Google Cloud Vision will be the initial label provider for Computer-Aided Tagging. We need to work with the SRE team to get Cloud Vision API credentials set up in the private puppet repo and available to the appservers.
The MachineVision extension uses the official PHP client library to communicate with the Google Cloud Vision API, and that library expects to find a GOOGLE_APPLICATION_CREDENTIALS environment variable set to the filesystem location of a JSON file containing the API credentials.
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | • Ramsey-WMF | T225964 [SDC] Build a depicts tag suggestion tool that is powered by machine vision platforms | |||
| Resolved | • Mholloway | T226119 Build middleware to utilize machine vision API for structured data on commons depicts tag suggestion tool | |||
| Resolved | • Mholloway | T227349 Deploy the MachineVision extension to production | |||
| Resolved | • Mholloway | T236797 How should the MachineVision extension interact with external APIs from production? | |||
| Resolved | • Mholloway | T236426 Configure Google Cloud Vision credentials in production |
Hi, the credentials file should be stored, as any secret that needs to be accessed by MediaWiki, within its private repository.
However, we only store php files (that will be thus interpreted by the application server) into that repository. A json file could potentially be reached via apache, and I don't want an apache RewriteRule to be the only line of defense for our credentials.
So the first question would be: is it possible to inject the credentials in the library in any other way?
If not, we'd need to evaluate options. I'm also not 100% sure that we have a handy way to define an environment variable outside of mediawiki-config, that should be done there.
@Joe Thanks, that's helpful. I found the private repo you're referring to, and the credentials can be included there as an associative array.
Change 549195 had a related patch set uploaded (by Mholloway; owner: Michael Holloway):
[mediawiki/extensions/MachineVision@master] Allow specifying API credentials as an associative array
Change 549200 had a related patch set uploaded (by Mholloway; owner: Michael Holloway):
[mediawiki/extensions/MachineVision@wmf/1.35.0-wmf.5] Allow specifying API credentials as an associative array
Change 549195 merged by jenkins-bot:
[mediawiki/extensions/MachineVision@master] Allow specifying API credentials as an associative array
Change 549200 merged by Mholloway:
[mediawiki/extensions/MachineVision@wmf/1.35.0-wmf.5] Allow specifying API credentials as an associative array
Mentioned in SAL (#wikimedia-operations) [2019-11-06T21:57:33Z] <mholloway-shell@deploy1001> Synchronized php-1.35.0-wmf.5/extensions/MachineVision: Allow specifying API credentials as an associative array (T236426) (duration: 01m 01s)
Mentioned in SAL (#wikimedia-operations) [2019-11-06T22:03:29Z] <mholloway-shell@deploy1001> Synchronized private/GoogleCloudVision.php: Configure Google Cloud Vision API credentials (1/2) (T236426) (duration: 00m 59s)
Mentioned in SAL (#wikimedia-operations) [2019-11-06T22:04:45Z] <mholloway-shell@deploy1001> Synchronized private/PrivateSettings.php: Configure Google Cloud Vision API credentials (2/2) (T236426) (duration: 00m 59s)