

Add PKIDeployer.setup_replication()
The code that sets up replication in PKIDeployer.setup_database()
has been moved into PKIDeployer.setup_replication().
edewata committed Dec 14, 2023
1 parent 211ebb5 commit b10869e
Showing 1 changed file with 133 additions and 130 deletions.
263 changes: 133 additions & 130 deletions base/server/python/pki/server/deployment/__init__.py
Expand Up @@ -1568,169 +1568,172 @@ def setup_database(self, subsystem, master_config):

if config.str2bool(self.mdict['pki_clone']) and \
config.str2bool(self.mdict['pki_clone_setup_replication']):
self.setup_replication(subsystem, master_config)

logger.info('Setting up replication')
# For security a PKI subsystem can be configured to use a database user
# that only has a limited access to the database (instead of cn=Directory
# Manager that has a full access to the database).
#
# The default database user is uid=pkidbuser,ou=people,<subsystem base DN>.
# However, if the subsystem is configured to share the database with another
# subsystem (pki_share_db=True), it can also be configured to use the same
# database user (pki_share_dbuser_dn).

master_replication_port = self.mdict['pki_clone_replication_master_port']
logger.info('- master replication port: %s', master_replication_port)
if config.str2bool(self.mdict['pki_share_db']):
dbuser = self.mdict['pki_share_dbuser_dn']
else:
dbuser = 'uid=pkidbuser,ou=people,' + self.mdict['pki_ds_base_dn']

replica_replication_port = self.mdict['pki_clone_replication_clone_port']
logger.info('- replica replication port: %s', replica_replication_port)
subsystem.grant_database_access(dbuser)

ds_port = subsystem.config['internaldb.ldapconn.port']
logger.info('- internaldb.ldapconn.port: %s', ds_port)
subsystem.add_vlv()
subsystem.reindex_vlv()

secure_conn = subsystem.config['internaldb.ldapconn.secureConn']
logger.info('- internaldb.ldapconn.secureConn: %s', secure_conn)
def setup_replication(self, subsystem, master_config):

if replica_replication_port == ds_port and secure_conn == 'true':
replication_security = 'SSL'
logger.info('Setting up replication')

else:
replication_security = self.mdict['pki_clone_replication_security']
if not replication_security:
replication_security = 'None'
master_replication_port = self.mdict['pki_clone_replication_master_port']
logger.info('- master replication port: %s', master_replication_port)

logger.info('- replication security: %s', replication_security)
replica_replication_port = self.mdict['pki_clone_replication_clone_port']
logger.info('- replica replication port: %s', replica_replication_port)

# get master database config
ds_port = subsystem.config['internaldb.ldapconn.port']
logger.info('- internaldb.ldapconn.port: %s', ds_port)

master_ldap_config = {}
for name in master_config['Properties']:
secure_conn = subsystem.config['internaldb.ldapconn.secureConn']
logger.info('- internaldb.ldapconn.secureConn: %s', secure_conn)

match = re.match(r'internaldb\.(.*)$', name)
if replica_replication_port == ds_port and secure_conn == 'true':
replication_security = 'SSL'

if not match:
continue
else:
replication_security = self.mdict['pki_clone_replication_security']
if not replication_security:
replication_security = 'None'

new_name = match.group(1) # strip internaldb prefix
logger.info('- replication security: %s', replication_security)

if new_name == 'replication.password': # unused
continue
# get master database config

elif new_name == 'ldapauth.bindPWPrompt': # unused
continue
master_ldap_config = {}
for name in master_config['Properties']:

elif new_name.startswith('_'): # comments
continue
match = re.match(r'internaldb\.(.*)$', name)

elif new_name == 'ldapauth.password': # rename
new_name = 'ldapauth.bindPassword'
if not match:
continue

value = master_config['Properties'][name]
new_name = match.group(1) # strip internaldb prefix

master_ldap_config[new_name] = value
if new_name == 'replication.password': # unused
continue

# get replica database config
elif new_name == 'ldapauth.bindPWPrompt': # unused
continue

replica_ldap_config = {}
for name in subsystem.config:
elif new_name.startswith('_'): # ignore comments
continue

match = re.match(r'internaldb\.(.*)$', name)
elif new_name == 'ldapauth.password': # rename
new_name = 'ldapauth.bindPassword'

if not match:
continue
value = master_config['Properties'][name]

new_name = match.group(1) # strip internaldb prefix
master_ldap_config[new_name] = value

if new_name.startswith('_'): # comments
continue
# get replica database config

elif new_name == 'ldapauth.bindPWPrompt': # replace
new_name = 'ldapauth.bindPassword'
value = self.instance.get_password('internaldb')
replica_ldap_config = {}
for name in subsystem.config:

else:
value = subsystem.config[name]
match = re.match(r'internaldb\.(.*)$', name)

replica_ldap_config[new_name] = value
if not match:
continue

hostname = self.mdict['pki_hostname']
master_agreement_name = 'masterAgreement1-%s-%s' % (hostname, self.instance.name)
replica_agreement_name = 'cloneAgreement1-%s-%s' % (hostname, self.instance.name)

master_hostname = master_ldap_config['ldapconn.host']
if not master_replication_port:
master_replication_port = master_ldap_config['ldapconn.port']
master_url = 'ldap://%s:%s' % (master_hostname, master_replication_port)

master_bind_dn = 'cn=Replication Manager %s,ou=csusers,cn=config' % \
master_agreement_name
master_bind_password = master_config['Properties']['internaldb.replication.password']

replica_hostname = replica_ldap_config['ldapconn.host']
if not replica_replication_port:
replica_replication_port = ds_port
replica_url = 'ldap://%s:%s' % (replica_hostname, replica_replication_port)

replica_bind_dn = 'cn=Replication Manager %s,ou=csusers,cn=config' % \
replica_agreement_name
replica_bind_password = self.instance.get_password('replicationdb')

logger.info('Enable replication on master')

# TODO: provide param to specify the replica ID for the master
subsystem.enable_replication(
master_ldap_config,
master_bind_dn,
master_bind_password,
None)

logger.info('Enable replication on replica')

# TODO: provide param to specify the replica ID for the replica
subsystem.enable_replication(
replica_ldap_config,
replica_bind_dn,
replica_bind_password,
None)

logger.info('Adding master replication agreement')
logger.info('- replica URL: %s', replica_url)

subsystem.add_replication_agreement(
master_agreement_name,
master_ldap_config,
replica_url,
replica_bind_dn,
replica_bind_password,
replication_security)

logger.info('Adding replica replication agreement')
logger.info('- master URL: %s', master_url)

subsystem.add_replication_agreement(
replica_agreement_name,
replica_ldap_config,
master_url,
master_bind_dn,
master_bind_password,
replication_security)

logger.info('Initializing replication agreement')

subsystem.init_replication_agreement(
master_agreement_name,
master_ldap_config)
new_name = match.group(1) # strip internaldb prefix

# For security a PKI subsystem can be configured to use a database user
# that only has a limited access to the database (instead of cn=Directory
# Manager that has a full access to the database).
#
# The default database user is uid=pkidbuser,ou=people,<subsystem base DN>.
# However, if the subsystem is configured to share the database with another
# subsystem (pki_share_db=True), it can also be configured to use the same
# database user (pki_share_dbuser_dn).
if new_name.startswith('_'): # ignore comments
continue

if config.str2bool(self.mdict['pki_share_db']):
dbuser = self.mdict['pki_share_dbuser_dn']
else:
dbuser = 'uid=pkidbuser,ou=people,' + self.mdict['pki_ds_base_dn']
elif new_name == 'ldapauth.bindPWPrompt': # replace
new_name = 'ldapauth.bindPassword'
value = self.instance.get_password('internaldb')

subsystem.grant_database_access(dbuser)
else:
value = subsystem.config[name]

subsystem.add_vlv()
subsystem.reindex_vlv()
replica_ldap_config[new_name] = value

hostname = self.mdict['pki_hostname']
master_agreement_name = 'masterAgreement1-%s-%s' % (hostname, self.instance.name)
replica_agreement_name = 'cloneAgreement1-%s-%s' % (hostname, self.instance.name)

master_hostname = master_ldap_config['ldapconn.host']
if not master_replication_port:
master_replication_port = master_ldap_config['ldapconn.port']
master_url = 'ldap://%s:%s' % (master_hostname, master_replication_port)

master_bind_dn = 'cn=Replication Manager %s,ou=csusers,cn=config' % \
master_agreement_name
master_bind_password = master_config['Properties']['internaldb.replication.password']

replica_hostname = replica_ldap_config['ldapconn.host']
if not replica_replication_port:
replica_replication_port = ds_port
replica_url = 'ldap://%s:%s' % (replica_hostname, replica_replication_port)

replica_bind_dn = 'cn=Replication Manager %s,ou=csusers,cn=config' % \
replica_agreement_name
replica_bind_password = self.instance.get_password('replicationdb')

logger.info('Enable replication on master')

# TODO: provide param to specify the replica ID for the master
subsystem.enable_replication(
master_ldap_config,
master_bind_dn,
master_bind_password,
None)

logger.info('Enable replication on replica')

# TODO: provide param to specify the replica ID for the replica
subsystem.enable_replication(
replica_ldap_config,
replica_bind_dn,
replica_bind_password,
None)

logger.info('Adding master replication agreement')
logger.info('- replica URL: %s', replica_url)

subsystem.add_replication_agreement(
master_agreement_name,
master_ldap_config,
replica_url,
replica_bind_dn,
replica_bind_password,
replication_security)

logger.info('Adding replica replication agreement')
logger.info('- master URL: %s', master_url)

subsystem.add_replication_agreement(
replica_agreement_name,
replica_ldap_config,
master_url,
master_bind_dn,
master_bind_password,
replication_security)

logger.info('Initializing replication agreement')

subsystem.init_replication_agreement(
master_agreement_name,
master_ldap_config)

def is_using_legacy_id_generator(self, subsystem):
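Review bot: The new setup_replication() falls back to `replication_security = 'None'` when `pki_clone_replication_security` is unset and the replica port is not the secure LDAP port, and only an info line records it; since the agreements below are built on `ldap://` URLs with the replication manager bind password, that fallback presumably means the replicated data and credentials cross the wire unencrypted. A warning at that branch would make it visible in the deployment log, e.g. `logger.warning('- replication security not configured; replication traffic will be unencrypted')` placed right before `replication_security = 'None'`. The method also has no docstring; a short one stating that it expects `master_config['Properties']` to carry the master's `internaldb.*` settings (including `internaldb.replication.password`), that it reads the `internaldb` and `replicationdb` passwords from the instance, and that it is only invoked when both `pki_clone` and `pki_clone_setup_replication` are true would help callers. setup_replication() is fully contained in the hunk; the enclosing setup_database() begins outside it.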

