Question
I am in the process of building a multi-tenant app using firebase. While building the app I am building out an RBAC model that enables users to be a part of multiple organizations and be assigned multiple roles within each organization. Each role has assigned resources that a user would have access to.
Given a firebase structure like the following, how would one go about creating a proper firebase security rule that would determine if the user has access to a resource in a given organization?
organizations
  org1UUID
    about
    staff
      uid1
    roles
      ViewerRoleUUID
        about
          type: "view"
        resources
          DashboardUUID: "true"
          SomeSettingsUUID: "true"
          MoreResourcesUUID: "true"
      SysAdminUUID
        about..
          type: "full"
        resources:
          AdminAreaUUID: "true"
          DashboardUUID: "true"
          SomeSettingsUUID: "true"
          type: "admin"
  org2UUID...<repeat of above>
users
  uid1
    authinfo
    organizations
      org1UUID
        roles
          ViewRoleUUID: "true"
          SysAdminUUID: "true"
      org2UUID
        roles
          AnotherRoleUUID: "true"
Since firebase does not support many-to-many searches in rules, I don't see a way, even if I change the data model, of how this would be possible. I don't even see a way of accessing all of the children of a node either. I thought about copying the resources to the user's data as well, but still couldn't find a way to access the children of any node without knowing the node's name or id. All of the implementations I have seen only allow for a user to be a part of a single role and end up doing something like
".read": "root.child('users/' + auth.uid + '/organizations/' + $organization).child('role').val() === 'viewer'",
".write": "root.child('users/' + auth.uid + '/organizations/' + $organization).child('role').val() === 'admin'"
The example above would only work if the user was assigned one role. However, if the user needs to be a part of two or more roles, depending on the resources that the user needs access to, this would not work.
Originally I thought about just copying the role information, including its type and the list of resources, to each of the users. The problem is that even if the data structure was moved or copied to the user, checking whether a user has access to the resource would still come down to searching all of the user's roles for a given company to determine if the user has access.
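One way around the no-iteration limit described above, shown as an added example that is not from the question or from Firebase's own documentation: flatten each user's roles for an organization into a single effective `resources` map on the user node from a trusted server process, so the rule becomes one known-path lookup using the `$organization` and `$resource` wildcards. The `$resource` wildcard, the `resources` child under each organization, boolean values instead of the string "true", and the sample data are all assumptions.

```javascript
// Constructed sample in the question's layout: org role definitions plus the user's role membership.
const root = {
  organizations: {
    org1UUID: {
      roles: {
        ViewerRoleUUID: { about: { type: "view" },
          resources: { DashboardUUID: true, SomeSettingsUUID: true } },
        SysAdminUUID: { about: { type: "full" },
          resources: { AdminAreaUUID: true, DashboardUUID: true } },
      },
    },
  },
  users: {
    uid1: { organizations: { org1UUID: { roles: { ViewerRoleUUID: true, SysAdminUUID: true } } } },
  },
};

// Trusted-side step (Admin SDK / Cloud Function, which bypasses rules; never the client):
// union the resources of every role the user holds in one org into a flat map.
function effectiveResources(root, uid, orgId) {
  const roleIds = Object.keys(root.users?.[uid]?.organizations?.[orgId]?.roles ?? {});
  const out = {};
  for (const roleId of roleIds) {
    const role = root.organizations?.[orgId]?.roles?.[roleId];
    for (const [res, ok] of Object.entries(role?.resources ?? {})) if (ok === true) out[res] = true;
  }
  return out;
}

// Persist the flattened map under users/$uid/organizations/$org/resources (simulated here in memory).
function syncUserOrg(root, uid, orgId) {
  const orgNode = root.users[uid].organizations[orgId];
  orgNode.resources = effectiveResources(root, uid, orgId);
  return orgNode.resources;
}

// Same check the rule expression performs: every path segment is known at evaluation time.
function canRead(root, uid, orgId, resourceId) {
  return root.users?.[uid]?.organizations?.[orgId]?.resources?.[resourceId] === true;
}

// Rules that pair with the flattened map. No ".write" is granted under users/$uid, so only the
// Admin SDK can populate the resources map; clients cannot grant themselves access.
const rules = { rules: {
  organizations: { "$organization": { resources: { "$resource": {
    ".read": "root.child('users/' + auth.uid + '/organizations/' + $organization + '/resources/' + $resource).val() === true"
  } } } },
  users: { "$uid": { ".read": "auth.uid === $uid" } }
} };
```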
Source: https://stackoverflow.com/questions/34078703/proper-firebase-security-rules-for-implementing-rbac