diff --git a/scripts/gen_api_pages.py b/scripts/gen_api_pages.py index 4fe22b14..f297049a 100644 --- a/scripts/gen_api_pages.py +++ b/scripts/gen_api_pages.py @@ -24,7 +24,6 @@ "datajoint.blob", "datajoint.hash_registry", "datajoint.jobs", - "datajoint.admin", "datajoint.migrate", ] @@ -44,7 +43,6 @@ "datajoint.blob": ("Blob", "Binary serialization"), "datajoint.hash_registry": ("Hash Registry", "Content hashing for external storage"), "datajoint.jobs": ("Jobs", "Job queue for AutoPopulate"), - "datajoint.admin": ("Admin", "Administrative functions"), "datajoint.migrate": ("Migrate", "Schema migration utilities"), } diff --git a/src/how-to/deploy-production.md b/src/how-to/deploy-production.md index 9e7c7e95..c54ca544 100644 --- a/src/how-to/deploy-production.md +++ b/src/how-to/deploy-production.md @@ -144,12 +144,17 @@ ephys_schema = dj.Schema(prefix + 'ephys') # myproject_ephys ```sql -- Grant access to all schemas with prefix -GRANT ALL PRIVILEGES ON `myproject\_%`.* TO 'developer'@'%'; +GRANT ALL PRIVILEGES ON `myproject_%`.* TO 'developer'@'10.0.0.%'; -- Read-only access to another project -GRANT SELECT ON `otherproject\_%`.* TO 'developer'@'%'; +GRANT SELECT ON `otherproject_%`.* TO 'developer'@'10.0.0.%'; ``` +!!! warning "Restrict Host Access" + Avoid using `'%'` for the host in production GRANT statements—this allows + connections from any IP address. Use specific IP addresses or subnet patterns + like `'10.0.0.%'` to limit access to your internal network. + ## Environment-Based Configuration Use different configurations for development, staging, and production. @@ -200,6 +205,8 @@ export DJ_SAFEMODE=false ### Docker/Kubernetes Example +DataJoint automatically loads credentials from `/run/secrets/datajoint/` when that directory exists (standard Docker/Kubernetes secrets mount point). + ```yaml # docker-compose.yaml services: 
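Review bot: Dropping the backslash from the two GRANT lines in the `src/how-to/deploy-production.md` hunk at `@@ -144,12 +144,17 @@` widens both grants. MySQL treats an unescaped `_` in a database-level GRANT pattern as a single-character wildcard, so `myproject_%` also matches a database with no underscore after the prefix (constructed example: `myprojectX1`). Markdown needs no escaping inside the fenced SQL block, so the escaped form should stay next to the new host restriction: ``GRANT ALL PRIVILEGES ON `myproject\_%`.* TO 'developer'@'10.0.0.%';`` and likewise `otherproject\_%` for the SELECT grant. The added warning about `'%'` hosts would be a good place to state the same rule for `_` and `%` in database names.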
@@ -207,13 +214,40 @@ services: image: my-pipeline:latest environment: - DJ_HOST=db.example.com - - DJ_USER_FILE=/run/secrets/db_user - - DJ_PASS_FILE=/run/secrets/db_password - DJ_CREATE_TABLES=false - DJ_SCHEMA_PREFIX=prod_ - secrets: - - db_user - - db_password + volumes: + # Mount secrets directory + - type: bind + source: ./secrets + target: /run/secrets/datajoint + read_only: true +``` + +Create the secrets directory with credential files: + +```bash +mkdir -p secrets +echo "prod_user" > secrets/database.user +echo "prod_password" > secrets/database.password +chmod 600 secrets/* +``` + +For Kubernetes, use a Secret mounted to `/run/secrets/datajoint/`: + +```yaml +# kubernetes deployment +spec: + containers: + - name: worker + volumeMounts: + - name: dj-secrets + mountPath: /run/secrets/datajoint + readOnly: true + volumes: + - name: dj-secrets + secret: + secretName: datajoint-credentials ``` ## Complete Production Configuration diff --git a/src/tutorials/basics/06-object-storage.ipynb b/src/tutorials/basics/06-object-storage.ipynb index 317626c5..07bddc57 100644 --- a/src/tutorials/basics/06-object-storage.ipynb +++ b/src/tutorials/basics/06-object-storage.ipynb @@ -21,7 +21,7 @@ }, { "cell_type": "code", - "execution_count": 1, + "execution_count": null, "id": "cell-1", "metadata": { "execution": { @@ -31,21 +31,8 @@ "shell.execute_reply": "2026-01-24T03:27:42.261846Z" } }, - "outputs": [ - { - "name": "stderr", - "output_type": "stream", - "text": [ - "[2026-01-23 21:27:42,256][INFO]: DataJoint 2.1.0a7 connected to postgres@127.0.0.1:5432\n" - ] - } - ], - "source": [ - "import datajoint as dj\n", - "import numpy as np\n", - "\n", - "schema = dj.Schema('tutorial_oas')" - ] + "outputs": [], + "source": "import datajoint as dj\nimport numpy as np\n\nschema = dj.Schema('tutorial_oas')\n\n# Clean slate: drop existing schema if re-running\nschema.drop(prompt=False)\nschema = dj.Schema('tutorial_oas')" }, { "cell_type": "markdown", 
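Review bot: The credential-file snippet in the `@@ -207,13 +214,40 @@` hunk of `src/how-to/deploy-production.md` writes the password before tightening permissions and puts it on the command line. `echo "prod_password" > secrets/database.password` creates the file under the caller's default umask and leaves the literal in shell history; `chmod 600 secrets/*` runs only afterwards and never changes the mode of the `secrets` directory itself. Starting the snippet with `umask 077` and reading the value without echoing it, e.g. `read -rs DJ_PW && printf '%s' "$DJ_PW" > secrets/database.password`, closes both gaps. `printf '%s'` also avoids the trailing newline that `echo` appends, which matters if the loader does not strip whitespace (not visible in this diff). Because `./secrets` sits in the project directory and is bind-mounted, the text should also tell readers to keep it out of version control and the image build context.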
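Review bot: The rewritten first code cell in the `@@ -31,21 +31,8 @@` hunk of `src/tutorials/basics/06-object-storage.ipynb` calls `schema.drop(prompt=False)` on whatever server the reader's configuration points at, so re-running the tutorial against a shared or production database deletes `tutorial_oas` with no confirmation. The cell comment should say this plainly, e.g. `# Clean slate: irreversibly drops tutorial_oas on the connected server; run only against a disposable tutorial database`. If the notebook does not have to execute unattended, leaving the confirmation prompt enabled would be the safer default for copy-pasted tutorial code.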
@@ -1807,4 +1794,4 @@ }, "nbformat": 4, "nbformat_minor": 5 -} +} \ No newline at end of file