Building a central, robust, extensible and highly available authorization service is no joke
and @Airbnb does it beautifully
here’s a thread about its architecture and key design decisions… 🧵👇
It is all about managing fine-grained control over different entities, for example:
Why do we need a service for this?
If each microservice handles its own authorization, then there would be
Hence, it is beneficial to create a central auth service. Let’s see how it is modeled.
Can user A edit comment C?
Here A is the principal, C is the entity, and edit is the relation.
The tuple is represented and (optionally stored) in the database as
<entity> # <relation> @ <principal>
if user A has owner privileges on comment C, it will be represented (and optionally stored) as
C # OWNER @ A
Storing one entry for each entity and relation would make the data explode. For example:
if A owns a comment C, then he/she can read and write to it as well, which would require 3 entries in the database:
C # READ @ A
C # WRITE @ A
C # OWNER @ A
We need a way to define relations between relations and entities to reduce the size of the data.
A simple YAML-based config would look like this
LISTING:
  # WRITE:
    union:
      - # WRITE
      - # OWNER
  # READ:
    union:
      - # READ
      - # WRITE
The above configuration implies:
anyone with either the WRITE or the OWNER relation can write, and anyone with either the READ or the WRITE (and hence, transitively, the OWNER) relation can read the listing on Airbnb.
To check if user A can read listing L, we hit
check (listing:L, READ, user:A)
It evaluates as
a union: if any one of these exists in the DB,
check evaluates to True.
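To make the tuple model and the union rewrite concrete, here is an added example (not Airbnb's or Himeji's own code) that models the LISTING config above and evaluates check(listing:L, READ, user:A) against a constructed tuple store; the config structure, type prefixes and sample tuples are assumptions for illustration.

```python
# Added example (not Airbnb's/Himeji's own code): a minimal model of the
# relation tuples and union-based rewrite described above. Config and
# tuples are constructed sample data.
from typing import Dict, List, Set, Tuple

# Relation rewrite, mirroring the LISTING config: a relation is the union of
# the listed relations. A relation naming itself means "look up direct tuples";
# relations with no rewrite (OWNER) are always looked up directly.
CONFIG: Dict[str, Dict[str, List[str]]] = {
    "LISTING": {"WRITE": ["WRITE", "OWNER"], "READ": ["READ", "WRITE"]},
}

Tuple3 = Tuple[str, str, str]  # (entity, relation, principal)

# Constructed tuple store: one OWNER tuple is enough to grant A read and write.
TUPLES: Set[Tuple3] = {
    ("listing:L", "OWNER", "user:A"),
    ("listing:L", "READ", "user:B"),
}


def parse_tuple(line: str) -> Tuple3:
    """Parse the textual form '<entity> # <relation> @ <principal>'."""
    entity, rest = line.split("#", 1)
    relation, principal = rest.split("@", 1)
    return entity.strip(), relation.strip(), principal.strip()


def granting_relations(etype: str, relation: str, config=CONFIG) -> Set[str]:
    """Relations that imply `relation` via the rewrite, e.g. READ <- {READ, WRITE, OWNER}."""
    result: Set[str] = set()
    stack = [relation]
    while stack:  # the visited set also guards against cyclic configs
        rel = stack.pop()
        if rel not in result:
            result.add(rel)
            stack.extend(c for c in config.get(etype, {}).get(rel, []) if c != rel)
    return result


def check(entity: str, relation: str, principal: str,
          tuples: Set[Tuple3] = TUPLES, config=CONFIG) -> bool:
    """check(entity, relation, principal): True if any union branch has a tuple."""
    etype = entity.split(":", 1)[0].upper()  # "listing:L" -> LISTING
    return any((entity, rel, principal) in tuples
               for rel in granting_relations(etype, relation, config))
```

With a single `listing:L # OWNER @ user:A` tuple stored, check(listing:L, READ, user:A) and check(listing:L, WRITE, user:A) both evaluate to True, while user:B, who only holds READ, is denied WRITE.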
The Himeji (authorization) service consists of 3 layers:
Let’s take a detailed look at each.
The data layer of the Himeji service consists of
The caching layer of the Himeji service is super-critical for performance as it ensures low response time at scale.
The orchestration layer is used by clients and internal jobs to interact with the service. The layer
This design is taken from @Airbnb’s Engineering Blog and it is linked in the description of the video attached.
If you like what you read, you can always subscribe to my newsletter and get the posts delivered straight to your inbox. I write essays on various engineering topics and share them through my weekly newsletter.