借助 Admin SDK,您可以使用完全管理員權限或更細粒度的有限權限讀取和寫入實時數據庫數據。在本文檔中,我們將指導您將 Firebase Admin SDK 添加到您的項目以訪問 Firebase 實時數據庫。
管理員 SDK 設置
要開始在您的服務器上使用 Firebase 實時數據庫,您首先需要使用您選擇的語言設置 Firebase Admin SDK 。
管理員 SDK 身份驗證
在使用 Firebase Admin SDK 從服務器訪問 Firebase 實時數據庫之前,您必須使用 Firebase 對您的服務器進行身份驗證。當您對服務器進行身份驗證時,不是像在客戶端應用程序中那樣使用用戶帳戶的憑據登錄,而是使用向 Firebase 標識您的服務器的服務帳戶進行身份驗證。
使用 Firebase Admin SDK 進行身份驗證時,您可以獲得兩種不同級別的訪問權限:
| Firebase Admin SDK 授權訪問級別 | |
|---|---|
| 管理權限 | 擁有對項目實時數據庫的完整讀寫權限。謹慎使用以完成需要不受限制地訪問項目資源的管理任務,例如數據遷移或重組。 |
| 有限權限 | 訪問項目的實時數據庫,僅限於您的服務器所需的資源。使用此級別完成具有明確定義的訪問要求的管理任務。例如,在運行跨整個數據庫讀取數據的匯總作業時,您可以通過設置只讀安全規則然後使用受該規則限制的權限初始化 Admin SDK 來防止意外寫入。 |
使用管理員權限進行身份驗證
當您使用 Firebase 項目上具有編輯者角色的服務帳戶的憑據初始化 Firebase Admin SDK 時,該實例對您項目的實時數據庫具有完整的讀寫權限。
爪哇
// Fetch the service account key JSON file contents
FileInputStream serviceAccount = new FileInputStream("path/to/serviceAccount.json");
// Initialize the app with a service account, granting admin privileges
FirebaseOptions options = FirebaseOptions.builder()
.setCredentials(GoogleCredentials.fromStream(serviceAccount))
// The database URL depends on the location of the database
.setDatabaseUrl("https://DATABASE_NAME.firebaseio.com")
.build();
FirebaseApp.initializeApp(options);
// As an admin, the app has access to read and write all data, regardless of Security Rules
DatabaseReference ref = FirebaseDatabase.getInstance()
.getReference("restricted_access/secret_document");
ref.addListenerForSingleValueEvent(new ValueEventListener() {
@Override
public void onDataChange(DataSnapshot dataSnapshot) {
Object document = dataSnapshot.getValue();
System.out.println(document);
}
@Override
public void onCancelled(DatabaseError error) {
}
});
節點.js
var admin = require("firebase-admin");
// Fetch the service account key JSON file contents
var serviceAccount = require("path/to/serviceAccountKey.json");
// Initialize the app with a service account, granting admin privileges
admin.initializeApp({
credential: admin.credential.cert(serviceAccount),
// The database URL depends on the location of the database
databaseURL: "https://DATABASE_NAME.firebaseio.com"
});
// As an admin, the app has access to read and write all data, regardless of Security Rules
var db = admin.database();
var ref = db.ref("restricted_access/secret_document");
ref.once("value", function(snapshot) {
console.log(snapshot.val());
});
Python
import firebase_admin
from firebase_admin import credentials
from firebase_admin import db
# Fetch the service account key JSON file contents
cred = credentials.Certificate('path/to/serviceAccountKey.json')
# Initialize the app with a service account, granting admin privileges
firebase_admin.initialize_app(cred, {
'databaseURL': 'https://databaseName.firebaseio.com'
})
# As an admin, the app has access to read and write all data, regradless of Security Rules
ref = db.reference('restricted_access/secret_document')
print(ref.get())
去
ctx := context.Background()
conf := &firebase.Config{
DatabaseURL: "https://databaseName.firebaseio.com",
}
// Fetch the service account key JSON file contents
opt := option.WithCredentialsFile("path/to/serviceAccountKey.json")
// Initialize the app with a service account, granting admin privileges
app, err := firebase.NewApp(ctx, conf, opt)
if err != nil {
log.Fatalln("Error initializing app:", err)
}
client, err := app.Database(ctx)
if err != nil {
log.Fatalln("Error initializing database client:", err)
}
// As an admin, the app has access to read and write all data, regradless of Security Rules
ref := client.NewRef("restricted_access/secret_document")
var data map[string]interface{}
if err := ref.Get(ctx, &data); err != nil {
log.Fatalln("Error reading from database:", err)
}
fmt.Println(data)
使用有限權限進行身份驗證
作為最佳實踐,服務應該只能訪問它需要的資源。要更精細地控制 Firebase 應用實例可以訪問的資源,請在您的安全規則中使用唯一標識符來表示您的服務。然後設置適當的規則,授予您的服務對其所需資源的訪問權限。例如:
{
"rules": {
"public_resource": {
".read": true,
".write": true
},
"some_resource": {
".read": "auth.uid === 'my-service-worker'",
".write": false
},
"another_resource": {
".read": "auth.uid === 'my-service-worker'",
".write": "auth.uid === 'my-service-worker'"
}
}
}
然後,在您的服務器上,當您初始化 Firebase 應用程序時,使用databaseAuthVariableOverride選項覆蓋數據庫規則使用的auth對象。在此自定義auth對像中,將uid字段設置為您在安全規則中用於表示您的服務的標識符。
爪哇
// Fetch the service account key JSON file contents
FileInputStream serviceAccount = new FileInputStream("path/to/serviceAccountCredentials.json");
// Initialize the app with a custom auth variable, limiting the server's access
Map<String, Object> auth = new HashMap<String, Object>();
auth.put("uid", "my-service-worker");
FirebaseOptions options = new FirebaseOptions.Builder()
.setCredential(FirebaseCredentials.fromCertificate(serviceAccount))
// The database URL depends on the location of the database
.setDatabaseUrl("https://DATABASE_NAME.firebaseio.com")
.setDatabaseAuthVariableOverride(auth)
.build();
FirebaseApp.initializeApp(options);
// The app only has access as defined in the Security Rules
DatabaseReference ref = FirebaseDatabase
.getInstance()
.getReference("/some_resource");
ref.addListenerForSingleValueEvent(new ValueEventListener() {
@Override
public void onDataChange(DataSnapshot dataSnapshot) {
String res = dataSnapshot.getValue();
System.out.println(res);
}
});
節點.js
var admin = require("firebase-admin");
// Fetch the service account key JSON file contents
var serviceAccount = require("path/to/serviceAccountKey.json");
// Initialize the app with a custom auth variable, limiting the server's access
admin.initializeApp({
credential: admin.credential.cert(serviceAccount),
// The database URL depends on the location of the database
databaseURL: "https://DATABASE_NAME.firebaseio.com",
databaseAuthVariableOverride: {
uid: "my-service-worker"
}
});
// The app only has access as defined in the Security Rules
var db = admin.database();
var ref = db.ref("/some_resource");
ref.once("value", function(snapshot) {
console.log(snapshot.val());
});
Python
import firebase_admin
from firebase_admin import credentials
from firebase_admin import db
# Fetch the service account key JSON file contents
cred = credentials.Certificate('path/to/serviceAccountKey.json')
# Initialize the app with a custom auth variable, limiting the server's access
firebase_admin.initialize_app(cred, {
'databaseURL': 'https://databaseName.firebaseio.com',
'databaseAuthVariableOverride': {
'uid': 'my-service-worker'
}
})
# The app only has access as defined in the Security Rules
ref = db.reference('/some_resource')
print(ref.get())
去
ctx := context.Background()
// Initialize the app with a custom auth variable, limiting the server's access
ao := map[string]interface{}{"uid": "my-service-worker"}
conf := &firebase.Config{
DatabaseURL: "https://databaseName.firebaseio.com",
AuthOverride: &ao,
}
// Fetch the service account key JSON file contents
opt := option.WithCredentialsFile("path/to/serviceAccountKey.json")
app, err := firebase.NewApp(ctx, conf, opt)
if err != nil {
log.Fatalln("Error initializing app:", err)
}
client, err := app.Database(ctx)
if err != nil {
log.Fatalln("Error initializing database client:", err)
}
// The app only has access as defined in the Security Rules
ref := client.NewRef("/some_resource")
var data map[string]interface{}
if err := ref.Get(ctx, &data); err != nil {
log.Fatalln("Error reading from database:", err)
}
fmt.Println(data)
在某些情況下,您可能希望縮小 Admin SDK 的範圍以充當未經身份驗證的客戶端。您可以通過為數據庫 auth 變量覆蓋提供null值來執行此操作。
爪哇
// Fetch the service account key JSON file contents
FileInputStream serviceAccount = new FileInputStream("path/to/serviceAccountCredentials.json");
FirebaseOptions options = new FirebaseOptions.Builder()
.setCredential(FirebaseCredentials.fromCertificate(serviceAccount))
// The database URL depends on the location of the database
.setDatabaseUrl("https://DATABASE_NAME.firebaseio.com")
.setDatabaseAuthVariableOverride(null)
.build();
FirebaseApp.initializeApp(options);
// The app only has access to public data as defined in the Security Rules
DatabaseReference ref = FirebaseDatabase
.getInstance()
.getReference("/public_resource");
ref.addListenerForSingleValueEvent(new ValueEventListener() {
@Override
public void onDataChange(DataSnapshot dataSnapshot) {
String res = dataSnapshot.getValue();
System.out.println(res);
}
});
節點.js
var admin = require("firebase-admin");
// Fetch the service account key JSON file contents
var serviceAccount = require("path/to/serviceAccountKey.json");
// Initialize the app with a null auth variable, limiting the server's access
admin.initializeApp({
credential: admin.credential.cert(serviceAccount),
// The database URL depends on the location of the database
databaseURL: "https://DATABASE_NAME.firebaseio.com",
databaseAuthVariableOverride: null
});
// The app only has access to public data as defined in the Security Rules
var db = admin.database();
var ref = db.ref("/public_resource");
ref.once("value", function(snapshot) {
console.log(snapshot.val());
});
Python
import firebase_admin
from firebase_admin import credentials
from firebase_admin import db
# Fetch the service account key JSON file contents
cred = credentials.Certificate('path/to/serviceAccountKey.json')
# Initialize the app with a None auth variable, limiting the server's access
firebase_admin.initialize_app(cred, {
'databaseURL': 'https://databaseName.firebaseio.com',
'databaseAuthVariableOverride': None
})
# The app only has access to public data as defined in the Security Rules
ref = db.reference('/public_resource')
print(ref.get())
去
ctx := context.Background()
// Initialize the app with a nil auth variable, limiting the server's access
var nilMap map[string]interface{}
conf := &firebase.Config{
DatabaseURL: "https://databaseName.firebaseio.com",
AuthOverride: &nilMap,
}
// Fetch the service account key JSON file contents
opt := option.WithCredentialsFile("path/to/serviceAccountKey.json")
app, err := firebase.NewApp(ctx, conf, opt)
if err != nil {
log.Fatalln("Error initializing app:", err)
}
client, err := app.Database(ctx)
if err != nil {
log.Fatalln("Error initializing database client:", err)
}
// The app only has access to public data as defined in the Security Rules
ref := client.NewRef("/some_resource")
var data map[string]interface{}
if err := ref.Get(ctx, &data); err != nil {
log.Fatalln("Error reading from database:", err)
}
fmt.Println(data)