Firestore emulator: PERMISSION_DENIED

[sgammon]

[REQUIRED] Environment info

firebase-tools: 6.10.0

Platform: macOS

[REQUIRED] Test case

This will take a moment, brb

[REQUIRED] Steps to reproduce

1. Setup a Java project with the Firestore gcloud SDK, or the Firebase Admin SDK. Either way, make sure you're on the newest Firestore release. In Gradle, for us, that's:

  compile group: 'com.google.cloud', name: 'google-cloud-firestore', version: '1.6.0'

2. Install the latest gcloud SDK locally. Gcloud reports the following for gcloud --version:

Google Cloud SDK 248.0.0
alpha 2019.05.17
app-engine-go 
app-engine-java 1.9.74
app-engine-python 1.9.85
beta 2019.05.17
bq 2.0.43
cloud-build-local 
cloud-datastore-emulator 2.1.0
cloud-firestore-emulator 1.4.6
cloud_sql_proxy 
core 2019.05.24
docker-credential-gcr 
emulator-reverse-proxy 
gsutil 4.38
pubsub-emulator 2019.04.26

3. Write up a rules file for local emulator access to Firestore. Try your hardest to make it fully open - i.e. allow all traffic for basic testing.

rules_version = '2';

service cloud.firestore {
  match /databases/{database} {
    allow read, write: if true;

    match /{document=**} {
      allow read, write: if true;
    }
  }
}

4. Try to runlistDocuments() on a query, receive the following exception:

com.google.cloud.firestore.FirestoreException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Metadata operations require admin authentication.
	at com.google.cloud.firestore.FirestoreException.apiException(FirestoreException.java:79)
	at com.google.cloud.firestore.CollectionReference.listDocuments(CollectionReference.java:140)
       [... lots of user code...]

5. Think to yourself, okay, I'll play this dumb credentials game. So you load up your JSON service account key file, and inject the credentials into the Firestore adapter, like you do for production access to Firestore:

    public static @Provides FirestoreOptions getFirestoreOptions() {
      // [... lots of prep ...]
      if (emulator) {
        final CredentialsProvider adminCreds = FixedCredentialsProvider.create(googleCreds);
        opts.setCredentials(googleCreds);
        opts.setCredentialsProvider(credentialsProvider);
        return opts.build();
      }
      return opts.build();
    }

6. Run it again. Observe the following exception, because the emulator isn't running via TLS, we see that the request is rejected again, this time because you cannot use credentials over a plaintext connection:

Caused by: com.google.api.gax.rpc.UnauthenticatedException: io.grpc.StatusRuntimeException: UNAUTHENTICATED: Credentials require channel with PRIVACY_AND_INTEGRITY security level. Observed security level: NONE
	at com.google.api.gax.rpc.ApiExceptionFactory.createException(ApiExceptionFactory.java:73)

[REQUIRED] Expected behavior

It should be possible to run queries on the local emulator for Firestore.

[REQUIRED] Actual behavior

Because of this catch-22 error setup, I don't believe there is a way to run queries on the local emulator for Firestore, at least not queries that involve "metadata."

[sgammon]

It is also worth saying that running the emulator with no rules produces the same exception for listDocuments:

com.google.cloud.firestore.FirestoreException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: Metadata operations require admin authentication.

	at com.google.cloud.firestore.FirestoreException.apiException(FirestoreException.java:79)
	at com.google.cloud.firestore.CollectionReference.listDocuments(CollectionReference.java:140)

[abeisgoat]

Hey @sgammon,

Thanks for this report. @ryanpbrewster can you shed some light on if this is expected behavior?

[ryanpbrewster]

It is indeed expected behavior. You will need to be authenticated as an admin. The upside is that it's actually much simpler than authenticating against prod firestore: all you need to do is pass in an "Authorization: Bearer owner" header. The bearer "owner" is accepted by the emulator for all projects.

If you're familiar with @google-cloud/firestore you should be able to use the Admin SDK like so:

const grpc = require("@grpc/grpc-js");
const Firestore = require("@google-cloud/firestore");
const firestore = new Firestore({
  projectId: 'firestore-emulator-sample',
  servicePath: 'localhost',
  port: 8080,
  sslCreds: grpc.credentials.createInsecure(),
  customHeaders: {
    "Authorization": "Bearer owner"
  }
});

[ryanpbrewster]

The REST API looks like

curl "localhost:8080/v1/projects/example-project-name/databases/(default)/documents:listCollectionIds" \
  -X POST \
  -H 'Authorization: Bearer owner'

Out of curiosity, which SDK are you using here? Based on the stack trace it looks like Java?

[sgammon]

I'm using Java (via the Maven dependencies for gcloud, not firebase-admin), but this does look easy and I'll give it a shot. Injecting headers is rather hard in the Java client but I believe there is a facility to do it alongside the code I mentioned for injecting credentials.

[sgammon]

It also wouldn't be too hard to implement this as a CredentialProvider in gax or what not. That would be super helpful, if you could point me in the right direction I'd be happy to file a PR or an issue in the right repo (because that's way closer to general Google APIs Java than it is Firebase, if I'm not mistaken).

Thank you btw for the quick reply Firebase team :)

edit: @ryanpbrewster feel free to close as wontfix once you reply.

[ryanpbrewster]

I think the repo you want is https://github.com/googleapis/google-cloud-java. If you file an issue there, our SDK team can take a closer look.

I implemented this in the Node Admin SDK in googleapis/nodejs-firestore#654, which effectively bypasses the gax credential loop.

[sgammon]

@ryanpbrewster sorry to check back in, but i've tried to inject the specified header and i'm having trouble getting it working with gax.

essentially, i've tried setting the HeaderProvider, and i've tried adding an interceptor manually to the channel in setChannelConfigurator (both on InstantiatingGrpcChannelProvider in gax).

Any ideas about how I might actually get that header in? short of the approach i mentioned earlier, which involves extending gax with a CredentialProvider?

[sgammon]

@ryanpbrewster if you could link me to some java tests somewhere that inject that token, that would be sufficient too, probably. thank you again for your help

[sgammon]

@ryanpbrewster sorry to blow up this thread, lol. but i found some tests, and they use NoCredentials like i was using before :(

https://github.com/googleapis/google-cloud-java/blob/master/google-cloud-clients/google-cloud-firestore/src/test/java/com/google/cloud/firestore/v1/FirestoreClientTest.java#L99

[ryanpbrewster]

Got it working, a bit hackily: https://gist.github.com/ryanpbrewster/aef2a5c411a074819c8d7b67be80621c

LMK if that's enough to get you going