Another way is to run the application as a custom OS user, and use PostgreSQL's 'peer' authentication to give that OS user permissions to the required database. Then you don't need a password, just "postgresql:///database" or "postgresql://dbuser@/database" (if the OS user can choose from two or more database users). (I had to figure out the DBURIs by trial and error since they're not well documented.)
In another case I needed to access an external service with a password, so we made a separate account for the application to use.

On Thu, Feb 27, 2014 at 10:00 AM, Jonathan Vanasco <jonat...@findmeon.com> wrote:
> 1. Depending on your database/infrastructure, I don't think the sqlalchemy
> url necessarily needs to be protected. Someone would need to gain console
> access to one of our servers in order to connect with our DBs, and at that
> point... security concerns like that are a lost cause.
>
> 2. Third-Party APIs and any application passwords definitely do need to be
> protected.
>
> We've tried a few approaches, and ended up with dynamically building out the
> production.ini and other 'sensitive' files as part of the deployment
> process. The values are locally stored in encrypted files, and they're
> decrypted and templated with Fabric on deployment.
>
> Originally we used the environment variables approach. I would prefer it --
> I do think it's safer. The problem is that we switched from direct UWSGI to
> one managed by supervisord -- and that just complicated getting environments
> set up correctly. Too many things going on. It's not impossible, it just
> couldn't get done in the research hours I allocated to it; and the fallback
> is simple. Hopefully I can revisit it.
>
> Of the options listed above, I like Ansible the most. Fabric is
> considerably more limited, but very simple to use.
>
> --
> You received this message because you are subscribed to the Google Groups
> "pylons-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to pylons-discuss+unsubscr...@googlegroups.com.
> To post to this group, send email to pylons-discuss@googlegroups.com.
> Visit this group at http://groups.google.com/group/pylons-discuss.
> For more options, visit https://groups.google.com/groups/opt_out.
--
Mike Orr <sluggos...@gmail.com>
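
An added example, not part of the original thread: a pre-deployment check that a SQLAlchemy URL of the form described above really results in a password-free `peer` connection. It checks that the URL has no password or host and that the first matching `local` record in `pg_hba.conf` selects `peer`. The names `appuser` and `appdb`, the sample `pg_hba.conf` and both function names are constructed for illustration, and the record matcher is a simplified subset of PostgreSQL's rules.

```python
from urllib.parse import urlsplit

# Constructed pg_hba.conf sample; "appuser" and "appdb" are hypothetical names.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER     ADDRESS       METHOD
local   appdb     appuser                peer
local   all       all                    md5
host    all       all      127.0.0.1/32  md5
"""

def local_auth(hba_text, database, user):
    """Return [method, *options] of the first 'local' record that matches.

    Simplified matcher: handles 'all', 'sameuser' and comma-separated names.
    PostgreSQL uses the first matching record, so order matters.
    """
    for line in hba_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4 or fields[0] != "local":
            continue
        dbs, users = fields[1].split(","), fields[2].split(",")
        db_ok = "all" in dbs or database in dbs or ("sameuser" in dbs and database == user)
        if db_ok and ("all" in users or user in users):
            return fields[3:]
    return []

def check_peer_url(url, hba_text, os_user):
    """List the reasons url would not be a password-free peer connection."""
    parts = urlsplit(url)
    problems = []
    if parts.password is not None:
        problems.append("URL embeds a password")
    if parts.hostname:
        problems.append("URL names a host, so it connects over TCP, where peer is unavailable")
    db_user = parts.username or os_user        # libpq defaults to the OS user name
    database = parts.path.lstrip("/") or db_user
    record = local_auth(hba_text, database, db_user)
    method = record[0] if record else None
    if method != "peer":
        problems.append(f"pg_hba.conf selects {method!r} for {db_user}@{database}")
    elif db_user != os_user and not any(o.startswith("map=") for o in record[1:]):
        problems.append("peer needs a map= option when DB user differs from OS user")
    return problems
```

An empty list means the URL and the `pg_hba.conf` text agree on socket-based peer authentication for that OS user.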