Page MenuHomePhabricator
Create Task
Maniphest T326752

Security Issue Access Request for Stevemunene
Closed, ResolvedPublic
Actions

Description

Phabricator Username: Stevemunene

Reasons For Request: I am a Site Reliability Engineer within the Data Engineering team.
It would therefore be useful for me to be able to see security related tickets.

Related Objects

Event Timeline

Stevemunene created this task.Jan 11 2023, 7:37 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 11 2023, 7:37 PM
mmartorana changed the task status from Open to In Progress.Jan 17 2023, 7:14 PM
mmartorana triaged this task as Medium priority.
mmartorana subscribed.Jan 17 2023, 7:16 PM

Hi SRE and @Stevemunene - Can we get your manager's approval, please?

Thanks

sbassett moved this task from Incoming to In Progress on the Security-Team board.Jan 17 2023, 8:00 PM
sbassett added a project: SecTeam-Processed.
Stevemunene added a subscriber: odimitrijevic.Jan 18 2023, 4:55 PM

Hi @odimitrijevic requesting approval for Security Issue Access Request.
Thanks.

Stevemunene added a comment.Jan 23 2023, 10:21 AM

Hi @mmartorana this is still pending, how do I get the task back moving?

Aklapper added a comment.Jan 23 2023, 12:47 PM

See your previous comment - manager approval :)

odimitrijevic added a comment.Jan 23 2023, 4:23 PM

I approve the request!

mmartorana closed this task as Resolved.Jan 25 2023, 4:28 PM
mmartorana claimed this task.
mmartorana moved this task from In Progress to Our Part Is Done on the Security-Team board.

Hi @Stevemunene - Access has been granted.

Please let us know if you need additional help.

EChetty reopened this task as Open.EditedFeb 2 2023, 10:04 PM
EChetty subscribed.

Hey @mmartorana

Thanks for picking this up.

It seems like @Stevemunene still cannot access some security related tasks.
eg.
https://phabricator.wikimedia.org/T327525
https://phabricator.wikimedia.org/T326625
https://phabricator.wikimedia.org/T324842

Is this a separate/different process? We need him to be able to access all levels of security tasks.

Thanks
Emil

Zabe subscribed.Feb 2 2023, 10:08 PM

They were added to the Security project (which actually is publicly join-able and gives no access), they actually need to be added to a acl*security subproject (I guess acl*security_sre).

EChetty added a comment.Feb 2 2023, 10:10 PM

Thanks @Zabe!

Is the process the same? Do we have to file a separate ticket - or can this one be reused?

EChetty raised the priority of this task from Medium to High.Feb 2 2023, 10:11 PM
Platonides subscribed.Feb 2 2023, 10:21 PM

@Stevemunene is a member of acl*security_sre (he added himself?!)

EChetty added a comment.EditedFeb 2 2023, 10:22 PM

So it turns out (we just found out) that acl*security_sre is just joinable - which auto adds him to acl*security

Not sure if this is intended or not - but this ticket is now resolved.

EChetty closed this task as Resolved.Feb 2 2023, 10:27 PM
EChetty added a subscriber: BTullis.

Going to resolve this, but someone (not sure who) should check if this is in fact intended behaviour. Tagging @mmartorana & @BTullis

Platonides added a comment.Feb 2 2023, 10:27 PM

Not really. I was just testing it, and it is not. acl*security_sre is joinable by people in acl*security, so he must have already been in acl*security to be able to join there.

Platonides added a comment.EditedFeb 2 2023, 10:31 PM

denied.png (448×596 px, 50 KB)

Error message received by a test account with no privileges

Zabe added a comment.Feb 2 2023, 10:39 PM
In T326752#8583776, @Platonides wrote:

Not really. I was just testing it, and it is not. acl*security_sre is joinable by people in acl*security, so he must have already been in acl*security to be able to join there.

Thats just a bit weird because then they would have been able to view protected tasks.

Platonides added a subscriber: pfischer.Feb 2 2023, 11:09 PM

In T326752#8583804, @Zabe wrote:

Thats just a bit weird because then they would have been able to view protected tasks.

Indeed. @mmartorana how are you adding people to the acl?
Maybe, if it is added through some script, it is added but doesn't propagate. That could also explain why there's apparently no log entry of mmartorana adding Steve other than to the (open for all) Security tag.

And no, being a member of Security does not allow joining to acl*security_sre
I have also reviewed other subgroups, and it doesn't seem Steve had been added there.

Maybe @pfischer can chime in on whether security access works for him, since T327746 is really similar to this one.

Dylsss subscribed.Feb 3 2023, 1:06 AM

@Zabe @Platonides

Just to clarify (our Phabricator has quite a complex permission hierarchy), @Stevemunene was able to add themselves because they were already a member of acl*sre-team. acl*sre-team grants edit access to acl*security, and anyone with edit access on a parent project can edit a subproject, and anyone with edit access can also join that project (see https://secure.phabricator.com/book/phabricator/article/projects/#parent-projects). Therefore they were able join acl*security_sre because is is a subproject of acl*security which they could edit. FWIW Security is not supposed to be used for permissions in any way, as it is joinable by anyone, it is just for tracking tasks.

Platonides added a comment.Feb 3 2023, 2:36 AM

Aha,! They went through acl*sre-team I had been looking in the acl*security ones. Missing puzzle pieces found.
Thanks, @Dylsss

Zabe mentioned this in T328746: Require 2FA for members of acl*sre-team.Feb 3 2023, 10:35 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL