Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
ActiveRecord extension to allow multiple database environments (slave, deploy) enabling least privilege when possible.
branch: master

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.
lib
spec
.gitignore
.travis.yml
Gemfile
LICENSE
readme.md
shackles.gemspec

readme.md

Shackles

About

Shackles allows multiple database environments and environment overrides to ActiveRecord, allowing least-privilege best practices.

Installation

Add gem 'shackles' to your Gemfile (tested with Rails 2.3 and 3.2)

Usage

There are two major use cases for shackles. The first is for master/slave(/deploy) environments. Using a slave is as simple as adding a slave block (underneath your main environment block) in database.yml, then wrapping stuff you want to query the slave in Shackles.activate(:slave) blocks. You can extend this to a deploy environment so that migrations will run as a deploy user that permission to modify schema, while your normal app runs with lower privileges that cannot modify schema. This is defense-in-depth in practice, so that if you happen to have a SQL injection bug, it would be impossible to do something like dropping tables.

The other major use case is more defense-in-depth. By carefully setting up your environment, you can default to script/console sessions for regular users to use their own database user, and the slave.

Example database.yml file:

production:
  adapter: postgresql
  username: myapp
  database: myapp
  host: db-master
  slave:
    host: db-slave
  deploy:
    username: deploy

Using an initializer, you can achieve the default environment settings (in tandem with profile changes):

if ENV['RAILS_DATABASE_ENVIRONMENT']
  Shackles.activate!(ENV['RAILS_DATABASE_ENVIRONMENT'].to_sym)
end
if ENV['RAILS_DATABASE_USER']
  Shackles.apply_config!(:username => ENV['RAILS_DATABASE_USER'])
end
Something went wrong with that request. Please try again.