Merge branch '16/edge' into sync14to16

Author: dragomirp

lib/charms/operator_libs_linux/v2/snap.py

@@ -102,7 +102,7 @@
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 10
+LIBPATCH = 11
 
 
 # Regex to locate 7-bit C1 ANSI sequences
@@ -577,6 +577,9 @@ def _refresh(
         if revision:
             args.append(f'--revision="{revision}"')
 
+        if self.confinement == 'classic':
+            args.append('--classic')
+
         if devmode:
             args.append("--devmode")
 

lib/charms/postgresql_k8s/v0/postgresql.py

@@ -31,11 +31,11 @@
 LIBID = "24ee217a54e840a598ff21a079c3e678"
 
 # Increment this major API version when introducing breaking changes
-LIBAPI = 0
+LIBAPI = 1
 
 # Increment this PATCH version before using `charmcraft publish-lib` or reset
 # to 0 if you are raising the major API version
-LIBPATCH = 53
+LIBPATCH = 0
 
 # Groups to distinguish HBA access
 ACCESS_GROUP_IDENTITY = "identity_access"
@@ -49,6 +49,11 @@
     ACCESS_GROUP_RELATION,
 ]
 
+ROLE_STATS = "charmed_stats"
+ROLE_READ = "charmed_read"
+ROLE_DML = "charmed_dml"
+ROLE_BACKUP = "charmed_backup"
+
 # Groups to distinguish database permissions
 PERMISSIONS_GROUP_ADMIN = "admin"
 
@@ -129,6 +134,14 @@ class PostgreSQLUpdateUserPasswordError(Exception):
     """Exception raised when updating a user password fails."""
 
 
+class PostgreSQLCreatePredefinedRolesError(Exception):
+    """Exception raised when creating predefined roles."""
+
+
+class PostgreSQLGrantDatabasePrivilegesToUserError(Exception):
+    """Exception raised when granting database privileges to user."""
+
+
 class PostgreSQL:
     """Class to encapsulate all operations related to interacting with PostgreSQL instance."""
 
@@ -335,6 +348,60 @@ def create_user(
             logger.error(f"Failed to create user: {e}")
             raise PostgreSQLCreateUserError() from e
 
+    def create_predefined_roles(self) -> None:
+        """Create predefined roles."""
+        role_to_queries = {
+            ROLE_STATS: [
+                f"CREATE ROLE {ROLE_STATS} NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION NOLOGIN IN ROLE pg_monitor",
+            ],
+            ROLE_READ: [
+                f"CREATE ROLE {ROLE_READ} NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION NOLOGIN IN ROLE pg_read_all_data",
+            ],
+            ROLE_DML: [
+                f"CREATE ROLE {ROLE_DML} NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION NOLOGIN IN ROLE pg_write_all_data",
+            ],
+            ROLE_BACKUP: [
+                f"CREATE ROLE {ROLE_BACKUP} NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION NOLOGIN IN ROLE pg_checkpoint",
+                f"GRANT {ROLE_STATS} TO {ROLE_BACKUP}",
+                f"GRANT execute ON FUNCTION pg_backup_start TO {ROLE_BACKUP}",
+                f"GRANT execute ON FUNCTION pg_backup_stop TO {ROLE_BACKUP}",
+                f"GRANT execute ON FUNCTION pg_create_restore_point TO {ROLE_BACKUP}",
+                f"GRANT execute ON FUNCTION pg_switch_wal TO {ROLE_BACKUP}",
+            ],
+        }
+
+        _, existing_roles = self.list_valid_privileges_and_roles()
+
+        try:
+            with self._connect_to_database() as connection, connection.cursor() as cursor:
+                for role, queries in role_to_queries.items():
+                    if role in existing_roles:
+                        logger.debug(f"Role {role} already exists")
+                        continue
+
+                    logger.info(f"Creating predefined role {role}")
+
+                    for query in queries:
+                        cursor.execute(SQL(query))
+        except psycopg2.Error as e:
+            logger.error(f"Failed to create predefined roles: {e}")
+            raise PostgreSQLCreatePredefinedRolesError() from e
+
+    def grant_database_privileges_to_user(
+        self, user: str, database: str, privileges: list[str]
+    ) -> None:
+        """Grant the specified priviliges on the provided database for the user."""
+        try:
+            with self._connect_to_database() as connection, connection.cursor() as cursor:
+                cursor.execute(
+                    SQL("GRANT {} ON DATABASE {} TO {};").format(
+                        Identifier(", ".join(privileges)), Identifier(database), Identifier(user)
+                    )
+                )
+        except psycopg2.Error as e:
+            logger.error(f"Faield to grant privileges to user: {e}")
+            raise PostgreSQLGrantDatabasePrivilegesToUserError() from e
+
     def delete_user(self, user: str) -> None:
         """Deletes a database user.
 

