WO2012115896A2 - Multi-tenant services gateway - Google Patents

Multi-tenant services gateway Download PDF

Info

Publication number
WO2012115896A2
WO2012115896A2 PCT/US2012/025792 US2012025792W WO2012115896A2 WO 2012115896 A2 WO2012115896 A2 WO 2012115896A2 US 2012025792 W US2012025792 W US 2012025792W WO 2012115896 A2 WO2012115896 A2 WO 2012115896A2
Authority
WO
WIPO (PCT)
Prior art keywords
resource
request
subsystem
tenant
runtime
Prior art date
Application number
PCT/US2012/025792
Other languages
French (fr)
Other versions
WO2012115896A3 (en
Inventor
Clemens VASTERS
Ronen HILEWICZ
David Wortendyke
Original Assignee
Microsoft Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Microsoft Corporation filed Critical Microsoft Corporation
Priority to EP12749623.0A priority Critical patent/EP2678984B1/en
Publication of WO2012115896A2 publication Critical patent/WO2012115896A2/en
Publication of WO2012115896A3 publication Critical patent/WO2012115896A3/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/50Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5011Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Definitions

  • Compute systems are moving toward an architecture known as cloud computing.
  • cloud computing servers that are remotely located provide resources in response to requests from clients or other servers. Resources may include data storage, processor usage, communications subsystems, queuing services, or various other computing services.
  • resources may include data storage, processor usage, communications subsystems, queuing services, or various other computing services.
  • cloud computing the physical location of servers is isolated from requesters.
  • a client device may communicate with multiple services, and may employ multiple communication protocols, each protocol corresponding to a service with which the client communicates.
  • a service may employ multiple protocols in order to accommodate clients communicating with different protocols.
  • changing services may involve changing a protocol that a client employs.
  • a system, method, and components operate to provide a gateway to a multiple services for multiple tenants.
  • a gateway acts as a front end for the various services.
  • mechanisms include receiving resource management requests, such as requests to allocate a resource, from tenants.
  • the system may determine, based on the specified resource type, a corresponding subsystem, forward the request to the determined subsystem, receive from the subsystem an identification of the resource, store resource data descriptive of the resource, including an identification of the resource, and send to the tenant the identification of the resource.
  • mechanisms may include receiving, from the tenant in a first protocol, a runtime request to perform an operation related to a resource, retrieve resource data, attach the resource data to the request, and forward the request in a second protocol to the corresponding subsystem.
  • multiple protocol heads may be included, each one implementing a corresponding protocol for communicating with tenants, extracting data from incoming requests, attaching resource data, and forwarding the data in a canonical form to a subsystem.
  • the protocol handlers may isolate the subsystems from the protocols used by the tenants. This may enable subsystems to be added to the system without being configured to process the protocols of the tenants. It may also enable new protocols to be handled by adding new protocol handlers, without reconfiguring the subsystems.
  • a system may include one or more pipeline components that selectively process incoming requests, based on resource data or other configuration data.
  • One configuration includes a pre-authorization component that authorizes incoming requests prior to forwarding them to subsystems.
  • an access control service selectively provides an access token based on a security token.
  • the pre- authorization component may process the access token to determine authorization.
  • a subsystem may be configured to subsequently perform additional authorization.
  • the system may provide, to a tenant, a management URI for requesting management operations related to a resource and a runtime URI for requesting runtime operations related to the resource.
  • the URI specifies a namespace and a component identifier.
  • the URI may include a string for private use by the corresponding subsystem.
  • FIGURE 1 is a block diagram of an example environment in which mechanisms described herein may be deployed;
  • FIGURE 2 is a block diagram of an example gateway system in which mechanisms described herein may be deployed;
  • FIGURE 3 is a flow diagram illustrating an example embodiment of a process for providing access to management services, in accordance with mechanisms described herein;
  • FIGURE 4 is a flow diagram illustrating an example embodiment of a process for providing access to runtime operations, in accordance with mechanisms described herein;
  • FIGURE 5 is a block diagram of an example system for providing access to services, in which authorization mechanisms described herein may be deployed;
  • FIGURE 6 is a flow diagram illustrating an example embodiment of a process for authorizing access to services, in accordance with mechanisms described herein;
  • FIGURE 7 is a block diagram showing one embodiment of a computing device, illustrating selected components of a computing device that may be used to perform functions described herein.
  • Example embodiments of the present invention now will be described more fully hereinafter with reference to the accompanying drawings, which form a part hereof, and which show, by way of illustration, specific example embodiments by which the invention may be practiced.
  • This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
  • the present invention may be embodied as methods or devices. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. The following detailed description is, therefore, not to be taken in a limiting sense.
  • processor refers to a physical component such as an integrated circuit that may include integrated logic to perform actions.
  • an application refers to a computer program or a portion thereof, and may include associated data.
  • An application may be an independent program, or it may be designed to provide one or more features to another application.
  • An "add-in” and a “plug-in” are examples of applications that interact with and provides features to a "host” application.
  • An application is made up of any combination of application components, which may include program instructions, data, text, object code, images or other media, security certificates, scripts, or other software components that may be installed on a computing device to enable the device to perform desired functions.
  • Application components may exist in the form of files, libraries, pages, binary blocks, or streams of data.
  • An application component may be implemented as a combination of physical circuitry and associated logic. For example, an ASIC may be used to implement an application component.
  • authenticate refers to confirming that facts or claims are true, to an acceptable degree of certainty. Authenticating a user or a user's identity applies to confirming that the stated identity of the user is sufficient and accurate.
  • Authenticating a request from a user may include confirming that the identity information included with the request is accurate, that the request originated with or is authorized by the identified user, that the request has not been improperly modified, or that other information in the request is accurate. Authentication has an associated degree of certainty, allowing for a situation in which information has been authenticated yet may be inaccurate.
  • the components described herein may execute from various computer-readable media having various data structures thereon.
  • the components may communicate via local or remote processes such as in accordance with a signal having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, or across a network such as the Internet with other systems via the signal).
  • Software components may be stored, for example, on non-transitory computer-readable storage media including, but not limited to, an application specific integrated circuit (ASIC), compact disk (CD), digital versatile disk (DVD), random access memory (RAM), read only memory (ROM), floppy disk, hard disk, electrically erasable programmable read only memory (EEPROM), flash memory, or a memory stick in accordance with embodiments of the present invention.
  • ASIC application specific integrated circuit
  • CD compact disk
  • DVD digital versatile disk
  • RAM random access memory
  • ROM read only memory
  • floppy disk hard disk
  • EEPROM electrically erasable programmable read only memory
  • flash memory or
  • Computer-readable media includes both non-transitory storage media and communications media.
  • Communications media typically embody computer-readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transport mechanism and include any information-delivery media.
  • communications media include wired media, such as wired networks and direct-wired connections, and wireless media such as acoustic, radio, infrared, and other wireless media.
  • FIGURE 1 is a block diagram of an environment 100 in which embodiments may be practiced.
  • FIGURE 1 provides a basic understanding of an example environment, though many configurations may be employed and many details are not illustrated in FIGURE 1.
  • an example environment 100 includes one or more clients 102, 104, or 106.
  • each client is illustrated as a computing device.
  • client 102 is a hand-held computing device
  • client 102 is a laptop or other portable computing device
  • client 106 may be a desktop computer, server, or other relatively stationary computing device.
  • clients may be in the form of any one or more computing devices, computer processes, modules, or similar component.
  • tenants 101, 103, and 105 employ clients 102, 104, and 106 respectively to communicate with the system.
  • a tenant may be a person, a user account, a computing process, or other such entity that performs computing operations.
  • each tenant is illustrated corresponding to one client device, a tenant may employ multiple client devices concurrently or sequentially.
  • a tenant may log in to any client device to perform computing operations.
  • a tenant process may execute on one or more client devices.
  • each tenant is discussed as having one unique client computing device, though the invention is not so limited.
  • a tenant may itself be a system or cloud service that provides services to other clients.
  • each of clients 102, 104, or 106 communicates with one or more subsystems 114, 116, or 118.
  • Multiple tenants may communicate with a common subsystem.
  • there may be a many-to- many relationship between clients and subsystems.
  • client 102 communicates with subsystem 114
  • client 104 communicates with subsystem 116 and 118
  • client 106 communicates with subsystem 118.
  • Each of subsystems 114-118 may provide a corresponding set of services to requesting tenants. Services may be referred to as resources. Examples of resources include data storage and retrieval, computing processor time, queuing, messaging, or connectivity.
  • Each tenant may have a corresponding subscription to a set of services that it employs.
  • a subscription may be accounted for in a variety of ways. For example, a credit card model may charge a tenant for each service that the tenant uses, or the amount of a service that it uses. In another example, a lump sum subscription may charge a tenant on a periodic basis for services used up to a specified limit, or on an unlimited basis. Various other accounting mechanisms or combinations thereof may be used to implement subscriptions.
  • each tenant is provided with corresponding resources in a way that is isolated from other tenants' resources.
  • multiple tenants may each have a corresponding data storage resource that is only visible to the owning tenant. From the point of view of a tenant, it may appear as though it is the only tenant using the system, though the system is aware of multiple tenants.
  • Resources may be virtually separated, though they are not necessarily physically separated.
  • a resource provided to a tenant may be physically distributed across multiple processors, storage devices, or computing devices, though presented to a tenant as a virtually integrated resource. Over a period of time, a resource may be physically moved, though the location is transparent to the owning tenant.
  • gateway 112 functions as an intermediary between each of clients 102, 104, or 106 and subsystems 114, 116, or 118.
  • gateway 112 may process communications by canonicalization of communications between clients and subsystems in order to provide a unified way of processing multiple computer protocols or formats.
  • Gateway 112 may provide various preprocessing services, such as authentication or authorization of tenants, logging, filtering, tracing, transformations, or other services. Mechanisms of gateway 112 are discussed in further detail herein.
  • each of clients 102, 104, or 106 may communicate with any of subsystems 114-118 through network 110.
  • Network 110 may include a local area network, a wide area network, direct connections, or a combination thereof.
  • network 110 includes the Internet, which is a network of networks.
  • Network 110 may include wired communication mechanisms, wireless communication
  • Communications between clients 102, 104, or 106, and gateway 112 or subsystems 114-118 or other computing devices may employ one or more of various wired or wireless communication protocols, such as IP, TCP/IP, UDP, HTTP, SSL, TLS, FTP, SMTP, WAP, Bluetooth, or WLAN.
  • various wired or wireless communication protocols such as IP, TCP/IP, UDP, HTTP, SSL, TLS, FTP, SMTP, WAP, Bluetooth, or WLAN.
  • each of clients 102, 104, and 106, gateway 112, and subsystems 114, 116, and 118 is implemented by one or more computing devices.
  • a computing device may be a special purpose or general purpose computing device.
  • one embodiment of a computing device that may be employed includes one or more processing units, a memory, a display, keyboard and pointing device, and a
  • the one or more processing units may include one or more multiple core processors.
  • Example computing devices include mainframes, servers, blade servers, personal computers, portable computers, communication devices, consumer electronics, or the like.
  • a computing device may include a general or special purpose operating system.
  • the Windows® family of operating systems, by Microsoft Corporation, of Redmond, WA, are examples of operating systems that may execute on a computing device.
  • FIGURE 7 illustrates an example embodiment of a computing device that may be used to implement gateway 112, subsystems 114-118, or clients 102, 104, or 106.
  • FIGURE 2 is a block diagram of an example system 200 in which mechanisms described herein may be deployed.
  • the illustrated example system 200 may be used in environment 100 of FIGURE 1 or a variation thereof.
  • Example system 200 includes management gateway 202 and runtime gateway 204, which may be components of gateway 112.
  • Example system 200 further includes subsystem adapter 224 and subsystem backend 230, which may be components of subsystem 114, 116, or 118.
  • management gateway 202 includes protocol head 206;
  • runtime gateway 204 includes protocol heads 208, 210, and 212. Though three protocol heads are illustrated corresponding to runtime gateway 204 and one protocol head 206 corresponds to management gateway 202, a gateway may have more or less associated protocol heads.
  • a gateway may have an architecture that includes protocol heads, has protocol heads that plug into a gateway, or use protocol heads that are associated in another manner.
  • each protocol head implements a corresponding framing protocol.
  • a framing protocol is a protocol that employs a socket to implement a connection with a client device.
  • framing protocols include HyperText Transport Protocol (HTTP), .NET Message Framing Protocol (NMF), Session Initiation Protocol (SIP), Extensible Messaging and Presence Protocol (XMPP), and Advanced Message Queuing protocol (AMQP).
  • HTTP HyperText Transport Protocol
  • NMF .NET Message Framing Protocol
  • SIP Session Initiation Protocol
  • XMPP Extensible Messaging and Presence Protocol
  • AMQP Advanced Message Queuing protocol
  • a protocol head may listen for messages on one or more ports associated with the protocol.
  • configurations may include additional protocols or exclude one or more of these protocols.
  • Each protocol head may process incoming messages to provide a canonical form of messages and data to downstream components. Similarly, it may receive messages and data from internal components and process them to generate messages conforming to its corresponding protocol and to maintain communication sessions with tenants.
