[#1393] Update Fidesops config with sane defaults where necessary

[seanpreston]

Purpose

This PR addresses some shortcomings in the Fidesops config highlighted by the recent removal of the fidesops.toml from the Docker build. I've not tried to set defaults for any config vars within the [database], [redis], or [security] subsections, since they're either handled separately, or setting a default is an anti-pattern.

This Fideslib PR also aims to clarify which part of config. loading any error has occurred in.

Changes

• Only populate analytics_id if analytics_opt_out is either None or False — this still preserves the behaviour of an explicit opt-out.
• Sets port to 8080
• Sets task_retry_ vars to 0 — this means by default nodes in the Fidesops identity graph traversal will not attempt to retry if they fail.

Checklist

• Update CHANGELOG.md file
  • Merge in main so the most recent CHANGELOG.md file is being appended to
  • Add description within the Unreleased section in an appropriate category. Add a new category from the list at the top of the file if the needed one isn't already there.
  • Add a link to this PR at the end of the description with the PR number as the text. example: #1
• Applicable documentation updated (guides, quickstart, postman collections, tutorial, fidesdemo, database diagram.
• If docs updated (select one):
  • documentation complete, or draft/outline provided (tag docs-team to complete/review on this branch)
  • documentation issue created (tag docs-team to complete issue separately)
• Good unit test/integration test coverage
• This PR contains a DB migration. If checked, the reviewer should confirm with the author that the down_revision correctly references the previous migration before merging
• The Run Unsafe PR Checks label has been applied, and checks have passed, if this PR touches any external services

Ticket

Fixes #1393

[NevilleS]

Thanks - few notes from my end

[NevilleS]

Why not? Our previous defaults for this (set in the TOML) did have nonzero retries, and I think that's helpful behaviour!

[seanpreston]

I think not retrying at all is a sane default given the context of:

• this var. is also used in the CI tests (ultimately we'll overload this) and causes runtimes to increase significantly
• the reporting of what's happening during the retries is opaque (again, we will fix this in a subsequent release)
• it's blanket applied across all datastores, regardless of any specifics — a more sane implementation would allow for datastore level overrides

It can always be overloaded

[NevilleS]

OK, I'll trust you to roll this into future improvements so that our default retry logic is reasonable. I'd argue that we should disable it in CI if we want (we can override this ourselves!) but understand if the retries are surprising right now. We can improve that in our error reporting work

[NevilleS]

This variable can't be set via an ENV option right now, since there isn't a env var prefix set for the top-level config object

[seanpreston]

Good spot!

[NevilleS]

There's a (required!) config variable missing from this schema: fidesops.security.drp_jwt_secret. Can you add it to the schema and ensure it's optional?

[seanpreston]

It's in the Fideslib config already, so we shouldn't specify it twice

[NevilleS]

Ah, I see! I'd like it to have a default though, can't we make that optional?

[seanpreston]

Good spot, have made this update to Fideslib

[sanders41]

Now that this is optional jwt_key: str = config.security.drp_jwt_secret in src/fidesops/ops/api/v1/endpoints/drp_endpoints.py has the wrong type. Interestingly it already handles the None case.

[NevilleS]

One more suggestion: can you bump the fideslib requirement in this PR and ensure the related PR lands? So that this all comes together into the ops codebase and closing the related issue.

[seanpreston]

This is unused, so I'm removing it here as part of this housekeeping.

[seanpreston]

cc @eastandwestwind — this should hopefully fix the client_id generation issue once and for all

[seanpreston]

I'd be open to other ways of doing this than casting to int(...) though it seemed practical for now.

My main gripe is that this could be confusing for users as the env vars are expected to be strings, where port must then be an integer. It's technically possible to run Fidesops with FIDESOPS__PORT="iamastring" and the error message would be along the lines of ValueError: invalid literal for int() with base 10: 'iamastring'.

[sanders41]

The idea here being the user gets a more informative error message?

[sanders41]

Now that this is optional jwt_key: str = config.security.drp_jwt_secret in src/fidesops/ops/api/v1/endpoints/drp_endpoints.py has the wrong type. Interestingly it already handles the None case.

[sanders41]

The idea here being the user gets a more informative error message?

Changes made

[sanders41]

@seanpreston I re-ran my isolated container and everything worked well.

After these updates jwt_key: str = config.security.drp_jwt_secret in src/fidesops/ops/api/v1/endpoints/drp_endpoints.py has the wrong type now. It needs to either be updated to jwt_key: Optional[str] or the type could be removed and use type inference, either way would work. Other than that everything looks good now.

[seanpreston]

After these updates jwt_key: str = config.security.drp_jwt_secret in src/fidesops/ops/api/v1/endpoints/drp_endpoints.py has the wrong type now

I updated that already, you might just need to refresh the diff. Will merge away.

[ThomasLaPiana]

a nit here, but # In seconds doesn't help end-users. If we want to clarify it we should update the variable name to contain the unit, i.e. task_retry_delay_seconds

[sanders41]

You don't think all users are going to read the source code first 😄 ?

Making this change would be a breaking change, task_retry_delay was in previous releases it just gets a default value now. So the question now is it worth it to make a breaking change or could we add something to the docs and that be enough?