this question has been on my mind for several months now. In very simple terms, pretty much any SaaS that operates B2B will be required to isolate user-generated files (PDFs, Images, Documents) between tenants. If a user from "Company A" uploads a PDF to the SaaS, only members of "Company A" should be able to read/see this file. Seems pretty basic.
However, I can’t seem to find any information on how to design a system like this on a high, architectural level. Without going into the specifics of a cloud provider, my understanding is that IAM rules are usually meant for members of the organization that provides the service (so the company selling the SaaS), not for their end users. Another option, pre-signed URLs, seem like they are not truly secure, since sharing the link will grant access to anyone, even if not part of "Company A".
I know of a single service that can authorize storage bucket access down to an individual object, and that is Google’s Firestore (Storage Rules). How do they do it?!? Is there a reverse proxy that checks for valid auth and looks up the access that user has been granted before "tunneling back" the response?
TLDR: On a system design level, how does Firebase’s Storage Rules enable object-level authorization for objects? Is it a reverse proxy to a private bucket that auths the user, checks permission to the requested file and sends back the data via the proxy? This seems like powerful proxies are needed to serve all incoming requests.
2
Answers
Firebase servers do not use a reverse proxy. They serve objects directly from the storage bucket after evaluating the conditions you’ve set in the Storage Rules.
You really shouldn’t have to worry about using proxies at all. If you have on-premises data you need to access consider using a VPN behind the application. However object-level storage rules are the better choice as you have more control and security down to the object level.
A common approach is to not use the AWS root user.
For more basic apps, one would just
AmazonS3FullAccess(or limiting even more to just the bucket)That’s the user one uses to access the S3 bucket for all of the existing users in that app (which means your guess is partially correct).
Also, generally speaking, to access the file, what one does is to use an S3 URL along with
AWSAccessKeyId,SignatureandExpires. So users can’t access it without the extra parameters or after the expiration time.When it comes to multitenant applications, it’s also possible to
So, this way you can ensure that only users with that specific IAM role can access objects in the bucket that have a specific prefix.
First, one has to understand we’re dealing with Object storage (as opposed to Block or File storage). Check here for a Storage systems overview.
In that same article, Alex Xu mentions that
In addition to placing the offerings in the same level of storage type, Xu also has an article where he explains how an S3-like storage system work.