[Django] #31890: if SECRET_KEY is not set and "keyring" is installed, use "keyring" to get_or_create a secret key


Django

Aug 15, 2020, 6:26:47 AM
to django-...@googlegroups.com
#31890: if SECRET_KEY is not set and "keyring" is installed, use "keyring" to
get_or_create a secret key
-------------------------------------------+------------------------
Reporter: Thomas Grainger | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 3.1
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-------------------------------------------+------------------------
Managing the Django SECRET_KEY for new projects is a bit of a pain, and it is
easy to end up either committing the SECRET_KEY to source control or
copying a SECRET_KEY from a blog post.

Generating and storing a secret key in the system keyring adds some
complexity, but it is a much more sensible default.

Using some code like this:

{{{
from django.core.management.utils import get_random_secret_key

import keyring


def _get(settings_module):
    # Look up the stored key; returns None when no entry exists.
    return keyring.get_password(settings_module, "SECRET_KEY")


def _create(settings_module):
    # Generate a fresh key and persist it under the settings module's name.
    password = get_random_secret_key()
    keyring.set_password(settings_module, "SECRET_KEY", password)
    return password


def get_or_create(settings_module):
    return _get(settings_module) or _create(settings_module)
}}}


It can be used explicitly in a settings module like:


{{{
SECRET_KEY = get_or_create(__name__)
}}}


Or in the LazySettings like this:

{{{
elif name == 'SECRET_KEY' and not val:
    return get_or_create(self._wrapped.SETTINGS_MODULE)
    # raise ImproperlyConfigured("The SECRET_KEY setting must not be empty.")
}}}


While this is mostly useful in development, it's also useful in production,
where you can plug a credential provider into keyring such as
https://github.com/FindHotel/s3keyring

--
Ticket URL: <https://code.djangoproject.com/ticket/31890>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Aug 15, 2020, 6:38:03 AM
to django-...@googlegroups.com
#31890: if SECRET_KEY is not set and "keyring" is installed, use "keyring" to
get_or_create a secret key
---------------------------------+--------------------------------------

Reporter: Thomas Grainger | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 3.1
Severity: Normal | Resolution:

Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+--------------------------------------

Comment (by Thomas Grainger):

Other options include raising:

{{{
raise ImproperlyConfigured(
    "The SECRET_KEY setting must not be empty, "
    "and a system keyring SECRET_KEY could not be found, set one with: "
    "manage.py setsecretkey"
)
}}}

if `get_password` doesn't work and using a management command
`setsecretkey` to run `keyring.set_password`, as this would sidestep any
concurrency issues and be less surprising than silently working in most
cases and then failing when deploying to machines without a system
keyring.

--
Ticket URL: <https://code.djangoproject.com/ticket/31890#comment:1>
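
An added example, not part of the ticket or of Django's code: the fail-closed variant described in the comment above, where settings only read the key and a separate operator step (the proposed `setsecretkey` command) writes it. `MemoryKeyring`, `SecretKeyError`, `set_secret_key` and `load_secret_key` are hypothetical names; the in-memory backend is a constructed stand-in mirroring `keyring.get_password` / `keyring.set_password`, and `secrets.token_urlsafe` stands in for `get_random_secret_key`.

```python
import secrets

KEY_SLOT = "SECRET_KEY"  # keyring "username" slot, as in the ticket's code


class SecretKeyError(RuntimeError):
    """Stand-in for django.core.exceptions.ImproperlyConfigured."""


class MemoryKeyring:
    """Constructed in-memory backend with keyring's two module-level calls."""

    def __init__(self):
        self._store = {}

    def get_password(self, service_name, username):
        return self._store.get((service_name, username))

    def set_password(self, service_name, username, password):
        self._store[(service_name, username)] = password


def set_secret_key(backend, settings_module, force=False):
    """Operator step (hypothetical `manage.py setsecretkey`): write the key once."""
    if backend.get_password(settings_module, KEY_SLOT) and not force:
        # Overwriting silently would invalidate data signed with the old key.
        raise SecretKeyError("SECRET_KEY already stored; pass force=True to rotate")
    key = secrets.token_urlsafe(48)  # 64 URL-safe characters
    backend.set_password(settings_module, KEY_SLOT, key)
    return key


def load_secret_key(backend, settings_module):
    """Settings-time lookup: read-only, so concurrent startups cannot each
    create a different key, and a host without a stored key fails loudly."""
    key = backend.get_password(settings_module, KEY_SLOT)
    if not key:
        raise SecretKeyError(
            "The SECRET_KEY setting must not be empty, "
            "and a system keyring SECRET_KEY could not be found, set one with: "
            "manage.py setsecretkey"
        )
    return key
```

With the real package installed, the `keyring` module itself can be passed as `backend`, since it exposes the same two functions.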

Django

Aug 16, 2020, 9:15:29 AM
to django-...@googlegroups.com
#31890: if SECRET_KEY is not set and "keyring" is installed, use "keyring" to
get_or_create a secret key
---------------------------------+--------------------------------------

Reporter: Thomas Grainger | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 3.1
Severity: Normal | Resolution:

Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+--------------------------------------

Comment (by Adam (Chainz) Johnson):

The keyring module you refer to is: https://pypi.org/project/keyring/

I've not worked on any projects using the system keyring like this. It
looks neat but I think some evidence of use in the Django ecosystem via a
third party package would be warranted before merging to core.

--
Ticket URL: <https://code.djangoproject.com/ticket/31890#comment:2>

Django

Aug 17, 2020, 12:34:56 AM
to django-...@googlegroups.com
#31890: Use keyring for setting SECRET_KEY.
---------------------------------+--------------------------------------

Reporter: Thomas Grainger | Owner: nobody
Type: New feature | Status: closed
Component: Core (Other) | Version: 3.1
Severity: Normal | Resolution: wontfix

Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
---------------------------------+--------------------------------------
Changes (by felixxm):

* status: new => closed
* resolution: => wontfix
* type: Uncategorized => New feature
* component: Uncategorized => Core (Other)


Comment:

Thanks for this ticket, however there are many possible solutions and I
don't think that we should include a few lines hook to recommend any of
them. You can start a discussion on DevelopersMailingList if you don't
agree.


I've also never used `keyring`, but that's only a comment, not an argument
for closing this ticket.

--
Ticket URL: <https://code.djangoproject.com/ticket/31890#comment:3>
