Page MenuHomePhabricator

Configure Google Cloud Vision credentials in production
Closed, ResolvedPublic

Description

Google Cloud Vision will be the initial label provider for Computer-Aided Tagging. We need to work with the SRE team to get Cloud Vision API credentials set up in the private puppet repo and available to the appservers.

The MachineVision extension uses the official PHP client library to communicate with the Google Cloud Vision API, and that library expects to find a GOOGLE_APPLICATION_CREDENTIALS environment variable set to the filesystem location of a JSON file containing the API credentials.

Details

Related Gerrit Patches:
mediawiki/extensions/MachineVision : wmf/1.35.0-wmf.5Allow specifying API credentials as an associative array
mediawiki/extensions/MachineVision : masterAllow specifying API credentials as an associative array

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptThu, Oct 24, 6:46 PM
Mholloway triaged this task as High priority.Thu, Oct 24, 6:46 PM
Mholloway updated the task description. (Show Details)
Mholloway updated the task description. (Show Details)Tue, Oct 29, 2:47 PM
Mholloway added a project: serviceops.
Joe added a subscriber: Joe.Wed, Nov 6, 5:39 PM

Hi, the credentials file should be stored, as any secret that needs to be accessed by MediaWiki, within its private repository.

However, we only store php files (that will be thus interpreted by the application server) into that repository. A json file could potentially be reached via apache, and I don't want an apache RewriteRule to be the only line of defense for our credentials.

So the first question would be: is it possible to inject the credentials in the library in any other way?

If not, we'd need to evaluate options. I'm also not 100% sure that we have a handy way to define an environment variable outside of mediawiki-config, that should be done there.

@Joe Thanks, that's helpful. I found the private repo you're referring to, and the credentials can be included there as an associative array.

Change 549195 had a related patch set uploaded (by Mholloway; owner: Michael Holloway):
[mediawiki/extensions/MachineVision@master] Allow specifying API credentials as an associative array

https://gerrit.wikimedia.org/r/549195

Change 549200 had a related patch set uploaded (by Mholloway; owner: Michael Holloway):
[mediawiki/extensions/MachineVision@wmf/1.35.0-wmf.5] Allow specifying API credentials as an associative array

https://gerrit.wikimedia.org/r/549200

Change 549195 merged by jenkins-bot:
[mediawiki/extensions/MachineVision@master] Allow specifying API credentials as an associative array

https://gerrit.wikimedia.org/r/549195

Change 549200 merged by Mholloway:
[mediawiki/extensions/MachineVision@wmf/1.35.0-wmf.5] Allow specifying API credentials as an associative array

https://gerrit.wikimedia.org/r/549200

Mentioned in SAL (#wikimedia-operations) [2019-11-06T21:57:33Z] <mholloway-shell@deploy1001> Synchronized php-1.35.0-wmf.5/extensions/MachineVision: Allow specifying API credentials as an associative array (T236426) (duration: 01m 01s)

Mentioned in SAL (#wikimedia-operations) [2019-11-06T22:03:29Z] <mholloway-shell@deploy1001> Synchronized private/GoogleCloudVision.php: Configure Google Cloud Vision API credentials (1/2) (T236426) (duration: 00m 59s)

Mentioned in SAL (#wikimedia-operations) [2019-11-06T22:04:45Z] <mholloway-shell@deploy1001> Synchronized private/PrivateSettings.php: Configure Google Cloud Vision API credentials (2/2) (T236426) (duration: 00m 59s)

Mholloway closed this task as Resolved.Fri, Nov 8, 2:03 PM