organize a bit and document configuration #13
Comments
|
most of the time, location of the module is user as root for searching config |
volodymyrss
added
documentation
|
there is a separate point of secret handling. currently, we store some secrets in config. it is not uncommon to do so. auth_secret: $ODA_DISPATCHER_OAUTH_SECRETdispatcher would need to interpret this in the config, substituing actual env variable. similarly, it can be file to read it from. etc. |
|
As far as I understood, this will be stored within a record in a table in the DB of a certain deployment. So the configuration could provide the database access credential and point to the table containing the desired data. |
yes, that's an option! But it's also good that dispatcher does not depend on frontend database. For now - it still does not. This way it is more decoupled and more reliable. Also we currently can run dispatcher without frontend database. At least there should be an option preserve this behavior. Also for testing. So maybe we could have several possibilities?
|
A third option could be based on the setup a DB specific for the dispatcher: this would be populated during the deployment, perhaps it could be used ful for other purposes... |
to store secret in the DB? as an option - sure, but still, I think it should still be referenced in the config. to have single central source of configuration - with references to other sources (DBs, variables, files) when needed. ok? the only concern is that it should not be more complex than necessary. by the way, there is a redis db there, indeed used for other purposes, e.g. for celery there. |
Exactly, it only makes sense if it can be used for more purposes than just storing the secret key, if that is the only use we would make of it...no need to struggle too much with another bunch of configuraiton
thanks |
Indeed! Which is why I thought the first option - simply keeping it in the config - is pretty functional. It is what is done now for sentry and logstash, and is probably just fine. The disadvantage of this approach is that the entire config has to be secret, or has to be constructed on deployment from secret and other parts. This is a bit annoying and causes rightfully misunderstandings, such as this. Hence, suggestion to slightly complicate the config, by following another common approach: make reference in the config to some other locations, reserved for secrets. Variables or files would be just fine. They are easy to safely create on deployment too. I would see is as nice-to-have feature, which would improve our life. Whether it is worth addressing it, depends on:
|
|
look, I added this bde01f6 Note that this issue is marked as "refactoring" - it is not of the immediate need. We should appreciated that refactoring takes time, not with benefit which is not immediately obvious to the users/stakeholders. So we can not spend too much on it, but we should do it regularly. Still, we should focus to provide features regularly. E.g. maybe it is better to start by putting the secret plain in the config, and doing that part - and only after proceeding to improve. This issue here is also marked as documentation - since we made effort to understand and improve, we can explain it, it will save us time. |
|
Let's indeed go for a step-by-step approac, putting first the secret clear-text within the config (config_env.yaml). It is indeed importanto for the future and for providing a more structured plastform |
No description provided.
The text was updated successfully, but these errors were encountered: