DataBiosphere / firecloud-app


GAWB-3292: Remove Drive + Sheets scopes from FC #31

Closed irosenbe closed 6 years ago

irosenbe commented 6 years ago

We are scaring users - including some of our Google/BVDP collaborators - by asking for Google Drive/Google Sheets scopes under certain conditions. I believe this only happens when end users are asked to regenerate their refresh token ("offline credentials").

Within FC, we only use Drive/Sheets APIs for a very specific purpose: updating the free credits spreadsheet that we use to track spend and projects with Onix.

We never ask end users for this scope in their access tokens, unless that end user is a campaign manager intentionally updating the spreadsheet via an API call/swagger. In fact, Ilyana is the only person actively updating this spreadsheet. However, since the APIs are enabled in Google for the FireCloud app as a whole, users see them when regenerating refresh tokens.

Acceptance criteria:

end users are never asked for Drive/Sheets scopes at any time ever

Implementation thoughts:

This will require some research/experimentation to see under what conditions users are asked for the scopes. Do we need to disable those APIs entirely for the app? Do we need to just never ask for them in swagger? If the APIs are disabled in Google console for the app, can we still use them programmatically?

I've been unable to determine exactly what triggers this warning. When I revoke my own refresh token using https://rawls.dsde-dev.broadinstitute.org/#!/admin/admin_delete_refresh_token, then reload the UI and follow its prompt to generate a new refresh token, I do not get asked for the additional scopes. I only get asked for the scopes at https://github.com/broadinstitute/firecloud-ui/blob/develop/src/cljs/main/broadfcui/auth.cljs#L28.

We currently make the Drive/Sheets calls as the end user (e.g. Kendra). If we switch to using a service account to make the calls, does it help? Can a service account update the spreadsheet?

Can we have FireCloud output json (like most other APIs), then have a standalone script that executes outside of FireCloud read that json and update the spreadsheet?

Finally, whatever solution we implement should be automatable - see GAWB-3160 (in QA).

User feedback:

A user said, "I got a banner message today when I logged into FC saying my offline credentials are missing or out of date. I went to refresh it seems that FC is asking for permissions it shouldn't need ... can someone tell me why it needs to be able to manage files on my Google Drive? ([other user] does not get this level of access request when he goes to refresh - his just wants permissions to manage Google Cloud Storage, Billing Accounts and Compute Engine Resources, which are clearly legitimate.)"

and supplied this screenshot: unnamed.png

Link to GAWB ticket: https://broadinstitute.atlassian.net/browse/GAWB-3292

Blocked by: GAWB-3366 Sam: Endpoint to get access token for user pet service account needs to be completed first (https://broadinstitute.atlassian.net/browse/GAWB-3366)
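The acceptance criterion above can be checked mechanically. The following is an added example, not part of the original issue or the FireCloud code base: it audits an OAuth 2.0 authorization URL, or the space-delimited `scope` string of a token response, for Drive/Sheets scopes. The function names, the placeholder client ID and both sample URLs are constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Scope families the issue says end users must never be asked for.
FORBIDDEN_PREFIXES = (
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/spreadsheets",
)


def is_forbidden(scope: str) -> bool:
    """True for a Drive/Sheets scope or a dotted variant such as drive.file."""
    s = scope.strip()
    return any(s == p or s.startswith(p + ".") for p in FORBIDDEN_PREFIXES)


def scopes_in_auth_url(url: str) -> list[str]:
    """Return the scopes requested by an OAuth 2.0 authorization URL."""
    query = parse_qs(urlsplit(url).query)
    # parse_qs decodes '+' and %20 to spaces; repeated scope params are merged.
    return [s for value in query.get("scope", []) for s in value.split()]


def forbidden_scopes(scopes) -> list[str]:
    """Sorted, de-duplicated Drive/Sheets scopes found in an iterable of scopes."""
    return sorted({s for s in scopes if is_forbidden(s)})


def _sample_url(scopes: list[str]) -> str:
    # Constructed sample request; the client_id is a placeholder.
    params = {
        "client_id": "PLACEHOLDER.apps.googleusercontent.com",
        "response_type": "code",
        "access_type": "offline",
        "scope": " ".join(scopes),
    }
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params)


BASE = [
    "email",
    "profile",
    "https://www.googleapis.com/auth/devstorage.full_control",
    "https://www.googleapis.com/auth/cloud-billing",
    "https://www.googleapis.com/auth/compute",
]
CLEAN_URL = _sample_url(BASE)
NOISY_URL = _sample_url(BASE + [FORBIDDEN_PREFIXES[1], FORBIDDEN_PREFIXES[0]])

if __name__ == "__main__":
    for name, url in (("clean", CLEAN_URL), ("noisy", NOISY_URL)):
        print(name, forbidden_scopes(scopes_in_auth_url(url)))
```

The same `forbidden_scopes` call works on the `scope` field returned with a token, e.g. `forbidden_scopes(granted.split())`, so both the consent request and the resulting grant can be checked.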

davidangb commented 6 years ago

This issue is fixed as a result of the work for #23.