SaFi Bank Space : Document storage

Individual domains have requirements on storing various documents (objects) originating either from the Customer or the Bank.

Examples of such documents (as per SM-1473 - Design approach to object storage):

  • Images of the ID card and the customer's face captured during KYC

  • Video recordings of the video call with the customer during KYC

  • Transaction statements generated at the end of the month for each customer

  • General bank documents, not specific to a customer (such as TnC, Terms of use documents)

The services that own the documents should also own their storage, in the same way that they own the storage of the data they maintain in the Database.

Object storage provider choice

GCS was chosen as the object storage provider.

Domain service approach

Each service can store documents related to its domain in a GCS bucket dedicated to that service. The bucket is accessible only to the service that owns it, which gives a separation of permissions similar to Database segregation in microservices.

Any access to the documents stored in GCS needs to be granted by the domain service owning the document.

An implementation guide on how to connect to GCS is available here: Google Cloud Storage on Micronaut (Kotlin)

Accessing a document

The document access should be arranged through the owning service. The owning domain service decides whether or not the client has access to the specific document the service owns.

If the client has access to the document, the owning service will create a signed URL for the object in GCS, and send the URL to the client. The client will then use it to fetch the document from the GCS directly.

The validity period of the URL is for the owning service to decide, based on the sensitivity of the document.

Storing a document

Documents should be stored by proxying the upload through the document-owning service. The service verifies that the client is permitted to upload such a document and then stores the document in its dedicated path with a unique (UUID4) fileId.

The owning service should store a reference to the file in its own Database for the purpose of:

  • granting access to the file by Id to clients

  • providing any other search, filtering or aggregation functionalities which are specific to the domain
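The store and access flows described above, as an added sketch in Python (not the project's own code, which uses Kotlin on Micronaut). The document kinds, validity periods, upload policy, class names and the in-memory `fake_gcs` stand-in are assumptions; in a real service `put` and `sign` would wrap the GCS client.

```python
import uuid
from dataclasses import dataclass
from datetime import timedelta
from typing import Callable, Dict, Optional

# Assumed document kinds and validity periods; the page leaves the values to each service.
TTL_BY_KIND = {"general": timedelta(hours=1), "statement": timedelta(minutes=10),
               "kyc": timedelta(minutes=2)}
CLIENT_UPLOADABLE = {"kyc"}   # assumed policy: which kinds a client may upload

@dataclass(frozen=True)
class DocumentRef:            # reference kept in the owning service's own database
    file_id: str              # UUID4 generated by the service at upload time
    kind: str                 # key into TTL_BY_KIND
    owner: Optional[str]      # customer id; None for general bank documents

class DocumentService:
    def __init__(self, bucket: str, put: Callable[[str, str, bytes], None],
                 sign: Callable[[str, str, timedelta], str]):
        # put/sign wrap the GCS client; only this service's identity can use the bucket.
        self.bucket, self.put, self.sign = bucket, put, sign
        self.refs: Dict[str, DocumentRef] = {}   # stands in for the database table

    def store(self, caller: str, kind: str, data: bytes) -> str:
        if kind not in CLIENT_UPLOADABLE:
            raise PermissionError("upload not permitted")
        file_id = str(uuid.uuid4())               # object name never comes from the client
        self.put(self.bucket, f"{kind}/{file_id}", data)
        self.refs[file_id] = DocumentRef(file_id, kind, caller)
        return file_id

    def signed_url(self, caller: str, file_id: str) -> Optional[str]:
        ref = self.refs.get(file_id)
        # Same answer for "unknown id" and "not yours", so ids cannot be probed.
        if ref is None or (ref.owner is not None and ref.owner != caller):
            return None
        return self.sign(self.bucket, f"{ref.kind}/{ref.file_id}", TTL_BY_KIND[ref.kind])

def fake_gcs():
    """Constructed in-memory stand-in for GCS so the example runs offline."""
    objects = {}
    def put(bucket, name, data): objects[(bucket, name)] = data
    def sign(bucket, name, ttl):
        if (bucket, name) not in objects:
            raise KeyError(name)
        return f"https://storage.example/{bucket}/{name}?expires_in={int(ttl.total_seconds())}"
    return objects, put, sign
```

The client only ever supplies a fileId; the object path and the validity period are derived from the stored reference on the service side.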
