google: Service account-less group access #1896

Open
wants to merge 3 commits into
base: master

@whs whs commented Dec 28, 2020

Overview

Allow access to Google Group information without using a service account

What this PR does / why we need it

This PR uses new Google APIs that use the user's token itself to access the list of groups the user can access, instead of domain-wide delegation on a service account. This removes one secret that the administrator has to manage, and a highly privileged one at that.

Special notes for your reviewer

  • As the API is new, google.golang.org/api needs to be bumped to at least 0.33. However, this creates complications, as it depends on gRPC and the issue "etcd not compatible with grpc v1.30.0" (etcd-io/etcd#12124) is blocking the update to the latest gRPC (in short, etcd depends on an undocumented gRPC API that has been removed). Therefore the replace in go.mod is needed.
  • I have not tested this PR: it requires a Google Workspace Enterprise license, and I just found out when I was almost done that our organization doesn't have one, so it is stuck at "Failed to authenticate: google: could not retrieve groups: could not list groups: googleapi: Error 403: Error(3005): Non-premium customers do not have access to certain premium features., forbidden". I'd welcome it if any organization with the license could test it.

Does this PR introduce a user-facing change?

Google connector now supports retrieving group information without a service account. This requires a Google Workspace Enterprise or Cloud Identity Premium license.

whs added 2 commits January 10, 2021 16:06
Signed-off-by: Manatsawin Hanmongkolchai <git@whs.in.th>
Signed-off-by: Manatsawin Hanmongkolchai <git@whs.in.th>
@whs whs force-pushed the whs/sa-less-group branch from 4497bd8 to f421a11 Compare January 10, 2021 09:13
Signed-off-by: Manatsawin Hanmongkolchai <git@whs.in.th>