How to integrate security rules into Firestore client from Python's server client library?

Problem description

I am trying to test my security rules using the Firestore emulator. I made a firestore.rules security rule that disallows all reads and writes:

service cloud.firestore {
    match /databases/{database}/documents {
        allow read, write: if false;
    }
}

I started the Firestore emulator from the terminal:

firebase emulators:start --only firestore

I then initialized my Firestore client:

import firebase_admin
from firebase_admin import firestore

firebase_app = firebase_admin.initialize_app()
self.client = firestore.client(app=firebase_app)

I added an example document to the Firestore emulator's database:

self.client.collection("Users").document("user_1").set(...)

And this all succeeds, which is unexpected. I disallowed all writes, yet I just performed one, and the Firestore emulator successfully acknowledges that the rules are in effect with:

[info] ✔  firestore: Rules updated.

I finally came across Get started with Cloud Firestore Security Rules which states:

The server client libraries bypass all Cloud Firestore Security Rules and instead authenticate through Google Application Default Credentials.

Is there really no way to modify self.client or firebase_app such that the above write fails? I can't imagine that this type of authentication would only be supported client side (as in on the iOS/Android device). The page continues with:

If you are using the server client libraries or the REST or RPC APIs, make sure to set up Identity and Access Management (IAM) for Cloud Firestore.

But with my actual security rules I am trying to limit access to only certain collections / documents, and IAM seems to cover only global permissions such as createDocument.

Recommended answer

Testing security rules with the emulator is only supported for nodejs apps that use the "@firebase/testing" module as described in the documentation:

Use the @firebase/testing module to interact with the emulator that runs locally.

With this module, you can initialize the SDK to provide user information that will be delivered to the emulator for the specific purpose of testing rules.

If you want to use python instead, you would have to reverse engineer what that module does, and write that into your own test code. That might be more effort than learning enough JavaScript to perform tests as documented.
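
The following is an added example, not part of the original question or answer and not Firebase's own code: a sketch of what a Python test could send to the local emulator so that the rules are actually evaluated, instead of using the Admin SDK client that bypasses them. It assumes the emulator listens on localhost:8080, that the project id is `demo-project`, that a REST request without admin credentials is checked against the rules, and that the emulator accepts an unsigned token as the caller's identity; the helper names are hypothetical.

```python
import base64, json, time, urllib.error, urllib.request

PROJECT = "demo-project"            # assumed project id
EMULATOR = "http://localhost:8080"  # assumed emulator host and port


def _b64(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unsigned_token(uid, project=PROJECT):
    """ID-token-shaped JWT with alg=none and an empty signature (emulator use only)."""
    now = int(time.time())
    claims = {"iss": f"https://securetoken.google.com/{project}", "aud": project,
              "iat": now, "exp": now + 3600, "auth_time": now,
              "sub": uid, "user_id": uid,
              "firebase": {"sign_in_provider": "custom", "identities": {}}}
    return f"{_b64({'alg': 'none', 'typ': 'JWT'})}.{_b64(claims)}."


def write_request(doc_path, fields, uid=None, project=PROJECT):
    """Build a REST write that carries no admin credentials, so rules apply."""
    url = f"{EMULATOR}/v1/projects/{project}/databases/(default)/documents/{doc_path}"
    body = json.dumps({"fields": fields}).encode()
    req = urllib.request.Request(url, data=body, method="PATCH",
                                 headers={"Content-Type": "application/json"})
    if uid is not None:  # act as a signed-in user; otherwise unauthenticated
        req.add_header("Authorization", f"Bearer {unsigned_token(uid)}")
    return req


def is_denied(req):
    """True if the emulator answers 403 (PERMISSION_DENIED); other errors propagate."""
    try:
        urllib.request.urlopen(req, timeout=5)
        return False
    except urllib.error.HTTPError as err:
        if err.code == 403:
            return True
        raise


if __name__ == "__main__":
    # Constructed sample document; with deny-all rules this should report True.
    req = write_request("Users/user_1", {"name": {"stringValue": "x"}})
    print("write denied by rules:", is_denied(req))
```

Running the file requires the emulator started with `firebase emulators:start --only firestore`; the request builders themselves work offline.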
