是否可以使用服务帐户访问Provisioning API? [英] Is it possible to access Provisioning API with service account?
本文介绍了是否可以使用服务帐户访问Provisioning API?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我的服务帐户范围是: https://apps-apis.google.com/a/feeds/user/和DriveScope.DRIVE
我在服务帐户ID的域设置中的管理第三方OAuth客户端访问"中授权了相同的范围.
我使用预配置api的java客户端.
我使用GoogleCredential.Builder的google oauth客户端构建凭据:
credBuilder.setTransport(HTTP_TRANSPORT)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId(config.serviceAccountId)
.setServiceAccountPrivateKeyFromP12File(new File(config.keyFilePath))
.setServiceAccountScopes(SCOPES);
.setServiceAccountUser("admin.of.my@domain.com")
我尝试使用
将我的请求授权给预配置api userService = new UserService(config.repositoryId);
userService.setOAuth2Credentials(oAuthCredentials);
其中oAuthCredentials是我先前构建的服务凭据.
通过该配置,我可以从我域中任何用户的Google云端硬盘访问文件和集合.但是我无法使用这些凭据访问我域的用户列表.
如果我没有指定服务帐户用户,那么它也不起作用
这是我得到的堆栈跟踪:
com.google.gdata.util.ServiceForbiddenException: You are not authorized to access this API.
<HTML>
<HEAD>
<TITLE>You are not authorized to access this API.</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>You are not authorized to access this API.</H1>
<H2>Error 403</H2>
</BODY>
</HTML>
at com.google.gdata.client.http.HttpGDataRequest.handleErrorResponse(HttpGDataRequest.java:605)
at com.google.gdata.client.http.GoogleGDataRequest.handleErrorResponse(GoogleGDataRequest.java:564)
at com.google.gdata.client.http.HttpGDataRequest.checkResponse(HttpGDataRequest.java:560)
at com.google.gdata.client.http.HttpGDataRequest.execute(HttpGDataRequest.java:538)
at com.google.gdata.client.http.GoogleGDataRequest.execute(GoogleGDataRequest.java:536)
at com.google.gdata.client.Service.getFeed(Service.java:1135)
at com.google.gdata.client.Service.getFeed(Service.java:998)
at com.google.gdata.client.GoogleService.getFeed(GoogleService.java:645)
at com.google.gdata.client.Service.getFeed(Service.java:1017)
at com.google.gdata.client.appsforyourdomain.AppsForYourDomainService.getFeed(AppsForYourDomainService.java:137)
at foo.bar.baz.eci.gdrive.service.BaseService$1.doTry(BaseService.java:125)
at foo.bar.baz.eci.gdrive.service.BaseService$1.doTry(BaseService.java:1)
at foo.bar.baz.eci.gdrive.service.backoff.BackoffRequest.execute(BackoffRequest.java:50)
at foo.bar.baz.eci.gdrive.service.BaseService.getFeedWithBackoff(BaseService.java:129)
at foo.bar.baz.eci.gdrive.service.BaseService.retrieveAllEntries(BaseService.java:90)
at foo.bar.baz.eci.gdrive.service.GappsUserService.getAllUserFeed(GappsUserService.java:57)
at foo.bar.baz.eci.gdrive.GdriveContentProviderFactory.doDiscover(GdriveContentProviderFactory.java:67)
... 19 more
以及来自客户端lib的日志记录:
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setPrivateHeader
PLUS FIN: Authorization: <Not Logged>
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setPrivateHeader
PLUS FIN: Authorization: <Not Logged>
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setPrivateHeader
PLUS FIN: Authorization: <Not Logged>
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader
PLUS FIN: User-Agent: gdocsRepo GData-Java/1.47.1(gzip)
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader
PLUS FIN: User-Agent: gdocsRepo GData-Java/1.47.1(gzip)
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader
PLUS FIN: User-Agent: gdocsRepo GData-Java/1.47.1(gzip)
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader
PLUS FIN: Accept-Encoding: gzip
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader
PLUS FIN: Accept-Encoding: gzip
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader
PLUS FIN: Accept-Encoding: gzip
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader
PLUS FIN: GData-Version: 1.0
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader
PLUS FIN: GData-Version: 1.0
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader
PLUS FIN: GData-Version: 1.0
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
FIN: 403 You are not authorized to access this API.
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
FIN: 403 You are not authorized to access this API.
