Advances in computer technology (e.g., microprocessor speed, memory capacity, data transfer bandwidth, software functionality, and the like) have generally contributed to increased computer application in various industries. Ever more powerful server systems, which are often configured as an array of servers, are commonly provided to service requests originating from external sources such as the World Wide Web, for example.
As the amount of available electronic data grows, it becomes more important to store such data in a manageable manner that facilitates user friendly and quick data searches and retrieval. Today, a common approach is to store electronic data in one or more databases. A typical database can be referred to as an organized collection of information with data structured such that a computer program can quickly search and select desired pieces of data, for example. Moreover, in such environments a federation refers to a group of organizations or service providers that have built trust among each other and enable sharing of user identity information amongst themselves.
In general, digital identity corresponds to the electronic information associated with an individual in a particular identity system. With the advent of distributed computing models such as web services, there are increased interdependencies among entities such as a Service Providers (SP's.) Accordingly, a current trend is to focus on inter-organization and inter-dependent management of identity information rather than identity management solutions for internal use. Such can be referred to as federated identity management. In general, federated identity is a distributed computing construct that recognizes that individuals move between corporate boundaries at an increasingly frequent rate. Practical applications of federated identities are represented by large multinational companies that are required to manage several heterogeneous systems at the same time. For example, such an effort can be represented by the notion of Single Sign-On (SSO), which enables a user to login to multiple organizations or SP's by using the same username and password.
The following presents a simplified summary in order to provide a basic understanding of some aspects described herein. This summary is not an extensive overview of the claimed subject matter. It is intended to neither identify key or critical elements of the claimed subject matter nor delineate the scope thereof. Its sole purpose is to present some concepts in a simplified form as a prelude to the more detailed description that is presented later.
The subject innovation facilitates addition of a node to a federation via a link component thru three phases of join, introduce and advise. In the join phase, the joining node x routes a JOIN message targeted to its own ID. Likewise, in the introduce phase the introducing node continuously sends INTRODUCE message to nodes in its extended neighborhood to obtain a stable view of the extended neighborhood. Such extended neighborhood typically refers to a scenario wherein a node contains a plurality of advised nodes on each side (e.g. H advised nodes on each side, wherein H is an integer—as opposed to H introduced nodes on each side.) For example, when the federation is stable, every introduced node is also an advised node, and hence the two concepts are equal. Accordingly, when there exist nodes that actively join the federation, an extended neighborhood in fact becomes larger than the neighborhood (e.g., a neighborhood being extended to form the extended neighborhood). Typically, a node attempts to maintain its neighborhood, and in an introduce phase the introducing node will try to maintain an extended neighborhood. Such introduce phase supplies a snapshot of the extended neighborhood that typically ensures accuracy at some point of time.
Every node receiving the INTRODUCE message can respond with an INTRODUCERESPONSE message. Both messages contain the sending node's full neighborhood. Similarly, the advise phase will actually insert the advising node into its neighbor's neighborhood, wherein an advising node continuously sends ADVISE message to nodes in its extended neighborhood, to obtain a stable view of extended neighborhood. It is to be appreciated that such extended neighborhood can be different from the one when it completes the Introduce phase. Every node receiving the ADVISE message will simply reply with an ADVISERESPONSE message. Both messages contain the sender's full neighborhood.
In a related methodology, when a node boots up it can create an empty neighborhood with a neighborhood range that only covers its own node ID; and hence the node has no knowledge of the federation except for itself. After a node boots up, it can exchange messages with each other. For every message, the sending node can include nodes in its full neighborhood and its neighborhood range in the message so that the receiving node can update its neighborhood using the information in the message.
The nodes are part of a Federation, which represents a collection of domains that have established trust. The level of trust can vary, but typically include authentication and authorization. In general, a federation of the subject innovation can include a number of organizations that have established trust for shared access to a set of resources. At no time two nodes will ever claim ownership of the same token, and a message destined to the given id at any moment is accepted only by that node—(e.g., a safety property). Moreover, when a message is repeatedly sent to a target id, it is eventually accepted, (e.g., a liveness property.)
To the accomplishment of the foregoing and related ends, certain illustrative aspects of the claimed subject matter are described herein in connection with the following description and the annexed drawings. These aspects are indicative of various ways in which the subject matter may be practiced, all of which are intended to be within the scope of the claimed subject matter. Other advantages and novel features may become apparent from the following detailed description when considered in conjunction with the drawings.
The various aspects of the subject innovation are now described with reference to the annexed drawings, wherein like numerals refer to like or corresponding elements throughout. It should be understood, however, that the drawings and detailed description relating thereto are not intended to limit the claimed subject matter to the particular form disclosed. Rather, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope of the claimed subject matter.
Typically, the ring 110 is associated with a federation can consist of the set of nodes that cooperate among themselves to form a dynamic and scalable network, wherein information can be systematically and efficiently disseminated and located. Moreover, the nodes participating in a federation as a sorted list using a binary relation that is reflexive, anti-symmetric, transitive, total, and defined over the domain of node identities. For example, both ends of the sorted list can be joined, thereby forming a ring 110. Such provides for each node in the list to view itself as being at the middle of the sorted list. In a related aspect, the list can be doubly linked such that a node can traverse the list in either direction. Moreover, a one-to-one mapping function can be defined from the value domain of the node identities to the nodes themselves. Such mapping function accounts for the sparseness of the nodes in the value domain when the mapping is not tight.
As such, every node participating in the federation is assigned a natural number that is between 0 and some appropriately chosen upper bound, inclusive, and that that range does not have to be consecutive—e.g., there can exist gaps between numbers assigned to nodes. Such number assigned to a node acts as its identity in the ring. The mapping function accounts for gaps in the number space by mapping a number being positioned in between two node identities to the node having an identity that is numerically closest to the number. Accordingly, by assigning each node a uniformly distributed number, it can be ensured that all segments of the ring are uniformly populated. Moreover and as described in detail infra, nodes that indicate the successor, predecessor, and neighborhood computations can be performed efficiently using modulo arithmetic.
Typically, every node maintains a neighborhood of H nodes (H being an integer) that are closest to it on each side. N(X) denotes the set of neighbors of node X, wherein Neighborhood edge is a node in N(X) that is furthest away from X. Every node has a neighborhood edge on each of the predecessor and successor directions. If a node Y is in N(X), Y is referred to as being IN X's neighborhood. If Y is closer to X than X's neighborhood edge (on the same side of X), Y is said to be WITHIN X's neighborhood. It is to be appreciated that it is possible for Y to be within X's neighborhood but not in the neighborhood if X is not aware of the existence of Y. Accordingly for a Node X, the subject innovation enables that if there exists another ready node Y that is within X's neighborhood—then Y must also be in X's neighborhood.
Likewise, the introduction component 202 continuously sends INTRODUCE message to nodes in its extended neighborhood until it obtains a stable view of the extended neighborhood. Every node receiving the INTRODUCE message will respond with an INTRODUCERESPONSE message. Both messages contain the sending node's full neighborhood.
In general the following acts can be performed based on encountered conditions
1. If the introducing node already has a view of its extended neighborhood, act or step 2 below can be performed, wherein the introducing node can obtain such a view from the JOINRESPONSE message directly if every introduced node contained in the JOINRESPONSE message is also an advised node, which is the typical case. Otherwise, it will keep sending INTRODUCE message to introduced nodes in its current view of (partial) extended neighborhood and update its view from the response. Such act is repeated until the introducing node obtains H advised node on each side.
2. When the introducing node obtains an initial view of its extended neighborhood, it tries to confirm that this view remains accurate. To do so, it sends an INTRODUCE message to every INTRODUCED node IN the extended neighborhood, plus every introducing node WITHIN the extended neighborhood. Whenever an INTRODUCERESPONSE message is received, it checks to see whether it needs to update its extended neighborhood or not. If so, such indicates that the initial view of extended neighborhood is no longer correct. It will then start from the updated extended neighborhood and repeat act or this step 2.
3. If the introducing node has received all the responses and its extended neighborhood does not change, it will complete the introduce phase and becomes an introduced node.
4. If during the process the introducing node loses the entire of its neighborhood on either side (all neighbors are down), it will return to the join phase.
It is to be appreciated that at the end of this phase, the introducing node has not been added to any other node's neighborhood yet because none of them will know that it has become introduced. However, they are aware that the node as introducing in their full neighborhood.
Similarly, the advisory component can implement the advisory phase that actually inserts the advising node into its neighbor's neighborhood, wherein an advising node continuously sends ADVISE message to nodes in its extended neighborhood, to obtain a stable view of extended neighborhood—(It is further appreciated that this extended neighborhood can be different from the one when it completes the Introduce phase). Every node receiving the ADVISE message will simply reply with an ADVISERESPONSE message. Both messages contain the sender's full neighborhood.
Exemplary details on the advising node side can be performed according to the following acts:
It is to be appreciated that at the end of such phase, every node in its neighborhood must typically have added it into their neighborhood. After the advise phase the node will transition into the synchronize phase where it can acquire routing token. Accordingly, with the combination of the neighborhood update/extension protocol and the join protocol, the federation can provide the neighborhood consistency guarantee, which is base for high level consistency guarantees such as routing consistency.
If node Y is IN X's neighborhood and it becomes shutdown, X will remove it from its neighborhood. If Y happens to be X's neighborhood edge, X will adjust (shrink) its neighborhood range. In the following example it is assumed that H=2. Assuming that node 100 initially has a neighborhood range of 80-120 with nodes 80, 90, 110 and 120. If a new node 105 joins the federation and becomes introduced, 100 will add to its neighborhood and adjust its neighborhood range to 80-110, which contains 80, 90, 105 and 110. Subsequently, if node 90 leaves the federation—as will be described in detail infra (e.g., a shutdown)-100 will remove 90 from its neighborhood but retain the same range of 80-110. It is to be appreciated that that this neighborhood is no longer complete because it contains only one node on the predecessor side. If node 110 also leaves the federation, 100 will further adjust its neighborhood range to be 80-105 with nodes 80 and 105.
A more complex scenario involves the cases wherein a node requires extending its neighborhood. Accordingly, continuing with the previous example, if node 70 joins the federation and become introduced, node 80 cannot add 70 to its neighborhood and adjust its range to 70-105 blindly, because there can be another node 75 that has also joined the federation as an advised node and thus extending the range to 70 can violate the consistency guarantee. Therefore, extending the neighborhood should be done with a guarantee that there does not exist any advised node within the extended range. Such rules can be specified as follows: For node X to extend its neighborhood edge from introduced node Y to another introduced node Z, the following are to be satisfied:
In general, rule “d” is to prevent stale message. For example, assuming that initially there are the following consecutive nodes in the federation: 40, 50, 60, 70, 80, 90, 100, 110 and 120. Also, suppose that node 60 sends a message to 100 conveying 60's neighborhood which contains 40, 50, 70 and 80 with a range of 40-80, and the message is delayed. Before the message reaches node 100, node 75 joins the federation and becomes advised. Now node 80 shuts down and node 100 shrinks its neighborhood edge from 80 to 90. Without rule d, when node 100 receives the delayed message from 60, it can extend its neighborhood edge to 70—yet such creates errors because it missed 75 and broke the consistency. With rule d, node 100 will perform the extension only if node 60 already knows that node 80 is down and therefore node 60's guarantee is still relevant. For example, if after node 80 shuts down node 70 notices such change and sends a message to node 100, this message can contain 75 and 90 in its neighborhood with a range of 50-90, with the shutdown node information about node 80. Accordingly, all the rules are satisfied and node 100 can safely extend its neighborhood edge from 90 to 75.
Moreover, the actual neighborhood extension protocol can be as follows: When a node X detects that it does not have a complete neighborhood, it should send an EDGEPROBE message to its current neighborhood edge. The receiving node can reply with an EDGEPROBERESPONSE message. Both messages contain the sender's full neighborhood. This process is repeated until X has a complete neighborhood.
In the example, above, when node 100 detects that node 80 is down and therefore it no longer has a complete neighborhood, it should send an EDGEPROBE message to its current edge 90. With such message node 90 is notified that node 80 is down (if it has not known about it yet) and will respond with its neighborhood: 70, 75, 100 and 110. This message will enable node 100 to update its neighborhood and regain a complete neighborhood. It is noted that if node 90 (or 70) happens to send another message to node 100, it will achieve the same effect. It is to be appreciated that the EDGEPROBE message is a mere example for node 100 to ask latest information from its edge node to repair its neighborhood. Also note that message loss for either the EDGEPROBE or the EDGEPROBERESPONSE is not critical since the node detecting incomplete neighborhood will keep sending the EDGEPROBE message periodically.
Likewise, the rules described above can be employed for updating initial neighborhood. For example, if node 100 merely boots up with an empty neighborhood, it then receives a message from 110 that includes 110's view of neighborhood: 80, 90, 120 and 130, with a neighborhood range of 80-130. Node 100 can then update its own neighborhood to be 80, 90, 110 and 120, with a range of 80—120—wherein such update actually involves four neighborhood extensions, each extension meets the rules described above.
As illustrated in
The word “exemplary” is used herein to mean serving as an example, instance or illustration. Any aspect or design described herein as “exemplary” is not necessarily to be construed as preferred or advantageous over other aspects or designs. Similarly, examples are provided herein solely for purposes of clarity and understanding and are not meant to limit the subject innovation or portion thereof in any manner. It is to be appreciated that a myriad of additional or alternate examples could have been presented, but have been omitted for purposes of brevity.
As used in this application, the terms “component”, “system”, are intended to refer to a computer-related entity, either hardware, a combination of hardware and software, software, or software in execution. For example, a component can be, but is not limited to being, a process running on a processor, a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a server and the server can be a component. One or more components can reside within a process and/or thread of execution, and a component can be localized on one computer and/or distributed between two or more computers.
Furthermore, all or portions of the subject innovation can be implemented as a system, method, apparatus, or article of manufacture using standard programming and/or engineering techniques to produce software, firmware, hardware or any combination thereof to control a computer to implement the disclosed innovation. For example, computer readable media can include but are not limited to magnetic storage devices (e.g., hard disk, floppy disk, magnetic strips . . . ), optical disks (e.g., compact disk (CD), digital versatile disk (DVD) . . . ), smart cards, and flash memory devices (e.g., card, stick, key drive . . . ). Additionally it should be appreciated that a carrier wave can be employed to carry computer-readable electronic data such as those used in transmitting and receiving electronic mail or in accessing a network such as the Internet or a local area network (LAN). Of course, those skilled in the art will recognize many modifications may be made to this configuration without departing from the scope or spirit of the claimed subject matter.
In order to provide a context for the various aspects of the disclosed subject matter,
With reference to
The system bus 618 can be any of several types of bus structure(s) including the memory bus or memory controller, a peripheral bus or external bus, and/or a local bus using any variety of available bus architectures including, but not limited to, 11-bit bus, Industrial Standard Architecture (ISA), Micro-Channel Architecture (MSA), Extended ISA (EISA), Intelligent Drive Electronics (IDE), VESA Local Bus (VLB), Peripheral Component Interconnect (PCI), Universal Serial Bus (USB), Advanced Graphics Port (AGP), Personal Computer Memory Card International Association bus (PCMCIA), and Small Computer Systems Interface (SCSI).
The system memory 616 includes volatile memory 620 and nonvolatile memory 622. The basic input/output system (BIOS), containing the basic routines to transfer information between elements within the computer 612, such as during start-up, is stored in nonvolatile memory 622. For example, nonvolatile memory 622 can include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable ROM (EEPROM), or flash memory. Volatile memory 620 includes random access memory (RAM), which acts as external cache memory. By way of illustration and not limitation, RAM is available in many forms such as synchronous RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), and direct Rambus RAM (DRRAM).
Computer 612 also includes removable/non-removable, volatile/non-volatile computer storage media.
It is to be appreciated that
A user enters commands or information into the computer 612 through input device(s) 636. Input devices 636 include, but are not limited to, a pointing device such as a mouse, trackball, stylus, touch pad, keyboard, microphone, joystick, game pad, satellite dish, scanner, TV tuner card, digital camera, digital video camera, web camera, and the like. These and other input devices connect to the processing unit 614 through the system bus 618 via interface port(s) 638. Interface port(s) 638 include, for example, a serial port, a parallel port, a game port, and a universal serial bus (USB). Output device(s) 640 use some of the same type of ports as input device(s) 636. Thus, for example, a USB port may be used to provide input to computer 612, and to output information from computer 612 to an output device 640. Output adapter 642 is provided to illustrate that there are some output devices 640 like monitors, speakers, and printers, among other output devices 640 that require special adapters. The output adapters 642 include, by way of illustration and not limitation, video and sound cards that provide a means of connection between the output device 640 and the system bus 618. It should be noted that other devices and/or systems of devices provide both input and output capabilities such as remote computer(s) 644.
Computer 612 can operate in a networked environment using logical connections to one or more remote computers, such as remote computer(s) 644. The remote computer(s) 644 can be a personal computer, a server, a router, a network PC, a workstation, a microprocessor based appliance, a peer device or other common network node and the like, and typically includes many or all of the elements described relative to computer 612. For purposes of brevity, only a memory storage device 646 is illustrated with remote computer(s) 644. Remote computer(s) 644 is logically connected to computer 612 through a network interface 648 and then physically connected via communication connection 650. Network interface 648 encompasses communication networks such as local-area networks (LAN) and wide-area networks (WAN). LAN technologies include Fiber Distributed Data Interface (FDDI), Copper Distributed Data Interface (CDDI), Ethernet/IEEE 802.3, Token Ring/IEEE 802.5 and the like. WAN technologies include, but are not limited to, point-to-point links, circuit switching networks like Integrated Services Digital Networks (ISDN) and variations thereon, packet switching networks, and Digital Subscriber Lines (DSL).
Communication connection(s) 650 refers to the hardware/software employed to connect the network interface 648 to the bus 618. While communication connection 650 is shown for illustrative clarity inside computer 612, it can also be external to computer 612. The hardware/software necessary for connection to the network interface 648 includes, for exemplary purposes only, internal and external technologies such as, modems including regular telephone grade modems, cable modems and DSL modems, ISDN adapters, and Ethernet cards.
What has been described above includes various exemplary aspects. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing these aspects, but one of ordinary skill in the art may recognize that many further combinations and permutations are possible. Accordingly, the aspects described herein are intended to embrace all such alterations, modifications and variations that fall within the spirit and scope of the appended claims.
Furthermore, to the extent that the term “includes” is used in either the detailed description or the claims, such term is intended to be inclusive in a manner similar to the term “comprising” as “comprising” is interpreted when employed as a transitional word in a claim.