Administration Guide

This Admin Guide details the common procedures that you will need to follow in order to set up and use Access Control Plus.

3.1 Starting Up

To start Access Control Plus, follow these steps:

  1. Open a terminal window on the server and login with suitable file permissions.
  2. Run the scm-access-control-plus service, located in the /etc/init.d folder:
    lrwxrwxrwx  1 root root        65 Apr 24 11:43 scm-access-control-plus -> /opt/wandisco/scm-access-control-plus/bin/scm-access-control-plus
    
  3. Run the script with the start command:
    [root@localhost init.d]#  ./scm-access-control-plus start
    Starting scm-access-control-plus:. [ OK ]
  4. The Access Control Plus application will start. Read more about the svn-multisite init.d script

3.2 Shutting down

To shutdown:

  1. Open a terminal window on the server and login with suitable file permissions.
  2. Run the svn-multisite service, located in the init.d folder:
    lrwxrwxrwx  1 root root        65 Apr 24 11:43 scm-access-control-plus -> /opt/wandisco/scm-access-control-plus/bin/scm-access-control-plus
  3. Run the stop script, i.e.:
    [root@redhat6 init.d]#   ./scm-access-control-plus stop
    
    Stopping scm-access-control-plus:.                         [  OK  ]
    
    
  4. The process will shut down.

3.3 init.d Management Script

The 'start-up' script for persistent running of Access Control Plus can be found in the /etc/init.d folder. Run the script with the help command to list the available commands:

[root@redhat6 init.d]#  ./scm-access-control-plus help
usage: ./scm-access-control-plus (start|stop|restart|force-reload|status|version)

start         Start Access Control Plus services
stop          Stop Access Control Plus services
restart       Restart Access Control Plus services
force-reload  Restart Access Control Plus services
status        Show the status of Access Control Plus services
version       Show the version of Access Control Plus

Status

Check the running status (with current process ID).

[root@redhat6 init.d]# ./scm-access-control-plus status
Checking scm-access-control-plus:running with PID 29516    [  OK  ]

Version

[root@redhat6 init.d]# ./scm-access-control-plus version
1.0.0-1180

3.4 Password change/recovery

This section explains what to do if an admin loses their password and needs to regain entry to Access Control Plus. Currently the method uses a script that resets Access Control Plus's authentication. If you have set up to use LDAP, this will be disabled, returning access to local users. A new administrator-level local users will be created with credentials that you supply when you run the script.

Disable LDAP/external authentication
In the event that you need to disable LDAP authentication and return your deployment to the default internally managed users, use the following procedure. Your LDAP authorites will not be deleted, only disabled. They can be re-enabled from the Settings screen.

  1. Open a terminal on your node. Navigate to the replicator directory.
    $  cd /opt/wandisco/scm-access-control-plus
    

  2. Run the following command-line utility.
    [root@redhat6 scm-access-control-plus]# java -jar scm-access-control-plus-resetSecurity.jar
    Enter full path to the replicator properties folder: /opt/wandisco/scm-access-control-plus/properties
    Enter your username: temporary
    Enter your new password:************
    Confirm your new password:************
    Enter your first name: Temorary
    Enter your last name: Account
    Enter your email address: admin@theadmin.com
    A new user has been created, in order for this to take effect you will need to restart this node.
    [root@redhat6 scm-access-control-plus]#
    

  3. Respond to each prompt, then when you've entered everything, restart Access Control Plus to add the new users.

  4. Now login using the orginal authentication form:
    Login

Accounts

An Account is a collection of information that tells Access Control Plus which resources the account holder can access and what level of access they should have. Accounts are the fundamental building blocks for Access Control, although the Access Control model actually handles permissions only on a per-team basis, not directly on individual accounts.

3.5 Create an Account

There are three methods for four routes to an account creation. This procedure follows the sequence that follows from clicking the Create User button, on the Accounts pane that appears on the master screen. You can also create an account from within the Create Team procedure. A more common approach is to add accounts by setting up a query to an available LDAP authority, to add accounts using LDAP, see Connect to LDAP.

API
Shortly it will be possible to create accounts using a REST API.

Access to nothing by default All accounts are created with no access to any resources. For an account to gain access to a repository it must first become a member of a team, then that team must have a rule set up that associates repository resources along with permission levels. For more details see the section about Rules

3.6 Edit an existing account

Use the following procedure to make changes to an existing account.

LDAP-based users

Important: When LDAP authority tries to enter in an account that has a username that already exists on the system
When LDAP sync discovers there is already existing account with the same username it will log a warning and not will synchronize this user. The existing username can be local (entered into Access Control Plus directly) or from different LDAP authority. However, if the user exists in LDAP and can authorize against SVN, then it will get in and Authz will apply any rules.

In version 4.2:
As only usernames were used to match users a conflict would not be detected. In this situation users with duplicate usernames would be synchronized.

Solution: If Apache is suitably configured, the local accounts, via the passwd file would get precedence, so it should work OK for local users. However if the username conflict is between two LDAP authorities then we currently still can get the clash.

3.7 Remove an account

Use this procedure to completely remove an account from Access Control Plus. Be aware that it is often better to disable accounts, should the holder need to get their access back in future.

If you need to check the accounts particulars to ensure that you are removing the correct account, go to the accounts details screen, you'll find a Delete button at the bottom. This does the same thing as the remove link on the main management screen.

3.8 Disable an account

Disable accounts remain stored in Access Control Plus, they are, however, unable to login or interactive with any repository resources. A disabled account can be added back at a moments notice by re-enabling them.

Disabled accounts are not counted towards the licensed number of users so it is possible to store users in a disabled state even if you are needing to make room for additional users within the limit of your current license.

Currently this isn't working for me.

Teams

Teams are intended to make organizing account permissions much simpler as they allow you to apply rules en mass, rather than have to detail permissions for each individual account. There are.

3.9 Create a Team

Use this procedure to set up a new Access Control Team. This method follows the method for adding accounts manually, it is also possible to manager your team structure through LDAP, setting up a query that will filter for the specific account holders that you need for a particular team. For more about this see Adding an LDAP-based team

Adding an LDAP-based team

Follow this procedure to create a team that is populated from an LDAP authority.

Global LDAP
In previous versions of Access Control it was possible to import user accounts from LDAP at the global level, before assignment to a team. Access Control Plus doesn't support the global importation from LDAP (except for "Admin" accounts see below) because team membership is a fundamental requirement of Access Control Plus's model, in which all access control is applied at the team level. There is no concept of a free-floating accounts, unless the LDAP Authority is flagged for managing Admin accounts, admin accounts are handled differently, they will be imported from LDAP without needing to be assigned to a team.

Recommended approach for access management
When building your access structure you should think first in terms of teams and the access privileges that they will require - then populate teams directly from LDAP using a suitable query. If you really need that global LDAP team, you can create a team called "global" and add to it all accounts.

Mix and match Once LDAP-based accounts have been added to Access Control Plus, they'll appear within the Accounts pane and can be added to any team. However, it's easier to track and manage LDAP users if they're enabled through their own team, where the team is setup to get its members from an authority, although, so long as you tick the checbox Allow local users you can also add local users to an LDAP-managed team.

3.10 Edit a Team

3.11 Delete a Team

Resources

Resources are the available repository data, they can be in the form of full repositories or small portions of a repositories file tree. It's only possible to add Resources to Access Control Plus when there is at least one account assigned to a team.

3.12 Create a Resource

Use this procedure to create additional resources, when not syncing with WANdisco's MultiSite products. If you are connecting to MultiSite then resources are selected from whatever repositories that are automatically added. See Create a Resource in a MultiSite Environment

Create a Resource in a MultiSite Environment

Use this procedure to create additional resources, if syncing with WANdisco's MultiSite products. If you are connecting to MultiSite then resources are selected from whatever repositories that are automatically added.

Repositories (w/o templates) currently can't be deleted until they are assigned a template.

3.13 Edit a Resource

You can easily edit resources by clicking on the resource's name.

Access Control Plus supports repository resources in various configurations: replicated (managed and replicated through a WANdisco MultiSite product), non-replicated (stored in a MultiSite node and not replicated to other nodes) and in stand-alone mode, "local repositories" which are stored directly on the Access Control Plus server. You can tell the type of a particular resource by checking the text under its title; it will say either "Replicated" or "Non-replicated".

3.14 Remove a Resource

You can remove the resource from the main screen:

Rules

Rules are used to define the parameters for what resources and what permission levels are applied to accounts, strickly through the account's team membership - rules are not applied directly to accounts. Accounts can only have rules applied to them if they are first assigned to a team.

3.15 Using Rule lookup

The Rule lookup tool provides administrators with a means of testing what access and permissions apply to specific accounts. Given that Accounts can belong to multiple teams and have multiple rules applied, the Rule lookup tool can useful tool.

If you have two repositories with the same name (also of the same SCM type) then currently a rule lookup that will display them will currently only show one of the repositories (chosen randomly). We'll address this issue in a future release.

3.16 Create a Rule

Use this procedure to create a new rule

3.17 Edit a Rule

You can edit a rule by clicking on its name on the main screen. This will open up the Rule from where you can modify any of its settings.

