
create acl*operationsteam & acl*procurement projects, cease using #operations for access control
Closed, Resolved, Public


I'm creating this sub-task of T90491 in Project-Admins for overview before I create and implement.

Due to the reasons listed on T90491, our current use of Operations as a policy/access control is sub-standard. It disallows volunteers from joining Operations, so they cannot easily follow all tasks if they so choose. As this is sub-optimal, other teams have begun to create acl*groups for policy access to address this.

We need to base access to acl*operationsteam for the #ops-access-review project tasks, as well as future procurement and S4 space access policies.

Additionally, I'll be creating an acl*procurement project for access for the S4 procurement vendor space. This space is for our quoting, and will be used instead of our current RT implementation. Procurement space access will need to be restricted to operations and wmf staff ONLY. As operations will have an acl group already, the acl*procurement will include acl*operations, plus individuals added to the policy by me (@RobH), which will be noted in the acl*procurement info page.

All of the above is basically correcting access on Operations and Ops-Access-Reviews, as well as then implementing replacing RT. None of the above should have anything but an overall positive benefit to other users (allowing them to subscribe and/or join Operations.)

I'll leave this sit for a day or so for potential objections/comments/insights I may have missed in 1:1 discussions about this.


Related Gerrit Patches:
phabricator/extensions/security : master : Fix ops security policy for access review tasks

Event Timeline

RobH created this task. Sep 29 2015, 4:40 PM
RobH claimed this task.
RobH raised the priority of this task from to Medium.
RobH updated the task description.
RobH added subscribers: RobH, Negative24, scfc and 8 others.
RobH added a comment. Sep 29 2015, 4:43 PM

I'll note for future changing of the Operations group, we need to audit ALL tasks and ensure the policy access for restricted (or historical) tasks is changed from Operations to the future acl*operationsteam.

greg awarded a token. Oct 13 2015, 3:32 PM
RobH added a comment. Oct 21 2015, 6:29 PM

Post migration sync up (@chasemp and I have been cleaning things up).

Included in migration was also the cleanup of the herald rules for ops tags: H86, H22, H21, H20, H19, H18, H17, H16, H15

RobH added a comment. Oct 21 2015, 7:08 PM

So @chasemp created the associated project (new Operations) as the old one was renamed to #acl*operations-team, and then his script updated all tasks that had #acl*operations-team to Operations. This left any previously set up access restrictions that were on Operations to #acl*operations-team, as the project ID didn't change, only the naming of it.

The end result is our previously set up rules based on Operations automatically updated to #acl*operations-team. The herald rules mentioned above had to be modified, as they were pointing at the original project id, not the new Operations project ID.

I've also completed the creation and cleanup of the #acl*procurement-review project, and modified S4 to limit access based on the two new acl groups.


  • This mucked up the existing work board for Operations but since we don’t use it we decided not to revert (if this is an issue we can explore it)
  • Operations is now OPEN for all comers to watch/join
  • #acl*operations-team is now a viable locked down grouping we can use where needed
  • Robh seems to have used the above to sort out his procurement policy needs
  • Robh had to modify some herald things to not apply the wrong group
  • All things that were policed policy wise by Operations are still private but now as #acl*operations-team so don’t panic

Chase Pettet

RobH added a comment. Oct 23 2015, 9:14 PM

Just for historical notes, I also had to change all the operations clinic dashboards, as the old queries were incorrect and pointing at the acl group due to the changes above.

Change 248638 had a related patch set uploaded (by Alex Monk):
Fix ops security policy for access review tasks

Change 248638 merged by 20after4:
Fix ops security policy for access review tasks

Restricted Application added a subscriber: TerraCodes. Jul 3 2016, 12:53 PM