Users must have a ticket for each server they access in a distributed environment. The best way to handle this requirement is to set up a single login to the master, which is then valid across all replica instances.
You can set up single-sign-on authentication using two server configurables:
- Set auth.id (p4d 2015.2 and later) or cluster.id (p4d 2014.2 and 2015.1) to the same value for all servers participating in a distributed configuration.
- Enable rpl.forward.login (set to 1) for each replica participating in a distributed configuration.
For example, the following p4 configure set commands run against the commit/master server set auth.id globally and enable login forwarding from the edge1 and replica1 servers:
p4 configure set auth.id=myAuthName
p4 configure set edge1#rpl.forward.login=1
p4 configure set replica1#rpl.forward.login=1
The auth.id value is a string of your choosing and is used for the login ticket generated by login commands. Once auth.id is set and the settings have replicated to the edge1 and replica1 servers, each login generates one ticket based on the auth.id setting:
User bruno logged in.
localhost:myAuthName (bruno) FDD99991DE2CEE569FB74A8694F4E596
and the login ticket will work for any server in the distributed environment.
After the configuration changes above have been made, new login tickets must be generated for:
- All regular user accounts
- All service user accounts
- All trigger scripts, user scripts, and build scripts that run p4 commands and use tickets
- Configurations for other apps that use tickets to connect to any of the servers, such as Swarm and P4DTG
New tickets will have to be generated for all accounts, so plan accordingly before making the server configuration changes.
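To find accounts that still hold a ticket issued before the change, the following added example (not part of the original article or of Perforce's tooling) reads a ticket listing in the format shown above and reports every entry whose key does not end in the shared auth.id. The function names and the sample listing are constructed for illustration, and it assumes that older tickets carry something other than the auth.id after the last colon, such as a port number.

```shell
#!/bin/sh
# Added example: report tickets that were not issued under the shared auth.id.
# Input lines follow the listing format shown in the article:
#   <host>:<id> (<user>) <ticket>
# Assumption: a ticket issued before auth.id was set has a different value
# (for example a port number) after the last colon.

stale_tickets() {
    # $1 = expected auth.id; ticket listing on stdin.
    # Prints "<user> <key>" per stale entry; ticket values are never printed.
    awk -v id="$1" '
        NF < 3 { next }                  # skip blank or malformed lines
        {
            key = $1
            user = $2
            gsub(/[()]/, "", user)       # "(bruno)" -> "bruno"
            n = split(key, parts, ":")
            if (parts[n] != id) print user, key
        }'
}

check_tickets() {
    # Returns 0 when every ticket uses the auth.id, 1 otherwise,
    # so the check can gate a rollout or a scheduled audit job.
    out=$(stale_tickets "$1")
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

sample_listing() {
    # Constructed sample; ticket values are placeholders, accounts are hypothetical.
    cat <<'EOF'
localhost:myAuthName (bruno) 00000000000000000000000000000001
localhost:1666 (svc_replica1) 00000000000000000000000000000002
edge1.example.com:1667 (buildbot) 00000000000000000000000000000003
localhost:myAuthName (swarm) 00000000000000000000000000000004
EOF
}
```

On a real host, pipe the output of p4 tickets for each script or service account into check_tickets with your auth.id as the argument.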
Although you get a ticket which is valid for all your replica instances, there may be a slight lag while you wait for each instance to replicate the db.user record from the master/commit server.