Permissions to deploy to multiple environments with Capistrano
What is the proper way to set up Capistrano to deploy a Rails app to multiple environments with different permissions required for each environment? In other words, imagine a typical scenario where a developer makes changes to code and pushes the changes to a testing environment. After testing, a release manager pushes the changes to production. And so on, with possible additional levels in between. Capistrano (even with the multistage extension in capistrano-ext) seems to be built for a single user having permissions to deploy to any environment. What is the recommended setup for cases where people at the bottom level shouldn't be able to deploy all the way to production?
In setting up Capistrano and deployment, there are differences between the user account which is used for deployment and the people with permissions who can deploy.
In Capistrano you set up the user:
set :user, 'deploy'
This user account must exist on each machine the Capistrano deploy script connects to, for each role: app, web, db. It is recommended to set it up with SSH key authentication.
When someone uses cap deploy, it will connect to the machines with SSH keys and will work only if you have your public key installed on that account.
This method allows different people to have different access to the machines. For production, only install the SSH keys of the people with admin access to the machines. Then even if someone runs cap deploy, it will not work since they cannot connect to the remote user.
We allow anyone to have their SSH key on the staging environment, but only a couple of people have access to the production server.
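One way to verify that each stage's deploy account holds only the keys intended for it, as an added example that is not part of the original answer: it parses an authorized_keys file and reports keys whose fingerprint is not on that stage's approved list. The stage names, key blobs, comments and the approved lists are constructed placeholders.

```ruby
require 'base64'
require 'digest'

# Key type, base64 blob, optional comment; any options prefix is skipped.
KEY_RE = %r{(?:\A|\s)(ssh-(?:rsa|ed25519)|ecdsa-sha2-\S+|sk-\S+)\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?\z}

# SHA256 fingerprint in the format `ssh-keygen -l` prints.
def fingerprint(blob_b64)
  'SHA256:' + Digest::SHA256.base64digest(Base64.strict_decode64(blob_b64)).delete('=')
end

# Parse authorized_keys text, skipping blank and comment lines.
def parse_authorized_keys(text)
  lines = text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }
  lines.map do |line|
    m = KEY_RE.match(line) or raise ArgumentError, "unparseable line: #{line[0, 40]}"
    { fingerprint: fingerprint(m[2]), comment: m[3].to_s }
  end
end

# Keys present in the file that are not approved for the stage.
def unapproved_keys(text, approved)
  parse_authorized_keys(text).reject { |k| approved.include?(k[:fingerprint]) }
end

# Constructed sample data: placeholder blobs, not real public keys.
def sample_blob(name)
  Base64.strict_encode64("constructed-key-#{name}")
end

ALICE, BOB, CAROL = %w[alice bob carol].map { |n| sample_blob(n) }
APPROVED = {
  staging: [ALICE, BOB, CAROL].map { |b| fingerprint(b) },
  production: [fingerprint(ALICE)]
}.freeze
PRODUCTION_KEYS = <<~KEYS
  # authorized_keys of the deploy user on production (constructed)
  ssh-ed25519 #{ALICE} alice@release
  from="10.0.0.0/8",no-pty ssh-rsa #{BOB} bob@dev
KEYS

unapproved_keys(PRODUCTION_KEYS, APPROVED[:production]).each do |k|
  puts "unapproved on production: #{k[:comment]} #{k[:fingerprint]}"
end
```

Matching on fingerprints rather than the comment field matters because the comment is free text that anyone editing the file can set to any name.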