Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Development database credentials best practices?

Tags:

database

mysql

credentials

development-environment

What are the best practices for handling credentials for internal development databases? Both for applications and developers?

Currently we create a separate user/password for every development database and we commit these credentials in our code repository. But we want to move away from storing credentials in our repositories. The problem is that both our developers and the applications need access to the databases.

  • Is it good practice to give developers their own personal account that gives them access to all dev databases? Maybe even all dev and production databases?
  • Should developers use their own personal account in their development environment? Or should they use a different one?
  • If they should use a different account, should every dev database have a separate set of credentials? Or should we create one account that can access all dev databases that developers can use in all their applications?
  • If we should use separate accounts for every dev database, how should developers get these credentials when they set up a new dev environment for themselves? We have found that trying to manually track these (e.g. a wiki) is very error prone and quickly becomes out-of-date.

If it matters, we use MySQL (Percona, to be exact).

like image 691
Sander Marechal Avatar asked Nov 02 '22 05:11

Sander Marechal

1 Answers

First of all make sure that development, staging and production environments are 100% independent. Therefore MySQL accounts should be separate too. It helps to make version upgrades smoothly and it's more secure. In Percona I did a dozen of recovery cases where a developer dropped a production database just because the production and development databases shared his account.

Having said that a developer should have a read-write account on the development database, read-only account on the staging database and read-only on the production.

Create the accounts for each developer, so they are responsible for storing them in secure place. Thus, you don't need to bother how to store/share accounts in safe manner.

Obviously passwords shouldn't be stored in a repository. Keep config templates in the source code tree:

    # cat config.php
    <?php

    $mysql_user="@@MYSQL_USER@";
    $mysql_password="@@MYSQL_PASSWORD@";
    $mysql_host="@@MYSQL_HOST@";
    $mysql_db="@@MYSQL_DB@";

    ?>

To make sure it's not overwritten during an upgrade tell that in .spec file

    %files www
    %config(noreplace) %attr(640, root, apache)  %{_sysconfdir}/%{project_name}/config.php
like image 135
akuzminsky Avatar answered Nov 09 '22 06:11

akuzminsky
Sign in to Comment

Related questions

SQL: Filtering on a computed column
SQL index for deleted_at columns
57, 57 An identification variable must be defined for a JOIN expression
SQL server aggregate function query
Creating Associative Arrays in PHP/MySQL Query
Convert massive MySQL dump file to CSV
Fetch data from database in a tree structure in sqlite
Using database migrations vs workbench
select range when value is higher than in previous value
How to represent a MySQL database schema in C#?
IF ELSE statement in SQL between WHERE AND
How to make my file upload back-end script (PHP, MySQL) thread-safe?
Lightweight SQL server for Raspberry Pi [closed]
List available datatypes in MySQL
How is it possible to correctly nest custom fields in a CakePHP find query?
insert data into database using servlet and jsp in eclipse
how to create database in same location of code?
Fast mysql random weighted choice on big database
get all items of category and its child
Best practice: Import mySQL file in PHP; split queries

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!