Page MenuHomePhabricator

Per-branch access control in code repositories
Closed, ResolvedPublic

Description

Gerrit has fine-grained per-branch ACLs. I haven't been able to find documentation for access control in Phabricator. For feature parity with Gerrit, we'll at least need to lock down approval rights to certain user groups on a per-branch basis, with wildcard support (for all branches, grant approval rights to group X, but for branches of the form wmf/*, grant approval rights only to the deployers group).

See also: T184: Inherited settings and access control for code repositories

Details

Reference
fl310

Related Objects

View Standalone Graph
This task is connected to more than 200 other tasks. Only direct parents and subtasks are shown here. Use View Standalone Graph to show more of the graph.

Event Timeline

flimport raised the priority of this task from to Medium.Sep 12 2014, 1:35 AM
flimport added a project: Gerrit-Migration.
flimport set Reference to fl310.
Qgil renamed this task from Figure out how to do per-branch access control in Phabricator to Per-branch access control in code repositories.Oct 9 2014, 2:17 PM
Qgil updated the task description. (Show Details)
Qgil set Security to None.
Qgil added a subscriber: demon.Oct 9 2014, 2:20 PM

How relevant is this feature?

demon added a comment.Oct 9 2014, 3:40 PM

It's useful for deployment, but otherwise not terribly useful I think (others may disagree).

We could work around the deployment case if we had to.

Qgil lowered the priority of this task from Medium to Low.Oct 9 2014, 9:21 PM
mmodell added a subscriber: mmodell.Sep 3 2015, 8:00 PM

Herald can be used to create very fine-grained rules about which commits to accept.

Here's just a simple example I came up with to illustrate:

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 3 2015, 8:00 PM
greg added a subscriber: greg.Sep 3 2015, 8:39 PM

It might be useful to have explicit examples from Gerrit's ACLs that we need to reproduce (or not, we can debate them).

greg added a comment.Sep 3 2015, 8:41 PM

After reading the backscroll in -releng, it seems Mukunda and Chad think we're good here, don't take my previous comment as a statement of "thou shalt do this" ;)

Legoktm added a subscriber: Legoktm.Sep 3 2015, 8:59 PM

The main per-branch ACL we have right now is +2 and submit on wmf/* branches is limited to people in the wmf-deployment group, but +2 on all other branches is granted to the "mediawiki" group AFAIK.

demon added a comment.Sep 3 2015, 9:01 PM

The fun bit from IRC:

+ostriches> Although, if we do the Right Thing and move the deployment repo to a fork of MW and stop using submodules, we won't have need for those wmf/* branches everywhere.

Herald has a ref name condition,

Ref nameMatches Regexpwmf/.+
mmodell closed this task as Resolved.Oct 22 2015, 10:05 PM
mmodell claimed this task.

Phabricator supports this fully and flexibly.

demon moved this task from To Triage to Done/Archive on the Gerrit-Migration board.Dec 1 2015, 6:46 PM