Where to store sensitive data in public rails app?


Question


My personal rails project uses a few API's for which I store the API keys/secrets in config/environments/production.yml and development.yml as global variables. I now want to push this project to github for others to use, but I don't want them to have those bits of sensitive data. I also don't want this file in .gitignore because it's required for the app to run. I've considered putting them in the DB somewhere, but am hoping to find a better solution.

Accepted answer

TLDR: use environment variables!


I think @Bryce's comment offers an answer, which I'll just flesh out. It seems one approach Heroku recommends is to use environment variables to store sensitive information (API key strings, database passwords). So survey your code and see where you have sensitive data. Then create environment variables (in your .bashrc file for example) that store the sensitive data values. For example for your database:

export MYAPP_DEV_DB_DATABASE=myapp_dev
export MYAPP_DEV_DB_USER=username
export MYAPP_DEV_DB_PW=secret


Now, in your local box, you just refer to the environment variables whenever you need the sensitive data. For example in database.yml :

development:
  adapter: mysql2
  encoding: utf8
  reconnect: false
  database: <%= ENV["MYAPP_DEV_DB_DATABASE"] %>
  pool: 5
  username: <%= ENV["MYAPP_DEV_DB_USER"] %>
  password: <%= ENV["MYAPP_DEV_DB_PW"] %>
  socket: /var/run/mysqld/mysqld.sock


I think database.yml gets parsed just at the app's initialization or restart so this shouldn't impact performance. So this would solve it for your local development and for making your repository public. Stripped of sensitive data, you can now use the same repository for the public as you do privately. It also solves the problem if you are on a VPS. Just ssh to it and set up the environment variables on your production host as you did in your development box.


Meanwhile, if your production setup involves a hands-off deployment where you can't ssh to the production server, like Heroku's does, you need to look at how to remotely set up environment variables. For Heroku this is done with heroku config:add. So, per the same article, if you had S3 integrated into your app and you had the sensitive data coming in from the environment variables:

AWS::S3::Base.establish_connection!(
  :access_key_id     => ENV['S3_KEY'],
  :secret_access_key => ENV['S3_SECRET']
)


Just have Heroku create environment variables for it:

heroku config:add S3_KEY=8N022N81 S3_SECRET=9s83159d3+583493190


Another pro of this solution is that it's language neutral, not just Rails. Works for any app since they can all acquire the environment variables.
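One practical caveat with the ERB-in-database.yml approach: if an environment variable is unset, `ENV["..."]` renders as nothing and Rails quietly gets a blank password. The following is an added example (not code from the answer or from Rails) that renders a database.yml template the way Rails does, fails fast when an env-backed setting is missing, and checks that the committed template never carries a literal value for those keys. The template text, key names and the `MissingSecretError` class are constructed for this illustration.

```ruby
require "erb"
require "yaml"

# Constructed sample of a committed database.yml that references ENV,
# mirroring the layout shown in the answer.
DATABASE_YML = <<~YAML
  development:
    adapter: mysql2
    database: <%= ENV["MYAPP_DEV_DB_DATABASE"] %>
    username: <%= ENV["MYAPP_DEV_DB_USER"] %>
    password: <%= ENV["MYAPP_DEV_DB_PW"] %>
YAML

# Settings that must come from the environment and may never be blank.
ENV_BACKED_KEYS = %w[database username password].freeze

class MissingSecretError < StandardError; end

# Render the ERB template against the real ENV (as Rails does), parse the
# YAML, and refuse to continue if any env-backed setting came out empty.
def load_db_config(template, env_name = "development")
  rendered = ERB.new(template).result
  settings = YAML.safe_load(rendered).fetch(env_name)
  missing = ENV_BACKED_KEYS.select { |k| settings[k].to_s.strip.empty? }
  raise MissingSecretError, "unset: #{missing.join(', ')}" unless missing.empty?
  settings
end

# Pre-commit check on the template text: every env-backed key must be an
# ERB reference to ENV, not a literal value typed into the file.
def hardcoded_secret_keys(template)
  template.each_line.filter_map do |line|
    key, value = line.strip.split(":", 2)
    next unless ENV_BACKED_KEYS.include?(key) && value
    key unless value.strip.match?(/\A<%=\s*ENV\[/)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Stand-alone demo: set the variables here instead of in .bashrc.
  ENV["MYAPP_DEV_DB_DATABASE"] = "myapp_dev"
  ENV["MYAPP_DEV_DB_USER"] = "username"
  ENV["MYAPP_DEV_DB_PW"] = "secret"
  puts load_db_config(DATABASE_YML).inspect
  puts "hardcoded keys: #{hardcoded_secret_keys(DATABASE_YML).inspect}"
end
```

A secret containing YAML-significant characters (`#`, `: `) should be quoted in the template, for example `password: "<%= ENV["MYAPP_DEV_DB_PW"] %>"`.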
