As we’ve described in this CONQUER series (Part 1, Part 3), distributed systems are information tools enabling volitional entities in relationships of permission and obligation to achieve their intents via purposeful dialogs, communicated among software components proxying their wills, consisting of imperative, declarative, and interrogative sentences: commands, queries, and events.
Let’s briefly consider the nature of permission and obligation in commands, queries and events.
In a command, the caller is responsible – legally and morally – for the outcome of the command. The recipient who executes the command is responsible to validate that the caller is who they profess to be, and that they have the authority to issue the command.
If an authorized app calls the ‘launch the nukes’ service, the apocalypse is on the user. If an unauthorized app calls the service, and the service obeys the command and launches the nukes, it’s on both of them.
But in both cases the caller is responsible for the outcome if and only if the consequences of the command are exactly as represented by the recipient.
If the app calls the ‘‘order Mentos’ service and the nukes launch, it’s on the service. When law is finally re-established, the post-apocalyptic judiciary will have to figure out who knew what when – so log everything.
In a query, the recipient is responsible to validate that the querier is who they profess to be, and that they have permission to get the answer.
If the caller has permission, any consequence of the release of the information is on them. If my app calls your query service, has permission to hear the answer, you tell me the password to Pandora’s Box, and the user uses it to open the box and unleash Evil on the world, it’s on the caller. If the caller did not have permission, but you released the password anyway, it’s on both of you.
In an event notification, the caller is responsible to validate that the recipient is who they profess to be, and that they have permission to get the notification.
In pub/sub implementations, the subscription manager is the proxy of the will of the event ‘owner’ with respect to its broadcast.
If the recipient has permission, any consequence of the release of the information is on them. If my service, with permission, tells Perez Hilton that Brad and Jen are back together, and he tells the world, it’s on him. If Perez did not have permission to hear the notification, but I told him anyway, it’s on both of us – and Jen will strike you from her Christmas card list like <snap>that</>.
Health IT Architect 