Multiple Redundant Services with Reputation
Multiple copies of web services reside on associated computing devices, each having an associated reputation. A client may desire to access the web service having the highest or best reputation to be ensured of a greater degree of accuracy and confidence. The client does a search, and attaches to whichever web service has the highest reputation. By running multiple copies of the web services, they may vote amongst themselves on the results in the event that one or more of the services starts giving incorrect or otherwise inconsistent results. Combining the voting with reputation data associated with each copy of the web service allows a service's reputation to be dynamically adjusted based upon how faithfully it computes the results of work items sent to it.
Latest Microsoft Patents:
This application is a divisional of, and claims priority to, U.S. patent application Ser. No. 10/909,139, filed Jul. 30, 2004 and titled, “Multiple Redundant Services with Reputation”, the disclosure of which is incorporated herein, in its entirety.
FIELD OF THE INVENTIONThe present invention relates generally to the field of information management, and, more particularly, to the identification and execution of multiple web services with reputation data.
BACKGROUND OF THE INVENTIONThere are many types of computing services, resources and data that computer users and applications need to manage and otherwise access. Such resources and data include services and data maintained locally, and data maintained on corporate networks and other remotely accessible sites including intranets and the internet.
The concept of web services is generally directed to providing a computing service to clients via protocols and standards that are cross-platform in nature. In general, web services provides the basic tools for wiring the nodes of a distributed application together, regardless of the type of platform on which the requesting client is running. As there are many different computing platforms, various platform-independent mechanisms and protocols that facilitate the exchange of network information are becoming commonplace in web services, including HTTP (HyperText Transfer Protocol), XML (eXtensible Markup Language), XML Schema, and SOAP (Simple Object Access Protocol) XML. Traditional web services, in which businesses, organizations, and other providers offer services to users and applications, are presently based on these standards. Moreover, a web service can represent other types of resources, such as hardware devices, databases, and the like.
Currently, the protocols by which web services exchange data with a client allow a client to send a message to a server port (e.g., URI) corresponding to the service and receive a message back at the client, in a manner agreed on according to a contract provided by the web service.
Reputation management systems are well-known in peer-to-peer networks, which provide a means of distributing many kinds of data, such as music, movies, and software. Given the open nature of these networks (that is, the fact that they allow anyone on the network to share any type and number of files), peer-to-peer networks are prone to abuses by anonymous malicious peers who share inauthentic files. The presence of these malicious peers can lead to the network becoming inundated with viruses, spam, and other inauthentic files. Recognizing this problem has led researchers to propose reputation management systems for these networks. These reputation management systems are algorithms that allow individual peers on a peer-to-peer network to rate each other according to the quality of their past transactions with each other. Once a peer has been rated, its rating can be used by other peers to help them find the best sources of good, authentic files and keep the effects of malicious peers on the network to a minimum.
There are several reputation management systems that are currently being used in situations such as online auctions and file sharing. eBay is a website where buyers and sellers can meet and conduct auctions entirely online. In eBay's reputation management system, buyers and sellers can rate each other based on their past transactions with each other. This is done via users' leaving comments on one another's eBay user pages, which can be positive, neutral, or negative. An eBay member's reputation is calculated by assigning each type of comment a point value (+1 point for positive comments, 0 points for neutral comments and −1 point for negative comments) and summing the point values of all of a member's transactions to obtain that member's “reputation,” which is the number of positive comments that the user has received. An eBay user's reputation score can then be used by other users as a factor in their decisions on whether to conduct a transaction with that user or not.
Kazaa is a peer-to-peer file sharing application that allows its users to share files with other Kazaa users. It also allows users to search for and download files from other users who are sharing them. Kazaa has implemented a reputation management system consisting of two components, “Integrity Rating” and “Participation Levels.” Integrity Rating allows peers who share files to rate their own files in terms of their technical merits, such as whether the files have accurate metadata and are of high quality. In order to guide other peers toward the highest-quality files available for download, users are encouraged to Integrity Rate their files and delete files that should not be shared (e.g., virus-infected files or files that are corrupted).
