Changes between Version 2 and Version 3 of TracFineGrainedPermissions


Ignore:
Timestamp:
2013-10-17 13:42:34 (11 years ago)
Author:
trac
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • TracFineGrainedPermissions

    v2 v3  
    2929 
    3030=== !AuthzPolicy ===  
    31  
    32  - Install [http://www.voidspace.org.uk/python/configobj.html ConfigObj] (required). 
    33  - Copy authz_policy.py into your plugins directory. 
    34  - Put a [http://swapoff.org/files/authzpolicy.conf authzpolicy.conf] file somewhere, preferably on a secured location on the server, not readable for others than the webuser. If the  file contains non-ASCII characters, the UTF-8 encoding should be used. 
    35  - Update your `trac.ini`: 
    36    1. modify the [TracIni#trac-section permission_policies] entry in the `[trac]` section 
     31==== Configuration ==== 
     32* Install [http://www.voidspace.org.uk/python/configobj.html ConfigObj] (still needed for 0.12). 
     33* Copy authz_policy.py into your plugins directory. 
     34* Put a [http://swapoff.org/files/authzpolicy.conf authzpolicy.conf] file somewhere, preferably on a secured location on the server, not readable for others than the webuser. If the  file contains non-ASCII characters, the UTF-8 encoding should be used. 
     35* Update your `trac.ini`: 
     36  1. modify the [TracIni#trac-section permission_policies] entry in the `[trac]` section 
    3737{{{ 
    3838[trac] 
     
    4040permission_policies = AuthzPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy 
    4141}}} 
    42    2. add a new `[authz_policy]` section 
     42  2. add a new `[authz_policy]` section 
    4343{{{ 
    4444[authz_policy] 
    4545authz_file = /some/trac/env/conf/authzpolicy.conf 
    4646}}} 
    47    3. enable the single file plugin 
     47  3. enable the single file plugin 
    4848{{{ 
    4949[components] 
     
    5454#authz_policy.* = enabled  
    5555}}} 
    56  
     56==== Usage Notes ==== 
    5757Note that the order in which permission policies are specified is quite critical,  
    5858as policies will be examined in the sequence provided. 
    5959 
    60 A policy will return either `True`, `False` or `None` for a given permission check. 
    61 Only if the return value is `None` will the ''next'' permission policy be consulted. 
    62 If no policy explicitly grants the permission, the final result will be `False`  
    63 (i.e. no permission). 
     60A policy will return either `True`, `False` or `None` for a given permission check. `True` is returned if the policy explicitly grants the permission. `False` is returned if the policy explicitly denies the permission. `None` is returned if the policy is unable to either grant or deny the permission. 
     61 
     62NOTE: Only if the return value is `None` will the ''next'' permission policy be consulted. 
     63If none of the policies explicitly grants the permission, the final result will be `False`  
     64(i.e. permission denied). 
     65 
     66The `authzpolicy.conf` file is a `.ini` style configuration file: 
     67{{{ 
     68[wiki:PrivatePage@*] 
     69john = WIKI_VIEW, !WIKI_MODIFY 
     70jack = WIKI_VIEW 
     71* = 
     72}}} 
     73* Each section of the config is a glob pattern used to match against a Trac resource 
     74  descriptor. These descriptors are in the form: 
     75{{{ 
     76<realm>:<id>@<version>[/<realm>:<id>@<version> ...] 
     77}}} 
     78  Resources are ordered left to right, from parent to child. If any 
     79  component is inapplicable, `*` is substituted. If the version pattern is 
     80  not specified explicitely, all versions (`@*`) is added implicitly 
     81 
     82  Example: Match the WikiStart page 
     83{{{ 
     84[wiki:*] 
     85[wiki:WikiStart*] 
     86[wiki:WikiStart@*] 
     87[wiki:WikiStart] 
     88}}} 
     89 
     90  Example: Match the attachment `wiki:WikiStart@117/attachment/FOO.JPG@*` 
     91  on WikiStart 
     92{{{ 
     93[wiki:*] 
     94[wiki:WikiStart*] 
     95[wiki:WikiStart@*] 
     96[wiki:WikiStart@*/attachment/*] 
     97[wiki:WikiStart@117/attachment/FOO.JPG] 
     98}}} 
     99 
     100* Sections are checked against the current Trac resource descriptor '''IN ORDER''' of 
     101  appearance in the configuration file. '''ORDER IS CRITICAL'''. 
     102 
     103* Once a section matches, the current username is matched against the keys  
     104  (usernames) of the section, '''IN ORDER'''.  
     105  * If a key (username) is prefixed with a `@`, it is treated as a group.  
     106  * If a value (permission) is prefixed with a `!`, the permission is 
     107    denied rather than granted. 
     108 
     109  The username will match any of 'anonymous', 
     110  'authenticated', <username> or '*', using normal Trac permission rules. 
    64111 
    65112For example, if the `authz_file` contains: 
     
