如何模拟在G-Suite域中运行的AppEngine Java应用程序的用户? [英] How can I impersonate a user of AppEngine java application operating in G-Suite domain?
问题描述
我的标准AppEngine应用程序需要对Google表格文档(以及其他文档)进行更改.
My standard AppEngine application needs to perform changes in a Google Sheet documents (among others).
要实现此目的,我需要获取服务帐户的凭据,并以某种方式配置它应代表用户执行操作.
To achieve this, I need to obtain a credential for service account, and somehow configure that it should act in behalf of a user.
此方法允许给我默认的服务帐户凭据:
This method allows gives me default service account credentials:
private static GoogleCredential getDefaultServiceAccountCredential() throws IOException {
return GoogleCredential.getApplicationDefault()
.createScoped(MY_SCOPES);
}
但它不能代表用户使用.
but it does not work in behalf of a user.
以下代码类似,使用其他(非默认)服务帐户,但仍然不会进行假冒:
Following code is similar, uses other (non-default) service account, but still no impersonation happens:
private static GoogleCredential getNonDefaultServiceAccountCredential() throws IOException {
return GoogleCredential.fromStream(IncomingMailHandlerServlet.class.getResourceAsStream("/tokens/anoher-e6351a8c5b91.json"))
.createScoped(MY_SCOPES);
}
要进行模拟,请 Google文档(以及许多SO建议)提到了如何使用PKCS12文件来完成此操作;但是,该文件只能在已安装的应用程序上读取为 PrivateKey ,而不能在AppEngine上读取.
For impersonation, Google Docs (and many SO advices) mentions how to do it with use of PKCS12 file; however, that file can only be read as PrivateKey on installed application and not on AppEngine.
有什么方法可以获取AppEngine中运行的Java应用程序的模拟凭据吗?还是有一种技巧可以从AppEngine上的 File 中读取?
Is there any way to obtain impersonated credential for java application running in AppEngine?
Or, is there a trick to read from a File on AppEngine?
请注意,对于我尝试的所有服务帐户,我都使用角色Owner和DwD(域范围的委托)配置了它们.还有什么要配置的吗?
Note that, for all service accounts that I tried, I configured them with role Owner and with DwD (Domain-wide delegation). Is there anything else to configure?
推荐答案
还使用服务帐户流来模拟您拥有的域中的用户.这与上面的服务帐户流程非常相似,但是您还要致电 关于如何从App Engine标准访问文件,有多个选项.在下面,您有两个选择的解释: public static GoogleCredential createCredentialForServiceAccountImpersonateUser(
HttpTransport transport,
JsonFactory jsonFactory,
String serviceAccountId,
Collection<String> serviceAccountScopes,
File p12File,
String serviceAccountUser) throws GeneralSecurityException, IOException {
return new GoogleCredential.Builder().setTransport(transport)
.setJsonFactory(jsonFactory)
.setServiceAccountId(serviceAccountId)
.setServiceAccountScopes(serviceAccountScopes)
.setServiceAccountPrivateKeyFromP12File(p12File)
.setServiceAccountUser(serviceAccountUser)
.build();
}
选项1: p12File (凭证文件)是此答案,以了解如何以代码方式访问此类文件.我强烈推荐这种方法,因为
There are multiple options on how to access a file from App Engine Standard. Below, you have two options explained:
Option 1: the
p12File (credentials file) is an App Engine Standard resource file. Check this answer to see how to access such files, code-wise. I strongly recommend this approach because
这些文件只能以只读方式提供给您的代码,而不能用于流量服务.
These files are only available to your code on a read-only basis and not for traffic serving.
File f = new File("path/below/my/project/directory/credentials.json");
和 appengine-web.xml 应该定义资源文件:
<resource-files>
<include path="path/below/my/project/directory/credentials.json"/>
</resource-files>
选项2:凭据文件位于Cloud Storage中.此文档解释了如何通过App Engine Standard访问Cloud Storage中的文件.但是我相信这太麻烦了.我也提供了此选项,因为我已经提到了它.
Option 2: the credentials file is in Cloud Storage. This document explains how to reach files in Cloud Storage from App Engine Standard. But I believe it's too much of a hassle. I provided this option as well because I have mentioned it.
这篇关于如何模拟在G-Suite域中运行的AppEngine Java应用程序的用户?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