In Kazaa's reputation management system, each peer has a “Participation Level” that is based on the quality and amount of files that it shares. A peer's Participation Level is a number that reflects the ways in which that peer has used Kazaa to upload and download files. A peer's Participation Level is meant to reward peers who share many Integrity Rated files by providing those peers with increased bandwidth that they can use to download files from other peers on the network.
There are several other proposed reputation management systems, such as Debit-Credit Reputation Computation (DCRC), Credit-Only Reputation Computation (CORC), and Distributed Polling (Xrep). DCRC works by crediting peers' reputation scores for serving content and debits them for downloading. CORC credits peers' reputation scores for serving content, but does not debit them. Under CORC, the expiration of a peer's reputation score serves as a debit. In DCRC and CORC, peers can also earn credit for staying online and processing query requests sent to them by other peers. Since DCRC and CORC allow peers to store their own reputation scores, these reputation management schemes use a central Reputation Computation Agent which is contacted periodically by the peers to earn credit for their contribution to the network.
Distributed Polling (Xrep Protocol) determines whether peers are trustworthy based on votes that peer i takes regarding other peers' experiences with each peer j who responds to i's queries for content. In Xrep, each peer maintains a resource repository, which is a table that assigns a binary value describing whether a given resource is good (+) or bad (−). Each peer also has a servant repository, which is a table that keeps track of each servant, or other peer, that a peer has interacted with and records the numbers of successful and unsuccessful downloads from that peer.
When peer i receives responses to a search query from other peers, it will find the best download source for the file that it is looking for by polling its peers for their opinions of the resource and the peers that offer it. After receiving a set of votes from the other peers, i will discard any votes that have been tampered with and cluster the remaining votes by their IP addresses. i will then weight the votes within each cluster, such as by taking an average of the cluster's votes weighted on the size of the cluster. Next, i will contact the most reliable peer that hosts the file (based on the votes that i has received) to determine that the peer does indeed host the file. If this is true, then i will connect to the servant and download the file.
Web services do not currently provide reputation data and are not accommodated in reputation management systems. There is no way for multiple copies of web services to determine which result, when results among the web services differ, is correct. Moreover, there is no mechanism for determining which web services are important enough or desirable enough to be run as identical copies across multiple computing devices.
In view of the foregoing, there is a need for systems and methods that overcome these deficiencies.
SUMMARY OF THE INVENTIONThe following summary provides an overview of various aspects of the invention. It is not intended to provide an exhaustive description of all of the important aspects of the invention, nor to define the scope of the invention. Rather, this summary is intended to serve as an introduction to the detailed description and figures that follow.
The present invention is directed to web services, residing on associated computing devices, each having an associated reputation. A client may desire to access the web service having the highest or best reputation to be ensured of a greater degree of accuracy and confidence. The client calls the search service, passing in a contract that represents the requested service behaviors, and attaches to whichever has the highest reputation.
According to aspects of the invention, multiple copies of web services may vote amongst themselves on the results in the event that one or more of the services starts giving incorrect or otherwise inconsistent results. More particularly, the web services may run in lock-step with each other, starting from the same original state. Such web services desirably process identical protocols, and vote amongst themselves on the results of each protocol response back to the calling service. Desirably, an odd-numbered copy of services is used in scenarios involving voting, in order to prevent voting deadlocks or ties.
According to further aspects of the invention, by combining this voting with reputation data associated with each copy of the web service, a service's reputation can be dynamically adjusted based upon how faithfully it computes the results of work items (e.g., messages) sent to it. Once a web service on a particular node passes a certain reputation threshold (meaning that the web service's reputation has decreased beyond a predetermined acceptable level), the system can fail over to healthy node, shun the poorly behaving service, cut off its life support (e.g., scheduling, memory management), kill it, and/or restart the service on a known good node.
Further aspects of the invention involve determining which services should have multiple copies made and run on multiple computing devices. The worthy or important services may be dynamically determined at runtime based upon an observation of the resources the service requests, plus a notion of relative service priority.
