New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FirestoreOptions.setHost causes PERMISSION_DENIED errors from Firestore Emulator #190
Comments
Hi @icoloma, I tried to reproduce the PERMISSION_DENIED error you ran into but wasn't able to do so. I tried a number of different methods ( The code I tested with: import com.google.cloud.firestore.CollectionReference;
import com.google.cloud.firestore.DocumentReference;
import com.google.cloud.firestore.Firestore;
import com.google.cloud.firestore.FirestoreOptions;
import com.google.common.collect.ImmutableMap;
import java.util.concurrent.ExecutionException;
public final class FirestoreConnect {
public static void main(String[] args) throws ExecutionException, InterruptedException {
Firestore fs = FirestoreOptions.getDefaultInstance()
.toBuilder()
.setProjectId("something")
.build()
.getService();
var doc1 = fs.collection("coll").document("doc1");
var set = doc1
.set(ImmutableMap.of("field", "value"));
var setResult = set.get();
System.out.printf(" setResult = %s%n", setResult.getUpdateTime());
Iterable<CollectionReference> colls = fs.listCollections();
for (CollectionReference coll : colls) {
System.out.printf("coll.getPath() = %s%n", coll.getPath());
Iterable<DocumentReference> docs = coll.listDocuments();
for (DocumentReference doc : docs) {
System.out.printf(" doc.getPath() = %s%n", doc.getPath());
}
}
var documentSnapshot = doc1.get().get();
System.out.println("coll/doc1.data = " + documentSnapshot.getData());
var deleteResult = doc1.delete().get();
System.out.println(" deleteResult = " + deleteResult.getUpdateTime());
}
} And the output when I ran it:
When running my program I set the Can you provide any more details about what types of operations you are trying to perform? |
Hi @BenWhitehead, thanks for giving this a look. It seems that the exception is triggered when using import com.google.cloud.firestore.CollectionReference;
import com.google.cloud.firestore.DocumentReference;
import com.google.cloud.firestore.Firestore;
import com.google.cloud.firestore.FirestoreOptions;
import com.google.common.collect.ImmutableMap;
import java.util.concurrent.ExecutionException;
public class IssueRepro {
public static void main(String[] args) throws ExecutionException, InterruptedException {
Firestore fs = FirestoreOptions.getDefaultInstance()
.toBuilder()
.setProjectId("foobar")
// uncomment this line
//.setHost("localhost:9000")
.build()
.getService();
CollectionReference coll = fs.collection("coll");
var doc1 = coll.document("doc1");
var set = doc1.set(ImmutableMap.of("field", "value")).get();
Iterable<DocumentReference> docs = coll.listDocuments();
for (DocumentReference doc : docs) {
System.out.printf(" doc.getPath() = %s%n", doc.getPath());
}
doc1.delete();
}
} When I uncomment the line I get the |
Wow that's subtle, thanks for narrowing down the difference. I'm going to change the name of this issue to reflect it's a config error in the service builder. |
@icoloma I guess you need to use local Sample Code : import com.google.api.gax.core.FixedCredentialsProvider;
import com.google.api.gax.grpc.InstantiatingGrpcChannelProvider;
import com.google.auth.Credentials;
import com.google.cloud.firestore.CollectionReference;
import com.google.cloud.firestore.DocumentReference;
import com.google.cloud.firestore.Firestore;
import com.google.cloud.firestore.FirestoreOptions;
import com.google.common.collect.ImmutableMap;
import java.io.IOException;
import java.net.URI;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ExecutionException;
public class IssueRepro {
private static final String PROJECT_ID = "project-id";
private static final String HOST = "127.0.0.1:8000";
public static void main(String[] args) throws ExecutionException, InterruptedException, IOException, ClassNotFoundException {
Firestore fs = FirestoreOptions.getDefaultInstance()
.toBuilder()
.setProjectId(PROJECT_ID)
.setHost(HOST)
.setChannelProvider(
InstantiatingGrpcChannelProvider.newBuilder()
.setEndpoint(HOST)
.setChannelConfigurator(input -> {
input.usePlaintext();
return input;
}).build())
.setCredentialsProvider(FixedCredentialsProvider.create(new FakeCredentials()))
.setCredentials(new FakeCredentials())
.setHeaderProvider(() -> ImmutableMap.of("Authorization", "Bearer owner"))
.build()
.getService();
CollectionReference coll = fs.collection("coll");
var doc1 = coll.document("doc1");
var set = doc1.set(ImmutableMap.of("field", "value")).get();
Iterable<DocumentReference> docs = coll.listDocuments();
for (DocumentReference doc : docs) {
System.out.printf(" doc.getPath() = %s%n", doc.getPath());
}
doc1.delete();
}
static class FakeCredentials extends Credentials {
private final Map<String, List<String>> HEADERS =
ImmutableMap.of("Authorization", Arrays.asList("Bearer owner"));
@Override
public String getAuthenticationType() {
throw new IllegalArgumentException("Not supported");
}
@Override
public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException {
return HEADERS;
}
@Override
public boolean hasRequestMetadata() {
return true;
}
@Override
public boolean hasRequestMetadataOnly() {
return true;
}
@Override
public void refresh() {
}
}
} Output:
|
This leaves some questions open:
"Admin permissions" sounds like a common case for any tests planning to clean up the database afterwards. Maybe add a specific flag in Thanks for the workaround, I can use this. |
@icoloma Thanks for filling this issue, i think everything is setup in existing Code : package com.google.cloud.firestore;
import com.google.cloud.ServiceOptions;
import com.google.common.collect.ImmutableMap;
import java.util.concurrent.ExecutionException;
public class Test {
private static final String PROJECT_ID = "project-id";
private static final String HOST = "localhost:8000";
public static void main(String[] args) throws ExecutionException, InterruptedException {
Firestore fs =
FirestoreOptions.getDefaultInstance()
.toBuilder()
.setProjectId(PROJECT_ID)
.setHost(HOST)
.build()
.getService();
CollectionReference coll = fs.collection("coll");
DocumentReference doc1 = coll.document("doc1");
WriteResult set = doc1.set(ImmutableMap.of("field", "value")).get();
Iterable<DocumentReference> docs = coll.listDocuments();
for (DocumentReference doc : docs) {
System.out.printf(" doc.getPath() = %s%n", doc.getPath());
}
doc1.delete();
}
} Output :
|
The original code that I assume @icoloma tried by setting the host to The complexity of how the Firestore client is bootstrapped is very high, and is something I am actively looking at seeing if it can be simplified (including other clients as well like Datastore). When using the Firestore emulator, the intention is that the client is functioning as with admin level permissions to allow automatic index creations while developing. Everything @icoloma lists in #190 (comment) is correct, and needs to be accounted for in the fix. For now, the workaround I recommend is "When using the emulator, only use the environment variable not I hope to have a more straightforward solution in the future, but don't yet have an estimated timeframe. |
This change allows users who want to try to manually configured FirestoreOptions for an emulator to be able to leverage the credentials we use when boostrapping via environment variable. * Rename FakeCredentials to EmulatorCredentials * Make EmulatorCredentials static * Move from inner class of FirestoreOptions.Builder to inner class of FirestoreOptions Related to #190
🤖 I have created a release \*beep\* \*boop\* --- ## [2.0.0](https://www.github.com/googleapis/java-firestore/compare/v1.35.2...v2.0.0) (2020-08-14) ### New Features #### Query Partition API New API and backend RPC which allows for fetching a set of cursor keys for a Collection Group Query. Accessible via the new [`CollectionGroup#getPartitions(long,ApiStreamObserver)`](https://googleapis.dev/java/google-cloud-firestore/2.0.0/com/google/cloud/firestore/CollectionGroup.html#getPartitions-long-com.google.api.gax.rpc.ApiStreamObserver-) method. #### Read-Only Transaction Options [`TransactionOptions`](https://googleapis.dev/java/google-cloud-firestore/2.0.0/com/google/cloud/firestore/TransactionOptions.html) has been refactored to provide the ability to configure options for read-only transactions along with the existing configuration for read-write transactions. This new ability is provided via the new [`TransactionOptions.createReadOnlyOptionsBuilder()`](https://googleapis.dev/java/google-cloud-firestore/2.0.0/com/google/cloud/firestore/TransactionOptions.html#createReadOnlyOptionsBuilder--) type safe builder. Along with the new type safe builder for read-only options, there is a new type safe builder for read-write options as well accessible via [`TransactionOptions.createReadWriteOptionsBuilder()`](https://googleapis.dev/java/google-cloud-firestore/2.0.0/com/google/cloud/firestore/TransactionOptions.html#createReadWriteOptionsBuilder--). Each of the existing `TransactionOptions.create(...)` methods for configuring read-write options has been deprecated in favor of the new builder. #### EmulatorCredentials `com.google.cloud.firestore.FirestoreOptions.Builder.FakeCredentials` has been made static and renamed to `com.google.cloud.firestore.FirestoreOptions.EmulatorCredentials` allowing instantiation outside `FirestoreOptions.Builder`. When connecting to the Cloud Firestore Emulator via `FirestoreOptions` rather than the environment variable `FIRESTORE_EMULATOR_HOST`, a custom credential implementation must be specified to allow various admin operations in the emulator. Previously this required users to create their own implementation due to it not being possible to construct a `FakeCredential`. As part of this change, `EmulatorCredentials` is static and therefore able to be constructed from any location. ### Breaking Changes #### New Firestore Admin Client API Artifact The Cloud Firestore Admin Client has been migrated to its own maven artifact `com.google.cloud:google-cloud-firestore-admin` rather than being bundled in `com.google.cloud:google-cloud-firestore`. All packages and classes have retained their existing names. The new artifact is included in the `com.google.cloud:google-cloud-firestore-bom`, `com.google.cloud:google-cloud-bom` and `com.google.cloud:libraries-bom` artifacts and is accessible by adding the new dependency to your `pom.xml` file: ```xml <dependency> <groupId>com.google.cloud</groupId> <artifactId>google-cloud-firestore-admin</artifactId> </dependency> ``` #### Removal of v1beta1 Cloud Firestore has been GA for some time now, and the `google-cloud-firestore` code base has been using the protos and generated classes for the v1 api since that time. As such, we will no longer be publishing artifacts for the deprecated v1beta1 protos. All functionality from v1beta1 is present in v1, and all users should update any code to use v1. #### Removal of support for `java.util.Date` in Snapshots It is no longer possible to configure the ability for `java.util.Date` to be returned from `DocumentSnapshot.get(FieldPath)` or `DocumentSnapshot.getData()` for properties which are stored as Timestamps in Cloud Firestore. The default behavior has been to return `com.google.cloud.Timestamp` by default for some time, and is now the only option. Any code that is dependent on the old behavior must be updated to use Timestamps instead of Date. ### Laundry List of Pull Requests #### ⚠ BREAKING CHANGES * add support for the Query Partition API (#202) * `Firestore#collectionGroup(...)` has a new return type `CollectionGroup` which requires any code that previously used the method be re-compiled to pick up the new signature. `CollectionGroup` extends `Query` and as such does not require your code to be updated, only the compiled class files. * move FirestoreAdminClient and associated classes to new artifact google-cloud-firestore-admin (#311) * remove deprecated v1beta1 protos and grpc client (#305) * remove deprecated FirestoreOptions#setTimestampsInSnapshotsEnabled (#308) * remove deprecated getCollections() methods (#307) * various renames due to generator changes #### Features * add support for read-only transactions in TransactionOptions ([#320](https://www.github.com/googleapis/java-firestore/issues/320)) ([c25dca3](https://www.github.com/googleapis/java-firestore/commit/c25dca3ed6ca0c156ec60569ebc9f3a481bd4fee)) * add support for the Query Partition API ([#202](https://www.github.com/googleapis/java-firestore/issues/202)) ([3996548](https://www.github.com/googleapis/java-firestore/commit/39965489cbc836af573e500d57007c88241d7eb6)) #### Bug Fixes * refactor FakeCredentials ([#325](https://www.github.com/googleapis/java-firestore/issues/325)) ([269e62c](https://www.github.com/googleapis/java-firestore/commit/269e62c6b8031d48e7f2e282b09b5ffcfadae547)), closes [#190](https://www.github.com/googleapis/java-firestore/issues/190) #### Dependencies * update dependency com.google.cloud:google-cloud-shared-dependencies to v0.8.5 ([#322](https://www.github.com/googleapis/java-firestore/issues/322)) ([1b21350](https://www.github.com/googleapis/java-firestore/commit/1b21350c0bc4a21cee2b281f944cbd061b1f8898)) * update dependency com.google.cloud:google-cloud-shared-dependencies to v0.8.6 ([#324](https://www.github.com/googleapis/java-firestore/issues/324)) ([b945fdb](https://www.github.com/googleapis/java-firestore/commit/b945fdb04da76a1e007d012c809449c5a43bb990)) * update jackson dependencies to v2.11.2 ([#314](https://www.github.com/googleapis/java-firestore/issues/314)) ([15d68cd](https://www.github.com/googleapis/java-firestore/commit/15d68cd93ac1fd206895fd37155a9ba82b9196ca)) #### Miscellaneous Chores * enable gapicv2 ([#188](https://www.github.com/googleapis/java-firestore/issues/188)) ([92224bc](https://www.github.com/googleapis/java-firestore/commit/92224bcd52aa88cc6eb1da28747de0535d776a0f)) * move FirestoreAdminClient and associated classes to new artifact google-cloud-firestore-admin ([#311](https://www.github.com/googleapis/java-firestore/issues/311)) ([03ef755](https://www.github.com/googleapis/java-firestore/commit/03ef755dd164e6f1ec749f3f985b913b5ae23d14)) * remove deprecated FirestoreOptions#setTimestampsInSnapshotsEnabled ([#308](https://www.github.com/googleapis/java-firestore/issues/308)) ([7255a42](https://www.github.com/googleapis/java-firestore/commit/7255a42bcee3a6938dd5fafaef3465f948f39600)) * remove deprecated getCollections() methods ([#307](https://www.github.com/googleapis/java-firestore/issues/307)) ([bb4ddf1](https://www.github.com/googleapis/java-firestore/commit/bb4ddf1ce3cc3bd2e06a4ad5097bd18060e4467b)) * remove deprecated v1beta1 protos and grpc client ([#305](https://www.github.com/googleapis/java-firestore/issues/305)) ([96adacb](https://www.github.com/googleapis/java-firestore/commit/96adacbf52ace27e54b7a210d7c73b46922fbcbd)) * add BulkWriter ([#323](https://www.github.com/googleapis/java-firestore/issues/323)) ([e7054df](https://www.github.com/googleapis/java-firestore/commit/e7054df79b4139fdfd0cc6aa0620fbfa1a10a6b0)) * make BulkWriter package private ([#330](#330)) ([ef0869a](ef0869a)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please).
