DOI: 10.1145/3605098.3636121
poster

Fine-Grained Authorization in Microservice Architecture: A Decentralized Approach

Published: 21 May 2024

Abstract

Authorization mechanisms are essential for securing microservice-based applications, with Attribute Based Access Control (ABAC) being a prominent choice for fine-grained authorization. A decentralized authorization mechanism allows the transfer of responsibility for authorization enforcement from a central unit to multiple distributed and decentralized units. However, existing solutions often centralize authorization in microservice-based applications, which mitigates complexity but contradicts the core principles of the microservice architecture, such as its overall distributed nature and loose coupling. To overcome this, we propose a microservice architecture that enables fine-grained authorization using ABAC on the microservice level. Our approach preserves the inherent loose coupling of microservices while ensuring high scalability. In particular, our architecture addresses the distribution of attributes among ABAC components, recognizing this as a critical consideration for robust authorization in microservice environments.

Published In

SAC '24: Proceedings of the 39th ACM/SIGAPP Symposium on Applied Computing
April 2024
1898 pages
ISBN:9798400702433
DOI:10.1145/3605098
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the owner/author(s).

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. microservice
  2. architecture
  3. fine-grained authorization
  4. ABAC

Qualifiers

  • Poster

Conference

SAC '24
Acceptance Rates

Overall Acceptance Rate 1,650 of 6,669 submissions, 25%
