Password rotation policies

galaxy-iuc / standards

Documentation for standards and best practices from the Galaxy IUC

http://galaxy-iuc-standards.readthedocs.io/en/latest/

6 stars 16 forks source link

Password rotation policies #8

Open hexylena opened 9 years ago

hexylena commented 9 years ago

Password rotations should happen every once in a while, eh? Good security practices and whatnot? :) (Not to be draconian about such things...if y'all really don't want to, we don't have to)

This would means that

[ ] bioblend and
[ ] TS would need to support changing passwords via the API (@martenson, @nsoranzo).
[ ] And a jenkins job will have to be created to email the mailing list with it whenever it gets changed.

blankenberg commented 9 years ago

I have to sort of chuckle at the thought of a process to make passwords more secure involves automatically emailing it in a plaintext email...perhaps worthwhile to use pass or something similar and get everyone's public pgp keys, and then have the email just send out a note saying it was changed.

hexylena commented 9 years ago

everyone's public pgp keys

Oh how I long for that day...if everyone has GPG keys, then we'll just gpg encrypt the email and it'll be perfectly simple. Does everyone who cares have GPG Keys?

Thankfully, with the advent of Jenkins+TS Pusher it's becoming less imperative to know the IUC password(s).

(There are, of course, alternate routes like publishing it to a URL that's protected by OAuth and then only people on a whitelist of emails can log in, etc. Huzzah, over-engineering strikes again!)

hexylena commented 9 years ago

User	Key
@erasche	99C605D9
@bgruening	08F720A0
@natefoo	7B1C60D8/751B835F
@nsoranzo	24CA0FA2
@peterjc

Anyone have a problem with requiring GPG keys for this?

peterjc commented 9 years ago

So is this ultimately to allow rotating of the IUC Tool Shed password?

Currently I only ever use that to make a new IUC Tool Shed repository, or to delegate rights for a given Tool Shed repository to my personal account (via the web interface, is this in the API?). I prefer to then push the initial tool release and any updates to the Tool Shed using my personal account.

hexylena commented 9 years ago

@peterjc rotation of the IUC password in general. It's used a number of places (MTS, TTS, Jenkins bot, jenkins bot SSH login, etc). I imagine I would be very unhappy were it to be compromised.

I think that's what most of us use it for, logging into the web to do things that aren't yet automated via bioblend.

Setting ACLs on a repo is not part of the API. It should be. galaxyproject/bioblend#130