Opened 4 years ago
Closed 4 years ago
#31890 closed New feature (wontfix)
Use keyring for setting SECRET_KEY.
| Reported by: | Thomas Grainger | Owned by: | nobody |
|---|---|---|---|
| Component: | Core (Other) | Version: | 3.1 |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
managing the django SECRET_KEY for new projects is a bit of a pain and easy to end up either committing the SECRET_KEY to source control or copying a SECRET_KEY from a blog post.
Generating and storing a secret key in the system keyring adds some complexity, but it a much more sensible default
using some code like this:
from django.core.management.utils import get_random_secret_key
import keyring
def _get(settings_module):
return keyring.get_password(settings_module, "SECRET_KEY")
def _create():
password = get_random_secret_key()
keyring.set_password(settings_module, "SECRET_KEY", password)
return password
def get_or_create(settings_module):
return _get(settings_module) or _create(settings_module)
it can be used explicitly in a settings module like:
SECRET_KEY = get_or_create(__name__)
or in the LazySettings like this
elif name == 'SECRET_KEY' and not val:
return get_or_create(self._wrapped.SETTINGS_MODULE)
# raise ImproperlyConfigured("The SECRET_KEY setting must not be empty.")
while this is mostly useful in development, it's also useful in production where you can plug a credential provider into keyring such as https://github.com/FindHotel/s3keyring
Change History (3)
comment:1 by , 4 years ago
comment:2 by , 4 years ago
The keyring module you refer to is: https://pypi.org/project/keyring/
I've not worked on any projects using the system keyring like this. It looks neat but I think some evidence of use in the Django ecosystem via a third party package would be warranted before merging to core.
comment:3 by , 4 years ago
| Component: | Uncategorized → Core (Other) |
|---|---|
| Resolution: | → wontfix |
| Status: | new → closed |
| Summary: | if SECRET_KEY is not set and "keyring" is installed, use "keyring" to get_or_create a secret key → Use keyring for setting SECRET_KEY. |
| Type: | Uncategorized → New feature |
Thanks for this ticket, however there are many possible solutions and I don't think that we should include a few lines hook to recommend any of them. You can start a discussion on DevelopersMailingList if you don't agree.
I've also never used keyring, but that's only a comment, not an argument for closing this ticket.
Other options include raising:
raise ImproperlyConfigured( "The SECRET_KEY setting must not be empty, " "and a system keyring SECRET_KEY could not be found, set one with: " "manage.py setsecretkey" )if
get_passworddoesn't work and using a management commandsetsecretkeyto runkeyring.set_password, as this would sidestep any concurrency issues and be less surprising than silently working in most cases and then failing when deploying to machines without a system keyring.