使用ServiceAccount Actor用户访问域范围的Google云端硬盘数据 [英] Access Domain wide Google Drive data with ServiceAccount Actor user

问题描述

所需技术:C#

说明:我正在努力在应用程序中创建工作流，以便网站将通过用户同意屏幕请求Google身份验证，并且一旦获得域管理员的授权，网站将可以访问该域下的所有用户，还可以访问驱动器和团队推动数据.

Description : I am working to create workflow in application such that website will ask for Google Authentication with user consent screen, and once it is authorized by domain administrator, website will have access to all users under that domain and also access to drive and team drive data.

尝试进行身份验证的方式:

1. 创建的服务帐户用户，从admin.google.com向该用户提供了Google范围的必要权限
2. 已创建超级管理员用户，并为其分配了在#1中创建的服务帐户的服务帐户角色角色.

与ServiceAccountCredential对象一起使用的代码

ServiceAccountCredential credential = new ServiceAccountCredential(
                    new ServiceAccountCredential.Initializer("Service_Account_Email")
{
    Scopes = SCOPES,
    User = ADMIN_EMAIL,
}.FromPrivateKey("PRIVATE_KEY"));

使用ServiceAccountCredential对象，可以根据需要列出域用户以及驱动器详细信息.唯一的问题是，为此，我需要客户端创建#1中提到的服务帐户和身份验证步骤，并要求提供不需要的凭据(服务帐户电子邮件，私钥，管理电子邮件).

With the use of ServiceAccountCredential object, I am able to list domain users, as well as drive details, as required. The only problem is that for that I need client to create service account and authentication steps mentioned in #1, and also ask for credentials ( Service account email, private key, admin email ), which I don't want to.

我尝试通过管理员用户(#2)进行身份验证，该用户具有带有以下代码的用户同意屏幕的服务帐户演员角色".

I have tried to authenticate with admin user (#2), which have Service Account Actor Role with user consent screen with below code.

GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow(new GoogleAuthorizationCodeFlow.Initializer
{
    ClientSecrets = new ClientSecrets
    {
        ClientId = Constants.GoogleClientId,
        ClientSecret = Constants.GoogleClientSecret
    },
    Scopes = Constants.GoogleScopes
    //,DataStore = new FileDataStore("Drive.Api.Auth.Store")
});

UserCredential credential = new UserCredential(flow, email, response);

var service1 = new DriveService(new BaseClientService.Initializer()
{
    HttpClientInitializer = credential,
    ApplicationName = "Drive API Service Account Sample",
});

使用上面的代码"service1.Teamdrives.List().Execute();"尽管我在UserCredential对象中传递了不同的电子邮件，但总是会导致我通过身份验证的管理员用户使用Team驱动器.

With the above code "service1.Teamdrives.List().Execute();" always results Team drives available with the admin user I am authenticated with, though I am passing different email in UserCredential object.

在这里我需要帮助，我需要能够在管理员用户(服务帐户执行者)进行身份验证之后，在没有任何用户干预的情况下操纵所有用户的驱动器数据.

I need help here, I need to be able to manipulate all user's drive data without any user intervention once authenticated by admin user ( Service Account Actor )

任何帮助将不胜感激.

谢谢

推荐答案

AFAIK，位于将域范围的权限委派给使用的服务帐户 UserCredential应该是域的成员. 文档中的警告提示，

AFAIK, in delegating domain-wide authority to a service account UserCredential used should be a member of the domain. Note of the warning in the documentation,

服务帐户应仅用于执行委派，其中有效身份是域中单个用户的身份.此外，服务帐户可能无法获得额外的存储配额，也不能充当域的成员.

Service accounts should only be used for performing delegation where the effective identity is that of an individual user in a domain. Additionally, service accounts may not acquire additional storage quota, nor do they act as members of a domain.

您可能想尝试以下步骤来授予访问权限(必须具有服务帐户和Apps管理员角色):

You may want to try these steps to grant access (account with services and Apps admin role are required):

• 登录Google Admin并转到应用-> G Suite->云端硬盘和文档->共享设置子菜单，然后从共享选项中选择开启
• 单击管理团队驱动器子菜单，然后单击要授予访问权限的团队驱动器
• 在会员访问权限弹出窗口中点击添加成员
• 输入服务帐户的帐户ID(电子邮件)，选择访问权限级别(我选择完整")，检查跳过发送通知，然后单击发送

• Sign-in to Google Admin and go to Apps -> G Suite -> Drive and Docs -> Sharing Settings sub-menu and select ON from the Sharing options
• Click on the Manage Team Drives sub-menu and click on the Team Drive you want to grant access to
• Click on ADD MEMBERS in the Member access pop-up
• Enter the service account Account ID (email), choose access level (I chose Full), check the Skip sending notification and click on SEND

有关其他见解，请参阅以下SO帖子和教程:

For additional insights, see these SO posts and tutorial:

• 如何使用带有Google Drive .NET API v3的服务帐户访问Team Drive
• 驱动器对文档的API访问使用服务帐户
• 带有服务帐户的Google Drive API

• How to access Team Drive using service account with Google Drive .NET API v3
• Drive API access to document with service account
• Google Drive API with a Service Account

这篇关于使用ServiceAccount Actor用户访问域范围的Google云端硬盘数据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！