Our team has decided to move to a microservice approach for newly developed features. We’ve decided to keep a database/datastore per service and to split the services along the business function they perform. As we move in this direction we’re creating the services as necessary. This means that not only have we created a new service for this new functionality but we may be creating a new service for functionality and data that already exist within the system (within the monolithic application that is being deconstructed).
After working on our first service we’ve come up with an interesting dilemma. How do we secure data based on users’ relationships? This is not security based on authentication or authorization. We’re currently using a token passed from our SSO provider to ensure authentication and are developing JWTs to add authorization.
I’m going to describe a basic scenario:
Suppose we have a business object which is owned by a user (or group). A lot of microservice architecture examples use orders, etc. Say we have a user, U1, which has created an order object and we have another user which is a manager, M1, which oversees this user. Also, we have other users, U2, U3, and U4, which are part of group, G1. User U1 and manager M1 are not members of this group.
Here are some questions we would want answered:
- Manager, M1, logs in and should see his downline employee’s order objects, but no other manager’s downline information.
- Members of G1 should be able to see each others
Assume that our monolithic application structure has defined groups of users and relationships between users. Without going in depth on the data structures, it could be assumed that there are linking tables for these structures. For groups a linking table would have a group identifier and a person identifier. For relationships the table could be between person identifiers that make up some type of relationship.
Depending on the question above the monolithic application could use a query that joined across these tables. The query would produce a projection of data which was filtered via the join to either linking tables in order to answer the above questions. The database in the application contains all relevant data to answer these questions.
This approach is how we currently function. It produces results very quickly since the data is filtered at the database level. The relational database allows the normalized data to be updated in a quick fashion which would filter through to allow any changes to be reflected pretty quickly in the answers to the questions.
Framing this in a microservice architecture
When our team is looking at this scenario in a microservice architecture we’re considering different business capabilities: relationship management, group membership, and orders (not to mention users or authentication, etc).
If we were to place these concerns into two services (or three) with the order information separated from the relationship or membership data how do we handle security based on these relationships?
Is this where we would be duplicating data between services and data stores? As in, should we be including group data within the orders microservice? This doesn’t seem correct as it violates a separation of concerns. However, it does support having reactive services where this one service isn’t dependent on another.
Thinking of the solution where duplication of data is the way to go, this could get messy for this common data structure. If our system is dealing with business objects that are mainly subjected to security based on relationships between users and groups it would seem that almost every microservice would have this data by default. How does this duplicated data get sync’d? Aside from a technical solution (redis) is there a service design pattern we should be following?
The question of how to perform data security based on relationships between users and groups seems to not be answered in a well-defined manner in any pattern we’ve researched. Topics such as authentication and authorization are fairly well covered. It seems that we can’t be the first to ask this question. Are we framing the question wrong, coming at it from a bad perspective? Does a microservice architecture pattern already address this concern?
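The database-level filter the monolith is described as using, as an added example that is not part of the original post: linking tables for management relationships and group membership, and one query that returns only the orders a viewer may see. Table names, column names and rows are constructed assumptions; the query uses `EXISTS` subqueries rather than outer joins, covers direct reports only, and assumes group members may see each other's orders.

```python
import sqlite3

# Constructed schema and rows; table and column names are assumptions.
SCHEMA = """
CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT NOT NULL);
CREATE TABLE manages (manager TEXT NOT NULL, report TEXT NOT NULL);
CREATE TABLE group_member (grp TEXT NOT NULL, person TEXT NOT NULL);
INSERT INTO orders VALUES (1,'U1'),(2,'U2'),(3,'U3'),(4,'U9');
INSERT INTO manages VALUES ('M1','U1'),('M2','U9');
INSERT INTO group_member VALUES ('G1','U2'),('G1','U3'),('G1','U4');
"""

# An order is visible if the viewer owns it, manages its owner, or shares
# a group with its owner. The filtering happens inside the database, so a
# change to either linking table is reflected on the next query.
VISIBLE = """
SELECT o.id FROM orders o
WHERE o.owner = :viewer
   OR EXISTS (SELECT 1 FROM manages m
              WHERE m.manager = :viewer AND m.report = o.owner)
   OR EXISTS (SELECT 1 FROM group_member a
              JOIN group_member b ON a.grp = b.grp
              WHERE a.person = :viewer AND b.person = o.owner)
ORDER BY o.id
"""


def open_db():
    """Create the in-memory sample database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def visible_orders(db, viewer):
    """Return the ids of the orders this viewer is allowed to see."""
    return [row[0] for row in db.execute(VISIBLE, {"viewer": viewer})]


if __name__ == "__main__":
    db = open_db()
    for viewer in ("M1", "M2", "U1", "U2", "U4"):
        print(viewer, visible_orders(db, viewer))
    # Removing the management link takes effect on the next query.
    db.execute("DELETE FROM manages WHERE manager = 'M1'")
    print("M1 after unlink", visible_orders(db, "M1"))
```

Once orders and the linking tables live in separate datastores, this single query is no longer possible, which is the gap the question is asking about.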