GCP中的授权和认证机制 [英] authorization and authentication mechanism in GCP
问题描述
我想创建一个 Udemy 这样的视频平台,用户可以在其中看到所有视频,但只能观看自己购买的视频.
I want to create a Udemy like video platform where a user can see all videos but can watch videos only that he has purchased.
我正在拨打电话,使用此处的 Firebase 身份验证从角度应用程序从存储桶中获取视频.在对存储桶的GET请求中,我传递了从 Firebase authn 获得的访问令牌.
I am making a rest call to get the videos from the storage bucket from an angular application, using Firebase authentication here. In my GET request to storage bucket I am passing the access token that I got from Firebase authn.
此访问令牌可以用于确定用户访问存储桶中视频的范围吗?
Does this access token can be used to determine scope of the user to access video in a bucket?
假设我已为存储桶中的特定用户授予了对视频的读取访问权限,那么使用访问令牌可以获取视频吗?但是每次我尝试显示未经授权.还有其他方法可以验证用户对存储桶对象的访问权限.
Assume if I have given read access for a video in a bucket for a specific user, using the access token can I get the video? But every time I tried it shows unauthorized. Is there any other way to verify users access to storage bucket object.
推荐答案
Google 建议不要使用ACL ,因为它很难管理并且很难对授权进行全局查看.
Google recommend to not use ACL because it's hard to manage and to have a global view on the authorization.
在大多数情况下,建议使用Cloud Identity and Access Management(Cloud IAM)来控制对资源的访问.
In most cases, Cloud Identity and Access Management (Cloud IAM) is the recommended method for controlling access to your resources.
警告:可以通过ACL或Cloud IAM策略来授予权限.通常,由Cloud IAM策略授予的权限不会出现在ACL中,并且由ACL授予的权限也不会出现在Cloud IAM策略中.唯一的例外是直接应用于存储桶和某些存储桶级Cloud IAM策略的ACL,如Cloud IAM与ACL的关系所述.
Caution: Permissions can be granted either by ACLs or Cloud IAM policies. In general, permissions granted by Cloud IAM policies do not appear in ACLs, and permissions granted by ACLs do not appear in Cloud IAM policies. The only exception is for ACLs applied directly on a bucket and certain bucket-level Cloud IAM policies, as described in Cloud IAM relation to ACLs.
IMO,最好的模式是在您的身边拥有一个数据库,并允许每个用户使用GCS上的文件.您可以将这些存储在Firestore中:价格合理,使用时付费,免费的层级存储.要下载视频,您可以通过生成临时访问用户的视频一个已签名的网址.
IMO, the best pattern is to have a database on your side with the file on GCS allowed per user. You can store these in Firestore: affordable, pay as you use, generous free tier. For downloading the video, you can generate a temporarily access to the user by generating a signedUrl.
这篇关于GCP中的授权和认证机制的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