3.18 Delete a Rule

You can delete a rule by clicking on it's corresponding check box and then clicking on the - Remove button.
ACP
.

When only DENY rules apply to an account
When troubleshooting user access problems (in deployments that manage htpasswd/sshd files) you may notice that an active account for which only DENY rules currently apply will generate an authentication rather than authorization error on any Git/SVN access attempt. It's as if the account didn't exist or the wrong password was given, instead of not having the appropriate access permissions. This apparent quirk is by design. If an account doesn't have access to any resources at all, we don't bother writing it to the password or sshd rules file. In fact, if the account doesn't have any associated rules then "Deny" rules are applied by default and the account will not be written to the AuthZ file either.

You should note that this does not occur if authentication is delegated to LDAP/AD or any method which does not use passwd/sshd files.

Settings

This section deals with the changing and modifying the application settings.

3.19 Connecting your nodes

If you are deploying multiple Access Control Plus node, you'll need to do the following steps to get the nodes talking to each other correctly.

Nodes that are not the state machine creator will be locked-down until they're inducted
You won't be able to create any objects (accounts, teams, rules etc) on the non-state machine creator nodes until you have completed the following procedure.

3.20 Enable SSL Encryption

Access Control Plus supports the use of Secure Socket Layer encrytion (SSL) for securing network traffic. Currently SSL properties are not exposed through the admin console, instead you need to make edits to Access Control Plus's applications properties file.

/opt/wandisco/scm-access-control-plus/properties/applications.properties
If you plan to use SSL you need to run through the following steps before going into production.

Overview
SSL is enabled for both UI and the underlying Rest API (the administrator's access to HTTP port will automatically redirect to HTTPS) AND for internal communication between nodes on application.port. For this reason the switch over needs to be done on all nodes at once, otherwise those nodes that delayed their switch will no longer be able to talk to those nodes running with SSL.

Using stronger and faster encryption
Java's default SSL implementation is intentionally weak so as to avoid the import regulations associated with stronger forms of encryption. However stronger algorithms are available to install, placing the legal responsibility for compliance with local regulation on the user.

See Oracle's page on the Import limits of Cryptographic Algorithms.

If you need stronger algorithms, I.E., AES which supports 256-bit keys, then you can download JCE Unlimited Strength Jurisdiction Policy Files that can be installed with your JDK/JRE.

See Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7

Important: To follow this procedure you will need to create a keystore and a truststore.

You might be familiar with the Public-key system that allows two parties to use encryption to keep their communication with each other private (incomprehensible to an intercepting third-party). The keystore is used to store the public and private keys that are used in this system. However, in isolation, the system remains susceptible to the hijacking of the public key file, where an end user may receive a fake public key and be unaware that it will enable communication with an impostor. Enter Certificate Authorities (CAs). These trusted third parties issue digital certificates that verify that a given public key matches with the expected owner. These digital certificates are kept in the truststore (Which is really just another keystore file, but for certificates instead of keys. An SSL implementation that uses both keystore and truststore files offers a more secure SSL solution.

SSLv3 Support SSLv3 is support (though not enforced). If your browser setting has SSLv3 disabled, you will get a handshake error message. If it has both SSLv3 and TLS enabled, then, depending on the browser, it will try to switch from TLS to SSLv3 during the handshake. If you receive a handshake error message in your browser, make sure that TLS is disabled and only SSLv3 is enabled. All current browsers support SSLv3.

Setting the server key

In the keystore, the server certificate is associate with a key. By default, we look for a key named server to validate the certificate. If you use a key for the server with a different name, enter this in the SSL settings.

Export the certificate

Next we need to export the certificate so that it can be added to the tuststore as the trusted certificate. Again, using Java' trusty Keytool.

keytool -export -alias server -file <Cert-Name>.cert -keystore wandisco.ks
Enter keystore password:  
Certificate stored in file <Cert-Name>.cert

Create a Truststore

Use this short procedure for creating a new Truststore:

  1. For each certificate (CA) that you trust, run the following command
    keytool -import -file C:\cascerts\<Cert-Name>.cert -alias <Cert-Name-Alias> -keystore myTrustStore
    The first command creates a keystore file named myTrustStore in the current working directory and imports the first certificate into the truststore with an alias of <Cert-Name-Alias>. The format of myTrustStore is JKS. Each additional run of the command adds additional certificates to the TrustStore. Once completed, myTrustStore is available to be used as the truststore.

SSL Troubleshooting

A complete debug of the SSL logging will be required to diagnose the problems. To capture the debugging, run the java process with:

'-Djavax.net.debug=all' flag.

