clevermicro/user-management
clevermicro/user-management
14
0
Fork 0
Code Issues 9 Pull requests Projects Releases Packages 1 Wiki Activity Actions

Design Permission System for Endpoint Access Control #2

New issue
Closed
opened 2025-04-22 21:58:16 +00:00 by abed.alrahman · 5 comments
abed.alrahman commented 2025-04-22 21:58:16 +00:00
Member
Copy link

Ref epic: #13

Goal: Design a system that allows individual backend services to define which users or groups (from Keycloak) can access their specific REST endpoints, and have this access enforced centrally before requests reach the service.

Background:
We need finer control over who can access specific API endpoints. The requirement is that the service owning the endpoint should ultimately define the access rules (e.g., "Only users in the 'admins' group can call POST /users"). This system needs to integrate with Keycloak for user/group information and likely with Traefik (potentially via the auth-service) for enforcement.

What needs to be done:

Evaluate Architectures: Research and compare different ways to achieve this, considering:
    Central Policy Store: Services register rules (e.g., Endpoint=/abc, Method=GET, Group=readers) centrally. An auth service checks requests against this store.
    Backend Service Callback: An auth service receives the request, gets user info, then calls a specific endpoint on the backend service itself (e.g., /_check_permission) asking "Can this user access this original request?". The backend service contains the logic and responds yes/no.
    Other approaches: Explore alternatives if applicable.
Analyze Options: Compare the evaluated architectures based on:
    How well they meet the "backend service decides" requirement.
    Latency impact on requests.
    Complexity of implementation (for auth service, backend services, and potential central stores).
    Scalability and maintainability.
    Security implications.
Select and Specify: Choose the most suitable architecture and document the design in detail:
    Data Formats: Define how user identity (username, groups, roles from Keycloak) and permission rules/requests will be represented (e.g., JSON schemas).
    Protocols: Specify the communication flow (e.g., REST calls, headers used) between Traefik, the auth-service, Keycloak, and potentially the backend services or a policy store.
    Workflow: Create sequence diagrams showing the end-to-end process for an incoming request being allowed or denied.
    Backend Service Integration: Clearly define how a backend service will provide its access rules (e.g., API for registration, expected format for a check endpoint).
Develop PoC: Create a small Proof of Concept (PoC) to demonstrate the core mechanics of the chosen design. This could involve mock services simulating Traefik, auth-service, Keycloak, and a backend service.

Deliverables:

A detailed Design Document containing:
    Comparison of evaluated architectures.
    Specification of the chosen architecture, including data formats, protocols, and workflow diagrams.
    Guidelines for backend service integration.
PoC Code and demonstration results.
Ref epic: [#13](https://git.cleverthis.com/clevermicro/user-management/issues/13) Goal: Design a system that allows individual backend services to define which users or groups (from Keycloak) can access their specific REST endpoints, and have this access enforced centrally before requests reach the service. Background: We need finer control over who can access specific API endpoints. The requirement is that the service owning the endpoint should ultimately define the access rules (e.g., "Only users in the 'admins' group can call POST /users"). This system needs to integrate with Keycloak for user/group information and likely with Traefik (potentially via the auth-service) for enforcement. What needs to be done: Evaluate Architectures: Research and compare different ways to achieve this, considering: Central Policy Store: Services register rules (e.g., Endpoint=/abc, Method=GET, Group=readers) centrally. An auth service checks requests against this store. Backend Service Callback: An auth service receives the request, gets user info, then calls a specific endpoint on the backend service itself (e.g., /_check_permission) asking "Can this user access this original request?". The backend service contains the logic and responds yes/no. Other approaches: Explore alternatives if applicable. Analyze Options: Compare the evaluated architectures based on: How well they meet the "backend service decides" requirement. Latency impact on requests. Complexity of implementation (for auth service, backend services, and potential central stores). Scalability and maintainability. Security implications. Select and Specify: Choose the most suitable architecture and document the design in detail: Data Formats: Define how user identity (username, groups, roles from Keycloak) and permission rules/requests will be represented (e.g., JSON schemas). Protocols: Specify the communication flow (e.g., REST calls, headers used) between Traefik, the auth-service, Keycloak, and potentially the backend services or a policy store. Workflow: Create sequence diagrams showing the end-to-end process for an incoming request being allowed or denied. Backend Service Integration: Clearly define how a backend service will provide its access rules (e.g., API for registration, expected format for a check endpoint). Develop PoC: Create a small Proof of Concept (PoC) to demonstrate the core mechanics of the chosen design. This could involve mock services simulating Traefik, auth-service, Keycloak, and a backend service. Deliverables: A detailed Design Document containing: Comparison of evaluated architectures. Specification of the chosen architecture, including data formats, protocols, and workflow diagrams. Guidelines for backend service integration. PoC Code and demonstration results.
stanislav.hejny commented 2025-04-23 09:32:22 +00:00
Member
Copy link

