Software design
raiboon, 2021-07-11 22:31:58

How to implement list endpoint filtering for microservices based on user role?

There are already microservices, and there is a need to implement a more complex role model for access control. We need row-based permissions.
I really don't want the rights and role model to leak heavily into each of the microservices. It would be a mess, but it's impossible to think of another way.
For a single entity everything is simple: we take something like Open Policy Agent or Ory Keto, they have convenient rules, we hand them an object and they decide whether the current user can view it or not.

But with list endpoints there is no way at all; you won't load all the entities into memory and check each one. Or will you? How do you solve the pagination problem? The service returns a dozen objects, and they all get filtered out at the policy decision point?

So, after all, roles and attributes should "leak" into each microservice? But then it makes no sense at all to have a separate microservice for a centralized rights system.

I don't understand how this is implemented in microservices. I did this in a monolith, and everything is simple there: you write a small extension for the ORM, automatically add attributes to the models, and everything is magically filtered.

Ivan Shumov, 2021-07-11
@inoise

In the general case, everything is decided through ABAC. As for the list elements, you need to understand several points:
- what is the purpose of the delimitation
- what is the organization of resources
In my experience, in most cases people try to replace the organization of resources with a system of access rights. It must be understood that these are independent, but often sequential, processes.
Let's take an example: users and projects in Jira. Rights describe access to the project, but do not affect the list of projects in any way. Instead, Jira stores associations between projects and users.
You can also consider a tree structure of resources where rights can be divided by mask, for example:
/resource_type/resource_group/random_prefix*

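The pattern the answer describes (an association table between users and resources, plus path-mask grants over a resource tree) only solves the pagination problem if the policy is pushed down into the list query instead of being applied after the rows come back. The following is an added illustration, not code from the thread or from OPA/Keto; it assumes a constructed schema `projects(id, path, owner_id)` and `project_members(project_id, user_id)`, and compiles a small set of ABAC rules into a SQL `WHERE` fragment so that `COUNT`, `LIMIT` and `OFFSET` all run over the already-filtered set:

```python
"""
Row-level (ABAC) filtering for a list endpoint, pushed down into the query.

Added illustration, not code from the original thread. Assumed schema
(constructed): projects(id, path, owner_id) and project_members(project_id,
user_id), mirroring the Jira-style "associations between projects and users"
plus the path-mask idea from the answer. Uses only sqlite3 from the stdlib.
"""
import sqlite3
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    roles: set = field(default_factory=set)
    # Path masks this user may read, e.g. "/project/ops/" (prefix match).
    path_masks: list = field(default_factory=list)


def _like_prefix(prefix: str) -> str:
    """Escape LIKE metacharacters so a mask cannot widen the match."""
    escaped = prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return escaped + "%"


def policy_to_sql(user: User):
    """Compile the access policy for `user` into a SQL predicate plus params.

    Each rule contributes one disjunct; the list endpoint ORs them together so
    the database does the filtering *and* the pagination over the same set.
    """
    # Rule 1: platform admins see every row.
    if "admin" in user.roles:
        return "1=1", []
    clauses, params = [], []
    # Rule 2: owners see their own projects (attribute on the row).
    clauses.append("p.owner_id = ?")
    params.append(user.user_id)
    # Rule 3: explicit membership via the association table.
    clauses.append(
        "p.id IN (SELECT project_id FROM project_members WHERE user_id = ?)")
    params.append(user.user_id)
    # Rule 4: path-mask grants (prefix match on the resource tree).
    for mask in user.path_masks:
        clauses.append("p.path LIKE ? ESCAPE '\\'")
        params.append(_like_prefix(mask))
    return "(" + " OR ".join(clauses) + ")", params


def list_projects(conn, user: User, page: int, page_size: int):
    """Return (ids on this page, total visible count) for the user."""
    where, params = policy_to_sql(user)
    total = conn.execute(
        f"SELECT COUNT(*) FROM projects p WHERE {where}", params).fetchone()[0]
    rows = conn.execute(
        f"SELECT p.id, p.path FROM projects p WHERE {where} "
        "ORDER BY p.id LIMIT ? OFFSET ?",
        params + [page_size, (page - 1) * page_size]).fetchall()
    return [r[0] for r in rows], total


def build_demo_db():
    """Constructed sample data for the demo (not real project data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE projects(id INTEGER PRIMARY KEY, path TEXT, owner_id INTEGER);
        CREATE TABLE project_members(project_id INTEGER, user_id INTEGER);
        INSERT INTO projects VALUES
          (1, '/project/ops/alpha', 10),
          (2, '/project/ops/beta', 11),
          (3, '/project/dev/gamma', 11),
          (4, '/project/dev/delta', 12),
          (5, '/project/ops/epsilon', 12);
        INSERT INTO project_members VALUES (3, 10), (4, 13);
    """)
    return conn


if __name__ == "__main__":
    conn = build_demo_db()
    alice = User(10)                              # owns 1, member of 3
    bob = User(13, path_masks=["/project/ops/"])  # member of 4, mask grants 1, 2, 5
    print(list_projects(conn, alice, 1, 10))      # ([1, 3], 2)
    print(list_projects(conn, bob, 1, 2))         # ([1, 2], 4)
    print(list_projects(conn, bob, 2, 2))         # ([4, 5], 4)
```

The only thing that crosses the service boundary here is `policy_to_sql`: the rules (and the user's attributes, masks and memberships) can live in the central policy service, which returns a predicate rather than a per-object verdict, while each microservice keeps its own data and pagination. This is the same idea behind OPA's partial evaluation for data filtering, where the unresolved part of a policy is handed back as a query fragment instead of a yes/no.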