Page MenuHomePhabricator

Cloud admin for Majavah
Closed, ResolvedPublic


@aborrero thinks I should be a "cloud admin" and "cloud-wide root" (as defined by This would let me run Cumin commands on all projects and make myself a member of any project, which would be let me work on cloud vps infrastructure services spread accross various service projects. I meet the policy-mandated requirements as I already am a project admin on Toolforge.

Event Timeline

aborrero moved this task from Inbox to Needs discussion on the cloud-services-team (Kanban) board.

If nobody opposes, this request can be executed starting 2021-10-15.

taavi signed these changes with MFA.Oct 13 2021, 1:46 PM

I generated a new SSH key (with a strong passphraise and other relevant security practices) that can be used as a cloud-wide root key:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOH8BG56Gh6c9ggaMGP04R9xY/bf06HFdT0ThkvN/jC taavi wmcs-wide root key

This was agreed to in the 2021-10-13 meeting. Congrats and well deserved! Thank you for all the work you do in helping make our platforms and services better!

Change 731796 had a related patch set uploaded (by Andrew Bogott; author: Andrew Bogott):

[labs/private@master] Add taavi/majavah root key

Change 731796 merged by Andrew Bogott:

[labs/private@master] Add taavi/majavah root key

Andrew claimed this task.
Andrew added a subscriber: Andrew.

@Majavah , I've merged your root key and granted you the 'admin' role both in the 'admin' project and in the default domain.

It's probably worth confirming that your root key works in a half hour or so. The new openstack roles will make Horizon look funny (it'll show more options and features, some of them broken) but shouldn't restrict anything you could do before.

Mentioned in SAL (#wikimedia-cloud) [2021-10-18T18:58:24Z] <andrewbogott> granting majavah 'admin' role in the 'admin' project and also in the default domain. T292827

Mentioned in SAL (#wikimedia-cloud) [2021-10-18T19:21:22Z] <andrewbogott> also ticked the 'admin' box on wikitech for majavah T292827

It's probably worth confirming that your root key works in a half hour or so.

Confirmed that I can ssh to any VM I tried as root. Thanks!