It is important for this feature that we do a model design and schema implementation as first, before hooking it with Traefik API Gateway or AMQ Adapter. Things that need to be designed:

  1. We need to model a resource, privilege, role, group. In the design we need to define a representation of all 4 entities.
  • Resource is a something we control access to. if it an endpoint, it can be either fully specified or given as regex. if we allow regex, than privilege attached to fully specified resource has precedence over privilege attached to resource specified as regex
  • Privilege is something user is granted. Do we allow grants of individual privileges? How do we map Resource to Privilege?
  • Role. How do we model it? Is the role limited to single service(application) or is it possible that one role can grant user privileges in multiple services(applications)? Is it a hierarchical inheritance, like in OO programming, so is modelled as something user IS, where e.g super-admin is extension of admin role, so super-admin can do everything admin can do plus something extra? In this model, user is allowed to have only single role in each service. Or is a role just a label that identifies what user can DO? Like 'job editor' role meaning that e.g. user can manually change job status? In this model, user can have multiple roles in single service/application.
  • Group. Is group an aggregation of privileges? Or is it aggregation of resources and privilege(s) are assigned to entire group? Do we allow resource aggregation across the multiple services(e.g. membership in a group will grant user privilege in multiple services)? Do we allow supergroups (aggregation of groups, where membership in a group will automatically imply membership in ALL sub-groups?
  1. When all the above is agreed and documented, we need to design a schema that will allow efficient queries:
  • given a username and resourcename, is there an intersection between privileges granted to user via role(s), group membership or direct grants and the privileges assigned to the resource? (aka - is user allowed to access it)
  • given username and resource+privilege, what grants user needs in order to have access to the resource with privilege? this will be very basic management question: "I need to do X in the service S, what role or which group I need to be in in order to be allowed to do X?)
  • who has privilege P on resource R? - if something goes wrong, or just regular housekeeping
  • what are the privileges of an user (what are MY privileges - to be part of display in user profile)

  1. Next we need to determine the maintenance of the privilege matrix or access control list (ACL). Who is responsible for determining the privileges? Is it a Service developers? Management? How do we represent the ACL in both human readable form so it is suitable for review and human amendment and also in machine readable form, so we can feed the entire ACL to the security schema and synchronize the new ACL with existing ACL? Implement the sync function.

  2. What is the user privilege granting process? Who approves the grant request? Can some requests be auto-approved? Do we implement a time limited privilege escalation? (e.g. user can request a sudo privilege for an 1 hr to perform a release or some privilege action?) The privilege is than auto-removed after the period elapse or user can give up the privilege.

It is important for this feature that we do a model design and schema implementation as first, before hooking it with Traefik API Gateway or AMQ Adapter. Things that need to be designed: 1. We need to model a resource, privilege, role, group. In the design we need to define a representation of all 4 entities. - Resource is a something we control access to. if it an endpoint, it can be either fully specified or given as regex. if we allow regex, than privilege attached to fully specified resource has precedence over privilege attached to resource specified as regex - Privilege is something user is granted. Do we allow grants of individual privileges? How do we map Resource to Privilege? - Role. How do we model it? Is the role limited to single service(application) or is it possible that one role can grant user privileges in multiple services(applications)? Is it a hierarchical inheritance, like in OO programming, so is modelled as **something user IS**, where e.g super-admin is extension of admin role, so super-admin can do everything admin can do plus something extra? In this model, user is allowed to have only single role in each service. Or is a role just a label that identifies what **user can DO**? Like 'job editor' role meaning that e.g. user can manually change job status? In this model, user can have multiple roles in single service/application. - Group. Is group an aggregation of privileges? Or is it aggregation of resources and privilege(s) are assigned to entire group? Do we allow resource aggregation across the multiple services(e.g. membership in a group will grant user privilege in multiple services)? Do we allow supergroups (aggregation of groups, where membership in a group will automatically imply membership in ALL sub-groups? 2. When all the above is agreed and documented, we need to design a schema that will allow efficient queries: - given a username and resourcename, is there an intersection between privileges granted to user via role(s), group membership or direct grants and the privileges assigned to the resource? (aka - is user allowed to access it) - given username and resource+privilege, what grants user needs in order to have access to the resource with privilege? this will be very basic management question: "I need to do X in the service S, what role or which group I need to be in in order to be allowed to do X?) - who has privilege P on resource R? - if something goes wrong, or just regular housekeeping - what are the privileges of an user (what are MY privileges - to be part of display in user profile) 3. Next we need to determine the maintenance of the privilege matrix or access control list (ACL). Who is responsible for determining the privileges? Is it a Service developers? Management? How do we represent the ACL in both human readable form so it is suitable for review and human amendment and also in machine readable form, so we can feed the entire ACL to the security schema and synchronize the new ACL with existing ACL? Implement the sync function. 4. What is the user privilege granting process? Who approves the grant request? Can some requests be auto-approved? Do we implement a time limited privilege escalation? (e.g. user can request a sudo privilege for an 1 hr to perform a release or some privilege action?) The privilege is than auto-removed after the period elapse or user can give up the privilege.
stanislav.hejny commented 2025-04-30 18:47:56 +00:00
Member
Copy link

