Microservicessystem_design~25 mins

Role-based access control in Microservices - System Design Exercise

Choose your learning style9 modes available

Learn Why Deep Arch Practice Challenge Design Recall Scale

Design: Role-Based Access Control (RBAC) System

Design covers the RBAC system including role management, permission assignment, and enforcement in microservices. Out of scope are user authentication mechanisms and UI design.

Functional Requirements

FR1: Users can have one or more roles assigned.

FR2: Each role has specific permissions to access resources or perform actions.

FR3: The system must enforce access control checks for microservices APIs.

FR4: Support dynamic role and permission management by administrators.

FR5: Audit logs for access attempts and changes to roles or permissions.

FR6: Support at least 100,000 users and 1,000 concurrent API requests.

FR7: API response latency for access checks should be under 100ms p99.

FR8: Ensure high availability with 99.9% uptime.

Non-Functional Requirements

NFR1: Microservices architecture with independent services.

NFR2: Centralized authorization service for role and permission management.

NFR3: Use token-based authentication (e.g., JWT) for user identity.

NFR4: Access control decisions must be fast and scalable.

NFR5: Data consistency for role and permission updates must be eventual.

Think Before You Design

Questions to Ask

❓ Question 1

❓ Question 2

❓ Question 3

❓ Question 4

❓ Question 5

❓ Question 6

Key Components

Authorization Service for managing roles and permissions

API Gateway or sidecar for enforcing access control

Token service issuing JWTs with embedded roles/permissions

Permission cache for fast access checks

Audit logging service

Database for storing roles, permissions, and assignments

Design Patterns

Centralized authorization with distributed enforcement

Token-based authentication with embedded claims

Caching for low-latency permission checks

Event-driven updates for cache invalidation

Audit logging with append-only storage

Reference Architecture

          +---------------------+
          |  Admin UI / CLI     |
          +----------+----------+
                     |
                     v
          +---------------------+          +---------------------+
          | Authorization       |          | Audit Logging       |
          | Service             |<---------| Service             |
          +----------+----------+          +---------------------+
                     |
                     v
          +---------------------+          +---------------------+
          | Role & Permission   |          | Database            |
          | Database            |          | (Roles, Permissions,|
          +----------+----------+          | Assignments, Logs)  |
                     |                     +---------------------+
                     v
          +---------------------+
          | Token Service       |
          +----------+----------+
                     |
                     v
          +---------------------+          +---------------------+
          | API Gateway /       |<-------->| Permission Cache    |
          | Sidecar             |          +---------------------+
          +----------+----------+
                     |
                     v
          +---------------------+
          | Microservices       |
          +---------------------+

Components

Authorization Service

Spring Boot / Node.js microservice

Manages roles, permissions, and user-role assignments. Provides APIs for admin operations.

Role & Permission Database

PostgreSQL

Stores roles, permissions, user-role mappings, and audit logs.

Token Service

OAuth2 / JWT issuer

Issues JWT tokens embedding user roles and permissions claims.

API Gateway / Sidecar

Envoy / Kong / custom middleware

Intercepts requests, validates tokens, and enforces access control using cached permissions.

Permission Cache

Redis

Caches user permissions for fast access control checks.

Audit Logging Service

Elastic Stack / Kafka + storage

Records access attempts and changes to roles or permissions for compliance.

Request Flow

1. 1. Admin creates or updates roles and permissions via Authorization Service.

2. 2. Authorization Service updates Role & Permission Database and emits events for cache invalidation.

3. 3. Token Service issues JWT tokens embedding user roles and permissions claims after user authentication.

4. 4. User sends API request with JWT token to API Gateway.

5. 5. API Gateway validates token signature and extracts roles/permissions claims.

6. 6. API Gateway checks Permission Cache for user permissions; if missing, fetches from Authorization Service.

7. 7. API Gateway enforces access control based on permissions; allows or denies request.

8. 8. Microservice processes request if authorized.

9. 9. Audit Logging Service records access decisions and role/permission changes asynchronously.

Database Schema

Entities: - User: user_id (PK), username, email - Role: role_id (PK), role_name, description - Permission: permission_id (PK), resource, action - UserRole: user_id (FK), role_id (FK), composite PK - RolePermission: role_id (FK), permission_id (FK), composite PK - AuditLog: log_id (PK), user_id (FK), action, resource, timestamp, success_flag Relationships: - User to Role is many-to-many via UserRole - Role to Permission is many-to-many via RolePermission - AuditLog references User for tracking

Scaling Discussion

Bottlenecks

Authorization Service becomes a bottleneck for frequent role/permission queries.

Permission Cache may become stale or overwhelmed with invalidation events.

API Gateway latency increases with complex permission checks.

Audit Logging volume grows rapidly with many users and requests.

Solutions

Use distributed caching with TTL and event-driven invalidation to reduce Authorization Service load.

Shard Permission Cache by user or service to improve scalability.

Offload complex permission evaluation to asynchronous jobs or precompute permission sets.

Implement log aggregation and compression; use scalable storage like Elasticsearch or cloud logging.

Interview Tips

Time: Spend 10 minutes clarifying requirements and constraints, 20 minutes designing components and data flow, 10 minutes discussing scaling and trade-offs, 5 minutes summarizing.

Explain how roles and permissions map to user access.

Describe token-based authentication and embedding claims for efficiency.

Discuss caching strategies to meet latency requirements.

Highlight audit logging importance for security and compliance.

Address how to handle updates and cache invalidation.

Mention trade-offs between consistency and availability.