[DRAFT]

Author: sinclert-canonical

lib/charms/mysql/v0/mysql.py

@@ -32,6 +32,7 @@
     MySQLAddInstanceToClusterError,
     MySQLCharmBase,
     MySQLConfigureInstanceError,
+    MySQLConfigureMySQLRolesError,
     MySQLConfigureMySQLUsersError,
     MySQLCreateClusterError,
     MySQLCreateClusterSetError,
@@ -326,6 +327,9 @@ def _on_start(self, event: StartEvent) -> None:
 
         try:
             self.workload_initialise()
+        except MySQLConfigureMySQLRolesError:
+            self.unit.status = BlockedStatus("Failed to initialize MySQL roles")
+            return
         except MySQLConfigureMySQLUsersError:
             self.unit.status = BlockedStatus("Failed to initialize MySQL users")
             return
@@ -350,19 +354,7 @@ def _on_start(self, event: StartEvent) -> None:
             self.unit_peer_data["member-state"] = "waiting"
             return
 
-        try:
-            # Create the cluster and cluster set from the leader unit
-            logger.info(f"Creating cluster {self.app_peer_data['cluster-name']}")
-            self.create_cluster()
-            self._open_ports()
-            self.unit.status = ActiveStatus(self.active_status_message)
-        except (
-            MySQLCreateClusterError,
-            MySQLCreateClusterSetError,
-            MySQLInitializeJujuOperationsTableError,
-        ) as e:
-            logger.exception("Failed to create cluster")
-            raise e
+        self._create_cluster()
 
     def _on_peer_relation_changed(self, event: RelationChangedEvent) -> None:
         """Handle the peer relation changed event."""
@@ -769,7 +761,9 @@ def workload_initialise(self) -> None:
         self._mysql.write_mysqld_config()
         self.log_rotation_setup.setup()
         self._mysql.reset_root_password_and_start_mysqld()
-        self._mysql.configure_mysql_users()
+        self._mysql.configure_mysql_router_roles()
+        self._mysql.configure_mysql_system_roles()
+        self._mysql.configure_mysql_system_users()
 
         if self.config.plugin_audit_enabled:
             self._mysql.install_plugins(["audit_log"])
@@ -805,16 +799,6 @@ def update_endpoints(self) -> None:
         self.database_relation._update_endpoints_all_relations(None)
         self._on_update_status(None)
 
-    def _open_ports(self) -> None:
-        """Open ports.
-
-        Used if `juju expose` ran on application
-        """
-        try:
-            self.unit.set_ports(3306, 33060)
-        except ops.ModelError:
-            logger.exception("failed to open port")
-
     def _can_start(self, event: StartEvent) -> bool:
         """Check if the unit can start.
 
@@ -864,6 +848,22 @@ def _can_start(self, event: StartEvent) -> bool:
 
         return True
 
+    def _create_cluster(self) -> None:
+        """Creates the InnoDB cluster and sets up the ports."""
+        try:
+            # Create the cluster and cluster set from the leader unit
+            logger.info(f"Creating cluster {self.app_peer_data['cluster-name']}")
+            self.create_cluster()
+            self.unit.set_ports(3306, 33060)
+            self.unit.status = ActiveStatus(self.active_status_message)
+        except (
+            MySQLCreateClusterError,
+            MySQLCreateClusterSetError,
+            MySQLInitializeJujuOperationsTableError,
+        ) as e:
+            logger.exception("Failed to create cluster")
+            raise e
+
     def _is_unit_waiting_to_join_cluster(self) -> bool:
         """Return if the unit is waiting to join the cluster."""
         # alternatively, we could check if the instance is configured

src/charm.py

@@ -53,6 +53,7 @@
     MYSQLD_DEFAULTS_CONFIG_FILE,
     MYSQLD_SOCK_FILE,
     ROOT_SYSTEM_USER,
+    ROOT_USERNAME,
     XTRABACKUP_PLUGIN_DIR,
 )
 
@@ -803,7 +804,7 @@ def _run_mysqlsh_script(
     def _run_mysqlcli_script(
         self,
         script: tuple[Any, ...] | list[Any],
-        user: str = "root",
+        user: str = ROOT_USERNAME,
         password: str | None = None,
         timeout: int | None = None,
         exception_as_warning: bool = False,

src/mysql_vm_helpers.py

@@ -11,7 +11,8 @@
 from charms.mysql.v0.mysql import (
     MySQLCheckUserExistenceError,
     MySQLConfigureRouterUserError,
-    MySQLCreateApplicationDatabaseAndScopedUserError,
+    MySQLCreateApplicationDatabaseError,
+    MySQLCreateApplicationScopedUserError,
     MySQLDeleteUsersForUnitError,
     MySQLGetClusterPrimaryAddressError,
 )
@@ -124,8 +125,8 @@ def _create_requested_users(
         Raises:
             MySQLCheckUserExistenceError if there is an issue checking a user's existence
             MySQLConfigureRouterUserError if there is an issue configuring the mysqlrouter user
-            MySQLCreateApplicationDatabaseAndScopedUserError if there is an issue creating a
-                user or said user scoped database
+            MySQLCreateApplicationDatabaseError if there is an issue creating the database
+            MySQLCreateApplicationScopedUserError if there is an issue creating the database user
         """
         user_passwords = {}
         requested_user_applications = set()
@@ -141,7 +142,8 @@ def _create_requested_users(
                         requested_user.username, password, requested_user.hostname, user_unit_name
                     )
                 else:
-                    self.charm._mysql.create_application_database_and_scoped_user(
+                    self.charm._mysql.create_database(requested_user.database)
+                    self.charm._mysql.create_scoped_user(
                         requested_user.database,
                         requested_user.username,
                         password,
@@ -227,7 +229,8 @@ def _on_db_router_relation_changed(self, event: RelationChangedEvent) -> None:
         except (
             MySQLCheckUserExistenceError,
             MySQLConfigureRouterUserError,
-            MySQLCreateApplicationDatabaseAndScopedUserError,
+            MySQLCreateApplicationDatabaseError,
+            MySQLCreateApplicationScopedUserError,
         ):
             self.charm.unit.status = BlockedStatus("Failed to create app user or scoped database")
             return

src/relations/db_router.py

@@ -10,7 +10,8 @@
 
 from charms.mysql.v0.mysql import (
     MySQLCheckUserExistenceError,
-    MySQLCreateApplicationDatabaseAndScopedUserError,
+    MySQLCreateApplicationDatabaseError,
+    MySQLCreateApplicationScopedUserError,
     MySQLDeleteUsersForUnitError,
     MySQLGetClusterPrimaryAddressError,
 )
@@ -194,7 +195,8 @@ def _on_mysql_relation_created(self, event: RelationCreatedEvent) -> None:
         password = self._get_or_set_password_in_peer_secrets(username)
 
         try:
-            self.charm._mysql.create_application_database_and_scoped_user(
+            self.charm._mysql.create_database(database)
+            self.charm._mysql.create_scoped_user(
                 database,
                 username,
                 password,
@@ -203,9 +205,9 @@ def _on_mysql_relation_created(self, event: RelationCreatedEvent) -> None:
             )
 
             primary_address = self.charm._mysql.get_cluster_primary_address()
-
         except (
-            MySQLCreateApplicationDatabaseAndScopedUserError,
+            MySQLCreateApplicationDatabaseError,
+            MySQLCreateApplicationScopedUserError,
             MySQLGetClusterPrimaryAddressError,
         ):
             self.charm.unit.status = BlockedStatus("Failed to initialize `mysql` relation")

src/relations/mysql.py

@@ -8,19 +8,21 @@
 
 from charms.data_platform_libs.v0.data_interfaces import DatabaseProvides, DatabaseRequestedEvent
 from charms.mysql.v0.mysql import (
+    LEGACY_ROLE_ROUTER,
+    MODERN_ROLE_ROUTER,
     MySQLClientError,
-    MySQLCreateApplicationDatabaseAndScopedUserError,
+    MySQLCreateApplicationDatabaseError,
+    MySQLCreateApplicationScopedUserError,
     MySQLDeleteUserError,
     MySQLDeleteUsersForRelationError,
     MySQLGetClusterEndpointsError,
     MySQLGetClusterMembersAddressesError,
     MySQLGetMySQLVersionError,
-    MySQLGrantPrivilegesToUserError,
     MySQLRemoveRouterFromMetadataError,
 )
 from ops.charm import RelationBrokenEvent, RelationDepartedEvent, RelationJoinedEvent
 from ops.framework import Object
-from ops.model import BlockedStatus
+from ops.model import ActiveStatus, BlockedStatus
 
 from constants import DB_RELATION_NAME, PASSWORD_LENGTH, PEER
 from utils import generate_random_password
@@ -220,16 +222,17 @@ def _on_database_requested(self, event: DatabaseRequestedEvent):
 
         # get base relation data
         relation_id = event.relation.id
+        app_name = event.app.name
         db_name = event.database
+
         extra_user_roles = []
         if event.extra_user_roles:
             extra_user_roles = event.extra_user_roles.split(",")
+
         # user name is derived from the relation id
         db_user = self._get_username(relation_id)
         db_pass = self._get_or_set_password(event.relation)
 
-        remote_app = event.app.name
-
         # Update endpoint addresses
         self.charm.update_endpoint_address(DB_RELATION_NAME)
 
@@ -242,31 +245,26 @@ def _on_database_requested(self, event: DatabaseRequestedEvent):
             self.database.set_version(relation_id, db_version)
             self.database.set_read_only_endpoints(relation_id, ro_endpoints)
 
-            if "mysqlrouter" in extra_user_roles:
-                self.charm._mysql.create_application_database_and_scoped_user(
-                    db_name,
-                    db_user,
-                    db_pass,
-                    "%",
-                    # MySQL Router charm does not need a new database
-                    create_database=False,
-                )
-                self.charm._mysql.grant_privileges_to_user(
-                    db_user, "%", ["ALL PRIVILEGES"], with_grant_option=True
-                )
-            else:
-                # TODO:
-                # add setup of tls, tls_ca and status
-                self.charm._mysql.create_application_database_and_scoped_user(
-                    db_name, db_user, db_pass, "%"
-                )
-
-            logger.info(f"Created user for app {remote_app}")
+            if not any([
+                LEGACY_ROLE_ROUTER in extra_user_roles,
+                MODERN_ROLE_ROUTER in extra_user_roles,
+            ]):
+                self.charm._mysql.create_database(db_name)
+
+            self.charm._mysql.create_scoped_user(
+                db_name,
+                db_user,
+                db_pass,
+                "%",
+                extra_roles=extra_user_roles,
+            )
+            logger.info(f"Created user for app {app_name}")
+            self.charm.unit.status = ActiveStatus()
         except (
-            MySQLCreateApplicationDatabaseAndScopedUserError,
+            MySQLCreateApplicationDatabaseError,
+            MySQLCreateApplicationScopedUserError,
             MySQLGetMySQLVersionError,
             MySQLGetClusterMembersAddressesError,
-            MySQLGrantPrivilegesToUserError,
             MySQLClientError,
         ) as e:
             logger.exception("Failed to set up database relation", exc_info=e)

src/relations/mysql_provider.py

@@ -7,7 +7,8 @@
 import typing
 
 from charms.mysql.v0.mysql import (
-    MySQLCreateApplicationDatabaseAndScopedUserError,
+    MySQLCreateApplicationDatabaseError,
+    MySQLCreateApplicationScopedUserError,
     MySQLGetClusterPrimaryAddressError,
 )
 from ops.charm import LeaderElectedEvent, RelationChangedEvent, RelationDepartedEvent
@@ -153,8 +154,13 @@ def _on_shared_db_relation_changed(self, event: RelationChangedEvent) -> None:
         remote_host = event.relation.data[event.unit].get("private-address")
 
         try:
-            self._charm._mysql.create_application_database_and_scoped_user(
-                database_name, database_user, password, remote_host, unit_name=joined_unit
+            self._charm._mysql.create_database(database_name)
+            self._charm._mysql.create_scoped_user(
+                database_name,
+                database_user,
+                password,
+                remote_host,
+                unit_name=joined_unit,
             )
 
