问题
I've started a web-based project using nodejs, express, firebase functions, firestore and eventually want to use firebase hosting. So far, I have been able to keep everything server side until I've reached Authorisation and Authentication. I'm using a model view controller structure so calls to firestore are being made server side and therefore the firestore security rules don't work. Firestore security rules only work if you access firestore client side.
Can I use google cloud IAM (Identity and Access Management) to control users level of ability to read/write to firestore like you would with Cloud Firestore Security Rules?
If so does it work like say setting up different users in MySQL:
grant INSERT, UPDATE, SELECT on name_of_database.* to 'admin_webuser'@'%';
grant SELECT on name_of_database.* to 'user_webuser'@'%';
So, when admin signs in they use the admin_webuser to connect to the database and if anyone else signs in they use user_webuser to connect to the database.
Can I achieve the above kind of setup with nodejs, express, firebase functions to connect to firestore using IAM?
Currently in my models folder I make calls to firestore with:
const admin = require('firebase-admin');
const functions = require('firebase-functions');
admin.initializeApp(functions.config().firebase);
I’m assuming I could change the admin.initializeApp(functions.config().firebase); part to hit a different config file based on IAM rules that have been setup? So, when admin logs in on my website I could use a models folder with a different config file?
I have read through the docs on IAM but it just doesn't make any sense. Could someone please advise me on:
How to set up an admin that can perform CRUD on firestore using IAM?
How I would then arrange so that when the admin signs in on my website only they can perform CRUD operations on firestore?
回答1:
In the server-side you configure access control by granting the appropriate IAM permissions to the service account used by the Admin SDK: https://cloud.google.com/firestore/docs/security/iam. This doesn't allow configuring permissions at individual collection/document level like security rules.
I think you need to handle user authentication (Firebase Auth) in the client-side to do what you're trying to do. Then you can easily use custom claims in conjunction with security rules to answer your questions 1 and 2.
A possible workaround is to use the client SDK in the server environment. Then you can use the Admin SDK to mint a custom token for each user, and have that user sign-in in the server app itself.
来源:https://stackoverflow.com/questions/51519274/user-access-and-data-control-to-cloud-firestore-when-calls-to-firestore-are-made