Planning support for ACL authorization of VOBs and VOB objects
Create a plan to add support for ACL authorization of VOBs and VOB objects. Adding support requires installing DevOps Code ClearCase® on client hosts, enabling ACL authorization support, and setting up ACL rules.
- Install server and client software
- DevOps Code ClearCase client software must be at
version 8.0.1 or later to support
ACL-enabled VOBs. ClearCase VOBs must be at
schema 80, feature level 8 or higher. VOBs created with
ClearCase version
8.0.1 are at schema 80, feature level 8 with ACLs enabled by default. A VOB upgraded from a previous ClearCase version must meet these requirements to support ACL authentication of VOB objects.
- VOB format must be schema 80
- VOB feature level must be feature level 8
- ACLs must be explicitly enabled on the VOB
You can upgrade VOB servers to support ACLs in phases because VOBs at schema 80, feature level 8 remain compatible with ClearCase version 7.1.2 and 8.0 clients until ACL enforcement is active. For each VOB that requires upgrade, the first step is to upgrade the server software to version 8.0.1. After upgrading the software, you can complete the remaining configuration tasks to upgrade the schema version, raise the feature level, and complete configuration tasks to enable ACLs.
In parallel with this work, upgrade full-client desktops and shared multi-user systems to ClearCase 8.0.1 or later. You can phase the clients into production without waiting for the server upgrade to version 8.0.1. This phased approach means that all clients are updated to version 8.0.1 and available when you are ready to enable ACL rules on the VOB server.
In the later stages of a phased upgrade to enable ACLs, the ClearCase deployment has mixed client and server versions with some servers and clients at version 7.1.2 or 8.0, and others at version 8.0.1. In this environment, you might experience lower overall performance (throughput and latency) than typical of a ClearCase environment with all servers and clients on the same version.
- Upgrade VOB schema version
- Decide whether to reformat each VOB on the newly installed ClearCase version 8.0.1 server.
- If you upgrade from version 7.1.x, the VOBs are at schema 54.
- If you are upgrading from 8.0, VOBs can be at schema 54 or schema 80.
- VOBs originating at ClearCase version 7.1.x are at schema 54.
- VOBs originating at ClearCase version 8.0 can be at schema 54 or schema 80.
After you upgrade the ClearCase server software, you can leave VOBs at schema 54 and immediately use them in production. However, you cannot define or enable ACLs until you upgrade to schema 80 by using the reformatvob cleartool command. You must reformat each VOB and each replica in a MultiSite replication VOB. The VOB is out of service during the reformat operation, but other VOBs on the same server host are available to users.
- Raise the feature level
- After a VOB database is formatted with schema 80, you can
raise the VOB feature level to feature level 8. Replicated VOBs must raise the feature level on
each replica, and then raise the family feature level. Note: The first time that you raise the VOB family feature level above 7, run the chflevel command at a preserving replica in the VOB family to avoid divergence in the predefined ACL objects and the required repair process.
After the family feature level is raised to feature level 8, you can define ACL rules, but the ACL rules are not enforced until you run the protectvob cleartool command. This architecture allows administrators to customize the default ACL rolemap and policy before you enable ACL enforcement. See ACL enforcement and enablement for VOBs and VOB objects.
If you do not want to use ACLs, you can raise the VOB feature level to feature level 7, which is the minimum feature level that can be used with ClearCase version 8.x. At feature level 7, you can use ClearCase features like evil twin detection that were introduced in version 8.0.
- Decide which clients to allow
-
After your VOB is at feature level 8 with ACLs disabled, you can specify a minimum client feature level setting for the VOB for added security. For example, you can prevent version 8.0 and earlier clients from accessing the VOB by changing the minimum client feature level to feature level 7. You can allow ClearCase clients on version 8.0 or earlier to use the VOB server by setting the minimum client feature level to allow older clients. See Operating in mixed version environments.
If you have no plans to use ACL authorization on the VOB, run this command to verify that the ACL enforcement is set to none:
cleartool describe vob: <vob-tag>
. - Create new ACLs
After you raise the VOB feature level, all ACL-controlled objects in the VOB are controlled by a single default rolemap and its default policy. You can use ACLs to protect the VOB object, policies, rolemaps, and elements.
To provide the same protection for all VOB elements, modify the default rolemap and policy to customize ACL rules for element access without changing the protections for individual elements.
If you prefer to have different access controls to some subset of elements in the VOB, define new policies and rolemaps. After you create new rolemaps, use this command to restore protection on existing elements by using your new rolemap: cleartool protect -chrolemap.
You administer policies and rolemaps by using cleartool policy and rolemap commands or from the ClearTeam Explorer client.
For more information, see these resources:- Full deployment
- After you configure ACL rules and verify that VOB access protections are configured correctly, enable ACL use for all ClearCase version 8.0.1 or later clients. Set the ACL enforcement level for the VOB to feature level 8. As soon as you enable ACL enforcement, ClearCase clients on earlier versions no longer have access to the VOB.