# Cap√≠tulo 04: Secrets para Databases

Gerenciamento de secrets para conex√µes com databases relacionais: MySQL e PostgreSQL, incluindo configura√ß√µes SSL e queries cross-database.


## üì¶ Instala√ß√£o de Depend√™ncias


In [None]:
!pip install -q duckdb


## üìö Imports


In [None]:
import duckdb
import os


## üìù Bloco 1: Exemplo 1


In [None]:
import duckdb

con = duckdb.connect()
con.execute("INSTALL mysql_scanner; LOAD mysql_scanner;")

# MySQL secret b√°sico
con.execute("""
    CREATE SECRET mysql_basic (
        TYPE mysql,
        HOST 'localhost',
        PORT 3306,
        DATABASE 'mydb',
        USER 'myuser',
        PASSWORD 'mypassword'
    )
""")

print("Secret MySQL criado!")

# Verificar
info = con.execute("""
    SELECT name, type, provider
    FROM duckdb_secrets()
    WHERE name = 'mysql_basic'
""").df()

print("\nInforma√ß√µes do secret:")
print(info)


## üìù Bloco 2: Exemplo 2


In [None]:
import duckdb

con = duckdb.connect()
con.execute("INSTALL mysql_scanner; LOAD mysql_scanner;")

# Connection string completa
con.execute("""
    CREATE SECRET mysql_uri (
        TYPE mysql,
        CONNECTION_STRING 'mysql://user:password@localhost:3306/database'
    )
""")

print("Secret MySQL com connection string criado!")

# Com par√¢metros adicionais na URI
con.execute("""
    CREATE SECRET mysql_uri_full (
        TYPE mysql,
        CONNECTION_STRING 'mysql://user:password@host:3306/db?charset=utf8mb4&timeout=30'
    )
""")

print("Secret com par√¢metros adicionais na URI criado!")


## üìù Bloco 3: Exemplo 3


In [None]:
import duckdb

con = duckdb.connect()
con.execute("INSTALL mysql_scanner; LOAD mysql_scanner;")

# Criar secret
con.execute("""
    CREATE SECRET mysql_prod (
        TYPE mysql,
        HOST 'mysql.example.com',
        PORT 3306,
        DATABASE 'production',
        USER 'readonly_user',
        PASSWORD 'secure_password'
    )
""")

# ATTACH MySQL database
con.execute("""
    ATTACH 'mysql:production' AS mysql_prod (TYPE mysql, SECRET mysql_prod)
""")

print("MySQL database attached!")

# Listar tabelas do MySQL
try:
    tables = con.execute("""
        SELECT table_schema, table_name
        FROM mysql_prod.information_schema.tables
        WHERE table_schema = 'production'
        LIMIT 5
    """).df()

    print("\nTabelas dispon√≠veis:")
    print(tables)
except Exception as e:
    print(f"\nNota: {e}")
    print("(Exemplo te√≥rico - requer MySQL real)")


## üìù Bloco 4: Exemplo 4


In [None]:
import duckdb

con = duckdb.connect()
con.execute("INSTALL mysql_scanner; LOAD mysql_scanner;")

# Setup (te√≥rico)
con.execute("""
    CREATE SECRET mysql_db (
        TYPE mysql,
        HOST 'localhost',
        DATABASE 'sales',
        USER 'app_user',
        PASSWORD 'app_pass'
    )
""")

con.execute("""
    ATTACH 'mysql:sales' AS mysql_sales (TYPE mysql, SECRET mysql_db)
""")

# Query direto em tabela MySQL
query = """
    SELECT
        customer_id,
        COUNT(*) as order_count,
        SUM(total_amount) as total_spent
    FROM mysql_sales.orders
    WHERE order_date >= '2024-01-01'
    GROUP BY customer_id
    ORDER BY total_spent DESC
    LIMIT 10
"""

print("Query exemplo:")
print(query)
print("\n(Executaria se MySQL estivesse conectado)")


## üìù Bloco 5: Exemplo 5


In [None]:
import duckdb

con = duckdb.connect()
con.execute("INSTALL mysql_scanner; LOAD mysql_scanner;")

# MySQL com SSL b√°sico
con.execute("""
    CREATE SECRET mysql_ssl (
        TYPE mysql,
        HOST 'mysql.example.com',
        PORT 3306,
        DATABASE 'secure_db',
        USER 'secure_user',
        PASSWORD 'secure_password',
        SSL_MODE 'REQUIRED'
    )
""")

print("Secret MySQL com SSL criado!")

