Page MenuHomePhabricator
Create Task
Maniphest T6741

Lock Almanac networks, and allow Almanac domain namespaces to be locked
Closed, ResolvedPublic
Actions

Description

A risk of defining Phabricator clusters within Phabricator is that anyone with permission to edit said services in Almanac can adjust the cluster -- at best taking the cluster down, and at worst, e.g., configuring the master database to replicate to some external, attacker-controlled device (this won't be possible for a long time, but similar attacks will be possible sooner.).

I think the best approach for this is to allow services to be locked, forbidding all edits from the web UI. So you configure a cluster service, lock it from the CLI, and then can use it safely. These locks could be soft to avoid getting in the way too much (you can use unlocked services, we just warn you that you should lock services in use).

Locking a service should lock all connected bindings, interfaces and devices. Interfaces and devices may need to hold a lock-level: if a device is part of several services, all services must be unlocked before the device can be modified.

We need this (or some similar tech) for Phacility to prevent installs from going into Almanac and breaking their own cluster by changing things around randomly. It's possible we could accomplish this more cleanly in the long run with Spaces or maybe just policies, but having an extra layer of immutability won't hurt even when those are running.

Revisions and Commits

rP Phabricator
D15339rP944539a78679 Simplify locking of Almanac cluster services
D15325rP411331469af4 Apply namespace locking rules in Almanac
D15324rPdb50d0fb11e2 Rough-in Almanac namespaces
D15322rP50debecf5268 Allow Almanac namespaces to be searched by ngram index
D11006rPd2df3064bcc3 Allow Almanac services to be locked
D11005rPf5600acb16f0 Don't skip policy checks on ObjectQuery if special capabilities are required

Related Objects
Search...

Event Timeline

epriestley created this task.Dec 12 2014, 6:17 PM
epriestley claimed this task.
epriestley raised the priority of this task from to Normal.
epriestley updated the task description. (Show Details)
epriestley added projects: Phacility, Almanac, Security.
epriestley moved this task from Backlog to v0 Closed Beta on the Phacility board.
epriestley added subscribers: talshiri, chad, aderumier and 4 others.
epriestley mentioned this in D10995: Give AlmanacServices a service type.Dec 15 2014, 9:05 PM
epriestley mentioned this in rPc85327ca3e58: Give AlmanacServices a service type.Dec 17 2014, 7:10 PM
epriestley added a revision: D11005: Don't skip policy checks on ObjectQuery if special capabilities are required.Dec 17 2014, 11:44 PM
epriestley added a revision: D11006: Allow Almanac services to be locked.Dec 18 2014, 1:02 AM
epriestley added a commit: rPf5600acb16f0: Don't skip policy checks on ObjectQuery if special capabilities are required.Dec 18 2014, 1:04 AM
epriestley closed this task as Resolved.Dec 18 2014, 10:31 PM
epriestley added a commit: rPd2df3064bcc3: Allow Almanac services to be locked.

Closed by commit rPd2df3064bcc3.

epriestley reopened this task as Open.Dec 20 2014, 1:12 PM

I need to get Networks in on this too.

Mnkras added a subscriber: Mnkras.Jan 27 2015, 9:26 PM
Mnkras removed a subscriber: Mnkras.
epriestley mentioned this in T5833: Build "Almanac", a service/host/device directory.Feb 1 2015, 1:01 AM
epriestley added a comment.Feb 1 2015, 1:03 AM

The remaining work is:

  • Networks should also lock. This doesn't really matter since they don't do anything important right now.
  • We should prevent installs from creating services in the "phacility.net" domain, because they could create services which would collide with services we later attach to the instance. This isn't something you can blunder into, though, and is easily resolved manually at small scales.
epriestley renamed this task from Allow Almanac services to be locked to Lock Almanac networks, and allow Almanac domain namespaces to be locked.Feb 1 2015, 1:03 AM
epriestley moved this task from v0 Closed Beta to Do After Launch on the Phacility board.
epriestley lowered the priority of this task from Normal to Low.Feb 27 2015, 12:53 AM

The urgency of fixing this is dramatically reduced by Almanac being a prototype and installs not having access to prototypes so this can be punted to the horizon.

epriestley moved this task from Do After Launch to Do Eventually on the Phacility board.Feb 27 2015, 12:54 AM
frankth added a subscriber: frankth.Jul 4 2015, 10:18 AM

It is good ~

aantelov87 added a subscriber: aantelov87.Jan 15 2016, 10:58 AM
Herald added subscribers: cburroughs, andypuettmann, revi. · View Herald TranscriptJan 15 2016, 10:58 AM
aantelov87 removed a subscriber: aantelov87.Jan 15 2016, 10:58 AM
epriestley mentioned this in T10246: Deploy Drydock in the Phacility cluster.Feb 1 2016, 12:12 AM
epriestley moved this task from Backlog to v2 on the Almanac board.Feb 21 2016, 1:05 AM
epriestley edited projects, added Almanac (v2); removed Almanac.
epriestley added a comment.Feb 21 2016, 7:04 PM

In the Phacility case, I can also just give these networks a "no one" edit policy, but still need to do the namespace locking.

epriestley added a revision: D15322: Allow Almanac namespaces to be searched by ngram index.Feb 21 2016, 7:16 PM
epriestley added a revision: D15324: Rough-in Almanac namespaces.Feb 21 2016, 10:06 PM
epriestley added a revision: D15325: Apply namespace locking rules in Almanac.Feb 21 2016, 10:43 PM
talshiri removed a subscriber: talshiri.Feb 21 2016, 10:43 PM
epriestley added a commit: rP50debecf5268: Allow Almanac namespaces to be searched by ngram index.Feb 22 2016, 12:58 PM
epriestley added a commit: rPdb50d0fb11e2: Rough-in Almanac namespaces.
epriestley added a commit: rP411331469af4: Apply namespace locking rules in Almanac.
epriestley added a comment.Feb 22 2016, 1:04 PM

I also think the current per-service and per-device granular locking might be better off as a cluster.locked global configuration which prevents creating or editing anything touching a cluster service, so I may pursue that.

As written, it is insufficient to prevent services from being added, and Diffusion's default behavior is to randomly select a cluster repository host if any are available, so adding new services counts. We can lock the add permission for cluster services to "no one", but then the mechanism isn't useful in the general case.

We could also implicitly lock new services if any existing service is locked, but this feels non-obvious / non-general. It would be better to lock the service class as a whole, instead.

epriestley added a parent task: T10246: Deploy Drydock in the Phacility cluster.Feb 22 2016, 1:12 PM
epriestley added a revision: D15339: Simplify locking of Almanac cluster services.Feb 24 2016, 12:59 AM
epriestley closed this task as Resolved by committing rP944539a78679: Simplify locking of Almanac cluster services.Feb 25 2016, 11:38 AM
epriestley added a commit: rP944539a78679: Simplify locking of Almanac cluster services.
Phabricator · Built by Phacility