On 01/24/2015 10:56 AM, Marc Tamlyn wrote:

I'm not sure what the benefit here would be - the settings are
evaluated at start up time, not on every request and the server would
need to be restarted for it to change.

A patch to db.connections which allows the username and password to be
looked up on each new connection might be interesting, although I'd be
concerned that for any reasonably high traffic site this would be
happening a *lot*, normally during a user request. Something like
caching it and then clearing the cache when it changes upstream would
be more appropriate.

This is addressed already by the system I referred to. I'll submit a
patch for the database connections.

Marc

On 24 January 2015 at 03:06, 'Andres Mejia' via Django developers
(Contributions to Django itself) <django-developers@googlegroups.com> wrote:

Hello Django devs,
I would like to see if Django can support setting the SECRET_KEY
and database creds as callables. Let me explain my situation.
Here at Amazon, we use a system to store and fetch secrets such as
a Django SECRET_KEY and database creds. There's a Python component
to this system which works something like this.

    SECRET_KEY = get_creds(secret_key_id, type='privatekey')
    . . .
    DATABASES = {
        'default': {
            . . .
            'USER': get_creds(database_creds_id, type='username'),
            'PASSWORD': get_creds(database_creds_id, type='password'),
        },
        . . .
    }

Secrets are rotated on a regular schedule or as needed. Often
times the secrets are rotated without advance notice and therefore
our various Django powered sites go down (because they can't
connect to the database) until the web servers are restarted. We
would prefer it if our web services did not have to be restarted.
I was going to propose a patch which modifies the force_text and
force_bytes methods in django.utils.encoding. The modification
basically involves adding an if statement.

    if hasattr(s, '__call__'):
        return s()

This would support setting the SECRET_KEY and database creds as
callables with no arguments. Example.

    SECRET_KEY = lambda: get_creds(secret_key_id, type='privatekey')
    . . .
    DATABASES = {
        'default': {
            . . .
            'USER': lambda: get_creds(database_creds_id, type='username'),
            'PASSWORD': lambda: get_creds(database_creds_id, type='password'),
        },
        . . .
    }

My question is, should I submit a patch or might there be some
other way to address my use case? Also, I'm aware of the various
examples which call for storing secrets in a separate file. We
cannot store secrets on the local disk (this is partly the reason
for the use of the system I explained).
--
Andres
--
You received this message because you are subscribed to the Google
Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to
django-developers@googlegroups.com.
Visit this group at http://groups.google.com/group/django-developers.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/54C30C4D.4030302%40amazon.com.
For more options, visit https://groups.google.com/d/optout.
--
Andres
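
An added example, not part of either message and not Django code: a sketch of the approach Marc describes, where credentials are cached and the cache is cleared when they change upstream. Here fetch stands in for the get_creds(...) calls in the thread; CachedSecret, AuthError and connect_with_rotation are hypothetical names, and "changed upstream" is assumed to be detected by a TTL expiring or by the database rejecting the cached credentials.

```python
import threading
import time


class CachedSecret:
    """Zero-argument callable that caches a fetched secret for ttl seconds."""

    def __init__(self, fetch, ttl=300.0, clock=time.monotonic):
        self._fetch = fetch          # stand-in for the thread's get_creds(...)
        self._ttl = ttl
        self._clock = clock
        self._lock = threading.Lock()
        self._value = None
        self._expires = None         # None means nothing is cached

    def __call__(self):
        with self._lock:
            now = self._clock()
            if self._expires is None or now >= self._expires:
                self._value = self._fetch()
                self._expires = now + self._ttl
            return self._value

    def invalidate(self):
        """Drop the cached value so the next call refetches it."""
        with self._lock:
            self._value = None
            self._expires = None


class AuthError(Exception):
    """Hypothetical: raised by the connect function on rejected credentials."""


def connect_with_rotation(connect, user, password):
    """Open a connection; on an auth failure, refetch credentials once and retry."""
    try:
        return connect(user(), password())
    except AuthError:
        # Cached credentials were rotated upstream: clear them and retry once.
        user.invalidate()
        password.invalidate()
        return connect(user(), password())
```

The secret store is hit once per TTL window or once per rotation, not on every new connection, which addresses the traffic concern raised in the reply; a second AuthError after the refetch propagates to the caller instead of looping.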