I am trying to edit certain attributes in a chef repo.
I see the following (probably default) text in readme of chef-solo:
Absolutely no sensitive values should be kept in the git repo. All secrets should be kept in the password vault. Capistrano will register servers with the vault as needed.
I am not sure which values really should NOT be there in the repo. Can anyone please help with some examples?
Also, I see a statement in one of the roles files in override_attributes section which I do not fully understand but probably is related to above text:
use_vault : true
I understand that this is a vague question but this is all I can give away. Thanks in advance for the help!!
I'd like to clarify something that was confusing me in the first place. Your question is basically analogue to this one: "Should I use fork or teaspoon so I wouldn't harm my child while feeding it with poisonous berries?" And the answer is: "Nevermind the tool, it's berries you should worry about!"
Now, let's separate override_attributes problem (tool), from the risk of exposure of sensitive data (berries).
Override attributes are being used only when we are not sure where the data will come from and we need to override them forcefully. What you're seeing is just that. Writer of that recipe ensured that vault will be used.
Message you posted regarding sensitive data has nothing to do with override_attributes. I presume you wouldn't like to put your private keys, passwords, or your credit card credentials into files and have it pushed to github, public git repo, or make it public in any other way. Message is just there to remind you. So, where should sensitive data be placed? There's no answer but the one you got All secrets should be kept in the password vault.. Thing you should also keep in mind before storing sensitive data on a certain place, are the architecture of a system and privileges of it's users. You want to keep it out of reach of people who doesn't need to know it. All this talk is about keeping your vulnerable, precious, sensitive data as secure as possible, and there's no Q&A recipe for that.
Hope this vague answer helped. If anyone knows how it might be more clear, please comment or edit, I'll be happy to see it improved.
Related
I've been using Bitbucket for a week now. It seems like a capable platform. Personally in my development activities, I keep a daily "journal" of whatever I need to keep track of separately from any commits to the Git repo. It gives me a place to keep all my "thoughts and ideas" in one place.
Before I end a day's work, or I jot down what I last worked on and any thoughts I think I'll need on the following day. And before I begin each day's work, I just flip to the last page of my journal and it quickly brings me back up to speed of where I was at yesterday, no matter how little sleep I got. :-)
I see Bitbucket has "Comments", "Work Log", "History" and "Activity", but they seem to be tied only to user stories, todos and the like.
Does anyone know of a way where I can have something like a "Work Log" tied directly to my user account? I'm thinking I could use it for my personal "Journal".
Note: I'm using a locally installed Bitbucket server.
If you're using the online https://bitbucket.org (not specified in the question) rather than a hosted instance then you can do a couple of things.
1 Wiki
Create a repository which will act as your work log
Obviously if you want to keep notes with the same code base just enable the wiki for that repository. The question seemed to suggest you may want to be repository/project agnostic
Update the settings of the repository to enable a private or public wiki
This is probably the simplest and richest replacement to your note pad
2 Use a repository
Create a repository which will act as your work log
commit Markdown (i.e readme.md or index.md) files
Note: in the case of a hosted instance this could even be a repository associated to your user rather than a project.
This is very manual, though it does mean you can have an offline version of your "pad" that you can edit/search in your IDE with some IDE autocomplete. Just like the wiki you can use the code backtick escapes with syntax highlighting. Last I checked the these were rendered pretty well in the browser through bitbucket.org as well as any editor/IDE you might use.
Regarding todo's
I've found the best cheap todo solution for me is using a gist as described on life hacker. They are low ceremony and versioned which checks all my boxes (excuse the pun). If you couple that with the above you may actually be able to embed it into your bitbucket wiki, though I've not tried.
If you are using JIRA and Bitbucket already, maybe consider Confluence? Confluence has some convenient and easy to manage TODO functionality and it lets you expand on those thoughts with all the power of a wiki when you are done.
I keep a "TODO" page and additionally put the checkbox on any tasks in other pages. They are all aggregated together in a tasks view.
