Perforce 2008.2 System Administrator's Guide | ||
<< Previous Chapter Administering Perforce: Superuser Tasks |
Table of Contents Index Perforce on the Web |
Next Chapter >> Customizing Perforce: Job Specifications |
The Perforce protections table is stored in the db.protect file in the server root directory; if p4 protect is first run by an unauthorized user, the depot can be brought back to its unprotected state by removing this file.
Protections: |
(The five fields might not line up vertically on your screen; they are aligned here for
readability.)
Note |
If your site is also using the Perforce Proxy, see "P4P and protections" on page 159 to learn how to configure the protections table to require users at remote sites to use the proxy. |
The meanings of these fields are shown in the following table.
Field |
Meaning |
---|---|
Access Level |
Which access level (list, read, open, write, review, admin, or super) or specific right (=read, =open, =write, or =branch) is being granted or denied. Each permission level includes all the permissions above it (except for review). Each permission right (denoted by an =) only includes the specific right and not all of the lesser rights. In general, one typically grants an access level to a user or group, after which, if finer-grained control is required, one or more specific rights may then be denied. |
User/Group |
Does this protection apply to a user or a group? The value must be user or group. |
Name |
The user or group whose protection level is being defined. This field can contain the * wildcard. A * by itself grants this protection to everyone, *e grants this protection to every user (or group) whose username ends with an e. |
Host |
The TCP/IP address of the host being granted access. This must be provided as the numeric address of the host in dotted quad notation (for instance, 192.168.41.2). The host field can also contain the * wildcard. A * by itself means that this protection is being granted for all hosts. The wildcard can be used as in any string, so 192.168.41.* would be equivalent to 192.168.41.0/24, and *3* would refer to any IP address with a 3 in it. Because the client's IP address is provided by the Internet Protocol itself, the host field provides as much security as is provided by the network. You cannot combine the * wildcard with CIDR notation, except at the start of a line when controlling proxy matching. For more about controlling access to a Perforce server via the Perforce Proxy, see "P4P and protections" on page 159. |
Files |
A file specification representing the files in the depot on which permissions are being granted. Perforce wildcards can be used in the specification. "//..." means all files in all depots. |
Each Perforce command is associated with a particular minimum access level. For example, to run p4 sync or p4 print on a particular file, the user must have been granted at least read access on that file. For a full list of the minimum access levels required to run each Perforce command, see "How protections are implemented" on page 88.
The specific rights of =read, =open, =write, and =branch can be used to override the automatic inclusion of lower access levels. This makes it possible to deny individual rights without having to then re-grant lesser rights.
For example, if you want administrators to have the ability to run administrative commands, but to deny them the ability to make changes in certain parts of the depot, you could set up a permissions table as follows:
admin user joe * //... |
In this example, user joe can perform administrative functions, which may include reading or listing files in //depot/build/..., but he is prohibited from opening files for edit (or submitting any changes he may have open.) He can, however, continue to create and modify files outside of the protected //depot/build/... area.
Read access to particular files should be granted to users who never need to edit those files. For example, an engineer might have write permission for source files, but have only read access to the documentation, and managers not working with code might be granted read access to all files.
Because open access enables local editing of files, but does not permit these files to be written to the depot, open access is granted only in unusual circumstances. You might choose open access over write access when users are testing their changes locally but when these changes should not be seen by other users. For instance, bug testers might need to change code in order to test theories as to why particular bugs occur, but these changes are not to be written to the depot. Perhaps a codeline has been frozen, and local changes are to be submitted to the depot only after careful review by the development team. In these cases, open access is granted until the code changes have been approved, after which time the protection level is upgraded to write and the changes submitted.
write user * * //... |
This indicates that write access is granted to all users, on all hosts, to all files. Additionally, the user who first invoked p4 protect (in this case, edk) is granted superuser privileges.
Lisa, whose Perforce username is lisag, is using a workstation with the IP address
195.42.39.17. The protections file reads as follows:
read user * 195.42.39.17 //... |
The union of the first three permissions applies to Lisa. Her username is lisag, and she's
currently using a client workspace on the host specified in lines 1 and 2. Thus, she can write
files located in the depot's elm_proj/doc subdirectory but can only read other files. Lisa
tries the following:
She types p4 edit //depot/elm_proj/doc/elm-help.1, and is successful.
