All geek questions in one place

How an authorization service implements property checks in a role-based microservice architecture

Say I have three types of users in a blogging application.

  • Author (may modify his own posts, but not others)
  • Administrator (can change all messages)
  • Reader (cannot change any messages)

To manage this system, I want to have three main services:

  • An API gateway that displays all API clients will consume, constructing services as needed.
  • A messaging service that provides CRUD operations for blog posts (including information about who owns which posts)
  • The authorization service , which stores roles and permissions, exposes an API that accepts an array of roles (the roles that the user requests) and an array of permissions (permissions required to access the API) and determines whether the entered roles will cover all entered permissions.

Now what I'm struggling with is ownership of the resource (and where ownership should be verified).

Without interacting with other services, how the authorization service will determine whether the user should have access to what they have, not knowing how to determine whether the user owns this resource.

I came up with several different solutions to this problem, although I am not completely satisfied with any of them.

  • The API gateway will request another service that manages the messages to determine if the requesting user has a message that they are trying to access, which means that there is authorization logic that occurs outside the authorization service.
  • The blog post management service will handle ownership-based authorization, which also means that the authorization logic happens outside the authorization service, as well as the fact that unauthorized requests are marked as allowed at the initial stage (since they will still go through the authorization service)
  • The authorization service may be provided with knowledge on how to verify ownership, the API should be able to say whether to verify ownership along with permissions. This would add complexity to the authorization service and increase the interservice communication, which I would assign to the API gateway as much as possible, since this should be the main service staff.

Look for ideas on alternative methods or what might be the best solution to this problem.

+5
source share
1 answer

Since it is externalized, the authorization service should be as dumb as possible. Sometimes “authorization” based on business logic and data can become very complex. I think the business logic belongs to the service responsible for managing it. In addition, the API gateway will probably need to give the client ownership status anyway (from the service that manages these blog posts?) So that customers can know what to show. Therefore, keep authorization simple and encapsulate more complex business checks to see what can be done in the service itself.

An alternative is to strengthen the authorization service to accept another parameter, in this case the owner status. An API gateway or other permission to verify the service (Blog Post Manager?) Can first obtain ownership status from the service, knowing about the business of ownership, and then use an authorization service that provides the role and status of the owner. Permission rules would (optionally) be based on both the role and the true / false indicator. The authorization service does not know what true / false means, so that the Edit Message permission is granted for the Reader role + indicator = true, and for the Administrator role + indicator = false or the Administrator role + indicator = true and t .d.

0
source

Source: https://habr.com/ru/post/1272172/

More articles:


All Articles