Proposal: Authorization
Problem
- ARSnova has a role concept based around a room
- Currently, information about who is owner/moderator in a room is stored in CouchDB
- Each service needs role information when handling commands/requests
Supporting an API for room access information
- Provide an API (accessible by a JWT only services can generate) to get room access
- Request has to involve roomId and userId
- Returns a role
- arsnova-backend can still work the way it works now
Add a distributed cache (Hazelcast?) to all services
- Cache:
  - Key: <roomId>_<userId>
  - Value (e.g.): CREATOR
- arsnova-backend can fill the cache by listening to Spring events (e.g. AfterCreationEvent<Room>)
- Services can check for authorization against cache
- not sure: If it's a miss, the API can be queried (as a fallback)
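A sketch of the cache lookup with the API fallback described above, added here as an example and not taken from the ARSnova code base. The class, the method names, the BiFunction standing in for the room access API client, and the rule that ids containing "_" are rejected are all assumptions. A ConcurrentHashMap stands in for the distributed cache.

```java
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.function.BiFunction;

public class RoomAccessCheck {
    // Stand-in for the distributed cache (Hazelcast's IMap is also a ConcurrentMap).
    private final ConcurrentMap<String, String> cache = new ConcurrentHashMap<>();
    // Hypothetical client for the room access API: (roomId, userId) -> role, empty if none.
    private final BiFunction<String, String, Optional<String>> roomAccessApi;

    RoomAccessCheck(BiFunction<String, String, Optional<String>> roomAccessApi) {
        this.roomAccessApi = roomAccessApi;
    }

    // Key format from the proposal. Ids containing '_' are rejected (assumption) so that
    // ("a_b", "c") and ("a", "b_c") cannot resolve to the same cache entry.
    static String key(String roomId, String userId) {
        if (roomId.isEmpty() || userId.isEmpty() || roomId.contains("_") || userId.contains("_")) {
            throw new IllegalArgumentException("invalid id");
        }
        return roomId + "_" + userId;
    }

    // What an event listener (e.g. on room creation) would call to fill the cache.
    void onRoleGranted(String roomId, String userId, String role) {
        cache.put(key(roomId, userId), role);
    }

    // Cache first, API on a miss. Unknown pairs, bad ids and API errors all mean "no access".
    boolean hasRole(String roomId, String userId, String required) {
        try {
            String k = key(roomId, userId);
            String role = cache.get(k);
            if (role == null) {
                Optional<String> fetched = roomAccessApi.apply(roomId, userId);
                if (fetched.isEmpty()) return false; // misses are not cached, so a later grant is seen
                role = fetched.get();
                cache.putIfAbsent(k, role);
            }
            return role.equals(required);
        } catch (RuntimeException e) {
            return false; // fail closed
        }
    }

    public static void main(String[] args) {
        RoomAccessCheck check = new RoomAccessCheck((room, user) -> Optional.empty());
        check.onRoleGranted("room1", "alice", "CREATOR"); // constructed sample ids
        System.out.println(check.hasRole("room1", "alice", "CREATOR") + " "
            + check.hasRole("room1", "bob", "CREATOR") + " " + check.hasRole("room1_alice", "x", "CREATOR"));
    }
}
```

Role removal or a change of room ownership would also need an event that evicts or overwrites the cached entry; otherwise services keep authorizing against the old role.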
Thoughts
- Gateways would only need to authenticate
- If gateways injected the role into requests, the different instances would have to synchronize anyway
Edited by Tom Käsler