  • protocol heads may enable components such as pipeline 218, subsystem adapter 224, or subsystem backend 230 to receive messages and data without having to process the various external framing protocols.
  • each protocol head may, in response to receiving an incoming message, retrieve corresponding data and attach the corresponding data to a canonical form of message.
  • a protocol head in response to receiving a request that specifies a resource, retrieves a corresponding resource handle and a resource description from policy store 214, attaches these to the received message, and forwards it in a canonical form independent of the external protocol. This process is described in further detail herein.
  • a protocol head may be configured to defer reading or canonicalization of an incoming message, or portions thereof.
  • a protocol head may provide a decoder component to a downstream component, the decoder component having logic to read a message and extract data.
  • a decoder component may be attached to the message itself.
  • a decoder component may be provided by another message or another mechanism.
  • a message may be considered to be a "lazily" constructed canonical message.
  • protocol heads 206-212 may have an associated "push” adapter or a "pull” adapter component that processes push protocols or pull protocols, respectively.
  • a push adapter may have a queue that enables subsystems to submit push tasks, sends messages to external entities, retrieves responses and forwards the responses back to the subsystem.
  • a pull adapter may solicit messages from external entities on a schedule and forward the messages to the appropriate subsystem via the runtime gateway.
  • management gateway protocol head 206 may be configured to handle the same protocol as one of runtime gateway protocol heads 208-212, or it may handle a different protocol than the runtime gateway protocol heads.
  • management gateway 202 may include mechanisms to facilitate management of resources by each subsystem. Management may include creation or allocation of resources, deletion or deallocation of resources, changing or reconfiguring resources, monitoring of resources, or other management tasks. In one embodiment, management gateway processes and forwards tenant requests to the management adapter 226 associated with the subsystem that corresponds to the requested resource.
  • configuration table 232 may include data that maps each resource type to a corresponding subsystem. In response to receiving a request for a resource, management gateway 202 may look up the identification of the corresponding subsystem, and forward the request to the management adapter 226 of the specified subsystem. Management adapter 226 may further process requests and forward them to one or more backend components of the subsystem for management processing.
  • management gateway 202 and runtime gateway 204 employ policy store 214, which serves as a database of settings and configurations. More specifically, in one implementation, in response to receiving a resource request, management gateway 202 stores, in policy store 214, a description of the requested resource and its characteristics. For example, this may include the maximum size of a queue or storage resource, expiration times, resource behaviors, or other characteristics. An example of a behavior is a policy of what action to take if a resource overflows or encounters error conditions. The set of desired resource characteristics is referred to as the "oughtness" of the resource.
  • management gateway 202 may receive, from management adapter 226 or subsystem backend, a description of the actual resource allocated in response to a request. This description may differ from the requested oughtness. For example, the allocated resource may have a smaller size than that requested. The description of the actual resource is referred to as the "isness" of the resource.
  • Management gateway 202 may store the isness of a resource in policy store 214.
  • management adapter 226 may return a handle corresponding to an allocated resource. The handle may be used to identify the resource.
  • management gateway 202 may receive the resource handle and the isness of the resource and store them in policy store 214.
  • the resource description may include a URI that corresponds to, and identifies the resource.
  • the URI may be sent to the requester in a response to the request.
  • the URI may be a projection into a namespace that is specified by a tenant and used by runtime gateway 204 to identify the resource in a subsequent tenant request.
  • the URI is in the form of a DNS name in which a prefix corresponds to a specified namespace and a suffix identifies the resource.
  • identification of the runtime or management gateways may be specified by a substring in a URI.
  • the URI prefix "http://foo-tenant” may specify a namespace of "foo” and a request destination of the runtime gateway.
  • a corresponding URI prefix "http://foo- mgmt" may specify the same namespace of "foo” and a request destination of the management gateway.
  • the runtime URI and the management URI may refer to a common namespace, as identified by a symbolic name, such as the example of "foo.”
  • the management URI and the runtime URI are not distinguished by different prefixes, as they are in these examples.
  • identification of resources corresponding to the gateway forms a tree structure, in which each subsystem or resource type in a designated namespace has a corresponding node, and each resource associated with each subsystem has a corresponding node that is a descendant of the subsystem or resource type node.
  • An example of such a URI is http ://foo-tenant. windows .net/resources/ queues/ a/b .
  • "foo" identifies the namespace
  • queues identifies a resource type
  • "a/b" identifies a specific queue resource in the namespace.
  • each such URI may have a corresponding management URI that identifies the same resource and directs the message flow to management gateway 202.
  • the URI http :// foo-tenant- mgmt.windows.net/resources/queues/a/b corresponds to the example queue resource, and may be used by a tenant to perform management tasks related to the resource.
  • Management gateway 202 may send a runtime URI and a management URI to a tenant, enabling the tenant to manage a resource with the former and perform runtime operations with the latter.
  • a second tenant may use a namespace "bar," such that the URI http://bar- tenant. windows.net/resources/queues/a/b corresponds to a resource owned by the second tenant and differs from a queue resource owned by the first tenant using the "foo" namespace.
  • runtime gateway 204 functions as a gateway to each subsystem, and communicates with runtime adapter 228 of subsystem adapter 224.
  • runtime gateway 204 includes one or more pipeline components in a processing pipeline, each component processing incoming requests prior to forwarding them.
  • pre-authorization pipeline component 220 may perform a preliminary authorization of a request and conditionally forward the request based on the authorization result. Further details of the pre-authorization pipeline component 220 are provided herein.
  • One or more filter pipeline components 222 may perform actions to conditionally forward incoming requests based on configured criteria. Various configurations may exclude pre-authorization component 220 or filter component 222, or include one or more other pipeline components.
  • Each pipeline component may be selectively used to process a message, based on a system configuration, resource data associated with a request, or other factors.
  • Pipeline components act as intermediaries between a tenant and a subsystem.
  • pipeline components may extract data or alter message headers, but do not alter the payload of an incoming request, though some embodiments may allow for payload alterations.
  • One or more pipeline components may be implemented as plug-ins to the gateway.
  • runtime gateway 204 may receive a request that includes a runtime URI corresponding to the resource that is the target of the request.
  • the URI or a portion thereof, may be used to look up and locate the description data corresponding to the resource in policy store 214.
  • the description data may include data that specifies which pipeline components are to process the request, how the request is to be processed, or other parameters of pipeline processing.
  • the description data may have settings that indicate the type of pre-authorization that is to be performed, criteria for determining authorization to access the resource, or other settings.
  • Runtime gateway 204 may determine a subsystem corresponding to the request based on the received URI.
  • the URI or the resource description data indicates the resource type.
  • Configuration table 232 may include a mapping of resource type to subsystem. After performing appropriate pipeline actions, runtime gateway 204 may forward the request to the corresponding subsystem. Specifically, in one
  • runtime gateway 204 may forward the request to the runtime adapter 228 of the appropriate subsystem.
  • runtime gateway retrieves from policy store 214 a resource handle corresponding to the resource specified in the received URI, and corresponding description data.
  • Runtime gateway 204 may attach the resource handle or description data to the forwarded message, or otherwise pass the resource handle or description data to a subsystem.
  • the gateway may wrap a message that is sent to the subsystem. Wrapping may include placing the message in the body of a surrounding message for transport.
  • the original message header may be wrapped together with the message payload.
  • the original message header may be excluded from the wrapped message.
  • the message may be received by runtime adapter 228.
  • runtime adapter 228 may initiate actions or operations on the designated resource. Initiation of actions or operations may include sending one or more commands to one or more components of the associated subsystem backend 230.
  • subsystem adapter 224 and subsystem backend 230 are components of a subsystem, such as subsystem 114, 116, or 118, and each subsystem may have a similar architecture.
  • subsystem backend 230 may be collocated with subsystem adapter 224, or remotely located.
  • subsystem adapter 224 may behave as a proxy for subsystem backend 230.
  • Subsystem backend components may therefore be unaware of tenant identities or locations, incoming request protocols, or other such data.
  • FIGURE 3 is a flow diagram illustrating an example embodiment of a process 300 for managing a resource, specifically allocating a resource, in accordance with some of the mechanisms described herein.
  • Process 300 or a portion thereof, may be performed by various embodiments of system 200 or a variation thereof. Components of system 200 are used as examples of an implementation herein, though in various embodiments, the correspondence of process actions and components may vary.
  • the illustrated portions of process 300 may be initiated at block 302, where a request to allocate a resource is received.
  • the request is received from a tenant, such as tenant 101, 103, or 105 of FIGURE 1.
  • the request may be received by management gateway 202, or another component that receives and forwards requests.
  • the request may specify a type of resource that is to be created, including various specifications of the resource.
  • Specifications may include, for example, a size limit, duration of time, or other
  • the process may flow to block 304, where the request, if not received by management gateway 202, is forwarded to management gateway 202.
  • the process may flow to block 306, where a determination is made of whether the resource already exists. If the resource does not already exist, the management gateway 202 may store the oughtness of the desired resource in a database, such as policy store 214. Though not illustrated in FIGURE 3, for management requests regarding an already existing resource, a process may abort if the resource is not found to exist.
  • management gateway 202 sends an allocate message to a subsystem associated with the resource type.
  • these actions include determining, based on a configuration table, the appropriate subsystem.
  • the process may flow to block 310, where the subsystem receiving the allocate message allocates a resource of the desired type.
  • the actual characteristics of the allocated resource may differ from the oughtness previously stored. If successful, the subsystem may report back to the management gateway 202 the isness of the resource, a resource handle, or other identifying information.
  • allocating a resource may be performed in a variety of ways, depending on the resource type, the implementations used, or the system configuration.
  • the resource may already exist and allocation may include reserving its use.
  • allocation may include creating the resource or a portion thereof.
  • a resource may be shared and allocation may be performed by increasing a use count or otherwise designating an association with the resource.
  • allocating a resource may thus include a variety of actions.
  • the process may flow to block 312, where the management gateway 202 may store the isness and the resource handle in the policy database.
  • the process may flow to block 314, where a response is sent to the requester.
  • the response may include a status. If the status is success, the response may include a URI that can be subsequently used to manage the resource. In one embodiment, the response includes a runtime URI that can be subsequently used to perform runtime operations with the resource.
  • the process may flow to other actions, not shown, exit, or return to a calling program.
  • FIGURE 4 is a flow diagram illustrating an example embodiment of a process 400 for providing access to runtime operations related to a resource, in accordance with some of the mechanisms described herein.
  • Process 400 or a portion thereof, may be performed by various embodiments of system 200 or a variation thereof.
  • Components of system 200 are used as examples of an implementation herein, though in various embodiments, the correspondence of process actions and components may vary or process 400 may be performed with a variation of system 200.
  • the illustrated portions of process 400 may be initiated at block 402, where a request to perform a runtime operation on a resource is received. In one configuration, the request is received from a tenant, such as tenant 101, 103, or 105 of FIGURE 1.
  • the request may be received by runtime gateway 204, or another component that receives and forwards requests. Examples of operations that may be requested are storing or retrieving a data item, adding an item to a queue, sending a message, processing data, or other operations.
  • the request may be in the form of one or more messages and may be received by a protocol head, such as protocol head 208, 210, or 212.
  • the process may flow to block 404, where information may be extracted from the request message.
  • This information may include one or more of a target address, a security token, a specification of a resource, a message payload, or other header data.
  • a subsystem and resource may be identified based on the extracted message information. In one embodiment, this may include looking up a resource based on at least a portion of the target address, which may be in the form of a URL.
  • a URI may include a string that indicates a subsystem, a resource type, or a resource. The URI, or portion thereof, may be used as a key to look up a resource in policy store 214.
  • lookup of a resource may include determining a longest prefix match based on a string from a URI.
  • a URI may include the string "AA/BB/CC”.
  • the policy store may include a match for the string "AA/BB”, and no match for "AA/BB/CC”. It may thus be determined that the resource corresponding to "AA/BB” is the matching resource.
  • This technique provides a way for a subsystem that provides a URI corresponding to the resource to include a suffix for its private use.
  • the substring "CC" in the above example may represent information passed back by the subsystem upon resource creation, wherein this information is used by the subsystem in subsequent requests.
  • the gateway may omit any configuration that uses or even understands the private information, and each subsystem may have its own system for use of the private suffix information.
  • the process may flow to decision block 408, where a conditional flow is determined based on the lookup of the resource. If, at block 408, a matching resource is not found, the process may flow to block 410, where the request is rejected. Rejecting a request may include sending a status response back to the requesting tenant, dropping the request, or another action. A status response may be based on the communications protocol employed with the tenant. For example, if the HTTP protocol is used, a 404 not found error may be returned. If the NMF protocol is used, a not-found fault may be sent. The process may exit or return to a calling program.
