I am new to Google Endpoints and Datastore. I've followed several tutorials, among which this one for example: https://github.com/GoogleCloudPlatform/endpoints-codelab-android
我是Google Endpoints和Datastore的新手。我已经按照几个教程,其中一个例如:https://github.com/GoogleCloudPlatform/endpoints-codelab-android
My question is: what is the security mechanism that is used when we deploy the Endpoints backend application to Google App Engine? How does Google App Engine know you are the owner of the project? And I have this same question both for deployment through a terminal (See Step 6 of above tutorial) and for deployment through an IDE (e.g. through Maven in Eclipse).
我的问题是:当我们将端点后端应用程序部署到Google App Engine时使用的安全机制是什么? Google App Engine如何知道您是该项目的所有者?我对通过终端进行部署(参见上面教程的第6步)和通过IDE进行部署(例如通过Eclipse中的Maven)也有同样的问题。
I imagine that somehow the terminal (or the IDE) gets your credentials from the browser, which is logged in to the GAE console but I am not sure at all this is the good explanation.
我想,不知何故终端(或IDE)从浏览器获取您的凭据,登录到GAE控制台,但我不确定这是否是一个很好的解释。
Thanks! :-)
谢谢! :-)
1 个解决方案
#1
1
There are several ways to authenticate when deploying to Google App Engine. The recommended method uses OAuth2 to authenticate with Google (see below for another method). OAuth2 is the method used in the tutorial you mentioned (search for oauth in the link you sent), and is activated by the setting
部署到Google App Engine时,有多种方法可以进行身份验证。推荐的方法使用OAuth2对Google进行身份验证(请参阅下面的其他方法)。 OAuth2是您提到的教程中使用的方法(在您发送的链接中搜索oauth),并由设置激活
appcfg {
oauth2 = true
}
in the build.gradle
file of that tutorial. If you prefer the command-line appcfg
interface, use the flag appcfg --oauth2
.
在该教程的build.gradle文件中。如果您更喜欢命令行appcfg接口,请使用标志appcfg --oauth2。
When you installed the Google Cloud SDK, you were shown a web page in which you authorized the SDK to access and modify various Google Cloud services, including App Engine. The SDK locally stores a token which indicates that it is allowed to deploy to App Engine under your username. The oauth2 = true
line tells appcfg to request access to App Engine using this token.
安装Google Cloud SDK后,系统会显示一个网页,您授权SDK访问和修改各种Google云服务,包括App Engine。 SDK本地存储一个令牌,表示允许以您的用户名部署到App Engine。 oauth2 = true行告诉appcfg使用此令牌请求访问App Engine。
If you like, you can view (and revoke) this authorization by navigating to Google's Account Permissions page. You should see an entry for Google Cloud SDK, and clicking on it will show you that the SDK is authorized to access App Engine. If you click on "Revoke", the locally stored token will no longer be valid and you will need to re-authorize in order to use most of the Cloud SDK functionality.
如果您愿意,可以通过导航到Google的“帐户权限”页面来查看(并撤消)此授权。您应该会看到Google Cloud SDK的条目,点击它会显示SDK有权访问App Engine。如果单击“撤消”,则本地存储的令牌将不再有效,您需要重新授权才能使用大多数Cloud SDK功能。
If for some reason you do not want to rely on oauth2 (for example, if for security reasons you want to enter a password every time you deploy), then you can remove the oauth2 = true
line (or the --oauth2
command-line argument). This will cause appcfg to prompt for your Google username and password each time you deploy. However, this is a lot less convenient, both because appcfg will not store your password, and because it does not support 2-factor authentication. So, if your Google account uses 2-factor authentication (which is really recommended), you will need to use an App Password with this approach.
如果由于某种原因您不想依赖oauth2(例如,出于安全原因,您希望每次部署时都输入密码),那么您可以删除oauth2 = true行(或--oauth2命令行)论据)。这将导致appcfg每次部署时都会提示您输入Google用户名和密码。但是,这不太方便,因为appcfg不会存储您的密码,并且因为它不支持双因素身份验证。因此,如果您的Google帐户使用双因素身份验证(这是真正推荐的),则需要使用此方法的应用密码。
#1
1
There are several ways to authenticate when deploying to Google App Engine. The recommended method uses OAuth2 to authenticate with Google (see below for another method). OAuth2 is the method used in the tutorial you mentioned (search for oauth in the link you sent), and is activated by the setting
部署到Google App Engine时,有多种方法可以进行身份验证。推荐的方法使用OAuth2对Google进行身份验证(请参阅下面的其他方法)。 OAuth2是您提到的教程中使用的方法(在您发送的链接中搜索oauth),并由设置激活
appcfg {
oauth2 = true
}
in the build.gradle
file of that tutorial. If you prefer the command-line appcfg
interface, use the flag appcfg --oauth2
.
在该教程的build.gradle文件中。如果您更喜欢命令行appcfg接口,请使用标志appcfg --oauth2。
When you installed the Google Cloud SDK, you were shown a web page in which you authorized the SDK to access and modify various Google Cloud services, including App Engine. The SDK locally stores a token which indicates that it is allowed to deploy to App Engine under your username. The oauth2 = true
line tells appcfg to request access to App Engine using this token.
安装Google Cloud SDK后,系统会显示一个网页,您授权SDK访问和修改各种Google云服务,包括App Engine。 SDK本地存储一个令牌,表示允许以您的用户名部署到App Engine。 oauth2 = true行告诉appcfg使用此令牌请求访问App Engine。
If you like, you can view (and revoke) this authorization by navigating to Google's Account Permissions page. You should see an entry for Google Cloud SDK, and clicking on it will show you that the SDK is authorized to access App Engine. If you click on "Revoke", the locally stored token will no longer be valid and you will need to re-authorize in order to use most of the Cloud SDK functionality.
如果您愿意,可以通过导航到Google的“帐户权限”页面来查看(并撤消)此授权。您应该会看到Google Cloud SDK的条目,点击它会显示SDK有权访问App Engine。如果单击“撤消”,则本地存储的令牌将不再有效,您需要重新授权才能使用大多数Cloud SDK功能。
If for some reason you do not want to rely on oauth2 (for example, if for security reasons you want to enter a password every time you deploy), then you can remove the oauth2 = true
line (or the --oauth2
command-line argument). This will cause appcfg to prompt for your Google username and password each time you deploy. However, this is a lot less convenient, both because appcfg will not store your password, and because it does not support 2-factor authentication. So, if your Google account uses 2-factor authentication (which is really recommended), you will need to use an App Password with this approach.
如果由于某种原因您不想依赖oauth2(例如,出于安全原因,您希望每次部署时都输入密码),那么您可以删除oauth2 = true行(或--oauth2命令行)论据)。这将导致appcfg每次部署时都会提示您输入Google用户名和密码。但是,这不太方便,因为appcfg不会存储您的密码,并且因为它不支持双因素身份验证。因此,如果您的Google帐户使用双因素身份验证(这是真正推荐的),则需要使用此方法的应用密码。