Page MenuHomePhabricator
Create Task
Maniphest T285098

Production A/B test deployment - Improved Property Suggester/Recommender
Open, Needs TriagePublic
Actions

Description

We would like to perform an A/B test to determine the success of the new suggester / recommender using a service deployed on Cloud VPS.
The service would be called from an existing and deployed MediaWiki extension (PropertySuggester). Effectively replacing a manually maintained SQL database there with calls to this service.
If the test is successful and the A/B test shows that we should use the new recommender we would then stop calling the Cloud VPS instance, and go through the full process of a production deploy of the service.

There is a precedent for calling external (not hosted in WMF production) services from WMF production / MediaWiki in specific cases.
Per https://wikitech.wikimedia.org/wiki/Cross-Realm_traffic_guidelines#Case_3:_generic_network_access_prod_--%3E_cloud in principle this network access is allowed, and this page outlines how it should be done.
However this may still need some other signoff by someone?

Request & Data

Neither payload, request or response, contain any remotely worrying / possible user focused data.
Responses are generated from publicly dumped data, and requests are essentially lists of property and item IDs.

The request from the MediaWiki extension to the service looks something like this:

$response = MediaWikiServices::getInstance()->getHttpRequestFactory()->post(
			$this->schemaTreeSuggesterUrl,
			[
				'postData' => json_encode( [
					'Properties' => $properties,
					'Types' => $types
				] ),
				'timeout' => 1
			],
			__METHOD__
		);

And the data would look something like this:

{
  "properties": [
    "P1"
    "P2452",
    "P3513551"
  ],
  "types": [
    "Q13",
    "Q245125",
    "Q1314"
  ]
}

Stability & Reliability considerations

If the request to the service times out (1 second) or fails, the old behaviour will be used as a fallback (using the SQL DB)
So even if cloud VPS etc is inaccessible users should not be impacted.
Calls to the service can easily be turned off with a single MediaWiki config variable change.

Generally requests from the new services are handled in < 200 ms

  • Traffic & Scope**

The A/B test covers some of the functionality provided by the wbsgetsuggestions API
Generally in Wikidata production there are 0.5 -> 1.5 requests per second to the wbsgetsuggestions API
This service would be receiving roughly 50% of those, so 0.25-0.75 requests per second
The API traffic involved in the test can be seen at https://grafana.wikimedia.org/d/000000559/api-requests-breakdown?orgId=1&refresh=5m&var-metric=p50&var-module=wbsgetsuggestions

Checklists

From that page:

  • the VM instance uses a web proxy created in horizon.
  • if only production is intended to consume the service, neutron security groups should be used to firewall the access.

This is meant to serve as a mostly complete checklist for getting this A/B test to production via the agreed path, & will be completed jointly by marta & WMDE.

Steps / Timeline / Order to Production:

Config

Default values from the extension:

$wgPropertySuggesterSchemaTreeUrl = '';
$wgPropertySuggesterABTestingState = false;
$wgPropertySuggesterDefaultSuggester = 'PropertySuggester';
$wgPropertySuggesterTestingRatio = '2';
$wgPropertySuggesterPropertyBaseUrl = '';
$wgPropertySuggesterTypesBaseUrl = '';

When PropertySuggester is set to read from the new service but no EventLogging / A/B testing is to happen, the config should look like:

TBA

When PropertySuggester is set to perform the A/B test (once Event Logging is ready) the config should look like:

TBA

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Add config for the updated PropertySuggester for test Wikidataoperations/mediawiki-configmaster+8 -0
Fix an incorrect EventLogging stream name client-sidemediawiki/extensions/PropertySuggestermaster+1 -1
Added the PropertySuggester event logging to InitialiseSettings-labs.phpoperations/mediawiki-configmaster+23 -1
Add michaelcochez to whitelist usersintegration/configmaster+2 -1
Set deprecated and classifying IDs for the SchemaTreeSuggestermediawiki/extensions/PropertySuggestermaster+7 -3
Adjust the SchemaTreeSuggester to not require URL prefixesmediawiki/extensions/PropertySuggestermaster+11 -50
Add config for updated PropertySuggester beta clusteroperations/mediawiki-configmaster+6 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
Addshore updated the task description. (Show Details)Jul 20 2021, 12:15 PM
Addshore updated the task description. (Show Details)
Addshore updated the task description. (Show Details)Jul 20 2021, 12:18 PM
Addshore updated the task description. (Show Details)
gerritbot added a comment.Jul 20 2021, 4:05 PM

Change 705713 had a related patch set uploaded (by Martaannaj; author: Martaannaj):

[mediawiki/extensions/PropertySuggester@master] Adjust the SchemaTreeSuggester to not require URL prefixes

https://gerrit.wikimedia.org/r/705713

gerritbot added a project: Patch-For-Review.Jul 20 2021, 4:05 PM
Addshore updated the task description. (Show Details)Jul 20 2021, 4:13 PM
Addshore updated the task description. (Show Details)
gerritbot added a comment.Jul 21 2021, 12:15 PM

Change 705713 merged by jenkins-bot:

[mediawiki/extensions/PropertySuggester@master] Adjust the SchemaTreeSuggester to not require URL prefixes

https://gerrit.wikimedia.org/r/705713

Martaannaj mentioned this in rEPSfbae15c3149f: Adjust the SchemaTreeSuggester to not require URL prefixes.Jul 21 2021, 12:16 PM
ReleaseTaggerBot added a project: MW-1.37-notes (1.37.0-wmf.16; 2021-07-26).Jul 21 2021, 1:00 PM
Maintenance_bot removed a project: Patch-For-Review.Jul 21 2021, 1:10 PM
gerritbot added a comment.Jul 22 2021, 9:02 AM

Change 706326 had a related patch set uploaded (by Martaannaj; author: Martaannaj):

[mediawiki/extensions/PropertySuggester@master] Set deprecated and classifying IDs for the SchemaTreeSuggester

https://gerrit.wikimedia.org/r/706326

gerritbot added a project: Patch-For-Review.Jul 22 2021, 9:02 AM
Martaannaj updated the task description. (Show Details)Jul 22 2021, 9:04 AM
gerritbot added a comment.Jul 22 2021, 10:11 AM

Change 706326 merged by jenkins-bot:

[mediawiki/extensions/PropertySuggester@master] Set deprecated and classifying IDs for the SchemaTreeSuggester

https://gerrit.wikimedia.org/r/706326

Martaannaj mentioned this in rEPSb55db8674d9a: Set deprecated and classifying IDs for the SchemaTreeSuggester.Jul 22 2021, 10:12 AM
Maintenance_bot removed a project: Patch-For-Review.Jul 22 2021, 11:10 AM
Martaannaj updated the task description. (Show Details)Jul 22 2021, 11:21 AM
Addshore updated the task description. (Show Details)Jul 26 2021, 12:16 PM

Hi @Martaannaj

As long as everything looks good for you on beta we can probably prepare the config patch for test.wikidata this week and get it deployed toward the end of this week.
Is there anything missing for you?

Martaannaj added a comment.Jul 26 2021, 1:13 PM

@Addshore

It would still be required to test the event logging on beta right? And for that I believe that the schemas still need to be merged. If that gets done then I can make another patch for deploying the event logging streams to mediawiki-config. After that there should be nothing missing in order to proceed with test.wikidata.

Addshore updated the task description. (Show Details)Jul 27 2021, 6:57 AM
Addshore added a comment.Jul 28 2021, 9:08 AM
In T285098#7236140, @Martaannaj wrote:

@Addshore

It would still be required to test the event logging on beta right? And for that I believe that the schemas still need to be merged. If that gets done then I can make another patch for deploying the event logging streams to mediawiki-config. After that there should be nothing missing in order to proceed with test.wikidata.

This is now merged, let us know how testing goes or if you get stuck with anything!

Addshore closed subtask T284820: Code Review & Merge - Improved Property Suggester/Recommender service patches as Resolved.Jul 28 2021, 10:45 AM
Martaannaj added a comment.Jul 28 2021, 2:19 PM
In T285098#7242437, @Addshore wrote:
In T285098#7236140, @Martaannaj wrote:

@Addshore

It would still be required to test the event logging on beta right? And for that I believe that the schemas still need to be merged. If that gets done then I can make another patch for deploying the event logging streams to mediawiki-config. After that there should be nothing missing in order to proceed with test.wikidata.

This is now merged, let us know how testing goes or if you get stuck with anything!

Okay, great!
I'm looking at the guidelines for checking the event logging in beta and it seems that to do that I should be able to ssh into the deployment-eventlog05.eqiad1.wikimedia.cloud, however, I do not believe that I have the access. Is this something that can be granted?