poetry.lock

@@ -6,7 +6,7 @@ package-mode = false
 requires-poetry = ">=2.0.0"
 
 [tool.poetry.dependencies]
-python = "^3.10"
+python = "^3.12"
 ops = "^2.22.0"
 boto3 = "^1.38.28"
 pgconnstr = "^1.0.1"
@@ -105,7 +105,7 @@ target-version = ["py38"]
 [tool.ruff]
 # preview and explicit preview are enabled for CPY001
 preview = true
-target-version = "py310"
+target-version = "py312"
 src = ["src", "."]
 line-length = 99
 

pyproject.toml

@@ -6,6 +6,6 @@ name = "charmed-postgresql"
 
 [snap.revisions]
 # amd64
-x86_64 = "170"
+x86_64 = "182"
 # arm64
-aarch64 = "169"
+aarch64 = "181"

refresh_versions.toml

@@ -11,7 +11,7 @@
 import shutil
 import tempfile
 import time
-from datetime import datetime, timezone
+from datetime import UTC, datetime
 from io import BytesIO
 from pathlib import Path
 from subprocess import TimeoutExpired, run
@@ -27,7 +27,6 @@
 from jinja2 import Template
 from ops.charm import ActionEvent, HookEvent
 from ops.framework import Object
-from ops.jujuversion import JujuVersion
 from ops.model import ActiveStatus, MaintenanceStatus
 from tenacity import RetryError, Retrying, stop_after_attempt, wait_fixed
 
@@ -422,9 +421,7 @@ def _generate_backup_list_output(self) -> str:
                 backup_reference, _ = self._parse_backup_id(backup["reference"][-1])
             lsn_start_stop = f"{backup['lsn']['start']} / {backup['lsn']['stop']}"
             time_start, time_stop = (
-                datetime.strftime(
-                    datetime.fromtimestamp(stamp, timezone.utc), "%Y-%m-%dT%H:%M:%SZ"
-                )
+                datetime.strftime(datetime.fromtimestamp(stamp, UTC), "%Y-%m-%dT%H:%M:%SZ")
                 for stamp in backup["timestamp"].values()
             )
             backup_timeline = (
@@ -527,7 +524,7 @@ def _list_timelines(self) -> dict[str, tuple[str, str]]:
 
         return dict[str, tuple[str, str]]({
             datetime.strftime(
-                datetime.fromtimestamp(timeline_object["time"], timezone.utc),
+                datetime.fromtimestamp(timeline_object["time"], UTC),
                 BACKUP_ID_FORMAT,
             ): (
                 timeline.split("/")[1],
@@ -575,8 +572,8 @@ def _parse_psql_timestamp(self, timestamp: str) -> datetime:
         t = re.sub(r"\.(\d+)", lambda x: f".{x[1]:06}", t)
         dt = datetime.fromisoformat(t)
         # Convert to the timezone-naive
-        if dt.tzinfo is not None and dt.tzinfo is not timezone.utc:
-            dt = dt.astimezone(tz=timezone.utc)
+        if dt.tzinfo is not None and dt.tzinfo is not UTC:
+            dt = dt.astimezone(tz=UTC)
         return dt.replace(tzinfo=None)
 
     def _parse_backup_id(self, label) -> tuple[str, str]:
@@ -893,12 +890,11 @@ def _on_create_backup_action(self, event) -> None:
 
         # Test uploading metadata to S3 to test credentials before backup.
         datetime_backup_requested = datetime.now().strftime("%Y-%m-%dT%H:%M:%SZ")
-        juju_version = JujuVersion.from_environ()
         metadata = f"""Date Backup Requested: {datetime_backup_requested}
 Model Name: {self.model.name}
 Application Name: {self.model.app.name}
 Unit Name: {self.charm.unit.name}
-Juju Version: {juju_version!s}
+Juju Version: {self.charm.model.juju_version!s}
 """
         if not self._upload_content_to_s3(
             metadata,