Hello Django devs,

I would like to see if Django can support setting the SECRET_KEY and database creds as callables. Let me explain my situation.

Here at Amazon, we use a system to store and fetch secrets such as a Django SECRET_KEY and database creds. There's a Python component to this system which works something like this.

SECRET_KEY = get_creds(secret_key_id, type='privatekey')
. . .
DATABASES = {
    'default': {
        . . .
        'USER': get_creds(database_creds_id, type='username'),
        'PASSWORD': get_creds(database_creds_id, type='password'),
    },
    . . .
}

Secrets are rotated on a regular schedule or as needed. Often the secrets are rotated without advance notice, and therefore our various Django-powered sites go down (because they can't connect to the database) until the web servers are restarted. We would prefer it if our web services did not have to be restarted.

I was going to propose a patch which modifies the force_text and force_bytes methods in django.utils.encoding. The modifications basically involve adding an if statement.

if hasattr(s, '__call__'):
    return s()

This would support setting the SECRET_KEY and database creds as callables with no arguments. Example.

SECRET_KEY = lambda: get_creds(secret_key_id, type='privatekey')
. . .
DATABASES = {
    'default': {
        . . .
        'USER': lambda: get_creds(database_creds_id, type='username'),
        'PASSWORD': lambda: get_creds(database_creds_id, type='password'),
    },
    . . .
}

My question is, should I submit a patch or might there be some other way to address my use case? Also, I'm aware of the various examples which call for storing secrets in a separate file. We cannot store secrets on the local disk (this is partly the reason for the use of the system I explained).

--
Andres
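The lazy-settings idea above, worked through as an added example: this is not code from the original post or from Django. It keeps the proposed `if callable: call it` resolution step, and adds a cached callable so a hot path such as cookie signing does not call the secret service on every access. `SecretStore`, `rotation_demo` and `cache_demo` are constructed stand-ins for the Amazon secret system, whose real API and identifiers are not shown in the post.

```python
import threading
import time


class SecretStore:
    """Constructed stand-in for the secret-fetching service in the post.

    Secrets live in a dict and can be rotated by the caller; the real
    service, its API and its identifiers are assumptions, not the page's.
    """

    def __init__(self, initial):
        self._secrets = dict(initial)
        self.fetch_count = 0  # how many times get_creds hit the "service"

    def get_creds(self, secret_id, type):
        # Same call shape as get_creds(secret_key_id, type=...) in the post.
        self.fetch_count += 1
        return self._secrets[(secret_id, type)]

    def rotate(self, secret_id, type, new_value):
        self._secrets[(secret_id, type)] = new_value


def resolve(value):
    """The resolution step the post proposes adding to force_text/force_bytes:
    a zero-argument callable is called, anything else is passed through."""
    if callable(value):
        return value()
    return value


class CachedSecret:
    """Zero-argument callable usable as a setting value.

    Caches the fetched value for ``ttl`` seconds so every access does not hit
    the secret service, and can be invalidated explicitly (e.g. from an
    authentication-failure handler) so a rotated secret is picked up before
    the TTL runs out.  Within the TTL a rotated value is still stale.
    """

    def __init__(self, fetch, ttl=60.0, clock=time.monotonic):
        self._fetch = fetch
        self._ttl = ttl
        self._clock = clock
        self._value = None
        self._expires_at = None
        self._lock = threading.Lock()

    def __call__(self):
        now = self._clock()
        with self._lock:
            if self._expires_at is None or now >= self._expires_at:
                self._value = self._fetch()
                self._expires_at = now + self._ttl
            return self._value

    def invalidate(self):
        with self._lock:
            self._expires_at = None


def rotation_demo():
    """Eager string setting vs. callable setting across one rotation.

    Returns the values each style yields before and after the rotation.
    """
    store = SecretStore({("db-creds-1", "password"): "pw-v1"})

    # Eager style from the post: captured once, when settings are imported.
    eager_password = store.get_creds("db-creds-1", type="password")

    # Callable style from the post: fetched at each resolution.
    def lazy_password():
        return store.get_creds("db-creds-1", type="password")

    before = (resolve(eager_password), resolve(lazy_password))
    store.rotate("db-creds-1", "password", "pw-v2")  # rotation, no notice
    after = (resolve(eager_password), resolve(lazy_password))
    return {"before": before, "after": after}


def cache_demo():
    """CachedSecret under a fake clock: (service fetch count, observed values)."""
    store = SecretStore({("secret-key-1", "privatekey"): "key-v1"})
    fake_now = [0.0]
    secret_key = CachedSecret(
        lambda: store.get_creds("secret-key-1", type="privatekey"),
        ttl=60.0, clock=lambda: fake_now[0])
    v1 = resolve(secret_key)  # first access: fetch
    v2 = resolve(secret_key)  # cached: no fetch
    store.rotate("secret-key-1", "privatekey", "key-v2")
    v3 = resolve(secret_key)  # inside TTL: stale value, no fetch
    secret_key.invalidate()
    v4 = resolve(secret_key)  # forced refetch: new value
    fake_now[0] = 200.0
    v5 = resolve(secret_key)  # TTL expired: refetch
    return (store.fetch_count, [v1, v2, v3, v4, v5])
```

Two things to keep in mind when applying this to `DATABASES`: Django reads `USER`/`PASSWORD` only when it opens a new connection, so a callable there takes effect on the next connection attempt rather than on connections that are already open; and a plain lambda with no cache, as in the post, means one call to the secret service per resolution, which is why the cached variant with an explicit `invalidate()` on authentication failure is shown alongside it.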

--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
Visit this group at http://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/54C30C4D.4030302%40amazon.com.