
What permissions and access is required for a user created just to run the phabricator daemons?
Closed, ResolvedPublic

Description

I've currently done some trial and error and got:

write access to /var/repo and all below
write access to /var/tmp/phd and all below
access to phabricator files and libphpfiles

This gets the daemons running but I don't think I've got everything. For example I can't see the combined logs in the daemons application any longer.
I have looked through the documentation, but there doesn't seem to be any information further to "create a user" in the diffusion hosting guide.
Am I missing something in the documentation?

Event Timeline

cpa199 raised the priority of this task from to Needs Triage.
cpa199 updated the task description.
cpa199 added a subscriber: cpa199.

I think that's everything. We removed the Combined Log from the web UI in T5405 for security reasons. You can now review the daemon logs with bin/phd log.

Ah, that explains it :)
I'm very close now, I've got a hosted repo and I can clone it, but when I push anything back up (authenticated http) I get:
"remote: error: insufficient permission for adding an object to repository database ./objects"
Apparently that is likely related to the groups/permissions of the repo directory. Any idea what I may have done wrong here? I'm scouring the net as I type though I've not found the solution yet.

One reason that can happen is if you have everything set up correctly, but aren't running the daemons as the daemon-user (specifically, phd.user), or ran them as root at some point in the past. When they were running as root, they might have written files as root to the repository working copies. If so, you can resolve this by just changing permissions back to the daemon user.
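An added example (not part of the original thread or of Phabricator) that audits the daemon-writable directories for paths left behind by another account such as root. The function names are hypothetical, and the daemon user and directories are passed as arguments; /var/repo and /var/tmp/phd are the paths from the task description.

```shell
#!/bin/sh
# Added example: find paths the daemon user does not own, e.g. files written
# while the daemons were running as root.
# Assumed usage: sh audit.sh <daemon-user> /var/repo /var/tmp/phd

# Print every path under directory $2 not owned by user $1 (name or numeric uid).
foreign_owned() {
    find "$2" ! -user "$1" -print
}

# Number of such paths, as a bare integer.
foreign_count() {
    foreign_owned "$1" "$2" | wc -l | tr -d ' '
}

# Report on each directory; returns 1 if any is missing, unreadable or has strays.
audit_daemon_dirs() {
    user=$1; shift
    status=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"; status=1; continue
        fi
        # find exits non-zero for an unknown user name or an unreadable subtree.
        if ! stray=$(foreign_owned "$user" "$dir"); then
            echo "ERROR   $dir: find failed (unknown user or unreadable path)"
            status=1; continue
        fi
        if [ -n "$stray" ]; then
            n=$(printf '%s\n' "$stray" | wc -l | tr -d ' ')
            echo "FAIL    $dir: $n path(s) not owned by $user, first few:"
            printf '%s\n' "$stray" | head -n 5 | sed 's/^/          /'
            # Typical remedy once reviewed: chown -R <daemon-user> <dir>
            status=1
        else
            echo "OK      $dir"
        fi
    done
    return $status
}

# Run only when arguments are given, so the functions can also be sourced.
if [ "$#" -gt 1 ]; then
    audit_daemon_dirs "$@"
fi
```

Run it as root so that every subdirectory is readable; a non-zero exit status means at least one directory needs attention.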

Ah, that'll be it then. I'm going to go from scratch this time and hopefully this'll be the last piece of the puzzle.
Thanks for your prompt responses and helpful information as always.

cpa199 claimed this task.

That worked perfectly, thank you.
I'm putting all of these configuration pieces into an Ansible role which allows me to reinstall and configure Phabricator automatically in minutes. It is currently in an early state and I'm doing other things too, but I'd be happy to keep you in the loop on progress and hopefully provide it to you at an appropriate point should you be interested.

See T4200 for some discussion of why we don't support playbooks/recipes/packages/AMIs/etc in the upstream right now.

No worries, thought I'd offer seeing as I'm doing the work anyway!
A well-written role can maintain idempotence even in the face of already installed and configured databases, for example, and can work across multiple OSs (I am currently working with CentOS/RedHat 6+7 and Ubuntu 12+14, for example), but you are right that it's a lot of work to do that, almost a job in itself, so I can understand that you don't want to have to maintain such a thing unless necessary.