[DPE-6899] User->database pg_hba rules

.gitignore

@@ -1,6 +1,7 @@
 venv/
 build/
 *.charm
+.idea/
 .tox/
 .coverage
 coverage.xml

src/relations/backend_database.py

@@ -45,7 +45,7 @@
     DatabaseRequires,
 )
 from charms.pgbouncer_k8s.v0 import pgb
-from charms.postgresql_k8s.v0.postgresql import PostgreSQL
+from charms.postgresql_k8s.v0.postgresql import ACCESS_GROUP_RELATION, PostgreSQL
 from ops.charm import CharmBase, RelationBrokenEvent, RelationDepartedEvent
 from ops.framework import Object
 from ops.model import (
@@ -294,7 +294,11 @@ def _on_database_created(self, event: DatabaseCreatedEvent) -> None:
         hashed_password = pgb.get_hashed_password(self.auth_user, plaintext_password)
         # create authentication user on postgres database, so we can authenticate other users
         # later on
-        self.postgres.create_user(self.auth_user, hashed_password, admin=True)
+        extra_user_roles = None
+        if ACCESS_GROUP_RELATION in self.postgres.list_access_groups():
+            # We have access groups, so we need to add the access group role to the auth user
+            extra_user_roles = [ACCESS_GROUP_RELATION]
+        self.postgres.create_user(self.auth_user, hashed_password, admin=True, extra_user_roles=extra_user_roles)
         self.initialise_auth_function(self.collect_databases())
 
         # Add the monitoring user.

src/relations/db.py

@@ -61,6 +61,7 @@
 
 from charms.pgbouncer_k8s.v0 import pgb
 from charms.postgresql_k8s.v0.postgresql import (
+    ACCESS_GROUP_RELATION,
     PostgreSQLCreateDatabaseError,
     PostgreSQLCreateUserError,
 )
@@ -273,7 +274,11 @@ def _on_relation_joined(self, join_event: RelationJoinedEvent):
             self.charm.unit.status = MaintenanceStatus(init_msg)
             logger.info(init_msg)
 
-            self.charm.backend.postgres.create_user(user, password, admin=self.admin)
+            extra_user_roles = None
+            if ACCESS_GROUP_RELATION in self.charm.backend.postgres.list_access_groups():
+                # We have access groups, so we need to add the access group role to the auth user
+                extra_user_roles = [ACCESS_GROUP_RELATION]
+            self.charm.backend.postgres.create_user(user, password, admin=self.admin, extra_user_roles=extra_user_roles)
             self.charm.backend.postgres.create_database(
                 database, user, client_relations=self.charm.client_relations
             )

src/relations/pgbouncer_provider.py

@@ -39,6 +39,7 @@
 )
 from charms.pgbouncer_k8s.v0 import pgb
 from charms.postgresql_k8s.v0.postgresql import (
+    ACCESS_GROUP_RELATION,
     PERMISSIONS_GROUP_ADMIN,
     PostgreSQLCreateDatabaseError,
     PostgreSQLCreateUserError,
@@ -123,6 +124,9 @@ def _on_database_requested(self, event: DatabaseRequestedEvent) -> None:
 
         # Make sure that certain groups are not in the list
         extra_user_roles = self.sanitize_extra_roles(event.extra_user_roles)
+        if ACCESS_GROUP_RELATION in self.charm.backend.postgres.list_access_groups():
+            # We have access groups, so we need to add the access group role to the auth user
+            extra_user_roles.append(ACCESS_GROUP_RELATION)
 
         dbs = self.charm.generate_relation_databases()
         dbs[str(rel_id)] = {"name": database, "legacy": False}