I have two projects Project-A and Project-B.
On Project-A I have a service account loader#project-a.iam.gserviceaccount.com which I want to use to read messages from Project-B PubSub topic.
I've created a topic subscription on Project-B projects/project-b/subscriptions/data. Then added loader#project-a.iam.gserviceaccount.com in Permissions tab as a Subscriber. I believe it should give me access.
But if I try:
TestIamPermissionsRequest iamreq = new TestIamPermissionsRequest();
iamreq.setPermissions(Arrays.asList(
"pubsub.subscriptions.consume",
"pubsub.subscriptions.get"
));
pubsub.projects().subscriptions()
.testIamPermissions(topicSubscription, iamreq).execute();
It returns empty list of permissions.
And for actual pull request:
PullRequest pull = new PullRequest();
pull.setMaxMessages(1);
pull.setReturnImmediately(true);
pubsub.projects().subscriptions().pull(topicSubsription, pull).execute();
It fails with:
com.google.api.client.googleapis.json.GoogleJsonResponseException: 403
{
"code" : 403,
"errors" : [ {
"domain" : "global",
"message" : "User not authorized to perform this action.",
"reason" : "forbidden"
} ],
"message" : "User not authorized to perform this action.",
"status" : "PERMISSION_DENIED"
}
I've double checked that service account is in Subscribers list, also tried to remove/add it again, etc. Tried with different project. It doesn't change anything.
If I have PubSub Topic Subscription and Service Account under same Cloud Project, then it works fine, for both testIamPermissions and pull requests. Does it mean that IAM Service Account cannot be used to get access to PubSub from another project?
Please note that it works fine for Storage access from other project. Which means that problem is specific only to PubSub. That's why I think I've missed something on PubSub configuration side. But what exactly?
To consume from Topic Subscription role "Subscriber" should be given to the Subscription. Unfortunately it's not possible with Cloud Console right now.
The problem was that Cloud Console is misleading, by selecting a Topic I expect to setup permissions to Topic Subscriptions also (because there're no separate UI for Topic Subscriptions after all). But it's doesn't work like this, Permissions form applies changes only to selected Topic, ignoring all existing Topic subscriptions. Basically you cannot view or edit Subscriber permissions, there're no such UI currently.
PS There're a way to do that via API, though. But it doesn't work for my situation
Related
I am trying to obtain the "Versioning" status of my Storage account using azure-sdk-for-java
// Azure environment URL is ".core.windows.net" hence used "AzureEnvironment.AZURE"
// this.clientSecretCredential ->is built using AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID
AzureProfile profile = new AzureProfile("<TENANT_ID", "<SUBSCRIPTION_ID>", AzureEnvironment.AZURE);
StorageManager manager = StorageManager.authenticate(this.clientSecretCredential, profile);
BlobServicesClient blobServicesClient = manager.serviceClient().getBlobServices();
// Exception is thrown at the following line
BlobServicePropertiesInner blobServicePropertiesInner = blobServicesClient.getServiceProperties("<RESOURCE_GROUP_NAME>", "<ACCOUNT_NAME>");
boolean versionFlag = blobServicePropertiesInner.isVersioningEnabled();
Azure configuration details:
Subscrition: "<SUBSCRIPTION_ID>" is created in the subscriptions.
Resource Group: "<RESOURCE_GROUP_NAME>" is configured with the "<SUBSCRIPTION_ID>".
Storage Accouunt: "<ACCOUNT_NAME>" is configured with the "<SUBSCRIPTION_ID>".
App Registartion: "<APP_REGISTARTION>" is created to provide the "<AZURE_CLIENT_ID>", "<AZURE_CLIENT_SECRET>", "<AZURE_TENANT_ID>"
Role Assignments: "DEVELOPER" has "Reader" access across subscriptions, resource groups, storage accounts but still I still have no idea on how the App registration is configured into the subscription
Error Message:
{
"code": "ERROR",
"message": "Status code 403, "{"error":{"code":"AuthorizationFailed","message":"The client '<APP_REGISTARTION_OBJECT_ID>' with object id '<APP_REGISTARTION_OBJECT_ID>' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/blobServices/read' over scope '/subscriptions/{"<SUBSCRIPTION_ID>"}/resourceGroups/Titaniam-Sandbox/providers/Microsoft.Storage/storageAccounts/sandboxtestaccount/blobServices/default' or the scope is invalid. If access was recently granted, please refresh your credentials."}}""
}
Kinldy let me know what is the mistake i am making whether it is a code issue or configuration issue.
Things i am need of clarification:
Is there any other way to get the "is Versioning enabled" value using azure-sdk-for-java?
How App registration is connected with subscription.
How are roles connected with App registration as well as subscription.
How to set the scope
How to add the application and how to identify the application.
Thanks in advance.
I work on chat app one to one chat and my database structure is
"rules": {
"Messages" :{
"$chatId" : {
".read": "root.child('Chat_members').child(chatId).child(auth.uid).exists()",
".write": "root.child('Chat_members').child(chatId).child(auth.uid).exists()"
}
I want to implement delete message so if user1 delete message i will hide it and display it only for user2 ,i can do this from client side but it is very inefficient way to request all data where there is for example just one message that will display for user1 how to do this from firebase rules? can I find any help?
