How to implement a RBAC system in Moleculer？

[CheaterScript]

HI!
I searched but didn't find any related modules. How can I implement a configurable RBAC system?

[ccampanale]

There are many ways to approach implementing configurable RBAC support in a Moleculer system but how this would look is highly dependent on your system and what is in scope as far as access control requirements. Consider the following questions:

• Do you need RBAC for inter-service communication, only external API consumption, or both?
• What does your system do as far as authentication? (RBAC is a form of authorization control usually built on top of or along side authentication.)
• What sort of API are you exposing (REST, GraphQL, etc.) and are you using custom or support Moleculer modules to expose it?
• Where are your roles derived from? Do you want central dynamic role administration support (i.e. defined administratively in a GUI against a live system), statically defined role management (i.e. roles are defined at development time and static within the system once built, usually associated to actions), or a sort of hybrid policy as code solution?

Answering these questions can bring you closer to the reality you are seeking to implement and Moleculer can definitely support whatever direction you want to take (from my experience). That being said, due to the complexity, you likely will not find a plug-and-play solution that meets your needs exactly. Think of Moleculer as the "glue" for tying these concerns together; you may need to incorporate multiple modules/approaches to get the desired outcome.

What's Built-in

There are multiple security/auth modules in the Security section of the Moleculer documentation for modules which aim to help in this area.

Additionally, the supported API GW module moleculer-web has authentication and authorization support which can be used for this sort of thing. There are some examples in the documentation on how one might implement JWT tokens to authenticate users and authorize requests based on information about the principal behind the token.

There are several examples for moleculer-web, some of which include simple authentication and authorization implementations. These are very basic and highlight what is possible at a high level, but the details are dependent on your system design. In the examples, these auth* hooks are used to compute access at the API GW - some examples includes providing a property roles: string[] on action schemas which are then used statically at the GW - but this can also easily be offloaded to other microservices in the system by simple making brokered calls to those services.

Next Steps

Being that this is such a high-level topic that can go is so many directions, the best I can do is leave the answer very high level as well, for now.

I highly recommend trying to answer some of the questions at the top; make sure you have an solid idea of what auth* looks like in your system so that you can approach RBAC appropriately.

I'd be happy to go into more details and share some of my personal experience if you have more concrete questions to follow-up with.

Good luck!

[CheaterScript]

Comment options

Thank you for your answer. My current idea is to use JWT+Casbin, storing dynamic rules in Casbin's MySQL adapter and using its Redis adapter to synchronize them in real-time to the service. However, I lack experience in this area and don't know how to implement authorization for all services in the gateway.

[ccampanale]

My current idea is to use JWT+Casbin, storing dynamic rules in Casbin's MySQL adapter and using its Redis adapter to synchronize them in real-time to the service.

I'm not personally familiar with Casbin but it I took a look and it looks nice!

I'm sure there are several approaches and an abundance of customization options and configurations, but I would suggest starting simple and expanding as needed.

It looks like Casbin has modules which support Express middleware for NodeJS. This may actually fit cleanly into Moleculer Web via the middleware support on that side. I would imagine some customization will be required to connect things but this may also work out of the box, hard to say for sure. I would imagine this would be global middleware at the GW so probably wouldn't need to use the moleculer-web auth* features.

Generally, as far as JWTs are concerned, you'll likely need a service or module which handles the encoding/decoding of JWTs at the API GW. I think it's common but I can say at least in my case, we decode JWTs at the gateway (by calling an internal microservice which standardizes JWTs across our system) and store the decoded information and original JWT in the Moleculer Context metadata (meta) allowing it to be used in subsequent handlers.

However, I lack experience in this area and don't know how to implement authorization for all services in the gateway.

Authorization at the gateway for external calls to internal services is rather straightforward. As long as all external request are expected to go through the gateway the policy service (in this, Casbin) would be implemented and requested to evaluate it's stored policies against three fairly common properties of the request:

• principal/subject is the thing making the call
• object/resource is the thing being targeted for change (command) or describe (query)
• action is the action (command or query) itself

Generally these three things are associated in policies which either explicitly or implicitly allow or deny the request. For example, a policy may say that the subject X is allowed to call action Y against resource Z. Some frameworks also support attribute based policies which could extend the above to only allow the action if the subject has some attribute (having a particular role for example) or if the target resource has an attribute (such as a tenancy identifier that allows the system to confirm that the subject belongs to the same tenancy).