Following on discussion on the questions raised above, I have created the following design proposal:

https://docs.cleverthis.com/en/architecture/microservices/feature-discussion/user-privilege-design

@CoreRasurae
@freemo
please feel free to review/comment

Following on discussion on the questions raised above, I have created the following design proposal: https://docs.cleverthis.com/en/architecture/microservices/feature-discussion/user-privilege-design @CoreRasurae @freemo please feel free to review/comment
aleenaumair added this to the V.01 milestone 2025-05-05 10:49:58 +00:00
abed.alrahman commented 2025-05-15 20:26:07 +00:00
Author
Member
Copy link

Here is the design document for Access control using Keycloak capabilities:
https://docs.cleverthis.com/en/architecture/microservices/feature-discussion/Endpoint-Access-Control-using-Keycloak

It shows how the auth-service endpoint will act as a middleware between Traefik and Keycloak to authenticate and authorize users' requests.

Here is the design document for Access control using Keycloak capabilities: https://docs.cleverthis.com/en/architecture/microservices/feature-discussion/Endpoint-Access-Control-using-Keycloak It shows how the auth-service endpoint will act as a middleware between Traefik and Keycloak to authenticate and authorize users' requests.
abed.alrahman commented 2025-05-28 00:05:17 +00:00
Author
Member
Copy link

A new version for ACL using Keycloak, in this version, there are two main additions:

  1. Use the ALL keyword to represent any method (GET, POST, etc).
  2. Use STAR to mean "anything beyond this point" (like /*).
    Here is the link for the document v1.1
    https://docs.cleverthis.com/en/architecture/microservices/feature-discussion/endpoint-keycloakv2
A new version for ACL using Keycloak, in this version, there are two main additions: 1. Use the ALL keyword to represent any method (GET, POST, etc). 2. Use STAR to mean "anything beyond this point" (like /*). Here is the link for the document v1.1 https://docs.cleverthis.com/en/architecture/microservices/feature-discussion/endpoint-keycloakv2
abed.alrahman commented 2025-05-28 00:06:57 +00:00
Author
Member
Copy link

Here is a quick guideline document.
This guide explains how to configure your service in Keycloak so its API endpoints can be protected by our central auth-service. The auth-service checks if a user has the correct "Client Role" in Keycloak before allowing access to an endpoint.

https://docs.cleverthis.com/en/user_pages/abed_alrahman/permission_keycloak

Here is a quick guideline document. This guide explains how to configure your service in Keycloak so its API endpoints can be protected by our central auth-service. The auth-service checks if a user has the correct "Client Role" in Keycloak before allowing access to an endpoint. https://docs.cleverthis.com/en/user_pages/abed_alrahman/permission_keycloak
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
feat/authz-scaffolding
develop
No results found.
Labels
Clear labels
  
Blocked

A ticket in a blocked state and unable to complete until some other task is completed first.

  
Bounty
$100
A bounty of $100 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$1000
A bounty of $1000 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$10000
A bounty of $10000 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$20
A bounty of $20 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$2000
A bounty of $2000 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$250
A bounty of $250 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$50
A bounty of $50 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$500
A bounty of $500 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$5000
A bounty of $5000 for any open-source contributor who provides a MR that solves this issue

  
Bounty
$750
A bounty of $750 for any open-source contributor who provides a MR that solves this issue

  
MoSCoW
Could have
Could have feature in order to satisfy the epic/legendary.

  
MoSCoW
Must have
Must have feature in order to satisfy the epic/legendary.

  
MoSCoW
Should have
Should have feature in order to satisfy the epic/legendary.

  
Needs feedback

There are questions in the ticket that can not be completed until the project owner provides clarity.

  
Points
1
1 man-hours worth of work for an expert with no learning curve.

  
Points
13
13 man-hours worth of work for an expert with no learning curve.

  
Points
2
2 man-hours worth of work for an expert with no learning curve.

  
Points
21
21 man-hours worth of work for an expert with no learning curve.

  
Points
3
3 man-hours worth of work for an expert with no learning curve.

  
Points
34
34 man-hours worth of work for an expert with no learning curve.

  
Points
5
5 man-hours worth of work for an expert with no learning curve.

  
Points
55
55 man-hours worth of work for an expert with no learning curve.

  
Points
8
8 man-hours worth of work for an expert with no learning curve.

  
Points
88
88 man-hours worth of work for an expert with no learning curve.

  
Priority
Backlog
This ticket has backlogged priority and is not to be worked on yet

  
Priority
Critical
The priority is critical

  
Priority
High
The priority is high

  
Priority
Low
The priority is low

  
Priority
Medium
The priority is medium

  
Signed-off: Owner

When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.

  
Signed-off: Scrum Master

When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.

  
Signed-off: Tech Lead

When an epic or legendary is in review it must be signed off by owner, tech lead, and scrum master before being marked as completed.

  
Spike

A ticket for learning a tool or technology that is needed to be able to do future planning and design.

  
State
Completed
The ticket has been fully implemented, completed, and merged with the source code. This label should only be applied once a ticket is closed.

  
State
Duplicate
A ticket that represents the same content as an existing ticket.

  
State
In Progress
A ticket that is actively being developed.

  
State
In Review
A ticket that has had some code completed to implement but is waiting to pass peer review and is not yet merged in.

  
State
Paused
This ticket's work started but wasn't finished. It's on hold (likely in a feature branch) and will be resumed later, either due to a blocker or a delay.

  
State
Unverified
All new tickets start in this state. A developer may set it to show the ticket is unverified. This means we haven't agreed to work on it. It will either move to a verified state or be closed as wontdo.

  
State
Verified
The issue has been verified by a developer as legitimate. It will be worked on and verified tickets are now considered part of the backlog.

  
State
Wont Do
This ticket has been decided it wont be done. This may mean the bug has been determined to not be real (cant verify) or the feature is one we have decided we dont want to adopt.

  
Type
Bug
Something that doesnt work as intended.

  
Type
Discussion
Anytime a ticket represents a discussion about a subject and doesnt fall into one of the other categories.

  
Type
Documentation
An error or improvement needed in the documentation.

  
Type
Epic
Any first tier epic. That is, an epic which contains only issues as children and will not have sub-epics.

  
Type
Feature
Some new functionality not present.

  
Type
Legendary
A type of Epic which will contain other Epics.

  
Type
Support
Someone needs help using the project.

  
Type
Task
A generic task that doesnt fit into the other type categories.

  
Type
Testing
Work exclusively focusing on fixing or expanding testing.

No labels
Blocked
Bounty
$100
Bounty
$1000
Bounty
$10000
Bounty
$20
Bounty
$2000
Bounty
$250
Bounty
$50
Bounty
$500
Bounty
$5000
Bounty
$750
MoSCoW
Could have
MoSCoW
Must have
MoSCoW
Should have
Needs feedback
Points
1
Points
13
Points
2
Points
21
Points
3
Points
34
Points
5
Points
55
Points
8
Points
88
Priority
Backlog
Priority
Critical
Priority
High
Priority
Low
Priority
Medium
Signed-off: Owner
Signed-off: Scrum Master
Signed-off: Tech Lead
Spike
State
Completed
State
Duplicate
State
In Progress
State
In Review
State
Paused
State
Unverified
State
Verified
State
Wont Do
Type
Bug
Type
Discussion
Type
Documentation
Type
Epic
Type
Feature
Type
Legendary
Type
Support
Type
Task
Type
Testing
Milestone
Clear milestone
No items
No milestone
V.01
Projects
Clear projects
No items
No project
Sprint May 1st- 14th
Assignees
Clear assignees
No assignees
abed.alrahman
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Blocks
You do not have permission to read 1 dependency
Reference: clevermicro/user-management#2
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?