how to restrict to security.json to all other user expect super admin
super admin has all admin access and service user have access to only collections
when service user(permission to only collectios) login to admin UI, able see security.json(which has all rules and users), how to I block security.json to service users
-d '{
"set-permission" : {"name":"admin-ui",
"collection":null
"path":"/admin/zookeeper",
"role":"dev"}
}'
Related
I have a server side app that does not run on node.js (a Cloudflare Worker), so I'm trying to access Firestore resources via REST calls and not through the Admin SDK.
I have a default service account created automatically for the Admin SDK, and I created another service account manually in the GCP console.
After obtaining an OAuth token for the default service account, I'm able to access protected resources. However, with the newly created service account, I can't access resources even if the security rule is set to if true.
What permissions would I have to give this manually created service account in order to allow it access?
Creating a service account by itself grants no permissions. The Permissions tab in IAM & Admin > Service Accounts shows a list of "Principals with access to this account" - this is not the inheritance of permissions, it's simply which accounts, aka principals, can make use of the permissions granted to this service account. The "Grant Access" button on this page is about granting other principals access to this service account, not granting access to resources for this service account.
For Firestore access specifically - go to IAM & Admin > IAM, and you'll be on the permissions tab. Click "Add" at the top of the page. Type in your newly created service account under "New Principals", and for roles, select "Cloud Datastore Owner".
Note: Firestore is the next generation of Datastore, but this legacy role name has remained.
I have an app that lets users sign in via email and password. The app has a feed with posts that need to be moderated. I have an admin react website that lets the moderators remove or keep posts. Right now any user can login and see the content, however I wanna make the login only available for admin users. I made my account "admin" using Admin SDK of Firebase.
I was thinking to make a Cloud Function which verifies whether the email is an admin and return true or false accordingly. Then authenticate the user normally using Firebase Auth. Is this secure enough?
If you've set a custom claim marking the user as an application administrator, you can check in your client-side code for the presence of that claim. You can then use the result of that to show the correct UI.
On the server/in the database security rules, you'll also want to check the presence of this admin claim before allow the user to access/modify the moderator data.
Note that none of these prevents the users from authenticating. Authentication in Firebase is nothing more than entering your credentials to prove that you are you. Granting access to resources based on who you are, known as authorization, is up to the application, hence including it in your client-side code, and server-side code or security rules.
I want to change user password form admin. Users are login with firebase email and password option. Admin is also login with firebase. How can change the user password with web api?
There is no way to change another user's password with the client SDK.
Firebase Authentication doesn't have any concept of an admin user. That means that it can't grant special privileges to a user that you consider an admin.
There is however an Admin SDK, that runs with administrative privileges, and has the option to change the password (and other profile data) of any user in the project. This SDK is meant to be used on a so-called trusted environment, such as your development machine, a server you control, or Cloud Functions.
You could wrap the Admin SDK in an API endpoint that you can call from your web client code. Just be sure to check in the custom function whether the user is authorized to change the password.
I currently have admin users which have a email password login using firebase auth. These admin users have read and write access as set in security rules. I want to give the admin the ability to dynamically create subusers with limited access i.e with only read access for a certain node in firebase database. This node is not public accessible, I want to limit it to this admin and it's subusers.
My thought : is to generate secondary users username and password myself. And use that to do a basic custom Auth using firebase functions and add custom claims such as Admins UID so I can use that for security rules to give read permission for the Admin Node Only and another {sub-user: true} claim to the client to render subuser ui instead of the Admin UI.
If there is another method to achieve creating sub-accounts more efficiently, please suggest so.
On my application users are provisioned and delete by the admin. The documentation states that auth.removeUser requires an ID and password. Of course the admin user doesn't know its users passwords. Is there a way for the admin user to get permission to delete users?
Note that Firebase Simple Login is a separate service built on top of Firebase Authentication, intended to simplify authenticating users and generating Firebase Auth. Tokens for use in Security Rules.
All that said, if you log in to Firebase Forge (at https://<your-firebase>.firebaseio.com) and select the Auth tab, you can add or remove email / password users under the Email & Password button.