We have our cap deploy set up to take a new app server from zero to
working, all automatically.

One issue we're getting stuck with is: Where to store the database
password?

I'll show you what we thought of, and why we don't like it.  I'm sure
some of the pros here have already grappled with this, so I'd like to
hear what you say.

1. Store in cap deploy files.
PROBLEM: We don't want every developer who ever had access to cap
deploy source to know the passwords.

2. Store in file on each server.
PROBLEM: This would require manual setup of a new server.
PROBLEM: Even if we accept doing it manually, in the course of doing
so, it's quite likely that the password will get emailed around.
"Anyone remember the pw to set up a new server? The box is down and I
need to do a replacement quick."

3. Use a nonpassword system
Windows supports authentication via user account on a known machine.
I'm not sure how it works, or how secure it is.  Haven't found any
simple, secure way to do this via Linux.  The ideal would be to tell
the database server "If user rails_app on any of the local machines
wants to connect, they don't need a password."   But I'm not sure if
there is a simple and secure way to do this.

4. Use some type of encryption
I'm not sure how to use this to solve problems.  The key needs to go
somewhere, and so we're back to square one, on where to store the key.

What do you do? Is there a best practice? What do the large
enterprise / J2EE shops do?
