
Ours are not named with a common identifier and this also needs constant effort to maintain while refactoring and there's still scope for a mistake.

*Ideally*, devs should not have prod access, or their credentials should only have limited access without permissions for destructive actions like drop/truncate etc.

But in reality, there's always that one helpful dba/dev who shares admin credentials for a quick prod fix with someone and then those credentials end up in a wiki somewhere as part of an SOP.



That's why you do credentialing via ssh keys, and keys are explained and map to a user, and non-dba keys should expire.

If you need access for a quick prod fix, your key gets added to the machine with that explanation and a week (or less) lifetime.
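One way to check a host against the policy in the comment above, as an added example that is not part of the thread: it assumes the lifetime is enforced with OpenSSH's `expiry-time` option in `authorized_keys`, that the explanation lives in the key's comment field, and that the cap is 7 days. The function names are hypothetical and the exemption for DBA keys is not modelled.

```python
import re
from datetime import datetime, timedelta

KEY_TYPE = re.compile(r"(?:sk-)?(?:ssh|ecdsa)-\S+\s")
# sshd accepts YYYYMMDD or YYYYMMDDHHMM[SS]; a trailing Z (UTC) is ignored here for simplicity.
EXPIRY = re.compile(r'expiry-time="(\d{8}(?:\d{4}(?:\d{2})?)?)Z?"')
FORMATS = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}

def split_options(line):
    """Split an entry into (options, rest); options is '' if the line starts with a key type."""
    if KEY_TYPE.match(line):
        return "", line
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and line[i - 1:i] != "\\":
            in_quote = not in_quote          # option values may contain quoted spaces
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].strip()
    return line, ""

def audit(text, now, max_life=timedelta(days=7)):
    """Return (line_number, finding) pairs for entries that break the policy."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = split_options(line)
        fields = rest.split(None, 2)  # key type, base64 blob, free-text comment
        if len(fields) < 3:
            findings.append((n, "no-explanation"))
        m = EXPIRY.search(options)
        if not m:
            findings.append((n, "no-expiry"))
            continue
        stamp = m.group(1)
        expires = datetime.strptime(stamp, FORMATS[len(stamp)])
        if expires <= now:
            findings.append((n, "expired"))
        elif expires - now > max_life:
            findings.append((n, "lifetime-too-long"))
    return findings

# Constructed sample file; key blobs are placeholders, not real keys.
SAMPLE = '''\
expiry-time="20250110" ssh-ed25519 AAAAC3placeholder1 alice: hotfix for stuck migration
ssh-ed25519 AAAAC3placeholder2 bob: quick prod fix
expiry-time="20250301",no-port-forwarding ssh-ed25519 AAAAC3placeholder3 carol: index rebuild
from="10.0.0.5",expiry-time="202501010900" ssh-rsa AAAAB3placeholder4
'''
```

Calling `audit(SAMPLE, datetime(2025, 1, 6))` flags the second entry for having no expiry, the third for a lifetime beyond a week, and the fourth for being both unexplained and already expired.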



