| Abstract [eng] |
Implementation of effective and robust access control in distributed modules is a challenging puzzle to solve. To this day software engineering community is searching for most optimal solution for this matter. Therefore, the main goal of this project is to ease access control in microservice-based architecture by creating a method which is secure, effective, and easily adaptable. Analysis of scientific papers identified two main strategies for managing access in microservice architecture which are based on either central authorization or security of inner perimeter. Therefore, it was decided to create a method which merges these both strategies by using external and internal tokens for access management. Proposed method incorporates authentication, authorization, request manager and business microservices for specific token flow. This solution allows separation of concerns where the client of the system is unaware and has no control of internal authorization flow, which improves both usability and security of the system. In addition to that, this method can conveniently base request authorization not only on user permissions, but also on general state of the environment or any other additional rules. Implementation of proposed access control prototype fulfills its essential attributes and is using Service Fabric platform. However, during interim experiments on the platform an efficiency fault was discovered within the reverse proxy component, which is suggested to use by official Microsoft documentation. This matter had a need of creating and applying an optimization, which avoids using default reverse proxy for internal cluster communication altogether. After doing so, performance tests concluded that optimized communication is twice faster than using reverse proxy. Regarding proposed access control method, it is 7% more efficient than the decentralized variant of the prototype. However, the main uniqueness of suggested method is located within one specific use case, where business microservice sends authorized requests internal to its cluster. In such case optimized and centralized variant processes requests 30% faster than decentralized variant. |
