无法使用委派用户G-Suite Admin SDK Python

时间:2017-05-17 11:42:44

标签: oauth google-admin-sdk oauth2client

我尝试使用Google Oauth2服务帐户修补一些自定义用户字段的用户,但如果我委托给除我之外的任何其他用户,我会收到403 Unauthorized响应。

我已经有效地受到以下文件的指导。 https://developers.google.com/api-client-library/python/auth/service-accounts#jwtsample

我暂时给了这个委派用户(service-user@test.pugme.co.uk)SuperAdmin权限,但问题仍然存在,事实上除了实际名称之外,我找不到任何内容区分帐户和我自己的帐户,这让我怀疑这个问题与实际架构的权限有关" customPermissions" ?. (委派的用户也是服务帐户上的服务帐户Actor)

我的测试代码是...... 

from __future__ import print_function
import json
import os
import httplib2

from httplib2 import Http
from json import dumps
from apiclient import discovery
from httplib2 import Http

from oauth2client.service_account import ServiceAccountCredentials

headers = {}

scopes = ['https://www.googleapis.com/auth/admin.directory.user',
          'https://www.googleapis.com/auth/admin.directory.userschema']

credentials = ServiceAccountCredentials.from_json_keyfile_name('service-account.json', scopes=scopes)

# Service account actor - Valid Google user but not a real person. 
account_sub = 'service-user@test.pugme.co.uk'

delegated_credentials=credentials.create_delegated(account_sub)

httplib2.debuglevel=3

http = delegated_credentials.authorize(Http())

service = discovery.build('admin', 'directory_v1', http=http)

# Prove we can get some users ... 
results = service.users().list(customer='<redacted>', maxResults=10, orderBy='email').execute()
users = results.get('users', [])

# Prove we can update schema for a particular user
schema = dumps({'customSchemas':{'pugme':{'customPermissions':[{'value':'role1'},{'value':'role2'}],'realName':'Mike Kirk'}}})

headers['Content-Type']="application/json; charset=UTF-8"
resp = http.request('https://www.googleapis.com/admin/directory/v1/users/michael.kirk@test.pugme.co.uk?projection=full', "PATCH", body=schema, headers=headers)
print(resp)

我的自定义架构如下。 

custom_schema = {
    "fields": [
        {
            "fieldName": "customPermissions",
            "fieldType": "STRING",
            "multiValued": True
        },
        {
            "fieldName": "realName",
            "fieldType": "STRING"
        }
    ],
    "schemaName": "pugme",
}

谢谢Mike

1 个答案:

答案 0 :(得分:2)

用户service-user@test.pugme.co.uk上的密码是否已过期?我遇到了类似的问题,通过重置密码解决了这个问题。在字段属性中更改readAccessType也是值得的:

https://developers.google.com/admin-sdk/directory/v1/reference/schemas

相关问题
最新问题