<a href="https://colab.research.google.com/github/everestso/summer25/blob/main/Neon___Create_Readonly_Classroom_Role.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

# Neon: Create/Rotate a Read‑Only Classroom Role

This Colab sets up a **read‑only** role (e.g., `student_ro`) on a Neon Postgres database.

**What it does**
1. Installs dependencies (SQLAlchemy + psycopg3).
2. Asks for your Neon **OWNER** connection URL and a password for the classroom role.
3. Creates the role if missing or rotates its password if it exists.
4. Grants read‑only privileges on a target schema (default: `public`).

**Notes**
- Use your Neon *owner* connection string (has create/alter privileges). Find it in Neon Console → Project → Branch → Connection Details → Role: `neondb_owner` (or similar).
- Grants are idempotent and safe to re‑run.
- If you want per‑team roles, just change `ROLE_NAME` per team.


In [1]:
!pip -q install SQLAlchemy psycopg --upgrade
print('✅ Dependencies installed')

[?25l   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m0.0/206.6 kB[0m [31m?[0m eta [36m-:--:--[0m[2K   [91m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m[91m╸[0m [32m204.8/206.6 kB[0m [31m21.1 MB/s[0m eta [36m0:00:01[0m[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m206.6/206.6 kB[0m [31m3.6 MB/s[0m eta [36m0:00:00[0m
[?25h✅ Dependencies installed


## Configure
Fill in these values. You can paste the full **owner** URL when prompted.


In [10]:
from getpass import getpass

# --- Editable settings ---
ROLE_NAME = 'student_ro2'     # e.g., change to 'team01_ro'
TARGET_DB = 'neondb'         # your database name
TARGET_SCHEMA = 'public'     # schema to grant read‑only access on

# Paste your Neon OWNER connection URL when prompted (hidden input)
# Example format (psycopg3 driver):
#   postgresql+psycopg://USER:PASSWORD@HOST/DB?sslmode=require
## OWNER_DB_URL = getpass('Paste Neon OWNER connection URL (hidden): ')

# Set/rotate password for the classroom role
ROLE_PASSWORD = getpass(f"Set password for role '{ROLE_NAME}': ")
print('Inputs captured securely.')

Paste Neon OWNER connection URL (hidden): ··········
Set password for role 'student_ro2': ··········
Inputs captured securely.


In [21]:
# Convert a Neon "psql 'postgresql://...'" string into a SQLAlchemy psycopg3 URL.
# Works with:
#   - psql 'postgresql://user:pass@host/db?sslmode=require&channel_binding=require'
#   - postgresql://user:pass@host/db?...
#   - postgres://user:pass@host/db?...
# Produces:
#   postgresql+psycopg://user:pass@host/db?sslmode=require   (channel_binding stripped)

from sqlalchemy.engine import make_url
from urllib.parse import urlencode
import re

def neon_to_sqlalchemy_psycopg(raw: str) -> str:
    s = (raw or "").strip()
    m = re.search(r"""psql\s+['"]([^'"]+)['"]""", s)
    if m:
        s = m.group(1).strip()
    if (s.startswith("'") and s.endswith("'")) or (s.startswith('"') and s.endswith('"')):
        s = s[1:-1].strip()

    if s.startswith("postgres://"):
        s = "postgresql+psycopg://" + s[len("postgres://"):]
    elif s.startswith("postgresql://"):
        s = "postgresql+psycopg://" + s[len("postgresql://"):]
    elif not s.startswith("postgresql+psycopg://") and "@" in s and "://" not in s:
        s = "postgresql+psycopg://" + s

    if "sslmode=" not in s:
        s += ("&" if "?" in s else "?") + "sslmode=require"

    s = s.replace("&channel_binding=require", "").replace("?channel_binding=require&", "?").replace("?channel_binding=require", "?")
    _ = make_url(s)  # validate
    return s

def masked_preview(url: str) -> str:
    u = make_url(url)
    user = u.username or "<user>"
    host = u.host or "<host>"
    db   = u.database or "<db>"
    q    = "?" + urlencode(dict(u.query), doseq=True) if getattr(u, "query", None) else ""
    return f"postgresql+psycopg://{user}:***@{host}/{db}{q}"

# ---- Paste your Neon string here ----
raw_from_neon = input("Paste Neon connection (psql 'postgresql://...'): ").strip()

try:
    OWNER_DB_URL = neon_to_sqlalchemy_psycopg(raw_from_neon)
    print("✅ Converted SQLAlchemy URL:")
    print(" ", OWNER_DB_URL)
    print("\n🔎 Masked preview (safe to share in logs/docs):")
    print(" ", masked_preview(OWNER_DB_URL))
except Exception as e:
    print("❌ Could not convert URL:", e)