As the documentation says security rules don't filter data. Instead you need to ensure that the client only reads the data you want to show.
I don't seen an easy way to do that to your structure without adding more data. In fact, the simplest way I can think of is to simply replicate the chat for each user and then actually delete the message from their data structure when needed.
I already have an implemented CMS system where the user creates the subscription plans.
I want to integrate my CMS server with Paypal so when the user creates a plan it will be created on Paypal servers.
I can see how to do that in https://developer.paypal.com/docs/subscriptions/integrate/
But the problem is there is no documentation for the front-end side for the subscription step ! How should i redirect the customer to Paypal to login, and how will i receive the data to send it to my server ?
Note : Since i want my user to create plans only on my CMS, there is no easier way to integrate with paypal than this : https://developer.paypal.com/docs/subscriptions/integrate/ .. right?
i don't want to use Smart Buttons so the only option i have is to integrate with APIs.. if there is any easier way please tell me.
This is a bit hidden.
When you create a subscription, its status will be set to APPROVAL_PENDING. Look for the "rel": "approve" link in the response (in links). The URL will look something like this:
https://www.paypal.com/webapps/billing/subscriptions?ba_token=xyz
This is the URL you need to redirect the customer's browser to. Once they click on "Subscribe" to approve it, PayPal will redirect their browser to the return_url value you set when you created the subscription.
PayPal adds 3 extra parameters to that return URL: subscription_id (self-explanatory), ba_token (the approval token), and token (???). At that point, you can get the subscription details from PayPal, and its status should now be "ACTIVE".
Now I just need to figure out why next_billing_time is set in the past, and why I'm not receiving the PAYMENT_SALE webhooks :)
Hope this answers your question.
I am writing a service which would store picture associated with registered email. So, other domains would have a possibility to get image of the user by email. The main goal is not to upload it each time as nowadays we have to register almost everywhere and that process is quite annoying.
My application is written on Java and I am using REST API.
For example, user's account information is available by login:
#RequestMapping(value = "/get/{login}",
method = RequestMethod.GET,
produces = MediaType.APPLICATION_JSON_VALUE)
#ResponseBody
public ResponseEntity<User> getByEmail(#PathVariable String login) {
User user = userDao.getUserByLogin(login);
return Optional.ofNullable(user)
.map(result -> new ResponseEntity<>(
result, HttpStatus.OK))
.orElse(new ResponseEntity<>(HttpStatus.NOT_FOUND));
}
And now, what i want is to send just updated data to the domains which gonna use my service. How could I figure that out? I think I could ask "domain" to provide some information in order to use my service (some king of registration), but what exactly should I ask for to be able to send data udpdates?
In my thoughts they should also provide some REST path where I could send some kind of request that something has changed.
Any help would be appreciated a lot, thanks.
This is essentially a pub-sub model . You publish some information , on various defined events , to whoever has subscribed to it . Look at this as a subset of state syncronisation of the user information across various endpoints.
In your case , the 'domains' you are referring to would be subscribers of your service and the events could be 'itemAdded' , 'itemAdded' etc. You would want to 'push' out the updates ( or whole info) to the subscribers when the event they have subscribed for occurs , instead of them trying to pull this at some frequency ( that would be a lot of waste calls to your server - you dont want that ! )
There are various solutions available that could achieve this . The one I am going to point you to is called Twilio Sync . This would obviously mean that the 'domains' would have to do some changes at their end to subscribe and consume the updates , but I dont see how else could they be regularly updated if they want information pushed.
Send last update date to the endpoint from the domain which
use it. Then check which data was updated after that date and return
appropriate response.
Talking about image, you can always return URL for download but add last update field. The service which use REST service will determine to download it or not.
Also you may need event driven messaging, publish–subscribe pattern (https://en.wikipedia.org/wiki/Publish%E2%80%93subscribe_pattern). Related threads:
How would I create an asynchronous notification system using RESTful web services?
Event Based interaction style in REST
Firebase for mobile apps: https://firebase.google.com/docs/notifications/
So I've recently been working on a server-side application which collects message lists from users, based on history id. I am doing full syncs.
Normally, I get responses like this:
{
"messages": [
{
"id": "14d9c91dbba84646",
"threadId": "14d9a7f9b36c65ae"
},
],
"nextPageToken": "14788016228466612591",
"resultSizeEstimate": 832
}
which is precisely what I get in 99% of cases. However, for some users, I get only this:
{"resultSizeEstimate":0}
with no other information. Note that this is on a full sync. I find this odd, because even on brand new email accounts, I receive the oldest information. One of the emails providing this result is an #yahoo.com email. Which in itself is not so odd, since non-gmail accounts can have OAuth credentials. However, normally when a user has no gmail inbox I instead get a 400 error with failedPrecondition. Can anybody provide some insight on this behaviour?