Adapt Charmed read / dml roles

sinclert-canonical · sinclert-canonical · commit d6ef3e29136f · 2025-07-28T10:29:13.000+02:00
diff --git a/lib/charms/mysql/v0/mysql.py b/lib/charms/mysql/v0/mysql.py
@@ -1239,11 +1239,9 @@ def configure_mysql_system_roles(self) -> None:
         role_to_queries = {
             ROLE_READ: [
                 f"CREATE ROLE {ROLE_READ}",
-                f"GRANT SELECT ON mysql.* TO {ROLE_READ}",
             ],
             ROLE_DML: [
                 f"CREATE ROLE {ROLE_DML}",
-                f"GRANT INSERT, DELETE, UPDATE ON mysql.* TO {ROLE_DML}",
             ],
             ROLE_STATS: [
                 f"CREATE ROLE {ROLE_STATS}",
@@ -1258,13 +1256,11 @@ def configure_mysql_system_roles(self) -> None:
             ],
             ROLE_DDL: [
                 f"CREATE ROLE {ROLE_DDL}",
-                f"GRANT charmed_read TO {ROLE_DDL}",
                 f"GRANT charmed_dml TO {ROLE_DDL}",
                 f"GRANT ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TABLESPACE, CREATE VIEW, SHOW_ROUTINE, SHOW VIEW, INDEX, REFERENCES, TRIGGER, LOCK TABLES ON *.* TO {ROLE_DDL}",
             ],
             ROLE_DBA: [
                 f"CREATE ROLE {ROLE_DBA}",
-                f"GRANT charmed_read TO {ROLE_DBA}",
                 f"GRANT charmed_dml TO {ROLE_DBA}",
                 f"GRANT charmed_stats TO {ROLE_DBA}",
                 f"GRANT charmed_backup TO {ROLE_DBA}",
@@ -1515,7 +1511,7 @@ def create_database(self, database: str) -> None:
             "shell.connect_to_primary()",
             f'session.run_sql("CREATE DATABASE IF NOT EXISTS `{database}`;")',
             f'session.run_sql("GRANT SELECT ON `{database}`.* TO {ROLE_READ};")',
-            f'session.run_sql("GRANT INSERT, DELETE, UPDATE ON `{database}`.* TO {ROLE_DML};")',
+            f'session.run_sql("GRANT SELECT, INSERT, DELETE, UPDATE ON `{database}`.* TO {ROLE_DML};")',
         )
 
         try:
diff --git a/tests/integration/test_predefined_roles.py b/tests/integration/test_predefined_roles.py
@@ -92,7 +92,7 @@ async def test_charmed_read_role(ops_test: OpsTest):
     data_integrator_unit = ops_test.model.applications[f"{INTEGRATOR_APP_NAME}1"].units[0]
     results = await juju_.run_action(data_integrator_unit, "get-credentials")
 
-    logger.info("Checking that the charmed_read role can read from the database")
+    logger.info("Checking that the charmed_read role can read from an existing table")
     rows = await execute_queries_on_unit(
         primary_unit_address,
         results["mysql"]["username"],
@@ -107,26 +107,26 @@ async def test_charmed_read_role(ops_test: OpsTest):
         "test_data_2",
     ]), "Unexpected data in charmed_read_database with charmed_read role"
 
-    logger.info("Checking that the charmed_read role cannot create a new table")
+    logger.info("Checking that the charmed_read role cannot write into an existing table")
     with pytest.raises(ProgrammingError):
         await execute_queries_on_unit(
             primary_unit_address,
             results["mysql"]["username"],
             results["mysql"]["password"],
             [
-                "CREATE TABLE charmed_read_database.new_table (`id` SERIAL PRIMARY KEY, `data` TEXT)",
+                "INSERT INTO charmed_read_database.test_table (`data`) VALUES ('test_data_3')",
             ],
             commit=True,
         )
 
