We have several developers, working on the same application (to be deployed on Heroku).
We know they can open separate Heroku accounts, and share the application using "heroku sharing:add".
But is it possible to use a single "team" account? Are there limitations on people logging in simultaneously from different PC's ? Or any other technical reason to avoid it?
Note we're not worried about them overriding each other's deployments, because it's for development (not production), and it's a small team.
Thanks :)
Although you can grant limited access to multiple Heroku accounts, only one "Owner" account has privileges to modify the account configuration.
If more than one person needs to modify your account/app configuration (ie: changing/provisioning add-ons, etc), it's best to create a shared e-mail/password stored in a secure password manager like 1Password. However, this is a hassle and opens up some vulnerability. It may also be against Heroku's TOS, but isn't likely enforced.
I would recommend using multiple accounts for anyone who needs read-only or deploy access. I would limit a shared Owner account to the privileged users who need full access.
Related
I use Windows 10 Home with a separate Admin account, using a limited account for day to day work. I've installed Docker (community edition) using the admin account, but when I switch to the limited user, it wouldn't let me run it unless my limited account joins the "docker-users" group.
This question isn't to ask how to join that group (see this other question) but instead to to ask why the group is needed. Is this a security measure? Do I open up a vulnerability by using Docker from a limited account?
If it isn't a security measure, what reasons would I have for denying a user membership of this group?
Being able to create docker containers should be considered a privileged action because it allows someone to host new services on the underlying server, including hosting interfaces on low-numbered ports (22, 80, 443 etc).
The "docker-users" group exists to allow non-admin users to perform these privileged actions, bypassing the security control that required an admin user. This exists for the convenience of managing docker containers from a standard user rather than an admin user. The security benefit of this is that you can further lock down your admin account as you no longer need to constantly access it for docker management. The downside is that the compromise of any account in the "docker-users" group could result in a compromise of your whole docker environment.
In the case where you are the only one using your PC, then it doesn't have much impact because if someone were to compromise your account, you would have bigger issues anyway. In shared computer environments, you may have some select users with the privilege to use docker, but allowing all user would significantly increase your attack surface, and allowing no users would mean you have to provide each user that requires access to docker with a privileged account.
I'm using a Google Service Account to push MySQL backups from our webserver to Google Drive using a Google API PHP client script setup as a cron job.
I now want to run the same script across multiple webservers, I'm not sure how to correctly configure the service account for this, should I?
Use the same service account and service account key/credentials across all servers?
OR Use the same service account, but add a service account key/credentials for each server?
OR Setup a separate service account for each server?
Your requirements/needs/whatever may vary, but this generally it won't wont matter how you do it.
Single project
Create a project on Google developer console, and create a single service account key file and share it across the servers.
Is the same as.
Creating a project on google developer console and creating three separate service account credentials with different key files.
You will be bound by the same quota limits because all are under the same project.
Three separate projects.
Now if you created three different projects and create a single service account credential for each of the different servers. Then you would see a difference as they are different projects so should be bound by different quota limits.
quota
The Google drive default quota is so high anyway i'm not sure that it really matters what you do.
Security
Even security wise if you have a different file and you were hacked on one server you would't gain or loose anything by the other servers not having the same or different key files.
So, I have multiple grails apps, but I'd like to package them into a single mega app that manages user login, permissions, which appscan they access, etc. I can already links to the other apps depending on the logged in users role.
I'm using Spring Security with all of the apps, and they already share a database for users and roles. The problem I'm having is that I want the users to be instantly logged in on all of the apps when they log in into the "mega app", I want them all to share a login session.
Right now, I have a login for the users to access the "mega app" where they are linked to the other apps, but they have to manually log in again for each of the different grails apps they are linked to. And I don't like this, I want all apps to share a session, atleast for login. Any way to do this?
Having all the source from all the apps inside one single grails project is not a possibility here, it would be too heavy and some users don't even install all of the apps, since this is installed on their own private servers for them to use in their own local network. Also, login sessions time out after a while of not being used, making the problem even worse.
Help would be greatly appreciated, thank you in advance.
The spring-security-cas plugin is one option; it uses the open source CAS single sign-on server to let you authenticate to any server and be automatically authenticated on all of the others.
My manager keeps talking about how I will be "developing" an Application Express "security module", however from what she told me we need to have, I don't see what there would be to develop, seeing as Apex already has authorization/groups which allow for various groups of people to see various content.
Is there something that I am missing? What does she mean by a "module", or is it just general wording?
APEX provides several different ways to authenticate users. One approach is to use the "Application Express" authentication scheme and just to create APEX users. Another approach is to use the "Database Account" authentication scheme and to create Oracle users. A third option is to create a custom authentication scheme and to implement your own user management functionality.
Application Express authentication tends to be the easiest to deploy for a small application but tends to get unwieldy over time. It's hard, for example, to give an application administrator the ability to create APEX accounts. You can't tie an APEX account in to a single sign-on solution. It's not easy to integrate with the permission management systems that other applications use. If you're deploying an application in a large company, the last thing the security department needs is one more place where they need to create user accounts, manage privileges, de-activate accounts when someone leaves or changes roles, etc.
Database authentication tends to be more scalable than APEX authentication since Oracle database account provisioning is likely already part of your organization's authentication and authorization infrastructure. On the other hand, that still means that you're creating an Oracle database user for every user you want to create in your application which probably involves a call to a DBA (technically, you could create database users from your application, but most DBAs are going to be concerned about the security implications of that). If you intend to create an internet-facing application with tens of thousands of users, database accounts may get unwieldy.
I'd wager that the vast majority of medium to large-scale APEX applications use a custom authentication scheme. That may involve creating a USER table where you store the username & the hash of the password or a query against an LDAP/ AD repository. That sort of approach provides the most flexibility since you can code whatever you'd like into the authentication system. You can hook into whatever custom authentication/ single sign-on solution the organization happens to use. It probably makes creating new users from within the application much easier (obviously depending on how the authentication system is designed).
My assumption is that your manager is expecting that you'll be writing a custom authentication scheme for your APEX applications.
I know there are tools to manage your EC2 environment. I currently use the Eclipse Plugin and the iPhone app iAWSManager. What i'm looking for is a management service that allows you to create multiple users with roles and privileges. I have clients that sign up for EC2 but need help setting up and managing everything. At the very least they should be able to setup multiple logins so they can monitor who is doing what on the account (rather than sharing the single login). Better would be to assign privileges for who could create and launch an instance, create and assign/just assign Elastic IPs/EBS to instances etc.
Since enterprises are supposed to be using EC2 how do they manage this well? How do they create audit trails of activity?
RightScale, YLastic or EnStratus support roles and priviledges. However, they are not for free...
I'll add Scalr to the list, which is a cloud management software like RightScale (disclaimer: I work there). We released our permissions feature last January. It allows you to create different teams and environments and attribute them privileges on a granular basis. It means you can grant different permissions to different people. You can learn more on this blogpost.
Scalr is available as a hosted service which includes support. If you are looking for a free solution, you can download the source code, which is released under the Apache 2 license, and install it your self.
As mentioned earlier, RightScale and enStratus are two other alternatives.