She types p4 edit //depot/elm_proj/READ.ME, and is told that she doesn't have the
proper permission. She is trying to write to a file to which has only read access. She types p4
sync //depot/elm_proj/READ.ME, and this command succeeds, because only read
access is needed, and this is granted to her on line 1.
Lisa later switches to another machine with IP address 195.42.39.13. She types p4 edit
//depot/elm_proj/doc/elm-help.1, and the command fails; when she's using this host,
only the third permission applies to her, and she only has read privileges.
To use exclusionary mappings properly, it is necessary to understand some of their peculiarities:
An administrator has used p4 protect to set up protections as follows:
write user * * //... |
The first permission looks like it grants write access to all users to all files in all depots, but
this is overruled by later exclusionary protections for certain users.
The third permission denies Joe permission to access any file from any host. No subsequent
lines grant Joe any further permissions; thus, Joe has been effectively locked out of Perforce.
The fourth permission denies Lisa all access to all files on all hosts, but the fifth permission
gives her back write access on all files within a specific directory. If the fourth and fifth lines
were switched, Lisa would be unable to run any Perforce command.
With no options, p4 protects displays the lines in the protections table that apply to the current user. If a file argument is provided, only those lines in the protection table that apply to the named files are displayed. Using the -m flag displays a one-word summary of the maximum applicable access level, ignoring exclusionary mappings.
Perforce superusers can use p4 protects -a to see all lines for all users, or p4 protects -u user, -g group, or -h host flags to see lines for a specific user, group, or host IP address.
Groups are maintained with p4 group, and their protections are assigned with p4 protect. Only Perforce superusers can use these commands.
To add users to a group, add user names in the Users: field of the form generated by the p4 group groupname command. User names are entered under the Users: field header; each user name must be typed on its own line, indented. A single user can be listed in any number of groups.
Groups can contain other groups as well as individual users. To add all users in a previously defined group to the group you're working with, include the group name in the Subgroups: field of the p4 group form. User and group names occupy separate namespaces, so groups and users can have the same names.
This protections table grants list access to all members of the group devgrp, and super
access to user edk:
list group devgrp * //... |
If a user belongs to multiple groups, one permission can override another. For instance, if you use exclusionary mappings to deny access to an area of the depot to members of group1, but grant access to the same area of the depot to members of group2, a user who is a member of both group1 and group2 is either granted or denied access based on whichever line appears last in the protections table. The actual permissions granted to a specific user can be determined by replacing the names of all groups to which a particular user belongs with the user's name within the protections table and applying the rules described earlier in this chapter.
Users' access to files is determined by the following steps:
The first pass determines whether the user is permitted to know if the file exists. This search simply looks for the first line encountered that matches the user name, host IP address, and file argument. If the first matching line found is an inclusionary protection, the user has permission to at least list the file, and Perforce proceeds to the second pass. Otherwise, if the first matching protection found is an exclusionary mapping, or if the top of the protections table is reached without a matching protection being found, the user has no permission to even list the file, and will receive a message such as File not on client.
Suppose the protections table is as follows:
write user * * //... |
If Ed runs p4 print //depot/file.c, Perforce examines the protections table bottom to
top, and first encounters the last line. The files specified there don't match the file that Ed
wants to print, so this line is irrelevant. The second-to-last line is examined next; this line
matches Ed's user name, his IP address, and the file he wants to print; since this line is an
exclusionary mapping, Ed isn't allowed to list the file.
If an inclusionary protection line is the first line encountered that matches the user name, IP address, and file argument, and has an access level greater than or equal to the access level required by the given command, the user is given permission to run the command.
If an exclusionary mapping is the first line encountered that matches according to the above criteria, or if the top of the protections table is reached without finding a matching protection, the user has no permission to run the command, and receives a message such as You don't have permission for this operation.
Commands that list files, such as p4 describe, list only those files to which the user has at least list access.
Some commands (for example, p4 change, when you edit a previously submitted changelist) take a -f flag that can only be used by Perforce superusers. See "Forcing operations with the -f flag" on page 51 for details.
Perforce 2008.2 System Administrator's Guide | ||
<< Previous Chapter Administering Perforce: Superuser Tasks |
Table of Contents Index Perforce on the Web |
Next Chapter >> Customizing Perforce: Job Specifications |