RBAC as RESTful Microservice

Sashika Suraweera
Desired Software Dev
5 min read · Apr 27, 2020


In this post we'll look at how RBAC can protect a backend from unauthorized access attempts, and how far we can push RBAC as a separate microservice to get the most out of it.

RBAC

Role-Based Access Control (RBAC) restricts what a user may do in a system by attaching permissions to roles rather than to individual users: a user is assigned one or more roles, and those roles decide which resources and operations the user can reach.

Advantages of using RBAC

■ It ensures clients can consume only the resources their role is permitted to use, which cuts down on authorization bugs.
■ You get extra control over the heart of an application (the backend).
■ It blocks a common class of attacks: an authenticated user cannot reach endpoints outside their role (a customer calling an admin method, for example) just because they hold a valid session.

Microservice

Simply put, a microservice architecture splits an application into small services along its functional boundaries. Each microservice can be implemented in a different tech stack and run on different hardware from the others.

Let’s see our example application domain

Throughout this article we'll use an e-commerce web application as the example. We'll assume RBAC is developed as its own microservice, while the rest of the backend, including authentication (login), is one separate entity. Finally, assume both the RBAC microservice and the backend expose RESTful APIs.

The following diagram shows how the RBAC microservice is used.

Diagram 1
  1. When the client asks for the list of products, the API request reaches the relevant handler method.
  2. The handler first runs the normal verification step (validating the JWT), which returns true for authenticated users.
    (Both checks sit inside one if condition, so both methods must return true before the code inside the if statement runs.)
  3. The second check invokes the RBAC method with the needed parameters. If the authenticated user holds the required privilege it returns true; in our scenario the request then enters the if block and the handler sends back a 200 response.
Diagram 2

OK, but where does the RBAC method come from? It is the microservice invoke point (a method) in our e-commerce backend API. When it is called with the needed parameters, it calls the microservice, which checks the user's privileges and returns the answer to the e-commerce backend API.

Is this approach 100% secure? No. It adds a layer of security on top of authentication alone, but every handler still has to remember to call the RBAC method, and the RBAC microservice itself becomes a trust boundary that has to be protected. We'll come back to this later.

Design Database for RBAC

You can keep the database structure for RBAC simple, but it must contain the core entities: users, roles, role groups, and access rights/privileges. You can add more entities as your requirements grow.

Diagram 3

Apart from the table structures, you can use stored procedures to validate a user's access to a specific resource and to handle your other database-side operations, so the RBAC microservice itself needs very little SQL.
A relational database such as MySQL, MSSQL or PostgreSQL makes this design straightforward.

You can get a basic idea of the layout from this database diagram (Diagram 3).

Implement RBAC as Microservice

You can use any tech stack to develop the RBAC microservice. What matters is that data is passed and returned in a format both API backends (RBAC and e-commerce) understand; since both follow the RESTful style, JSON is the natural choice.
You have to implement CRUD operations for each entity in the database, plus whatever other methods you need.
For our e-commerce example (Diagram 1) we also rely on the specific RBAC(userId, controller, method) method that returns true or false, so that has to be implemented on the RBAC microservice side as well.

Integrate with many Projects

Before jumping into integrating the RBAC microservice with many projects, let's go back to our example. Up to this point the company's only business is the e-commerce web application. Now the company decides to extend its business, and the dev team starts building a job bank web application and a classified ads web application.

Diagram 4

Now you have to adjust the RBAC microservice's database (adding tables to store the businesses and their relationships to users, roles and privileges). Because RBAC is a separate microservice, you can scale its database and API without affecting the applications that use it.

Advantages of RBAC as Microservice

I pointed out some advantages of RBAC at the beginning of this post. What extra advantages do we get when it runs as a microservice?

■ Once the common request/response patterns are defined, you can change or optimize the internals of the RBAC microservice at any time, since it is separate.
■ RBAC becomes a reusable service across the business, as mentioned above (Diagram 4).
■ It is a separate entity from the real application(s).

How to Increase the Usability and Security of RBAC as a Microservice

■ Use an API gateway to handle incoming API calls.
We can place the RBAC check at the API gateway and decide whether the sender of an incoming request may access the resource before the request is routed. This lets us handle unwanted/unauthorized API calls before they reach the resources; in our example it stops such calls from reaching the e-commerce, job bank and classified ads backends. The handler-level check from Diagram 1 is still worth keeping as a second line of defence, since any path that bypasses the gateway would otherwise go unchecked.

Diagram 5

■ Take action on unauthorized incoming API calls.
Identify unauthorized access and monitor it. Two kinds of unauthorized request can reach your backend.

  1. Requests from users who had access but no longer do.
    You know who is making the request, so you have two options: tell them they are no longer privileged to access the resource, or give them access back. A resource may have been restricted by mistake, in which case you can grant access again.
  2. Requests from unknown senders. HACKING ATTEMPT!
    In these situations a dashboard is really helpful, so that you can watch the RBAC microservice while it happens. You can extend the RBAC microservice with logging to identify user behaviour. Going back to the second type of attempt, we can track the IPs, regions or locations these requests come from and then take further action, such as blocking them from reaching the servers with the help of firewalls.

■ Use a portal/dashboard GUI to manage and monitor RBAC.
A dashboard gives you extra power over the RBAC microservice: you can manage roles and privileges and watch denied requests from one place.

And that's it! When you develop a backend, make sure to include these additional security features.


I’m a Software Engineer at a software development company based in the USA and a visiting lecturer at a reputed institute.