Page MenuHomePhabricator
Create Task
Maniphest T239355

Deprecate phabricator's fixed_settings.yaml (in puppet) and just use phabricator's built in configuration tools
Open, LowPublic
Actions

Description

I would like to deprecate the fixed_settings.yaml (in puppet) and prefer just making customizations in the phab config gui with just a few security-critical settings to remain locked and managed via a plain json config file in puppet.

There are several reasons for this:

  1. The puppet code to compile a suitable phabricator config json (from a static yaml in puppet) is kind of a dirty hack implemented in ruby land (I believe via a puppet compiler function called ordered_json). Background: Internally, ruby hashes are unordered, while php stores hashes (aka associative arrays) in an order-preserving way. Further, phabricator cares about the order of keys in the config. In fact the order really matters a lot.
  2. There is already a nice GUI for editing phabricator's config that has several good features which we don't get when editing config via puppet:
    • The GUI does a lot of sanity checking on your new config values before applying them, a bad config change done by puppet can bring phabricator offline and it requires a time consuming git revert + puppet agent to bring things back to a working state.
    • The GUI has an audit trail for every edit. Of course, git/gerrit has this as well, but it mitigates some of the advantage that would otherwise be conferred by using gerrit & puppet.
    • Edits done in the GUI already override anything done in puppet so changes in puppet are sometimes ineffectual (see T228757: Rename Phabricator's "Normal" Priority field value to "Medium")
    • Phabricator already locks certain config settings so that they cannot be edited via the GUI, so security-critical settings must be managed by json files on disk (though there is a cli which does the same sanity checks as the phab gui). Nonetheless, we should at least eliminate the translation from yaml to json because it's slightly error-prone and provides very little benefit in terms of ergonomics (and it's a negative in terms of maintainability)

I have more thoughts on this but I'm supposed to be on vacation so I'll fill in more detail later.

Related Objects

Event Timeline

mmodell created this task.Nov 27 2019, 6:04 PM
mmodell updated the task description. (Show Details)Nov 27 2019, 6:08 PM
mmodell mentioned this in T228757: Rename Phabricator's "Normal" Priority field value to "Medium".
Aklapper added a comment.Nov 27 2019, 6:16 PM

Would there still be some way to (automatically?) export (and import again) the Wikimedia Phabricator production settings, e.g. to deploy the same configuration to https://phab.wmflabs.org/ or to some local Phab instance if someone wants to be as close to Wikimedia Phabricator settings as possible?

mmodell added a comment.Dec 3 2019, 3:16 PM

I could write a script that filters out sensitive values and then dumps the configuration into a json file.

chasemp added a project: Security.Feb 10 2020, 10:56 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:06 PM
Aklapper removed a subscriber: Security-Team.Oct 24 2020, 1:17 PM
thcipriani edited projects, added Release-Engineering-Team; removed Release-Engineering-Team-TODO.Jan 12 2021, 5:19 PM
thcipriani lowered the priority of this task from Medium to Low.Apr 6 2021, 4:32 PM
thcipriani edited projects, added Release-Engineering-Team-TODO; removed Release-Engineering-Team.
thcipriani edited projects, added Release-Engineering-Team-TODO (Yak Shaving 🐃🪒 ); removed Release-Engineering-Team-TODO.
thcipriani edited projects, added Release-Engineering-Team (Yak Shaving 🐃🪒); removed Release-Engineering-Team-TODO (Yak Shaving 🐃🪒 ).Apr 20 2021, 1:32 AM
thcipriani edited projects, added Release-Engineering-Team (Seen); removed Release-Engineering-Team (Yak Shaving 🐃🪒).Apr 28 2021, 5:34 PM
Aklapper moved this task from To Triage to Infrastructure on the Phabricator board.Jun 9 2023, 7:48 PM
Aklapper mentioned this in T331673: Remove unused(?) fixed_settings.yaml from Phabricator puppet config.Jul 14 2023, 1:11 PM
Aklapper edited projects, added Release-Engineering-Team; removed Release-Engineering-Team (Seen).Jul 18 2023, 10:27 AM
Aklapper added a subscriber: brennen.

Copying in comment from @brennen in T331673:

See discussion on https://gerrit.wikimedia.org/r/c/operations/puppet/+/877188 -

Have discussed this with Dzahn on IRC. It looks to me like the translation.override value is actually hardcoded in the deployment repo -

https://gitlab.wikimedia.org/repos/phabricator/deployment/-/blob/wmf/stable/scap/templates/phabricator/conf/local/local.json.j2#L295

That configuration template gets values from /etc/phabricator/config.yaml, which are in turn set from puppet.

This makes it seem like there's some redundant stuff in puppet that isn't actually getting applied to the Phabricator config, and fixed_settings.yaml here probably needs cleaned up.

Should make sure this is actually the case.

Aklapper added a comment.Jul 18 2023, 10:28 AM

So this is https://gitlab.wikimedia.org/repos/phabricator/deployment/-/commits/wmf/stable/scap/templates/phabricator/conf/local/local.json.j2 versus https://gerrit.wikimedia.org/r/plugins/gitiles/operations/puppet/+log/refs/heads/production/modules/phabricator/data/fixed_settings.yaml

Aklapper merged a task: T331673: Remove unused(?) fixed_settings.yaml from Phabricator puppet config.Jul 18 2023, 10:28 AM
Aklapper mentioned this in T344965: Remove a hyphen from "CC BY-SA" link text in Phabricator Footer .Aug 25 2023, 8:52 AM
Peachey88 mentioned this in T346321: Move notification servers config to local files.Sep 14 2023, 11:09 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits