diff --git a/.github/workflows/pytest.yml b/.github/workflows/pytest.yml
index a6b1f44f2..16207e7ad 100644
--- a/.github/workflows/pytest.yml
+++ b/.github/workflows/pytest.yml
@@ -71,7 +71,11 @@ jobs:
 - name: Initiate MariaDB database
 if: matrix.db == 'mariadb'
 run: |
- mysql --host 127.0.0.1 --port ${{ job.services.mariadb.ports['3306'] }} -uroot -ppasswd -e "GRANT ALL PRIVILEGES ON *.* TO 'romm_test'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES;"
+ # Grant on the `romm_test%` namespace so the test user can create the
+ # per-worker databases (romm_test_gw0, ...) used under pytest-xdist,
+ # without granting it global privileges. The backticks are escaped so
+ # the shell doesn't treat them as command substitution.
+ mysql --host 127.0.0.1 --port ${{ job.services.mariadb.ports['3306'] }} -uroot -ppasswd -e "GRANT ALL PRIVILEGES ON \`romm\_test%\`.* TO 'romm_test'@'%' WITH GRANT OPTION; FLUSH PRIVILEGES;"
 - name: Run python tests
 env:
diff --git a/backend/romm_test/setup.sql b/backend/romm_test/setup.sql
index 91d1674a9..625b5a909 100644
--- a/backend/romm_test/setup.sql
+++ b/backend/romm_test/setup.sql
@@ -1,6 +1,9 @@
 CREATE DATABASE IF NOT EXISTS romm_test;
 CREATE USER IF NOT EXISTS 'romm_test'@'%' IDENTIFIED BY 'passwd';
--- Grant on *.* (not just romm_test.*) so the test user can create the
--- per-worker databases (romm_test_gw0, ...) used when running under pytest-xdist.
-GRANT ALL PRIVILEGES ON *.* TO 'romm_test'@'%' WITH GRANT OPTION;
+-- Grant on the `romm_test%` namespace (the base DB plus the per-worker
+-- `romm_test_gw0`, ... databases created under pytest-xdist). A database-level
+-- grant on a wildcard pattern also lets the user CREATE matching databases,
+-- while confining it to that namespace on a shared instance. The `\_` escapes
+-- the underscore so it is matched literally rather than as a single-char wildcard.
+GRANT ALL PRIVILEGES ON `romm\_test%`.* TO 'romm_test'@'%' WITH GRANT OPTION;
 FLUSH PRIVILEGES;
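Review bot: `WITH GRANT OPTION` survives the narrowing in the new `mysql -e` line of the "Initiate MariaDB database" step, so `romm_test` can still pass its privileges on every matching database to other accounts on the server, which works against the comment's aim of not giving the test user more than it needs. Creating and using the per-worker databases needs only the database-level `ALL PRIVILEGES`; unless the test suite itself issues GRANT statements (not visible in this diff), end the statement at `TO 'romm_test'@'%';`. The trailing `FLUSH PRIVILEGES;` can be dropped too, since a GRANT takes effect without it. The GRANT in `backend/romm_test/setup.sql` carries the same two clauses and should change with this one.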
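Review bot: The new comment in setup.sql says the grant confines the user to its namespace on a shared instance, but the pattern `romm\_test%` leaves the tail open and also covers any unrelated database whose name merely starts with `romm_test` (constructed example: `romm_testing_copy`). If the per-worker names always follow the `romm_test_gw0` form the comment gives, two grants are tighter: one on the exact name, written `romm\_test`, and one on `romm\_test\_gw%`; the workflow step uses the same open pattern. The comment should also state that this relies on wildcard matching in database-level grants, for example `-- Relies on % and \_ wildcard handling in database-level grants (MariaDB); verify before running against another server.` MySQL reads those characters literally when `partial_revokes` is enabled, which matters only if this file is ever run against MySQL, something this diff does not show.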