Issue 917 in google-api-java-client: Only require a context-sensitive subset of permissions for Service Accounts


google-api-...@googlecode.com

Nov 14, 2014, 1:54:21 PM
to google-api-jav...@googlegroups.com
Status: New
Owner: wonder...@google.com
Labels: Type-Enhancement Priority-Medium

New issue 917 by hurlin...@googlemail.com: Only require a context-sensitive
subset of permissions for Service Accounts
https://code.google.com/p/google-api-java-client/issues/detail?id=917

External references, such as a standards document, or specification?

https://developers.google.com/android-publisher/edits/

Java environments (e.g. Java 6, Android 2.3, App Engine, or All)?

All

Please describe the feature requested.

The current way of editing a Play Store entry with the Google Play
Developer API requires an admin to grant four permissions simultaneously:

* Edit store listing, pricing & distribution
* Manage Production APKs
* Manage Alpha & Beta APKs
* Manage Alpha & Beta Users

as those resources MAY be changed by the incoming Edit. However, it would
be much more secure to only require those permissions that are actually
touched by the incoming Edit. For example, if we know we only ever upload
to the alpha track we could create a service account with only that one
permission. Especially, since there already are permissions like that.


google-api-...@googlecode.com

Nov 14, 2014, 4:56:22 PM
to google-api-jav...@googlegroups.com

Comment #1 on issue 917 by zac.swe...@gmail.com: Only require a
context-sensitive subset of permissions for Service Accounts
https://code.google.com/p/google-api-java-client/issues/detail?id=917

+1 for this. We have an app that has 100m+ installs, so granting access to
the Play Store in any form is done with extreme caution.

Using our case as a specific example:

We plan to use a separate listing on the Play Store for distributing
internal betas within the company. This would only exist on that listing's
alpha channel, and we would manage alpha user access to it via the console
only.

Ideally, we would like to only have to grant permission to upload
alpha/beta builds and to update listings. Due to this broad requirement for
the API however, we also *have* to give it permission to upload production
builds and manage alpha/beta users.

google-api-...@googlecode.com

Nov 20, 2014, 1:57:09 PM
to google-api-jav...@googlegroups.com

Comment #2 on issue 917 by wonder...@google.com: Only require a
context-sensitive subset of permissions for Service Accounts
https://code.google.com/p/google-api-java-client/issues/detail?id=917

Thanks for the feedback. We'll try to get this resolved at our earliest.

google-api-...@googlecode.com

Dec 29, 2014, 11:53:56 AM
to google-api-jav...@googlegroups.com

Comment #3 on issue 917 by wonder...@google.com: Only require a
context-sensitive subset of permissions for Service Accounts
https://code.google.com/p/google-api-java-client/issues/detail?id=917

Here's the response from Google Play Developer Support, I hope this helps.

Thanks for contacting Google Play Developer Support.

Currently, we require all API users accounts to have both "Manage Alpha &
Beta APKs" and "Manage Production APKs" permissions in order to upload and
commit (publish) APKs through the API to any track (Alpha, Beta or
Production). We are aware this enables API users to publish APKs to
Production and are currently working to improve user access behavior. I
apologize for any inconvenience this may cause.

As a workaround, if you wish to restrict user access to publishing only
Alpha and Beta APKs, we recommend using a build server with a service
account, which will allow you to control access to what can be pushed to
the build server.

If you have any further questions, please let me know.
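
The build-server workaround from the support reply above, sketched as an added example that is not part of the thread or of the Google API client: because the service account must hold all of the permissions, a fail-closed gate on the build server decides which tracks a job may publish to. The package names, the policy and the `upload` callable (a stand-in for the real publishing call) are assumptions made for illustration.

```python
# Added example: a fail-closed track gate a build server could run before it
# touches the service-account credentials. All names here are hypothetical.
from dataclasses import dataclass, field

KNOWN_TRACKS = {"alpha", "beta", "production"}

# Constructed policy: package name -> tracks the build server may publish to.
POLICY = {
    "com.example.internal": {"alpha"},
    "com.example.app": {"alpha", "beta"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class PublishGate:
    policy: dict
    audit_log: list = field(default_factory=list)

    def check(self, requester: str, package: str, track: str) -> Decision:
        """Decide whether a publish request is permitted; deny by default."""
        track_norm = track.strip().lower()
        if track_norm not in KNOWN_TRACKS:
            decision = Decision(False, "unknown track")
        elif package not in self.policy:
            decision = Decision(False, "package not in policy")
        elif track_norm not in self.policy[package]:
            decision = Decision(False, f"track '{track_norm}' not permitted")
        else:
            decision = Decision(True, "permitted by policy")
        # Record every decision, including denials, for later review.
        self.audit_log.append(
            (requester, package, track_norm, decision.allowed, decision.reason)
        )
        return decision

    def publish(self, requester, package, track, upload):
        """Call upload(package, track) only if the gate permits the request."""
        decision = self.check(requester, package, track)
        if not decision.allowed:
            raise PermissionError(decision.reason)
        return upload(package, track.strip().lower())
```

The gate only helps if the service-account key is readable by the gate process alone, so that build jobs cannot call the API around it.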

google-api-...@googlecode.com

Dec 29, 2014, 12:27:35 PM
to google-api-jav...@googlegroups.com

Comment #4 on issue 917 by zac.swe...@gmail.com: Only require a
context-sensitive subset of permissions for Service Accounts
https://code.google.com/p/google-api-java-client/issues/detail?id=917

Thank you for the update and for looking into it. The build server is a
decent solution, but not a particularly convenient one. Hopefully they
change this requirement soon!

google-api-...@googlecode.com

Dec 29, 2014, 2:08:04 PM
to google-api-jav...@googlegroups.com
Updates:
Status: Done

Comment #5 on issue 917 by wonder...@google.com: Only require a
context-sensitive subset of permissions for Service Accounts
https://code.google.com/p/google-api-java-client/issues/detail?id=917

(No comment was entered for this change.)

google-api-...@googlecode.com

Jan 2, 2015, 10:08:08 AM
to google-api-jav...@googlegroups.com

Comment #6 on issue 917 by wonder...@google.com: Only require a
context-sensitive subset of permissions for Service Accounts
https://code.google.com/p/google-api-java-client/issues/detail?id=917

Just an FYI, you can contact the Developer Console Help Center located at
https://support.google.com/googleplay/android-developer/?hl=en#topic=3450769
for Google Play Developer API related questions. Engineers from that team
will assist you directly.