我正在将旧的用户管理脚本从Google Provisioning API(使用python gdata库)移植到Google Directory API(python admin-sdk库)。到目前为止,大多数事情都很顺利,但是当我尝试对用户属于哪些组(我需要在用户删除之前删除成员资格)进行发现时,我遇到了问题。甚至将代码剥离到最基本的必需品(替换电子邮件/凭证以供公众消费):
#!/usr/bin/python
import httplib2
from apiclient import errors
from apiclient.discovery import build
from oauth2client.client import SignedJwtAssertionCredentials
SERVICE_ACCOUNT_EMAIL = 'XXXXXXXXXXXXXXXXXXXXXX@developer.gserviceaccount.com'
SERVICE_ACCOUNT_PKCS12_FILE_PATH = '/blah/blah/XXXXXXXX-privatekey.p12'
f = file(SERVICE_ACCOUNT_PKCS12_FILE_PATH, 'rb')
key = f.read()
f.close()
credentials = SignedJwtAssertionCredentials(SERVICE_ACCOUNT_EMAIL, key,
scope='https://www.googleapis.com/auth/admin.directory.user', sub='serviceaccount@our.tld')
service.users()
members = service.members().get(memberKey = 'serviceaccount@our.old', groupKey = 'googlegroup@our.tld').execute()
print members
这将返回403权限错误:
Traceback (most recent call last):
File "group_tests.py", line 39, in <module>
members = service.members().get(memberKey = 'serviceaccount@our.tld', groupKey = 'googlegroup@our.tld').execute()
File "/XXX/bin/gapps/lib/python2.6/site-packages/oauth2client/util.py", line 137, in positional_wrapper
return wrapped(*args, **kwargs)
File "/XXX/bin/gapps/lib/python2.6/site-packages/googleapiclient/http.py", line 729, in execute
raise HttpError(resp, content, uri=self.uri)
googleapiclient.errors.HttpError: <HttpError 403 when requesting https://www.googleapis.com/admin/directory/v1/groups/googlegroup%40our.tld/members/serviceaccount%40our.tld?alt=json returned "Insufficient Permission">
我不知道这里的范围是否错误,如果是,它应该是什么?此服务帐户已设置为具有以下范围的权限(在安全性&gt;高级安全性&gt; API&gt;管理API客户端访问中):
https://www.googleapis.com/auth/admin.directory.user
https://www.googleapis.com/auth/admin.directory.group
或者我应该使用群组而不是会员?像:
members = service.groups().get(memberKey = 'serviceaccount@our.old', groupKey = 'googlegroup@our.tld').execute()
任何指示赞赏,我一直在寻找任何帮助一周,但现在无济于事。
答案 0 :(得分:2)
有这个工作:
首先,凭据定义中的范围不正确。
admin.directory.user
更改为:
admin.directory.group
“build”的初始化也是错误的:
service.users()
更改为:
service.groups()
查询语句本身是完全错误的,我回到reference文档并继续尝试不同的更改,直到它花了:
members = service.groups().list(domain = 'our.tld',userKey = 'user_whos_groups_i_want@our.tld',pageToken=None,maxResults=500).execute()
希望这对后来遇到同样问题的其他人有用。请注意,并非谷歌将丢弃的所有权限错误都是因为权限,可能是您自己的代码具有您尝试使用的冲突范围。