
Server-side merge and replicatewrite permissions


ChonkyBiscuit


Server version: 7.0.16.2596
Windows Client version: 7.0.16.2421

I'm looking to use the server-side merge to automate merging main to a different branch, and it seems like it requires the `replicatewrite` permission to do so. If I try to merge server-side without that permission, it fails with the error 'You do not have permissions for operation mergefrom', even though I have that permission on the repo.

Is this expected behavior?

These are the commands I run to merge:

```
cm merge br:/main@foo --to=br:/main/example@foo --merge --shelve -c="Local Shelve created for example branch"
cm merge sh:## --to=br:/main/example@foo --merge
```

 

Link to comment

Hi,

I checked your case (using your versions) but I couldn't reproduce it. A merge-to can be done without any problem without the permission 'replicationwrite'.

I reviewed the code and as far as I see the 'replicationwrite' permission is not checked during the merge-to operation. This permission is only used by the replication and the tube.

Could you attach the client and the server log with the error? Maybe we can see something in them.

Best regards

Borja

 

 

Link to comment

The client logs don't seem to show much, and I'm attempting to get the server logs from the repository owner now. I can't reproduce this on my local server either, so I'm wondering if there is a 'deny' somewhere that I can't see? The solution that worked in this case was adding my user to br:/main (the branch to mergefrom) and the attached file has the list of permissions of the main branch. I was originally in the Plastic_Project_RW LDAP group, I am in no others that were listed.

Relevant portions of the client debug log:

2018-10-11 14:42:21,904 DOMAIN\thisUser DEBUG PlasticPipe - sentb:   140|recb:    68|prt:       0|CalculateMerge|plastic-server:8087
2018-10-11 14:42:21,907 DOMAIN\thisUser DEBUG CmProxy - Error invoking CalculateMerge. You don't have permissions for operation mergefrom..
   at c6.a(oo A_0, PlasticMethods A_1, Credentials A_2, w A_3, w A_4, Boolean A_5, abl& A_6)
   at c6.a(oo A_0, PlasticMethods A_1, Credentials A_2, w A_3, w A_4, abl& A_5)
   at c6.a(oo A_0, PlasticMethods A_1, Credentials A_2, w A_3, w A_4)
   at en.a.a(oo A_0, Credentials A_1)

2018-10-11 14:42:23,451 DOMAIN\thisUser ERROR plastic - Plastic SCM client version: 7.0.16.2562
2018-10-11 14:42:23,451 DOMAIN\thisUser ERROR plastic - 
Error message: You don't have permissions for operation mergefrom.
2018-10-11 14:42:23,492 DOMAIN\thisUser DEBUG plastic - 
StackTrace:    at c6.a(oo A_0, PlasticMethods A_1, Credentials A_2, w A_3, w A_4, Boolean A_5, abl& A_6)
   at c6.a(oo A_0, PlasticMethods A_1, Credentials A_2, w A_3, w A_4, abl& A_5)
   at c6.a(oo A_0, PlasticMethods A_1, Credentials A_2, w A_3, w A_4)
   at en.a.a(oo A_0, Credentials A_1)
   at acm.a(a A_0, oo A_1, String A_2, b A_3, a A_4, UserInfo A_5, aft A_6, Boolean A_7)
   at acm.Invoke(a A_0, oo A_1, String A_2, b A_3, a A_4, UserInfo A_5, aft A_6)
   at en.a(oo A_0, PlasticMethods A_1, w A_2, w A_3)
   at qh.a(SerializedMergeSource A_0)
   at aiy.a(WorkspaceInfo A_0, MergeSource A_1)
   at k.a(MergeSource A_0, MountPointWithPath A_1)
   at qb.a(MergeSource A_0, MountPointWithPath A_1)
   at qb.a(Boolean A_0)

 

repoPermissionsN.xml

Link to comment

Below are a few separate instances of the same error from @ChonkyBiscuit.

Additionally, I've gone through the branches and checked the permissions individually.  The group she's in has the following permissions to the entire repo:

[Attached image: image.png]

The group has the following privileges on the /main branch:
[Attached image: image.png]

And then she was provided individualized privileges to "replicatewrite" afterwards.  When given the privilege to "replicatewrite" she is able to "mergefrom." But otherwise, her permissions are restricted.
 

From the Plastic.errors.log:

2018-10-11 14:42:21,387 PC-0960 ERROR Operations - OnError catching exception [You don't have permissions for operation mergefrom.] - Plastic server version: 7.0.16.2596
2018-10-11 14:42:21,387  ERROR PlasticProto.ConnectionFromClient - conn 94456. Error in ProcessMethodCall for method CalculateMerge. You don't have permissions for operation mergefrom.

2018-10-11 16:59:10,120 PC-0960 ERROR Operations - OnError catching exception [You don't have permissions for operation mergefrom.] - Plastic server version: 7.0.16.2596
2018-10-11 16:59:10,120  ERROR PlasticProto.ConnectionFromClient - conn 96374. Error in ProcessMethodCall for method CalculateMerge. You don't have permissions for operation mergefrom.

2018-10-11 17:05:21,782 PC-0960 ERROR Operations - OnError catching exception [You don't have permissions for operation mergefrom.] - Plastic server version: 7.0.16.2596
2018-10-11 17:05:21,782  ERROR PlasticProto.ConnectionFromClient - conn 96400. Error in ProcessMethodCall for method CalculateMerge. You don't have permissions for operation mergefrom.

2018-10-11 17:05:46,923 PC-0960 ERROR Operations - OnError catching exception [You don't have permissions for operation chgperm.] - Plastic server version: 7.0.16.2596
2018-10-11 17:05:46,923  ERROR PlasticProto.ConnectionFromClient - conn 96402. Error in ProcessMethodCall for method SetPermissions. You don't have permissions for operation chgperm.

From the plastic.debug.log:

2018-10-11 14:42:21,371 37   DEBUG WorkerThread - WorkerThread.Run: Work retrieved. Id: 37. 1594 ms
2018-10-11 14:42:21,371 37 00000000-0000-0000-0000-000000000000 PC-0960 INFO  Operations - Get info for branch /main at repository ID 135
2018-10-11 14:42:21,371 37 00000000-0000-0000-0000-000000000000 PC-0960 DEBUG Transaction - Begin implicit transaction rep_135
2018-10-11 14:42:21,371 37 00000000-0000-0000-0000-000000000000 PC-0960 DEBUG Transaction - Commiting implicit transaction
2018-10-11 14:42:21,371 37 00000000-0000-0000-0000-000000000000 PC-0960 DEBUG Transaction - Commit implicit transaction rep_135
2018-10-11 14:42:21,371 37   INFO  ChannelCall - conn: 94456 protocol:plasticproto recb:    16|rect:  0|sentb:   123|sendt:  0|queuedt:       0|prt:       0|th:   37|dest:   0|mt:       0|sert:   0|zip:   0|cpu:       0|     10.10.8.134|user::UsersSID|GetBranchInfoByName
2018-10-11 14:42:21,371 37   DEBUG WorkerThread - WorkerThread.Run: Going to GetWork. Id: 37
2018-10-11 14:42:21,371 20   DEBUG PlasticProto.ConnectionFromClient - conn 94456. ReceiveAsync
2018-10-11 14:42:21,371 26   DEBUG PlasticProto.ConnectionFromClient - conn 94456. awaked. total 1
2018-10-11 14:42:21,371 33   DEBUG WorkerThread - WorkerThread.Run: Work retrieved. Id: 33. 657 ms
2018-10-11 14:42:21,371 33 00000000-0000-0000-0000-000000000000 PC-0960 INFO  Operations - Get info for branch /main/ChildBranch at repository ID 135
2018-10-11 14:42:21,371 33 00000000-0000-0000-0000-000000000000 PC-0960 DEBUG Transaction - Begin implicit transaction rep_135
2018-10-11 14:42:21,371 33 00000000-0000-0000-0000-000000000000 PC-0960 DEBUG Transaction - Commiting implicit transaction
2018-10-11 14:42:21,371 33 00000000-0000-0000-0000-000000000000 PC-0960 DEBUG Transaction - Commit implicit transaction rep_135
2018-10-11 14:42:21,371 20   DEBUG PlasticProto.ConnectionFromClient - conn 94456. ReceiveAsync
2018-10-11 14:42:21,387 33   INFO  ChannelCall - conn: 94456 protocol:plasticproto recb:    51|rect:  0|sentb:   189|sendt:  0|queuedt:       0|prt:      15|th:   33|dest:   0|mt:       0|sert:   0|zip:   0|cpu:      15|     10.10.8.134|user::UsersSID|GetBranchInfoByName
2018-10-11 14:42:21,387 33   DEBUG WorkerThread - WorkerThread.Run: Going to GetWork. Id: 33
2018-10-11 14:42:21,387 26   DEBUG PlasticProto.ConnectionFromClient - conn 94456. awaked. total 1
2018-10-11 14:42:21,387 46   DEBUG WorkerThread - WorkerThread.Run: Work retrieved. Id: 46. 672 ms
2018-10-11 14:42:21,387 20   DEBUG PlasticProto.ConnectionFromClient - conn 94456. ReceiveAsync
2018-10-11 14:42:21,387 46 00000000-0000-0000-0000-000000000000 PC-0960 DEBUG Transaction - Begin implicit transaction rep_135
2018-10-11 14:42:21,387 46 00000000-0000-0000-0000-000000000000 PC-0960 WARN  Security - Access denied. Object id:3@rep:135. SEID UsersSID. Permissions mergefrom
2018-10-11 14:42:21,387 46 00000000-0000-0000-0000-000000000000 PC-0960 ERROR Operations - OnError catching exception [You don't have permissions for operation mergefrom.] - Plastic server version: 7.0.16.2596
2018-10-11 14:42:21,387 46 00000000-0000-0000-0000-000000000000 PC-0960 DEBUG Operations - OnError catching exception You don't have permissions for operation mergefrom.
   at SecurityManager.SecurityHandler.ThrowSecurityAclException(RepId repId, Int64 objId, String permission)
   at bc.b(RepId A_0, Int64 A_1)
   at bc.a(MergeSource A_0, IItemHandler A_1)
   at Codice.CM.Server.SecuredItemHandler.CalculateMerge(SerializedMergeSource source)
   at Codice.CM.Server.TransactionInterceptor.CalculateMerge(SerializedMergeSource source)

2018-10-11 14:42:21,387 46 00000000-0000-0000-0000-000000000000 PC-0960 DEBUG Transaction - Rollback implicit transaction rep_135
2018-10-11 14:42:21,387 46 551855dd-ce88-4db5-b07a-e76125c78a5c Server:PLASTIC-SERVER INFO  Transaction - Commit transaction 551855dd-ce88-4db5-b07a-e76125c78a5c. Transaction time 0 ms
2018-10-11 14:42:21,387 46   ERROR PlasticProto.ConnectionFromClient - conn 94456. Error in ProcessMethodCall for method CalculateMerge. You don't have permissions for operation mergefrom.
2018-10-11 14:42:21,387 46   DEBUG PlasticProto.ConnectionFromClient -    at Codice.CM.Server.TriggerInterceptor.CalculateMerge(SerializedMergeSource mergeSource)
   at g8.ad(PlasticBinaryReader A_0, qq A_1)
   at g8.a(PlasticMethods A_0, PlasticBinaryReader A_1, qq A_2)
   at g2.a(PlasticMethods A_0, PlasticBinaryReader A_1, jk A_2, d A_3)
   at g2.d()

 

Link to comment

16 hours ago, ChonkyBiscuit said:

The client logs don't seem to show much, and I'm attempting to get the server logs from the repository owner now. I can't reproduce this on my local server either, so I'm wondering if there is a 'deny' somewhere that I can't see? The solution that worked in this case was adding my user to br:/main (the branch to mergefrom) and the attached file has the list of permissions of the main branch. I was originally in the Plastic_Project_RW LDAP group, I am in no others that were listed.

Furthermore, I went through and checked the permissions of her group on both the main branch, and the child branch she was merging to.  Both permissions are set the same. I don't allow specific denials.  If anything, I'll just override by overriding and un-checking a perm.  In one case, a denial has been added by the project manager for "ci" permissions but it applies to a group she's not a part of.

Link to comment

  • 2 weeks later...

Anything?

On 10/15/2018 at 7:46 AM, Borja said:

Hi,

I checked your case (using your versions) but I couldn't reproduce it. A merge-to can be done without any problem without the permission 'replicationwrite'.

I reviewed the code and as far as I see the 'replicationwrite' permission is not checked during the merge-to operation. This permission is only used by the replication and the tube.

Could you attach the client and the server log with the error? Maybe we can see something in them.

Best regards

Borja

 

 

 

Link to comment

Hi,

I can see in the logs that you don't have permissions for the "mergefrom" operation. This permission is actually necessary to perform the merge-to operation.
I don't see any reference in the error logs to the "replicatewrite" permissions. Do you have an error message related to this permission?


Could you double check if your user/group has enabled the "mergefrom" permissions?

Regards,

Carlos.

Link to comment

From the comment from Rodger, I am in the _RW group, which has the `mergefrom` permission. I get the error 'You do not have permissions for operation mergefrom' whenever I try to do merge-to, and adding the permission for `replicatewrite` allows me to complete the transaction. I don't really know what else to say at this point. This has also happened on multiple repositories on the same server.

If you have any advice on how to concretely verify where in the permission chain I might be missing the mergefrom permission, that would help immensely, but for right now, from my end, the permission viewer says I have the necessary mergefrom permission, the logs say I don't, and adding `replicatewrite` allows me to merge.

 

 

Link to comment

Hi,

Using the "cm showacl --extended" command you can get the full ACL (the permissions assigned to an object). If you can't see any permissions denied there (double check that your user actually belongs to this group and does not also belong to any other group with denied permissions), please send an email to "support@codicesoftware.com" and we can arrange a session to debug the issue with you.

Regards,

Carlos.
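
An added example (not part of any post in this thread, and not Codice's code): a small Python parser that pulls the `Access denied` entries out of a server `plastic.debug.log`, ties each one to the failing call logged on the same worker thread, and lists the branches looked up in the same repository just before it, so you know which object's ACL to inspect with `cm showacl --extended`. The sample lines are copied from the log excerpt quoted earlier in the thread; the line patterns are inferred from that excerpt, and the one-second correlation window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Sample input: lines copied from the plastic.debug.log excerpt quoted in this thread.
SAMPLE = """\
2018-10-11 14:42:21,371 37 00000000-0000-0000-0000-000000000000 PC-0960 INFO  Operations - Get info for branch /main at repository ID 135
2018-10-11 14:42:21,371 33 00000000-0000-0000-0000-000000000000 PC-0960 INFO  Operations - Get info for branch /main/ChildBranch at repository ID 135
2018-10-11 14:42:21,387 46 00000000-0000-0000-0000-000000000000 PC-0960 WARN  Security - Access denied. Object id:3@rep:135. SEID UsersSID. Permissions mergefrom
2018-10-11 14:42:21,387 46   ERROR PlasticProto.ConnectionFromClient - conn 94456. Error in ProcessMethodCall for method CalculateMerge. You don't have permissions for operation mergefrom.
"""

# Patterns inferred from the excerpt (assumption: other server versions may log differently).
TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<th>\d+)\s"
DENY = re.compile(TS + r".*Security - Access denied\. Object id:(?P<obj>\d+)@rep:(?P<rep>\d+)\. "
                  r"SEID (?P<seid>.+?)\. Permissions (?P<perm>\S+)")
BRANCH = re.compile(TS + r".*Get info for branch (?P<branch>\S+) at repository ID (?P<rep>\d+)")
CALL = re.compile(TS + r".*conn (?P<conn>\d+)\. Error in ProcessMethodCall for method (?P<method>\w+)")

def _ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S,%f")

def find_denials(text, window=timedelta(seconds=1)):
    """Return one record per 'Access denied' line, with correlated context."""
    lines = text.splitlines()
    branches = [m for m in map(BRANCH.match, lines) if m]
    calls = [m for m in map(CALL.match, lines) if m]
    out = []
    for d in filter(None, map(DENY.match, lines)):
        when = _ts(d["ts"])
        # Heuristic: branches resolved in the same repository shortly before the denial.
        near = [b["branch"] for b in branches if b["rep"] == d["rep"]
                and timedelta(0) <= when - _ts(b["ts"]) <= window]
        # The rejected server method is logged on the same worker thread, at or after the denial.
        call = next((c for c in calls
                     if c["th"] == d["th"] and _ts(c["ts"]) >= when), None)
        out.append({"seid": d["seid"], "permission": d["perm"],
                    "object": d["obj"], "repo": d["rep"],
                    "method": call["method"] if call else None,
                    "conn": call["conn"] if call else None,
                    "candidate_branches": near})
    return out

if __name__ == "__main__":
    for record in find_denials(SAMPLE):
        print(record)
```

The denied object id and repository id come straight from the server's own security check, so they identify the ACL to review even when the permission viewer suggests the permission is granted.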

 

Link to comment

Archived

This topic is now archived and is closed to further replies.
