[p4] Security question: super-limited account ?
Jeff Grills
jgrills at drivensnow.org
Wed Aug 23 22:32:34 PDT 2006
I can't think of any such thing within a perforce server. Newer servers
have an audit log so you can determine what file contents were accessed by a
user, but it doesn't appear to log any of the metadata (see
http://www.perforce.com/perforce/doc.061/manuals/p4sag/03_superuser.html#1085382).
If it's a read-only situation (and it sounds like it is), have you
considered some sort of review-like process that automatically replicates
changes to the files that would be within his view to another server, and
masks the data you don't want him to have access to? I don't know of any
commercial p4 replication software that can anonymize data in the process,
but it seems like something that could be done - maybe
USER_<md5OfOriginalName> to avoid collisions. It would be cool if you could
run a p4 proxy in a mode such that it manipulates this data on the fly, but I
don't think it can do that. Or maybe some sort of hacked up p4-to-http
interface that masks out the data you don't want him to see?
If you end up allowing access to the primary server, you might want to force
the user to go through a proxy anyway, just so that you can protect your
primary server from network attacks from the VPN accessible box. I believe
there is a way to indicate the IP address of the proxy in the protections
table of the main server as well, so you force the user to go through the
proxy.
Anyway, those are just some ideas you might consider. I'm sorry I don't have a
silver bullet for you.
j
-----Original Message-----
From: perforce-user-bounces at perforce.com
[mailto:perforce-user-bounces at perforce.com] On Behalf Of Steven Bougon
Sent: Wednesday, August 23, 2006 11:03 PM
To: Perforce Users
Subject: [p4] Security question: super-limited account ?
Hi guys,
we are being asked to provide a perforce account for an external user (so he
can sync some files and apply them to their instance), but we feel really
weird security-wise and perforce-wise, to give access to an external guy. The
external guy would have VPN access on one box, quite isolated (I don't
have too much info on that for now).
Anyway, I can restrict the guy's view and make sure through the protect table
that he can only read a very restricted part of the tree, but, to my
understanding, he could still do a bunch of things:
- p4 users (and get the names of the users)
- p4 labels (and get some good information on how far we are on our
release)
- p4 filelog (and get who did what)
- etc ...
Am I right or does perforce provide a way to super-restrict the access for a
user?
Thanks,
Steven
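
An added example, not part of either message and not Perforce code: one way the masking step of the replication idea above could rewrite user names, using `USER_<md5OfOriginalName>` as suggested, plus an optional keyed HMAC variant (an extension beyond the post) so a name cannot be confirmed by hashing guesses. The record layout, sample data, key and function names are constructed for illustration.

```python
import hashlib
import hmac
import re

def pseudonym(name, key=None):
    """USER_<md5OfOriginalName> as proposed in the post; with a key, a keyed
    HMAC-SHA256 tag instead, so names cannot be confirmed by hashing guesses."""
    raw = name.encode("utf-8")
    if key is None:
        digest = hashlib.md5(raw).hexdigest()
    else:
        digest = hmac.new(key, raw, hashlib.sha256).hexdigest()[:32]
    return "USER_" + digest

def mask_record(record, known_users, key=None):
    """Return a copy of one changelist record with user names masked.

    Masks the 'user' field and any known user name that appears as a whole
    token in 'client' or 'desc' (workspace names and descriptions leak names).
    """
    masked = dict(record)
    masked["user"] = pseudonym(record["user"], key)
    if known_users:
        # Longest first so a name like 'alice-b' wins over its prefix 'alice'.
        names = sorted(known_users, key=len, reverse=True)
        pattern = re.compile(
            r"(?<![A-Za-z0-9])(" + "|".join(map(re.escape, names)) + r")(?![A-Za-z0-9])"
        )
        for field in ("client", "desc"):
            if field in masked:
                masked[field] = pattern.sub(
                    lambda m: pseudonym(m.group(1), key), masked[field])
    return masked

# Constructed sample records; field names follow `p4 -ztag changes -l` output.
SAMPLE = [
    {"change": "1201", "user": "alice", "client": "alice-dev",
     "desc": "Merge fix reviewed by bob"},
    {"change": "1202", "user": "bob", "client": "build01", "desc": "Bump version"},
]
KEY = b"constructed-demo-key"  # placeholder; the real key stays off the replica

def replicate(records, key=None):
    """Mask every record, using the set of authors as the known-name list."""
    users = {r["user"] for r in records}
    return [mask_record(r, users, key) for r in records]

if __name__ == "__main__":
    for rec in replicate(SAMPLE, KEY):
        print(rec)
```

The same name always maps to the same pseudonym, so history on the replica stays attributable to a consistent (masked) author.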