Page MenuHomePhabricator
Create Task
Maniphest T87467

have any task put into ops-access-requests automatically generate an ops-access-review task
Closed, ResolvedPublic
Actions

Description

Requirements for tasks files as 'Operations Access Request' (OAR):

  • should get the Operations-Access-Request project associated.
  • Tasks files as 'Operations Access Request' (OAR) should get the Operations project associated.
  • Tasks should be public/all users for permissions (currently this is "admin" and members of operations-access-requests project which is not a "membership" oriented grouping)
  • Tasks should create a subtask that is hidden and set to Operations only (currently this is set to allow ops and the original tasks author which defeats the point of the private subtask). Projects of this sub-task should be Ops-Access-Reviews & SRE

We discussed this in our Phabricator discussions this week, but I cannot find a task to track this particular item.

Any tasks created or moved into ops-access-requests should have a blocking subtask in ops-access-review. The idea of this is the request will have the user info and manager approval, where the review will be a private security review ticket.

Right now, we're manually creating these tickets, but it stinks. Automatically creating these tickets would be ideal. The creator/author is immaterial, but it should NOT include the original requestor of access from the ops-access-request task. It should only be for ops, so having it wholly unassigned and authored by an admin or system user for the blocking task would be ideal.

The suggestion in the meeting was to make an 'access request' option in the security drop down, which would do these ticket creations automatically.

Additionally, any task in ops-access-requests or ops-access-review should also get tagged with SRE.

As such, I've assigned this to Mukunda, since he handles that drop down implementation. If this is incorrect, please let me know!

Details

SubjectRepoBranchLines +/-
* herald should ignore access-request tasksphabricator/extensions/securityproduction+7 -4
Fix the author username and the project names for ops-access-requestsphabricator/extensions/securityproduction+14 -8
Customize query in gerrit

Revisions and Commits

rOPUP Wikimedia Puppet
rOPUP99e83b51b417 phab update security extensions for access-request
rOPUPf485af6840ed phab update security extensions for access-request
rOPUPeebde3bd1102 phab update security extensions for access-request

Related Objects
Search...

Event Timeline

RobH created this task.Jan 23 2015, 10:31 PM
RobH assigned this task to mmodell.
RobH raised the priority of this task from to Needs Triage.
RobH updated the task description. (Show Details)
RobH added a project: acl*sre-team.
RobH subscribed.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 23 2015, 10:31 PM
chasemp added a project: Phabricator.Jan 23 2015, 10:32 PM
chasemp set Security to None.
RobH updated the task description. (Show Details)Jan 23 2015, 10:50 PM
mmodell added a comment.Jan 23 2015, 10:53 PM

I thought this was already done as part of the security extension. Not extensively tested though.

mmodell added a comment.Jan 23 2015, 10:58 PM

The described behaviour is essentially how it works, however, it's not based on project tags, it's based on the security dropdown. It's not at all straightforward to make it react to project tag changes. Selecting the access request dropdown should trigger the desired behaviour.

mmodell added a subscriber: chasemp.Jan 23 2015, 10:59 PM

Ah ha, I see the access request dropdown option is missing.

@chasemp: any reason this isn't included in the config?

chasemp added a comment.Jan 23 2015, 11:00 PM

@mmodell, before today we weren't ready for it, and I wasn't sure if the logic was ported to Security-Extension-2.0?

mmodell added a comment.Jan 23 2015, 11:01 PM

@chasemp the logic is ported, just not very well tested. I'll do some testing on my local phab and we can go from there.

chasemp added a comment.Jan 23 2015, 11:01 PM
In T87467#992026, @mmodell wrote:

@chasemp the logic is ported, just not very well tested. I'll do some testing on my local phab and we can go from there.

ok cool thanks man, I'll poke at it too. I think it was good last I checked tho?

mmodell added a project: Patch-For-Review.Jan 23 2015, 11:37 PM

https://gerrit.wikimedia.org/r/#/c/186533/

mmodell added a comment.Jan 23 2015, 11:40 PM

@chasemp: See my patch, I fixed a couple of little things (fallout from upstream changes) and this seems to be working well now.

mmodell added a comment.Jan 23 2015, 11:41 PM

One thing you might not want - it currently includes the "CC'd can see this" behaviour...

Aklapper triaged this task as High priority.Jan 24 2015, 1:05 AM
Aklapper moved this task from To Triage to Doing on the Phabricator board.
Aklapper added a comment.Feb 16 2015, 10:34 AM
In T87467#992259, @mmodell wrote:

https://gerrit.wikimedia.org/r/#/c/186533/

Patch (3 lines changed) still needs review. Anybody up?

mmodell added a project: Blocked-on-Operations.Feb 18 2015, 8:06 AM

This is blocked on ops, afaik. It's only used by them so I'll let them decide when to merge it.

mmodell changed the task status from Open to Stalled.Feb 18 2015, 8:33 AM
chasemp added a commit: rOPUPeebde3bd1102: phab update security extensions for access-request.Feb 20 2015, 10:02 PM
mmodell closed this task as Resolved.Mar 28 2015, 10:58 AM
mmodell removed projects: Blocked-on-Operations, Patch-For-Review.
fgiunchedi subscribed.Mar 30 2015, 9:59 AM

today a new access request came in at https://phabricator.wikimedia.org/T94390 however I don't see the related blocking task in ops-access-reviews (https://phabricator.wikimedia.org/maniphest/?statuses=open%2Cstalled&allProjects=PHID-PROJ-ig3hjrebd3npo4yozdz7#R)
also in the security dropdown there's no "ops access request" or equivalent, what's the right procedure?

fgiunchedi reopened this task as Open.Mar 30 2015, 9:59 AM

FTR I came here from https://wikitech.wikimedia.org/wiki/Ops_Clinic_Duty#Access_requests where the whole process is outlined on how it is supposed to work

mmodell added a comment.Mar 30 2015, 10:04 AM

@fgiunchedi: I'm not sure why the menu entry for "ops access request" isn't configured. The code to support it has been merged for quite some time (see rOPUPeebde3bd1102)

chasemp added a comment.Mar 30 2015, 4:56 PM
In T87467#1161698, @mmodell wrote:

@fgiunchedi: I'm not sure why the menu entry for "ops access request" isn't configured. The code to support it has been merged for quite some time (see rOPUPeebde3bd1102)

hey @mmodell, I enabled it here and ran through it and a few things were odd / wrong. I then disabled it and did nothing with that information :) I will try to outline what's up this week here, but overall I think it's minor.

mmodell mentioned this in Unknown Object (Diffusion Commit).Apr 8 2015, 4:33 PM
mmodell mentioned this in rPHESb58375b7920d: Fix fallout from upstream changes. "Ops-Access-Requests" subtask creation is….Apr 8 2015, 4:47 PM
mmodell changed the task status from Open to Stalled.Apr 14 2015, 5:28 PM

@chasemp: any further info would be welcome

chasemp changed the task status from Stalled to Open.EditedApr 27 2015, 8:49 PM
chasemp updated the task description. (Show Details)
chasemp updated the task description. (Show Details)

I setup phab-01 with the relevant settings and ran through and came up with a few of the aforementioned issues. I put some items in the description. Sorry this took me so long to circle back on.

RobH updated the task description. (Show Details)Apr 27 2015, 9:03 PM
mmodell added a comment.Apr 28 2015, 4:36 PM

Doesn't phabricator always assume the author has access? maybe I can work around that.

chasemp added a comment.Apr 28 2015, 5:01 PM
In T87467#1242033, @mmodell wrote:

Doesn't phabricator always assume the author has access? maybe I can work around that.

no it's assignee that always has access

gerritbot subscribed.Apr 28 2015, 5:57 PM

Change 207155 had a related patch set uploaded (by 20after4):
Fix the author username and the project names for ops-access-requests

https://gerrit.wikimedia.org/r/207155

gerritbot added a project: Patch-For-Review.Apr 28 2015, 5:57 PM
gerritbot added a comment.Apr 28 2015, 6:22 PM

Change 207155 merged by Rush:
Fix the author username and the project names for ops-access-requests

https://gerrit.wikimedia.org/r/207155

gerritbot added a comment.Apr 28 2015, 6:32 PM

Change 207165 had a related patch set uploaded (by 20after4):

  • herald should ignore access-request tasks

https://gerrit.wikimedia.org/r/207165

gerritbot added a comment.Apr 28 2015, 6:33 PM

Change 207165 merged by Rush:

  • herald should ignore access-request tasks

https://gerrit.wikimedia.org/r/207165

mmodell mentioned this in rPHES571d16d76640: Fix the author username and the project names for ops-access-requests.Apr 28 2015, 9:06 PM
mmodell mentioned this in rPHES0d3eab8c2172: * herald should ignore access-request tasks.
mmodell mentioned this in rPHESdb399b3720bc: Fix the author username and the project names for ops-access-requests.
mmodell mentioned this in rPHES172605e25e05: * herald should ignore access-request tasks.
mmodell added a subtask: T89830: Next Phabricator upgrade on 2015-05-06.May 1 2015, 8:16 AM
mmodell mentioned this in W1 Tips.May 6 2015, 11:51 AM
mmodell closed subtask T89830: Next Phabricator upgrade on 2015-05-06 as Resolved.May 6 2015, 3:13 PM
Liuxinyu970226 subscribed.May 7 2015, 12:35 AM
mmodell added a comment.May 12 2015, 12:09 AM

@RobH: I believe this should be working now, can you confirm?

mmodell closed this task as Resolved.May 14 2015, 7:49 PM

As far as I can tell this is resolved, please reopen if there are further problems.

Liuxinyu970226 unsubscribed.May 14 2015, 10:49 PM
chasemp added a commit: rOPUP99e83b51b417: phab update security extensions for access-request.Apr 28 2016, 3:23 AM
chasemp added a commit: rOPUPf485af6840ed: phab update security extensions for access-request.
Restricted Application added a subscriber: TerraCodes. · View Herald TranscriptApr 28 2016, 3:23 AM
mmodell mentioned this in rPHESd1aa0c0a29a2: Fix the author username and the project names for ops-access-requests.Apr 28 2016, 7:58 AM
mmodell mentioned this in rPHES4f850a61640c: Fix the author username and the project names for ops-access-requests.
mmodell mentioned this in rPHEXb58375b7920d: Fix fallout from upstream changes. "Ops-Access-Requests" subtask creation is….Jul 11 2018, 11:58 PM
mmodell mentioned this in rPHEX172605e25e05: * herald should ignore access-request tasks.
mmodell mentioned this in rPHEXdb399b3720bc: Fix the author username and the project names for ops-access-requests.
Pppery mentioned this in T103194: Changing a non-access request ticket into an access request ticket does not create restricted blocker.Jan 5 2024, 12:20 AM
Aklapper added a comment.Apr 10 2024, 7:49 AM

For archaeology researchers: This functionality got broken/removed in February 2016 by https://gerrit.wikimedia.org/r/plugins/gitiles/phabricator/extensions/security/+/25c3f70dca558922ac22bb1b664b88208ae2ec37

CodeReviewBot added a comment.Apr 15 2024, 9:47 PM

brennen updated https://gitlab.wikimedia.org/repos/phabricator/extensions/-/merge_requests/30

Remove unused createPrivateSubtask()

CodeReviewBot added a comment.Apr 15 2024, 9:48 PM

brennen merged https://gitlab.wikimedia.org/repos/phabricator/extensions/-/merge_requests/30

Remove unused createPrivateSubtask()

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits