Tech:Access policy


Granting shell access (that is, access to one or more servers) to someone needs to be done with extreme caution. The more people who have shell access to (critical) servers, the greater the chance of human mistakes and compromised shell accounts. This page contains instructions for requesting shell access, and the policy for granting access.

Requesting access (new users)

This applies to people who do not have shell access yet. Once you have a valid reason for requesting shell access and have followed the instructions below, the members of the operations team will review your request and approve or deny it.

  • Ensure you have an account on GitHub and Phabricator (which requires a Miraheze account).
  • Log in to Phabricator, and fill in this form (do not forget to replace "[USERNAME]" with your username!). The form should contain the following information:
    • Miraheze Username
    • GitHub Username
    • Preferred shell username
    • A freshly generated 4096-bit RSA or ed25519 key pair, protected with a secure password.
      • Obviously you should only give us the public key; keep the private key private.
      • This key should not be used for non-Miraheze servers!
    • Description of the access you need. If you need sudo rights, please do not forget to include that as well.
    • The reason why you need shell access.
    • A verification that your Miraheze, GitHub and Phabricator accounts are owned by you. This can be accomplished by a) pasting the public key of your key pair on your Miraheze Meta userpage (or another page in your user namespace) and b) creating a GitHub repository with a file containing the public key (or committing your public key to an already existing repository).
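
The key requirements and the cross-account verification in the list above can be checked mechanically. The Python below is an added example, not Miraheze tooling or part of the original page: it assumes the key is submitted in OpenSSH public key format, and the function names and the sample keys built by make_sample are hypothetical.

```python
import base64

def _read_string(blob, offset):
    """Read one length-prefixed SSH wire string; return (value, next_offset)."""
    end = offset + 4 + int.from_bytes(blob[offset:offset + 4], "big")
    if offset + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def parse_public_key(line):
    """Parse an OpenSSH public key line into (key_type, bits, blob)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(fields[1], validate=True)
    inner, off = _read_string(blob, 0)
    if inner != fields[0].encode():
        raise ValueError("key type label does not match key blob")
    if fields[0] == "ssh-ed25519":
        if len(_read_string(blob, off)[0]) != 32:
            raise ValueError("malformed ed25519 key")
        return fields[0], 256, blob
    if fields[0] == "ssh-rsa":
        _exponent, off = _read_string(blob, off)
        modulus, _ = _read_string(blob, off)
        return fields[0], int.from_bytes(modulus, "big").bit_length(), blob
    raise ValueError("key type not allowed by the policy: " + fields[0])

def _same_key(line, blob):
    """True if the line holds the same key material; the comment is ignored."""
    try:
        return parse_public_key(line)[2] == blob
    except ValueError:
        return False

def check_request(submitted, published):
    """Return a list of problems; an empty list means the key passes."""
    try:
        key_type, bits, blob = parse_public_key(submitted)
    except ValueError as exc:
        return ["submitted key: %s" % exc]
    problems = []
    if key_type == "ssh-rsa" and bits < 4096:
        problems.append("RSA key is %d bits, policy asks for 4096" % bits)
    missing = [p for p, text in published.items()
               if not any(_same_key(l, blob) for l in text.splitlines())]
    return problems + ["public key not found on " + p for p in missing]

def make_sample(key_type, *parts):  # constructed, non-functional demo key
    raw = b"".join(len(p).to_bytes(4, "big") + p for p in (key_type.encode(), *parts))
    return "%s %s constructed-sample" % (key_type, base64.b64encode(raw).decode())
```

Here `published` maps a location name (for example the Meta userpage or the GitHub file) to the text fetched from it. Keys are compared on the decoded blob, so a differing trailing comment does not cause a mismatch.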

Expanding current shell access

If you already have a shell account and want extra privileges (or access to more servers) after this process has been completed, you need to:

  • Log in to Phabricator and make a new request using this layout, including in the request:
    • Why you need extra access and what benefit this would provide to either Miraheze or yourself (in respect to productivity);
    • What access you specifically need (log viewing, service interaction, ability to deploy changes).