如何限制只有GSuite帐户才能访问GAE灵活网站? [英] How to restrict access to GAE Flexible site only for GSuite account?
问题描述
如何限制GAE Flexible网站的访问权限,仅限于我在GSuite域中的所有帐户以及我明确提供的其他Google帐户。 AFAIR那里的标准GAE版本中的某些东西在 app.yaml
处理程序部分中。\\ b
$ b
所以我的场景:
- 制作版本受限制直至上线
- 开发版和版本版本永久限制
我想在IAM级别上执行此操作,以拒绝网站的流量。但是我没有在文档中发现任何东西。
解决方案好的,在重新思考问题并深入研究文档后,我发现了一个关于开发环境的页面 - https://cloud.google .com / appengine / docs / standard / python / creating-separate-dev-environments 。所以我现在的解决方案并没有像 dev
, stage
和 prod
并且在一个项目中使用它们,而是为每个环境创建单独的项目。
它也将简化数据库的管理 - 以前我在一个数据库服务器中考虑过特定环境中的不同数据库。现在我将拥有一个单独的数据库实例。
无论如何,我仍然遇到安全访问问题。
我以类似于限制App Engine访问自定义域上的G Suite帐户:
- 将Google身份验证更改为我的Google Suite网域
- 在我的应用中添加了自定义域名
- 将我的页面域名添加到我的GSuite作为第二个域名
我仍然可以连接到我的页面即使在隐身模式和其他电脑和手机上也是如此。
编辑:
作为解决方法,我使用了 Django-lockdown 模块。对于时间绰绰有余 - 我有一个密码,我有一个会话,我可以设置它在中间件或作为网址的装饰。
编辑2:
今天我注意到了GAE Flexible中的一项新功能 - 身份识别代理。
这是我正在搜索的功能。您可以通过以下方式限制访问量: b
How to restrict access to GAE Flexible site only for all account from my domain in GSuite and eventually other Google accounts that I provide explicitely. AFAIR there where something simillar in Standard GAE version in app.yaml
handlers section.
So my scenario:
- prodution versions restricted until go-live
- dev and stage version restricted permanently
I would like to do this on the IAM level, to reject traffic to the site. But I didn't found anything in docs.
Ok, after rethink the problem and dig deeper in a documentation I found a page about dev environment - https://cloud.google.com/appengine/docs/standard/python/creating-separate-dev-environments.
So my current solution is not to have separate versions like dev
, stage
and prod
and work with them within one project, but to create separate projects for each of environment.
It will also simplify management of DBs - previous I thought about different database in one DB server for particular environment. Now I will have a separate DB instance for it.
Anyway I still have a problem with securing access. I did it in the same way like in Restrict App Engine access to G Suite accounts on custom domain:
- changed Google Authentication to my Google Suite domain
- added Custom Domain in my app
- added my page domain to my GSuite as a second domain And I still can connect to my page without auth - even in "Incognito mode" and on others computers and mobiles.
EDIT: As a workaround I used Django-lockdown module. For the timebeing is more than enough - I have a password, I have a session, I can set it in Middleware or as a decorator for urls.
EDIT 2: I noticed today a new feature in GAE Flexible - Identity-Aware Proxy. This is the feature, that I was searching. You can restrict accces by:
- Google Account email: user@gmail.com
- Google Group: admins@googlegroups.com
- Service account: server@example.gserviceaccount.com
- Google Apps domain: example.com
这篇关于如何限制只有GSuite帐户才能访问GAE灵活网站?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!