[DPE-7500] Create catalog/database level roles (#921)

* Implement instance level predefined roles

* Fix minor bug introduced while rebasing off of 16/edge

* Add integration test for charmed_read and charmed_dml roles

* Revert all major changes except introduction of predefined roles

* Sweep diff and minor bug fixes

* Avoid creating set_user extension

* Port Carl's fix for broken unit tests

* Create set_up_predefined_catalog_roles_function

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Fix linting and run function on database creation

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Add login hook function

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Escalate relation users

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Add integration test

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Fix unit test

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Check for no write permissions for relation user

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Don't set up catalog roles if they already exist

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Test database creation permission

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Improve logs and move cleanup process to the beginning of the test

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Wait for relation to be removed and retrieve primary

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Handle re-relation

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Add test for removing and re-adding relation

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Test roles after database re-creation

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Test table creation failure for charmed_databases_owner user

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Deduplicate relations retrieval code

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Check that the relation user can escalate to the database owner user and create a table

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Check escalation back to charmed_databases_owner

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Test permissions on newly created database

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Check database owner user permissions in the newly created database

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Reduce duplicated code with check_connected_user helper function

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Reduce more duplicated code with check_connected_user helper function

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Bump library

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Fix test_charmed_read_role

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Remove admin and postgres roles

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Create DBA role

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Bump postgresql charm lib for 16/edge to v1 due to backwards incompatible changes

* Remove admin role test

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Add DBA user test

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Test DBA role in replica

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Grant reset_user function to DBA role

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Test set_user function for unprivileged users

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Reduce duplicate code in check_connected_user helper function

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Fix charmed_databases_owner permissions

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Fix test_charmed_dba_role

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Re-add mistakenly removed patch statements

* Reset connection to None before creating a new connection

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

* Remove irrelevant test and increase timeout

Signed-off-by: Marcelo Henrique Neppel <[email protected]>

---------

Signed-off-by: Marcelo Henrique Neppel <[email protected]>
Co-authored-by: Shayan Patel <[email protected]>

Author: marceloneppel

lib/charms/postgresql_k8s/v1/postgresql.py

@@ -1712,7 +1712,7 @@ def _start_primary(self, event: StartEvent) -> None:  # noqa: C901
             return
 
         try:
-            self.postgresql.create_predefined_roles()
+            self.postgresql.create_predefined_instance_roles()
         except PostgreSQLCreatePredefinedRolesError as e:
             logger.exception(e)
             self.unit.status = BlockedStatus("Failed to create pre-defined roles")

src/charm.py

@@ -110,12 +110,13 @@ def _on_database_requested(self, event: DatabaseRequestedEvent) -> None:
         try:
             # Creates the user and the database for this specific relation.
             user = f"relation-{event.relation.id}"
-            password = new_password()
-            self.charm.postgresql.create_user(user, password, extra_user_roles=extra_user_roles)
             plugins = self.charm.get_plugins()
 
-            self.charm.postgresql.create_database(
-                database, user, plugins=plugins, client_relations=self.charm.client_relations
+            self.charm.postgresql.create_database(database, plugins=plugins)
+
+            password = new_password()
+            self.charm.postgresql.create_user(
+                user, password, extra_user_roles=extra_user_roles, in_role=f"{database}_admin"
             )
 
             # Share the credentials with the application.

src/relations/postgresql_provider.py

@@ -97,6 +97,7 @@ bootstrap:
         logging_collector: 'on'
         wal_level: logical
         shared_preload_libraries: 'timescaledb,pgaudit,set_user'
+        session_preload_libraries: 'login_hook'
         set_user.block_log_statement: 'on'
         set_user.exit_on_error: 'on'
         set_user.superuser_allowlist: '+charmed_dba'
@@ -136,6 +137,7 @@ postgresql:
   data_dir: {{ data_path }}
   parameters:
     shared_preload_libraries: 'timescaledb,pgaudit,set_user'
+    session_preload_libraries: 'login_hook'
     set_user.block_log_statement: 'on'
     set_user.exit_on_error: 'on'
     set_user.superuser_allowlist: '+charmed_dba'

templates/patroni.yml.j2

@@ -14,6 +14,7 @@
 
 import botocore
 import psycopg2
+import pytest
 import requests
 import yaml
 from juju.model import Model
@@ -755,6 +756,63 @@ def check_connected_user(
         assert False, "No result returned from the query"
 
