Connect to Cloud Firestore in DataStore mode from Java

Question


I'm migrating a Java microservice running on App Engine from DataStore to Cloud Firestore in Datastore mode and having problems connecting to the new database. I find the documentation confusing, but am working on the following basis (quoted from this)

> Setting database permissions
> By default, your app has all the permissions required to read and write to Datastore mode and Firestore databases in your Google Cloud project.
>
> To manage these permissions, each App Engine app uses a default service account that gives full read and write access to Datastore mode and Firestore databases in the same project as the app. You can change the permissions of the default service account, but your app may lose access unless you assign an IAM role with the required permissions.

I found the default service account in IAM and generated the key and used the following code to initialise the FirebaseApp

    InputStream serviceAccount = this.getClass().getResourceAsStream("/toolbox-firebase-adminsdk-jbx2a-31651a7510.json");

    try {
        FirebaseOptions options = new FirebaseOptions.Builder()
                .setCredentials(GoogleCredentials.fromStream(serviceAccount))
                .setDatabaseUrl("https://toolbox.firebaseio.com")
                .build();
        FirebaseApp.initializeApp(options);

    } catch (IOException e) {
        throw new RuntimeException(e);
    }

This code seems to execute properly, but when I try to access the database I get the following permissions error

> [INFO] GCLOUD: com.google.cloud.datastore.DatastoreException: Missing or insufficient permissions.
> [INFO] GCLOUD: 	at com.google.cloud.datastore.spi.v1.HttpDatastoreRpc.translate(HttpDatastoreRpc.java:128)
> [INFO] GCLOUD: 	at com.google.cloud.datastore.spi.v1.HttpDatastoreRpc.translate(HttpDatastoreRpc.java:113)
> [INFO] GCLOUD: 	at com.google.cloud.datastore.spi.v1.HttpDatastoreRpc.lookup(HttpDatastoreRpc.java:163)
> [INFO] GCLOUD: 	at com.google.cloud.datastore.DatastoreImpl$3.call(DatastoreImpl.java:392)
> [INFO] GCLOUD: 	at com.google.cloud.datastore.DatastoreImpl$3.call(DatastoreImpl.java:389)
> [INFO] GCLOUD: 	at com.google.api.gax.retrying.DirectRetryingExecutor.submit(DirectRetryingExecutor.java:105)
> [INFO] GCLOUD: 	at com.google.cloud.RetryHelper.run(RetryHelper.java:76)

The service account that I am using has the following permissions

  • Cloud Datastore Owner
  • Cloud Datastore User
  • Editor

Any help in fixing this is greatly appreciated.

Answer 1

Score: 0


The default App Engine Standard Service Account is:

    gcloud iam service-accounts list | grep appspot.gserviceaccount.com
    App Engine default service account   your-project@appspot.gserviceaccount.com

This service account already has the Editor role, and your app has all the permissions required to read and write to Datastore mode and Firestore databases in your Google Cloud project.

Therefore you do not need to create a key.json file and initialize your credentials from this file.

For App Engine Standard

> If your application runs on App Engine standard environment, you can
> use the App Engine App Identity API to obtain credentials.
>
> After you set up a service account, ADC can implicitly find your
> credentials without any need to change your code, as described in the
> section above. If you want to specifically use App Engine credentials,
> you can explicitly do so, as shown in the following code example.

#EDIT

If your code runs on Firebase App and not App Engine Standard, I think you should not use the default App Engine Service Account. You should create a new service account with Editor role and generate the key.json file.
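As an added example (not code from the question, the answer, or the quoted documentation), one way to build the Datastore client from Application Default Credentials and see which identity it acts as, with no exported key file in the application. The stack trace above comes from the `com.google.cloud.datastore` client, which takes its credentials from its own `DatastoreOptions`. The project ID, kind and key name are placeholder assumptions.

```java
import com.google.auth.ServiceAccountSigner;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.datastore.Datastore;
import com.google.cloud.datastore.DatastoreException;
import com.google.cloud.datastore.DatastoreOptions;
import com.google.cloud.datastore.Entity;
import com.google.cloud.datastore.Key;
import java.io.IOException;

public class DatastoreAdcCheck {
    // Assumed placeholders, not values from the original post.
    private static final String PROJECT_ID = "your-project";
    private static final String KIND = "HealthCheck";
    private static final String KEY_NAME = "probe";

    public static void main(String[] args) throws IOException {
        // ADC: on App Engine this resolves to the app's runtime service account,
        // so no key.json has to be generated or bundled with the application.
        GoogleCredentials credentials = GoogleCredentials.getApplicationDefault();

        // Report the identity the client will act as, when the credential type exposes it.
        if (credentials instanceof ServiceAccountSigner) {
            System.out.println("Acting as: " + ((ServiceAccountSigner) credentials).getAccount());
        } else {
            System.out.println("Credential type: " + credentials.getClass().getName());
        }

        // The credentials are handed to the Datastore client itself.
        Datastore datastore = DatastoreOptions.newBuilder()
                .setProjectId(PROJECT_ID)
                .setCredentials(credentials)
                .build()
                .getService();

        Key key = datastore.newKeyFactory().setKind(KIND).newKey(KEY_NAME);
        try {
            // A single lookup, the same RPC that fails in the stack trace.
            Entity entity = datastore.get(key);
            System.out.println(entity == null
                    ? "Lookup allowed; entity not found"
                    : "Lookup allowed; entity found");
        } catch (DatastoreException e) {
            // Surface the reason so a permission failure can be tied to the identity printed above.
            System.err.printf("Datastore call failed: code=%d reason=%s message=%s%n",
                    e.getCode(), e.getReason(), e.getMessage());
            System.exit(1);
        }
    }
}
```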

huangapple
  • Published on March 15, 2020, 19:00:03
  • When reposting, please keep the link to this article: https://java.coder-hub.com/60692159.html