See for initial discussion: #319 Fixes #319, #210. Relates to #190. Similar issues in other SDKs: googleapis/google-cloud-go#1978, firebase/firebase-admin-node#776.
🤖 I have created a release \*beep\* \*boop\* --- ## [2.1.0](https://www.github.com/googleapis/java-firestore/compare/v2.0.0...v2.1.0) (2020-09-10) ### Features * add method to set emulator host programmatically ([#319](https://www.github.com/googleapis/java-firestore/issues/319)) ([#336](https://www.github.com/googleapis/java-firestore/issues/336)) ([97037f4](https://www.github.com/googleapis/java-firestore/commit/97037f42f76e9df3ae458d4e2b04336e64b834c3)), closes [#210](https://www.github.com/googleapis/java-firestore/issues/210) [#190](https://www.github.com/googleapis/java-firestore/issues/190) * add opencensus tracing support ([#360](https://www.github.com/googleapis/java-firestore/issues/360)) ([edaa539](https://www.github.com/googleapis/java-firestore/commit/edaa5395be0353fb261d954429c624623bc4e346)) * add support for != and NOT_IN queries ([#350](https://www.github.com/googleapis/java-firestore/issues/350)) ([68aff5b](https://www.github.com/googleapis/java-firestore/commit/68aff5b406fb2732951750f3d5f9768df6ee12b5)) * generate protos to add NOT_EQUAL, NOT_IN, IS_NOT_NAN, IS_NOT_NULL query operators ([#343](https://www.github.com/googleapis/java-firestore/issues/343)) ([3fb1b63](https://www.github.com/googleapis/java-firestore/commit/3fb1b631f8dd087f0f3e1c43363e9642f497993a)) ### Bug Fixes * **samples:** re-add maven exec config for Quickstart sample ([#347](https://www.github.com/googleapis/java-firestore/issues/347)) ([4c2329b](https://www.github.com/googleapis/java-firestore/commit/4c2329bf89ffab4bd3060e16e1cf231b7caf4653)) * add support to deserialize to custom Lists and Maps ([#337](https://www.github.com/googleapis/java-firestore/issues/337)) ([dc897e0](https://www.github.com/googleapis/java-firestore/commit/dc897e00a85e745f57f615460b29d17b7dd247c6)) ### Dependencies * update dependency com.google.cloud:google-cloud-shared-dependencies to v0.9.0 ([#352](https://www.github.com/googleapis/java-firestore/issues/352)) ([783d41e](https://www.github.com/googleapis/java-firestore/commit/783d41e167c7c79957faeeebd7a76ab72b5b157d)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please).
Seems to me #319 will have resolved this. |
I'm seeing a PERMISSION DENIED message when trying to clean my test data using
collection.listDocuments()
:This error has been reported before as firebase-tools#1363. The workaround that is mentioned in the referenced issue is not working for me. I have tried three variants of the same thing:
setCredentials()
,setCredentialsProvider()
andsetHeaderProvider()
.It seems that some of these settings are being ignored by
com.google.cloud.firestore.spi.v1.GrpcFirestoreRpc
when the URL points tolocalhost
.The expected behavior would be a documented way to get admin permissions on the emulator, preferably through the
Options
object. Failing that, this workaround should work, and maybe makepublic static FirestoreOptions.FakeCredentials
instead of justpublic
(as is now), so it can be used by others.The text was updated successfully, but these errors were encountered: