Microservices: centralized authorization versus authorization in each service

Say I have a Microservices system built using the Gateway API.

Each request, after passing through the gateway, must first be authenticated by the authentication service (firewall pattern).

But what about authorization? For example, I have 3 models and 3 services according to them in the hotel management system:

User

  • Each user can have many hotels.

Hotel

  • A hotel belongs to one user (the owner).
  • Each hotel can have many employees (also users).
  • A hotel may have many rooms.
  • For the sake of simplicity, let's pretend that an employee has the same rights as the owner of the hotel.

Room

  • A room can only belong to one hotel.
  • The owner and employees can only edit rooms in the hotels they own / work in.

An example request for editing room Y will, after authentication, carry a confirmed claim that says something like "I am user X."

To find out whether X is allowed to edit room Y, I have to send a request to the Hotel Service asking, "Is hotel Y associated with (owned / worked in by) X?"

Question: Where should I make these requests?
Have the gateway contact the Hotel Service before forwarding the client's request to the Room Service, or have the Room Service call the Hotel Service itself? When should I choose one over the other? What is the benefit of each?


In addition, this modeling seems wrong to me. All of these relationships between microservices just complicate my system. As it grows, it becomes more and more difficult for me to visualize the workflow between services. Is there a solution to this problem? A centralized relationship service that uses a graph database like Neo4j?

1 answer

TL;DR: Your problem is that you basically translate your data model into services. This is wrong; this is not how you model a microservice architecture. It is not about the data model, but about functionality. (I base this on how you formulated the question: you are not talking about functionality and responsibilities, you are talking about relationships.)

I will quickly answer the first part of your question, since I think that your problem is actually in your modeling.

About authentication and authorization

Question: Where should I make these requests? Have the gateway contact the Hotel Service before forwarding the client's request to the Room Service, or have the Room Service call the Hotel Service itself? When should I choose one over the other? What is the benefit of each?

First, in your model, the Room Service is the one that has enough context to actually resolve the request. The gateway does not have (and should not have) enough information to judge (the gateway should NOT understand anything about rooms or hotels or anything else; its task is to forward requests, not to interpret them).

Secondly, although you could have the Room Service call the Hotel Service for authorization, it is better if the Room Service does it on its own or calls another service whose responsibility is to provide authorization (that is, an authorization service).

But most importantly, this microservice architecture does not make much sense (as you described it), so the whole model is strange to work with.


Why the model is wrong

The reason this model seems wrong is because it is.

The problem with the term “micro” service is that people tend to focus on the “micro” service and forget about the “service” part. There are different ideas about what a microservice is, but a service is something that can be called on its own and provides a value that is shared between several clients of this service.

Room service does not make sense. You basically translate your data model into services. The hotel has rooms, so you determine the hotel service and room service. This is NOT what microservices are about ...

Without knowing the specific requirements of the user, it is difficult to judge, but, in my opinion, you probably do not need a microservice architecture. Just because something is the latest trend does not mean you need to solve every problem with it.

If your operations are things like "Register a new room, add photos to the room, delete photos from the room, reserve a room, etc.", you are better off just having a backend service with a simple API that allows you to do all these simple operations. Honestly, a hotel management system does not seem to be the right kind of application to build using a microservice architecture. Honestly, this is more like the traditional MVC model.

If I had to come up with a use case for a microservice for rooms, I would say that you could have a Room Service that knows about ALL rooms in all hotels. Rooms can be registered with a hotel, edited and modified. Anyone can get a list of all available rooms, filter by the available date, filter by the number of beds, etc.

Please note that we now have two or three possible clients:

  • Your front end for hotel management.
  • Your own front end for rooms.
  • Someone else's front end that uses your Room Service to search for rooms.

Please note that we have changed the system, from a hotel management system to a system that can be used to query different hotels for free rooms ... useful, but a completely different kind of user need.

So, now your service really makes sense ... and then the parts begin to fall into place.

Since you now have anonymous users (or users from outside the system), it makes no sense to go to the Hotel Service anymore (after all, the user no longer needs to manage the hotel), so why would the Hotel Service need to know?

Now, how are you going to handle the users of your system? Will there be different users for each microservice? Or will there be a single user used across all microservices? Probably the latter, so that hints at another service for authentication (or you can use OAuth2, if that fits your model, which is exactly that: a service that authenticates people).

How will you manage your permissions (your authorization)? Do you want to have a central configuration for authorization, or will each microservice have its own configuration? If the former, then you probably need another service that provides authorization to each microservice.

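The layout the answer recommends, shown as an added Python example that is not part of the original question or answer: the gateway only forwards the identity the authentication service confirmed, the Room Service resolves room to hotel (the context only it has), and the allow/deny decision is delegated to a separate authorization service that in turn asks the Hotel Service about ownership and employment. The service classes, the `X-Authenticated-User` header and every hotel, room and user are constructed assumptions for the example.

```python
"""Room-edit authorization, modelled on the question's User/Hotel/Room setup.

Added example, not code from the original post. The three "services" are
in-process classes standing in for separate microservices; all data is
constructed sample data.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Hotel:
    hotel_id: str
    owner_id: str
    employee_ids: frozenset


@dataclass(frozen=True)
class Room:
    room_id: str
    hotel_id: str
    beds: int


# Constructed sample data: alice owns hotel-1 and employs bob; carol owns hotel-2.
HOTELS = {
    "hotel-1": Hotel("hotel-1", owner_id="alice", employee_ids=frozenset({"bob"})),
    "hotel-2": Hotel("hotel-2", owner_id="carol", employee_ids=frozenset()),
}
ROOMS = {
    "room-1": Room("room-1", hotel_id="hotel-1", beds=2),
    "room-2": Room("room-2", hotel_id="hotel-2", beds=1),
}


class HotelService:
    """Owns hotel data; answers "is user X the owner of, or employed by, hotel H?"."""

    def __init__(self, hotels):
        self._hotels = hotels

    def is_owner_or_employee(self, hotel_id, user_id):
        hotel = self._hotels.get(hotel_id)
        if hotel is None:
            return False  # unknown hotel: no relationship, deny
        return user_id == hotel.owner_id or user_id in hotel.employee_ids


class AuthorizationService:
    """Central policy decision point: maps (user, action, hotel) to allow/deny.

    Per the question, an employee has the same rights as the owner for room
    edits. Any action the policy does not know is denied by default.
    """

    def __init__(self, hotel_service):
        self._hotels = hotel_service

    def is_allowed(self, user_id, action, hotel_id):
        if action == "room:edit":
            return self._hotels.is_owner_or_employee(hotel_id, user_id)
        return False


class RoomService:
    """Has the context (room -> hotel) needed to ask the right authorization question."""

    def __init__(self, rooms, authz):
        self._rooms = dict(rooms)
        self._authz = authz

    def edit_room(self, user_id, room_id, beds):
        room = self._rooms.get(room_id)
        if room is None:
            raise LookupError(f"unknown room {room_id}")
        # The decision is delegated; the Room Service only supplies the context.
        if not self._authz.is_allowed(user_id, "room:edit", room.hotel_id):
            raise PermissionError(f"{user_id} may not edit {room_id}")
        updated = replace(room, beds=beds)
        self._rooms[room_id] = updated
        return updated


def gateway_forward(headers, room_service, room_id, beds):
    """The gateway checks only that authentication happened, then forwards.

    It knows nothing about rooms or hotels; the (assumed) header name carries
    the identity the authentication service confirmed.
    """
    user_id = headers.get("X-Authenticated-User")
    if not user_id:
        raise PermissionError("request did not pass authentication")
    return room_service.edit_room(user_id, room_id, beds)


def build_system():
    """Wire the three services together over the constructed sample data."""
    return RoomService(ROOMS, AuthorizationService(HotelService(HOTELS)))


if __name__ == "__main__":
    svc = build_system()
    print(gateway_forward({"X-Authenticated-User": "bob"}, svc, "room-1", 3))
```

Note that the hotel-membership question ("is X the owner of or employed by H?") lives in the Hotel Service, while the policy that says membership grants `room:edit` lives in the authorization service; moving to the answer's second model (rooms searchable by anonymous users) changes only the policy, not the Room Service.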

Source: https://habr.com/ru/post/1012880/
