Abstract: At a managed control plane service, end-user application programming interfaces (APIs) of an application to be implemented at a provider network are determined. A set of common operational requirements of the application, to be fulfilled without obtaining program code for the requirements, are identified. In response to an invocation of an end-user API of the application, computations are performed at a resource selected by the managed control plane service, and one or more tasks to satisfy a common operational requirement are initiated by the managed control plane service.

Abstract: Techniques for intent-based access control are described. A method of intent-based access control may include receiving, via a user interface of an intent-based governance service, one or more intent statements associated with user resources in a provider network, the one or more intent statements expressing at least one type of action allowed to be performed on the user resources, compiling the one or more intent statements into at least one access control policy, and associating the at least one access control policy with the user resources.

Abstract: Techniques for intent-based access control are described. A method of intent-based access control may include receiving, via a user interface of an intent-based governance service, one or more intent statements associated with user resources in a provider network, the one or more intent statements expressing at least one type of action allowed to be performed on the user resources, compiling the one or more intent statements into at least one access control policy, and associating the at least one access control policy with the user resources.

Abstract: At a managed control plane service, end-user application programming interfaces (APIs) of an application to be implemented at a provider network are determined. A set of common operational requirements of the application, to be fulfilled without obtaining program code for the requirements, are identified. In response to an invocation of an end-user API of the application, computations are performed at a resource selected by the managed control plane service, and one or more tasks to satisfy a common operational requirement are initiated by the managed control plane service.

Abstract: Large amounts of human body movement data may be collected, possibly via streaming data, from one or more sensors worn by a user. The data may be analyzed along with other classification data to generate feedback for the user or for other interested people (e.g., a trainer, a coach, a team member, health professional, etc.). The analysis may utilize one or more machine learning (ML) algorithms that use training data to create one or more ML models. When a user is evaluated after receiving feedback, accuracy of the feedback may be evaluated and fed back to the ML model to continue training the ML model(s).

Abstract: Techniques are described for managing execution of programs on multiple computing systems, such as based at least in part of user-specified constraints. For example, constraints related to execution of a program may be based on a desired relative location of a host computing system to execute a copy of the program with respect to an indicated target (e.g., computing systems executing other copies of the program or copies of another indicated program), on particular geographic locations, and/or on factors not based on location (e.g., cost of use of a particular computing system, capabilities available from a particular computing system, etc.). Some or all of the multiple computing systems may be part of a program execution service for executing multiple programs on behalf of multiple users, and each may provide multiple virtual machines that are each capable of executing one or more programs for one or more users.

Abstract: Briefly, aspects of the subject matter described herein relate to job submission. In aspects, a client (which itself may be a scheduler) sends a request to a scheduler to execute a job. The client may indicate which extensions to a base job submission protocol the client supports. The scheduler may implement a base case protocol and may also implement extensions to the base case. The client and scheduler may communicate information and requests about a job based on extensions both support, if any. The scheduler maintains state information about executing jobs that may include substate information without affecting interoperability with clients that do not recognize substates. A job may be in multiple substates at the same time.

Abstract: A method for multicasting a message in a computer network is described, in which at least some nodes of a multicast group transmit fault recovery information to other nodes of the group in addition to, or as part of, the message itself. The fault recovery information allows nodes to determine what dissemination responsibility should be assigned to successor nodes in the event that one or more nodes of the multicast group fail.

Abstract: A file that has been encrypted using a symmetric key and that has a corresponding access control entry with the symmetric key encrypted using the public key of a public/private key pair can be accessed. An encrypted key cache is also accessed to determine whether an access control entry to symmetric key mapping exists in the cache for the access control entry corresponding to the file. If such a mapping exists in the cache, then the mapped-to symmetric key is obtained form the cache, otherwise the encrypted symmetric key is decrypted using the private key of the public/private key pair. The encrypted key cache itself can also be encrypted and stored as an encrypted file.

Abstract: A file that has been encrypted using a symmetric key and that has a corresponding access control entry with the symmetric key encrypted using the public key of a public/private key pair can be accessed. An encrypted key cache is also accessed to determine whether an access control entry to symmetric key mapping exists in the cache for the access control entry corresponding to the file. If such a mapping exists in the cache, then the mapped-to symmetric key is obtained form the cache, otherwise the encrypted symmetric key is decrypted using the private key of the public/private key pair. The encrypted key cache itself can also be encrypted and stored as an encrypted file.

Abstract: Cryptographic protocols and methods of employing the same are described. The described protocols advantageously enable two or more identical encryptable objects that are coded for encryption with different keys to be identified as identical without access to either the unencrypted objects or the keys that are used in the encryption process. Additionally, the protocols enable two or more identical encryptable objects to be processed with different encryption keys, yet be stored in a manner so that the total required storage space is proportional to the space that is required to store a single encryptable object, plus a constant amount for each distinct encryption key. In various embodiments, the encryptable objects comprise files and the cryptographic protocols enable encrypted files to be used in connection with single instance store (SIS) systems.

Abstract: Cryptographic protocols and methods of employing the same are described. The described protocols advantageously enable two or more identical encryptable objects that are coded for encryption with different keys to be identified as identical without access to either the unencrypted objects or the keys that are used in the encryption process. Additionally, the protocols enable two or more identical encryptable objects to be processed with different encryption keys, yet be stored in a manner so that the total required storage space is proportional to the space that is required to store a single encryptable object, plus a constant amount for each distinct encryption key. In various embodiments, the encryptable objects comprise files and the cryptographic protocols enable encrypted files to be used in connection with single instance store (SIS) systems.

Abstract: Potentially identical objects (e.g., files) are located across multiple computers based on stochastic partitioning of workload. For each of a plurality of objects stored on a plurality of computers in a network, a portion of object information corresponding to the object is selected. The object information can be generated in a variety of manners (e.g., based on hashing the object, based on characteristics of the object, and so forth). Any of a variety of portions of the object information can be used (e.g., the least significant bits of the object information). A stochastic partitioning process is then used to identify which of the plurality of computers to communicate the object information to for identification of potentially identical objects on the plurality of computers.

Abstract: Potentially identical objects (e.g., files) are located across multiple computers based on stochastic partitioning of workload. For each of a plurality of objects stored on a plurality of computers in a network, a portion of object information corresponding to the object is selected. The object information can be generated in a variety of manners (e.g., based on hashing the object, based on characteristics of the object, and so forth). Any of a variety of portions of the object information can be used (e.g., the least significant bits of the object information). A stochastic partitioning process is then used to identify which of the plurality of computers to communicate the object information to for identification of potentially identical objects on the plurality of computers.

Abstract: A method and system for managing data records on a computer network is described, in which copies of data records are distributed among various servers in a hierarchical tree structure, and in which servers that experience an excessive number of requests for a particular data record transmit replicas of that data record to other servers to distribute the load.

Abstract: A serverless distributed file system manages the storage of files and directories using one or more directory groups. The directories may be managed using Byzantine-fault-tolerant groups, whereas files are managed without using Byzantine-fault-tolerant groups. Additionally, the file system may employ a hierarchical namespace to store files. Furthermore, the directory group may employ a plurality of locks to control access to objects (e.g., files and directories) in each directory.

Abstract: Potentially identical objects (e.g., files) are located across multiple computers based on stochastic partitioning of workload. For each of a plurality of objects stored on a plurality of computers in a network, a portion of object information corresponding to the object is selected. The object information can be generated in a variety of manners (e.g., based on hashing the object, based on characteristics of the object, and so forth). Any of a variety of portions of the object information can be used (e.g., the least significant bits of the object information). A stochastic partitioning process is then used to identify which of the plurality of computers to communicate the object information to for identification of potentially identical objects on the plurality of computers.

Abstract: A guaranteed distributed failure notification method is described, wherein a failure notification (FN) facility allows applications using the facility to create FN groups to which the application associates an application state. The application registers failure handlers with the FN facility on nodes in the FN group; each failure handler is associated with a specific FN group. When, on a given node, the FN facility learns of a failure in the FN group, the facility executes the associated failure handler on that node. System failures detected by the application are signaled to other FN group members using the facility. The facility detects system failures that occur in an overlay network on which the facility is implemented, and signals a failure notification to the other FN group members.

Abstract: A scalable, fault-tolerant, federated event notification method is described, wherein clients express interest in a topic by subscribing, and published event notifications are delivered to all current topic-subscribers. Event notifications are disseminated by a multicast tree that does not require participation by unwilling nodes. The multicast tree is constructed so that nodes belonging to the organization owning the tree do not rely on nodes outside the organization to forward message traffic. Event notifications are delivered using redundant tree-based application-level multicast to ensure reliable delivery.

Abstract: Potentially identical objects (e.g., files) are located across multiple computers based on stochastic partitioning of workload. For each of a plurality of objects stored on a plurality of computers in a network, a portion of object information corresponding to the object is selected. The object information can be generated in a variety of manners (e.g., based on hashing the object, based on characteristics of the object, and so forth). Any of a variety of portions of the object information can be used (e.g., the least significant bits of the object information). A stochastic partitioning process is then used to identify which of the plurality of computers to communicate the object information to for identification of potentially identical objects on the plurality of computers.