Extending read-only DB configuration (#7139)

Author: galvana

CHANGELOG.md

@@ -35,6 +35,7 @@ Changes can also be flagged with a GitHub label for tracking purposes. The URL o
 - Increasing default async DB pool size to 50 pooled connections and 50 overflow connections [#7126](https://github.com/ethyca/fides/pull/7126)
 - Track active taxonomy in URL in taxonomy screen [#7113](https://github.com/ethyca/fides/pull/7113)
 - Updated status labels for the Action Center [#7098](https://github.com/ethyca/fides/pull/7098)
+- Extending read-only DB configuration [#7139](https://github.com/ethyca/fides/pull/7139)
 
 ### Developer Experience
 - Migrated consent settings tables to Ant Design [#7084](https://github.com/ethyca/fides/pull/7084)

src/fides/api/api/deps.py

@@ -56,6 +56,28 @@ def get_autoclose_db_session() -> Generator[Session, None, None]:
         db.close()
 
 
+@contextmanager
+def get_readonly_autoclose_db_session() -> Generator[Session, None, None]:
+    """
+    Return a read-only database session as a context manager that automatically closes.
+    Falls back to primary database session if read-only is not configured.
+
+    Use this when you need manual control over the session lifecycle outside of API endpoints.
+    """
+    if not CONFIG.database.sqlalchemy_readonly_database_uri:
+        # If read-only not configured, use primary session
+        with get_autoclose_db_session() as db:
+            yield db
+        return
+
+    # Create read-only session using existing get_readonly_api_session
+    try:
+        db = get_readonly_api_session()
+        yield db
+    finally:
+        db.close()
+
+
 def get_api_session() -> Session:
     """Gets the shared database session to use for API functionality"""
     global _engine  # pylint: disable=W0603

src/fides/api/db/ctl_session.py

@@ -1,5 +1,5 @@
 import ssl
-from typing import Any, AsyncGenerator, Dict
+from typing import Any, AsyncGenerator, Callable, Dict
 
 from sqlalchemy import create_engine
 from sqlalchemy.ext.asyncio import AsyncSession, create_async_engine
@@ -41,6 +41,53 @@
 )
 async_session = sessionmaker(async_engine, class_=AsyncSession, expire_on_commit=False)
 
+# Read-only async engine and session
+# Only created if read-only database URI is configured
+readonly_async_engine: Any = None
+readonly_async_session: Callable[[], AsyncSession]
+
+# Initialize readonly_async_session (will be overridden if readonly DB is configured)
+readonly_async_session = async_session
+
+if CONFIG.database.async_readonly_database_uri:
+    # Build connect_args for readonly (similar to primary)
+    readonly_connect_args: Dict[str, Any] = {}
+    readonly_params = CONFIG.database.readonly_params or {}
+
+    if readonly_params.get("sslrootcert"):
+        ssl_ctx = ssl.create_default_context(cafile=readonly_params["sslrootcert"])
+        ssl_ctx.verify_mode = ssl.CERT_REQUIRED
+        readonly_connect_args["ssl"] = ssl_ctx
+
+    if CONFIG.database.api_async_engine_keepalives_idle:
+        readonly_connect_args["keepalives_idle"] = (
+            CONFIG.database.api_async_engine_keepalives_idle
+        )
+    if CONFIG.database.api_async_engine_keepalives_interval:
+        readonly_connect_args["keepalives_interval"] = (
+            CONFIG.database.api_async_engine_keepalives_interval
+        )
+    if CONFIG.database.api_async_engine_keepalives_count:
+        readonly_connect_args["keepalives_count"] = (
+            CONFIG.database.api_async_engine_keepalives_count
+        )
+
+    readonly_async_engine = create_async_engine(
+        CONFIG.database.async_readonly_database_uri,
+        connect_args=readonly_connect_args,
+        echo=False,
+        hide_parameters=not CONFIG.dev_mode,
+        logging_name="ReadOnlyAsyncEngine",
+        json_serializer=custom_json_serializer,
+        json_deserializer=custom_json_deserializer,
+        pool_size=CONFIG.database.api_async_engine_pool_size,
+        max_overflow=CONFIG.database.api_async_engine_max_overflow,
+        pool_pre_ping=CONFIG.database.api_async_engine_pool_pre_ping,
+    )
+    readonly_async_session = sessionmaker(
+        readonly_async_engine, class_=AsyncSession, expire_on_commit=False
+    )
+
 # TODO: this engine and session are only used in test modules,
 # and they do not respect engine settings like pool_size, max_overflow, etc.
 # these should be removed, and we should standardize on what's provided in `session.py`

src/fides/config/database_settings.py

@@ -6,7 +6,13 @@
 from typing import Dict, Optional, cast
 from urllib.parse import quote, quote_plus, urlencode
 