  • a matching resource is found, the process may flow to block 412, where a resource data may be retrieved.
  • the resource data may be in the form of a document, structured data, or other format or combination thereof.
  • the resource data includes a handle to the resource, data indicating whether requests related to the resource are to be checked for authorization by the runtime gateway, parameters to the authorization determination, specifications of pipeline processing that is to be performed, maximum resource size, quotas, or other data descriptive of or associated with the resource.
  • the resource data may include a set of name-value pairs that indicate a contract between the runtime gateway and the subsystem corresponding to the resource. Example instructions of such a contract may include:
  • the actions of block 412 may include attaching the extracted data and the resource data, or portions thereof, to the request message. This enables the data to be available to downstream processes, and particularly to the receiving subsystem, in a canonical form.
  • attaching data to a message may be performed in any of a variety of ways.
  • One technique is to prepend or append the data to the message.
  • Other techniques may include replacing the original message header with a normalized header or associating links to the data with the message.
  • attaching data includes associating the data with the message so that it may be easily retrieved by another process that receives the annotated message, including a remote process.
  • the process may flow to block 414, where pipeline processing of the request message may be performed.
  • the pipeline components that process a request message may be based on a system configuration or specifications of the resource data.
  • FIGURES 5 and 6, and associated discussion illustrate an example of pipeline processing that may be performed. Though not illustrated in FIGURE 4, pipeline processing may result in the request being rejected, discarded, or modified.
  • the process may flow to block 416, where the message may be sent to a subsystem corresponding to the resource.
  • sending the message may include wrapping the message in another message, and sending the outer message to a remotely located subsystem.
  • the message may be received by the target subsystem.
  • the subsystem, or a portion thereof, may be remotely located.
  • the runtime adapter 228 may maintain information for use in locating the subsystem backend 230.
  • the process may flow to block 418, where the subsystem may process the request.
  • the subsystem may use at least some of the resource data attached to the message to process the request.
  • the actions of block 418 may include sending a response to the requesting tenant.
  • a response may include a status, requested data, or other information.
  • a response sent from the subsystem may be received and forwarded by runtime gateway 204.
  • This may include processing by a protocol head.
  • the protocol head may create an external message to send to the requesting tenant, employing the protocol in which the request message was received at block 402.
  • the process may exit or return to a calling program.
  • FIGURE 5 is a block diagram of a gateway system 500 that performs
  • System 500 includes at least some of the components of gateway system 200. Like numbered components are to be considered equivalent components, and discussions herein of system 200 apply to some embodiments of system 500. Some components of gateway system 200 are omitted from gateway system 500 for simplicity, though in one embodiment, gateway system 200 and gateway system 500 may be different views of the same gateway system.
  • gateway system 500 includes runtime gateway 204, subsystem adapter 224, subsystem backend 230, and policy store 214, as well as subcomponents of each.
  • Gateway system 500 further includes identity provider 502, tenant 504, and access control service (ACS) 506.
  • Identity provider 502 may be a local or remote network entity that issues security credentials to tenant 504. The credentials may represent claims about tenant 504 that can be trusted by ACS 506. In one embodiment, the security credentials include security token 508. Security token 508 may be sent to tenant 504 in response to identifying information, such as a name and password.
  • tenant 504 sends security token 508 to ACS 506.
  • ACS 506 may verify the authenticity of security token 508. If the verification is successful, ACS 506 may issue access token 510 to tenant 504.
  • An access token is a security token that is trusted by runtime gateway 204.
  • identity provider 502 may be one of a set of identity providers that are collectively referred to as an identity federation.
  • ACS 506 trusts each identity provider in the federation and is able to authenticate security tokens from each provider. By acting as an intermediary.
  • ACS 506 offloads from runtime gateway 204 the task of maintaining a trust relationship and authentication data with multiple identity providers in a federation that may change over time, or with protocols that may change.
  • An access token may contain a set of assertions or claims that are made by or granted to tenant 504.
  • Tenant 504 may use the access token to request services at runtime gateway 204.
  • pre-authorization pipeline component 220 (referred to herein as "pre-authN" 220) may authenticate the access token and determine whether the claims are sufficient to authorize tenant 504 to perform the requested operation with the specified resource. This is described in further detail in FIGURE 6 and the discussion herein.
  • FIGURE 6 is a flow diagram illustrating an example embodiment of a process 600 for authorizing a tenant, in accordance with some of the mechanisms described herein.
  • Process 600 or a portion thereof, may be performed by various embodiments of system 500 or a variation thereof.
  • Components of system 500 are used as examples of an implementation herein, though in various embodiments, the correspondence of process actions and components may vary.
  • the illustrated portions of process 600 may be initiated at block 602, where a tenant, such as tenant 504, provides identifying information to an identity provider, such as identity provider 502. This information may be sent in a message, as represented by arrow 512.
  • the identifying information may include one or more of a user name, password, digital signature, biometric data, or other data that identifies or authenticates the identity of tenant 504.
  • the identifying information is referred to as the context of tenant 504.
  • the process may flow to block 604, where, in response to receiving identifying information, the identity provider provides a security token to the tenant.
  • Identity provider may perform various authentication processes and selectively provide the security token based on the authentication.
  • security token 508 is sent in a message represented by arrow 514.
  • the process may flow to block 606, where the tenant sends the security token 508 to access control service 506. This may be sent in a request message represented by arrow 516.
  • the process may flow to block 608, where access control service 506 issues an access token based on the received security token.
  • access control service 506 may decline sending an access token if the security token is insufficient. For example, it may have been issued by an identity provider that is not trusted by the access control service.
  • access control service 506 may send access token 510 in a message to tenant 504.
  • the process may flow to block 610, where tenant 504 may send a request and an access token in a message, represented by arrow 520, to runtime gateway 204, and the gateway receives the request and token.
  • the request and access token may be passed to pre-authorization pipeline component 220.
  • the process may flow to block 612, where pre-authorization component 220 performs actions to verify the access token and to determine whether the claims of the access token match the resource of the request. Verification of the token may include determining whether a digital signature is valid, whether the token has been issued by a trusted access control service, or other verification actions.
  • the access token may include one or more claims, such as the identity of the tenant, a subscription that the tenant owns or controls, or other rights of the tenant.
  • pre- authorization component 220, runtime gateway 204, a protocol header, or another component may retrieve gateway settings 216 from policy store 214. In one
  • each resource has a corresponding data set, referred to as the gateway settings, that is stored in policy store 214.
  • the gateway settings may indicate the type of pre-authorization that is to be performed, a list of tenants or groups that are allowed access to the resource, or one or more claims to be matched in order to allow access.
  • the gateway settings corresponding to a resource may specify a set of one or more candidate claims, such that an access token is authorized if it contains at least one of the candidate claims.
  • pre-authorization component 220 may determine whether the claims match the resource and whether to authorize the request.
  • the process may flow to decision block 614, where a decision is made based on the determinations. If the access token is not authentic, or the claims do not correctly match the resource or the request, the process may flow to block 616, where the request is rejected. Rejecting a request may include sending a status response back to the requesting tenant, dropping the request, or another action. The process may exit or return to a calling program.
  • the process may authorize the request and flow to block 618, where at least a subset of the claims are extracted from the access token and attached to the request message.
  • the message may be forwarded toward the appropriate subsystem.
  • additional pipeline components may process the request on its way to the subsystem.
  • a protocol head 208, 210, or 212 may extract the claims and attach them to the message. By extracting the claims, the receiving subsystem is enabled to process the claims without being configured to understand the token format or protocol.
  • the subsystem may perform additional authorization actions on the request. By having a pre-authorization stage that is separate from the subsystem, the architecture of FIGURES 2 and 5 offloads some of the authorization from the subsystem. This may serve to offload some processing, particularly in a configuration in which authorization is an expensive process. It may also enhance the resiliency of each subsystem in the event of a security attack or heavy usage situation.
  • Process 600 may perform additional actions, not shown, exit, or return to a calling program.
  • System 500 and process 600 illustrate authorization and message processing mechanisms with a runtime gateway. In some embodiments these mechanisms, or a portion thereof, may be employed with a management gateway. Thus, management request processing may employ process 600, or a variation thereof.
  • FIGURE 7 is a block diagram showing one embodiment of a computing device 700, illustrating selected components of a computing device that may be used to implement mechanisms described herein, including systems 200 or 500 and processes 300, 400, or 600.
  • Computing device 700 may include many more components than those shown, or may include less than all of those illustrated.
  • Computing device 700 may be a standalone computing device or part of an integrated system, such as a blade in a chassis with one or more blades. Though the components of computing device 700 are illustrated as discrete components, any one or more of them may be combined or integrated into an integrated circuit, such as an ASIC.
  • computing device 700 includes one or more processors 702, which perform actions to execute instructions of various computer programs.
  • processors 702 which perform actions to execute instructions of various computer programs.
  • each processor 702 may include one or more central processing units, one or more processor cores, one or more ASICs, cache memory, or other hardware processing components and related program logic.
  • computing device 700 includes an operating system 704.
  • Operating system 704 may be a general purpose or special purpose operating system.
  • the Windows® family of operating systems, by Microsoft Corporation, of Redmond, WA, includes examples of operating systems that may execute on computing device 700.
  • computing device 700 includes one or more graphics processing units (GPU) 716.
  • GPU graphics processing units
  • a GPU is a processor that is configured to perform graphics operations, such as rendering a graphic image, or to perform stream processing.
  • Memory and storage 706 may include one or more of a variety of types of non- transitory computer storage media, including volatile or non-volatile memory, RAM, ROM, solid-state memory, disk drives, optical storage, or any other medium that can be used to store digital information.
  • Memory and storage 706 may store one or more components described herein or other components.
  • memory and storage 706 stores management gateway 202, runtime gateway 204, policy store 214, one or more subsystem adapters 224, and one or more subsystem backends 230.
  • one or more of these components may be omitted from memory and storage 706.
  • at least a portion of one or more components may be implemented in a hardware component, such as an ASIC.
  • multiple components implementing the functions or including the data of these components may be distributed among multiple computing devices. Communication among various distributed components may be performed over a variety of wired or wireless communications mechanisms.
  • any one or more of the components illustrated as stored in memory and storage 706 may be moved to different locations in RAM, non-volatile memory, or between RAM and non-volatile memory by operating system 704 or other components. In some configurations, these components may be distributed among one or more computing devices, including computing devices that are remotely located from each other.
  • Computing device 700 may include a video display adapter 712 that facilitates display of data, scene frames, or other information to a user. Though not illustrated in FIGURE 7, computing device 700 may include a basic input/output system (BIOS), and associated components. Computing device 700 may also include a network interface unit 710 for communicating with a network. Software components, such as those stored in memory and storage 706, may be received via transitory media and network interface unit 710. Computing device 700 may include one or more display monitors 714.
  • BIOS basic input/output system
  • Embodiments of computing device 700 may include one or more input devices (not shown), such as a keyboard, pointing device, touch screen, keypad, audio component, microphone, voice recognition component, or other input/output mechanisms.
  • input devices such as a keyboard, pointing device, touch screen, keypad, audio component, microphone, voice recognition component, or other input/output mechanisms.
  • each block of the flowchart illustrations of FIGURES 3-4 and 6, and combinations of blocks in each flowchart illustration can be implemented by software instructions. These program instructions may be provided to a processor to produce a machine, such that the instructions, which execute on the processor, create means for implementing the actions specified in the flowchart block or blocks. The software instructions may be executed by a processor to provide steps for implementing the actions specified in the flowchart block or blocks. In addition, one or more blocks or combinations of blocks in the flowchart illustrations may also be performed concurrently with other blocks or combinations of blocks, or even in a different sequence than illustrated without departing from the scope or spirit of the invention.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A system and method for providing services to multiple tenants. A system provides a gateway that acts as an intermediary between the tenants and multiple subsystems that provide resources. A management gateway handles requests to manage resources. A runtime gateway handles requests to perform operations related to the resources. A set of protocol handlers isolates the subsystems from protocols used by the tenants. A pipeline of components provides processing, such as authorization, of requests from tenants. Identification of resources is performed using a mechanism that enables multiple namespaces, which may be designated by tenants.

Description

MULTI-TENANT SERVICES GATEWAY
BACKGROUND
[001] Computing systems are moving toward an architecture known as cloud computing. In cloud computing, servers that are remotely located provide resources in response to requests from clients or other servers. Resources may include data storage, processor usage, communications subsystems, queuing services, or various other computing services. Generally, in cloud computing, the physical location of servers is isolated from requesters.
[002] Numerous protocols may be used when communicating across a network. A client device may communicate with multiple services, and may employ multiple communication protocols, each protocol corresponding to a service with which the client communicates. Conversely, a service may employ multiple protocols in order to accommodate clients communicating with different protocols. In some environments, changing services may involve changing a protocol that a client employs.
SUMMARY
[003] This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.
[004] Briefly, in one embodiment, a system, method, and components operate to provide a gateway to a multiple services for multiple tenants. A gateway acts as a front end for the various services.
[005] In one embodiment, mechanisms include receiving resource management requests, such as requests to allocate a resource, from tenants. In response, the system may determine, based on the specified resource type, a corresponding subsystem, forward the request to the determined subsystem, receive from the subsystem an identification of the resource, store resource data descriptive of the resource, including an identification of the resource, and send to the tenant the identification of the resource.
[006] In one aspect of the mechanisms described herein, mechanisms may include receiving, from the tenant in a first protocol, a runtime request to perform an operation related to a resource, retrieve resource data, attach the resource data to the request, and forward the request in a second protocol to the corresponding subsystem. In some configurations, multiple protocol heads may be included, each one implementing a corresponding protocol for communicating with tenants, extracting data from incoming requests, attaching resource data, and forwarding the data in a canonical form to a subsystem. The protocol handlers may isolate the subsystems from the protocols used by the tenants. This may enable subsystems to be added to the system without being configured to process the protocols of the tenants. It may also enable new protocols to be handled by adding new protocol handlers, without reconfiguring the subsystems.
[007] In one embodiment, a system may include one or more pipeline components that selectively process incoming requests, based on resource data or other configuration data. One configuration includes a pre-authorization component that authorizes incoming requests prior to forwarding them to subsystems. In one embodiment, an access control service selectively provides an access token based on a security token. The pre- authorization component may process the access token to determine authorization. A subsystem may be configured to subsequently perform additional authorization.
[008] In one embodiment, the system may provide, to a tenant, a management URI for requesting management operations related to a resource and a runtime URI for requesting runtime operations related to the resource. In one implementation, the URI specifies a namespace and a component identifier. The URI may include a string for private use by the corresponding subsystem.
[009] To the accomplishment of the foregoing and related ends, certain illustrative aspects of the system are described herein in connection with the following description and the annexed drawings. These aspects are indicative, however, of but a few of the various ways in which the principles of the invention may be employed and the present invention is intended to include all such aspects and their equivalents. Other advantages and novel features of the invention may become apparent from the following detailed description of the invention when considered in conjunction with the drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
[010] Non-limiting and non-exhaustive embodiments of the present invention are described with reference to the following drawings. In the drawings, like reference numerals refer to like parts throughout the various figures unless otherwise specified.
[011] To assist in understanding the present invention, reference will be made to the following Detailed Description, which is to be read in association with the accompanying drawings, wherein:
[012] FIGURE 1 is a block diagram of an example environment in which mechanisms described herein may be deployed; [013] FIGURE 2 is a block diagram of an example gateway system in which mechanisms described herein may be deployed;
[014] FIGURE 3 is a flow diagram illustrating an example embodiment of a process for providing access to management services, in accordance with mechanisms described herein;
[015] FIGURE 4 is a flow diagram illustrating an example embodiment of a process for providing access to runtime operations, in accordance with mechanisms described herein;
[016] FIGURE 5 is a block diagram of an example system for providing access to services, in which authorization mechanisms described herein may be deployed;
[017] FIGURE 6 is a flow diagram illustrating an example embodiment of a process for authorizing access to services, in accordance with mechanisms described herein; and
[018] FIGURE 7 is a block diagram showing one embodiment of a computing device, illustrating selected components of a computing device that may be used to perform functions described herein.
DETAILED DESCRIPTION
[019] Example embodiments of the present invention now will be described more fully hereinafter with reference to the accompanying drawings, which form a part hereof, and which show, by way of illustration, specific example embodiments by which the invention may be practiced. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. Among other things, the present invention may be embodied as methods or devices. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. The following detailed description is, therefore, not to be taken in a limiting sense.
[020] Throughout the specification and claims, the following terms take the meanings explicitly associated herein, unless the context clearly dictates otherwise. The phrase "in one embodiment" as used herein does not necessarily refer to a previous embodiment, though it may. Furthermore, the phrase "in another embodiment" as used herein does not necessarily refer to a different embodiment, although it may. Thus, various embodiments of the invention may be readily combined, without departing from the scope or spirit of the invention. Similarly, the phrase "in one implementation" as used herein does not necessarily refer to the same implementation, though it may, and techniques of various implementations may be combined.
[021] In addition, as used herein, the term "or" is an inclusive "or" operator, and is equivalent to the term "and/or," unless the context clearly dictates otherwise. The term "based on" is not exclusive and allows for being based on additional factors not described, unless the context clearly dictates otherwise. In addition, throughout the specification, the meaning of "a," "an," and "the" include plural references. The meaning of "in" includes "in" and "on."
[022] As used herein, the term "processor" refers to a physical component such as an integrated circuit that may include integrated logic to perform actions.
[023] As used herein, the term "application" refers to a computer program or a portion thereof, and may include associated data. An application may be an independent program, or it may be designed to provide one or more features to another application. An "add-in" and a "plug-in" are examples of applications that interact with and provides features to a "host" application.
[024] An application is made up of any combination of application components, which may include program instructions, data, text, object code, images or other media, security certificates, scripts, or other software components that may be installed on a computing device to enable the device to perform desired functions. Application components may exist in the form of files, libraries, pages, binary blocks, or streams of data. An application component may be implemented as a combination of physical circuitry and associated logic. For example, an ASIC may be used to implement an application component.
[025] As used herein, the term "authenticate" refers to confirming that facts or claims are true, to an acceptable degree of certainty. Authenticating a user or a user's identity applies to confirming that the stated identity of the user is sufficient and accurate.
Authenticating a request from a user may include confirming that the identity information included with the request is accurate, that the request originated with or is authorized by the identified user, that the request has not been improperly modified, or that other information in the request is accurate. Authentication has an associated degree of certainty, allowing for a situation in which information has been authenticated yet may be inaccurate.
[026] The components described herein may execute from various computer-readable media having various data structures thereon. The components may communicate via local or remote processes such as in accordance with a signal having one or more data packets (e.g., data from one component interacting with another component in a local system, distributed system, or across a network such as the Internet with other systems via the signal). Software components may be stored, for example, on non-transitory computer-readable storage media including, but not limited to, an application specific integrated circuit (ASIC), compact disk (CD), digital versatile disk (DVD), random access memory (RAM), read only memory (ROM), floppy disk, hard disk, electrically erasable programmable read only memory (EEPROM), flash memory, or a memory stick in accordance with embodiments of the present invention.
[027] The term computer-readable media as used herein includes both non-transitory storage media and communications media. Communications media typically embody computer-readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transport mechanism and include any information-delivery media. By way of example, and not limitation, communications media include wired media, such as wired networks and direct-wired connections, and wireless media such as acoustic, radio, infrared, and other wireless media.
[028] FIGURE 1 is a block diagram of an environment 100 in which embodiments may be practiced. FIGURE 1 provides a basic understanding of an example environment, though many configurations may be employed and many details are not illustrated in FIGURE 1. As illustrated in FIGURE 1, an example environment 100 includes one or more clients 102, 104, or 106. In FIGURE 1, each client is illustrated as a computing device. For example, client 102 is a hand-held computing device, client 102 is a laptop or other portable computing device, and client 106 may be a desktop computer, server, or other relatively stationary computing device. In various environments, clients may be in the form of any one or more computing devices, computer processes, modules, or similar component.
[029] In the example environment, tenants 101, 103, and 105 employ clients 102, 104, and 106 respectively to communicate with the system. A tenant may be a person, a user account, a computing process, or other such entity that performs computing operations. Though each tenant is illustrated corresponding to one client device, a tenant may employ multiple client devices concurrently or sequentially. For example, a tenant may log in to any client device to perform computing operations. Similarly, a tenant process may execute on one or more client devices. For ease of discussion, each tenant is discussed as having one unique client computing device, though the invention is not so limited. In one configuration, a tenant may itself be a system or cloud service that provides services to other clients.
[030] As illustrated in FIGURE 1, in example environment 100, each of clients 102, 104, or 106 communicates with one or more subsystems 114, 116, or 118. Multiple tenants may communicate with a common subsystem. Thus, there may be a many-to- many relationship between clients and subsystems. In the example illustrated
configuration, client 102 communicates with subsystem 114, client 104 communicates with subsystem 116 and 118, and client 106 communicates with subsystem 118.
Numerous other configurations may also exist, and configurations may change at various times.
[031] Each of subsystems 114-118 may provide a corresponding set of services to requesting tenants. Services may be referred to as resources. Examples of resources include data storage and retrieval, computing processor time, queuing, messaging, or connectivity.
[032] Each tenant may have a corresponding subscription to a set of services that it employs. In various embodiments, a subscription may be accounted for in a variety of ways. For example, a credit card model may charge a tenant for each service that the tenant uses, or the amount of a service that it uses. In another example, a lump sum subscription may charge a tenant on a periodic basis for services used up to a specified limit, or on an unlimited basis. Various other accounting mechanisms or combinations thereof may be used to implement subscriptions.
[033] In one embodiment, each tenant is provided with corresponding resources in a way that is isolated from other tenants' resources. For example, multiple tenants may each have a corresponding data storage resource that is only visible to the owning tenant. From the point of view of a tenant, it may appear as though it is the only tenant using the system, though the system is aware of multiple tenants. Resources may be virtually separated, though they are not necessarily physically separated. In some embodiments, a resource provided to a tenant may be physically distributed across multiple processors, storage devices, or computing devices, though presented to a tenant as a virtually integrated resource. Over a period of time, a resource may be physically moved, though the location is transparent to the owning tenant.
[034] As further illustrated, communications between each of clients 102, 104, or 106 and subsystems 114, 116, or 118 may pass through gateway 112. Thus gateway 112 functions as an intermediary between each of clients 102, 104, or 106 and subsystems 114- 118. Briefly, gateway 112 may process communications by canonicalization of communications between clients and subsystems in order to provide a unified way of processing multiple computer protocols or formats. Gateway 112 may provide various preprocessing services, such as authentication or authorization of tenants, logging, filtering, tracing, transformations, or other services. Mechanisms of gateway 112 are discussed in further detail herein.
[035] As illustrated, each of clients 102, 104, or 106 may communicate with any of subsystems 114-118 through network 110. Network 110 may include a local area network, a wide area network, direct connections, or a combination thereof. In one embodiment, network 110 includes the Internet, which is a network of networks. Network 110 may include wired communication mechanisms, wireless communication
mechanisms, or a combination thereof. Communications between clients 102, 104, or 106, and gateway 112 or subsystems 114-118 or other computing devices may employ one or more of various wired or wireless communication protocols, such as IP, TCP/IP, UDP, HTTP, SSL, TLS, FTP, SMTP, WAP, Bluetooth, or WLAN.
[036] In one embodiment, each of clients 102, 104, and 106, gateway 112, and subsystems 114, 116, and 118 is implemented by one or more computing devices. A computing device may be a special purpose or general purpose computing device. In brief, one embodiment of a computing device that may be employed includes one or more processing units, a memory, a display, keyboard and pointing device, and a
communications interface. The one or more processing units may include one or more multiple core processors. Example computing devices include mainframes, servers, blade servers, personal computers, portable computers, communication devices, consumer electronics, or the like. A computing device may include a general or special purpose operating system. The Windows® family of operating systems, by Microsoft Corporation, of Redmond, WA, are examples of operating systems that may execute on a computing device. FIGURE 7 illustrates an example embodiment of a computing device that may be used to implement gateway 112, subsystems 114-118, or clients 102, 104, or 106.
[037] FIGURE 2 is a block diagram of an example system 200 in which mechanisms described herein may be deployed. The illustrated example system 200 may be used in environment 100 of FIGURE 1 or a variation thereof. Example system 200 includes management gateway 202 and runtime gateway 204, which may be components of gateway 112. Example system 200 further includes subsystem adapter 224 and subsystem backend 230, which may be components of subsystem 114, 116, or 118. [038] As illustrated, management gateway 202 includes protocol head 206; runtime gateway 204 includes protocol heads 208, 210, and 212. Though three protocol heads are illustrated corresponding to runtime gateway 204 and one protocol head 206 corresponds to management gateway 202, a gateway may have more or less associated protocol heads. A gateway may have an architecture that includes protocol heads, has protocol heads that plug into a gateway, or use protocol heads that are associated in another manner.
[039] In one embodiment, each protocol head implements a corresponding framing protocol. A framing protocol is a protocol that employs a socket to implement a connection with a client device. Examples of framing protocols include HyperText Transport Protocol (HTTP), .NET Message Framing Protocol (NMF), Session Initiation Protocol (SIP), Extensible Messaging and Presence Protocol (XMPP), and Advanced Message Queuing protocol (AMQP). In some implementations, a protocol head may listen for messages on one or more ports associated with the protocol. Various
configurations may include additional protocols or exclude one or more of these protocols.
[040] Each protocol head may process incoming messages to provide a canonical form of messages and data to downstream components. Similarly, it may receive messages and data from internal components and process them to generate messages conforming to its corresponding protocol and to maintain communication sessions with tenants. Thus, in one embodiment, protocol heads may enable components such as pipeline 218, subsystem adapter 224, or subsystem backend 230 to receive messages and data without having to process the various external framing protocols.
[041] In one embodiment, each protocol head may, in response to receiving an incoming message, retrieve corresponding data and attach the corresponding data to a canonical form of message. In one embodiment, in response to receiving a request that specifies a resource, a protocol head retrieves a corresponding resource handle and a resource description from policy store 214, attaches these to the received message, and forwards it in a canonical form independent of the external protocol. This process is described in further detail herein.
[042] In some implementations a protocol head may be configured to defer reading or canonicalization of an incoming message, or portions thereof. For example, a protocol head may provide a decoder component to a downstream component, the decoder component having logic to read a message and extract data. In one implementation, a decoder component may be attached to the message itself. In some implementations, a decoder component may be provided by another message or another mechanism. In these implementations, a message may be considered to be a "lazily" constructed canonical message.
[043] Though not illustrated, protocol heads 206-212 may have an associated "push" adapter or a "pull" adapter component that processes push protocols or pull protocols, respectively. A push adapter may have a queue that enables subsystems to submit push tasks, sends messages to external entities, retrieves responses and forwards the responses back to the subsystem. A pull adapter may solicit messages from external entities on a schedule and forward the messages to the appropriate subsystem via the runtime gateway.
[044] In various configurations, management gateway protocol head 206 may be configured to handle the same protocol as one of runtime gateway protocol heads 208-212, or it may handle a different protocol than the runtime gateway protocol heads.
[045] In one embodiment, management gateway 202 may include mechanisms to facilitate management of resources by each subsystem. Management may include creation or allocation of resources, deletion or deallocation of resources, changing or reconfiguring resources, monitoring of resources, or other management tasks. In one embodiment, management gateway processes and forwards tenant requests to the management adapter 226 associated with the subsystem that corresponds to the requested resource. In one implementation, configuration table 232 may include data that maps each resource type to a corresponding subsystem. In response to receiving a request for a resource, management gateway 202 may look up the identification of the corresponding subsystem, and forward the request to the management adapter 226 of the specified subsystem. Management adapter 226 may further process requests and forward them to one or more backend components of the subsystem for management processing.
[046] In the illustrated configuration, management gateway 202 and runtime gateway 204 employ policy store 214, which serves as a database of settings and configurations. More specifically, in one implementation, in response to receiving a resource request, management gateway 202 stores, in policy store 214, a description of the requested resource and its characteristics. For example, this may include the maximum size of a queue or storage resource, expiration times, resource behaviors, or other characteristics. An example of a behavior is a policy of what action to take if a resource overflows or encounters error conditions. The set of desired resource characteristics is referred to as the "oughtness" of the resource.
[047] In one embodiment, management gateway 202 may receive, from management adapter 226 or subsystem backend, a description of the actual resource allocated in response to a request. This description may differ from the requested oughtness. For example, the allocated resource may have a smaller size than that requested. The description of the actual resource is referred to as the "isness" of the resource.
Management gateway 202 may store the isness of a resource in policy store 214. In one implementation, management adapter 226 may return a handle corresponding to an allocated resource. The handle may be used to identify the resource. In one
implementation, management gateway 202 may receive the resource handle and the isness of the resource and store them in policy store 214.
[048] The resource description may include a URI that corresponds to, and identifies the resource. The URI may be sent to the requester in a response to the request. The URI may be a projection into a namespace that is specified by a tenant and used by runtime gateway 204 to identify the resource in a subsequent tenant request. In one
implementation, the URI is in the form of a DNS name in which a prefix corresponds to a specified namespace and a suffix identifies the resource. In one embodiment,
identification of the runtime or management gateways may be specified by a substring in a URI. For example, the URI prefix "http://foo-tenant" may specify a namespace of "foo" and a request destination of the runtime gateway. A corresponding URI prefix "http://foo- mgmt" may specify the same namespace of "foo" and a request destination of the management gateway. Thus, the runtime URI and the management URI may refer to a common namespace, as identified by a symbolic name, such as the example of "foo." In one embodiment, the management URI and the runtime URI are not distinguished by different prefixes, as they are in these examples.
[049] In one embodiment, identification of resources corresponding to the gateway forms a tree structure, in which each subsystem or resource type in a designated namespace has a corresponding node, and each resource associated with each subsystem has a corresponding node that is a descendant of the subsystem or resource type node. An example of such a URI is http ://foo-tenant. windows .net/resources/ queues/ a/b . In this URI, "foo" identifies the namespace, "queues" identifies a resource type, and "a/b" identifies a specific queue resource in the namespace. In one implementation, each such URI may have a corresponding management URI that identifies the same resource and directs the message flow to management gateway 202. For example, the URI http :// foo-tenant- mgmt.windows.net/resources/queues/a/b corresponds to the example queue resource, and may be used by a tenant to perform management tasks related to the resource.
Management gateway 202 may send a runtime URI and a management URI to a tenant, enabling the tenant to manage a resource with the former and perform runtime operations with the latter. A second tenant may use a namespace "bar," such that the URI http://bar- tenant. windows.net/resources/queues/a/b corresponds to a resource owned by the second tenant and differs from a queue resource owned by the first tenant using the "foo" namespace.
[050] In one embodiment, runtime gateway 204 functions as a gateway to each subsystem, and communicates with runtime adapter 228 of subsystem adapter 224. In one embodiment, runtime gateway 204 includes one or more pipeline components in a processing pipeline, each component processing incoming requests prior to forwarding them. For example, pre-authorization pipeline component 220 may perform a preliminary authorization of a request and conditionally forward the request based on the authorization result. Further details of the pre-authorization pipeline component 220 are provided herein. One or more filter pipeline components 222 may perform actions to conditionally forward incoming requests based on configured criteria. Various configurations may exclude pre-authorization component 220 or filter component 222, or include one or more other pipeline components. Each pipeline component may be selectively used to process a message, based on a system configuration, resource data associated with a request, or other factors.
[051] Pipeline components act as intermediaries between a tenant and a subsystem. In some embodiments, pipeline components may extract data or alter message headers, but do not alter the payload of an incoming request, though some embodiments may allow for payload alterations. One or more pipeline components may be implemented as plug-ins to the gateway.
[052] In one embodiment, runtime gateway 204 may receive a request that includes a runtime URI corresponding to the resource that is the target of the request. The URI, or a portion thereof, may be used to look up and locate the description data corresponding to the resource in policy store 214. The description data may include data that specifies which pipeline components are to process the request, how the request is to be processed, or other parameters of pipeline processing. For example, the description data may have settings that indicate the type of pre-authorization that is to be performed, criteria for determining authorization to access the resource, or other settings.
[053] Runtime gateway 204 may determine a subsystem corresponding to the request based on the received URI. In one embodiment, the URI or the resource description data indicates the resource type. Configuration table 232 may include a mapping of resource type to subsystem. After performing appropriate pipeline actions, runtime gateway 204 may forward the request to the corresponding subsystem. Specifically, in one
embodiment, runtime gateway 204 may forward the request to the runtime adapter 228 of the appropriate subsystem. In one embodiment, runtime gateway retrieves from policy store 214 a resource handle corresponding to the resource specified in the received URI, and corresponding description data. Runtime gateway 204 may attach the resource handle or description data to the forwarded message, or otherwise pass the resource handle or description data to a subsystem.
[054] In one embodiment, the gateway may wrap a message that is sent to the subsystem. Wrapping may include placing the message in the body of a surrounding message for transport. In one implementation, the original message header may be wrapped together with the message payload. In one implementation the original message header may be excluded from the wrapped message.
[055] The message may be received by runtime adapter 228. In response to receiving a runtime request, runtime adapter 228 may initiate actions or operations on the designated resource. Initiation of actions or operations may include sending one or more commands to one or more components of the associated subsystem backend 230. In one embodiment, subsystem adapter 224 and subsystem backend 230 are components of a subsystem, such as subsystem 114, 116, or 118, and each subsystem may have a similar architecture. For each subsystem, subsystem backend 230 may be collocated with subsystem adapter 224, or remotely located. In one implementation, subsystem adapter 224 may behave as a proxy for subsystem backend 230. It may wrap an incoming request and send a message containing the request to one or more subsystem backend components, receive a response, and subsequently respond to the requester. Subsystem backend components may therefore be unaware of tenant identities or locations, incoming request protocols, or other such data.
[056] FIGURE 3 is a flow diagram illustrating an example embodiment of a process 300 for managing a resource, specifically allocating a resource, in accordance with some of the mechanisms described herein. Process 300, or a portion thereof, may be performed by various embodiments of system 200 or a variation thereof. Components of system 200 are used as examples of an implementation herein, though in various embodiments, the correspondence of process actions and components may vary. The illustrated portions of process 300 may be initiated at block 302, where a request to allocate a resource is received. In one configuration, the request is received from a tenant, such as tenant 101, 103, or 105 of FIGURE 1. The request may be received by management gateway 202, or another component that receives and forwards requests. The request may specify a type of resource that is to be created, including various specifications of the resource.
Specifications may include, for example, a size limit, duration of time, or other
characteristics of the resource.
[057] The process may flow to block 304, where the request, if not received by management gateway 202, is forwarded to management gateway 202. The process may flow to block 306, where a determination is made of whether the resource already exists. If the resource does not already exist, the management gateway 202 may store the oughtness of the desired resource in a database, such as policy store 214. Though not illustrated in FIGURE 3, for management requests regarding an already existing resource, a process may abort if the resource is not found to exist.
[058] The process may flow to block 308, where management gateway 202 sends an allocate message to a subsystem associated with the resource type. As discussed herein, in one embodiment these actions include determining, based on a configuration table, the appropriate subsystem.
[059] The process may flow to block 310, where the subsystem receiving the allocate message allocates a resource of the desired type. In some configurations, the actual characteristics of the allocated resource may differ from the oughtness previously stored. If successful, the subsystem may report back to the management gateway 202 the isness of the resource, a resource handle, or other identifying information.
[060] It is to be noted that allocating a resource may be performed in a variety of ways, depending on the resource type, the implementations used, or the system configuration. In some situations, the resource may already exist and allocation may include reserving its use. In some situations, allocation may include creating the resource or a portion thereof. In some situations, a resource may be shared and allocation may be performed by increasing a use count or otherwise designating an association with the resource. As used herein, allocating a resource may thus include a variety of actions.
[061] The process may flow to block 312, where the management gateway 202 may store the isness and the resource handle in the policy database. The process may flow to block 314, where a response is sent to the requester. The response may include a status. If the status is success, the response may include a URI that can be subsequently used to manage the resource. In one embodiment, the response includes a runtime URI that can be subsequently used to perform runtime operations with the resource. [062] The process may flow to other actions, not shown, exit, or return to a calling program.
[063] FIGURE 4 is a flow diagram illustrating an example embodiment of a process 400 for providing access to runtime operations related to a resource, in accordance with some of the mechanisms described herein. Process 400, or a portion thereof, may be performed by various embodiments of system 200 or a variation thereof. Components of system 200 are used as examples of an implementation herein, though in various embodiments, the correspondence of process actions and components may vary or process 400 may be performed with a variation of system 200. The illustrated portions of process 400 may be initiated at block 402, where a request to perform a runtime operation on a resource is received. In one configuration, the request is received from a tenant, such as tenant 101, 103, or 105 of FIGURE 1. The request may be received by runtime gateway 204, or another component that receives and forwards requests. Examples of operations that may be requested are storing or retrieving a data item, adding an item to a queue, sending a message, processing data, or other operations. In one embodiment, the request may be in the form of one or more messages and may be received by a protocol head, such as protocol head 208, 210, or 212.
[064] The process may flow to block 404, where information may be extracted from the request message. This information may include one or more of a target address, a security token, a specification of a resource, a message payload, or other header data.
[065] The process may flow to block 406, where a subsystem and resource may be identified based on the extracted message information. In one embodiment, this may include looking up a resource based on at least a portion of the target address, which may be in the form of a URL As discussed herein, a URI may include a string that indicates a subsystem, a resource type, or a resource. The URI, or portion thereof, may be used as a key to look up a resource in policy store 214.
[066] In one embodiment, lookup of a resource may include determining a longest prefix match based on a string from a URI. For example, a URI may include the string "AA/BB/CC". The policy store may include a match for the string "AA/BB", and no match for "AA/BB/CC". It may thus be determined that the resource corresponding to "AA/BB" is the matching resource. This technique provides a way for a subsystem that provides a URI corresponding to the resource to include a suffix for its private use. For example, the substring "CC" in the above example may represent information passed back by the subsystem upon resource creation, wherein this information is used by the subsystem in subsequent requests. The gateway may omit any configuration that uses or even understands the private information, and each subsystem may have its own system for use of the private suffix information.
