
Question

In a system there may be data that is restricted in nature. Sometimes access to specific entities should be easily restricted or granted based on user or group membership.

What is the best way to implement this in a microservice architecture?

Should access control, managing permissions, etc. be the responsibility of the microservice itself? Developers will have to implement access control and store and update permissions for every service. This seems like a not very robust and error-prone approach.

Create a dedicated microservice handling permission management? This service would be called by other microservices to check access permissions for each entity and to filter entities before returning results. Centralized permission storage and management is an advantage, but a microservice would have to make a call to the "Permission Service" for each entity to check access rights, which may have a negative influence on performance. And developers still have to integrate access checks into their services, which leaves space for error.

Make access control the responsibility of the API Gateway or Service Mesh. It is possible to think of an implementation that would automatically filter the responses of all services. But in the case where a microservice returns a list of entities, permissions should be checked for each entity. Still a potential performance problem.

Consider the following synthetic example: a healthcare system dealing with test results, X-ray images, etc. Health information is very sensitive and should not be disclosed.

Test results should be available only to:

  • Patient
  • Doctor
  • Laboratory

The attending doctor may send the patient to another specialist. The new doctor should have access to the test results too. So access can be granted dynamically.

So each entity (e.g. test result, X-ray image) has a set of rules defining which users and groups are allowed to access it.

Imagine there is a microservice called "Test Results Service" dealing with test results. Should it be responsible for access control, managing permissions, etc.? Or should permission management be extracted to a separate microservice?

The healthcare system may also handle visits to a doctor. Information about a patient's visit to the doctor should be available to:

  • Patient
  • Doctor
  • Clinic receptionist

This is an example of a different entity type that requires entity-level access restriction based on user or group membership.

It is easy to imagine even more examples where entity-level access control is required.

Answer

I came to the following generic solution.

  1. An ACL security model is used. Each object in the system has an associated set of permissions. The permissions define who can perform which actions on the object.
  2. Microservices are responsible for entity-level authorization and filter the objects in their responses based on the objects' permissions.
  3. A central Access Control Service is responsible for the creation, update, and deletion of permissions for all objects in the system. The Access Control Service database is the primary store of the objects' permissions.
  4. Permissions stored in the microservices' databases are synchronized with the Access Control Service database using event-carried state transfer. Every time permissions are changed, an event is sent to the message broker. Microservices can subscribe to these events to synchronize permissions.
  5. The API Gateway can be used as an additional protection layer. The API Gateway can call the Access Control Service directly (RPC) to check the permissions of response objects or to load recently revoked permissions.

Design characteristics:

  1. A way to uniquely identify every object in the system is required (e.g. UUID).
  2. Permission synchronization in the microservices is eventually consistent. If there is a partition between the message broker and a microservice, permissions will be out of sync. Revoking permissions can be a problem. Solving this problem is a separate topic.
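As an added example (not part of the original question or answer), here is a sketch in Python of points 1, 2 and 4 above: the Test Results Service keeps a local ACL replica, applies grant and revoke events published by the Access Control Service, and filters a response list entity by entity. The event fields, the "user:"/"group:" principal naming, and all identifiers are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEvent:
    """Permission change published by the Access Control Service (assumed shape)."""
    object_id: str   # unique id of the entity, e.g. a UUID (assumption)
    principal: str   # "user:<id>" or "group:<name>" (assumed convention)
    action: str      # e.g. "read"
    granted: bool    # False means the permission was revoked

class LocalAcl:
    """Microservice-side replica of object permissions, fed by events."""
    def __init__(self):
        self._acl = {}   # object_id -> set of (principal, action)

    def apply(self, ev: AclEvent) -> None:
        entry = self._acl.setdefault(ev.object_id, set())
        key = (ev.principal, ev.action)
        if ev.granted:
            entry.add(key)
        else:
            entry.discard(key)

    def allowed(self, object_id, user, groups, action="read") -> bool:
        # Default deny: an unknown object or an empty entry yields False.
        entry = self._acl.get(object_id, set())
        principals = {f"user:{user}", *(f"group:{g}" for g in groups)}
        return any((p, action) in entry for p in principals)

def filter_results(acl, results, user, groups):
    """Drop every entity the caller may not read before returning the list."""
    return [r["id"] for r in results if acl.allowed(r["id"], user, groups)]

def demo():
    acl = LocalAcl()
    # Constructed sample data: two test results for patient alice.
    results = [{"id": "tr-1", "value": "HbA1c 5.4%"}, {"id": "tr-2", "value": "X-ray 03"}]
    for p in ("user:alice", "user:bob", "group:lab"):   # patient, doctor, lab
        acl.apply(AclEvent("tr-1", p, "read", True))
    acl.apply(AclEvent("tr-2", "user:alice", "read", True))
    before = filter_results(acl, results, "carol", ["doctors"])    # []
    # Doctor bob refers alice to specialist carol: a grant event arrives.
    acl.apply(AclEvent("tr-1", "user:carol", "read", True))
    after = filter_results(acl, results, "carol", ["doctors"])     # ["tr-1"]
    # Referral ends: the revoke event removes carol's access again.
    acl.apply(AclEvent("tr-1", "user:carol", "read", False))
    revoked = filter_results(acl, results, "carol", ["doctors"])   # []
    lab = filter_results(acl, results, "tech-7", ["lab"])          # ["tr-1"]
    return before, after, revoked, lab

if __name__ == "__main__":
    print(demo())
```

Until the revoke event is consumed, the replica still returns the old answer; that window is the eventual-consistency gap the answer's second design characteristic refers to.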


10-20 00:06