I am part of development of multi-tenant cloud SaaS. Currently we have around 15 micro services. We are using mongo as backend with db per tenant as tenancy sepration. We are now trying to design rbac for the complete platform. Below are the questions I have regarding the same.
Should i have a central authz micro-service for manage my rbac autz ? a. With this if authz service fails all micro-services are affected, and platform is prone or unusable.(bad) b. Service will store roles/permissions for all the resources across the micro-services.(good) c. For every request that comes to api gw post auth will go to authz and before calling micro-service it can be rejected.(good)
Should i have a side car for each micro-service as my autz No single point of failure ... if authz fails for some service other service can continue to work.(good) Every service will have its on permissions ..(good) Auth service can store role and group info for permission it has to reach to individual service for its management (permission CRUD).(bad) Authz evaluation happens at individual service level.(not sure)
Any other approach ?
Thanks Jeet