[067] The process may flow to decision block 408, where a conditional flow is determined based on the lookup of the resource. If, at block 408, a matching resource is not found, the process may flow to block 410, where the request is rejected. Rejecting a request may include sending a status response back to the requesting tenant, dropping the request, or another action. A status response may be based on the communications protocol employed with the tenant. For example, if the HTTP protocol is used, a 404 not found error may be returned. If the NMF protocol is used, a not-found fault may be sent. The process may exit or return to a calling program.
[068] If, at decision block 408, a matching resource is found, the process may flow to block 412, where a resource data may be retrieved. The resource data may be in the form of a document, structured data, or other format or combination thereof. In one
embodiment, the resource data includes a handle to the resource, data indicating whether requests related to the resource are to be checked for authorization by the runtime gateway, parameters to the authorization determination, specifications of pipeline processing that is to be performed, maximum resource size, quotas, or other data descriptive of or associated with the resource. In one implementation, the resource data may include a set of name-value pairs that indicate a contract between the runtime gateway and the subsystem corresponding to the resource. Example instructions of such a contract may include:
authorization = TRUE;
size limit = 64K;
[069] The actions of block 412 may include attaching the extracted data and the resource data, or portions thereof, to the request message. This enables the data to be available to downstream processes, and particularly to the receiving subsystem, in a canonical form.
[070] As used herein, "attaching" data to a message may be performed in any of a variety of ways. One technique is to prepend or append the data to the message. Other techniques may include replacing the original message header with a normalized header or associating links to the data with the message. Generally, attaching data includes associating the data with the message so that it may be easily retrieved by another process that receives the annotated message, including a remote process. [071] The process may flow to block 414, where pipeline processing of the request message may be performed. As discussed herein, the pipeline components that process a request message may be based on a system configuration or specifications of the resource data. FIGURES 5 and 6, and associated discussion illustrate an example of pipeline processing that may be performed. Though not illustrated in FIGURE 4, pipeline processing may result in the request being rejected, discarded, or modified.
[072] The process may flow to block 416, where the message may be sent to a subsystem corresponding to the resource. As discussed herein, sending the message may include wrapping the message in another message, and sending the outer message to a remotely located subsystem. At block 416, the message may be received by the target subsystem. In some configurations, the subsystem, or a portion thereof, may be remotely located. In one embodiment, the runtime adapter 228 may maintain information for use in locating the subsystem backend 230.
[073] The process may flow to block 418, where the subsystem may process the request. The subsystem may use at least some of the resource data attached to the message to process the request. The actions of block 418 may include sending a response to the requesting tenant. A response may include a status, requested data, or other information.
Though not illustrated in FIGURE 4, in one embodiment, a response sent from the subsystem may be received and forwarded by runtime gateway 204. This may include processing by a protocol head. The protocol head may create an external message to send to the requesting tenant, employing the protocol in which the request message was received at block 402.
[074] The process may exit or return to a calling program.
[075] FIGURE 5 is a block diagram of a gateway system 500 that performs
authorization of a tenant. System 500 includes at least some of the components of gateway system 200. Like numbered components are to be considered equivalent components, and discussions herein of system 200 apply to some embodiments of system 500. Some components of gateway system 200 are omitted from gateway system 500 for simplicity, though in one embodiment, gateway system 200 and gateway system 500 may be different views of the same gateway system.
[076] In the illustrated configuration, gateway system 500 includes runtime gateway 204, subsystem adapter 224, subsystem backend 230, and policy store 214, as well as subcomponents of each. Gateway system 500 further includes identity provider 502, tenant 504, and access control service (ACS) 506. [077] Identity provider 502 may be a local or remote network entity that issues security credentials to tenant 504. The credentials may represent claims about tenant 504 that can be trusted by ACS 506. In one embodiment, the security credentials include security token 508. Security token 508 may be sent to tenant 504 in response to identifying information, such as a name and password.
[078] In one embodiment, tenant 504 sends security token 508 to ACS 506. ACS 506 may verify the authenticity of security token 508. If the verification is successful, ACS 506 may issue access token 510 to tenant 504. An access token is a security token that is trusted by runtime gateway 204.
[079] Though not shown in FIGURE 5, identity provider 502 may be one of a set of identity providers that are collectively referred to as an identity federation. ACS 506 trusts each identity provider in the federation and is able to authenticate security tokens from each provider. By acting as an intermediary. ACS 506 offloads from runtime gateway 204 the task of maintaining a trust relationship and authentication data with multiple identity providers in a federation that may change over time, or with protocols that may change.
[080] An access token may contain a set of assertions or claims that are made by or granted to tenant 504. Tenant 504 may use the access token to request services at runtime gateway 204. In one embodiment, pre-authorization pipeline component 220 (referred to herein as "pre-authN" 220) may authenticate the access token and determine whether the claims are sufficient to authorize tenant 504 to perform the requested operation with the specified resource. This is described in further detail in FIGURE 6 and the discussion herein.
[081] FIGURE 6 is a flow diagram illustrating an example embodiment of a process 600 for authorizing a tenant, in accordance with some of the mechanisms described herein. Process 600, or a portion thereof, may be performed by various embodiments of system 500 or a variation thereof. Components of system 500 are used as examples of an implementation herein, though in various embodiments, the correspondence of process actions and components may vary. The illustrated portions of process 600 may be initiated at block 602, where a tenant, such as tenant 504, provides identifying information to an identity provider, such as identity provider 502. This information may be sent in a message, as represented by arrow 512. The identifying information may include one or more of a user name, password, digital signature, biometric data, or other data that identifies or authenticates the identity of tenant 504. The identifying information is referred to as the context of tenant 504. [082] The process may flow to block 604, where, in response to receiving identifying information, the identity provider provides a security token to the tenant. Identity provider may perform various authentication processes and selectively provide the security token based on the authentication. In one implementation, security token 508 is sent in a message represented by arrow 514.
[083] The process may flow to block 606, where the tenant sends the security token 508 to access control service 506. This may be sent in a request message represented by arrow 516.
[084] The process may flow to block 608, where access control service 506 issues an access token based on the received security token. Though not illustrated in FIGURE 6, access control service 506 may decline sending an access token if the security token is insufficient. For example, it may have been issued by an identity provider that is not trusted by the access control service. As represented by arrow 518, access control service 506 may send access token 510 in a message to tenant 504.
[085] The process may flow to block 610, where tenant 504 may send a request and an access token in a message, represented by arrow 520, to runtime gateway 204, and the gateway receives the request and token. In one embodiment, the request and access token may be passed to pre-authorization pipeline component 220.
[086] The process may flow to block 612, where pre-authorization component 220 performs actions to verify the access token and to determine whether the claims of the access token match the resource of the request. Verification of the token may include determining whether a digital signature is valid, whether the token has been issued by a trusted access control service, or other verification actions. In one embodiment, the access token may include one or more claims, such as the identity of the tenant, a subscription that the tenant owns or controls, or other rights of the tenant. In one embodiment, pre- authorization component 220, runtime gateway 204, a protocol header, or another component may retrieve gateway settings 216 from policy store 214. In one
implementation, each resource has a corresponding data set, referred to as the gateway settings, that is stored in policy store 214. The gateway settings may indicate the type of pre-authorization that is to be performed, a list of tenants or groups that are allowed access to the resource, or one or more claims to be matched in order to allow access. For example, the gateway settings corresponding to a resource may specify a set of one or more candidate claims, such that an access token is authorized if it contains at least one of the candidate claims. Based on the gateway settings corresponding to the resource, the request, and the claims of the access token, pre-authorization component 220 may determine whether the claims match the resource and whether to authorize the request.
[087] The process may flow to decision block 614, where a decision is made based on the determinations. If the access token is not authentic, or the claims do not correctly match the resource or the request, the process may flow to block 616, where the request is rejected. Rejecting a request may include sending a status response back to the requesting tenant, dropping the request, or another action. The process may exit or return to a calling program.
[088] If, at decision block 614, it is determined that the access token is authentic and the claims match the resource or request, the process may authorize the request and flow to block 618, where at least a subset of the claims are extracted from the access token and attached to the request message. The message may be forwarded toward the appropriate subsystem. Based on the gateway configuration or the gateway settings, additional pipeline components may process the request on its way to the subsystem.
[089] In some configurations, a protocol head 208, 210, or 212 may extract the claims and attach them to the message. By extracting the claims, the receiving subsystem is enabled to process the claims without being configured to understand the token format or protocol. In one embodiment, the subsystem may perform additional authorization actions on the request. By having a pre-authorization stage that is separate from the subsystem, the architecture of FIGURES 2 and 5 offloads some of the authorization from the subsystem. This may serve to offload some processing, particularly in a configuration in which authorization is an expensive process. It may also enhance the resiliency of each subsystem in the event of a security attack or heavy usage situation.
[090] Process 600 may perform additional actions, not shown, exit, or return to a calling program.
[091] System 500 and process 600 illustrate authorization and message processing mechanisms with a runtime gateway. In some embodiments these mechanisms, or a portion thereof, may be employed with a management gateway. Thus, management request processing may employ process 600, or a variation thereof.
[092] FIGURE 7 is a block diagram showing one embodiment of a computing device 700, illustrating selected components of a computing device that may be used to implement mechanisms described herein, including systems 200 or 500 and processes 300, 400, or 600. Computing device 700 may include many more components than those shown, or may include less than all of those illustrated. Computing device 700 may be a standalone computing device or part of an integrated system, such as a blade in a chassis with one or more blades. Though the components of computing device 700 are illustrated as discrete components, any one or more of them may be combined or integrated into an integrated circuit, such as an ASIC.
[093] As illustrated, computing device 700 includes one or more processors 702, which perform actions to execute instructions of various computer programs. In one
configuration, each processor 702 may include one or more central processing units, one or more processor cores, one or more ASICs, cache memory, or other hardware processing components and related program logic. As illustrated, computing device 700 includes an operating system 704. Operating system 704 may be a general purpose or special purpose operating system. The Windows® family of operating systems, by Microsoft Corporation, of Redmond, WA, includes examples of operating systems that may execute on computing device 700.
[094] In one embodiment, computing device 700 includes one or more graphics processing units (GPU) 716. A GPU is a processor that is configured to perform graphics operations, such as rendering a graphic image, or to perform stream processing.
[095] Memory and storage 706 may include one or more of a variety of types of non- transitory computer storage media, including volatile or non-volatile memory, RAM, ROM, solid-state memory, disk drives, optical storage, or any other medium that can be used to store digital information.
[096] Memory and storage 706 may store one or more components described herein or other components. In one embodiment, memory and storage 706 stores management gateway 202, runtime gateway 204, policy store 214, one or more subsystem adapters 224, and one or more subsystem backends 230. In various embodiments, one or more of these components may be omitted from memory and storage 706. In some embodiments, at least a portion of one or more components may be implemented in a hardware component, such as an ASIC. In various configurations, multiple components implementing the functions or including the data of these components may be distributed among multiple computing devices. Communication among various distributed components may be performed over a variety of wired or wireless communications mechanisms.
[097] Any one or more of the components illustrated as stored in memory and storage 706 may be moved to different locations in RAM, non-volatile memory, or between RAM and non-volatile memory by operating system 704 or other components. In some configurations, these components may be distributed among one or more computing devices, including computing devices that are remotely located from each other.
[098] Computing device 700 may include a video display adapter 712 that facilitates display of data, scene frames, or other information to a user. Though not illustrated in FIGURE 7, computing device 700 may include a basic input/output system (BIOS), and associated components. Computing device 700 may also include a network interface unit 710 for communicating with a network. Software components, such as those stored in memory and storage 706, may be received via transitory media and network interface unit 710. Computing device 700 may include one or more display monitors 714.
Embodiments of computing device 700 may include one or more input devices (not shown), such as a keyboard, pointing device, touch screen, keypad, audio component, microphone, voice recognition component, or other input/output mechanisms.
[099] It will be understood that each block of the flowchart illustrations of FIGURES 3-4 and 6, and combinations of blocks in each flowchart illustration, can be implemented by software instructions. These program instructions may be provided to a processor to produce a machine, such that the instructions, which execute on the processor, create means for implementing the actions specified in the flowchart block or blocks. The software instructions may be executed by a processor to provide steps for implementing the actions specified in the flowchart block or blocks. In addition, one or more blocks or combinations of blocks in the flowchart illustrations may also be performed concurrently with other blocks or combinations of blocks, or even in a different sequence than illustrated without departing from the scope or spirit of the invention.
[0100] The above specification, examples, and data provide a complete description of the manufacture and use of the composition of the invention. Since many embodiments of the invention can be made without departing from the spirit and scope of the invention, the invention resides in the claims hereinafter appended.

Claims

1. A computer-based method of providing a set of one or more services to one or more tenants, the method comprising:
a) receiving a request from a tenant to allocate a resource having a resource type;
b) determining, based on the resource type, a subsystem corresponding to the resource type;
c) forwarding the request to the determined subsystem;
d) receiving, from the determined subsystem, an identification of the resource; e) storing resource data descriptive of the resource, the resource data including the identification of the resource;
f) receiving, from the tenant in a first protocol, a request to perform an operation related to the resource;
g) retrieving the resource data and attaching the resource data to the request to perform the operation;
h) forwarding, in a second protocol, the request to perform the operation to the determined subsystem.
2. The computer-based method of Claim 1, further retrieving the resource data based on a component identifier in a URI of the request to perform the operation.
3. The computer-based method of Claim 1, further comprising providing a plurality of protocol components, each protocol component having a corresponding protocol and computer instructions for performing as an intermediary between an external component in the corresponding protocol and the subsystem in the second protocol.
4. The computer-based method of Claim 1, further comprising:
a) providing, to the tenant, a first URI for requesting one or more management operations related to the resource, the management operations including deleting the resource, deallocating the resource, modifying the resource, or monitoring the resource; and
b) providing, to the tenant, a second URI for requesting one or more runtime operations related to the resource.
5. A computer-readable storage medium comprising computer program instructions for providing a set of resources to a plurality of tenants, the program instructions executable by one or more processors to perform actions including:
a) facilitating management of each resource by a corresponding subsystem; b) providing access to runtime operations related to the resources, each operation performed by the corresponding subsystem;
c) communicating with the plurality of tenants by using one or more tenant protocols;
d) communicating with each subsystem using a subsystem protocol;
e) storing resource data corresponding to each resource; and
f) receiving requests to perform the runtime operations related to the resources, retrieving the resource data corresponding to each resource, attaching the corresponding resource data to each request, and selectively sending each request to the corresponding subsystem.
6. A computer-based system for providing a set of services to a set of tenants comprising:
a) a management gateway configured to perform actions including:
i) receiving tenant management requests to allocate a computer resource; and
ii) for each received tenant request, determining a corresponding subsystem based on a resource type specified in the received management request, forwarding the request to the determined subsystem, storing resource data corresponding to the computer resource, and sending a response to a requester of the computer resource; b) a runtime gateway configured to perform actions related to a specified computer resource, including:
i) receiving tenant runtime requests; and
ii) in response to receiving a runtime tenant request, retrieving the resource data corresponding to the specified computer resource, selectively performing processing actions based on the retrieved resource data, determining a subsystem based on a type of the resource data, and forwarding the runtime request to the determined subsystem; and
c) a set of one or more protocol components, each protocol component configured to receive each tenant runtime request in a corresponding protocol, extract data from the tenant runtime request, and forward the tenant runtime request in another protocol.
7. The computer-based system of Claim 6, further comprising a set of one or more pipeline components, the runtime actions further including, in response to receiving each tenant runtime request, selectively each pipeline component based on the retrieved resource data.
8. The computer-based system of Claim 6, further comprising a pre-authorization component configured to authorize each tenant runtime request prior to forwarding the runtime request to the determined subsystem.
9. The computer-based system of Claim 6, further comprising a mechanism that enables a tenant to specify a namespace and employs one or more URIs to specify a resource within the specified namespace.
10. The computer-based system of Claim 6, the management gateway and runtime gateway comprising one or more processors configured with computer instructions to implement the management gateway actions and the runtime gateway actions.
PCT/US2012/025792 2011-02-21 2012-02-20 Multi-tenant services gateway WO2012115896A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
EP12749623.0A EP2678984B1 (en) 2011-02-21 2012-02-20 Multi-tenant services gateway

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US13/031,263 2011-02-21
US13/031,263 US8903884B2 (en) 2011-02-21 2011-02-21 Multi-tenant services gateway

Publications (2)

Publication Number Publication Date
WO2012115896A2 true WO2012115896A2 (en) 2012-08-30
WO2012115896A3 WO2012115896A3 (en) 2012-11-01

Family

ID=46653688

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2012/025792 WO2012115896A2 (en) 2011-02-21 2012-02-20 Multi-tenant services gateway

Country Status (4)

Country Link
US (1) US8903884B2 (en)
EP (1) EP2678984B1 (en)
CN (1) CN102710590B (en)
WO (1) WO2012115896A2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3056993A1 (en) * 2015-02-16 2016-08-17 International Business Machines Corporation Enabling an on-premises resource to be exposed to a public cloud application securely and seamlessly

