2. Deployment Guide
This guide sets out everything that you need to consider before integrating WANdisco's Access Control and or replication technology into your SCM platform. It isn't possible to address every possible set of conditions so it's important to remain watchful for possible problems - don't hesitate to contact our support team with any questions or concerns.
Though you may have referred to the Deployment Checklist before or during an earlier evaluation of Access Control Plus we strongly recommend that you revisit the checklist immediately prior to your deployment in order to confirm that your system still meets all requirements.
Don't skip this section! Overlooked requirements are a common cause of difficult-to-diagnose setup problems that could take a lot more time to fix than you'll spend running through these checks.
2.1 Deployment Checklist
| System setup | |
Operating Systems |
We've tested the following operating systems:
|
Deployment Modes |
The Deployment mode is completely controlled by the license.key file that you have in place. Should you need to run in a different deployment mode, or change any othe aspect of your license, you should see License Updates. Integration with SVN MultiSite Plus When running Access Control Plus with WANdisco's SVN MultiSite Plus, you should refer to the Deployment Guide for SVN MultiSite Plus. Integration with Git MultiSite When running Access Control Plus with WANdisco's Git MultiSite, you should refer to the Deployment Guide for Git MultiSite Plus. Integration with Both (SVN and Git MultiSite) Running Access Control in this mode allows for the combined management of Git and Subversion teams and resources - You should refer to both MultiSite deployment guides. Standalone Mode In standalone mode only Access Control data is replicated between nodes. Each Access Control Plus node only manages access to local repository data. Generated password/authz files are stored directly on the Access Control nodes. Standalone mode is available for SVN only
Currently the Standalone mode is not able to support Git. |
Git or Subversion clients |
Any that are compatible with SVN or Git servers. |
Apache server |
If you plan to deploy with an Apache server it will need to be configured to handle repositories appropriately. Both Git and SVN have their own requirements which are documented in more detail in their corresponding MultiSite Administration Guides: Git MultiSite Authentication (HTTP) SVN MultiSite Deployment Checklist (Apache) |
SSH |
SSH authentication is available for Git and supported by Git MultiSite. It is simple to set up and is attached to a service which is often already enabled. Occasionally, firewall rules may block clients and is not as popular with Windows users. There is guidance available on setting up SSH in WANdisco Git MultiSite Administrator's Guide |
System memory |
Ensure RAM and swapping containers are at least four times larger than the largest repository file. Minimum: 2GB RAM; 4GB swapping container Minimum isn't Recommended By default, Access Control Plus's Java process is allocated the following heap space: -Xms128m -Xmx2048m If you need to reduce the heap size you're probably not going to have a comfortable margin. Consider increasing your server's system memory. In case of problems getting Access Control Plus running, you may need to alter the heap. If you need to reduce the heap size you won't be operating with a comfortable margin: consider increasing your server's system memory. Recommended: 4GB; 4GB swapping container Running with other apps In production you must always ensure that your system operates with a comfortable margin. The above memory recommendations don't take into account other applications that you may need to run on the server, notably when running Access Control Plus with either the git or SVN MultiSite products. We recommend that you complete load testing and specify your server's memory based on peak usage. |
Disk space |
Subversion: Match to projects and branches. Checkouts: You need sufficient disk space to handle large, in-transit checkouts which may get buffered to a tmp directory beneath the replicator installation until that checkout has been completed. The required space can be calculated using the following guideline: |
File descriptor limit |
Ensure hard and soft limits are set to 64000 or higher. Check with the ulimit or limit command. |
Journaling file system |
Replicator logs should be on a journaling file system, for example, ext3 on Linux or VXFS from Veritas. |
Max. User Process Limit |
At least three times the number of Git or SVN users. |
Java |
Install JDK 6 (previously referred to as 1.6) or higher. We recommend using Oracle JDK 6. JDK 7 While we currently develop primarily to support Java 6's feature set, Access Control Plus is also compatible with Java 7. |
License Model |
You can read about the license model in the License Management section of the reference guide. |
2.2 Deployment Types
Access Control Plus can be deployed in various modes, including:
- Standalone - One ore more nodes that handle repository access control with in a non-replicated scm environment. To clarify, Access Control Plus itself can still be replicated between multiple nodes, "Standalone" is used here to indicate that it is not dealing with replicated Git or SVN data.
