Configuration
The vast majority of configuration is done using the GraphGrid Config service, as documented here, which is backed by either Redis or AWS Parameter Store. However, some configuration properties are set using environment variables. All GraphGrid services accept the following environment variables:
Key | Value | Description |
---|---|---|
DEBUG | 0 / 1 | Setting DEBUG=1 will enable remote debugging on port 5005 |
APM_ENABLED | true / false | Whether to enable Application Performance Monitoring (APM). |
ELASTIC_APM_SERVER_URL | URL of APM server | Default is http://apm-server:8200 |
AWS_PARAMSTORE_ENABLED | true / false | Determines if services should connect directly to AWS Parameter Store, or to GraphGrid Config. |
All of these variables are set in data/env/graphgrid.env. Anything specified in the docker-compose.yml file will override these values.
See here for the documentation on Docker Compose environment variables. If you'd like GraphGrid services to connect to AWS, this file is a good place to set AWS_PROFILE and AWS_REGION in addition to a Docker volume mount like ${HOME}/.aws:/root/.aws:ro.
Password Generation
GraphGrid contains several services, some of which have default passwords. Many of these default passwords can be replaced by running:
./bin/graphgrid passwords generate
See here for more information about password generation.
The password generation command should be run directly after install, before running GraphGrid for the first time.
Random Password Generation
GraphGrid CDP's package performs random password generation for ONgDB, GraphGrid Config, MinIO, SQL, OpenLDAP, RabbitMQ, and Airflow.
Generally this involves setting Redis keys and writing out .env files.
GraphGrid Config will only get set if the config service is down. ONgDB and SQL will only get set if their respective databases have not been created yet.
Airflow will be set once airflow-init is started up after passwords have been generated (./bin/graphgrid start airflow-init).
Change the Super Admin GraphGrid Password
It is highly recommended to change the default super admin password. To update this password, use this security endpoint:
Base URL: /1.0/security/user/{{grn}}/updatePassword
Method: POST
curl --location --request POST "${API_BASE}/1.0/security/user/grn:gg:user:HjdEQDeFQNkkpr0b6Hfo2Iozlil6XT36sJnz6r4OG6LT/updatePassword" \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--data-raw '{
"oldPassword": "12345678",
"newPassword": "1SecureP@ssword"
}'
To quickly find the user grn needed for the updatePassword request, run the checkToken request and the response will return the user's grn.
curl --request POST \
--url "${API_BASE}/1.0/security/oauth/check_token" \
--header "Authorization: Basic ${BASIC_AUTH}" \
--data "token=${BEARER_TOKEN}"
See the setup guide to learn how to set up shell variables for easier use of the GraphGrid API.
Script Messages
A secure superadmin password must be set manually. There is a reminder to change the super admin password if you have not already.
The script cannot update passwords for ONgDB or SQL if the databases already exist. Upon creation, if you see an error message, ensure that the respective database does not already exist.
Config values are read during startup, so Config should not be running. If you receive an error that Config is running, you must stop it and run the script again.
Default Client Credentials and OAuth
OAuth requires client authentication in order to request an access token. To authenticate, generate a Basic Authorization header using client credentials.
Client credentials consist of a client_id and a client_secret.
To generate a basic auth header, separate a client id and secret with a colon and then base64 encode them. Client credentials are configurable; however, you may use the default values for a client id and secret:
'CLIENT_ID': '${var.api.auth.defaultClientId}'
'CLIENT_SECRET': '${var.api.auth.defaultClientSecret}'
More information about API clients and endpoint authorization is available here.
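One way to build the value used as ${BASIC_AUTH} in the check_token request above, following the colon-then-base64 rule just described. This is an added example, not GraphGrid's own code: make_basic_auth is a hypothetical helper name, and the sample credentials are constructed, not GraphGrid defaults.

```shell
#!/bin/sh
# Added example: build the Basic auth value (base64 of "client_id:client_secret").
# make_basic_auth is a hypothetical helper name, not part of the GraphGrid CLI.

make_basic_auth() {
    id=$1
    secret=$2

    if [ -z "$id" ] || [ -z "$secret" ]; then
        echo "client id and client secret must both be non-empty" >&2
        return 1
    fi

    # RFC 7617: the id must not contain ':' because the receiver splits
    # the decoded string on the first colon.
    case $id in
        *:*) echo "client id must not contain ':'" >&2; return 1 ;;
    esac

    # RFC 7617 also forbids control characters (a stray CR or LF from a
    # copied secret would silently change the credential).
    cleaned=$(printf '%s' "$id$secret" | tr -d '[:cntrl:]')
    if [ "$cleaned" != "$id$secret" ]; then
        echo "credentials must not contain control characters" >&2
        return 1
    fi

    # printf '%s' (not echo) keeps a trailing newline out of the encoded
    # value; tr removes the line wrapping GNU base64 adds after 76 columns,
    # which would otherwise split the Authorization header across lines.
    printf '%s:%s' "$id" "$secret" | base64 | tr -d '\n'
}

# Constructed sample pair (the example credentials from RFC 7617),
# not GraphGrid defaults.
BASIC_AUTH=$(make_basic_auth 'Aladdin' 'open sesame')
echo "Authorization: Basic ${BASIC_AUTH}"
```

If the default client id and secret are still in use, replace them along with the other default passwords before exposing the API.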