• Monday

    • Private work.
    • Altman / Shear / Ilya / Satya, the whole story crazy.
    • IRA reposition. It’s the same investment mgmt fees for MS, retirement or non-retirement accounts (total AUM). Fees drop with more AUM (~1.5 -> 1). Externally-managed positions may have additional fees.
    • Adobe’s free SVG converter will turn backgrounds black if transparent. Use source images with white backgrounds.
    • Started process for Clear’s NextGen Identity+.
    • Supercontest.
      • I don’t need a general sbsc KMS key.
        • Right now it’s only used to encrypt/decrypt RDS exports to S3.
        • That’s a rare requirement, and I can create the key when needed for that.
        • Every AWS KMS key (that you custom-manage, not AWS-managed) costs $1/mo, or 3c/day. Then there are usage costs, but they’re small – 3c for 10k requests.
        • Scheduled deletion. Min holding period of 7 days, can inspect logs for usage, then all data from it is un-decrypt-able.
        • I still have the 6 AWS-managed keys.
      • ElastiCache.
        • Upgraded ElastiCache cluster to Redis 7.1.
        • 1 shard, 0 replicas. Inherits backup+maintenance schedule from RDS.
        • Implemented with lazy-loading and write-through. No TTL.
        • ElastiCache AUTH has 3 options: IAM, password, none.
        • Redis offers RBAC. You can define users and usergroups in ElastiCache. Perms are defined by “Access Strings” – e.g. on ~* +@all, which gives everything.
        • Remember for connectivity: keep resources for (EC2, Lambda, RDS, ElastiCache) in the same VPC.
        • Redis CLI syntax and Python Client syntax for connection/interaction here: https://gitlab.com/bmahlstedt/supercontest/-/issues/225#note_1659547726
        • My Redis cache requires encrypted connections (TLS).
        • Remember there’s no connection between cache and db. The app manages access to both.
        • Created a security group to allow TCP traffic on 6582 into the cache.
        • “The system automatically creates a default user that is associated with all user groups when a default user is not provided. This user does not provide secure access control to clusters and is intended only for compatibility. Please replace with a default user that is disabled or uses a strong password.”
          • Added access control to the cache (was none before). Controlled by User Groups and Users. Added the default and supercontest users.
          • Created supercontest user. Important to make the NAME default (bc you must have a default user, and the default default has no pw, and you want auth) and the User ID custom, like supercontest.
          • Created a user group for access to this cache. Added supercontest as the sole user. You must have one user in the group named default.
        • Fully connected from CLI and Python, with auth, with TLS. Played with both a little.
        • Thought a bit about the key design. I’ll probably clean up the data API first so the access patterns are clear. Then easier to cache.
        • Thought a bit about using Redis sorted sets for the leaderboards.
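
An audit of the ElastiCache RBAC setup from the notes above (passwordless default user, access strings), as an added example that is not part of the original notes. USERS is constructed sample data shaped like the Users list from boto3's ElastiCache describe_users; the readonly user and its key pattern are hypothetical.

```python
# Constructed sample data, shaped like the "Users" list that boto3's
# elasticache describe_users() returns. The "readonly" user is hypothetical.
USERS = [
    {"UserId": "default", "UserName": "default",          # auto-created default
     "AccessString": "on ~* +@all",
     "Authentication": {"Type": "no-password"}},
    {"UserId": "supercontest", "UserName": "default",     # replacement default
     "AccessString": "on ~* +@all",
     "Authentication": {"Type": "password", "PasswordCount": 1}},
    {"UserId": "readonly", "UserName": "readonly",
     "AccessString": "on ~leaderboard:* +@read",
     "Authentication": {"Type": "iam"}},
]


def parse_access_string(access):
    """Split a Redis ACL access string into enabled flag, key patterns, command rules."""
    enabled, keys, commands = False, [], []
    for token in access.split():
        if token in ("on", "off"):
            enabled = token == "on"          # the last on/off token wins
        elif token.startswith("~"):
            keys.append(token[1:])
        elif token[0] in "+-":
            commands.append(token)
    return {"enabled": enabled, "keys": keys, "commands": commands}


def audit_user(user):
    """Return findings for one user record; disabled users cannot log in."""
    acl = parse_access_string(user["AccessString"])
    if not acl["enabled"]:
        return []
    findings = []
    if user["Authentication"]["Type"] == "no-password":
        findings.append("enabled without a password")
    unrestricted = "+@all" in acl["commands"] and not any(
        c.startswith("-") for c in acl["commands"])
    if "*" in acl["keys"] and unrestricted:
        findings.append("full access (~* +@all)")
    return findings


def audit(users):
    report = {u["UserId"]: audit_user(u) for u in users}
    return {uid: found for uid, found in report.items() if found}


print(audit(USERS))
```

A default user switched to off produces no findings, which matches the "disabled or uses a strong password" guidance in the console message quoted above.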