No OneTemporary
Actions

Size

31 KB

Referenced Files

None

Subscribers

None

View Options

	diff --git a/src/applications/config/check/PhabricatorExtraConfigSetupCheck.php b/src/applications/config/check/PhabricatorExtraConfigSetupCheck.php
	index 932e04db4b..a742e3b82b 100644
	--- a/src/applications/config/check/PhabricatorExtraConfigSetupCheck.php
	+++ b/src/applications/config/check/PhabricatorExtraConfigSetupCheck.php
	@@ -1,446 +1,541 @@
	<?php

	final class PhabricatorExtraConfigSetupCheck extends PhabricatorSetupCheck {

	public function getDefaultGroup() {
	return self::GROUP_OTHER;
	}

	protected function executeChecks() {
	$ancient_config = self::getAncientConfig();

	$all_keys = PhabricatorEnv::getAllConfigKeys();
	$all_keys = array_keys($all_keys);
	sort($all_keys);

	$defined_keys = PhabricatorApplicationConfigOptions::loadAllOptions();

	+ $stack = PhabricatorEnv::getConfigSourceStack();
	+ $stack = $stack->getStack();
	+
	foreach ($all_keys as $key) {
	if (isset($defined_keys[$key])) {
	continue;
	}

	if (isset($ancient_config[$key])) {
	$summary = pht(
	'This option has been removed. You may delete it at your '.
	'convenience.');
	$message = pht(
	"The configuration option '%s' has been removed. You may delete ".
	"it at your convenience.".
	"\n\n%s",
	$key,
	$ancient_config[$key]);
	$short = pht('Obsolete Config');
	$name = pht('Obsolete Configuration Option "%s"', $key);
	} else {
	$summary = pht('This option is not recognized. It may be misspelled.');
	$message = pht(
	"The configuration option '%s' is not recognized. It may be ".
	"misspelled, or it might have existed in an older version of ".
	"Phabricator. It has no effect, and should be corrected or deleted.",
	$key);
	$short = pht('Unknown Config');
	$name = pht('Unknown Configuration Option "%s"', $key);
	}

	$issue = $this->newIssue('config.unknown.'.$key)
	->setShortName($short)
	->setName($name)
	->setSummary($summary);

	- $stack = PhabricatorEnv::getConfigSourceStack();
	- $stack = $stack->getStack();
	-
	$found = array();
	$found_local = false;
	$found_database = false;

	foreach ($stack as $source_key => $source) {
	$value = $source->getKeys(array($key));
	if ($value) {
	$found[] = $source->getName();
	if ($source instanceof PhabricatorConfigDatabaseSource) {
	$found_database = true;
	}
	if ($source instanceof PhabricatorConfigLocalSource) {
	$found_local = true;
	}
	}
	}

	$message = $message."\n\n".pht(
	'This configuration value is defined in these %d '.
	'configuration source(s): %s.',
	count($found),
	implode(', ', $found));
	$issue->setMessage($message);

	if ($found_local) {
	$command = csprintf('phabricator/ $ ./bin/config delete %s', $key);
	$issue->addCommand($command);
	}

