Merge pull request #141 from datajoint/docs/production-deployment

docs: add production deployment how-to guide

Author: MilagrosMarin

scripts/gen_api_pages.py

@@ -24,7 +24,6 @@
     "datajoint.blob",
     "datajoint.hash_registry",
     "datajoint.jobs",
-    "datajoint.admin",
     "datajoint.migrate",
 ]
 
@@ -44,7 +43,6 @@
     "datajoint.blob": ("Blob", "Binary serialization"),
     "datajoint.hash_registry": ("Hash Registry", "Content hashing for external storage"),
     "datajoint.jobs": ("Jobs", "Job queue for AutoPopulate"),
-    "datajoint.admin": ("Admin", "Administrative functions"),
     "datajoint.migrate": ("Migrate", "Schema migration utilities"),
 }
 

src/how-to/deploy-production.md

@@ -144,12 +144,17 @@ ephys_schema = dj.Schema(prefix + 'ephys')       # myproject_ephys
 
 ```sql
 -- Grant access to all schemas with prefix
-GRANT ALL PRIVILEGES ON `myproject\_%`.* TO 'developer'@'%';
+GRANT ALL PRIVILEGES ON `myproject_%`.* TO 'developer'@'10.0.0.%';
 
 -- Read-only access to another project
-GRANT SELECT ON `otherproject\_%`.* TO 'developer'@'%';
+GRANT SELECT ON `otherproject_%`.* TO 'developer'@'10.0.0.%';
 ```
 
+!!! warning "Restrict Host Access"
+    Avoid using `'%'` for the host in production GRANT statements—this allows
+    connections from any IP address. Use specific IP addresses or subnet patterns
+    like `'10.0.0.%'` to limit access to your internal network.
+
 ## Environment-Based Configuration
 
 Use different configurations for development, staging, and production.
@@ -200,20 +205,49 @@ export DJ_SAFEMODE=false
 
 ### Docker/Kubernetes Example
 
+DataJoint automatically loads credentials from `/run/secrets/datajoint/` when that directory exists (standard Docker/Kubernetes secrets mount point).
+
 ```yaml
 # docker-compose.yaml
 services:
   worker:
     image: my-pipeline:latest
     environment:
       - DJ_HOST=db.example.com
-      - DJ_USER_FILE=/run/secrets/db_user
-      - DJ_PASS_FILE=/run/secrets/db_password
       - DJ_CREATE_TABLES=false
       - DJ_SCHEMA_PREFIX=prod_
-    secrets:
-      - db_user
-      - db_password
+    volumes:
+      # Mount secrets directory
+      - type: bind
+        source: ./secrets
+        target: /run/secrets/datajoint
+        read_only: true
+```
+
+Create the secrets directory with credential files:
+
+```bash
+mkdir -p secrets
+echo "prod_user" > secrets/database.user
+echo "prod_password" > secrets/database.password
+chmod 600 secrets/*
+```
+
+For Kubernetes, use a Secret mounted to `/run/secrets/datajoint/`:
+
+```yaml
+# kubernetes deployment
+spec:
+  containers:
+    - name: worker
+      volumeMounts:
+        - name: dj-secrets
+          mountPath: /run/secrets/datajoint
+          readOnly: true
+  volumes:
+    - name: dj-secrets
+      secret:
+        secretName: datajoint-credentials
 ```
 
 ## Complete Production Configuration

src/tutorials/basics/06-object-storage.ipynb

@@ -21,7 +21,7 @@
   },
   {
    "cell_type": "code",
-   "execution_count": 1,
+   "execution_count": null,
    "id": "cell-1",
    "metadata": {
     "execution": {
@@ -31,21 +31,8 @@
      "shell.execute_reply": "2026-01-24T03:27:42.261846Z"
     }
    },
-   "outputs": [
-    {
-     "name": "stderr",
-     "output_type": "stream",
-     "text": [
-      "[2026-01-23 21:27:42,256][INFO]: DataJoint 2.1.0a7 connected to postgres@127.0.0.1:5432\n"
-     ]
-    }
-   ],
-   "source": [
-    "import datajoint as dj\n",
-    "import numpy as np\n",
-    "\n",
-    "schema = dj.Schema('tutorial_oas')"
-   ]
+   "outputs": [],
+   "source": "import datajoint as dj\nimport numpy as np\n\nschema = dj.Schema('tutorial_oas')\n\n# Clean slate: drop existing schema if re-running\nschema.drop(prompt=False)\nschema = dj.Schema('tutorial_oas')"
   },
   {
    "cell_type": "markdown",
@@ -1807,4 +1794,4 @@
  },
  "nbformat": 4,
  "nbformat_minor": 5
-}
+}