Page MenuHomePhabricator

Deprecate phabricator's fixed_settings.yaml (in puppet) and just use phabricator's built in configuration tools
Open, MediumPublic

Description

I would like to deprecate the fixed_settings.yaml (in puppet) and prefer just making customizations in the phab config gui with just a few security-critical settings to remain locked and managed via a plain json config file in puppet.

There are several reasons for this:

  1. The puppet code to compile a suitable phabricator config json (from a static yaml in puppet) is kind of a dirty hack implemented in ruby land (I believe via a puppet compiler function called ordered_json). Background: Internally, ruby hashes are unordered, while php stores hashes (aka associative arrays) in an order-preserving way. Further, phabricator cares about the order of keys in the config. In fact the order really matters a lot.
  2. There is already a nice GUI for editing phabricator's config that has several good features which we don't get when editing config via puppet:
    • The GUI does a lot of sanity checking on your new config values before applying them, a bad config change done by puppet can bring phabricator offline and it requires a time consuming git revert + puppet agent to bring things back to a working state.
    • The GUI has an audit trail for every edit. Of course, git/gerrit has this as well, but it mitigates some of the advantage that would otherwise be conferred by using gerrit & puppet.
    • Edits done in the GUI already override anything done in puppet so changes in puppet are sometimes ineffectual (see T228757: Rename Phabricator's "Normal" Priority field value to "Medium")
    • Phabricator already locks certain config settings so that they cannot be edited via the GUI, so security-critical settings must be managed by json files on disk (though there is a cli which does the same sanity checks as the phab gui). Nonetheless, we should at least eliminate the translation from yaml to json because it's slightly error-prone and provides very little benefit in terms of ergonomics (and it's a negative in terms of maintainability)

I have more thoughts on this but I'm supposed to be on vacation so I'll fill in more detail later.

Event Timeline

mmodell created this task.Nov 27 2019, 6:04 PM

Would there still be some way to (automatically?) export (and import again) the Wikimedia Phabricator production settings, e.g. to deploy the same configuration to https://phab.wmflabs.org/ or to some local Phab instance if someone wants to be as close to Wikimedia Phabricator settings as possible?

I could write a script that filters out sensitive values and then dumps the configuration into a json file.