I need to design an authorization scheme for an application based on micro-services architecture.
I will focus on 3 micro-services to define the problem.
- API Gateway Service
- Projects Service - handles project metadata information like (project_id, name, description ...)
- Billing Service - handles project billing process and saves (project_id, billing_information)
The current authorization model requires RBAC and ACL (Resource based) where each user has defined set of roles (ADMIN, Project Manager, etc) and also there can be a definition of which user can access which project by it's ID (Project Manager X can access projects 1,2 but not 3,4)
Number of questions:
- Who's responsibility to manage the ACL of the project? which user can access which project? (assuming that you can have a lot of projects)
- How the authorization should be verified when user tries to access the Project service or the Billing service when supplying a project_id?
Saw some solution suggestions that a centralized micro-service should be added to run this operation and it should propagate it's information to other services for performance reasons (for example if a user wants to fetch all the relevant projects he can see - this will be much faster if the Project service will join the authorization information in his service). This may raise a problem where new ACL objects will be added and the authorization object will start to grow.
Other say that this should be handled on the micro-service level - but then who is eventually responsible for the ACL? if it's the Projects micro-service, so when the billing service needs to authorize - should it call Projects micro-service?
