On 1/6/14 14:34 , Kian-Tat Lim wrote:
> Jacek,
>
>> How about simply keeping the credentials in ~/.my.cnf
>> file (I think it'd be useful to come up with
>> lsst-specific name for the file to avoid collisions.)
>> I just realized mysql api allows to directly use such
>> config file:
>>
>> db=_mysql.connect(host="outhouse",db="thangs",read_default_file="~/.my.cnf")
>>
>> (this is from http://mysql-python.sourceforge.net/MySQLdb.html)
>>
>> It is handy and mysql-compatible.
>
> I think this is good for MySQL. ~/.my.cnf should already be
> read by default, I believe. My only concern is that we don't have a
> problem if we have to change RDBMS implementations. The original
> ~/.lsst/db-auth.paf was developed to be database-agnostic, but it's
> probably not too bad to force people to use database-specific
> credential storage, as implementations won't change that frequently.
>

Would the right thing to do be to store passwords (and all sensitive
information, in general), in a wallet? I'm thinking of something like
gnome-keyring, or KDE Wallet, or OS X's keychain, etc. They're becoming
quite standard these days (in the sense of being present, not
interoperable, unfortunately).

There are libraries that can abstract them away (e.g.,
https://bitbucket.org/kang/python-keyring-lib looks very promising, at
first blush), plus allow for cleartext backends where appropriate.

It's probably not bad to start thinking about security early, esp. if
it's not too much effort.

Cheers,
--
Mario Juric,
Data Mgmt. Project Scientist, Large Synoptic Survey Telescope
Web : http://research.majuric.org
Phone : +1 617 744 9003
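
An added example (not code from this thread or from the LSST/Qserv code base): a loader for a my.cnf-format credentials file that refuses to read it unless it is a regular file owned by the caller with no group/other permissions, since the cleartext storage options discussed above depend on file mode for protection. The file name `db-auth.cnf`, the function names and the sample values are assumptions constructed for illustration.

```python
import configparser
import os
import stat
import tempfile


class InsecureCredentialFile(Exception):
    """The credentials file is accessible to users other than its owner."""


def load_client_credentials(path, section="client"):
    """Return user/password/host from a my.cnf-style file, or raise."""
    path = os.path.expanduser(path)
    # fstat the open descriptor so the checks cover the file actually read.
    with open(path, "r", encoding="utf-8") as fh:
        st = os.fstat(fh.fileno())
        if not stat.S_ISREG(st.st_mode) or st.st_uid != os.getuid():
            raise InsecureCredentialFile(f"{path}: not a regular file owned by caller")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise InsecureCredentialFile(
                f"{path}: mode {stat.S_IMODE(st.st_mode):04o}, want 0600")
        # interpolation=None: passwords may contain '%';
        # allow_no_value=True: my.cnf permits bare options.
        parser = configparser.ConfigParser(
            interpolation=None, allow_no_value=True, strict=False)
        parser.read_file(fh)
    if not parser.has_section(section):
        raise KeyError(f"no [{section}] section in {path}")
    creds = {}
    for key in ("user", "password", "host"):
        value = parser.get(section, key, fallback=None)
        if value is not None:
            creds[key] = value.strip("\"'")  # values may be quoted
    return creds


def demo():
    """Load a constructed sample file at mode 0644, then at 0600."""
    sample = '[client]\nuser = qserv_demo\npassword = "s3cr%et"\nhost = localhost\n'
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "db-auth.cnf")  # hypothetical file name
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        try:
            load_client_credentials(path)
            rejected = False
        except InsecureCredentialFile:
            rejected = True
        os.chmod(path, 0o600)
        return rejected, load_client_credentials(path)
```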