- With Git MultiSite - One or more nodes deployed at a one or more sites in conjunction with WANdisco's Git MultiSite product.
- With SVN MultiSite - One or more nodes deployed at a one or more sites in conjunction with WANdisco's SVN MultiSite product.
- Both (with Git & SVN MultiSite) - One or more nodes deployed at a one or more sites in conjunction with both of WANdisco's SCM replication products.
Confirm which mode you a running in
After installation you can see which mode you're in - Check your mode
2.3 Installation Procedure
Once you've checked through the deployment checklist and you're confident that your system meets all the requirements, run through the following section to get Access Control Plus installed.
Don't forget to check the Release Notes for the current version. There may be references to Known limitations that you'll benefit from known about. See Release Notes
Tips If you run into difficulties, be sure to check out our Knowledgebase before raising contacting Support.
1. Download the Access Control Plus installation script "scm-access-control-plus_rpm_installer.sh" from the WANdisco File Distribution website, along with the necessary license key.
2. Create a home directory for the installation, e.g. /opt/wandisco.
3. Ensure that the license.key file is placed on your server (you'll need to provide a path to it during installation). Before you start, make sure the license matches the version of Access Control that you need.
4. Ensure that the installation script is executable, e.g., enter the command:
chmod a+x scm-access-control-plus_rpm_installer.sh
5. Run the installation script
Running Apache?
- Run Access Control Plus with the same user and group that is used for Apache. This will help to ensure that permission problems don't occur.
Silent Installation
- In a future release it will be possible to complete an installation without the need for user-interaction. Silent Installation.
[root@redhat6 wandisco]# ./scm-access-control-plus_rpm_installer.sh
Verifying archive integrity... All good.
Uncompressing WANdisco Access Control Plus..........
:: :: :: # # ## #### ###### # ##### ##### #####
:::: :::: ::: # # # # ## ## # # # # # # # # #
::::::::::: ::: # # # # # # # # # # # # # #
::::::::::::: ::: # # # # # # # # # # # ##### # # #
::::::::::: ::: # # # # # # # # # # # # # # #
:::: :::: ::: ## ## # ## # # # # # # # # # # #
:: :: :: # # ## # # # ###### # ##### ##### #####
Welcome to the WANdisco Access Control Plus installation
You are about to install WANdisco Access Control Plus version 1.0.0-1229
Do you want to continue with the installation? (Y/n) Y
Enter "Y" to continue.
6. The installer now checks for prerequisite applications. If there's a problem with Java, recheck the deployment checklist for information about their requirement. Once Java is confirmed as installed Heap settings are applied for running Access Control Plus.
Checking prerequisites: INFO: Using the following Memory settings: INFO: -Xms128m -Xmx2048m Do you want to use these settings for the installation? (Y/n) Y
We'll run with these default settings, entering "Y. For production you should match these settings to your particular requirements - in which case, enter N and type in the start and maximum heap values.
Changing Java Heap after installation
-
The Java heap settings are stored in the configuration file /opt/wandisco/scn-access-control-plus/main.config
e.g.# Access Control Plus configuration # DO NOT DELETE ACP_USER=wandisco ACP_GROUP=wandisco ACP_MEM_LOW=128 ACP_MEM_HIGH=2048
7. Next, the installer confirms TCP ports that it requires.
Which port should ACP listen on? [8082]: 8082 Which port should DConE listen on? [6444]: 6444 Which port should the Content Delivery service listen on? [6445]: 6445Stick with the default values if you can. Should your network management require that other ports be used, enter them at each prompt.
8. Enter the path to your license.key file. Then press enter.
A license file is required to use Access Control Plus Path to the license file: /opt/wandisco/license.key
9. Enter a name for the Access Control Plus Node, this will be used to refer to this particular instance of Access Control Plus. Choose a unique name consisting of numbers and letters.
Node name: node70
10. Enter system user and group details for running Access Control Plus. Heed the warning about not using root user. In this case we've created a specific user and group for use with our scm related services and applications.
We strongly advise against running Access Control Plus as the root user. Which user should Access Control Plus run as? wandisco Which group should Access Control Plus run as? wandisco
11. The next option configures the node for operating as part of a replication group. If you are installing a single Access Control Plus node, select "Y". If you are installing multiple Access Control Plus nodes for replication, you need to decide which of those nodes will have this option enabled.