# MySQL com certificados SSL
con.execute("""
    CREATE SECRET mysql_ssl_certs (
        TYPE mysql,
        HOST 'mysql.example.com',
        PORT 3306,
        DATABASE 'secure_db',
        USER 'secure_user',
        PASSWORD 'secure_password',
        SSL_MODE 'VERIFY_CA',
        SSL_CA '/path/to/ca-cert.pem',
        SSL_CERT '/path/to/client-cert.pem',
        SSL_KEY '/path/to/client-key.pem'
    )
""")

print("Secret MySQL com certificados SSL criado!")

print("""
SSL Modes:
‚îå‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚î¨‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îê
‚îÇ DISABLED        ‚îÇ Sem SSL (n√£o recomendado)            ‚îÇ
‚îÇ PREFERRED       ‚îÇ SSL se dispon√≠vel (padr√£o)           ‚îÇ
‚îÇ REQUIRED        ‚îÇ SSL obrigat√≥rio                      ‚îÇ
‚îÇ VERIFY_CA       ‚îÇ SSL + verifica certificado CA        ‚îÇ
‚îÇ VERIFY_IDENTITY ‚îÇ SSL + verifica hostname              ‚îÇ
‚îî‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚î¥‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îò
""")


## üìù Bloco 6: Exemplo 6


In [None]:
import duckdb

con = duckdb.connect()
con.execute("INSTALL mysql_scanner; LOAD mysql_scanner;")

# MySQL com configura√ß√µes de conex√£o
con.execute("""
    CREATE SECRET mysql_pool (
        TYPE mysql,
        HOST 'mysql.example.com',
        PORT 3306,
        DATABASE 'app_db',
        USER 'app_user',
        PASSWORD 'app_password',
        CONNECT_TIMEOUT 30,
        READ_TIMEOUT 60,
        WRITE_TIMEOUT 60
    )
""")

print("""
Secret MySQL com timeouts configurados!

Timeouts (segundos):
- CONNECT_TIMEOUT: Tempo para estabelecer conex√£o
- READ_TIMEOUT: Tempo para ler dados
- WRITE_TIMEOUT: Tempo para escrever dados

Recomenda√ß√µes:
‚îå‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚î¨‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚î¨‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚î¨‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îê
‚îÇ Ambiente           ‚îÇ Connect ‚îÇ Read     ‚îÇ Write    ‚îÇ
‚îú‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îº‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îº‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îº‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚î§
‚îÇ Local (LAN)        ‚îÇ   10s   ‚îÇ   30s    ‚îÇ   30s    ‚îÇ
‚îÇ Cloud (mesma DC)   ‚îÇ   20s   ‚îÇ   60s    ‚îÇ   60s    ‚îÇ
‚îÇ Cross-region       ‚îÇ   30s   ‚îÇ  120s    ‚îÇ  120s    ‚îÇ
‚îÇ Internet p√∫blico   ‚îÇ   40s   ‚îÇ  180s    ‚îÇ  180s    ‚îÇ
‚îî‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚î¥‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚î¥‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚î¥‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îò
""")


## üìù Bloco 7: Exemplo 7


In [None]:
import duckdb

con = duckdb.connect()
con.execute("INSTALL postgres_scanner; LOAD postgres_scanner;")

# PostgreSQL secret b√°sico
con.execute("""
    CREATE SECRET postgres_basic (
        TYPE postgres,
        HOST 'localhost',
        PORT 5432,
        DATABASE 'mydb',
        USER 'postgres',
        PASSWORD 'password'
    )
""")

print("Secret PostgreSQL criado!")

# Com schema espec√≠fico
con.execute("""
    CREATE SECRET postgres_schema (
        TYPE postgres,
        HOST 'localhost',
        PORT 5432,
        DATABASE 'mydb',
        USER 'postgres',
        PASSWORD 'password',
        SCHEMA 'public'
    )
""")

print("Secret com schema espec√≠fico criado!")


## üìù Bloco 8: Exemplo 8


In [None]:
import duckdb

con = duckdb.connect()
con.execute("INSTALL postgres_scanner; LOAD postgres_scanner;")

# Connection string simples
con.execute("""
    CREATE SECRET postgres_uri (
        TYPE postgres,
        CONNECTION_STRING 'postgresql://user:password@localhost:5432/dbname'
    )
""")

print("Secret PostgreSQL com connection string criado!")

# Connection string com par√¢metros
con.execute("""
    CREATE SECRET postgres_uri_full (
        TYPE postgres,
        CONNECTION_STRING 'postgresql://user:pass@host:5432/db?sslmode=require&connect_timeout=10'
    )
""")

print("Secret com par√¢metros na URI criado!")

# Connection string com URL encoding
con.execute("""
    CREATE SECRET postgres_uri_encoded (
        TYPE postgres,
        CONNECTION_STRING 'postgresql://user:p%40ssw%23rd@host:5432/db'
    )
""")

print("Secret com senha URL-encoded criada!")
print("Nota: @ ‚Üí %40, # ‚Üí %23")


## üìù Bloco 9: Exemplo 9


In [None]:
import duckdb

con = duckdb.connect()
con.execute("INSTALL postgres_scanner; LOAD postgres_scanner;")

# Criar secret
con.execute("""
    CREATE SECRET postgres_prod (
        TYPE postgres,
        HOST 'postgres.example.com',
        PORT 5432,
        DATABASE 'production',
        USER 'readonly_user',
        PASSWORD 'secure_password',
        SSLMODE 'require'
    )
""")

# ATTACH PostgreSQL database
con.execute("""
    ATTACH 'postgres:production' AS pg_prod (TYPE postgres, SECRET postgres_prod)
""")

print("PostgreSQL database attached!")

# Listar schemas
try:
    schemas = con.execute("""
        SELECT schema_name
        FROM pg_prod.information_schema.schemata
        WHERE schema_name NOT IN ('pg_catalog', 'information_schema')
    """).df()

    print("\nSchemas dispon√≠veis:")
    print(schemas)
except Exception as e:
    print(f"\nNota: {e}")
    print("(Exemplo te√≥rico - requer PostgreSQL real)")


## üìù Bloco 10: Exemplo 10


In [None]:
import duckdb

con = duckdb.connect()
con.execute("INSTALL postgres_scanner; LOAD postgres_scanner;")

# Setup
con.execute("""
    CREATE SECRET pg_analytics (
        TYPE postgres,
        HOST 'localhost',
        DATABASE 'analytics',
        USER 'analyst',
        PASSWORD 'analyst_pass'
    )
""")

con.execute("""
    ATTACH 'postgres:analytics' AS pg_analytics (TYPE postgres, SECRET pg_analytics)
""")

# Query com JOIN entre DuckDB e PostgreSQL
query = """
    -- Tabela local no DuckDB
    WITH local_data AS (
        SELECT customer_id, discount_tier
        FROM customers_discount
    )
    -- JOIN com tabela PostgreSQL
    SELECT
        pg.customer_id,
        pg.customer_name,
        pg.total_orders,
        ld.discount_tier,
        pg.total_spent * (1 - ld.discount_tier) as discounted_total
    FROM pg_analytics.customers pg
    JOIN local_data ld ON pg.customer_id = ld.customer_id
    WHERE pg.total_spent > 1000
    ORDER BY discounted_total DESC
"""

print("Query cross-database exemplo:")
print(query)
print("\n(Executaria se PostgreSQL estivesse conectado)")


## üìù Bloco 11: Exemplo 11


In [None]:
import duckdb

con = duckdb.connect()
con.execute("INSTALL postgres_scanner; LOAD postgres_scanner;")

# PostgreSQL com SSL b√°sico
con.execute("""
    CREATE SECRET postgres_ssl (
        TYPE postgres,
        HOST 'postgres.example.com',
        PORT 5432,
        DATABASE 'secure_db',
        USER 'secure_user',
        PASSWORD 'secure_password',
        SSLMODE 'require'
    )
""")

print("Secret PostgreSQL com SSL criado!")

# PostgreSQL com certificados SSL completos
con.execute("""
    CREATE SECRET postgres_ssl_verify (
        TYPE postgres,
        HOST 'postgres.example.com',
        PORT 5432,
        DATABASE 'secure_db',
        USER 'secure_user',
        PASSWORD 'secure_password',
        SSLMODE 'verify-full',
        SSLROOTCERT '/path/to/root.crt',
        SSLCERT '/path/to/client.crt',
        SSLKEY '/path/to/client.key'
    )
""")

print("Secret PostgreSQL com verifica√ß√£o SSL completa criado!")

print("""
PostgreSQL SSL Modes:
‚îå‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚î¨‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îê
‚îÇ disable      ‚îÇ Sem SSL                                   ‚îÇ
‚îÇ allow        ‚îÇ Tenta SSL, aceita n√£o-SSL                ‚îÇ
‚îÇ prefer       ‚îÇ Prefere SSL, aceita n√£o-SSL (padr√£o)     ‚îÇ
‚îÇ require      ‚îÇ SSL obrigat√≥rio, sem verifica√ß√£o         ‚îÇ
‚îÇ verify-ca    ‚îÇ SSL + verifica certificado CA            ‚îÇ
‚îÇ verify-full  ‚îÇ SSL + verifica CA + hostname             ‚îÇ
‚îî‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚î¥‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îÄ‚îò

Recomenda√ß√µes:
‚úì Produ√ß√£o: verify-full
‚úì Staging: require ou verify-ca
‚úì Desenvolvimento local: prefer ou disable
""")


## üìù Bloco 12: Exemplo 12


In [None]:
import duckdb

con = duckdb.connect()
con.execute("INSTALL postgres_scanner; LOAD postgres_scanner;")

# Master (write)
con.execute("""
    CREATE SECRET pg_master (
        TYPE postgres,
        HOST 'postgres-master.example.com',
        PORT 5432,
        DATABASE 'production',
        USER 'app_user',
        PASSWORD 'app_password',
        SSLMODE 'require'
    )
""")

# Read replica
con.execute("""
    CREATE SECRET pg_replica (
        TYPE postgres,
        HOST 'postgres-replica.example.com',
        PORT 5432,
        DATABASE 'production',
        USER 'readonly_user',
        PASSWORD 'readonly_password',
        SSLMODE 'require'
    )
""")

print("""
Configura√ß√£o Master-Replica criada!

Uso:
- pg_master: Queries que precisam dados mais recentes
- pg_replica: Queries anal√≠ticas, relat√≥rios (pode ter lag)

Vantagens:
‚úì Reduz carga no master
‚úì Melhor performance para analytics
‚úì Separa√ß√£o de workloads (OLTP vs OLAP)
""")


## üìù Bloco 13: Exemplo 13


In [None]:
import duckdb

con = duckdb.connect()
con.execute("INSTALL mysql_scanner; LOAD mysql_scanner;")
con.execute("INSTALL postgres_scanner; LOAD postgres_scanner;")

# Setup secrets
con.execute("""
    CREATE SECRET mysql_orders (
        TYPE mysql,
        HOST 'mysql.example.com',
        DATABASE 'orders_db',
        USER 'user',
        PASSWORD 'pass'
    )
""")

con.execute("""
    CREATE SECRET postgres_customers (
        TYPE postgres,
        HOST 'postgres.example.com',
        DATABASE 'customers_db',
        USER 'user',
        PASSWORD 'pass'
    )
""")

# Attach databases
con.execute("""
    ATTACH 'mysql:orders_db' AS mysql_orders (TYPE mysql, SECRET mysql_orders)
""")

con.execute("""
    ATTACH 'postgres:customers_db' AS pg_customers (TYPE postgres, SECRET postgres_customers)
""")

# Cross-database query
query = """
    SELECT
        c.customer_id,
        c.customer_name,
        c.email,
        COUNT(o.order_id) as total_orders,
        SUM(o.amount) as total_spent,
        MAX(o.order_date) as last_order_date
    FROM pg_customers.customers c
    LEFT JOIN mysql_orders.orders o ON c.customer_id = o.customer_id
    WHERE c.created_at >= '2024-01-01'
    GROUP BY c.customer_id, c.customer_name, c.email
    HAVING total_orders > 5
    ORDER BY total_spent DESC
    LIMIT 100
"""

print("Cross-database query (PostgreSQL + MySQL):")
print(query)


## üìù Bloco 14: Exemplo 14


In [None]:
import duckdb

# Query exemplo: Consolidar dados de m√∫ltiplas fontes
query = """
    -- Dados de vendas do MySQL
    WITH mysql_sales AS (
        SELECT
            DATE_TRUNC('month', order_date) as month,
            'MySQL' as source,
            SUM(amount) as total
        FROM mysql_orders.sales
        WHERE order_date >= '2024-01-01'
        GROUP BY 1
    ),
    -- Dados de vendas do PostgreSQL
    postgres_sales AS (
        SELECT
            DATE_TRUNC('month', sale_date) as month,
            'PostgreSQL' as source,
            SUM(total_amount) as total
        FROM pg_customers.transactions
        WHERE sale_date >= '2024-01-01'
        GROUP BY 1
    ),
    -- Dados locais do DuckDB
    duckdb_sales AS (
        SELECT
            DATE_TRUNC('month', date) as month,
            'DuckDB' as source,
            SUM(value) as total
        FROM local_sales
        WHERE date >= '2024-01-01'
        GROUP BY 1
    )
    -- Consolida√ß√£o
    SELECT
        month,
        SUM(CASE WHEN source = 'MySQL' THEN total ELSE 0 END) as mysql_total,
        SUM(CASE WHEN source = 'PostgreSQL' THEN total ELSE 0 END) as postgres_total,
        SUM(CASE WHEN source = 'DuckDB' THEN total ELSE 0 END) as duckdb_total,
        SUM(total) as grand_total
    FROM (
        SELECT * FROM mysql_sales
        UNION ALL
        SELECT * FROM postgres_sales
        UNION ALL
        SELECT * FROM duckdb_sales
    )
    GROUP BY month
    ORDER BY month
"""

