SDC with background process on GAE


Vincent A.

Apr 26, 2012, 6:13:24 AM
to googl...@googlegroups.com
Hi,

I would like to use SDC to access private data from a process running on App Engine on a cron basis.
As far as I understand, a user must be authenticated to access the intranet via SDC, and as my process is launched in the background via cron, I have no user connected ...
So, is it possible to use SDC via an authentication of type OAuth using a key and secret?
Is there any other way to achieve this?

thanks
Vincent

Joel Tello

May 28, 2012, 4:25:16 PM
to google-secure-data-connector
Hi, I have exactly the same problem. I've tried a lot of solutions but
no luck... Did you get something?

The last thing that I tried was this post
http://blog.lazyhacker.com/2009/12/programmatically-authenticating-to.html
but it doesn't work...

Vincent A.

May 29, 2012, 3:53:02 AM
to googl...@googlegroups.com
Hi,
no answer at all !!
Google SDC team, are you there ... ?
please help 
regards

Eric Pollmann

May 29, 2012, 11:57:09 AM
to googl...@googlegroups.com
Hello Vincent and Joel,

Sorry to say, but we do not currently support this feature.  We're developing support for it but don't yet have a timeline for when it is expected to go live.

-Eric

--
You received this message because you are subscribed to the Google Groups "enterprise-data-questions" group.
To post to this group, send email to enterprise-d...@google.com.
To unsubscribe from this group, send email to enterprise-data-qu...@google.com.
For more options, visit this group at http://groups.google.com/a/google.com/group/enterprise-data-questions/?hl=en.

Vincent A.

May 29, 2012, 12:21:11 PM
to googl...@googlegroups.com
Hi Eric,
thanks for the answer, even if ... 
I'm also a little bit worried about the multiple outages in the past,  what about SDC reliability ?
regards

Eric Pollmann

Jun 1, 2012, 6:27:44 PM
to googl...@googlegroups.com, vincent...@gmail.com
Hi Vincent,

Can you tell us a bit more about your use case and what kind of reliability concerns you may have?

SDC reliability is a major goal for the team over the coming quarter or so.  We've made a couple significant improvements, and have a couple more in the pipeline, but it probably makes the most sense to get a better understanding of your use case.

Thanks,
-Eric

Vincent A.

Jun 4, 2012, 6:08:17 AM
to googl...@googlegroups.com, vincent...@gmail.com
Hi Eric,

I'm building an integration app between GApps and our legacy CRM / DMS.
For example, this app will give us the possibility to save a mail directly from Gmail (contextual widget) to our CRM via SDC.
To assign this mail to a particular case/opportunity I need to fetch data from my legacy system via SDC, and as most of this data is shared between my company's users, I would like to be able to fetch/cache it on GAE via a background process ... that's why I need the "not logged" SDC feature (it would also be useful to monitor SDC and send alerts automatically if the connectivity is broken).
In the future, it is not impossible that I deploy this app as a SaaS app on the marketplace, that's why I ask about the SDC reliability ...

regards,
Vincent

Eric Pollmann

Jul 2, 2012, 4:16:10 PM
to googl...@googlegroups.com
Hi,

An update on this topic:

We don't currently officially support this feature.  However, we are developing support for it and there's a way to try it out on an experimental basis.  As an experimental feature, it's not documented in the official SDC docs.  We plan on adding this feature in the future, but as it is experimental, we can't guarantee that it will be added, or that it will retain the present form.

Before trying it out there are a few important security notes:
 - You are enabling access to your resource with no authentication.  This means that incoming requests will not be checked to verify that they come from an authenticated user.  You must take precautions to ensure that no unexpected access is enabled by turning on this feature.
 - Carefully look at the entire rule definition to make sure that the level of unauthenticated access is appropriate for the resource. You can restrict access to only a specific set of AppEngine IDs, for example, or only applications within your domain (<allowOutsideDomainAccess>false</allowOutsideDomainAccess>).
 - Do NOT combine this feature with <allowAnyAppId>true</allowAnyAppId> unless you want ALL App Engine Apps written by any author to have unrestricted access to your resource.

Here's how to use it.  In your resourceRules.xml file, add this to the rule definition:

   <allowAnonymousAccess>true</allowAnonymousAccess>

A fuller example:

<resourceRules>
  <rule repeatable="true">
    <ruleNum>1</ruleNum>
    <agentId>agentId1</agentId>
    <allowDomainViewers>true</allowDomainViewers>
    <allowOutsideDomainAccess>false</allowOutsideDomainAccess>
    <allowAnonymousAccess>true</allowAnonymousAccess>
    <apps repeatable="true">
      <container>AppEngine</container>
      <appId>REPLACE-WITH-APPID</appId>
    </apps>
    <url>REPLACE-WITH-URL</url> 
    <urlMatch>HOSTPORT</urlMatch>
  </rule>
</resourceRules>

Please let us know if this works for you or not, we'd love to get feedback on it!

Thank you,
-Eric Pollmann
 SDC Engineer
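
The security notes in the message above can be turned into a pre-deployment check on resourceRules.xml. The following is an added example, not code from the SDC project or from any poster; the function names, finding strings and sample rules are constructed for illustration, with placeholder appId and url values.

```python
import xml.etree.ElementTree as ET

# Constructed sample: rule 1 has the restricted shape, rule 2 combines the
# settings the security notes warn about. appId and url are placeholders.
SAMPLE_RULES = """<resourceRules>
  <rule repeatable="true">
    <ruleNum>1</ruleNum>
    <allowOutsideDomainAccess>false</allowOutsideDomainAccess>
    <allowAnonymousAccess>true</allowAnonymousAccess>
    <apps repeatable="true">
      <container>AppEngine</container>
      <appId>example-app-id</appId>
    </apps>
    <url>http://intranet.example:8080</url>
  </rule>
  <rule repeatable="true">
    <ruleNum>2</ruleNum>
    <allowOutsideDomainAccess>true</allowOutsideDomainAccess>
    <allowAnonymousAccess>true</allowAnonymousAccess>
    <apps repeatable="true">
      <container>AppEngine</container>
      <allowAnyAppId>true</allowAnyAppId>
    </apps>
  </rule>
</resourceRules>"""


def _flag(elem, tag):
    """True when child element <tag> holds the text 'true' (case-insensitive)."""
    return (elem.findtext(tag) or "").strip().lower() == "true"


def audit_rules(xml_text):
    """Return (ruleNum, finding) pairs for rules that allow anonymous access."""
    findings = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        if not _flag(rule, "allowAnonymousAccess"):
            continue  # rules that still require a logged-in user are skipped
        num = (rule.findtext("ruleNum") or "?").strip()
        apps = rule.findall("apps")
        if any(_flag(a, "allowAnyAppId") for a in apps):
            findings.append((num, "anonymous + allowAnyAppId"))
        elif not any((a.findtext("appId") or "").strip() for a in apps):
            findings.append((num, "anonymous without an appId restriction"))
        if _flag(rule, "allowOutsideDomainAccess"):
            findings.append((num, "anonymous + allowOutsideDomainAccess"))
    return findings


if __name__ == "__main__":
    for num, finding in audit_rules(SAMPLE_RULES):
        print("rule %s: %s" % (num, finding))
```

Running it on the sample reports two findings for rule 2 and none for rule 1.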

Joel Tello

Jul 4, 2012, 1:47:11 PM
to googl...@googlegroups.com
Hi Eric, 

I already tried your solution but it didn't work. I'm getting the same error as before. This is the piece of code that is giving the exception:

from google.appengine.api import urlfetch
urlfetch.fetch(url=url, headers={'use_intranet': 'yes'}, deadline=60)

And this is the exception:

<class 'google.appengine.api.urlfetch_errors.DownloadError'>, DownloadError('ApplicationError: 2 ',), <traceback object at 0x10b926c0>

If I add a debug parameter to my url (X-secureDataConnectorDebug=text) I get this:

request_url : my_resource_url
request_service : AppEngine
request_appId : myAppID
request_requestId : (Id = xxxxxxxxx)
sdc_routing : Internet
sdc_anonymous_user : true
sdc_internet_routing : USER_NOT_LOGGED_IN
response_sdc_status : ok
response_content_size : 0

Do I need to install a new SDC client version on my server?


Regards!

vincent

Jul 6, 2012, 4:26:41 PM
to googl...@googlegroups.com
Hi guys,
thanks for the feature ... I will test it asap !
regards
@federevo

Dexter Legaspi

Jul 11, 2012, 1:07:54 PM
to googl...@googlegroups.com

I tried this and it doesn't work for us.

Vincent A.

Jul 15, 2012, 10:26:34 AM
to googl...@googlegroups.com
Hi Eric,

I also tried this unofficial feature without any success ...

I have probably not understood everything, but for me, there is something magic with this feature ;-)
As far as I understand, when a user is logged in with their GApps account to an app deployed on GAE, you are able to easily find the corresponding GApps domain and forward intranet requests to the channels created by SDC agents connected to this domain.
But what happens when the user is not logged in to this app ... as the app deployed on GAE is not linked to a specific domain, I don't see how you can determine the SDC channel to send requests to ???

Thanks in advance for your answer.
Vincent 
@federevo

Please find here the test details ...
Answer when not logged (ie: cron) --> ERROR
Hello, cron
Fetching your data from url=http://www.google.com with debug=X-secureDataConnectorDebug=text
URL = http://www.google.com?X-secureDataConnectorDebug=text
Response Code: 200
request_url : http://www.google.com?X-secureDataConnectorDebug=text
request_service : AppEngine
request_appId : s~f-tests-openid
request_requestId : (Id = 776299b009eb8bb3)
sdc_routing : Internet
sdc_anonymous_user : true
sdc_internet_routing : USER_NOT_LOGGED_IN
response_sdc_status : ERROR[7]: Error in fetching this resource from the Internet.

Answer when logged --> OK
Hello, admin@mydomain.com
Fetching your data from url=http://www.google.com with debug=X-secureDataConnectorDebug=text
URL = http://www.google.com?X-secureDataConnectorDebug=text
Response Code: 200
request_user : ad...@mydomain.com
request_sdc_agent_domain : mydomain.com
request_url : http://www.google.com?X-secureDataConnectorDebug=text
request_service : AppEngine
request_appId : s~f-tests-openid
request_requestId : (Id = c9085c8fb780c3f6)
sdc_matched_rule_agentId : f-sdc-agent
sdc_matched_rule_ruleNum : 1
sdc_routing : SDC
sdc_internet_routing : TO_WOODSTOCK
response_sdc_status : ok
response_latency : 2647
response_content_size : 12388

Env:
App http://f-tests-openid.appspot.com/ deployed on GAE 
SDC v1.3rc2

localConfig
<entity>
  <sdcServerHost>apps-secure-data-connector.google.com</sdcServerHost>
  <sdcServerPort>443</sdcServerPort>
  <domain>mydomain.com</domain>
  <user>secure-data-connector-user</user>
  <password>mysdcUserPassword</password>
  <agentId>f-sdc-agent</agentId>
  <socksServerPort>1080</socksServerPort>
  <healthCheckGadgetUsers></healthCheckGadgetUsers>
</entity>

resourcesRules.xml
<resourceRules>
  <rule repeatable="true">
    <ruleNum>1</ruleNum>
    <agentId>all</agentId>
    <allowDomainViewers>true</allowDomainViewers>
    <allowOutsideDomainAccess>true</allowOutsideDomainAccess>
    <allowAnonymousAccess>true</allowAnonymousAccess>
    <apps repeatable="true">
      <container>AppEngine</container>
      <allowAnyAppId>true</allowAnyAppId>
    </apps>
    <urlMatch>HOSTPORT</urlMatch>
  </rule>
</resourceRules>
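
The debug outputs quoted in this thread show an HTTP 200, and in one case response_sdc_status "ok", even when the request never went through SDC, so a background job has to look at sdc_routing itself. The following is an added example, not code from any poster or from the SDC project; the field meanings are inferred only from the outputs in this thread, and the sample strings and function names are constructed.

```python
# Constructed samples, shaped like the debug outputs quoted in the thread.
ANON_SAMPLE = """request_url : http://www.google.com?X-secureDataConnectorDebug=text
request_service : AppEngine
sdc_routing : Internet
sdc_anonymous_user : true
sdc_internet_routing : USER_NOT_LOGGED_IN
response_sdc_status : ERROR[7]: Error in fetching this resource from the Internet."""

ANON_OK_SAMPLE = """sdc_routing : Internet
sdc_internet_routing : USER_NOT_LOGGED_IN
response_sdc_status : ok
response_content_size : 0"""

LOGGED_IN_SAMPLE = """request_user : user@example.com
sdc_matched_rule_agentId : example-agent
sdc_matched_rule_ruleNum : 1
sdc_routing : SDC
response_sdc_status : ok"""


def parse_debug(text):
    """Parse 'key : value' lines; split on the first ' : ' only, because
    values such as URLs and 'ERROR[7]: ...' contain colons of their own."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def routing_verdict(fields):
    """Classify one response using only the fields seen in the samples."""
    status = fields.get("response_sdc_status", "")
    if fields.get("sdc_routing") == "SDC" and status == "ok":
        return "via-sdc rule=%s" % fields.get("sdc_matched_rule_ruleNum", "?")
    if fields.get("sdc_routing") == "Internet":
        reason = fields.get("sdc_internet_routing", "unknown")
        # Status alone is not enough: it can be "ok" with Internet routing.
        return "not-via-sdc reason=%s status=%s" % (reason, status.split(":")[0])
    return "unknown"


if __name__ == "__main__":
    for sample in (ANON_SAMPLE, ANON_OK_SAMPLE, LOGGED_IN_SAMPLE):
        print(routing_verdict(parse_debug(sample)))
```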

mike__t

Jul 17, 2012, 11:57:10 AM
to googl...@googlegroups.com
The methods posted in here do not work. All requests still return with error7 not logged in!!! You would think cron jobs would have an agent account or something like that to login under.

Eric Pollmann

Jul 17, 2012, 1:44:21 PM
to googl...@googlegroups.com
Hi,

Thank you all for the feedback and giving this a shot.  I will look into why this experimental feature isn't working externally and let you know what I find.

-Eric


Vincent A.

Jul 26, 2012, 2:58:13 AM
to googl...@googlegroups.com, poll...@google.com
Hi Eric,

any news ?

regards
vincent

Dexter Legaspi

Jul 26, 2012, 10:32:54 AM
to googl...@googlegroups.com, googl...@googlegroups.com, poll...@google.com
Yeah, also anxious about this one. I'm this close to requesting to get a firewall hole open for this... and I'd rather not do that.

-
"it's better to burn out than to fade away."
     - kurt cobain

Joel Tello

Jul 26, 2012, 11:00:29 AM
to googl...@googlegroups.com, poll...@google.com
YEAH me too Kurt, I'm planning to put some service on the DMZ but I think this will be a serious security hole! I'm really desperate!

John Del Rosario

Oct 23, 2012, 6:01:47 AM
to googl...@googlegroups.com, poll...@google.com
Hi Eric,

I'm trying the <allowAnonymousAccess> tag, but I get the same result as the others.

Any updates on the status of this feature? Any info would be great.

Thanks,
John

Suthagaran Kurusamy

Feb 27, 2013, 2:22:27 AM
to googl...@googlegroups.com, poll...@google.com
Hi Eric, 

I too am facing the same problem. Could you please help with this?
My application has nothing to do with browser interaction, it all runs in the background. So how can I authenticate with a user?

Regards,
Suthagaran.

ovidiu...@ullink.com

Nov 14, 2013, 10:07:42 AM
to googl...@googlegroups.com, poll...@google.com
Hello,

We have two types of users: internal (with Google accounts) and external (non-Google accounts).
For external users, we are handling the authentication ourselves.

All users need to be able to access a resource inside our intranet. For that we have the SDC in place.
The problem is SDC only works if a Google user is logged in, so it doesn't work for external users.

My question: is there any way I can find a workaround for this?
I tried the allowAnonymousAccess solution and it doesn't seem to work.

Creating a Google account for all external users is not an option.

Kind regards,

David C

Nov 14, 2013, 12:07:42 PM
to googl...@googlegroups.com
Hi, we are working on a replacement / alternative to SDC since Google is deprecating this product in 2015. Please contact me if you are interested.  

--
You received this message because you are subscribed to the Google Groups "google-secure-data-connector" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-sdc+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Venkat

Feb 5, 2015, 8:14:14 AM
to googl...@googlegroups.com, da...@qoriocloud.com
Hi David,

We are using Google SDC for a contextual gadget. We are planning to replace Google SDC. Can you please let me know the replacement for Google SDC?

Ray Colline

Feb 5, 2015, 1:50:43 PM
to googl...@googlegroups.com, da...@qoriocloud.com
Venkat,

If your gadget is powered by App Engine, then you can use the socket API to make an encrypted connection to your network.  You will have to make sure your internal service can be reached from the App Engine IP Ranges.

Thanks and sorry we do not have a better solution in place.
Ray



Prateek Malhotra

Feb 6, 2015, 10:03:46 AM
to googl...@googlegroups.com, da...@qoriocloud.com, ra...@google.com
There is a somewhat better option for ensuring the identity of the request. This little gem should be added as an article on the Developer AppEngine site if you ask me...

Using the App Identity API you can add another layer of verification on the requesting user. Using this in addition to the IP address filtering should give you ease of mind on the accessing user on whatever internal API you decide to create to use with this.

Thank you,
Prateek Malhotra