Google team drives use domain admin access


#1

at the moment, rclone only allows me to list team drives of which i am a member. however, the api allows admins to list and access all team drives. could you add this option? at the moment, i can specify the team drive id in the config, but if i'm not a member of the drive, it looks like an empty folder. if i add myself i get the contents of the drive from rclone ls.

i’m not that familiar with go, but i think the api call is here


#2

self-comment: i’ve been tinkering with the drive api, and while useDomainAdminAccess allows you to list all team drives, in order to access them, you have to modify the permission on each drive. thus, if we wished to allow cloning of all team drives on a domain, we would have to (1) include the useDomainAdminAccess flag when listing team drives, (2) select a team drive to clone/sync/copy, (3) add a permission to the drive with the same scope, (4) create the config entry as usual. for the moment i’m using a shell script (untested) to do 1, 3 and 4 manually, but it should be possible to do this on a team drive by team drive basis using the current logic flow, no?


#3

Setting that flag would be easy enough… I think that will cause the return to only show drives which you are an administrator of.

So rclone would probably have to call the API twice, once with the flag and once without.

Doing this seems like a worthwhile addition to rclone.

So if rclone was to list the drives the user has admin access to, then if the user chose one of these in the config then rclone would add the permission

    # create a permission if necessary (the API ignores an identical existing grant)
    # and keep its id so the grant can be removed again afterwards
    perm_id=$(
    google-api -X POST /drive/v3/files/$id/permissions \
        supportsTeamDrives=true \
        useDomainAdminAccess=true \
        -p '{"role":"reader","type":"user","emailAddress":"'$EMAIL'"}' |
        jq -r '.id'
    )

So that would need an EMAIL address too. Your code seems to take the permission away afterwards which I don’t understand!


#4

i should think you could ask whether to useDomainAdminAccess after you ask whether to configure as a team drive but before listing the drives, and then add the permissions if necessary once the team drive has been selected. you don’t need to worry about creating an unnecessary permission because the api declines to duplicate permissions silently.

with gsuite, i think you’re either an admin or you’re not, so all the team drives in the domain are listable to admins.

you can add permissions to a team drive for a user or a group, either of which needs to be specified with an email address.

i run this script as an external backup of my org’s admin docs and team drives, so i like to leave things as i found them after the backup session is over. i don’t think that would be practical with rclone, since it doesn’t really need the principle of a per-session config.

i’m glad you think so. thanks for the brilliant code. i’ve been waiting for this for a long time.

edit: i just realized i was being unnecessarily obtuse. useDomainAdminAccess does not refer to being an admin of individual team drives, but rather to admins of the entire gsuite domain. gsuite admins have access to all team drives, and thus team drives (in your domain) of which you are a member will always be a subset of the list returned using useDomainAdminAccess.
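The two-step flow discussed in the posts above (list every shared drive in the domain with useDomainAdminAccess, then grant the backup account a read-only permission on the chosen drive) as an added Go example; it is not rclone's code or the poster's script. It talks to the Drive v3 REST API with the standard library only, uses the current `drives` endpoint and `supportsAllDrives` parameter (successors of `teamdrives` and `supportsTeamDrives`), and assumes `token` is an OAuth bearer token for a domain admin with a Drive scope; `base` exists only so the calls can be pointed at a test server.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
)

// Drive is the subset of a drives.list entry a backup tool needs (json matches "id"/"name" case-insensitively).
type Drive struct{ ID, Name string }
// call sends one bearer-authorised Drive API request, fails on non-2xx (e.g. 403 for a non-admin) and decodes the JSON reply into out.
func call(c *http.Client, method, u, token string, body []byte, out interface{}) error {
	req, _ := http.NewRequest(method, u, bytes.NewReader(body))
	req.Header = http.Header{"Authorization": {"Bearer " + token}, "Content-Type": {"application/json"}}
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("%s %s: %s", method, u, resp.Status)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}
// listDrives pages through drives.list with useDomainAdminAccess=true, so a domain admin gets every shared drive, not only memberships.
func listDrives(c *http.Client, base, token string) ([]Drive, error) {
	var all []Drive
	q := url.Values{"useDomainAdminAccess": {"true"}, "pageSize": {"100"}}
	for {
		var page struct{ Drives []Drive; NextPageToken string }
		if err := call(c, "GET", base+"/drive/v3/drives?"+q.Encode(), token, nil, &page); err != nil {
			return nil, err
		}
		all = append(all, page.Drives...)
		if page.NextPageToken == "" {
			return all, nil
		}
		q.Set("pageToken", page.NextPageToken) // fetch the next page
	}
}
// grantReader adds a read-only user permission on a drive the admin is not a member of and returns the
// permission id, which is what a later DELETE needs to put things back the way they were after the backup.
func grantReader(c *http.Client, base, token, driveID, email string) (string, error) {
	body, _ := json.Marshal(map[string]string{"role": "reader", "type": "user", "emailAddress": email})
	u := base + "/drive/v3/files/" + url.PathEscape(driveID) + "/permissions?supportsAllDrives=true&useDomainAdminAccess=true"
	var perm struct{ ID string }
	err := call(c, "POST", u, token, body, &perm)
	return perm.ID, err
}
```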


#5

Do you want to make a new issue on github about this with what needs to be done?

Maybe I could talk you through doing the changes?


#6

sure, i’d love to. learning some go is high on my bucket list.


#7

Great! I don’t think the changes would be too complicated. I’ll talk you through it on the issue.