Documented admin permissions for adding maintainers and creating repos.

[dblock]

Description

A lightweight doc that explains how to effect maintainer permissions or create/adopt new repos in the org.

Note that I attempted to reference an internal Amazon wiki with a little 🔒 emoji, following the Artsy README style.

Issues Resolved

Closes #82.
Closes #79.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[dblock]

@nknize @anastead FYI

[saratvemulapalli]

Im not comfortable sharing internal wiki's.
But anyway, an alternative I believe would be better is to have an issue template in this repo which describes "the request for creating/moving a repo". This would be even field for all requestor's (Community or Amazonian's) and obviously admins can follow up.

[dblock]

What are your reasons for not being comfortable with sharing an internal link? This one is pretty vanilla IMO.

[saratvemulapalli]

Just exposing internal tools and their URLs. May be its just me :).

[scrawfor99]

Maybe we can make a generic note saying that there may be additional steps depending on organization affiliation. I am not concerned about exposing internal tools personally, but I would like to avoid as many Amazon specific references as we can. Does that sound like a reasonable alternative?

[peternied]

I am not concerned about this internal wiki link, as that URL does not disclose any interesting information and its documented that its 'restricted' access.

[dblock]

I think we all agree on a couple of things:

1. The link itself is not anything sensitive, and we must continue being careful about not disclosing any information that shouldn't be.
2. It's totally ok for a company to ask its employees to follow an additional process because if I leave my employer someone will have to inherit some of my commitments for me.

I like my idea of putting a link to a private wiki in open-source because it's "open-source first", and it has worked for me well in past life. I want employees at Amazon to be reading these open-source docs, then if they need to do something extra because the company asks them to, read something internal.

I would also, personally, be totally fine for another company with N+1 developers heavily involved in OpenSearch open-source (e.g. Aiven, cc: @reta) to put an internal link to their own wiki here.

I'm curious what @hyandell thinks.

[spotaws]

AWS managed open source projects should not include internal URLs. This includes wiki links.

[dblock]

I removed it. But thought I'd try, I still think it's a harmless idea.

[peternied]

I like this, thanks for documenting this parts to the 'what and why' of some of the Admin practices.

👍 adding the #maintainers slack channel - great place to start those discussions.

[nknize]

I like the transparency intent and motivation. Putting down my initial thoughts in a quick first round review.

[nknize]

Did we ever document why or how the individuals below were granted admin karma?

[dblock]

We did not. Originally this was (a very large) group that worked on setting up the GitHub org and systems during the fork. The list was reduced to people who maintain the support infrastructure (https://github.com/opensearch-project/opensearch-build, CI/CD). Is it worth adding? Is there another organizational README that states such history?

[dblock]

I added this:

These are individuals that worked on creating the OpenSearch fork, and those that currently support the organization-wide infrastructure, such as the public CI/CD.

[nknize]

I think we need to flesh this out a lot more. A move to more open governance with shared ownership should allow for non AWS members to be granted admin karma but we don't have anything formalized. Perhaps we can have @hyandell weigh in here on what is possible w/ outside collaborators vs AWS members of the opensearch-project github org.

[dblock]

These are all good future suggestions, but my intent here is to document current state.

[nknize]

What does "organizational best practices" mean? Do we have anything concrete here to offer?

[dblock]

This is existing text that just moved, I don't want to remove it or change it, but it's a good point.

[dblock]

I renamed "Organizational Best Practices" to "Organizational Practices" and said "Adopt organizational practices documented in this repo," to make it clear.

[nknize]

There currently isn't a public way for someone to "open a request" with the AWS Open Source Program Office. Is this even worth calling out? Or should we be more direct with something like the below rough draft:

The AWS Open Source Program Office (OSPO) currently controls and manages the opensearch-project github organization, and is the only group with permissions to create new repositories. Therefore there is no mechanism for community maintainers or collaborators that are not employed by Amazon to directly request the OSPO create a new repository on their behalf. If you are interested in donating a repository to the project, reach out to an AWS admin in the list above (or post on the OpenSearch Forum) your intent to donate a repository to the opensearch-project organization.

Then maybe we have a separate guide Interested in donating a project or repository to OpenSearch?

[dblock]

I say basically the same thing below and explain that beyond permissions there needs to be an Amazon team on-call for security.

All new repositories inside opensearch-project follow the security response process, and therefore require an Amazon team to be engaged when necessary. If you don't work for Amazon, and wish to create a repository in this organization, or move a repository into opensearch-project, please first discuss it in the #maintainers channel on the public Slack, and one of the above-mentioned admins will seek a team to support you.

Do you have specific suggestions to edit this text?

[spotaws]

I think it would be better for the opensearch maintainers to bring new repo requests to the AWS OSPO, rather than encouraging others to go directly, if that makes sense. 😁

[dblock]

I think for as long as OSPO creates repos, most definitely. My updated text version says this:

"All new repositories inside opensearch-project follow the security response process, and therefore require an Amazon team to be engaged when necessary. If you wish to create a repository in this organization, or move a repository into opensearch-project, please contact one of the above-mentioned admins via the #maintainers channel on the public Slack."

WDYT?

[anastead]

I am not able to access the security response link. Is it because it is an internal link? It may be good to elaborate more and provide transparency on what it takes to be compliant with security

[dblock]

It's a relative link in the content so it renders incorrectly in my copy-pasted comment. The complete URL is https://github.com/opensearch-project/.github/blob/main/SECURITY.md

[nknize]

/cc @ke4qqq @mikemccand @rbowen @spotaws for fresh eyes

[peternied]

I like the updates, this is a good step forward. To me the feedback in open conversations have been addressed or could be followed up in a separate PR.

[CEHENKLE]

So the place we generally get into sticky wickets with admins and projects is around the project settings page. We haven't defined what those best practices are, and so one frequent reason cited for needing admin rights is to change them.

I think it might be worth calling out something that says "if you're a maintainer and you want to change the settings there, open an issue in .github and tag the admin team, and they'll review the change and make it".

It's been on my personal backlog to figure out a way to script setting those settings so they get set up in a certain way at creation, so we're being intentional when we change them, but I haven't gotten around to it.

The other reason we get requests for admin rights is to be able to use zen hub. I think it's worth it to state explicitly that this is not a reason to grant admin rights. WDYT?

[dblock]

It's a good point, but for now I'd rather not introduce a new process of opening issues in .github. So far I've seen issues opened in their own repos for changes in that repo, rather than in .github.

[CEHENKLE]

I generally just get backchanneled. I've never seen a issue in a particular repo. Is that how we want folks to handle it? If so, let's put that there.

[dblock]

Let's wait for a few days for @nknize to review/dismiss his asks.

[peternied]

Doh, it would be great if we could reset the bake-time timer... maybe someone could make a PR while waiting ;)

[nknize]

I'll take a look again tomorrow. The folks I tagged have been on travel and I think it's worth getting their thoughts as well.

[dblock]

I'll take a look again tomorrow. The folks I tagged have been on travel and I think it's worth getting their thoughts as well.

Last change was 11 days ago, I'll merge this mid week if nobody objects. This PR just documents current state, there's no new process here.

Outdated feedback, no response.

[peternied]

@nknize I dismissed your review since there hasn't been any updates and the comments raised have responses from @dblock.

[dblock]

I rebased, which reset bake time. Merging.