	if ($found_database) {
	$issue->addPhabricatorConfig($key);
	}
	}

	+ $options = PhabricatorApplicationConfigOptions::loadAllOptions();
	+ foreach ($defined_keys as $key => $value) {
	+ $option = idx($options, $key);
	+ if (!$option) {
	+ continue;
	+ }
	+
	+ if (!$option->getLocked()) {
	+ continue;
	+ }
	+
	+ $found_database = false;
	+ foreach ($stack as $source_key => $source) {
	+ $value = $source->getKeys(array($key));
	+ if ($value) {
	+ if ($source instanceof PhabricatorConfigDatabaseSource) {
	+ $found_database = true;
	+ break;
	+ }
	+ }
	+ }
	+
	+ if (!$found_database) {
	+ continue;
	+ }
	+
	+ // NOTE: These are values which we don't let you edit directly, but edit
	+ // via other UI workflows. For now, don't raise this warning about them.
	+ // In the future, before we stop reading database configuration for
	+ // locked values, we either need to add a flag which lets these values
	+ // continue reading from the database or move them to some other storage
	+ // mechanism.
	+ $soft_locks = array(
	+ 'phabricator.uninstalled-applications',
	+ 'phabricator.application-settings',
	+ 'config.ignore-issues',
	+ );
	+ $soft_locks = array_fuse($soft_locks);
	+ if (isset($soft_locks[$key])) {
	+ continue;
	+ }
	+
	+ $doc_name = 'Configuration Guide: Locked and Hidden Configuration';
	+ $doc_href = PhabricatorEnv::getDoclink($doc_name);
	+
	+ $set_command = phutil_tag(
	+ 'tt',
	+ array(),
	+ csprintf(
	+ 'bin/config set %R <value>',
	+ $key));
	+
	+ $summary = pht(
	+ 'Configuration value "%s" is locked, but has a value in the database.',
	+ $key);
	+ $message = pht(
	+ 'The configuration value "%s" is locked (so it can not be edited '.
	+ 'from the web UI), but has a database value. Usually, this means '.
	+ 'that it was previously not locked, you set it using the web UI, '.
	+ 'and it later became locked.'.
	+ "\n\n".
	+ 'You should copy this configuration value in a local configuration '.
	+ 'source (usually by using %s) and then remove it from the database '.
	+ 'with the command below.'.
	+ "\n\n".
	+ 'For more information on locked and hidden configuration, including '.
	+ 'details about this setup issue, see %s.'.
	+ "\n\n".
	+ 'This database value is currently respected, but a future version '.
	+ 'of Phabricator will stop respecting database values for locked '.
	+ 'configuration options.',
	+ $key,
	+ $set_command,
	+ phutil_tag(
	+ 'a',
	+ array(
	+ 'href' => $doc_href,
	+ 'target' => '_blank',
	+ ),
	+ $doc_name));
	+ $command = csprintf(
	+ 'phabricator/ $ ./bin/config delete --database %R',
	+ $key);
	+
	+ $this->newIssue('config.locked.'.$key)
	+ ->setShortName(pht('Deprecated Config Source'))
	+ ->setName(
	+ pht(
	+ 'Locked Configuration Option "%s" Has Database Value',
	+ $key))
	+ ->setSummary($summary)
	+ ->setMessage($message)
	+ ->addCommand($command)
	+ ->addPhabricatorConfig($key);
	+ }

	if (PhabricatorEnv::getEnvConfig('feed.http-hooks')) {
	$this->newIssue('config.deprecated.feed.http-hooks')
	->setShortName(pht('Feed Hooks Deprecated'))
	->setName(pht('Migrate From "feed.http-hooks" to Webhooks'))
	->addPhabricatorConfig('feed.http-hooks')
	->setMessage(
	pht(
	'The "feed.http-hooks" option is deprecated in favor of '.
	'Webhooks. This option will be removed in a future version '.
	'of Phabricator.'.
	"\n\n".
	'You can configure Webhooks in Herald.'.
	"\n\n".
	'To resolve this issue, remove all URIs from "feed.http-hooks".'));
	}

	}

	/**
	* Return a map of deleted config options. Keys are option keys; values are
	* explanations of what happened to the option.
	*/
	public static function getAncientConfig() {
	$reason_auth = pht(
	'This option has been migrated to the "Auth" application. Your old '.
	'configuration is still in effect, but now stored in "Auth" instead of '.
	'configuration. Going forward, you can manage authentication from '.
	'the web UI.');

	$auth_config = array(
	'controller.oauth-registration',
	'auth.password-auth-enabled',
	'facebook.auth-enabled',
	'facebook.registration-enabled',
	'facebook.auth-permanent',
	'facebook.application-id',
	'facebook.application-secret',
	'facebook.require-https-auth',
	'github.auth-enabled',
	'github.registration-enabled',
	'github.auth-permanent',
	'github.application-id',
	'github.application-secret',
	'google.auth-enabled',
	'google.registration-enabled',
	'google.auth-permanent',
	'google.application-id',
	'google.application-secret',
	'ldap.auth-enabled',
	'ldap.hostname',
	'ldap.port',
	'ldap.base_dn',
	'ldap.search_attribute',
	'ldap.search-first',
	'ldap.username-attribute',
	'ldap.real_name_attributes',
	'ldap.activedirectory_domain',
	'ldap.version',
	'ldap.referrals',
	'ldap.anonymous-user-name',
	'ldap.anonymous-user-password',
	'ldap.start-tls',
	'disqus.auth-enabled',
	'disqus.registration-enabled',
	'disqus.auth-permanent',
	'disqus.application-id',
	'disqus.application-secret',
	'phabricator.oauth-uri',
	'phabricator.auth-enabled',
	'phabricator.registration-enabled',
	'phabricator.auth-permanent',
	'phabricator.application-id',
	'phabricator.application-secret',
	);

	$ancient_config = array_fill_keys($auth_config, $reason_auth);

	$markup_reason = pht(
	'Custom remarkup rules are now added by subclassing '.
	'%s or %s.',
	'PhabricatorRemarkupCustomInlineRule',
	'PhabricatorRemarkupCustomBlockRule');

	$session_reason = pht(
	'Sessions now expire and are garbage collected rather than having an '.
	'arbitrary concurrency limit.');

	$differential_field_reason = pht(
	'All Differential fields are now managed through the configuration '.
	'option "%s". Use that option to configure which fields are shown.',
	'differential.fields');

	$reply_domain_reason = pht(
	'Individual application reply handler domains have been removed. '.
	'Configure a reply domain with "%s".',
	'metamta.reply-handler-domain');

	$reply_handler_reason = pht(
	'Reply handlers can no longer be overridden with configuration.');

	$monospace_reason = pht(
	'Phabricator no longer supports global customization of monospaced '.
	'fonts.');

	$public_mail_reason = pht(
	'Inbound mail addresses are now configured for each application '.
	'in the Applications tool.');

	$gc_reason = pht(
	'Garbage collectors are now configured with "%s".',
	'bin/garbage set-policy');

	$aphlict_reason = pht(
	'Configuration of the notification server has changed substantially. '.
	'For discussion, see T10794.');

	$stale_reason = pht(
	'The Differential revision list view age UI elements have been removed '.
	'to simplify the interface.');

	$global_settings_reason = pht(
	'The "Re: Prefix" and "Vary Subjects" settings are now configured '.
	'in global settings.');

	$dashboard_reason = pht(
	'This option has been removed, you can use Dashboards to provide '.
	'homepage customization. See T11533 for more details.');

	$elastic_reason = pht(
	'Elasticsearch is now configured with "%s".',
	'cluster.search');

	$mailers_reason = pht(
	'Inbound and outbound mail is now configured with "cluster.mailers".');

	$prefix_reason = pht(
	'Per-application mail subject prefix customization is no longer '.
	'directly supported. Prefixes and other strings may be customized with '.
	'"translation.override".');

	$ancient_config += array(
	'phid.external-loaders' =>
	pht(
	'External loaders have been replaced. Extend `%s` '.
	'to implement new PHID and handle types.',
	'PhabricatorPHIDType'),
	'maniphest.custom-task-extensions-class' =>
	pht(
	'Maniphest fields are now loaded automatically. '.
	'You can configure them with `%s`.',
	'maniphest.fields'),
	'maniphest.custom-fields' =>
	pht(
	'Maniphest fields are now defined in `%s`. '.
	'Existing definitions have been migrated.',
	'maniphest.custom-field-definitions'),
	'differential.custom-remarkup-rules' => $markup_reason,
	'differential.custom-remarkup-block-rules' => $markup_reason,
	'auth.sshkeys.enabled' => pht(
	'SSH keys are now actually useful, so they are always enabled.'),
	'differential.anonymous-access' => pht(
	'Phabricator now has meaningful global access controls. See `%s`.',
	'policy.allow-public'),
	'celerity.resource-path' => pht(
	'An alternate resource map is no longer supported. Instead, use '.
	'multiple maps. See T4222.'),
	'metamta.send-immediately' => pht(
	'Mail is now always delivered by the daemons.'),
	'auth.sessions.conduit' => $session_reason,
	'auth.sessions.web' => $session_reason,
	'tokenizer.ondemand' => pht(
	'Phabricator now manages typeahead strategies automatically.'),
	'differential.revision-custom-detail-renderer' => pht(
	'Obsolete; use standard rendering events instead.'),
	'differential.show-host-field' => $differential_field_reason,
	'differential.show-test-plan-field' => $differential_field_reason,
	'differential.field-selector' => $differential_field_reason,
	'phabricator.show-beta-applications' => pht(
	'This option has been renamed to `%s` to emphasize the '.
	'unfinished nature of many prototype applications. '.
	'Your existing setting has been migrated.',
	'phabricator.show-prototypes'),
	'notification.user' => pht(
	'The notification server no longer requires root permissions. Start '.
	'the server as the user you want it to run under.'),
	'notification.debug' => pht(
	'Notifications no longer have a dedicated debugging mode.'),
	'translation.provider' => pht(
	'The translation implementation has changed and providers are no '.
	'longer used or supported.'),
	'config.mask' => pht(
	'Use `%s` instead of this option.',
	'config.hide'),
	'phd.start-taskmasters' => pht(
	'Taskmasters now use an autoscaling pool. You can configure the '.
	'pool size with `%s`.',
	'phd.taskmasters'),
	'storage.engine-selector' => pht(
	'Phabricator now automatically discovers available storage engines '.
	'at runtime.'),
	'storage.upload-size-limit' => pht(
	'Phabricator now supports arbitrarily large files. Consult the '.
	'documentation for configuration details.'),
	'security.allow-outbound-http' => pht(
	'This option has been replaced with the more granular option `%s`.',
	'security.outbound-blacklist'),
	'metamta.reply.show-hints' => pht(
	'Phabricator no longer shows reply hints in mail.'),

	'metamta.differential.reply-handler-domain' => $reply_domain_reason,
	'metamta.diffusion.reply-handler-domain' => $reply_domain_reason,
	'metamta.macro.reply-handler-domain' => $reply_domain_reason,
	'metamta.maniphest.reply-handler-domain' => $reply_domain_reason,
	'metamta.pholio.reply-handler-domain' => $reply_domain_reason,

	'metamta.diffusion.reply-handler' => $reply_handler_reason,
	'metamta.differential.reply-handler' => $reply_handler_reason,
	'metamta.maniphest.reply-handler' => $reply_handler_reason,
	'metamta.package.reply-handler' => $reply_handler_reason,

	'metamta.precedence-bulk' => pht(
	'Phabricator now always sends transaction mail with '.
	'"Precedence: bulk" to improve deliverability.'),

	'style.monospace' => $monospace_reason,
	'style.monospace.windows' => $monospace_reason,

	'search.engine-selector' => pht(
	'Phabricator now automatically discovers available search engines '.
	'at runtime.'),

	'metamta.files.public-create-email' => $public_mail_reason,
	'metamta.maniphest.public-create-email' => $public_mail_reason,
	'metamta.maniphest.default-public-author' => $public_mail_reason,
	'metamta.paste.public-create-email' => $public_mail_reason,

	'security.allow-conduit-act-as-user' => pht(
	'Impersonating users over the API is no longer supported.'),

	'feed.public' => pht('The framable public feed is no longer supported.'),

	'auth.login-message' => pht(
	'This configuration option has been replaced with a modular '.
	'handler. See T9346.'),

	'gcdaemon.ttl.herald-transcripts' => $gc_reason,
	'gcdaemon.ttl.daemon-logs' => $gc_reason,
	'gcdaemon.ttl.differential-parse-cache' => $gc_reason,
	'gcdaemon.ttl.markup-cache' => $gc_reason,
	'gcdaemon.ttl.task-archive' => $gc_reason,
	'gcdaemon.ttl.general-cache' => $gc_reason,
	'gcdaemon.ttl.conduit-logs' => $gc_reason,

	'phd.variant-config' => pht(
	'This configuration is no longer relevant because daemons '.
	'restart automatically on configuration changes.'),

	'notification.ssl-cert' => $aphlict_reason,
	'notification.ssl-key' => $aphlict_reason,
	'notification.pidfile' => $aphlict_reason,
	'notification.log' => $aphlict_reason,
	'notification.enabled' => $aphlict_reason,
	'notification.client-uri' => $aphlict_reason,
	'notification.server-uri' => $aphlict_reason,

	'metamta.differential.unified-comment-context' => pht(
	'Inline comments are now always rendered with a limited amount '.
	'of context.'),

	'differential.days-fresh' => $stale_reason,
	'differential.days-stale' => $stale_reason,

	'metamta.re-prefix' => $global_settings_reason,
	'metamta.vary-subjects' => $global_settings_reason,

	'ui.custom-header' => pht(
	'This option has been replaced with `ui.logo`, which provides more '.
	'flexible configuration options.'),

	'welcome.html' => $dashboard_reason,
	'maniphest.priorities.unbreak-now' => $dashboard_reason,
	'maniphest.priorities.needs-triage' => $dashboard_reason,

	'mysql.implementation' => pht(
	'Phabricator now automatically selects the best available '.
	'MySQL implementation.'),

	'mysql.configuration-provider' => pht(
	'Phabricator now has application-level management of partitioning '.
	'and replicas.'),

	'search.elastic.host' => $elastic_reason,
	'search.elastic.namespace' => $elastic_reason,

	'metamta.mail-adapter' => $mailers_reason,
	'amazon-ses.access-key' => $mailers_reason,
	'amazon-ses.secret-key' => $mailers_reason,
	'amazon-ses.endpoint' => $mailers_reason,
	'mailgun.domain' => $mailers_reason,
	'mailgun.api-key' => $mailers_reason,
	'phpmailer.mailer' => $mailers_reason,
	'phpmailer.smtp-host' => $mailers_reason,
	'phpmailer.smtp-port' => $mailers_reason,
	'phpmailer.smtp-protocol' => $mailers_reason,
	'phpmailer.smtp-user' => $mailers_reason,
	'phpmailer.smtp-password' => $mailers_reason,
	'phpmailer.smtp-encoding' => $mailers_reason,
	'sendgrid.api-user' => $mailers_reason,
	'sendgrid.api-key' => $mailers_reason,

	'celerity.resource-hash' => pht(
	'This option generally did not prove useful. Resource hash keys '.
	'are now managed automatically.'),
	'celerity.enable-deflate' => pht(
	'Resource deflation is now managed automatically.'),
	'celerity.minify' => pht(
	'Resource minification is now managed automatically.'),

	'metamta.domain' => pht(
	'Mail thread IDs are now generated automatically.'),
	'metamta.placeholder-to-recipient' => pht(
	'Placeholder recipients are now generated automatically.'),

	'metamta.mail-key' => pht(
	'Mail object address hash keys are now generated automatically.'),

	'phabricator.csrf-key' => pht(
	'CSRF HMAC keys are now managed automatically.'),

	'metamta.insecure-auth-with-reply-to' => pht(
	'Authenticating users based on "Reply-To" is no longer supported.'),

	'phabricator.allow-email-users' => pht(
	'Public email is now accepted if the associated address has a '.
	'default author, and rejected otherwise.'),

	'metamta.conpherence.subject-prefix' => $prefix_reason,
	'metamta.differential.subject-prefix' => $prefix_reason,
	'metamta.diffusion.subject-prefix' => $prefix_reason,
	'metamta.files.subject-prefix' => $prefix_reason,
	'metamta.legalpad.subject-prefix' => $prefix_reason,
	'metamta.macro.subject-prefix' => $prefix_reason,
	'metamta.maniphest.subject-prefix' => $prefix_reason,
	'metamta.package.subject-prefix' => $prefix_reason,
	'metamta.paste.subject-prefix' => $prefix_reason,
	'metamta.pholio.subject-prefix' => $prefix_reason,
	'metamta.phriction.subject-prefix' => $prefix_reason,

	'aphront.default-application-configuration-class' => pht(
	'This ancient extension point has been replaced with other '.
	'mechanisms, including "AphrontSite".'),

	);

	return $ancient_config;
	}

	}
	diff --git a/src/applications/config/option/PhabricatorPHDConfigOptions.php b/src/applications/config/option/PhabricatorPHDConfigOptions.php
	index 37fae45dfb..e04353876a 100644
	--- a/src/applications/config/option/PhabricatorPHDConfigOptions.php
	+++ b/src/applications/config/option/PhabricatorPHDConfigOptions.php
	@@ -1,100 +1,105 @@
	<?php

	final class PhabricatorPHDConfigOptions
	extends PhabricatorApplicationConfigOptions {

	public function getName() {
	return pht('Daemons');
	}

	public function getDescription() {
	return pht('Options relating to PHD (daemons).');
	}

	public function getIcon() {
	return 'fa-pied-piper-alt';
	}

	public function getGroup() {
	return 'core';
	}

	public function getOptions() {
	return array(
	$this->newOption('phd.pid-directory', 'string', '/var/tmp/phd/pid')
	->setLocked(true)
	->setDescription(
	pht('Directory that phd should use to track running daemons.')),
	$this->newOption('phd.log-directory', 'string', '/var/tmp/phd/log')
	->setLocked(true)
	->setDescription(
	pht('Directory that the daemons should use to store log files.')),
	$this->newOption('phd.taskmasters', 'int', 4)
	->setLocked(true)
	->setSummary(pht('Maximum taskmaster daemon pool size.'))
	->setDescription(
	pht(
	"Maximum number of taskmaster daemons to run at once. Raising ".
	"this can increase the maximum throughput of the task queue. The ".
	"pool will automatically scale down when unutilized.".
	"\n\n".
	"If you are running a cluster, this limit applies separately ".
	"to each instance of `phd`. For example, if this limit is set ".
	"to `4` and you have three hosts running daemons, the effective ".
	- "global limit will be 12.")),
	+ "global limit will be 12.".
	+ "\n\n".
	+ "After changing this value, you must restart the daemons. Most ".
	+ "configuration changes are picked up by the daemons ".
	+ "automatically, but pool sizes can not be changed without a ".
	+ "restart.")),
	$this->newOption('phd.verbose', 'bool', false)
	->setLocked(true)
	->setBoolOptions(
	array(
	pht('Verbose mode'),
	pht('Normal mode'),
	))
	->setSummary(pht("Launch daemons in 'verbose' mode by default."))
	->setDescription(
	pht(
	"Launch daemons in 'verbose' mode by default. This creates a lot ".
	"of output, but can help debug issues. Daemons launched in debug ".
	"mode with '%s' are always launched in verbose mode. ".
	"See also '%s'.",
	'phd debug',
	'phd.trace')),
	$this->newOption('phd.user', 'string', null)
	->setLocked(true)
	->setSummary(pht('System user to run daemons as.'))
	->setDescription(
	pht(
	'Specify a system user to run the daemons as. Primarily, this '.
	'user will own the working copies of any repositories that '.
	'Phabricator imports or manages. This option is new and '.
	'experimental.')),
	$this->newOption('phd.trace', 'bool', false)
	->setLocked(true)
	->setBoolOptions(
	array(
	pht('Trace mode'),
	pht('Normal mode'),
	))
	->setSummary(pht("Launch daemons in 'trace' mode by default."))
	->setDescription(
	pht(
	"Launch daemons in 'trace' mode by default. This creates an ".
	"ENORMOUS amount of output, but can help debug issues. Daemons ".
	"launched in debug mode with '%s' are always launched in ".
	"trace mode. See also '%s'.",
	'phd debug',
	'phd.verbose')),
	$this->newOption('phd.garbage-collection', 'wild', array())
	->setLocked(true)
	->setLockedMessage(
	pht(
	'This option can not be edited from the web UI. Use %s to adjust '.
	'garbage collector policies.',
	phutil_tag('tt', array(), 'bin/garbage set-policy')))
	->setSummary(pht('Retention policies for garbage collection.'))
	->setDescription(
	pht(
	'Customizes retention policies for garbage collectors.')),
	);
	}

	}
	diff --git a/src/docs/user/configuration/configuration_locked.diviner b/src/docs/user/configuration/configuration_locked.diviner
	index 958124c381..f96adc2d82 100644
	--- a/src/docs/user/configuration/configuration_locked.diviner
	+++ b/src/docs/user/configuration/configuration_locked.diviner
	@@ -1,121 +1,170 @@
	@title Configuration Guide: Locked and Hidden Configuration
	@group config

	Details about locked and hidden configuration.


	Overview
	========

	Some configuration options are Locked or Hidden. If an option has one
	of these attributes, it means:

	- Locked Configuration: This setting can not be written from the web UI.
	- Hidden Configuration: This setting can not be read or written from
	the web UI.

	This document explains these attributes in more detail.


	Locked Configuration
	====================

	Locked Configuration can not be edited from the web UI. In general, you
	can edit it from the CLI instead, with `bin/config`:

	```
	phabricator/ $ ./bin/config set <key> <value>
	```

	Some configuration options take complicated values which can be difficult
	to escape properly for the shell. The easiest way to set these options is
	to use the `--stdin` flag. First, put your desired value in a `config.json`
	file:

	```name=config.json, lang=json
	{
	"duck": "quack",
	"cow": "moo"
	}
	```

	Then, set it with `--stdin` like this:

	```
	phabricator/ $ ./bin/config set <key> --stdin < config.json
	```

	A few settings have alternate CLI tools. Refer to the setting page for
	details.

	Note that these settings can not be written to the database, even from the
	CLI.

	Locked values can not be unlocked: they are locked because of what the setting
	does or how the setting operates. Some of the reasons configuration options are
	locked include:


	Required for bootstrapping: Some options, like `mysql.host`, must be
	available before Phabricator can read configuration from the database.

	If you stored `mysql.host` only in the database, Phabricator would not know how
	to connect to the database in order to read the value in the first place.

	These options must be provided in a configuration source which is read earlier
	in the bootstrapping process, before Phabricator connects to the database.


	Errors could not be fixed from the web UI: Some options, like
	`phabricator.base-uri`, can effectively disable the web UI if they are
	configured incorrectly.

	If these options could be configured from the web UI, you could not fix them if
	you made a mistake (because the web UI would no longer work, so you could not
	load the page to change the value).

	We require these options to be edited from the CLI to make sure the editor has
	access to fix any mistakes.


	Attackers could gain greater access: Some options could be modified by an
	attacker who has gained access to an administrator account in order to gain
	greater access.

	For example, an attacker who could modify `cluster.mailers` (and other
	similar options), could potentially reconfigure Phabricator to send mail
	through an evil server they controlled, then trigger password resets on other
	user accounts to compromise them.

	We require these options to be edited from the CLI to make sure the editor
	has full access to the install.


	Hidden Configuration
	====================

	Hidden Configuration is similar to locked configuration, but also can not
	be //read// from the web UI.

	In almost all cases, configuration is hidden because it is some sort of secret
	key or access token for an external service. These values are hidden from the
	web UI to prevent administrators (or attackers who have compromised
	administrator accounts) from reading them.

	You can review (and edit) hidden configuration from the CLI:

	```
	phabricator/ $ ./bin/config get <key>
	phabricator/ $ ./bin/config set <key> <value>

	```


	+Locked Configuration With Database Values
	+=========================================
	+
	+You may receive a setup issue warning you that a locked configuration key has a
	+value set in the database. Most commonly, this is because:
	+
	+ - In some earlier version of Phabricator, this configuration was not locked.
	+ - In the past, you or some other administrator used the web UI to set a
	+ value. This value was written to the database.
	+ - In a later version of the software, the value became locked.
	+
	+When Phabricator was originally released, locked configuration did not yet
	+exist. Locked configuration was introduced later, and then configuration options
	+were gradually locked for a long time after that.
	+
	+In some cases the meaning of a value changed and it became possible to use it
	+to break an install or the configuration became a security risk. In other
	+cases, we identified an existing security risk or arrived at some other reason
	+to lock the value.
	+
	+Locking values was more common in the past, and it is now relatively rare for
	+an unlocked value to become locked: when new values are introduced, they are
	+generally locked or hidden appropriately. In most cases, this setup issue only
	+affects installs that have used Phabricator for a long time.
	+
	+At time of writing (February 2019), Phabricator currently respects these old
	+database values. However, some future version of Phabricator will refuse to
	+read locked configuration from the database, because this improves security if
	+an attacker manages to find a way to bypass restrictions on editing locked
	+configuration from the web UI.
	+
	+To clear this setup warning and avoid surprise behavioral changes in the future,
	+you should move these configuration values from the database to a local config
	+file. Usually, you'll do this by first copying the value from the database:
	+
	+```
	+phabricator/ $ ./bin/config set <key> <value>
	+```
	+
	+...and then removing the database value:
	+
	+```
	+phabricator/ $ ./bin/config delete --database <key>
	+```
	+
	+See @{Configuration User Guide: Advanced Configuration} for some more detailed
	+discussion of different configuration sources.
	+
	+
	Next Steps
	==========

	Continue by:

	- learning more about advanced options with
	@{Configuration User Guide: Advanced Configuration}; or
	- returning to the @{article: Configuration Guide}.

File Metadata

Mime Type: text/x-diff
Expires: Thu, Nov 13, 9:18 PM (15 h, 48 m)
Storage Engine: blob
Storage Format: Raw Data
Storage Handle: 336555
Default Alt Text: (31 KB)

No OneTemporaryActions

View Options

File Metadata

Event Timeline

No OneTemporary
Actions