
Audit Diffusion-Repository-Administrators group membership and rights
Closed, Resolved · Public

Description

The acl*repository-admins group grants rights for creating new Diffusion repositories, editing most existing Diffusion repositories, and, via a PhabricatorHeraldApplication ACL, creation of global Herald rules.

As T191182: Migrate active repositories in Phabricator Differential to GitLab has progressed, we are nearing or possibly past the point of wanting to allow creation of non-mirror Diffusion repos. There will certainly still be a desire for @StrikerBot and other bots/humans to be able to create mirrors of externally hosted git repos, but this will not require as many folks to have rights.

Event Timeline

@thcipriani and the folks on his team are probably best positioned to evaluate both the membership and rights.

LSobanski triaged this task as Medium priority. Dec 5 2022, 4:42 PM
LSobanski moved this task from Incoming to Consultation on the collaboration-services board.

I sent an email to all users with the repository-admins ACL and asked if it's ok that I remove them. Waiting for responses to start and make the list smaller as the ticket says.

Well, we have reduced the number of admins but we have also heard from some of them that they do want to keep their admin rights.

So I would say the "Audit the users in acl*repository-admins" part is done.

Regarding acl*discovery-repository-admins I have mailed Mikhail and Erik to ask them about it now.

I checked with the 2 members in acl*discovery-repository-admins and was told it's safe to clean that up.

I removed the members from https://phabricator.wikimedia.org/project/manage/2625/ , locked it and then archived it.

  • Determine if acl*discovery-repository-admins is still useful

Mentioned in SAL (#wikimedia-operations) [2023-03-06T18:38:15Z] <mutante> phabricator - locked and archived project acl*discovery-repository-admins (T324171)

@bd808 So an audit has happened and we have reduced the number of admins and archived one of the ACLs.

You were among the users who had reasons to want to keep these rights so you are aware of the special cases.

Separately one single user has said "allows me to manage global Herald rules which is something I use from time to time" so that would answer the last of the 3 check boxes. But I am going to see if we can give them those rights in a different way.

Other than that I think we can close this ticket now. Thoughts?

Global Herald rules can be managed via acl*phabricator membership. (Why do we even include Diffusion-Repository-Administrators in that ACL?)

Hi @MarcoAurelio you have said that you sometimes use the "Diffusion-Repository-Administrators" group membership to edit global Herald rules.

In https://phabricator.wikimedia.org/policy/explain/PHID-APPS-PhabricatorHeraldApplication/herald.global/ I see that it's either "be a Phab admin" or "be a repo admin" or "be in acl*phabricator" to be allowed to edit global Herald rules.

You are both a repo admin and in acl*phabricator, so removing you from repo admins should not take away your rights to edit global herald rules.

But then there is still the "archive the repositories of the archived extensions"?

Yea, so if anyone can edit https://phabricator.wikimedia.org/policy/explain/PHID-APPS-PhabricatorHeraldApplication/herald.global/ to remove "Diffusion-Repository-Administrators" from the Herald policy, please do so.

@Aklapper @brennen

Yea, so if anyone can edit to remove "Diffusion-Repository-Administrators" from the Herald policy

I went to https://phabricator.wikimedia.org/applications/edit/PhabricatorHeraldApplication/ and removed Diffusion-Repository-Administrators from Can Manage Global Rules

Thanks @Aklapper :)

@bd808 I would claim this is resolved now as described.
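
The two checks made in this thread (whether a user keeps the herald.global capability after leaving Diffusion-Repository-Administrators, and who is affected when that group is dropped from the policy) can be run as a pre-change impact check. The following is an added example, not Phabricator code or API and not from the task's participants; the user names and memberships are constructed, and the policy is modeled as "any rule grants access" as described in the policy explanation above.

```python
# Constructed sample data: user names and memberships are hypothetical.
ADMINS = {"alice"}
PROJECTS = {
    "Diffusion-Repository-Administrators": {"bob", "carol", "dave"},
    "acl*phabricator": {"carol", "erin"},
}
REPO_ADMINS = ("project", "Diffusion-Repository-Administrators")
# herald.global as an any-of policy: one matching rule is enough.
HERALD_GLOBAL = [("admin", None), REPO_ADMINS, ("project", "acl*phabricator")]


def holders(policy, admins, projects):
    """Return every user who satisfies at least one rule of the policy."""
    granted = set()
    for kind, name in policy:
        granted |= admins if kind == "admin" else projects.get(name, set())
    return granted


def lost_if_rule_removed(policy, rule, admins, projects):
    """Users whose only path to the capability is the rule being dropped."""
    remaining = [r for r in policy if r != rule]
    return holders(policy, admins, projects) - holders(remaining, admins, projects)


def loses_access_if_unjoined(policy, user, project, admins, projects):
    """True if removing `user` from `project` takes the capability away."""
    trimmed = {p: (m - {user} if p == project else set(m))
               for p, m in projects.items()}
    before = user in holders(policy, admins, projects)
    after = user in holders(policy, admins, trimmed)
    return before and not after


if __name__ == "__main__":
    # Who needs another grant before the group is removed from the policy?
    print(sorted(lost_if_rule_removed(HERALD_GLOBAL, REPO_ADMINS, ADMINS, PROJECTS)))
    # A member of both groups keeps the capability after leaving one of them.
    print(loses_access_if_unjoined(HERALD_GLOBAL, "carol", REPO_ADMINS[1],
                                   ADMINS, PROJECTS))
```
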