Changes between Version 2 and Version 3 of 1.1/TracFineGrainedPermissions
- Timestamp: Jan 10, 2015, 10:17:19 AM (9 years ago)
1.1/TracFineGrainedPermissions
v2 v3 1 = Fine grained permissions = 1 2 [[PageOutline(2-5, Contents, floated)]] 2 = Fine grained permissions = 3 4 Before Trac 0.11, it was only possible to define fine-grained permissions checks on the repository browser sub-system. 5 6 Since 0.11, there's a general mechanism in place that allows custom **permission policy plugins** to grant or deny any action on any kind of Trac resources, even at the level of specific versions of such resources. 7 8 Note that for Trac 0.12, `authz_policy` has been integrated as an optional module (in `tracopt.perm.authz_policy.*`), so it's installed by default and can simply be activated via the //Plugins// panel in the Trac administration module. 3 [[TracGuideToc]] 4 5 There's a general mechanism in place that allows custom **permission policy plugins** to grant or deny any action on any kind of Trac resources, even at the level of specific versions of such resources. 6 7 That mechanism is `authz_policy`, which is an optional module (in `tracopt.perm.authz_policy.*`), so it's installed by default and can simply be activated via the //Plugins// panel in the Trac administration module. 9 8 10 9 … … 15 14 Which policies are currently active is determined by a configuration setting in TracIni: 16 15 e.g. 17 {{{ 16 {{{#!ini 18 17 [trac] 19 18 permission_policies = ReadonlyWikiPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy … … 22 21 23 22 Among the possible optional choices, there is [#AuthzPolicy], a very generic permission policy, based on an Authz-style system. See 24 [trac:source:branches/ 0.12-stable/tracopt/perm/authz_policy.py authz_policy.py] for details.23 [trac:source:branches/1.0-stable/tracopt/perm/authz_policy.py authz_policy.py] for details. 25 24 26 25 Another popular permission policy [#AuthzSourcePolicy], re-implements the pre-0.12 support for checking fine-grained permissions limited to Subversion repositories in terms of the new system. 
27 26 28 See also [trac:source:branches/ 0.12-stable/sample-plugins/permissions sample-plugins/permissions] for more examples.27 See also [trac:source:branches/1.0-stable/sample-plugins/permissions sample-plugins/permissions] for more examples. 29 28 30 29 31 30 === !AuthzPolicy === 32 31 ==== Configuration ==== 33 * Install [http://www.voidspace.org.uk/python/configobj.html ConfigObj] (still needed for 0.12 and later). 34 * Copy [browser:/trunk/tracopt/perm/authz_policy.py /tracopt/perm/authz_policy.py] to your environment's plugins directory (only for Trac 0.11). 32 * Install [http://www.voidspace.org.uk/python/configobj.html ConfigObj]. 35 33 * Put a [http://swapoff.org/files/authzpolicy.conf authzpolicy.conf] file somewhere, preferably on a secured location on the server, not readable for others than the webuser. If the file contains non-ASCII characters, the UTF-8 encoding should be used. 36 34 * Update your `trac.ini`: 37 35 1. modify the [TracIni#trac-section permission_policies] entry in the `[trac]` section 38 {{{ 36 {{{#!ini 39 37 [trac] 40 38 ... … … 42 40 }}} 43 41 1. add a new `[authz_policy]` section 44 {{{ 42 {{{#!ini 45 43 [authz_policy] 46 44 authz_file = /some/trac/env/conf/authzpolicy.conf 47 45 }}} 48 46 1. 
enable the plugin through [/admin/general/plugin WebAdmin] or by editing the `[components]` section 49 {{{ 47 {{{#!ini 50 48 [components] 51 ...52 # Trac 0.1253 49 tracopt.perm.authz_policy.* = enabled 54 # for Trac 0.11 use this55 #authz_policy.* = enabled56 50 }}} 57 51 … … 68 62 69 63 The `authzpolicy.conf` file is a `.ini` style configuration file: 70 {{{ 64 {{{#!ini 71 65 [wiki:PrivatePage@*] 72 66 john = WIKI_VIEW, !WIKI_MODIFY … … 84 78 85 79 Example: Match the WikiStart page 86 {{{ 80 {{{#!ini 87 81 [wiki:*] 88 82 [wiki:WikiStart*] … … 93 87 Example: Match the attachment `wiki:WikiStart@117/attachment:FOO.JPG@*` 94 88 on WikiStart 95 {{{ 89 {{{#!ini 96 90 [wiki:*] 97 91 [wiki:WikiStart*] … … 113 107 114 108 For example, if the `authz_file` contains: 115 {{{ 109 {{{#!ini 116 110 [wiki:WikiStart@*] 117 111 * = WIKI_VIEW … … 134 128 135 129 Groups: 136 {{{ 130 {{{#!ini 137 131 [groups] 138 132 admins = john, jack … … 155 149 156 150 Some repository examples (Browse Source specific): 157 {{{ 151 {{{#!ini 158 152 # A single repository: 159 153 [repository:test_repo@*] … … 173 167 174 168 Very fine grain repository access: 175 {{{ 169 {{{#!ini 176 170 # John has BROWSER_VIEW and FILE_VIEW access to trunk/src/some/location/ only 177 171 [repository:test_repo@*/source:trunk/src/some/location/*@*] … … 201 195 202 196 You cannot do the following: 203 {{{ 197 {{{#!ini 204 198 [groups] 205 199 team1 = a, b, c … … 210 204 211 205 Permission groups are not supported either. You cannot do the following: 212 {{{ 206 {{{#!ini 213 207 [groups] 214 208 permission_level_1 = WIKI_VIEW, TICKET_VIEW … … 228 222 229 223 Example: 230 {{{ 224 {{{#!ini 231 225 [/] 232 226 * = r … … 248 242 To activate fine grained permissions you __must__ specify the {{{authz_file}}} option in the {{{[trac]}}} section of trac.ini. If this option is set to null or not specified the permissions will not be used. 
249 243 250 {{{ 244 {{{#!ini 251 245 [trac] 252 246 authz_file = /path/to/svnaccessfile … … 255 249 If you want to support the use of the `[`''modulename''`:/`''some''`/`''path''`]` syntax within the `authz_file`, add 256 250 257 {{{ 251 {{{#!ini 258 252 authz_module_name = modulename 259 253 }}} … … 261 255 where ''modulename'' refers to the same repository indicated by the `<name>.dir` entry in the `[repositories]` section. As an example, if the `blahblah.dir` entry in the `[repositories]` section is `/srv/active/svn/blahblah`, that would yield the following: 262 256 263 {{{ 257 {{{ #!ini 264 258 [trac] 265 259 authz_file = /path/to/svnaccessfile … … 276 270 As of version 0.12, make sure you have ''!AuthzSourcePolicy'' included in the permission_policies list in trac.ini, otherwise the authz permissions file will be ignored. 277 271 278 {{{ 272 {{{#!ini 279 273 [trac] 280 274 permission_policies = AuthzSourcePolicy, ReadonlyWikiPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy … … 284 278 285 279 The same access file is typically applied to the corresponding Subversion repository using an Apache directive like this: 286 {{{ 280 {{{#!apache 287 281 <Location /repos> 288 282 DAV svn … … 327 321 == Debugging permissions 328 322 In trac.ini set: 329 {{{ 323 {{{#!ini 330 324 [logging] 331 325 log_file = trac.log … … 335 329 336 330 And watch: 337 {{{ 331 {{{#!sh 338 332 tail -n 0 -f log/trac.log | egrep '\[perm\]|\[authz_policy\]' 339 333 }}}
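Review bot: the rewritten introduction (new lines 5-7) says "That mechanism is `authz_policy`", but the sentence before it describes the general permission-policy plugin mechanism, and `authz_policy` is one policy that plugs into it, as the unchanged text later on the page states ("Among the possible optional choices, there is [#AuthzPolicy], a very generic permission policy"). Suggest "One such policy is `authz_policy`, an optional module (in `tracopt.perm.authz_policy.*`), so it's installed by default ..." so the introduction agrees with the AuthzPolicy section.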
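Review bot: the source links at new lines 23 and 27 were moved from `branches/0.12-stable` to `branches/1.0-stable`, yet this page lives under `1.1/TracFineGrainedPermissions`; if the 1.1 guide is meant to track the development line rather than 1.0-stable, the two links should point at the matching branch, otherwise a short note that 1.0-stable is intentional would help the next editor.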
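Review bot: the fence at new line 257 reads `{{{ #!ini` with a space before the processor name, while every other fence touched in this revision is written `{{{#!ini`; change it to `{{{#!ini` for consistency with the rest of the page.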