Externalized and Decentralized Authorization of Microservices
摘要
Authorization mechanisms are essential for securing requests in microservice-based applications, with Attribute Based Access Control (ABAC) being a prominent choice for fine-grained authorization. ABAC allows enforcing an authorization decision in a dedicated authorization component. The decentralization of authorization mechanisms allows the transfer of responsibility for authorization enforcement from a centralized entity to multiple decentralized entities. Existing solutions either come with a centralized authorization service or implement the authorization mechanism in the code of microservices, which reduces complexity but contradicts the principles of microservice architecture, such as its overall distributed nature and loose coupling. In this paper, we propose an authorization architecture extension to microservices that enables fine-grained authorization using ABAC. Our approach externalizes the authorization mechanism from the microservice and decentralizes it in the microservice architecture. This preserves the inherent loose coupling of microservices and enables the integration of authorization without modifying the microservice code, allowing a microservice to be reused in multiple applications. Consequently, the authorization logic can be modified without adapting the microservice.