Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
P
P
Petr Kozlovsky2020-06-29 13:55:29
Java
Petr Kozlovsky, 2020-06-29 13:55:29

How to synchronize change of roles/privileges in microservice architecture?

At the moment I am using the standard Spring Cloud components:
Discovery, Config, Gateway, but I think even here the technology stack will not be so important as understanding how to correctly organize privilege synchronization when microservices are used.
There is relatively speaking user-service, cart/order, etc. The flow of requests at the moment is as follows:

  1. If there is no JWT token / the validity time has expired, go through the gateway to the user-service for the token, sending your credits.
  2. With this token, go to the desired service through gateway.

In my case, the gateway does not do any checks for the token at all, it just proxies requests and is used as a single entry point.
Each service, without requests to the user, checks the validity of the JWT with the public key that was specified in their config at startup.
Now the point. The problem now is that all microservices depend on one common component, where there is an Enum - Privilege. Its approximate content:
  • ORDER_VIEW
  • ORDER_EDIT

And in some service I prescribe antMatcher in SecurityConfig with this Enum and the endpoint that I want to protect.
Problems:
  1. If the user-service generated a JWT token with this privilege in the form of an enam, then when trying to deserialize it with another microservice, when it has not yet been updated taking into account the change in the enam class, it will simply crash on deserialization. This is by the way that you need to somehow get rid of common components so that they are independent.
  2. If we get a lot of privileges, it turns out that the token grows in size and we will drive traffic back and forth with each request. Although I think here enam is not the root cause, but the fact that the privilege is written as a string.
  3. We added an antMatcher to the conditional order-service with the /api/v2/orders endpoint with the ORDERS_EDIT privilege, how to push these user-service changes to its database? coordinate between teams?


And in general, I would like to hear what problems may arise with this authorization flow, which I described above.
https://ordina-jworks.github.io/microservices/2017...
read a post like this using oauth2. From what I read about problems numbered 2 and 3, I did not find answers there, and the idea is strange, why check the JWT token in the uaa server on every request? It slows down the entire system as a whole.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

0 answer(s)
Similar questions
H
HudiDudi2015-05-02 21:25:16
How to handle old links when migrating a project? 4Reply
L
Leks22019-04-04 09:50:21
How to check if a youtube video exists? 2Reply
R
ratatyq2016-11-07 20:29:47
Is there a library that accepts certain data from the device (android) for the nodejs server? 1Reply
T
tadius2019-04-04 21:48:13
Android. Where to store mutable string resources? 2Reply
N
nano_e_t_42016-11-08 15:01:34
How to change the listener? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question