Drive Management Tool - Step 2 - user drive scanning

Step 2

Following on from step 1, with the list of suspended users with mydrive-shared-action of "scan":

  • cap number of users to change (setting in configuration)
  • for each user:
    • impersonate that user
    • scan their files for sharing permissions
    • set mydrive-shared-filecount to the number of shared file permissions found
    • if none found:
      • set mydrive-shared-result to "clean"
    • else:
      • copy shared permissions to a "ucam-shared-permissions-{datetime}.yaml" file in user's mydrive
      • remove shared permissions
      • set mydrive-shared-result to "removed"
    • clear mydrive-shared-action

Impersonation

Impersonation is performed by adding with_subject() to the Google credentials loaded from file with service_account.Credentials.from_service_account_file(). This happens before building an API client with discovery.build().

The user/group sync tool impersonates the admin user from the configuration file (e.g. lookup-sync-admin@cam.ac.uk in production). This is needed to update, suspend, restore, delete and undelete users, and change group and licensing settings. It is also needed to update the customSchema properties of the user. This cannot be done when impersonating the user themselves.

All file scanning, writing and permission removal and restoration must be done while impersonating the user owning the drive.

Thus this drive tool will need to authenticate to the admin directory API while impersonating the admin user in order to read and update the customSchema of a user. It will also need to (re)authenticate to the drive API, impersonating each user whose MyDrive it needs to scan and building a client each time.

Scopes

Reading drive permissions requires “https://www.googleapis.com/auth/drive.metadata.readonly” scope but writing files or changing permissions requires the more powerful “https://www.googleapis.com/auth/drive” scope. The tool should use the read-only scope when in dry-run mode.

File scanning

Ref: Google Drive API

After building a client (ds = discovery.build('drive', 'v3')) from the service account credentials with with_scopes() and with_subject(user) applied, this client’s functions can be used to:

  • list the files of a person - ds.files().list()
  • delete permissions - ds.permissions().delete()
  • write a new file - ds.files().create()

Files that are shared by the user can be filtered by a query of “trashed = false and 'me' in owners” then further filtering on the result with the boolean shared property.

Ask @rjg21 for a code snippet if needed.
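
A sketch of the impersonation, scope selection and file scanning described above, as an added example that is not the project's own code or the snippet mentioned above. The names drive_scopes, build_drive_client, scan_shared and shared_filecount are hypothetical, and treating every non-owner permission as "shared" is an assumption.

```python
READONLY_SCOPE = "https://www.googleapis.com/auth/drive.metadata.readonly"
FULL_SCOPE = "https://www.googleapis.com/auth/drive"
SHARED_QUERY = "trashed = false and 'me' in owners"
FIELDS = ("nextPageToken, "
          "files(id, name, shared, permissions(id, type, role, emailAddress))")


def drive_scopes(dry_run):
    """Dry-run only reads metadata, so it never holds the write-capable scope."""
    return [READONLY_SCOPE] if dry_run else [FULL_SCOPE]


def build_drive_client(sa_file, user, dry_run=True):
    """Build a Drive v3 client impersonating `user`, the owner of the MyDrive."""
    # Imported lazily so the scanning logic can be tested without Google libraries.
    from google.oauth2 import service_account
    from googleapiclient import discovery

    creds = service_account.Credentials.from_service_account_file(sa_file)
    creds = creds.with_scopes(drive_scopes(dry_run)).with_subject(user)
    return discovery.build("drive", "v3", credentials=creds)


def scan_shared(ds):
    """Return [(file, [permission, ...])] for every shared file the user owns."""
    found, token = [], None
    while True:
        # Follow nextPageToken until the listing is exhausted.
        page = ds.files().list(
            q=SHARED_QUERY, fields=FIELDS, pageToken=token
        ).execute()
        for f in page.get("files", []):
            if not f.get("shared"):
                continue
            # Assumption: the owner's own permission is not a "shared" one.
            perms = [p for p in f.get("permissions", [])
                     if p.get("role") != "owner"]
            if perms:
                found.append((f, perms))
        token = page.get("nextPageToken")
        if not token:
            return found


def shared_filecount(found):
    """Value for mydrive-shared-filecount: number of shared permissions found."""
    return sum(len(perms) for _, perms in found)
```
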

Edited by Robin Goodall