Who authenticates where

From Filtered Push Wiki

The native database software (e.g. Specify), a local network node, and other network nodes are all likely to be spread across the network, with the API between the native database software and the local network node using some form of web service or other network communication. Authentication of users could occur in several ways.

[Figure: Login overlay.png]

At one end of the range of possibilities, the user could authenticate only to the native database software, with implicit trust between the native database software and a local network node. This is clearly susceptible to attack (in both directions if the API calls for the local node to contact the native database).

[Figure: Login plain.png]

At the other end of the range of possibilities, users could be authenticated individually into the network, with user credentials being maintained in some centralized manner. We most likely don't want to do this, as it could add a substantial system administration burden.

[Figure: Remote login.png]

Another possibility would be to authenticate users individually at local nodes, with the local node managing its own set of users.

[Figure: Local user login.png]

Another possibility would be to authenticate users individually into the native database software, and then have that software authenticate into the local node.

[Figure: Local node login.png]

Handling authentication isn't quite as simple as saying we will let it happen on the edges and let nodes in the network authenticate with each other: the API for connecting to local nodes from native database software provides a potential attack route into the network and needs some thought about access control.
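The implicit-trust arrangement beside the one where the native database software authenticates into the local node, as an added example that is not part of the wiki or of any Filtered Push code. The HMAC shared-key scheme, the client name, the operation names and every function name are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import time

# Constructed sample registry held by the local node (hypothetical names):
# one shared key and one set of permitted operations per native database client.
CLIENTS = {
    "specify-herbarium-a": {"key": b"constructed-demo-key-A",
                            "allowed": {"query", "annotate"}},
}
MAX_SKEW = 300  # seconds for which a signed request stays valid


def sign_request(client_id, key, user, operation, ts):
    """Client side: the native database software has already authenticated
    the user and signs the call it makes to the local node on their behalf."""
    body = json.dumps({"client": client_id, "user": user, "op": operation,
                       "ts": ts}, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def node_accept_implicit(body, mac):
    """Implicit trust: the node acts on anything that reaches its API."""
    return True


def node_accept_authenticated(body, mac, now=None):
    """The node authenticates the calling software, then applies access control."""
    now = time.time() if now is None else now
    try:
        msg = json.loads(body)
        client = CLIENTS[msg["client"]]
    except (ValueError, KeyError, TypeError):
        return False  # malformed body or unregistered client
    expected = hmac.new(client["key"], body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return False  # wrong key, or body altered after signing
    ts = msg.get("ts")
    if not isinstance(ts, (int, float)) or abs(now - ts) > MAX_SKEW:
        return False  # stale or replayed request
    return msg.get("op") in client["allowed"]  # per-client access control
```

The user name in the body is only as trustworthy as the client that signed it, so the node's access control here is per client, not per user.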