How to integrate security rules into Firestore client from Python's server client library?

问题

I am trying to test my security rules using the Firestore emulator. I made a firestore.rules security rule that disallows all reads and writes:

service cloud.firestore {
    match /databases/{database}/documents {
        allow read, write: if false;
    }
}

I started the Firestore emulator from the terminal:

firebase emulators:start --only firestore

I then initialized my Firestore client:

import firebase_admin
from firebase_admin import firestore

firebase_app = firebase_admin.initialize_app()
self.client = firestore.client(app=firebase_app)

I added an example document to the Firestore emulator's database:

self.client.collection("Users").document("user_1").set(...)

And this all succeeds, which is unexpected. I disallowed all writes, yet I just performed one, and the Firestore emulator successfully acknowledges that the rules are in effect with:

[info] ✔  firestore: Rules updated.

I finally came across Get started with Cloud Firestore Security Rules which states:

The server client libraries bypass all Cloud Firestore Security Rules and instead authenticate through Google Application Default Credentials.

Is there really no way to modify self.client or firebase_app such that the above write fails? I can't imagine that this type of authentication would only be supported client side (as in on the iOS/Android device). The page continues with:

If you are using the server client libraries or the REST or RPC APIs, make sure to set up Identity and Access Management (IAM) for Cloud Firestore.

But with my actual security rules I am trying to limit access to only certain collections / documents, and IAM seems to cover only only global permissions such as createDocument.

回答1:

Testing security rules with the emulator is only supported for nodejs apps that use the "@firebase/testing" module as described in the documentation:

Use the @firebase/testing module to interact with the emulator that runs locally.

With this module, you can initilaize the SDK to provide user information that will be delivered to the emulator for the specific purpose of testing rules.

If you want to use python instead, you would have to reverse engineer what that module does, and write that into your own test code. That might be more effort than learning enough JavaScript to perform tests as documented.

来源：https://stackoverflow.com/questions/63458980/how-to-integrate-security-rules-into-firestore-client-from-pythons-server-clien