Conversation

@marceloneppel
Member

@marceloneppel marceloneppel commented Apr 8, 2025

Issue

Database access is not restricted through the pg_hba.conf file.

Solution

Retrieve the list that each user should have access to and rebuild the pg_hba.conf file rules based on that list, while keeping access to all the databases for the system users and superusers.

For the users created by this charm, some calls to the update_config method were added to the client relations files (src/relations/db.py and src/relations/postgresql_provider.py) to rebuild the pg_hba.conf file rules.

For the users created by the PgBouncer charm, the PostgreSQL charm needs to gather that information in some way because the data_interfaces doesn't share it yet. For that, an event trigger is used. That should be removed after we improve the interface.

An observer process (like the one we have in the VM charm) was created to update the list of users->databases in the replicas because the event trigger is fired only in the primary.

An integration test (tests/integration/test_pg_hba.py) was created to validate users created by both this and external charms (PgBouncer is simulated by creating users through the Data Integrator relation user).

Still in progress (while you review the PR): fixing the failing integration tests and increasing coverage.

Checklist

  • I have added or updated any relevant documentation.
  • I have cleaned any remaining cloud resources from my accounts.

Signed-off-by: Marcelo Henrique Neppel <marcelo.neppel@canonical.com>
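The rebuild described above, as an added illustration that is not the charm's own code: a user -> databases map becomes pg_hba.conf rules, system users and superusers keep access to every database, and the on-disk file is compared by digest so replicas only rewrite (and reload) when the rules actually changed. The rule format, the address range, the `peer` local rule and the system-user set are assumptions.

```python
"""Rebuild pg_hba.conf from a user -> databases map (added example).

Illustration of the approach the PR describes, not the charm's own code.
The rule format, address range and default system-user set are assumptions.
"""
from __future__ import annotations

import hashlib

# Assumed: charm-managed system users that keep access to every database.
SYSTEM_USERS = frozenset({"operator", "replication", "rewind", "monitoring"})


def build_pg_hba_rules(
    user_databases: dict[str, list[str]],
    superusers: set[str],
    system_users: frozenset[str] = SYSTEM_USERS,
    auth_method: str = "scram-sha-256",
) -> list[str]:
    """Return pg_hba lines: system users and superusers reach every database,
    every other user only the databases it was granted (none: no rule)."""
    rules = ["local all postgres peer"]  # assumed local socket rule
    for user in sorted(system_users | superusers):
        rules.append(f"host all {user} 0.0.0.0/0 {auth_method}")
    for user, databases in sorted(user_databases.items()):
        if user in system_users or user in superusers:
            continue  # already covered by an 'all' rule above
        if not databases:
            continue  # no grants, no rule: the user cannot connect at all
        # pg_hba.conf accepts a comma-separated database list in one rule.
        db_list = ",".join(sorted(set(databases)))
        rules.append(f"host {db_list} {user} 0.0.0.0/0 {auth_method}")
    return rules


def render(rules: list[str]) -> str:
    return "\n".join(rules) + "\n"


def rules_changed(current_text: str, rules: list[str]) -> bool:
    """Compare the on-disk file with the rebuilt rules by digest, so an
    observer only rewrites and reloads when something actually changed."""
    current = hashlib.sha256(current_text.encode()).hexdigest()
    wanted = hashlib.sha256(render(rules).encode()).hexdigest()
    return current != wanted


if __name__ == "__main__":
    # Constructed sample: one relation user with two databases, one with none.
    print(render(build_pg_hba_rules({"app1": ["db2", "db1"], "app2": []}, {"admin"})))
```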
@codecov

codecov bot commented Apr 8, 2025

Codecov Report

Attention: Patch coverage is 30.55556% with 100 lines in your changes missing coverage. Please review.

Project coverage is 73.02%. Comparing base (fcfa631) to head (db78f37).
Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
scripts/authorisation_rules_observer.py 0.00% 51 Missing ⚠️
src/authorisation_rules_observer.py 45.83% 24 Missing and 2 partials ⚠️
src/relations/postgresql_provider.py 33.33% 10 Missing ⚠️
src/charm.py 63.15% 6 Missing and 1 partial ⚠️
src/relations/db.py 50.00% 5 Missing ⚠️
src/upgrade.py 0.00% 1 Missing ⚠️

❌ Your patch status has failed because the patch coverage (30.55%) is below the target coverage (33.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #919      +/-   ##
==========================================
- Coverage   74.65%   73.02%   -1.64%     
==========================================
  Files          13       15       +2     
  Lines        3729     3870     +141     
  Branches      550      564      +14     
==========================================
+ Hits         2784     2826      +42     
- Misses        738      834      +96     
- Partials      207      210       +3     

@marceloneppel marceloneppel changed the title [DPE-6899] User-database pg_hba rules [DPE-6899] User->databases pg_hba rules Apr 9, 2025
)
if cursor.fetchone() is None:
    cursor.execute("""
CREATE OR REPLACE FUNCTION update_pg_hba()
Member Author

Function used to update the pg_hba file when PgBouncer creates or deletes a user.

@marceloneppel marceloneppel marked this pull request as ready for review May 7, 2025 10:18
if is_primary:
    # Read contents from the pg_hba.conf file.
    with open("/var/lib/postgresql/data/pgdata/pg_hba.conf") as file:
        current_authorisation_rules = file.read()
Contributor

Going forward, we should most probably just hash the file.

@taurus-forever taurus-forever left a comment

Thank you!

@marceloneppel marceloneppel added the enhancement New feature, UI change, or workload upgrade label May 7, 2025
@marceloneppel marceloneppel merged commit d35d35e into main May 7, 2025
103 of 104 checks passed
@marceloneppel marceloneppel deleted the dpe-6899-user-database-hba-rules branch May 7, 2025 17:55
Labels

enhancement New feature, UI change, or workload upgrade Libraries: Out of sync

4 participants