Avoid writing env variables to config.yml

Right now Tutor saves all configuration to the config.yml file. That includes environment variables defined with TUTOR_* prefix. Is that desirable? Sometimes we want to leave some values (ex: secrets) in the environment only and use them from there. This makes running Tutor in CI/CD difficult as it rewrites the config.yml file.

Do you think it’s a bug? Can we fix this behavior? I will be happy to open a PR. :slight_smile:

I understand that you might want to update the tutor environment without necessarily re-writing the config.yml file. Although some of your reasons puzzle me:

You are aware that these secrets eventually find their way in the tutor environment, right? For instance, the edx-platform secret key is used in the LMS/CMS settings modules. Moreover, environment variables are accessible by any user on the server, which makes them “less” secure than when they are stored in a dedicated file:

$ POUAC=plonk sleep 4000
$ ps aux | grep sleep
regis     185127  0.0  0.0   8092   472 pts/0    S+   10:43   0:00 sleep 4000
$ ps eww 185127
 185127 pts/0    S+     0:00 sleep 4000 POUAC=plonk SHELL=/bin/bash ...

Anyway, I understand that you might want to skip updating the config.yml file in some cases. Would you like to add a -e/--env-only option to tutor config save? That would be a welcome PR.

@regis Thanks for the explanation. I think having an env only mode to skip modification of config.yml would be enough for those cases since the tutor env will get updated anyway.

I’ve opened a PR. Let me know if you face any issues or want any changes to that.


This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.