Additional features and advantages of the invention will be made apparent from the following detailed description of illustrative embodiments that proceeds with reference to the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGSThe foregoing summary, as well as the following detailed description of preferred embodiments, is better understood when read in conjunction with the appended drawings. For the purpose of illustrating the invention, there is shown in the drawings exemplary constructions of the invention; however, the invention is not limited to the specific methods and instrumentalities disclosed. In the drawings:
The subject matter is described with specificity to meet statutory requirements. However, the description itself is not intended to limit the scope of this patent. Rather, the inventors have contemplated that the claimed subject matter might also be embodied in other ways, to include different steps or combinations of steps similar to the ones described in this document, in conjunction with other present or future technologies. Moreover, although the term “step” may be used herein to connote different elements of methods employed, the term should not be interpreted as implying any particular order among or between various steps herein disclosed unless and except when the order of individual steps is explicitly described.
Overview
Multiple copies of web services reside on associated computing devices, each having an associated reputation. A client may desire to access the web service having the highest or best reputation to be ensured of a greater degree of accuracy and confidence. The client calls the search service, passing in a contract that represents the requested service behaviors, and attaches to whichever web service has the highest reputation. Multiple copies of web services may vote amongst themselves on the results in the event that one or more of the services starts giving incorrect or otherwise inconsistent results. Combining the voting with reputation data associated with each copy of the web service allows a service's reputation to be dynamically adjusted based upon how faithfully it computes the results of work items sent to it.
Exemplary Computing Environment
Numerous embodiments of the present invention may execute on a computer.
Those skilled in the art will appreciate that the invention may be practiced with other computer system configurations, including handheld devices, multiprocessor systems, microprocessor based or programmable consumer electronics, network PCs, minicomputers, mainframe computers and the like. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network.
As shown in
The personal computer 20 may further include a hard disk drive 27 for reading from and writing to a hard disk, not shown, a magnetic disk drive 28 for reading from or writing to a removable magnetic disk 29, and an optical disk drive 30 for reading from or writing to a removable optical disk 31 such as a CD-ROM or other optical media. The hard disk drive 27, magnetic disk drive 28, and optical disk drive 30 are connected to the system bus 23 by a hard disk drive interface 32, a magnetic disk drive interface 33, and an optical drive interface 34, respectively. The drives and their associated computer readable media provide nonvolatile storage of computer readable instructions, data structures, program modules and other data for the personal computer 20.
Although the exemplary environment described herein employs a hard disk, a removable magnetic disk 29 and a removable optical disk 31, it should be appreciated by those skilled in the art that other types of computer readable media which can store data that is accessible by a computer, such as magnetic cassettes, flash memory cards, digital video disks, Bernoulli cartridges, random access memories (RAMs), read only memories (ROMs) and the like may also be used in the exemplary operating environment.
A number of program modules may be stored on the hard disk, magnetic disk 29, optical disk 31, ROM 24 or RAM 25, including an operating system 35, one or more application programs 36, other program modules 37 and program data 38. A user may enter commands and information into the personal computer 20 through input devices such as a keyboard 40 and pointing device 42. Other input devices (not shown) may include a microphone, joystick, game pad, satellite disk, scanner or the like. These and other input devices are often connected to the processing unit 21 through a serial port interface 46 that is coupled to the system bus, but may be connected by other interfaces, such as a parallel port, game port or universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface, such as a video adapter 48. In addition to the monitor 47, personal computers typically include other peripheral output devices (not shown), such as speakers and printers. The exemplary system of
The personal computer 20 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 49. The remote computer 49 may be another personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the personal computer 20, although only a memory storage device 50 has been illustrated in
When used in a LAN networking environment, the personal computer 20 is connected to the LAN 51 through a network interface or adapter 53. When used in a WAN networking environment, the personal computer 20 typically includes a modem 54 or other means for establishing communications over the wide area network 52, such as the internet. The modem 54, which may be internal or external, is connected to the system bus 23 via the serial port interface 46. In a networked environment, program modules depicted relative to the personal computer 20, or portions thereof, may be stored in the remote memory storage device. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used.
While it is envisioned that numerous embodiments of the present invention are particularly well-suited for computerized systems, nothing in this document is intended to limit the invention to such embodiments. On the contrary, as used herein the term “computer system” is intended to encompass any and all devices comprising press buttons, or capable of determining button presses, or the equivalents of button presses, regardless of whether such devices are electronic, mechanical, logical, or virtual in nature.
