Changes between Version 2 and Version 3 of TracFineGrainedPermissions


Ignore:
Timestamp:
04/03/14 16:25:26 (11 years ago)
Author:
trac
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • TracFineGrainedPermissions

    v2 v3  
     1[[PageOutline(2-5, Contents, floated)]] 
    12= Fine grained permissions = 
    23 
     
    2930 
    3031=== !AuthzPolicy ===  
    31  
    32  - Install [http://www.voidspace.org.uk/python/configobj.html ConfigObj] (required). 
    33  - Copy authz_policy.py into your plugins directory. 
    34  - Put a [http://swapoff.org/files/authzpolicy.conf authzpolicy.conf] file somewhere, preferably on a secured location on the server, not readable for others than the webuser. If the  file contains non-ASCII characters, the UTF-8 encoding should be used. 
    35  - Update your `trac.ini`: 
    36    1. modify the [TracIni#trac-section permission_policies] entry in the `[trac]` section 
     32==== Configuration ==== 
     33* Install [http://www.voidspace.org.uk/python/configobj.html ConfigObj] (still needed for 0.12). 
     34* Copy authz_policy.py into your plugins directory (only for Trac 0.11). 
     35* Put a [http://swapoff.org/files/authzpolicy.conf authzpolicy.conf] file somewhere, preferably on a secured location on the server, not readable for others than the webuser. If the  file contains non-ASCII characters, the UTF-8 encoding should be used. 
     36* Update your `trac.ini`: 
     37  1. modify the [TracIni#trac-section permission_policies] entry in the `[trac]` section 
    3738{{{ 
    3839[trac] 
     
    4041permission_policies = AuthzPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy 
    4142}}} 
    42    2. add a new `[authz_policy]` section 
     43  1. add a new `[authz_policy]` section 
    4344{{{ 
    4445[authz_policy] 
    4546authz_file = /some/trac/env/conf/authzpolicy.conf 
    4647}}} 
    47    3. enable the single file plugin 
     48  1. enable the plugin through [/admin/general/plugin WebAdmin] or by editing the `[components]` section 
    4849{{{ 
    4950[components] 
     
    5556}}} 
    5657 
     58 
     59==== Usage Notes ==== 
    5760Note that the order in which permission policies are specified is quite critical,  
    5861as policies will be examined in the sequence provided. 
    5962 
    60 A policy will return either `True`, `False` or `None` for a given permission check. 
    61 Only if the return value is `None` will the ''next'' permission policy be consulted. 
    62 If no policy explicitly grants the permission, the final result will be `False`  
    63 (i.e. no permission). 
     63A policy will return either `True`, `False` or `None` for a given permission check. `True` is returned if the policy explicitly grants the permission. `False` is returned if the policy explicitly denies the permission. `None` is returned if the policy is unable to either grant or deny the permission. 
     64 
     65NOTE: Only if the return value is `None` will the ''next'' permission policy be consulted. 
     66If none of the policies explicitly grants the permission, the final result will be `False`  
     67(i.e. permission denied). 
     68 
     69The `authzpolicy.conf` file is a `.ini` style configuration file: 
     70{{{ 
     71[wiki:PrivatePage@*] 
     72john = WIKI_VIEW, !WIKI_MODIFY 
     73jack = WIKI_VIEW 
     74* = 
     75}}} 
     76* Each section of the config is a glob pattern used to match against a Trac resource 
     77  descriptor. These descriptors are in the form: 
     78{{{ 
     79<realm>:<id>@<version>[/<realm>:<id>@<version> ...] 
     80}}} 
     81  Resources are ordered left to right, from parent to child. If any 
     82  component is inapplicable, `*` is substituted. If the version pattern is 
     83  not specified explicitely, all versions (`@*`) is added implicitly 
     84 
     85  Example: Match the WikiStart page 
     86{{{ 
     87[wiki:*] 
     88[wiki:WikiStart*] 
     89[wiki:WikiStart@*] 
     90[wiki:WikiStart] 
     91}}} 
     92 
     93  Example: Match the attachment `wiki:WikiStart@117/attachment/FOO.JPG@*` 
     94  on WikiStart 
     95{{{ 
     96[wiki:*] 
     97[wiki:WikiStart*] 
     98[wiki:WikiStart@*] 
     99[wiki:WikiStart@*/attachment/*] 
     100[wiki:WikiStart@117/attachment/FOO.JPG] 
     101}}} 
     102 
     103* Sections are checked against the current Trac resource descriptor '''IN ORDER''' of 
     104  appearance in the configuration file. '''ORDER IS CRITICAL'''. 
     105 
     106* Once a section matches, the current username is matched against the keys  
     107  (usernames) of the section, '''IN ORDER'''.  
     108  * If a key (username) is prefixed with a `@`, it is treated as a group.  
     109  * If a value (permission) is prefixed with a `!`, the permission is 
     110    denied rather than granted. 
     111 
     112  The username will match any of 'anonymous', 'authenticated', <username> or '*', using normal Trac permission rules. || '''Note:''' Other groups which are created by user (e.g. by 'adding subjects to groups' on web interface page //Admin / Permissions//) cannot be used. See [trac:ticket:5648 #5648] for details about this missing feature || 
    64113 
    65114For example, if the `authz_file` contains: 
     
