Drive Management Tool - Step 2 - user drive scanning
Step 2
Following on from step 1, with the list of suspended users with mydrive-shared-action of "scan":
- cap number of users to change (setting in configuration)
- for each user:
  - impersonate that user
  - scan their files for sharing permissions
  - set mydrive-shared-filecount to number of shared file permissions found
  - if none found:
    - set mydrive-shared-result to "clean"
    - set
  - else:
    - copy shared permissions to a "ucam-shared-permissions-{datetime}.yaml" file in user's mydrive
    - remove shared permissions
    - set mydrive-shared-result to "removed"
  - clear mydrive-shared-action
Impersonation
Impersonation is performed by adding with_subject() to the Google credentials loaded from file with service_account.Credentials.from_service_account_file(). This happens before building an API client with discovery.build().
The user/group sync tool impersonates the admin user from the configuration file (e.g. lookup-sync-admin@cam.ac.uk in production). This is needed to update, suspend, restore, delete and undelete users, and change group and licensing settings. It is also needed to update the customSchema properties of the user. This cannot be done when impersonating the user themselves.
All file scanning, writing and permission removal and restoration must be done while impersonating the user owning the drive.
Thus this drive tool will need to authenticate to the admin directory API impersonating the admin user to read and update the customSchema of a user. It will also need to (re)authenticate to the drive API, impersonating each user whose MyDrive it needs to scan, and build a client for each.
Scopes
Reading drive permissions requires “https://www.googleapis.com/auth/drive.metadata.readonly” scope but writing files or changing permissions requires the more powerful “https://www.googleapis.com/auth/drive” scope. The tool should use the read-only scope when in dry-run mode.
File scanning
Ref: Google Drive API
After building a client (ds = discovery.build('drive', 'v3')) with the service account credentials scoped using with_scopes() and with_subject(user), this client’s functions can be used to:
- list the files of a person - ds.files().list()
- delete permissions - ds.permissions().delete()
- write a new file - ds.files().create()
Files that are shared by the user can be filtered by a query of “trashed = false and 'me' in owners” then further filtering on the result with the boolean shared property.
Ask @rjg21 for a code snippet if needed.