src/docs/user/userguide/almanac.diviner
services like `rake.shed.myranch.moo` as long as they can pass the policy check
for `shed.myranch.moo`, even if they do not have permission under the policy
for `myranch.moo`.

Users can edit services and devices within a namespace if they have edit
permission on the service or device itself, as long as they don't try to rename
the service or device to move it into a namespace they don't have permission
to access.
Locking and Unlocking Services
============================== | |||||
Services can be locked to prevent edits from the web UI. This primarily hardens
Almanac against attacks involving account compromise: because a service can
only be unlocked from the command line on a host running Phabricator, an
attacker who controls an administrator's web account but has no shell access
can not unlock and modify a locked service. Notably, locking cluster services
prevents such an attacker from modifying the Phabricator cluster definition.
For more details on this scenario, see
@{article:User Guide: Phabricator Clusters}.
Beyond hardening cluster definitions, you might also want to lock a critical | |||||
service to prevent accidental edits. | |||||
To lock a service, run:

  phabricator/ $ ./bin/almanac lock <service>

To unlock a service later, run:

  phabricator/ $ ./bin/almanac unlock <service>
Locking a service also locks all of the service's bindings and properties, as | |||||
well as the devices connected to the service. Generally, no part of the | |||||
service definition can be modified while it is locked. | |||||
Devices (and their properties) will remain locked as long as they are bound to | |||||
at least one locked service. To edit a device, you'll need to unlock all the | |||||
services it is bound to. | |||||
Locked services and devices will show that they are locked in the web UI, and | |||||
editing options will be unavailable. |
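Because a device stays locked while it is bound to any locked service, a
legitimate edit means unlocking every service the device is bound to and then
locking all of them again, and a service that is accidentally left unlocked
defeats the hardening described above. The following wrapper is an added
example, not part of Phabricator or of the `bin/almanac` tool: it unlocks a
list of services, runs an edit command, and re-locks the services even when
the edit fails. It uses only the `lock` and `unlock` subcommands shown above;
the `ALMANAC` variable, the function names and the service names are
assumptions made for the example, so the script can be pointed at a test stub
instead of the real `phabricator/bin/almanac`.

```shell
#!/bin/sh
# Added example (not part of Phabricator or this guide). Only `almanac lock`
# and `almanac unlock` are used, as documented above. ALMANAC is an assumed
# override so the script can be pointed at a stub instead of ./bin/almanac.
ALMANAC="${ALMANAC:-./bin/almanac}"

# relock_all SERVICE... : lock every listed service. Do not stop at the first
# failure, so one bad name can not leave the remaining services unlocked.
relock_all() {
    rc=0
    for svc in "$@"; do
        "$ALMANAC" lock "$svc" || { echo "failed to re-lock $svc" >&2; rc=1; }
    done
    return $rc
}

# with_unlocked "svc1 svc2 ..." COMMAND [ARGS...]
# Unlock the listed services, run COMMAND, then re-lock them. Because a device
# stays locked while bound to any locked service, the caller must list every
# service the device is bound to. Returns COMMAND's exit status, or 1 if any
# unlock or re-lock failed.
with_unlocked() {
    services=$1
    shift
    # Unlock one service at a time; if an unlock fails, re-lock whatever was
    # already unlocked and give up rather than run the edit half-unlocked.
    unlocked=""
    for svc in $services; do
        if "$ALMANAC" unlock "$svc"; then
            unlocked="$unlocked $svc"
        else
            echo "failed to unlock $svc; re-locking" >&2
            relock_all $unlocked
            return 1
        fi
    done
    # Run the edit and record its status instead of aborting on failure, so
    # the locks are always restored afterwards.
    "$@" && cmd_rc=0 || cmd_rc=$?
    relock_all $unlocked || return 1
    return $cmd_rc
}

# Usage (service names are hypothetical):
#   with_unlocked "web.example db.example" ./edit-device-properties.sh
```

The re-lock step runs even when the edit command exits non-zero, which is the
case that matters operationally: an interrupted edit should never leave a
cluster service editable from the web UI.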