
11 Access Control Triggers

The WANdisco CVS Replicator has a pre-commit access control mechanism that supplements the access control normally performed via commitinfo triggers, for example using the cvs_acl scripts. The commitinfo triggers fire after replication has been performed. Under some circumstances it may be desirable to perform access control on CVS write operations before any replication takes place. The WANdisco CVS Replicator authorization plugin serves this purpose: it fires just before replication is about to begin. The pre-replication trigger can also be used for non-security purposes, for instance generating email alerts.

The WANdisco CVS Replicator has a pluggable authorization model. By default a no-op auth plugin is enabled, which allows unrestricted access. A CVS administrator can customize the bundled lib/authperlscript and set up a PerlAuthPlugin. Look inside authperlscript for more details on how to use it for access control. In addition to the CVS user name, the IP address of the CVS client machine is available as a parameter to access control rules. This can be used to ensure that commits happen only from valid subnets or IP addresses, further tightening security constraints. The commitinfo triggers that run from the backend CVS repository do not have the client IP address available, due to limitations of the CVS server itself, but with the WANdisco CVS Replicator access control trigger the administrator can set up rules based on the client IP address.

To use lib/authperlscript, add the following line to the CVSProxy section of the cvs-replicator/config/prefs.xml file:

<CVSProxy>
 ....
 <AccessControlPlugin>org.nirala.admin.cvsproxy.security.PerlAuthPlugin</AccessControlPlugin>
 ....
</CVSProxy>
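The following Perl sketch shows the kind of rule described above: a default-deny check that permits a commit only when the CVS user name is known and the client IP address falls inside a subnet listed for that user. It is an added example, not the bundled lib/authperlscript or WANdisco code; the function names, the policy table and the way the user name and client IP are passed in are assumptions, so consult the bundled script for the actual interface.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample policy: CVS user name => CIDR blocks commits may come from.
my %ALLOWED = (
    alice => ['10.1.0.0/16'],
    bob   => ['10.1.2.0/24', '192.168.5.17/32'],
);

# Convert a dotted-quad IPv4 address to an integer; undef if malformed.
sub ip_to_int {
    my ($ip) = @_;
    return undef unless defined $ip
        && $ip =~ /\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\z/;
    my @o = ($1, $2, $3, $4);
    return undef if grep { $_ > 255 } @o;
    return ($o[0] << 24) | ($o[1] << 16) | ($o[2] << 8) | $o[3];
}

# True if $ip lies inside $cidr (for example "10.1.2.0/24").
sub ip_in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = $cidr =~ m{\A([0-9.]+)/([0-9]{1,2})\z} or return 0;
    return 0 if $bits > 32;
    my ($ip_n, $net_n) = (ip_to_int($ip), ip_to_int($net));
    return 0 unless defined $ip_n && defined $net_n;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ($ip_n & $mask) == ($net_n & $mask) ? 1 : 0;
}

# Hypothetical entry point. Default deny: unknown users, malformed
# addresses and unlisted subnets are all refused.
sub commit_allowed {
    my ($user, $client_ip) = @_;
    return 0 unless defined $user && exists $ALLOWED{$user};
    my $hits = grep { ip_in_cidr($client_ip, $_) } @{ $ALLOWED{$user} };
    return $hits ? 1 : 0;
}

# Constructed test cases: user name and client IP pairs.
for my $case (['alice', '10.1.9.4'], ['bob', '10.1.3.1'],
              ['bob', '192.168.5.17'], ['carol', '10.1.0.1']) {
    printf "%-6s %-15s %s\n", @$case,
        commit_allowed(@$case) ? 'ALLOW' : 'DENY';
}
```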
