Wikimedia services policy/ja

この文書では、実装ガイドラインではなく、原則 (例: アプリケーションは監視可能にして、適切なメトリックを公開する必要がある) を扱います. この文書に列挙されている原則を技術用語でどのように適用するかを詳しく説明するために、実用的な実装ガイドラインが作成されます (例: アプリケーションは、正確な命名規則を使用して、 エンドポイントからの RED メトリックを prometheus 形式で公開する必要がある). 2 つの部分を分割する理由は、原則が時間の経過とともに大きく変化することは期待しないものの、実装ガイドラインが技術の進化によりさらに迅速に変化することを期待しているためです.

新しいサービスの開発と使用サイクルにはさまざまな側面があり、エコシステムの複雑さが維持できなくなるのを防ぐために、それらのいくつかを可能な限り標準化する必要があります. 一般に、非モノリシック アーキテクチャの採用にはコストがかかり、さまざまなアプリケーションの相互運用の必要性と開発方法に関する標準が維持されていない限りコストがかかります.

考慮に入れる必要があるサービスの開発のいくつかの側面があります:


 * 開発のポリシー
 * セキュリティ/プライバシー要件
 * 本番環境への展開

以下のいくつかの節では、新しいサービスがこれらの各カテゴリで満たさなければならない要件を分析します:

開発のポリシー
Everything we develop should be free, open to collaboration and useful in itself. So, a new service must:


 * Actually do something
 * Be created only if there is no well crafted, well maintained, architecturally compatible FLOSS software that provides comparable functionality that can be adopted and improved/modified if needed.
 * Avoid needlessly duplicating features or functionality provided in other services
 * Be licensed under an OSI-approved license
 * Provide a configuration mechanism that does not involve changing the distributed code
 * Use a language and toolset that have been approved by TechCom

While some of our services will be only useful in the WMF context, in other cases the standalone service is intended to be distributed for general use. In that case, it must have the following properties:


 * Have a documented installation and uninstallation process that conform to our implementation guidelines
 * Have a documented upgrade process that conform with our implementation guidelines
 * Be versioned using semver
 * Indicate versions of MediaWiki with which it's compatible
 * Provide a mechanism by which support (community or otherwise) can be requested
 * Provide a mechanism by which patches can be proposed
 * Provide a mechanism by which public security advisories are issued

セキュリティとプライバシー
All features implemented as standalone services must have the following properties:


 * Minimize data collection for any type of PII
 * Be compliant with the WMF privacy/data retention policies.
 * Implement privacy controls that are at least equivalent to those of any calling service. For example, if the privacy controls of the calling service specify that IP addresses will not be stored for more than 90 days, the external service may not store IP addresses for longer than that time.
 * Have a privacy policy and privacy practices that are compatible with the WMF/Wikimedia properties
 * Have passed a Security review
 * Have resources allocated so that a prompt response to any security incident is possible

本番環境への展開
If the standalone service is intended to be used in the Wikimedia production environment, it should comply with the guidelines above, and in addition must


 * Be deployable with standard WMF tooling (as specified in the implementation guidelines).
 * Have an owner, and a plan for on-going maintenance. If the owner of a service is missing (because the team is disbanded/has a different focus), a new owner must be found via the code stewardship process
 * Have logging that conforms to the WMF standards - specified in the service implementation guidelines
 * Be able to collect and expose operational metrics according to the current WMF standards specified in the implementation guidelines.
 * Have a runbook for operational purposes.
 * Support a multi-datacenter active-active (or active-passive) deployment.


 * Service Level Indicators must be defined for the service, and Service Level Objectives should be agreed upon. Failure to meet said service level objectives SHOULD result action to bring the service back into operational agreed upon Service Level Objectives. The Service Level Objectives can of course be reevaluated and changed, but preferably not as a result of a violation but rather an informed process.
 * Have pinned / pinnable dependencies that don't need to be downloaded at runtime and/or from untrusted source.
 * Have backups and a restoration/emergency plan (if the service stores any data).
 * Have users, or a plan to acquire users

サービス間のやり取り
Services will likely interact with each other; if that is the case, measures must be taken not to make the whole system dependent on the failure of a single component. Also, increased observability in the flow of requests is needed. So any new service that needs to be deployed in production should:


 * Degrade gracefully its functionality if it can't access another service. If that's not possible, maybe the new service should be logically tied to the other. An exception is explicitly made for the MediaWiki API, given quite a few services might depend on its availability to be useful.
 * Be able to perform requests to a specific hostname/ip provided via configuration.
 * Be able to use infrastructure middleware for inter service communication functionalities including, but not limited to, encryption and circuit-breaking. Alternatively, the service SHOULD implement those functionalities internally.
 * Add the appropriate tracing headers to the request, according to the WMF standards specified in the implementation guidelines.
 * Log actions via the production logging facilities.

メタ
This policy was established in March 2019 by RFC T208524.