Managing Instances
Phacility User Documentation (Administrating Instances)
Guide to managing instances using the web tools.
You can manage Phabricator instances hosted by Phacility by using the web UI tools located at admin.phacility.com.
This document walks through these tools and their capabilities.
Administrators have some special powers on the instance itself, but they can not perform instance management actions like editing billing, accessing support, or disabling the instance.
The Instances application is a set of web UI tools for managing Phabricator instances in the Phacility cluster. In general, you'll access the main management screen for an instance by browsing to admin.phacility.com, then choosing the instance you want to manage:
- admin.phacility.com → Choose an Instance
To edit an instance or perform other administrative actions, a user must be a member of the billing account associated with the instance. In particular, being an administrator on the instance does not give users the power to manage the instance itself, only administrative powers within the context of the instance.
To let other users make changes to an instance, you must explicitly grant them this permission by adding them to the billing account for the instance.
You can edit members of the billing account by navigating to:
- Billing → Edit Account
Adding users here gives them total control over all instances attached to the billing account: for example, they can invite users or disable the instance.
If you manage multiple instances, note that this will also give them power over all of the instances associated with that billing account.
You can improve the security of your instance by configuring multi-factor auth for your account (and having any other administrators configure it for themselves). You can do this in:
- Settings → Multi-Factor Auth
Once multi-factor auth is configured, you'll be prompted to enter a secondary authentication factor (normally, a code displayed on your phone) when logging in or taking sensitive actions (like adding members or disabling an instance).
This helps protect your instance against account compromise by limiting what an attacker who compromises a session (for example, by stealing a laptop) can actually do with it.
To invite new members, use Members. You can view current members and pending invites.
If you send an invite by mistake, you can cancel it from:
- Members → Choose a Member → Cancel Invitation
You can disable a user or make them an administrator from the instance itself. The user's state will automatically synchronize back to the administrative console.
To quickly find a user's profile from the administrative console, do this:
- Members → Choose a Member → View Profile
This will take you to their profile on the instance itself, and let you make changes to their instance account (provided your account has administration privileges on the instance).
Note that making a user an administrator on the instance does not let them manage the instance in the instance console; see above for discussion.
If a user loses their phone, you can strip multi-factor authentication from their instance account:
- Members → Choose a Member → Strip Multi-Factor Auth
This is equivalent to running bin/auth strip from the command line.
Before stripping multi-factor auth, you should be certain the user is who they claim to be, not an attacker claiming to be that user: it is easier to pretend you have lost your phone than it is to steal someone's phone. You can find more specific discussion of stripping MFA in the main Phabricator documentation: User Guide: Multi-Factor Authentication.
Note that MFA on an instance account is not directly tied to MFA on a Phacility account. Stripping instance MFA won't strip Phacility MFA, and vice versa.
Most Phabricator configuration can be edited from the web UI on your instance, using the Config application.
Some Phabricator configuration is locked and can not be edited from the web UI. This configuration mostly breaks down into three categories:
1. Options with major security or safety implications (editing them would let an attacker compromise an instance, or would break an instance).
2. Options with only one reasonable value (these options have automatically been set to whatever value makes them work in the Phacility cluster, and they can not be edited).
3. Options with minor security/safety implications.
Some of the options in group (3) can be edited from the administrative console:
- Configuration → Choose an Option
If you can't edit an option that you'd like to be able to edit, let us know. We may be able to add it. See Phacility Support.
You can manually restart daemons from the instance console:
- Configuration → Restart Daemons
This is mostly useful to clear setup warnings after changing instance configuration. Daemons will be restarted periodically as part of normal cluster operations.
You can disable an instance at any time via the web UI. This will immediately terminate service for the instance and access for all members.
- Billing → Disable Instance
For details on exactly what this does and more information on terminating service, see Terminating Service.