def _validate_postgres_ssl_certificates_provided(): error_msg = 'If Postgresql requires SSL communication {0} ' \ 'for Postgresql must be provided in ' \ 'config.yaml in {1}' if is_installed(DATABASE_SERVICE): if not (config['postgresql_server']['cert_path'] and config['postgresql_server']['key_path'] and config['postgresql_server']['ca_path']): if config[POSTGRESQL_SERVER][SSL_ENABLED] or \ config[POSTGRESQL_SERVER]['cluster']['nodes']: raise ValidationError( error_msg.format( 'a CA certificate, a certificate and a key', 'postgresql_server.cert_path, ' 'postgresql_server.key_path, ' 'and postgresql_server.ca_path')) elif not (config[SSL_INPUTS]['postgresql_client_cert_path'] and config[SSL_INPUTS]['postgresql_client_key_path'] and config['postgresql_server']['ca_path']): if config[POSTGRESQL_CLIENT][SSL_CLIENT_VERIFICATION]: raise ValidationError( error_msg.format( 'with client verification, a CA certificate, ' 'a certificate and a key ', 'ssl_inputs.postgresql_client_cert_path, ' 'ssl_inputs.postgresql_client_key_path, ' 'and postgresql_server.ca_path')) elif is_installed(MANAGER_SERVICE): if not config['postgresql_server']['ca_path'] and not \ config['postgresql_client']['ca_path']: # Do not allow external postgres without SSL raise ValidationError( error_msg.format( 'a CA certificate', 'postgresql_server.ca_path or ' 'postgresql_client.ca_path'))
def _validate_external_postgres(): pg_conf = config[POSTGRESQL_SERVER] if is_installed(DATABASE_SERVICE) and is_installed(MANAGER_SERVICE): if pg_conf['cluster']['nodes']: raise ValidationError('Postgres cluster nodes cannot be ' 'installed on manager nodes.') else: # Local DB, no need to conduct external checks return if is_installed(DATABASE_SERVICE): if pg_conf['cluster']['nodes']: problems = [] if len(pg_conf['cluster']['nodes']) < 2: problems.append('There must be at least 2 DB cluster nodes.') elif len(pg_conf['cluster']['nodes']) < 3: logger.warning( 'At least 3 nodes are recommended for DB clusters.') etcd_conf = pg_conf['cluster']['etcd'] if not all( etcd_conf.get(entry) for entry in ('cluster_token', 'root_password', 'patroni_password')): problems.append( 'Etcd cluster token and passwords must be set.') patroni_conf = pg_conf['cluster']['patroni'] if not all( patroni_conf.get(entry) for entry in ('rest_user', 'rest_password')): problems.append( 'Patroni rest username and password must be set.') if not pg_conf['cluster']['postgres']['replicator_password']: problems.append('Postgres replicator password must be set.') if problems: raise ValidationError( 'Problems detected in postgresql_server.cluster ' 'configuration: {problems}'.format( problems=' '.join(problems), ))
def _validate_postgres_inputs(): """ Validating that an external DB will always listen to remote connections and, that a postgres password is set - needed for remote connections """ if is_installed(DATABASE_SERVICE) and is_installed(MANAGER_SERVICE): if config[POSTGRESQL_CLIENT]['host'] not in ('localhost', '127.0.0.1'): raise ValidationError('Cannot install database_service when ' 'connecting to an external database') elif config[POSTGRESQL_SERVER]['cluster']['nodes']: raise ValidationError('Cannot install database_service when ' 'connecting to a Postgres Cluster') if is_installed(DATABASE_SERVICE) and not is_installed(MANAGER_SERVICE): if config[POSTGRESQL_SERVER]['cluster']['nodes']: if not config[POSTGRESQL_SERVER][POSTGRES_PASSWORD]: raise ValidationError('When using an external database with ' 'a Postgres Cluster, postgres_password ' 'must be set to a non-empty value') elif config[POSTGRESQL_SERVER][ENABLE_REMOTE_CONNECTIONS] and \ not config[POSTGRESQL_SERVER][POSTGRES_PASSWORD] \ or \ not config[POSTGRESQL_SERVER][ENABLE_REMOTE_CONNECTIONS] and \ config[POSTGRESQL_SERVER][POSTGRES_PASSWORD]: raise ValidationError('When using an external database, both ' 'enable_remote_connections and ' 'postgres_password must be set') if is_installed(MANAGER_SERVICE) and not is_installed(DATABASE_SERVICE): postgres_host = config[POSTGRESQL_CLIENT]['host'].rsplit(':', 1)[0] if postgres_host in ('localhost', '127.0.0.1', '::1') and \ not config[POSTGRESQL_CLIENT][SERVER_PASSWORD]: raise ValidationError('When using an external database, ' 'postgres_password must be set') if config[POSTGRESQL_SERVER]['cluster']['nodes']: _validate_postgres_cluster_configuration() if (config[POSTGRESQL_SERVER][SSL_CLIENT_VERIFICATION] and not config[POSTGRESQL_SERVER]['ssl_only_connections']): raise ValidationError( 'When using ssl_client_verification, ssl_only_connections ' 'must be enabled to ensure client verification takes place.') _validate_postgres_azure_configuration() _validate_postgres_server_and_cloudify_input_difference()