I’m thinking about how to model entity level access control. Because of performance and flexibility issues I think the best approach is to let each microservice manage access control for their own entities.
For code reuse and easier maintenance I want to create a Lagom project called “access-control” which provides support utilities for the projects with standard requirements.
- Apache Shiro dependency
- Cassandra dependency
- Utility methods to store rules
- Utility methods to make access checks easy
e.g. access.isPermitted(user, "organization:edit:1234").thenApply(…)
If I implement those helpers in a way that they are optimized for a read-side, I have the problem that a read side in Lagom lags about 2 seconds due to the Cassandra polling mechanism, and if a client requests its own resource after creation, it may not have access to it yet.
Another possibility would be to design the library to be used in a ServiceCall method - then I could use it directly in the Request calls and delay the response to the user until the access-control update is completed.
An advantage of the read-side implementation would be some sort of transaction…
My questions are:
- How do you think about this topic and the proposed solution?
- Are there any known existing libraries?
- Any other ideas or suggestions for this topic?
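As an added example (not code from the original post, and not Lagom's or Shiro's own API), here is a minimal Java sketch of the helper the post describes: an `isPermitted(user, permission)` check returning a `CompletionStage<Boolean>`, backed by a rule store. The store is an in-memory map standing in for the Cassandra-backed one the post assumes, the `implies` method is a simplified re-implementation of Shiro's `WildcardPermission` semantics (parts split on `:`, alternatives on `,`, `*` as wildcard, shorter grants imply longer permissions), and `main` shows the "delay the response until the access-control update is completed" ordering from the ServiceCall variant. The class and method names are assumptions for illustration.

```java
import java.util.*;
import java.util.concurrent.*;

/** Hypothetical helper class (assumed name), not part of Lagom or Shiro. */
public final class AccessControl {

    // Assumed rule store: user -> granted permission strings.
    // In memory here; the post assumes Cassandra for this.
    private final Map<String, Set<String>> grants = new ConcurrentHashMap<>();
    private final Executor executor;

    public AccessControl(Executor executor) {
        this.executor = executor;
    }

    /** Store a rule. The returned stage completes only after the write is done,
     *  so a ServiceCall can chain the check after it instead of racing a read side. */
    public CompletionStage<Void> grant(String user, String permission) {
        return CompletableFuture.runAsync(
            () -> grants.computeIfAbsent(user, u -> ConcurrentHashMap.newKeySet())
                        .add(permission.toLowerCase(Locale.ROOT)),
            executor);
    }

    /** Async check, mirroring access.isPermitted(user, "organization:edit:1234").thenApply(...). */
    public CompletionStage<Boolean> isPermitted(String user, String required) {
        String wanted = required.toLowerCase(Locale.ROOT);
        return CompletableFuture.supplyAsync(
            () -> grants.getOrDefault(user, Set.of()).stream().anyMatch(g -> implies(g, wanted)),
            executor);
    }

    /** Simplified Shiro WildcardPermission.implies:
     *  - parts are separated by ':', alternatives within a part by ','
     *  - '*' in a granted part matches any required value for that part
     *  - a grant with fewer parts implies all longer permissions
     *    ("organization:edit" implies "organization:edit:1234")
     *  - a grant with more parts implies only if its extra parts are all '*' */
    static boolean implies(String granted, String required) {
        String[] g = granted.split(":");
        String[] r = required.split(":");
        int i = 0;
        for (; i < r.length; i++) {
            if (i >= g.length) {
                return true; // grant is shorter, so it covers this more specific permission
            }
            Set<String> part = new HashSet<>(Arrays.asList(g[i].split(",")));
            if (!part.contains("*") && !part.containsAll(Arrays.asList(r[i].split(",")))) {
                return false;
            }
        }
        for (; i < g.length; i++) {
            if (!Arrays.asList(g[i].split(",")).contains("*")) {
                return false; // grant is more specific than what is being asked
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        AccessControl access = new AccessControl(pool);

        // Sanity checks on the matcher alone (constructed inputs).
        System.out.println(implies("organization:edit:*", "organization:edit:1234"));   // true
        System.out.println(implies("organization:*", "organization:edit:1234"));        // true
        System.out.println(implies("organization:edit", "organization:edit:1234"));     // true
        System.out.println(implies("organization:view,edit", "organization:edit:1234")); // true
        System.out.println(implies("organization:edit:1234", "organization:edit:9999")); // false
        System.out.println(implies("organization:edit:1234:x", "organization:edit:1234")); // false

        // ServiceCall-style flow: the client only gets its response once the rule
        // write has completed, so a check for the freshly created resource succeeds.
        Boolean allowed = access.grant("alice", "organization:edit:1234")
            .thenCompose(done -> access.isPermitted("alice", "organization:edit:1234"))
            .toCompletableFuture()
            .get();
        System.out.println("alice may edit organization 1234: " + allowed); // true

        pool.shutdown();
    }
}
```

The matcher is deliberately small: it omits Shiro's configurable case handling and caches, but keeps the implication rules that matter for a check like `organization:edit:1234`. The read-side variant from the post would replace the in-memory map with a projection that is updated asynchronously, which is exactly where the lag the post mentions would appear between `grant` completing and `isPermitted` observing the rule.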