Paste Neon connection (psql 'postgresql://...'): psql 'postgresql://neondb_owner:npg_ofHrYZA1vsS8@ep-lively-lake-afr3qkpy-pooler.c-2.us-west-2.aws.neon.tech/neondb?sslmode=require&channel_binding=require'
✅ Converted SQLAlchemy URL:
  postgresql+psycopg://neondb_owner:npg_ofHrYZA1vsS8@ep-lively-lake-afr3qkpy-pooler.c-2.us-west-2.aws.neon.tech/neondb?sslmode=require

🔎 Masked preview (safe to share in logs/docs):
  postgresql+psycopg://neondb_owner:***@ep-lively-lake-afr3qkpy-pooler.c-2.us-west-2.aws.neon.tech/neondb?sslmode=require


In [None]:
# Colab cell — convert & mask a Neon URL
from sqlalchemy.engine import make_url
from urllib.parse import urlencode

def normalize_neon_url(neon_psql_url: str) -> str:
    # Accepts "psql 'postgresql://...'" or just "postgresql://..."
    s = neon_psql_url.strip()
    if s.lower().startswith("psql "):
        s = s[5:].strip()
    s = s.strip("'\"")  # trim quotes from the UI copy button
    u = make_url(s)

    # Switch to psycopg driver for SQLAlchemy
    q = dict(u.query or {})
    # psycopg usually doesn't need channel_binding; keep sslmode
    q.pop("channel_binding", None)

    return u.set(drivername="postgresql+psycopg", query=q) \
            .render_as_string(hide_password=False)

def masked_preview(sqlalchemy_url: str) -> str:
    u = make_url(sqlalchemy_url)
    return u.render_as_string(hide_password=True)

raw = input("Paste Neon connection (psql 'postgresql://...'): ")
full_url = normalize_neon_url(raw)
print("✅ Converted SQLAlchemy URL:\n ", full_url)
print("\n🔎 Masked preview (safe to share):\n ", masked_preview(full_url))


## Run: create/rotate role and grant privileges
This cell will:
- Create the role with `LOGIN` if it doesn't exist, or rotate its password if it does.
- Revoke `CREATE` on the target schema from `PUBLIC` (optional hardening; safe to re‑run).
- Grant read‑only privileges on all current and future tables in that schema.

password = Class226_DB!


In [13]:
import re
from sqlalchemy import create_engine, text
from sqlalchemy.exc import SQLAlchemyError

engine = create_engine(OWNER_DB_URL, pool_pre_ping=True, future=True)

# --- helpers ---
_ident_re = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def check_ident(name: str, label: str):
    if not _ident_re.match(name):
        raise ValueError(f"{label} must match [A-Za-z_][A-Za-z0-9_]* (got: {name!r})")

def sql_str(s: str) -> str:
    # escape single quotes for SQL literals
    return "'" + s.replace("'", "''") + "'"

# validate identifiers up-front
check_ident(ROLE_NAME, "ROLE_NAME")
check_ident(TARGET_DB, "TARGET_DB")
check_ident(TARGET_SCHEMA, "TARGET_SCHEMA")

try:
    with engine.begin() as conn:
        # 1) Create role if missing; otherwise rotate password
        exists = conn.execute(
            text("SELECT 1 FROM pg_roles WHERE rolname = :r LIMIT 1"),
            {"r": ROLE_NAME}
        ).fetchone() is not None

        if not exists:
            # inline password literal (no parameter placeholders)
            conn.execute(
                text(f"CREATE ROLE {ROLE_NAME} LOGIN PASSWORD {sql_str(ROLE_PASSWORD)}")
            )
            action = "created"
        else:
            conn.execute(
                text(f"ALTER ROLE {ROLE_NAME} PASSWORD {sql_str(ROLE_PASSWORD)}")
            )
            action = "password rotated"

        # 2) Lock down schema creation for PUBLIC (optional, recommended)
        conn.execute(text(f"REVOKE CREATE ON SCHEMA {TARGET_SCHEMA} FROM PUBLIC"))

        # 3) Grants for the classroom role (read-only)
        conn.execute(text(f"GRANT CONNECT ON DATABASE {TARGET_DB} TO {ROLE_NAME}"))
        conn.execute(text(f"GRANT USAGE   ON SCHEMA {TARGET_SCHEMA} TO {ROLE_NAME}"))
        conn.execute(text(f"GRANT SELECT  ON ALL TABLES IN SCHEMA {TARGET_SCHEMA} TO {ROLE_NAME}"))
        conn.execute(text(
            f"ALTER DEFAULT PRIVILEGES IN SCHEMA {TARGET_SCHEMA} "
            f"GRANT SELECT ON TABLES TO {ROLE_NAME}"
        ))

    print(f"Role '{ROLE_NAME}' {action} ✓ (read-only on schema '{TARGET_SCHEMA}')")

except SQLAlchemyError as e:
    print("Error while applying grants/role changes:", e)


Role 'student_ro2' created ✓ (read-only on schema 'public')


## Verify (optional)
Connect as the classroom role to confirm access. You'll need the **host** and **database** from your Neon connection details.


