That seems easy enough, but there's something I don't understand. Where does
the accessing user's identity come into play?
If I follow the directions the SO answer links to, I end up with something like
this:
    def adminPermission():
        from googleapiclient import discovery
        from oauth2client.client import GoogleCredentials

        # Application Default Credentials: the app's own identity.
        credentials = GoogleCredentials.get_application_default()
        service = discovery.build('cloudresourcemanager', 'v1',
                                  credentials=credentials)
        resource = "my-project-name"
        test_iam_permissions_request_body = {
            "permissions": [
                "resourcemanager.projects.get"
            ]
        }
        request = service.projects().testIamPermissions(
            resource=resource, body=test_iam_permissions_request_body)
        response = request.execute()
        return len(response.get("permissions", [])) == 1
But all I'm checking in that code is whether my project has project permission,
not whether the user making the request has project permission. If I hit a URL
from curl with no auth, that is returning True, since, of course, my project has
permission to get itself.
How do I get the credentials of the user accessing the URL?
-Joshua
> On Jan 28, 2021, at 10:56 AM, 'Emil' via Google App Engine
> <[email protected]> wrote:
>
> The built-in solution is no longer available; you can test IAM permission in
> your code as explained here <https://stackoverflow.com/a/52055488/12232507>
> if it is feasible for you.
>
> On Wednesday, January 27, 2021 at 8:28:10 PM UTC+1 Joshua Smith wrote:
> Interesting. I'll make that my fallback plan if nobody has an idea that
> simply reproduces the old behavior (which was the exact behavior everyone
> needed, by the way; why does Google always insist on replacing perfectly good
> things with insanely complicated things that lack the one thing we all need?)
>
>
>> On Jan 27, 2021, at 2:13 PM, 'Charlie Engelke' via Google App Engine
>> <[email protected]> wrote:
>>
>> You can enable and configure IAP independently for different services, so if
>> you can put all the admin functions in a separate service, that could do it.
>>
>> On Wednesday, January 27, 2021 at 8:49:57 AM UTC-8 Joshua Smith wrote:
>> That does look super easy, but as you pointed out, it applies to the whole
>> app. I just want pages in my /admin section to require auth.
>>
>>
>>> On Jan 27, 2021, at 11:44 AM, 'Jose V' via Google App Engine
>>> <[email protected]> wrote:
>>>
>>> Just in case it helps, you can also easily implement IAP for App Engine
>>> <https://cloud.google.com/iap/docs/app-engine-quickstart>. The only
>>> drawback would be that it secures the entire application, not specific
>>> endpoints, which I am not sure is what you require in your scenario.
>>>
>>> On Monday, January 25, 2021 at 7:21:37 PM UTC+1 Joshua Smith wrote:
>>> I'm hoping someone on this list has encountered this, and can say "Yeah, I
>>> ran into that. Here's how I dealt with it..."
>>>
>>> I'm looking for an easy step-by-step guide to just get the exact behavior
>>> that Python 2.7 had.
>>>
>>> -Joshua
>>>
>>>
>>>> On Jan 25, 2021, at 1:05 PM, 'Elliott (Cloud Platform Support)' via Google
>>>> App Engine <[email protected]> wrote:
>>>>
>>>> Hello Joshua,
>>>>
>>>> I understand that you would like an easy way to implement authentication
>>>> because you may not continue to use login: admin. I was able to confirm
>>>> this. First, I would like to apologize for the inconvenience. There is no
>>>> easy way other than to implement one of the options listed in this
>>>> document
>>>> <https://cloud.google.com/appengine/docs/standard/python3/authenticating-users>.
>>>>
>>>> You are presented with some options including Firebase Authentication,
>>>> Google Sign-In and OAuth 2.0 and OpenID Connect. Each of these
>>>> technologies is described in the document.
>>>>
>>>> I would like your thoughts on the recommended ways so that we may find a
>>>> solution that agrees with you.
>>>>
>>>> I hope that we may now have enough to elaborate on this discussion.
>>>>
>>>>
>>>> On Friday, January 22, 2021 at 1:07:16 PM UTC-5 Joshua Smith wrote:
>>>> In my quest to figure out how to keep using Google App Engine when
>>>> Python27 eventually goes away, I've just run into yet another case where
>>>> something simple seems to have been replaced with a nightmare of
>>>> complexity
>>>> <https://cloud.google.com/appengine/docs/standard/python/migrate-to-python3/migrating-services#user_authentication>.
>>>>
>>>> In my old app.yaml, I had this:
>>>>
>>>> - url: /admin/.*
>>>>   script: main.app
>>>>   secure: always
>>>>   login: admin
>>>>
>>>> Unfortunately, python37 doesn't support login: admin any more (!). I'm
>>>> facing a mountain of documentation detailing a bunch of different ways I
>>>> can do authentication now.
>>>>
>>>> Stack Overflow is no help at all in simplifying this.
>>>>
>>>> Anyone here have advice on the easiest possible way to get the old
>>>> Python27 behavior that you have to be logged in as the app administrator
>>>> in order to hit a certain URL?
>>>>
>>>> This isn't for ensuring crons are only run by cron. That seems pretty easy
>>>> by looking at headers.
>>>>
>>>> This is for when you have administrative functions that only the
>>>> developers need access to, and I'm looking for the easiest way to ensure a
>>>> URL is only accessible to those particular people.
>>>>
>>>> In case it matters, I'm using Flask.
>>>>
>>>> -Joshua
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups
>>>> "Google App Engine" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an
>>>> email to [email protected] <>.
>>>> To view this discussion on the web visit
>>>> https://groups.google.com/d/msgid/google-appengine/05ac62c4-6c44-4e7b-8068-1601d6a4eef0n%40googlegroups.com
>>>>
>>>> <https://groups.google.com/d/msgid/google-appengine/05ac62c4-6c44-4e7b-8068-1601d6a4eef0n%40googlegroups.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google Groups
"Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/google-appengine/E4E3E288-E828-4559-B564-791FF81387CB%40gmail.com.
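
Added example, not part of the original thread and not Google's or any poster's code: with IAP enabled on the service, the caller's identity arrives in the signed X-Goog-IAP-JWT-Assertion request header, so a WSGI wrapper can verify it and limit /admin/ to an allowlist. The names AdminGuard, verify_iap_jwt and ADMINS, the allowlist entry and the audience placeholder are assumptions.

```python
# Added example, not code from the thread. ADMINS, AUDIENCE and the helper
# names are assumptions; the header name and key URL are the ones IAP uses.
IAP_CERTS_URL = "https://www.gstatic.com/iap/verify/public_key"
AUDIENCE = "/projects/PROJECT_NUMBER/apps/PROJECT_ID"   # placeholder
ADMINS = {"dev@example.com"}                            # constructed allowlist


def verify_iap_jwt(token, audience=AUDIENCE):
    """Check the IAP-signed JWT and return the caller's email.

    Needs the google-auth package and network access to fetch IAP's keys.
    """
    from google.auth.transport import requests
    from google.oauth2 import id_token
    claims = id_token.verify_token(
        token, requests.Request(), audience=audience, certs_url=IAP_CERTS_URL)
    return claims["email"]


class AdminGuard:
    """WSGI middleware: /admin/ is served only to verified, allowlisted users."""

    def __init__(self, app, admins=ADMINS, verify=verify_iap_jwt,
                 prefix="/admin/"):
        self.app, self.admins = app, {a.lower() for a in admins}
        self.verify, self.prefix = verify, prefix

    def __call__(self, environ, start_response):
        if not environ.get("PATH_INFO", "").startswith(self.prefix):
            return self.app(environ, start_response)
        # The identity comes from the request, not from the app's credentials.
        token = environ.get("HTTP_X_GOOG_IAP_JWT_ASSERTION")
        if not token:
            return self._deny(start_response, "401 Unauthorized")
        try:
            email = self.verify(token)
        except Exception:   # bad signature, wrong audience, expired: fail closed
            return self._deny(start_response, "401 Unauthorized")
        if email.lower() not in self.admins:
            return self._deny(start_response, "403 Forbidden")
        environ["admin.email"] = email   # available to the wrapped app
        return self.app(environ, start_response)

    @staticmethod
    def _deny(start_response, status):
        start_response(status, [("Content-Type", "text/plain")])
        return [status.encode()]
```

In a Flask app this would be installed with app.wsgi_app = AdminGuard(app.wsgi_app). A request made with curl and no auth carries no assertion header and gets 401 on /admin/ paths.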