0x1d
38a251968c
Transform all documentation from modular monolith to true microservices
architecture where core services are independently deployable.
Key Changes:
- Core Kernel: Infrastructure only (no business logic)
- Core Services: Auth, Identity, Authz, Audit as separate microservices
- Each service has own entry point (cmd/{service}/)
- Each service has own gRPC server and database schema
- Services register with Consul for service discovery
- API Gateway: Moved from Epic 8 to Epic 1 as core infrastructure
- Single entry point for all external traffic
- Handles routing, JWT validation, rate limiting, CORS
- Service Discovery: Consul as primary mechanism (ADR-0033)
- Database Pattern: Per-service connections with schema isolation
Documentation Updates:
- Updated all 9 architecture documents
- Updated 4 ADRs and created 2 new ADRs (API Gateway, Service Discovery)
- Rewrote Epic 1: Core Kernel & Infrastructure (infrastructure only)
- Rewrote Epic 2: Core Services (Auth, Identity, Authz, Audit as services)
- Updated Epic 3-8 stories for service architecture
- Updated plan.md, playbook.md, requirements.md, index.md
- Updated all epic READMEs and story files
New ADRs:
- ADR-0032: API Gateway Strategy
- ADR-0033: Service Discovery Implementation (Consul)
New Stories:
- Epic 1.7: Service Client Interfaces
- Epic 1.8: API Gateway Implementation
5.0 KiB
5.0 KiB
Story 2.3: Authz Service - Authorization & RBAC
Metadata
- Story ID: 2.3
- Title: Authz Service - Authorization & RBAC
- Epic: 2 - Core Services (Authentication & Authorization)
- Status: Pending
- Priority: High
- Estimated Time: 10-12 hours
- Dependencies: 1.1, 1.2, 1.5, 1.7, 2.2
Goal
Implement Authz Service as an independent microservice for permission resolution and authorization checks. The service exposes a gRPC server, manages its own database connection with Role and Permission entities, and registers with Consul service registry.
Description
This story implements the Authz Service as a separate, independently deployable microservice. It includes permission resolution, RBAC/ABAC authorization checks, role-permission management, and user-role assignment via gRPC. The service has its own entry point, database connection with Role and Permission entity schemas, and service registration.
Deliverables
1. Service Entry Point (cmd/authz-service/main.go)
- Independent service entry point
- Bootstrap with core kernel services
- Register with Consul service registry
- Start gRPC server on configured port (default: 8083)
- Graceful shutdown with service deregistration
2. gRPC Service Definition (api/proto/authz.proto)
AuthorizeRequest/AuthorizeResponse- Check if user has permissionHasPermissionRequest/HasPermissionResponse- Boolean permission checkGetUserPermissionsRequest/GetUserPermissionsResponse- Get all user permissionsGetUserRolesRequest/GetUserRolesResponse- Get user rolesAuthzServicegRPC service definition
3. gRPC Server Implementation (services/authz/internal/api/server.go)
- gRPC server implementation
- Handlers for authorization operations
- Integration with Authz Service business logic
4. Authz Service Implementation (services/authz/internal/service/authz_service.go)
- Permission resolution from user roles
- RBAC authorization checks
- Permission caching (Redis)
- Uses
IdentityServiceClientto get user roles - Permission inheritance via roles
5. Permission System (pkg/perm/perm.go)
Permissiontype (string format: "module.resource.action")- Core permission constants
- Permission validation utilities
6. Database Connection and Schema (services/authz/ent/schema/)
- Authz Service database connection (schema:
authz) - Role entity schema: ID, name, description, created_at
- Permission entity schema: ID, name (format: "module.resource.action")
- RolePermission entity (many-to-many relationship)
- UserRole entity (many-to-many, references Identity Service users)
- Migration support
- Per-service connection pool
7. Service Client Integration
- Uses
IdentityServiceClientto get user roles - Uses
AuditServiceClientto log authorization checks - Service discovery via Consul
8. Service Registration
- Register with Consul on startup
- Health check endpoint for Consul
- Service metadata (name:
authz-service, port: 8083) - Deregister on shutdown
Acceptance Criteria
- Authz Service is independently deployable
- Service entry point exists at
cmd/authz-service/main.go - Service registers with Consul on startup
- gRPC server starts on configured port (8083)
- Authorize RPC checks if user has permission
- HasPermission RPC returns boolean permission check
- GetUserPermissions RPC returns all user permissions
- Users inherit permissions through roles
- Permission checks are cached (Redis)
- Service has its own database connection (authz schema)
- Role and Permission entity schemas are defined and migrated
- Service uses IdentityServiceClient to get user roles
- Service uses AuditServiceClient for logging
- Service can be discovered by other services via Consul
- Health check endpoint works for Consul
Related ADRs
- ADR-0019: Permission DSL Format
- ADR-0029: Microservices Architecture
- ADR-0030: Service Communication Strategy
- ADR-0033: Service Discovery Implementation
Testing
# Test Authz Service
go test ./services/authz/...
# Test service startup
go run cmd/authz-service/main.go
# Test gRPC service
grpcurl -plaintext localhost:8083 list
grpcurl -plaintext -d '{"user_id":"123","permission":"blog.post.create"}' \
localhost:8083 authz.AuthzService/Authorize
Files to Create/Modify
cmd/authz-service/main.go- Service entry pointapi/proto/authz.proto- gRPC service definitionservices/authz/internal/api/server.go- gRPC server implementationservices/authz/internal/service/authz_service.go- Authz service logicservices/authz/ent/schema/role.go- Role entity schemaservices/authz/ent/schema/permission.go- Permission entity schemaservices/authz/ent/schema/role_permission.go- Relationship schemapkg/perm/perm.go- Permission typesconfig/default.yaml- Add authz service configuration