In [15]:
from sqlalchemy import create_engine
from getpass import getpass

# Build a test URL for the new role
print('Enter connection bits for the role to test connectivity:')
host = input('Host (e.g., ep-...-us-east-2.aws.neon.tech): ').strip()
db   = input(f'Database name [{TARGET_DB}]: ').strip() or TARGET_DB
user = ROLE_NAME
pw   = getpass(f"Password for role '{ROLE_NAME}': ")

test_url = f"postgresql+psycopg://{user}:{pw}@{host}/{db}?sslmode=require"
print('Testing URL (user/host/db shown, password hidden):', f"postgresql+psycopg://{user}:***@{host}/{db}?sslmode=require")

try:
    test_engine = create_engine(test_url, pool_pre_ping=True, future=True)
    with test_engine.connect() as conn:
        res = conn.execute(text(f"select table_name from information_schema.tables where table_schema=:s limit 5"), {"s": TARGET_SCHEMA}).fetchall()
        print('Connected as role. Sample tables:', [r[0] for r in res])
except Exception as e:
    print('Verification failed:', e)

Enter connection bits for the role to test connectivity:
Host (e.g., ep-...-us-east-2.aws.neon.tech): ep-lively-lake-afr3qkpy-pooler.c-2.us-west-2.aws.neon.tech
Database name [neondb]: neondb
Password for role 'student_ro2': ··········
Testing URL (user/host/db shown, password hidden): postgresql+psycopg://student_ro2:***@ep-lively-lake-afr3qkpy-pooler.c-2.us-west-2.aws.neon.tech/neondb?sslmode=require
Connected as role. Sample tables: ['product', 'pc', 'laptop', 'printer']


# Clean-up

In [25]:
# ---- Paste your Neon string here ----
raw_from_neon = input("Paste Neon connection (psql 'postgresql://...'): ").strip()

try:
    OWNER_DB_URL = neon_to_sqlalchemy_psycopg(raw_from_neon)
    print("✅ Converted SQLAlchemy URL:")
    print(" ", OWNER_DB_URL)
    print("\n🔎 Masked preview (safe to share in logs/docs):")
    print(" ", masked_preview(OWNER_DB_URL))
except Exception as e:
    print("❌ Could not convert URL:", e)

Paste Neon connection (psql 'postgresql://...'): psql 'postgresql://neondb_owner:npg_ofHrYZA1vsS8@ep-lively-lake-afr3qkpy-pooler.c-2.us-west-2.aws.neon.tech/neondb?sslmode=require&channel_binding=require'
✅ Converted SQLAlchemy URL:
  postgresql+psycopg://neondb_owner:npg_ofHrYZA1vsS8@ep-lively-lake-afr3qkpy-pooler.c-2.us-west-2.aws.neon.tech/neondb?sslmode=require

🔎 Masked preview (safe to share in logs/docs):
  postgresql+psycopg://neondb_owner:***@ep-lively-lake-afr3qkpy-pooler.c-2.us-west-2.aws.neon.tech/neondb?sslmode=require


In [27]:
# Colab cell — revoke & drop a read-only classroom role
from sqlalchemy import create_engine, text

ROLE_NAME = "student_ro2"
TARGET_DB = "neondb"
TARGET_SCHEMA = "public"

engine = create_engine(OWNER_DB_URL, pool_pre_ping=True, future=True)

with engine.begin() as conn:
    # who created the default privileges earlier (your owner user)
    owner = conn.execute(text("select current_user")).scalar_one()

    # 1) Revoke default privileges that were granted earlier:
    #    ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO ROLE_NAME
    conn.exec_driver_sql(
        f"ALTER DEFAULT PRIVILEGES FOR ROLE {owner} IN SCHEMA {TARGET_SCHEMA} "
        f"REVOKE SELECT ON TABLES FROM {ROLE_NAME}"
    )

    # 2) Revoke object privileges in the schema & database
    conn.exec_driver_sql(
        f"REVOKE SELECT ON ALL TABLES IN SCHEMA {TARGET_SCHEMA} FROM {ROLE_NAME}"
    )
    conn.exec_driver_sql(f"REVOKE USAGE  ON SCHEMA {TARGET_SCHEMA} FROM {ROLE_NAME}")
    conn.exec_driver_sql(f"REVOKE CONNECT ON DATABASE {TARGET_DB} FROM {ROLE_NAME}")

    # (optional) if you granted anything else, revoke it too:
    # conn.exec_driver_sql(f"REVOKE ALL PRIVILEGES ON DATABASE {TARGET_DB} FROM {ROLE_NAME}")
    # conn.exec_driver_sql(f"REVOKE ALL PRIVILEGES ON SCHEMA {TARGET_SCHEMA} FROM {ROLE_NAME}")

    # 3) Finally: drop the role
    conn.exec_driver_sql(f"DROP ROLE IF EXISTS {ROLE_NAME}")

print(f"Role '{ROLE_NAME}' dropped cleanly.")


Role 'student_ro2' dropped cleanly.
