In the systems, there may be data that is restricted in nature. Sometimes access to specific entities should be easily restricted or granted based on user or group membership.
What is the best way to implement this in the microservice architecture?
Should access control, managing permissions etc. be the responsibility of the microserive itself? Developers will have to implement access control, store, and update permissions for every service. Seems like not very robust and error-prone approach.
Create dedicated microservice handling permission management? This service will be called by other microserives to check access permissions for each entity and filtering entities before returning results. Centralized permissions storage and management is an advantage but microservice will have to make a call to "Permission Service" for each entity to check access rights what may have a negative influence on performance. And developers still have to integrate access checks into their services what leaves space for an error.
Make access control responsibility of the API Gateway or Service Mesh. It is possible to think of an implementation that will automatically filter responses of all services. But in the case when the microservice returns list of entities permissions should be checked for each entity. Still a potential performance problem.
Consider the following synthetic example. Healthcare system dealing with test results, X-Ray images etc. Health information is very sensitive and should not be disclosed.
Test results should be available only to:
Attending doctor may send the patient to another specialist. A new doctor should have access to test results too. So access can be granted dynamically.
So each entity (e.g. test results, X-Ray image) has a set of rules what users and groups are allowed to access it.
Imagine there is a microservice called "Test Results Service" dealing with test results. Should it be responsible for access control, manage permissions etc.? Or permissions management should be extracted to separate microservice?
Healthcare system may also handle visits to a doctor. Information about patient's visit to the doctor should be available to:
This is the example of a different entity type that requires entity level access restriction based on user or group membership.
It is easy to imagine even more examples when entity level access control is required.
Approach #1 doesn't seem all that bad, I feel that's the way to go, when it comes to authorization at granular level, the permission's data needs to persisted under the service's DB.
Syncing data across services in general is a common problem while building microservices, and it's possible via MQs (RabbitMQ, Kafka etc..)
Use Kafka (or Xyz MQ) to stream data across services, and let the service decide, if the incoming data makes sense, which it will then, either save to it's DB, or discard it. I'm pretty sure consistency won't be a problem at all, with all the retry mechanism available.
Hope this helps!
My first thought is to avoid low level access control management. Consider to apply authorization at service model level (API endpoint). Different models represents different composition of physical entities so you can set which composition available to who.
You can create a restricted/sensitive model which contains:
And you can also create less restricted model which contains:
Each data model (composition) have its own API endpoint. Then you can apply any type of authorization logic on them. You can use an external authorization server or you can store access rights assignments in each MS while you can still use an external authentication server.
Thanks to Gautham Ramachandran I came to the following generic solution.
Design features: