implementation of object level raw permissions inside microservice architecture
I have a bunch of microservices running. I have an api gateway that connect consumers to all these services. Now on some services I need to give permission to certain users ( users are stored in separate Users Service ). For example if I have a blog service I need to give blog 1, blog 2 and blog 3 view permissions only to user 1 and not to user 2 ( the scenario is acl rather than RBAC or ABAC i think, correct me if i am worng ). Now how should i implement the permission system.
For example If store the permission on each entity object inside each microservice as suggested here then each of my service has to know about users also to grant them permissions. this scenario will compel me to synchronize the users data across all microservices ( on users delete update ... ).
Another Solution is to create a separate generic authorization service to manage all services permissions. but this solution will require me to save each microservice schema ( and have to synchronize that schema on change )
Or there is any other solution. please help. how to implement ACL (authorization)
One solution would be to introduce userID into the downstream path from the gateway. So the path
GET /blogs/{blogId}
is exposed on the gateway, but this becomes
GET /blogs/{userId}/{blogId}
on the blogs microservice. The gateway handles the user's bearer token and injects the user's ID into the downstrteam call. The blogs microservice would then return the blog for a "valid" path, or a 404 if the path was not valid.
This is illustrated here:
the backend service maintains which users have access to which blogs?
The blog microservice stores and manages blogs. A blog can have an access list associated with it. That list may contain only the user who is the blog owner, or more than one user. The point is that the ACL is not centralised, but distributed with each blog's data containing it.
if a user is deleted
Then you have two choices. If the user is deleted you publish a UserDeleted event, to which the blogs service is subscribed. Then you can manage all the blogs which have the user in their ACL and remove them. Or, you can do nothing. I would personally choose the latter; one of the features of having a microservice architecture is that some data will not be consistent. If you require absolute consistency then you can have a "caretaker" process which removes deleted users out of blog ACLs. Or don't use microservices.
- Authorize attribute works in client but not in controller
- How do I resolve this bug when setting up log in authentication system in react?
- Is it a good praxis to secure an webservice endpoint with a simple token string?
- How to extend the core user schema in better-auth
- Authorization is revoked every week. How to maintain persistent authorization?
- How to lock users using Devise?
- React/Express set-cookie not working across different subdomains
- Apply Policy to Resource Controller
- Blazor Custom AuthenticationStateProvider Not Setting Cookies or Authorizing Pages
- redirecting to a specific page on auth.requires_membership failure in web2py
- Error with autowiring in WebSecurityConfiguration bean Spring boot security
- How to get user account name after Google Drive authorization?
- .Net 8.0 Blazor: Authorize with policy on Page always redirecting to non-existent Identity Access Denied page
- sending emails with laravel 9 using azure
- How to insert/update standard table AGR_USERS?
- Problem with JWT authorization in ASP.NET Core
- Navbar not showing the changed value when a state changes
- How to Access Azure Table Storage using Shared Access Key in Postman?
- Azure ShareClient: This request is not authorized to perform this operation
- How to Implement Token Validation for External Users Consuming My Public API Using Auth0?
- CakePHP: How do I access the Auth->allow action array?
- How to define the basic HTTP authentication using cURL correctly?
- ASP.NET 5 Authorize against two or more policies (OR-combined policy)
- How to disable Authentication in FastAPI based on environment?
- How to Get All Endpoints List After Startup, Spring Boot
- Freshdesk OAuth SSO: Freshdesk Login Page Doesn't Ping My Auth Page?
- Are auth code and access token exclusive to a single resource owner?
- Use http Google Cloud Functions "Require Authentication" with Firebase
- Add custom JwtBearerHandler to "AddMicrosoftIdentityWebApi" in .net7
- Access token and Refresh token best practices ? How to implement Access & Refresh Tokens