-from pydantic import Field, PostgresDsn, ValidationInfo, field_validator
+from pydantic import (
+    Field,
+    PostgresDsn,
+    ValidationInfo,
+    field_validator,
+    model_validator,
+)
 from pydantic_settings import SettingsConfigDict
 
 from fides.config.utils import get_test_mode
@@ -101,12 +107,26 @@ class DatabaseSettings(FidesSettings):
         default=None,
         description="The hostname of the application read database server.",
     )
-
-    # TODO (LJ-663): add optional readonly_user
-    # TODO (LJ-663): add optional readonly_password
-    # TODO (LJ-663): add optional readonly_port
-    # TODO (LJ-663): add optional readonly_params
-    # TODO (LJ-663): add optional readonly_db
+    readonly_user: Optional[str] = Field(
+        default=None,
+        description="The database user for read-only database connections. If not provided and readonly_server is set, uses 'user'.",
+    )
+    readonly_password: Optional[str] = Field(
+        default=None,
+        description="The password for read-only database connections. If not provided and readonly_server is set, uses 'password'.",
+    )
+    readonly_port: Optional[str] = Field(
+        default=None,
+        description="The port for read-only database connections. If not provided and readonly_server is set, uses 'port'.",
+    )
+    readonly_db: Optional[str] = Field(
+        default=None,
+        description="The database name for read-only database connections. If not provided and readonly_server is set, uses 'db'.",
+    )
+    readonly_params: Dict = Field(
+        default={},
+        description="Additional connection parameters for read-only database connections. If not provided and readonly_server is set, uses 'params'.",
+    )
 
     task_engine_pool_size: int = Field(
         default=50,
@@ -172,6 +192,11 @@ class DatabaseSettings(FidesSettings):
         description="Programmatically created synchronous connection string for the configured database (either application or test).",
         exclude=True,
     )
+    async_readonly_database_uri: Optional[str] = Field(
+        default=None,
+        description="Programmatically created asynchronous connection string for the read-only application database.",
+        exclude=True,
+    )
 
     @field_validator("password", mode="before")
     @classmethod
@@ -181,6 +206,39 @@ def escape_password(cls, value: Optional[str]) -> Optional[str]:
             return quote_plus(value)
         return value
 
+    @model_validator(mode="before")
+    @classmethod
+    def resolve_readonly_fields(cls, values: Dict) -> Dict:
+        """
+        If readonly_server is set but readonly fields are not provided,
+        fall back to primary database values.
+        """
+        if values.get("readonly_server"):
+            # Fall back to primary user if readonly_user not provided
+            if values.get("readonly_user") is None:
+                values["readonly_user"] = values.get("user")
+
+            # Fall back to primary password if readonly_password not provided
+            if values.get("readonly_password") is None:
+                values["readonly_password"] = values.get("password")
+            # If readonly_password was provided directly, escape it
+            elif isinstance(values.get("readonly_password"), str):
+                values["readonly_password"] = quote_plus(values["readonly_password"])
+
+            # Fall back to primary port if readonly_port not provided
+            if values.get("readonly_port") is None:
+                values["readonly_port"] = values.get("port")
+
+            # Fall back to primary db if readonly_db not provided
+            if values.get("readonly_db") is None:
+                values["readonly_db"] = values.get("db")
+
+            # Fall back to primary params if readonly_params not provided
+            if not values.get("readonly_params"):
+                values["readonly_params"] = values.get("params", {})
+
+        return values
+
     @field_validator("sync_database_uri", mode="before")
     @classmethod
     def assemble_sync_database_uri(
@@ -281,25 +339,68 @@ def assemble_readonly_db_connection(
         if not info.data.get("readonly_server"):
             return None
         port: int = port_integer_converter(info)
+        readonly_port: int = (
+            port_integer_converter(info, "readonly_port")
+            if info.data.get("readonly_port")
+            else port
+        )
         return str(
-            # TODO: support optional readonly params for user, password, etc.
             PostgresDsn.build(  # pylint: disable=no-member
-                scheme="postgresql",
-                username=info.data.get("user"),
-                password=info.data.get("password"),
+                scheme="postgresql+psycopg2",
+                username=info.data.get("readonly_user") or info.data.get("user"),
+                password=info.data.get("readonly_password")
+                or info.data.get("password"),
                 host=info.data.get("readonly_server"),
-                port=port,
-                path=f"{info.data.get('db') or ''}",
+                port=readonly_port,
+                path=f"{info.data.get('readonly_db') or info.data.get('db') or ''}",
                 query=(
                     urlencode(
-                        cast(Dict, info.data.get("params")), quote_via=quote, safe="/"
+                        cast(Dict, info.data.get("readonly_params")),
+                        quote_via=quote,
+                        safe="/",
                     )
-                    if info.data.get("params")
+                    if info.data.get("readonly_params")
                     else None
                 ),
             )
         )
 
+    @field_validator("async_readonly_database_uri", mode="before")
+    @classmethod
+    def assemble_async_readonly_db_connection(
+        cls, v: Optional[str], info: ValidationInfo
+    ) -> Optional[str]:
+        """Join DB connection credentials into an async read-only connection string."""
+        if isinstance(v, str) and v:
+            return v
+        if not info.data.get("readonly_server"):
+            return None
+
+        # Handle SSL params for asyncpg (same as async_database_uri)
+        params = cast(Dict, deepcopy(info.data.get("readonly_params", {})))
+        if "sslmode" in params:
+            params["ssl"] = params.pop("sslmode")
+        params.pop("sslrootcert", None)
+
+        port: int = port_integer_converter(info)
+        readonly_port: int = (
+            port_integer_converter(info, "readonly_port")
+            if info.data.get("readonly_port")
+            else port
+        )
+        return str(
+            PostgresDsn.build(  # pylint: disable=no-member
+                scheme="postgresql+asyncpg",
+                username=info.data.get("readonly_user") or info.data.get("user"),
+                password=info.data.get("readonly_password")
+                or info.data.get("password"),
+                host=info.data.get("readonly_server"),
+                port=readonly_port,
+                path=f"{info.data.get('readonly_db') or info.data.get('db') or ''}",
+                query=urlencode(params, quote_via=quote, safe="/") if params else None,
+            )
+        )
+
     @field_validator("sqlalchemy_test_database_uri", mode="before")
     @classmethod
     def assemble_test_db_connection(cls, v: Optional[str], info: ValidationInfo) -> str: