Page MenuHomePhabricator
Create Task
Maniphest T10513

Proposed Solution to Admin Control Paradox
Closed, WontfixPublic
Actions

Description

The Problem: Administrators of any online collaboration platform, including Phabricator, typically discover a need for all-access or near-all-access controls in order to properly maintain the community. Many Phabricator users have expressed a desire for these kinds of features.

Some examples of the need for these controls:

  • A change needs to be made to an object for accuracy, but the user with edit privileges is unavailable for an extended period of time.
  • An object is given incorrect view/edit privileges, thereby preventing necessary admin management (edit, remove, etc) without opening policy where possible. This is especially problematic on objects that should not have "All Users" policy.
  • Pedantic (but important) cleanup work - file permissions wrong on an attached file, wrong linked object codes, broken links, closing outdated polls - where requesting changes by the user is either impossible or a royal pain in the keister.
  • Administrative conflict resolution - removing inappropriate material from comments/objects (such as flaming or community rule violations) without destroying useful information also present on the material.
  • Cleanup from deactivated/banned users - right now, either policy has to be opened fully (where even possible), or the deactivated account has to be taken over by the admin. In the latter scenario, cleanup is not credited to the admin (which looks really awkward at times. (Minor.)

However, the equally weighty problem that @epriestley and @chad have brought up is that, if compromised, an all-access admin account is now an open door to crackers. Simply put, the benefits of an all-access accounts are far outweighed by the security risk.

The Current Solution: To offset the inconvenience, anyone with access to the server controls (a far more secure interface) can manage Phabricator user accounts and perform some override actions (such as freeing some object policies). This does not provide the full set of obvious or necessary controls, however, and many actions (especially edits) require manual login as another user. To do this, either the admins must maintain a list of issued passwords (security risk), or force users to change passwords after they manually overriding the current password via server controls so they can log in. Neither of these solutions are ideal by any measure.

The Proposed Solution: Over lunch, the thought occurred to me that we can find a safe compromise between both views, by creating a fourth kind of user account, which I'll call a hammer for the moment (borrowing from my IRC days). A hammer account would have the following features.

  • Can only be created via the server interface.
  • Automatically generated username (hammer, followed by 16+ random characters) and very strong password (64+ characters, including letters, numbers, and symbols) - copy and paste from the server terminal is easy, but it would be mathematically impossible to crack it within the account's lifespan.
  • Forced maximum lifespan of (two?) hours - plenty of time to perform any necessary action. After the lifespan ends, or after the account is logged out of (whichever happens first), the hammer account is automatically destroyed.
  • All hammer actions are attributed to a "System Administrator" bot account, which was automatically created by Phabricator, has no direct login, and cannot be modified or deleted.
  • A hammer account has all-access control to everything, regardless of space, scope, view, or edit privileges.
  • Optional localhost access only setting could prevent hammer logins from any IP besides localhost, adding a layer of steel to the security of the feature.

Other Benefits: Another benefit of having a hammer account feature is that it would further discourage less-experienced admins from doing unsafe things, like deleting or blowing policy wide open on something the admin wants to edit or remove. The fact they can "hammer-up" and use Phabricator's usual web interface will encourage them to use the typical edit and hide features.

Also, since actions are taking place via the normal Phabricator interface, and are being attributed to System Administrator, admin actions are completely transparent and, in many cases, reversible by the user in question.

Event Timeline

CodeMouse92 created this task.Mar 3 2016, 10:50 PM
CodeMouse92 updated the task description. (Show Details)
wschroo added a subscriber: wschroo.Mar 4 2016, 9:19 AM
epriestley added a comment.Mar 4 2016, 4:27 PM

What are the specific things you want this feature for? Please describe the root problem you're facing. See Describing Root Problems for help.

Many Phabricator users have expressed a desire for these kinds of features.

Can you point me at a few examples of things users want this feature for?

(Users have sometimes expressed surprise that administrators are not all-powerful, but I don't consider this a problem in and of itself.)

CodeMouse92 updated the task description. (Show Details)Mar 4 2016, 9:23 PM
CodeMouse92 added a comment.EditedMar 4 2016, 9:26 PM

Added several scenario issues to the description. I don't know that I can track down all the comments, as this place is huge and my memory is pretty shaky on things like that. I just remember a observing few different conversations regarding it, but I cannot remember where. If we polled users, we could probably get a better idea of whether this matters to users in general.

I can say personally that it's really awkward to do my admin duties on our server under present conditions. I can continue on the way I'm doing it, but our workarounds are not ideal. It's also one of the reasons I'm hesitant to ever open our instance of Phabricator up to outside open-source contributors - I cannot efficiently keep things organized in that situation, given current tools.

avivey added a subscriber: avivey.EditedMar 4 2016, 10:23 PM

How many of these would be solved with a ./bin/policy set-edit-policy --user bobc object, instead of unlock (== 'all users') ?

CodeMouse92 added a comment.EditedMar 4 2016, 10:24 PM

Hm, somehow I missed the documentation on that. However, set-policy does not work on all objects.

avivey added a comment.Mar 4 2016, 10:24 PM

(That's a theoretical workflow, it's not there yet)

CodeMouse92 added a comment.EditedMar 4 2016, 10:25 PM

Ah, I see. Well, that's one more way to solve it, I suppose. At the same time, it might be slightly less efficient if you have to do that on 20-30 objects in one session, and then edit. The hammer method would be one command and one login, and then you can edit all of the above (including policy, via normal web interface means.)

epriestley closed this task as Wontfix.Mar 4 2016, 11:47 PM
epriestley claimed this task.

I can't recall any reports of those issues on other installs, and we haven't experienced them ourselves. I don't think these issues are typical, frequent, or widespread.

You can fork Phabricator and make this change to give administrators total power:

diff --git a/src/applications/people/storage/PhabricatorUser.php b/src/applications/people/storage/PhabricatorUser.php
index 07c5695..fd8d50b 100644
--- a/src/applications/people/storage/PhabricatorUser.php
+++ b/src/applications/people/storage/PhabricatorUser.php
@@ -1056,6 +1056,11 @@ final class PhabricatorUser
    * @return bool True if the user bypasses policy checks.
    */
   public function isOmnipotent() {
+    // Allow administrators to bypass all policies.
+    if ($this->getIsAdmin()) {
+      return true;
+    }
+
     return $this->omnipotent;
   }

I currently think it is very unlikely that we will ever provide any sort of omnipotent web access for any users.

aubort added a subscriber: aubort.EditedMay 30 2016, 9:38 AM

Hi,

I had to make the admin omnipotent using this trick, but then it had trouble validating the CSRF token.

I also had to add this patch for this to work,

--- a/src/applications/people/storage/PhabricatorUser.php
+++ b/src/applications/people/storage/PhabricatorUser.php
@@ -357,7 +357,7 @@ final class PhabricatorUser
   }
 
   public function getCSRFToken() {
-    if ($this->isOmnipotent()) {
+    if ($this->isOmnipotent() && !$this->getIsAdmin()) {
       // We may end up here when called from the daemons. The omnipotent user
       // has no meaningful CSRF token, so just return `null`.
       return null;

It must be noted, there are a lot of problems forcing admin to be omnipotent, it cannot interact with repositories by ssh for instance.

Herald added a subscriber: faulconbridge. · View Herald TranscriptMay 30 2016, 9:38 AM
Phabricator · Built by Phacility