phorge-phorge/src/docs/user/userguide/almanac.diviner

@title Almanac User Guide
@group userguide

Using Almanac to manage services.

= Overview =

IMPORTANT: Almanac is a prototype application. See
@{article:User Guide: Prototype Applications}.

Locking and Unlocking Services
==============================

Services can be locked to prevent edits from the web UI. This primarily hardens
Almanac against attacks involving account compromise. Notably, locking cluster
services prevents an attacker from modifying the Phabricator cluster definition.
For more details on this scenario, see
@{article:User Guide: Phabricator Clusters}.

Beyond hardening cluster definitions, you might also want to lock a service to
prevent accidental edits.

To lock a service, run:

  phabricator/ $ ./bin/almanac lock <service>

To unlock a service later, run:

  phabricator/ $ ./bin/almanac unlock <service>

Locking a service also locks all of the service's bindings and properties, as
well as the devices connected to the service. Generally, no part of the
service definition can be modified while it is locked.

Devices (and their properties) will remain locked as long as they are bound to
at least one locked service. To edit a device, you'll need to unlock all the
services it is bound to.

Locked services and devices will show that they are locked in the web UI, and
editing options will be unavailable.
Allow Almanac services to be locked Summary: Fixes T6741. This allows Almanac services to be locked from the CLI. Locked services (and their bindings, interfaces and devices) can not be edited. This serves two similar use cases: - For normal installs, you can protect cluster configuration from an attacker who compromises an account (or generally harden services which are intended to be difficult to edit). - For Phacility, we can lock externally-managed instance cluster configuration without having to pull any spooky tricks. Test Plan: - Locked and unlocked services. - Verified locking a service locks connected properties, bindings, binding properties, interfaces, devices, and device properties. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T6741 Differential Revision: https://secure.phabricator.com/D11006 2014-12-18 23:31:36 +01:00			`@title Almanac User Guide`
			`@group userguide`

			`Using Almanac to manage services.`

			`= Overview =`

			`IMPORTANT: Almanac is a prototype application. See`
			`@{article:User Guide: Prototype Applications}.`

			`Locking and Unlocking Services`
			`==============================`

			`Services can be locked to prevent edits from the web UI. This primarily hardens`
			`Almanac against attacks involving account compromise. Notably, locking cluster`
			`services prevents an attacker from modifying the Phabricator cluster definition.`
			`For more details on this scenario, see`
			`@{article:User Guide: Phabricator Clusters}.`

			`Beyond hardening cluster definitions, you might also want to lock a service to`
			`prevent accidental edits.`

			`To lock a service, run:`

			`phabricator/ $ ./bin/almanac lock <service>`

			`To unlock a service later, run:`

			`phabricator/ $ ./bin/almanac unlock <service>`

			`Locking a service also locks all of the service's bindings and properties, as`
			`well as the devices connected to the service. Generally, no part of the`
			`service definition can be modified while it is locked.`

			`Devices (and their properties) will remain locked as long as they are bound to`
			`at least one locked service. To edit a device, you'll need to unlock all the`
			`services it is bound to.`

			`Locked services and devices will show that they are locked in the web UI, and`
			`editing options will be unavailable.`