WANdisco

12 Access Control Triggers

The WANdisco CVS Replicator has a pre-commit access control mechanism that supplements the access control normally performed via commitinfo triggers, for example using the cvs_acl scripts. The commitinfo triggers fire after replication has been performed. Under some circumstances it may be desirable to perform access control on CVS write operations prior to any replication. This is what the WANdisco CVS Replicator authorization plugin can be used for: it fires just before replication is about to begin. The pre-replication trigger can also be used for non-security purposes, for instance generating email alerts.

The WANdisco CVS Replicator has a pluggable authorization model. By default a No-op auth plugin is enabled, which allows unrestricted access. A CVS administrator can customize the bundled lib/authperlscript and set up a PerlAuthPlugin. Look inside the authperlscript for details on how to use it for access control. In addition to the CVS user name, the IP address of the CVS client machine is also available as a parameter to access control rules. This can be used to ensure commits happen only from valid subnets or IP addresses, further tightening security constraints. The commitinfo triggers that run from the backend CVS repository do not have the client IP address available, due to limitations of the CVS server itself, but using the WANdisco CVS Replicator access control trigger the administrator can set up rules based on the client IP address.

To use the lib/authperlscript, add the following line to the CVSProxy section of the cvs-replicator/config/prefs.xml file:

<CVSProxy>
 ....
 <AccessControlPlugin>org.nirala.admin.cvsproxy.security.PerlAuthPlugin</AccessControlPlugin>
 ....
</CVSProxy>

12.1 Custom Pre-Replication Trigger

For maximum flexibility it is possible to write a custom trigger in Java and install it such that the WANdisco CVS Replicator will invoke it prior to replication. You must be conversant with Java programming language in order to take advantage of this feature.

Follow these steps to invoke your own custom pre-replication trigger:

  1. Implement the com.wandisco.cvsreplicator.api.AuthorizationPlugin Java interface. There is only a single method, allow(), to implement:
    package com.wandisco.cvsreplicator.api;

    import java.util.Set;

    public interface AuthorizationPlugin {
      /**
       * Returns true if the user is authorized to execute the CVS command in question,
       * else returns false.
       * @param user        CVS user trying to perform the write command
       * @param ip          IP address of the CVS client
       * @param cmd         CVS command the user is trying to execute
       * @param dirs        Set of CVS directories on which the command will operate
       * @param cvsroot     The CVSROOT directory
       * @return            true to let the command proceed to replication, false to reject it
       */
      boolean allow(String user, String ip, String cmd, Set dirs, String cvsroot);
    }
    
  2. Compile your code, create a jar file and copy it into the cvs-replicator/lib directory
  3. Specify the class name (without the .class suffix) in the cvs-replicator/config/prefs.xml file using the AccessControlPlugin tag, for instance:
    <CVSProxy>
     ....
     <AccessControlPlugin>my.custom.AuthPlugin</AccessControlPlugin>
     ....
    </CVSProxy>
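As an added illustration (not WANdisco's code), here is a custom plugin implementing the interface from step 1 that refuses writes from clients outside trusted subnets and lets only an administrator modify the CVSROOT directory. It assumes the class name my.custom.AuthPlugin used in step 3, constructed sample subnets and admin user name, and that the entries of dirs are directory-name Strings.

```java
package my.custom;
import java.util.Set;
import com.wandisco.cvsreplicator.api.AuthorizationPlugin;
/** Hypothetical plugin: accept writes only from trusted subnets; only an admin may touch CVSROOT. */
public class AuthPlugin implements AuthorizationPlugin {
    // Constructed sample policy; a real deployment would read these from a config file.
    private static final String[] TRUSTED_CIDRS = {"10.0.0.0/8", "192.168.1.0/24"};
    private static final String ADMIN_USER = "cvsadmin";
    // Same raw-typed signature as the interface above; dirs is assumed to hold String directory names.
    public boolean allow(String user, String ip, String cmd, Set dirs, String cvsroot) {
        String reason = null;
        // Fail closed: a missing or unparsable client address is never trusted.
        if (user == null || ip == null || !fromTrustedSubnet(ip)) {
            reason = "client address not in a trusted subnet";
        } else if (dirs != null && !ADMIN_USER.equals(user)) {
            // Only the administrator may write into the CVSROOT administrative directory.
            for (Object d : dirs) {
                String dir = String.valueOf(d);
                if (dir.equals("CVSROOT") || dir.startsWith("CVSROOT/")) reason = "CVSROOT write by non-admin";
            }
        }
        if (reason != null) {  // log the refusal so denials are visible to the administrator
            System.err.println("AuthPlugin DENY user=" + user + " ip=" + ip + " cmd=" + cmd + " (" + reason + ")");
        }
        return reason == null;
    }
    // True if the dotted-quad IPv4 address lies inside one of TRUSTED_CIDRS.
    static boolean fromTrustedSubnet(String ip) {
        long addr = toLong(ip);
        if (addr < 0) return false;
        for (String cidr : TRUSTED_CIDRS) {
            String[] p = cidr.split("/");
            long mask = (0xFFFFFFFFL << (32 - Integer.parseInt(p[1]))) & 0xFFFFFFFFL;
            if ((addr & mask) == (toLong(p[0]) & mask)) return true;
        }
        return false;
    }
    // Parse a.b.c.d into an unsigned 32-bit value; -1 for anything malformed.
    private static long toLong(String ip) {
        String[] o = ip.trim().split("\\.");
        if (o.length != 4) return -1;
        long v = 0;
        for (String s : o) {
            if (!s.matches("\\d{1,3}") || Integer.parseInt(s) > 255) return -1;
            v = (v << 8) | Integer.parseInt(s);
        }
        return v;
    }
}
```

Because the plugin runs before replication, a rejected command never reaches any replica, and the stderr line gives the administrator a record of each refusal.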