3

Problem:

I am building a FastAPI based API and need to design a role-based permission system for authorization. Users can have one of three roles: Admin, Developer, and Operator. These roles are hierarchical:

  • Operator has basic permissions.
  • Developer inherits Operator permissions and has additional capabilities.
  • Admin inherits Developer permissions and has full access.

I want a require_role dependency that enforces role-based authorization for my endpoints. This system should be scalable across multiple microservices and easy to extend when adding new roles in the future.

Extra information:

  • Roles must be shared between microservices and the frontend.
  • The system should follow a hierarchy where higher roles inherit lower-level permissions.
  • New roles may be added occasionally, but I don’t need a full-fledged RBAC system.

Example:

An implementation example to illustration the use case can be:

class Role:
    OPERATOR
    DEVELOPER
    ADMIN

class User(Model):
    username: str
    role: Role

def get_current_user() -> User:
    # to be replaced with actual authentication logic (e.g., JWT, OAuth, etc.)
    return User(username="john_doe", role=Role.DEVELOPER)

# Dependency to enforce role-based access
def require_role(min_role: Role) -> Callable[[User], None]:
    def role_checker(user: User = Depends(get_current_user)):
        # some logic here to verify if the user is authorized or not
    return role_checker

# Admins, developers and operators can access this resource
@app.get("/operator-endpoint")
async def operator_endpoint(user: User = Depends(require_role(Role.OPERATOR))):
    return {"message": "Accessible by operators and higher roles"}

# Admins and developers can access this resource
@app.get("/developer-endpoint")
async def developer_endpoint(user: User = Depends(require_role(Role.DEVELOPER))):
    return {"message": "Accessible by developers and higher roles"}

# Only admins can access this resource
@app.get("/admin-endpoint")
async def admin_endpoint(user: User = Depends(require_role(Role.ADMIN))):
    return {"message": "Accessible by admins only"}

First approach: Integer-Based Roles

  • Use an integer Enum to represent role weights, allowing authorization checks via simple comparisons (role >= required_role).
  • The Enum would be shared across microservices and redefined in the frontend.
  • Adding new roles requires extending the Enum.

An example of this approach implementation would be:

class Role(Enum):
    OPERATOR = 1
    DEVELOPER = 2
    ADMIN = 3

class User(Model):
    username: str
    role: int

def require_role(min_role: int) -> Callable[[User], None]:
    def role_checker(user: User = Depends(get_current_user)):
        if user.role < min_role:
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,
                detail="Insufficient permissions",
            )
    return role_checker

Second approach: Database-Backed Roles

  • Use a Role database table to store roles and their weights.
  • The User table has a foreign key referencing the Role table.
  • Adding new roles requires inserting a new row into the Role table.

An example of this approach implementation would be:

class Role(Model):
    id: int #primary key
    weight: int #an int to reflect thee role weight in order to verify authorization  

class User(Model):
    username: str
    role_id: int #foreign key to Role table

def require_role(min_role: int) -> Callable[[User], None]:
    def role_checker(user: User = Depends(get_current_user)):
        if user.role.weight < min_role:
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,
                detail="Insufficient permissions",
            )
    return role_checker

Question:

  • Considering maintainability, scalability (occasional role adding), performance and my use case, which approach is better: integer-based roles or database-backed roles?
Improve this question
1
  • 4
    Don't do this. Even if it now seems to be that there is a clear ordering of role permissions, that approach is far too limited and cannot be extended when your requirements change. With some caching, a system which associates a set of roles with each user, and a list of allowed operations with each role is much more powerful and would likely cause insignificant performance degradation. Commented Nov 27, 2024 at 16:34

1 Answer 1

Reset to default
4

In the context of microservices, neither of the options you presented is viable.

Microservices are meant to be independently deployable, which means that it must be possible to deploy a new version of the service that maintains the set of roles and introduce a new role, without affecting any of the other services.

With the integer roles, you need to do a lot of planning up-front to be able to insert new roles between the existing ones without affecting the numbering of the roles. And you will hit a point somewhere where it is not possible to add new roles without affecting the numbers of the existing roles.

With the database version, you can mitigate the numbering problem by looking up the number assigned to the target role, but that creates a bottleneck and single point of failure in your system, because every service becomes dependent on that database.

A better solution is to isolate the logic that a user with the Developer role always has the Operator role to the place where the roles get assigned to the user.

Design your system such that a User can have multiple Roles assigned to them and when one of those Roles matches the required Role, then the user has access to the resource. And only in the function that handles the assignment or Roles to Users, there is the logic that if the Administrator role gets assigned, then automatically the Developer and Operator roles are assigned as well.

Creating a new Role means updating the role-assignment logic, but services that don't need the new role can remain in complete ignorance of its existence.

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.