print("Query de consolida√ß√£o multi-database:")
print(query)


## üìù Bloco 15: Exemplo 15


In [None]:
import duckdb

con = duckdb.connect()
con.execute("INSTALL postgres_scanner; LOAD postgres_scanner;")

# Setup secret
con.execute("""
    CREATE SECRET pg_source (
        TYPE postgres,
        HOST 'postgres.example.com',
        DATABASE 'source_db',
        USER 'etl_user',
        PASSWORD 'etl_password'
    )
""")

# Attach
con.execute("""
    ATTACH 'postgres:source_db' AS pg_source (TYPE postgres, SECRET pg_source)
""")

# ETL: PostgreSQL ‚Üí Parquet
etl_query = """
    COPY (
        SELECT
            customer_id,
            customer_name,
            email,
            created_at,
            total_orders,
            total_spent,
            last_order_date
        FROM pg_source.customers
        WHERE created_at >= '2024-01-01'
    ) TO 'customers_export.parquet' (FORMAT PARQUET, COMPRESSION 'snappy')
"""

print("ETL Query exemplo (PostgreSQL ‚Üí Parquet):")
print(etl_query)
print("\nResultado: Arquivo customers_export.parquet criado com dados do PostgreSQL")


## üìù Bloco 16: Exemplo 16


In [None]:
import duckdb

con = duckdb.connect()
con.execute("INSTALL postgres_scanner; LOAD postgres_scanner;")

# Criar secret
con.execute("""
    CREATE SECRET pg_test (
        TYPE postgres,
        HOST 'localhost',
        PORT 5432,
        DATABASE 'testdb',
        USER 'testuser',
        PASSWORD 'testpass'
    )
""")

# Testar conex√£o
try:
    con.execute("""
        ATTACH 'postgres:testdb' AS pg_test (TYPE postgres, SECRET pg_test)
    """)

    # Testar query simples
    result = con.execute("SELECT 1 as test FROM pg_test.pg_catalog.pg_database LIMIT 1").fetchone()

    if result:
        print("‚úì Conex√£o PostgreSQL bem-sucedida!")

    # Listar databases
    databases = con.execute("""
        SELECT datname FROM pg_test.pg_catalog.pg_database
    """).df()
    print("\nDatabases dispon√≠veis:")
    print(databases)

except Exception as e:
    print(f"‚úó Erro na conex√£o: {e}")
    print("\nVerifique:")
    print("- Host e porta corretos")
    print("- Database existe")
    print("- Credenciais corretas")
    print("- Firewall permite conex√£o")
    print("- PostgreSQL aceitando conex√µes remotas (postgresql.conf)")


## üìù Bloco 17: Exemplo 17


In [None]:
print("""
Erros Comuns e Solu√ß√µes:

1. Connection refused
   Causa: PostgreSQL/MySQL n√£o est√° rodando ou n√£o aceita conex√µes
   Solu√ß√£o:
   - Verificar se servi√ßo est√° ativo
   - Verificar postgresql.conf: listen_addresses = '*'
   - Verificar firewall

2. Authentication failed
   Causa: Credenciais incorretas
   Solu√ß√£o:
   - Verificar user e password
   - Verificar pg_hba.conf (PostgreSQL)
   - Verificar grants (MySQL)

3. Database does not exist
   Causa: Nome do database incorreto
   Solu√ß√£o:
   - Listar databases: SHOW DATABASES; (MySQL) ou \\l (PostgreSQL)
   - Verificar case-sensitivity

4. SSL required but not supported
   Causa: Servidor requer SSL mas cliente n√£o configurou
   Solu√ß√£o:
   - Adicionar SSLMODE 'require' no secret (PostgreSQL)
   - Adicionar SSL_MODE 'REQUIRED' no secret (MySQL)

