
Can a hosted Phacility instance be exported?
Closed, Resolved (Public)

Description

My company is evaluating adopting Phabricator and weighing the Phacility SaaS vs managing an instance on RDS using the open source.

If we start with Phacility and choose later to migrate to a self-hosted instance, what will we have to do? Can we get a dump of the databases, load them up, and keep going?

Event Timeline

turadg updated the task description.
turadg added a project: Support.
turadg added a subscriber: turadg.

Yes, with caveats. See T7148 for discussion of why this is complex. Roughly, here's the state of the world today:

  • If you're leaving the service and plan to disable your instance, we'll run the export manually for you and provide some level of support in leaving the service.
  • If you just want it for safekeeping, analytics, etc., we really want to get a better process / safeguards in place, because of the extremely high level of access that the dump gives you to the active instance and its data. We attempt to scrub all the credentials out, but obviously can't scrub the private data since it's part of the dataset.
  • The current plan is to build a "quorum" feature (T9515) and let instance administrators configure the level of export protection they desire. This would lead to a workflow like this:
    • Alice enters her MFA token and requests an export.
    • Bart gets a notification, logs in, enters his MFA token, and approves the request.
    • Candice gets a notification, logs in, enters her MFA token, and approves the request.
    • Dave gets a notification but doesn't need to log in, since 3/4 of the administrators have approved the request and established a quorum.
    • The system unlocks the export and Alice downloads it.

In the case of a single administrator, this would degrade to "Alice presses the download button, waits for a little while, and downloads the export".

The attacks we're particularly concerned with are social engineering attacks where a user claiming to be an instance administrator (or an instance administrator acting on their own) interacts with us or the system and gets access to a dump that their coworkers would not otherwise approve of. It's particularly bad if a curious administrator can just peek at their coworkers' conversations and other private data without anyone knowing. There are limits to what we can do to prevent this while still supporting exports, but the quorum system above would give administrators sufficient power to self-police without involving us, and let us decline requests categorically without running the risk of disclosing an instance's data inappropriately.

From a technical standpoint, we have some support for automating this process built but it's probably 1-2 days of work on the actual export and then 1-2 days of work on the quorum stuff and maybe an extra day in integrating them, and this is hard to prioritize because we've received a very small number of export requests since launch.

epriestley claimed this task.

Presuming that answers the question, let us know if not. T7148 is the general production task here.
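A minimal model of the quorum-gated export workflow described in the answer above, as an added example and not Phacility's or Phabricator's code: each request and approval is MFA-checked, the requester counts as the first approval, and the export unlocks only once the configured fraction of administrators has approved (3 of 4 in the Alice/Bart/Candice/Dave walkthrough, degrading to 1 of 1 for a single administrator). The `verify_mfa` callback, the `0.75` default, the audit log and the `.sql.gz` handle are assumptions; the short waiting period mentioned for the single-administrator case is omitted.

```python
import math
from dataclasses import dataclass, field

@dataclass
class ExportRequest:
    requester: str
    approvals: set = field(default_factory=set)
    unlocked: bool = False

class QuorumExportPolicy:
    def __init__(self, admins, verify_mfa, fraction=0.75):
        self.admins = set(admins)
        self.verify_mfa = verify_mfa  # hypothetical callback: (user, token) -> bool
        self.fraction = fraction      # the "level of export protection" an instance configures
        self.requests = {}
        self.audit_log = []           # every step is recorded, so no export happens unseen

    def required_approvals(self):
        # ceil(0.75 * 4) == 3 for the four-admin example; a single admin degrades to 1
        return max(1, math.ceil(self.fraction * len(self.admins)))

    def _authenticate(self, user, token):
        if user not in self.admins or not self.verify_mfa(user, token):
            raise PermissionError(f"{user} is not an administrator or failed MFA")

    def request_export(self, user, token):
        self._authenticate(user, token)
        req_id = len(self.requests) + 1
        self.requests[req_id] = ExportRequest(user, {user})  # requester is the first approval
        self.audit_log.append(("requested", req_id, user))
        self._maybe_unlock(req_id)
        return req_id

    def approve(self, req_id, user, token):
        self._authenticate(user, token)
        self.requests[req_id].approvals.add(user)  # a repeat approval does not count twice
        self.audit_log.append(("approved", req_id, user))
        return self._maybe_unlock(req_id)

    def _maybe_unlock(self, req_id):
        req = self.requests[req_id]
        if len(req.approvals) >= self.required_approvals():
            req.unlocked = True
        return req.unlocked

    def download(self, req_id, user):
        req = self.requests[req_id]
        if user != req.requester or not req.unlocked:
            raise PermissionError("export is still locked or was not requested by you")
        return f"export-{req_id}.sql.gz"  # placeholder for the real dump handle
```

Only the requester can fetch the unlocked export, so an approver cannot use someone else's request to obtain a copy for themselves.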