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
FIN: 403 You are not authorized to access this API.
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Content-Encoding: gzip
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Content-Encoding: gzip
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Content-Encoding: gzip
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Content-Length: 151
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Content-Length: 151
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Content-Length: 151
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: null: HTTP/1.1 403 You are not authorized to access this API.
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: null: HTTP/1.1 403 You are not authorized to access this API.
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: null: HTTP/1.1 403 You are not authorized to access this API.
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Expires: Wed, 21 Nov 2012 14:17:37 GMT
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Expires: Wed, 21 Nov 2012 14:17:37 GMT
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Expires: Wed, 21 Nov 2012 14:17:37 GMT
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: X-XSS-Protection: 1; mode=block
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: X-XSS-Protection: 1; mode=block
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: X-XSS-Protection: 1; mode=block
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: X-Frame-Options: SAMEORIGIN
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: X-Frame-Options: SAMEORIGIN
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: X-Frame-Options: SAMEORIGIN
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Date: Wed, 21 Nov 2012 14:17:37 GMT
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Date: Wed, 21 Nov 2012 14:17:37 GMT
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Date: Wed, 21 Nov 2012 14:17:37 GMT
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Content-Type: text/html; charset=UTF-8
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Content-Type: text/html; charset=UTF-8
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Content-Type: text/html; charset=UTF-8
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Server: GSE
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Server: GSE
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Server: GSE
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: X-Content-Type-Options: nosniff
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: X-Content-Type-Options: nosniff
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: X-Content-Type-Options: nosniff
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Cache-Control: private, max-age=0
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Cache-Control: private, max-age=0
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Cache-Control: private, max-age=0
解决方案
经过调查,如果在.setServiceAccountUser("admin.of.my@domain.com")中设置的帐户不是域的超级管理员",似乎会发生403错误. >
但是,在上述情况下,"admin.of.my@domain.com"确实是该域的超级管理员.该代码还可以与该域的任何其他超级管理员一起很好地工作,从而导致人们尤其认为帐户"admin.of.my@domain.com"出了问题.
如果其他任何人都遇到了这种情况-又名设置为超级管理员"的帐户,该帐户无法通过服务帐户访问仅管理员的API-请确保您在下面的评论中告知我们,我们将进一步调查这会影响很多人.
My service account scopes are : https://apps-apis.google.com/a/feeds/user/ and DriveScope.DRIVE
I authorized this same scope in "Manage third party OAuth Client access" in domain settings for my service account Id.
I use the java client of the provisioning api.
I build my credentials with the google oauth client with a GoogleCredential.Builder :
credBuilder.setTransport(HTTP_TRANSPORT)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId(config.serviceAccountId)
.setServiceAccountPrivateKeyFromP12File(new File(config.keyFilePath))
.setServiceAccountScopes(SCOPES);
.setServiceAccountUser("admin.of.my@domain.com")
I try to authorize my request to the provisioning api with
userService = new UserService(config.repositoryId);
userService.setOAuth2Credentials(oAuthCredentials);
where oAuthCredentials are my previously built Service credentials.
With that configuration i can access files and collections from the Google Drive of any user of my domain. But i can't acces the list of users of my domain with those credentials.
If i dont specify the service account user, it doesn't work either
Here is the stack trace i get :
com.google.gdata.util.ServiceForbiddenException: You are not authorized to access this API.
<HTML>
<HEAD>
<TITLE>You are not authorized to access this API.</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>You are not authorized to access this API.</H1>
<H2>Error 403</H2>
</BODY>
</HTML>
at com.google.gdata.client.http.HttpGDataRequest.handleErrorResponse(HttpGDataRequest.java:605)
at com.google.gdata.client.http.GoogleGDataRequest.handleErrorResponse(GoogleGDataRequest.java:564)
at com.google.gdata.client.http.HttpGDataRequest.checkResponse(HttpGDataRequest.java:560)
at com.google.gdata.client.http.HttpGDataRequest.execute(HttpGDataRequest.java:538)
at com.google.gdata.client.http.GoogleGDataRequest.execute(GoogleGDataRequest.java:536)
at com.google.gdata.client.Service.getFeed(Service.java:1135)
at com.google.gdata.client.Service.getFeed(Service.java:998)
at com.google.gdata.client.GoogleService.getFeed(GoogleService.java:645)
at com.google.gdata.client.Service.getFeed(Service.java:1017)
at com.google.gdata.client.appsforyourdomain.AppsForYourDomainService.getFeed(AppsForYourDomainService.java:137)
at foo.bar.baz.eci.gdrive.service.BaseService$1.doTry(BaseService.java:125)
at foo.bar.baz.eci.gdrive.service.BaseService$1.doTry(BaseService.java:1)
at foo.bar.baz.eci.gdrive.service.backoff.BackoffRequest.execute(BackoffRequest.java:50)
at foo.bar.baz.eci.gdrive.service.BaseService.getFeedWithBackoff(BaseService.java:129)
at foo.bar.baz.eci.gdrive.service.BaseService.retrieveAllEntries(BaseService.java:90)
at foo.bar.baz.eci.gdrive.service.GappsUserService.getAllUserFeed(GappsUserService.java:57)
at foo.bar.baz.eci.gdrive.GdriveContentProviderFactory.doDiscover(GdriveContentProviderFactory.java:67)
... 19 more
And the logging from the client lib :
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setPrivateHeader
PLUS FIN: Authorization: <Not Logged>
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setPrivateHeader
PLUS FIN: Authorization: <Not Logged>
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setPrivateHeader
PLUS FIN: Authorization: <Not Logged>
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader
PLUS FIN: User-Agent: gdocsRepo GData-Java/1.47.1(gzip)
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader
PLUS FIN: User-Agent: gdocsRepo GData-Java/1.47.1(gzip)
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader
PLUS FIN: User-Agent: gdocsRepo GData-Java/1.47.1(gzip)
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader
PLUS FIN: Accept-Encoding: gzip
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader
PLUS FIN: Accept-Encoding: gzip
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader
PLUS FIN: Accept-Encoding: gzip
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader
PLUS FIN: GData-Version: 1.0
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader
PLUS FIN: GData-Version: 1.0
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader
PLUS FIN: GData-Version: 1.0
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
FIN: 403 You are not authorized to access this API.
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
FIN: 403 You are not authorized to access this API.
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
FIN: 403 You are not authorized to access this API.
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Content-Encoding: gzip
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Content-Encoding: gzip
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Content-Encoding: gzip
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Content-Length: 151
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Content-Length: 151
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Content-Length: 151
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: null: HTTP/1.1 403 You are not authorized to access this API.
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: null: HTTP/1.1 403 You are not authorized to access this API.
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: null: HTTP/1.1 403 You are not authorized to access this API.
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Expires: Wed, 21 Nov 2012 14:17:37 GMT
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Expires: Wed, 21 Nov 2012 14:17:37 GMT
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Expires: Wed, 21 Nov 2012 14:17:37 GMT
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: X-XSS-Protection: 1; mode=block
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: X-XSS-Protection: 1; mode=block
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: X-XSS-Protection: 1; mode=block
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: X-Frame-Options: SAMEORIGIN
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: X-Frame-Options: SAMEORIGIN
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: X-Frame-Options: SAMEORIGIN
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Date: Wed, 21 Nov 2012 14:17:37 GMT
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Date: Wed, 21 Nov 2012 14:17:37 GMT
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Date: Wed, 21 Nov 2012 14:17:37 GMT
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Content-Type: text/html; charset=UTF-8
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Content-Type: text/html; charset=UTF-8
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Content-Type: text/html; charset=UTF-8
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Server: GSE
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Server: GSE
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Server: GSE
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: X-Content-Type-Options: nosniff
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: X-Content-Type-Options: nosniff
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: X-Content-Type-Options: nosniff
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Cache-Control: private, max-age=0
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Cache-Control: private, max-age=0
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute
PLUS FIN: Cache-Control: private, max-age=0
解决方案
After investigation it seems that getting a 403 error happens if the account that is set in .setServiceAccountUser("admin.of.my@domain.com") is not a "Super Admin" of the domain.
However in the case above "admin.of.my@domain.com" is indeed a Super Admin of the domain. Also the code works well with any other Super Admin of the domain which leads to believe that there is something wrong with the account "admin.of.my@domain.com" in particular.
If this happens to anyone else - a.k.a. an account set as "Super Admin" which does not work to access Admins-only APIs through Service Accounts - make sure you let us know in the comments below and we'll investigate further if this impacts lots of people.
这篇关于是否可以使用服务帐户访问Provisioning API?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