5. Timeout
   Causa: Conex√£o lenta ou servidor n√£o responde
   Solu√ß√£o:
   - Aumentar CONNECT_TIMEOUT
   - Verificar lat√™ncia de rede
   - Verificar carga do servidor

6. Too many connections
   Causa: Limite de conex√µes atingido no servidor
   Solu√ß√£o:
   - Aumentar max_connections no servidor
   - Fechar conex√µes n√£o utilizadas
   - Implementar connection pooling
""")


## üìù Bloco 18: Exemplo 18


In [None]:
import duckdb

print("""
Privil√©gios M√≠nimos - Best Practices:

PostgreSQL:
-----------
-- Criar role apenas com SELECT
CREATE ROLE readonly_user WITH LOGIN PASSWORD 'password';
GRANT CONNECT ON DATABASE mydb TO readonly_user;
GRANT USAGE ON SCHEMA public TO readonly_user;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly_user;

-- Prevenir writes
REVOKE INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public FROM readonly_user;

MySQL:
------
-- Criar user apenas com SELECT
CREATE USER 'readonly_user'@'%' IDENTIFIED BY 'password';
GRANT SELECT ON mydb.* TO 'readonly_user'@'%';
FLUSH PRIVILEGES;

DuckDB Secret:
--------------
""")

con = duckdb.connect()
con.execute("INSTALL postgres_scanner; LOAD postgres_scanner;")

con.execute("""
    CREATE SECRET pg_readonly (
        TYPE postgres,
        HOST 'postgres.example.com',
        DATABASE 'production',
        USER 'readonly_user',  -- User sem permiss√µes de write
        PASSWORD 'secure_password',
        SSLMODE 'verify-full'
    )
""")

print("Secret com privil√©gios m√≠nimos criado!")


## üìù Bloco 19: Exemplo 19


In [None]:
import duckdb
import os

# Ler password de vari√°vel de ambiente
db_password = os.getenv('DB_PASSWORD', 'default_password')

con = duckdb.connect()
con.execute("INSTALL postgres_scanner; LOAD postgres_scanner;")

# Usar password da vari√°vel de ambiente
con.execute(f"""
    CREATE SECRET pg_env (
        TYPE postgres,
        HOST 'postgres.example.com',
        DATABASE 'mydb',
        USER 'myuser',
        PASSWORD '{db_password}',
        SSLMODE 'require'
    )
""")

print("""
Password Management Best Practices:

‚úì Use vari√°veis de ambiente (DB_PASSWORD)
‚úì Use secrets managers (AWS Secrets Manager, Azure Key Vault)
‚úì Nunca commite passwords no c√≥digo
‚úì Use .env files (n√£o commitados no git)
‚úì Rotacione passwords regularmente
‚úì Use passwords fortes e √∫nicos
‚úì Prefira persistent secrets para credenciais permanentes

‚ùå Nunca:
- Hardcode passwords no c√≥digo
- Commite passwords no git
- Compartilhe passwords em texto plano
- Use mesma password em m√∫ltiplos ambientes
""")


## üìù Bloco 20: Exemplo 20


In [None]:
# 1. Crie um secret MySQL com SSL_MODE 'REQUIRED'
# 2. Crie outro com SSL_MODE 'VERIFY_CA' e certificados
# 3. Compare as configura√ß√µes usando duckdb_secrets()
# 4. Tente usar ATTACH (se tiver MySQL dispon√≠vel)

# Sua solu√ß√£o aqui


## üìù Bloco 21: Exemplo 21


In [None]:
# 1. Crie 3 secrets PostgreSQL:
#    - Um com par√¢metros separados
#    - Um com connection string simples
#    - Um com connection string com par√¢metros SSL
# 2. Liste todos e verifique os providers
# 3. Delete todos os secrets

# Sua solu√ß√£o aqui


## üìù Bloco 22: Exemplo 22


In [None]:
# 1. Crie um secret MySQL e um PostgreSQL
# 2. Use ATTACH para ambos
# 3. Crie uma query que faz JOIN entre tabelas dos dois databases
# 4. Use which_secret() para verificar qual secret seria usado

# Sua solu√ß√£o aqui


## üìù Bloco 23: Exemplo 23


In [None]:
# 1. Crie um secret PostgreSQL com SSL verify-full
# 2. Configure timeouts apropriados
# 3. Use uma password de vari√°vel de ambiente
# 4. Documente as decis√µes de seguran√ßa tomadas

# Sua solu√ß√£o aqui
