Phabricator Username: Stevemunene
Reasons For Request: I am a Site Reliability Engineer within the Data Engineering team.
It would therefore be useful for me to be able to see security related tickets.
Stevemunene | |
Jan 11 2023, 7:37 PM |
F36687865: denied.png | |
Feb 2 2023, 10:31 PM |
Phabricator Username: Stevemunene
Reasons For Request: I am a Site Reliability Engineer within the Data Engineering team.
It would therefore be useful for me to be able to see security related tickets.
Hi @Stevemunene - Access has been granted.
Please let us know if you need additional help.
Hey @mmartorana
Thanks for picking this up.
It seems like @Stevemunene still cannot access some security related tasks.
eg.
https://phabricator.wikimedia.org/T327525
https://phabricator.wikimedia.org/T326625
https://phabricator.wikimedia.org/T324842
Is this a separate/different process? We need him to be able to access all levels of security tasks.
Thanks
Emil
They were added to the Security project (which actually is publicly join-able and gives no access), they actually need to be added to a acl*security subproject (I guess acl*security_sre).
Thanks @Zabe!
Is the process the same? Do we have to file a separate ticket - or can this one be reused?
So it turns out (we just found out) that acl*security_sre is just joinable - which auto adds him to acl*security
Not sure if this is intended or not - but this ticket is now resolved.
Going to resolve this, but someone (not sure who) should check if this is in fact intended behaviour. Tagging @mmartorana & @BTullis
Not really. I was just testing it, and it is not. acl*security_sre is joinable by people in acl*security, so he must have already been in acl*security to be able to join there.
Thats just a bit weird because then they would have been able to view protected tasks.
In T326752#8583804, @Zabe wrote:
Thats just a bit weird because then they would have been able to view protected tasks.
Indeed. @mmartorana how are you adding people to the acl?
Maybe, if it is added through some script, it is added but doesn't propagate. That could also explain why there's apparently no log entry of mmartorana adding Steve other than to the (open for all) Security tag.
And no, being a member of Security does not allow joining to acl*security_sre
I have also reviewed other subgroups, and it doesn't seem Steve had been added there.
Maybe @pfischer can chime in on whether security access works for him, since T327746 is really similar to this one.
Just to clarify (our Phabricator has quite a complex permission hierarchy), @Stevemunene was able to add themselves because they were already a member of acl*sre-team. acl*sre-team grants edit access to acl*security, and anyone with edit access on a parent project can edit a subproject, and anyone with edit access can also join that project (see https://secure.phabricator.com/book/phabricator/article/projects/#parent-projects). Therefore they were able join acl*security_sre because is is a subproject of acl*security which they could edit. FWIW Security is not supposed to be used for permissions in any way, as it is joinable by anyone, it is just for tracking tasks.
Aha,! They went through acl*sre-team I had been looking in the acl*security ones. Missing puzzle pieces found.
Thanks, @Dylsss