Plugin::Database - suggestion to read username/password from a different file
Hello Dancers,

Somewhat related to the "sensitive config data in SCM" topic discussed recently, I would like to suggest the following small patch to "Dancer::Plugin::Database":

Instead of specifying "username/password" in your yml config file, I've added a new setting called "credentials". This one points to a simple text file that would contain the user name and password. With this one can check in all the configuration files, never worrying about passwords. Samba uses a similar option in "smbclient".

So my new config looks like this:

====
plugins:
  Database:
    driver: 'mysql'
    database: 'devdb'
    credentials: 'database.secret'
=====

And the username and password are stored in "database.secret":

=====
$ cat database.secret
username=myuser
password=mypassword
====

The patch is available here: https://github.com/agordon/Dancer-Plugin-Database/commit/5564d0c729899c45b86...

Comments are welcomed,
-gordon
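The following is an added example, written for this page; it is not the patch linked above and not code from Dancer::Plugin::Database. It shows how a plugin could read a "username=... / password=..." file of the format in the post, and adds the check a practitioner would want before trusting such a file: refuse it when it is a symlink, not owned by the running user, or group/world-readable (the same policy ssh applies to private keys), so a "database.secret" that was accidentally committed or left at mode 0644 fails loudly instead of silently leaking. The helper name `read_credentials` and the error messages are assumptions; the sample file it writes is constructed here to match the post's format.

```perl
#!/usr/bin/env perl
# Added example: parse a credentials file ("key=value" per line) and refuse
# files whose ownership or permissions would expose the password.
use strict;
use warnings;
use Fcntl ':mode';
use File::Temp qw(tempdir);

# Hypothetical helper (not the plugin's API). Returns { username => ..., password => ... }.
sub read_credentials {
    my ($path) = @_;

    # Refuse symlinks and non-regular files: a symlink lets someone redirect a
    # checked-in path at a file they control.
    die "$path: not a regular file\n" unless -f $path && !-l $path;

    my @st   = stat $path or die "$path: cannot stat: $!\n";
    my $mode = S_IMODE($st[2]);
    # Like ssh does with private keys: no group or other bits at all, otherwise
    # every local account can read the password.
    if ($mode & (S_IRWXG | S_IRWXO)) {
        die sprintf("%s: permissions %04o are too open; expected 0600\n", $path, $mode);
    }
    # The file must belong to the effective user running the app.
    die "$path: not owned by the running user\n" if $st[4] != $>;

    open my $fh, '<', $path or die "$path: cannot open: $!\n";
    my %cred;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;    # skip blank lines and comments
        my ($k, $v) = $line =~ /^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$/
            or die "$path: line $.: expected key=value\n";
        die "$path: line $.: duplicate key '$k'\n" if exists $cred{$k};
        $cred{$k} = $v;
    }
    close $fh;

    for my $required (qw(username password)) {
        die "$path: missing '$required'\n" unless defined $cred{$required};
    }
    return \%cred;
}

# Usage: write a constructed sample file in a temp dir, read it back, then
# show the rejection once the file is made world-readable.
if (!caller) {
    my $dir  = tempdir(CLEANUP => 1);
    my $file = "$dir/database.secret";
    open my $out, '>', $file or die "$file: $!\n";
    print {$out} "# constructed sample in the post's format\n",
                 "username=myuser\n",
                 "password=mypassword\n";
    close $out;
    chmod 0600, $file or die "$file: $!\n";

    my $cred = read_credentials($file);
    printf "user=%s password-length=%d\n", $cred->{username}, length $cred->{password};

    chmod 0644, $file or die "$file: $!\n";
    eval { read_credentials($file); 1 } or print "rejected: $@";
}
```

The permission check is deliberately stricter than "is the file in .gitignore": the point of a separate credentials file is that it lives outside the SCM, so the only thing protecting it is the filesystem, and an app that happily reads a 0644 secret file gives no signal that this protection is missing.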
2011/9/22 Assaf Gordon <gordon@cshl.edu>:
Instead of specifying "username/password" in your yml config file, I've added a new setting called "credentials". This one points to a simple text file that would contain the user name and password.

Cool, it's a good idea.

So my new config looks like this:

====
plugins:
  Database:
    driver: 'mysql'
    database: 'devdb'
    credentials: 'database.secret'
=====

And the username and password are stored in "database.secret":

=====
$ cat database.secret
username=myuser
password=mypassword
====
Ok.
The patch is available here: https://github.com/agordon/Dancer-Plugin-Database/commit/5564d0c729899c45b86... Thanks.
-- \0/ Hobbestigrou site web: erakis.im
On Thursday 22 September 2011 22:35:20 Assaf Gordon wrote:
Hello Dancers,
Somewhat related to the "sensitive config data in SCM" topic discussed recently, I would like to suggest the following small patch to "Dancer::Plugin::Database":
Instead of specifying "username/password" in your yml config file, I've added a new setting called "credentials". This one points to a simple text file that would contain the user name and password.
That sounds like a sensible idea - allowing the less sensitive config data in config.yml to be checked in to version control, without worrying about the database connection details being leaked.

Thanks for this idea and patch - sorry for the slow reply, I will get this new feature incorporated soon.

Cheers

Dave P

-- David Precious ("bigpresh") http://www.preshweb.co.uk/ "Programming is like sex. One mistake and you have to support it for the rest of your life". (Michael Sinz)
Well, but on the other hand, an app can use some external HTTP API instead of MySQL; the config file will contain some API key in this case, and the config file can contain some other passwords, from an SMTP server, for example. It's not possible to move all passwords into such files (and it is not a good idea anyway). Maybe it's better to write clearer documentation about the different environments' configs and use them as they should be used, instead of implementing a square wheel?

26.09.2011 0:12, David Precious wrote:
On Thursday 22 September 2011 22:35:20 Assaf Gordon wrote:
Hello Dancers,
Somewhat related to the "sensitive config data in SCM" topic discussed recently, I would like to suggest the following small patch to "Dancer::Plugin::Database":
Instead of specifying "username/password" in your yml config file, I've added a new setting called "credentials". This one points to a simple text file that would contain the user name and password.
That sounds like a sensible idea - allowing the less sensitive config data in config.yml to be checked in to version control, without worrying about the database connection details being leaked.
Thanks for this idea and patch - sorry for the slow reply, I will get this new feature incorporated soon.
Cheers
Dave P
-- Best Regards, Nick Knutov http://knutov.com ICQ: 272873706 Voice: +7-904-84-23-130
2011/9/25 Nick Knutov <mail@knutov.com>:
Well, but on the other hand, an app can use some external HTTP API instead of MySQL; the config file will contain some API key in this case, and the config file can contain some other passwords, from an SMTP server, for example. It's not possible to move all passwords into such files (and it is not a good idea anyway).

I think it's a good idea to separate the main config file from the username and password, and it's a best practice. Maybe it's possible to make a generic module to do that.

Maybe it's better to write clearer documentation about the different environments' configs and use them as they should be used, instead of implementing a square wheel?

I'm not sure I understand all you mean.
-- \0/ Hobbestigrou site web: erakis.im
There are config files for each environment ('development', 'production', etc.). They should not contain filled-in passwords and sensitive information if a VCS is used. Any local copy of the project should contain a _copy_ (with a _different_ name) of the desired config with the passwords filled in. Another way to do the same is to create an "-example" version of these configs by default and force users to copy them to the usual configs ('production-example' to 'production'), as Michal Wojciechowski wrote.

26.09.2011 3:35, Natal Ngétal wrote:

Maybe it's better to write clearer documentation about the different environments' configs and use them as they should be used, instead of implementing a square wheel?

I'm not sure I understand all you mean.
-- Best Regards, Nick Knutov http://knutov.com ICQ: 272873706 Voice: +7-904-84-23-130
On 09/22/2011 11:35 PM, Assaf Gordon wrote:
Somewhat related to the "sensitive config data in SCM" topic discussed recently, I would like to suggest the following small patch to "Dancer::Plugin::Database":
Instead of specifying "username/password" in your yml config file, I've added a new setting called "credentials". This one points to a simple text file that would contain the user name and password.
With this one can checkin all the configuration files, never worrying about passwords.
I don't think that's such a good idea. There are many other sensitive configuration parameters that could be in the configuration file, like secret API keys, password salts, even e-mail addresses. Following this idea, we'd have to create a separate file for each one of them.

I think the de facto standard of what to do with configuration files in version control systems is to create an "-example" version of the file (e.g. config-example.yml) and store that in the repository, instead of the actual configuration file. The example file has all the default settings, and placeholders for sensitive information, such as "password: YOUR_PASSWORD". Most web applications use this method, or a similar one.

This also has one "psychological" (so to speak) benefit, as it requires the user to go through the configuration settings and actually configure the application before using it.

Anyway, if this idea gets implemented, please don't make it the default :)

-- Michal Wojciechowski http://odyniec.net/ | http://search.cpan.org/~odyniec/
On Sun, Sep 25, 2011 at 5:43 PM, Michal Wojciechowski <odyniec@odyniec.eu.org> wrote:
On 09/22/2011 11:35 PM, Assaf Gordon wrote:
Somewhat related to the "sensitive config data in SCM" topic discussed recently, I would like to suggest the following small patch to "Dancer::Plugin::Database":
Instead of specifying "username/password" in your yml config file, I've added a new setting called "credentials". This one points to a simple text file that would contain the user name and password.
With this one can checkin all the configuration files, never worrying about passwords.
I don't think that's such a good idea. There are many other sensitive configuration parameters that could be in the configuration file, like secret API keys, password salts, even e-mail addresses. Following this idea, we'd have to create a separate file for each one of them.
I think the de facto standard of what to do with configuration files in version control systems is to create an "-example" version of the file (e.g. config-example.yml) and store that in the repository, instead of the actual configuration file. The example file has all the default settings, and placeholders for sensitive information, such as "password: YOUR_PASSWORD". Most web applications use this method, or a similar one.
This also has one "psychological" (so to speak) benefit, as it requires the user to go through the configuration settings and actually configure the application before using it.
Anyway, if this idea gets implemented, please don't make it the default :)
-- Michal Wojciechowski http://odyniec.net/ | http://search.cpan.org/~odyniec/

_______________________________________________ Dancer-users mailing list Dancer-users@perldancer.org http://www.backup-manager.org/cgi-bin/listinfo/dancer-users
I don't think this is a particularly good idea either, ... and there are other, better ways to handle this. Besides the de facto standard Michal spoke of, which I can vouch for, most web devs completely ignore the abilities and benefits of having a database, e.g. creating limited user accounts. You can simply create a restricted user account that only has permission to do what you allow other developers to do, and then the user's credentials are no longer that big of a secret, ... then, when it's time to go live, ... use a different db user. Ship an additional .sql file with the app in the SCM that creates this user locally for your other developers. Now everyone's environment is exactly the same minus the OS, etc.

-- Al Newkirk ANAIO
participants (6)
- Al Newkirk & Associates
- Assaf Gordon
- David Precious
- Michal Wojciechowski
- Natal Ngétal
- Nick Knutov