On 3/04/2018 8:49 AM, Mike Dewhirst wrote:
On 2/04/2018 7:59 PM, Cictani wrote:
Hi,

You could rename your dev settings file to for example 'settings_dev.py' and only commit this file (add settings.py to .gitignore).

I wrote a tiny utility to read a file and retrieve credentials for any purpose but especially for keeping database credentials out of the repository.

It means I have to store the credentials files (separate file for each eg database, email etc) in a place accessible to the web server but out of the doc root.

The settings file only contains calls to the utility like this ...

# production.py
from .base import *

SITE_ID = 1  # prd

ALLOWED_HOSTS += ['redacted',]

# Databases  # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
dbdefault = getcreds(fname='db.host', project="{0}-prd".format(PROJECT))
DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql_psycopg2',
        'NAME': PROJECT,
        'USER': dbdefault[0],
        'PASSWORD': dbdefault[1],
        'HOST': dbdefault[2],
        'PORT': dbdefault[3],
    }
}

email_creds = getcreds(fname='smtp.host', project="{0}-prd".format(PROJECT))
EMAIL_HOST = email_creds[0]
EMAIL_PORT = email_creds[1]
EMAIL_HOST_USER = email_creds[2]
EMAIL_HOST_PASSWORD = email_creds[3]
DEFAULT_FROM_EMAIL = email_creds[4]
#EMAIL_USE_TLS = True
EMAIL_BACKEND = 'django.core.mail.backends.smtp.EmailBackend'
DEFAULT_CHARSET = 'utf-8'


And for local testing ...

# mike-test.py
from .local import *

SITE_ID = 3
DEBUG = True
SESSION_COOKIE_SECURE = False
CSRF_COOKIE_SECURE = False
SECURE_BROWSER_XSS_FILTER = False
SECURE_SSL_REDIRECT = False

TEMPLATES[0]['OPTIONS']['debug'] = DEBUG
TEST_RUNNER = 'django.test.runner.DiscoverRunner'

INSTALLED_APPS = DEFAULT_APPS + THIRD_PARTY_APPS + LOCAL_APPS

# # # # # # # # # # IN-MEMORY TEST DATABASE
dbdefault = getcreds(fname='db.host', project="{0}-local".format(PROJECT))

Just realised I don't need to make that call for the in-memory database. I should have posted the local.py settings which uses a local postgres database. But you get the idea. Apologies for wasting space on the list.

M.


DATABASES = {
    'default': {
        "ENGINE": "django.db.backends.sqlite3",
        "NAME": ":memory:",
        "USER": "",
        "PASSWORD": "",
        "HOST": "",
        "PORT": "",
    }
}

EMAIL_BACKEND = 'django.core.mail.backends.locmem.EmailBackend'


And here is the utility ...

# getcreds.py
from __future__ import unicode_literals, absolute_import, division

import os


def getcreds(fname, project, credsroot='/var/www/creds', credsdir=None):
    """ return a list of userid and password and perhaps other data """
    if credsdir is None:
        credsdir = os.path.join(credsroot, project)
    creds = list()
    fname = os.path.join(credsdir, fname).replace("\\", "/")
    with open(fname, 'r') as f:
        for line in f:
            # remove leading/trailing whitespace and append to list
            creds.append(line.strip())
    assert creds, "The list of credentials is empty"
    return creds

On your Linux Server you could create a new directory in /etc like:

/etc/django

/etc/django/app1
/etc/django/app2
...

There you store your production 'settings.py'

In your app directory you can create a symbolic link to these files:

ln -s /etc/django/app1/settings.py /path/to/app1/app1/

You have to make sure the directory in /etc is readable by www-data or whatever user you run your webserver with:

Now you can change the settings in the /etc directory and the settings are quite secure since only root will be able to change them by default. And you now do it the Linux way by storing all settings in /etc

Since you added settings.py to .gitignore it won't get overwritten. You should make backups of your whole /etc directory anyways so your django settings also get saved.

--
You received this message because you are subscribed to the Google Groups "Django users" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscr...@googlegroups.com <mailto:django-users+unsubscr...@googlegroups.com>. To post to this group, send email to django-users@googlegroups.com <mailto:django-users@googlegroups.com>.
Visit this group at https://groups.google.com/group/django-users.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/8f3d6ebb-9db1-455e-99e3-d337490ffab5%40googlegroups.com <https://groups.google.com/d/msgid/django-users/8f3d6ebb-9db1-455e-99e3-d337490ffab5%40googlegroups.com?utm_medium=email&utm_source=footer>.
For more options, visit https://groups.google.com/d/optout.
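
Added example (not part of the original thread and not Mike Dewhirst's getcreds utility): a variant of the credentials-file loader that enforces the file-permission and location requirements both messages describe before trusting the file. The names load_creds, CredsError and demo, the sample values, and the policy "no group write, no world read or write" (so root:www-data 0640 passes) are assumptions made for the illustration.

```python
import os
import stat
import tempfile


class CredsError(Exception):
    """A credentials file is missing, empty or unsafe to trust."""


def load_creds(fname, project, credsroot="/var/www/creds"):
    """Return the stripped lines of credsroot/project/fname after safety checks."""
    root = os.path.realpath(credsroot)
    path = os.path.realpath(os.path.join(root, project, fname))
    # Refuse names that resolve outside the root ("../" segments, symlinks).
    if os.path.commonpath([root, path]) != root:
        raise CredsError("path escapes credentials root")
    try:
        f = open(path, "r")
    except OSError as exc:
        raise CredsError("cannot open credentials file: %s" % exc)
    with f:
        mode = os.fstat(f.fileno()).st_mode  # inspect the file actually opened
        if not stat.S_ISREG(mode):
            raise CredsError("not a regular file")
        # Group read (e.g. root:www-data 0640) is fine; anything looser is not.
        if mode & (stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH):
            raise CredsError("mode %o is too permissive" % stat.S_IMODE(mode))
        creds = [line.strip() for line in f]
    # A real exception, because assert statements vanish under python -O.
    if not any(creds):
        raise CredsError("credentials file is empty")
    return creds


def demo():
    """Exercise load_creds against a constructed file in a temp directory."""
    def outcome(*args, **kw):
        try:
            return load_creds(*args, **kw)
        except CredsError as exc:
            return "rejected: %s" % exc
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "demo-prd"))
        path = os.path.join(root, "demo-prd", "db.host")
        with open(path, "w") as f:  # constructed sample values, not real ones
            f.write("dbuser\nnot-a-real-password\nlocalhost\n5432\n")
        os.chmod(path, 0o640)
        ok = outcome("db.host", "demo-prd", credsroot=root)
        os.chmod(path, 0o644)  # world-readable: must be refused
        loose = outcome("db.host", "demo-prd", credsroot=root)
        escape = outcome("../../outside.txt", "demo-prd", credsroot=root)
    return ok, loose, escape
```

The checks read mode bits from the already-open file descriptor, so a file swapped between the check and the read is not trusted by mistake.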

