/roles/test_instance_roles.py

@@ -11,8 +11,8 @@
 from mysql.connector.errors import ProgrammingError
 from pytest_operator.plugin import OpsTest
 
-from . import juju_
-from .helpers import (
+from .. import juju_
+from ..helpers import (
     execute_queries_on_unit,
     get_primary_unit,
     get_server_config_credentials,

tests/spread/test_predefined_dba_role.py/task.yaml renamed to tests/spread/test_database_dba_role.py/task.yaml

@@ -1,6 +1,6 @@
-summary: test_predefined_dba_role.py
+summary: test_database_dba_role.py
 environment:
-  TEST_MODULE: test_predefined_dba_role.py
+  TEST_MODULE: roles/test_database_dba_role.py
 execute: |
   tox run -e integration -- "tests/integration/$TEST_MODULE" --model testing --alluredir="$SPREAD_TASK/allure-results"
 artifacts:

tests/spread/test_instance_dba_role.py/task.yaml

@@ -0,0 +1,7 @@
+summary: test_instance_dba_role.py
+environment:
+  TEST_MODULE: roles/test_instance_dba_role.py
+execute: |
+  tox run -e integration -- "tests/integration/$TEST_MODULE" --model testing --alluredir="$SPREAD_TASK/allure-results"
+artifacts:
+  - allure-results

tests/spread/test_predefined_roles.py/task.yaml renamed to tests/spread/test_instance_roles.py/task.yaml

@@ -1,6 +1,6 @@
-summary: test_predefined_roles.py
+summary: test_instance_roles.py
 environment:
-  TEST_MODULE: test_predefined_roles.py
+  TEST_MODULE: roles/test_instance_roles.py
 execute: |
   tox run -e integration -- "tests/integration/$TEST_MODULE" --model testing --alluredir="$SPREAD_TASK/allure-results"
 artifacts: