在服务器端进行对Firestore的调用时,用户对Cloud Firestore的访问和数据控制 [英] user access and data control to cloud firestore when calls to firestore are made server side
问题描述
我已经使用nodejs,express,firebase函数,firestore启动了一个基于Web的项目,并最终希望使用Firebase托管.到目前为止,我已经可以保留服务器端的所有内容,直到获得授权和身份验证为止.我使用的是模型视图控制器结构,因此在服务器端进行了对Firestore的调用,因此Firestore安全规则不起作用.Firestore安全规则仅在您访问Firestore客户端时有效.
I've started a web-based project using nodejs, express, firebase functions, firestore and eventually want to use firebase hosting. So far, I have been able to keep everything server side until I've reached Authorisation and Authentication. I'm using a model view controller structure so calls to firestore are being made server side and therefore the firestore security rules don't work. Firestore security rules only work if you access firestore client side.
我是否可以像使用Cloud Firestore安全规则那样使用Google Cloud IAM(身份和访问管理)来控制用户对Firestore的读写能力级别?
Can I use google cloud IAM (Identity and Access Management) to control users level of ability to read/write to firestore like you would with Cloud Firestore Security Rules?
如果是这样的话,就像说在MySQL中设置其他用户一样:
If so does it work like say setting up different users in MySQL:
grant INSERT, UPDATE, SELECT on name_of_database.* to 'admin_webuser'@'%';
grant SELECT on name_of_database.* to 'user_webuser'@'%';
因此,当管理员登录时,他们使用admin_webuser连接到数据库并且如果其他人登录,他们将使用user_webuser连接到数据库.
So, when admin signs in they use the admin_webuser to connect to the database and if anyone else signs in they use user_webuser to connect to the database.
我可以使用nodejs,express,firebase函数来实现上述设置,以使用IAM连接到Firestore吗?
Can I achieve the above kind of setup with nodejs, express, firebase functions to connect to firestore using IAM?
目前,在我的模型文件夹中,我使用以下命令调用Firestore:
Currently in my models folder I make calls to firestore with:
const admin = require('firebase-admin');
const functions = require('firebase-functions');
admin.initializeApp(functions.config().firebase);
我假设我可以根据已设置的IAM规则更改 admin.initializeApp(functions.config().firebase); 部分以命中其他配置文件?那么,当管理员登录我的网站时,我可以使用具有不同配置文件的models文件夹吗?
I’m assuming I could change the admin.initializeApp(functions.config().firebase); part to hit a different config file based on IAM rules that have been setup? So, when admin logs in on my website I could use a models folder with a different config file?
我已经阅读了有关IAM的文档,但这没有任何意义.有人可以建议我吗:
I have read through the docs on IAM but it just doesn't make any sense. Could someone please advise me on:
-
如何设置可以使用IAM在Firestore上执行CRUD的管理员?
How to set up an admin that can perform CRUD on firestore using IAM?
当管理员登录到我的帐户后,我该如何安排网站只有他们可以在Firestore上执行CRUD操作?
How I would then arrange so that when the admin signs in on my website only they can perform CRUD operations on firestore?
推荐答案
在服务器端,您可以通过为Admin SDK使用的服务帐户授予适当的IAM权限来配置访问控制:
In the server-side you configure access control by granting the appropriate IAM permissions to the service account used by the Admin SDK: https://cloud.google.com/firestore/docs/security/iam. This doesn't allow configuring permissions at individual collection/document level like security rules.
我认为您需要在客户端中处理用户身份验证(Firebase Auth)才能执行您要尝试执行的操作.然后,您可以轻松地将自定义声明与安全规则结合使用来回答您的问题1和2.
I think you need to handle user authentication (Firebase Auth) in the client-side to do what you're trying to do. Then you can easily use custom claims in conjunction with security rules to answer your questions 1 and 2.
可能的解决方法是在服务器环境中使用客户端SDK.然后,您可以使用Admin SDK为每个用户创建一个自定义令牌,并使该用户登录服务器应用程序本身.
A possible workaround is to use the client SDK in the server environment. Then you can use the Admin SDK to mint a custom token for each user, and have that user sign-in in the server app itself.
这篇关于在服务器端进行对Firestore的调用时,用户对Cloud Firestore的访问和数据控制的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
