Firebase Cloud Functions Firestore触发器产生:错误:7 PERMISSION_DENIED:缺少权限或权限不足 [英] Firebase Cloud Functions Firestore Trigger produces: Error: 7 PERMISSION_DENIED: Missing or insufficient permissions

问题描述

当我的一个文档已使用触发器更新时，我正在尝试使用Firebase Cloud Function更新Firestore数据库中的文档.触发器被调用并且工作正常，但是当我使用firebase admin实例获取要更新的其他文档时，出现以下错误.

I'm trying to use a Firebase Cloud Function to update a document within my Firestore database, when one of my documents has been updated using a trigger. The trigger is called and working fine, but when I'm using the firebase admin instance to get the other document which I want to update, I'm getting the following error.

Error: 7 PERMISSION_DENIED: Missing or insufficient permissions.
    at Object.exports.createStatusError (/user_code/node_modules/firebase-admin/node_modules/grpc/src/common.js:87:15)
    at ClientReadableStream._emitStatusIfDone (/user_code/node_modules/firebase-admin/node_modules/grpc/src/client.js:235:26)
    at ClientReadableStream._receiveStatus (/user_code/node_modules/firebase-admin/node_modules/grpc/src/client.js:213:8)
    at Object.onReceiveStatus (/user_code/node_modules/firebase-admin/node_modules/grpc/src/client_interceptors.js:1256:15)
    at InterceptingListener._callNext (/user_code/node_modules/firebase-admin/node_modules/grpc/src/client_interceptors.js:564:42)
    at InterceptingListener.onReceiveStatus (/user_code/node_modules/firebase-admin/node_modules/grpc/src/client_interceptors.js:614:8)
    at /user_code/node_modules/firebase-admin/node_modules/grpc/src/client_interceptors.js:1019:24

功能代码:

import * as functions from "firebase-functions";
import * as admin from "firebase-admin";

admin.initializeApp();
const settings = { timestampsInSnapshots: true };
admin.firestore().settings(settings);

export const onDocUpdate = functions.firestore
  .document("documents/{documentId}")
  .onUpdate((snapshot, context) => {
    console.log("onDocUpdate called ", context.params.documentId);
    const document = snapshot.after.data();
    console.log("Document: ", document);
    if (document.screw) {
      console.log("Document screw exists. ", document.screw);
      const docRef = admin
        .firestore()
        .collection("screws")
        .doc(document.screw);
      return docRef
        .get()
        .then(doc => {
          if (doc.exists) {
            console.log("Screw for document exists.");
          } else {
            console.error(
              "Screw for document not found! ",
              document.screw
            );
          }
        })
        .catch(error => {
          // Here I get the permission error :(
          console.error(
            "Screw for document doc load error!! ",
            error
          );
        });
    } else {
      console.error("Document is not bound to a screw! ", document.id);
    }
    return null;
  });

package.json

package.json

{
  "name": "functions",
  "scripts": {
    "lint": "tslint --project tsconfig.json",
    "build": "tsc",
    "serve": "npm run build && firebase serve --only functions",
    "shell": "npm run build && firebase functions:shell",
    "start": "npm run shell",
    "deploy": "firebase deploy --only functions",
    "logs": "firebase functions:log"
  },
  "main": "lib/index.js",
  "dependencies": {
    "@google-cloud/firestore": "^0.16.0",
    "firebase-admin": "^6.0.0",
    "firebase-functions": "^2.0.4",
    "protobufjs": "^6.8.8"
  },
  "devDependencies": {
    "tslint": "~5.8.0",
    "typescript": "~2.8.3"
  },
  "private": true
}

我认为这与管理实例的权限有关，但不知道错误可能是什么，我只是按照docs和youtube上的firebase视频中的步骤进行操作.

I assume that it has something to do with the permission of the admin instance, but no idea what the error could be, I've just followed the steps from the docs and the firebase videos on youtube.

我的帐户仍处于免费计划中，并且我在日志中收到一条通知，我应该配置计费帐户，但是如果了解正确的文档，我应该可以访问Google Cloud Platform中的服务，因此读取同一数据库中的其他节点应该没有问题.

My account is still on a Free Plan and I'm getting a notice in the logs the that I should configure the billing account, but if understand the documentation correct I should be able to access services within the Google Cloud Platform and so reading other nodes within the same database should not be a problem.

我已经在stackoverflow上找到了两个类似的问题，但是没有找到解决方案.也许其他人同时也遇到了这个问题并能够解决?

I've already found two similar issues here on stackoverflow, but did not find a solution there. Maybe someone else also faced this issue in the meantime and was able to solve it?

PERMISSION_DENIED Firestore CloudFunction TypeScript 和 通过函数写入Firestore的Firebase错误:"7 PERMISSION_DENIED:缺少权限或权限不足""

更新1:的新timestampsInSnapshots设置存在另一个问题.此问题已得到修复，上面的代码已更新.拒绝的主要问题权限仍然存在.

Update 1: Had another issue with the new timestampsInSnapshots setting. This has been fixed and the code above updated. The main issue permission denied is still present.

更新2 :关于下面@RonRoyston的回答.这是一个Cloud Function，它使用firebase-admin软件包中的Admin SDK读取节点.因此，它不应该受到Firestore安全规则的影响.其中之一上已经有评论. @DougStevenson提到的链接问题.根据 Admin SDK文档，通过调用即可对其进行初始化admin.initializeApp()，但不幸的是，事实并非如此.我没有读过在使用Cloud Functions时在服务帐户或安全规则中需要应用任何特殊IAM设置的地方，因此我没有涉及任何这些设置.

Update 2: Regarding the answer by @RonRoyston below. This is a Cloud Function and its using the Admin SDK from firebase-admin package to read the node. Hence it should not be effected by the firestore security rules. There's already a comment on one of the linked questions by @DougStevenson mentioning this. Based on the Admin SDK documentation it should be enough to initialize it by calling admin.initializeApp(), but unfortunately in my case it isn't. I've read no where that there is any need to apply any special IAM settings within the service accounts or security rules when using Cloud Functions, and so I didn't touch any of these settings.

干杯， 拉斯

推荐答案

我终于可以使用它了.我没有更改任何Firestore安全规则或任何IAM内容.我删除了在us-central1上运行的功能.再次创建了相同的Cloud Function项目，将其复制到我现有的代码上，但是这次我将其部署到europe-west1，并且可以立即使用.

I've finally got it working. I didn't change any firestore security rules nor any IAM stuff. I deleted the function which was running on us-central1. Created the same Cloud Function project again, copied over my existing code, but this time I deployed it to europe-west1 and it worked out of the box.

我认为在首次部署到us-central1的过程中，某些事情可能会失败，在那之后，即使我多次删除并重新部署了该函数，我的项目仍会出现错误.不知道到底发生了什么，因为没有显示明显的错误. Firebase团队的某个知道内部工作流程的人可能会告诉我们是否会发生这种情况，如果是，则如何处理.

I assume that something might failed during the first initial deployment to us-central1 and after that my project stuck with the error even if I had deleted and redeployed the function several times. Not sure what happened exactly, because no obvious error has been displayed. Maybe someone of the firebase team who knows the internal workflows can tell us if something like this can happen and if yes, how to deal with it.

目前，上述步骤解决了我的问题.

For now the above steps solved my issue.

这篇关于Firebase Cloud Functions Firestore触发器产生:错误:7 PERMISSION_DENIED:缺少权限或权限不足的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！