Implement Phabricator Spaces
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	Qgil
	Oct 23 2014, 5:40 AM

Description

Phabricator Spaces are policy containers for groups of objects or, in plain English, areas where just some users with the appropriate permissions can access and work. Think for instance about spaces for Security, Procurement, Fundraising, Legal... accessed only by the members of those teams and optionally special guests. The full specifications are described in https://secure.phabricator.com/T3820#116875

The Phabricator maintainers expect to have a first version of Spaces ready by the end of June 2015, probably to be fine tuned during July after the first users report feedback.

Once this feature is implemented, the request of a new space should be a simple process, and could be possibly be handled by the Project-Admins process to request a new project. AffCom, Community Liaisons, and Fundraising Tech are the first cases that come to mind, and it is clear that these teams handle some private information combined with their public activities.

The implementation of Spaces might imply the deprecation of the Security extension that we are running locally in Wikimedia Phabricator, which currently allows the handling of security bugs and special requests to Operations. To be discussed.

The #Engineering-Community team is driving this initiative in Wikimedia's side. We are pooling a budget in the Community Engagement department to fund this development. See the WMF Short Form Business Case for Phabricator Spaces.

Old description

NOTE: Marking this task as Stalled. We need some months of real use of Phabricator, including private tasks, before even defining a plan for easy to use private projects that can scale. For now Phabricator is only for public projects that eventually have private tasks (for security reasons, etc). Until further notice, full private projects can stay in Trello, Asana, Google Drive, your mailbox, etc.

There are teams dealing with sensitive information that need to work with private tasks. Their theoretical options are:

Short term

Request a special security policy for their tasks, which will imply a new entry in the Security dropdown menu. Just like the Security team now or the Operations team as soon as RT is migrated, they will need to work privately in a fully open context. They will be responsible of maintaining the list of project members with access to the private tasks, and also who else can access to the tasks via CC. The Wikimedia Phabricator maintainers will not be responsible of any accidental leaks due to human errors messing with policies or users.

Note that we don't have any process to address a request like this. If a team steps in, we will need to discuss the proposal from scratch.

Mid term

Wait until upstream implements Spaces. Then you will be able to request an own namespace with default private policies fitting your needs. You will manage who can access to these namespaces and you will be able to create your projects within that namespace.

Related Objects
Search...

