Hi Joshua,

I will state a few options for you here:
1- Extract all admin functionality to another App Engine service and put 
IAP in front of it (that's what I would do personally, as it's the most 
secure and easy one).
2- Create some old-fashioned login form and test the email and password 
against some database like Datastore before letting any access to the admin 
endpoint.
3- Use federated auth like Firebase Auth, but this needs some more 
implementation and work from your side. Check 
here: 
https://cloud.google.com/appengine/docs/standard/python/authenticating-users-firebase-appengine

On Thursday, January 28, 2021 at 5:29:53 PM UTC+1 Joshua Smith wrote:

> That seems easy enough, but there's something I don't understand. Where 
> does the accessing user's identity come into play?
>
> If I follow the directions the SO answer links to, I end up with something 
> like this:
>
> def adminPermission():
>     from googleapiclient import discovery
>     from oauth2client.client import GoogleCredentials
>     # Application Default Credentials: the identity of the app itself
>     credentials = GoogleCredentials.get_application_default()
>     service = discovery.build('cloudresourcemanager', 'v1', credentials=credentials)
>     resource = "my-project-name"
>     test_iam_permissions_request_body = {
>         "permissions": [
>             "resourcemanager.projects.get"
>         ]
>     }
>     request = service.projects().testIamPermissions(resource=resource, body=test_iam_permissions_request_body)
>     response = request.execute()
>     return len(response.get("permissions", [])) == 1
>
> But all I'm checking in that code is whether my project has project 
> permission, not whether the user making the request has project permission. 
> If I hit a URL from curl with no auth that is returning True, since *of 
> course*, my project has permission to get itself.
>
> How do I get the credentials of the *user* accessing the URL?
>
> -Joshua
>
> On Jan 28, 2021, at 10:56 AM, 'Emil' via Google App Engine <
> [email protected]> wrote:
>
> The builtin solution is no longer available, you can test iam permission 
> in your code as explained here 
> <https://stackoverflow.com/a/52055488/12232507> if it is feasible for you.
>
> On Wednesday, January 27, 2021 at 8:28:10 PM UTC+1 Joshua Smith wrote:
>
>> Interesting. I'll make that my fallback plan if nobody has an idea that 
>> simply reproduces the old behavior (which was the exact behavior everyone 
>> needed, by the way; why does Google always insist on replacing perfectly 
>> good things with insanely complicated things that lack the one thing we all 
>> need?)
>>
>> On Jan 27, 2021, at 2:13 PM, 'Charlie Engelke' via Google App Engine <
>> [email protected]> wrote:
>>
>> You can enable and configure IAP independently for different services, so 
>> if you can put all the admin functions in a separate service, that could do 
>> it.
>>
>> On Wednesday, January 27, 2021 at 8:49:57 AM UTC-8 Joshua Smith wrote:
>>
>>> That does look super easy, but as you pointed out, it applies to the 
>>> whole app. I just want pages in my /admin section to require auth.
>>>
>>> On Jan 27, 2021, at 11:44 AM, 'Jose V' via Google App Engine <
>>> [email protected]> wrote:
>>>
>>> Just in case it helps, you can also easily implement IAP for App Engine 
>>> <https://cloud.google.com/iap/docs/app-engine-quickstart>. The only 
>>> drawback would be that it secures the entire application, not specific 
>>> endpoints, which I am not sure is what you require in your scenario.
>>>
>>> On Monday, January 25, 2021 at 7:21:37 PM UTC+1 Joshua Smith wrote:
>>>
>>>> I'm hoping someone on this list has encountered this, and can say 
>>>> "Yeah, I ran into that. Here's how I dealt with it..."
>>>>
>>>> I'm looking for an easy step-by-step guide to just get the exact 
>>>> behavior that Python 2.7 had.
>>>>
>>>> -Joshua
>>>>
>>>> On Jan 25, 2021, at 1:05 PM, 'Elliott (Cloud Platform Support)' via 
>>>> Google App Engine <[email protected]> wrote:
>>>>
>>>> Hello Joshua,
>>>>
>>>> I understand that you would like an easy way to implement 
>>>> authentication because you may not continue to use login: admin. I was 
>>>> able to confirm this. First, I would like to apologize for the 
>>>> inconvenience. There is no easy way other than to implement one of the 
>>>> options listed in this document 
>>>> <https://cloud.google.com/appengine/docs/standard/python3/authenticating-users>.
>>>>
>>>> You are presented with some options including Firebase Authentication, 
>>>> Google Sign-In and OAuth 2.0 and OpenID Connect. Each of these 
>>>> technologies is described in the document.
>>>>
>>>> I would like your thoughts on the recommended ways so that we may find 
>>>> a solution that agrees with you.
>>>>
>>>> I hope that we may now have enough to elaborate on this discussion.
>>>>
>>>>
>>>> On Friday, January 22, 2021 at 1:07:16 PM UTC-5 Joshua Smith wrote:
>>>>
>>>>> In my quest to figure out how to keep using Google App Engine when 
>>>>> Python27 eventually goes away, I've just run into yet another case where 
>>>>> something simple seems to have been replaced with a nightmare of complexity 
>>>>> <https://cloud.google.com/appengine/docs/standard/python/migrate-to-python3/migrating-services#user_authentication>.
>>>>>
>>>>> In my old app.yaml, I had this:
>>>>>
>>>>> - url: /admin/.*
>>>>>   script: main.app
>>>>>   secure: always
>>>>>   login: admin
>>>>>
>>>>> Unfortunately, python37 doesn't support *login: admin* any more (!). 
>>>>> I'm facing a mountain of documentation detailing a bunch of different ways 
>>>>> I can do authentication now.
>>>>>
>>>>> Stack Overflow is no help at all in simplifying this.
>>>>>
>>>>> Anyone here have advice on the *easiest possible way* to get the old 
>>>>> Python27 behavior that you have to be logged in as the app administrator 
>>>>> in order to hit a certain URL?
>>>>>
>>>>> This isn't for ensuring crons are only run by cron. That seems pretty 
>>>>> easy by looking at headers.
>>>>>
>>>>> This is for when you have administrative functions that only the 
>>>>> developers need access to, and I'm looking for the easiest way to ensure 
>>>>> a URL is only accessible to those particular people.
>>>>>
>>>>> In case it matters, I'm using Flask.
>>>>>
>>>>> -Joshua
>>>>>
>>>>>

-- 
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/google-appengine/0ec1b495-04d4-47af-aa59-3019c8daa085n%40googlegroups.com.

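Emil's first option, a separate admin service with IAP in front of it, is the one that answers Joshua's question of where the caller's identity comes from: IAP attaches a signed JWT to every request it forwards, and the app verifies that token instead of testing its own service-account permissions. The following is an added example, not code from this thread or from Google: a stdlib-only WSGI middleware that reproduces the old `login: admin` handler for `/admin/.*` from that header; the IAP audience string and the admin allowlist are assumed to be supplied by the deployer, and google-auth is assumed to be installed for the real verifier.

```python
from typing import Optional

# Where IAP publishes the public keys for its ES256 assertions, and the issuer
# every valid assertion must name (both from the IAP signed-headers docs).
IAP_CERTS_URL = "https://www.gstatic.com/iap/verify/public_key"
IAP_ISSUER = "https://cloud.google.com/iap"


def default_verifier(token: str, audience: str) -> dict:
    """Verify signature, expiry and audience with google-auth (assumed installed)."""
    from google.auth.transport import requests as google_requests  # lazy: prod only
    from google.oauth2 import id_token
    return id_token.verify_token(token, google_requests.Request(),
                                 audience=audience, certs_url=IAP_CERTS_URL)


class AdminGate:
    """WSGI middleware: the old `login: admin` handler for /admin/.*, backed by IAP.
    The plain X-Goog-Authenticated-User-Email header is ignored on purpose: anyone who
    reaches the service without passing through IAP could set it; only the signed
    X-Goog-IAP-JWT-Assertion header proves who the caller is."""

    def __init__(self, app, audience, admins, verifier=default_verifier, prefix="/admin"):
        self.app, self.audience, self.prefix = app, audience, prefix.rstrip("/")
        self.admins = {a.lower() for a in admins}  # allowlist replaces the old owner check
        self.verifier = verifier

    def caller_email(self, environ) -> Optional[str]:
        token = environ.get("HTTP_X_GOOG_IAP_JWT_ASSERTION")
        if not token:
            return None
        try:
            claims = self.verifier(token, self.audience)
        except ValueError:  # bad signature, wrong audience, expired, malformed
            return None
        if claims.get("iss") != IAP_ISSUER:
            return None
        return (claims.get("email") or "").lower() or None

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if path == self.prefix or path.startswith(self.prefix + "/"):
            email = self.caller_email(environ)
            if email is None:  # fail closed: no verified identity, no admin page
                start_response("401 Unauthorized", [("Content-Type", "text/plain")])
                return [b"IAP identity required\n"]
            if email not in self.admins:
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"not an administrator\n"]
        return self.app(environ, start_response)
```

A Flask app is wrapped with `app.wsgi_app = AdminGate(app.wsgi_app, audience, admins)`; for App Engine the IAP audience has the form `/projects/PROJECT_NUMBER/apps/PROJECT_ID`, as given in the IAP signed-headers documentation.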