This repository has been archived by the owner on Jan 20, 2024. It is now read-only.

Object level authorization #156

Open
archenroot opened this issue Jan 24, 2019 · 4 comments

Comments

@archenroot

Hi, after some time,

I am going to utilize light4j on a new project once again :-) I am working on query translator engine services, which will build queries from the FE in the form of GraphQL schemas and translate and route requests to storage layer engines, which will be standard relational databases and graph engines (Gremlin supported).

I am looking for an object-level-granularity security authorization framework that is generic enough that I can secure both relational structures in a fine-grained manner (table, row, column, cell, values) and also graph engines. I hope that you have faced a similar situation in your banking journey and might have some framework available.

Thanks for any kind of hints. I would like to stay away from Spring Security if possible...

Regards,

Ladislav

@stevehu
Contributor

stevehu commented Jan 24, 2019

If you think about security, there are multiple tiers. light-oauth2 can only address it at the service/endpoint level with scopes. These are technical cross-cutting concerns which apply to all industries. It works in a generic way without considering any business context information. Once the technical cross-cutting concerns are passed, the request will enter the business context, and the fine-grained authorization is addressed here.

One of our customers has built a fine-grained authorization based on the rule-book, but they are concerned as this library has not been maintained for a while already. We have a lot of requests from customers to build a workflow engine so that they can migrate their existing workflow applications to microservices. As part of our workflow engine, we have developed light-rule, and they are trying to convert the rule-book to light-rule now. This presentation contains a page for the cross-cutting concerns, and you can see where the JWT verification and fine-grained authorization sit. https://doc.networknt.com/pdf/light-4j.pdf

@archenroot
Author

@stevehu thx, going to study

@archenroot
Author

@stevehu - Isn't something like RBAC and ABAC better than a rule-based engine? I mean, if you go to the attribute level you can end up with an unmanageable set of rules... nice article here:
https://stackoverflow.com/questions/33917255/spring-security-access-control-list-billions-of-row

@stevehu
Contributor

stevehu commented Jan 25, 2019

In our implementation, we are not using pure ACLs, as you know they are not scalable. We have implemented Role-Based, Attribute-Based and Rule-Based access control. More information can be found at our document site. https://doc.networknt.com/architecture/security/#fine-grained-authorization

If you look into the detailed implementation, they are all concentrated in the rule engine. For example, in RBAC, we need rules to determine the role from a request. ABAC is basically business rules.

Currently, we have a team trying to implement this in a generic way to make it a commercial product. Given the limited resources, we don't know when this will be on the market.
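The two tiers described in this thread (a generic endpoint/scope check first, then role derivation by rule and attribute-based row and column policies in the business layer), as an added example. This is not light-4j, light-oauth2 or light-rule code; it uses only the JDK, the endpoint names, scopes, roles, table columns and sample rows are constructed for illustration, and the JWT is assumed to have already been verified (signature, expiry, issuer) before the claims reach this code.

```java
import java.util.*;
import java.util.function.BiPredicate;
import java.util.function.Predicate;

// Added example, not project code. Tier 1 knows nothing about the business (endpoint + scope);
// tier 2 derives roles from subject attributes by rule and applies attribute-based row and
// column policies, so no per-row ACL is stored anywhere. All names and data are made up.
public class TwoTierAuthz {

    // Claims of an already-verified JWT (hypothetical shape).
    record Claims(String subject, Set<String> scopes, Map<String, String> attrs) {}

    // One row of a hypothetical "accounts" table.
    record Account(String id, String ownerId, String branch, long balanceCents, String ssn) {}

    // ---- Tier 1: cross-cutting technical check, endpoint -> required scope ----
    static final Map<String, String> REQUIRED_SCOPE = Map.of(
            "GET /accounts", "account.read",
            "POST /accounts", "account.write");

    static boolean endpointAllowed(String endpoint, Claims c) {
        String needed = REQUIRED_SCOPE.get(endpoint);
        return needed != null && c.scopes().contains(needed); // unmapped endpoint: deny by default
    }

    // ---- Tier 2: business-context authorization ----
    // Role rules: a role is derived from the request's attributes, not stored per object.
    static final Map<String, Predicate<Claims>> ROLE_RULES = Map.of(
            "customer",     c -> "customer".equals(c.attrs().get("type")),
            "branch_staff", c -> "employee".equals(c.attrs().get("type")) && c.attrs().containsKey("branch"),
            "auditor",      c -> "auditor".equals(c.attrs().get("type")));

    // Row policy: one predicate per role over (subject attributes, row). Evaluated here per row;
    // the same predicate could be translated into a WHERE clause and pushed to the storage layer.
    static final Map<String, BiPredicate<Claims, Account>> ROW_POLICY = Map.of(
            "customer",     (c, a) -> a.ownerId().equals(c.subject()),
            "branch_staff", (c, a) -> a.branch().equals(c.attrs().get("branch")),
            "auditor",      (c, a) -> true);

    // Column policy: the columns a role may read; anything else is removed from the result.
    static final Map<String, Set<String>> COLUMN_POLICY = Map.of(
            "customer",     Set.of("id", "balanceCents", "ssn"),
            "branch_staff", Set.of("id", "ownerId", "branch", "balanceCents"),
            "auditor",      Set.of("id", "ownerId", "branch"));

    static Set<String> rolesFor(Claims c) {
        Set<String> roles = new TreeSet<>();
        ROLE_RULES.forEach((role, rule) -> { if (rule.test(c)) roles.add(role); });
        return roles;
    }

    /** Rows the subject may see, each projected to the union of columns its permitting roles allow. */
    static List<Map<String, Object>> filter(Claims c, List<Account> rows) {
        Set<String> roles = rolesFor(c);
        List<Map<String, Object>> out = new ArrayList<>();
        for (Account a : rows) {
            Set<String> cols = new LinkedHashSet<>();
            for (String r : roles) {
                if (ROW_POLICY.get(r).test(c, a)) cols.addAll(COLUMN_POLICY.get(r)); // permit-overrides
            }
            if (cols.isEmpty()) continue; // no role grants this row: drop it (default deny)
            Map<String, Object> row = new LinkedHashMap<>();
            row.put("id", a.id()); row.put("ownerId", a.ownerId()); row.put("branch", a.branch());
            row.put("balanceCents", a.balanceCents()); row.put("ssn", a.ssn());
            row.keySet().retainAll(cols); // column-level masking
            out.add(row);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data.
        List<Account> table = List.of(
                new Account("A1", "alice", "north", 100_00, "111-11-1111"),
                new Account("A2", "bob",   "north", 250_00, "222-22-2222"),
                new Account("A3", "carol", "south", 999_00, "333-33-3333"));
        Claims alice  = new Claims("alice", Set.of("account.read"), Map.of("type", "customer"));
        Claims teller = new Claims("dave",  Set.of("account.read"), Map.of("type", "employee", "branch", "north"));
        Claims eve    = new Claims("eve",   Set.of(),               Map.of("type", "auditor"));

        for (Claims c : List.of(alice, teller, eve)) {
            if (!endpointAllowed("GET /accounts", c)) { // tier 1 fails: the business code is never reached
                System.out.println(c.subject() + ": 403 at the endpoint (missing scope)");
                continue;
            }
            System.out.println(c.subject() + " " + rolesFor(c) + " -> " + filter(c, table));
        }
    }
}
```

Run with `java TwoTierAuthz.java` (JDK 16 or later for records). alice sees only A1, with her SSN but without ownerId/branch; the north-branch teller sees A1 and A2 with no SSN column; eve has the auditor attribute but no `account.read` scope, so she is rejected at tier 1 before any role or row rule is evaluated. The point the example makes about the "unmanageable set of rules" concern is that the rule count grows with the number of roles and policies, not with the number of rows: three row predicates cover a table of any size, which is what a per-row ACL cannot do.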
