add notes on graph store passwords and dynamic variables

neurobagel · Jan 13, 2025 · 85cc37f · 85cc37f
1 parent b850cf7
commit 85cc37f
Showing 1 changed file with 12 additions and 9 deletions.
diff --git a/docs/user_guide/config.md b/docs/user_guide/config.md
@@ -88,33 +88,36 @@ Below are all the possible Neurobagel environment variables that can be set in `
 
 For security and best practice purposes, follow the below additional steps to configure your node if you are using a deployment profile that includes a graph store:
 
-1. **Change the values** of the following variables in `.env`:
+1. **Change the values** of the following variables in `.env` from their defaults:
     - `NB_GRAPH_USERNAME`
     - `NB_GRAPH_DB`
 
-2. **Change the default passwords** for the `admin` superuser and the newly created graph database user (`NB_GRAPH_USERNAME`) for your graph store. 
+2. **Replace the default passwords** for the `admin` superuser and the newly created graph database user (`NB_GRAPH_USERNAME`) for your graph store with your own secure passwords. 
 
     - These passwords are set using the contents of files named `NB_GRAPH_ADMIN_PASSWORD.txt` and `NB_GRAPH_PASSWORD.txt`, respectively. 
     The default location of these files is [`./secrets`](https://github.com/neurobagel/recipes/tree/main/secrets) in the Neurobagel [`recipes`](https://github.com/neurobagel/recipes) repo.
-    - Make sure to use secure passwords for `NB_GRAPH_ADMIN_PASSWORD.txt` and `NB_GRAPH_PASSWORD.txt`. 
-
-        To generate a random password in the terminal, you can use:
-          ```bash
-          openssl rand -hex 16
-          ```
+    - To generate a random password in the terminal, you can use:
+      ```bash
+      openssl rand -hex 16
+      ```
 
     - (Optional) Change the location of your password files to a more secure directory using the variable `NB_GRAPH_SECRETS_PATH`.
 
+    ??? info "Graph store passwords are not meant for use by node query users"
+        The passwords specified in the deployment recipe are only used internally by the scripts that (automatically) set up and update the graph store, or to interact directly with the graph store (e.g., to modify database configuration or data).
+
     ??? info "Passwords are handled as Docker secrets"
 
         The contents of `NB_GRAPH_ADMIN_PASSWORD.txt` and `NB_GRAPH_PASSWORD.txt` are passed to Neurobagel containers as [Docker secrets](https://docs.docker.com/reference/compose-file/secrets/).
         This ensures that your passwords are not exposed in the container logs or in the `docker-compose.yml` file.
 
         Make sure to not share your password files with others.
 
-2. **Review and change as necessary** values of the following variables in `.env` based on your data sharing requirements:
+2. **Review and change as necessary** values of the following variables in `.env` from their defaults, based on your data sharing requirements:
     - `NB_RETURN_AGG`
     - `NB_MIN_CELL_SIZE`
+    !!! info
+        You can change these values at any time.
 
 
 ## Configuring local node names and URLs for federation