As illustrated in the block diagram of
In certain computer systems 200, and referring back to
The applications programs component 206 comprises various software programs including but not limited to compilers, database systems, word processors, business programs, videogames, and so forth. Application programs provide the means by which computer resources are utilized to solve problems, provide solutions, and process data for various users (e.g., machines, other computer systems, and/or end-users).
The operating system component 204 comprises the operating system itself and its shell and kernel. An operating system (OS) is a special program that acts as an intermediary between application programs and computer hardware, and the purpose of an operating system is to provide an environment in which a user can execute application programs. The goal of any operating system is to make the computer system convenient to use, as well as utilize the computer hardware in an efficient manner.
The operating system is generally loaded into a computer system at startup and thereafter manages all of the application programs (or simply “applications”) in the computer system. The application programs interact with the operating system by requesting services via an application program interface (API). Some application programs enable end-users to interact with the operating system via a user interface such as a command language or a graphical user interface (GUI).
An operating system traditionally performs a variety of services for applications. In a multitasking operating system where multiple programs may be running at the same time, the operating system determines which applications should run in what order and how much time should be allowed for each application before switching to another application for a turn. The operating system also manages the sharing of internal memory among multiple applications, and handles input and output to and from attached hardware devices. The operating system also sends messages to each application (and, in certain cases, to the end-user) regarding the status of operations and any errors that may have occurred.
An operating system's shell is the interactive end-user interface to an operating system. A shell is the outer layer of an operating system that is directly accessible by application programs and even directly by end-users. In contrast to a shell, the kernel is an operating system's innermost layer that interacts directly with the hardware components.
Distributed Operating System
A distributed operating system 302 is illustrated in
The distributed operating system 302 creates unity from multiplicity. The multiplicity includes devices 304, which include any piece of equipment or mechanism designed to serve a special purpose or perform a special function, such as a personal digital assistant, a cellular phone, or a monitor display, among others. The multiplicity also includes any piece of content 306, such as sound, graphics, animation, video, or other pieces of data or information. The multiplicity further includes applications 308, which are programs designed to assist in the performance of a specific task, such as word processing, accounting, or inventory management. Applications 308 are compositions of one or more services. The multiplicity yet further includes people 310. The people 310 are those individuals wishing to gain access to the distributed operating system 302 to use resources, such as devices 304, pieces of content 306, and applications 308.
Devices 304, content 306, applications 308, and people 310 can be abstracted as autonomous computation entities called services that exchange messages according to protocols, which are defined by each service. Services can be local to a computer system but can also be located at a remote computer system. Services can be accessed through a single trust domain but can also be accessed through another trust domain with its own security policy. Services can be discoverable through a directory service but can also be discovered by services that are not directory services.
The distributed operating system 302 unifies devices 304, content 306, applications 308, and people 310 to create a computing environment for composing services, and allows the discovery of services and the composition of services. Devices 304, content 306, applications 308, and people 310 are loosely coupled to the distributed operating system 302. Yet, the distributed operating system 302 can compose, arrange, or combine various pieces of the multiplicity. Each piece of the multiplicity 304-310 need not be known a priori by the distributed operating system 302, but each piece is preferably discoverable so that the distributed operating system 302 can compose, arrange, or combine to create the desired functionality. This unifying effect of the distributed operating system 302 allows every piece in the multiplicity to know how to communicate to every other one regardless of how diverse one piece of the multiplicity might be. Because devices 304, content 306, applications 308, and people 310 can be unified, each of them can be located locally or dispersed remotely and yet all of them can communicate with one another.
These primitives are capable of being applied at various levels, such as a retrogression to a less complex level of organization or a progression to a more complex level of organization: at a file containing a piece of content 306; at a device among devices 304, which can be either internal or external to a computer system; at an application among applications 308; at a computer system; across a home or an office; across an entire neighborhood or multiple offices of an organization; and across the entire world. This retrogression and progression is made possible by the use of a combination of these primitives everywhere.
Ports of services are endued with behavioral types, which are specified by the unilateral contracts. An exemplary communication mechanism of the distributed operating system 302 is through programmatically wired ports. Wired ports are possible if the behavior type of one port (of a service) is compatible with the behavior type of another port (of another service). When ports are programmatically wired to each other, which are identifiable by URIs 310A-1, 310B1, operating system services 310A, 310B communicate by sending messages to each other. Unilateral contracts 310A-2, 310B-2 are expressed in a language specifying an order of messages which flow in or out of operating system services 310A, 310B. By the use of messages, resources distributed in multiple trust domains, each with its own security policy, can communicate with one another.
Sharing of resources is possible through interaction in a compatible way with the behaviors of the resources. Behaviors of resources (represented by services) are expressed in unilateral contracts. For example, a file can be a service. A service can be regulated by a unilateral contract. Thus, one can attach behavioral conditions to files via unilateral contracts to govern access control. A read-only file should behave differently from a file available for both reading and writing. It is preferred to represent each file type through separate unilateral contracts. A read-only file unilateral contract may include the following behavioral expression: REC F (read.F+drop).0, whereas a read-write file's unilateral contract has the following behavioral expression: REC F (read.F+write.F+drop).0. In parsing the behavioral expressions, the term REC F indicates a recursion on a behavior phrase F; the behavior phrase F indicates the behavior expressions inside the pairs of parentheses; the verb “read” indicates a read operation; the period symbol “.” denotes a sequence in which the behavior phrase before the period symbol occurs and after which the behavior phrase following the period symbol will then occur; the plus sign symbol “+” indicates a choice between one or more behavior phrases; the verb “write” indicates a write operation; the verb “drop” indicates the termination of the communication between two services; and the zero symbol “0” denotes the termination of the behavior expression.
A portion of the unilateral contract 310A-2 is illustrated in
Lines 310A-8-310A-9 contain the behaviors of the operating system service 310A. Line 310A-8 contains a behavior sentence: B=OPEN.BPR, where B is a behavior rule; OPEN denotes that the OPEN operation is the first operation to be invoked in using the operating system service 310A; the period “.” denotes that additional behaviors are to follow the invocation of the OPEN operation; BPR refers to a second behavior sentence defined further on line 310A-9. Line 310A-9 contains the following behavioral sentence: BPR=PLAY.BPR+RECORD.BPR+CLOSE, where BPR denotes the second behavior; PLAY.BPR denotes the invocation of the PLAY operation, which is then followed by the second behavior again (a recursion); RECORD.BPR denotes the invocation of the RECORD operation, which is then followed, recursively, by the second behavior; CLOSE denotes the invocation of the CLOSE operation; and the plus signs “+” denote choices that other services, such as the operating system service 310B, can make to invoke among the PLAY operation, the RECORD operation, or the CLOSE operation.
A portion of the unilateral contract 310B-2 is illustrated in
Lines 310B-7-310B-8 contain the behaviors of the operating system service 310B. Line 310B-7 contains a behavior sentence: B=OPEN.BP, where B is a behavior rule; OPEN denotes that the OPEN operation is the first operation to be invoked in a session with the operating system service 310B; the period “.” denotes that the additional behaviors are to follow the invocation of the OPEN operation; and BP refers to a second behavior sentence defined further on line 310B-8. Line 310B-8 contains the following behavioral sentence: BP=PLAY.BP+CLOSE, where BP denotes the second behavior; PLAY.BP denotes the invocation of the PLAY operation, which is then followed by the second behavior again (a recursion); CLOSE denotes the invocation of the CLOSE operation; and the plus sign “+” denotes choices that an external service, such as the operating system service 310A, can make to invoke among the PLAY operation and the CLOSE operation.
The unilateral contract 310A-2, when accepted by the operating system service 310B, and the unilateral contract 310B-2, when accepted by the operating system service 310A, creates an instance of communication between the operating system service 310A and the operating system service 310B. Each unilateral contract 310A-2, 310B-2 cannot be accepted by the operating system services 310A, 310B by a mere promise to perform, but preferably by the performance of unilateral contracts 310A-2, 310B-2 in accordance with the behaviors expressed in those unilateral contracts. Thus, if the operating system service 310B complies with and performs the behaviors as expressed by behavior sentences 310A-8, 310A-9 of the unilateral contract 310A-2, the operating system service 310B is bound to provide the promised services. For example, if the operating system service 310B has performed by first invoking the OPEN operation as specified by the behavioral sentence 310A-8 and then either invoking the PLAY operation or the RECORD operation or the CLOSE operation as specified by the behavioral sentence shown on line 310A-9, then the operating system service 310A complies with the requested invocations to provide the desired services, such as opening a file, playing the content of the file, recording content into a file, or closing the file.