Michaelcochez added a comment.Jul 28 2021, 7:53 PM

We (@Michaelcochez and @Martaannaj ) should have access now. We still have to figure out where the events are logged. The /srv/log/eventlogging directory were logging should happen according to TestingOnBetaCluster seems empty.

Michaelcochez added a comment.Jul 28 2021, 9:17 PM

Turned out the instructions which we had found before are outdated (now marked as deprecated). New ones are here: https://wikitech.wikimedia.org/wiki/Event_Platform/Instrumentation_How_To#Deployment
Accordingly, I created a patch to get our streams activated. https://gerrit.wikimedia.org/r/c/operations/mediawiki-config/+/708592
At the moment, they are only in the -labs configuration. After making sure that works, we can move the configuration to main config and get it merged during a backport window.

Michaelcochez added a subtask: T287641: Review wd_propertysuggester event logging stream config.Jul 28 2021, 9:44 PM
gerritbot added a comment.Jul 29 2021, 7:03 AM

Change 708714 had a related patch set uploaded (by Martaannaj; author: Martaannaj):

[mediawiki/extensions/PropertySuggester@master] Fix an incorrect EventLogging stream name client-side

https://gerrit.wikimedia.org/r/708714

gerritbot added a project: Patch-For-Review.Jul 29 2021, 7:03 AM
gerritbot added a comment.Jul 29 2021, 8:00 AM

Change 708592 had a related patch set uploaded (by Michaelcochez; author: Michaelcochez):

[operations/mediawiki-config@master] Added the PropertySuggester event logging to InitialiseSettings-labs.php

https://gerrit.wikimedia.org/r/708592

gerritbot added a comment.Jul 29 2021, 1:18 PM

Change 708764 had a related patch set uploaded (by Addshore; author: Addshore):

[integration/config@master] Add michaelcochez to whitelist users

https://gerrit.wikimedia.org/r/708764

gerritbot added a comment.Jul 29 2021, 1:21 PM

Change 708764 merged by jenkins-bot:

[integration/config@master] Add michaelcochez to whitelist users

https://gerrit.wikimedia.org/r/708764

gerritbot added a comment.Jul 29 2021, 1:43 PM

Change 708592 merged by Ottomata:

[operations/mediawiki-config@master] Added the PropertySuggester event logging to InitialiseSettings-labs.php

https://gerrit.wikimedia.org/r/708592

Addshore updated the task description. (Show Details)Jul 30 2021, 2:25 PM
gerritbot added a comment.Jul 30 2021, 2:45 PM

Change 708714 merged by jenkins-bot:

[mediawiki/extensions/PropertySuggester@master] Fix an incorrect EventLogging stream name client-side

https://gerrit.wikimedia.org/r/708714

Martaannaj mentioned this in rEPS8ee714fe0db3: Fix an incorrect EventLogging stream name client-side.Jul 30 2021, 2:53 PM
ReleaseTaggerBot edited projects, added MW-1.37-notes (1.37.0-wmf.17; 2021-08-02); removed MW-1.37-notes (1.37.0-wmf.16; 2021-07-26).Jul 30 2021, 3:00 PM
Addshore added a subscriber: Ottomata.Jul 30 2021, 3:12 PM

While trying to test event logging on beta we couldnt see anything using this tool https://stream-beta.wmflabs.org/v2/ui/#/
So we made a bug T287760: stream-beta.wmflabs.org seems broken (can't see my mediawiki-create events) or anything else

We had a look in kafka and couldnt find any of the topics

addshore@deployment-kafka-jumbo-2:/$ kafkacat -L -b deployment-kafka-jumbo-2.deployment-prep.eqiad1.wikimedia.cloud | grep propertysuggester

