Support permissions/policies in all Phabricator applications
Closed, ResolvedPublic

Assigned To
epriestley
Priority
High
Subscribers
Cobi, epriestley, davidreuss and 57 others
Author
Cobi
Projects
Restricted Project
Restricted Project
Dependent Tasks
Restricted Task
Depends On
T3820: Build JIRA-like "Namespaces" for putting global, default-deny walls around groups of unprivileged users
Restricted Task
Restricted Task
Restricted Task
Differential Revisions
Restricted Differential Revision
Commits
D7343 / rP0b22777f68e7: Remove UI warnings about policies being a janky mess
D7342 / rP5171e3684c58: Require application "Can Use" capability to call Conduit methods
D7334 / rP95c2b03fc8e5: Distinguish between invalid/broken handles and filtered handles
D7322 / rP3410cbd53ee8: Add application and object level policy controls to Countdown
D7321 / rPe381022bc762: Provide application and object level policy controls in Slowvote
D7317 / rP8c1c6fec5ac9: Modernize policies in Paste and Macro
D7318 / rP197d3817bc57: Give disabled crumb actions a distinct visual style
D7300 / rP76dfeb95ba17: Allow "Custom" policies to be selected in the policy control
D7314 / rP3a4c08d7f11a: Simplify custom policies before saving, and reject meaningless policies
D7306 / rP073cb0e78c01: Make PhabricatorPolicyInterface require a getPHID() method
D7309 / rPc4abf160cc51: Fix some file policy issues and add a "Query Workspace"
D7310 / rP502c6f2d4816: Render public content as "Public" in headers, not "Public (No Login Required)"
D7299 / rP13178ec2792b: Prepare the policy rule edit endpoint for integration
D7298 / rP5e5b7576a675: Make PhabricatorPolicyQuery a CursorPagedPolicyAwareQuery
D7297 / rP7364a3bedd5d: Add some missing strings for custom policies
D7296 / rP6c1b00fa40ce: Rename ACTION_ACCEPT into ACTION_ALLOW
D7303 / rP67cca8f7fa14: Fix breadcrumbs for login screen triggered when a logged-out user fails a…
D7292 / rP67b17239b8e6: Allow custom policies to be loaded and executed by the policy filter
D7289 / rP130a15b51bf5: Highlight the currently selected policy in the policy dropdown control thing
D7285 / rP5af031ec9bcb: Make the policy control a JS dropdown with icons
D7282 / rP5899ae08b32b: Add storage for custom policies
D7278 / rPc39b10aa7a56: Fix non-public capabilities in Application edit
Restricted Differential Revision / rPf4582dc49d8d: Allow "Default View" policies to be set to Public
Restricted Differential Revision / rP11fbd213b105: Custom Policy Editor
Restricted Differential Revision / rP436a40335723: Add a "default view" policy to Differential
Restricted Differential Revision / rP650dc0cc302b: Remove the "create rules" Herald capability
Restricted Differential Revision / rP1ee455c441a1: Add default view and default edit policies for tasks
Restricted Differential Revision / rP3147a6ca5709: Improve messaging of special policy rules in applications
Restricted Differential Revision / rP45f38c549b65: Use header status/policy elements in Applications meta-application
Restricted Differential Revision / rP7a97a71e2002: Move Herald application capabilities to newer infrastructure
Restricted Differential Revision / rPb1b1ff83f239: Allow applications to define new policy capabilities
Restricted Differential Revision / rP68c854b9673e: Remove dead `rejectImpossiblePolicy()` method
Restricted Differential Revision / rP2abbd518684a: Don't raise a policy exception if a user can't see the parent revision of a new…
Restricted Differential Revision / rP953ff197bf26: Allow Herald rules to be disabled, instead of deleted
Restricted Differential Revision / rP515f9a36ab7a: When editing objects which use files, attach the files to the objects
Restricted Differential Revision / rPc587b8a9c8fb: Remove `ProjectProfile->loadProfileImageURI()`
Restricted Differential Revision / rP80f6d0094041: Remove PhabricatorProject->loadProfile
Restricted Differential Revision / rP64e4b3aef449: Remove loadMemberPHIDs from PhabricatorProject
Restricted Differential Revision / rPe6d8e1a00ac4: Make Herald rules obey policies during application
Restricted Differential Revision / rPee4bdb501b9b: Make Herald transcripts policy-aware
Restricted Differential Revision / rPc8127edfe9a8: Tighten up some policy interactions in Herald
Restricted Differential Revision / rPa600ab77316f: Prevent administrators from locking themselves out of applications
Restricted Differential Revision / rPHUd72b0f90af7d: Add PhutilLunarPhase, for computing phases of the moon
Restricted Differential Revision / rPa6c4117ec434: Fix controller-level access rules
Restricted Differential Revision / rPc830461b00a0: Allow application policies to be edited
Restricted Differential Revision / rP6100906273eb: Support unlocking applications with bin/policy
Restricted Differential Revision / rP0d83e1d66fee: If a user can't see an application, prevent them from using its controllers
Restricted Differential Revision / rPf75c13b987c7: Use ApplicationSearch in Applications application
Restricted Differential Revision / rP901bdda6b157: Use a policy-aware query in PhabricatorSearchSelectController
Restricted Differential Revision / rP742d45b625d1: Modernize file embed Remarkup rule
Restricted Differential Revision / rPaac490180f30: Write "attach" edges when files are attached to objects via comment or other…
Restricted Differential Revision / rP1d1ecb562952: Add `bin/policy unlock`
Restricted Differential Revision / rP4dfdd0d3167d: Treat invalid policies as broadly similar to "no one"
Restricted Differential Revision / rP98bf001a58a3: Add `viewPolicy` and `attachedToObjectPHID` to PhabricatorFile
Restricted Differential Revision / rP472be5e26e6a: Provide an attached-to-visible-object policy exception for files
Restricted Differential Revision / rPca7a7927948b: Convert `bin/files` to ObjectQuery
Restricted Differential Revision / rPdd206a5b69d5: Viewerize ArcBundle file loading callbacks
Restricted Differential Revision / rP13dae0519368: Make most file reads policy-aware
Restricted Differential Revision / rPe2ed52735387: Add a very simple `bin/policy` script for CLI policy administration
Restricted Differential Revision / rP2d5b59b40108: Move policy config to "Policy" app and make `policy.allow-public` description…
Restricted Differential Revision / rPefc837318485: Show "Search" in menubar while logged out if users can access it
Restricted Differential Revision / rP7f0d0e4e6cc0: Make more Diffusion controllers/views capability-sensitive
Restricted Differential Revision / rP2e5ac128b3ee: Explain policy exception rules to users
Restricted Differential Revision / rP5799e8e2de67: Provide better strings in policy errors and exceptions
Restricted Differential Revision / rPe0f99484ac91: Make Differential views capability-sensitive
Restricted Differential Revision / rP874a9b7fe3f8: When creating or updating a revision, infer the repository from the diff
Restricted Differential Revision / rP3d354d205fbf: Allow editPolicy, viewPolicy, and repositoryPHID to be edited from the web UI…
Restricted Differential Revision / rP9b3d7b0dbaad: Make most Differential reads policy-aware
Restricted Differential Revision / rP80378eb5f6a8: Show policy information in Differential header
Restricted Differential Revision / rPd61c931c7b38: Use Differential policy columns to drive policies
Restricted Differential Revision / rP79abe6653e89: Remove PhabricatorRepository::loadAllByPHIDOrCallsign()
Restricted Differential Revision / rPc458517cb4fe: Add viewPolicy, editPolicy, repositoryPHID columns to DifferentialRevision
Restricted Differential Revision / rPc467cc464fb5: Make most repository reads policy-aware
Restricted Differential Revision / rP1e2718d747e8: Make Maniphest list page react to viewer capabilities
Restricted Differential Revision / rP800f6971bbf3: Make Maniphest detail page react to viewer capabilities
Restricted Differential Revision / rPc7f105ac0e4b: Allow task policies to be edited from the UI; show policy information on the…
Restricted Differential Revision / rP3a87a95e119b: Use ManiphestTaskQuery in nearly all interfaces
Restricted Differential Revision / rP36343600c5c7: Remove obsolete code from ManiphestTaskQuery
Restricted Differential Revision / rP225a38c7d36a: Add viewPolicy, editPolicy storage to tasks
Restricted Differential Revision / rPd63789e4b2a0: Allow repository policies to be edited
Restricted Differential Revision / rPa09616858b11: Use RepositoryQuery along common pathways
Restricted Differential Revision / rPe7a7e43104bc: Fix a bug where policy queries with cursor-based pagers and non-ID orders can…
Restricted Differential Revision / rPb558e1b4a4eb: Remove ManiphestTaskListController
Restricted Differential Revision / rPb902005bed52: Kill PhabricatorObjectDataHandle
Restricted Differential Revision / rP07b8becfc6d5: Policy - introduce parentQuery and pass around policy configuration from parent…
Restricted Differential Revision / rPe8142915269a: Introduce ManiphestTaskSearchEngine plus ManiphestTaskListControllerPro
Restricted Differential Revision / rP1e42c62b8f5c: Make ManiphestTaskQuery a (mostly) policy-aware query
Restricted Differential Revision / rPa2571de575c0: Remove obsolete/deprecated withTaskIDs() / withTaskPHIDs()
Restricted Differential Revision / rP1f86c7342881: Simplify policy filtering for projects and ObjectQuery
Restricted Differential Revision / rPe625c91867ec: Pass viewer to all ManiphestTaskQuery objects
Restricted Differential Revision / rP275f67294cc7: Make Flags policy aware
Restricted Differential Revision / rP8eed5b1f1449: Make HeraldRule implement PhabricatorPolicyInterface
Restricted Differential Revision / rPc5a06a624a44: Use application PHIDs for mailing lists
Restricted Differential Revision / rPd2e5afb0959c: Use application PHIDs in Releeph, plus more
Restricted Differential Revision / rP0630ffffaa75: Use ApplicationSearch in Slowvote
Restricted Differential Revision / rP9be755ab127e: Add PhabricatorSlowvoteQuery
Restricted Differential Revision / rP64cc0ce1287f: Add "Visible To" property fields for diffs and revisions
Restricted Differential Revision / rP6aee862bbe6a: Use ApplicationSearch in Differential
Restricted Differential Revision / rP3ec4984f27cd: Use cursor-based paging in Differential
Restricted Differential Revision / rP0c2e38e81c9c: Make DifferentialRevisionQuery policy-aware
Restricted Differential Revision / rP58884b94dc0b: Simplify construction and execution of Differential queries for "responsible"…
Restricted Differential Revision / rP90123dd7392f: Add DifferentialDiffQuery and change most callsites
Restricted Differential Revision / rP328aa383e460: Always provide a viewer when executing DifferentialRevisionQuery
Restricted Differential Revision / rPb28ceafa382d: Update Differential diff view
Restricted Differential Revision / rPab2ed06c384c: Remove DifferentialRevisionListData
Restricted Differential Revision / rPf82e4b0c70a0: Modernize most Conduit console interfaces
Files
Time Spent
brucezhang.q52 w
hwinkel2 m
Tokens
Description

As an admin, I should be able to group users into groups and limit groups to certain repositories in Diffusion, certain projects in Maniphest and Differential, and certain pages in Phriction.

Cobi added a subscriber: Cobi.Via Web · Nov 3 2011, 5:08 PM
davidreuss added a comment.Via Web · Nov 3 2011, 5:12 PM

I'd love to see some sort of permission system in Phabricator as well, and I'm sure lots of installations would require that one be in place before considering evaluating Phabricator for their needs. I was actually considering building a bridge utilizing our existing ACL system in place, but having the mechanism directly in Phabricator would be really neat.

I'm sure @epriestley has some thoughts on the subject.

davidreuss added subscribers: epriestley, davidreuss.Via Web · Nov 3 2011, 5:12 PM
aran added a subscriber: aran.Via Web · Nov 3 2011, 6:11 PM

Strawman: Would it meet your needs if you could share user accounts across several Phabricator installations?

Cobi added a comment.Via Web · Nov 3 2011, 6:24 PM

It would be better than the current state of things, but a unified system would be preferable. Groups would be a big plus, too.

It would be nice to be able to, for example, add someone to the releng group, and they get access everywhere; or to add a new frontend contractor to a frontend contractor group and they only get access to that repository and related items; or a new full-time developer added to a developer group that gets access to trunk and the relevant development (non-operations) projects.

It would also be nice if there wasn't a different domain for each different project or logical group of projects.

stmontgomery added a subscriber: stmontgomery.Via Web · Dec 17 2011, 10:30 PM
epriestley triaged this task as "Normal" priority.Via Web · Dec 24 2011, 5:37 PM

We're going to pursue this, but it's some way off since it's a fairly big change.

jungejason added a subscriber: jungejason.Via Web · Dec 30 2011, 10:08 PM
hvaara added a subscriber: hvaara.Via Web · Jan 31 2012, 11:28 AM
btrahan added a subscriber: btrahan.Via Web · Feb 14 2012, 11:43 PM
btrahan added a project: Restricted Project
epriestley added a subscriber: blair.Via Old World · Mar 22 2012, 3:47 PM

◀ Merged tasks: T399.

epriestley added a subscriber: gschmidt.Via Web · Mar 22 2012, 4:32 PM

@gschmidt asked about this too -- there are a few general use cases here:

  • You want to hide data from your enemies within the company: this is kind of an anti-use-case that I don't feel great about. Facebook is very open (that is, within reason, people know or can get most information) and it seemed like a bias for openness was a really good thing on the balance. Some of the most frustrating things I dealt with at Facebook were systems which were too locked-down (for instance, it took weeks to get Ops to give me access to an internal test load balancer so I could write software for them to make it easier to manage load balancers). Generally, the tools try to give everyone access, and just make sure individuals are accountable for their actions; I think this is the right overall approach. There were many times at Facebook that I was able to anticipate or solve problems because I had access to information or systems I didn't "need" access to. I basically view information partitioning as handcuffing your best people for no good reason (if you don't trust the people you're hiring and think they might be incompetent crooks, why are you hiring them?), not as a smart component of a comprehensive security policy.

    That said, there are some exceptions, and some of them are very good. For example, Facebook had some contractual obligations with vendors to limit access to some information. I ninja-vanished one task on secure.phabriactor.com since it was a drama mess. Some information (like credit card processing) may need restrictions to comply with regulation. So even in my platonic ideal of a well-run organization of the best people, there are some obviously valid use cases. I also don't have tons of experience building companies and the general stance of the tools is to gently suggest the defaults we think will work and scale best, but let you do something else if you want (cf. Mercurial support, audit support) and try to make the best of it, and ACLs are obviously a broadly-established feature in lots of similar software.

    We will likely end up building this mostly because the other use cases require a flexible enough system to support it. That said, the product implementation will probably tend to discourage information hiding (e.g., default to defaulting things open). We also probably won't ever let you hide the fact that you're hiding information: if a user goes to "/T123" and can't see it, it will say "This exists, but you aren't allowed to see it: you need to be in the 'security' group." or something like that (I think hiding the fact that information is hidden is pretty much evil, more technically challenging to implement, and would require product sacrifices, like moving away from incrementing object IDs).

    I also want to try playing around with the concepts here a bit, like possibly implementing "soft" access denial, where you get a roadblock prompt before you can look at an object: "T123 exists, but you aren't in a group that can see it. It's not super-duper secret, so you can click this button to see it, but that will be prominently displayed so everyone will know that you looked at it. Reason for clicking the button: [_______________] [Cancel] [View Task and Log Access]". Not sure if this would actually be a good idea or is like crazy nonsense, though.
  • You have some read-only open source information that you want to be public (maybe open source, maybe SDKs, documentation, etc): This is a use case that we're eager to support, although not focusing on too actively for now. It's kind of half-supported with a couple flags that let you flip everything open, but these are really just for Hive/Hadoop.
  • You want public/user-facing tasks/bug tracking: We generally want to support this through separate tooling, not by putting permissions on Maniphest. Maniphest will also get permissions as part of everything else (and for smaller projects with a very technical userbase, might be an appropriate public face), but our longer-term vision here is integrated-but-separate CRM tooling that can scale to consumer web products like Facebook.
  • OAuth/JS APIs: Phabricator is now an OAuth provider and we'll expose Conduit over a JS API at some point, so you can write tools on top of it using either client-side or server-side OAuth workflows. We want a granular permission system here so you can give up some of your data without giving away everything (Conduit is pretty all-or-nothing right now).
  • General Tooling: Some workflows like automatically-generated diffs need additional permissions which normally don't exist, like "post diffs as some other user". This is basically a super permission that even administrators do not have.
gschmidt added a comment.Via Web · Mar 23 2012, 1:38 AM

Our use case is that we want to give limited access to certain projects and repositories to open-source contributors. There'd be three tiers:

  • The public -- can browse repositories, can see most (but not all) tickets, can comment on things, can close tickets opened by them.
  • Trusted open-source contributors -- can see almost all tickets (including vulnerabilities, say), can accept reviews and audit commits (if they're a member of the appropriate project.) They might or might not have commit bits, and we might or might not have paperwork with them (we would definitely have a CLA with them if they had commit bits.)
  • Employees -- can see everything and do anything. For example, they would have access to the project for our website, and would be able to see and review diffs that discuss unreleased projects. They would have access to our closed-source projects.

There might be an additional tier for customers of our closed-source projects. They could see confirmed bugs on those projects and could file new bugs against them.

Korvin added a comment.Via Web · Apr 4 2012, 6:59 PM

@gschmidt's use case is very similar to ours, it'd be beneficial to have a very flexible system to show or hide specific objects by group so that we can add groups on the fly.
We would use groups like this:

  • Bottom of the Barrel
    • browse everything
    • can't view private repos
  • Contributor
    • discuss commits
    • create diffs
    • edit docs
    • create tasks
    • claim tasks
  • Community Leader
    • Contributor stuff
    • Assign Tasks
    • Accept diffs
Korvin added a subscriber: Korvin.Via Web · Apr 4 2012, 6:59 PM

Herp it'd be nice to be able to edit =[

At the end of that list:

  • Core Team
    • Everything that everyone can do
    • View and manage private repos
    • Create and manage (private)? projects
epriestley added subscribers: toulouse, paulb.Via Old World · Apr 5 2012, 3:13 AM

◀ Merged tasks: T221.

epriestley claimed this task.Via Web · Apr 5 2012, 6:14 PM
epriestley changed files, attached: ; detached: Via Old World · Apr 12 2012, 1:22 AM
epriestley changed files, attached: ; detached: Via Old World · Apr 14 2012, 10:30 PM
joe added a subscriber: joe.Via Web · May 1 2012, 10:31 PM
briancline added a subscriber: briancline.Via Web · May 5 2012, 12:00 AM
mathieuk added a comment.Via Web · May 8 2012, 2:57 PM

My use case would be the following:

Users in certain groups should be able to report and monitor issues, but have no need for viewing the source code. Their access to Diffusion and/or Differential should be limited. Basically it'd be useful to have a DEVELOPER role along with a REPORTER role.

mathieuk added a subscriber: mathieuk.Via Web · May 8 2012, 2:57 PM

My experience is that permission controls are irresistible to middle managers and other people with no real work to do. Further, my experience is similar with being able to fix things that were "not my job" mostly because the people whose job it was, were not able to solve it - organizations could increase efficiency with more open internal access to information/systems. Many big organizations can't risk being too open internally and tools used in those environments require these controls - not that there is not something wrong with that.

ipalaus added a subscriber: ipalaus.Via Web · Jun 19 2012, 5:57 PM
chrismcintoshdesigns added a comment.Via Web · Jun 19 2012, 7:34 PM

I would recommend a system similar to what Drupal CMS uses, i.e., there are Roles, Permissions, and Users.

Permissions are provided by the various pieces of the system that provide functionality allowing someone to say you can do XYZ, but not ABC.

Roles allow you to create a template of Permissions and then assign Users to them. Phabricator currently has two Roles, user and administrator. Being able to create more with fine grains would be great.

asherkin added a subscriber: asherkin.Via Web · Jul 7 2012, 1:30 AM
mikefullerton added a subscriber: mikefullerton.Via Web · Jul 15 2012, 12:12 AM
mikefullerton added a comment.Via Web · Jul 15 2012, 4:55 PM

Is there an ETA on this? The timing of this feature's arrival will help us plan how to deploy phabricator for use in a couple of different scenarios.

Thanks.

floatinglomas added a subscriber: floatinglomas.Via Web · Jul 16 2012, 5:21 PM
epriestley added a comment.Via Web · Jul 16 2012, 5:32 PM

I can't give you too specific an estimate. You can check out Roadmap for the major goals we're pursuing, but realistically the majority of our development bandwidth is spent on interrupts -- support/documentation/bugs/minor features -- rather than pursuing larger initiatives and the rate we make progress toward those goals varies enormously.

I'd guess this is probably 3-6 months away, but that estimate is like plus or minus 3 years.

fabiorocha added a subscriber: fabiorocha.Via Web · Jul 17 2012, 3:04 AM
champo added a subscriber: champo.Via Web · Jul 24 2012, 10:59 PM
AndHub added a subscriber: AndHub.Via Web · Jul 31 2012, 9:44 AM
mbeck added a subscriber: mbeck.Via Web · Aug 6 2012, 8:56 PM
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 7 2012, 1:37 PM
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 7 2012, 3:00 PM
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 7 2012, 3:07 PM
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 7 2012, 3:18 PM
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 7 2012, 3:40 PM
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 7 2012, 4:36 PM
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 7 2012, 4:43 PM
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 7 2012, 6:17 PM
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 7 2012, 10:01 PM
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 8 2012, 2:22 PM
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 8 2012, 4:36 PM
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 8 2012, 5:17 PM
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 8 2012, 5:27 PM
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 8 2012, 8:22 PM
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 9 2012, 12:12 AM
epriestley added a revision: Restricted Differential Revision.
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 9 2012, 2:41 AM
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 9 2012, 2:58 AM
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 9 2012, 12:46 PM
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 9 2012, 3:25 PM
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 9 2012, 5:42 PM
jeremyb added a project: Restricted ProjectVia Web · Aug 10 2012, 6:40 PM
mtraceur added a subscriber: mtraceur.Via Web · Aug 10 2012, 7:12 PM
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 13 2012, 11:06 PM
jeremyb added a subscriber: jeremyb.Via Web · Aug 15 2012, 1:07 AM
epriestley added a revision: Restricted Differential Revision.Via Old World · Aug 15 2012, 5:44 PM
ttr added a subscriber: ttr.Via Web · Aug 21 2012, 2:56 PM
starruler attached a file: Restricted FileVia Web · Aug 25 2012, 2:40 AM

hey @epriestley not sure if you're aware of this but you may want to look into the effect this has on feed. see screen shot. I clicked a link and was told off harshly

starruler added a subscriber: starruler.Via Web · Aug 25 2012, 2:40 AM
epriestley added a comment.Via Web · Aug 25 2012, 3:06 AM

Yeah, Feed and Search and a few other things still aren't privacy-aware. (There's a big caveat on the Project edit page about it:)

NOTE: Policy settings are not yet fully implemented. Some interfaces still ignore these settings, particularly "Visible To".
krz added a subscriber: krz.Via Web · Aug 27 2012, 9:28 PM
UniIsland added a subscriber: UniIsland.Via Web · Sep 4 2012, 6:13 AM
tlogbon added a subscriber: tlogbon.Via Web · Sep 4 2012, 5:04 PM
epriestley added a revision: Restricted Differential Revision.Via Old World · Sep 11 2012, 10:35 PM
epriestley added a revision: Restricted Differential Revision.Via Old World · Sep 11 2012, 11:20 PM
jdonald added a subscriber: jdonald.Via Web · Sep 14 2012, 11:26 PM
epriestley added a revision: Restricted Differential Revision.Via Old World · Sep 17 2012, 6:36 PM
omair added a subscriber: omair.Via Web · Sep 26 2012, 9:51 AM
codertux added a subscriber: codertux.Via Web · Oct 4 2012, 2:54 PM
cmanon added a subscriber: cmanon.Via Web · Oct 18 2012, 2:30 PM
edward added a subscriber: edward.Via Web · Oct 25 2012, 5:55 PM
epriestley added revisions: Restricted Differential Revision, Restricted Differential Revision.Via Old World · Oct 25 2012, 5:56 PM
tolbrino added a comment.Via Web · Nov 22 2012, 9:11 AM

Without having tested the latest changes, but looking at the history this feature seems close to completion. Or am I missing something?

tolbrino added a subscriber: tolbrino.Via Web · Nov 22 2012, 9:11 AM
epriestley added a comment.Via Web · Nov 22 2012, 4:09 PM

Policies themselves are implemented and some of the smaller/newer apps are respecting them, but the major apps (Maniphest, Differential and Diffusion, particularly) do not yet.

Implementing policies in these applications isn't a huge amount of work, but is less straightforward than the existing implementations because they integrate more broadly.

Some features which cross application boundaries are policy-aware (search, feed, notifications) while others are not or are only partially aware (handles, remarkup). We need to lock all of these down before policies really work, since it's obviously silly if you can use {T123} to get the name of a task you aren't permitted to see. (I believe we have plans in place for most of these features, we just need to thread the current viewer through the code in a number of places, and some are tricky.)

Because there are still outstanding issues, we haven't done an audit pass on the code to look for anything we missed (i.e., examine and justify all non-policy direct queries). We will probably end up with a fair number of these and straightening out the ones that should really be policy-aware may take some time.

There are a few open questions. For example, if users A and B are CC'd on a revision and A attaches a task which B can't see but the install is configured to not multiplex email (so we must send A and B a single email), what do we send? A attached T123: xyz? (This leaks the task name). A attached T123: a task some recipients can't see? (this is complicated and less useful for A). How do we deal with policy implementations for mailing lists? How do we deal with Herald rules triggering on a revision you aren't allowed to see (this is complex because a user can potentially combine rules like "content matches regexp" with other side effects to discover object content)?

The answer to some of these questions will probably be meta-policies (see T2034) because some of these questions will create too much tension between utility and policies to really resolve; instead we'll allow you to limit who can, e.g., create global Herald rules and describe the sort of policy violations the permission allows them to perform.

We have at least one request to implement visibility at a more granular level than objects (e.g., let individual comments be marked visible / invisible). We don't currently have an abstract-enough concept of object transactions to support this, but probably want to move there (see T2104). This is messy because we don't feel that edit/delete or comment visibility are incredibly compelling features, but they have fairly large technical/product costs (see T1082).

We don't yet support external policies (e.g., "user is in LDAP group X on my company's LDAP server") but plan to.

We don't yet support custom policies ("Users A, B, C and administrators", "All users except D") but probably plan to.

So a lot of things work well, but there's a lot of stuff remaining too. As is often the case, the major issue is prioritization -- I built around 90% of what we have in 3 days in August. We're probably 1-2 days of dedicated effort away from having Repositories covered in a reasonable way, but I may not get a chance to dedicate that effort for some time. You can check the product roadmap for a sense of what we're working on.
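
An added illustration of the handle problem described in the comment above (not part of the thread and not Phabricator's code): a small Python model that threads the viewer through `{T123}` rendering, keeps restricted and invalid handles distinct, and renders a single shared email at the least-privileged recipient's level, which is the second option the comment lists. All names (`can_view`, `load_handle`, `render_shared_mail`), the rule tuples, the sample tasks and the "Unknown Object" label are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Handle states: visible to this viewer, exists but filtered, or no such object.
VISIBLE, RESTRICTED, INVALID = "visible", "restricted", "invalid"
_SEVERITY = {VISIBLE: 0, RESTRICTED: 1, INVALID: 2}


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()
    is_admin: bool = False


@dataclass(frozen=True)
class Task:
    id: int
    title: str
    view_policy: object  # "public", "users", "admin", or a tuple of custom rules


@dataclass(frozen=True)
class Handle:
    ref: str
    state: str
    title: str = ""


def _rule_matches(viewer, kind, value):
    if kind == "all":
        return True
    if kind == "user":
        return viewer.name == value
    if kind == "group":
        return value in viewer.groups
    if kind == "admin":
        return viewer.is_admin
    return False


def can_view(viewer, policy):
    """Default-deny check. viewer=None models a logged-out request."""
    if policy == "public":
        return True
    if viewer is None:
        return False
    if policy == "users":
        return True
    if policy == "admin":
        return viewer.is_admin
    if isinstance(policy, (list, tuple)):
        # Custom policy: ordered (action, kind, value) rules, first match wins.
        for action, kind, value in policy:
            if _rule_matches(viewer, kind, value):
                return action == "allow"
        return False
    return False  # an unrecognised policy behaves like "no one"


def load_handle(viewer, tasks, task_id):
    """Every lookup takes the viewer; there is no viewer-less code path."""
    ref = f"T{task_id}"
    task = tasks.get(task_id)
    if task is None:
        return Handle(ref, INVALID)
    if not can_view(viewer, task.view_policy):
        return Handle(ref, RESTRICTED)  # existence admitted, title withheld
    return Handle(ref, VISIBLE, task.title)


def render_handle(handle):
    if handle.state == VISIBLE:
        return f"{handle.ref}: {handle.title}"
    if handle.state == RESTRICTED:
        return f"{handle.ref}: Restricted Task"
    return f"{handle.ref}: Unknown Object"


_REF = re.compile(r"\{T(\d+)\}")


def render_remarkup(viewer, tasks, text):
    """Expand {T123} references as seen by one viewer."""
    return _REF.sub(
        lambda m: render_handle(load_handle(viewer, tasks, int(m.group(1)))), text)


def render_shared_mail(recipients, tasks, text):
    """One body for all recipients: a title appears only if everyone may see it."""
    viewers = list(recipients) or [None]

    def expand(m):
        handles = [load_handle(v, tasks, int(m.group(1))) for v in viewers]
        return render_handle(max(handles, key=lambda h: _SEVERITY[h.state]))

    return _REF.sub(expand, text)


# Constructed sample data.
ALICE = User("alice", frozenset({"security"}))
BOB = User("bob")
TASKS = {
    7: Task(7, "Fix typo in docs", "public"),
    123: Task(123, "Rotate leaked signing key", (("allow", "group", "security"),)),
}

if __name__ == "__main__":
    body = "alice attached {T123}; see also {T7} and {T999}"
    print(render_remarkup(ALICE, TASKS, body))
    print(render_remarkup(BOB, TASKS, body))
    print(render_shared_mail([ALICE, BOB], TASKS, body))
```
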

skillcoder raised the priority of this task from "Normal" to "High".Via Web · Dec 14 2012, 11:15 AM

Anyone can change priority? O_o

mikefullerton added a comment.Via Web · Dec 17 2012, 11:07 PM

+1 for repository support for this.

mikefullerton added a comment.Via Web · Dec 18 2012, 6:59 PM

Where are you on making the major apps policy aware? Your previous comment was almost a month ago. In particular Maniphest policy support would be a big deal for me. It would save me on the order of $1k per year. (I'm a one man shop :-).

Thanks!

mdjbxz raised the priority of this task from "High" to "Needs Triage".Via Old World · Dec 20 2012, 3:02 AM
mdjbxz triaged this task as "High" priority.
epriestley changed the title from "Phabricator should have permissions on repository/project basis." to "Support permissions/policies in all Phabricator applications".Via Web · Feb 28 2013, 6:24 PM
epriestley added a subscriber: adityar7.Via Old World · Apr 30 2013, 6:41 PM

◀ Merged tasks: T3074.

sascha-egerer added a comment.Via Web · Jun 28 2013, 8:36 AM

Hey @epriestley,

is there any roadmap or implementation status for this and the related features?

epriestley added a comment.Via Web · Jun 28 2013, 11:27 AM

@sascha-egerer you can find our roadmap here: https://secure.phabricator.com/w/roadmap/

This task is under the "Policy (ACLs)" heading, and the roadmap is roughly in priority order, so there are several items scheduled before this.

This task is the best representation of the current status, which is basically that there hasn't been significant progress here in about 10 months.

btrahan added a comment.Via Web · Sep 26 2013, 6:24 AM

We should probably stop working on this to prevent the mass exodus of folks who cc'd themselves for updates. :D

Korvin added a comment.Via Web · Sep 26 2013, 5:29 PM

@Korvin will never unsubscribe.

epriestley added a comment.Via Web · Sep 26 2013, 5:30 PM

What if it takes TEN THOUSAND COMMITS!?!

bwahaha

epriestley added a comment.Via Web · Sep 26 2013, 5:52 PM

General status update for those of you who are still with us:

  • We're currently nearing the end of building out policy infrastructure. This makes all the reads and writes in all applications policy-aware, so queries don't show objects the user can't see and edits are rejected from objects users can't touch.
    • Effectively all major applications have substantial infrastructure support now.
    • Maniphest is about 95% complete.
    • Diffusion is about 80% complete.
    • Differential is about 60% (?) complete.
    • Much of this work was blocked on other infrastructure work (T2217, T3794), which is where a lot of the time has actually gone, so "60%" isn't "60% of the time". Also all these numbers are more or less made up anyway.
    • These should mostly finish up in the next few days, depending mostly on how much of T2222 happens in front of this (that's another major infrastructure issue, but it probably won't block this because it has a very high degree of complexity and nuisance).
  • Policy infrastructure is the hard part, and will make policies work, but they won't be very user friendly. Once infrastructure finishes up, we'll work on improving the UI/UX:
    • Adding more types of policies ("users X, Y and Z", "when the moon is full")
    • Adding defaults and configuration ("new pastes I create should be public")
    • Adding application level policies ("Can create new task: [users in project Engineering]")
    • Adding administrative tools ("I accidentally locked everyone out of an object.")
    • Improving UI and feedback about policy controls (e.g., more detailed "who can see this" / "you can't see this") messages
    • This should all move relatively quickly, as it's much less technically demanding than the infrastructure stuff, but we'll probably need to go through a few iterations to find good ways to approach it.
  • This collectively includes support for the "public (no login required)" policy, too. Open source projects can sort-of open up most applications today, and will have more reasonable UI to do so soon.
    • Diffusion is already public on this install.
epriestley changed the visibility of this Task from "All Users" to "Public (No Login Required)".Via Web · Sep 26 2013, 5:53 PM
davidressman added a comment.Via Web · Sep 27 2013, 2:21 PM

I am interested in your views and wish to subscribe to your newsletter.

hach-que added a comment.Via Web · Sep 28 2013, 12:28 AM

One of the latest changes to make the policy information on an object clickable (e.g. you can click "All Users") sort of implies that you can change it by clicking it. It might be a good idea in the future to allow changing the policy from the dialog as well (for those that can actually change it).

chad added a comment.Via Email · Sep 28 2013, 12:44 AM

I'd probably lean against that for two reasons. First being it's not a commonly needed action and second I'd rather not make it "lightweight" so people put some thought in what they are changing.

Adding a link to Edit Task in the dialog is probably enough for most cases?

hach-que added a comment.Via Web · Sep 28 2013, 12:47 AM

The dialog and link is quite heavy; it implies there's something to actually change with the dialog (similar to the way you can edit what objects relate to a task in the action list, these also popup in the same kind of dialog).

Would it be better if it was just a tooltip? After all, unless people are creating weird policies, I think a short description in a tooltip is enough to explain "Public (No Login Required)". It doesn't need a whole dialog devoted to it.

chad added a comment.Via Email · Sep 28 2013, 1:08 AM

We are planning for people to create weird policies. :) It was an overly large tooltip but I think being verbose in a dialog is still better given policies are newish to Phabricator. We can always tone down later after people take them for granted / learn the lingo.

asherkin added a comment.Via Web · Oct 1 2013, 3:24 PM

> We are planning for people to create weird policies. :) It was an overly large tooltip but I think being verbose in a dialog is still better given policies are newish to Phabricator. We can always tone down later after people take them for granted / learn the lingo.

I think it would be a lot better if you could click outside the modal to dismiss it, having to hunt for the close button makes it seem artificially heavy (given how common click-background-to-dismiss is, normally only prevented for modals containing forms).

epriestley added a subscriber: Restricted Mailing List.Via Web · Oct 4 2013, 11:05 PM

Oh I never added Facebook to this.

Facebook: HEAD has an implementation of (approximately) per-object-privacy. If you don't touch anything, nothing should really change, except that there will be more policy controls in the UI. Herald rules have changed slightly: by default, only administrators can create Global rules now, because they punch through access controls. You can configure this back to "all users" in the "Applications" application if you want to keep the old policy.

Everyone else: here's a screenshot of the advanced policy construction interface in D7217 if you have any feedback. This will be an optional advanced mode which supplements the current policy control -- the UI will still provide easy access to common policies like "All Users".

epriestley closed this task as "Resolved".Via Web · Oct 17 2013, 8:32 PM

I'm going to close this task, since it has served its purpose and we have basically-usable policies almost-everywhere now.

Policies are newly implemented, and are obviously not mature. There are likely to be some remaining bugs, rough edges, etc. However, by all appearances they work correctly and are reasonably usable. You should be cautious about using them to protect nuclear launch codes from hostile nations, but they should be fine for hiding information from your enemies at your company, and for opening up applications on open source installs.

The policy implementation today consists of flexible infrastructure, a basically reasonable UI on top of it, and some application-level defaults and settings (accessible in the "Applications" application). We expect to refine all of these things in time, but mostly in response to feedback. If you begin using these features, let us know what works, what doesn't work, what's confusing, what you wish were easier, etc.

Some particular notes:

  • Open-Source Installs
    • There's no logged-out version of the home page yet. Do you want one? What should it look like or do?
    • There may be performance issues with some queries if you have a large amount of private data and a small amount of public data. Let us know if you run into these.
    • There's no script to retroactively open up access. You can generally update the viewPolicy column of an object type in the DB, or we can build tools for this.
  • Installs with Clients or Project-Level Policy Implications
    • We suspect the current implementation is very labor-intensive for the use case of having several clients, each of whom you only want to see their own stuff. Is this true? Some discussion in T3820.
    • Broadly, the implementation is easier to use with policies that are default-open, selective-deny than default-deny, selective-open. We think this is the more common use case, but maybe not?
  • Tooling
    • There isn't much support tooling yet. What do you need?
    • The bin/policy tool does exist, and will let you unlock objects which you accidentally lock yourself out of. (We'll make it harder to lock yourself out of things, too -- it's fairly easy in a few interfaces now.)
  • Custom Policies
    • The custom policy UI provides "user", "project", "admin", and "lunar phase" rules. What additional rules do you need? "Time of day"? "LDAP group"?
    • These rules are relatively pluggable. Are you interested in writing custom rules?
    • Do you even end up using custom policies? Could we have gotten away without building them?
  • Defaults
    • We provide global defaults in most applications now. Do we need more fine-grained defaults (per-user, per-project...)?
    • There's no way to save or bookmark specific custom policies. Is this important?
    • Some object types have implicit rules, e.g. the author of a paste can always view and edit it. Are there other rules we should have? Do current rules make sense?
  • Clarity
    • A particular goal of this implementation is to make it clear how policies operate. Did we succeed? When you can't see an object, is it clear why you can't see it? Are policy rules intuitive?
    • Is it easy to set the policies you want to set?
  • Incomplete Applications and Policies
    • Not all applications have full policy support yet, usually because it's blocked by something or they're beta. Which remaining apps do you want support for?
    • Capabilities are relatively coarse right now, and mostly fall into "edit" and "view". Do you need more fine-grained capabilities (like "comment" as distinct from "view")?
  • Documentation
    • If you're lost, yell at me and I can write some sooner rather than later.
    • Or if you'd just find this interesting or whatever.
  • General
    • We believe policies are broadly at a level where they're usable, make sense, and are consistently enforced everywhere. If you see anything suspicious or confusing or which seems obviously broken or doesn't make sense, let us know. From here on out, they're expected to work in a generally reasonable way.

If you have feedback on any of this, file a new task and we'll merge things together into some smaller piles and move them forward separately with less than 100 people on the CC list. I'd guess that most of these topics are not interesting to most installs.
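
A simplified model of the policy-aware reads and edits described in the status update and in the closing notes above, added here as an illustration; it is not Phabricator code. The rule tuples, `Viewer`, `Paste`, `query_page`, `apply_edit` and the sample table are all constructed for the example, and it assumes visibility is checked per object after rows are fetched, which is why a viewer who can see only a small share of the data makes a page expensive to fill.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Viewer:
    name: Optional[str]              # None models a logged-out viewer
    projects: frozenset = frozenset()
    is_admin: bool = False

@dataclass
class Paste:
    id: int
    author: str
    title: str
    policies: dict                   # capability ("view" / "edit") -> tuple of rules

def rule_allows(rule, viewer):
    """One rule of a policy; a policy passes if any of its rules does."""
    kind = rule[0]
    if kind == "public":             # "Public (No Login Required)"
        return True
    if viewer.name is None:          # every other rule needs a logged-in user
        return False
    if kind == "users":              # "All Users"
        return True
    if kind == "admin":
        return viewer.is_admin
    if kind == "user":
        return viewer.name == rule[1]
    if kind == "project":
        return rule[1] in viewer.projects
    return False                     # unknown rule type: fail closed

def can(viewer, obj, capability):
    # Implicit rule from the thread: the author of a paste can always view and edit it.
    if viewer.name is not None and viewer.name == obj.author:
        return True
    # A capability with no policy has no rules, so any() is False: fail closed.
    return any(rule_allows(r, viewer) for r in obj.policies.get(capability, ()))

def query_page(table, viewer, limit, after_id=0):
    """Return (visible rows, rows examined) for one page of results."""
    # Visibility is checked after each fetch, so keep fetching until the page is full.
    visible, examined, cursor = [], 0, after_id
    while len(visible) < limit:
        # Stand-in for: SELECT ... WHERE id > cursor ORDER BY id LIMIT limit
        chunk = [row for row in table if row.id > cursor][:limit]
        if not chunk:
            break
        for row in chunk:
            examined += 1
            cursor = row.id
            if can(viewer, row, "view"):
                visible.append(row)
                if len(visible) == limit:
                    break
    return visible, examined

def apply_edit(viewer, obj, title):
    """Reject the write unless the viewer holds the edit capability."""
    if not can(viewer, obj, "edit"):
        raise PermissionError(f"{viewer.name!r} cannot edit paste {obj.id}")
    obj.title = title
    return obj

def build_table(n=1000):
    """Constructed data: 1 row in 100 is public, the rest are project-only."""
    secret = {"view": (("project", "secret"),), "edit": (("admin",),)}
    public = {"view": (("public",),), "edit": (("user", "carol"), ("admin",))}
    return [Paste(i, "alice", f"paste {i}", public if i % 100 == 0 else secret)
            for i in range(1, n + 1)]

if __name__ == "__main__":
    table = build_table()
    for viewer in (Viewer(None), Viewer("bob", frozenset({"secret"}))):
        page, examined = query_page(table, viewer, limit=5)
        print(viewer.name, [p.id for p in page], "rows examined:", examined)
```
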

hwinkel added a comment.Via Web · Nov 30 2013, 10:34 PM

Should this nice description and question find a way into the docs?

hwinkel added a comment.Via Web · Nov 30 2013, 10:38 PM

Just configured a new clean phab instance, is there a way to set a default behavior? How can I lock out all people by default and give them access only if they belong to a project? "Installs with Clients or Project-Level Policy Implications": it's really labor intensive. Can we have a config option or install question which controls the general behavior and default permissions?

asherkin added a comment.Via Web · Nov 30 2013, 10:44 PM

Most default policies are configured in the Applications app, only a few have them right now - what do you need that is missing?

As @epriestley mentioned, that is currently the weakest state for the policy infrastructure right now, but will probably need to wait for T390 to get any real work.
