That implies that every service has a `user -> permissions` table, no? That seems to contradict the idea brought up elsewhere in the thread that microservices should all be the size of one table.
For RBAC or capability-based permissions, the gateway can enrich the request or it can be in (e.g.) a JWT. Then each service only has to know how to map roles/capabilities to permissions.
For ABAC it depends on lots of things, but you often evaluate access based on user attributes and context (which once again can be added to the request or go into the JWT) plus resource attributes (which is already in the microservice anyway).
For ACL you would need a list of users indeed...
Something like Google Zanzibar can theoretically live on the gateway and apply rules to different routes. Dunno how it would deal with lists, though.
After writing it down: sounds like an awful lot of work for a lot of cases.
Btw: the rule for microservices that I know of, is that they must have their own database, not their own table.
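As an added illustration of the JWT approach described in the comment above (example code, not from anyone in the thread): the gateway mints a token carrying roles and a tenant attribute, and the service verifies it and keeps only a role-to-permission map plus an ABAC check against the resource's own attributes. The HS256 signing, the shared secret, the role names and the `tenant` attribute are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for the demo; a real deployment would use a per-environment key.
SECRET = b"demo-secret-not-for-production"

# The only authorization state this service owns: how roles map to its own permissions.
ROLE_PERMISSIONS = {
    "viewer": {"order:read"},
    "editor": {"order:read", "order:update"},
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(claims: dict) -> str:
    """Gateway side: mint an HS256 JWT carrying the user's roles and attributes."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token: str) -> dict:
    """Service side: check the alg and signature before trusting any claim (exp/iss checks omitted)."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise PermissionError("bad signature")
    return json.loads(b64url_decode(payload))

def is_allowed(token: str, action: str, resource: dict) -> bool:
    """RBAC from the roles in the token, then an ABAC rule using attributes the service already holds."""
    claims = verify_token(token)
    perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in claims.get("roles", [])))
    if action not in perms:
        return False
    # ABAC: the user's tenant (from the token) must match the resource's tenant (from local data).
    return claims.get("tenant") == resource["tenant"]
```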
Good points about RBAC and ABAC, although my concern is now the gateway must know what capabilities are possible within the service. It seems like a lot of work, indeed.
> the rule for microservices that I know of, is that they must have their own database, not their own table.
That's the rule for microservices that I'm familiar with too, which is why I found the assertion elsewhere that microservices should just be "one table" pretty odd.
The simplest path is often auth offloaded onto STS or something like that with more complicated permissions needs handled by the services internally, if necessary (often it's not needed).
Not sure if I agree it's really the best way to do things, but it can be done.