             # set the relation data for consumption
@@ -179,7 +185,10 @@ def _on_shared_db_relation_changed(self, event: RelationChangedEvent) -> None:
                 allowed_units_set
             )
 
-        except MySQLCreateApplicationDatabaseAndScopedUserError:
+        except (
+            MySQLCreateApplicationDatabaseError,
+            MySQLCreateApplicationScopedUserError,
+        ):
             self._charm.unit.status = BlockedStatus("Failed to initialize shared_db relation")
             return
 

src/relations/shared_db.py

@@ -0,0 +1,83 @@
+#!/usr/bin/env python3
+# Copyright 2025 Canonical Ltd.
+# See LICENSE file for licensing details.
+
+import asyncio
+from pathlib import Path
+
+import pytest
+import yaml
+from pytest_operator.plugin import OpsTest
+
+from . import juju_
+from .helpers import (
+    execute_queries_on_unit,
+    get_primary_unit,
+    get_server_config_credentials,
+)
+
+METADATA = yaml.safe_load(Path("./metadata.yaml").read_text())
+
+DATABASE_APP_NAME = METADATA["name"]
+INTEGRATOR_APP_NAME = "data-integrator"
+
+
+@pytest.mark.abort_on_fail
+async def test_build_and_deploy(ops_test: OpsTest, charm) -> None:
+    """Simple test to ensure that the mysql and data-integrator charms get deployed."""
+    async with ops_test.fast_forward("10s"):
+        await asyncio.gather(
+            ops_test.model.deploy(
+                charm,
+                application_name=DATABASE_APP_NAME,
+                num_units=3,
+                base="[email protected]",
+                config={"profile": "testing"},
+            ),
+            ops_test.model.deploy(
+                INTEGRATOR_APP_NAME,
+                base="[email protected]",
+            ),
+        )
+
+    await ops_test.model.wait_for_idle(apps=[DATABASE_APP_NAME], status="active")
+    await ops_test.model.wait_for_idle(apps=[INTEGRATOR_APP_NAME], status="blocked")
+
+
+@pytest.mark.abort_on_fail
+async def test_charmed_dba_role(ops_test: OpsTest):
+    """Test the DBA predefined role."""
+    await ops_test.model.applications[INTEGRATOR_APP_NAME].set_config({
+        "database-name": "charmed_dba_database",
+        "extra-user-roles": "charmed_dba",
+    })
+    await ops_test.model.add_relation(INTEGRATOR_APP_NAME, DATABASE_APP_NAME)
+    await ops_test.model.wait_for_idle(
+        apps=[INTEGRATOR_APP_NAME, DATABASE_APP_NAME], status="active"
+    )
+
+    mysql_unit = ops_test.model.applications[DATABASE_APP_NAME].units[0]
+    primary_unit = await get_primary_unit(ops_test, mysql_unit, DATABASE_APP_NAME)
+    primary_unit_address = await primary_unit.get_public_address()
+    server_config_credentials = await get_server_config_credentials(primary_unit)
+
+    await execute_queries_on_unit(
+        primary_unit_address,
+        server_config_credentials["username"],
+        server_config_credentials["password"],
+        ["CREATE DATABASE IF NOT EXISTS test"],
+        commit=True,
+    )
+
+    data_integrator_unit = ops_test.model.applications[INTEGRATOR_APP_NAME].units[0]
+    results = await juju_.run_action(data_integrator_unit, "get-credentials")
+
+    rows = await execute_queries_on_unit(
+        primary_unit_address,
+        results["mysql"]["username"],
+        results["mysql"]["password"],
+        ["SHOW DATABASES"],
+        commit=True,
+    )
+
+    assert "test" in rows, "Database is not visible to DBA user"