One of your Access Control Plus nodes needs to be configured as a state machine creator. This MUST only be configured on ONE node. Configure this node as the statemachine creator? (y/N) yHere we've entered "y". If you're installing multiple Access Control Nodes then select yes for just one of them.
12. Enter the details for an administrator account, you'll use these details for accessing the Access Control admin console.
Access Control Plus needs an admin user to be configured First Name: Adie Last Name: Ministrator Username: admin Email Address: adie@theorganization.com Enter a password for admin: Confirm the password for admin:
13. In the final step for completion you are given a summary of your entries. Check through them and if you're happy, enter "y" to continue.
Installing with the following settings: System user: wandisco System group: wandisco Node name: node70 Application Port: 8082 DConE Port: 6444 Content Delivery Port: 6445 Application Hostname: 10.0.5.96 License: /opt/wandisco/license.key Admin user: admin Application Minimum memory: 128 Application Maximum memory: 2048 Statemachine Creator: true Do you want to continue with the installation? (Y/n) y
14. The installation will now complete with a confirmation that a restart has occured.
Restarting scm-access-control-plus services... Stopping scm-access-control-plus:[ OK ] Starting scm-access-control-plus:[ OK ] Installation Complete [root@redhat6 wandisco]#At this point the Access Control Plus will be running. You'll continue your set up from there. Open a browser and point it at http://<serviceIP>:8082/ui.
If you chose a different application port during step 7 then you will need to use it instead of the default "8082".
Don't miss out the /ui/ from the URL
Currently the browser-based admin console requires that you include the /ui/ directory in its URL. In a future release we'll ensure that any request on the application port will redirect to the admin console.
15. You will first be presented with the Access Control Plus End-user agreement. Read through the agreement, then click the Accept button to continue.
16. Login for the first time. Enter the username and password that you provided during step 12. Then click Let's do this
You'll arrive at Access Control Plus's Management Screen. This provides an overview of the accounts, teams and SCM repositories that Access Control Plus manages, along with rules that dictate what scm resources that account holders can access.
2.4 Getting Set up
After completing the installation you now need to set up Access Control Plus to work to your deployment requirements. Different deployments will require different steps. Below are checklists for some example deployments.
Standalone Mode
Follow this checklist if you are deploying in Standalone mode:
In Standalone mode there's no integration with an SCM replication product (e.g. Git MultiSite).
In this example we'd be running with multiple Access Control Plus nodes, using LDAP authentication and SSL end-to-end encryption of traffic. Click each step to be taken to the relevant sections. Obviously if any of these elements are not required, you can ignore or replace the step. e.g. If you are not running with LDAP, you'll maybe replace that step with Adding Accounts
- Follow these links to each step:
- Induction - Connecting your nodes
- LDAP - Enable LDAP Auth
- SSL - Enable SSL Encryption
- Email Notifications - Setup Email notification
- Repositories Templates - Create Repositories Templates
- Resources - Add Resources
- Teams - Create a Team
- Rules - Create a Rule
If you were running with only one Access Control node, you could drop the Induction step.
Access Control Plus with MultiSite
Follow this checklist if you are deploying with a MultiSite Product:
Unlike in standalone mode you'll need to have
- Follow these links to each step:
- Induction - Connecting your nodes
- Git/SVN MultiSite - Connect to MultiSite
- LDAP - Enable LDAP Auth
- SSL - Enable SSL Encryption
- Email Notifications - Setup Email notification
- Repositories Templates - Create Repositories Templates
- Resources - Add Resources
- Teams - Create a Team
- Rules - Create a Rule
Setting up LDAP
It is common practice to use one or more LDAP authorities for managing which employees need accounts created in Access Control Plus. You connect any number of LDAP authorities, adding them through the Settings screen.
Local users are exempt from updates and removal for synchronization of team admins and team members. This means that a local admin who appears in an authority won't suddenly be added to a team or be made in to a sys admin. Instead a message is logged to indicate that this user has been skipped, it is then down to the sys admin to ensure that the local user is removed.
Access Control Settings
1. From the admin console, click the Settings link on the menu bar.
2. The settings are displayed in an Accordion style menu. Click either the links on the side menu or the title bars in the right-hand panel.
Full details on setting up each section is provided in the Settings reference guide. What settings you apply will be largely determined by how you are using Access Control Plus. The products appearance and functionality differs depending on whether you are running it in a stand-alone mode or in conjunction with WANdisco's Git or SVN MultiSite products.
Application Settings
The Application Settings extend Access Control Plus's own functionality.
Access Control Updates
This section contains settings for running Access Control in Batch updates mode. For more information see the reference section on Batch updates.
Repository Templates
The Repository Templates section is where Git or SVN repositories are defined. In order for Access Control Plus to manage access to a repository a template that corresponds with an existing repository must be added here, along with appropriate references it a password or authorization file.
See Adding Repository Templates, Managing Repository Templates.
Node Management
The Node Management section is used to control how Access Control Plus communicates with other Access Control Plus nodes on replication network, specifically when Access Control Plus is used in conjunction with WANdisco's DConE replication protocol.
Node Induction
The Node Induction section is used to connect this particular instance of Access Control Plus to a replication network. Again, this applies to deployments where multiple instances of Access Control Plus are running, which would allow each development site to have it's own replica of the the access control service.
See Inducting a node.
Node Repairs
The Node Repairs tool is used should one or more nodes be lost or experiencing a lengthy disconnection from the replication network. The tool is used to redefine the replication group so that the remaining nodes can continue to operate.
External Applications
Connects Access Control Plus to supporting systems to benefit from additonal capabilities.
Connect to MultiSite
If you are running Access Control Plus along with WANdisco's Git or SVN MultiSite products then you enter the necessary details for Access Control Plus to talk to MultiSite via its REST API interface.
See Connecting to SVN MultiSite , See Connecting to Git MultiSite.
Connect to LDAP
Most deployments will use an existing LDAP authority to manage their employee system accounts. This section lets you connect to multiple LDAP authorities and setup queries to filter for accounts that need access to SCM resources.
See Adding an LDAP Authority, Manage LDAP Authorities
Email Notifications
The Email Notifcations settings are used to connect to an available relay server so that Access Control Plus and send notifcation emails to administration staff.
2.5 Silent Installation
It will soon be possible to install Access Control Plus Silently, that is through a non-interactive process that can be kicked off as part of an automated action, with no need for a user to respond to entry prompts. When available the following environment variables must be set:
- ACP_USER=wandisco
- System user for the Access Control Plus process
- ACP_GROUP=wandisco
- System group used by Access Control Plus process
- ACP_PORT=9000
- Port allocated for web access to the admin console
- ACP_DCONE_PORT=9050
- Port allocated for replicated data
- ACP_CONTENT_PORT=8000
- Port allocated for Access Control's internal content delivery
- ACP_NODE_NAME=node1
- Name of the Node (different for each node)
- ACP_ADMIN_USER=admin
- Admin account username
- ACP_ADMIN_FIRST_NAME=mr
- Admin account first name
- ACP_ADMIN_LAST_NAME=admin
- Admin account last name
- ACP_ADMIN_EMAIL=mr@admin.com
- Email address for the admin account - needed to allow Access Control Plus to send out notification emails.
- ACP_ADMIN_PASSWORD=password
- Admin password
- ACP_MEM_LOW=128
- The minimum amount of memory allocated to Access Control Plus.
- ACP_MEM_HIGH=2048
- The maximum amount of memory allocated to Access Control Plus.
- ACP_LICENSE_FILE=/home/wandisco/keys/License.key
- The full path to the license.key file
- ACP_STATEMACHINE_CREATOR='true'
- True only for a single (Induction controller node), 'false' for the rest.
- ACP_HOSTNAME=node1
- The IP address or fully qualified domain name of the node (must match with those encoded into to the license.key file.)
A scripted start to the installation requires the running of the following command:
ACP__USER=wandisco ACP_GROUP=wandisco ACP_PORT=9000 etc... export ACP_USER ACP_GROUP ACP_PORT ACP_DCONE_PORT ACP_CONTENT_PORT ACP_NODE_NAME etc... ./scm-access-control-plus_rpm_installer.shThe installation will then run without user interaction. Once installation is completed, the browser-based admin console will start. You'll then need to complete the node set up from step 10.
Copyright © 2010-2014 WANdisco plc.
All Rights Reserved
This product is protected by copyright and distributed under
licenses restricting copying, distribution and decompilation.
Access Control Plus
Last doc build: 17:35 09 May 2014