
[Ruby] Consider limiting scopes for cloud services to cloud-platform

Open dazuma opened this issue 6 years ago • 2 comments

The generated credentials class currently copies the scopes listed in the discovery doc. However, the discovery doc lists scopes that could be used, whereas the credentials class specifies scopes that must be present. As a result of this semantic mismatch, cloud services often require redundant scopes—typically both "https://www.googleapis.com/auth/cloud-platform" and service-specific scopes—in their credentials request. For example, currently, the generated trace client specifies these scopes:

          SCOPE = [
            "https://www.googleapis.com/auth/cloud-platform",
            "https://www.googleapis.com/auth/trace.append",
            "https://www.googleapis.com/auth/trace.readonly"
          ].freeze

For cloud platform services, we should require only cloud-platform if that is sufficient (which it usually should be):

          SCOPE = [
            "https://www.googleapis.com/auth/cloud-platform"
          ].freeze

dazuma, Jun 27 '18 22:06

@dazuma do you want this changed or is it still being considered?

It's a simple change if we can just use the cloud-platform scope. We don't currently have any configuration options for scopes, so if we need to vary it per service we'll need to add one. I don't really know how often it would vary to make that decision.

If we reduce them would it be useful to list the full set of scopes somewhere, perhaps in a comment above?

jbolinger, Jun 28 '18 16:06

I'm not sure if we still want this. Putting it on hold as a question.

dazuma, Apr 10 '20 23:04
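
The reduction proposed in this thread, with the dropped scopes kept in a comment as the first reply suggests, written as an added example that is not code from the issue or from gapic-generator-ruby. The helper names `normalize_scopes`, `required_scopes` and `render_scope_constant` are hypothetical, and the second sample list is a constructed placeholder.

```ruby
CLOUD_PLATFORM = "https://www.googleapis.com/auth/cloud-platform"

# Hypothetical helper: trim, drop blanks and de-duplicate discovery-doc scopes.
def normalize_scopes(discovery_scopes)
  discovery_scopes.map(&:strip).reject(&:empty?).uniq
end

# A discovery doc lists scopes that *could* be used; a credentials class lists
# scopes that *must* be present. Require cloud-platform alone when the service
# lists it, otherwise fall back to the full list unchanged.
def required_scopes(discovery_scopes)
  scopes = normalize_scopes(discovery_scopes)
  scopes.include?(CLOUD_PLATFORM) ? [CLOUD_PLATFORM] : scopes
end

# Render the SCOPE constant as source text, recording any scopes that were
# dropped from the requirement in a comment above it.
def render_scope_constant(discovery_scopes)
  required = required_scopes(discovery_scopes)
  dropped = normalize_scopes(discovery_scopes) - required
  lines = []
  unless dropped.empty?
    lines << "# Also listed in the discovery doc, but not required:"
    dropped.each { |scope| lines << "#   #{scope}" }
  end
  lines << "SCOPE = ["
  lines << required.map { |scope| "  #{scope.inspect}" }.join(",\n")
  lines << "].freeze"
  lines.join("\n")
end

# The trace scopes quoted in the issue.
TRACE_SCOPES = [
  "https://www.googleapis.com/auth/cloud-platform",
  "https://www.googleapis.com/auth/trace.append",
  "https://www.googleapis.com/auth/trace.readonly"
].freeze

# Constructed placeholder: a service whose discovery doc lacks cloud-platform.
OTHER_SCOPES = ["https://example.invalid/auth/placeholder.readonly"].freeze

puts render_scope_constant(TRACE_SCOPES) if __FILE__ == $PROGRAM_NAME
```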