In addition to standard in-project permissions, volunteers interested in working on the cloud infrastructure itself may apply for additional, elevated permissions.
For the purposes of this discussion, there are four kinds of OpenStack projects:
- "Normal" projects whose influence does not extend outside their own VMs. This is not covered in this document and is just up to the existing administrators of the project.
- Tools: the Toolforge project
- Cloudinfra: the project that contains services that support or act on all other VMs, including cloud-wide puppetmasters
- "Special" projects: other projects which have wide-reaching effects on all services, e.g. "project-proxy".
There are several forms of escalated access that we can grant to users. Each should be considered a separate escalation, although in some cases there is overlap in the capabilities of each:
- Access to a Special project
- Tool root: Users who need to do administrative work in Toolforge
- Cloud-wide root: root key in labs/private, membership in the "cloudinfra" project
- Cloud admin: membership in "admin" project and "admin" role on the OpenStack default domain (granting admin access on all projects)
Volunteers can apply to have one of the above roles granted via a Phabricator ticket. This request will be communicated to the existing group of people with similar privileges (the easiest way to do this is to send an email to the cloud-admin mailing list) and to the Trust and Safety team, and a one-week comment period will be observed. If there are no strong objections, then anyone other than the applicant may implement the rights change. (Note that this means that a volunteer is allowed to escalate the rights of another volunteer, presuming general agreement from staff and others during the waiting period.)
In addition to the above approval process, volunteers with escalated rights must:
- Be users of Cloud VPS or Toolforge in good standing for at least three months
- Comply with the Wikimedia Foundation policy on access to nonpublic data
- Subscribe to and read the cloud-admin mailing list
- Agree to abide by the Cloud Services social norms
- Maintain an email address that will be responded to within a week in case of issues that require immediate attention.
Expiration or Revocation of Special Rights
Special permissions may be removed for any of the following reasons:
- End of employment with the Wikimedia Foundation (if applicable), unless the employee intends to continue as a volunteer
- User is idle and unreachable by other cloud admins
- Unapproved escalation of privileges for self or others
- Pattern of complaint from multiple other staff or volunteers
- Request by Wikimedia Foundation legal or security staff
- Compromised account (this will result in temporary removal of rights until the account is secured)