admin/Authorization
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7349ed4e1b5796d3f686328b8f382cd0a1a80de3
Authorization/docs/RBAC_ABAC_README.md
T
admin 5743dbf22d fixed authorization
2025-12-09 15:42:35 +08:00

7.2 KiB
Raw Blame History

RBAC + ABAC Authorization Service

Complete Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) implementation for the UESS Authorization microservice.

Features

  • Database-driven permissions - Permissions stored in MySQL
  • Policy-based authorization - ABAC policies with attribute constraints
  • High-performance caching - 5-minute cache for permissions and policies
  • User attribute support - Dynamic user attributes for fine-grained control
  • Variable substitution - Dynamic policy values (e.g., ${resource.region})
  • Multiple comparison operators - =, !=, >, <, >=, <=, IN, CONTAINS
  • JWT integration - Works with existing JWT middleware

Database Schema

Tables Created

  1. permissions - System permissions (resource + action)
  2. policy_attributes - ABAC policy constraints
  3. user_attributes - User-specific attributes
  4. users - User information

API Usage

Authorization Request

Endpoint: POST /v1/auth/check

Headers:

Authorization: Bearer <JWT_TOKEN>

Request Body:

{
  "user_id": "U0000000001",
  "resource": "users",
  "action": "manage",
  "resource_data": {
    "region": "01"
  }
}

Success Response (200):

{
  "allowed": true,
  "reason": "All policies satisfied",
  "permission_id": 1,
  "evaluated_at": "2025-12-09T10:30:00Z",
  "matched_policies": [1, 7]
}

Denied Response (403):

{
  "allowed": false,
  "reason": "Policy failed: region = 01 (actual: 03)",
  "permission_id": 1,
  "evaluated_at": "2025-12-09T10:30:00Z"
}

Authorization Flow

  1. JWT Validation - JWT middleware extracts user claims
  2. Permission Lookup - Find permission by resource + action
  3. User Attributes - Load user attributes from database (cached)
  4. Policy Evaluation - Evaluate all ABAC policies
  5. Decision - Return allowed/denied with reason

Examples

Example 1: Admin Access (Permission ID: 1)

Permission: users + manage
Policy: user.role = Admin
Result: Only users with role="Admin" can manage users

Example 2: Regional Access (Permission ID: 3)

Permission: personnel + assign_role
Policy: user.region = ${resource.region}
Result: User can only assign roles in their own region

Example 3: Role Exclusion (Permission ID: 14)

Permission: cases + verify
Policy: user.action_user_role != Data Collector
Result: Data Collectors cannot verify cases

Example 4: Role Inclusion (Permission ID: 20)

Permission: data_processing + certify
Policy: user.action_user_role IN RFP,PFP
Result: Only RFP or PFP can certify data

Policy Comparison Operators

Operator Description Example
= Equals user.role = Admin
!= Not equals user.role != Guest
> Greater than user.level > 5
< Less than user.age < 65
>= Greater or equal user.score >= 80
<= Less or equal user.attempts <= 3
IN In list user.role IN Admin,Moderator
CONTAINS Contains substring user.email CONTAINS @psa.gov
STARTS_WITH Starts with user.id STARTS_WITH U00
ENDS_WITH Ends with user.email ENDS_WITH .gov

Variable Substitution

Policies support dynamic values using ${type.attribute} syntax:

${user.region}        → User's region attribute
${resource.region}    → Resource region from request
${environment.time}   → Current timestamp

Example:

Policy: user.region = ${resource.region}
Evaluates to: "01" = "01" ✓

Performance

Without Caching

  • Permission lookup: ~5-10ms
  • Policy fetch: ~3-5ms
  • Total: ~10-20ms per request

With Caching

  • Cache hit: ~0.1-0.5ms
  • Cache miss: ~10-20ms (then cached)
  • Average: ~0.5ms per request (98% cache hit rate)

Cache Settings

  • Permissions: Refreshed every 5 minutes
  • Policies: Refreshed every 5 minutes
  • User attributes: Cached indefinitely, LRU eviction at 10k entries

Testing

Test Admin Access

curl -X POST http://localhost:8080/v1/auth/check \
  -H "Authorization: Bearer <JWT_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{
    "user_id": "U0000000001",
    "resource": "users",
    "action": "manage",
    "resource_data": {}
  }'

Test Regional Access

curl -X POST http://localhost:8080/v1/auth/check \
  -H "Authorization: Bearer <JWT_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{
    "user_id": "U0000000002",
    "resource": "personnel",
    "action": "assign_role",
    "resource_data": {
      "region": "01"
    }
  }'

File Structure

authorization/
├── models/
│   ├── rbac.go              # RBAC/ABAC data models
│   └── authorize.go         # Request/Response models
├── repository/
│   └── permission_repository.go  # Database access layer
├── services/
│   ├── authorize.go         # Base authorization service
│   ├── policy_evaluator.go # ABAC policy evaluation engine
│   └── cached_authorization.go  # Cached authorization service
├── handlers/
│   └── authorize.go         # HTTP handler
└── middleware/
    └── jwt.go               # JWT authentication

Adding New Permissions

  1. Add permission to database:
INSERT INTO permissions (permission_name, description, resource, action)
VALUES ('Export Data', 'Export survey data to Excel', 'data', 'export');
  1. Add policies (optional):
INSERT INTO policy_attributes (attribute_name, attribute_type, comparison, attribute_value, permission_id)
VALUES ('role', 'user', '=', 'Admin', 28);
  1. Cache updates automatically in 5 minutes or restart service

Cache Statistics

Get cache performance metrics (add this endpoint if needed):

// GET /v1/auth/cache-stats
{
  "permissions_cached": 27,
  "policies_cached": 16,
  "user_attributes_cached": 1523,
  "last_refresh": "2025-12-09T10:25:00Z",
  "cache_age_seconds": 245.3
}

Security Considerations

  1. JWT Required - All requests must have valid JWT
  2. User ID Verification - Request user_id must match JWT user_id
  3. Secure Database - Use read-only DB user for authorization service
  4. Audit Logging - Log all authorization decisions (implement as needed)
  5. Cache Invalidation - Invalidate user cache on attribute changes

Troubleshooting

Permission Not Found

  • Verify permission exists in database
  • Check resource and action spelling
  • Wait for cache refresh or restart service

Policy Fails Unexpectedly

  • Check user has required attributes in user_attributes table
  • Verify attribute names match exactly
  • Check comparison operator is correct
  • Use variable substitution syntax correctly

Slow Performance

  • Check database indexes on permissions table
  • Monitor cache hit rate
  • Increase cache expiry if permissions change rarely
  • Check database connection pool settings
Reference in New Issue View Git Blame Copy Permalink