we had a look in mediawiki logs and saw the server side things working

addshore@deployment-mwlog01:/srv/mw-log$ tail -f EventBus.log
2021-07-30 14:53:00 [YQQSS5TpG-VtzLzPtnfaKwAAAA0] deployment-mediawiki11 wikidatawiki 1.37.0-alpha EventBus DEBUG: Using destination_event_service eventgate-analytics-external for stream wd_propertysuggester.server_side_property_request.
2021-07-30 14:53:05 [YQQSUZTpG-VtzLzPtnfaNAAAAA8] deployment-mediawiki11 wikidatawiki 1.37.0-alpha EventBus DEBUG: Using destination_event_service eventgate-analytics-external for stream wd_propertysuggester.server_side_property_request.
2021-07-30 14:53:07 [YQQSUpTpG-VtzLzPtnfaOQAAAAk] deployment-mediawiki11 wikidatawiki 1.37.0-alpha EventBus DEBUG: Using destination_event_service eventgate-analytics-external for stream wd_propertysuggester.server_side_property_request.
2021-07-30 14:53:19 [YQQSX5TpG-VtzLzPtnfaUwAAABM] deployment-mediawiki11 wikidatawiki 1.37.0-alpha EventBus DEBUG: Using destination_event_service eventgate-analytics-external for stream wd_propertysuggester.server_side_property_request.
2021-07-30 14:53:20 [YQQSYJTpG-VtzLzPtnfaYAAAABY] deployment-mediawiki11 wikidatawiki 1.37.0-alpha EventBus DEBUG: Using destination_event_service eventgate-analytics-external for stream wd_propertysuggester.server_side_property_request.
2021-07-30 14:53:22 [YQQSYpTpG-VtzLzPtnfaawAAAA4] deployment-mediawiki11 wikidatawiki 1.37.0-alpha EventBus DEBUG: Using destination_event_service eventgate-analytics-external for stream wd_propertysuggester.server_side_property_request.
2021-07-30 14:53:23 [YQQSY5TpG-VtzLzPtnfacwAAAAg] deployment-mediawiki11 wikidatawiki 1.37.0-alpha EventBus DEBUG: Using destination_event_service eventgate-analytics-external for stream wd_propertysuggester.server_side_property_request.
2021-07-30 14:53:25 [YQQSZJTpG-VtzLzPtnfadQAAAAQ] deployment-mediawiki11 wikidatawiki 1.37.0-alpha EventBus DEBUG: Using destination_event_service eventgate-analytics-external for stream wd_propertysuggester.server_side_property_request.
2021-07-30 14:53:26 [YQQSZpTpG-VtzLzPtnfaeAAAAAg] deployment-mediawiki11 wikidatawiki 1.37.0-alpha EventBus DEBUG: Using destination_event_service eventgate-analytics-external for stream wd_propertysuggester.server_side_property_request.
2021-07-30 14:53:27 [YQQSZ5TpG-VtzLzPtnfaewAAAAg] deployment-mediawiki11 wikidatawiki 1.37.0-alpha EventBus DEBUG: Using destination_event_service eventgate-analytics-external for stream wd_propertysuggester.server_side_property_request.
2021-07-30 14:53:28 [YQQSaJTpG-VtzLzPtnfafwAAAAg] deployment-mediawiki11 wikidatawiki 1.37.0-alpha EventBus DEBUG: Using destination_event_service eventgate-analytics-external for stream wd_propertysuggester.server_side_property_request.

We could also see in the JS console some of the client side event working

{$schema: "/analytics/mediawiki/wd_propertysuggester/client_side_property_request/1.0.0",…}
$schema: "/analytics/mediawiki/wd_propertysuggester/client_side_property_request/1.0.0"
dt: "2021-07-30T15:11:34.089Z"
entity_id: "Q393194"
event_id: "162765789408917eb23f8"
meta: {stream: "wd_propertysuggester.client_side_property_request", domain: "wikidata.beta.wmflabs.org"}
num_characters: 2
session_id: "YQQT2X7pLd-EyzjN7IWIAAAAAFI"
user_id: "17eb23f8"

But still nothing in kafka

@Ottomata any thoughts?

Michaelcochez added a comment.EditedJul 30 2021, 9:06 PM

With much appreciated help from @Ottomata , we got to see some events using kafkacat on deployment-kafka-jumbo-2 now. To check whether the events are correctly generated, this seems sufficient.
One thing which got done on the way is including the config of these streams from this patch https://gerrit.wikimedia.org/r/c/operations/mediawiki-config/+/708592 into the main config.

