3. Configuration

AD_BASE_DN

Type: str()

Default: override_me

A base DN of the form ‘dc=mgrid,dc=net’ that is used as the root for all queries.

AD_ENABLED

Type: bool()

Default: False

Enable or disable Active Directory integration.

AD_PASSWORD

Type: password()

Default: override_me

AD administrator password.

AD_URL

Type: str()

Default: override_me

A URL of the form ‘ldap://ad:389’ that describes the location of the Active Directory. Note that the queries use Active Directory-specific conventions, so a generic LDAP server will not suffice.

AD_USER_DOMAIN

Type: str()

Default: override_me

A user domain that is added to all user names when they authenticate without a backslash or at sign in the username. Typical example: MGRID\

AD_USER

Type: str()

Default: override_me

AD administrator account. This account is used to retrieve user information after login, when the user password is no longer in context and available.

AUDIT_APPLICATION_CODE

Type: str()

Default: das

Name of the application to send to the central FluentD server.

AUDIT_APPLICATION_INSTANCE

Type: str()

Default: default

Instance name of the application to send to the central FluentD server.

AUDIT_APPLICATION_IP

Type: ip()

Default: 127.0.0.1

IP address of the application instance to send to the central FluentD server.

AUDIT_ENABLED

Type: bool()

Default: False

Enable or disable audit logging to a central FluentD server.

AUDIT_LABEL

Type: str()

Default: log

Label used for all logs sent to the central FluentD server.

AUDIT_PORT

Type: int()

Default: 24224

Port number of the central FluentD server.

AUDIT_SERVER

Type: str()

Default: override_me

Hostname of the central FluentD server.

AUDIT_TAG

Type: str()

Default: audit

Tag used for all logs sent to the central FluentD server.

AZURE_CLIENT_ID

Type: str()

Default: override_me

Identifier for the Azure client.

AZURE_CLIENT_SECRET

Type: password()

Default: override_me

Secret for the Azure client.

AZURE_USER_AUTH_URL

Type: url()

Default: https://mgrid.b2clogin.com/mgrid.onmicrosoft.com/B2C_1_signuplogin/oauth2/v2.0/authorize

The URL for user authentication. This is where the user is redirected to log in.

AZURE_REDIRECT_URI

Type: url()

Default: https://das.example.com/api/v1/auth/azure

The URI to which the user is redirected after a successful login.

AZURE_GRAPH_AUTH_URL

Type: url()

Default: https://login.microsoftonline.com/mgrid.onmicrosoft.com

The URL where DAS requests an access_token so that it can fetch data from the Graph API.

AZURE_GRAPH_API_URL

Type: url()

Default: https://graph.microsoft.com

The URL of the Graph API.

AZURE_GRAPH_QUERY_URL

Type: str()

Default: https://graph.microsoft.com/v1.0/myorganization/users/{user_id}/memberOf?$select=displayName

The URL for querying the group membership of a specific user. Ensure there is a {user_id} part, which will be substituted with the actual user id.

AZURE_VERIFY_ID_TOKEN

Type: bool()

Default: True

Whether to verify the id_token received from the Azure login page.

AZURE_KEYS_URL

Type: url()

Default: https://mgrid.b2clogin.com/mgrid.onmicrosoft.com/discovery/v2.0/keys?p=B2C_1_signuplogin

The URL for fetching the public key the id_token is signed with. This value only needs to be set when AZURE_VERIFY_ID_TOKEN is true.

AZURE_LOGOUT_URI

Type: url()

Default: https://mgrid.b2clogin.com/mgrid.onmicrosoft.com/B2C_1_signuplogin/oauth2/v2.0/logout

The URI to which the user is redirected when logout is clicked.

CONTACT_EMAIL

Type: email()

Default: support@example.com

Support email address for e.g. users having trouble logging in.

DB_HOST

Type: str()

Default: override_me

The hostname of the application model database, e.g. postgres.

DB_NAME

Type: str()

Default: override_me

The name of the application model database, e.g. das.

DB_PASSWORD

Type: password()

Default: override_me

The password for the application model database, e.g. secret.

DB_PORT

Type: int()

Default: 5432

The port number of the application model database, e.g. 5432.

DB_USER

Type: str()

Default: override_me

The username for the application model database, e.g. das.

DUO_APIHOSTNAME

Type: domain()

Default: api-00000000.duosecurity.com

Hostname of the DUO server to interact with, e.g. api-ffffffff.duosecurity.com.

DUO_ENABLED

Type: bool()

Default: False

Enable or disable DUO two-factor authentication.

DUO_IKEY

Type: password()

Default: override_me

One of the keys needed to interact with the DUO servers.

DUO_SKEY

Type: password()

Default: override_me

One of the keys needed to interact with the DUO servers.

HOST

Type: ip()

Default: 0.0.0.0

IP address the server binds to.

JWT_ACCESS_TOKEN_EXPIRES

Type: int()

Default: 300

How long an access token should be valid before it expires.

JWT_ALGORITHM

Type: str()

Default: HS512

Which algorithm to sign the JWT with. See https://pyjwt.readthedocs.io/en/latest/algorithms.html for the available algorithms.

JWT_HEADER_NAME

Type: str()

Default: Authorization

Which header should contain the JWT in a request.

JWT_HEADER_TYPE

Type: str()

Default: Bearer

What type of header the JWT is in.

JWT_SECRET_KEY

Type: password()

Default: override_me

The JWT secret key that is used to authenticate requests to the management API.

JWT_TOKEN_LOCATION

Type: enum('headers', 'cookies', 'query_string', 'json')

Default: headers

Where to look for a JWT when processing a request.

LOGO_EMAIL

Type: url()

Default: https://example.com/logo.svg

Location of the logo image for emails that are sent out, e.g. https://das.example.com/logo.png. Depending on the mail client that receives the email message, this may show as the actual logo, a broken image or not show up at all. If set to None, the logo will not be included in email messages.

LOGO_UI

Type: any(path(), url())

Default: /static/images/mgrid_logo.svg

Location of the logo image for the UI. May be a relative path, e.g. /static/images/mgrid_logo.svg if the logo is present in the DAS Docker image, or an absolute URL, e.g. https://das.example.com/logo.png. In the case of an absolute URL, make sure that the CORS settings of the nginx proxy in the Docker image allow this URL.

MAIL_DEBUG

Type: bool()

Default: False

Enable or disable debugging of mail.

MAIL_DEFAULT_SENDER

Type: email()

Default: no-reply@example.com

E-mail address of default sender.

MAIL_PASSWORD

Type: password()

Default: override_me

Password for authentication with the mail server. May be set to None if no authentication is needed.

MAIL_PORT

Type: int()

Default: 25

SMTP port of the mailserver.

MAIL_SERVER

Type: ip()

Default: 0.0.0.0

Hostname of the mailserver.

MAIL_SUPPRESS_SEND

Type: bool()

Default: False

MAIL_USERNAME

Type: str()

Default: override_me

Username for authentication with the mail server. May be set to None if no authentication is needed.

PERMANENT_SESSION_LIFETIME

Type: int()

Default: 3600

The cookie’s expiration will be set this number of seconds in the future.

PORT

Type: int()

Default: 5000

IP port the server binds to.

ROOT_URL

Type: url()

Default: https://example.com/api/v1

The root URL for the application.

SECRET_KEY

Type: password()

Default: override_me

The secret key that is used to authenticate requests to the UI.

Type: bool()

Default: True

Browsers will not allow JavaScript access to cookies marked as “HTTP only” for security.

Type: str()

Default: session

The name of the session cookie.

Type: path()

Default: /

The path that the session cookie will be valid for.

Type: bool()

Default: True

Browsers will only send cookies with requests over HTTPS if the cookie is marked “secure”.

SESSION_COPY_PROTECTION

Type: bool()

Default: True

Enable or disable session protection.

SESSION_FILE_DIR

Type: path()

Default: /tmp/flask_session

The directory where session files are stored.

SESSION_TYPE

Type: enum('null', 'filesystem', 'sqlalchemy')

Default: filesystem

Specifies which type of session interface to use.

SQLALCHEMY_ENGINE_OPTIONS

Type: map()

Default: {'pool_pre_ping': True, 'pool_size': 1}

A dictionary that can contain options for the model database engine, most notably to change the connection pool characteristics.

SQLALCHEMY_TRACK_MODIFICATIONS

Type: bool()

Default: False

If set to True, Flask-SQLAlchemy will track modifications of objects and emit signals.

SSL_ENABLED

Type: bool()

Default: False

Enable or disable SSL. There is an NGINX instance in front of this application that handles SSL, so this should be set to false.

UI_URL

Type: url()

Default: https://example.com/ui

The URL for the UI.

WORKERS

Type: int()

Default: 2

The number of worker processes that will be forked to handle incoming requests. Setting this is optional, but may be required in environments where the default value of 2 is not sufficient.
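
A pre-deployment check over the settings above, as an added example that is not part of the DAS code base. It flags secrets still at the override_me default (only for features that are switched on), a JWT_SECRET_KEY too short for the chosen HMAC algorithm, and a few risky values. It assumes the settings have already been parsed into a Python dict with typed values; audit_config, the finding texts and the sample values are hypothetical.

```python
PLACEHOLDER = "override_me"  # default the reference lists for values you must set
ALWAYS_REQUIRED = ("DB_PASSWORD", "JWT_SECRET_KEY", "SECRET_KEY")
# Secrets that only matter once the matching feature switch is on.
GATED = {"AD_ENABLED": ("AD_PASSWORD",), "DUO_ENABLED": ("DUO_IKEY", "DUO_SKEY")}
# RFC 7518 section 3.2: an HMAC key must be at least as long as the hash output.
HMAC_MIN_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}


def audit_config(cfg):
    """Return sorted (setting, finding) tuples for a dict of DAS settings."""
    findings = []
    required = list(ALWAYS_REQUIRED)
    for switch, names in GATED.items():
        if cfg.get(switch, False):
            required.extend(names)
    for name in required:
        if cfg.get(name, PLACEHOLDER) in (PLACEHOLDER, "", None):
            findings.append((name, "still at placeholder or empty"))

    alg = cfg.get("JWT_ALGORITHM", "HS512")
    key = cfg.get("JWT_SECRET_KEY") or ""
    floor = HMAC_MIN_BYTES.get(alg)
    if alg.lower() == "none":
        findings.append(("JWT_ALGORITHM", "tokens would be unsigned"))
    elif floor and key and key != PLACEHOLDER and len(key.encode()) < floor:
        findings.append(("JWT_SECRET_KEY", f"under {floor} bytes for {alg}"))

    if cfg.get("JWT_TOKEN_LOCATION", "headers") == "query_string":
        findings.append(("JWT_TOKEN_LOCATION", "tokens in URLs end up in logs"))
    if not cfg.get("AZURE_VERIFY_ID_TOKEN", True):
        findings.append(("AZURE_VERIFY_ID_TOKEN", "id_token signature unchecked"))
    if cfg.get("AD_ENABLED") and str(cfg.get("AD_URL", "")).startswith("ldap://"):
        findings.append(("AD_URL", "no TLS unless StartTLS is negotiated"))
    return sorted(findings)


# Constructed sample values, not taken from any real deployment.
SAMPLE = {
    "DB_PASSWORD": "override_me", "SECRET_KEY": "k" * 64,
    "JWT_SECRET_KEY": "short-secret", "JWT_ALGORITHM": "HS512",
    "JWT_TOKEN_LOCATION": "query_string", "AZURE_VERIFY_ID_TOKEN": False,
    "AD_ENABLED": True, "AD_PASSWORD": "constructed-ad-pw",
    "AD_URL": "ldap://ad:389", "DUO_ENABLED": False, "DUO_SKEY": "override_me",
}

if __name__ == "__main__":
    for setting, finding in audit_config(SAMPLE):
        print(f"{setting}: {finding}")
```

DUO_SKEY is not reported for the sample because DUO_ENABLED is False; an empty dict, which stands for the documented defaults, reports the three always-required secrets.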