2. Configuration
- AD_BASE_DN
Type:
str()
Default:
override_me
A base DN of the form ‘dc=mgrid,dc=net’ that is used as the root for all queries.
- AD_ENABLED
Type:
bool()
Default:
False
Enable or disable Active Directory integration.
- AD_PASSWORD
Type:
password()
Default:
override_me
AD administrator password.
- AD_URL
Type:
str()
Default:
ldap://ad.example.com:389
A URL of the form ‘ldap://ad:389’ that gives the location of the Active Directory server. Note that the queries use Active Directory-specific conventions, so a generic LDAP server will not suffice.
- AD_USER_DOMAIN
Type:
str()
Default:
override_me
A user domain that is added to all user names when they authenticate without a backslash or at sign in the username. Typical example: MGRID\
- AD_USER
Type:
str()
Default:
override_me
AD administrator account. This account is used to retrieve user information after login, when the user's password is no longer in context or available.
- API_URL
Type:
url()
Default:
https://example.com/api/v1
The URL for the API, e.g. ‘https://querybuilder.example.com/api/v1’.
- APP_DB_HOST
Type:
str()
Default:
override_me
The hostname of the application model database, e.g. ‘postgres’.
- APP_DB_NAME
Type:
str()
Default:
override_me
The name of the application model database, e.g. ‘querybuilder’.
- APP_DB_PASSWORD
Type:
password()
Default:
override_me
The password for the application model database, e.g. ‘secret’.
- APP_DB_PORT
Type:
int()
Default:
5432
The port number of the application model database, e.g. ‘5432’.
- APP_DB_USER
Type:
str()
Default:
override_me
The username for the application model database, e.g. ‘querybuilder’.
- AUDIT_APPLICATION_CODE
Type:
str()
Default:
querybuilder
Name of the application to send to the central FluentD server.
- AUDIT_APPLICATION_INSTANCE
Type:
str()
Default:
default
Instance name of the application to send to the central FluentD server.
- AUDIT_APPLICATION_IP
Type:
ip()
Default:
127.0.0.1
IP address of the application instance to send to the central FluentD server.
- AUDIT_ENABLED
Type:
bool()
Default:
False
Enable or disable audit logging to a central FluentD server.
- AUDIT_LABEL
Type:
str()
Default:
log
Label used for all logs sent to the central FluentD server.
- AUDIT_PORT
Type:
int()
Default:
24224
Port number of the central FluentD server.
- AUDIT_SERVER
Type:
str()
Default:
override_me
Hostname of the central FluentD server.
- AUDIT_TAG
Type:
str()
Default:
audit
Tag used for all logs sent to the central FluentD server.
- AUTH_METHOD
Type:
enum('local', 'ad', 'azure')
Default:
ad
Authentication method for users.
- AZURE_BLOB_ENABLED
Type:
bool()
Default:
False
Enable or disable the use of Azure Blob Storage export targets.
- AZURE_CLIENT_ID
Type:
str()
Default:
override_me
Identifier for the Azure client.
- AZURE_CLIENT_SECRET
Type:
password()
Default:
override_me
Secret for the Azure client.
- AZURE_GRAPH_API_URL
Type:
url()
Default:
https://graph.microsoft.com
The URL of the Graph API.
- AZURE_GRAPH_AUTH_URL
Type:
url()
Default:
https://login.microsoftonline.com/example.onmicrosoft.com
The URL where QueryBuilder requests an access_token so that it can fetch data from the Graph API.
- AZURE_GRAPH_QUERY_URL
Type:
url()
Default:
https://graph.microsoft.com/v1.0/myorganization/users/{user_id}/memberOf?$select=displayName
The URL for requesting the group membership of a specific user. Ensure it contains a {user_id} part, which will be substituted with the actual user id.
- AZURE_KEYS_URL
Type:
url()
Default:
https://example.b2clogin.com/example.onmicrosoft.com/discovery/v2.0/keys?p=B2C_1_signuplogin
The URL for fetching the public key used to verify the signature of the id_token. This value only needs to be set when AZURE_VERIFY_ID_TOKEN is true.
- AZURE_LOGOUT_URI
Type:
url()
Default:
https://example.b2clogin.com/example.onmicrosoft.com/B2C_1_signuplogin/oauth2/v2.0/logout
The URI the user is redirected to when logout is clicked.
- AZURE_REDIRECT_URI
Type:
url()
Default:
https://querybuilder.mgrid.dev:8443/auth
The URI the user is redirected to when the login was successful.
- AZURE_USER_AUTH_URL
Type:
url()
Default:
https://example.b2clogin.com/example.onmicrosoft.com/B2C_1_signuplogin/oauth2/v2.0/authorize
The URL for user authentication. The user is redirected here to log in.
- AZURE_VERIFY_ID_TOKEN
Type:
bool()
Default:
True
Whether to verify the id_token received from the Azure login page.
- BASE_URL
Type:
url()
Default:
https://example.com
The base URL of the application.
- BUTTON_APPROVAL
Type:
str()
Default:
Request Approval
Text for the request approval button.
- BUTTON_EXPORT
Type:
str()
Default:
Perform Transfer
Text for the perform transfer button.
- BUTTON_SCHEDULE
Type:
str()
Default:
Schedule Transfer
Text for the schedule transfer button.
- CONTACT_EMAIL
Type:
email()
Default:
info@example.com
Support email address for e.g. users having trouble logging in.
- DAS_DEBUG
Type:
bool()
Default:
False
Enable or disable debugging calls to the DAS.
- DAS_ENABLED
Type:
bool()
Default:
True
Enable or disable DAS support.
- DAS_PASSWORD
Type:
password()
Default:
override_me
Password for calls to the DAS.
- DAS_SSL_VERIFY
Type:
bool()
Default:
True
Enable or disable SSL verification of calls to the DAS.
- DAS_TIMEOUT
Type:
int()
Default:
10
Timeout in seconds of calls to the DAS.
- DAS_URL
Type:
url()
Default:
https://das.example.com/api/v1
URL of the DAS server.
- DDS_DEBUG
Type:
bool()
Default:
False
Enable or disable debugging DDS calls.
- DDS_ENABLED
Type:
bool()
Default:
True
Enable or disable integration with the DDS.
- DDS_PASSWORD
Type:
password()
Default:
override_me
Password for calls to the DDS.
- DDS_SSL_VERIFY
Type:
bool()
Default:
True
Enable or disable SSL verification of calls to the DDS.
- DDS_TIMEOUT
Type:
int()
Default:
10
Timeout in seconds of calls to the DDS.
- DDS_URL
Type:
url()
Default:
https://dds.example.com/api/v1
URL of the DDS server.
- DUO_APIHOSTNAME
Type:
domain()
Default:
api-00000000.duosecurity.com
Hostname of the DUO server to interact with, e.g. ‘api-ffffffff.duosecurity.com’.
- DUO_ENABLED
Type:
bool()
Default:
False
Enable or disable DUO two-factor authentication.
- DUO_IKEY
Type:
password()
Default:
override_me
One of the keys needed to interact with the DUO servers.
- DUO_SKEY
Type:
password()
Default:
override_me
One of the keys needed to interact with the DUO servers.
- EXEC_RECIPE_MODULE
Type:
path()
Default:
app.recipes.override_me
Path to a recipe file, e.g. app.recipes.example. In this example there should be a file named example.py in the app/recipes directory.
- GLOBAL_OWNER_EMAIL
Type:
email()
Default:
datasteward@example.com
Email address of a datasteward who is authorized to approve for all projects. If this setting is not used, individual projects must be provisioned with an owner email address.
- HOST
Type:
ip()
Default:
0.0.0.0
IP address the server binds to.
- IMG_LOGO
Type:
any(path(), url())
Default:
/static/images/mgrid_logo.svg
Location of the logo image for the UI. May be a relative path, e.g. ‘/static/images/mgrid_logo.svg’ if the logo is present in the QueryBuilder Docker image, or an absolute URL, e.g. ‘https://querybuilder.example.com/logo.png’. In the case of an absolute URL, make sure that the CORS settings of the nginx proxy in the Docker image allow this URL.
- IMG_LOGO_LARGE
Type:
any(path(), url())
Default:
/static/images/mgrid_logo.svg
Location of the large logo image for the UI. May be a relative path, e.g. ‘/static/images/mgrid_logo.svg’ if the logo is present in the QueryBuilder Docker image, or an absolute URL, e.g. ‘https://querybuilder.example.com/logo.png’. In the case of an absolute URL, make sure that the CORS settings of the nginx proxy in the Docker image allow this URL.
- JWT_ALGORITHM
Type:
str()
Default:
HS512
Which algorithm to sign the JWT with. See https://pyjwt.readthedocs.io/en/latest/algorithms.html for the available algorithms.
- JWT_HEADER_NAME
Type:
str()
Default:
Authorization
What header should contain the JWT in a request.
- JWT_HEADER_TYPE
Type:
str()
Default:
Bearer
What type of header the JWT is in.
- JWT_IDENTITY_CLAIM
Type:
str()
Default:
identity
The claim in a JWT that is used as the source of identity.
- JWT_SECRET_KEY
Type:
password()
Default:
override_me
The JWT secret key that is used to authenticate requests to the management API.
- JWT_TOKEN_LOCATION
Type:
enum('headers', 'cookies', 'query_string', 'json')
Default:
headers
Where to look for a JWT when processing a request.
- LOCAL_TIMEZONE
Type:
str()
Default:
Europe/Amsterdam
Timestamps are stored in UTC and this setting is used to translate to the local timezone of the users.
- LOG_LEVEL
Type:
enum('debug', 'info', 'warning', 'error', 'critical')
Default:
warning
Log level of the application.
- LOGO_URL
Type:
url()
Default:
https://querybuilder.example.com/projects
The URL where the browser is directed to when the user clicks on the logo.
- MODAL_APPROVAL
Type:
str()
Default:
Requested approval for:
Text for the modal when requesting approval.
- MODAL_EXPORT
Type:
str()
Default:
Performing transfer for:
Text for the modal when performing transfer.
- MODAL_SCHEDULE
Type:
str()
Default:
Schedule transfer for:
Text for the modal when scheduling transfer.
- PERMANENT_SESSION_LIFETIME
Type:
int()
Default:
14400
The cookie’s expiration will be set this number of seconds in the future.
- PORT
Type:
int()
Default:
5000
IP port the server binds to.
- SECRET_KEY
Type:
password()
Default:
override_me
The secret key that is used to authenticate requests to the UI.
- SESSION_COOKIE_HTTPONLY
Type:
bool()
Default:
True
Browsers will not allow JavaScript access to cookies marked as “HTTP only” for security.
- SESSION_COOKIE_NAME
Type:
str()
Default:
session
The name of the session cookie.
- SESSION_COOKIE_PATH
Type:
path()
Default:
/
The path that the session cookie will be valid for.
- SESSION_COOKIE_SECURE
Type:
bool()
Default:
True
Browsers will only send cookies with requests over HTTPS if the cookie is marked “secure”.
- SESSION_COPY_PROTECTION
Type:
bool()
Default:
True
Enable or disable session protection.
- SESSION_FILE_DIR
Type:
path()
Default:
/tmp/flask_session
The directory where session files are stored.
- SESSION_TYPE
Type:
enum('null', 'filesystem', 'sqlalchemy')
Default:
filesystem
Specifies which type of session interface to use.
- SFTP_ENABLED
Type:
bool()
Default:
False
Enable or disable support for SFTP exports.
- SOURCE_DATABASE
Type:
str()
Default:
override_me
Source database name.
- SOURCE_MASK
Type:
bool()
Default:
True
A boolean switch that determines whether the output of a query is masked during query construction. If True, only a count of distinct rows in the query output is returned.
- SOURCE_PASSWORD
Type:
password()
Default:
override_me
Source database password.
- SOURCE_PROHIBIT_PII_FILTERS
Type:
bool()
Default:
False
A boolean switch that prohibits the use of table attributes marked with a deid attribute (and therefore assumed to be personally identifiable information) in default filter expressions. This prevents the information contained in such an attribute from being used to formulate a filtering condition. Note that these attributes are always allowed, regardless of this configuration setting, in dataset filter conditions (in dataset, not in dataset) to facilitate dataset joining.
- SOURCE_SERVER
Type:
str()
Default:
override_me
Source database hostname.
- SOURCE_USERNAME
Type:
str()
Default:
override_me
Source database username. The QueryBuilder source database account needs read-only access to the source schemas as defined in the SOURCE_WORLD.
- SOURCE_WORLD
Type:
path()
Default:
override_me
The world definition for the configured source. Should point to a yaml definition that specifies the structure of the schemas, tables, attributes and relationships in the source.
- SOURCE
Type:
enum('psql', 'mssql')
Default:
psql
The database type, either psql for PostgreSQL or mssql for Microsoft SQL Server.
- SQLALCHEMY_ENGINE_OPTIONS
Type:
map()
Default:
{'pool_pre_ping': True, 'pool_size': 1}
A dictionary that can contain options for the model database engine, most notably to change the connection pool characteristics.
- SQLALCHEMY_TRACK_MODIFICATIONS
Type:
bool()
Default:
False
If set to True, Flask-SQLAlchemy will track modifications of objects and emit signals.
- SSL_ENABLED
Type:
bool()
Default:
False
Enable or disable SSL. There is an NGINX instance in front of this application that handles SSL, so this should be set to false.
- SSL_VERIFY
Type:
bool()
Default:
True
Enable or disable verification of SSL certificates of external programs.
- STATUS_APPROVED
Type:
str()
Default:
Ready for transfer
Text in column when query is ready for transfer.
- STATUS_EMPTY_QUERY
Type:
str()
Default:
Empty query
Text in column when query is empty.
- STATUS_NEED_APPROVAL
Type:
str()
Default:
Need approval for transfer
Text in column when query needs approval for transfer.
- STATUS_REQUESTED_APPROVAL
Type:
str()
Default:
Requested approval for transfer
Text in column when approval for transfer has been requested for query.
- STATUS_UNKNOWN
Type:
str()
Default:
Approval server offline
Text in column when approval server is offline.
- USE_SESSION_FOR_NEXT
Type:
bool()
Default:
True
When the login view is redirected to, it will have a next variable in the query string, which is the page that the user was trying to access. Alternatively, if USE_SESSION_FOR_NEXT is True, the page is stored in the session under the key next.
- WORKERS
Type:
int()
Default:
2
The number of worker processes that will be forked to handle incoming requests. Setting this is optional, but may be required in environments where the default value of 2 is not sufficient.
- XAPDEID_ENABLED
Type:
bool()
Default:
False
Enable or disable the XAP DEID server integration.
- XAPDEID_PASSWORD
Type:
password()
Default:
override_me
Password for the XAP DEID server.
- XAPDEID_URL
Type:
url()
Default:
https://deid.example.com
URL for the XAP DEID server.
- XAPDEID_USER
Type:
str()
Default:
override_me
User for the XAP DEID server.
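
A pre-deployment check over the settings listed above, as an added example that is not part of QueryBuilder: it reports settings still at the override_me placeholder and protections switched off from their documented default of True. The audit_config function, the grouping of settings under their enable flags, and the sample values are assumptions; how QueryBuilder itself loads these settings is not covered on this page.

```python
PLACEHOLDER = "override_me"  # documented default for settings that must be set

# Assumption: these are needed in every deployment.
ALWAYS = ["SECRET_KEY", "JWT_SECRET_KEY", "APP_DB_HOST", "APP_DB_NAME",
          "APP_DB_USER", "APP_DB_PASSWORD", "SOURCE_SERVER", "SOURCE_DATABASE",
          "SOURCE_USERNAME", "SOURCE_PASSWORD", "SOURCE_WORLD"]

# Assumption: these only matter when their enable flag is True.
# Value: (documented default of the flag, settings that must be overridden).
GATED = {
    "AD_ENABLED": (False, ["AD_BASE_DN", "AD_USER", "AD_PASSWORD", "AD_USER_DOMAIN"]),
    "AUDIT_ENABLED": (False, ["AUDIT_SERVER"]),
    "DAS_ENABLED": (True, ["DAS_PASSWORD"]),
    "DDS_ENABLED": (True, ["DDS_PASSWORD"]),
    "DUO_ENABLED": (False, ["DUO_IKEY", "DUO_SKEY"]),
    "XAPDEID_ENABLED": (False, ["XAPDEID_USER", "XAPDEID_PASSWORD"]),
}

# Boolean protections whose documented default is True.
PROTECTIONS = ["SSL_VERIFY", "DAS_SSL_VERIFY", "DDS_SSL_VERIFY",
               "AZURE_VERIFY_ID_TOKEN", "SESSION_COOKIE_SECURE",
               "SESSION_COOKIE_HTTPONLY", "SESSION_COPY_PROTECTION"]

def audit_config(cfg):
    """Return (setting, problem) pairs for a settings mapping."""
    required = list(ALWAYS)
    for flag, (default, names) in GATED.items():
        if cfg.get(flag, default):  # a missing flag falls back to its default
            required += names
    if cfg.get("AUTH_METHOD", "ad") == "azure":
        required += ["AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"]
    findings = [(n, "placeholder not overridden") for n in required
                if cfg.get(n, PLACEHOLDER) == PLACEHOLDER]
    findings += [(n, "protection disabled") for n in PROTECTIONS
                 if cfg.get(n, True) is not True]
    return findings

# Constructed sample settings (not from a real deployment).
SAMPLE = {
    "AUTH_METHOD": "local", "SECRET_KEY": "constructed-ui-key",
    "JWT_SECRET_KEY": "override_me", "APP_DB_HOST": "postgres",
    "APP_DB_NAME": "querybuilder", "APP_DB_USER": "querybuilder",
    "APP_DB_PASSWORD": "constructed-db-pw", "SOURCE_SERVER": "src-db",
    "SOURCE_DATABASE": "warehouse", "SOURCE_USERNAME": "qb_readonly",
    "SOURCE_PASSWORD": "constructed-src-pw", "SOURCE_WORLD": "world.yaml",
    "DAS_ENABLED": False, "DDS_SSL_VERIFY": False,
    "DUO_ENABLED": True, "DUO_IKEY": "constructed-ikey",
}

if __name__ == "__main__":
    for name, problem in audit_config(SAMPLE):
        print(f"{name}: {problem}")
```

DDS_PASSWORD is reported for the sample even though it is absent from it, because DDS_ENABLED defaults to True and an unset password keeps the placeholder.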