[DPE-7500] Create catalog/database level roles

src/charm.py

@@ -1712,7 +1712,7 @@ def _start_primary(self, event: StartEvent) -> None:  # noqa: C901
             return
 
         try:
-            self.postgresql.create_predefined_roles()
+            self.postgresql.create_predefined_instance_roles()
         except PostgreSQLCreatePredefinedRolesError as e:
             logger.exception(e)
             self.unit.status = BlockedStatus("Failed to create pre-defined roles")

src/relations/postgresql_provider.py

@@ -110,12 +110,13 @@ def _on_database_requested(self, event: DatabaseRequestedEvent) -> None:
         try:
             # Creates the user and the database for this specific relation.
             user = f"relation-{event.relation.id}"
-            password = new_password()
-            self.charm.postgresql.create_user(user, password, extra_user_roles=extra_user_roles)
             plugins = self.charm.get_plugins()
 
-            self.charm.postgresql.create_database(
-                database, user, plugins=plugins, client_relations=self.charm.client_relations
+            self.charm.postgresql.create_database(database, plugins=plugins)
+
+            password = new_password()
+            self.charm.postgresql.create_user(
+                user, password, extra_user_roles=extra_user_roles, in_role=f"{database}_admin"
             )
 
             # Share the credentials with the application.

templates/patroni.yml.j2

@@ -97,6 +97,7 @@ bootstrap:
         logging_collector: 'on'
         wal_level: logical
         shared_preload_libraries: 'timescaledb,pgaudit,set_user'
+        session_preload_libraries: 'login_hook'
         set_user.block_log_statement: 'on'
         set_user.exit_on_error: 'on'
         set_user.superuser_allowlist: '+charmed_dba'
@@ -136,6 +137,7 @@ postgresql:
   data_dir: {{ data_path }}
   parameters:
     shared_preload_libraries: 'timescaledb,pgaudit,set_user'
+    session_preload_libraries: 'login_hook'
     set_user.block_log_statement: 'on'
     set_user.exit_on_error: 'on'
     set_user.superuser_allowlist: '+charmed_dba'

tests/integration/helpers.py

@@ -14,6 +14,7 @@
 
 import botocore
 import psycopg2
+import pytest
 import requests
 import yaml
 from juju.model import Model
@@ -755,6 +756,63 @@ def check_connected_user(
         assert False, "No result returned from the query"
 
 
+async def check_roles_and_their_permissions(
+    ops_test: OpsTest, relation_endpoint: str, database_name: str
+) -> None:
+    action = await ops_test.model.units[f"{DATA_INTEGRATOR_APP_NAME}/0"].run_action(
+        action_name="get-credentials"
+    )
+    result = await action.wait()
+    data_integrator_credentials = result.results
+    username = data_integrator_credentials[relation_endpoint]["username"]
+    uris = data_integrator_credentials[relation_endpoint]["uris"]
+    connection = None
+    try:
+        connection = psycopg2.connect(uris)
+        connection.autocommit = True
+        with connection.cursor() as cursor:
+            logger.info(
+                "Checking that the relation user is automatically escalated to the database owner user"
+            )
+            check_connected_user(cursor, username, f"{database_name}_owner")
+            logger.info("Creating a test table and inserting data")
+            cursor.execute("CREATE TABLE test_table (id INTEGER);")
+            logger.info("Inserting data into the test table")
+            cursor.execute("INSERT INTO test_table(id) VALUES(1);")
+            logger.info("Reading data from the test table")
+            cursor.execute("SELECT * FROM test_table;")
+            result = cursor.fetchall()
+            assert len(result) == 1, "The database owner user should be able to read the data"
+
+            logger.info("Checking that the database owner user can't create a database")
+            with pytest.raises(psycopg2.errors.InsufficientPrivilege):
+                cursor.execute(f"CREATE DATABASE {database_name}_2;")
+
+            logger.info("Checking that the relation user can't create a table")
+            cursor.execute("RESET ROLE;")
+            check_connected_user(cursor, username, username)
+            with pytest.raises(psycopg2.errors.InsufficientPrivilege):
+                cursor.execute("CREATE TABLE test_table_2 (id INTEGER);")
+    finally:
+        if connection is not None:
+            connection.close()
+
+    connection_string = f"host={data_integrator_credentials[relation_endpoint]['read-only-endpoints'].split(':')[0]} dbname={data_integrator_credentials[relation_endpoint]['database']} user={username} password={data_integrator_credentials[relation_endpoint]['password']}"
+    connection = None
+    try:
+        connection = psycopg2.connect(connection_string)
+        with connection.cursor() as cursor:
+            logger.info("Checking that the relation user can read data from the database")
+            check_connected_user(cursor, username, username, primary=False)
+            logger.info("Reading data from the test table")
+            cursor.execute("SELECT * FROM test_table;")
+            result = cursor.fetchall()
+            assert len(result) == 1, "The relation user should be able to read the data"
+    finally:
+        if connection is not None:
+            connection.close()
+
+
 async def check_tls(ops_test: OpsTest, unit_name: str, enabled: bool) -> bool:
     """Returns whether TLS is enabled on the specific PostgreSQL instance.
 
@@ -918,6 +976,14 @@ async def primary_changed(ops_test: OpsTest, old_primary: str) -> bool:
     return primary != old_primary
 
 
+def relations(ops_test: OpsTest, provider_app: str, requirer_app: str) -> list:
+    return [
+        relation
+        for relation in ops_test.model.applications[provider_app].relations
+        if not relation.is_peer and relation.requires.application_name == requirer_app
+    ]
+
+
 async def restart_machine(ops_test: OpsTest, unit_name: str) -> None:
     """Restart the machine where a unit run on.
 

tests/integration/new_relations/test_new_relations_1.py

@@ -225,26 +225,6 @@ async def test_filter_out_degraded_replicas(ops_test: OpsTest):
     )
 
 
-async def test_user_with_extra_roles(ops_test: OpsTest):
-    """Test superuser actions and the request for more permissions."""
-    # Get the connection string to connect to the database.
-    connection_string = await build_connection_string(
-        ops_test, APPLICATION_APP_NAME, FIRST_DATABASE_RELATION_NAME
-    )
-
-    # Connect to the database.
-    connection = psycopg2.connect(connection_string)
-    connection.autocommit = True
-    cursor = connection.cursor()
-
-    # Test the user can create a database and another user.
-    cursor.execute("CREATE DATABASE another_database;")
-    cursor.execute("CREATE USER another_user WITH ENCRYPTED PASSWORD 'test-password';")
-
-    cursor.close()
-    connection.close()
-
-
 async def test_two_applications_doesnt_share_the_same_relation_data(ops_test: OpsTest):
     """Test that two different application connect to the database with different credentials."""
     # Set some variables to use in this test.
@@ -394,7 +374,7 @@ async def test_relation_data_is_updated_correctly_when_scaling(ops_test: OpsTest
         # Add two more units.
         await ops_test.model.applications[DATABASE_APP_NAME].add_units(2)
         await ops_test.model.wait_for_idle(
-            apps=[DATABASE_APP_NAME], status="active", timeout=1500, wait_for_exact_units=4
+            apps=[DATABASE_APP_NAME], status="active", timeout=3000, wait_for_exact_units=4
         )
 
         assert_sync_standbys(