App Engine and Bigquery Authentication

We would like to implement an analytical tool using the services BigQuery and Cloud Storage. The tool must run in App Engine and expose a REST interface so that all requests go through this interface and are subsequently redirected to BigQuery. Access authorization for BigQuery must be based on the App Engine service account (App Identity API). However, we also need to authenticate the clients of the tool. The client is always another application or service, so OAuth 2.0 with web browser authentication is not acceptable to us. Is there any way we can implement this authentication and somehow associate it with the BigQuery / Cloud Storage ACLs?

Consider the situation as follows. A customer has been provided with a Google account in our domain. It sends a request to our REST interface and provides credentials (email address and password) along with other details. The tool authenticates the client and sends a request on its behalf to BigQuery (or Cloud Storage). If the client tries to access a dataset (BigQuery) or bucket / object (Cloud Storage) without the correct permission (set using the BigQuery / Cloud Storage ACL), access is denied.

1 answer

I think we all need more details for this. How do you issue credentials to customers? Do you expect customer operators to hold a username / password in your domain to authenticate the client to your service?

One option might be to give the client an OAuth 2.0 refresh token, which they put in their application configuration (securely) or load automatically when the application starts. Refresh tokens are valid indefinitely unless revoked.

Then pass the OAuth 2.0 refresh token straight through the App Engine application to BigQuery / Google Cloud Storage. All ACLs (which client has permission for what) can then be handled natively in Cloud Storage / BigQuery.

You can also have them obtain the tokens themselves in a web browser, provided that they have credentials. They will need to do this only once when setting up the application, and the token will be saved by the application. For more information, see the OAuth 2.0 usage guide for installed applications: https://developers.google.com/accounts/docs/OAuth2InstalledApp

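The pass-through flow the answer describes, as an added example that is not part of the original answer or of any Google library: the App Engine REST handler receives the client's long-lived refresh token, exchanges it at Google's OAuth 2.0 token endpoint for a short-lived access token, and forwards the BigQuery request with that token as the bearer, so BigQuery's own ACLs decide whether the client may read the dataset. The App Engine service account is never used for the client's data access, which is what keeps the ACL decision in BigQuery. The `client_id` / `client_secret` values, the `fake_google` transport and the `restricted_ds` dataset name are constructed for the demo; the token and BigQuery `jobs.query` URLs are Google's public ones.

```python
"""Forward a client's OAuth 2.0 refresh token through an App Engine REST
front end to BigQuery, so BigQuery (not the front end) enforces ACLs.

Added illustration, not code from the original post. The `post` parameter
is an injectable HTTP transport so the module can be exercised offline."""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
BIGQUERY_API = "https://bigquery.googleapis.com/bigquery/v2"


def build_refresh_request(client_id, client_secret, refresh_token):
    """Form fields for the refresh-token grant (RFC 6749, section 6)."""
    return {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }


def _urllib_post(url, headers, body):
    """Default transport: POST and return (status, body_text)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def exchange_refresh_token(refresh_token, client_id, client_secret, post=_urllib_post):
    """Turn the refresh token stored in the client's config into a short-lived
    access token. Raises PermissionError if Google rejects the grant, which is
    what a revoked refresh token looks like to the front end."""
    body = urllib.parse.urlencode(
        build_refresh_request(client_id, client_secret, refresh_token)).encode()
    status, text = post(TOKEN_ENDPOINT,
                        {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200:
        raise PermissionError("refresh token rejected: %s" % text)
    return json.loads(text)["access_token"]


def forward_query(project_id, sql, access_token, post=_urllib_post):
    """Run `sql` as the client: the bearer is the client's access token, not the
    App Engine service account. BigQuery answers 403 when the client's Google
    account lacks access to the referenced dataset; that status is returned to
    the caller unchanged so the ACL decision stays with BigQuery."""
    url = "%s/projects/%s/queries" % (BIGQUERY_API, urllib.parse.quote(project_id))
    headers = {"Authorization": "Bearer " + access_token,
               "Content-Type": "application/json"}
    payload = json.dumps({"query": sql, "useLegacySql": False}).encode()
    status, text = post(url, headers, payload)
    return status, (json.loads(text) if text else {})


def handle_client_request(refresh_token, project_id, sql, client_id, client_secret,
                          post=_urllib_post):
    """Core of the REST handler: exchange, then forward. Returns (status, body)."""
    try:
        token = exchange_refresh_token(refresh_token, client_id, client_secret, post)
    except PermissionError as err:
        return 401, {"error": str(err)}
    return forward_query(project_id, sql, token, post)


def fake_google(url, headers, body):
    """Constructed stand-in for Google's endpoints, used only for the demo:
    one valid refresh token, one dataset the client is not allowed to read."""
    if url == TOKEN_ENDPOINT:
        fields = urllib.parse.parse_qs(body.decode())
        if fields.get("refresh_token") == ["rt-valid"]:
            return 200, json.dumps({"access_token": "at-123", "expires_in": 3599})
        return 400, json.dumps({"error": "invalid_grant"})
    if url.endswith("/queries"):
        if headers.get("Authorization") != "Bearer at-123":
            return 401, json.dumps({"error": {"code": 401}})
        if "restricted_ds" in json.loads(body)["query"]:
            return 403, json.dumps({"error": {"code": 403, "message": "Access Denied"}})
        return 200, json.dumps({"jobComplete": True, "totalRows": "1"})
    return 404, ""


if __name__ == "__main__":
    for rt, sql in [("rt-valid", "SELECT 1"),
                    ("rt-valid", "SELECT * FROM restricted_ds.t"),
                    ("rt-revoked", "SELECT 1")]:
        print(rt, sql, "->", handle_client_request(rt, "demo-project", sql,
                                                   "cid", "secret", fake_google)[0])
```

The front end deliberately returns BigQuery's 403 unchanged and maps a failed token exchange to 401, so a client can tell "your refresh token is no longer valid" apart from "you are authenticated but this dataset is not shared with you"; both decisions are made by Google, and the App Engine code holds no ACL of its own.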

Source: https://habr.com/ru/post/1440860/