Status	Assigned	Task
Resolved	Qgil	T553 Engineering Community team goals for October 2014
Resolved	Qgil	T174 Launch Wikimedia Phabricator Day 1
Resolved	Qgil	T175 Nominate a team in charge of deploying and maintaining Wikimedia Phabricator code
Resolved	• RobLa-WMF	T17 Allocate resources for the migration and maintenance
Resolved	Qgil	T19 Define which features existing in our current tools are really missing in Phabricator
Resolved	Dzahn	T30 Identify features RT users would miss in Phabricator
Resolved	Qgil	T15 Migrate Bugzilla to Phabricator
Resolved	Aklapper	T22 Identify features Bugzilla users would miss in Phabricator
Invalid	• mmodell	T235 Maniphest task does not show project name when being logged out if project visibility is not set to "Public"
Resolved	• mmodell	T50 Restricting access to tasks based on project membership
Resolved	• mmodell	T77228 Let non-members watch projects
Declined	Qgil	T85006 Cannot send comments in via email for restricted tasks I receive updates for via email
Declined	greg	T41 Set up redirects from RT URLs to Phabricator
Resolved	RobH	T93760 Moving procurement from RT to Phabricator
Declined	Varnent	T89335 Creating private tasks by filling a web form (for AffCom)
Resolved	Aklapper	T94108 Community Liaison project/space for private tasks
Resolved	• mmodell	T76929 Provide alternate style for non-public issues
Resolved	• mmodell	T76563 A direct way to submit a security report as a private task
Resolved	Aklapper	T105742 Document Phabricator Spaces for teams
Resolved	Qgil	T823 Implement Phabricator Spaces
Resolved	RobH	T38 Migrate RT to Phabricator
Resolved	Aklapper	T39 Set up permissions for Phabricator
Resolved	Aklapper	T43 Decide how to organize projects
Resolved	Aklapper	T107 Figure out a replacement for "easy" keyword: Create an "Easy" project in Phabricator
Resolved	Aklapper	T100 Decide how to organize iterations and releases
Resolved	Aklapper	T101 Figure out a process for backports: Create "WMF-Server-Backports" and "MediaWiki-Tarball-Backports" projects
Declined	Aklapper	T102 Decide whether we need to add a severity (impact) field to match Bugzilla's
Resolved	Qgil	T268 Decide on "Priority" field values for Maniphest tasks
Resolved	• chasemp	T212 Decide which task statuses we want to have in Maniphest
Resolved	• chasemp	T245 create script to dump RT tickets and relevant data to static and structured format
Resolved	• chasemp	T419 Handle metadata / user account claiming on imported tickets
Resolved	• chasemp	T572 Determine the fate of comment metadata from legacy systems in phabricator.wikimedia.org
		Restricted Task
Resolved	• chasemp	T918 Author: line remains in the description, even after the task is claimed by email address
Resolved	• chasemp	T376 logic to import rt data into phabricator
Resolved	Qgil	T76773 Schedule RT migration for Thu 18 Dec 00:00UTC (Wed 17 Dec 16:00PST) until Thu 18Dec 08:00UTC (00:00PST)
Resolved	• gpaumier	T76987 Blog post announcing the RT migration to Phabricator
Resolved	Aklapper	T76989 Document the details of the RT migration
Resolved	Dzahn	T674 need to figure out how to make an rt queue read-only
Resolved	Dzahn	T675 need to figure out how to redirect mail for a particular rt queue
Declined	None	T118176 migrate RT maint-announce into phabricator
Invalid	RobH	T120033 this is a test subtask
Duplicate	RobH	T120034 this is the second test sub-task
		Unknown Object (Task)
		Unknown Object (Task)
Declined	• mmodell	T517 Still, restricting access to tasks based on project membership
Duplicate	• mmodell	T518 Users CCed in private tasks should be able to access them
Resolved	Qgil	T76401 Short term plan for security and private tasks
		Restricted Task
Resolved	• mmodell	T101929 Next Phabricator Upgrade: 2015-06-10
Resolved	• Springle	T101347 need 'spaces' database for phabricator
Resolved	None	T102473 Visibility policies for objects in private Spaces can include 'Public' and be very misleading
Resolved	• mmodell	T104047 Next Phabricator upgrade: 2015-07-01

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

Liuxinyu970226 subscribed.Jan 15 2015, 7:50 AM

• ggellerman added a subscriber: • Spage.Jan 16 2015, 9:47 PM

There is an ongoing discussion about the possibility for the Fundraising-Tech team to get permissions to mark some tasks private. See T88762: Enable select Fundraising people to modify policy for tasks.

• ggellerman added a subscriber: • DarTar.Feb 9 2015, 5:31 PM

Qgil moved this task from To Triage to Need discussion on the Phabricator board.Feb 11 2015, 8:20 AM

Seeing the discussion at T88762 and also knowing that other teams are considering Phabricator if the problem of private tasks can be solved (Zero, some non-tech WMF teams, and even the Affiliations Committee)... I wonder whether we should consider to simply add more options to the "Security" field.

The solution taken for security bugs and Ops private tasks is basically what these teams need. I don't see any problems in this approach, other than a longer dropdown menu and probably an increased risk of misfiled tasks.

Slaporte subscribed.Feb 11 2015, 3:54 PM

In T823#1030131, @Qgil wrote:

Seeing the discussion at T88762 and also knowing that other teams are considering Phabricator if the problem of private tasks can be solved (Zero, some non-tech WMF teams, and even the Affiliations Committee)... I wonder whether we should consider to simply add more options to the "Security" field.

The solution taken for security bugs and Ops private tasks is basically what these teams need. I don't see any problems in this approach, other than a longer dropdown menu and probably an increased risk of misfiled tasks.

Not opposed to adding more items to the drop down. I think but for the most part it is hard to make it flexible and not overwhelm people with weird and implicit behavior. We will be at four items pretty soon and from there it will start to get muddy if we aren't careful. I think before we go that route we should try a few case by case and see how things are used.

A few thoughts are:

Drop down items in the security menu can do lots of things, and are not necessarily obvious to the choosers we have found.
We can actually create template tasks that will carry policy over with them to any tickets created using the template. I investigated this with upstream a bit to see if the auxiliary fields would populate with a template (they don't), but most everything else does. So if we set up a template that sets view/edit policy as fundraising ...anyone in that group (I believe) can use it to create tasks that are secure. Only a few people in that arena need to be hip to how to navigate policy with rights to un-hide things as appropriate, and fix edge cases.
I think there are not many use cases we haven't encountered that we are aware of? Maybe HR and other non-technical people will have them, but I'm wondering if this is the right place for that kind of stuff. Not trying to keep them out but this is a bit of the wild west for HR type personal data.
I think a few Fundraising folks with policy knowledge, a template task for easy creation, and circling back in a few weeks to see how this is working is a reasonable way to feel our way through the darkness here.

In T823#1030131, @Qgil wrote:

Seeing the discussion at T88762 and also knowing that other teams are considering Phabricator if the problem of private tasks can be solved (Zero, some non-tech WMF teams, and even the Affiliations Committee)... I wonder whether we should consider to simply add more options to the "Security" field.

The solution taken for security bugs and Ops private tasks is basically what these teams need. I don't see any problems in this approach, other than a longer dropdown menu and probably an increased risk of misfiled tasks.

More detail on the AffCom use case-- they are discussing tools to easily manage their internal approval process for user group applications. User group applications should only be visible to AffCom members. Phabricator looks like it has great task management tools for them if it's possible for them to make their project private.

Qgil mentioned this in T89335: Creating private tasks by filling a web form (for AffCom).Feb 12 2015, 8:08 AM

Qgil added a parent task: T89335: Creating private tasks by filling a web form (for AffCom).

In T823#1032703, @chasemp wrote:

Drop down items in the security menu can do lots of things, and are not necessarily obvious to the choosers we have found.

Absolutely true, and a good reason to find alternatives to the drop-down menu, especially for cases where most if not all the private tasks will be created by a single team (as opposed to users creating them, as it is the case for security bugs and ops requests).

We can actually create template tasks that will carry policy over with them to any tickets created using the template.

This is great news indeed.

I think there are not many use cases we haven't encountered that we are aware of?

Not many, but I have stopped some myself, pointing the teams who asked to this task. Now that there is progress, I will encourage them to declare their needs in tasks, and add them as blocked by this one.

I think a few Fundraising folks with policy knowledge, a template task for easy creation, and circling back in a few weeks to see how this is working is a reasonable way to feel our way through the darkness here.

Strong +1. Fundraising-tech can go first; the rest can wait and see.

Qgil added a parent task: T88978: Migration of the Zero team to Phabricator.Feb 12 2015, 8:17 AM

Qgil added a parent task: T88762: Enable select Fundraising people to modify policy for tasks.

Research & Data also uses private trello boards for handling sensitive requests (for example, private data requests that may involve an NDA, grant proposals etc). It sounds like the mid term solution would be the best for us.

Qgil added a parent task: T826: Migration of Research & Data to Phabricator.Feb 12 2015, 10:53 PM

• atgo mentioned this in T88762: Enable select Fundraising people to modify policy for tasks.Feb 18 2015, 10:40 PM

Varnent subscribed.Feb 25 2015, 2:42 PM

Liuxinyu970226 unsubscribed.Feb 27 2015, 9:56 AM

@Qgil: I understand the mid-term solution is becoming long-term, how do we move forward with the short term approach?

@DarTar, I would say that as soon as @atgo confirms that she is happy with T88762: Enable select Fundraising people to modify policy for tasks we could create the same type of setup for other teams.

@Qgil, great – can you let me know when that happens and open a similar request for R&D?

@DarTar @Qgil 'm pretty happy with it, though I would like to expand the
group who can write policy a little bit to include a few more people. I'll
follow up with Chase about that when I have a chance.

• Rdicerb added a parent task: T94108: Community Liaison project/space for private tasks.Mar 26 2015, 10:23 PM

According to this estimate, asking Phacility Ink to prioritize the development of private spaces in Phabricator would cost about $18K USD. How I see it, for (say) $30K and a bit of extra work from our side, we could stop maintaining our own Security hack, make happy Fundraising Tech, Zero, Operations, and probably other Engineering & Product teams, and bring to Phabricator the non-tech WMF teams using Asana, Trello, or more rudimentary ways to organize their sensitive work.

@greg, please consider budgeting for this contract work in the next fiscal year. I think it would be a good investment and I will support it in any forum where someone is interested in my opinion. ;)

"global, default-deny walls around groups of unprivileged users"?

Hmm. Not sure if that is entirely what we want.

@Krenair Its been renamed to "Implement top-level "Spaces" that provide policy isolation to groups of objects" and that, I believe, is what we want.

The upstream implementation is focused on the use case of a design studio who uses phabricator and want to have a separate phab instance for each client. Essentially it's would allow employees to switch between namespaces but clients would be jailed to just one namespace. So most of the phab database would be unique to each namespace with just a few things shared among all of them. It would be perhaps overkill for our use case and I don't know if it would satisfy our very particular rules about who can and cannot see a security bug's task.

Then again I might be wrong, perhaps it would work somehow ... I don't see how it would work for security bugs but it might work well for the other use cases.

I think that use case works well for our teams dealing with sensitive information. According to https://secure.phabricator.com/T3820#86217, there will be a main space (public, like this instance now), and then specific spaces with specific policies. Projects and tasks can be moved from one space to the other. A task created publicly could be moved to a private space and vice versa.

Our local Security extension has allowed us to migrate Bugzilla and RT without waiting for a proper solution from upstream (that as of today still does not exist). However, since the beginning we agreed that this would be an interim solution, being the final solution either an upstream implementation (or our implementation being evolved and upstreamed, theoretically). Spaces is how Phabricator upstream plans to solve this problem, if they would have developed them a year ago we would have used them. I think we should support its development if we can afford it.

• ggellerman added a subscriber: • ksmith.Apr 24 2015, 8:13 PM

Qgil added a subscriber: • ZhouZ.May 7 2015, 9:43 PM

Qgil changed the task status from Stalled to Open.May 12 2015, 7:03 AM

Qgil claimed this task.

Qgil raised the priority of this task from Lowest to Low.

I will try to write a proposal and pool the budget necessary for Phacility Inc (the Phabricator maintainers) to work on Spaces. Dob't expect too much progress in the next couple of weeks (before the Wikimedia Hackathon), though.

In T823#1278602, @Qgil wrote:

I will try to write a proposal and pool the budget necessary for Phacility Inc (the Phabricator maintainers) to work on Spaces. Dob't expect too much progress in the next couple of weeks (before the Wikimedia Hackathon), though.

Is there a specific place we can give feedback on what tasks we'd like to pay upstream to work on? I think a lot more people would benefit if we asked upstream to fix search rather than private projects which would affect very few people.

Is there a specific place we can give feedback on what tasks we'd like to pay upstream to work on?

Currently not, and it is a good idea. It would make sense to have a relation between the relevance of a task and the likeliness of us paying to have it fixed, therefore I would start by discussing priorities of tasks under "Wikimedia requests" at the Phabricator (Upstream) workboard.

For instance, I'm increasing the priority of this task, since I want to have the budget part solved before the end of June / end of of WMF fiscal year.

While private projects might affect less people than search, the impact on these teams would be very high, and I think it would ultimately benefit our support on Phabricator. For instance, if the percentage of WMF teams using Phabricator as primary tool increases, and they also happen to find problems with search, then the chances of raising the priority of the related tasks and even finding budget to pay for the fixes would also increase.

Qgil added a project: ECT-June-2015.May 29 2015, 7:26 AM

Niharika subscribed.May 29 2015, 12:48 PM

Development is happening upstream.

https://secure.phabricator.com/T3820 (followed the blockers)
Specs: https://secure.phabricator.com/T3820#116875

Qgil renamed this task from Process to request a private project to Implement Phabricator Spaces.Jun 3 2015, 9:09 AM

Qgil updated the task description. (Show Details)

Qgil edited projects, added Phabricator (Upstream); removed Phabricator.

Qgil updated the task description. (Show Details)Jun 3 2015, 9:52 AM

Qgil added a subtask: Restricted Task.Jun 4 2015, 9:47 AM

Qgil added a subtask: T101347: need 'spaces' database for phabricator.

Qgil mentioned this in T93760: Moving procurement from RT to Phabricator.Jun 4 2015, 11:06 PM

This exists since the phabricator upgrade yesterday:

https://phabricator.wikimedia.org/spaces/

The database for it had to be created that's why i know it wasn't there before.

There is also a button "Create Space" now, it's limited to admins though.

https://phabricator.wikimedia.org/spaces/create/

Qgil added a parent task: T93760: Moving procurement from RT to Phabricator.Jun 5 2015, 8:32 AM

From https://secure.phabricator.com/T8376#118034

Spaces is now a real (prototype) application, but doesn't do anything useful yet.

Contract Request Form sent to WMF-Legal. This will take some days but will not stop the development upstream.

• atgo unsubscribed.Jun 5 2015, 9:52 AM

JeanFred awarded a token.Jun 9 2015, 8:12 AM

Qgil added a parent task: T76929: Provide alternate style for non-public issues.Jun 10 2015, 6:43 AM

Qgil removed a parent task: T826: Migration of Research & Data to Phabricator.Jun 10 2015, 3:32 PM

Aklapper added a parent task: T76563: A direct way to submit a security report as a private task.Jun 10 2015, 6:06 PM

Aklapper mentioned this in T76563: A direct way to submit a security report as a private task.Jun 10 2015, 6:08 PM

After the last Wikimedia Phabricator update, https://phabricator.wikimedia.org/spaces/ exists. According to upstream it is "useless" as of today. Development continues upstream at a fast pace.

On our side, I got the contract past the Legal check and now it is waiting for the Financial check. Should be fine, since we have the budget.

In T823#1355913, @Qgil wrote:

After the last Wikimedia Phabricator update, https://phabricator.wikimedia.org/spaces/ exists. According to upstream it is "useless" as of today.

I got Phab-03 up with Phabricator at upstream's HEAD if it is any use to anyone else. Spaces seems to be working quite well there. I'll just be testing on it for a few weeks (at least) and then'll probably delete it unless someone needs it.

Qgil removed a parent task: T88978: Migration of the Zero team to Phabricator.Jun 11 2015, 8:25 PM

Qgil moved this task from Backlog to Wikimedia requests on the Phabricator (Upstream) board.Jun 12 2015, 7:29 AM

(Lowering priority to Normal only to reflect that others are taking the initiative. My part as pusher is basically done. I keep reacting fast to anything I can do with the contract and the project upstream.)

Krenair added a subtask: T102473: Visibility policies for objects in private Spaces can include 'Public' and be very misleading.Jun 15 2015, 1:54 PM

The contract has been approved by Legal and Finance. After the trivial step of collecting a couple of signatures, Phacility Inc can invoice us by the end of this month. Therefore, I will stop talking about bureaucracy here. Back to 100% technical discussion. :)

Qgil moved this task from Backlog to Doing on the ECT-June-2015 board.Jun 18 2015, 9:04 AM

Krenair closed subtask Restricted Task as Resolved.Jun 19 2015, 2:46 PM

Krenair closed subtask T102473: Visibility policies for objects in private Spaces can include 'Public' and be very misleading as Resolved.Jun 22 2015, 2:49 PM

From https://secure.phabricator.com/T3820#123094 :

Spaces are now available in master. They'll promote to stable in this week's release, and are likely to leave prototype next week.

You can find some documentation here: https://secure.phabricator.com/book/phabricator/article/spaces/

T8376 has details and additional context, as well as links to remaining work.

This means that we might get stable Spaces functionality in our next upgrade, or in the following at most (meaning in about 2-4 weeks).

We can start thinking who will want to test Spaces...

Phab-03 was ready for Spaces testing (I say was because T103918 seems to have left it in a peculiar state).

Qgil mentioned this in T87135: Phabricator should only notify changes to the "Security" field if it is indeed changed.Jun 26 2015, 6:13 PM

Ricordisamoa subscribed.Jun 26 2015, 7:06 PM

Qgil added a subtask: T104047: Next Phabricator upgrade: 2015-07-01.Jun 27 2015, 7:35 AM

Aklapper closed subtask T104047: Next Phabricator upgrade: 2015-07-01 as Resolved.Jul 2 2015, 10:55 AM

Restricted Application added a subscriber: Luke081515. · View Herald TranscriptJul 2 2015, 10:55 AM

Alright, we have Spaces. I'm resolving this task, and I'm happy to give a hand to the first team willing to test them.

Krenair removed a parent task: T88762: Enable select Fundraising people to modify policy for tasks.Jul 2 2015, 2:22 PM

Aklapper mentioned this in T105742: Document Phabricator Spaces for teams.Jul 13 2015, 9:14 PM

Aklapper added a parent task: T105742: Document Phabricator Spaces for teams.

I'm wondering if the people using Spaces know what they're doing... I've been getting subscribed to tasks in spaces that I can't actually view, and it's actually kind of annoying (and concerning that someone might be trying to bring my attention to something but me not being able to view).

In T823#1727008, @Krenair wrote:

I've been getting subscribed to tasks in spaces that I can't actually view

Meh. :(
Please point people to the documentation which has always been stating:

A Space's policy is absolute and stronger than any other policy rules. If a user cannot see a space, the user can never see objects inside the space either, even if they are author, assignee or subscriber of the task in that space. (To allow users which are not member of the space to view or edit an object in the Space, a Custom Policy needs to be applied on the object instead of a Space.)

Or if you have an idea how to make that documentation more clear, feel free to edit.

In T823#1727542, @Aklapper wrote:

In T823#1727008, @Krenair wrote:

I've been getting subscribed to tasks in spaces that I can't actually view

Please point people to

Part of the problem is that I can't identify the people doing it. We can't even send out a mass message to all users of private spaces warning them to clean up their act, because in at least one case all you can see about a space visibility policy is that it's set to custom - unless your account fits the space policy (and maybe the space edit policy?) in which case you can probably view the policy itself.

In T823#1727544, @Krenair wrote:

Part of the problem is that I can't identify the people doing it.

@Krenair: As you wrote "I've been getting subscribed to tasks in spaces that I can't actually view", how did you find out? We currently have two restricted spaces in use (CEP and Ops) so teams could be contacted (both have a mailing list) to raise awareness.

The notification counter goes up without any new unread notifications being shown. It's an upstream bug, which they could fix... But still wouldn't deal with my concern that maybe some of these are people actually trying to add me to things (or maybe not... who knows?).