Jump to content


Protection Table to restrict access to root folder

protect permissions

  • Please log in to reply
5 replies to this topic

#1 Jayanth S Vasisht

Jayanth S Vasisht

    Advanced Member

  • Members
  • PipPipPip
  • 34 posts

Posted 30 April 2019 - 09:12 AM

Hi,
For a project, I am looking to setup protection table such that only maintainers can add contents to the root folder and everyone can read/write everything else below the root folder.

For example, given the following depot directory structure...
depot
||
proj1
||
---- src
||
   ---- foo.c
   ---- bar.c
||
---- include

I want only maintainers group to be able to add contents under //depot/proj1.
Likewise, I want everyone to be able to add contents under //depot/proj1/src, //depot/proj1/include etc.

Can this be achieved via the protection table or is pre-submit trigger the only way?

#2 Sambwise

Sambwise

    Advanced Member

  • Members
  • PipPipPip
  • 894 posts

Posted 30 April 2019 - 02:31 PM

write user * * -//depot/proj1/...
write group maintainers * //depot/proj1/...
write user * * //depot/proj1/src/...
write user * * //depot/proj1/include/...

If you don't want to enumerate all of the currently existing directories, a protection table trigger can help with that:

https://swarm.worksh...ipts/protexp.pl
write user * * -//depot/proj1/...
write group maintainers * //depot/proj1/...
write user * * $dirs(//depot/proj1/*)/...


#3 Matt Janulewicz

Matt Janulewicz

    Advanced Member

  • Members
  • PipPipPip
  • 176 posts
  • LocationSan Francisco, CA

Posted 02 May 2019 - 06:52 PM

View PostSambwise, on 30 April 2019 - 02:31 PM, said:

write user * * -//depot/proj1/...
write group maintainers * //depot/proj1/...
write user * * //depot/proj1/src/...
write user * * //depot/proj1/include/...

If you don't want to enumerate all of the currently existing directories, a protection table trigger can help with that:

https://swarm.worksh...ipts/protexp.pl
write user * * -//depot/proj1/...
write group maintainers * //depot/proj1/...
write user * * $dirs(//depot/proj1/*)/...

Depending on what we define as 'content', you could theoretically wildcard the directories under proj1/ directly:

write user * * -//depot/proj1/...
write group maintainers * //depot/proj1/...
write user * * //depot/proj1/*/...

But this would open it up so anyone could add a new directory under proj1, but not a file. Not sure if that's desirable but it's possible.
-Matt Janulewicz
Staff SCM Engineer, Perforce Administrator
Dolby Laboratories, Inc.
1275 Market St.
San Francisco, CA 94103, USA
majanu@dolby.com

#4 Sambwise

Sambwise

    Advanced Member

  • Members
  • PipPipPip
  • 894 posts

Posted 02 May 2019 - 06:55 PM

View PostMatt Janulewicz, on 02 May 2019 - 06:52 PM, said:

But this would open it up so anyone could add a new directory under proj1, but not a file. Not sure if that's desirable but it's possible.

Double wildcards in your protection table can also do really bad things performance-wise (which is always purely hypothetical right up until you cross the inflection point and suddenly it isn't).

#5 Jayanth S Vasisht

Jayanth S Vasisht

    Advanced Member

  • Members
  • PipPipPip
  • 34 posts

Posted 03 May 2019 - 06:23 AM

Thank you all for your replies. I will evaluate how best protexp.pl can help our needs.

#6 Matt Janulewicz

Matt Janulewicz

    Advanced Member

  • Members
  • PipPipPip
  • 176 posts
  • LocationSan Francisco, CA

Posted 04 May 2019 - 01:01 AM

View PostSambwise, on 02 May 2019 - 06:55 PM, said:

Double wildcards in your protection table can also do really bad things performance-wise (which is always purely hypothetical right up until you cross the inflection point and suddenly it isn't).

So true! I'd keep this stuff to a minimum. We only have about a dozen instances of this in a 2301 line protections table, and they don't overlap in any way. So far nobody has done anything unexpectedly weird to slam it, but I can imagine someone creating 200 directories under proj1/ might just do it. :)
-Matt Janulewicz
Staff SCM Engineer, Perforce Administrator
Dolby Laboratories, Inc.
1275 Market St.
San Francisco, CA 94103, USA
majanu@dolby.com





Also tagged with one or more of these keywords: protect, permissions

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users