See:
https://confluence.atlassian.com/conf54/confluence-user-s-guide/managing-changes-and-notifications-and-tasks/managing-tasks-in-confluence
I'm developing a little app in which users can create their own content. Most content is taken from a MYSQL db and images from AWS S3 and brought to the front through regular jquery/php/html. All content a user has created is private and can only be accessed via a login. However, I would like the users to be able to send selected parts of their content to other users and people via links which they can click on and see that selected content. Much like sending a link to a users image on Facebook to someone outside the community.
I have never done this before and have no idea in how to even begin. If anyone could point me in the correct direction it would be highly appreciated. I have searched around about this but don't really know what to search for.
If this is against SO's rules (as it's a general question about a topic and not specialized enough), please let me know and I'll remove it.
I think the best way to achieve this is to have a private bucket in which each user has distinct permissions on his own folder, and be the only one that can access it. This is something you should probably implement on the application level - allowing only the app to access the bucket, and denying every other type of access.
For the public content - you should create a different bucket which will be publicly available for everyone, and move all public content there.
These are my 2 cents, might be better practices in the field, but IMO it's a nice solution which is not to complicated.
I am trying to allow users to create issues from a webpage, just like the Issue Collector. The problem is, there are only three templates provided for the collector and none of them are quite right.
What I want is to have three required fields that then combine to become the description. (Similar to how the first template has "what do you like" "what do you not like" which both go in the description)
The problem is there's no obvious way to edit the popup's contents.
Is there any way I can get at the source code of the collector to create my own modified version? Alternatively, if I just copy the html of the popup using inspect element could I create a working clone?
EDIT: Well, I've managed to get at the source code using a java decompiler, but now I haven't got a clue how to put it back together again...
Do you have a paid license for JIRA? If so, Atlassian will give you a copy of the source code.
From their FAQ's
After an order has been placed, how and when can the license key and source be accessed?
Access to your license key(s) and any
applicable source code is provided only after the successful receipt
and processing of your payment. Once payment is received, the Billing
and Technical contact specified on the order can log into their My
Atlassian account, and view all corresponding license keys.
And instructions on how to "put it all back together" :)
Then you are free to customize to your heart's content.
Of course, you'll need to re-customize every time there's an update from Atlassian ...
See also this post on Atlassian's wiki
I believe this question is platform/technology independent, however I am using Ruby on Rails with the carrierwave gem.
Users upload documents to my site, and I need to keep them private. I am exploring the different options available to me, along with their advantages and disadvantages.
Option 1
Obfuscate urls to images to make them impossible to guess.
This would be relatively simple to implement and fast to serve up. However, if a url was made public by whatever means, security is lost.
Option 2
Have documents accessed through some sort of intermediate step that requires authentication. This would have improved security over option 1, but would place additional load on the server. A page containing previews of a number of uploaded documents would hammer the server.
Are there any other options available to me? Have I made any mistakes with my claims, or missed any important points?
I think the best option you have is to have a "key" for your documents. You can generate a key, with a certain lifetime, and when you go on /document/name/access_key, you find the record matching and return the file associated with the record. Never exposing the real URL.
Current I'm working on an a project using MVC4 in which we have a service reference looking into the Database to return our content. The service reference requires me to provide the username/password each time I make a call.
What would be best practices for this? Should I encrypt the password then save it to a cookie or should I issue the user an Auth Token? Or would there be a third option?
First. Don't. Just don't. NEVER ever ever ever ever ever ever store the users password. Never. I mean it. Never. Under no circumstances. There are no mitigating factors. There is nothing so important that you should ever break this rule. Ever. If your only choice is to break this rule (say, from a third party service that you don't control), then refuse to do it. Make someone, somewhere budge on it. Quit your job if you have to. I'm that serious.
If you save the users password, you are breaking the trust between the user and the software. You're making passwords discoverable, if hacked, and those passwords can be re-used to do nasty things (such as getting into someones bank account and taking all their money). If you save passwords, you are part of the internet security problem as a whole. I don't care how small you think you are, or how irrelevant the data might be. Someones password controls access to many important things you may not know about.
So don't do it. Just don't.
Now, on to solving your real problem. How to deal with this issue varies depending on the situation. Is this service on the same domain as the web server? Is it under your control? Can you change the interface? Are you developing the service? Please explain the circumstances.