skip to Main Content

this question has been on my mind for several months now. In very simple terms, pretty much any SaaS that operates B2B will be required to isolate user-generated files (PDFs, Images, Documents) between tenants. If a user from "Company A" uploads a PDF to the SaaS, only members of "Company A" should be able to read/see this file. Seems pretty basic.

However, I can’t seem to find any information on how to design a system like this on a high, architectural level. Without going into the specifics of a cloud provider, my understanding is that IAM rules are usually meant for members of the organization that provides the service (so the company selling the SaaS), not for their end users. Another option, pre-signed URLs, seem like they are not truly secure, since sharing the link will grant access to anyone, even if not part of "Company A".

I know of a single service that can authorize storage bucket access down to an individual object, and that is Google’s Firestore (Storage Rules). How do they do it?!? Is there a reverse proxy that checks for valid auth and looks up the access that user has been granted before "tunneling back" the response?

TLDR: On a system design level, how does Firebase’s Storage Rules enable object-level authorization for objects? Is it a reverse proxy to a private bucket that auths the user, checks permission to the requested file and sends back the data via the proxy? This seems like powerful proxies are needed to serve all incoming requests.

2

Answers


  1. Firebase servers do not use a reverse proxy. They serve objects directly from the storage bucket after evaluating the conditions you’ve set in the Storage Rules.

    You really shouldn’t have to worry about using proxies at all. If you have on-premises data you need to access consider using a VPN behind the application. However object-level storage rules are the better choice as you have more control and security down to the object level.

    Login or Signup to reply.
  2. However, I can’t seem to find any information on how to design a system like this on a high, architectural level. Without going into the specifics of a cloud provider, my understanding is that IAM rules are usually meant for members of the organization that provides the service (so the company selling the SaaS), not for their end users. Another option, pre-signed URLs, seem like they are not truly secure, since sharing the link will grant access to anyone, even if not part of "Company A".

    A common approach is to not use the AWS root user.

    For more basic apps, one would just

    1. Create an IAM group using only the built-in policy AmazonS3FullAccess (or limiting even more to just the bucket)
    2. Create a user and adds the user to that group.

    That’s the user one uses to access the S3 bucket for all of the existing users in that app (which means your guess is partially correct).

    Also, generally speaking, to access the file, what one does is to use an S3 URL along with AWSAccessKeyId, Signature and Expires. So users can’t access it without the extra parameters or after the expiration time.

    When it comes to multitenant applications, it’s also possible to

    1. Create an IAM role for each tenant.
    2. Create a bucket policy to allow your app Tenants to access it.
    3. Ensure that each file uploaded to S3 has an object key with your app Tenant ID prefix.

    So, this way you can ensure that only users with that specific IAM role can access objects in the bucket that have a specific prefix.


    On a system design level, how does Firebase’s Storage Rules enable object-level authorization for objects?

    First, one has to understand we’re dealing with Object storage (as opposed to Block or File storage). Check here for a Storage systems overview.

    In that same article, Alex Xu mentions that

    Most public cloud service providers have an object storage offering, such as AWS S3, Google block storage, and Azure blob storage.

    ByteByteGo Storage systems overview

    In addition to placing the offerings in the same level of storage type, Xu also has an article where he explains how an S3-like storage system work.

    ByteByteGo S3-like storage system

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search