Originally created by @joshlambert on 2018-06-05 22:01:41
We have locked down access to the protected secrets, which prevents users from having direct access to them. However we still make them available for review apps, which means any developer can alter the .gitlab-ci.yml, print the secrets, and then view the build log to retrieve them. This means that any user with developer rights has access to all of the secrets for all of the data sources, which is a concern especially as we move into more sensitive data sources.
Some possible solutions:
Test harness (https://gitlab.com/meltano/meltano/issues/86): Utilize something like vcr to provide an automated API mock for review branches. This way the real secrets could only be available on protected branches, and we'd also not consume API quotas on review branches.
Some type of forward proxy, which holds the secrets and performs the authentication. This seems unrealistic, I'm not sure if something like this even exists.
Something like a KMS won't really help address these issues, because of the review app problem noted above, but could help to further secure the secrets themselves.
Migrated from GitLab: https://gitlab.com/meltano/meltano/-/issues/21
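The split the issue asks for (real credentials only on protected branches, review apps running against recorded API responses) can be expressed in the pipeline definition itself. The following `.gitlab-ci.yml` is an added illustration, not Meltano's own CI configuration. It assumes the source credentials are stored as project CI/CD variables with the "Protected" and "Masked" flags set in the GitLab UI (a hypothetical `TAP_API_KEY` is used as the name), and it assumes two hypothetical make targets, `extract` for the real sources and `extract-mock` for replaying vcr cassettes committed under `tests/cassettes/`.

```yaml
# Added example, not the project's .gitlab-ci.yml.
# Assumptions: TAP_API_KEY is a Protected + Masked CI/CD variable defined in the
# GitLab UI (never in this file); `make extract` and `make extract-mock` are
# hypothetical targets; MELTANO_MOCK_API is a hypothetical switch read by the taps.

stages:
  - test
  - extract

# Weak pattern this replaces: a single job that runs on every branch and reads an
# unprotected variable. Any developer could push a branch whose job prints the
# variable and read it back from the job log.

# Review apps / merge request pipelines: no real credentials are injected.
# GitLab only exposes Protected variables to jobs on protected refs, so a job on
# a feature branch has nothing to print; it runs against recorded responses.
review:extract:
  stage: test
  image: python:3.11
  variables:
    MELTANO_MOCK_API: "true"   # hypothetical: taps replay tests/cassettes/ instead of calling APIs
  script:
    - pip install -r requirements.txt
    - make extract-mock
  rules:
    - if: $CI_COMMIT_REF_PROTECTED == "true"
      when: never
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
    - if: $CI_COMMIT_BRANCH

# Real extraction: only on protected branches, where the Protected variables exist
# and only maintainers can push or merge changes to this file.
production:extract:
  stage: extract
  image: python:3.11
  script:
    # Fail loudly if the variable was not injected, without echoing its value.
    - test -n "$TAP_API_KEY" || { echo "protected variable missing; refusing to run"; exit 1; }
    - pip install -r requirements.txt
    - make extract
  rules:
    - if: $CI_COMMIT_REF_PROTECTED == "true"
```

Two points worth checking when adopting this shape: the `.gitlab-ci.yml` change itself is only protected because the production branch is protected, so merge rights on that branch are the real control; and cassettes recorded with vcr capture request headers, so they should be recorded with credential headers filtered out (vcrpy's `filter_headers` option, e.g. `['authorization']`) before they are committed, or the recorded files become a second copy of the secret.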