How Uber Reinvented Access Control for Microservices

· Source: ByteByteGo Newsletter · Field: Technology & Digital — Software Development & Engineering, Cybersecurity & Data Privacy, Cloud Computing & IT Infrastructure · Depth: Intermediate, medium

Summary

Uber developed Charter, an attribute-based access control (ABAC) system, to manage authorization across its thousands of microservices, which require decisions in microseconds. Traditional access control proved insufficient for complex conditions involving user location, time of day, or data relationships. Charter centralizes policy management and distributes policies to services, where a local library, authfx, evaluates them. The system defines authorization requests using Actor, Action, Resource (UON format), and Context. ABAC extends this by adding conditions, which are Boolean expressions evaluated against attributes fetched from various Attribute Stores (Policy Information Points) at runtime. Uber selected Google's Common Expression Language (CEL) for condition expressions due to its familiar syntax, data type support, built-in functions, and microsecond-level performance. This approach allows for dynamic, fine-grained, and scalable authorization, as demonstrated by a single generic policy managing thousands of Kafka topics based on dynamic ownership data from the uOwn service.

Key takeaway

For Software Engineers building or maintaining large-scale microservice architectures, adopting an ABAC system like Uber's Charter can significantly enhance security and operational agility. You can define complex, dynamic authorization policies that adapt to changing attributes without code deployments, reducing maintenance overhead and improving precision. Consider leveraging existing expression languages like CEL and structuring your authorization requests around Actor, Action, Resource, and Context to streamline implementation.

Key insights

Attribute-based access control (ABAC) provides dynamic, fine-grained authorization for complex, large-scale microservice architectures.

Principles

Method

Define authorization as Actor, Action, Resource, Context. Use an expression language (like CEL) to evaluate conditions against attributes fetched from dedicated attribute stores (PIPs) at runtime for dynamic, fine-grained access control.

In practice

Topics

Best for: Software Engineer, Security Engineer, DevOps Engineer

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by ByteByteGo Newsletter.