
Why I'll never provision another database user - sbrown12
http://borgified.github.io/strongdm/2017/06/20/user-account-creation.html
======
kelnos
> Others embraced it quickly, recognizing the simplicity of being able to
> connect to localhost:3306 and have instant access to production data.

Well, that seems like a huge production outage just waiting to happen.

------
zie
or use an OSS solution:
[https://www.vaultproject.io/docs/secrets/databases/index.htm...](https://www.vaultproject.io/docs/secrets/databases/index.html)
and it conveniently does a lot more than just DB auth.

~~~
jldugger
Or LDAP?

[https://dev.mysql.com/doc/refman/5.5/en/pam-pluggable-authen...](https://dev.mysql.com/doc/refman/5.5/en/pam-pluggable-authentication.html#pam-authentication-ldap-without-proxy)

~~~
zie
True, a valid option for MySQL. Not every database handles LDAP, and Vault
gives you dynamically created credentials to your DB, so the accounts are
created and deleted _AS NEEDED_.

------
sbierwagen
Submission title doesn't seem to have anything to do with the content? The
post is mostly about semiautomated user account management, from the title I
was expecting some kind of postmortem where provisioning a database user
caused some kind of disaster.

------
deepsun
Or, if you use Google Apps (aka G Suite now), use Google Identity-Aware Proxy
[1]

Basically, all it does is add a couple of headers, like user-id, to every
single HTTP request. And as soon as you delete a user's account in your Google
Apps console -- they will lose access to your corporate services.

Drawbacks are:

1. This requires cooperation from the services. E.g. you have Jenkins -- it
needs to check those headers. I don't know if Jenkins has a plugin for that
yet.

2. The service must run on GCP, so Google can proxy requests to it.

[1] [https://cloud.google.com/iap/](https://cloud.google.com/iap/)
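
The header check deepsun says the service itself has to do, as an added Python example (not code from the post, from Google, or from any project named in the thread). It assumes the header names IAP sets (`X-Goog-IAP-JWT-Assertion` and `X-Goog-Authenticated-User-Email`) and the IAP issuer string; the audience value is a placeholder. Real IAP assertions are ES256-signed with Google's published public keys, so the HMAC-SHA256 signing used here is a stand-in chosen only so the example runs on the standard library; `make_assertion` exists purely to construct test input.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-in signing key. Real IAP assertions are ES256-signed with
# Google's published public keys (verified with the google-auth library);
# HMAC-SHA256 is used here only so the example runs on the standard library.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
EXPECTED_ISSUER = "https://cloud.google.com/iap"
# Audience of a backend service behind IAP; the numbers are placeholders.
EXPECTED_AUDIENCE = "/projects/000000000000/global/backendServices/0000000000000000000"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a signed JWT-shaped assertion; used only to construct test input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_assertion(token: str, now: Optional[float] = None, key: bytes = DEMO_KEY) -> dict:
    """Return the claims when signature, issuer, audience and expiry all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed assertion")
    header_b64, body_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("assertion minted for a different backend")
    if claims.get("exp", 0) <= now:
        raise ValueError("assertion expired")
    if "email" not in claims:
        raise ValueError("no identity in assertion")
    return claims


def authenticated_email(headers: dict, now: Optional[float] = None) -> str:
    """Identity to trust for one request, derived from the signed assertion.

    The plain X-Goog-Authenticated-User-Email header is only cross-checked,
    never trusted on its own: a request that reached the service without
    passing through the proxy could carry any value there.
    """
    h = {k.lower(): v for k, v in headers.items()}
    token = h.get("x-goog-iap-jwt-assertion")
    if not token:
        raise PermissionError("request did not arrive through the proxy")
    claims = verify_assertion(token, now)
    plain = h.get("x-goog-authenticated-user-email", "")
    # IAP prefixes the email with the identity provider, e.g. "accounts.google.com:".
    if plain and plain.split(":", 1)[-1] != claims["email"]:
        raise PermissionError("email header disagrees with signed assertion")
    return claims["email"]
```

The point of routing every decision through `verify_assertion` is the second drawback deepsun lists: the proxy only helps if the service refuses anything that did not come through it, so a missing or unverifiable assertion is rejected rather than falling back to the unsigned header.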

~~~
deepsun
Correction: the accounts for the proxy are managed in GCP IAM, not in Google
Apps.

------
welder
How's this different from
[https://www.onelogin.com/](https://www.onelogin.com/)?

------
idrism
strongDM looks like an alternative to Vault for this one use case. Does anyone
have any idea what strongDM's pricing is like?

~~~
gerdesj
I can't help but notice that the script link to GitHub (seriously?) in the OP
topic contains something involving NRPE and NSCLIENT++ - that's part of a
bloody monitoring system.

There are APIs, connectors and the good $DEITY knows what in so many languages
it isn't funny anymore that you decide to re-purpose a monitoring agent to
delete an account? I'm no programmer but even I could whip up a link between
MySQL/MariaDB and say AD with PHP, Python or Perl.

Actually the more I bother clicking on the links in the GH repo and idly
browsing the more I wonder what is going on.

Soz: What's Vault?

~~~
zie
[https://www.vaultproject.io](https://www.vaultproject.io)

It's like a one-stop shop for most of your security needs. They label it as "A
Tool for Managing Secrets" which it does, but it does a lot more than that
too. One of the things it does (and what applies here) is dynamically create
DB accounts _AS NEEDED_ with random usernames and passwords, which auto-expire
and are deleted as soon as they are not needed anymore, which is more than
strongDM seems to do.
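
The lifecycle zie describes here and in the earlier reply (an account with a random name and password created when needed, then dropped when its lease runs out), as an added Python sketch that is not Vault's code and not strongDM's. It borrows the shape of a Vault database-role definition (templated creation and revocation statements using `{{name}}` and `{{password}}`, plus a default TTL); the `FakeMySQL` class is a constructed stand-in that tracks accounts by parsing the rendered statements instead of talking to a server, and the `v-<role>-<random>` naming is an assumption made for the example.

```python
import re
import secrets
import string
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Role in the shape of a Vault database-role definition: templated SQL plus a
# lease length. Only the statements are rendered; the broker never builds SQL
# from anything but a generated name and password.
MYSQL_READONLY_ROLE = {
    "creation_statements": [
        "CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';",
        "GRANT SELECT ON app.* TO '{{name}}'@'%';",
    ],
    "revocation_statements": ["DROP USER IF EXISTS '{{name}}'@'%';"],
    "default_ttl": 3600,  # seconds a lease lives unless renewed
}


@dataclass
class Lease:
    username: str
    password: str
    expires_at: float
    role: dict


@dataclass
class DynamicCredentialBroker:
    """Issues per-request accounts and drops them when their lease expires."""

    execute: Callable[[str], None]  # runs one SQL statement against the DB
    leases: Dict[str, Lease] = field(default_factory=dict)

    def issue(self, role_name: str, role: dict, now: float) -> Lease:
        # Random suffix keeps names unique; MySQL caps user-name length, so the
        # random part is kept short. Alphanumeric passwords cannot break out of
        # the quoted template.
        username = f"v-{role_name}-{secrets.token_hex(8)}"
        alphabet = string.ascii_letters + string.digits
        password = "".join(secrets.choice(alphabet) for _ in range(32))
        for stmt in role["creation_statements"]:
            self.execute(stmt.replace("{{name}}", username).replace("{{password}}", password))
        lease = Lease(username, password, now + role["default_ttl"], role)
        self.leases[username] = lease
        return lease

    def revoke(self, username: str) -> None:
        lease = self.leases.pop(username)
        for stmt in lease.role["revocation_statements"]:
            self.execute(stmt.replace("{{name}}", username))

    def revoke_expired(self, now: float) -> List[str]:
        """Drop every account whose lease has lapsed; returns the names dropped."""
        expired = [u for u, lease in self.leases.items() if lease.expires_at <= now]
        for username in expired:
            self.revoke(username)
        return expired


class FakeMySQL:
    """Constructed stand-in: records statements and mirrors the account table."""

    CREATE = re.compile(r"CREATE USER '([^']+)'@'%' IDENTIFIED BY '([^']+)';")
    DROP = re.compile(r"DROP USER IF EXISTS '([^']+)'@'%';")

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}
        self.log: List[str] = []

    def execute(self, stmt: str) -> None:
        self.log.append(stmt)
        created = self.CREATE.match(stmt)
        if created:
            self.users[created.group(1)] = created.group(2)
        dropped = self.DROP.match(stmt)
        if dropped:
            self.users.pop(dropped.group(1), None)


if __name__ == "__main__":
    db = FakeMySQL()
    broker = DynamicCredentialBroker(db.execute)
    lease = broker.issue("readonly", MYSQL_READONLY_ROLE, now=0)
    print("issued", lease.username, "until", lease.expires_at)
    print("dropped", broker.revoke_expired(now=MYSQL_READONLY_ROLE["default_ttl"]))
```

What this buys you over a hand-provisioned account is visible in `revoke_expired`: nobody has to remember to delete a user, and a credential that leaks into a log or a laptop stops working once its TTL passes, which is the "created and deleted as needed" property zie is pointing at.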

