How could I change firestore security rules in Datastore Mode?

First of all, I apologize for my lack of English proficiency and my lack of Google Cloud-related development experience. I am a junior software engineer from a non-English-speaking culture and currently have no knowledge of the issues I face.

I'm currently using the Firestore database in Datastore mode in Google Cloud, and I am trying to modify these security rules:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
  }
}

But I can't edit security rules in the Google Cloud console. So I tried to use the Firebase Console or CLI, but I couldn't access the project in Datastore mode. For example, the CLI generates the following error:

[It looks like this project is using Cloud Datastore or Cloud Firestore in Datastore mode. The Firebase CLI can only manage projects using Cloud Firestore in Native mode. For more information, visit https://cloud.google.com/datastore/docs/firestore-or-datastore]


I looked for a solution through Googling and found a post with a problem similar to the one I faced.

https://stackoverflow.com/questions/77327909/unable-to-set-firestore-rules-for-firestore-native-data... 

The answer to that question was that using the CLI or API, rather than the Firebase Console, seemed to be the only solution. The problem is, I haven't found a way to fix this problem using Google Cloud's own console.

I looked up related documents and tutorials on Google and YouTube, but I couldn't find a valid solution. Maybe I just didn't find it, but I think I won't be able to solve this problem with my current abilities, so I am asking this question.

Please Help 😢

ACCEPTED SOLUTION

Firestore in Datastore mode offers compatibility with the older Datastore service but does not support the granular, document-level security rules that are available in Firestore in Native mode. Instead, access control is managed exclusively through IAM, which operates at the project and service level rather than at the individual document level.

IAM

  • IAM Roles: Assign predefined IAM roles such as roles/datastore.user (read-write access), roles/datastore.viewer (read-only access), and roles/datastore.owner (full administrative access) to users or service accounts. This approach provides broader, but less granular, permissions compared to Firestore security rules.
  • Management Tools: Use the Google Cloud Console (navigate to "IAM & Admin" > "IAM") or the gcloud CLI to manage IAM policies effectively.

Differences from Native Firestore:

  • No Firestore Security Rules: Commands like gcloud firestore security-rules update are not applicable in Datastore mode because security rules are not supported.
  • No Emulator or Rules Playground: These testing tools, which are available for Firestore in Native mode, are not available in Datastore mode. Testing IAM policies typically involves applying them directly and observing their effects in the operational environment.

Additional Considerations:

  • Granularity: If your application requires fine-grained, document-level permissions, Firestore in Native mode is the appropriate choice.
  • Migration: Migrating from Datastore mode to Native mode involves significant planning and effort, especially for large datasets. It's important to carefully evaluate the benefits and challenges associated with such a migration.

Example (gcloud CLI):

gcloud projects add-iam-policy-binding your-project-id \
    --member='user:jane@example.com' \
    --role='roles/datastore.user'

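Since Datastore mode has no per-document rules, the practical check is to find out who holds a role that grants datastore.entities.* permissions on the project, because every such principal can read (or write) every entity. The script below is an added example, not code from the thread or from Google: it parses a policy in the shape produced by `gcloud projects get-iam-policy PROJECT_ID --format=json` and flags bindings a reviewer would question. The role-to-access mapping and the sample policy (principals, project name, condition) are the example's own assumptions; verify the mapping against `gcloud iam roles describe ROLE` for your project.

```python
"""Audit IAM bindings for a Firestore-in-Datastore-mode project.

Added example, not part of the original thread. Input has the shape of
`gcloud projects get-iam-policy PROJECT_ID --format=json`.
"""
import json

# Predefined roles ASSUMED (for this example) to carry entity-level access.
# Check the current permission lists with `gcloud iam roles describe ROLE`.
WRITE_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/datastore.owner",
    "roles/datastore.user",
}
READ_ROLES = {
    "roles/viewer",
    "roles/datastore.viewer",
}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample policy; the principals and project are not real.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner",
         "members": ["user:admin@example.com"]},
        {"role": "roles/datastore.user",
         "members": ["serviceAccount:api@example-project.iam.gserviceaccount.com",
                     "user:jane@example.com"]},
        {"role": "roles/datastore.viewer",
         "members": ["allAuthenticatedUsers"]},
        {"role": "roles/datastore.viewer",
         "members": ["group:analysts@example.com"],
         "condition": {"title": "Office hours",
                       "expression": "request.time.getHours('UTC') >= 9"}},
        {"role": "roles/logging.viewer",
         "members": ["user:ops@example.com"]},
    ],
    "etag": "BwX0example=",
    "version": 3,
})


def datastore_access(policy_json):
    """Map each member to the strongest entity access its roles grant.

    Returns {member: {"level": "read"|"write",
                      "roles": [...], "conditional_roles": [...]}}.
    Members whose roles carry no entity access (per the mapping above)
    are omitted.
    """
    policy = json.loads(policy_json)
    access = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role in WRITE_ROLES:
            level = "write"
        elif role in READ_ROLES:
            level = "read"
        else:
            continue
        for member in binding.get("members", []):
            entry = access.setdefault(
                member, {"level": "read", "roles": [], "conditional_roles": []})
            entry["roles"].append(role)
            if "condition" in binding:
                entry["conditional_roles"].append(role)
            if level == "write":
                entry["level"] = "write"
    return access


def findings(access):
    """Return (severity, member, detail) tuples for bindings worth questioning."""
    issues = []
    for member, info in sorted(access.items()):
        if member in PUBLIC_MEMBERS:
            # No document-level rules exist to narrow this down.
            issues.append(("CRITICAL", member,
                           f"{info['level']} access to every entity for {member}"))
        elif member.startswith("user:") and info["level"] == "write":
            issues.append(("WARN", member,
                           "human account with write access; application traffic "
                           "should use a dedicated service account"))
        if info["conditional_roles"]:
            # IAM conditions see request/resource attributes, not entity fields.
            issues.append(("INFO", member,
                           "conditional binding; conditions cannot filter on entity "
                           "contents and are no substitute for security rules"))
    return issues


if __name__ == "__main__":
    import sys
    # Pipe a real policy in; with no stdin, the constructed sample is audited.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_POLICY
    for severity, member, detail in findings(datastore_access(text)):
        print(f"{severity:8} {member}: {detail}")
```

Run it against a real project with `gcloud projects get-iam-policy PROJECT_ID --format=json | python audit_datastore_iam.py` (the file name is the example's own). Anything reported as CRITICAL means every entity in the database is readable by the listed principal, which is exactly the situation the `allow read, write: if false;` rule above was meant to prevent in Native mode.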
