On Tue, Dec 04, 2012 at 08:26:11AM -0500, Aaron Weitekamp wrote:
> I don't have an issue leaving it in place for devel/testing but I'm
> not sure what that would look like. Remove for productization? It
> seems simplest to just remove the default. Devel and test can specify
> the same defaults for convenience.

FWIW, we have a couple of rake tasks for setting this up:

    rake dc:create_admin_user     # Create user "admin" for CloudEngine
    rake dc:site_admin[username]  # Grant administrator privileges to registred user

So I don't see any reason we couldn't ship RPMs that are secure by
default, but leave the tooling around for developers to insert a default
admin account in their development/test setups. I definitely agree with
the notion that we shouldn't ship with insecure defaults just because
it's more convenient for developers. ;)

(Should dc:create_admin_user just prompt for a password, rather than
defaulting to 'password'?)

-- Matt