Perforce security

Hey, yo.
I’m wondering how many other studios who use Perforce have “permanent” tickets for all their users?

If you don’t know what I’m talking about then you probably do have permanent tickets. Otherwise you will get a prompt to enter a password to renew your ticket every so often when you open P4 (for most people here it’s every 12 hours). At my previous job we all had permanent tickets so this is all new to me.

P4 is pretty well integrated to our engine and source art tools, and it will only get more integrated in the future. Right now if guys don’t have an up-to-date ticket their tools just don’t work. I’d like us to drop the short term tickets just to improve daily workflow for the whole team, but there is some concern from IT over security. Our other option is to make sure all our different tools (engine side, maxscripts, .bat files, etc) are able to check if your ticket has expired, then prompt you to renew it.

In the scheme of things I see P4 security being pretty minor when considering all the other more robust security measures we have in the studio. I definitely feel like workflow and simpler p4 tools wins over security here.

How do you guys handle p4 tickets/security when integrated with your tools?
Thanks in advance.

Our tickets expire after 12 hours and any tool that needs Perforce access will ask you to log back in before continuing.

In the last studio I worked at we all had permanent tickets and I really liked that way of doing things. At my current studio we have tickets that expire after 12 hours and I find it slightly annoying to have to log into Perforce every 12 hours.

I personally am in favor of permanent tickets because it’s one less thing to have to worry about and let’s face it, if someone really wants to get at your information and cause you harm they will. A Perforce log in every 12 hours is not really going to stop them, maybe just slow them down a bit.

Some places set the tickets to last 100’s or 1000’s of hours, so logging in is pretty rare.

Ours are also permanent. We have not found value in requiring people to log in again regularly.

I believe there are other ways to enforce security in Perforce.

Skimming the superuser entry:
http://www.perforce.com/perforce/doc.current/manuals/p4sag/03_superuser.html

It appears that:

  • By default, tickets are only valid for the IP address they’re initially created with (when you log in the first time).

So in theory, a Perforce ticket is only valid for that user’s desktop. And since I’m sure that desktop requires a login and automatically locks after being idle for 5 minutes, that should be reasonable enough security.

If it’s not, I would question IT about why their desktop security is so poor :slight_smile:

Phil

I worked with permanent tickets and I work with 24-hour tickets. I don’t see the security benefits but whatever. What I did find was:

With permanent tickets we became sloppy. We always assumed the user was logged in. Unfortunately this caused problems if their IP changed, and no end to broken tools at regular intervals.

With expiring tickets, yes it’s annoying to enter your password but at least we can’t be lazy about our tools. That said, it does suck when the ticket expires at some random point while you’re using the tool and now p4 doesn’t work :wink:

We use permanent tickets (90 days?), but also we’ve tried to make sure every place where we call p4 we check for the login status (it’s in a single C# lib so most of our integrations use the same codepath).

However, we do have a seemingly random issue that on some machines the ticket just expires in a seemingly random way and we’ve never been able to reliably identify why that happens.

So, we sort of have the best and worst of both worlds. :slight_smile:

SamiV.

Ours are temporary expiring logins. All the tools should check for it and bring up a login if you aren’t. Not all do though, one or two just sit there and do nothing until you log in to Perforce manually.

I have to say we also have some issues where it’ll think the ticket has expired and ask us to log in, even though we just did that half an hour ago.

It isn’t a significant hassle to me to have to login once a day. The same as it’s not a hassle to log in to the workstation first thing in the morning. They’re quite tight on security issues round here, so it’s to be expected.

We are quite lucky in that we seldom work for more than 12 hours per day :slight_smile:
Everyone just logs in when they arrive in the morning and work all day with no problems.
Of course during crunch time, you can get into a cycle where your Perforce does expire at inopportune times, but it’s a very minor hassle.

We did run into some headaches where users had multiple tickets, but I’m not sure how it was resolved.

I second the opinion that the ticket-length isn’t going to stop anyone from accessing your data if they want to and already bypassed all your other security measures.

Generally I don’t have a problem with tickets that expire fairly often. The most annoying problem I’ve run into is when the ticket expires in the middle of a script/tool/etc. Normally I only check the ticket at the beginning of a script, so time isn’t wasted checking it before every single file checkout or sync. But if I have a process that takes several hours, I might leave it running overnight, only to come back in the morning to find an error because the ticket expired. (In this case, a prompt to log in if the ticket is expired wouldn’t help because I would not see it until I came in the next morning.)

12 hours is our limit as well; slightly annoying but not too big of a hassle.

RFlannery, you could do a p4 login before the batch?

In regards to the particular script I was working on, it could take 30 seconds or it could take 5 hours, depending on how many files it was being run on. I didn’t want it to ask the user to log in every single time if they were just running it on a few files. I guess I could have looked at the number of files and done a p4 login if the list was long enough.
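An added example, not part of any post in this thread: one way a tool could decide up front whether to ask for `p4 login`, by comparing the remaining ticket lifetime from `p4 login -s` with the estimated length of the batch. The status-line format matched below, the per-file time estimate and the safety margin are assumptions; anything the parser does not recognise is treated as "no valid ticket".

```python
import re
import subprocess

# Assumed form of the status line printed by `p4 login -s` for a valid ticket.
EXPIRY_RE = re.compile(r"ticket expires in (?:(\d+) hours? )?(\d+) minutes?")


def parse_login_status(text):
    """Seconds of ticket lifetime left; 0 for anything unrecognised (fail closed)."""
    match = EXPIRY_RE.search(text)
    if not match:
        return 0
    return int(match.group(1) or 0) * 3600 + int(match.group(2)) * 60


def ticket_seconds_left(run=subprocess.run):
    """Ask the p4 client for ticket status; `run` is injectable for offline tests."""
    try:
        proc = run(["p4", "login", "-s"], capture_output=True, text=True)
    except OSError:  # p4 client not found on PATH
        return 0
    if proc.returncode != 0:  # expired or never logged in
        return 0
    return parse_login_status(proc.stdout)


def needs_login(seconds_left, file_count, secs_per_file=2.0, margin=600):
    """True when the ticket would not outlive the estimated batch plus a margin.

    secs_per_file and margin are hypothetical tuning values for this example.
    """
    return seconds_left < file_count * secs_per_file + margin


if __name__ == "__main__":
    # Constructed sample status lines, not captured from a real server.
    samples = [
        "User rflannery ticket expires in 11 hours 42 minutes.",
        "User rflannery ticket expires in 0 hours 30 minutes.",
        "Your session has expired, please login again.",
    ]
    for line in samples:
        left = parse_login_status(line)
        for count in (10, 9000):  # a few files vs. roughly a 5-hour batch
            print(f"{left:>6}s left, {count:>5} files -> login first: "
                  f"{needs_login(left, count)}")
```

A tool would call `ticket_seconds_left()` before starting and run an interactive `p4 login` only when `needs_login(...)` is true, so short runs are not interrupted and overnight runs do not die on an expired ticket.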

Permanent tickets, and we become careless. We always assume that the user is logged Unfortunately, the problems caused by this, if their IP changes, and no regular broken tool.

[QUOTE=natsuto;14591]We always assume that the user is logged.[/QUOTE]

Please don’t do that - it’s just bad practice. Nothing worse than connecting from China to a client’s P4 server in the US and then having to deal with dropped connections.
If there’s any length of time between two P4 operations that you cannot control (e.g. the user works with a file), check if the connection is still there before you issue a new batch of commands.

Short tickets could also cause us problems - sometimes the transfers we do to client depots can take very long (Great Chinese Firewall causing lag + sending files to the other end of the world). We encountered solutions from clients that would download/upload stuff from P4 for hours.

Although this really hasn’t anything to do with tickets and security.

Hehe, it was a spammer. natsuto’s post has been deleted.

Those bots are getting clever - although he had a point :wink: