Removing SECRET_KEY from settings.py

Removing SECRET_KEY from settings.py

Tim Chase-7
Just returning to some Django work after a time away, I
(re)started an old project in 1.3 and hit an early issue.  I'd
like to keep my settings.py under revision-control that is
somewhat publicly accessible, but don't want my SECRET_KEY
exposed.  The solution I've opted for is the following excerpt of
my settings.py on which I'm hoping for feedback:

   SECRET_FILE = "secret.txt"
   if os.path.exists(SECRET_FILE):
     SECRET_KEY = file(SECRET_FILE).read()
   else:
     from random import choice
     SECRET_KEY = ''.join([
       choice(
       'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
       ) for i in range(50)])
     f = file(SECRET_FILE, 'w')
     f.write(SECRET_KEY)
     f.close()

(key generation ripped directly from
core/management/commands/startproject.py )

As best I can tell, this should allow me to place secret.txt on
machines I control, while allowing others to freely download the
code and deploy on their end with minimal trouble.

Any input would be greatly appreciated,

-tkc
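
A hardened variant of the file-backed key from the post above, as an added example that is not part of the original message or of Django: it draws the key from the OS CSPRNG via `secrets`, creates the file atomically with owner-only permissions, and rejects an empty or truncated file. It assumes Python 3.6+; `load_or_create_secret_key`, `generate_key` and `ALPHABET` are hypothetical names.

```python
import os
import secrets
import string

# The post's character set plus uppercase letters; 50 characters as in the post.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*(-_=+)"
KEY_LENGTH = 50


def generate_key(length=KEY_LENGTH):
    """Draw each character from the OS CSPRNG instead of random.choice."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def load_or_create_secret_key(path):
    """Return the key stored at `path`, creating the file (mode 0600) if absent."""
    try:
        # O_EXCL makes creation atomic: exactly one process creates the file,
        # and an existing file or symlink is never truncated or followed.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        with open(path, encoding="ascii") as fh:
            key = fh.read().strip()
        # Fail closed on an empty or partial file (for example, a reader that
        # raced the writer) rather than running with a weak key.
        if len(key) < KEY_LENGTH:
            raise RuntimeError("secret key file %s is empty or truncated" % path)
        return key
    key = generate_key()
    with os.fdopen(fd, "w", encoding="ascii") as fh:
        fh.write(key)
    return key


# In settings.py, anchor the path to the settings directory so it does not
# depend on the process's current working directory:
#     HERE = os.path.dirname(os.path.abspath(__file__))
#     SECRET_KEY = load_or_create_secret_key(os.path.join(HERE, "secret.txt"))
```

The key file still has to be excluded from version control (for example, through the repository's ignore file) for the scheme to keep the key private.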



--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to [hidden email].
To unsubscribe from this group, send email to [hidden email].
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.


Re: Removing SECRET_KEY from settings.py

Donald Stufft
$ cat settings.py

….

try:
    from local_settings import *
except ImportError:
    pass


$ cat local_settings.py

….
SECRET_KEY = "blah"


Re: Removing SECRET_KEY from settings.py

Rafael Durán Castañeda
In addition, you can add a local_settings.py.template to the repository instead of local_settings.py, so for development you can add some fixed fake values for testing and edit them with production-suitable values when needed.

2011/9/17 Donald Stufft <[hidden email]>

> $ cat settings.py
>
> ….
>
> try:
>     from local_settings import *
> except ImportError:
>     pass
>
>
> $ cat local_settings.py
>
> ….
> SECRET_KEY = "blah"


Re: Removing SECRET_KEY from settings.py

DrBloodmoney
On Fri, Sep 16, 2011 at 8:54 PM, Tim Chase
<[hidden email]> wrote:

> Just returning to some Django work after a time away, I (re)started an old
> project in 1.3 and hit an early issue.  I'd like to keep my settings.py
> under revision-control that is somewhat publicly accessible, but don't want
> my SECRET_KEY exposed.  The solution I've opted for is the following excerpt
> of my settings.py on which I'm hoping for feedback:
>
>  SECRET_FILE = "secret.txt"
>  if os.path.exists(SECRET_FILE):
>    SECRET_KEY = file(SECRET_FILE).read()
>  else:
>    from random import choice
>    SECRET_KEY = ''.join([
>      choice(
>      'abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)'
>      ) for i in range(50)])
>    f = file(SECRET_FILE, 'w')
>    f.write(SECRET_KEY)
>    f.close()
>
> (key generation ripped directly from
> core/management/commands/startproject.py )
>
> As best I can tell, this should allow me to place secret.txt on machines I
> control, while allowing others to freely download the code and deploy on
> their end with minimal trouble.
>
> Any input would be greatly appreciated,
>
> -tkc


settings.py/
    |- __init__.py
    |- base.py
    |- development.py
    |- production.py
    |- secret.py # <== not in version control

then in __init__.py:

from base import *
from secret import *

if DEBUG:
    from development import *
else:
    from production import *
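
A fail-closed check for the layouts suggested in the replies above (the `local_settings.py` import and the untracked `secret.py`), as an added example that is not part of any post in the thread: it catches a key that was never imported and a template value that was never replaced. The function names, the placeholder list and the thresholds are assumptions.

```python
# Constructed list of template values; "blah" is the value shown in the thread.
PLACEHOLDERS = frozenset({"blah", "changeme", "fake-key-for-testing"})
MIN_LENGTH = 50   # matches the 50-character keys generated in the original post
MIN_UNIQUE = 5    # assumption: a floor that catches "aaaa..." style keys


def secret_key_problems(namespace):
    """Return the reasons the SECRET_KEY in `namespace` is unfit for production."""
    key = namespace.get("SECRET_KEY")
    if not key:
        # This is the case that `except ImportError: pass` hides.
        return ["SECRET_KEY is not set; was the untracked settings module imported?"]
    problems = []
    if key.strip().lower() in PLACEHOLDERS:
        problems.append("SECRET_KEY is a known template placeholder")
    if len(key) < MIN_LENGTH:
        problems.append("SECRET_KEY is shorter than %d characters" % MIN_LENGTH)
    if len(set(key)) < MIN_UNIQUE:
        problems.append("SECRET_KEY has fewer than %d distinct characters" % MIN_UNIQUE)
    return problems


def enforce_secret_key(namespace):
    """Raise outside DEBUG if the key is unusable; in DEBUG only report problems."""
    problems = secret_key_problems(namespace)
    if problems and not namespace.get("DEBUG", False):
        raise RuntimeError("refusing to start: " + "; ".join(problems))
    return problems


# At the very end of settings.py (or the settings package's __init__.py):
#     enforce_secret_key(globals())
```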