To see the events:
ssh deployment-kafka-jumbo-2.deployment-prep.eqiad1.wikimedia.cloud
then for the client events:
kafkacat -C -b deployment-kafka-jumbo-2.deployment-prep.eqiad1.wikimedia.cloud -t eqiad.wd_propertysuggester.client_side_property_request
and for the server events:
kafkacat -C -b deployment-kafka-jumbo-2.deployment-prep.eqiad1.wikimedia.cloud -t eqiad.wd_propertysuggester.server_side_property_request

Remarks:

  • It is not clear whether these events are send if the do-not-track of a browser is enabled.
  • It takes a bit of time (seconds) for the events to show up. (it seems there is a bit of delay sending these on the client side and probably a small delay in kafka)
  • On the stream we should/might also see some canary events. These are 'heartbeat events' to make sure the stream is still active. (I haven't noticed them yet, maybe they are infrequent)
  • The events do not always arrive in order, check the timestamp

Now, the events also show up on https://stream-beta.wmflabs.org/v2/ui/#/?streams=wd_propertysuggester.client_side_property_request,wd_propertysuggester.server_side_property_request

Michaelcochez added a subtask: T287797: request_duration_ms is -1 in A/B testing when the request goes to the PropertySuggester.Jul 30 2021, 11:34 PM
Martaannaj updated the task description. (Show Details)Jul 31 2021, 8:20 AM
Michaelcochez closed subtask T287797: request_duration_ms is -1 in A/B testing when the request goes to the PropertySuggester as Resolved.Jul 31 2021, 9:58 AM
Michaelcochez updated the task description. (Show Details)Aug 1 2021, 10:00 PM
Addshore updated the task description. (Show Details)Aug 2 2021, 10:43 AM

@Martaannaj If all things look good on beta with the testing of events then I think we can move forward with the config changes for test.wikidata this week!

Ladsgroup subscribed.Aug 4 2021, 7:01 AM

As the unstaller this week. What can I do to move this forward?

Addshore updated the task description. (Show Details)Aug 4 2021, 9:31 AM
Addshore updated the task description. (Show Details)
Addshore added a comment.Aug 4 2021, 9:33 AM

Everything looks good on beta, so the next step is @Martaannaj to write the code patches for this for testwikidatawiki!

Addshore updated the task description. (Show Details)Aug 4 2021, 9:34 AM
gerritbot added a comment.Aug 4 2021, 10:07 AM

Change 709991 had a related patch set uploaded (by Martaannaj; author: Martaannaj):

[operations/mediawiki-config@master] Add config for the updated PropertySuggester for test Wikidata

https://gerrit.wikimedia.org/r/709991

Addshore updated the task description. (Show Details)Aug 4 2021, 2:45 PM
Addshore updated the task description. (Show Details)
Addshore updated the task description. (Show Details)Aug 4 2021, 2:56 PM
Addshore updated the task description. (Show Details)Aug 4 2021, 3:54 PM
Joe subscribed.Aug 5 2021, 8:13 AM

Given my opposition to the plan as proposed in this task, I've been asked to explain it in more detail here.

First of all, I want to say that IMHO things would have gone smoother if you asked SRE for an opinion about the plan before it was put in motion. Keep this in mind for the future.

Having said that, we don't usually allow any request to flow from production services to services running in WMCS for a few good reasons, regarding reliability, privacy, and security. I don't think we've ever made an exception to this rule, and I don't think we should make one in this case - but this is my own personal opinion.

I would be interested in seeing if we can have a path forward that allows you to get what you want with minimum effort while deploying in production.

I would say that a security review cannot be skipped even if you're running the code from WMCS - as it's involved in serving production traffic. The other things standing in your way are a production deployment and a performance review, AIUI.

Given you already have a docker image coming from the pipeline, creating a dedicated chart shouldn't be much harder than running the scaffolding script, and we can create an LVS endpoint for it in a relatively short timescale, so that you can get to production (a few weeks I think). I can't speak for the performance team, but I think you can ask for the performance review to happen with the service already deployed for the inital phases of your A/B testing.

This path seems more reasonable to me than creating an exception to serve production traffic from WMCS. Does it sound unreasonable / irrealistic to you?

In the future, we plan to have a much easier process for small experiments to run on kubernetes as "lambdas", but that will take some time to come to fruition - we're just working right now on introducing the technologies that will make it possible.

Ladsgroup added a comment.Aug 5 2021, 8:35 AM

(Not speaking on behalf of the team, completely personal):
I see three way out that we could talk about and decide:

  • Get SRE/Security/Legal approval for a temporary deployment of reading for wmcs. One idea I have to ease and compromise is to have a fixed deadline. e.g. "This will stay in production no more than 30 days" This would reduce the risk. The actual number should be decided by PM and the rest.
  • Do the A/B testing outside production. Get the requests made in production (from hadoop). Make a list and find differences between the old and the new system and then decide for its future.
  • Do an actual security review, performance review, get it properly deployed.

My ideal solution would be a mixture of two and three. e.g. Just do a basic check outside production to make sure the suggestion are not off beyond repair, then if it's fine, we can deploy and fix and iterate.

