Page MenuHomePhabricator

Per-branch access control in code repositories
Closed, ResolvedPublic


Gerrit has fine-grained per-branch ACLs. I haven't been able to find documentation for access control in Phabricator. For feature parity with Gerrit, we'll at least need to lock down approval rights to certain user groups on a per-branch basis, with wildcard support (for all branches, grant approval rights to group X, but for branches of the form wmf/*, grant approval rights only to the deployers group).

See also: T184: Inherited settings and access control for code repositories


TitleReferenceAuthorSource BranchDest Branch
Move logstash checker code into scaprepos/releng/scap!358dancymaster-I8ec33a8cdad453e35e3c67840f3e0ee843d28dadmaster
Customize query in GitLab

Related Objects

View Standalone Graph
This task is connected to more than 200 other tasks. Only direct parents and subtasks are shown here. Use View Standalone Graph to show more of the graph.

Event Timeline

flimport raised the priority of this task from to Medium.Sep 12 2014, 1:35 AM
flimport added a project: Gerrit-Migration.
flimport set Reference to fl310.
Qgil renamed this task from Figure out how to do per-branch access control in Phabricator to Per-branch access control in code repositories.Oct 9 2014, 2:17 PM
Qgil updated the task description. (Show Details)
Qgil set Security to None.

How relevant is this feature?

It's useful for deployment, but otherwise not terribly useful I think (others may disagree).

We could work around the deployment case if we had to.

Qgil lowered the priority of this task from Medium to Low.Oct 9 2014, 9:21 PM

Herald can be used to create very fine-grained rules about which commits to accept.

Here's just a simple example I came up with to illustrate:

herald-commit-rule-example.png (444×1 px, 43 KB)

It might be useful to have explicit examples from Gerrit's ACLs that we need to reproduce (or not, we can debate them).

After reading the backscroll in -releng, it seems Mukunda and Chad think we're good here, don't take my previous comment as a statement of "thou shalt do this" ;)

The main per-branch ACL we have right now is +2 and submit on wmf/* branches is limited to people in the wmf-deployment group, but +2 on all other branches is granted to the "mediawiki" group AFAIK.

The fun bit from IRC:

+ostriches> Although, if we do the Right Thing and move the deployment repo to a fork of MW and stop using submodules, we won't have need for those wmf/* branches everywhere.

Herald has a ref name condition,

Ref nameMatches Regexpwmf/.+
mmodell claimed this task.

Phabricator supports this fully and flexibly.