From b10869eb671fbbc998e8502cebfbca31b77e24a2 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" 
Date: Thu, 14 Dec 2023 21:05:18 +0700
Subject: [PATCH] Add PKIDeployer.setup_replication()

The code that sets up replication in PKIDeployer.setup_database() has been moved into PKIDeployer.setup_replication().
---
 .../python/pki/server/deployment/__init__.py | 263 +++++++++---------
 1 file changed, 133 insertions(+), 130 deletions(-)

diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
index 7eb71206b33..2cd2d217952 100644
--- a/base/server/python/pki/server/deployment/__init__.py
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -1568,169 +1568,172 @@ def setup_database(self, subsystem, master_config):
 if config.str2bool(self.mdict['pki_clone']) and \
 config.str2bool(self.mdict['pki_clone_setup_replication']):
+ self.setup_replication(subsystem, master_config)
- logger.info('Setting up replication')
+ # For security a PKI subsystem can be configured to use a database user
+ # that only has a limited access to the database (instead of cn=Directory
+ # Manager that has a full access to the database).
+ #
+ # The default database user is uid=pkidbuser,ou=people,.
+ # However, if the subsystem is configured to share the database with another
+ # subsystem (pki_share_db=True), it can also be configured to use the same
+ # database user (pki_share_dbuser_dn).
- master_replication_port = self.mdict['pki_clone_replication_master_port']
- logger.info('- master replication port: %s', master_replication_port)
+ if config.str2bool(self.mdict['pki_share_db']):
+ dbuser = self.mdict['pki_share_dbuser_dn']
+ else:
+ dbuser = 'uid=pkidbuser,ou=people,' + self.mdict['pki_ds_base_dn']
- replica_replication_port = self.mdict['pki_clone_replication_clone_port']
- logger.info('- replica replication port: %s', replica_replication_port)
+ subsystem.grant_database_access(dbuser)
- ds_port = subsystem.config['internaldb.ldapconn.port']
- logger.info('- internaldb.ldapconn.port: %s', ds_port)
+ subsystem.add_vlv()
+ subsystem.reindex_vlv()
- secure_conn = subsystem.config['internaldb.ldapconn.secureConn']
- logger.info('- internaldb.ldapconn.secureConn: %s', secure_conn)
+ def setup_replication(self, subsystem, master_config):
- if replica_replication_port == ds_port and secure_conn == 'true':
- replication_security = 'SSL'
+ logger.info('Setting up replication')
- else:
- replication_security = self.mdict['pki_clone_replication_security']
- if not replication_security:
- replication_security = 'None'
+ master_replication_port = self.mdict['pki_clone_replication_master_port']
+ logger.info('- master replication port: %s', master_replication_port)
- logger.info('- replication security: %s', replication_security)
+ replica_replication_port = self.mdict['pki_clone_replication_clone_port']
+ logger.info('- replica replication port: %s', replica_replication_port)
- # get master database config
+ ds_port = subsystem.config['internaldb.ldapconn.port']
+ logger.info('- internaldb.ldapconn.port: %s', ds_port)
- master_ldap_config = {}
- for name in master_config['Properties']:
+ secure_conn = subsystem.config['internaldb.ldapconn.secureConn']
+ logger.info('- internaldb.ldapconn.secureConn: %s', secure_conn)
- match = re.match(r'internaldb\.(.*)$', name)
+ if replica_replication_port == ds_port and secure_conn == 'true':
+ replication_security = 'SSL'
- if not match:
- continue
+ else:
+ replication_security = self.mdict['pki_clone_replication_security']
+ if not replication_security:
+ replication_security = 'None'
- new_name = match.group(1) # strip internaldb prefix
+ logger.info('- replication security: %s', replication_security)
- if new_name == 'replication.password': # unused
- continue
+ # get master database config
- elif new_name == 'ldapauth.bindPWPrompt': # unused
- continue
+ master_ldap_config = {}
+ for name in master_config['Properties']:
- elif new_name.startswith('_'): # comments
- continue
+ match = re.match(r'internaldb\.(.*)$', name)
- elif new_name == 'ldapauth.password': # rename
- new_name = 'ldapauth.bindPassword'
+ if not match:
+ continue
- value = master_config['Properties'][name]
+ new_name = match.group(1) # strip internaldb prefix
- master_ldap_config[new_name] = value
+ if new_name == 'replication.password': # unused
+ continue
- # get replica database config
+ elif new_name == 'ldapauth.bindPWPrompt': # unused
+ continue
- replica_ldap_config = {}
- for name in subsystem.config:
+ elif new_name.startswith('_'): # ignore comments
+ continue
- match = re.match(r'internaldb\.(.*)$', name)
+ elif new_name == 'ldapauth.password': # rename
+ new_name = 'ldapauth.bindPassword'
- if not match:
- continue
+ value = master_config['Properties'][name]
- new_name = match.group(1) # strip internaldb prefix
+ master_ldap_config[new_name] = value
- if new_name.startswith('_'): # comments
+ # get replica database config
- elif new_name == 'ldapauth.bindPWPrompt': # replace
- new_name = 'ldapauth.bindPassword'
- value = self.instance.get_password('internaldb')
+ replica_ldap_config = {}
+ for name in subsystem.config:
- else:
- value = subsystem.config[name]
+ match = re.match(r'internaldb\.(.*)$', name)
- replica_ldap_config[new_name] = value
+ if not match:
+ continue
- hostname = self.mdict['pki_hostname']
- master_agreement_name = 'masterAgreement1-%s-%s' % (hostname, self.instance.name)
- replica_agreement_name = 'cloneAgreement1-%s-%s' % (hostname, self.instance.name)
-
- master_hostname = master_ldap_config['ldapconn.host']
- if not master_replication_port:
- master_replication_port = master_ldap_config['ldapconn.port']
- master_url = 'ldap://%s:%s' % (master_hostname, master_replication_port)
-
- master_bind_dn = 'cn=Replication Manager %s,ou=csusers,cn=config' % \
- master_agreement_name
- master_bind_password = master_config['Properties']['internaldb.replication.password']
-
- replica_hostname = replica_ldap_config['ldapconn.host']
- if not replica_replication_port:
- replica_replication_port = ds_port
- replica_url = 'ldap://%s:%s' % (replica_hostname, replica_replication_port)
-
- replica_bind_dn = 'cn=Replication Manager %s,ou=csusers,cn=config' % \
- replica_agreement_name
- replica_bind_password = self.instance.get_password('replicationdb')
-
- logger.info('Enable replication on master')
-
- # TODO: provide param to specify the replica ID for the master
- subsystem.enable_replication(
- master_ldap_config,
- master_bind_dn,
- master_bind_password,
- None)
-
- logger.info('Enable replication on replica')
-
- # TODO: provide param to specify the replica ID for the replica
- subsystem.enable_replication(
- replica_ldap_config,
- replica_bind_dn,
- replica_bind_password,
- None)
-
- logger.info('Adding master replication agreement')
- logger.info('- replica URL: %s', replica_url)
-
- subsystem.add_replication_agreement(
- master_agreement_name,
- master_ldap_config,
- replica_url,
- replica_bind_dn,
- replica_bind_password,
- replication_security)
-
- logger.info('Adding replica replication agreement')
- logger.info('- master URL: %s', master_url)
-
- subsystem.add_replication_agreement(
- replica_agreement_name,
- replica_ldap_config,
- master_url,
- master_bind_dn,
- master_bind_password,
- replication_security)
-
- logger.info('Initializing replication agreement')
-
- subsystem.init_replication_agreement(
- master_agreement_name,
- master_ldap_config)
+ new_name = match.group(1) # strip internaldb prefix
- # For security a PKI subsystem can be configured to use a database user
- # that only has a limited access to the database (instead of cn=Directory
- # Manager that has a full access to the database).
- #
- # The default database user is uid=pkidbuser,ou=people,.
- # However, if the subsystem is configured to share the database with another
- # subsystem (pki_share_db=True), it can also be configured to use the same
- # database user (pki_share_dbuser_dn).
+ if new_name.startswith('_'): # ignore comments
+ continue
- if config.str2bool(self.mdict['pki_share_db']):
- dbuser = self.mdict['pki_share_dbuser_dn']
- else:
- dbuser = 'uid=pkidbuser,ou=people,' + self.mdict['pki_ds_base_dn']
+ elif new_name == 'ldapauth.bindPWPrompt': # replace
+ new_name = 'ldapauth.bindPassword'
+ value = self.instance.get_password('internaldb')
- subsystem.grant_database_access(dbuser)
+ else:
+ value = subsystem.config[name]
- subsystem.add_vlv()
- subsystem.reindex_vlv()
+ replica_ldap_config[new_name] = value
+
+ hostname = self.mdict['pki_hostname']
+ master_agreement_name = 'masterAgreement1-%s-%s' % (hostname, self.instance.name)
+ replica_agreement_name = 'cloneAgreement1-%s-%s' % (hostname, self.instance.name)
+
+ master_hostname = master_ldap_config['ldapconn.host']
+ if not master_replication_port:
+ master_replication_port = master_ldap_config['ldapconn.port']
+ master_url = 'ldap://%s:%s' % (master_hostname, master_replication_port)
+
+ master_bind_dn = 'cn=Replication Manager %s,ou=csusers,cn=config' % \
+ master_agreement_name
+ master_bind_password = master_config['Properties']['internaldb.replication.password']
+
+ replica_hostname = replica_ldap_config['ldapconn.host']
+ if not replica_replication_port:
+ replica_replication_port = ds_port
+ replica_url = 'ldap://%s:%s' % (replica_hostname, replica_replication_port)
+
+ replica_bind_dn = 'cn=Replication Manager %s,ou=csusers,cn=config' % \
+ replica_agreement_name
+ replica_bind_password = self.instance.get_password('replicationdb')
+
+ logger.info('Enable replication on master')
+
+ # TODO: provide param to specify the replica ID for the master
+ subsystem.enable_replication(
+ master_ldap_config,
+ master_bind_dn,
+ master_bind_password,
+ None)
+
+ logger.info('Enable replication on replica')
+
+ # TODO: provide param to specify the replica ID for the replica
+ subsystem.enable_replication(
+ replica_ldap_config,
+ replica_bind_dn,
+ replica_bind_password,
+ None)
+
+ logger.info('Adding master replication agreement')
+ logger.info('- replica URL: %s', replica_url)
+
+ subsystem.add_replication_agreement(
+ master_agreement_name,
+ master_ldap_config,
+ replica_url,
+ replica_bind_dn,
+ replica_bind_password,
+ replication_security)
+
+ logger.info('Adding replica replication agreement')
+ logger.info('- master URL: %s', master_url)
+
+ subsystem.add_replication_agreement(
+ replica_agreement_name,
+ replica_ldap_config,
+ master_url,
+ master_bind_dn,
+ master_bind_password,
+ replication_security)
+
+ logger.info('Initializing replication agreement')
+
+ subsystem.init_replication_agreement(
+ master_agreement_name,
+ master_ldap_config)
 def is_using_legacy_id_generator(self, subsystem):
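Review bot: In the new `setup_replication`, when `pki_clone_replication_security` is unset and the replica replication port is not the subsystem's secure DS port, `replication_security` silently falls back to `'None'` and that value is handed to both `add_replication_agreement` calls, which presumably means the Replication Manager simple binds (`master_bind_password`, `replica_bind_password`) and the replicated CA data go over an unencrypted LDAP transport with only an info-level `'- replication security: %s'` line recording it. I would make that fallback loud right after the two URLs are built: `if replication_security == 'None': logger.warning('Replication between %s and %s is not encrypted', master_url, replica_url)`. Both URLs are also always formatted as `ldap://` even when `replication_security` is `'SSL'`; presumably the agreement consults the security argument rather than the URL scheme, but that is worth confirming in `add_replication_agreement`, which is outside this hunk. The method also has no docstring; a short one should state that `master_config['Properties']` supplies the master's `internaldb.*` settings including `internaldb.replication.password`, that the replica side reads its bind credentials from `self.instance.get_password('internaldb')` and `get_password('replicationdb')`, and that the replica IDs are currently left as `None` (the two TODOs). The enclosing `setup_database` begins before this hunk, and `is_using_legacy_id_generator` continues past it.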