是否可以从服务帐户调用API,而不必代表用户在整个域范围内进行代理? [英] Is it possible to call APIs from service account without acting on behalf of a user in domain-wide delegation?
问题描述
我的Python脚本从G Suite检索有关用户和组的信息(目前,使用14天免费帐户进行测试).我正在使用域范围的委派和OAuth 2.0用于服务器到服务器的应用程序,因为我不想显示一个弹出窗口,来自托管域的用户可以让我看到他们的组和用户.
My Python script retrieves infos about users and groups from a G Suite (testing, for now, with the 14 days free account). I'm using domain-wide delegation and OAuth 2.0 for server to server applications because I don't want to display a pop window where users from hosted domains would allow me to see their groups and users.
这些是我为了获得用户和组而遵循的步骤:
These are the steps I followed in order to get users and groups:
- 创建并下载所有必要的凭据,例如客户ID;
- 在我的G Suite管理控制台中,允许访问我的客户ID,并授予其访问权限与我的脚本具有相同作用域的用户和组API的权限;
- 在我的脚本中,使用.json创建凭据,并代表G Suite管理员进行请求;
- 开始调用API.
现在,G Suite管理员已经允许在其安全性"设置中为某些客户ID分配某些范围:我手动进行了此操作,手动输入了客户ID和范围.在用于服务器到服务器应用程序的OAuth 2.0 教程中它显示为:
Now, the G Suite admin has to allow, in its Security settings, to a certain Client ID some scopes: this I made by hand, manually entering Client ID and scopes. In the OAuth 2.0 for Server to Server Applications tutorial it reads:
如果您已委派了对服务帐户的域范围访问权限,并且要模拟用户帐户,请使用现有service_account.Credentials对象的with_subject方法.
If you have delegated domain-wide access to the service account and you want to impersonate a user account, use the with_subject method of an existing service_account.Credentials object.
所以:我让自己从G Suite管理面板访问某些API,我的脚本创建了使用该API的凭据,但我下载的.json不够:似乎在域范围内的委托中,我的脚本仍然具有代表该托管域中的用户发出请求,在我的情况下,是托管域的管理员.我试图创建用于模拟用户的凭据 wihtout ,但是我没有足够的权限执行此操作,因此对API的调用返回了401或403.
So: I gave myself access from G suite admin panel to some APIs, my script creates credentials for using that APIs but the .json I downloaded is not enough: it seems that with domain-wide delegation my script still have to make requests on behalf of a user from that hosted domain, in my case the admin of the hosted domain. I tried to create the credentials wihtout impersonating a user, but I did not have enough permissions to do so and the call to APIs returns me 401 or 403.
我认为委派访问不需要代表用户执行,因为服务帐户未与任何用户相关联.
我可以在不假冒属于我正在使用的托管域的用户的情况下为服务帐户创建凭据吗?包含我的私钥和其他内容的客户ID和.json文件不够吗?
Can I create credentials for a service account without impersonating a user belonging to the hosted domain I'm working with? Are my Client ID and .json file containing my private key and other stuff not enough?
这是我的代码:
from google.oauth2 import service_account
import googleapiclient.discovery
import json
""" CONSTANTS AND GLOBAL VARIABLES
"""
# The API we request to use
SCOPES = ['https://www.googleapis.com/auth/admin.directory.group.readonly',
'https://www.googleapis.com/auth/admin.directory.user.readonly']
# json containing keys, account service email, id client and other stuff
SERVICE_ACCOUNT_FILE = 'my_file.json'
# The hosted domain we want to work with
DOMAIN = 'some_hd.it'
# The user I'm using to create credentials
USER_EMAIL = 'name.surname@some_hd.it'
""" SETTING AND GETTING CREDENTIALS
"""
credentials = service_account.Credentials.from_service_account_file(
SERVICE_ACCOUNT_FILE, scopes=SCOPES)
if credentials is None:
print "BAD CREDENTIALS"
delegated_credentials = credentials.with_subject(USER_EMAIL)
"""
build('api_name', 'api_version', ...)
https://developers.google.com/api-client-library/python/apis/
"""
service = googleapiclient.discovery.build('admin', 'directory_v1',
credentials=delegated_credentials)
""" GETTING GROUPS AND USERS
"""
request = service.groups().list(domain=DOMAIN)
response = request.execute()
groups = response.get('groups', [])
if not groups:
print "No groups in %s" % (DOMAIN)
print
request = service.users().list(domain=DOMAIN)
response = request.execute()
users = response.get('users', [])
if not users:
print "No users in %s" % (DOMAIN)
else:
for user in users:
for email in user['emails']:
print email['address']
print 'User ID: %s' % (user['id'])
print 'Is admin? %s' % (str(user['isAdmin']))
print
推荐答案
我使用Google API已有一段时间了,我们有相同的情况,据我所知,您不需要模仿.
I've been working with Google API for a while and we have the same scenario and no, as far as i know, you'll need to impersonate.
请注意,仅允许API,下载凭据并为范围提供客户端ID的权限是不够的.
Note that simply allowing the API, download the credential and give scopes permissions to the client ID isnt enough.
对于某些服务,例如Directory API,您需要向要从admin gsuite面板中模拟的用户授予特定的读写权限,以便能够访问您的组和用户.
For certain services like Directory API, you need to give specifc read and write permissions to the user that you're going to impersonate from the admin gsuite panel to be able to access your groups and users.
这篇关于是否可以从服务帐户调用API,而不必代表用户在整个域范围内进行代理?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
