granular protections management with triggers
Granular Protections Management with Triggers
Amy Kendziorski
Design Methodology Engineer
Cirrus Logic
Who is Excited?
Managing the protections table with triggers
Agenda
• What is the “Protections Table”?
• What’s wrong with it?
• How to fix it
• A real life Example
• The Payoff
Protections Table Basics
Perforce provides a protection scheme to prevent unauthorized or inadvertent access to files in the depot. The protections determine which Perforce commands can be run, on which files, by whom, and from which host. You configure protections with the p4 protect command.
Protections Example
Protections:
    read   user   emily   *              //depot/elm_proj/...
    write  group  devgrp  *              //...
    write  user   *       195.3.24.0/24  -//...
    write  user   joe     *              -//...
    write  user   lisag   *              -//depot/...
    write  user   lisag   *              //depot/doc/...
    super  user   edk     *              //...
What’s wrong with it?
• Comments not allowed
• No change history
• Multiple users can override changes
• Difficult to keep clean
• Requires super permissions to view or edit
• Time drain on admins to maintain table

File Based Protections Table
Multi-File Based Management
Solution: File Based Protections Table
• Manage protections with a file
• Trigger or manual process to update table
• Users can modify entire table
Solution: Multi-File Based Management
• Manage protections with multiple files
• Triggers automatically update the protects table
• Restrict users to which sections of the table to modify
Example
Protections Table Division
[Diagram: Admin Header, Project A, Project B, Project C, Admin Footer]
Projects Depot
• Each project has a permissions file
• Read/Write of projects depot granted to all users
• Trigger gates submit of permissions file

    //projects/abc/
        permissions
    //projects/xyz/
        permissions
Granular Permissions Management
• Contains a list of projects, depots, and allowed users
• Project name maps to //projects/<name>

//admin/protects/projectaccess

    # project   depot       users
    abc         //abc       akendz,moneal,zbehr
    xyz         //xyz       akendz,moneal,jrhode
    small_ip    //ip/small  akendz,moneal
    big_ip      //ip/big    akendz,moneal
Admin Depot
• Accessible by users in the “admin” group
• Trigger scripts
• Protections header/footer files
• File to manage granular permissions

    //admin/triggers/
        protects_update.rb
    //admin/protects/
        header
        footer
        projectaccess
Protects Header (optional)
• Set up default permissions
• Manage old projects

//admin/protects/header

    # grant read permissions to all cirrus
    read group cirrus * //cirrus-ip/...
    # the validation team has a special depot
    read group read-qa * //depot/qa/...
    write group qa * //depot/qa/...
Protects Body
• Concatenation of the projects' permissions files

//projects/*/permissions

    # comment from abc permissions file
    read group read-abc * //abc/...
    write group abc * //abc/...
    # comment from xyz permissions file
    read group read-xyz * //xyz/...
    write group xyz * //xyz/main/...
    write group xyz * //xyz/dev-*/...
Protects Footer
• Set up super users
• Hide restricted projects
• Non-chip depot management

//admin/protects/footer

    write group admin * //admin/...
    list user * * -//super_secret/...
    admin user swarm * //...
    super user superamy * //...
Triggering Updates
Triggers
Pre-submit
• change-content //projects/*/permissions

Post-submit
• change-commit //projects/*/permissions
• change-commit //admin/protects/...
Pre-Submit Trigger
• Confirms that user has been granted permission to submit
• Checks for common syntax errors
• Only allowed depot can be present in file
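
The three pre-submit checks above, sketched in Ruby as an added example (not the presenter's protects_update.rb). The function names, the error wording, and the rule that project files may grant only list/read/open/write are assumptions; the projectaccess sample is constructed from the slides' excerpt.

```ruby
# Added example: checks a change-content trigger could run on a project's
# permissions file. Sample data is constructed from the slides' excerpts.

# Constructed copy of //admin/protects/projectaccess (project, depot, users).
PROJECT_ACCESS = <<~EOS
  # project depot users
  abc      //abc      akendz,moneal,zbehr
  xyz      //xyz      akendz,moneal,jrhode
  small_ip //ip/small akendz,moneal
EOS

# Assumption: project files may grant only these levels; admin and super
# entries stay in the admin-managed footer.
ALLOWED_MODES = %w[list read open write].freeze

def load_access(text)
  text.each_line.with_object({}) do |line, map|
    project, depot, users = line.sub(/#.*/, "").split
    next unless users
    map[project] = { depot: depot, users: users.split(",") }
  end
end

# Returns error strings; an empty list means the submit may proceed.
def validate(depot_file, user, content, access)
  project = depot_file[%r{\A//projects/([^/]+)/permissions\z}, 1]
  entry = access[project]
  return ["#{depot_file}: no projectaccess entry"] unless entry
  return ["#{user} may not edit permissions for #{project}"] unless entry[:users].include?(user)

  errors = []
  content.each_line.with_index(1) do |raw, n|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    mode, kind, _name, _host, path, extra = line.split
    if path.nil? || extra
      errors << "line #{n}: expected 5 fields (mode type name host path)"
      next
    end
    errors << "line #{n}: mode '#{mode}' not allowed" unless ALLOWED_MODES.include?(mode)
    errors << "line #{n}: type must be user or group" unless %w[user group].include?(kind)
    # Compare against "depot/" so //abcd/... cannot pass as part of //abc.
    unless path.delete_prefix("-").start_with?("#{entry[:depot]}/")
      errors << "line #{n}: #{path} is outside #{entry[:depot]}/"
    end
  end
  errors
end
```

In a real change-content trigger the user and changelist come from the %user% and %change% trigger variables, and the in-flight file content is read with `p4 print -q <file>@=<change>`; a non-empty error list should make the trigger exit non-zero so the submit is rejected.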
Post-Submit Trigger
Concatenates files and updates the protections table
• p4 print -q //admin/protects/header
• p4 print -q //projects/*/permissions
• p4 print -q //admin/protects/footer
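
The concatenation step above, as an added Ruby example (not the presenter's script). The function names and the check for a missing super entry are assumptions; the file contents are constructed from the slides' excerpts.

```ruby
# Added example: builds the table in the order the post-submit trigger prints
# its sources. File contents below are constructed from the slides' excerpts.

HEADER = <<~EOS
  # grant read permissions to all cirrus
  read group cirrus * //cirrus-ip/...
EOS
FOOTER = <<~EOS
  write group admin * //admin/...
  list user * * -//super_secret/...
  super user superamy * //...
EOS
PROJECTS = {  # depot path => contents of that permissions file
  "//projects/xyz/permissions" => "# xyz team\nwrite group xyz * //xyz/main/...\n",
  "//projects/abc/permissions" => "# abc team\nwrite group abc * //abc/...\n",
}.freeze

# Drops blank lines and comments, keeping only protection entries.
def entries(text)
  text.each_line.map(&:strip).reject { |l| l.empty? || l.start_with?("#") }
end

# Header first, project files in depot-path order, footer last, so the
# footer's exclusions and super entries are the final word in the table.
def build_protections(header, projects, footer)
  lines = entries(header)
  projects.sort.each { |_path, text| lines.concat(entries(text)) }
  lines.concat(entries(footer))
  # Guard (assumption, not from the slides): never emit a table that has no
  # super entry, since installing it could lock the admins out.
  unless lines.any? { |l| l.split.first == "super" }
    raise ArgumentError, "assembled table has no super entry"
  end
  lines
end

# Spec form accepted on standard input by `p4 protect -i`.
def protect_form(lines)
  "Protections:\n" + lines.map { |l| "\t#{l}\n" }.join
end
```

Piping the string returned by `protect_form` to `p4 protect -i`, run as a super user, installs the assembled table.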
Old Flow
[Diagram: Protects Table, User A, User B, User C, Miles]
New Flow with Triggers
[Diagram: project files, pre-commit trigger, commit, post-commit trigger, Protects Table]
Only Downside: What about Miles?
Miles
Implementation Issues
Initial Setup Cost
• Additional steps required to set up project permissions
• Solution: Automated with scripts

User Education
• More users require protections table knowledge
• Solution: Provided examples to all users
The Payoff
Benefits
• No more downtime from protections table “oopsies”
• All changes are instantly communicated
• All users can see relevant protections entries
• Managers maintain their own project protections
• Dramatically decreased number of admin requests