Prevent unauthorized access to systems

You can implement a range of strategies to help prevent unauthorized access to your system.

Authenticate users and devices

Authentication is the process of verifying the identity of a user, device, or other entity before granting access to a system, application, or network.

In P4 Code Review, authentication (AuthN) is managed in the following ways:

  • By default, the local P4 Server username and password are used for authentication. User credentials are stored in the P4 Server internal database (p4 users).

  • In addition, you can enforce password strength, expiration, and lockout policies by specifying P4AUTH, P4PORT, and related settings.

  • Optionally, you can integrate P4 Code Review with P4 AS. In this way, you can integrate P4 Server with external identity providers by using the Lightweight Directory Access Protocol (LDAP), Active Directory, or SAML. Use this method if you want to implement multifactor authentication for P4 Code Review.

  • By implementing these measures, you can help to ensure that only authenticated and authorized users can access P4 Code Review, enhancing security by confirming that each access request is legitimate and in alignment with the organization's security policies.

  • Because P4 Code Review always follows P4 Server’s authentication mechanism, security is also managed according to the guidelines provided for P4 Server.

Grant access and permissions

The process of granting access rights and permissions is designed to ensure that only authorized users, user groups, devices, and other entities can access a system, application, or network. Commonly used authorization mechanisms include role-based access control (RBAC), attribute-based access control (ABAC), and access control lists (ACLs).

In P4 Code Review, RBAC is managed through the P4 Server via its permissions. P4 Server provides a protection scheme to prevent unauthorized or inadvertent access to files in the depot. The protections determine which P4 Server commands can be run, on which files, by whom, and from which host. You configure protections with the p4 protect command. For details, see Access authorization.

P4 Code Review-specific configuration for permissions includes the following items:

  • Project creation in P4 Code Review can be restricted to administrators. For more information, see Projects. Note that access to project files is enforced byP4 Server using path-level protections. When configuring branches, P4 Code Review also evaluates P4 Server permissions and applies any defined workflow rules.

  • Restricted change descriptions are hidden from users who lack access privileges. For details, see the “Restricted Changes” section in Security.

  • Key system data can be hidden as described in the “Disable system info” and “Restricted Changes” sections in Security.

  • Only users with the P4 Code Review admin role can configure global workflows to control global policies.

  • Test definition details are visible only to their owners.

You are responsible for configuring these options to the level of security that your organization requires.

Implement firewalls

Firewalls serve as a barrier between a trusted internal network and untrusted external networks, such as the internet. Firewalls filter incoming and outgoing traffic based on criteria such as IP addresses, ports, and protocols to protect a network or system from unauthorized access.

With P4 Code Review, you can implement firewalls and open the ports required to support operations:

  • If HTTPS is enabled, users typically access P4 Code Review on port 443. Depending on the architecture, you might have to open additional ports:

    • If P4 Server runs on a separate server, the P4 Code Review server must be able to communicate with the P4 Server. The default port is 1666.

    • If Redis runs on a separate server, communication must be open between P4 Code Review and Redis. The default port is 6379, but port 7379 is set by default during P4 Code Review installation. For details, see Redis configuration.

  • If you plan to integrate P4 Code Review with a continuous integration or continuous delivery system like Jenkins, open the relevant ports between P4 Code Review and that system.

Configure the firewall with a default 'deny-all' policy, allowing only explicitly permitted ports and services.

Implement logging

Logging can be implemented to gather operational and security data for a system, identify performance and security issues, and minimize the risk of data breaches. Log files can be encrypted, and access can be restricted to comply with data protection and privacy regulations.

With P4 Code Review, you can implement logging as described in Logging. The logs are stored on the P4 Code Review server. To help protect the log data, use centralized logging and ensure that the logs are not accessible to unauthorized users.

Starting with P4 Code Review 2021.1, the P4 Code Review package installations and upgrades include a logrotate configuration file to manage your P4 Code Review log rotation. The logrotate configuration supports P4 Code Review installations with single and multiple P4 Server instances.