Treasury Analytics Core
Global Settings & Password Management

Centralized Database Configuration and Password Rotation

Overview

Treasury Analytics Core now includes global settings management for centralizing database configuration across multiple projects and tracking password expiration to ensure security best practices.

Centralized Database Settings

Benefits of Centralized Settings

  • Reduced Duplication: Define database connection parameters once instead of in each project
  • Consistency: Ensure all projects use the same database configuration
  • Security: Store sensitive configuration in a single, secure location
  • Maintainability: Change database configuration in one place when needed

Managing Global Settings

The global settings are stored in a YAML or JSON file in one of these locations (in order of preference):

  • ~/.nova_fde/settings.yaml
  • ~/.config/nova_fde/settings.yaml
  • ~/.nova_fde/settings.json

Creating Global Settings

Use the manage_settings.py script to create global settings:

python -m nova_fde.scripts.manage_settings --create \
  --db-host=your-server.example.com \
  --db-port=5432 \
  --db-name=your_database

Viewing Global Settings

To see your current global settings:

python -m nova_fde.scripts.manage_settings --show

Global Settings Structure

The global settings file has this structure:

database:
  db_host: your-server.example.com
  db_port: 5432
  db_name: your_database
  db_pool_size: 5
  db_max_retries: 3

password_meta:
  last_updated: '2023-07-01T12:00:00'
  expiry_days: 90
  reminder_days: 14
  rotation_history:
    - date: '2023-07-01T12:00:00'
      by: your_username

Using Global Settings in Your Code

The EngineFactory automatically uses global settings when available:

from nova_fde.core.engine_factory import EngineFactory

# Create engine with global settings and password expiration check
engine = EngineFactory.create_with_auto_auth(
    project_root="./my_project",
    check_password_expiry=True
)

You can also programmatically access global settings:

from nova_fde.core.engine_factory import GlobalSettings

# Load global settings
global_settings = GlobalSettings()
settings = global_settings.get_settings()

# Get database settings
db_settings = global_settings.get_db_settings()
print(f"Database host: {db_settings.get('db_host')}")

Password Expiration Tracking

Treasury Analytics Core includes features to track database password expiration and remind you when passwords need to be rotated, helping maintain security best practices.

Password Expiration Policy

The default password expiration policy is:

  • Expiry Days: 90 days after the last update
  • Reminder Days: Start warning 14 days before expiration

You can customize these settings:

# Set password to expire after 120 days, with reminders starting 21 days before
python -m nova_fde.scripts.manage_settings --expiry=120 --reminder=21

Recording Password Updates

When you update your database password, record it to start tracking expiration:

python -m nova_fde.scripts.manage_settings --update-password

This will:

  1. Record the current date as the last password update
  2. Add an entry to the rotation history
  3. Reset the expiration timer

Checking Password Expiration

Check the status of your password expiration:

python -m nova_fde.scripts.manage_settings --check

This will display:

  • When the password was last updated
  • When the password will expire
  • How many days remain until expiration
  • Status: OK, WARNING, or EXPIRED
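The status calculation described above can be reproduced directly from the password_meta block. This is an added example, not code from nova_fde: the function names, the boundary handling and the fail-closed treatment of a missing timestamp are assumptions, and the sample metadata is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample, shaped like the password_meta block shown earlier.
SAMPLE_META = {
    "last_updated": "2023-07-01T12:00:00",
    "expiry_days": 90,
    "reminder_days": 14,
    "rotation_history": [{"date": "2023-07-01T12:00:00", "by": "your_username"}],
}

def expiry_status(meta, now=None):
    """Return (status, expires_at, days_remaining); hypothetical helper."""
    now = now or datetime.now()
    if not meta.get("last_updated"):
        # Assumption: an unrecorded rotation is reported as EXPIRED rather
        # than OK, so a missing timestamp cannot hide an old password.
        return "EXPIRED", None, None
    expires_at = datetime.fromisoformat(meta["last_updated"]) + timedelta(
        days=int(meta.get("expiry_days", 90)))
    days_remaining = (expires_at - now).days
    if now >= expires_at:
        return "EXPIRED", expires_at, days_remaining
    # Assumption: the warning window includes the day it opens.
    if days_remaining <= int(meta.get("reminder_days", 14)):
        return "WARNING", expires_at, days_remaining
    return "OK", expires_at, days_remaining

def history_mismatch(meta):
    """True when last_updated disagrees with the newest rotation_history entry.

    Recording an update writes both fields, so a mismatch points to a
    hand-edited timestamp (for example, expiry postponed without rotating).
    """
    history = meta.get("rotation_history") or []
    if not history:
        return False  # nothing to compare against
    newest = max(datetime.fromisoformat(entry["date"]) for entry in history)
    return newest != datetime.fromisoformat(meta.get("last_updated") or "1970-01-01")

if __name__ == "__main__":
    status, expires_at, left = expiry_status(SAMPLE_META, datetime(2023, 9, 20, 12))
    print(status, expires_at.isoformat(), left, history_mismatch(SAMPLE_META))
```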

Automatic Password Expiration Checks

When using the EngineFactory with check_password_expiry=True, the code automatically checks password expiration when connecting to the database:

engine = EngineFactory.create_with_auto_auth(
    project_root="./my_project",
    check_password_expiry=True
)

This will:

  • Display a warning if the password is about to expire
  • Show an error if the password has already expired
  • Prompt you to continue or cancel if the password has expired

Calendar Integration

Create a calendar reminder for password rotation:

python -m nova_fde.scripts.manage_settings --create-reminder

This generates an .ics calendar file that you can import into:

  • Outlook
  • Google Calendar
  • Apple Calendar
  • Other calendar applications that support iCalendar format

The calendar reminder will:

  • Remind you 7 days before the password expires
  • Remind you 1 day before the password expires
  • Include information about when the password will expire

Project Integration

Creating Projects with Global Settings

When creating new projects with the project creation tool, they automatically use global settings:

python -m nova_fde.scripts.create_project my_project

You can disable global settings if needed:

python -m nova_fde.scripts.create_project --no-global-settings my_local_project

Converting Existing Projects

For existing projects, add this line to your .env file:

NOVA_USE_GLOBAL_SETTINGS=true

Then update your code to use check_password_expiry:

engine = EngineFactory.create_with_auto_auth(
    project_root="./my_project",
    check_password_expiry=True
)

Best Practices

  1. Record Password Updates: Always run --update-password when you update your database password
  2. Check Regularly: Run --check periodically to monitor password expiration
  3. Use Calendar Reminders: Generate and import calendar reminders to avoid missing expiration dates
  4. Set Appropriate Policies: Adjust expiry and reminder days to match your organization’s security policies
  5. Use Global Settings: Create new projects with global settings to ensure consistency

Technical Details

Password Metadata Storage

Password metadata is stored in the global settings file alongside database configuration. The metadata includes:

  • last_updated: When the password was last changed (ISO format date)
  • expiry_days: Number of days until password expires
  • reminder_days: Number of days before expiration to start reminders
  • rotation_history: List of password update records with dates and usernames

Calendar File Format

The generated calendar file uses the iCalendar format (RFC 5545) with:

  • VEVENT component for the main reminder
  • VALARM components for 7-day and 1-day advance reminders
  • Standard fields for summary, description, dates, and unique identifiers
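A file with that shape can be built by hand, as in the added example below. It is not the output of manage_settings or code from nova_fde: the function names, PRODID, UID host and wording of the text fields are assumptions, and the event is modelled as an all-day entry on the expiry date.

```python
from datetime import datetime, timedelta, timezone

def escape_text(value):
    """Escape a TEXT value as RFC 5545 requires (backslash, ';', ',', newline)."""
    for raw, esc in (("\\", "\\\\"), (";", "\\;"), (",", "\\,"), ("\n", "\\n")):
        value = value.replace(raw, esc)
    return value

def fold(line, limit=75):
    """Fold a content line at 75 characters (ASCII input assumed)."""
    parts, rest = [line[:limit]], line[limit:]
    while rest:
        parts.append(" " + rest[:limit - 1])
        rest = rest[limit - 1:]
    return "\r\n".join(parts)

def build_reminder_ics(last_updated, expiry_days, uid_host="example.invalid", now=None):
    """Return iCalendar text: one VEVENT on the expiry date with two VALARMs."""
    expires = datetime.fromisoformat(last_updated) + timedelta(days=expiry_days)
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    day = expires.strftime("%Y%m%d")
    summary = escape_text("Rotate database password")
    # Only the date goes into the event: calendar files are often synced to
    # third-party services, so no host, database name or username is included.
    description = escape_text(
        f"Database password expires on {expires:%Y-%m-%d}; rotate it, "
        "then record the change with manage_settings --update-password.")
    lines = [
        "BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//example//password-rotation//EN",
        "BEGIN:VEVENT", f"UID:pw-expiry-{day}@{uid_host}", f"DTSTAMP:{stamp}",
        f"DTSTART;VALUE=DATE:{day}", f"SUMMARY:{summary}", f"DESCRIPTION:{description}",
    ]
    for days_before in (7, 1):  # the 7-day and 1-day advance reminders
        lines += ["BEGIN:VALARM", "ACTION:DISPLAY", f"DESCRIPTION:{summary}",
                  f"TRIGGER:-P{days_before}D", "END:VALARM"]
    lines += ["END:VEVENT", "END:VCALENDAR"]
    return "".join(fold(line) + "\r\n" for line in lines)

if __name__ == "__main__":
    # Constructed input matching the sample password_meta on this page.
    print(build_reminder_ics("2023-07-01T12:00:00", 90), end="")
```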

Security Considerations

  • Global settings files have 0600 permissions (user read/write only) on Unix systems
  • Password history does not store actual passwords, only update records
  • The system integrates with secure credential storage (keyring, credential files) for actual passwords
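The 0600 guarantee can be verified independently of the tool, for example after restoring a home directory from backup or copying settings between machines. The audit below is an added example, not part of nova_fde: the function name is hypothetical, and it assumes that only the first file in the documented search order is loaded.

```python
import os
import stat
from pathlib import Path

# Search order as documented on this page, relative to the home directory.
CANDIDATES = (
    ".nova_fde/settings.yaml",
    ".config/nova_fde/settings.yaml",
    ".nova_fde/settings.json",
)

def audit_global_settings(home=None):
    """Return (active_path, findings) for the global settings files under home."""
    home = Path(home) if home else Path.home()
    present = [home / rel for rel in CANDIDATES if (home / rel).is_file()]
    if not present:
        return None, ["no global settings file found"]
    active, findings = present[0], []
    for path in present:
        if path != active:
            # Assumption: only the first match is loaded. Lower-preference
            # copies may still hold connection details, so report them.
            findings.append(f"{path}: shadowed by {active}")
        if os.name == "posix":
            st = path.stat()
            mode = stat.S_IMODE(st.st_mode)
            if mode & 0o077:  # any group or other permission bit set
                findings.append(f"{path}: mode {mode:04o}, expected 0600")
            if st.st_uid != os.getuid():
                findings.append(f"{path}: owned by uid {st.st_uid}, not the current user")
    return active, findings

if __name__ == "__main__":
    active, findings = audit_global_settings()
    print("active:", active)
    for finding in findings:
        print("FINDING", finding)
    # Remediation for a mode finding: os.chmod(path, 0o600)
```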