3. Settings

3.1. General settings

ROOT_URL

The root URL for the application, e.g. https://das.example.com/api/v1.

UI_URL

The URL for the UI, e.g. https://das.example.com/api/v1/ui.

CONTACT_EMAIL

Support email address, e.g. for users having trouble logging in.

LOGO_UI

Location of the logo image for the UI. May be a relative path, e.g. /static/images/mgrid_logo.svg if the logo is present in the DAS Docker image, or an absolute URL, e.g. https://das.example.com/logo.png. In the case of an absolute URL, make sure that the CORS settings of the nginx proxy in the Docker image allow this URL.

LOGO_EMAIL

Location of the logo image for emails that are sent out, e.g. https://das.example.com/logo.png. Depending on the mail client that receives the email message, this may show as the actual logo, a broken image or not show up at all. If set to None, the logo will not be included in email messages.

3.2. Concurrency settings

WORKERS

The number of worker processes that will be forked to handle incoming requests. Setting this is optional, but may be required in environments where the default value of 2 is not sufficient.

SQLALCHEMY_ENGINE_OPTIONS

A dictionary that can contain options for the model database engine, most notably to change the connection pool characteristics.

  • pool_size: The size of the connection pool that is held per worker process towards the model database. Default is 1.

  • pool_timeout: The number of seconds to wait before giving up on returning a connection. Defaults to 30.

  • pool_recycle: The number of seconds between which to allow connection reuse, since it was used last. Defaults to -1, which indicates off.

  • pool_pre_ping: Boolean to indicate that a pooled connection needs to be checked before actual use. Default is True.

Example configuration fragment:

SQLALCHEMY_ENGINE_OPTIONS = {
    'pool_size': 2,
    'pool_recycle': 120,
    'pool_pre_ping': True,
}

3.3. Security settings

SECRET_KEY

The secret key that is used to authenticate requests to the UI, e.g. secret.

JWT_SECRET_KEY

The JWT secret key that is used to authenticate requests to the management API, e.g. jwt_secret.

AD_URL

A URL of the form ‘ldap://ad:389’ that describes the location of the Active Directory. Note that the queries use Active Directory-specific conventions, so a generic LDAP server will not suffice.

AD_USER

AD administrator account. This account is used to retrieve user information after login, when the user's password is no longer available in context.

AD_PASSWORD

AD administrator password.

AD_BASE_DN

A base DN of the form ‘dc=mgrid,dc=net’ that is used as the root for all queries.

AD_USER_DOMAIN

A user domain that is added to any user name that is entered without a backslash or at sign when the user authenticates. Typical example: MGRID\

AZURE_CLIENT_ID

Identifier for the Azure client.

AZURE_CLIENT_SECRET

Secret for the Azure client.

AZURE_USER_AUTH_URL

The URL for user authentication. This is where the user is redirected to log in, e.g. https://mgrid.b2clogin.com/mgrid.onmicrosoft.com/B2C_1_signuplogin/oauth2/v2.0/authorize

AZURE_REDIRECT_URI

The URI to which the user is redirected after a successful login. Typical value is https://das/api/v1/auth/azure

AZURE_GRAPH_AUTH_URL

The URL where DAS requests an access_token to be able to fetch data from the Graph API, e.g. https://login.microsoftonline.com/mgrid.onmicrosoft.com

AZURE_GRAPH_API_URL

The URL of the Graph API, e.g. https://graph.microsoft.com

AZURE_GRAPH_QUERY_URL

The URL for querying the group membership of a specific user, e.g. https://graph.microsoft.com/v1.0/myorganization/users/{user_id}/memberOf?$select=displayName. Ensure the URL contains a {user_id} part, which is substituted with the actual user id.

AZURE_VERIFY_ID_TOKEN

Whether to verify the id_token received from the Azure login page. Default value is True.

AZURE_KEYS_URL

The URL for fetching the public key the id_token is signed with, e.g. https://mgrid.b2clogin.com/mgrid.onmicrosoft.com/discovery/v2.0/keys?p=B2C_1_signuplogin. This value only needs to be set when AZURE_VERIFY_ID_TOKEN is true.

AZURE_LOGOUT_URI

The URI to which the user is redirected when logout is clicked. Typical value is https://mgrid.b2clogin.com/mgrid.onmicrosoft.com/B2C_1_signuplogin/oauth2/v2.0/logout

DUO_ENABLED

Boolean; set to True to enable, False to disable.

DUO_IKEY

One of the keys needed to interact with the DUO servers.

DUO_SKEY

One of the keys needed to interact with the DUO servers.

DUO_APIHOSTNAME

Hostname of the DUO server to interact with, e.g. api-ffffffff.duosecurity.com.
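
The following pre-deployment check for the security settings above is an added example, not part of DAS. The function name audit_config, the 32-character minimum and the ldap:// transport check are assumptions of this example; the setting names, defaults and sample values come from this section.

```python
from urllib.parse import urlsplit

DOC_PLACEHOLDERS = {"secret", "jwt_secret"}  # sample values from this reference
MIN_SECRET_LEN = 32  # assumed policy floor, not a documented DAS requirement


def audit_config(cfg):
    """Return findings for a dict of DAS settings (names as documented above)."""
    findings = []
    for name in ("SECRET_KEY", "JWT_SECRET_KEY", "DB_PASSWORD"):
        value = cfg.get(name)
        if value in DOC_PLACEHOLDERS:
            findings.append(f"{name}: documentation sample value in use")
        elif value and name != "DB_PASSWORD" and len(value) < MIN_SECRET_LEN:
            findings.append(f"{name}: shorter than {MIN_SECRET_LEN} characters")
    if cfg.get("SECRET_KEY") and cfg["SECRET_KEY"] == cfg.get("JWT_SECRET_KEY"):
        findings.append("JWT_SECRET_KEY: identical to SECRET_KEY")
    # Plain ldap:// sends the AD_USER/AD_PASSWORD bind in cleartext unless
    # StartTLS is negotiated; flag it so the transport gets reviewed.
    if urlsplit(cfg.get("AD_URL") or "").scheme == "ldap":
        findings.append("AD_URL: ldap:// scheme, review transport encryption")
    if cfg.get("AZURE_CLIENT_ID"):
        if not cfg.get("AZURE_VERIFY_ID_TOKEN", True):  # documented default: True
            findings.append("AZURE_VERIFY_ID_TOKEN: id_token is not verified")
        elif not cfg.get("AZURE_KEYS_URL"):
            findings.append("AZURE_KEYS_URL: required when id_token is verified")
        if "{user_id}" not in (cfg.get("AZURE_GRAPH_QUERY_URL") or ""):
            findings.append("AZURE_GRAPH_QUERY_URL: missing {user_id} part")
    if cfg.get("DUO_ENABLED"):
        for name in ("DUO_IKEY", "DUO_SKEY", "DUO_APIHOSTNAME"):
            if not cfg.get(name):
                findings.append(f"{name}: empty while DUO_ENABLED is True")
    return findings


# Constructed sample configuration, not taken from a real deployment.
SAMPLE = {
    "SECRET_KEY": "secret",
    "JWT_SECRET_KEY": "jwt_secret",
    "AD_URL": "ldap://ad:389",
    "AZURE_CLIENT_ID": "00000000-0000-0000-0000-000000000000",
    "AZURE_VERIFY_ID_TOKEN": False,
    "AZURE_GRAPH_QUERY_URL": "https://graph.microsoft.com/v1.0/myorganization/users/{user_id}/memberOf",
    "DUO_ENABLED": True,
    "DUO_IKEY": "constructed-ikey",
}

if __name__ == "__main__":
    print("\n".join(audit_config(SAMPLE)))
```

Run it against the loaded settings before starting the container and treat a non-empty result as a failed deployment check.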

3.4. Database settings

DB_HOST

The hostname of the application model database, e.g. postgres.

DB_PORT

The port number of the application model database, e.g. 5432.

DB_USER

The username for the application model database, e.g. das.

DB_PASSWORD

The password for the application model database, e.g. secret.

DB_NAME

The name of the application model database, e.g. das.

SQLALCHEMY_DATABASE_URI

The URL of the application model database, e.g. postgresql://das:secret@postgres:5432/das. In the default configuration file, this is built from the DB_* settings.
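
One way to assemble this URL from the DB_* settings so that a password containing URL delimiters cannot shift the host part, with a redacted form for log output. This is an added example, not the DAS default configuration file; the function names and the sample password are constructed for illustration.

```python
from urllib.parse import quote, urlsplit


def build_database_uri(user, password, host, port, name):
    """Assemble SQLALCHEMY_DATABASE_URI from the DB_* settings.

    User, password and database name are percent-encoded so characters such
    as '@', ':' and '/' cannot change which part of the URL is the host.
    """
    return (
        f"postgresql://{quote(user, safe='')}:{quote(password, safe='')}"
        f"@{host}:{int(port)}/{quote(name, safe='')}"
    )


def redact_database_uri(uri):
    """Return the URI with the password replaced, for logs and error pages."""
    parts = urlsplit(uri)
    if parts.password is None:
        return uri
    userinfo, _, hostinfo = parts.netloc.rpartition("@")
    user = userinfo.split(":", 1)[0]
    return parts._replace(netloc=f"{user}:***@{hostinfo}").geturl()


def parsed_host(uri):
    """Host name a URL parser extracts from the URI."""
    return urlsplit(uri).hostname


# Constructed values; the password deliberately contains URL delimiters.
DB_USER, DB_PASSWORD = "das", "p@ss/w:rd"
DB_HOST, DB_PORT, DB_NAME = "postgres", 5432, "das"

# Plain string formatting: the '@' and '/' in the password split the URL early.
NAIVE_URI = f"postgresql://{DB_USER}:{DB_PASSWORD}@{DB_HOST}:{DB_PORT}/{DB_NAME}"
SAFE_URI = build_database_uri(DB_USER, DB_PASSWORD, DB_HOST, DB_PORT, DB_NAME)

if __name__ == "__main__":
    print(parsed_host(NAIVE_URI))  # wrong host taken from inside the password
    print(parsed_host(SAFE_URI))
    print(redact_database_uri(SAFE_URI))
```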

3.5. Audit settings

AUDIT_ENABLED

Enable or disable audit logging to a central FluentD server, e.g. True.

AUDIT_SERVER

Hostname of the central FluentD server, e.g. fluent.

AUDIT_PORT

Optional. Port number of the central FluentD server, default is 24224.

AUDIT_TAG

Optional. Tag used for all logs sent to the central FluentD server, default is audit.

AUDIT_LABEL

Optional. Label used for all logs sent to the central FluentD server, default is log.

AUDIT_APPLICATION_CODE

Optional. Name of the application, default is das.

AUDIT_APPLICATION_INSTANCE

Optional. Instance name of the application, default is default.

AUDIT_APPLICATION_IP

Optional. IP address of the application instance, default is 127.0.0.1.

3.6. Mail settings

MAIL_SERVER

Hostname of the mailserver, e.g. mail.example.com.

MAIL_PORT

SMTP port of the mailserver, e.g. 25.

MAIL_USERNAME

Username for authentication with the mail server. May be set to None if no authentication is needed.

MAIL_PASSWORD

Password for authentication with the mail server. May be set to None if no authentication is needed.