Hi Dev,

I believe that it would not provide much more security around the details.

Thank you for responding.


Regards

Lance


On 11/13/18 4:55 AM, Devender Kumar wrote:
Hi
Study about LDAP protocol
Regards
Dev

On Tue 13 Nov, 2018, 4:06 AM PASCUAL Eric <eric.pasc...@cstb.fr> wrote:

    Hi Lance,


    Well, I was off topic. Sorry for this :/ I understand your need
    better now.


    There are chances you've already thought of this option, but what
    about storing the sensitive data encrypted with a key based on a
    passphrase the user must provide when logging in, in addition to the
    usual credentials? This passphrase would not be stored anywhere,
    so even if the DB is compromised, the sensitive data would not be
    usable.


    Eric

    ------------------------------------------------------------------------
    *From:* django-users@googlegroups.com on behalf of Lance Haig
    <lnh...@gmail.com>
    *Sent:* Monday, November 12, 2018 4:45:50 PM
    *To:* django-users@googlegroups.com
    *Subject:* Re: How do I store details securely with django?

    Hi Eric,


    I am sure I have not explained myself properly.

    The app does the following.

    It presents a user the ability to sign up to a cloud platform for
    a sandbox / playground account.
    The number of cloud services that are available will change over time.

    Each cloud platform has a set of credentials (username, password,
    domain etc...) These credentials will have elevated permissions
    within their own environments and so should be kept as safe as
    possible.

    Currently I use secrets and .env files to provide these credentials.
    This requires physical access to the platform to add new secrets
    etc...

    I want to enable editing (e.g. CRUD on the platform credentials)
    without having to redeploy the application or update the secrets.
    The idea was to enable an admin interface to the DB so that each
    cloud platform admin could add more or delete their platform from
    the solution.
    This requires a place to store secrets that can be updated, deleted
    and created.
    I was hoping that there might be a standard way to store these
    that is secure other than adding secrets or updating the .env file.

    Thanks for trying to understand my vague question.

    Lance



    On 11/12/18 10:04 AM, PASCUAL Eric wrote:

    Hi Lance,


     but I need for people who are admins for a particular cloud to
    add their cloud details to the app and then store their
    credentials securely.


    I'm not sure I understand the need for adding cloud details to
    the app for the admins.


    The suggestion I made assumed that sensitive information is
    managed as K8S secrets. As long as the admins have GCloud (for
    instance) credentials set (which are stored and managed at GCloud
    level), they can administrate the secrets resources by "applying"
    the corresponding YAML descriptors remotely from their
    workstation. The sensitive values are thus stored nowhere inside
    the application itself, but passed to the containers at runtime
    as environment variables.


    Maybe I've misunderstood your need and sorry in this case if my
    answer is off topic.


    Best


    Eric

    ------------------------------------------------------------------------
    *From:* django-users@googlegroups.com on behalf of Lance Haig
    <lnh...@gmail.com>
    *Sent:* Monday, November 12, 2018 9:07:30 AM
    *To:* django-users@googlegroups.com
    *Subject:* Re: How do I store details securely with django?

    Hi Eric,


    Thanks for the response.


    This idea has an end goal of being deployed in a resilient way so
    most probably docker with some form of orchestration, Docker
    swarm or Kubernetes.


    The credentials are mainly stored in a .env file at the moment
    and could be added to the secrets but I need for people who are
    admins for a particular cloud to add their cloud details to the
    app and then store their credentials securely.


    Unfortunately this will need a dynamic storage mechanism which I
    don't know how to do yet.


    Regards


    Lance



    On 11/12/18 12:03 AM, PASCUAL Eric wrote:

    Hi,


    It can depend on which deployment option you plan to use for the
    application.


    For instance, a Docker deployment orchestrated by Kubernetes
    gives the option of using secrets for sensitive information,
    which a hoster such as GCP manages conveniently. In this kind of
    deployment, configuration (and secrets) are passed to the app as
    environment variables, to which Kubernetes configuration maps
    and secrets are mapped. Thanks to this, values are stored
    nowhere in the app code, companion files or database.


    Regards


    Eric

    ------------------------------------------------------------------------
    *From:* django-users@googlegroups.com on behalf of Mike
    Dewhirst <mi...@dewhirst.com.au>
    *Sent:* Sunday, November 11, 2018 11:07:14 PM
    *To:* django-users@googlegroups.com
    *Subject:* Re: How do I store details securely with django?
    On 12/11/2018 12:47 AM, Lance Haig wrote:
    > Hi,
    >
    > I have a project I am working on https://github.com/lhaig/usery/ and
    > part of the roadmap of the project is to add more cloud types to the
    > list.
    >
    > I wanted to allow admins for these services to login and create
    > records for their different clouds in the DB and then use these when
    > people request access to these services.
    >
    > I need to find a secure way to store these credentials so that even if
    > the DB is compromised the credentials are safe.

    I agree credentials should not be stored in the database but what are
    your other assumptions about the threats?

    How many sets of credentials will there be?

    In future, will you be using simple credentials or tokens, certificates,
    multi factor auth?

    If this is a prototype and only a few sets are involved you can store
    credentials in a file or one file per set and write a method to fetch
    them as required. That will keep them out of the database and let you
    rejig the method after you have decided how it should really work.

    >
    > Does anyone have suggestions on how I can accomplish this?
    >
    > I would really appreciate some advice.
    >
    > Regards
    >
    > Lance
    >
    >
    >

-- You received this message because you are subscribed to the
    Google Groups "Django users" group.
    To unsubscribe from this group and stop receiving emails from
    it, send an email to django-users+unsubscr...@googlegroups.com
    <mailto:django-users+unsubscr...@googlegroups.com>.
    To post to this group, send email to
    django-users@googlegroups.com
    <mailto:django-users@googlegroups.com>.
    Visit this group at https://groups.google.com/group/django-users.
    To view this discussion on the web visit
    
https://groups.google.com/d/msgid/django-users/c8819341-7c60-56ee-6298-3a6a7897e9b1%40dewhirst.com.au.
    For more options, visit https://groups.google.com/d/optout.
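
Eric's suggestion earlier in the thread (store the sensitive data encrypted under a key derived from a passphrase that is never stored) can be illustrated as follows. This is an added example, not code from the thread or from the usery project; it assumes the third-party `cryptography` package, and `seal`, `unseal`, the blob layout and the platform names are hypothetical.

```python
import hashlib
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 12, 16


def derive_key(passphrase: str, salt: bytes) -> bytes:
    # scrypt is slow and memory-hard, which makes guessing the passphrase
    # expensive for someone who has only a copy of the database.
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=32)


def seal(passphrase: str, platform: str, secret: str) -> bytes:
    """Return salt || nonce || ciphertext+tag, suitable for a binary DB column."""
    salt = os.urandom(SALT_LEN)      # fresh per record, stored in the clear
    nonce = os.urandom(NONCE_LEN)    # never reused under the same key
    key = derive_key(passphrase, salt)
    # The platform name is authenticated but not encrypted, so a blob copied
    # onto another platform's row fails to decrypt.
    ct = AESGCM(key).encrypt(nonce, secret.encode("utf-8"), platform.encode("utf-8"))
    return salt + nonce + ct


def unseal(passphrase: str, platform: str, blob: bytes):
    """Return the secret, or None for a wrong passphrase, wrong row or tampering."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct = blob[SALT_LEN + NONCE_LEN:]
    key = derive_key(passphrase, salt)
    try:
        return AESGCM(key).decrypt(nonce, ct, platform.encode("utf-8")).decode("utf-8")
    except InvalidTag:
        return None


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    blob = seal("correct horse battery", "openstack-lab", "s3cret-api-key")
    print(len(blob), unseal("correct horse battery", "openstack-lab", blob))
    print(unseal("wrong passphrase", "openstack-lab", blob))
```

Because the key exists only while the passphrase is in memory, a background job that provisions accounts cannot decrypt the record unless an admin supplies the passphrase for that operation.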