Backend Installation & Configuration¶
Demo/Quickstart/Development¶
If you’re just wanting to quickly evaluate or demo Seizu, please see the quickstart documentation.
Installation using docker image¶
# first setup your environment in an env file, according to the configuration instructions
docker pull ghcr.io/paypay/seizu:latest
docker run --env-file <your-env-file> ghcr.io/paypay/seizu:latest
Backend configuration¶
Basic configuration¶
When using the docker image, the defaults should be sufficient for basic configuration.
DEBUG
: Whether or not seizu is run in debug mode. This should never be set outside of development; default:False
HOST
: IP address to listen on; default:0.0.0.0
PORT
: Port to listen on; default:8080
STATIC_FOLDER
: location of the react app build directory; default:/build
Frontend configuration¶
seizu will pass configuration to the backend via a configuration endpoint.
It uses this configuration to build the dashboard, reports, and to connect to Neo4j.
When using the docker image, the defaults for the reporting configuration file and schema file should be sufficient, but you will want to bind mount in the configuration file to the location defined in REPORTING_CONFIG_FILE
.
REPORTING_CONFIG_FILE
: location to the dashboard configuration; default:/reporting-dashboard.conf
REPORTING_CONFIG_SCHEMA_FILE
: location to the dashboard configuration jsonschema; default:/reporting-dashboard.schema.json
NEO4J_USER_PROTOCOL
: The protocol to use, from the frontend, to connect to Neo4j; default:bolt+s
NEO4J_USER_PORT
: The port to use, from the frontend, to connect to Neo4j; default:7687
NEO4J_USER_HOSTNAME
: The hostname to use, from the frontend, to connect to Neo4j; default:localhost
NEO4J_CONSOLE_URL
: The link to the Neo4j console, to provide to users, in the frontend; default:https://localhost:7473
SECRET_KEY
: Flask session secret key for for sessions and CSRF. Set to some long, random string; default:None
Neo4j configuration¶
If you wish you use any of the workers, or SSO, it’s necessary to configure access from the backend to Neo4j.
NEO4J_URI
: the URL to connect to neo4j; default:bolt://localhost:7687
NEO4J_USER
: the username to use to connect; default:None
NEO4J_PASSWORD
: the password to use to connect; default:None
Auth configuration¶
Password auth configuration¶
If you are managing your own neo4j user credentials, and want to directly authenticate against neo4j, you can adjust the AUTH_MODE
to defer to the client.
AUTH_MODE
: The mode to use for authentication. In this case,client
should be set; default:auto
SSO configuration¶
seizu, when placed behind a load balancer or API gateway that handles OAuth2 and provides a JWT, can automatically create short-lived users in neo4j, and auto-clean them when expired. When users access the UI, the UI will fetch Neo4j credentials from the backend. This currently requires Dynamodb, to track the users.
GENERATED_PASSWORD_LENGTH
: Length of password in bytes to auto-generate for users; default:50
PASSWORD_EXPIRATION_TIME
: Time in seconds until generated passwords expire; default:86400
(24 hours)USER_SCAN_FREQUENCY
: The frequency in seconds for how often we’ll scan for expired users; default:10
USERS_EXCEMPT_FROM_EXPIRATION
: A comma separated list of users that shouldn’t be tracked for expiration (permanent users); default:neo4j
AWS_DEFAULT_REGION
: Must be set to the region the server is running; default:ap-northeast-1
DYNAMODB_TABLE
: Name of the dynamodb table used to track user password time expirations; default:seizu
DYNAMODB_URL
: Override for the default dynamodb (to use local dynamodb in development); default:None
DYNAMODB_CREATE_TABLE
: Whether or not to auto-create the dynamodb table (for development); default:False
JWKS_URL
: JWKS location to use to validate JWT.{AWS_DEFAULT_REGION}
and{kid}
can be used as template variables; default:https://public-keys.auth.elb.{AWS_DEFAULT_REGION}.amazonaws.com/{kid}
JWKS_URL_FOR_ALB
: AWS ALBs use a URL that fetches a KID directly, while other providers use a URL that has a JSON file with a list of keys. If using an ALB, this should be false, if using a standard JSON file with a list of keys, this should be true; default:True
ALLOWED_JWT_ALGORITHMS
: A comma separated list of algorithms we allow for JWT signing; default:ES256,ES512
DEVELOPMENT_ONLY_REQUIRE_AUTH
: Whether or not to require authentication. This option should only be changed in development; default:True
DEVELOPMENT_ONLY_AUTH_USER_EMAIL
: The email address of the fake user when authentication is disabled. This option should only be changed in development; default:testuser
AUTH_MODE
: The mode to use for authentication. In this case,auto
should be set; default:auto
Scheduled queries¶
ENABLE_SCHEDULED_QUERIES
: Whether or not scheduled queries should be enabled. Note that if the worker is not running, scheduled queries will not run, even if this is set to true; default:True
SCHEDULED_QUERY_FREQUENCY
: The frequency in seconds for how often we’ll attempt to run scheduled queries; default:20
SCHEDULED_QUERY_MODULES
: A comma separated list of python import locations for available scheduled query modules; default:reporting.scheduled_query_modules.sqs,reporting.scheduled_query_modules.slack
Statsd configuration¶
Through the stats worker, seizu can send the results of queries configured in the dashboard configuration to your time series service, via statsd. Note that the statsd support uses tags, so your time series database must also support tagging (like datadog, new relic, etc), and the statsd server your sending to must also support tags (like telegraf, with datadog extensions enabled).
STATSD_HOST
: The hostname of the statsd server; default:None
STATSD_PORT
: The port of the statsd server; default:8125
STATSD_CONSTANT_TAGS
: A comma separated list oftag_name:tag_value
tags to apply to every stat; default:None
DASHBOARD_STATS_MAX_INPUT_RESULTS
: When sending stats for panels that have an input, only send stats if the number of values in the input is less than this number; default:100
;
Logging configuration¶
seizu ships with a sane json structured logging configuration, and good defaults, but you can override them via a config file. Note that this setting is for the workers. You’ll also need to change gunicorn’s logging configuration file setting to change the web process.
LOG_CONFIG_FILE
: Location of the logging configuration file; default:/home/seizu/seizu/logging.conf