Abstract: Server-specified subscription filters for long-lived client requests to fetch data in response to events. In one aspect, the techniques encompass a method performed by a set of one or more computing devices. The method includes the step of receiving a long-lived request to fetch data in response to events sent by a client computing device. The method further includes receiving a server-specified subscription filter for the long-lived request and executing the long-lived request. Executing the long-lived request includes creating a persistent function that uses the server-specified subscription filter to map a source event stream to a response event stream. The response event stream is provided to the client computing device. The server-specified subscription filter facilitates filtering of events fetched for the long-lived request in a way that may not be possible or impractical if the subscription client were required to specify the filter in the long-lived request.

Abstract: Fair queuing of request tasks spawned by requests to execute generative operations such as, for example, graph query language requests to execute a graph query language query, mutation, or subscription operations. Queuing techniques are used to prevent a heavy generative operation from dominating usage of computing resources of a host that executes many generative operations concurrently including a mix of heavy and normal generative operations. Generative operations are analyzed and classified as heavy or normal as the request tasks they spawn are being executed. If a generative operation is classified as heavy, then subsequent request tasks spawned by the heavy generative operation are added to an overload queue while request tasks spawned by concurrently executing normal generative operations as added to a main queue. For fairness, request tasks are polled from the main queue for execution at greater frequency than request tasks in the overload queue.

Abstract: A distributed database may comprise a plurality of nodes maintaining a collection of data items indexed by key values. Upon receiving a request to store a data item, a node of the database may be selected based on the node's suitability for storing the data item. The distributed database may generate a key to identify the data item, such that the generated key identifies the data item and comprises information indicative of the selected node. The distributed database may provide the generated key to an application programming interface client in response to the request.

Abstract: A centralized datastore maintained by a service provider may maintain current versions of objects (e.g., applications, documents, websites, etc.). A local datastore residing on user devices of users may maintain local versions of the objects. A user may submit a modification to the object and, upon determining that a version of the local object is the same as the version of current version of the object, a current version of the object may be updated to include the modification. If the version and the current version are different, individual fields of the object may be analyzed to determine if the modification involves a change to data that conflicts with data within the same field in the current version of the object. If not, the objects may be merged and the current version of the object may be updated to include the modification. Otherwise, the modification will be rejected.

Abstract: One or more clients of a service may obtain access to resources of the service using one or more roles. A role may be used to delegate access to resources that a client normally would not otherwise have access to. A requestor may make a request to assume an intermediary role and receive a first token that enables assumption of the intermediary role. The requestor, after assuming the intermediary role, may request to assume to assume a destination role and receive a second token that enables the requestor to access one or more computing resources by assuming the destination role.

Abstract: A technology is provided for a fan out for a subscription. A mutation may be received at a data proxy from an application. The mutation may be sent to the data source via a data access resolver associated with the data proxy. Results for the mutation may be received. At least one subscription may be identified which matches combinations of fields in the results for the mutation. A message for the at least one subscription regarding the mutation may be sent to a messaging service to enable the messaging service to publish the message to devices subscribed to at least one topic for the at least one subscription.

Abstract: A technology is provided for conflict resolution in a data proxy for a mutation. A mutation may be received at a data proxy from an application, and the data proxy is in a service provider environment. The mutation may be sent to be processed by a data store via a data access resolver. A conflict message may be received at the data proxy via the data access resolver for a conflict mutation at the data store for the mutation. The conflict may be resolved at the data proxy using a conflict resolution function in the data proxy.

Abstract: A technology is provided for synchronizing data with delayed subscriptions. A request may be received at a data proxy for a data snapshot for an application that has been offline at the client. A subscription may be held for a pre-determined amount of time after the request for the snapshot. The data snapshot may be sent to the client. The data for the subscription may be sent after the pre-determined amount of time.

Abstract: A technology is provided for mutations with immediate feedback. A mutation may be received at a data proxy from an application. The mutation may be sent to a data source via a data access resolver associated with the data proxy. Results of the mutation may be received from the data source. A subscription may be triggered based on receiving the results of the mutation. A message may be sent via a topic provided by the subscription by using a messaging service such that the messaging service publishes the message with the mutation to devices subscribed to the topic.

Abstract: One or more clients of a service may obtain access to resources of the service using one or more roles. A role may be used to delegate access to resources that a client normally would not otherwise have access to. A requestor may make a request to assume an intermediary role and receive a first token that enables assumption of the intermediary role. The requestor, after assuming the intermediary role, may request to assume to assume a destination role and receive a second token that enables the requestor to access one or more computing resources by assuming the destination role.

Abstract: One or more clients of a service may obtain access to resources of the service using one or more roles. A role may be used to delegate access to resources that a principal normally would not otherwise have access to. Assuming a role may allow a principal to receive a token that provides access to resources according to permission associated with the role. Upon detecting an event in connection with the invalidation of a token associated with a role, a service may perform a workflow in connection with the principal.

Abstract: One or more clients of a service may obtain access to resources of the service using one or more roles. A role may be used to delegate access to resources that a client normally would not otherwise have access to. A system of the service may be used to detect the occurrence of an event associated with a principal that has assumed a role to obtain a token that enables access to a computing resource. The system may prevent one or more principals from use of the token for future access to the resource, and may update permissions associated with the role to prevent one or more principals from assuming the role.

Abstract: One or more clients of a service may obtain access to resources of the service using one or more roles. A role may be used to delegate access to resources that a client normally would not otherwise have access to. A requestor may make a request to assume an intermediary role and receive a first token that enables assumption of the intermediary role. The requestor, after assuming the intermediary role, may request to assume to assume a destination role and receive a second token that enables the requestor to access one or more computing resources by assuming the destination role.

Abstract: A computer in a network has an operating system. The operating system is configured to prevent running of software not identified in a list of approved software referred to as a white list. Software absent from the list is prevented from running by the operating system. The network has a server which determines, for each item of software on the white list, the administration rights of the users of computers having that item of software. If a white listed software item is present on one or more computers used by users without admin rights, then the admin rights of any user of other computers having the same white listed software item are withdrawn by instructions sent by the server to the computer.

Abstract: Software is installed and/or un-installed in networks. Each of a plurality of networks has a network management system storing metadata comprising at least the identities and command lines of software installed using installation systems of the management systems. On each network the network management system of the network is accessed to obtaining the metadata of items of software run on the network. That metadata is sent to a server which serves all the networks. At the server, a comparison is done to compare the metadata of instances of the same software on different networks. For those instances of the same software having the same metadata on different networks, the metadata is storing in a database. The networks use the metadata stored in the database to automatically install or un-install software.

Abstract: A computer in a network has an operating system. The operating system is configured to prevent running of software not identified in a list of approved software referred to as a white list. Software absent from the list is prevented from running by the operating system. The network has a server which determines, for each item of software on the white list, the administration rights of the users of computers having that item of software. If a white listed software item is present on one or more computers used by users without admin rights, then the admin rights of any user of other computers having the same white listed software item are withdrawn by instructions sent by the server to the computer.

Abstract: A computer has an operating system having a kernel. The operating system is configured to prevent running of software not identified in a list of approved software referred to as a white list. The computer is linked by a communications link to a server which has a comparison program which compares the identities of software present on the computer with software identified in the list to determine what software installed on the computer is not on the white list. A risk determination program determines for each software not on the list whether the software complies with a plurality of risk criteria, and automatically adds to the list the identity of any software determined to be of low risk according to a risk calculation. The list is supplied to the computer. Software absent from the list is prevented from running by the kernel of the operating system.

Abstract: Software is installed and/or un-installed in networks. Each of a plurality of networks has a network management system storing metadata comprising at least the identities and command lines of software installed using installation systems of the management systems. On each network the network management system of the network is accessed to obtaining the metadata of items of software run on the network. That metadata is sent to a server which serves all the networks. At the server, a comparison is done to compare the metadata of instances of the same software on different networks. For those instances of the same software having the same metadata on different networks, the metadata is storing in a database. The networks use the metadata stored in the database to automatically install or un-install software.

Abstract: A network of computers has a network management system which stores metadata comprising at least the identities of software present on computers of the network. A computer of the network runs a monitoring program which accesses the metadata stored in the network management system to provide a measure of the extent to which one or more of a plurality of security controls are implemented in the network. The security controls are the application of Operating System patches, the application of third party software patches, allowing only applications on a list of approved software to run, and limiting administrator privileges. The measure comprises risk ratings dependent on the extents to which the controls are implemented.