Authentication for Metamodel Interchanger

[jbaird123]

Currently the Metamodel Interchanger does not have any authentication. Is it necessary to implement authentication?

@stuartasutton

[stuartasutton]

@jbaird123 (@jeannekitchens), that is an interesting question that we should probably ask Fritz. I can't see an immediate need if what's returned from it is fulfillment of a request from the Request Broker. However, I know that Fritz had to implement some sort of API to make the interchanger work in its current configuration. I guess my question is who if authenticating with whom...Interchanger to Request Broker or Request Broker to Interchanger?

[jbaird123]

@stuartasutton - this question came from Fritz. We would just be authenticating the request broker to the interchanger. Fritz just asked if authentication was required, so I thought I should check with you. Doesn't matter to me, and I don't see anything one way or another in the spec.

[jeannekitchens]

When we talked about this with Eduworks there was no requirement for authentication via CaSS because users are already authenticated. Fritz could likely set it up to require keys if needed. This brings to mind another question. Is CaSS storing the framework that is exchanged after the exchange is completed. I don't think we want CaSs to store frameworks that are exchanged, true? This came to mind thinking about why additional authentication to CaSS might be needed or unnessary.

[jbaird123]

@jeannekitchens - I'll leave the question about whether CaSS is storing the exchange to @stuartasutton since I don't think it makes a difference to the development team. Regarding the authentication, I will let Fritz know that it's up to him - if he wants to implement authentication he can, and if not, that's fine too.

[stuartasutton]

Yes! Good point, Jeanne. Basically, we do not want them storing them. We've committed to the transacted frameworks living nowhere on the network...which I would assume logically means not storing them in a companion service relied on by the network.

[stuartasutton]

@jbaird123 & @jeannekitchens, has this issue of NOT permanently storing in CaSS the schemas that have had their meta-model's exchanged by the Rosetta Lens been discussed with Fritz?

[neaf]

My take on the authentication: We don't really need that. If they are fine with having the service exposed publicly that's a risk on their part (of course if they handle the deployment and infrastructure). I raised the topic because having authentication is a sane thing to do from the service owner perspective.

[stuartasutton]

@jbaird123, I have no opinion on interchanger authentication. If it is not needed on either end--RB authenticates the the Interchanger or Interchanger authenticates with the RB--then there is no need to impose doing so.