Hi,
I am building a platform where I have a few services. Let's say I have 2 Elixir services (as standalone releases), 1 Rust/Golang service… and probably one or two more coming.
I would like to implement RBAC on the level of the platform. My question/dilemma is how to approach this, due to the fact that it would not be just an Elixir codebase.
Options I am thinking about:
1. Implement RBAC within one of the Elixir services and expose this, for instance via REST, to the others.
2. Implement RBAC as a standalone service and expose functionalities via REST to the others.
   - 2A. Here I was checking Casbin (https://casbin.org) and perhaps based on this (https://github.com/casbin/casbin-ex)
   - 2B. Implement kind of my own RBAC - haven't really found any nice library yet
Right now I feel like … this Authentication / Authorization part of the Elixir ecosystem is still a bit immature, where I don't mean the libraries that exist are immature, but common best practices, approaches to solving problems, and design patterns around this are still not well documented.
For me as a beginner, for instance… you have Phx.gen.auth, Guardian, Ueberauth, Pow, Pow_assent, Bodyguard, … and many more. Should I go with this or that… what would be the best approach to easily maintain and further develop, not just for a weekend project, but for something that would need to run in production for the next 2 years, for instance.
Next, dilemmas… if I go with this… would I be able to cover SPAs, LiveView, channels, OAuth, stateless, stateful… and all other buzzwords and components? What combination would be best? And I guess this is really important for the options above. I am pretty sure I will use channels/LiveView in my services too, as well as regular templates. There will probably be a React SPA too as part of this. What to choose, how to approach this?
I know one could say I mixed everything in the same basket, but I intentionally want to emphasize what someone who starts with this probably sees.
It would be really great if there were more documentation on this, based on examples.
I appreciate @josevalim's suggestion a few days back on documenting more use cases around Phx.gen.auth. That would be really awesome.
Until then, … dilemmas like this make a mess in my head.
So if someone can share a bit of feedback on my options above, I would really appreciate it.
Bye
Tomaz