
Security review GraphQL
Closed, Declined (Public)

Description

Project Information

Description of the tool/project

GraphQL extension for MediaWiki. Enables a GraphQL endpoint which serves as a proxy for the Action API.

Description of how the tool will be used at WMF

Will be used to enable schema stitching for the GraphQL web service (https://graphql.wmflabs.org/). Since so much of the schema is determined by MediaWiki's config (and enabled extensions) there is not a mechanism to determine this configuration externally. To resolve this issue, each wiki will allow local queries, and the web service will allow global queries. See T209133

Dependencies

Has this project been reviewed before?

No

Working test environment

Ensure that the dependencies are installed. Then enable the extension. The endpoint should be available at /graphql or /wiki/Special:GraphQL (the latter is localized, which is why the former is needed).

Post-deployment

@dbarratt

Event Timeline

Hi David,

I don't really see much discussion, consensus, etc around this extension. Nor do I see any RFCs (obviously not necessarily a requirement). Before taking the time to review this extension, we would like some assurance that there is actual agreement to deploy it on Wikimedia servers.

> I don't really see much discussion, consensus, etc around this extension. Nor do I see any RFCs (obviously not necessarily a requirement). Before taking the time to review this extension, we would like some assurance that there is actual agreement to deploy it on Wikimedia servers.

Oh. Sorry. I'm new to this process so apologies if I'm doing something out of order.

I'm actually looking to get the extension deployed to beta in order to test that the GraphQL webservice will work well with schema stitching on a cluster of wikis with different configuration / extensions enabled.

How should I proceed? Is there a cluster of wikis set up other than beta?

Is the end goal to deploy in Wikimedia production eventually?

If the answer is no, it probably shouldn't be on beta, as that's kind of a stage in the deploy to production pipeline (as I understand it, someone from release engineering can correct me). Probably you'd need to set up your own cluster. However, check with release engineering to see how they feel about using beta for that purpose.

If the answer is eventually yes this will be in production - then I just need to see some buy-in politically. I just want to make sure that we don't do the review just to have politics make it a wasted effort. A statement from techcom would be ideal, but even just a +1 from somebody who works in the API space (e.g. Anomie) would be good enough for my purposes.

> Is the end goal to deploy in wikimedia production eventually?

Yes. If everything works (well) and there is interest in using in Production.

Sorry, but we're not going to review this unless there is definite interest in using production.

Please reopen once/if this has generated interest in using in production.