Allow Almanac services to be locked

Summary:
Fixes T6741. This allows Almanac services to be locked from the CLI. Locked services (and their bindings, interfaces and devices) can not be edited. This serves two similar use cases:

  - For normal installs, you can protect cluster configuration from an attacker who compromises an account (or generally harden services which are intended to be difficult to edit).
  - For Phacility, we can lock externally-managed instance cluster configuration without having to pull any spooky tricks.

Test Plan:
  - Locked and unlocked services.
  - Verified locking a service locks connected properties, bindings, binding properties, interfaces, devices, and device properties.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T6741

Differential Revision: https://secure.phabricator.com/D11006
epriestley
2014-12-18 14:31:36 -08:00
parent cd6f67ef95
commit d2df3064bc
24 changed files with 548 additions and 14 deletions


@@ -0,0 +1,31 @@
@title User Guide: Phabricator Clusters
@group config
Guide on scaling Phabricator across multiple machines, for large installs.
Overview
========
IMPORTANT: Phabricator clustering is in its infancy and does not work at all
yet. This document is mostly a placeholder.
Locking Services
================
Because cluster configuration is defined in Phabricator itself, an attacker
who compromises an account that can edit the cluster definition has significant
power. For example, the attacker might be able to configure Phabricator to
replicate the database to a server they control.
To mitigate this attack, services in Almanac can be locked to prevent them
from being edited from the web UI. An attacker would then need significantly
greater access (to the CLI, or directly to the database) in order to change
the cluster configuration.
You should normally keep cluster services in a locked state, and unlock them
only to edit them. Once you're finished making changes, lock the service again.
The web UI will warn you when you're viewing an unlocked cluster service, as
a reminder that you should lock it again once you're finished editing.
For details on how to lock and unlock a service, see
@{article:Almanac User Guide}.
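
Review bot: The "Locking Services" section does not state the scope of the lock: it says only that services "can be locked to prevent them from being edited from the web UI". The commit summary and test plan say locking a service also locks its bindings, interfaces and devices, along with their properties. Add a sentence saying so, because a reader could otherwise assume that objects attached to a locked service remain editable, which would leave the replication scenario from the preceding paragraph looking unmitigated. The last paragraph also defers entirely to @{article:Almanac User Guide} for how to lock and unlock; one sentence stating that this is done from the CLI would make the "unlock, edit, lock again" advice usable from this page.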