[DRAFT]

sinclert-canonical · sinclert-canonical · commit e9ba0fb65b46 · 2025-08-06T10:12:25.000+02:00
diff --git a/lib/charms/mysql/v0/mysql.py b/lib/charms/mysql/v0/mysql.py
@@ -152,6 +152,7 @@ def wait_until_mysql_connection(self) -> None:
 ROLE_READ = "charmed_read"
 ROLE_STATS = "charmed_stats"
 ROLE_BACKUP = "charmed_backup"
+ROLE_MAX_LENGTH = 32
 
 # TODO:
 #   Remove legacy role when migrating to MySQL 8.4
@@ -1251,15 +1252,15 @@ def configure_mysql_system_roles(self) -> None:
             ROLE_DDL: [
                 f"CREATE ROLE {ROLE_DDL}",
                 f"GRANT charmed_dml TO {ROLE_DDL}",
-                f"GRANT ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TABLESPACE, CREATE VIEW, SHOW_ROUTINE, SHOW VIEW, INDEX, REFERENCES, TRIGGER, LOCK TABLES ON *.* TO {ROLE_DDL}",
+                f"GRANT ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TABLESPACE, CREATE VIEW, DROP, INDEX, LOCK TABLES, REFERENCES, SHOW_ROUTINE, SHOW VIEW, TRIGGER ON *.* TO {ROLE_DDL}",
             ],
             ROLE_DBA: [
                 f"CREATE ROLE {ROLE_DBA}",
                 f"GRANT charmed_dml TO {ROLE_DBA}",
                 f"GRANT charmed_stats TO {ROLE_DBA}",
                 f"GRANT charmed_backup TO {ROLE_DBA}",
                 f"GRANT charmed_ddl TO {ROLE_DBA}",
-                f"GRANT EVENT, FILE, SHOW DATABASES, SHUTDOWN ON *.* TO {ROLE_DBA}",
+                f"GRANT EVENT, SHOW DATABASES, SHUTDOWN ON *.* TO {ROLE_DBA}",
                 f"GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON *.* TO {ROLE_DBA}",
                 f"GRANT AUDIT_ADMIN, CONNECTION_ADMIN, SYSTEM_VARIABLES_ADMIN ON *.* TO {ROLE_DBA}",
             ],
@@ -1501,16 +1502,30 @@ def configure_mysqlrouter_user(
 
     def create_database(self, database: str) -> None:
         """Create an application database."""
+        role_name = f"charmed_dba_{database}"
+
+        if len(database) >= ROLE_MAX_LENGTH:
+            logger.error(f"Failed to create application database {database}")
+            raise MySQLCreateApplicationDatabaseError("Name longer than 32 characters")
+        if len(role_name) >= ROLE_MAX_LENGTH:
+            logger.warning(f"Pruning application database role name {role_name}")
+            role_name = role_name[:ROLE_MAX_LENGTH]
+
         create_database_commands = (
             "shell.connect_to_primary()",
             f'session.run_sql("CREATE DATABASE IF NOT EXISTS `{database}`;")',
             f'session.run_sql("GRANT SELECT ON `{database}`.* TO {ROLE_READ};")',
             f'session.run_sql("GRANT SELECT, INSERT, DELETE, UPDATE ON `{database}`.* TO {ROLE_DML};")',
         )
+        create_dba_role_commands = (
+            f'session.run_sql("CREATE ROLE IF NOT EXISTS `{role_name}`;")',
+            f'session.run_sql("GRANT SELECT, INSERT, DELETE, UPDATE, EXECUTE ON `{database}`.* TO {role_name};")',
+            f'session.run_sql("GRANT ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE VIEW, DROP, INDEX, LOCK TABLES, REFERENCES, TRIGGER ON `{database}`.* TO {role_name};")',
+        )
 
         try:
             self._run_mysqlsh_script(
-                "\n".join(create_database_commands),
+                "\n".join(create_database_commands + create_dba_role_commands),
                 user=self.server_config_user,
                 password=self.server_config_password,
                 host=self.instance_def(self.server_config_user),
@@ -1530,23 +1545,25 @@ def create_scoped_user(
         extra_roles: list[str] | None = None,
     ) -> None:
         """Create an application user scoped to the created database."""
+        if extra_roles is not None and set(extra_roles) & FORBIDDEN_EXTRA_ROLES:
+            logger.error(f"Invalid extra user roles: {extra_roles}")
+            raise MySQLCreateApplicationScopedUserError("invalid role(s) for extra user roles")
+
         attributes = {}
         if unit_name is not None:
-            attributes["unit_name"] = unit_name
+            attributes = {"unit_name": unit_name}
+        if extra_roles is not None:
+            extra_roles = ", ".join(extra_roles)
 
         create_scoped_user_attributes = json.dumps(attributes).replace('"', r"\"")
         create_scoped_user_commands = (
             "shell.connect_to_primary()",
             f"session.run_sql(\"CREATE USER `{username}`@`{hostname}` IDENTIFIED BY '{password}' ATTRIBUTE '{create_scoped_user_attributes}';\")",
         )
 
-        if extra_roles and set(extra_roles) & FORBIDDEN_EXTRA_ROLES:
-            logger.error(f"Invalid extra user roles: {', '.join(extra_roles)}")
-            raise MySQLCreateApplicationScopedUserError("invalid role(s) for extra user roles")
-
         if extra_roles:
             grant_scoped_user_commands = (
-                f"session.run_sql(\"GRANT {','.join(extra_roles)} TO `{username}`@`{hostname}`;\")",
+                f'session.run_sql("GRANT {extra_roles} TO `{username}`@`{hostname}`;")',
             )
         else:
             # Legacy behaviour when no explicit roles were assigned to users
diff --git a/tests/integration/roles/__init__.py b/tests/integration/roles/__init__.py
@@ -0,0 +1,2 @@
+# Copyright 2025 Canonical Ltd.
+# See LICENSE file for licensing details.
diff --git a/tests/integration/roles/test_database_dba_role.py b/tests/integration/roles/test_database_dba_role.py
@@ -0,0 +1,146 @@
+#!/usr/bin/env python3
+# Copyright 2025 Canonical Ltd.
+# See LICENSE file for licensing details.
+
+import asyncio
+import logging
+from pathlib import Path
+
+import pytest
+import yaml
+from mysql.connector.errors import ProgrammingError
+from pytest_operator.plugin import OpsTest
+
+from .. import juju_
+from ..helpers import (
+    execute_queries_on_unit,
+    get_primary_unit,
+)
+
+logger = logging.getLogger(__name__)
+
+METADATA = yaml.safe_load(Path("./metadata.yaml").read_text())
+
+DATABASE_APP_NAME = METADATA["name"]
+INTEGRATOR_APP_NAME = "data-integrator"
+
+
+@pytest.mark.abort_on_fail
+async def test_build_and_deploy(ops_test: OpsTest, charm) -> None:
+    """Simple test to ensure that the mysql and data-integrator charms get deployed."""
+    async with ops_test.fast_forward("10s"):
+        await asyncio.gather(
+            ops_test.model.deploy(
+                charm,
+                application_name=DATABASE_APP_NAME,
+                num_units=3,
+                base="ubuntu@22.04",
+                config={"profile": "testing"},
+            ),
+            ops_test.model.deploy(
+                INTEGRATOR_APP_NAME,
+                application_name=f"{INTEGRATOR_APP_NAME}1",
+                base="ubuntu@24.04",
+            ),
+            ops_test.model.deploy(
+                INTEGRATOR_APP_NAME,
+                application_name=f"{INTEGRATOR_APP_NAME}2",
+                base="ubuntu@24.04",
+            ),
+        )
+
+    await ops_test.model.wait_for_idle(
+        apps=[DATABASE_APP_NAME],
+        status="active",
+    )
+    await ops_test.model.wait_for_idle(
+        apps=[f"{INTEGRATOR_APP_NAME}1", f"{INTEGRATOR_APP_NAME}2"],
+        status="blocked",
+    )
+
+
+@pytest.mark.abort_on_fail
+async def test_charmed_dba_role(ops_test: OpsTest):
+    """Test the database-level DBA role."""
+    await ops_test.model.applications[f"{INTEGRATOR_APP_NAME}1"].set_config({
+        "database-name": "preserved",
+        "extra-user-roles": "",
+    })
+    await ops_test.model.add_relation(f"{INTEGRATOR_APP_NAME}1", DATABASE_APP_NAME)
+    await ops_test.model.wait_for_idle(
+        apps=[f"{INTEGRATOR_APP_NAME}1", DATABASE_APP_NAME],
+        status="active",
+    )
+
+    await ops_test.model.applications[f"{INTEGRATOR_APP_NAME}2"].set_config({
+        "database-name": "throwaway",
+        "extra-user-roles": "charmed_dba_preserved",
+    })
+    await ops_test.model.add_relation(f"{INTEGRATOR_APP_NAME}2", DATABASE_APP_NAME)
+    await ops_test.model.wait_for_idle(
+        apps=[f"{INTEGRATOR_APP_NAME}2", DATABASE_APP_NAME],
+        status="active",
+    )
+
+    mysql_unit = ops_test.model.applications[DATABASE_APP_NAME].units[0]
+    primary_unit = await get_primary_unit(ops_test, mysql_unit, DATABASE_APP_NAME)
+    primary_unit_address = await primary_unit.get_public_address()
+
+    data_integrator_2_unit = ops_test.model.applications[f"{INTEGRATOR_APP_NAME}2"].units[0]
+    results = await juju_.run_action(data_integrator_2_unit, "get-credentials")
+
+    logger.info("Checking that the database-level DBA role cannot create new databases")
+    with pytest.raises(ProgrammingError):
+        await execute_queries_on_unit(
+            primary_unit_address,
+            results["mysql"]["username"],
+            results["mysql"]["password"],
+            ["CREATE DATABASE IF NOT EXISTS test"],
+            commit=True,
+        )
+
+    logger.info("Checking that the database-level DBA role can see all databases")
+    await execute_queries_on_unit(
+        primary_unit_address,
+        results["mysql"]["username"],
+        results["mysql"]["password"],
+        ["SHOW DATABASES"],
+        commit=True,
+    )
+
+    logger.info("Checking that the database-level DBA role can create a new table")
+    await execute_queries_on_unit(
+        primary_unit_address,
+        results["mysql"]["username"],
+        results["mysql"]["password"],
+        [
+            "CREATE TABLE preserved.test_table (`id` SERIAL PRIMARY KEY, `data` TEXT)",
+        ],
+        commit=True,
+    )
+
+    logger.info("Checking that the database-level DBA role can write into an existing table")
+    await execute_queries_on_unit(
+        primary_unit_address,
+        results["mysql"]["username"],
+        results["mysql"]["password"],
+        [
+            "INSERT INTO preserved.test_table (`data`) VALUES ('test_data_1', 'test_data_2')",
+        ],
+        commit=True,
+    )
+
+    logger.info("Checking that the database-level DBA role can read from an existing table")
+    rows = await execute_queries_on_unit(
+        primary_unit_address,
+        results["mysql"]["username"],
+        results["mysql"]["password"],
+        [
+            "SELECT `data` FROM preserved.test_table",
+        ],
+        commit=True,
+    )
+    assert sorted(rows) == sorted([
+        "test_data_1",
+        "test_data_2",
+    ]), "Unexpected data in preserved with charmed_dba_preserved role"
diff --git a/tests/integration/roles/test_instance_dba_role.py b/tests/integration/roles/test_instance_dba_role.py
@@ -3,19 +3,21 @@
 # See LICENSE file for licensing details.
 
 import asyncio
+import logging
 from pathlib import Path
 
 import pytest
 import yaml
 from pytest_operator.plugin import OpsTest
 
-from . import juju_
-from .helpers import (
+from .. import juju_
+from ..helpers import (
     execute_queries_on_unit,
     get_primary_unit,
-    get_server_config_credentials,
 )
 
+logger = logging.getLogger(__name__)
+
 METADATA = yaml.safe_load(Path("./metadata.yaml").read_text())
 
 DATABASE_APP_NAME = METADATA["name"]
@@ -46,7 +48,7 @@ async def test_build_and_deploy(ops_test: OpsTest, charm) -> None:
 
 @pytest.mark.abort_on_fail
 async def test_charmed_dba_role(ops_test: OpsTest):
-    """Test the DBA predefined role."""
+    """Test the instance-level DBA role."""
     await ops_test.model.applications[INTEGRATOR_APP_NAME].set_config({
         "database-name": "charmed_dba_database",
         "extra-user-roles": "charmed_dba",
@@ -59,19 +61,23 @@ async def test_charmed_dba_role(ops_test: OpsTest):
     mysql_unit = ops_test.model.applications[DATABASE_APP_NAME].units[0]
     primary_unit = await get_primary_unit(ops_test, mysql_unit, DATABASE_APP_NAME)
     primary_unit_address = await primary_unit.get_public_address()
-    server_config_credentials = await get_server_config_credentials(primary_unit)
 
+    data_integrator_unit = ops_test.model.applications[INTEGRATOR_APP_NAME].units[0]
+    results = await juju_.run_action(data_integrator_unit, "get-credentials")
+
+    logger.info("Checking that the instance-level DBA role can create new databases")
     await execute_queries_on_unit(
         primary_unit_address,
-        server_config_credentials["username"],
-        server_config_credentials["password"],
+        results["mysql"]["username"],
+        results["mysql"]["password"],
         ["CREATE DATABASE IF NOT EXISTS test"],
         commit=True,
     )
 
     data_integrator_unit = ops_test.model.applications[INTEGRATOR_APP_NAME].units[0]
     results = await juju_.run_action(data_integrator_unit, "get-credentials")
 
+    logger.info("Checking that the instance-level DBA role can see all databases")
     rows = await execute_queries_on_unit(
         primary_unit_address,
         results["mysql"]["username"],
diff --git a/tests/integration/roles/test_instance_roles.py b/tests/integration/roles/test_instance_roles.py
@@ -11,8 +11,8 @@
 from mysql.connector.errors import ProgrammingError
 from pytest_operator.plugin import OpsTest
 
-from . import juju_
-from .helpers import (
+from .. import juju_
+from ..helpers import (
     execute_queries_on_unit,
     get_primary_unit,
     get_server_config_credentials,
@@ -62,7 +62,7 @@ async def test_build_and_deploy(ops_test: OpsTest, charm) -> None:
 
 @pytest.mark.abort_on_fail
 async def test_charmed_read_role(ops_test: OpsTest):
-    """Test the charmed_read predefined role."""
+    """Test the instance-level charmed_read role."""
     await ops_test.model.applications[f"{INTEGRATOR_APP_NAME}1"].set_config({
         "database-name": "charmed_read_database",
         "extra-user-roles": "charmed_read",
@@ -143,7 +143,7 @@ async def test_charmed_read_role(ops_test: OpsTest):
 
 @pytest.mark.abort_on_fail
 async def test_charmed_dml_role(ops_test: OpsTest):
-    """Test the charmed_dml role."""
+    """Test the instance-level charmed_dml role."""
     await ops_test.model.applications[f"{INTEGRATOR_APP_NAME}1"].set_config({
         "database-name": "charmed_dml_database",
         "extra-user-roles": "",
diff --git a/tests/spread/test_database_dba_role.py/task.yaml b/tests/spread/test_database_dba_role.py/task.yaml
@@ -1,6 +1,6 @@
-summary: test_predefined_dba_role.py
+summary: test_database_dba_role.py
 environment:
-  TEST_MODULE: test_predefined_dba_role.py
+  TEST_MODULE: roles/test_database_dba_role.py
 execute: |
   tox run -e integration -- "tests/integration/$TEST_MODULE" --model testing --alluredir="$SPREAD_TASK/allure-results"
 artifacts:
diff --git a/tests/spread/test_instance_dba_role.py/task.yaml b/tests/spread/test_instance_dba_role.py/task.yaml
@@ -0,0 +1,7 @@
+summary: test_instance_dba_role.py
+environment:
+  TEST_MODULE: roles/test_instance_dba_role.py
+execute: |
+  tox run -e integration -- "tests/integration/$TEST_MODULE" --model testing --alluredir="$SPREAD_TASK/allure-results"
+artifacts:
+  - allure-results
diff --git a/tests/spread/test_instance_roles.py/task.yaml b/tests/spread/test_instance_roles.py/task.yaml
@@ -1,6 +1,6 @@
-summary: test_predefined_roles.py
+summary: test_instance_roles.py
 environment:
-  TEST_MODULE: test_predefined_roles.py
+  TEST_MODULE: roles/test_instance_roles.py
 execute: |
   tox run -e integration -- "tests/integration/$TEST_MODULE" --model testing --alluredir="$SPREAD_TASK/allure-results"
 artifacts:
diff --git a/tests/unit/test_mysql.py b/tests/unit/test_mysql.py

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# Copyright 2025 Canonical Ltd.`
	`2`	`+# See LICENSE file for licensing details.`