
GCP - Compute Engine to Storage per group/user access ACL with custom Auth system

I've built a simple messaging application with NodeJS on GCP that, at the moment, consists of a single compute engine instance. I'm using this to learn the stack and how GCP sits together.

My application has its own user/password registration system and allows users to message each other in 'groups'. These groups can consist of 1...n users and one user is responsible for adding/removing users from a group. They can do this at any time.

I want to allow the users to upload pics and ideally I will then store them in Google Storage. But I want to make sure that only users in a room where an image is uploaded can view that file. I know that GCP makes use of IAM roles etc. but with the authentication being in my system am I expected to update IAM policies every time via the API? In a scaled solution would this work?

My initial thought is that I should do the authentication at an app level. E.g. my Compute Engine instance can talk to Storage so when a user requests to view an image by its url - such as example.com/uploads/:id

I then validate that the current user can view the upload with id :id and if they can, then serve the image from the app. Would this work? Would it be compatible with utilising Google CDN? Is there a preferred solution for doing something like this, bearing in mind I'm not using firebase (which I understand can use access tokens for auth) but I'm using my own authentication based on username/password combos with sessions?

So it looks like I actually have 2 options here.

I can use signed urls https://cloud.google.com/storage/docs/access-control/signed-urls#signed-urls and grant temporary access to the files to the users in question. I would just need to regenerate this whenever required.

My second option (even though I said I don't want to migrate) is to use Firebase Auth. I wasn't aware it actually supported email/password migration and validation and is actually free regardless of number of users. The only thing I'm not sure on here is how Storage is configured with relation to my current GCP project.

For examples of sharing and collaboration scenarios that involve setting bucket and object ACLs, you may take a look at Sharing and Collaboration. As you mentioned and also noted here, you can create a service that authenticates users and redirects them to a URL signed by a service account and this solution helps the scaling amount of users as well.

You must give Cloud CDN permission to read the objects by adding the Cloud CDN service account to Cloud Storage's ACLs for restricting the users on reading the objects.

I should also add that Cloud Storage is integrated with Firebase and you may acquire Firebase Security Rules for Cloud Storage to authenticate and authorize the users.

