Handle tables ownership (#298)

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

Author: marceloneppel

lib/charms/postgresql_k8s/v0/postgresql.py

@@ -22,7 +22,9 @@
 from typing import Dict, List, Optional, Set, Tuple
 
 import psycopg2
+from ops.model import Relation
 from psycopg2 import sql
+from psycopg2.sql import Composed
 
 # The unique Charmhub library identifier, never change it
 LIBID = "24ee217a54e840a598ff21a079c3e678"
@@ -32,7 +34,7 @@
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 20
+LIBPATCH = 21
 
 INVALID_EXTRA_USER_ROLE_BLOCKING_MESSAGE = "invalid role(s) for extra user roles"
 
@@ -117,13 +119,20 @@ def _connect_to_database(
         connection.autocommit = True
         return connection
 
-    def create_database(self, database: str, user: str, plugins: List[str] = []) -> None:
+    def create_database(
+        self,
+        database: str,
+        user: str,
+        plugins: List[str] = [],
+        client_relations: List[Relation] = [],
+    ) -> None:
         """Creates a new database and grant privileges to a user on it.
 
         Args:
             database: database to be created.
             user: user that will have access to the database.
             plugins: extensions to enable in the new database.
+            client_relations: current established client relations.
         """
         try:
             connection = self._connect_to_database()
@@ -142,29 +151,20 @@ def create_database(self, database: str, user: str, plugins: List[str] = []) ->
                         sql.Identifier(database), sql.Identifier(user_to_grant_access)
                     )
                 )
+            relations_accessing_this_database = 0
+            for relation in client_relations:
+                for data in relation.data.values():
+                    if data.get("database") == database:
+                        relations_accessing_this_database += 1
             with self._connect_to_database(database=database) as conn:
                 with conn.cursor() as curs:
-                    statements = []
                     curs.execute(
                         "SELECT schema_name FROM information_schema.schemata WHERE schema_name NOT LIKE 'pg_%' and schema_name <> 'information_schema';"
                     )
-                    for row in curs:
-                        schema = sql.Identifier(row[0])
-                        statements.append(
-                            sql.SQL(
-                                "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA {} TO {};"
-                            ).format(schema, sql.Identifier(user))
-                        )
-                        statements.append(
-                            sql.SQL(
-                                "GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA {} TO {};"
-                            ).format(schema, sql.Identifier(user))
-                        )
-                        statements.append(
-                            sql.SQL(
-                                "GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA {} TO {};"
-                            ).format(schema, sql.Identifier(user))
-                        )
+                    schemas = [row[0] for row in curs.fetchall()]
+                    statements = self._generate_database_privileges_statements(
+                        relations_accessing_this_database, schemas, user
+                    )
                     for statement in statements:
                         curs.execute(statement)
         except psycopg2.Error as e:
@@ -308,6 +308,55 @@ def enable_disable_extensions(self, extensions: Dict[str, bool], database: str =
             if connection is not None:
                 connection.close()
 
+    def _generate_database_privileges_statements(
+        self, relations_accessing_this_database: int, schemas: List[str], user: str
+    ) -> List[Composed]:
+        """Generates a list of databases privileges statements."""
+        statements = []
+        if relations_accessing_this_database == 1:
+            statements.append(
+                sql.SQL(
+                    """DO $$
+DECLARE r RECORD;
+BEGIN
+  FOR r IN (SELECT statement FROM (SELECT 1 AS index,'ALTER TABLE '|| schemaname || '."' || tablename ||'" OWNER TO {};' AS statement
+FROM pg_tables WHERE NOT schemaname IN ('pg_catalog', 'information_schema')
+UNION SELECT 2 AS index,'ALTER SEQUENCE '|| sequence_schema || '."' || sequence_name ||'" OWNER TO {};' AS statement
+FROM information_schema.sequences WHERE NOT sequence_schema IN ('pg_catalog', 'information_schema')
+UNION SELECT 3 AS index,'ALTER FUNCTION '|| nsp.nspname || '."' || p.proname ||'"('||pg_get_function_identity_arguments(p.oid)||') OWNER TO {};' AS statement
+FROM pg_proc p JOIN pg_namespace nsp ON p.pronamespace = nsp.oid WHERE NOT nsp.nspname IN ('pg_catalog', 'information_schema')
+UNION SELECT 4 AS index,'ALTER VIEW '|| schemaname || '."' || viewname ||'" OWNER TO {};' AS statement
+FROM pg_catalog.pg_views WHERE NOT schemaname IN ('pg_catalog', 'information_schema')) AS statements ORDER BY index) LOOP
+      EXECUTE format(r.statement);
+  END LOOP;
+END; $$;"""
+                ).format(
+                    sql.Identifier(user),
+                    sql.Identifier(user),
+                    sql.Identifier(user),
+                    sql.Identifier(user),
+                )
+            )
+        else:
+            for schema in schemas:
+                schema = sql.Identifier(schema)
+                statements.append(
+                    sql.SQL("GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA {} TO {};").format(
+                        schema, sql.Identifier(user)
+                    )
+                )
+                statements.append(
+                    sql.SQL("GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA {} TO {};").format(
+                        schema, sql.Identifier(user)
+                    )
+                )
+                statements.append(
+                    sql.SQL("GRANT ALL PRIVILEGES ON ALL FUNCTIONS IN SCHEMA {} TO {};").format(
+                        schema, sql.Identifier(user)
+                    )
+                )
+        return statements
+
     def get_postgresql_text_search_configs(self) -> Set[str]:
         """Returns the PostgreSQL available text search configs.
 

src/charm.py

@@ -1479,6 +1479,15 @@ def get_available_memory(self) -> int:
 
         return 0
 
+    @property
+    def client_relations(self) -> List[Relation]:
+        """Return the list of established client relations."""
+        relations = []
+        for relation_name in ["database", "db", "db-admin"]:
+            for relation in self.model.relations.get(relation_name, []):
+                relations.append(relation)
+        return relations
+
 
 if __name__ == "__main__":
     main(PostgresqlOperatorCharm)

src/relations/db.py

@@ -174,7 +174,9 @@ def set_up_relation(self, relation: Relation) -> bool:
                 if self.charm.config[plugin]
             ]
 
-            self.charm.postgresql.create_database(database, user, plugins=plugins)
+            self.charm.postgresql.create_database(
+                database, user, plugins=plugins, client_relations=self.charm.client_relations
+            )
 
         except (PostgreSQLCreateDatabaseError, PostgreSQLCreateUserError) as e:
             logger.exception(e)

src/relations/postgresql_provider.py

@@ -90,7 +90,9 @@ def _on_database_requested(self, event: DatabaseRequestedEvent) -> None:
                 if self.charm.config[plugin]
             ]
 
-            self.charm.postgresql.create_database(database, user, plugins=plugins)
+            self.charm.postgresql.create_database(
+                database, user, plugins=plugins, client_relations=self.charm.client_relations
+            )
 
             # Share the credentials with the application.
             self.database_provides.set_credentials(event.relation.id, user, password)

tests/unit/test_charm.py

@@ -1538,3 +1538,18 @@ def test_juju_run_exec_divergence(self, _juju_version: Mock, _topology_observer:
         harness = Harness(PostgresqlOperatorCharm)
         harness.begin()
         _topology_observer.assert_called_once_with(harness.charm, "/usr/bin/juju-exec")
+
+    def test_client_relations(self):
+        # Test when the charm has no relations.
+        self.assertEqual(self.charm.client_relations, [])
+
+        # Test when the charm has some relations.
+        self.harness.add_relation("database", "application")
+        self.harness.add_relation("db", "legacy-application")
+        self.harness.add_relation("db-admin", "legacy-admin-application")
+        database_relation = self.harness.model.get_relation("database")
+        db_relation = self.harness.model.get_relation("db")
+        db_admin_relation = self.harness.model.get_relation("db-admin")
+        self.assertEqual(
+            self.charm.client_relations, [database_relation, db_relation, db_admin_relation]
+        )

tests/unit/test_db.py

@@ -235,7 +235,9 @@ def test_set_up_relation(
             self.assertTrue(self.harness.charm.legacy_db_relation.set_up_relation(relation))
             user = f"relation-{self.rel_id}"
             postgresql_mock.create_user.assert_called_once_with(user, "test-password", False)
-            postgresql_mock.create_database.assert_called_once_with(DATABASE, user, plugins=[])
+            postgresql_mock.create_database.assert_called_once_with(
+                DATABASE, user, plugins=[], client_relations=[relation]
+            )
             _update_endpoints.assert_called_once()
             _update_unit_status.assert_called_once()
             self.assertNotIsInstance(self.harness.model.unit.status, BlockedStatus)
@@ -260,7 +262,9 @@ def test_set_up_relation(
                 )
             self.assertTrue(self.harness.charm.legacy_db_relation.set_up_relation(relation))
             postgresql_mock.create_user.assert_called_once_with(user, "test-password", False)
-            postgresql_mock.create_database.assert_called_once_with(DATABASE, user, plugins=[])
+            postgresql_mock.create_database.assert_called_once_with(
+                DATABASE, user, plugins=[], client_relations=[relation]
+            )
             _update_endpoints.assert_called_once()
             _update_unit_status.assert_called_once()
             self.assertNotIsInstance(self.harness.model.unit.status, BlockedStatus)
@@ -280,7 +284,7 @@ def test_set_up_relation(
             self.assertTrue(self.harness.charm.legacy_db_relation.set_up_relation(relation))
             postgresql_mock.create_user.assert_called_once_with(user, "test-password", False)
             postgresql_mock.create_database.assert_called_once_with(
-                "application", user, plugins=[]
+                "application", user, plugins=[], client_relations=[relation]
             )
             _update_endpoints.assert_called_once()
             _update_unit_status.assert_called_once()

tests/unit/test_postgresql_provider.py

@@ -124,7 +124,11 @@ def test_on_database_requested(
             postgresql_mock.create_user.assert_called_once_with(
                 user, "test-password", extra_user_roles=EXTRA_USER_ROLES
             )
-            postgresql_mock.create_database.assert_called_once_with(DATABASE, user, plugins=[])
+            database_relation = self.harness.model.get_relation(RELATION_NAME)
+            client_relations = [database_relation]
+            postgresql_mock.create_database.assert_called_once_with(
+                DATABASE, user, plugins=[], client_relations=client_relations
+            )
             postgresql_mock.get_postgresql_version.assert_called_once()
             _update_endpoints.assert_called_once()