Changes between Version 1 and Version 2 of TracFineGrainedPermissions


Timestamp:
12/17/2013 03:58:56 AM (10 years ago)
Author:
trac
Comment:

  • TracFineGrainedPermissions

    v1 v2  
    2929
    3030=== !AuthzPolicy ===
    31 
    32  - Install [http://www.voidspace.org.uk/python/configobj.html ConfigObj] (required).
    33  - Copy authz_policy.py into your plugins directory.
    34  - Put a [http://swapoff.org/files/authzpolicy.conf authzpolicy.conf] file somewhere, preferably on a secured location on the server, not readable for others than the webuser. If the  file contains non-ASCII characters, the UTF-8 encoding should be used.
    35  - Update your `trac.ini`:
    36    1. modify the [TracIni#trac-section permission_policies] entry in the `[trac]` section
     31==== Configuration ====
     32* Install [http://www.voidspace.org.uk/python/configobj.html ConfigObj] (still needed for 0.12).
     33* Copy authz_policy.py into your plugins directory.
     34* Put a [http://swapoff.org/files/authzpolicy.conf authzpolicy.conf] file somewhere, preferably on a secured location on the server, not readable for others than the webuser. If the  file contains non-ASCII characters, the UTF-8 encoding should be used.
     35* Update your `trac.ini`:
     36  1. modify the [TracIni#trac-section permission_policies] entry in the `[trac]` section
    3737{{{
    3838[trac]
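Review bot: the version scoping introduced at v2 line 32 is incomplete. ConfigObj is now marked "still needed for 0.12", but the next steps (line 33, copy authz_policy.py into the plugins directory; line 34, the authzpolicy.conf location; and step 3 below, "enable the single file plugin") are left unqualified, so a 0.12 reader cannot tell which of them still apply to their install. State for each step whether it is for the standalone plugin or for 0.12. On line 34, "not readable for others than the webuser" should read "readable only by the web server user"; since this file is what the policy consults for every access decision, it is worth adding that it must not be writable by anyone else either, or a local user can grant themselves permissions by editing it.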
     
    4040permission_policies = AuthzPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
    4141}}}
    42    2. add a new `[authz_policy]` section
     42  2. add a new `[authz_policy]` section
    4343{{{
    4444[authz_policy]
    4545authz_file = /some/trac/env/conf/authzpolicy.conf
    4646}}}
    47    3. enable the single file plugin
     47  3. enable the single file plugin
    4848{{{
    4949[components]
     
    5454#authz_policy.* = enabled
    5555}}}
    56 
     56==== Usage Notes ====
    5757Note that the order in which permission policies are specified is quite critical,
    5858as policies will be examined in the sequence provided.
    5959
    60 A policy will return either `True`, `False` or `None` for a given permission check.
    61 Only if the return value is `None` will the ''next'' permission policy be consulted.
    62 If no policy explicitly grants the permission, the final result will be `False`
    63 (i.e. no permission).
     60A policy will return either `True`, `False` or `None` for a given permission check. `True` is returned if the policy explicitly grants the permission. `False` is returned if the policy explicitly denies the permission. `None` is returned if the policy is unable to either grant or deny the permission.
     61
     62NOTE: Only if the return value is `None` will the ''next'' permission policy be consulted.
     63If none of the policies explicitly grants the permission, the final result will be `False`
     64(i.e. permission denied).
     65
     66The `authzpolicy.conf` file is a `.ini` style configuration file:
     67{{{
     68[wiki:PrivatePage@*]
     69john = WIKI_VIEW, !WIKI_MODIFY
     70jack = WIKI_VIEW
     71* =
     72}}}
     73* Each section of the config is a glob pattern used to match against a Trac resource
     74  descriptor. These descriptors are in the form:
     75{{{
     76<realm>:<id>@<version>[/<realm>:<id>@<version> ...]
     77}}}
     78  Resources are ordered left to right, from parent to child. If any
     79  component is inapplicable, `*` is substituted. If the version pattern is
     80  not specified explicitely, all versions (`@*`) is added implicitly
     81
     82  Example: Match the WikiStart page
     83{{{
     84[wiki:*]
     85[wiki:WikiStart*]
     86[wiki:WikiStart@*]
     87[wiki:WikiStart]
     88}}}
     89
     90  Example: Match the attachment `wiki:WikiStart@117/attachment/FOO.JPG@*`
     91  on WikiStart
     92{{{
     93[wiki:*]
     94[wiki:WikiStart*]
     95[wiki:WikiStart@*]
     96[wiki:WikiStart@*/attachment/*]
     97[wiki:WikiStart@117/attachment/FOO.JPG]
     98}}}
     99
     100* Sections are checked against the current Trac resource descriptor '''IN ORDER''' of
     101  appearance in the configuration file. '''ORDER IS CRITICAL'''.
     102
     103* Once a section matches, the current username is matched against the keys
     104  (usernames) of the section, '''IN ORDER'''.
     105  * If a key (username) is prefixed with a `@`, it is treated as a group.
     106  * If a value (permission) is prefixed with a `!`, the permission is
     107    denied rather than granted.
     108
     109  The username will match any of 'anonymous',
     110  'authenticated', <username> or '*', using normal Trac permission rules.
    64111
    65112For example, if the `authz_file` contains:
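Review bot: the matching rules at v2 lines 100-107 leave out the case that matters most for debugging: what happens when a section matches the resource but none of its keys matches the current user. Say explicitly whether evaluation continues to the next section or the policy returns None (deferring to the next policy in permission_policies), because the two behaviours give different results for the same file. Two smaller points: line 80 has "explicitely" for "explicitly", and "all versions (`@*`) is added implicitly" should read "`@*` (all versions) is appended implicitly"; and the two examples at lines 84-88 and 93-97 list several section headers one after another without saying they are alternatives, so introduce them with "any of the following sections matches" rather than leaving the reader to guess that they are not meant to appear together.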
     
    70117[wiki:PrivatePage@*]
    71118john = WIKI_VIEW
    72 * =
     119* = !WIKI_VIEW
    73120}}}
    74121and the default permissions are set like this:
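Review bot: the change at v2 line 119 from `* =` to `* = !WIKI_VIEW` changes what the example relies on without the page saying what an empty permission list means. If `* =` already denied, the edit is unnecessary; if it does not (the policy returns None and DefaultPermissionPolicy decides, which per "other pages will be viewable only by john and jack" grants jack WIKI_VIEW), then the groups example further down, which keeps `* =` under `[wiki:Dev@*]` and `[*]` and claims "everything is blocked (whitelist approach)", does not block anything for users who hold default permissions. Document the semantics of an empty value in the Usage Notes and make the two examples consistent, using an explicit `!` deny wherever a deny is intended.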
     
    80127
    81128Then:
    82  - All versions of WikiStart will be viewable by everybody (including anonymous)
    83  - !PrivatePage will be viewable only by john
    84  - other pages will be viewable only by john and jack
     129  * All versions of WikiStart will be viewable by everybody (including anonymous)
     130  * !PrivatePage will be viewable only by john
     131  * other pages will be viewable only by john and jack
     132
     133Groups:
     134{{{
     135[groups]
     136admins = john, jack
     137devs = alice, bob
     138
     139[wiki:Dev@*]
     140@admins = TRAC_ADMIN
     141@devs = WIKI_VIEW
     142* =
     143
     144[*]
     145@admins = TRAC_ADMIN
     146* =
     147}}}
     148
     149Then:
     150- everything is blocked (whitelist approach), but
     151- admins get all TRAC_ADMIN everywhere and
     152- devs can view wiki pages.
     153
     154Some repository examples (Browse Source specific):
     155{{{
     156# A single repository:
     157[repository:test_repo@*]
     158john = BROWSER_VIEW, FILE_VIEW
     159# John has BROWSER_VIEW and FILE_VIEW for the entire test_repo
     160
     161# All repositories:
     162[repository:*@*]
     163jack = BROWSER_VIEW, FILE_VIEW
     164# John has BROWSER_VIEW and FILE_VIEW for all repositories
     165}}}
     166
     167Very fine grain repository access:
     168{{{
     169# John has BROWSER_VIEW and FILE_VIEW access to trunk/src/some/location/ only
     170[repository:test_repo@*/source:trunk/src/some/location/*@*]
     171john = BROWSER_VIEW, FILE_VIEW
     172
     173
     174# John has BROWSER_VIEW and FILE_VIEW access to only revision 1 of all files at trunk/src/some/location only
     175[repository:test_repo@*/source:trunk/src/some/location/*@1]
     176john = BROWSER_VIEW, FILE_VIEW
     177
     178
     179# John has BROWSER_VIEW and FILE_VIEW access to all revisions of 'somefile' at trunk/src/some/location only
     180[repository:test_repo@*/source:trunk/src/some/location/somefile@*]
     181john = BROWSER_VIEW, FILE_VIEW
     182
     183
     184# John has BROWSER_VIEW and FILE_VIEW access to only revision 1 of 'somefile' at trunk/src/some/location only
     185[repository:test_repo@*/source:trunk/src/some/location/somefile@1]
     186john = BROWSER_VIEW, FILE_VIEW
     187}}}
     188
     189Note: In order for Timeline to work/visible for John, we must add CHANGESET_VIEW to the above permission list.
    85190
    86191
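Review bot: the comment at v2 line 164 says "John has BROWSER_VIEW and FILE_VIEW for all repositories", but the key on line 163 is `jack`; change one or the other, since a reader copying the block will otherwise grant the wrong account repository-wide read access. The note at line 189 should read "For the Timeline to be visible to John, add CHANGESET_VIEW to the permission lists above", and it should say which of the four sections it refers to, because for the revision-1-only sections a CHANGESET_VIEW grant would expose more than the single revision the comment promises.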