As part of refactoring maintain-dbusers.py, we need a service to run on an NFS server that creates replica.my.cnf in response to an API call.
This server should only need to support two endpoints:
- PUT (or POST?) takes a filepath (or shell name?), username, and password and writes the file
- GET takes a filepath (or shell name?) and returns the username and password
Proposed dev steps:
- Get the basic code working with local development and testing by hand with curl
- Deploy the tool (how?) on a test NFS server, run as a WSGI service with nginx
- Add TLS so that passwords aren't being transferred in clear text
- Consider auth. The quick and dirty approach would be to just lock this down via firewall rules.
Once all that is set, we can look at refactoring the rest of maintain-dbusers.py so that it talks to this new API.
Sample code to read/write the files can be found in maintain-dbusers.py in the write_replica_cnf() and read_replica_cnf() functions.
I've set up a test server for step 2. It is dbusers-nfs-1.testlabs.eqiad1.wikimedia.cloud. @Slst2020 and @Raymond_Ndibe if you respond here with your developer account names I can get you login access to that host.
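
The two endpoints described above accept a caller-supplied path, so the read/write core needs to confine that path to a base directory before touching the filesystem. The sketch below is an added example, not code from maintain-dbusers.py; the names `resolve_cnf_path`, `write_cnf` and `read_cnf`, the base-directory layout, and the `[client]` section with `user` and `password` keys are assumptions made for illustration.

```python
import configparser
import os
from pathlib import Path

FILENAME = "replica.my.cnf"


def resolve_cnf_path(base_dir, relative_dir):
    """Map a caller-supplied directory to <base>/<dir>/replica.my.cnf."""
    base = Path(base_dir).resolve()
    # resolve() collapses ".." and follows symlinks, so escapes become visible
    target = (base / relative_dir / FILENAME).resolve()
    if base not in target.parents:
        raise ValueError("path escapes base directory")
    return target


def write_cnf(base_dir, relative_dir, username, password):
    """Create the credentials file once, owner read-only (assumed file layout)."""
    target = resolve_cnf_path(base_dir, relative_dir)
    for value in (username, password):
        if "\n" in value or "\r" in value:
            raise ValueError("newline in credential")  # would inject config lines
    cfg = configparser.ConfigParser(interpolation=None)
    cfg["client"] = {"user": username, "password": password}
    # O_EXCL: never overwrite existing credentials; O_NOFOLLOW: refuse a
    # symlink planted at the final path component. Mode 0400 from creation.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(target, flags, 0o400)
    with os.fdopen(fd, "w") as handle:
        cfg.write(handle)
    return target


def read_cnf(base_dir, relative_dir):
    """Return (username, password) from an existing credentials file."""
    target = resolve_cnf_path(base_dir, relative_dir)
    cfg = configparser.ConfigParser(interpolation=None)
    with open(target) as handle:
        cfg.read_file(handle)
    return cfg["client"]["user"], cfg["client"]["password"]
```

A PUT handler would call `write_cnf` and a GET handler `read_cnf`, mapping `ValueError` to a 400 response and `FileExistsError` to a 409.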