Context Navigation

Changes between Version 2 and Version 3 of 1.1/TracFineGrainedPermissions

Timestamp:: Jan 10, 2015, 10:17:19 AM (9 years ago)
Author:: Jun Omae
Comment:: Merged TracFineGrainedPermissions@55-61

Legend:

: Unmodified
: Added
: Removed
: Modified

1.1/TracFineGrainedPermissions

-              v2
+              v3
+= Fine grained permissions =
 [[PageOutline(2-5, Contents, floated)]]
+= Fine grained permissions =
+Before Trac 0.11, it was only possible to define fine-grained permissions checks on the repository browser sub-system.
+Since 0.11, there's a general mechanism in place that allows custom **permission policy plugins** to grant or deny any action on any kind of Trac resources, even at the level of specific versions of such resources.
+Note that for Trac 0.12, `authz_policy` has been integrated as an optional module (in `tracopt.perm.authz_policy.*`), so it's installed by default and can simply be activated via the //Plugins// panel in the Trac administration module.
+[[TracGuideToc]]
+There's a general mechanism in place that allows custom **permission policy plugins** to grant or deny any action on any kind of Trac resources, even at the level of specific versions of such resources.
+That mechanism is `authz_policy`, which is an optional module (in `tracopt.perm.authz_policy.*`), so it's installed by default and can simply be activated via the //Plugins// panel in the Trac administration module.
 …
 Which policies are currently active is determined by a configuration setting in TracIni:
 e.g.
 {{{
+{{{#!ini
 [trac]
 permission_policies = ReadonlyWikiPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
 …
 Among the possible optional choices, there is [#AuthzPolicy], a very generic permission policy, based on an Authz-style system. See
 [trac:source:branches/0.12-stable/tracopt/perm/authz_policy.py authz_policy.py] for details.
+[trac:source:branches/1.0-stable/tracopt/perm/authz_policy.py authz_policy.py] for details.
 Another popular permission policy [#AuthzSourcePolicy], re-implements the pre-0.12 support for checking fine-grained permissions limited to Subversion repositories in terms of the new system.
 See also [trac:source:branches/0.12-stable/sample-plugins/permissions sample-plugins/permissions] for more examples.
+See also [trac:source:branches/1.0-stable/sample-plugins/permissions sample-plugins/permissions] for more examples.
 === !AuthzPolicy ===
 ==== Configuration ====
+* Install [http://www.voidspace.org.uk/python/configobj.html ConfigObj] (still needed for 0.12 and later).
+* Copy [browser:/trunk/tracopt/perm/authz_policy.py /tracopt/perm/authz_policy.py] to your environment's plugins directory (only for Trac 0.11).
+* Install [http://www.voidspace.org.uk/python/configobj.html ConfigObj].
 * Put a [http://swapoff.org/files/authzpolicy.conf authzpolicy.conf] file somewhere, preferably on a secured location on the server, not readable for others than the webuser. If the  file contains non-ASCII characters, the UTF-8 encoding should be used.
 * Update your `trac.ini`:
 . modify the [TracIni#trac-section permission_policies] entry in the `[trac]` section
 {{{
+{{{#!ini
 [trac]
 ...
 …
 }}}
 . add a new `[authz_policy]` section
 {{{
+{{{#!ini
 [authz_policy]
 authz_file = /some/trac/env/conf/authzpolicy.conf
 }}}
 . enable the plugin through [/admin/general/plugin WebAdmin] or by editing the `[components]` section
 {{{
+{{{#!ini
 [components]
-...
-# Trac 0.12
 tracopt.perm.authz_policy.* = enabled
-# for Trac 0.11 use this
-#authz_policy.* = enabled
 }}}
 …
 The `authzpolicy.conf` file is a `.ini` style configuration file:
 {{{
+{{{#!ini
 [wiki:PrivatePage@*]
 john = WIKI_VIEW, !WIKI_MODIFY
 …
   Example: Match the WikiStart page
 {{{
+{{{#!ini
 [wiki:*]
 [wiki:WikiStart*]
 …
   Example: Match the attachment `wiki:WikiStart@117/attachment:FOO.JPG@*`
   on WikiStart
 {{{
+{{{#!ini
 [wiki:*]
 [wiki:WikiStart*]
 …
 For example, if the `authz_file` contains:
 {{{
+{{{#!ini
 [wiki:WikiStart@*]
 * = WIKI_VIEW
 …
 Groups:
 {{{
+{{{#!ini
 [groups]
 admins = john, jack
 …
 Some repository examples (Browse Source specific):
 {{{
+{{{#!ini
 # A single repository:
 [repository:test_repo@*]
 …
 Very fine grain repository access:
 {{{
+{{{#!ini
 # John has BROWSER_VIEW and FILE_VIEW access to trunk/src/some/location/ only
 [repository:test_repo@*/source:trunk/src/some/location/*@*]
 …
 You cannot do the following:
 {{{
+{{{#!ini
 [groups]
 team1 = a, b, c
 …
 Permission groups are not supported either. You cannot do the following:
 {{{
+{{{#!ini
 [groups]
 permission_level_1 = WIKI_VIEW, TICKET_VIEW
 …
 Example:
 {{{
+{{{#!ini
 [/]
 * = r
 …
 To activate fine grained permissions you __must__ specify the {{{authz_file}}} option in the {{{[trac]}}} section of trac.ini. If this option is set to null or not specified the permissions will not be used.
 {{{
+{{{#!ini
 [trac]
 authz_file = /path/to/svnaccessfile
 …
 If you want to support the use of the `[`''modulename''`:/`''some''`/`''path''`]` syntax within the `authz_file`, add
 {{{
+{{{#!ini
 authz_module_name = modulename
 }}}
 …
 where ''modulename'' refers to the same repository indicated by the `<name>.dir` entry in the `[repositories]` section. As an example, if the `blahblah.dir` entry in the `[repositories]` section is `/srv/active/svn/blahblah`, that would yield the following:
 {{{
+{{{ #!ini
 [trac]
 authz_file = /path/to/svnaccessfile
 …
 As of version 0.12, make sure you have ''!AuthzSourcePolicy'' included in the permission_policies list in trac.ini, otherwise the authz permissions file will be ignored.
 {{{
+{{{#!ini
 [trac]
 permission_policies = AuthzSourcePolicy, ReadonlyWikiPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
 …
 The same access file is typically applied to the corresponding Subversion repository using an Apache directive like this:
 {{{
+{{{#!apache
 <Location /repos>
   DAV svn
 …
 == Debugging permissions
 In trac.ini set:
 {{{
+{{{#!ini
 [logging]
 log_file = trac.log
 …
 And watch:
 {{{
+{{{#!sh
 tail -n 0 -f log/trac.log | egrep '\[perm\]|\[authz_policy\]'
 }}}