RatticDB: Python password management service
RatticDB is an open source Python/Django based password management database. This service was developed to simplify the password management for humans and their teams. It was achieved using a simple ACL scheme and a useful tool that helps to determine which passwords to change when users leave or change teams. RatticDB has an API that can be applied for programmatic access to the stored data by the outside programs, e.g. read access for credential. RatticDB can work with any database Django can.
RatticDB doesn’t include encryption in the application, since it was developed as 'Password Lifecycle Management' system and not just a 'Password Storage Engine'. Encryption is difficult to do right and it increases complexity. A good alternative is an encryption done in the filesystem. You should make sure to install RatticDB in such a way that the database is on an encrypted filesystem. The webpage should be served over HTTPS.
Among other useful features there is a "Change Queue" - tool that allows tracking when and which passwords should be changed. RatticDB’s tagging system helps to organise passwords in several different organisation schemes. As for authentication to RatticDB there are two options:
- to use session authentication - sessions keys require users to be logged in with their username, password and configured one time pad device;
- to use API Key authentication - API keys are static values that are created for systems with no interactive access.
RatticDB provides audit logs for all actions performed on a credential to ensure full accountability. Auditing functionality enables users with staff access to see the audit logs on the credentials pages and the user details page. They can also access the audit log pages and audit by user, credential or view all audit entries for some period of time. This helps staff members to analyse users’ activity - who has seen what passwords and when they have been edited. Audit logs are rather detailed and offer the following audit types: Added, Only Metadata Changed, Changed, Only Details Viewed, Password Viewed, Exported, Deleted, Scheduled For Change.
RatticDB offers certain permission system to ensure the password management productivity:
- Only admins can create groups.
- Users can be in any number of groups and groups can include any number of members.
- Credentials have to belong only to one single group. Users can add new credentials to any group they are in.
- Users can fully access any credential of the groups they are members of, including moving it to another group they are in.
- Permissions affect both credential and all its historical versions. Users may or may not have right to access credential and its historical versions depending on the latest permission applied.
- Tags are used for organisation and search simplification only, thus they do not influence permissions.
If you are looking for an open source password management system that suits team access, then RatticDB might be for you. It is written in Python, user-friendly and fully functional software. Find out more on rattic.org.