How do you avoid storing passwords in version control?

后端 未结 6 1451
醉酒成梦
醉酒成梦 2020-12-09 09:24

What strategy do you use to avoid storing passwords in version control?

Currently, I have development/test/production passwords saved in three different files and th

相关标签:
6条回答
  • 2020-12-09 09:57

    Environment-specific configuration properties I tend to put in, say, a properties file that isn't in source control and isn't part of the build process. When setting up a new environment, part of that setup is to put create that properties file that includes things like database addresses, credentials and names, names of relevant remote hosts and so on.

    In Spring you use the PropertyPlaceholderConfigurer to load the properties file. It just needs to be findable by Spring, which usually just means putting it in an appropriate directory under the application server.

    Alternatively, you use wrapper to run the application server and the JVM startup options include adding these properties files to the classpath so Spring can find them.

    0 讨论(0)
  • 2020-12-09 10:01

    I think it's good to have a local_settings outside of the repository.

    https://stackoverflow.com/a/21570849/1675586

    0 讨论(0)
  • 2020-12-09 10:11

    Instead of not storing them, you could store them in encrypted form. So you dont have the pain of sending credentials files via IM or EMail all the time a new developer starts ... You just need to tell them the project specific master-password once so they can encrypt the credentials.

    0 讨论(0)
  • 2020-12-09 10:19

    Put the passwords in o/s user environment variables.

    Only that user or root can read the value, same as a file, but with zero chance of it getting checked into source control.

    0 讨论(0)
  • 2020-12-09 10:20

    This doesn't work in all cases, but this is where the gloriousness of using NT AUTHORITY\NETWORK SERVICE as the identity of your services comes in. If you use this identity, you don't need to maintain a password for it -- you can just use the Computer's AD credentials in the form of DOMAINNAME\MACHINENAME$ to do your protected network and database access.

    There are, of course, some key things to watch out for -- not the least of which is that no two apps which share a security boundary are hosted like this on the same server.

    0 讨论(0)
  • 2020-12-09 10:24

    I've seen two approaches to this:

    • Move the passwords into another tree of source control that developers don't have access to.
    • Don't put any passwords into source control, and the dedicated build manager person needs to type in the passwords every time a deploy is done. This was in a bank where there was a full time guy working on build processes / merging / releases.
    0 讨论(0)
提交回复
热议问题