Does Security in DVCS Affect all Synchronized servers?

[tom.peters]

Good Day -

We are running a fully distributed development environment and I need to start setting some permissions on certain folders within a repository.

If I setup groups/user and folder item permissions on the central repository, will these be picked up by the developer servers when they sync? I ask because I do not want each developer to setup their own server's permissions. I want to be the one to do this and I'd hate to have to actually set it up for each and every developer.

Thanks,

Tom

[manu]

Hello Tom.

yes, the permissions are propagated along with the replication operation.

Some of our customers are not comfortable with this feature and they use the "--noacl" parameter to use the "cm replicate" command without the ACL propagation.

[tom.peters]

Brilliant! Thank you, very much!

[tom.peters]

Another question... Does this mean that the groups will be replicated, as well? Because we are fully-distributed, each developer has his/her own Plastic server. This means the security, therein, must be setup, properly, or this will not work...correct?

Example:

Group 'Developers' on the central repository is allowed to check-in, checkout on folders X and Y

Group 'Testers' on the central repository is allowed to check-in, checkout only on folder Y

Jim is a brand developer with his own local Plastic server. He only has ALL_USERS, right now. When he pulls the source from the central repository (thereby getting the ACL), will the Groups come over, too? If not, do we need to create a Group named 'Developers' on his server and, if so, will the replication recognize this group by name?

I apologize for the seemingly endless questions, but the security guide does not discuss DVCS (and, if it does, I missed it).

Thanks,

Tom

[manu]

The scenario is going to work is the authentication is a central one, for example LDAP or AD. Can you tell me which kind of authentication are you using in your setup?

[tom.peters]

We are using UP.

[manu]

In that case I think it will be enough if you send your "users.conf" and groups.conf" files to your coworkers. Then, they need to copy them into their distributed servers directory and restart the server. That's all.

[tom.peters]

OK, so let's see if I got this right...

If I setup everyone on the central repository (users and groups) and then distribute these files (users.conf and groups.conf), the users can restart their server and they will see all of the users/groups I setup on the central server.

As permissions are changed on the central server, the users will pick up these permission changes when they pull from the repository.

Is this correct?

[manu]

Yep!

[tom.peters]

I told you you guys were the coolest! Thanks!

[manu]

Tell me if everything works as expected!

[tom.peters]

Hi Manu -

We are, currently, mapping out how we are going to implement permissions. This raised another question: If I deny permissions on the /main branch, will those permissions automatically be inherited by all descendants (child branches)?

We have a group that can only check-in on specific branches which we will identify as they come up. I'd like to set that group to have no check-in permissions on all branches and then, as needed, grant check-in permission on specific branches.

So, we have many branches and I was hoping that denying check-in to that group on /main would, thereby, deny it on all child branches.

Thanks,

Tom

[manu]

Hi Tom,

I would recommend you to wait a little bit, we are about to release the new ACL system for Plastic SCM 4 and it will be much easier than the current one, we hope to have it released next week!

But if you are really in a hurry we can speak about your scenario with the current system.