
Enable registration for everybody at phabricator.wikimedia.org
Closed, Resolved (Public)

Description

This is just a compilation of the tasks that need to be solved in order to open registration to Wikimedia users in phabricator.wikimedia.org.

If you need access urgently, check https://www.mediawiki.org/wiki/Phabricator#Access_to_phabricator.wikimedia.org

Event Timeline

Qgil raised the priority of this task from to High.
Qgil updated the task description.
Qgil changed Security from none to None.
Qgil subscribed.
Qgil renamed this task from Open registration at phabricator.wikimedia.org to Enable registration at phabricator.wikimedia.org. (Sep 19 2014, 12:27 PM)
Aklapper renamed this task from Enable registration at phabricator.wikimedia.org to Enable registration for everybody at phabricator.wikimedia.org. (Sep 19 2014, 10:27 PM)

We could create a Wikimedia Phabricator Early Tester Agreement and restrict access to Maniphest to those that have signed it. Once the blockers are resolved, we set back the usual permissions and we forget about this agreement. You can test this setup in https://phab-01.wmflabs.org/ now.

This would allow us to enable LDAP now, while we solve the blockers. Again, we need more real users to test and get familiar with Phabricator, and the process of enabling/disabling manually doesn't scale.

@Qgil: Sounds good to me but it isn't my call.

In T463#16, @Qgil wrote:

We could create a Wikimedia Phabricator Early Tester Agreement and restrict access

For the record, I've sent an email to Chase and csteipp as I'd like to understand possible security implications and if there are any issues if we technically allowed file uploads and delete them later, etc.

This comment has been deleted.

I really want to open registration for this production instance. We need real users before the Bugzilla migration, and every day that we delay this step we are introducing a higher risk of missing the kind of problems that only real users doing real work happen to find. In my opinion, this risk is more problematic than the risk of e.g. users uploading files or modifying the reference field.

I propose to enable the testers agreement with LDAP and SUL registration today (if SUL takes a bit longer that's fine; enabling LDAP is just a matter of ticking a checkbox). I will reply to Andre's email CCing Rob and MarkB, after that there is the Phabricator weekly meeting, and after that we have The Very Basics of Phabricator tech talk. After this session, I hope to have received enough feedback to make a decision.

@Qgil: there are some very real security implications if we allow file uploads without having T373 in place so that one probably needs to be a hard blocker.

Another possibility is to enable local uploads only (not in another domain) until T373 is fixed. We would be discouraging users to upload files, we would tell them that we will delete any file uploaded now, and if even after this someone uploads a file, it would be stored locally, without those security risks. Right now, user registration is a lot more important than file uploads.

@Qgil: allowing uploads without the separate domain is specifically the thing that causes security issues.

In T463#24, @Qgil wrote:

I hope to have received enough feedback to make a decision.

Indeed, and the decision is that there is no way to skip T373: get certificate for phab.wmfusercontent.org. Only when that task is resolved we can open registration. When that happens, we will open registration without need of any testers agreement.

After all the fixes implemented yesterday (big thank you!), can we enable LDAP for everybody now?

Also, another week has passed, and we haven't heard from upstream in reference to T368: Upstream mediawiki oauth provider for Phabricator. Can we enable Wikimedia SUL locally?

I still have cleanup to do regarding the migration from fab. This is not ready. I will comment here when it is.

This comment was removed by chasemp.

Registration is now officially open for everybody. Big Thank You to @chasemp and everybody involved!