2012-10-18 108 views
4

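My service account has the scopes https://apps-apis.google.com/a/feeds/user/ and DriveScope.DRIVE. Is it possible to access the Provisioning API using a service account?

I authorized my service account ID for these same scopes in the "Manage third party OAuth Client access" domain setting.

I am using the Java client for the Provisioning API.

I build my Google OAuth client credentials with GoogleCredential.Builder: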

credBuilder.setTransport(HTTP_TRANSPORT)
     .setJsonFactory(JSON_FACTORY)
     .setServiceAccountId(config.serviceAccountId)
     .setServiceAccountPrivateKeyFromP12File(new File(config.keyFilePath))
     .setServiceAccountScopes(SCOPES)
     // domain user that the service account impersonates
     .setServiceAccountUser("[email protected]");

I try to authorize requests to the Provisioning API with:

userService = new UserService(config.repositoryId); 
userService.setOAuth2Credentials(oAuthCredentials); 

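where oAuthCredentials is the service credential I built previously.

With this setup, I can access the files and collections of any user of my domain through Google Drive. But I cannot access my domain's user list with these credentials.

If I don't specify the service account user, it doesn't work either.

Here is the stack trace I get: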

com.google.gdata.util.ServiceForbiddenException: You are not authorized to access this API. 
<HTML> 
<HEAD> 
<TITLE>You are not authorized to access this API.</TITLE> 
</HEAD> 
<BODY BGCOLOR="#FFFFFF" TEXT="#000000"> 
<H1>You are not authorized to access this API.</H1> 
<H2>Error 403</H2> 
</BODY> 
</HTML> 
at com.google.gdata.client.http.HttpGDataRequest.handleErrorResponse(HttpGDataRequest.java:605) 
at com.google.gdata.client.http.GoogleGDataRequest.handleErrorResponse(GoogleGDataRequest.java:564) 
at com.google.gdata.client.http.HttpGDataRequest.checkResponse(HttpGDataRequest.java:560) 
at com.google.gdata.client.http.HttpGDataRequest.execute(HttpGDataRequest.java:538) 
at com.google.gdata.client.http.GoogleGDataRequest.execute(GoogleGDataRequest.java:536) 
at com.google.gdata.client.Service.getFeed(Service.java:1135) 
at com.google.gdata.client.Service.getFeed(Service.java:998) 
at com.google.gdata.client.GoogleService.getFeed(GoogleService.java:645) 
at com.google.gdata.client.Service.getFeed(Service.java:1017) 
at com.google.gdata.client.appsforyourdomain.AppsForYourDomainService.getFeed(AppsForYourDomainService.java:137) 
at foo.bar.baz.eci.gdrive.service.BaseService$1.doTry(BaseService.java:125) 
at foo.bar.baz.eci.gdrive.service.BaseService$1.doTry(BaseService.java:1) 
at foo.bar.baz.eci.gdrive.service.backoff.BackoffRequest.execute(BackoffRequest.java:50) 
at foo.bar.baz.eci.gdrive.service.BaseService.getFeedWithBackoff(BaseService.java:129) 
at foo.bar.baz.eci.gdrive.service.BaseService.retrieveAllEntries(BaseService.java:90) 
at foo.bar.baz.eci.gdrive.service.GappsUserService.getAllUserFeed(GappsUserService.java:57) 
at foo.bar.baz.eci.gdrive.GdriveContentProviderFactory.doDiscover(GdriveContentProviderFactory.java:67) 
... 19 more 

And the log from the client library:

21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setPrivateHeader 
PLUS FIN: Authorization: <Not Logged> 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setPrivateHeader 
PLUS FIN: Authorization: <Not Logged> 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setPrivateHeader 
PLUS FIN: Authorization: <Not Logged> 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader 
PLUS FIN: User-Agent: gdocsRepo GData-Java/1.47.1(gzip) 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader 
PLUS FIN: User-Agent: gdocsRepo GData-Java/1.47.1(gzip) 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader 
PLUS FIN: User-Agent: gdocsRepo GData-Java/1.47.1(gzip) 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader 
PLUS FIN: Accept-Encoding: gzip 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader 
PLUS FIN: Accept-Encoding: gzip 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader 
PLUS FIN: Accept-Encoding: gzip 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader 
PLUS FIN: GData-Version: 1.0 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader 
PLUS FIN: GData-Version: 1.0 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest setHeader 
PLUS FIN: GData-Version: 1.0 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
FIN: 403 You are not authorized to access this API. 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
FIN: 403 You are not authorized to access this API. 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
FIN: 403 You are not authorized to access this API. 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: Content-Encoding: gzip 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: Content-Encoding: gzip 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: Content-Encoding: gzip 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: Content-Length: 151 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: Content-Length: 151 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: Content-Length: 151 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: null: HTTP/1.1 403 You are not authorized to access this API. 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: null: HTTP/1.1 403 You are not authorized to access this API. 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: null: HTTP/1.1 403 You are not authorized to access this API. 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: Expires: Wed, 21 Nov 2012 14:17:37 GMT 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: Expires: Wed, 21 Nov 2012 14:17:37 GMT 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: Expires: Wed, 21 Nov 2012 14:17:37 GMT 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: X-XSS-Protection: 1; mode=block 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: X-XSS-Protection: 1; mode=block 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: X-XSS-Protection: 1; mode=block 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: X-Frame-Options: SAMEORIGIN 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: X-Frame-Options: SAMEORIGIN 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: X-Frame-Options: SAMEORIGIN 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: Date: Wed, 21 Nov 2012 14:17:37 GMT 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: Date: Wed, 21 Nov 2012 14:17:37 GMT 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: Date: Wed, 21 Nov 2012 14:17:37 GMT 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: Content-Type: text/html; charset=UTF-8 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: Content-Type: text/html; charset=UTF-8 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: Content-Type: text/html; charset=UTF-8 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: Server: GSE 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: Server: GSE 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: Server: GSE 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: X-Content-Type-Options: nosniff 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: X-Content-Type-Options: nosniff 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: X-Content-Type-Options: nosniff 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: Cache-Control: private, max-age=0 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: Cache-Control: private, max-age=0 
21 nov. 2012 15:17:37 com.google.gdata.client.http.HttpGDataRequest execute 
PLUS FIN: Cache-Control: private, max-age=0 

Answers

1

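After investigating, it seems that a 403 error occurs if the account set in .setServiceAccountUser("[email protected]") is not a "super admin" of the domain.

However, in the case above "[email protected]" is indeed a super admin of the domain. Also, the code works with any other super admin of the domain, which leads us to believe that there is an issue with the account "[email protected]" in particular.

If this happens to anyone else (an account known to be a "super admin" that cannot access admin-only APIs through a service account), please make sure you let us know in the comments below, and we will investigate further if this affects a lot of people.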

+0

Read-only access is all I need. I'll give you some feedback as soon as I have tested it. – Jerome

+0

I have just tested the scopes you gave me. My full scope list is: 'https://apps-apis.google.com/a/feeds/group/#readonly,https://apps-apis.google.com/a/feeds/user/#readonly,https://docs.google.com/feeds/,https://www.googleapis.com/auth/drive,https://www.googleapis.com/auth/userinfo.email'. I get 'invalid_scope' as the error in a TokenResponseException on the 'Credential.refreshToken' method invocation. – Jerome

+0

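There does indeed seem to be an issue with using service accounts and these scopes; they don't seem to be recognized... I will work with our team to try to solve this. In the meantime, if you only need read-only access to the user list, you can also use the Google Apps Profiles API. I checked, and it works fine in that scenario. Updated the answer. – Nivco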

0

The Provisioning API has now been deprecated, as of the 15th of May 2013; they have launched a new API called the Directory APIs, which solves your problem.
