RhodeCode 4.13 Release: Enterprise branch permissions

We're happy to announce that RhodeCode 4.13 series release is out. In this release, we introduced long-awaited branch permissions,

a new unified repository switcher, public user group profiles and a completely new caching to improve performance even further.

This release highlights are:

Enterprise-Grade Branch permissions.

Built-in Error Tracker.

Unified repo switcher.

New caches improving permissions calculation.

Public user group profiles.

Nix 18.03 based packages.

Added support for svn 1.10

Added support for Mercurial 4.6

Few notable security improvements.

Better clustering support.

Take a few minutes to update your RhodeCode instance:

rccontrol self-update && rccontrol upgrade '*'

New to RhodeCode? Download the latest RhodeCode 4.13 Series from our website.

Keep reading for full release details.

Branch Permissions

This particular feature has been one of the most requested one by our customers. We took some time to implement it, but now we believe it's one of the best in class.

In our view branch permissions, or called sometimes branch protection goes beyond just protecting certain branch names from being modified. It's the whole set of possible modifications that should be controlled.

Those include: control forced pushes; control branch modifications via the code-review or pull requests, and finally protecting branches from modification even for the super-admin users,

simply to prevent accidental modification by those power users.

Our users are familiar with our extended permissions system.

Now we're introducing a similar interface to control branch permissions in RhodeCode.

The new rules adds 4 ways to control branch modification:

no modification possible

modification via web-merge in pull requests

modification with push

modification with forced push

RhodeCode supports multiple branch protection entries as well as wildcard entries such as * or feature-* to give users total flexibility, and the ability to protect branches that aren't yet existing.

Also, as mentioned above even super-admin users can write self-protect rules so they are assured certain branches cannot be modified even by them.

And of course, this all comes with some other well-known RhodeCode features like audit-logs, permissions summary snapshots, permission delegation, and others.

With our Branch Permissions it's possible to implement a strict review workflow in which users with write access to the repository can only modify code via the pull requests functionality.

It ensures the code that lands in the main repository branch is checked, validated and approved.

Built-in Exception Tracker

We understand that the corporate environments are often divided between end users (developers, managers) and devops/sysops that handle the server and resources that power RhodeCode Enterprise on premise installation.

To help our end users track problems faster, and detect possible repository problems we're introducing a built-in error tracker into RhodeCode.

In case of unhandled errors that occur inside a running RhodeCode system, we now expose in the 500 error page, a unique error_id .

Users who are RhodeCode Administrators can see more details about occurred issues and investigate them by themselves.

This allows the development teams who work with RhodeCode on a daily basis to track problems faster, without bothering the IT/DevOps/SysOps department to check the problem on the server side.

Often the problems that happen are disk quotas, filesystem permissions issues, or configuration issues like missing SSL certificates or similar problems.

In addition, we track few additional things to help RhodeCode administrators to debug the configured system faster,

and those are: celery async tasks failures, integration failures, and few other important exceptions that happen in the background.

New Unified search field

Often our users have asked about a quick way to search via the nested repositories list,

we did provide this functionality via a goto switcher however in addition repository filter existed in the main view which often confused users.

The repository filter partially duplicated the functionality of goto switcher .

We decided to implement a single solution, that would be easier to use for the users, and not confuse them by having two ways to search/filter.

In 4.13 we shipped a unified search box. Its main features are quick filtering for, repositories, repository groups, user groups, users and if a full-text search is enabled possible doing a full-text search as well.

The unified search box is also quickly available via the '/' key.

This is of course powered by our permissions system, and users will only search what they allowed to access.

New caches improving permissions calculation

RhodeCode implements a very complex permission system. In this release, it got even more complex due to the additional Branch Permissions that are now calculated for each user.

This worked quite well for companies that have simple, relatively flat permissions structure, such as RhodeCode Team itself.

Things get much different in case of a big more complex organization. Imagine that your organization has 1000 users,

and those users are spread across a few thousand user groups which have access to many nested repositories groups,

with few hundred of repositories in each of them. Calculating the permissions on each user can get very expensive.

We've got in certain situations to calculation time of ~10s for one particular client. This resulted in bad experience and users complaining.

This is why we're introducing a smart permission caching in the 4.13 release. Generally, since this release permissions are cached on disk until an invalidation signal is triggered,

and permissions are re-calculated.

This allowed us to get as low as few ms response time for cached permissions. We're sure this would increase user experience and performance for our most demanding customers.

Other notable changes

Diffs: skip line numbers during copy from a diff view.

GIT: bumped release to 2.17.2 which addresses cve-2018-17456.

SVN: properly handle credentials from URL during remote repository import.

Upgrade notes

Be sure to check the upgrade notes as there are few potential things to consider checking before the upgrade.

Especially for SVN users, or users of some legacy backends.

Summary

See the full list of changes in the release notes.

As usual, the update process is a simple one-liner type:

rccontrol self-update && rccontrol upgrade '*'

in the command line interface. Done!

Sincerely yours,

The RhodeCode team.