View full version: About ClearCase permissions on Windows

懂你 2006-12-6 20:27

About ClearCase permissions on Windows

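I've seen that many people have questions about permission control for CC on Windows, so I'm reposting an official, detailed explanation of this issue. Also: whoever translates this article will be awarded 30 points.

Original article: [url]http://www-1.ibm.com/support/docview.wss?uid=swg21143292[/url]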

[b]Problem [/b]
This technote outlines what the recommended permissions and access requirements are for IBM® Rational® ClearCase® users and groups in a Microsoft® Windows® environment.  
  
[b]Cause [/b]
There are required Windows permissions for various directories (VOBs, views, shares, and install) to enable ClearCase to function properly and without error. Some ClearCase operations will generate access and permission denied errors if certain directories have the wrong permissions.
Note: ClearCase does not have a built-in authentication mechanism, and makes use of the security and access controls provided by the Windows operating system.

  
[b]Solution [/b]

Important Advisory

This information is intended for use by the ClearCase Administrator (or systems administrator), who is responsible for configuring the ClearCase environment.

To set up protections for ClearCase, we recommend that you first read and understand the details covered in the IBM Rational ClearCase Administrator's Guide. If you do not have a hard copy, the document is available in soft copy, cc_admin.pdf, on any host with ClearCase installed, and is located by default in C:\Program Files\Rational\ClearCase\doc\books.

The goal of this technote is to supplement the IBM Rational ClearCase Administrator's Guide by providing considerations and guidelines to assist with managing the protections in a ClearCase environment. Due to the broad variances of protections that can be implemented to address the security needs in different environments, this technote cannot provide specifics that will be true for all cases.

[b]Non-ClearCase vs ClearCase Protections[/b]

It is important to understand that protections for non-ClearCase objects, such as shares used as storage locations or the install directory, are managed using operating system commands, while protections of ClearCase objects (VOBs, views, elements, and versions) are managed using ClearCase utilities and commands.

In short, non-ClearCase objects are directories (or folders) that are created using operating system functions, whereas ClearCase objects are created using ClearCase functions or have been added to source control.

For information on the ClearCase utilities and commands used for changing VOB and view storage protections, see the IBM Rational ClearCase Administrator's Guide and the IBM Rational ClearCase Command Reference.

There is a group designated during the setup and installation of ClearCase referred to as the ClearCase privileged group. By default, this group is called clearcase. Some defining characteristics of the clearcase (or privileged group) are:
[list]
[*]The account under whose identity the Atria Location Broker Daemon (ALBD) runs has to be a member of this group, such as clearcase_albd.
[*]This group has Full Control of the view and VOB storage directories.
[*]Members of this group are considered ClearCase Administrators.
[/list]

[b]Windows Permissions for ClearCase[/b]

Note: These permissions are applicable for NTFS (New Technology File System) used by the Windows operating system.
VOB and View Server Storage Directories. By default, they end with .vbs or .vws respectively.
clearcase group - Full Control
VOB Primary Group - Read, Write, Execute
Additional groups on VOBs group list - Read, Write, Execute

Note: If permissions on the VOB or view storage directories (.vbs or .vws) are manually modified from the operating system level, ClearCase may not recognize the access control list (ACL) format of those permissions and you will need to run fix_prot on the VOB or view storage directory. Review technote 1142606 for directions on running fix_prot. Also, see the VOB and View Administration sections in the IBM Rational ClearCase Administrator's Guide.


VOB and View Server Storage Locations (or Shares). By default, ccstg_<drive>, for example, ccstg_c.

clearcase group - Full Control
VOB Primary Group - Read, Write, Execute
Additional groups on VOBs list - Read, Write, Execute

Note: See technote 1147041 for more details on server storage locations.


ClearCase Home directory and all subdirectories
clearcase group - Full Control
ClearCase Home = C:\Program Files\Rational\ClearCase

Notes:
Even though a directory or share may have permissions set to Everyone - Full Control, it has been found that it may still be necessary to include clearcase group with Full Control.


If setting the above permissions does not fix the problem, add the DOMAIN\clearcase_albd account to the local computer's Administrators group. Local administrators have full access and rights throughout the file system on the host.


It can take several minutes for changes to NTFS permissions to replicate to all logon servers. If after rebooting the problem still persists, wait 15-60 minutes and try your action again.

[b]Recommendation [/b]
The easiest way to control access to the VOB and view storage directories is to use share access controls, and leave the underlying NTFS directories as "Everyone: Full Control".

The share permission levels and the ClearCase functions they permit are:

Full Control -
This level of permission is needed to create VOBs and Views.
This level is needed because the CLIENT cleartool process creates and protects the VOB/View database. Changing the ACL on a file in a share requires "Full Control" access through that share.



Change -
This is the minimum share permission level (read and write) to use, but not create, a clearcase VOB or view.
This is needed because a number of clearcase commands will be directly modifying files in VOB storage pools, and filesystem commands may be indirectly modifying files in a view's pools.


Taking the above into account, a locked down VOB storage share will look something like this:
"ClearCase Server Process Group" (ClearCase administrators group or just the ClearCase group): Full control.


Other users/groups with permission to create VOBs in this share: Full Control


Anyone who just needs to be able to access VOBs or views on the share: Change
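
The locked-down share layout from the technote above, turned into a check. This is an added example, not part of the original post or of IBM's technote; `Test-CcShareAccess` and the `EXAMPLE\...` accounts are hypothetical, the sample entries are constructed, and the input objects use the property names that `Get-SmbShareAccess` returns. Because the recommendation leaves NTFS at "Everyone: Full Control", the share ACL is the only gate on the storage, so the check flags entries that are broader or narrower than the layout.

```powershell
# Added example: compare a storage share's access entries with the
# locked-down layout (admin group and VOB creators: Full; everyone else: Change).
function Test-CcShareAccess {
    param(
        [Parameter(Mandatory)] [object[]] $ShareAccess,   # AccountName / AccessControlType / AccessRight
        [Parameter(Mandatory)] [string]   $AdminGroup,    # the ClearCase privileged group
        [string[]] $VobCreators = @()                     # accounts allowed to create VOBs/views here
    )
    $needFull = @($AdminGroup) + $VobCreators
    $allow    = @($ShareAccess | Where-Object { "$($_.AccessControlType)" -eq 'Allow' })
    $findings = @()

    # Accounts that create or protect storage must hold Full Control on the share.
    foreach ($name in $needFull) {
        $hit = $allow | Where-Object { $_.AccountName -eq $name -and "$($_.AccessRight)" -eq 'Full' }
        if (-not $hit) {
            $findings += "MISSING: $name needs Full Control to create and protect VOB/view storage"
        }
    }

    # Every other entry should be exactly Change.
    foreach ($e in $allow) {
        if ($needFull -contains $e.AccountName) { continue }
        switch ("$($e.AccessRight)") {
            'Change' { }
            'Full'   { $findings += "TOO BROAD: $($e.AccountName) has Full Control; Change is enough to use VOBs and views" }
            default  { $findings += "TOO NARROW: $($e.AccountName) has $($e.AccessRight); Change is the minimum to use a VOB or view" }
        }
    }
    $findings
}

# Constructed sample entries (not taken from a real host).
$sample = @(
    [pscustomobject]@{ AccountName = 'EXAMPLE\clearcase'; AccessControlType = 'Allow'; AccessRight = 'Full' }
    [pscustomobject]@{ AccountName = 'EXAMPLE\vobdevs';   AccessControlType = 'Allow'; AccessRight = 'Change' }
    [pscustomobject]@{ AccountName = 'Everyone';          AccessControlType = 'Allow'; AccessRight = 'Full' }
    [pscustomobject]@{ AccountName = 'EXAMPLE\auditors';  AccessControlType = 'Allow'; AccessRight = 'Read' }
)
Test-CcShareAccess -ShareAccess $sample -AdminGroup 'EXAMPLE\clearcase' -VobCreators 'EXAMPLE\vobadmins'

# On a live server (Windows 8 / Server 2012 or later), feed it the real share ACL:
#   Test-CcShareAccess -ShareAccess (Get-SmbShareAccess -Name ccstg_c) -AdminGroup 'DOMAIN\clearcase'
```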

global2 2006-12-6 20:42

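Sigh, reading these English documents is just hard work, mainly because the meanings of some words are easy to mix up, and it isn't straightforward to understand~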

葵花点穴手 2006-12-7 18:14

For permission control, you really just need to make good use of protectvob and protect.

pingtou1984 2008-7-1 15:05

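I humbly took a shot at translating it

Friendly note: for reference only. This is my first time translating anything, so teachers, please give me plenty of feedback.
ClearCase permission control on Windows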


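[b]Problem:[/b]
This technote outlines the recommended permission and access requirements for ClearCase users and groups in a Windows environment.


[b]Cause:[/b]
On Windows, there are required permissions for the various ClearCase directories (VOBs, views, shares, install) so that they work correctly and without error.
If the access permissions on certain directories are set incorrectly, some ClearCase operations will produce permission and access denied errors.
Note: ClearCase has no built-in user authentication mechanism, so it uses the security and access controls provided by Windows.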
  

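[b]Solution:[/b]


Important advisory information


This information is for use by the ClearCase administrator (system administrator), because they are responsible for setting up and configuring the ClearCase environment.

We recommend that you first read and understand the relevant details in the ClearCase Administrator's Guide in order to set up ClearCase permission control. If you do not have the book at hand, you can find a file called cc_admin.pdf on any host with ClearCase installed, in the directory C:\Program Files\Rational\ClearCase\doc\books (the default ClearCase installation directory).

The purpose of this technote is to supplement the ClearCase Administrator's Guide by providing considerations and guidance to help manage permission control in a ClearCase environment. Because permission control has to satisfy a very wide range of permission needs and variations, the technical details in this technote will not necessarily apply to every case.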

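[b]Non-ClearCase vs ClearCase permission control[/b]

Non-ClearCase objects (such as shared directories used as storage locations or the install area) are managed with operating system commands, while ClearCase objects (VOBs, views, elements and versions) are managed with ClearCase tools and commands. It is important to understand this.

In short, non-ClearCase objects are directories (or folders) created with operating system functions, while ClearCase objects are created with ClearCase functions or have been added to source control.
For information on the ClearCase tools and commands for changing the protections of VOB and view storage, see the ClearCase Administrator's Guide and the ClearCase Command Reference.
During ClearCase installation and setup, a ClearCase privileged group is designated. Its name is clearcase by default. Some defining characteristics of the clearcase group (privileged group) are:
The user that runs the Atria Location Broker Daemon (ALBD) service must belong to this group, for example clearcase_albd.
This group has Full Control of the VOB and view storage directories.
Members of this group are treated as ClearCase administrators.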

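[b]Permission control provided by Windows for ClearCase[/b]

Note: These permission controls apply to Windows operating systems that use NTFS (New Technology File System).
VOB and View Server storage directories (by default ending in .vbs and .vms respectively)
clearcase group: Full Control;
VOB primary group: Read, Write, Execute;
Additional groups of the VOB: Read, Write, Execute

Note: If the permission information of a VOB or view storage directory (with the suffix .vbs or .vms) has been modified at the operating system level, ClearCase may not recognize that access control list format, and you will then need to run the fix_prot program on the VOB or view storage directory. For how to run fix_prot, review technote 1142606. You can also consult the VOB and view administration sections of the ClearCase Administrator's Guide.
VOB and View storage locations (or shares). By default, ccstg_<drive letter>, for example, ccstg_c.

clearcase group: Full Control
VOB primary group: Read, Write, Execute
Additional groups of the VOB: Read, Write, Execute

Note: For more details on server storage locations, see technote 1147041

ClearCase home directory and all subdirectories
clearcase group: Full Control
ClearCase home directory: C:\Program Files\Rational\ClearCase

Note: Even if a directory or share has Full Control set for the Everyone user, it has proven to still be necessary to give the clearcase group Full Control.
If the above permission settings still do not fully solve the problem, add the DOMAIN\clearcase_albd account to the local computer's Administrators group. Local administrators have full access and rights to the local file system.
It may take several minutes for NTFS permission settings to replicate to all logon servers. If the problem still exists after rebooting, wait 15-60 minutes and then repeat the operation.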
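[b]Recommendation: [/b]

The simplest way to control access to VOB and view storage is to use access controls on the share, and then leave the underlying NTFS directory permissions set to: Everyone user -- Full Control.
The access levels allowed on the share and the ClearCase functions are as follows:
Full Control:
This level of permission is used to create VOBs and views.
This level is needed because the client cleartool process has to create and protect the VOB/view database.
Changing the access control list of a file on a share requires "Full Control" permission on that share.

Change:
This is the minimum share permission level (read and write), for using, but not creating, a VOB or view.
This permission is needed because a large number of clearcase commands directly modify files in the VOB storage pools, and file system commands may indirectly modify files in a view's pools.
Based on the above, a locked-down VOB storage share looks like this:
ClearCase server process group (the ClearCase administrators group or just the ClearCase group): Full Control.
Other users or groups with permission to create VOBs in this share: Full Control.

Any user or group that only needs to access VOBs or views on this share: Change

[[i] This post was last edited by pingtou1984 on 2008-7-1 15:15 [/i]]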

pingtou1984 2008-7-2 09:26

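Pardon my clumsy effort. Personally, I think those who use CC are generally large companies, so their permission control will never be very simple; the permission control strategy that best suits you is therefore the best one.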