solid_fuel 3 days ago
That implies that every service has a `user -> permissions` table, no? That seems to contradict the idea brought up elsewhere in the thread that microservices should all be the size of one table.
whstl 20 hours ago | parent
Well, depends on the permission model. For RBAC or capability-based permissions, the gateway can enrich the request or it can be in (e.g.) a JWT. Then each service only has to know how to map roles/capabilities to permissions. For ABAC it depends on lots of things, but you often evaluate access based on user attributes and context (which once again can be added to the request or go into the JWT) plus resource attributes (which are already in the microservice anyway). For ACL you would need a list of users indeed... Something like Google Zanzibar can theoretically live on the gateway and apply rules to different routes. Dunno how it would deal with lists, though. After writing it down: sounds like an awful lot of work for a lot of cases. Btw: the rule for microservices that I know of is that they must have their own database, not their own table.
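Added example (not from either commenter) of the RBAC-in-a-JWT pattern described above: an assumed gateway issues an HS256 JWT carrying the user's roles, and a service holds only its own role-to-permission map, rejecting tampered, expired or malformed tokens before mapping. The secret, role names and permission strings are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # placeholder key shared by gateway and service
ROLE_PERMISSIONS = {                 # this service's own role -> permission map
    "viewer": {"order:read"},
    "editor": {"order:read", "order:update"},
    "admin":  {"order:read", "order:update", "order:delete"},
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, roles: list, ttl: int = 300, now=None) -> str:
    """Gateway side: sign header.payload with HMAC-SHA256 (constructed issuer)."""
    now = time.time() if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": sub, "roles": roles, "exp": int(now + ttl)}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token: str, now=None) -> dict:
    """Service side: return claims only if alg, signature and expiry all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse alg=none or algorithm switching
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)):
        raise ValueError("bad signature")   # payload edited after signing
    claims = json.loads(unb64url(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def permissions_for(claims: dict) -> set:
    # Roles this service does not know grant nothing; the map stays local.
    return set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in claims.get("roles", [])))

def authorize(token: str, required: str, now=None) -> bool:
    """True only for a verified token whose mapped permissions include `required`."""
    try:
        return required in permissions_for(verify_token(token, now))
    except ValueError:
        return False
```

Note that only the service consults `ROLE_PERMISSIONS`, so the gateway never needs a per-user permissions table, which is the point the comment makes.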