Thanks to Gautham Ramachandran I came to the following generic solution.
- An ACL security model is used. Each object in the system has an associated set of permissions. The permissions define who can perform which actions on the object.
- Microservices are responsible for entity-level authorization and filter the objects in their responses based on those objects' permissions.
- A central Access Control Service is responsible for creating, updating, and deleting the permissions of all objects in the system. The Access Control Service's database is the primary store of objects' permissions.
- Permissions stored in microservice databases are synchronized with the Access Control Service database using event-carried state transfer: every time permissions change, an event carrying the new state is published to the message broker, and microservices subscribe to these events to update their local copy.
- The API Gateway can be used as an additional protection layer. It can call the Access Control Service directly (RPC) to check the permissions of the objects in a response, or load the recently revoked permissions and filter the response against them.
Design features:
- A way to uniquely identify each object in the system is required (e.g. UUID).
- Permission synchronization in microservices is eventually consistent. If a microservice is partitioned from the message broker, its local permissions will not be updated, which is mainly a problem for revocation: the service keeps granting access that has already been revoked. The solution to this problem is a separate topic.
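To make the moving parts concrete, here is a small in-memory simulation of the design above. This is an added example, not code from the original answer: the Access Control Service owns the ACL and publishes a `PermissionChanged` event on every change, a document microservice keeps a synchronized copy of the ACL and filters its responses with it, and the API Gateway re-checks the response against the Access Control Service directly (the RPC variant of the gateway check). The broker's `partitioned` set simulates the eventual-consistency caveat: a service that misses a revocation keeps returning the object, and the gateway catches it. All class, method, and field names are assumptions made for this example.

```python
"""Added example: ACL synchronized via event-carried state transfer.
Names (AccessControlService, DocumentService, ApiGateway, ...) are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from uuid import uuid4


@dataclass(frozen=True)
class PermissionChanged:
    """Event-carried state transfer: the event carries the full new permission set."""
    version: int
    object_id: str
    principal: str
    actions: frozenset  # empty frozenset means the permission was revoked


class Broker:
    """Minimal pub/sub. Subscribers in `partitioned` do not receive events."""
    def __init__(self):
        self._subscribers = []
        self.partitioned = set()

    def subscribe(self, subscriber):
        self._subscribers.append(subscriber)

    def publish(self, event):
        for subscriber in self._subscribers:
            if subscriber not in self.partitioned:
                subscriber.on_permission_changed(event)


class AccessControlService:
    """Primary store of every object's permissions; publishes each change."""
    def __init__(self, broker):
        self._broker = broker
        self._acl = defaultdict(dict)  # object_id -> principal -> frozenset(actions)
        self._version = 0

    def _change(self, object_id, principal, actions):
        self._version += 1
        event = PermissionChanged(self._version, object_id, principal, frozenset(actions))
        if event.actions:
            self._acl[object_id][principal] = event.actions
        else:
            self._acl[object_id].pop(principal, None)
        self._broker.publish(event)
        return event

    def grant(self, object_id, principal, actions):
        return self._change(object_id, principal, actions)

    def revoke(self, object_id, principal):
        return self._change(object_id, principal, ())

    def is_allowed(self, object_id, principal, action):
        """Direct (RPC-style) check against the primary store."""
        return action in self._acl[object_id].get(principal, frozenset())


class DocumentService:
    """Owns documents; applies the synchronized ACL copy when building responses."""
    def __init__(self, broker):
        self._docs = {}
        self._acl = defaultdict(dict)  # local copy, updated from events
        broker.subscribe(self)

    def on_permission_changed(self, event):
        if event.actions:
            self._acl[event.object_id][event.principal] = event.actions
        else:
            self._acl[event.object_id].pop(event.principal, None)

    def create(self, title):
        object_id = str(uuid4())  # globally unique id, as the design requires
        self._docs[object_id] = title
        return object_id

    def list_for(self, principal):
        """Entity-level authorization: only objects the principal may read."""
        return {oid: title for oid, title in self._docs.items()
                if "read" in self._acl[oid].get(principal, frozenset())}


class ApiGateway:
    """Additional layer: drops response objects the primary store no longer allows."""
    def __init__(self, acs, service):
        self._acs = acs
        self._service = service

    def list_for(self, principal):
        docs = self._service.list_for(principal)
        return {oid: title for oid, title in docs.items()
                if self._acs.is_allowed(oid, principal, "read")}


def scenario():
    """Constructed scenario: a revocation is lost while the service is partitioned."""
    broker = Broker()
    acs = AccessControlService(broker)
    docs = DocumentService(broker)
    gateway = ApiGateway(acs, docs)

    roadmap = docs.create("Roadmap")
    payroll = docs.create("Payroll")
    acs.grant(roadmap, "alice", {"read"})
    acs.grant(payroll, "alice", {"read", "write"})
    before = set(docs.list_for("alice"))         # both, via the synced ACL copy

    broker.partitioned.add(docs)                 # service stops receiving events
    acs.revoke(payroll, "alice")
    stale = set(docs.list_for("alice"))          # service still returns Payroll
    enforced = set(gateway.list_for("alice"))    # gateway filters it out
    return before, stale, enforced, roadmap, payroll


if __name__ == "__main__":
    print(scenario())
```

The gateway check is only as fresh as the Access Control Service it calls, which is the point: the microservice's copy may lag behind the primary store, so the gateway consults the primary store for the objects that actually leave the system.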