Service users
A service user is for server-to-server authentication as part of the replication process and does not consume a license. To learn more, see service user under p4 user in the P4 CLI Reference.
Create a separate service user for each master, replica, or proxy server that you control. This makes it easier to interpret your server logs.
Having service users improves security by requiring that communication between participating servers takes place using an authenticated user with a ticket.
Type | Service user is logged in according to: |
---|---|
edge | The server specified by the P4TARGET. |
replica | |
commit | The ExternalAddress field configured in the server specification for each edge server that is enabled for background archive transfer. |
Tickets and timeouts for service users
A newly-created service user that is not a member of any group is subject to the default ticket timeout of 12 hours. To avoid issues that arise when a service user’s ticket ceases to be valid:
- On the master server, create a group for service users:
  p4 group service_users
- Add one or more service users to the list of Users: in the service_users group, and set the Timeout: and PasswordTimeout: values to unlimited or a large value:
Group: service_users
Timeout: unlimited
PasswordTimeout: unlimited
Subgroups:
Owners:
Users:
    service_user1
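An added example (not from the P4 documentation): a Python check over the text of a group spec in the form shown above, reporting Timeout: or PasswordTimeout: values that can still expire and service users missing from the Users: list. The one-year threshold for "a large value", the assumption that numeric values are seconds, the sample spec, and service_user2 are constructed for illustration.

```python
# Added example: audit a group spec for the ticket-timeout settings described above.
MIN_LARGE_TIMEOUT = 365 * 24 * 60 * 60  # assumption: "a large value" means >= 1 year (seconds)

# Constructed sample in the spec form shown above; PasswordTimeout is deliberately weak.
SAMPLE_SPEC = """\
Group: service_users
Timeout: unlimited
PasswordTimeout: 43200
Subgroups:
Owners:
Users:
    service_user1
"""


def parse_spec(text):
    """Parse a spec form into {field: [values]}; indented lines continue a field."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # skip blank lines and form comments
        if line[0] in " \t":              # continuation of a multi-line field
            if current is not None:
                fields[current].append(line.strip())
            continue
        name, _, value = line.partition(":")
        current = name.strip()
        fields[current] = [value.strip()] if value.strip() else []
    return fields


def audit_group(spec_text, expected_service_users, min_seconds=MIN_LARGE_TIMEOUT):
    """Return findings for timeouts that can expire and service users left out of the group."""
    fields = parse_spec(spec_text)
    findings = []
    for key in ("Timeout", "PasswordTimeout"):
        value = (fields.get(key) or ["(not set)"])[0]
        if value == "unlimited" or (value.isdigit() and int(value) >= min_seconds):
            continue
        findings.append(f"{key} is {value}: expected unlimited or >= {min_seconds}s")
    members = set(fields.get("Users", []))
    for user in expected_service_users:   # caller supplies the service users it expects
        if user not in members:
            findings.append(f"{user} is not in this group's Users list")
    return findings


if __name__ == "__main__":
    for finding in audit_group(SAMPLE_SPEC, ["service_user1", "service_user2"]):
        print("FINDING:", finding)
```

A service user reported as missing here may still belong to another group, so check its other memberships before concluding that the default 12-hour timeout applies.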
Permissions for service users
On the master server, use p4 protect to grant the service_users group the super access level. For example:
Protections:
    super group service_users * //...
Granting the service_users group the super access level is considered to be safe because service users are tightly restricted in the commands they can run. To learn more, see service user in the P4 CLI Reference.