 
+async def check_roles_and_their_permissions(
+    ops_test: OpsTest, relation_endpoint: str, database_name: str
+) -> None:
+    action = await ops_test.model.units[f"{DATA_INTEGRATOR_APP_NAME}/0"].run_action(
+        action_name="get-credentials"
+    )
+    result = await action.wait()
+    data_integrator_credentials = result.results
+    username = data_integrator_credentials[relation_endpoint]["username"]
+    uris = data_integrator_credentials[relation_endpoint]["uris"]
+    connection = None
+    try:
+        connection = psycopg2.connect(uris)
+        connection.autocommit = True
+        with connection.cursor() as cursor:
+            logger.info(
+                "Checking that the relation user is automatically escalated to the database owner user"
+            )
+            check_connected_user(cursor, username, f"{database_name}_owner")
+            logger.info("Creating a test table and inserting data")
+            cursor.execute("CREATE TABLE test_table (id INTEGER);")
+            logger.info("Inserting data into the test table")
+            cursor.execute("INSERT INTO test_table(id) VALUES(1);")
+            logger.info("Reading data from the test table")
+            cursor.execute("SELECT * FROM test_table;")
+            result = cursor.fetchall()
+            assert len(result) == 1, "The database owner user should be able to read the data"
+
+            logger.info("Checking that the database owner user can't create a database")
+            with pytest.raises(psycopg2.errors.InsufficientPrivilege):
+                cursor.execute(f"CREATE DATABASE {database_name}_2;")
+
+            logger.info("Checking that the relation user can't create a table")
+            cursor.execute("RESET ROLE;")
+            check_connected_user(cursor, username, username)
+            with pytest.raises(psycopg2.errors.InsufficientPrivilege):
+                cursor.execute("CREATE TABLE test_table_2 (id INTEGER);")
+    finally:
+        if connection is not None:
+            connection.close()
+
+    connection_string = f"host={data_integrator_credentials[relation_endpoint]['read-only-endpoints'].split(':')[0]} dbname={data_integrator_credentials[relation_endpoint]['database']} user={username} password={data_integrator_credentials[relation_endpoint]['password']}"
+    connection = None
+    try:
+        connection = psycopg2.connect(connection_string)
+        with connection.cursor() as cursor:
+            logger.info("Checking that the relation user can read data from the database")
+            check_connected_user(cursor, username, username, primary=False)
+            logger.info("Reading data from the test table")
+            cursor.execute("SELECT * FROM test_table;")
+            result = cursor.fetchall()
+            assert len(result) == 1, "The relation user should be able to read the data"
+    finally:
+        if connection is not None:
+            connection.close()
+
+
 async def check_tls(ops_test: OpsTest, unit_name: str, enabled: bool) -> bool:
     """Returns whether TLS is enabled on the specific PostgreSQL instance.
 
@@ -918,6 +976,14 @@ async def primary_changed(ops_test: OpsTest, old_primary: str) -> bool:
     return primary != old_primary
 
 
+def relations(ops_test: OpsTest, provider_app: str, requirer_app: str) -> list:
+    return [
+        relation
+        for relation in ops_test.model.applications[provider_app].relations
+        if not relation.is_peer and relation.requires.application_name == requirer_app
+    ]
+
+
 async def restart_machine(ops_test: OpsTest, unit_name: str) -> None:
     """Restart the machine where a unit run on.
 

tests/integration/helpers.py

@@ -225,26 +225,6 @@ async def test_filter_out_degraded_replicas(ops_test: OpsTest):
     )
 
 
-async def test_user_with_extra_roles(ops_test: OpsTest):
-    """Test superuser actions and the request for more permissions."""
-    # Get the connection string to connect to the database.
-    connection_string = await build_connection_string(
-        ops_test, APPLICATION_APP_NAME, FIRST_DATABASE_RELATION_NAME
-    )
-
-    # Connect to the database.
-    connection = psycopg2.connect(connection_string)
-    connection.autocommit = True
-    cursor = connection.cursor()
-
-    # Test the user can create a database and another user.
-    cursor.execute("CREATE DATABASE another_database;")
-    cursor.execute("CREATE USER another_user WITH ENCRYPTED PASSWORD 'test-password';")
-
-    cursor.close()
-    connection.close()
-
-
 async def test_two_applications_doesnt_share_the_same_relation_data(ops_test: OpsTest):
     """Test that two different application connect to the database with different credentials."""
     # Set some variables to use in this test.
@@ -394,7 +374,7 @@ async def test_relation_data_is_updated_correctly_when_scaling(ops_test: OpsTest
         # Add two more units.
         await ops_test.model.applications[DATABASE_APP_NAME].add_units(2)
         await ops_test.model.wait_for_idle(
-            apps=[DATABASE_APP_NAME], status="active", timeout=1500, wait_for_exact_units=4
+            apps=[DATABASE_APP_NAME], status="active", timeout=3000, wait_for_exact_units=4
         )
 
         assert_sync_standbys(