Developer documentation for Agave, Abaco, and other TACC APIs
Alway use SSL. Agave services will force SSL if you don't specify it, but it's best to protect your application with SSL as a best practice.
Use restricted SSH keys whenever possible.
Use SSH keys rather than passwords whenever possible.
Use a MyProxy Gateway service whenever available rather than a stock MyProxy service to avoid password exposure.
Always configure a default storage system for your organization. This provides tremendous benefit to users who don't want to think about the makeup of your infrastructure.
Use contextual naming for systems. nryan-vm-sftp-prod is favorable to my-vm. DNS is also a good approach to naming, but you will still need to contextualize it with something like a username since multiple users may want to register the same system.
Grant the minimum sufficient role for a user that enables them to do what you want them to do. Don't grant a PUBLISHER role when a GUEST role will suffice. Don't grant an ADMIN role when a USER role will get the job done.
Always explicitly specify a scratchDir for your execution systems. This will allow you easily see where your job data will go and avoids systems where your home directory has a smaller quota than other areas of your system.
Always favor the full canonical URL over assuming default systems. Default systems may change on a user-to-user basis, but canonical URLs will always be the same.
Error on the side of privacy by granting permissions to single users and groups over making data public.
Avoid over-sharing by granting permissions on specific files or minimum subtrees rather than sharing entire home folders.
Always limit the lifetime of a postit by specifying either the maximum number of uses or an expiration date. This will prevent people from accessing resources long after you intended for them to do so.