Granular Protections Management with Triggers
Amy Kendziorski, Design Methodology Engineer, Cirrus Logic
Who is Excited?
Managing the protections table with triggers
Agenda
• What is the “Protections Table”?
• What’s wrong with it?
• How to fix it
• A real life example
• The Payoff
Protections Table Basics
Perforce provides a protection scheme to prevent unauthorized or inadvertent access to files in the depot. The protections determine which Perforce commands can be run, on which files, by whom, and from which host. You configure protections with the p4 protect command.
Protections Example
Protections:
    read user emily * //depot/elm_proj/...
    write group devgrp * //...
    write user * 195.3.24.0/24 -//...
    write user joe * -//...
    write user lisag * -//depot/...
    write user lisag * //depot/doc/...
    super user edk * //...
What’s wrong with it?
• Comments not allowed
• No change history
• Multiple users can override changes
• Difficult to keep clean
• Requires super permissions to view or edit
• Time drain on admins to maintain the table

Two ways to fix it: a File Based Protections Table, or Multi-File Based Management.
Solution: File Based Protections Table
• Manage protections with a file
• Trigger or manual process to update the table
• Users can modify the entire table
Solution: Multi-File Based Management
• Manage protections with multiple files
• Triggers automatically update the protects table
• Restrict users to the sections of the table they may modify
Example
Protections Table Division
The table is divided into sections, in this order:
• Admin Header
• Project A
• Project B
• Project C
• Admin Footer
Projects Depot
• Each project has a permissions file
• Read/Write of the projects depot granted to all users
• Trigger gates submit of the permissions file

    //projects/abc/permissions
    //projects/xyz/permissions
Granular Permissions Management
• Contains a list of projects, depots, and allowed users
• Project name maps to //projects/<name>
• Stored in //admin/protects/projectaccess

    # project  depot      users
    abc        //abc      akendz,moneal,zbehr
    xyz        //xyz      akendz,moneal,jrhode
    small_ip   //ip/small akendz,moneal
    big_ip     //ip/big   akendz,moneal
Admin Depot
• Accessible by users in the “admin” group
• Trigger scripts
• Protections header/footer files
• File to manage granular permissions

    //admin/triggers/protects_update.rb
    //admin/protects/header
    //admin/protects/footer
    //admin/protects/projectaccess
Protects Header (optional)
• Set up default permissions
• Manage old projects

//admin/protects/header
    # grant read permissions to all cirrus
    read group cirrus * //cirrus-ip/...
    # the validation team has a special depot
    read group read-qa * //depot/qa/...
    write group qa * //depot/qa/...
Protects Body
Concatenation of the project permissions files, //projects/*/permissions:
    # comment from abc permissions file
    read group read-abc * //abc/...
    write group abc * //abc/...
    # comment from xyz permissions file
    read group read-xyz * //xyz/...
    write group xyz * //xyz/main/...
    write group xyz * //xyz/dev-*/...
Protects Footer
• Set up super users
• Hide restricted projects
• Non-chip depot management

//admin/protects/footer
    write group admin * //admin/...
    list user * * -//super_secret/...
    admin user swarm * //...
    super user superamy * //...
Triggering Updates
Triggers
Pre-submit
• change-content //projects/*/permissions
Post-submit
• change-commit //projects/*/permissions
• change-commit //admin/protects/...
Pre-Submit Trigger
• Confirms that the user has been granted permission to submit
• Checks for common syntax errors
• Only the allowed depot can be present in the file
Post-Submit Trigger
Concatenates the files and updates the protections table:
• p4 print -q //admin/protects/header
• p4 print -q //projects/*/permissions
• p4 print -q //admin/protects/footer
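The two triggers above, the pre-submit gate on a project's permissions file and the post-submit assembly of header, project files and footer, together with the projectaccess file layout from the Granular Permissions Management slide, as an added Ruby example. This is not the deck's protects_update.rb: the file contents are constructed stand-ins for what p4 print -q would return, the list of accepted access levels and the "Protections:" spec layout fed to p4 protect -i are assumptions, and the trigger's actual p4 calls are left out so the code runs offline.

```ruby
# Added example, not the Cirrus Logic trigger script. Constructed sample
# inputs standing in for `p4 print -q` output of the admin and project files.
PROJECTACCESS = <<~EOS
  # project depot users
  abc //abc akendz,moneal,zbehr
  xyz //xyz akendz,moneal,jrhode
EOS

HEADER = <<~EOS
  # grant read permissions to all cirrus
  read group cirrus * //cirrus-ip/...
EOS

FOOTER = <<~EOS
  write group admin * //admin/...
  super user superamy * //...
EOS

PERMISSIONS = {
  "abc" => "# abc permissions file\nread group read-abc * //abc/...\nwrite group abc * //abc/...\n",
  "xyz" => "# xyz permissions file\nread group read-xyz * //xyz/...\nwrite group xyz * //xyz/main/...\n",
}.freeze

# Access levels a protections entry may use (assumed set of Perforce levels).
ACCESS_LEVELS = %w[list read open write admin super review =read =open =write =branch].freeze

# Parse //admin/protects/projectaccess into { project => { depot:, users: } }.
def parse_projectaccess(text)
  text.each_line.with_object({}) do |line, acc|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    name, depot, users = line.split(/\s+/, 3)
    acc[name] = { depot: depot, users: users.to_s.split(",") }
  end
end

# Pre-submit checks for //projects/<project>/permissions: submitter must be
# listed for the project, every entry must parse, and every path must stay
# inside the project's own depot. Returns error strings; empty means OK.
def validate_permissions(project, submitter, text, access)
  entry = access[project]
  return ["unknown project #{project}"] unless entry
  errors = []
  errors << "user #{submitter} not allowed to edit #{project} permissions" unless entry[:users].include?(submitter)
  depot_prefix = "#{entry[:depot]}/"
  text.each_line.with_index(1) do |line, n|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    fields = line.split(/\s+/)
    if fields.length != 5
      errors << "line #{n}: expected 'access type name host path', got #{fields.length} fields"
      next
    end
    level, type, _name, _host, path = fields
    errors << "line #{n}: unknown access level #{level}" unless ACCESS_LEVELS.include?(level)
    errors << "line #{n}: type must be user or group" unless %w[user group].include?(type)
    # Exclusion entries start with '-'; the depot restriction applies to both forms.
    errors << "line #{n}: path #{path} is outside #{entry[:depot]}" unless path.delete_prefix("-").start_with?(depot_prefix)
  end
  errors
end

# Post-submit assembly: header + each project's file + footer, in the spec
# form `p4 protect -i` reads. Each project file is re-validated first so a
# bad file can never replace the live table (the "oopsies" the deck mentions).
def assemble_protections(header, permissions, footer, access)
  body = permissions.map do |project, text|
    errs = validate_permissions(project, access.dig(project, :users, 0), text, access)
    raise "refusing to update protections: #{errs.join('; ')}" unless errs.empty?
    "# from //projects/#{project}/permissions\n" + text
  end.join
  entries = (header + body + footer).each_line.map(&:strip).reject(&:empty?)
  # Comment lines stay unindented; protection entries are tab-indented as in the spec.
  "Protections:\n" + entries.map { |e| e.start_with?("#") ? "#{e}\n" : "\t#{e}\n" }.join
end

if __FILE__ == $0
  access = parse_projectaccess(PROJECTACCESS)
  p validate_permissions("abc", "akendz", PERMISSIONS["abc"], access)
  puts assemble_protections(HEADER, PERMISSIONS, FOOTER, access)
end
```

In a real trigger the change-content script would read the submitted file from the pending changelist and exit non-zero when validate_permissions returns anything, and the change-commit script would pipe the string from assemble_protections into p4 protect -i; both are left as shell-outs for the reader to wire up.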
Old Flow: User A, User B, User C and Miles each edit the Protects Table directly.

New Flow with Triggers: project files -> pre-commit trigger -> commit -> post-commit trigger -> Protects Table.
Only Downside: What about Miles?
Implementation Issues
Initial Setup Cost
• Additional steps required to set up project permissions
• Solution: automated with scripts
User Education
• More users require protections table knowledge
• Solution: provided examples to all users
The Payoff
Benefits
• No more downtime from protections table “oopsies”
• All changes are instantly communicated
• All users can see the protections entries relevant to them
• Managers maintain their own project protections
• Dramatically decreased number of admin requests
Contact: