Adapt MySQL Router role to existing logic

sinclert-canonical · sinclert-canonical · commit 256d8ad6ffcf · 2025-07-31T16:27:58.000+02:00
diff --git a/lib/charms/mysql/v0/mysql.py b/lib/charms/mysql/v0/mysql.py
@@ -1208,12 +1208,13 @@ def configure_mysql_router_roles(self) -> None:
             logger.debug(f"Missing MySQL role {role}")
             configure_role_commands = [
                 f"CREATE ROLE {role}",
-                f"GRANT CREATE USER ON *.* TO {role} WITH GRANT OPTION",
-                f"GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON mysql_innodb_cluster_metadata.* TO {role}",
-                f"GRANT SELECT ON mysql.user TO {role}",
-                f"GRANT SELECT ON performance_schema.replication_group_members TO {role}",
-                f"GRANT SELECT ON performance_schema.replication_group_member_stats TO {role}",
-                f"GRANT SELECT ON performance_schema.global_variables TO {role}",
+                f"GRANT CREATE ON *.* TO {role}",
+                f"GRANT CREATE USER ON *.* TO {role}",
+                # The granting of all privileges to the MySQL Router role
+                # can only be restricted when the privileges to the users
+                # created by such role are restricted as well
+                # https://github.com/canonical/mysql-router-operator/blob/main/src/mysql_shell/__init__.py#L134-L136
+                f"GRANT ALL ON *.* TO {role} WITH GRANT OPTION",
             ]
 
             try:
diff --git a/tests/unit/test_mysql.py b/tests/unit/test_mysql.py
@@ -147,12 +147,9 @@ def test_configure_mysql_router_roles(self, _run_mysqlcli_script, _list_mysql_ro
 
             _expected_configure_role_commands = [
                 f"CREATE ROLE {role}",
-                f"GRANT CREATE USER ON *.* TO {role} WITH GRANT OPTION",
-                f"GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON mysql_innodb_cluster_metadata.* TO {role}",
-                f"GRANT SELECT ON mysql.user TO {role}",
-                f"GRANT SELECT ON performance_schema.replication_group_members TO {role}",
-                f"GRANT SELECT ON performance_schema.replication_group_member_stats TO {role}",
-                f"GRANT SELECT ON performance_schema.global_variables TO {role}",
+                f"GRANT CREATE ON *.* TO {role}",
+                f"GRANT CREATE USER ON *.* TO {role}",
+                f"GRANT ALL ON *.* TO {role} WITH GRANT OPTION",
             ]
 
             self.mysql.configure_mysql_router_roles()
