
Some tools have open push policies
Closed, Resolved | Public | Security

Description

https://phabricator.wikimedia.org/source/tool-ddescriptions/manage/policies/ and https://phabricator.wikimedia.org/source/tool-socks/manage/policies/ allow anyone to push to them.

Can a phab admin please update these policies? (and review for any inappropriate pushes)

Details

Risk Rating
Low
Author Affiliation
Wikimedia Communities

Event Timeline

https://phabricator.wikimedia.org/source/tool-ddescriptions/manage/policies/ is configured such that only @Mbch331 (deliberately not adding that user to this task as a viewer yet) can make additional configuration changes. This is one of those very interesting features of Phabricator and its ACL permissions model. My admin bit does not allow me to override the edit ACL.

I believe it would need to be done via shell (there might be a script in phab's bin).

The other one should be editable if someone can add a decent group as phab required you to have access after so probably best a diffusion admin does that:

https://phabricator.wikimedia.org/source/tool-socks/manage/policies/

I restored the policies here to the defaults (acl*repository-admins + the tool maintainer). There is only one commit to the repo which is attributed to the tool maintainer.

@Aklapper since you are an admin, would it be possible for you to update the mentioned policies?

Thanks @Aklapper. We need someone with shell access to address this. Tagging service ops as that seems like something they can do.

Ah, alright, I have shell access (and I didn't realize earlier that this is the way to go here, sorry). Let me fix the remaining one.

Alright, done.

Long version: Using https://phabricator.wikimedia.org/conduit/method/diffusion.repository.search/ and entering {"shortNames": ["tool-socks","tool-ddescriptions"]} as constraints provides the PHID to pass in the next command. Following https://wikitech.wikimedia.org/wiki/Phabricator#Unlocking_edit_permissions_on_random_objects I ssh'ed into phab1001 and ran sudo /srv/phab/phabricator/bin/policy unlock --edit aklapper PHID-REPO-ikwqj5rpqn3mbjx7jhcg and then edited https://phabricator.wikimedia.org/source/tool-ddescriptions/manage/policies/ accordingly (acl*repository-admins + tool maintainer, for both Editable By and Pushable By). Plus had to add myself for Editable By because otherwise I could not have saved the change (as I'm not a member of acl*repository-admins).

Guess I should resolve this (if I got it wrong, please reopen).
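The fix above was done by hand for two repositories. The same two steps (query diffusion.repository.search by shortName to get the PHID, then unlock the edit policy with bin/policy) can be turned into a small audit that flags every repository whose push policy is open to all users, which is how a Diffusion admin would catch the next one before it is reported. The script below is an added example and is not from this task or from Wikimedia's tooling. It assumes that Conduit reports a repository's push policy under the key "diffusion.push" in the result's policy map, that the built-in open policies are named "users" and "public", and that the Conduit request shape (a JSON "params" form field with a token under "__conduit__") is accepted; the API token, the sample response, and the tool-socks PHID are constructed placeholders, while the tool-ddescriptions PHID and the bin/policy path are taken from the comment above.

```python
"""Audit Diffusion repositories for open push policies (added example, not project code)."""
import json
from urllib import parse, request

# Assumption: Conduit method URL follows the pattern used in the comment above.
CONDUIT_URL = "https://phabricator.wikimedia.org/api/diffusion.repository.search"

# Assumption: these are the built-in policy names Conduit returns for
# "All Users" and "Public (No Login Required)". Either one lets anyone push.
OPEN_POLICIES = {"users", "public"}

# Assumption: the repository capability key used in the policy map.
PUSH_CAPABILITY = "diffusion.push"


def build_conduit_request(token, short_names):
    """Return the encoded POST body for diffusion.repository.search.

    Mirrors the {"shortNames": [...]} constraint used in the comment above.
    The token is passed under "__conduit__" as arc does (assumption).
    """
    params = {
        "__conduit__": {"token": token},
        "constraints": {"shortNames": list(short_names)},
    }
    body = {"params": json.dumps(params), "output": "json"}
    return parse.urlencode(body).encode("utf-8")


def query_repositories(token, short_names):
    """Perform the Conduit call (network; not exercised by the sample run)."""
    req = request.Request(CONDUIT_URL, data=build_conduit_request(token, short_names))
    with request.urlopen(req) as resp:
        return json.load(resp)


def find_open_push_repos(conduit_response):
    """Return (shortName, phid, pushPolicy) for each repo anyone can push to."""
    findings = []
    for repo in conduit_response["result"]["data"]:
        fields = repo["fields"]
        push_policy = fields.get("policy", {}).get(PUSH_CAPABILITY)
        if push_policy in OPEN_POLICIES:
            findings.append((fields["shortName"], repo["phid"], push_policy))
    return findings


def unlock_command(admin_user, phid, phab_root="/srv/phab/phabricator"):
    """Build the bin/policy command from the comment above so an admin can
    regain Editable By on a repository whose edit ACL locks admins out."""
    return f"sudo {phab_root}/bin/policy unlock --edit {admin_user} {phid}"


# Constructed sample response: the tool-ddescriptions PHID is the one quoted
# in the comment above; the other PHIDs and policy values are made up.
SAMPLE_RESPONSE = {
    "result": {
        "data": [
            {"phid": "PHID-REPO-ikwqj5rpqn3mbjx7jhcg",
             "fields": {"shortName": "tool-ddescriptions",
                        "policy": {"view": "public", "edit": "PHID-USER-constructed",
                                   PUSH_CAPABILITY: "users"}}},
            {"phid": "PHID-REPO-constructedsocks0000",
             "fields": {"shortName": "tool-socks",
                        "policy": {"view": "public", "edit": "users",
                                   PUSH_CAPABILITY: "public"}}},
            {"phid": "PHID-REPO-constructedok000000",
             "fields": {"shortName": "tool-fine",
                        "policy": {"view": "public", "edit": "PHID-PROJ-constructed",
                                   PUSH_CAPABILITY: "PHID-PROJ-constructed"}}},
        ]
    },
    "error_code": None,
}


if __name__ == "__main__":
    # Offline run over the constructed sample; a real audit would call
    # query_repositories(token, names) instead.
    for name, phid, policy in find_open_push_repos(SAMPLE_RESPONSE):
        print(f"{name}: push policy is {policy!r}")
        print("  if the edit ACL locks you out, run:", unlock_command("aklapper", phid))
```

The audit only reads the policy map and prints the remediation command; the actual policy change is still made in the web UI after the unlock, as in the comment above, so the change is recorded in the repository's edit history.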

Thanks! Can this be made public now?

sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Low.
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
sbassett added a project: SecTeam-Processed.