Optimizing Application Security: Delivering a Centralized, Multi-Application Authorization System with Casbin and Rust

Client Background

Our client, a multinational consultancy that operates across multiple regions and with a workforce of over 1,000 employees. Their client portofolio includes high-profile organizations, with a high standard on the application security in need of fine-grained control over resources that are served between multiple applications. As they continue to grow, they need a reliable approach to manage rules on protecting data resources across multiple applications.

Challenges

WIth multiple services already built-in and integrated with existing authentication system, there are some challenges in their authorization checks:

Complex Authorization Rules: Each application handles its own authorization logic, leading to inconsistencies and potential data loss when modifying database relationships to accommodate complex rules.
Slow Authorization Checks: Applications built on lower-performance platforms (e.g., Python for machine learning tasks) experience delays, as authorization checks further degrade overall performance.
Flexible Authorization Rules: With each application hard-coding its own rules, any policy changes require coordination across multiple teams and applications, slowing down updates and increasing complexity.

Objectives and Goals

The client had some objectives in mind:

Centralized and Abstracted Authorization Control: Consolidate authorization logic into a single, abstracted service to eliminate the need for application-specific rules, reducing complexity and the risk of inconsistencies.
Low Latency and High Performance Service: Implement a highly efficient authorization service that ensures minimal impact on application performance, even when handling complex rule evaluations across multiple services.

Project Scope and Timeline

The project aims to evaluate and compare high-performing, feature-rich open-source authorization frameworks. To achieve this, we conducted a thorough review of different frameworks, analyzing their capabilities and benchmarking their performance to identify the optimal solution. With multiple proposals to the client, we’ve completed the project in less than 2 months.

Approach and Strategy

Creating a Centralized Authorization Service on Performant and Memory-safe Language

We built the system using Rust to ensure:

Memory Safety: Eliminates memory-related vulnerabilities for improved stability.
High Performance: Delivers fast execution and low overhead for a more responsive system.
Bare Metal Deployment with Enhanced Security: Provides a robust solution with minimal layers, increasing security at the infrastructure level.
Abstracted Authorization Checks as Dynamic Rules

We implemented Casbin for abstracting authorization checks, enabling:

Dynamic Rule Modification: Allows for real-time adjustments to authorization rules without redeploying code.
Caching Support: Significantly reduces latency in authorization checks, improving overall system responsiveness.
Separating Resource Data Models and Resource Auth Models

By decoupling the resource data model from the authorization model, we achieved:

Reduced System Strain: Lightens the load on the core system, enhancing its efficiency.
Team Focus: Allows teams to concentrate on core functionalities while isolating authorization concerns for more streamlined development.

Implementation Details

Phase 1 Framework Reviews, Benchmarks, and Implementation Testing : We began by reviewing multiple open-source authorization frameworks, prioritizing features and performance. Extensive benchmarking was conducted to compare each framework’s speed, flexibility, and compatibility with the client’s architecture. During this phase, we also performed proof-of-concept tests to ensure the chosen framework would meet the client's high-performance and dynamic requirements.
Phase 2 Implementing Centralized System : After selecting the optimal framework (Casbin in this case), we implemented the centralized authorization service using Rust for its memory safety and high performance. This phase involved developing the core infrastructure, abstracting the authorization logic, and integrating dynamic rule modifications. We ensured caching mechanisms were in place to reduce latency, making the system highly responsive even under heavy loads.
Phase 3 Integrating with Existing System : In the final phase, the centralized service was integrated with the client's existing applications. We decoupled the resource data models from the authorization logic, migrating these into the new service to reduce the strain on legacy systems. This integration was done incrementally, ensuring seamless transitions without disrupting ongoing operations. The result was a fully centralized, efficient, and scalable authorization system, significantly improving overall performance and flexibility.

Results and Impact

Increased System Performance : Rust's high-performance execution, combined with Casbin's caching mechanisms, significantly reduces latency in authorization checks. Decoupling the resource data models further improves system efficiency by lowering the load on legacy systems, enhancing overall application responsiveness.
Enhanced Security and Stability : Implementing the system in Rust ensures memory safety, reducing security vulnerabilities and system crashes. The centralized authorization service also strengthens security by providing a consistent, robust approach to access control across all applications.
Greater Flexibility and Scalability : Using Casbin for abstracted authorization logic allows dynamic rule changes without manual code updates, making the system adaptable to evolving policies. The centralized service simplifies the onboarding of new applications, improving scalability without complicating the architecture.