1

I am trying to understand some basic concepts as I am still new to the concept of service discovery and cloud programming (excuse the cliché). A question that has been in my head for some time is: are service discovery solutions like Consul, etcd & Zookeeper responsible for providing service credentials as well?

For example, if we have a web application which queries information about the location of database server(s), who is responsible for providing it with the credentials (username, password) for connecting to it? I do know that this is probably subjective but I would be glad to learn more about best practices related to that.

4

2 回答 2

1

确实,请参阅 Consul 和 Vault。现在,出于某种原因:服务注册中心通常不会附带一套完整的 ACL 等来保护机密,而且它们会在网络上散布所说的机密,将它们左右转储到磁盘上——这是一场安全噩梦。您要确保访问权限尽可能有限,严格根据需要知道。因此,请使用一些特定工具来执行此操作 - 硬件安全模块、Vault、Chef 加密数据包等。

于 2016-01-14T19:59:44.223 回答
1

Consul 和 Vault 工具完全按照您的建议进行拆分:Consul用于服务发现,Vault用于共享秘密(并实现诸如租约和动态秘密之类的东西)。

请阅读这两个工具,看看这个概念是否适合您。

于 2016-01-14T14:03:39.833 回答