
Problem description

In the systems, there may be data that is restricted in nature. Sometimes access to specific entities should be easily restricted or granted based on user or group membership.

What is the best way to implement this in a microservice architecture?

Should access control, managing permissions etc. be the responsibility of the microservice itself? Developers will have to implement access control, store, and update permissions for every service. This seems like a not very robust and error-prone approach.

Create a dedicated microservice handling permission management? This service will be called by other microservices to check access permissions for each entity and filter entities before returning results. Centralized permission storage and management is an advantage, but the microservice will have to make a call to the "Permission Service" for each entity to check access rights, which may have a negative influence on performance. And developers still have to integrate access checks into their services, which leaves space for error.

Make access control the responsibility of the API Gateway or Service Mesh. It is possible to think of an implementation that will automatically filter the responses of all services. But in the case when the microservice returns a list of entities, permissions should be checked for each entity. Still a potential performance problem.

Consider the following synthetic example. A healthcare system dealing with test results, X-Ray images etc. Health information is very sensitive and should not be disclosed.

Test results should be available only to:

  • Patient
  • Doctor
  • Laboratory

The attending doctor may send the patient to another specialist. The new doctor should have access to the test results too. So access can be granted dynamically.

So each entity (e.g. test results, X-Ray image) has a set of rules stating which users and groups are allowed to access it.

Imagine there is a microservice called "Test Results Service" dealing with test results. Should it be responsible for access control, managing permissions etc.? Or should permission management be extracted to a separate microservice?

The healthcare system may also handle visits to a doctor. Information about a patient's visit to the doctor should be available to:

  • Patient
  • Doctor
  • Clinic receptionist

This is an example of a different entity type that requires entity-level access restriction based on user or group membership.

It is easy to imagine even more examples where entity-level access control is required.

Recommended answer

I came to the following generic solution.

  1. An ACL security model is used. Each object in the system has an associated set of permissions. Permissions define who can perform what actions on the object.
  2. Microservices are responsible for entity-level authorization and filter objects in responses based on the permissions of the objects.
  3. A central Access Control Service is responsible for the creation, update, and deletion of permissions for all objects in the system. The Access Control Service database is the primary store of objects' permissions.
  4. Permissions stored in microservice databases are synchronized with the Access Control Service database using event-carried state transfer. Every time permissions are changed, an event is sent to the message broker. Microservices can subscribe to these events to synchronize permissions.
  5. The API Gateway can be used as an additional protection layer. The API Gateway can call the Access Control Service directly (RPC) to check response objects' permissions or load recently revoked permissions.

Design features:

  1. A way to uniquely identify each object in the system (e.g. UUID) is required.
  2. Permission synchronization in microservices is eventually consistent. In the case of a partition between the message broker and a microservice, permissions will not be synchronized. Revoking permissions can be problematic. The solution to this problem is a separate topic.
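As an added illustration of points 1-5 above (not code from the answer's author), the following Python sketch models the Access Control Service as the primary ACL store, a message broker as an append-only list, a "Test Results Service" keeping an eventually consistent ACL replica, and the gateway's authoritative RPC check that catches a revoke the replica has not yet consumed. All object ids, principals and the `referral_scenario` walk-through are constructed sample data.

```python
from collections import namedtuple
# Event-carried state transfer message published by the Access Control Service.
PermissionEvent = namedtuple("PermissionEvent", "seq object_id principal action granted")

def apply_event(acl, ev):
    """Apply one grant/revoke to an ACL map: object_id -> {(principal, action)}."""
    perms = acl.setdefault(ev.object_id, set())
    (perms.add if ev.granted else perms.discard)((ev.principal, ev.action))

class AccessControlService:
    """Primary permission store; every change is published to the broker."""
    def __init__(self, broker):
        self.acl, self.broker, self.seq = {}, broker, 0
    def change(self, object_id, principal, action, granted):
        self.seq += 1
        ev = PermissionEvent(self.seq, object_id, principal, action, granted)
        apply_event(self.acl, ev)
        self.broker.append(ev)  # broker modelled as an append-only list
    def is_allowed(self, object_id, principals, action="read"):  # authoritative (gateway RPC)
        return any((p, action) in self.acl.get(object_id, ()) for p in principals)

class TestResultsService:
    """Owns test results plus a local ACL replica that is eventually consistent."""
    def __init__(self, results):
        self.results, self.acl, self.last_seq = results, {}, 0
    def sync(self, broker):
        for ev in broker:  # consume unseen events in order; replay is idempotent
            if ev.seq > self.last_seq:
                apply_event(self.acl, ev)
                self.last_seq = ev.seq
    def list_results(self, user, groups=()):
        """Filter the response to objects the caller may read, per the local ACL."""
        principals = {user, *(f"group:{g}" for g in groups)}
        return sorted(o for o in self.results
                      if any((p, "read") in self.acl.get(o, ()) for p in principals))

def referral_scenario():
    """Constructed walk-through: grant, referral to a second doctor, then a revoke."""
    broker, svc = [], TestResultsService({"tr-1": "blood panel", "tr-2": "x-ray"})
    acs = AccessControlService(broker)
    for principal in ("patient-1", "dr_a", "group:lab"):
        acs.change("tr-1", principal, "read", True)
    svc.sync(broker)
    acs.change("tr-1", "dr_b", "read", True)       # referral: new doctor granted
    stale = svc.list_results("dr_b")               # [] until the event is consumed
    svc.sync(broker)
    after = svc.list_results("dr_b")               # ['tr-1']
    acs.change("tr-1", "dr_b", "read", False)      # revoke; replica has not synced
    lagging = svc.list_results("dr_b")             # ['tr-1'] stale read
    gateway_ok = acs.is_allowed("tr-1", {"dr_b"})  # False: authoritative view
    return stale, after, lagging, gateway_ok
```

The `lagging` result is the revocation gap named in design feature 2; the gateway's direct check against the Access Control Service (point 5) is what closes it until the replica catches up.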


07-29 13:29