Posts: 14
Registered: Feb 05, 2010 07:44:50 AM
VOB access control
Posted: Oct 29, 2010 10:54:29 AM
Hi,
I am trying to understand a bit about Clearcase access control to VOBs. Basically, my goal is to make it so that not every user of the Clearcase server is able to see every VOB in it.
I have a test "server" on an XP machine and am connecting to it with another PC. Now that I've spent my whole day on this subject, I am asking myself whether the "cleartool protectvob -add_group..." function is really useful. Explanations:
* As far as I understood, Clearcase access control is based on windows access control (right click on a vob folder, security and share...)
* When I add a group through cleartool to the vob, I don't see any change in the windows security window.
* When I 'cleartool describe' a vob folder, I only get "User : UNKNOWN and Group: UNKNOWN" information
* The only achievements to which I got today were by changing directly the accesses to the ".vbs" folders either for the PVOB or the VOB, without passing by cleartool.

Is there anything I am missing (since I didn't really get far on this subject yet), which would require the use of protectvob etc.? What is in your opinion the best way to get good control over the visibility of the VOB for the different users?
Many thanks to whoever would answer my questions :)
Posts: 417
Registered: Sep 28, 2005 02:20:11 PM
Re: VOB access control
Posted: Oct 29, 2010 11:24:29 AM in response to: PResin's post
>> * As far as I understood, Clearcase access control is based on windows access control (right click on a vob folder, security and share...)
Yes and no. Windows access control is only part of the picture. Windows access control is what gets you to the containers in the pools, and what limits your ability to mount a VOB. Beyond that, you're looking strictly at ClearCase permissions, which are more unix-like.
>> * When I add a group through cleartool to the vob, I don't see any change in the windows security window.
Generally speaking, this is normal behavior. You may see the windows permissions on the pool directories change, but not on the .vbs itself. cleartool protect -add_group adds a group to the list of groups that can create or "own" elements within the VOB. That's essentially ALL it does. It does not control a user's ability to access elements in that VOB. The element permissions do that.
>> * When I 'cleartool describe' a vob folder, I only get "User : UNKNOWN and Group: UNKNOWN" information
This shouldn't happen unless the user who owns that element can't be looked up from the host you're on. Are you using a non-domain system as the test system?
>> * The only achievements to which I got today were by changing directly the accesses to the ".vbs" folders either for the PVOB or the VOB, without passing by cleartool.
Don't do this. You run a better than 90% chance of BREAKING the VOB storage directory permissions. You will become very familiar with the "fix_prot" utility if you persist in doing this.
If this is an all-Windows environment, and you want only authorized users to be able to mount VOBs (If users can't mount the VOB, they can't access the contents) try setting up multiple project-specific shares on your VOB server. You then grant ONLY the "ClearCase Server process Group" and the group of users access through that share using SHARE PERMISSIONS ONLY. You may have users who try to get around this using snapshot views, but while they may be able to see the NAMES of the files in the directories, they won't be able to load any of those files into their views. If you want to limit that, you would have to work with element permissions. The biggest problem here is that you can only work with 16 or 32 groups, depending on the VOB storage platform, and this limits the number of options you have there.
=================================================================
Brian Cowan
Advisory Software Engineer
ClearCase SoftWare Advisory Team (SWAT)
Rational Software
IBM Software Group
550 King St
Littleton, MA 01460
Phone: 1.978.899.9471
Web: http://www.ibm.com/software/rational/support/
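The three layers described in the reply above (share permissions that gate mounting, unix-like element permissions, and the VOB group list changed by -add_group), as an added example that is not part of the original thread and not IBM code: a simplified Python model. All user, group and path names are constructed, and the owner/group/other check is an assumed reading of "more unix-like".

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    groups: frozenset

@dataclass
class Element:
    owner: str
    group: str
    mode: int                  # unix-style permission bits, e.g. 0o770

@dataclass
class Vob:
    share_acl: frozenset       # principals granted on the Windows share
    group_list: frozenset      # groups added with protectvob -add_group
    elements: dict = field(default_factory=dict)

def can_mount(user, vob):
    # Layer 1: share permissions decide who reaches the VOB storage at all.
    return bool((user.groups | {user.name}) & vob.share_acl)

def can_read(user, elem):
    # Layer 2 (assumed unix-like): owner bits, else group bits, else other bits.
    if user.name == elem.owner:
        shift = 6
    elif elem.group in user.groups:
        shift = 3
    else:
        shift = 0
    return bool((elem.mode >> shift) & 0o4)

def can_own_elements(user, vob):
    # Layer 3: the group list only says which groups may create or own elements.
    return bool(user.groups & vob.group_list)

def access_report(user, vob, path):
    mount = can_mount(user, vob)
    return {"mount": mount,
            "read": mount and can_read(user, vob.elements[path]),
            "create_elements": mount and can_own_elements(user, vob)}

# Constructed sample data: one VOB, one element owned by alice/ccgp1.
AIRPLANE = Vob(frozenset({"clearcase", "ccgp1", "auditors"}),
               frozenset({"ccgp1", "ccgp2"}),
               {"src/main.c": Element("alice", "ccgp1", 0o770)})
CAROL = User("carol", frozenset({"ccgp1"}))            # on share, in element group
BOB = User("bob", frozenset({"ccgp2"}))                # in group list, not on share
EVE = User("eve", frozenset({"auditors", "ccgp2"}))    # on share, not in element group
```

In this model BOB gains nothing from being in the group list because the share excludes him, and EVE can mount and create elements but still cannot read an element whose mode gives "other" no access.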
Posts: 14
Registered: Feb 05, 2010 07:44:50 AM
Re: VOB access control
Posted: Nov 01, 2010 05:58:34 AM in response to: brcowan's post
Thank you Brian for your answer.
I should have maybe mentioned that I'm still a beginner in Clearcase management, thus the following answers may reflect my level.
%% >> * As far as I understood, Clearcase access control is based on windows access control (right click on a vob folder, security and share...)
%% Yes and no. Windows access control is only part of the picture. Windows access control it what gets you to the containers in the pools, and what limits your ability to mount a VOB. Beyond that, you're looking strictly at ClearCase permissions, which are more unix-like.
%% >> * When I add a group through cleartool to the vob, I don't see any change in the windows security window.
%% Generally speaking, this is normal behavior. You may see the windows permissions on the pool directories change, but not on the .vbs itself. cleartool protect -add_group adds a group to the list of groups that can create or "own" elements within the VOB. That's essentially ALL it does. It does not control a user's ability to access elements in that VOB. The element permissions do that.
Ok, that's understood :)
%% >> * When I 'cleartool describe' a vob folder, I only get "User : UNKNOWN and Group: UNKNOWN" information
%% This shouldn't happen unless the user who owns that element can't be looked up from the host you're on. Are you using a non-domain system as the test system?
I am using a computer in the domain and everything; this may be due to the different manipulations I did on the VOBs. Once I get the clean method to protect vobs, I will create new test VOBs and see if this problem remains.
%% >> * The only achievements to which I got today were by changing directly the accesses to the ".vbs" folders either for the PVOB or the VOB, without passing by cleartool.
%% Don't do this. You run a better than 90% chance of BREAKING the VOB storage directory permissions. You will become very familiar with the "fix_prot" utility if you persist in doing this.
Good to know. I actually got this kind of error, and trying fix_prot returned me errors in the permissions message.
----
Now the hardest part for me.
%% If this is an all-Windows environment (yes), and you want only authorized users to be able to mount VOBs
I may not have used the correct method previously but so far what I'm doing is using the project explorer to display the different VOBs (from which I can already see the different activities that I would like to hide) and I never "mounted" a VOB, am I doing all wrong?
%%(If users can't mount the VOB, they can't access the contents) try setting up multiple project-specific shares on your VOB server.
"Multiple project specific shares". On my side I am creating One set of VOB/PVOB per project. Then creating "clearcase-named" projects per sub-project (Aouch...this isn't clear..let's say that I have one project to develop an airplane software and another one to develop a pong game, these would be two different VOBS, then if I have two sub-projects within the airplane software project, there I would create two clearcase projects within the VOB), is it the right way to do it?
%% You then grant ONLY the "ClearCase Server process Group" and the group of users access through that share using SHARE PERMISSIONS ONLY.
Are you here mentioning the SHARE PERMISSIONS on the windows environment or another way to handle it? Supposing I have a base clearcase group ccgroup and two other groups that shouldn't have access to every VOB (+ccgp1+ & +ccgp2+), shall I only give SHARE PERMISSIONS to ccgroup and not the others in order to avoid having them seeing the VOB? Is it really sufficient?
%% You may have users who try to get around this using snapshot views, but while they may be able to see the NAMES of the files in the directories, they won't be able to load any of those files into their views.
If they can create views then I suppose that they can see the activities?
%% If you want to limit that, you would have to work with element permissions. The biggest problem here is that you can only work with 16 or 32 groups, depending on the VOB storage platform, and this limits the number of options you have there.
Sorry for all these questions but I feel like I always did the wrong way since I discovered Clearcase...
Posts: 14
Registered: Feb 05, 2010 07:44:50 AM
Re: VOB access control
Posted: Nov 02, 2010 03:40:40 AM in response to: PResin's post
Hi again,
I guess by the number of views and the lack of answers that my reply was a bit long, thus discouraging...let's make it shorter:
* Why do we have to mount a VOB? On my side, I am seeing them in the project explorer without mounting them.
* Are the SHARE PERMISSIONS the ones handled with Windows or is there another way?
My goal is, having a PVOB and a VOB, to hide even the activities for the streams etc. is it feasible?
Hoping that this simplifies the reading, the answers may be a good start for me.
Thanks to anybody who could answer this!
Posts: 14
Registered: Feb 05, 2010 07:44:50 AM
Re: VOB access control
Posted: Nov 03, 2010 05:18:44 AM in response to: PResin's post
It seems like nobody really has answers for me; anyway here are some updates on what I've found:
* On PVOB folder, when removing NTFS security "write" permission to the primary group, then the user can not see the PVOB in the project explorer anymore.
* On VOB folder, when removing NTFS security "write" permission to the primary group, then the user can not see the VOB components when creating a view on a stream.
* It seems that the more restrictive access security applies, therefore creating NTFS security rights for a specific user (myself in my case) doesn't have any effect.
Given that I don't know much about windows security, I've found this article: http://www.windowsecurity.com/articles/Share-Permissions.html, that states that "when the NTFS permissions are combined with the share permissions, the most secure of the two permissions controls the access to the resource.". In my case, I've tried to apply restrictive share permissions, as recommended by Brian, but it had absolutely no effect.
Again, my questions may be due to the fact that I am testing the Clearcase server on a WinXP machine and not on a real server, but if anybody has more information or tutorials on how to control the access and visibility for different users on Clearcase, please answer this thread, as for the moment, I feel kind of lost in it :).
Thanks in advance...please... :)