Design the Service-Specific Permissions System #6

Closed
opened 2025-04-22 23:13:30 +00:00 by abed.alrahman · 2 comments
Member

Ref epic: #13

Goal: Design a flexible system that allows individual microservices to define and manage their own specific permissions (e.g., "can_edit_widget", "can_view_special_report") while using the central user identity (users, groups) provided by Keycloak via injected headers.

Description:
This ticket will produce a design document describing the service-specific permission system. With this system, a microservice can define its own permissions using the users from Keycloak. The document needs to consider how the new system works with the existing authentication system (where auth-service injects user metadata headers) and how requests will be handled.

What needs to be designed / addressed:

Permission Definition: How will a microservice define its specific permissions (e.g., simple string names, structured objects)?
Permission Storage: Where will these service-specific permissions and the rules associating them with users/groups be stored?
    Option A: Within each microservice (e.g., its database, configuration).
    Option B: Centrally (e.g., extending Keycloak, using a dedicated permission service).
    Analyze pros and cons of decentralised vs. centralised storage in our context.
Permission Association: How will permissions be granted or associated with users or groups from Keycloak? (e.g., via an API within the microservice, configuration files, a central UI).
Enforcement Workflow: Detail the process for checking these permissions. Confirm that this check happens inside the microservice after it receives the request with the injected X-User-* headers (like X-User-Id, X-User-Groups).
Interaction with Existing Auth: Clarify how this fine-grained check within the service complements the initial coarse-grained authentication/authorization performed by Traefik and auth-service.
Flexibility: How will the design accommodate different microservices having potentially very different and complex permission requirements?
Data Flow: Provide sequence diagrams illustrating the request flow, highlighting where the user context is injected and where the service-specific permission check occurs.
Recommendation: Propose a recommended approach based on the analysis.

Deliverables:

A Design Document detailing the proposed system for service-specific permissions, covering definition, storage, association, enforcement workflow, and interaction with the existing architecture.
Ref epic: [#13](https://git.cleverthis.com/clevermicro/user-management/issues/13) Goal: Design a flexible system that allows individual microservices to define and manage their own specific permissions (e.g., "can_edit_widget", "can_view_special_report") while using the central user identity (users, groups) provided by Keycloak via injected headers. Description: This ticket will produce a design document describing the service-specific permission system. With this system, a microservice can define its own permissions using the users from Keycloak. The document needs to consider how the new system works with the existing authentication system (where auth-service injects user metadata headers) and how requests will be handled. What needs to be designed / addressed: Permission Definition: How will a microservice define its specific permissions (e.g., simple string names, structured objects)? Permission Storage: Where will these service-specific permissions and the rules associating them with users/groups be stored? Option A: Within each microservice (e.g., its database, configuration). Option B: Centrally (e.g., extending Keycloak, using a dedicated permission service). Analyze pros and cons of decentralised vs. centralised storage in our context. Permission Association: How will permissions be granted or associated with users or groups from Keycloak? (e.g., via an API within the microservice, configuration files, a central UI). Enforcement Workflow: Detail the process for checking these permissions. Confirm that this check happens inside the microservice after it receives the request with the injected X-User-* headers (like X-User-Id, X-User-Groups). Interaction with Existing Auth: Clarify how this fine-grained check within the service complements the initial coarse-grained authentication/authorization performed by Traefik and auth-service. Flexibility: How will the design accommodate different microservices having potentially very different and complex permission requirements? Data Flow: Provide sequence diagrams illustrating the request flow, highlighting where the user context is injected and where the service-specific permission check occurs. Recommendation: Propose a recommended approach based on the analysis. Deliverables: A Design Document detailing the proposed system for service-specific permissions, covering definition, storage, association, enforcement workflow, and interaction with the existing architecture.
abed.alrahman added the
Points
21
Priority
High
Blocked
labels 2025-04-22 23:13:30 +00:00
stanislav.hejny added the
Type
Documentation
label 2025-04-29 10:43:43 +00:00
stanislav.hejny added the
State
Verified
label 2025-04-30 18:49:36 +00:00
Member

need discussion in #2 to be completed before we start here

need discussion in #2 to be completed before we start here
stanislav.hejny added this to the V.01 milestone 2025-05-06 18:53:15 +00:00
hurui200320 self-assigned this 2025-05-26 10:05:52 +00:00
hurui200320 added
State
In Progress
and removed
State
Verified
labels 2025-05-26 10:06:02 +00:00
hurui200320 removed the Blocked label 2025-06-02 09:57:15 +00:00
hurui200320 added
State
In Review
and removed
State
In Progress
labels 2025-06-03 05:00:51 +00:00
Member
The design: https://docs.cleverthis.com/en/architecture/microservices/feature-discussion/service-specific-permission-system
hurui200320 added a new dependency 2025-06-03 05:02:19 +00:00
hurui200320 added
State
Completed
and removed
State
In Review
labels 2025-06-10 04:55:31 +00:00
hurui200320 added this to the Sprint June 1st- 14th project 2025-06-11 10:10:14 +00:00
Sign in to join this conversation.
3 Participants
Notifications
Due Date
No due date set.
Blocks
You do not have permission to read 1 dependency
Reference: clevermicro/user-management#6