Addshore added a comment.EditedAug 5 2021, 10:33 AM

Before diving into the individual parts of the comments above the main points here seem to be:

  1. Is there a precedent for calling services that are external to Wikimedia production, from Wikimedia production
  2. Can we treat a service on WMCS in the same way (a service external to Wikimedia production)
  3. If so: What was / is the process for such a call to an external service

(Sorry for the book)

In T285098#7262291, @Joe wrote:

First of all, I want to say that IMHO things would have gone smoother if you asked SRE for an opinion about the plan before it was put in motion. Keep this in mind for the future.

So I did touch base back in in April, and we got guided toward potentially using the https://www.mediawiki.org/wiki/Technical_Decision_Forum
But then the powers that be opted for direct WMDE -> WMF communication via email which ultimately lead us to https://wikitech.wikimedia.org/wiki/Cross-Realm_traffic_guidelines
Which after this ticket coming up has since had some clarifying alterations https://wikitech.wikimedia.org/w/index.php?title=Cross-Realm_traffic_guidelines&type=revision&diff=1920750&oldid=1900570

Having said that, we don't usually allow any request to flow from production services to services running in WMCS for a few good reasons, regarding reliability, privacy, and security. I don't think we've ever made an exception to this rule, and I don't think we should make one in this case - but this is my own personal opinion.

The precedent mentioned in the task description that we were directed to was calling other external to WMF production services from WMF production.
The one example of this that springs to mind is the vision API, however I believe at least 1 more example has been offered in the past year.
We totally agree that this is not the usual thing to do, but would like this case to be considered for one of the exceptions.
Specifically talking to the 3 good reasons that for not doing this you raise, we believe that our case presents minimal risk there.

I would be interested in seeing if we can have a path forward that allows you to get what you want with minimum effort while deploying in production.

I would say that a security review cannot be skipped even if you're running the code from WMCS - as it's involved in serving production traffic. The other things standing in your way are a production deployment and a performance review, AIUI.

I totally agree that if this service is to be deployed to production, then it should have a full security review, performance review and go through the regular vigorous process to get deployed.
However tying this into the precedent mentioned above, I highly doubt that external services that we call get a security review of their code etc, but indeed perhaps for the requests & responses and general risk.
Services running on WMCS (the Service we want to use in A/B testing) and routine Gerrit changes (which were made to the property suggestor extension) are also listed as things unlikely to get a review https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews

Given you already have a docker image coming from the pipeline, creating a dedicated chart shouldn't be much harder than running the scaffolding script, and we can create an LVS endpoint for it in a relatively short timescale, so that you can get to production (a few weeks I think). I can't speak for the performance team, but I think you can ask for the performance review to happen with the service already deployed for the inital phases of your A/B testing.

This path seems more reasonable to me than creating an exception to serve production traffic from WMCS. Does it sound unreasonable / irrealistic to you?

If we spend the latter half of 2021 going through the full production deployment flow for the service:

  • Security & performance review of the golang service (using resources from 2 WMF teams)
  • Making needed changes to the service based on the feedback
  • Resourcing and provisioning of the service in production with WMF SREs

To then run a 1 month A/B test and then turn the service off / undeploy it, evaluate the A/B result and potentially not deploy the service again.
Then I feel that we would have unnecessarily spent a whole lot of resources for the year and probably extended the timeline of this A/B test by 6 months or so (I could be wrong).

But I do agree that having some sign off on the payloads being exchanged could still make sense if we are to try and move forward with calling WMCS, even if we deem it to be low risk.

In the future, we plan to have a much easier process for small experiments to run on kubernetes as "lambdas", but that will take some time to come to fruition - we're just working right now on introducing the technologies that will make it possible.

I imagine this would probably leave us in the same situation for this case, as it is the security and performance review of a service that we are not currently planning on deploying to production that we are trying to avoid, by framing it as an external service.
If such a service were to be deployed as a lambdas etc it would still then be getting deployed to production and 100% need to have the full service code be reviewed.

In T285098#7262378, @Ladsgroup wrote:

(Not speaking on behalf of the team, completely personal):
I see three way out that we could talk about and decide:

  • Get SRE/Security/Legal approval for a temporary deployment of reading for wmcs. One idea I have to ease and compromise is to have a fixed deadline. e.g. "This will stay in production no more than 30 days" This would reduce the risk. The actual number should be decided by PM and the rest.

To me this seems quite reasonable, and probably a much smaller investment of people time into such an A/B test than trying to fulfil a full deployment to production that we may just undo.
I believe this is probably something like the process for previous such external calls (if we can frame a WMCS call as external)

  • Do the A/B testing outside production. Get the requests made in production (from hadoop). Make a list and find differences between the old and the new system and then decide for its future.

This would indeed be partly possible, but one part of the A/B test measures user selection and timing of results from the suggester.
So although some sort of A/B testing would probably be possible, not the full A/B test that is actually currently planned.

  • Do an actual security review, performance review, get it properly deployed.

Indeed, also a path forward, and if this is truly the only way forward then we will indeed have to do this.
But as noted above, this ends up spending lots of resources on something that we may not want to spend said resources on, the whole point of the A/B test is to answer that question.

My ideal solution would be a mixture of two and three. e.g. Just do a basic check outside production to make sure the suggestion are not off beyond repair, then if it's fine, we can deploy and fix and iterate.

I believe 2 has already happened to some degree.
My ideal solution would be 1, then if we want to deploy the service 3.

karapayneWMDE subscribed.Aug 10 2021, 2:58 PM
ReleaseTaggerBot edited projects, added MW-1.37-notes (1.37.0-wmf.19; 2021-08-16); removed MW-1.37-notes (1.37.0-wmf.17; 2021-08-02).Aug 13 2021, 9:00 AM
Mholloway closed subtask T286655: Review wd_propertysuggester A/B testing schema as Resolved.Aug 19 2021, 2:44 PM
Addshore mentioned this in T72037: [Story] Automate Entity Suggester Data Updates.Aug 24 2021, 9:36 AM
kostajh subscribed.Sep 6 2021, 12:31 PM
WMDE-leszek subscribed.Sep 14 2021, 5:43 PM
WMDE-leszek mentioned this in T292110: Security Readiness Review For Improved Property Suggester/Recommender for Wikidata.Sep 29 2021, 7:29 PM
sbassett subscribed.Oct 4 2021, 5:35 PM

Hey all-

We've received the security review request (T292110) for this and will plan to include it within our review planning session this week (whether it's accepted for the quarter as-is or not is a separate matter to be determined). Responding to a few issues:

In T285098#7262291, @Joe wrote:

First of all, I want to say that IMHO things would have gone smoother if you asked SRE for an opinion about the plan before it was put in motion. Keep this in mind for the future.

Same for the Security-Team. The earlier we have some general idea of an architecture and code base, the better we can offer guidance on how to successfully get something through a security review. Even a simple RFS form submissions or email to security-help@ with a sketch of the project very early in the process can be helpful and hopefully avoid unpleasantness at a much later date, which is painful for everyone involved. And unfortunately, this has to be a proactive process for engineering teams, as our team literally cannot monitor every conversation that happens on Phab, gerrit, wikitech, meta or mediawiki.org.

Having said that, we don't usually allow any request to flow from production services to services running in WMCS for a few good reasons, regarding reliability, privacy, and security. I don't think we've ever made an exception to this rule, and I don't think we should make one in this case - but this is my own personal opinion.

The Security-Team would likely rate something like this high risk by default (requires c-level/leadership risk acceptance), without additional assurances and some type of mitigation plan.

I would say that a security review cannot be skipped ...

Confirmed.

In T285098#7262893, @Addshore wrote:

However tying this into the precedent mentioned above, I highly doubt that external services that we call get a security review of their code etc, but indeed perhaps for the requests & responses and general risk.

The most they'd likely get in terms of a direct review is a supplier review (apologies as I know most folks can't see that) and/or a third party review. But we would certainly look heavily into the contexts in which they were being used by Wikimedia production services, MediaWiki extensions, etc. e.g. a small amount of public, read-only data vs. read/write of sensitive data.

Services running on WMCS (the Service we want to use in A/B testing) and routine Gerrit changes (which were made to the property suggestor extension) are also listed as things unlikely to get a review https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews

Correct, which is why we'd echo the advice of pursuing this as a proper Wikimedia production service.

To then run a 1 month A/B test and then turn the service off / undeploy it, evaluate the A/B result and potentially not deploy the service again.
Then I feel that we would have unnecessarily spent a whole lot of resources for the year and probably extended the timeline of this A/B test by 6 months or so (I could be wrong).

