As requested, I have begun experiments with DVC and the GDrive API "drive.file" scope. The goal is to resolve whether this scope may replace the excessively permissive "drive" scope for all of DVC's interactions with GDrive.
The "drive.file" scope allows the application using the API to "View and manage Google Drive files and folders that you have opened or created with this app" [1]. Suppose a user grants this access to a Google Drive folder they own called "dvcstore"; then that user should be able to `dvc push` and `dvc pull`. Suppose our user shares this Google Drive folder with a collaborator; then that collaborator should be able to `dvc pull` and (if an Editor) `dvc push`.
For round one, we can conduct tests with a Google Cloud project. Because DVC adopts the client_id and client_secret of the cloud project, anyone authorized on the Google Cloud project who has the client_id and client_secret can get a token and is (we hope!) effectively the same client as far as GDrive is concerned. Note that for an installed-app (desktop) OAuth client Google does not treat the client_secret as confidential, since it ships with the application; the per-user consent step, not the secret, is what actually grants access to a Drive.
The following steps only need to be done once, by the Google Drive folder Owner or the Google Drive shared drive Manager.
- setup "gdrive-dvc-tests" in Google Cloud console
  - create project
  - enable GDrive API
  - add OAuth consent screen with "drive.file" scope (even necessary?)
  - create and download OAuth credentials as "credentials.json"
- setup "gdrive-scope-dvc" repository
  - init git and dvc
  - create data.csv and data.csv.dvc
- setup a Google Drive folder
  - run gdrive.py to grant "gdrive-dvc-tests" access to the user's Google Drive and create a folder that will be used by DVC
  - note the printed Google Drive folder id
- setup a DVC remote
  - add remote with the previously noted folder id and the gdrive_client_id and gdrive_client_secret taken from the downloaded credentials.json
  - run `dvc push` to generate a url, but modify the scope query from "drive" to "drive.file" - profit!
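The gdrive.py mentioned in the folder-setup step is not shown on this page. What follows is an added stand-in for it, not the repository's own script: it runs the OAuth code flow with only the drive.file scope and then creates the folder through this same client, so that the folder is one the app "created" and is therefore covered by drive.file. It uses only the standard library and Google's OAuth and Drive v3 REST endpoints. Assumptions: credentials.json is in the "installed" format the Cloud console downloads for a desktop client, and the redirect URI and approval_prompt parameter are copied from the URL DVC prints further down this page (Google has since deprecated the urn:ietf:wg:oauth:2.0:oob redirect in favour of a loopback redirect, so a fresh client may need that change).

```python
"""Stand-in for the gdrive.py step: authorize the "gdrive-dvc-tests" client
with only the drive.file scope and create the folder DVC will use."""
import json
import sys
import urllib.parse
import urllib.request

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
DRIVE_FILES_ENDPOINT = "https://www.googleapis.com/drive/v3/files"
FOLDER_MIME = "application/vnd.google-apps.folder"
DRIVE_FILE_SCOPE = "https://www.googleapis.com/auth/drive.file"
# Copied from the URL DVC prints; Google has since deprecated OOB redirects.
REDIRECT_URI = "urn:ietf:wg:oauth:2.0:oob"


def client_from_json(data):
    """Pull client_id/client_secret out of the credentials.json structure the
    Cloud console downloads for a desktop ("installed") OAuth client."""
    installed = data["installed"]
    return installed["client_id"], installed["client_secret"]


def load_client(path="credentials.json"):
    with open(path) as fh:
        return client_from_json(json.load(fh))


def build_auth_url(client_id, scopes=(DRIVE_FILE_SCOPE,)):
    """Consent URL requesting only the given scopes (drive.file by default)."""
    params = {
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "access_type": "offline",
        "response_type": "code",
        "approval_prompt": "force",
    }
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def exchange_code(client_id, client_secret, code):
    """Trade the one-time authorization code for tokens (network call)."""
    body = urllib.parse.urlencode({
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": REDIRECT_URI,
        "grant_type": "authorization_code",
    }).encode()
    req = urllib.request.Request(TOKEN_ENDPOINT, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def folder_metadata(name):
    """Drive v3 file resource describing a folder."""
    return {"name": name, "mimeType": FOLDER_MIME}


def create_folder(access_token, name):
    """Create the folder through this client so drive.file covers it
    (network call); returns the folder id the DVC remote needs."""
    req = urllib.request.Request(
        DRIVE_FILES_ENDPOINT,
        data=json.dumps(folder_metadata(name)).encode(),
        method="POST",
        headers={"Authorization": "Bearer " + access_token,
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["id"]


if __name__ == "__main__":
    folder_name = sys.argv[1] if len(sys.argv) > 1 else "dvcstore"
    client_id, client_secret = load_client()
    print("Open this URL, approve the drive.file scope, then paste the code:")
    print(build_auth_url(client_id))
    tokens = exchange_code(client_id, client_secret, input("code: ").strip())
    print("granted scope:", tokens.get("scope"))  # should not contain bare .../auth/drive
    print("folder id:", create_folder(tokens["access_token"], folder_name))
```

The printed folder id is the value to use for the DVC remote in the next step. Because the folder is created by this client, it is in scope for drive.file for the Owner; whether a folder shared to a collaborator is likewise in scope is exactly what the tests below are meant to establish.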
The following should be tested before any attempts to make a PR to DVC:

- Owner of "dvcstore" folder can `dvc push`
- Owner of "dvcstore" folder can `dvc pull` from a separate clone of this project
- Editor of "dvcstore" folder can `dvc pull`
- Editor of "dvcstore" folder can `dvc push` changes (with a new commit to this project)
- Manager of "dvcstore" shared drive can `dvc push`
- Manager of "dvcstore" shared drive can `dvc pull` from a separate clone of this project
- Content Manager of "dvcstore" shared drive can `dvc pull`
- Content Manager of "dvcstore" shared drive can `dvc push` changes (with a new commit to this project)
The normal DVC flow for authorizing the remote should work except for the change to the scope. When DVC spits out a url including "scope=https://www.googleapis.com/auth/drive", append ".file". Leave the "appdata" scope, which I presume DVC needs for some undocumented reason.
```
https://accounts.google.com/o/oauth2/auth? \
client_id=869640904795-ndtkii9qjrn90qnjp8lj9327a262us9f.apps.googleusercontent.com& \
redirect_uri=urn:ietf:wg:oauth:2.0:oob& \
scope=https://www.googleapis.com/auth/drive.file+ \
https://www.googleapis.com/auth/drive.appdata& \
access_type=offline& \
response_type=code& \
approval_prompt=force
```
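Editing the scope by hand is easy to get wrong (a plain search-and-replace on "drive" also hits "drive.appdata"), and the consent screen alone does not prove what Google actually issued. The following added example, not part of this page or of DVC, does the rewrite for the "modify the scope query" step above and for this paragraph, and then checks the token endpoint's response. It replaces only the bare `.../auth/drive` entry, leaves `drive.appdata` and every other query parameter untouched, and reads the `scope` field Google returns alongside the access token. The sample URL and token response are constructed for the example (placeholder client id, placeholder token values); only the shape matches what DVC prints and what Google returns.

```python
"""Narrow the scope in the authorization URL DVC prints, then confirm the
token Google issued really is limited to drive.file (+ drive.appdata)."""
import sys
import urllib.parse

FULL_DRIVE = "https://www.googleapis.com/auth/drive"  # what DVC requests
DRIVE_FILE = FULL_DRIVE + ".file"                     # what we want instead
APPDATA = FULL_DRIVE + ".appdata"                     # left as DVC requested it

# Constructed sample: same layout as the URL DVC prints, placeholder client id.
SAMPLE_DVC_URL = (
    "https://accounts.google.com/o/oauth2/auth?"
    "client_id=placeholder.apps.googleusercontent.com&"
    "redirect_uri=urn:ietf:wg:oauth:2.0:oob&"
    "scope=" + FULL_DRIVE + "+" + APPDATA + "&"
    "access_type=offline&response_type=code&approval_prompt=force"
)

# Constructed sample of the token endpoint's JSON body after a narrowed consent.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "ya29.placeholder",
    "expires_in": 3599,
    "refresh_token": "1//placeholder",
    "scope": DRIVE_FILE + " " + APPDATA,
    "token_type": "Bearer",
}


def requested_scopes(url):
    """Scopes listed in the URL's scope= parameter, in order."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return query.get("scope", [""])[0].split()


def narrow_scope(url):
    """Rewrite only the bare 'drive' scope to 'drive.file'.

    The query is parsed rather than string-replaced so 'drive.appdata' and the
    other parameters (client_id, redirect_uri, ...) pass through unchanged.
    """
    parts = urllib.parse.urlsplit(url)
    query = urllib.parse.parse_qs(parts.query, keep_blank_values=True)
    scopes = query.get("scope", [""])[0].split()
    narrowed = [DRIVE_FILE if s == FULL_DRIVE else s for s in scopes]
    query["scope"] = [" ".join(narrowed)]
    return urllib.parse.urlunsplit(
        parts._replace(query=urllib.parse.urlencode(query, doseq=True))
    )


def granted_scopes(token_response):
    """Scopes Google reports in the token endpoint's 'scope' field."""
    return set(token_response.get("scope", "").split())


def token_is_narrow(token_response):
    """True only if drive.file was granted and the full drive scope was not."""
    granted = granted_scopes(token_response)
    return DRIVE_FILE in granted and FULL_DRIVE not in granted


if __name__ == "__main__":
    # Usage: python narrow_scope.py '<url DVC printed>'; no argument uses the sample.
    url = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_DVC_URL
    print(narrow_scope(url))
    print("sample token narrow:", token_is_narrow(SAMPLE_TOKEN_RESPONSE))
```

After the real exchange, the same check can be repeated against Google's tokeninfo endpoint (`https://oauth2.googleapis.com/tokeninfo?access_token=...`), whose `scope` field reports what the token is actually good for; if the bare `.../auth/drive` scope shows up there, the URL edit did not take effect and every result in the test list above would be meaningless.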