Support predefined roles

Author: sinclert-canonical

common/common/mysql_shell/__init__.py

@@ -19,6 +19,9 @@
 if typing.TYPE_CHECKING:
     from ..relations import database_requires
 
+_ROLE_DML = "charmed_dml"
+_ROLE_READ = "charmed_read"
+
 logger = logging.getLogger(__name__)
 
 
@@ -123,17 +126,51 @@ def _get_attributes(self, additional_attributes: dict = None) -> str:
             attributes.update(additional_attributes)
         return json.dumps(attributes)
 
-    def create_application_database_and_user(self, *, username: str, database: str) -> str:
-        """Create database and user for related database_provides application."""
+    # TODO python3.10 min version: Use `set` instead of `typing.Set`
+    def _get_mysql_roles(self, name_pattern: str) -> typing.Set[str]:
+        """Returns a set with the MySQL roles."""
+        logger.debug(f"Getting MySQL roles with {name_pattern=}")
+        output_file = self._container.path("/tmp/mysqlsh_output.json")
+        self._run_code(
+            _jinja_env.get_template("get_mysql_roles_with_pattern.py.jinja").render(
+                name_pattern=name_pattern,
+                output_filepath=output_file.relative_to_container,
+            )
+        )
+        with output_file.open("r") as file:
+            rows = json.load(file)
+        output_file.unlink()
+        logger.debug(f"MySQL roles found for {name_pattern=}: {len(rows)}")
+        return set(rows)
+
+    def create_application_database(self, *, database: str) -> str:
+        """Create database for related database_provides application."""
+        mysql_roles = self._get_mysql_roles("charmed_%")
+        statements = [f"CREATE DATABASE IF NOT EXISTS `{database}`"]
+        if _ROLE_READ in mysql_roles:
+            statements.append(
+                f"GRANT SELECT ON `{database}`.* TO {_ROLE_READ}",
+            )
+        if _ROLE_DML in mysql_roles:
+            statements.append(
+                f"GRANT SELECT, INSERT, DELETE, UPDATE ON `{database}`.* TO {_ROLE_DML}",
+            )
+
+        logger.debug(f"Creating {database=}")
+        self._run_sql(statements)
+        logger.debug(f"Created {database=}")
+        return database
+
+    def create_application_user(self, *, database: str, username: str) -> str:
+        """Create database user for related database_provides application."""
         attributes = self._get_attributes()
-        logger.debug(f"Creating {database=} and {username=} with {attributes=}")
         password = utils.generate_password()
+        logger.debug(f"Creating {username=} with {attributes=}")
         self._run_sql([
-            f"CREATE DATABASE IF NOT EXISTS `{database}`",
             f"CREATE USER `{username}` IDENTIFIED BY '{password}' ATTRIBUTE '{attributes}'",
             f"GRANT ALL PRIVILEGES ON `{database}`.* TO `{username}`",
         ])
-        logger.debug(f"Created {database=} and {username=} with {attributes=}")
+        logger.debug(f"Created {username=} with {attributes=}")
         return password
 
     def add_attributes_to_mysql_router_user(

common/common/mysql_shell/templates/get_mysql_roles_with_pattern.py.jinja

@@ -0,0 +1,12 @@
+import json
+
+result = session.run_sql(
+    "SELECT user FROM mysql.user WHERE user LIKE '{{ name_pattern }}'"
+)
+rows = result.fetch_all()
+# mysqlsh objects are weird—they quack (i.e. duck typing) like standard Python objects (e.g. list,
+# dict), but do not serialize to JSON correctly.
+# Cast to str & load from JSON str before serializing
+rows = json.loads(str(rows))
+with open("{{ output_filepath }}", "w") as file:
+    json.dump(rows, file)

common/common/relations/database_provides.py

@@ -121,9 +121,8 @@ def create_database_and_user(
         shell.delete_user(username, must_exist=False)
         logger.debug("Deleted user if exists before creating user")
 
-        password = shell.create_application_database_and_user(
-            username=username, database=self._database
-        )
+        ________ = shell.create_application_database(database=self._database)
+        password = shell.create_application_user(database=self._database, username=username)
 
         self._set_databag(
             username=username,

kubernetes/tests/unit/conftest.py

@@ -47,6 +47,7 @@ def patch(monkeypatch):
     )
     monkeypatch.setattr("common.workload.RunningWorkload._router_username", "")
     monkeypatch.setattr("common.mysql_shell.Shell._run_code", lambda *args, **kwargs: None)
+    monkeypatch.setattr("common.mysql_shell.Shell._get_mysql_roles", lambda *args, **kwargs: set())
     monkeypatch.setattr(
         "common.mysql_shell.Shell.get_mysql_router_user_for_unit", lambda *args, **kwargs: None
     )

machines/src/relations/deprecated_shared_db_database_provides.py

@@ -147,9 +147,9 @@ def create_database_and_user(
         shell.delete_user(self._username, must_exist=False)
         logger.debug("Deleted user if exists before creating user")
 
-        password = shell.create_application_database_and_user(
-            username=self._username, database=self._database
-        )
+        ________ = shell.create_application_database(database=self._database)
+        password = shell.create_application_user(database=self._database, username=self._username)
+
         self._peer_app_databag[self.peer_databag_password_key] = password
         self.set_databag(password=password)
 

machines/tests/unit/conftest.py

@@ -60,6 +60,7 @@ def patch(monkeypatch):
     )
     monkeypatch.setattr("common.workload.RunningWorkload._router_username", "")
     monkeypatch.setattr("common.mysql_shell.Shell._run_code", lambda *args, **kwargs: None)
+    monkeypatch.setattr("common.mysql_shell.Shell._get_mysql_roles", lambda *args, **kwargs: set())
     monkeypatch.setattr(
         "common.mysql_shell.Shell.get_mysql_router_user_for_unit", lambda *args, **kwargs: None
     )