The other side of this reasoning is that performing end-runs around processes put in place to get something into Wikimedia production exposes the Foundation, WMDE and the community to a much larger potential attack surface and greater risk profile. Our current risk management framework doesn't really want to be in the business of being a hard blocker for anything but rather pushes for their to be a proper understanding of risk and a thoughtful acceptance of risk at various levels across organizations and the community.

In T285098#7262378, @Ladsgroup wrote:

(Not speaking on behalf of the team, completely personal):
I see three way out that we could talk about and decide:

  • Get SRE/Security/Legal approval for a temporary deployment of reading for wmcs. One idea I have to ease and compromise is to have a fixed deadline. e.g. "This will stay in production no more than 30 days" This would reduce the risk. The actual number should be decided by PM and the rest.

To me this seems quite reasonable, and probably a much smaller investment of people time into such an A/B test than trying to fulfil a full deployment to production that we may just undo.
I believe this is probably something like the process for previous such external calls (if we can frame a WMCS call as external)

This might be possible, but it also feels like an exceptional path that a lot of other ad hoc projects will pursue once the precedent exists.

WMDE-leszek changed the task status from Open to Stalled.Oct 6 2021, 1:07 PM

I'm marking this task as stalled to indicate that WMDE undesrtands that security readiness review of the recommender service is to happen first.
WMDE would like T292110 to be handled as a first step towards getting a service productionized and deployed.

SWakiyama added a project: Foundational Technology Requests.Nov 18 2021, 5:40 PM
Manuel edited projects, added Wikidata-Campsite (Team A Hearth 🏰🔥); removed Wikidata-Campsite (Wikidata-Campsite-Iteration-∞ (On Hold)).Nov 23 2021, 1:11 PM
Manuel moved this task from Incoming to Prioritized Backlog on the Wikidata-Campsite (Team A Hearth 🏰🔥) board.Nov 25 2021, 11:12 AM
Manuel moved this task from Prioritized Backlog to Incoming on the Wikidata-Campsite (Team A Hearth 🏰🔥) board.Dec 9 2021, 9:35 AM
Manuel moved this task from Incoming to Prioritized Backlog on the Wikidata-Campsite (Team A Hearth 🏰🔥) board.Dec 9 2021, 1:31 PM
Manuel changed the task status from Stalled to Open.Jan 13 2022, 12:34 PM
Manuel subscribed.

Unstalled, as this passed the security review (T292110#7613470).

Michaelcochez mentioned this in T301471: New Service Request SchemaTree.Feb 10 2022, 2:23 PM
ItamarWMDE subscribed.Feb 16 2022, 9:39 AM
ItamarWMDE mentioned this in T306520: [EPIC] Remove property pair table based property suggestion.Apr 20 2022, 12:58 PM
Manuel edited projects, added [Archived]Wikidata Dev Team; removed Wikidata-Campsite (Team A Hearth 🏰🔥).Aug 10 2022, 9:58 AM
Lydia_Pintscher mentioned this in T156401: Improved property recommender for Wikidata.Aug 16 2022, 10:59 AM
Lydia_Pintscher mentioned this in T132839: [RfC] Property suggester suggests human properties for non-human items.
ItamarWMDE moved this task from Incoming to Product Backlog on the [Archived]Wikidata Dev Team board.Sep 27 2022, 2:23 PM
Addshore unsubscribed.Jun 27 2023, 11:47 AM
Sjoerddebruin subscribed.Jan 19 2024, 10:32 AM

What is the current state of this project? Wikidata is using two-year old suggestions at the moment and I haven't seen an update on this task for around the same period.

Michaelcochez added a comment.Jan 22 2024, 12:17 AM

I did quite an overhaul of the code here: https://github.com/martaannaj/RecommenderServer to comply with the security and deployment related issues. (see https://phabricator.wikimedia.org/T292110#7613470 )

@Sjoerddebruin your status request urged me to also upgrade to the latest version of go, which seems working fine.

An earlier version of this is still running in beta. I would like to get this up in the test environment, but would need a bit of help getting that setup.

First, I want to get the code properly mirrored or moved to gitlab ( https://phabricator.wikimedia.org/T344746 ). It is unclear whether I should just create an new repository there and go ahead. My access request is pending now.

Then, we can go forward to test wikidata. ( see also https://phabricator.wikimedia.org/T301471 )

Pppery edited projects, added Patch-Needs-Improvement; removed Patch-For-Review.Mar 27 2025, 10:38 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits