Changeset View
Changeset View
Standalone View
Standalone View
src/docs/user/userguide/almanac.diviner
| Show First 20 Lines • Show All 171 Lines • ▼ Show 20 Lines | |||||
| services like `rake.shed.myranch.moo` as long as they can pass the policy check | services like `rake.shed.myranch.moo` as long as they can pass the policy check | ||||
| for `shed.myranch.moo`, even if they do not have permission under the policy | for `shed.myranch.moo`, even if they do not have permission under the policy | ||||
| for `myranch.moo`. | for `myranch.moo`. | ||||
| Users can edit services and devices within a namespace if they have edit | Users can edit services and devices within a namespace if they have edit | ||||
| permission on the service or device itself, as long as they don't try to rename | permission on the service or device itself, as long as they don't try to rename | ||||
| the service or device to move it into a namespace they don't have permission | the service or device to move it into a namespace they don't have permission | ||||
| to access. | to access. | ||||
| Locking and Unlocking Services | |||||
| ============================== | |||||
| Services can be locked to prevent edits from the web UI. This primarily hardens | |||||
| Almanac against attacks involving account compromise. Notably, locking cluster | |||||
| services prevents an attacker from modifying the Phabricator cluster definition. | |||||
| For more details on this scenario, see | |||||
| @{article:User Guide: Phabricator Clusters}. | |||||
| Beyond hardening cluster definitions, you might also want to lock a critical | |||||
| service to prevent accidental edits. | |||||
| To lock a service, run: | |||||
| phabricator/ $ ./bin/almanac lock <service> | |||||
| To unlock a service later, run: | |||||
| phabricator/ $ ./bin/almanac unlock <service> | |||||
| Locking a service also locks all of the service's bindings and properties, as | |||||
| well as the devices connected to the service. Generally, no part of the | |||||
| service definition can be modified while it is locked. | |||||
| Devices (and their properties) will remain locked as long as they are bound to | |||||
| at least one locked service. To edit a device, you'll need to unlock all the | |||||
| services it is bound to. | |||||
| Locked services and devices will show that they are locked in the web UI, and | |||||
| editing options will be unavailable. | |||||