Authorization server (P4AUTH)

Using a P4AUTH server frees you from the necessity of ensuring that all your servers contain the same users and protections entries.

If you are running multiple P4 Servers, you can configure them to retrieve protections and licensing data from a dedicated server, the P4AUTH server, which each of them locates through the P4AUTH environment variable.

On this page, "outer server" means any server that connects to the P4AUTH server.

Prerequisites

  1. Use a dedicated server as the P4AUTH server.

  2. All outer servers must be at the same, or newer, release level as the P4AUTH server.

  3. Ensure that the license file for the P4AUTH server is valid because it governs the number of licensed users that are permitted to exist on the outer servers.

  4. Each user must exist on the P4AUTH server. Otherwise such users will not appear to exist on the outer servers.

  5. Configure any serviceUser on an outer server to be a valid service user on the P4AUTH server before you set the P4AUTH environment variable on the outer server. Otherwise a lockout occurs.

  6. To ensure that p4 review and p4 reviews work correctly, enable remote depot access for the service user on the P4AUTH server.

  7. Starting with release 2023.1, servers using P4AUTH authentication require the P4AUTH server's release version to be at least 2023.1.

  8. All servers that use P4AUTH must have the same Unicode setting as the P4AUTH server.

Configure the P4AUTH server

To configure a P4 Server to use the P4AUTH server, set the P4AUTH environment variable before starting the server, or specify it on the command line when you start the server.

The P4AUTH server must be running when its outer servers are starting up or being upgraded.

P4AUTH and p4 info

If your P4 Server is making use of a P4AUTH server for authorization, the following line will appear in the output of p4 info:

...
Authorization Server: [protocol:]host:port

Where [protocol:]host:port refers to the protocol, host, and port number of the P4AUTH server. See Specify hosts.

For example, an outer server is configured to use a P4AUTH server named guardian. The outer server listens for user requests on port 1999 and relies on the P4AUTH server’s data for user, group, protection, review, and licensing information. It also joins the protections table from the server at guardian:1666 to its own protections table.

The outer server is started as follows:

p4d -a guardian:1666 -p 1999

Windows outer server

On Windows, configure the outer server with p4 set -S as follows:

C:\> p4 set -S "Outer Server" P4AUTH=guardian:1666
C:\> p4 set -S "Outer Server" P4PORT=1999

Commands that the P4AUTH server processes

When you configure a P4AUTH server, outer servers forward the following commands to the P4AUTH server for processing:

| Command | Forwarded to auth server? | Note |
|---|---|---|
| p4 group | Yes | Local group data is derived from the P4AUTH server. |
| p4 groups | Yes | Local group data is derived from the P4AUTH server. |
| p4 license | Yes | License limits are derived from the P4AUTH server. License updates are forwarded to the P4AUTH server. |
| p4 passwd | Yes | This command to change the password is forwarded to the P4AUTH server. |
| p4 property | Yes | Local property data is derived from the P4AUTH server. |
| p4 review | No | The default user named remote must have access to the P4AUTH server. However, best practice is to create Service users and not use the default user named remote. See Restrict access to remote depots. |
| p4 reviews | No | The default user named remote must have access to the P4AUTH server. However, best practice is to create Service users and not use the default user named remote. See Restrict access to remote depots. |
| p4 user | Yes | Local user data is derived from the P4AUTH server. |
| p4 users | Yes | Local user data is derived from the P4AUTH server. |
| p4 protect | No | The local server’s protections table is displayed if the user is authorized (as defined by the combined protection tables) to edit it. |
| p4 protects | Yes | Protections are derived from the P4AUTH server’s protection table as appended to the outer server’s protection table. |
| p4 login | Yes | Command is forwarded to the P4AUTH server for ticket generation. |
| p4 logout | Yes | Command is forwarded to the P4AUTH server for ticket invalidation. |

Limitations and notes

  • P4 Code Review is not supported with a P4AUTH server.
  • Setting P4AUTH by means of a p4 configure set P4AUTH=[protocol:]server:port command requires a restart of the outer server.

    If you need to set P4AUTH for a replica, use the following syntax:

    p4 configure set ServerName#P4AUTH=[protocol:]server:port

  • If you have set the P4AUTH environment variable, no warning will be given if you delete a user who has an open file or client.
  • To ensure that the P4AUTH server correctly distinguishes forwarded commands from commands issued by trusted, directly-connected users, you must define any IP-based protection entries in the Perforce service by prepending the string “proxy-” to the [protocol:]host:port definition. Before you prepend the string proxy- to the workstation’s IP address, make sure that a broker or proxy is in place.
  • Protections for non-forwarded commands are enforced by the outer server and use the plain client IP address, even if the protections are derived from lines in the P4AUTH server’s protections table.
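
One way to review the proxy- requirement from the list above, as an added example that is not part of the Perforce documentation: the function reads protections entries (the lines listed under Protections: in p4 protect -o output) and lists those whose host field is an address pattern without the proxy- prefix. The sample entries, names and addresses are constructed, and the script assumes user and group names contain no whitespace.

```shell
#!/bin/sh
# Added example: list protections entries whose host field is IP-based
# but lacks the "proxy-" prefix described in the limitations above.

# Constructed sample entries in the order: mode type name host path.
# Users, groups and addresses are made up for illustration.
sample_protections() {
cat <<'EOF'
## comment lines and blank lines are skipped
write user * * //...
write group dev 10.20.0.0/16 //depot/...
write group dev proxy-10.20.0.0/16 //depot/...
super user admin 192.168.5.10 //...
list user * proxy-* //public/...
EOF
}

# audit_proxy_prefix: read protections entries on stdin and print
# "<line-number>: <entry>" for every entry whose host field (4th field)
# is an address pattern, that is anything other than "*", which does not
# start with "proxy-".
# Exit status: 0 = nothing flagged, 1 = at least one entry flagged.
audit_proxy_prefix() {
    awk '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        NF >= 5 {
            host = $4
            if (host != "*" && host !~ /^proxy-/) {
                printf "%d: %s\n", NR, $0
                flagged = 1
            }
        }
        END { exit (flagged + 0) }
    '
}

# Run against the constructed sample; on a real server, pipe in the
# entries from the P4AUTH server's protections table instead.
sample_protections | audit_proxy_prefix || echo "review the entries listed above"
```

Flagged entries are candidates for review, not automatic errors: entries meant for trusted, directly connected users are written without the prefix.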