phorge-phorge/src/applications/config/option/PhabricatorClusterConfigOptions.php

<?php

final class PhabricatorClusterConfigOptions
  extends PhabricatorApplicationConfigOptions {

  public function getName() {
    return pht('Cluster Setup');
  }

  public function getDescription() {
    return pht('Configure Phabricator to run on a cluster of hosts.');
  }

  public function getIcon() {
    return 'fa-sitemap';
  }

  public function getGroup() {
    return 'core';
  }

  public function getOptions() {
    $databases_type = 'custom:PhabricatorClusterDatabasesConfigOptionType';
    $databases_help = $this->deformat(pht(<<<EOTEXT
WARNING: This is a prototype option and the description below is currently pure
fantasy.

This option allows you to make Phabricator aware of database read replicas so
it can monitor database health, spread load, and degrade gracefully to
read-only mode in the event of a failure on the primary host. For help with
configuring cluster databases, see **[[ %s | %s ]]** in the documentation.
EOTEXT
      ,
      PhabricatorEnv::getDoclink('Cluster: Databases'),
      pht('Cluster: Databases')));

    return array(
      $this->newOption('cluster.addresses', 'list<string>', array())
        ->setLocked(true)
        ->setSummary(pht('Address ranges of cluster hosts.'))
        ->setDescription(
          pht(
            'To allow Phabricator nodes to communicate with other nodes '.
            'in the cluster, provide an address whitelist of hosts that '.
            'are part of the cluster.'.
            "\n\n".
            'Hosts on this whitelist are permitted to use special cluster '.
            'mechanisms to authenticate requests. By default, these '.
            'mechanisms are disabled.'.
            "\n\n".
            'Define a list of CIDR blocks which whitelist all hosts in the '.
            'cluster. See the examples below for details.',
            "\n\n".
            'When cluster addresses are defined, Phabricator hosts will also '.
            'reject requests to interfaces which are not whitelisted.'))
        ->addExample(
          array(
            '23.24.25.80/32',
            '23.24.25.81/32',
          ),
          pht('Whitelist Specific Addresses'))
        ->addExample(
          array(
            '1.2.3.0/24',
          ),
          pht('Whitelist 1.2.3.*'))
        ->addExample(
          array(
            '1.2.0.0/16',
          ),
          pht('Whitelist 1.2.*.*'))
        ->addExample(
          array(
            '0.0.0.0/0',
          ),
          pht('Allow Any Host (Insecure!)')),
      $this->newOption('cluster.instance', 'string', null)
        ->setLocked(true)
        ->setSummary(pht('Instance identifier for multi-tenant clusters.'))
        ->setDescription(
          pht(
            'WARNING: This is a very advanced option, and only useful for '.
            'hosting providers running multi-tenant clusters.'.
            "\n\n".
            'If you provide an instance identifier here (normally by '.
            'injecting it with a `%s`), Phabricator will pass it to '.
            'subprocesses and commit hooks in the `%s` environmental variable.',
            'PhabricatorConfigSiteSource',
            'PHABRICATOR_INSTANCE')),
      $this->newOption('cluster.read-only', 'bool', false)
        ->setLocked(true)
        ->setSummary(
          pht(
            'Activate read-only mode for maintenance or disaster recovery.'))
        ->setDescription(
          pht(
            'WARNING: This is a prototype option and the description below '.
            'is currently pure fantasy.'.
            "\n\n".
            'Switch Phabricator to read-only mode. In this mode, users will '.
            'be unable to write new data. Normally, the cluster degrades '.
            'into this mode automatically when it detects that the database '.
            'master is unreachable, but you can activate it manually in '.
            'order to perform maintenance or test configuration.')),
      $this->newOption('cluster.databases', $databases_type, array())
        ->setHidden(true)
        ->setSummary(
          pht('Configure database read replicas.'))
        ->setDescription($databases_help),
    );
  }

}
Add `cluster.addresses` and require membership before accepting cluster authentication tokens Summary: Ref T2783. Ref T6706. - Add `cluster.addresses`. This is a whitelist of CIDR blocks which define cluster hosts. - When we recieve a request that has a cluster-based authentication token, require the cluster to be configured and require the remote address to be a cluster member before we accept it. - This provides a general layer of security for these mechanisms. - In particular, it means they do not work by default on unconfigured hosts. - When cluster addresses are configured, and we receive a request //to// an address not on the list, reject it. - This provides a general layer of security for getting the Ops side of cluster configuration correct. - If cluster nodes have public IPs and are listening on them, we'll reject requests. - Basically, this means that any requests which bypass the LB get rejected. Test Plan: - With addresses not configured, tried to make requests; rejected for using a cluster auth mechanism. - With addresses configred wrong, tried to make requests; rejected for sending from (or to) an address outside of the cluster. - With addresses configured correctly, made valid requests. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T6706, T2783 Differential Revision: https://secure.phabricator.com/D11159 2015-01-03 00:13:41 +01:00			`<?php`

			`final class PhabricatorClusterConfigOptions`
			`extends PhabricatorApplicationConfigOptions {`

			`public function getName() {`
			`return pht('Cluster Setup');`
			`}`

			`public function getDescription() {`
			`return pht('Configure Phabricator to run on a cluster of hosts.');`
			`}`

Move FontIcon calls to Icon Summary: Normalizes all `setFontIcon` calls to `setIcon`. Test Plan: UIExamples, Almanac, Apps list, etc. Reviewers: epriestley Reviewed By: epriestley Subscribers: Korvin, hach-que, yelirekim Differential Revision: https://secure.phabricator.com/D15129 2016-01-28 17:40:22 +01:00			`public function getIcon() {`
Use icons with Config Options page Summary: This sets an icon for each config, makes it easier to scan. Test Plan: Reload Config page, see all new icons {F281089} Reviewers: btrahan, epriestley Reviewed By: epriestley Subscribers: Korvin, epriestley Differential Revision: https://secure.phabricator.com/D11619 2015-02-02 19:17:25 +01:00			`return 'fa-sitemap';`
			`}`

Add getGroup to ConfigOptions Summary: Adds core and apps grouping to configuration options, makes it somewhat easier to browse config options. Test Plan: Set each option, review list. Breakdown is nearly 50/50 apps/core. Reviewers: btrahan, epriestley Reviewed By: epriestley Subscribers: Korvin, epriestley Differential Revision: https://secure.phabricator.com/D11722 2015-02-09 22:10:56 +01:00			`public function getGroup() {`
			`return 'core';`
			`}`

Add `cluster.addresses` and require membership before accepting cluster authentication tokens Summary: Ref T2783. Ref T6706. - Add `cluster.addresses`. This is a whitelist of CIDR blocks which define cluster hosts. - When we recieve a request that has a cluster-based authentication token, require the cluster to be configured and require the remote address to be a cluster member before we accept it. - This provides a general layer of security for these mechanisms. - In particular, it means they do not work by default on unconfigured hosts. - When cluster addresses are configured, and we receive a request //to// an address not on the list, reject it. - This provides a general layer of security for getting the Ops side of cluster configuration correct. - If cluster nodes have public IPs and are listening on them, we'll reject requests. - Basically, this means that any requests which bypass the LB get rejected. Test Plan: - With addresses not configured, tried to make requests; rejected for using a cluster auth mechanism. - With addresses configred wrong, tried to make requests; rejected for sending from (or to) an address outside of the cluster. - With addresses configured correctly, made valid requests. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T6706, T2783 Differential Revision: https://secure.phabricator.com/D11159 2015-01-03 00:13:41 +01:00			`public function getOptions() {`
Lay `cluster.databases` configuration groundwork for database clustering Summary: Ref T4571. This adds a new option which allows you to upgrade your one-host configuration to a multi-host configuration by configuring it. Doing this currently does nothing. I wrote a lot of words about what it is //supposed// to do in the future, though. Test Plan: - Tried to configure the option in all the possible bad ways, got errors. - Read documentation. Reviewers: chad Reviewed By: chad Subscribers: eadler Maniphest Tasks: T4571 Differential Revision: https://secure.phabricator.com/D15663 2016-04-09 14:41:08 +02:00			`$databases_type = 'custom:PhabricatorClusterDatabasesConfigOptionType';`
			`$databases_help = $this->deformat(pht(<<<EOTEXT`
			`WARNING: This is a prototype option and the description below is currently pure`
			`fantasy.`

			`This option allows you to make Phabricator aware of database read replicas so`
			`it can monitor database health, spread load, and degrade gracefully to`
			`read-only mode in the event of a failure on the primary host. For help with`
			`configuring cluster databases, see [[ %s \| %s ]] in the documentation.`
			`EOTEXT`
			`,`
			`PhabricatorEnv::getDoclink('Cluster: Databases'),`
			`pht('Cluster: Databases')));`

Add `cluster.addresses` and require membership before accepting cluster authentication tokens Summary: Ref T2783. Ref T6706. - Add `cluster.addresses`. This is a whitelist of CIDR blocks which define cluster hosts. - When we recieve a request that has a cluster-based authentication token, require the cluster to be configured and require the remote address to be a cluster member before we accept it. - This provides a general layer of security for these mechanisms. - In particular, it means they do not work by default on unconfigured hosts. - When cluster addresses are configured, and we receive a request //to// an address not on the list, reject it. - This provides a general layer of security for getting the Ops side of cluster configuration correct. - If cluster nodes have public IPs and are listening on them, we'll reject requests. - Basically, this means that any requests which bypass the LB get rejected. Test Plan: - With addresses not configured, tried to make requests; rejected for using a cluster auth mechanism. - With addresses configred wrong, tried to make requests; rejected for sending from (or to) an address outside of the cluster. - With addresses configured correctly, made valid requests. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T6706, T2783 Differential Revision: https://secure.phabricator.com/D11159 2015-01-03 00:13:41 +01:00			`return array(`
			`$this->newOption('cluster.addresses', 'list<string>', array())`
			`->setLocked(true)`
			`->setSummary(pht('Address ranges of cluster hosts.'))`
			`->setDescription(`
			`pht(`
			`'To allow Phabricator nodes to communicate with other nodes '.`
			`'in the cluster, provide an address whitelist of hosts that '.`
			`'are part of the cluster.'.`
			`"\n\n".`
			`'Hosts on this whitelist are permitted to use special cluster '.`
			`'mechanisms to authenticate requests. By default, these '.`
			`'mechanisms are disabled.'.`
			`"\n\n".`
			`'Define a list of CIDR blocks which whitelist all hosts in the '.`
			`'cluster. See the examples below for details.',`
			`"\n\n".`
			`'When cluster addresses are defined, Phabricator hosts will also '.`
			`'reject requests to interfaces which are not whitelisted.'))`
			`->addExample(`
			`array(`
			`'23.24.25.80/32',`
			`'23.24.25.81/32',`
			`),`
			`pht('Whitelist Specific Addresses'))`
			`->addExample(`
			`array(`
			`'1.2.3.0/24',`
			`),`
			`pht('Whitelist 1.2.3.*'))`
			`->addExample(`
			`array(`
			`'1.2.0.0/16',`
			`),`
			`pht('Whitelist 1.2..'))`
			`->addExample(`
			`array(`
			`'0.0.0.0/0',`
			`),`
			`pht('Allow Any Host (Insecure!)')),`
Promote instance identity to the upstream and pass it to commit hooks Summary: Fixes T7019. In a cluster environment, pushes currently fail because the commit hook can't identify the instance. For web processes, the hostname identifies the instance -- but we don't have a hostname in the hook. For CLI processes, the environment identifies the instance -- but we don't have an environment in the hook under SVN. Promote the instance identifier into the upstream and pack/unpack it explicitly for hooks. This is probably not useful for anyone but us, but the amount of special-purpose code we're introducing is very small. I poked at trying to do this in a more general way, but: - We MUST know this BEFORE we run code, so the normal subclassing stuff is useless. - I couldn't come up with any other parameter which might ever be useful to pass in. Test Plan: Used `git push` to push code through proxied HTTP, got a clean push. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T7019 Differential Revision: https://secure.phabricator.com/D11495 2015-01-27 23:51:48 +01:00			`$this->newOption('cluster.instance', 'string', null)`
			`->setLocked(true)`
			`->setSummary(pht('Instance identifier for multi-tenant clusters.'))`
			`->setDescription(`
			`pht(`
			`'WARNING: This is a very advanced option, and only useful for '.`
			`'hosting providers running multi-tenant clusters.'.`
			`"\n\n".`
			`'If you provide an instance identifier here (normally by '.`
phtize all the things Summary: `pht`ize a whole bunch of strings in rP. Test Plan: Intense eyeballing. Reviewers: #blessed_reviewers, epriestley Reviewed By: #blessed_reviewers, epriestley Subscribers: hach-que, Korvin, epriestley Differential Revision: https://secure.phabricator.com/D12797 2015-05-22 09:27:56 +02:00			'injecting it with a `%s`), Phabricator will pass it to '.
			'subprocesses and commit hooks in the `%s` environmental variable.',
			`'PhabricatorConfigSiteSource',`
			`'PHABRICATOR_INSTANCE')),`
Add a `cluster.read-only` option Summary: Ref T4571. There will be a very long path beyond this, but add a basic read-only mode. You can explicitly enable this to put Phabricator in a sort of "maintenance" mode today if you're swapping databases or something. In the long term, we'll automatically degrade into this mode if the master database is down. Test Plan: - Enabled read-only mode. - Browsed around. - Didn't immediately see anything that was totally 100% broken. Most stuff is 80-90% broken right now. For example: - Stuff like submitting comments doesn't work, and gives you a confusing, unhelpful error. - None of the UI really knows that it's read-only. EditEngine stuff should all hide itself and say "you can't add new comments while an install is in read-only mode", for example, but currently does not. Reviewers: chad Reviewed By: chad Maniphest Tasks: T4571 Differential Revision: https://secure.phabricator.com/D15662 2016-04-09 00:04:05 +02:00			`$this->newOption('cluster.read-only', 'bool', false)`
			`->setLocked(true)`
			`->setSummary(`
			`pht(`
			`'Activate read-only mode for maintenance or disaster recovery.'))`
			`->setDescription(`
			`pht(`
			`'WARNING: This is a prototype option and the description below '.`
			`'is currently pure fantasy.'.`
			`"\n\n".`
			`'Switch Phabricator to read-only mode. In this mode, users will '.`
			`'be unable to write new data. Normally, the cluster degrades '.`
			`'into this mode automatically when it detects that the database '.`
			`'master is unreachable, but you can activate it manually in '.`
			`'order to perform maintenance or test configuration.')),`
Lay `cluster.databases` configuration groundwork for database clustering Summary: Ref T4571. This adds a new option which allows you to upgrade your one-host configuration to a multi-host configuration by configuring it. Doing this currently does nothing. I wrote a lot of words about what it is //supposed// to do in the future, though. Test Plan: - Tried to configure the option in all the possible bad ways, got errors. - Read documentation. Reviewers: chad Reviewed By: chad Subscribers: eadler Maniphest Tasks: T4571 Differential Revision: https://secure.phabricator.com/D15663 2016-04-09 14:41:08 +02:00			`$this->newOption('cluster.databases', $databases_type, array())`
			`->setHidden(true)`
			`->setSummary(`
			`pht('Configure database read replicas.'))`
			`->setDescription($databases_help),`
Add `cluster.addresses` and require membership before accepting cluster authentication tokens Summary: Ref T2783. Ref T6706. - Add `cluster.addresses`. This is a whitelist of CIDR blocks which define cluster hosts. - When we recieve a request that has a cluster-based authentication token, require the cluster to be configured and require the remote address to be a cluster member before we accept it. - This provides a general layer of security for these mechanisms. - In particular, it means they do not work by default on unconfigured hosts. - When cluster addresses are configured, and we receive a request //to// an address not on the list, reject it. - This provides a general layer of security for getting the Ops side of cluster configuration correct. - If cluster nodes have public IPs and are listening on them, we'll reject requests. - Basically, this means that any requests which bypass the LB get rejected. Test Plan: - With addresses not configured, tried to make requests; rejected for using a cluster auth mechanism. - With addresses configred wrong, tried to make requests; rejected for sending from (or to) an address outside of the cluster. - With addresses configured correctly, made valid requests. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Maniphest Tasks: T6706, T2783 Differential Revision: https://secure.phabricator.com/D11159 2015-01-03 00:13:41 +01:00			`);`
			`}`

			`}`