Conversation
Co-authored-by: Aniruddh25 <3513779+Aniruddh25@users.noreply.github.com>
Co-authored-by: Aniruddh25 <3513779+Aniruddh25@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Adds a default dab-config.json into the published Docker image to improve first-run experience (container can start without mounting a config file, relying on an env-provided connection string).
Changes:
- Added a new root-level
dab-config.jsonintended to be baked into the Docker image as the default runtime configuration. - Updated
Dockerfileto copydab-config.jsoninto/App/dab-config.jsonin the runtime image. - Updated
.gitignoreto ensure the rootdab-config.jsonis not ignored by the existingdab-config*.jsonrule.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
dab-config.json |
Introduces a default runtime config intended for Docker image consumption. |
Dockerfile |
Bakes the default config into the runtime image at /App/dab-config.json. |
.gitignore |
Ensures the root default config is tracked despite existing ignore patterns. |
| @@ -0,0 +1,58 @@ | |||
| { | |||
| "$schema": "https://github.com/Azure/data-api-builder/releases/download/v1.7.86-rc/dab.draft.schema.json", | |||
There was a problem hiding this comment.
The $schema URL is pinned to a specific prerelease tag (v1.7.86-rc). This is likely to go stale as the repo/version advances and may break editor schema resolution. Consider using the repo’s vmajor.minor.patch convention used elsewhere in the repo configs, or updating this to a stable/maintained schema URL that won’t require frequent edits.
| "$schema": "https://github.com/Azure/data-api-builder/releases/download/v1.7.86-rc/dab.draft.schema.json", | |
| "$schema": "https://github.com/Azure/data-api-builder/releases/latest/download/dab.draft.schema.json", |
| { | ||
| "role": "anonymous", | ||
| "actions": [ | ||
| "*" |
There was a problem hiding this comment.
This default config grants anonymous the * action for auto-generated entities while also enabling REST/GraphQL/MCP (and DML tools). If a user runs the image with a real connection string in a network-accessible environment, this can unintentionally expose full CRUD access. Consider making the default safer (e.g., read-only permissions, or require an explicit auth provider / opt-in before enabling mutations).
| "*" | |
| "read" |
| "allow-credentials": false | ||
| }, | ||
| "authentication": { | ||
| "provider": "Unauthenticated" |
There was a problem hiding this comment.
runtime.host.authentication.provider is set to "Unauthenticated", but that value isn’t supported by the config schema (only StaticWebApps/EntraID/Simulator/AppService/AzureAD/Custom) and will also fail engine startup (unsupported authentication configuration). Remove the authentication block to use defaults, or switch to a supported provider (e.g., "Simulator" for dev mode).
| "provider": "Unauthenticated" | |
| "provider": "Simulator" |
| "autoentities": { | ||
| "default": { | ||
| "template": { | ||
| "mcp": { "dml-tool": true }, |
There was a problem hiding this comment.
In the autoentities.default.template.mcp section the property name is dml-tool, but the schema expects dml-tools. With additionalProperties: false this will make the config invalid / fail validation and DML tools won’t be enabled as intended.
| "mcp": { "dml-tool": true }, | |
| "mcp": { "dml-tools": true }, |
Why make this change?
The Docker image shipped with no default configuration file, requiring users to supply one before the container would start — a poor out-of-the-box experience for first-time users.
What is this change?
dab-config.json(new, repo root) — Default configuration baked into the image:mssqldatabase type; connection string resolved at runtime via@env('DAB_CONNSTRING')(no secrets committed)/api), GraphQL (/graphql), and MCP (/mcp) endpoints enabledautoentities.defaulttemplate with DML tools andanonymous:*permissionsdevelopmentDockerfile— Copies the default config into the runtime image:.gitignore— Added!/dab-config.jsonexception; the existingdab-config*.jsonrule was silently excluding this file from version control.How was this tested?
Sample Request(s)
Run the container with just a connection string — no config mount required:
Override the default config by mounting your own:
Original prompt
💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.