To enable the logging of SSL implemented layer, turn the logging to FINEST for 'com.wandisco.platform.net' package.

3.21 Node Repair

The Node Repair tool is used to recover from the loss of one or more nodes. Once replication is set up.

Important: The Node Repair tool provides an effective method of returning a failed node back into production. However, its misuse can worsen the situation. Until we place blocks against potentially destructive actions we strongly recommend that you don't use the Repair Tool unless under direct instruction from WANdisco's support team.

3.22 Connect to MultiSite

In this section we connect Access Control Plus to an existing Git or SVN MultiSite setup.

Return to the Getting Set up

3.23 Connect to LDAP

This section explains how to configure Access Control Plus to query one or more LDAP authorities in order to pull in accounts for your Git or Subversion users.

LDAP Settings

The settings tell Access Control Plus how to use any available LDAP Authorities that you connect up.

Synchronisation Period (minutes)
Access Control Plus will rerun your LDAP queries with this frequency, picking up any changes that may have occurred within the LDAP service.

TIP
Don't set the period to 0. You shouldn't need to constantly hit your LDAP authority.

IMPORTANT
If you perform an import from an earlier version of Access Control you must ensure that Access Control Plus does not poll the LDAP authorities during the process. You can do this by setting the Synchronisation Period to 999 (minutes) - Just for the duration of the import

Allow Local Users (checkbox)
Ticked by default. When ticked it is possible to field both LDAP-controlled and manually entered Accounts. Some organizations don't permit manually entered accounts, they need to be sure that all accounts are managed through their LDAP. If this is the case, untick the check box once you're LDAP accounts have been successfully imported.

TIP Should you be running with Local Users disabled and your LDAP service fails, you can re-enable local users as part of the account password recovery process. This process will automatically re-enable local users, allowing you to gain access to the admin console.

Entering LDAP Authority details

This is the entry form for adding any number of LDAP Authorities. Multiple Authorities are checked in the order that matches their order number (see below). The lower the order number, the earlier the authority is checked.

Connect
Order:
The priority given to the LDAP URL. e.g. A Location Order of 1 means that Access Control will look within that defined authority for a user first. If unsuccessful then Access Control will then check the authority with the next order number (e.g. 2).
Regular Expression:
Enter a regular expression to set a pattern for matching against available LDAP authorities. The expression, is applied locally to limit unnecessary queries against available LDAP authorities. For instance, setting an expression that specifies a top-level domain can ensure that authentication of a user (whose username is their email address) doesn't need to run through all LDAP authorities, but instead can be checked only against those servers that match the the regular expression - in this case, the same top-level domain.

URL: the URL for the LDAP authority, using the format ldap(s)://hostport/basedn?attribute
Bind User DN:
(Optional)
Bind Password:
(Optional)
First Name Attribute:
(Optional)
Last Name Attribute:
(Optional)
Email Address Attribute:
(Optional)
Public Key Attribute:
(Optional) Used with the LDAP service is encrypted, requiring Access Control Plus to be setup with an SSH key pair. As with any public key entry, make sure that no line breaks are introduced to the key, it should be one long string, no breaks.
Case Insensitive Usernames?
Tick this checkbox if you need MultiSite to stop distinguishing between usernames that differ only by their case pattern.
For example, with the "Case Insensitive Usernames?" unticked (it is by default), MultiSite will treat username "MelissaJones" and username "melissajones" as two distinct users. Support for username case insensitivity is a feature that may be required when Active Directory
System Administrator Group?:
Tick this checkbox if the authority will return users who are System Administrators (able to access the MultiSite admin console).

We strongly recommend that you guard against the adding of LDAP-based accounts that use the same account name. Currently there's no guard against having two accounts with the same name - as accounts can be distributed accross any number of authorities. In the event that you attempt to add two accounts that use the same account name, their addition will fail and an error message will appear in the logs that warns you of an "Incorrect result size: expected 1, actual 2".

3.24 Email Notification

The mail notification system lets you connect Access Control Plus to an email gateway server, which enables it to send alert email concerning important system events. It's possible to add as many email gateways as you like, so that the loss of a single mail server need to result in the halting of notifications.

The following procedure shows you have to set up an email gateway.

Notifiable events

The following events currently trigger notifications (when suitably configured)

3.25 Create a Repository Template

In Access Control Plus's backend, there's a mechanism or managing and replicating the core password and or authz files. This mechanism needs a template creating which will contain the path location for these files, as well as a number of optional parameters. Once setup, Repositories that are added to Access Control can be assigned the template, telling Access Control Plus how to handle the repository's necessary files.

