3. Settings
3.1. General settings
- ROOT_URL: The root URL for the application, e.g. https://das.example.com/api/v1.
- UI_URL: The URL for the UI, e.g. https://das.example.com/api/v1/ui.
- CONTACT_EMAIL: Support email address for e.g. users having trouble logging in.
- LOGO_UI: Location of the logo image for the UI. May be a relative path, e.g. /static/images/mgrid_logo.svg if the logo is present in the DAS Docker image, or an absolute URL, e.g. https://das.example.com/logo.png. In the case of an absolute URL, make sure that the CORS settings of the nginx proxy in the Docker image allow this URL.
- LOGO_EMAIL: Location of the logo image for emails that are sent out, e.g. https://das.example.com/logo.png. Depending on the mail client that receives the email message, this may show as the actual logo, a broken image or not show up at all. If set to None, the logo will not be included in email messages.
3.2. Concurrency settings
- WORKERS: The number of worker processes that will be forked to handle incoming requests. Setting this is optional, but may be required in environments where the default value of 2 is not sufficient.
- SQLALCHEMY_ENGINE_OPTIONS: A dictionary that can contain options for the model database engine, most notably to change the connection pool characteristics.
  - pool_size: The size of the connection pool that each worker process holds towards the model database. Default is 1.
  - pool_timeout: The number of seconds to wait for a connection before giving up. Defaults to 30.
  - pool_recycle: The number of seconds, counted from when a connection was last used, during which it may be reused. Defaults to -1, which indicates off.
  - pool_pre_ping: Boolean to indicate that a pooled connection needs to be checked before actual use. Default is True.
  Example configuration fragment:
    SQLALCHEMY_ENGINE_OPTIONS = {
        'pool_size': 2,
        'pool_recycle': 120,
        'pool_pre_ping': True,
    }
3.3. Security settings
- SECRET_KEY: The secret key that is used to authenticate requests to the UI, e.g. secret.
- JWT_SECRET_KEY: The JWT secret key that is used to authenticate requests to the management API, e.g. jwt_secret.
- AD_URL: A URL of the form ‘ldap://ad:389’ that describes the location of the Active Directory. Note that the queries use Active Directory specific conventions, so a plain LDAP server will not suffice.
- AD_USER: AD administrator account. This account is used to retrieve user information after login, when the user's password is no longer in context and available.
- AD_PASSWORD: AD administrator password.
- AD_BASE_DN: A base DN of the form ‘dc=mgrid,dc=net’ that is used as the root for all queries.
- AD_USER_DOMAIN: A user domain that is added to all user names when they authenticate without a backslash or at sign in the username. Typical example: MGRID\
- AZURE_CLIENT_ID: Identifier for the Azure client.
- AZURE_CLIENT_SECRET: Secret for the Azure client.
- AZURE_USER_AUTH_URL: The URL for user authentication. This is where the user will be redirected to for logging in, e.g. https://mgrid.b2clogin.com/mgrid.onmicrosoft.com/B2C_1_signuplogin/oauth2/v2.0/authorize
- AZURE_REDIRECT_URI: The URI where the user is redirected to when the login was successful. Typical value is https://das/api/v1/auth/azure
- AZURE_GRAPH_AUTH_URL: The URL where DAS asks for an access_token to be able to fetch data from the Graph API, e.g. https://login.microsoftonline.com/mgrid.onmicrosoft.com
- AZURE_GRAPH_API_URL: The URL of the Graph API, e.g. https://graph.microsoft.com
- AZURE_GRAPH_QUERY_URL: The URL for asking group membership of a specific user, e.g. https://graph.microsoft.com/v1.0/myorganization/users/{user_id}/memberOf?$select=displayName. Ensure there is a {user_id} part, which will be substituted with the actual user id.
- AZURE_VERIFY_ID_TOKEN: Whether to verify the id_token received from the Azure login page. Default value is True.
- AZURE_KEYS_URL: The URL for fetching the public key the id_token is signed with, e.g. https://mgrid.b2clogin.com/mgrid.onmicrosoft.com/discovery/v2.0/keys?p=B2C_1_signuplogin. This value only needs to be set when AZURE_VERIFY_ID_TOKEN is true.
- AZURE_LOGOUT_URI: The URI where the user is redirected to when logout is clicked. Typical value is https://mgrid.b2clogin.com/mgrid.onmicrosoft.com/B2C_1_signuplogin/oauth2/v2.0/logout
- DUO_ENABLED: Boolean; set to True to enable, False to disable.
- DUO_IKEY: One of the keys needed to interact with the DUO servers.
- DUO_SKEY: One of the keys needed to interact with the DUO servers.
- DUO_APIHOSTNAME: Hostname of the DUO server to interact with, e.g. api-ffffffff.duosecurity.com.
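A pre-deployment check for the security settings above, as an added example that is not part of DAS or its documentation: it flags the placeholder values this page uses as examples, an unverified id_token, a missing AZURE_KEYS_URL or {user_id} part, and incomplete DUO keys. The function names, the 32-character minimum, the https requirement and the sample dictionaries are assumptions of this example.

```python
import secrets

# Illustrative values (including this page's own examples); never valid in production.
PLACEHOLDERS = {"secret", "jwt_secret", "changeme", "password"}
MIN_SECRET_LEN = 32  # assumed local policy, not a documented DAS requirement


def new_secret():
    """Random value for SECRET_KEY or JWT_SECRET_KEY (48 bytes, 64 characters)."""
    return secrets.token_urlsafe(48)


def audit_security_settings(cfg):
    """Return a list of findings for a dict of DAS security settings."""
    findings = []
    for name in ("SECRET_KEY", "JWT_SECRET_KEY"):
        value = cfg.get(name) or ""
        if not value or value.lower() in PLACEHOLDERS:
            findings.append(f"{name}: empty or placeholder value")
        elif len(value) < MIN_SECRET_LEN:
            findings.append(f"{name}: shorter than {MIN_SECRET_LEN} characters")
    if cfg.get("SECRET_KEY") and cfg.get("SECRET_KEY") == cfg.get("JWT_SECRET_KEY"):
        findings.append("SECRET_KEY and JWT_SECRET_KEY share one value")
    if cfg.get("AZURE_CLIENT_ID"):  # Azure login is configured
        # The page gives True as the default for AZURE_VERIFY_ID_TOKEN.
        if cfg.get("AZURE_VERIFY_ID_TOKEN", True) is not True:
            findings.append("AZURE_VERIFY_ID_TOKEN: id_token is not verified")
        elif not (cfg.get("AZURE_KEYS_URL") or "").startswith("https://"):
            # Requiring https here is an added policy of this example.
            findings.append("AZURE_KEYS_URL: https URL required for verification")
        if "{user_id}" not in (cfg.get("AZURE_GRAPH_QUERY_URL") or ""):
            findings.append("AZURE_GRAPH_QUERY_URL: no {user_id} part")
    if cfg.get("DUO_ENABLED") is True:
        for name in ("DUO_IKEY", "DUO_SKEY", "DUO_APIHOSTNAME"):
            if not cfg.get(name):
                findings.append(f"{name}: required when DUO_ENABLED is True")
    return findings


# Constructed sample settings, not taken from a real deployment.
WEAK = {"SECRET_KEY": "secret", "JWT_SECRET_KEY": "jwt_secret",
        "AZURE_CLIENT_ID": "constructed-client-id", "AZURE_VERIFY_ID_TOKEN": False,
        "AZURE_GRAPH_QUERY_URL": "https://graph.example.com/users/memberOf",
        "DUO_ENABLED": True, "DUO_IKEY": "constructed-ikey"}
HARDENED = dict(WEAK, SECRET_KEY=new_secret(), JWT_SECRET_KEY=new_secret(),
                AZURE_VERIFY_ID_TOKEN=True, DUO_SKEY="constructed-skey",
                DUO_APIHOSTNAME="api-ffffffff.duosecurity.com",
                AZURE_KEYS_URL="https://idp.example.com/discovery/v2.0/keys",
                AZURE_GRAPH_QUERY_URL="https://graph.example.com/users/{user_id}/memberOf")
```

Run audit_security_settings on the loaded configuration in a deployment pipeline and fail the rollout when the returned list is not empty.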
3.4. Database settings
- DB_HOST: The hostname of the application model database, e.g. postgres.
- DB_PORT: The port number of the application model database, e.g. 5432.
- DB_USER: The username for the application model database, e.g. das.
- DB_PASSWORD: The password for the application model database, e.g. secret.
- DB_NAME: The name of the application model database, e.g. das.
- SQLALCHEMY_DATABASE_URI: The URL of the application model database, e.g. postgresql://das:secret@postgres:5432/das. In the default configuration file, this is built up by the DB_* settings.
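One way to build SQLALCHEMY_DATABASE_URI from the DB_* settings so that a password containing @, / or : does not change how the URL is parsed. This is an added example, not the DAS default configuration file; the function names and the sample password are made up here.

```python
from urllib.parse import quote, unquote, urlsplit


def build_database_uri(cfg):
    """Assemble the URI from DB_* settings with percent-encoded credentials."""
    user = quote(cfg["DB_USER"], safe="")
    password = quote(cfg["DB_PASSWORD"], safe="")
    return (f"postgresql://{user}:{password}@{cfg['DB_HOST']}:"
            f"{cfg['DB_PORT']}/{cfg['DB_NAME']}")


def naive_database_uri(cfg):
    """Plain string formatting, kept only to show the failure mode."""
    return ("postgresql://{DB_USER}:{DB_PASSWORD}@{DB_HOST}:{DB_PORT}/{DB_NAME}"
            .format(**cfg))


def parsed_host(uri):
    """Host a URL parser extracts from the URI, i.e. where a client would connect."""
    return urlsplit(uri).hostname


def parsed_password(uri):
    """Password recovered from the URI after percent-decoding."""
    return unquote(urlsplit(uri).password or "")


# Constructed sample settings; the password is invented for this example.
SAMPLE = {"DB_HOST": "postgres", "DB_PORT": 5432, "DB_USER": "das",
          "DB_PASSWORD": "p@ss/w:rd", "DB_NAME": "das"}

if __name__ == "__main__":
    for uri in (naive_database_uri(SAMPLE), build_database_uri(SAMPLE)):
        print(uri, "-> host:", parsed_host(uri))
```

With the naive form, part of the password is read as the host name, so the credential fragment ends up in DNS lookups and connection error messages.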
3.5. Audit settings
- AUDIT_ENABLED: Enable or disable audit logging to a central FluentD server, e.g. True.
- AUDIT_SERVER: Hostname of the central FluentD server, e.g. fluent.
- AUDIT_PORT: Optional. Port number of the central FluentD server, default is 24224.
- AUDIT_TAG: Optional. Tag used for all logs sent to the central FluentD server, default is audit.
- AUDIT_LABEL: Optional. Label used for all logs sent to the central FluentD server, default is log.
- AUDIT_APPLICATION_CODE: Optional. Name of the application, default is das.
- AUDIT_APPLICATION_INSTANCE: Optional. Instance name of the application, default is default.
- AUDIT_APPLICATION_IP: Optional. IP address of the application instance, default is 127.0.0.1.
3.6. Mail settings
- MAIL_SERVER: Hostname of the mailserver, e.g. mail.example.com.
- MAIL_PORT: SMTP port of the mailserver, e.g. 25.
- MAIL_USERNAME: Username for authentication with the mail server. May be set to None if no authentication is needed.
- MAIL_PASSWORD: Password for authentication with the mail server. May be set to None if no authentication is needed.