-    logger.info("Checking that the charmed_read role cannot write to an existing table")
+    logger.info("Checking that the charmed_read role cannot create a new table")
     with pytest.raises(ProgrammingError):
         await execute_queries_on_unit(
             primary_unit_address,
             results["mysql"]["username"],
             results["mysql"]["password"],
             [
-                "INSERT INTO charmed_read_database.test_table (`data`) VALUES ('test_data_3'), ('test_data_4')",
+                "CREATE TABLE charmed_read_database.new_table (`id` SERIAL PRIMARY KEY, `data` TEXT)",
             ],
             commit=True,
         )
@@ -191,6 +191,22 @@ async def test_charmed_dml_role(ops_test: OpsTest):
     data_integrator_2_unit = ops_test.model.applications[f"{INTEGRATOR_APP_NAME}2"].units[0]
     results = await juju_.run_action(data_integrator_2_unit, "get-credentials")
 
+    logger.info("Checking that the charmed_dml role can read from an existing table")
+    rows = await execute_queries_on_unit(
+        primary_unit_address,
+        results["mysql"]["username"],
+        results["mysql"]["password"],
+        [
+            "SELECT `data` FROM charmed_dml_database.test_table",
+        ],
+        commit=True,
+    )
+
+    assert sorted(rows) == sorted([
+        "test_data_1",
+        "test_data_2",
+    ]), "Unexpected data in charmed_read_database with charmed_read role"
+
     logger.info("Checking that the charmed_dml role can write into an existing table")
     await execute_queries_on_unit(
         primary_unit_address,
@@ -202,14 +218,14 @@ async def test_charmed_dml_role(ops_test: OpsTest):
         commit=True,
     )
 
-    logger.info("Checking that the charmed_dml role cannot read from an existing table")
+    logger.info("Checking that the charmed_dml role cannot create a new table")
     with pytest.raises(ProgrammingError):
         await execute_queries_on_unit(
             primary_unit_address,
             results["mysql"]["username"],
             results["mysql"]["password"],
             [
-                "SELECT `data` FROM charmed_dml_database.test_table",
+                "CREATE TABLE charmed_dml_database.new_table (`id` SERIAL PRIMARY KEY, `data` TEXT)",
             ],
             commit=True,
         )
diff --git a/tests/unit/test_mysql.py b/tests/unit/test_mysql.py
@@ -180,10 +180,8 @@ def test_configure_mysql_system_roles(self, _run_mysqlcli_script, _list_mysql_ro
         _expected_configure_roles_commands = [
             # Charmed read queries
             f"CREATE ROLE {ROLE_READ}",
-            f"GRANT SELECT ON mysql.* TO {ROLE_READ}",
             # Charmed DML queries
             f"CREATE ROLE {ROLE_DML}",
-            f"GRANT INSERT, DELETE, UPDATE ON mysql.* TO {ROLE_DML}",
             # Charmed stats queries
             f"CREATE ROLE {ROLE_STATS}",
             f"GRANT SELECT ON performance_schema.* TO {ROLE_STATS}",
@@ -195,7 +193,6 @@ def test_configure_mysql_system_roles(self, _run_mysqlcli_script, _list_mysql_ro
             f"GRANT BACKUP_ADMIN, CONNECTION_ADMIN ON *.* TO {ROLE_BACKUP}",
             # Charmed DDL queries
             f"CREATE ROLE {ROLE_DDL}",
-            f"GRANT charmed_read TO {ROLE_DDL}",
             f"GRANT charmed_dml TO {ROLE_DDL}",
             f"GRANT ALTER, ALTER ROUTINE, CREATE, CREATE ROUTINE, CREATE TABLESPACE, CREATE VIEW, SHOW_ROUTINE, SHOW VIEW, INDEX, REFERENCES, TRIGGER, LOCK TABLES ON *.* TO {ROLE_DDL}",
         ]
@@ -368,7 +365,7 @@ def test_create_application_database(self, _run_mysqlsh_script):
             "shell.connect_to_primary()",
             'session.run_sql("CREATE DATABASE IF NOT EXISTS `test-database`;")',
             'session.run_sql("GRANT SELECT ON `test-database`.* TO charmed_read;")',
-            'session.run_sql("GRANT INSERT, DELETE, UPDATE ON `test-database`.* TO charmed_dml;")',
+            'session.run_sql("GRANT SELECT, INSERT, DELETE, UPDATE ON `test-database`.* TO charmed_dml;")',
         ))
 
         self.mysql.create_database("test-database")
