
Add configuration to lock auth/user creation, or to lock application policies
Closed, Resolved (Public)

Description

This isn't blocking anything, but is parallelizable.

On Phacility instances, we need to prevent users from making some classes of changes to the instance. Some of this we can already lock, but some of it we can't. I think the cleanest way forward is to introduce options:

  • lock.auth: Prevents any authentication provider from being added, edited, or removed. We need this because we don't want users on instances unless they also have a phacility.com account, so we can send them to the correct instance when they log in to the administrative UI by accident. Instances will be configured with only an OAuth2 provider pointed at admin.phacility.com, and this should be immutable.
  • lock.users: Prevent creation or import of users via admin tools. Administrators need to use options on admin.phacility.com to do this.

I actually think that might be all we need.

These options should be low-level (e.g., in TransactionEditors if possible) and there doesn't need to be a way to disable them -- the scripts which are synchronizing this stuff can use PhabricatorScopedEnv to bypass the options.

Another approach, which might be cleaner, would be:

  • Add a "Can Manage Providers" application-level policy to Auth.
  • Add a "Can Create Users" application-level policy to People.
  • Add a policy.locked (or similar) config option to let us lock specific application policies so they cannot be edited.

That would be more flexible and maybe better? Not sure.

Event Timeline

epriestley assigned this task to btrahan.
epriestley raised the priority of this task from to Normal.
epriestley updated the task description.
epriestley added a project: Phacility.
epriestley moved this task from Backlog to v0 Closed Beta on the Phacility board.
epriestley added a subscriber: epriestley.

I think the second approach sounds better, so approaching things that way.
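
The following is an added sketch, not Phabricator code and not written by anyone on this task, of the second approach with the enforcement point and bypass described in the task: the lock is checked in the lowest-level write path, and a scoped override lets a synchronization script through. The class names, capability names, and the representation of `policy.locked` as a set of capability names are assumptions made for illustration.

```python
from contextlib import contextmanager
from contextvars import ContextVar

# Hypothetical stand-in for the scoped-environment bypass the task mentions.
_lock_bypass = ContextVar("lock_bypass", default=False)

@contextmanager
def scoped_bypass():
    token = _lock_bypass.set(True)
    try:
        yield
    finally:
        _lock_bypass.reset(token)  # lock is restored even if the body raises

class PolicyLocked(Exception):
    pass

class PolicyEditor:
    """Lowest-level write path: every policy change goes through apply()."""

    def __init__(self, policies, locked):
        self.policies = dict(policies)   # capability -> current policy
        self.locked = frozenset(locked)  # capabilities named by policy.locked
        self.audit = []                  # (actor, capability, outcome)

    def apply(self, actor, capability, new_policy):
        if capability not in self.policies:
            raise KeyError(capability)
        if capability in self.locked and not _lock_bypass.get():
            # Checked here, not in the UI, so being an administrator is irrelevant.
            self.audit.append((actor, capability, "denied"))
            raise PolicyLocked(capability)
        self.policies[capability] = new_policy
        self.audit.append((actor, capability, "changed"))

def demo():
    # Constructed sample data; capability names are made up for illustration.
    editor = PolicyEditor(
        {"auth.manage-providers": "no-one", "people.create-users": "no-one",
         "people.browse": "all-users"},
        locked=["auth.manage-providers", "people.create-users"],
    )
    try:
        editor.apply("instance-admin", "auth.manage-providers", "administrators")
    except PolicyLocked:
        pass  # locked capability: the edit is refused and recorded
    with scoped_bypass():
        editor.apply("sync-script", "people.create-users", "administrators")
    editor.apply("instance-admin", "people.browse", "administrators")
    return editor
```

Recording denied attempts in the audit trail gives operators a signal when someone tries to change a locked policy from inside an instance.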