Adding security considerations (usage of unprivileged accounts)
+ 10
− 6
@@ -2,6 +2,10 @@
Credentials (username and password) of a CERN account, that is used for deploying website content, will be stored in GitLab variables in clear-text. To limit security impact in case of credential exposure, please use a dedicated secondary or service account, with very limited privileges (write access to that particular web site - but ideally no other privileges). **Do not use your primary CERN account, nor any privileged service account.**
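Review bot: The new security paragraph says the credentials are stored in GitLab variables in clear-text, but it does not tell the reader to restrict what can read those variables. Consider adding a sentence asking users to mark the password variable as Masked and Protected in the project's CI/CD settings, so that it is hidden in job logs and only exposed to pipelines running on protected branches and tags. Minor wording points in the same paragraph: it uses both "website" and "web site", and the comma in "CERN account, that is used" should be dropped.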
@@ -18,21 +22,21 @@ Docker image to be used with GitLab CI to deploy web sites or generic files or b
* `METHOD` (optional): Method to do the synchronization. It can be `rsync` or `xrdcp`. The rsync method relies on connecting to lxplus, and will make sure that the files deleted in source are also deleted on destination. The account (**EOS_ACCOUNT_USERNAME**) used must be able to log in lxplus. On the other hand xrdcp will directly connect to EOS, but will not delete files on the destination. **Default**: `xrdcp`
* `METHOD` (optional): Method to do the synchronization. It can be `rsync` or `xrdcp`. The rsync method relies on connecting to lxplus, and will make sure that the files deleted in source are also deleted on destination. The account (`EOS_ACCOUNT_USERNAME`) used must be able to log in lxplus. On the other hand xrdcp will directly connect to EOS, but will not delete files on the destination. **Default**: `xrdcp`
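Review bot: The `rsync` description on this bullet requires that the account in `EOS_ACCOUNT_USERNAME` can log in to lxplus, which goes beyond the "write access to that particular web site" recommended in the new security paragraph, and the bullet does not point back to that paragraph. Suggest a short cross-reference here saying that the same dedicated low-privilege account should be used, and that with `rsync` it additionally needs lxplus login and will propagate deletions to the destination. Also, "log in lxplus" should read "log in to lxplus".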