Follow this procedure for adding a Repository Template:

3.26 Enable/Disable Batch updates

Follow this procedure to enable Batch mode. Make sure you understand what it does and how it works before you do though.

Batch updates is a mechanism that can improve performance in large deployments that field large numbers of accounts holders, accross a number of nodes. There's a section in the Reference Guide that explains more about Batch Updates Mode.

See Access Control Updates for more details.

3.2.7 Example Configuration

Per-repository Authz via SVNServe and SSH

The following details map out an example setup that sets up authorization using Authz on a per-repository basis, running on SVNServe with SSH encryption. This is only intended as an illustration, so you shouldn't follow it as an actual set up procedure.

Repository Template

Access Control Plus Login

The setting set the target location of the authz file and the common path segment of the SVN repositories:

Target Location:
%/conf/authz
Common Repository Path Segment:
/opt/svn/

svnserve.conf

svnserve.conf controls the behavior of the svnserve daemon on a per-repository basis. It is located in the conf subdirectory of the repository, e.g. /opt/svn/repo/conf/svnserve.conf.

[general]
anon-access = none 
auth-access = write
authz-db = authz
[sasl]    
anon-access
Determines the access level for unauthenticated users. "write" allows all repository operations. "read" allows all operations except committing and changing revision properties. "none" allows no unauthenticated access. The default level is "read".
auth-access
Determines the access level for authenticated users, using the same access levels as above. The default level is "write".
authz-db
The authz-db option controls the location of the authorization rules for path-based access control. filename may be relative to the repository conf directory. There is no default value. If you don't specify an authz-db, no path-based access control will be set.

Server-side

The following configuration is required on the server:

Client-side

The following configuration is required for clients:

Access Control Plus Admin Console settings

An Authz file should be generated, here:

/opt/svn/repo/conf/authz
It should look like this: Example (Team: team1, Account Name: user1, Resource: repo0, Perms: RW)
# Generated by Access Control Plus, WANdisco.
# ACP Node Name            : node1
# ACP Node Hostname        : 172.16.6.55
# Generation Audit number  : abab31d2-a266-426b-a578-336b58419130
# Generation Serial number : 187
# Template Id              : 97e47269-4b20-40e8-b1a0-fa052d74ecb9
# Template Name            : svn
# Template Description     : svn
# Assignment Type          : svn-authz
# Assignment Id            : 1de6a9c6-c8ec-4eaa-9391-0a7cd55f8ab3
# Assignment Modified at   : 2014-05-27 23:32:16.346


[groups]
virtual_team_team1_rule_rule1_88b17a89-157b-48ab-a9dd-364912f20b25 = user1

[/]
* = 

[repo:/]
@virtual_team_team1_rule_rule1_88b17a89-157b-48ab-a9dd-364912f20b25 = rw	

Client-side access

Access the repository using:

svn co svn+ssh://wandisco@<ip address>/repo

3.27 Troubleshooting

Problem: replication runs very slowly while server load and traffic are both light.

Solution:
It's possible that pending tasks are currently stuck and are therefore holding up further replication. To test if this is what is happening
  1. Go to Settings/Node Induction
  2. Check for any pending tasks
  3. If you find that there are pending tasks then you should consider aborting them.
  4. Recheck replication to see if things improve (it can take a few mins for backlogs to clear).

Problem: Induction never completes (blocked CD port)

Use this work-around for unblocking a deployment which is stuck in an induction This can occur should a second induction be triggered while an induction is still being progressed.

    Repair

  1. Make sure the CD port is not blocked. Full duplex access is required between all nodes. By default the content delivery port is 6445 unless a different port was specified. You can confirm allocation of the port by checking the content.server.port entry in /opt/wandisco/scm-access-control-plus/properties/application.properties.
  2. Shut down the replicators at all nodes.
    service scm-access-control-plus stop
  3. Delete the contents of the database directory from all nodes.
    /opt/wandisco/scm-access-control-plus/database/
  4. Restart the replicator on all nodes.
    service scm-access-control-plus start
  5. Induction

  6. On your first node complete the induction form using the details of your second node. You must not refresh the page or make any other changes while the induction is in progress.
  7. You can verify the induction completed succesfully by making a call using the REST API
     http://IP:PORT/dcone/tasks/pending
    and make sure there are no tasks present.
  8. If tasks remain then you'll need to wait while they complete before you log in to the Access Control Plus UI on your second node. If you are unable to log in then induction is still in progress!
  9. Additional nodes

    Once the induction of the second node is confirmed as complete, you can repeat the procedure for the third node, running through the procedure for each additional node, one at a time.