All of the above would be captured in your policies and the gateway would generally consume the policy system/service's API to request that the policies are contextually evaluated against that particular request. This is pretty straightforward and I think common.

Where this gets a little complicated (at least in my mind) is if you need to implement inter-service access controls. In the above scenario the API GW is the authoritative point of enforcement, ensuring that incoming requests are authorized to consume the system's services. Enforcing access controls between the parts of a distributed system introduces complexity, primarily given that there is no longer a central authoritative point of enforcement. Essentially, inter-service traffic happens between the services without a mediator. This means that each service must be responsible for authorizing external calls to itself; this is somewhat inverted when compared to the API GW playing the role of mediator.

A central policy service can of course still be implemented to manage policies but you must also introduce logic locally. In a moleculer system this would likely look like Service Broker Middleware which authenticates the incoming request then authorizes it against the policy service similar to the API GW flow. Authentication between services would likely be a combination of public key verification and JWTs (in order to support authentication of the service and authorization of the subject, if there is one, for activity within the system).

I've not yet had the opportunity to implement the above, but I think it makes sense conceptually. The devil, as they say, is in the details; as long as you understand this conceptually, the hard part is just reading the docs to implement things correctly.

Hope this sheds some additional insight.

[CheaterScript]

My current idea is to use JWT+Casbin, storing dynamic rules in Casbin's MySQL adapter and using its Redis adapter to synchronize them in real-time to the service.

I'm not personally familiar with Casbin but it I took a look and it looks nice!

I'm sure there are several approaches and an abundance of customization options and configurations, but I would suggest starting simple and expanding as needed.

It looks like Casbin has modules which support Express middleware for NodeJS. This may actually fit cleanly into Moleculer Web via the middleware support on that side. I would imagine some customization will be required to connect things but this may also work out of the box, hard to say for sure. I would imagine this would be global middleware at the GW so probably wouldn't need to use the moleculer-web auth* features.

Generally, as far as JWTs are concerned, you'll likely need a service or module which handles the encoding/decoding of JWTs at the API GW. I think it's common but I can say at least in my case, we decode JWTs at the gateway (by calling an internal microservice which standardizes JWTs across our system) and store the decoded information and original JWT in the Moleculer Context metadata (meta) allowing it to be used in subsequent handlers.

However, I lack experience in this area and don't know how to implement authorization for all services in the gateway.

Authorization at the gateway for external calls to internal services is rather straightforward. As long as all external request are expected to go through the gateway the policy service (in this, Casbin) would be implemented and requested to evaluate it's stored policies against three fairly common properties of the request:

• principal/subject is the thing making the call
• object/resource is the thing being targeted for change (command) or describe (query)
• action is the action (command or query) itself

Generally these three things are associated in policies which either explicitly or implicitly allow or deny the request. For example, a policy may say that the subject X is allowed to call action Y against resource Z. Some frameworks also support attribute based policies which could extend the above to only allow the action if the subject has some attribute (having a particular role for example) or if the target resource has an attribute (such as a tenancy identifier that allows the system to confirm that the subject belongs to the same tenancy).

All of the above would be captured in your policies and the gateway would generally consume the policy system/service's API to request that the policies are contextually evaluated against that particular request. This is pretty straightforward and I think common.

Where this gets a little complicated (at least in my mind) is if you need to implement inter-service access controls. In the above scenario the API GW is the authoritative point of enforcement, ensuring that incoming requests are authorized to consume the system's services. Enforcing access controls between the parts of a distributed system introduces complexity, primarily given that there is no longer a central authoritative point of enforcement. Essentially, inter-service traffic happens between the services without a mediator. This means that each service must be responsible for authorizing external calls to itself; this is somewhat inverted when compared to the API GW playing the role of mediator.

A central policy service can of course still be implemented to manage policies but you must also introduce logic locally. In a moleculer system this would likely look like Service Broker Middleware which authenticates the incoming request then authorizes it against the policy service similar to the API GW flow. Authentication between services would likely be a combination of public key verification and JWTs (in order to support authentication of the service and authorization of the subject, if there is one, for activity within the system).

I've not yet had the opportunity to implement the above, but I think it makes sense conceptually. The devil, as they say, is in the details; as long as you understand this conceptually, the hard part is just reading the docs to implement things correctly.

Hope this sheds some additional insight.

👍👍👍Thank you for your explanation, it was very helpful to me.