Help:Access policies

From Wikitech

All users of Wikimedia Cloud Services are required to abide by the Cloud Services Terms of Use.

In addition to standard in-project permissions, volunteers interested in working on the cloud infrastructure itself may apply for additional, elevated permissions.

Project Types

For the purposes of this discussion, there are four kinds of OpenStack projects:

  • "Normal" projects whose influence does not extend outside their own VMs. Access to these projects is not covered in this document and is left to the existing administrators of each project.
  • Tools: the Toolforge project
  • Cloudinfra: the project that contains services that support or act on all other VMs, including cloud-wide puppetmasters
  • "Special" projects: other projects which have wide-reaching effects on all services, e.g. ‘project-proxy’.

Access Types

There are several forms of escalated access that we can grant to users. Each should be considered a separate escalation, although in some cases there is overlap in the capabilities of each:

  • Access to a Special project
  • Tool root: Users who need to do administrative work in Toolforge
  • Cloud-wide root: root key in labs/private, membership in the "cloudinfra" project
  • Cloud admin: membership in "admin" project and "admin" role on the OpenStack default domain (granting admin access on all projects)

Application Process

Volunteers can apply to have one of the above roles granted via a Phabricator ticket. This request will be communicated to the existing group of people with similar privileges (the easiest way to do this is to send an email to the cloud-admin mailing list) and to the Trust and Safety team, and a one-week comment period will be observed. If there are no strong objections, then anyone other than the applicant may implement the rights change. (Note that this means that a volunteer is allowed to escalate the rights of another volunteer, presuming general agreement from staff and others during the waiting period.)


In addition to the above approval process, volunteers with escalated rights must:

Expiration or Revocation of Special Rights

Special permissions may be removed for any of the following reasons:

  • End of employment with the Wikimedia Foundation (if applicable), unless the employee intends to continue as a volunteer
  • User is idle and unreachable by other cloudadmins
  • Unapproved escalation of privileges for self or others
  • Pattern of complaint from multiple other staff or volunteers
  • Violation of the Cloud Services Terms of Use
  • Request by Wikimedia Foundation legal or security staff
  • Compromised account (this will result in temporary removal of rights until the account is secured.)