    70119[wiki:PrivatePage@*] 
    71120john = WIKI_VIEW 
    72 * = 
     121* = !WIKI_VIEW 
    73122}}} 
    74123and the default permissions are set like this: 
     
    80129 
    81130Then:  
    82  - All versions of WikiStart will be viewable by everybody (including anonymous) 
    83  - !PrivatePage will be viewable only by john 
    84  - other pages will be viewable only by john and jack 
    85  
     131  * All versions of WikiStart will be viewable by everybody (including anonymous) 
     132  * !PrivatePage will be viewable only by john 
     133  * other pages will be viewable only by john and jack 
     134 
     135Groups: 
     136{{{ 
     137[groups] 
     138admins = john, jack 
     139devs = alice, bob 
     140 
     141[wiki:Dev@*] 
     142@admins = TRAC_ADMIN 
     143@devs = WIKI_VIEW 
     144* = 
     145 
     146[*] 
     147@admins = TRAC_ADMIN 
     148* = 
     149}}} 
     150 
     151Then: 
     152- everything is blocked (whitelist approach), but 
     153- admins get all TRAC_ADMIN everywhere and 
     154- devs can view wiki pages. 
     155 
     156Some repository examples (Browse Source specific): 
     157{{{ 
     158# A single repository: 
     159[repository:test_repo@*] 
     160john = BROWSER_VIEW, FILE_VIEW 
     161# John has BROWSER_VIEW and FILE_VIEW for the entire test_repo 
     162 
     163# All repositories: 
     164[repository:*@*] 
     165jack = BROWSER_VIEW, FILE_VIEW 
     166# John has BROWSER_VIEW and FILE_VIEW for all repositories 
     167}}} 
     168 
     169Very fine grain repository access: 
     170{{{ 
     171# John has BROWSER_VIEW and FILE_VIEW access to trunk/src/some/location/ only 
     172[repository:test_repo@*/source:trunk/src/some/location/*@*] 
     173john = BROWSER_VIEW, FILE_VIEW 
     174 
     175 
     176# John has BROWSER_VIEW and FILE_VIEW access to only revision 1 of all files at trunk/src/some/location only 
     177[repository:test_repo@*/source:trunk/src/some/location/*@1] 
     178john = BROWSER_VIEW, FILE_VIEW 
     179 
     180 
     181# John has BROWSER_VIEW and FILE_VIEW access to all revisions of 'somefile' at trunk/src/some/location only  
     182[repository:test_repo@*/source:trunk/src/some/location/somefile@*] 
     183john = BROWSER_VIEW, FILE_VIEW 
     184 
     185 
     186# John has BROWSER_VIEW and FILE_VIEW access to only revision 1 of 'somefile' at trunk/src/some/location only 
     187[repository:test_repo@*/source:trunk/src/some/location/somefile@1] 
     188john = BROWSER_VIEW, FILE_VIEW 
     189}}} 
     190 
     191Note: In order for Timeline to work/visible for John, we must add CHANGESET_VIEW to the above permission list. 
     192 
     193 
     194==== Missing Features ==== 
     195Although possible with the !DefaultPermissionPolicy handling (see Admin panel), fine-grained permissions still miss those grouping features (see [trac:ticket:9573 #9573], [trac:ticket:5648 #5648]). Patches are partially available, see forgotten authz_policy.2.patch  part of [trac:ticket:6680 #6680]). 
     196 
     197You cannot do the following: 
     198{{{ 
     199[groups] 
     200team1 = a, b, c 
     201team2 = d, e, f 
     202team3 = g, h, i 
     203departmentA = team1, team2 
     204}}} 
     205 
     206Permission groups are not supported either. You cannot do the following: 
     207{{{ 
     208[groups] 
     209permission_level_1 = WIKI_VIEW, TICKET_VIEW 
     210permission_level_2  = permission_level_1, WIKI_MODIFY, TICKET_MODIFY 
     211[*] 
     212@team1 = permission_level_1 
     213@team2 = permission_level_2 
     214@team3 = permission_level_2, TICKET_CREATE 
     215}}} 
    86216 
    87217=== !AuthzSourcePolicy  (mod_authz_svn-like permission policy) === #AuthzSourcePolicy