[p4] scripting with ticket-based authentication?

Jeff Grills jgrills at drivensnow.org
Wed Oct 12 11:57:09 PDT 2005


I just did a couple tests and noticed the same behavior, if the user is in
another group that has a 12 hour ticket expiration.  It seems like when the
server is comparing the ticket times for the groups, it doesn't consider 0
to be greater than 43200.  Once I took the user out of the other group with
the timeout, the ticket time was much longer (though it didn't claim
unlimited): ticket expires in 282872 hours 33 minutes.

This is consistent with the behavior of maxscanrows and maxresults, but it
is also very unfortunate in this case.  I'd consider it a bug and report it
to perforce.  The maxscanrows/maxresults documentation indicates that
unlimited is not considered a limit and that this behavior is expected, but
I saw no such similar note about ticket expiration.  Perhaps perforce
prefers this behavior - if so, then at least they should improve the
documentation.

I tried it on both these server versions and obtained the same results:

Server version: P4D/LINUX24X86/2005.1/82834 (2005/07/19)
Server version: P4D/LINUX24X86/2005.1/85663 (2005/09/12)

j

-----Original Message-----
From: perforce-user-bounces at perforce.com
[mailto:perforce-user-bounces at perforce.com] On Behalf Of Vaden, Paul
Sent: Wednesday, October 12, 2005 11:02 AM
To: Jeff Grills; perforce-user at perforce.com
Subject: RE: [p4] scripting with ticket-based authentication?


Hey Jeff,

I recently migrated some servers and created a automated user in it's own
group for checkpointing and such. Previously I had been setting the
expiration to 999999999 to avoid the issue described in the original post.
After seeing this post I set the expiration to 0 to avoid any surprises
999999999 seconds from now (yeah, I know, it's like 31 years or something).
However, after issuing the p4 login command it says the ticket will expire
in 11 hours 59 minutes.

I'm running 2005.1, and the same behavior happened on both of the servers I
tried it on.

Has anyone else seen this?

-V

-----Original Message-----
From: perforce-user-bounces at perforce.com
[mailto:perforce-user-bounces at perforce.com] On Behalf Of Jeff Grills
Sent: Thursday, October 06, 2005 2:27 PM
To: John.Davis at sophos.com; perforce-user at perforce.com
Cc: Amanda.Culver at sophos.com
Subject: RE: [p4] scripting with ticket-based authentication?


I've been in this exact situation before.  Perforce ticket expiration times
are based on groups, and users in multiple groups get the longest timeout of
any of the groups.  You can also set the timeout for a group to be 0,
indicating that the ticket never expires.  We dedicated a perforce license
for the automated scripts (you should be able to get a free license for an
automated user from perforce - just ask!).  We then put that automated user
in a group consisting of only themselves and gave that group a ticket
timeout of 0.  Then we just simply issued a single "p4 login" on the
automated machine to get a ticket that will never expire.  After that, the
password for the automated user is no longer needed for anything.  The
automated scripts never have to deal with embedded passwords or anything
else - the ticket always works.

Your IT department may want to set up the automated perforce user and issue
the "p4 login" for you, which means they never need to worry about anyone
else abusing that account's privileged ticket expiration.  In our case, the
automated machine was running UNIX, and we had a dedicated UNIX account for
the automation as well.  Users who needed access to the automated account
were given sudo access to that user, which can be managed by your IT
department as well.

I think the solution is reasonably straight forward and secure.  Most any IT
department will be okay with this solution as well, but if they're not, I'd
ask them to propose another solution that meets your goals as well as
theirs.

j

-----Original Message-----
From: perforce-user-bounces at perforce.com
[mailto:perforce-user-bounces at perforce.com] On Behalf Of
John.Davis at sophos.com
Sent: Thursday, October 06, 2005 8:21 AM
To: perforce-user at perforce.com
Cc: Amanda.Culver at sophos.com
Subject: [p4] scripting with ticket-based authentication?

We are using the Perforce ticket-based authentication system (security level
3). Our IT department has deciden on a policy of 12-hour ticket expiry,
which is acceptable (with some grumbles).

We have several automated scripts, though, and I can't figure out the best
way to run these without hitting problems with ticket expiry. Is it possible
to write scripts which can login automatically? Obviously I'd rather not
have plain text passwords in scripts, or anything obviously insecure. How do
you guys manage this sort of thing?

Our environment is mixed Unix and Windows, so solutions
on either platform may be helpful. Oh, and we're using 2005.1.

Thanks!

        John


_______________________________________________
perforce-user mailing list  -  perforce-user at perforce.com
http://maillist.perforce.com/mailman/listinfo/perforce-user

_______________________________________________
perforce-user mailing list  -  perforce-user at perforce.com
http://maillist.perforce.com/mailman/listinfo/perforce-user


_______________________________________________
perforce-user mailing list  -  perforce-user at perforce.com
http://maillist.perforce.com/mailman/listinfo/perforce-user





More information about the perforce-user mailing list