Families Citing this family (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8539078B2 (en) * 2010-07-08 2013-09-17 International Business Machines Corporation Isolating resources between tenants in a software-as-a-service system using the estimated costs of service requests
US9160787B2 (en) 2012-01-20 2015-10-13 International Business Machines Corporation Collaboration and interaction with system terminals
US9710626B2 (en) 2012-07-06 2017-07-18 International Business Machines Corporation Security model for network information service
US9692858B2 (en) * 2012-07-17 2017-06-27 International Business Machines Corporation Security model for a memory of a network information system
US9710664B2 (en) * 2012-09-07 2017-07-18 Amrita Vishwa Vidyapeetham Security layer and methods for protecting tenant data in a cloud-mediated computing network
US10225164B2 (en) * 2012-09-07 2019-03-05 Oracle International Corporation System and method for providing a cloud computing environment
US9477710B2 (en) * 2013-01-23 2016-10-25 Microsoft Technology Licensing, Llc Isolating resources and performance in a database management system
US9270621B1 (en) * 2013-02-25 2016-02-23 Ca, Inc. Securely providing messages from the cloud
US9411973B2 (en) 2013-05-02 2016-08-09 International Business Machines Corporation Secure isolation of tenant resources in a multi-tenant storage system using a security gateway
US9760847B2 (en) 2013-05-29 2017-09-12 Sap Se Tenant selection in quota enforcing request admission mechanisms for shared applications
US20150006730A1 (en) * 2013-06-27 2015-01-01 Sap Ag Enabling multi-tenant virtual servers in a cloud system
US9584588B2 (en) 2013-08-21 2017-02-28 Sap Se Multi-stage feedback controller for prioritizing tenants for multi-tenant applications
US10524122B2 (en) 2014-01-31 2019-12-31 Microsoft Technology Licensing, Llc Tenant based signature validation
US9565198B2 (en) 2014-01-31 2017-02-07 Microsoft Technology Licensing, Llc Tenant based signature validation
GB2533385B (en) * 2014-12-18 2021-05-26 Advanced Risc Mach Ltd Assignment of tenancy to devices
EP3051469B1 (en) 2015-01-28 2024-05-22 Inexto Sa Method and apparatus for unit and container identification and tracking
EP3051372B1 (en) 2015-01-31 2019-03-06 Inexto Sa Secure product identification and verification
US10410155B2 (en) 2015-05-01 2019-09-10 Microsoft Technology Licensing, Llc Automatic demand-driven resource scaling for relational database-as-a-service
US20180205543A1 (en) 2015-08-13 2018-07-19 Inexto Sa Enhanced obfuscation or randomization for secure product identification and verification
EP3341880B1 (en) 2015-08-25 2022-03-30 Inexto Sa Verification with error tolerance for secure product identifiers
WO2017032860A1 (en) * 2015-08-25 2017-03-02 Inexto Sa Multiple authorization modules for secure production and verification
US10148503B1 (en) * 2015-12-29 2018-12-04 EMC IP Holding Company LLC Mechanism for dynamic delivery of network configuration states to protocol heads
US11070446B2 (en) 2017-10-24 2021-07-20 At&T Intellectual Property I, L.P. Intelligent network resource orchestration system and method for internet enabled device applications and services
US11941643B2 (en) * 2018-04-05 2024-03-26 Visa International Service Association System, method, and apparatus for authenticating a user
CN111988173B (en) * 2020-08-19 2023-09-12 北京安瑞志远科技有限公司 Tenant management platform and tenant management method based on multi-layer father-son structure tenant
CN113657960B (en) * 2020-08-28 2024-09-13 支付宝(杭州)信息技术有限公司 Matching method, device and equipment based on trusted asset data
CN112101589B (en) * 2020-09-07 2022-08-05 中国人民解放军海军工程大学 Ship remote technical support system based on cloud computing
CN112235400B (en) * 2020-10-14 2024-02-02 腾讯科技(深圳)有限公司 Communication method, communication system, communication device, server, and storage medium
CN112637328A (en) * 2020-12-21 2021-04-09 上海商汤智能科技有限公司 Cloud service method, device, equipment and storage medium
CN114301982A (en) * 2022-01-04 2022-04-08 徐工汉云技术股份有限公司 Internet of things equipment terminal access system and method based on tenants and gateways

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005026947A2 (en) 2003-09-17 2005-03-24 International Business Machines Corporation Managing processing within computing environments including initiation of virtual machines

Family Cites Families (34)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6405254B1 (en) * 1996-01-03 2002-06-11 Sterling Commerce, Inc. System and method for protocol conversion using facilities and utilities
US5928323A (en) * 1996-05-30 1999-07-27 Sun Microsystems, Inc. Apparatus and method for dynamically generating information with server-side software objects
US6629127B1 (en) * 1999-07-26 2003-09-30 Microsoft Corporation Methods and systems for processing HTTP requests
US6654796B1 (en) * 1999-10-07 2003-11-25 Cisco Technology, Inc. System for managing cluster of network switches using IP address for commander switch and redirecting a managing request via forwarding an HTTP connection to an expansion switch
US7240100B1 (en) * 2000-04-14 2007-07-03 Akamai Technologies, Inc. Content delivery network (CDN) content server request handling mechanism with metadata framework support
US6826626B1 (en) * 2000-07-21 2004-11-30 Clear Blue Technologies Management, Inc. Method of and apparatus for rapid retrieval of data in a content distribution network
US20040030788A1 (en) * 2002-05-15 2004-02-12 Gaetano Cimo Computer message validation system
US7571206B2 (en) 2002-08-12 2009-08-04 Equallogic, Inc. Transparent request routing for a partitioned application service
US20040179035A1 (en) * 2003-03-13 2004-09-16 International Business Machines Corporation Group administration of universal resource identifiers with asynchronous playback
US20040236674A1 (en) * 2003-05-23 2004-11-25 Allen Chen Real-time credit authorization in e-commerce
US20050076336A1 (en) * 2003-10-03 2005-04-07 Nortel Networks Limited Method and apparatus for scheduling resources on a switched underlay network
US7266827B1 (en) * 2003-10-06 2007-09-04 Unisys Corporation Exposing an application object model to web-based clients via object model traversal
US20050163136A1 (en) 2003-11-17 2005-07-28 Leo Chiu Multi-tenant self-service VXML portal
US7676562B2 (en) * 2004-01-20 2010-03-09 Microsoft Corporation Computer system for accessing instrumentation information
US7448047B2 (en) * 2004-04-29 2008-11-04 Sybase, Inc. Database system with methodology for providing stored procedures as web services
US7519684B2 (en) * 2004-09-28 2009-04-14 International Business Machines Corporation Extensible URI-pattern-based servlet request processing framework
US20060075042A1 (en) * 2004-09-30 2006-04-06 Nortel Networks Limited Extensible resource messaging between user applications and network elements in a communication network
US20060235715A1 (en) * 2005-01-14 2006-10-19 Abrams Carl E Sharable multi-tenant reference data utility and methods of operation of same
US8554916B2 (en) 2005-04-11 2013-10-08 Accenture Global Services Gmbh Service delivery platform and development of new client business models
US20070050707A1 (en) * 2005-08-30 2007-03-01 Erxiang Liu Enablement of multiple schema management and versioning for application-specific xml parsers
US20070291767A1 (en) * 2006-06-16 2007-12-20 Harris Corporation Systems and methods for a protocol transformation gateway for quality of service
US20080144655A1 (en) * 2006-12-14 2008-06-19 James Frederick Beam Systems, methods, and computer program products for passively transforming internet protocol (IP) network traffic
US7657591B2 (en) * 2007-02-23 2010-02-02 Microsoft Corporation Dispatching client requests to appropriate server-side methods
US8019812B2 (en) * 2007-04-13 2011-09-13 Microsoft Corporation Extensible and programmable multi-tenant service architecture
WO2009055827A1 (en) 2007-10-25 2009-04-30 Starent Networks, Corp. Interworking gateway for mobile nodes
US8336089B1 (en) * 2007-12-21 2012-12-18 Emc Corporation Method and apparatus for providing authentication and encryption services by a software as a service platform
US8424059B2 (en) * 2008-09-22 2013-04-16 International Business Machines Corporation Calculating multi-tenancy resource requirements and automated tenant dynamic placement in a multi-tenant shared environment
US20100094847A1 (en) * 2008-10-10 2010-04-15 Malan Steven J Method and apparatus for multiple-protocol access to object-based storage
US9450783B2 (en) 2009-05-28 2016-09-20 Red Hat, Inc. Abstracting cloud management
US9135094B2 (en) 2009-06-22 2015-09-15 Microsoft Technology Licensing, Llc Adding configurable messaging functionality to an infrastructure
US20110126197A1 (en) * 2009-11-25 2011-05-26 Novell, Inc. System and method for controlling cloud and virtualized data centers in an intelligent workload management system
US20110289141A1 (en) * 2010-05-20 2011-11-24 Salesforce.Com, Inc. Methods and systems for providing a user interface in a multi-tenant database environment
US8812627B2 (en) * 2010-08-20 2014-08-19 Adobe Systems Incorporated System and method for installation and management of cloud-independent multi-tenant applications
US9460169B2 (en) * 2011-01-12 2016-10-04 International Business Machines Corporation Multi-tenant audit awareness in support of cloud environments

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005026947A2 (en) 2003-09-17 2005-03-24 International Business Machines Corporation Managing processing within computing environments including initiation of virtual machines

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP2678984A4

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3056993A1 (en) * 2015-02-16 2016-08-17 International Business Machines Corporation Enabling an on-premises resource to be exposed to a public cloud application securely and seamlessly
US10038721B2 (en) 2015-02-16 2018-07-31 International Business Machines Corporation Enabling an on-premises resource to be exposed to a public cloud application securely and seamlessly

Also Published As

Publication number Publication date
CN102710590B (en) 2017-09-22
CN102710590A (en) 2012-10-03
EP2678984A4 (en) 2018-01-03
EP2678984B1 (en) 2020-08-12
US8903884B2 (en) 2014-12-02
WO2012115896A3 (en) 2012-11-01
EP2678984A2 (en) 2014-01-01
US20120215918A1 (en) 2012-08-23

Similar Documents

Publication Publication Date Title
US8903884B2 (en) Multi-tenant services gateway
US10230763B2 (en) Application layer-based single sign on
CN106716404B (en) Proxy server in computer subnet
US9094398B2 (en) Enhancing directory service authentication and authorization using contextual information
US8869258B2 (en) Facilitating token request troubleshooting
US20190141022A1 (en) On-premise and off-premise communication
US20120198512A1 (en) System and method for combining an access control system with a traffic management system
US12088623B2 (en) Edge network-based account protection service
US9276869B2 (en) Dynamically selecting an identity provider for a single sign-on request
US9338165B2 (en) Common internet file system proxy authentication of multiple servers
JP2020522768A (en) Data loss prevention using a category-oriented parser
US8813197B2 (en) Techniques for network process identity enablement
CN112788031A (en) Envoy architecture-based micro-service interface authentication system, method and device
US11863528B1 (en) Glue layer that abstracts dynamic endpoints to static endpoints
US11838214B2 (en) Stateful packet inspection and classification
US11290472B2 (en) Threat intelligence information access via a DNS protocol
US11297036B1 (en) Single whitelisted ingress endpoint on 1 and 2 way TLS connections
TW201828093A (en) Visit request conversion method and device that identifies a target service type of a visit request and breaks down the visit request to a data structure corresponding to the target service type to be supplied to a corresponding server
US10142440B2 (en) Enforced registry of cookies in a tiered delivery network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12749623

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2012749623

Country of ref document: EP