Design and Implementation of Unified Permission Management Service (MPS) at Baidu
Unified Permission Management Service (MPS) at Baidu centralizes fragmented permission systems across internal platforms, integrating ACL, DAC, and RBAC models via Baidu's GDP framework, and provides modules for platform and node management, permission CRUD, workflow approvals, and audit/recovery, now serving over 20,000 users and managing more than 100,000 permission nodes.
This article provides a comprehensive exploration of the Unified Permission Management Service (MPS) designed to address the fragmented permission management challenges across Baidu's internal platforms. The solution integrates RBAC, ACL, and DAC permission models to deliver flexible and precise access control.
Background and Requirements: With the proliferation of internal applications and data platforms, each platform maintained its own permission system, leading to management chaos and unclear hierarchical structures. The MPS was developed to centralize permission management across all data middle platform services.
Technology Selection: MPS utilizes Baidu's internal GDP (Go Develop Platform) framework, which offers advantages including seamless integration with Baidu's infrastructure, flexible configuration, robust RPC capabilities, and Prometheus-based monitoring support.
Permission Model Design: The system implements a hybrid approach combining three access control models: ACL for fine-grained resource-based access, DAC for owner-controlled permissions with role definitions (super admin, node admin, regular user), and RBAC for role-based permission management through permission packages.
Functional Modules: The system comprises four main modules: (1) Platform & Node Management - supporting multiple platform integrations with push/pull synchronization options; (2) Permission Management - historical data import, CRUD operations, and authentication services; (3) Application & Authorization - online request workflows with customizable approval processes and automatic authorization; (4) Permission Audit & Recovery - automated permission expiration detection, user departure/transfer handling, and comprehensive logging.
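As an added illustration of the hybrid model and the audit rules described above (example code, not Baidu's MPS implementation; the Store layout, field names and reason strings are assumptions), this Go authorization check consults the DAC roles, the ACL grants and the RBAC permission packages in turn, treats expired grants as absent, and refuses users flagged as departed.

```go
package main

import (
	"fmt"
	"time"
)

// Grant and Store are an assumed layout, not Baidu's MPS schema; a zero Expires means no expiry.
type Grant struct {
	Node, Action string
	Expires      time.Time
}
func (g Grant) live(now time.Time) bool { return g.Expires.IsZero() || now.Before(g.Expires) }

type Store struct {
	ACL        map[string][]Grant         // ACL: user -> direct grants on specific nodes
	SuperAdmin map[string]bool            // DAC: super admins may act on every node
	NodeAdmin  map[string]map[string]bool // DAC: node -> users who own/administer it
	Packages   map[string][]Grant         // RBAC: permission package -> bundled (node, action) pairs
	UserPkgs   map[string][]string        // RBAC: user -> packages assigned to that user
	Departed   map[string]bool            // audit: departed users keep nothing
}

// Authorize names the layer that decided; expired grants count as absent, as the audit module's expiration rule requires.
func (s *Store) Authorize(user, node, action string, now time.Time) (bool, string) {
	if s.Departed[user] {
		return false, "audit: user departed, permissions recovered"
	}
	if s.SuperAdmin[user] {
		return true, "DAC: super admin"
	}
	if s.NodeAdmin[node][user] {
		return true, "DAC: node admin"
	}
	for _, g := range s.ACL[user] {
		if g.Node == node && g.Action == action && g.live(now) {
			return true, "ACL: direct grant"
		}
	}
	for _, p := range s.UserPkgs[user] {
		for _, g := range s.Packages[p] {
			if g.Node == node && g.Action == action && g.live(now) {
				return true, "RBAC: package " + p
			}
		}
	}
	return false, "no live grant"
}

func main() { fmt.Println((&Store{Departed: map[string]bool{"dave": true}}).Authorize("dave", "n1", "read", time.Now())) }
```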
Implementation Results: MPS has been successfully deployed across nearly 40 business platforms, managing over 100,000 permission nodes with 50+ approval models. The system processes 20,000-30,000 monthly permission requests, serves 20,000+ users, and handles 1.3 million daily API calls with 300,000 daily authentication requests.
Baidu Geek Talk