def _validate_postgres_ssl_certificates_provided():
error_msg = 'If Postgresql requires SSL communication {0} ' \
'for Postgresql must be provided in ' \
'config.yaml in {1}'
if is_installed(DATABASE_SERVICE):
if not (config['postgresql_server']['cert_path']
and config['postgresql_server']['key_path']
and config['postgresql_server']['ca_path']):
if config[POSTGRESQL_SERVER][SSL_ENABLED] or \
config[POSTGRESQL_SERVER]['cluster']['nodes']:
raise ValidationError(
error_msg.format(
'a CA certificate, a certificate and a key',
'postgresql_server.cert_path, '
'postgresql_server.key_path, '
'and postgresql_server.ca_path'))
elif not (config[SSL_INPUTS]['postgresql_client_cert_path']
and config[SSL_INPUTS]['postgresql_client_key_path']
and config['postgresql_server']['ca_path']):
if config[POSTGRESQL_CLIENT][SSL_CLIENT_VERIFICATION]:
raise ValidationError(
error_msg.format(
'with client verification, a CA certificate, '
'a certificate and a key ',
'ssl_inputs.postgresql_client_cert_path, '
'ssl_inputs.postgresql_client_key_path, '
'and postgresql_server.ca_path'))
elif is_installed(MANAGER_SERVICE):
if not config['postgresql_server']['ca_path'] and not \
config['postgresql_client']['ca_path']:
# Do not allow external postgres without SSL
raise ValidationError(
error_msg.format(
'a CA certificate', 'postgresql_server.ca_path or '
'postgresql_client.ca_path'))
def _validate_external_postgres():
pg_conf = config[POSTGRESQL_SERVER]
if is_installed(DATABASE_SERVICE) and is_installed(MANAGER_SERVICE):
if pg_conf['cluster']['nodes']:
raise ValidationError('Postgres cluster nodes cannot be '
'installed on manager nodes.')
else:
# Local DB, no need to conduct external checks
return
if is_installed(DATABASE_SERVICE):
if pg_conf['cluster']['nodes']:
problems = []
if len(pg_conf['cluster']['nodes']) < 2:
problems.append('There must be at least 2 DB cluster nodes.')
elif len(pg_conf['cluster']['nodes']) < 3:
logger.warning(
'At least 3 nodes are recommended for DB clusters.')
etcd_conf = pg_conf['cluster']['etcd']
if not all(
etcd_conf.get(entry)
for entry in ('cluster_token', 'root_password',
'patroni_password')):
problems.append(
'Etcd cluster token and passwords must be set.')
patroni_conf = pg_conf['cluster']['patroni']
if not all(
patroni_conf.get(entry)
for entry in ('rest_user', 'rest_password')):
problems.append(
'Patroni rest username and password must be set.')
if not pg_conf['cluster']['postgres']['replicator_password']:
problems.append('Postgres replicator password must be set.')
if problems:
raise ValidationError(
'Problems detected in postgresql_server.cluster '
'configuration: {problems}'.format(
problems=' '.join(problems), ))
def _validate_postgres_inputs():
"""
Validating that an external DB will always listen to remote connections
and, that a postgres password is set - needed for remote connections
"""
if is_installed(DATABASE_SERVICE) and is_installed(MANAGER_SERVICE):
if config[POSTGRESQL_CLIENT]['host'] not in ('localhost', '127.0.0.1'):
raise ValidationError('Cannot install database_service when '
'connecting to an external database')
elif config[POSTGRESQL_SERVER]['cluster']['nodes']:
raise ValidationError('Cannot install database_service when '
'connecting to a Postgres Cluster')
if is_installed(DATABASE_SERVICE) and not is_installed(MANAGER_SERVICE):
if config[POSTGRESQL_SERVER]['cluster']['nodes']:
if not config[POSTGRESQL_SERVER][POSTGRES_PASSWORD]:
raise ValidationError('When using an external database with '
'a Postgres Cluster, postgres_password '
'must be set to a non-empty value')
elif config[POSTGRESQL_SERVER][ENABLE_REMOTE_CONNECTIONS] and \
not config[POSTGRESQL_SERVER][POSTGRES_PASSWORD] \
or \
not config[POSTGRESQL_SERVER][ENABLE_REMOTE_CONNECTIONS] and \
config[POSTGRESQL_SERVER][POSTGRES_PASSWORD]:
raise ValidationError('When using an external database, both '
'enable_remote_connections and '
'postgres_password must be set')
if is_installed(MANAGER_SERVICE) and not is_installed(DATABASE_SERVICE):
postgres_host = config[POSTGRESQL_CLIENT]['host'].rsplit(':', 1)[0]
if postgres_host in ('localhost', '127.0.0.1', '::1') and \
not config[POSTGRESQL_CLIENT][SERVER_PASSWORD]:
raise ValidationError('When using an external database, '
'postgres_password must be set')
if config[POSTGRESQL_SERVER]['cluster']['nodes']:
_validate_postgres_cluster_configuration()
if (config[POSTGRESQL_SERVER][SSL_CLIENT_VERIFICATION]
and not config[POSTGRESQL_SERVER]['ssl_only_connections']):
raise ValidationError(
'When using ssl_client_verification, ssl_only_connections '
'must be enabled to ensure client verification takes place.')
_validate_postgres_azure_configuration()
_validate_postgres_server_and_cloudify_input_difference()