Security Rules in Firebase (and RBAC in general)

Take home HW goal:

• Make yourself a user in your project
• Make some other users in your project
• Give yourself the role of ADMIN
• Allow any ADMIN to change the role of any other user
• Do NOT allow any other user to change roles (unless they become an admin)

Role-Based Access Control (RBAC)

TLDR: a ROLE grants the right to VERB this NOUN, and a USER has many ROLES

You can find whole books written about RBAC and set theoretical implementations of it.

I've given that kind of lecture in the past... but I suspect it's like describing the thermodynamics of wind before you go fly a kite.

More Formal RBAC Notes

A classical RBAC system ends up with functions roughly named like this:

• Add/Delete User
• Add/Delete Role
• Assign/Deassign User
• Grant/Revoke Permission
• Create/Delete Session
• Add/Drop ActiveRole
• CheckAccess
• Assigned Users/Roles
• Role/User Permissions
• Session Roles/Permissions
• Role/User OperationsOnObject

Firebase .read .write rules

Basics

Specifics

So a natural question is can you restrict the access of a user to REVOKE the right to:

• CREATE a new message
• UPDATE a specific message
• DESTROY a particular message
• READ a specific message
• All of the above but where message is replaced with "channel" or maybe "user"

Here is a firebase "CREATE" but not update:

$data_id : {".write": "!data.exists() || !newData.exists()"}

Interesting enough, but we need to play with it.

Make a firebase project and make a key "testing": {"stuff": "here"}. Now click rules, and put in the rules found in the following gist (the C but not U rule). Now use the simulator to test writing to /testing/stuff then writing to /testing/stuff2 and observe the difference.

Lovely Flag

Two rights make a wrong

See the Pen Flag Auth by Andy Novocin (@AndyNovo) on CodePen.