
create acl*operationsteam & acl*procurement projects, cease using #operations for access control
Closed, Resolved (Public)

Description

I'm creating this sub-task of T90491 in Project-Admins for overview before I create and implement.

Due to the reasons listed on T90491, our current use of SRE as a policy/access control is sub-standard. It disallows volunteers from joining SRE, so they cannot easily follow all tasks if they so choose. As this is sub-optimal, other teams have begun to create acl*groups for policy access to address this.

We need to base access to acl*operationsteam for the #ops-access-review project tasks, as well as future procurement and S4 space access policies.

Additionally, I'll be creating an acl*procurement project for access for the S4 procurement vendor space. This space is for our quoting, and will be used instead of our current RT implementation. Procurement space access will need to be restricted to operations and wmf staff ONLY. As operations will have an acl group already, the acl*procurement will include acl*operations, plus individuals added to the policy by me (@RobH), which will be noted in the acl*procurement info page.

All of the above is basically correcting access on SRE and Ops-Access-Reviews, as well as then implementing replacing RT. None of the above should have anything but an overall positive benefit to other users (allowing them to subscribe and/or join SRE.)

I'll let this sit for a day or so for potential objections/comments/insights I may have missed in 1:1 discussions about this.

Event Timeline

RobH claimed this task.
RobH raised the priority of this task from to Medium.
RobH updated the task description.
RobH added subscribers: RobH, Negative24, scfc and 8 others.

I'll note for future changing of the SRE group, we need to audit ALL tasks and ensure the policy access for restricted (or historical) tasks is changed from SRE to the future acl*operationsteam.

Post-migration sync up (@chasemp and I have been cleaning things up).

Included in migration was also the cleanup of the herald rules for ops tags: H86, H22, H21, H20, H19, H18, H17, H16, H15

So @chasemp created the associated project (new SRE) as the old one was renamed to #acl*operations-team, and then his script updated all tasks that had #acl*operations-team to SRE. This left any previously set up access restrictions that were on SRE to #acl*operations-team, as the project ID didn't change, only the naming of it.

The end result is our previously set up rules based on SRE automatically updated to #acl*operations-team. The herald rules mentioned above had to be modified, as they were pointing at the original project ID, not the new SRE project ID.

I've also completed the creation and cleanup of the #acl*procurement-review project, and modified S4 to limit access based on the two new acl groups.

Outcome:

  • This mucked up the existing work board for SRE but since we don’t use it we decided not to revert (if this is an issue we can explore it)
  • SRE is now OPEN for all comers to watch/join
  • #acl*operations-team is now a viable locked down grouping we can use where needed
  • Robh seems to have used the above to sort out his procurement policy needs
  • Robh had to modify some herald things to not apply the wrong group
  • All things that were policed policy-wise by SRE are still private but now as #acl*operations-team so don’t panic

https://phabricator.wikimedia.org/T114135
https://phabricator.wikimedia.org/project/query/.56Kqk_sr48z/#R

https://www.mediawiki.org/wiki/Phabricator/Security

Chase Pettet

Just for historical notes, I also had to change all the operations clinic dashboards, as the old queries were incorrect and pointing at the acl group due to the changes above.

Change 248638 had a related patch set uploaded (by Alex Monk):
Fix ops security policy for access review tasks

https://gerrit.wikimedia.org/r/248638

Change 248638 merged by 20after4:
Fix ops security policy for access review tasks

https://gerrit.wikimedia.org/r/248638