Attribute Based Access Control (ABAC) in a microservices architecture for lists of resources
I am investigating options to build a system to provide "Entity Access Control" across a microservices based architecture to restrict access to certain data based on the requesting user. A full Role Based Access Control (RBAC) system has already been implemented to restrict certain actions (based on API endpoints), however nothing has been implemented to restrict those actions against one data entity over another. Hence a desire for an Attribute Based Access Control (ABAC) system.
Given the requirements of the system to be fit-for-purpose and my own priorities to follow best practices for implementations of security logic to remain in a single location I devised to creation of an externalised "Entity Access Control" API.
The end result of my design was something similar to the following image I have seen floating around (I think from axiomatics.com)
The problem is that the whole thing falls over the moment you start talking about an API that responds with a list of results.
Eg. A /api/customers endpoint on a Customers API that takes in parameters such as a query filter, sort, order, and limit/offset values to facilitate pagination, and returns a list of customers to a front end. How do you then also provide ABAC on each of these entities in a microservices landscape?
Terrible solutions to the above problem tested so far:
- Get the first page of results, send all of those to the EAC API, get the responses, drop the ones that are rejected from the response, get more customers from the DB, check those... and repeat until either you get a page of results or run out of customers in the DB. Tested that for 14,000 records (which is absolutely within reason in my situation) would take 30 seconds to get an API response for someone who had zero permission to view any customers.
- On every request to the all customers endpoint, a request would be sent to the EAC API for every customer available to the original requesting user. Tested that for 14,000 records the response payload would be over half a megabyte for someone who had permission to view all customers. I could split it into multiple requests, but then you are just balancing payload size with request spam and the performance penalty doesn't go anywhere.
- Give up on the ability to view multiple records in a list. This totally breaks the APIs use for customer needs.
- Store all the data and logic required to perform the ABAC controls in each API. This is fraught with danger and basically guaranteed to fail in a way that is beyond my risk appetite considering the domain I am working within.
Note: I tested with 14,000 records just because its a benchmark of our current state of data. It is entirely feasible that a single API could serve 100,000 or 1m records, so anything that involves iterating over the whole data set or transferring the whole data set over the wire is entirely unsustainable.
So, here lies the question... How do you implement an externalised ABAC system in a microservices architecture (as per the diagram) whilst also being able to service requests that respond with multiple entities with a query filter, sort, order, and limit/offset values to facilitate pagination.
After dozens of hours of research, it was decided that this is an entirely unsolvable problem and is simply a side effect of microservices (and more importantly, segregated entity storage).
If you want the benefits of a maintainable (as in single piece of externalised infrastructure) entity level attribute access control system, a monolithic approach to entity storage is required. You cannot simultaneously reap the benefits of microservices.
- Clean Architecture: Where to make API calls
- Database Connection Scaling in AWS ECS: Handling Increased Load in a Containerized Spring Boot Application
- Moleculer micro service rooting not working in case of separate services rooting
- Why does OrderInfoDto become null in the event handler of CanceledPreemptProductEvent in Axon Saga?
- Data duplication or async on-demand oriented communication on microservices
- Zipkin not working in Docker - conncection refused
- NestJS - Using Microservice to fetch file stream and return to Gateway using Observable
- How to manage MassTransit Outbox pattern db schemas across microservices
- Implementing OIDC with Authorization Code Flow on API Gateway using Keycloak as SSO provider
- Service oriented architecture vs Microservices
- Connecting to AxonServer node failed: UNAVAILABLE: Network closed for unknown reason
- Why do we need Outbox pattern with Kafka
- 502 Bad Gateway on Azure Ingress for Kubernetes Service /microservice1/hello (Quarkus Application)
- Could not load assembly 'CommonBaseData'. Ensure it is referenced by the startup project 'CommonBaseType'
- Transactional outbox distributed lock fencing confusion
- Cloud config got Request execution error. endpoint=DefaultEndpoint{ serviceUrl='http://localhost:8761/} from Eureka server
- Kong blocks all IPs when rate-limiting plugin is added
- Identityserver 4 in docker compose The remote certificate is invalid according to the validation procedure
- Protocol Buffer vs Json - when to choose one over the other?
- Guidance on building and integrating multiple Angular apps with ASP.NET Web API
- how to change timeout of WebTestClient
- Why is 2-phase commit not suitable for a microservices architecture?
- Dynamic Routing in API Gateway with Tenant-Based Service Resolution Using Spring Cloud and Eureka
- What is the difference between a circuit breaker and a bulkhead pattern?
- Kafka Msg VS REST Calls
- How to avoid circular dependency in multiple API healthchecks?
- publishEndpoint.Publish() Not Sending Messages with Kafka in MassTransit
- Can we use server sent events in nestjs without using interval?
- Use JWT to authenticate separate API Microservice
- Difference Microservices vs. Lambda vs. Serverless-Functions