
WANDISCO ACCESS CONTROL PLUS®
USER GUIDE

Release notes support the installation of the latest product version. They describe:

For additional information go to:

1. Latest release details

Version: 1.9.2.3 Build 37
Release: 19th January 2018

1.1. New

  • ACP-2388, ACP-2930 - The scm-access-control-plus-manageLoggerUser.jar can now support SSL communication.

  • ACP-2409 - It is now possible to add resources from different resources pages to a team at one time.

  • ACP-2432 - It is now possible to choose the location to place the ACP "talkback" log files.

  • ACP-2450 - Wildcards for Git branch-paths and tags are now supported.

  • ACP-2558 - SSL configuration during installation is now fully supported.

  • ACP-2762 - It is now possible to change the ACP logging levels immediately via a REST endpoint.

  • ACP-2928 - ACP’s installer can now be requested to print out the environment variables necessary for non-interactive installs - see the Non-interactive Installation section in the User Guide.

  • ACP-2929, ACP-3057 - Flume receiver now supports encrypted passwords for keystore and truststore - see the Audit Accounts section in the User Guide.

  • ACP-2956 - ACP will no longer allow 2 refinements with the same path where one is tagged as wildcard and the other is not. This is to prevent AuthZ file parsing failure when SVN 1.10 becomes supported.

  • ACP-3001 - Flume SSL passwords can now be stored encrypted in configuration files.

  • ACP-3003 - ACP now uses the G1 Java Garbage collector for improved behavior.

  • ACP-3004 - ACP now logs Java Garbage Collection activity.

  • ACP-3042 - The logger account can now be defined with LDAP credentials.

  • ACP-3047 - There is a new ACP property (acp.ldap.use.bindonly.auth=true) to enable customers who are using AD Proxy objects to authenticate. Please contact WANdisco support for details if you think you need this.

1.2. Fixed

  • ACP-2235 - LDAP authorities are sorted by "order". No other sorting is permitted.

  • ACP-2658 - The default wildcard for Account Access Audit processing is now more robust.

  • ACP-2698 - The full LDAP query string is now visible when editing a team.

  • ACP-2716 - Failure message when trying to add an Audit Account to a team is clearer and no longer displays UUIDs.

  • ACP-2769 - Removal of refinements now properly removes all entries selected for removal.

  • ACP-2824 - It is no longer possible to change resource permissions in "read only" mode.

  • ACP-2846 - Disabled local accounts are no longer re-enabled by restarting ACP.

  • ACP-2876 - The feedback is now improved if the SSL certificate does not match the server.

  • ACP-2878 - The error message is now improved when trying to add a disallowed account type to a team.

  • ACP-2879, ACP-2931 - ACP will now panic after logging the error if the configured SSL truststore is not valid.

  • ACP-2887 - The recovery of communication between nodes in certain circumstances is now much quicker.

  • ACP-2908 - Rule Lookup now clears the resource refinement when swapping back to no path.

  • ACP-2921 - ACP will now properly stop all communication with a removed ACP node.

  • ACP-2947 - A cause of replica divergence during LDAP polling was eliminated.

  • ACP-2998, ACP-3013 - ACP will no longer leak memory during proposal negotiations.

  • ACP-3006 - If the ACP property ldap.polling.skip.disabled.accounts=true then LDAP accounts disabled in ACP will no longer be included in the LDAP update checking.

  • ACP-3032, ACP-3043 - ACP installer will now properly check the correct port for usage.

1.3. Known Issues

  • ACP-2450 - If using ACP with Git, with wildcards enabled, do not uncheck the Wildcard Checkbox while creating refinements for Git.

  • ACP-2966 - Updating the GitMS or MSP administrative account credentials in ACP may fail. You should tail the ACP log file (acp.log) and verify that when authorization files are generated manually the delivery succeeds. If delivery fails, retry changing the credentials. This is a race condition which will be fixed in the next release of the product.

  • ACP-3020 - Fixed a bug that would cause an upgrade failure if ACP had been originally installed on very early ACP versions. However, when upgrading from ACP 1.9.0 or 1.9.1 to ACP 1.9.2 (or above) you must verify that the application.properties file contains a setting and value for node.name. If this value is not set the upgrade will fail. The value must match what is displayed in the UI Settings page. See the upgrade guide for more information.

  • ACP-3075 - When using the scm-access-control-plus-manageLoggerUser.jar, ensure admin account credentials are entered correctly. If incorrect details are given the tool will fail and create a traceback. This bug will be fixed in a future ACP release.

  • ACP-3114 - When performing an upgrade the /opt/wandisco/scm-access-control-plus/properties/log4j.properties file is overwritten. If you have made any changes to this file which you want to keep then you must make a copy of this file before doing the upgrade. This bug will be fixed in the next release of the product.

  • ACP-2882 - Induction details should never be changed once induction has been started. In order to make a change, first, stop the ongoing induction. You can then restart the induction with any necessary changes.

  • ACP-2860 - Currently, Generation Number resets should only be actioned from the managing node.
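The pre-upgrade steps described in ACP-3020 and ACP-3114 above can be scripted. The following is an added example, not WANdisco code: the function names are hypothetical, and the location of application.properties is passed as an argument because these notes do not give it.

```shell
#!/bin/sh
# Added example (not WANdisco code): pre-upgrade checks for ACP-3020 and ACP-3114.

# Print the effective node.name value from a Java .properties file.
# Returns 1 if the key is absent or empty, 2 if the file is unreadable.
acp_node_name() {
    [ -r "$1" ] || return 2
    # Drop comment lines, keep node.name values written as key=value or
    # key:value (the last one wins), then trim trailing whitespace and CRs.
    nn_value=$(sed -n -e '/^[[:space:]]*[#!]/d' \
        -e 's/^[[:space:]]*node\.name[[:space:]]*[=:][[:space:]]*//p' "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//')
    [ -n "$nn_value" ] || return 1
    printf '%s\n' "$nn_value"
}

# Copy log4j.properties into a backup directory and verify the copy byte for byte.
# Prints the backup path; returns 2 if the source is missing, 1 if the copy fails.
acp_backup_log4j() {
    [ -f "$1" ] || return 2
    bk_path="$2/log4j.properties.pre-upgrade.$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$bk_path" || return 1
    cmp -s "$1" "$bk_path" || return 1
    printf '%s\n' "$bk_path"
}

# Run both checks; a non-zero status means the upgrade should not start yet.
acp_preupgrade_check() {
    if ! pc_name=$(acp_node_name "$1"); then
        echo "node.name missing or empty in $1: the upgrade will fail" >&2
        return 1
    fi
    echo "node.name=$pc_name (must match the UI Settings page)"
    if ! pc_backup=$(acp_backup_log4j "$2" "$3"); then
        echo "could not back up $2" >&2
        return 1
    fi
    echo "log4j.properties saved to $pc_backup"
}

# Demo on constructed files in a scratch directory (not a real ACP install).
demo_dir=$(mktemp -d)
printf '# constructed sample\nnode.name = acp-node-1 \n' > "$demo_dir/application.properties"
printf 'log4j.rootLogger=INFO\n' > "$demo_dir/log4j.properties"
acp_preupgrade_check "$demo_dir/application.properties" "$demo_dir/log4j.properties" "$demo_dir"
```

On a real node the second argument would be /opt/wandisco/scm-access-control-plus/properties/log4j.properties, and the backup directory should sit outside the installation tree so the upgrade cannot touch it.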

1.4. Software versions required or supported

The tested versions are listed below; we support these and higher patch levels:

  • RHEL 6.6

    • Red Hat 6 requires the RHEL Server Optional repository to be enabled in Red Hat Network.

  • CentOS 6.6

    • See Red Hat note above.

  • RHEL 7.1

  • CentOS 7.1

  • SUSE 11.3

    • Contact WANdisco Support for more information about running on this platform.

  • JDK 7

    • JDK 8 is only tested with CentOS currently but is supported on all platforms.

We don’t support ACP on 32-bit architecture because this would impose serious limits on scalability. You must deploy on a 64-bit OS.

Browser compatibility:

The following browsers are used in testing:

  • Firefox 55 or later

  • Google Chrome 60 or later

The latest versions of these browsers can also be used:

  • Internet Explorer

  • Safari

  • Opera

Browser caching problem in Access Control browser-based UI.

If a UI change doesn’t appear to have worked as expected, try clearing the browser cache by holding down the Shift key while clicking on the browser refresh icon.

Notable exception: Don’t do this if you are part way through entering system changes as a refresh will remove any changes that have not been successfully updated.

2. Previous ACP 1.9 releases

2.1. Release details

Version: 1.9.1.2 Build 29
Release: 30 May 2017

In addition to the notes below for ACP 1.9.0 the ACP 1.9.1 product release has the following:

2.1.1. Fixed

  • ACP-2938 - ACP will only poll LDAP information from a single node per LDAP Authority.

  • ACP-2988 - ACP will no longer attempt to upload Account Information to GitMS/MSP every 5 seconds under rare conditions.

2.1.2. Known Issues

  • ACP-2896 - On the Connect to MultiSite settings page, if you try to set the GitMS or MSP Managing Node to "None", a warning will be generated but it will not actually have saved the setting.
    Instead, the REST API can be used to set the Managing Node to none. To do this use the following curl commands:

    # Set the Managing Node for MSP to "None":
    curl -u admin:admin --header "Content-Type: application/json;charset=UTF-8" \
                        --data '{"property":[{"key":"acp.int.msp.managing_node","value":""}]}' \
                        -X PUT http://192.168.56.201:8083/api/settings/replicated
    # Set the Managing Node for GitMS to "None":
    curl -u admin:admin --header "Content-Type: application/json;charset=UTF-8" \
                        --data '{"property":[{"key":"acp.int.gitms.managing_node","value":""}]}' \
                        -X PUT http://192.168.56.201:8083/api/settings/replicated

  • ACP-2987 - ACP will attempt to deliver Auth files to GitMS/MSP inappropriately under rare conditions.

  • ACP-2988 - As of ACP 1.9.1, setting the update frequency to less than 30 seconds will effectively have a value of 30 seconds due to other properties. In general, this value should be a minimum of 300 seconds in a production environment.

2.2. Release details

Version: 1.9.0.16 Build 26
Release: 16 November 2016

2.2.1. New

  • ACP-2528 - RHEL/CentOS 7 is now supported by ACP 1.9.0.

  • ACP-2654 - ACP can now be run using JRE/JDK 8.

  • ACP-62 - Administrative accounts polled via the Administrative Group will now be updated when their LDAP attributes change.

  • ACP-2551 - ACP now ships with Apache Collections 3.2.1 with its critical security fix.

  • ACP-467/ACP-468/ACP-479 - ACP now supports multiple SSH public keys per account. Multiples can be polled from LDAP and multiples can be set locally. Local SSH public keys can have aliases to make them easier to manage. See Adding Public SSH keys in the User Guide.

  • ACP-1536 - Disabled accounts are now visually distinct from non-disabled accounts in the ACP UI.

  • ACP-2272/ACP-2624 - Generated AuthZ file headers have improved readability.

  • ACP-2313 - Search facility now capable of including repository tag in search.

  • ACP-2338 - LDAP Accounts are now visually distinct from local accounts in the ACP UI. See Accounts.

  • ACP-2342 - Resource sorting now includes refinements as part of the sort.

  • ACP-2536 - It is now possible to remove the "Associated LDAP query" from a team. The team’s membership must then be manually administrated.

  • ACP-2670 - Searching for resources is now easier to understand.

  • ACP-2702 - Better AuthZ file push management to GitMS and MSP.

2.2.2. Fixed

  • ACP-621 - Accounts that are manually created from LDAP will now be updated when their LDAP attributes change.

  • ACP-1493 - SSH keys associated with LDAP Accounts will now be updated when they change in LDAP.

  • ACP-1823 - ACP’s logging now matches with companion GitMS/SVN MultiSite Plus products.

  • ACP-1940 - Audit Accounts are now stripped from all Teams upon upgrade (see restrictions for Audit Accounts).

  • ACP-2278 - ACP node names can now be re-used after a node-removal.

  • ACP-2359 - Can now change the IP address of multiple ACP nodes at the same time. Requires use of utility jar. See More information.

  • ACP-2378/ACP-2525 - LDAP Accounts are updated when their LDAP attributes change even if not a member of a Team associated with an LDAP query.

  • ACP-2399 - A team leader can now set an account to be a sub-team leader.

  • ACP-2403 - LDAP Authority passwords stored in ACP backups are now encrypted.

  • ACP-2404 - All plaintext LDAP Authority passwords are now encrypted as part of backup.

  • ACP-2406 - Email passwords are now encrypted in ACP backups.

  • ACP-2427 - ACP installer no longer depends on "rsync".

  • ACP-2437 - ACP upgrade from 1.5.1.1 now properly records FLUME_MAX_MEMORY in main.conf file.

  • ACP-2463 - Java NPE fixed on LDAP poll.

  • ACP-2464 - Performance tuning on LDAP poll.

  • ACP-2469 - Fixed API documentation for adding accounts.

  • ACP-2471 - The XML for the ACP REST API now eliminates duplicate global components.

  • ACP-2505 - Better handling of the Pending area of the Batch Updates Settings page.

  • ACP-2519 - We have enabled the account that ACP is installed as to use the "service" command to start and stop ACP properly.

  • ACP-2523 - Wildcard refinements are now honored during searches.

  • ACP-2526 - ACP nodes that have been sidelined will now have that state shown on the Setting page. Please contact WANdisco support should you find one of your ACP nodes has been sidelined.

  • ACP-2632 - When the managing node on the "Connect to MultiSite" Settings page is set to "None" then a warning is provided that polling is now off.

  • ACP-2533 - ACP log files are now properly rotated. The log files have been renamed from "scm-access-control.log.<dateStamp>" to "acp.log" when active and, when rotated, to "acp.log.<dateStamp>".

  • ACP-2547/ACP-2713 - ACP licensing now only counts accounts that are members of teams as requiring licenses. LDAP accounts that are no longer members of teams (e.g. they are no longer polled into a team via a query) will no longer be automatically disabled.

  • ACP-2570 - GFR now properly validates “svnserve” location.

  • ACP-2573 - Inappropriate "Priority Conflicts" have been eliminated.

  • ACP-2678 - It is no longer possible to create an LDAP account without associating it with an LDAP authority.

  • ACP-2579 - Git rules are now properly formatted and displayed when mixed with Subversion rules.

  • ACP-2605 - Fixed a PANIC due to a missing task.

  • ACP-2607 - ACP now properly counts applicable rules when "Apply Rule to all current and future team members." is selected.

  • ACP-2613 - GFR now properly rotates its logs. If you have been rotating these logs using some other mechanism then you should stop.

  • ACP-2619 - Negative priorities are now properly displayed in the UI.

  • ACP-2628 - ACP now generates the proper ordering of "*" and "" sections in the Subversion AuthZ file.

  • ACP-2629 - ACP will no longer poll GitMS or MSP if the corresponding Hostname/IP Address has not been filled in.

  • ACP-2685/ACP-2706 - One possible cause for inappropriate marking of "Repository is Removed" has been eliminated. Final fix will be in MSP 1.6.5 and MSP 1.9.3 due out later this fall.

  • ACP-2690 - ACP will no longer hang if a log file was removed prematurely.

  • ACP-2739 - New REST API to enable modification of the associated LDAP authority to a non-local account.

  • ACP-2744 - Fixed API doc’s resource element description.

  • ACP-2753 - Team Leader can now set permissions for Sub-Team Team Leader.

2.2.3. Known Issues

  • ACP-2885 - Currently it’s possible, in very rare circumstances, to receive an incorrect error notification after creating a new team rule. The error appears to present a permission ID conflict, e.g.:

    resource permission must be unique, a resource permission with a value of [539f282d-a732-44ff-8755-4731bfc189fc] for [ownerRule], [ae4a097f-5f19-457c-84e1-2826eb94a6bb] for [ownerResource] and [] for [path] already exists

    To be clear, the rule is created successfully.

  • ACP-2903 - There is a known issue for Team Leaders: with sufficient permissions it may look like they can add SSH public keys for team members other than themselves. They cannot; any attempt will silently fail. Also, if they want to modify their own SSH public keys they need to use the "self-service" page. Otherwise, again, the addition silently fails.

  • ACP-2911 - There is a quirk in the ACP UI where a rule priority conflict warning, which would appear on the top menu bar, will not clear if all rules are removed. In production this is unlikely to appear, given that you can’t run without rules.

  • ACP-2888 - See changes to the REST API

2.2.4. Software versions required or supported

The tested versions are listed below; we support these and higher patch levels:

  • RHEL 6.6

    • Red Hat 6 requires the RHEL Server Optional repository to be enabled in Red Hat Network.

  • CentOS 6.6

    • See Red Hat note above.

  • RHEL 7.1

  • CentOS 7.1

  • SUSE 11.3

    • Contact WANdisco Support for more information about running on this platform.

  • JDK 7

    • JDK 8 is only tested with CentOS currently but is supported on all platforms.

We don’t support ACP on 32-bit architecture because this would impose serious limits on scalability. You must deploy on a 64-bit OS.

Browser compatibility:

The following browsers are used in testing:

  • Firefox 36 or later

  • Google Chrome 56 or later

The latest versions of these browsers can also be used:

  • Internet Explorer

  • Safari

  • Opera

3. Earlier product versions

For Release Notes and documentation for earlier versions of Access Control Plus, see Access Control Plus 1.7 Release Notes.