Using attribute-based access control and mTLS in microservice architecture

Danila P. Kovtun, Olga R. Laponina

Abstract

This paper explores the use of mutual TLS authentication (mTLS) together with attribute-based access control (ABAC) in a microservice architecture. It discusses the basic principles of mTLS, its role in providing secure authentication between services, and ways to integrate TLS certificates into ABAC for making access decisions. The proposed model uses TLS certificates to identify and authorize subjects. An architectural approach is considered in which ABAC is implemented as microservices, which provides flexibility, scalability, and compatibility with modern distributed systems. Integrating mTLS and ABAC allows building a secure and holistic authentication and authorization model that protects critical data and transactions in microservice systems. The main idea of the proposed model is to use TLS certificates not only as an authentication tool in the mTLS handshake, but also as a reliable source of attributes for the ABAC system. Traditionally, tokens such as JWT have been used for authorization, while X.509 certificates are used exclusively to confirm the authenticity of the client and server when establishing a TLS connection. However, JWT tokens are vulnerable to interception and require additional validation mechanisms. In the proposed approach, all information required for authorization is embedded in X.509 certificates and verified cryptographically for each connection. A practical implementation of the ABAC model using the mTLS mechanism in a Kubernetes infrastructure is presented, with Ingress-NGINX as the policy enforcement point (PEP), Open Policy Agent (OPA) as the policy decision point (PDP), and Rego as the language for describing policies in OPA.
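As an added example (not code from the paper, nor from the OPA or Ingress-NGINX projects), the decision step the abstract describes: the PEP terminates mTLS, and the PDP reads its ABAC attributes from the verified client certificate rather than from a bearer token. The policy is written in Python here as a stand-in for the Rego policy the paper deploys in OPA. It assumes the PEP forwards the verification result and the certificate's subject and issuer DNs as the headers `ssl-client-verify`, `ssl-client-subject-dn` and `ssl-client-issuer-dn`, the names Ingress-NGINX uses when client-certificate authentication is enabled; the policy table, the issuer DN and all header values are constructed for the demonstration.

```python
from typing import Dict, List


def parse_rfc2253_dn(dn: str) -> Dict[str, List[str]]:
    """Parse an RFC 2253 distinguished name such as
    'CN=svc-orders,OU=orders,O=Example Corp' into {TYPE: [values]}.

    A backslash escapes the next character, so 'O=Acme\\, Inc' keeps its
    comma. Attribute types are upper-cased for case-insensitive lookup and
    repeated types (several OU=) collect into a list.
    """
    attrs: Dict[str, List[str]] = {}
    if not dn:
        return attrs
    buf: List[str] = []
    rdn_type = None
    i = 0
    while i <= len(dn):
        # A sentinel comma after the last character flushes the final RDN.
        ch = dn[i] if i < len(dn) else ","
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if ch == "=" and rdn_type is None:
            rdn_type = "".join(buf).strip().upper()
            buf = []
        elif ch == ",":
            if rdn_type is None:
                raise ValueError("RDN without '=' in %r" % dn)
            attrs.setdefault(rdn_type, []).append("".join(buf).strip())
            rdn_type, buf = None, []
        else:
            buf.append(ch)
        i += 1
    return attrs


# Constructed policy table (the paper expresses the equivalent rules in Rego):
# (HTTP method, path prefix) -> set of certificate OUs allowed to call it.
# Anything not listed is denied, so the policy fails closed.
POLICY = {
    ("GET", "/orders/"): {"orders", "billing"},
    ("POST", "/orders/"): {"orders"},
    ("GET", "/billing/"): {"billing"},
}

# Constructed issuer DN of the internal CA that signs service certificates.
TRUSTED_ISSUER = "CN=Internal Services CA,O=Example Corp"


def decide(headers: Dict[str, str], method: str, path: str) -> Dict[str, object]:
    """PDP decision for one request.

    `headers` holds the request headers (lower-cased names) as forwarded by
    the PEP after it terminated mTLS. Certificate attributes are trusted only
    because the PEP verified the chain; the ssl-client-verify check refuses
    requests where that verification did not happen or failed.
    """
    if headers.get("ssl-client-verify") != "SUCCESS":
        return {"allow": False, "reason": "client certificate not verified by PEP"}
    if headers.get("ssl-client-issuer-dn") != TRUSTED_ISSUER:
        return {"allow": False, "reason": "certificate not issued by the service CA"}

    subject = parse_rfc2253_dn(headers.get("ssl-client-subject-dn", ""))
    ous = set(subject.get("OU", []))
    cn = subject.get("CN", ["<no CN>"])[0]

    for (rule_method, prefix), allowed_ous in POLICY.items():
        if method == rule_method and path.startswith(prefix) and ous & allowed_ous:
            return {"allow": True, "subject": cn,
                    "reason": "OU %s may %s %s" % (sorted(ous & allowed_ous), method, prefix)}
    return {"allow": False, "subject": cn,
            "reason": "no rule grants %s %s to OU %s" % (method, path, sorted(ous))}


if __name__ == "__main__":
    # Constructed header sets standing in for what Ingress-NGINX would forward.
    verified = {
        "ssl-client-verify": "SUCCESS",
        "ssl-client-issuer-dn": TRUSTED_ISSUER,
        "ssl-client-subject-dn": "CN=svc-orders,OU=orders,O=Example Corp",
    }
    unverified = {"ssl-client-verify": "NONE"}
    for hdrs, m, p in [(verified, "GET", "/orders/42"),
                       (verified, "GET", "/billing/7"),
                       (unverified, "GET", "/orders/42")]:
        print(m, p, decide(hdrs, m, p))
```

The two checks that run before any attribute is read are the point of the design: an OU taken from a certificate is only as trustworthy as the PEP's verification of that certificate, so the PDP refuses anything the PEP did not report as verified, and pinning the issuer DN keeps a certificate from some other CA in the PEP's trust bundle from carrying an OU it was never meant to assert.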


Full Text: PDF (Russian)

ISSN: 2307-8162