Hydra Accounts
Anybody can create a Hydra account by signing in with Google. Hydra will create your account automatically when you sign in.
If you use a privacy blocker like uBlock Origin, you will need to disable the extension while logging in. You can re-enable it after.
- Click Sign In
- Then click Sign in with Google
Your account is now created. If you need additional roles, ask in #infra:nixos.org or open a ticket on this repository. See Deciding on Roles.
Note: we strongly prefer users register with a Google account. Creating a Hydra account through this method is labor-intensive and does not provide self-service account management tools.
We will only create an account like this for people who don't have a Google account and who also have a responsibility which requires it. For example, we may create a local account for release managers without any Google account.
- Your account name; preferably, this should match your maintainers.nix account name.
- Your full name
- Your email address
- The admin will coordinate on how to configure the password.
- Please communicate these over a secure channel of your choosing to the admin.
- Verify all credentials the user has provided using a second secure channel.
- Identify the roles appropriate for the user. See Deciding on Roles.
- Create the hydra user, granting them roles corresponding to a well-known, regular contributor:
  hydra-create-user "$account_name" --type hydra --full-name "$full_name" --email-address "$email_address" --password-hash "$hashed_password" --role restart-jobs --role cancel-build
Users should receive as few privileges as possible to accomplish their task. Sometimes, users will have their roles revoked after their access is no longer needed.
A full list of roles is in the Hydra source code at: https://github.com/NixOS/hydra/blob/2d79b0a4da9e2a8ff97c1173aa56fe92e1f4629b/src/root/user.tt#L89-L94
Note: You may need to view a more recent revision of the repository, looking for a similar bit of code.
Some of these roles are more sensitive than others. The following roles are in an increasing order of sensitivity:
- restart-jobs (low risk) - The user can instruct Hydra to build a failed job again.
- cancel-build (low risk) - The user can cancel a queued or running job.
- eval-jobset (low risk) - The user can trigger an evaluation for a jobset.
- bump-to-front (medium risk) - The user can increase the priority of a job or jobs using "Bump to Front".
- create-projects (high risk) - The user can create new projects and jobsets.
- admin (very high risk) - The user can do anything.
- A regular contributor who is still new may receive restart-jobs.
- A well-known, regular contributor or package set maintainer may receive restart-jobs, cancel-build and eval-jobset.
- A release manager may receive restart-jobs, cancel-build, and bump-to-front.
- A well-known member of the NixOS security team may receive restart-jobs, cancel-build, and bump-to-front.
- A long-term contributor who is well known by the Infrastructure team might receive create-projects.
- Only members of the NixOS Infrastructure Team may receive admin.
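
The role guidance above can be checked mechanically when reviewing who still needs access. The sketch below is an added example, not code from this repository or from Hydra: it flags every role a user holds beyond what their category may receive, with the role's risk level. The category labels, the one-line-per-user input format and the sample accounts are constructed assumptions, and the long-term-contributor set assumes those users keep the regular-contributor roles.

```sh
# Roles each contributor category may hold, taken from the role guidance above.
allowed_roles() {
    case "$1" in
        new-contributor)       echo "restart-jobs" ;;
        regular-contributor)   echo "restart-jobs cancel-build eval-jobset" ;;
        release-manager|security-team)
                               echo "restart-jobs cancel-build bump-to-front" ;;
        # Assumption: long-term contributors keep the regular-contributor roles.
        long-term-contributor) echo "restart-jobs cancel-build eval-jobset create-projects" ;;
        infra-team)            echo "restart-jobs cancel-build eval-jobset bump-to-front create-projects admin" ;;
        *)                     echo "" ;;   # unknown category: nothing is allowed
    esac
}

# Sensitivity of a role, as listed in the role descriptions above.
role_risk() {
    case "$1" in
        restart-jobs|cancel-build|eval-jobset) echo "low" ;;
        bump-to-front)   echo "medium" ;;
        create-projects) echo "high" ;;
        admin)           echo "very-high" ;;
        *)               echo "unknown" ;;   # role not described on this page
    esac
}

# Print "user role risk" for every role beyond the category's allowance.
# Input on stdin: "user category role1,role2,..." per line; '#' lines are skipped.
audit() {
    while read -r user category roles; do
        case "$user" in ''|'#'*) continue ;; esac
        allowed=" $(allowed_roles "$category") "
        for role in $(printf '%s' "$roles" | tr ',' ' '); do
            case "$allowed" in
                *" $role "*) ;;   # permitted for this category
                *) printf '%s %s %s\n' "$user" "$role" "$(role_risk "$role")" ;;
            esac
        done
    done
}

# Constructed sample data, not real Hydra accounts.
sample_users() {
    cat <<'EOF'
# user category roles
alice new-contributor restart-jobs
bob regular-contributor restart-jobs,cancel-build,bump-to-front
carol release-manager restart-jobs,cancel-build,bump-to-front,admin
dave former-maintainer restart-jobs
EOF
}

sample_users | audit
```

A user whose category is not recognised, such as someone whose responsibility has ended, has every remaining role reported, which makes them candidates for revocation.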