7

The new Drive SDK is very good for the authenticated user. Is it possible to use the Drive SDK with Google Apps administrative access to impersonate other domain users?

The doclist API can do it, but it's not possible to manage and copy files (pdf, jpg) with this tool.

I'm using Java with this code:

```java
credential_origine = new GoogleCredential.Builder().setTransport(HTTP_TRANSPORT)
                    .setJsonFactory(JSON_FACTORY)
                    .setServiceAccountId("[email from console api]")   // service account e-mail
                    .setServiceAccountScopes(DriveScopes.DRIVE)
                    .setServiceAccountUser("user@domain.com")          // domain user to impersonate
                    .setServiceAccountPrivateKeyFromP12File(new File("key.p12")).build();
```

But I get an error when I try to retrieve data for user@domain.com. If I comment out .setServiceAccountUser("user@domain.com"), the code works great for the same account I used for creating the key.

In the old DOCList API we impersonated another user by the URL of the requests. Is it something similar?

Harshal Patil
Ridgh
  • What error are you getting? Make sure to add the generated client ID from the APIs Console in your domain's cPanel as described [here](http://support.google.com/a/bin/answer.py?hl=en&answer=162106). – Alain Jul 26 '12 at 15:47
  • Hi Alain, It works fine now, probably I was wrong with ServiceAccountUser. I get a 500 Internal Server Error when I try to change the owner of a File with both updatePermission and patchPermission...maybe because a file must have an owner..I'll try again, thanks for help – Ridgh Jul 26 '12 at 18:20
  • @Ridgh can you give me some idea about accessing users' documents using the admin SDK? Currently I am working on users' documents – Harshal Patil Sep 18 '14 at 13:03

3 Answers

5

You can do that using Service Accounts and specifying the user to impersonate when building your assertion claim.

Once you have created a Service Account key in your API project (from the APIs Console), you will have to add this project to the list of authorized third party apps in the cPanel. More information about this can be found here. The "Client Id" you need to use is the one bound to the Service Account key and looks like <APP_ID>-<OTHER_KEY>.apps.googleusercontent.com

Since you want to manage other users' files, you will have to authorize the Drive wide scope: https://www.googleapis.com/auth/drive.

Most of our client libraries take care of abstracting the claim generation for developers. If you could specify which language you are planning to use, I can update this answer by providing a code snippet to help you get started.

Alain
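What "specifying the user to impersonate when building your assertion claim" amounts to, as an added example (not code from this thread or from Google's client library): the signed JWT is built by hand with JDK classes only, using the claim names and token endpoint from Google's current OAuth 2.0 service-account documentation. The class name, the throwaway key and service-account@example.invalid are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.Base64;

public class DelegatedAssertion {
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    static String b64(String s) {
        return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    // Builds the signed JWT a service account posts to the token endpoint
    // (grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer).
    // user == null: token for the service account itself.
    // user != null: the "sub" claim asks for a token acting as that domain user.
    // Values are concatenated unescaped; fine for e-mail addresses and scope URLs.
    static String assertion(PrivateKey key, String serviceAccountEmail, String user,
                            String... scopes) throws GeneralSecurityException {
        long now = Instant.now().getEpochSecond();
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String claims = "{\"iss\":\"" + serviceAccountEmail + "\","
                + (user != null ? "\"sub\":\"" + user + "\"," : "")
                + "\"scope\":\"" + String.join(" ", scopes) + "\","
                + "\"aud\":\"https://oauth2.googleapis.com/token\","
                + "\"iat\":" + now + ",\"exp\":" + (now + 3600) + "}";
        String signingInput = b64(header) + "." + b64(claims);
        Signature rsa = Signature.getInstance("SHA256withRSA");
        rsa.initSign(key);
        rsa.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64.encodeToString(rsa.sign());
    }

    public static void main(String[] args) throws Exception {
        // Constructed throwaway key and placeholder identities, so this runs offline.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PrivateKey key = gen.generateKeyPair().getPrivate();
        String jwt = assertion(key, "service-account@example.invalid", "user@domain.com",
                "https://www.googleapis.com/auth/drive");
        // Decode the claim set to see exactly which user and scopes are requested.
        String claims = new String(Base64.getUrlDecoder().decode(jwt.split("\\.")[1]),
                StandardCharsets.UTF_8);
        System.out.println(claims);
    }
}
```

Every scope listed in the `scope` claim has to be authorized for the service account's client ID in the domain's control panel; a delegated request that includes a scope outside that grant is refused.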
0

Upgrade:

the code:

```java
com.google.api.client.googleapis.auth.oauth2.GoogleCredential.Builder credential_origine_builder = new GoogleCredential.Builder().setTransport(HTTP_TRANSPORT)
                    .setJsonFactory(JSON_FACTORY)
                    .setServiceAccountId("[[]]")
                    .setServiceAccountScopes(DriveScopes.DRIVE)
                    .setServiceAccountPrivateKeyFromP12File(new File("cfg/file.p12"));

credential_origine_builder.setServiceAccountUser("user@domain.com");
```

works fine.

If we change the .setServiceAccountScopes(DriveScopes.DRIVE) to

```java
.setServiceAccountScopes(DriveScopes.DRIVE, Oauth2Scopes.USERINFO_EMAIL, Oauth2Scopes.USERINFO_PROFILE)
```

for retrieving the name and ID of the user, it seems not to be compatible with .setServiceAccountUser("user@domain.com");

Using the 3 scopes works fine only with the user "owner" of the keys... keep building

Harshal Patil
Ridgh
  • Did you grant those additional scopes when you configured the oAuth access in the cpanel? From the Google cpanel help: For each client, you can specify multiple APIs, separated by commas. For example, to allow access to both the Contacts and Documents List APIs: "http://www.google.com/m8/feeds/, http://docs.google.com/feeds/" – David Jul 27 '12 at 16:17
  • David, in my code I sure added the scopes, on Google Api console I don't see these scopes, am I wrong? I used groups settings api plus provisioning api and oauth 2.0 web flow correctly. My question is about doclist api + drive api and the Service account Oauth flow... I hope to use only drive sdk but it's not possible to manage the permissions (the email field is not returned for privacy).. – Ridgh Jul 29 '12 at 17:19
0

OK, here is complete code in Dartlang to list the files of the impersonated USER@YOUR_DOMAIN user with a JSON key.

To run it you will need to generate a JSON key (instead of P12) via the Google Developer Console (in the project's context: Apis & auth -> credentials).

(Dart project's dependencies in pubspec.yaml: googleapis, googleapis_auth, async)

```dart
import 'package:googleapis/drive/v2.dart';
import 'package:googleapis_auth/auth_io.dart';
import 'package:async/async.dart';

// Service account key as downloaded from the console; the *...* values are placeholders.
final _credentials = new ServiceAccountCredentials.fromJson(r'''
{
  "private_key_id": "*PRIVATE_KEY_ID*",
  "private_key": "*PRIVATE_KEY_CONTENT*",
  "client_email": "*SOMETHING@developer.gserviceaccount.com*",
  "client_id": "*SOMETHING.apps.googleusercontent.com*",
  "type": "service_account"
}
''', impersonatedUser: "*USER@YOUR_DOMAIN*"); // the domain user to impersonate

const _SCOPES = const [DriveApi.DriveScope];

main() async {
  var http_client = await clientViaServiceAccount(_credentials, _SCOPES);
  var drive = new DriveApi(http_client);
  var docs = await drive.files.list(maxResults: 10);

  for (var itm in docs.items) {
    print(itm.title); // list document titles
  }
}
```
tomaszkubacki