google: Service account-less group access #1896
Open
Overview
Allow access to Google Group information without using a service account
What this PR does / why we need it
This PR uses new Google APIs that use the user's own token to access the list of groups the user can access, instead of domain-wide delegation on a service account. This removes one secret that the administrator has to manage, and a highly privileged one at that.
Special notes for your reviewer
google.golang.org/api needs to be bumped to at least 0.33. However, this creates complications, as it depends on gRPC, and etcd is not compatible with grpc v1.30.0 (etcd-io/etcd#12124), which blocks the update to the latest gRPC (in short, etcd depends on an undocumented grpc API that has been removed). Therefore the replace in go.mod is needed.

Failed to authenticate: google: could not retrieve groups: could not list groups: googleapi: Error 403: Error(3005): Non-premium customers do not have access to certain premium features., forbidden

I'd welcome it if any organization with the license could test it.
Does this PR introduce a user-facing change?