Everything in storage is encrypted using a CMK (customer master key) automatically
This is done by datomic itself, instead of through the specific aws services
Extending on this, if we would like to also have SSE available on the S3 buckets from a company policy perspective, can datomic support this? Would this affect the way datomic performs? I've run it in a sandbox environment and it looks like datomic can work with the SSE bucket and objects. Can you maybe confirm this @marshall? Our security department would like to see that all buckets are encrypted by default, as this makes it from an auditing perspective slightly easier. Altering the template is something we already have to do unfortunately to run datomic in our managed accounts since we are required to implement a role boundary on our IAM roles (which works perfectly fine, having it with an automated script.)
Sent you a DM. Sorry I can't help with this issue 😞
> so, if the repository id never changes, and the commit->repo reference never changes, and repo id is always available to the application at tx time (I don’t see how it couldn’t be with this schema design) consider denormalizing by putting the repo id on the commit entity

Yeah - I kind of added that external repo-id to simplify the example, but perhaps that just confused things. I had wanted repos to have unique composite tuples made from other attributes too.
We haven’t tested the effects of enabling SSE
Again - we've moved forwards with generating our own unique id attributes for all entities grounded in the attributes of those entities, and this leaves us free to use non-unique composite tuples as we like. This gives us the overall behaviour we like. However, to me, this feels like exactly the sort of constraint problem I want my database to solve for me and doesn't seem unreasonable - at least from the outside. In any case, I'm still wondering which use cases these unique composite tuples (as they are currently implemented) are suitable for.
Thanks for all your insights! 🙂
they are suitable for ensuring uniqueness violations fail a tx (vs upsert), and for having more-selective lookups
I’m trying to disable some logging on a peer server that’s painfully verbose, but I can’t seem to make any progress with the docs. I have a lein project that’s using datomic-pro, tried to add a bin/logback.xml but I’m not really sure how I actually configure datomic to pick up on that file (I added the slf4j exclusion so the datomic pro lib is using logback), since I’ve changed all the loglevels to warn with no change in the verbosity. Also tried to use (.setLevel (org.slf4j.LoggerFactory/getLogger "datomic") ch.qos.logback.classic.Level/WARN) with no progress. Let me know if there’s tips on how to disable the DEBUG logging by default.
If you use the bin/run method of starting, it should have logback.xml on the classpath already
alternatively, you can include the -Dlogback.configurationFile= property to point to your own logback file
wait, do you mean “peer-server” or “peer, that is also a server”?
I got it, just wasn’t familiar with the convention. I added logback.xml to my resources dir so it’s in my class path, not using bin/run, it’s a peer that’s also a server 🙂
ah, ok. that’s different. I recommend always using the property btw instead of putting it on the classpath (except maybe in dev, where you can put the logback in dev-resources)
that’s maybe not especially helpful
Yup, I’m on that page. I’ll add the property on deploy.
I'd like to write a :where clause which will unify and bind a certain var if the relevant attribute is present, but which won't prevent the whole clause from matching if that attribute isn't present.
Something like this:
:where [?foo-id :foo/id "123"] [?foo-id :foo/bar ?foo-bar]
Except I want it to match every :foo/id of 123, regardless of whether :foo/bar is present. But if it is present, I'd like to bind it to ?foo-bar. Is this possible?
thanks @marshall , that's good to know - and I can see that CMK now also. - so does this datomic side encrypting happen for both S3 and EFS then?
I'm not sure I understand you correctly, but it sounds like
Also, I noticed there is just a single (CMK) key named datomic, but I have 2 datomic systems in that region - I'm assuming they're just both sharing that same one? is this something that would be a concern if I'm trying to keep those two systems very separate (in terms of access with IAM roles)?
thank you, I’ll check that out