    70117[wiki:PrivatePage@*] 
    71118john = WIKI_VIEW 
    72 * = 
     119* = !WIKI_VIEW 
    73120}}} 
    74121and the default permissions are set like this: 
     
    80127 
    81128Then:  
    82  - All versions of WikiStart will be viewable by everybody (including anonymous) 
    83  - !PrivatePage will be viewable only by john 
    84  - other pages will be viewable only by john and jack 
     129  * All versions of WikiStart will be viewable by everybody (including anonymous) 
     130  * !PrivatePage will be viewable only by john 
     131  * other pages will be viewable only by john and jack 
     132 
     133Groups: 
     134{{{ 
     135[groups] 
     136admins = john, jack 
     137devs = alice, bob 
     138 
     139[wiki:Dev@*] 
     140@admins = TRAC_ADMIN 
     141@devs = WIKI_VIEW 
     142* = 
     143 
     144[*] 
     145@admins = TRAC_ADMIN 
     146* = 
     147}}} 
     148 
     149Then: 
     150- everything is blocked (whitelist approach), but 
     151- admins get all TRAC_ADMIN everywhere and 
     152- devs can view wiki pages. 
     153 
     154Some repository examples (Browse Source specific): 
     155{{{ 
     156# A single repository: 
     157[repository:test_repo@*] 
     158john = BROWSER_VIEW, FILE_VIEW 
     159# John has BROWSER_VIEW and FILE_VIEW for the entire test_repo 
     160 
     161# All repositories: 
     162[repository:*@*] 
     163jack = BROWSER_VIEW, FILE_VIEW 
     164# John has BROWSER_VIEW and FILE_VIEW for all repositories 
     165}}} 
     166 
     167Very fine grain repository access: 
     168{{{ 
     169# John has BROWSER_VIEW and FILE_VIEW access to trunk/src/some/location/ only 
     170[repository:test_repo@*/source:trunk/src/some/location/*@*] 
     171john = BROWSER_VIEW, FILE_VIEW 
     172 
     173 
     174# John has BROWSER_VIEW and FILE_VIEW access to only revision 1 of all files at trunk/src/some/location only 
     175[repository:test_repo@*/source:trunk/src/some/location/*@1] 
     176john = BROWSER_VIEW, FILE_VIEW 
     177 
     178 
     179# John has BROWSER_VIEW and FILE_VIEW access to all revisions of 'somefile' at trunk/src/some/location only  
     180[repository:test_repo@*/source:trunk/src/some/location/somefile@*] 
     181john = BROWSER_VIEW, FILE_VIEW 
     182 
     183 
     184# John has BROWSER_VIEW and FILE_VIEW access to only revision 1 of 'somefile' at trunk/src/some/location only 
     185[repository:test_repo@*/source:trunk/src/some/location/somefile@1] 
     186john = BROWSER_VIEW, FILE_VIEW 
     187}}} 
     188 
     189Note: In order for Timeline to work/visible for John, we must add CHANGESET_VIEW to the above permission list. 
    85190 
    86191