Page MenuHomePhabricator

Enable registration for everybody at phabricator.wikimedia.org
Closed, ResolvedPublic

Description

This is just a compilation of the tasks that need to be solved in order to open registration to Wikimedia users in phabricator.wikimedia.org.

If you need access urgently, check https://www.mediawiki.org/wiki/Phabricator#Access_to_phabricator.wikimedia.org

Event Timeline

Qgil created this task.Sep 19 2014, 12:19 PM
Qgil raised the priority of this task from to High.
Qgil updated the task description. (Show Details)
Qgil changed Security from none to None.
Qgil added a subscriber: Qgil.
Qgil renamed this task from Open registration at phabricator.wikimedia.org to Enable registration at phabricator.wikimedia.org.Sep 19 2014, 12:27 PM
Aklapper renamed this task from Enable registration at phabricator.wikimedia.org to Enable registration for everybody at phabricator.wikimedia.org.Sep 19 2014, 10:27 PM
Qgil updated the task description. (Show Details)Sep 21 2014, 2:31 PM
Qgil added a comment.Sep 23 2014, 8:51 AM

We could create a Wikimedia Phabricator Early Tester Agreement and restrict access to Maniphest to those that have signed it. Once the blockers are resolved, we set back the usual permissions and we forget about this agreement. You can test this setup in https://phab-01.wmflabs.org/ now.

This would allow us to enable LDAP now, while we solve the blockers. Again, we need more real users to test and get familiar with Phabricator, and the process of enabling/disabling manually doesn't scale.

@Qgil: Sounds good to me but it isn't my call.

In T463#16, @Qgil wrote:

We could create a Wikimedia Phabricator Early Tester Agreement and restrict access

For the records, I've sent an email to Chase and csteipp as I'd like to understand possible security implications and if there's any issues if we technically allowed file uploads and delete them later, etc.

Qgil-test added a subscriber: Qgil-test.EditedSep 24 2014, 12:31 PM
This comment has been deleted.
Qgil added a comment.Sep 24 2014, 12:32 PM

I really want to open registration for this production instance. We need real users before the Bugzilla migration, and every day that we delay this step we are introducing a higher risk of missing the kind of problems that only real users doing real work happen to find. In my opinion, this risk is more problematic than the risk of e.g. users uploading files or modifying the reference field.

I propose to enable the testers agreement with LDAP and SUL registration today (if SUL takes a bit longer that's fine; enabling LDAP is just a matter of ticking a checkbox). I will reply to Andre's email CCing Rob and MarkB, after that there is the Phabricator weekly meeting, and after that we have The Very Basics of Phabricator tech talk. After this session, I hope to have receivedenough feedback to make a decision.

@Qgil: there are some very real security implications if we allow file uploads without having T373 in place so that one probably needs to be a hard blocker.

Qgil added a comment.Sep 24 2014, 1:04 PM

Another possibility is to enable local uploads only (not in another domain) until T373 is fixed. We would be discouraging users to upload files, we would tell them that we will delete any file uploaded now, and if even after this someone uploads a file, it would be stored locally, without those security risks. Right now, user registration is a lot more important than file uploads.

@Qgil: allowing uploads without the separate domain is specifically the thing that causes security issues.

Qgil added a comment.Sep 25 2014, 8:16 AM
In T463#24, @Qgil wrote:

I hope to have received enough feedback to make a decision.

Indeed, and the decision is that there is no way to skip T373: get certificate for phab.wmfusercontent.org. Only when that task is resolved we can open registration. When that happens, we will opoen registration without need of any testers agreement.

Qgil removed a subscriber: Qgil-test.Sep 25 2014, 8:17 AM
Qgil added a subscriber: chasemp.Sep 30 2014, 5:31 AM

After all the fixes implemented yesterday (big thank you!), can we enable LDAP for everybody now?

Also, another week has passed, and we haven't heard from upstream in reference to T368: Upstream mediawiki oauth provider for Phabricator. Can we enable Wikimedia SUL locally?

I still have cleanup to do regarding the migration from fab. This is not ready. I will comment here when it is.

This comment was removed by chasemp.

Looks done to me?

Qgil assigned this task to chasemp.Oct 6 2014, 8:13 PM

Registration is now officially open for everybody. Big Thank You to @chasemp and everybody involved!

Qgil closed this task as Resolved.Oct 6 2014, 8:15 PM