Web Service Application Protocol and SOAP Processing Model
An exemplary protocol for using web services is the web services application protocol (WSAP), that, among other things, formally represents the state and behavior of a service via a port (e.g., URI), whereby the entities in a service may be contacted directly for interaction. In other words, unlike other protocols, WSAP describes the behaviors of a web service in a formalized manner, e.g., with each behavior of a service having its own port. The WSAP protocol also facilitates the usage of intermediaries by defining shared semantics on verbs, which identify what a message is, what the processing of message is, and how it affects the state/behavior of the receiver. Further, the ordering of messages and operations provides context to what is occurring.
In general, anytime the behaviors (or states) of a service's logical entities diverge, WSAP allows the service to give each behavior/state its own port (e.g., an identity such as URI). In this way, the client can communicate directly with the logical entity within the service that controls the behavior/state. By way of example, consider a web service that provides access to a storage device such as a hard disk drive. Traditionally, after opening a file via a file system and receiving a file handle, to read and write data to the open file, the client would send the file handle to the file system. With WSAP, instead of returning a file handle, an arbiter service returns a URI to another logical entity (another service) of the web service that provides access to the behavior (the operation to perform) on the appropriate state (the data). In this example, with WSAP the client would receive a port for writing (e.g., using a suitable XML schema) to allowed locations on the storage medium itself, and another port for reading from the storage medium, without again going through the arbiter. Note that a read operation corresponds to one behavior of a storage medium, and thus may have a different URI from a write operation, which corresponds to another behavior. As can be appreciated, this model of data access is more efficient than going to a file system controller for each operation, particularly if the file system would otherwise be a bottleneck.
Moreover, in addition to the WSAP's clear interaction points in the form of ports that expose state and behavior, WSAP messages use shared semantics that describe what can be done on the interaction point. The semantics comprise shared message verbs that are separate from the possibly proprietary) message details, allowing any arbitrary intermediary to observe, to a known extent, what is taking place, while leaving the message contents secure.
Message ordering can also serve to provide context to an observer. For example, each service may define which WSAP operations it accepts, and in which order. Further, the communication with each port ordinarily identifies the behavior that is being requested, since each behavior may be assigned its own port. These interaction patterns between service ports, which in fact may be maintained as a list of ports, provide a readily observable directory of what WSAP operations occurred, and in what order they occurred.
As a result, an intermediary can process exchanged messages to add value to communications. For example, when it is known from the requested operation type and/or known URI that a message will not change the state of a resource, an intermediary such as a cache service can safely read data from its own cache to satisfy the request, rather than invalidate the cache and pass the message (to another service) to access other storage media. Note that the intermediate cache service need only know the operation type from the protocol's semantics, or the URI if known to be to a read-only service, and not the internal contents of the message, which may remain secure (and indeed may have been encrypted via another intermediary service). Examples of such read-like operations in WSAP in which no state changes are involved include operations referred to using the shared semantics of QUERY or GET. Such operations each have the characteristic of being safe, essentially meaning read-only access is sufficient to satisfy the operation request, and idempotent, essentially meaning that the same operation can be repeated indefinitely without changing state. Note that a cache is only one example of such an intermediary, and an intermediary can be any other service as appropriate, e.g., a load balancer, data compressor, replication service, encryption/decryption mechanism, and so forth.
Moreover, because of behaviors having their own ports, a SOAP processing model is provided that defines how to compose multiple web services to run in parallel or sequentially. The model allows the implementation of several services, such as the SOAP-aware serializer, to serialize or deserialize the header and body of a given SOAP message concurrently. This allows services that depend upon parts of the SOAP envelope to unblock whenever a header that a service cares about is available. Note that when two communicating parties are co-located, e.g., on the same device, the forwarding and transport services do not serialize the SOAP envelope for performance reasons.
In a distributed programming model, a basic programming primitive is a lightweight port, comprising an unordered collection of messages that can be used to store state and effect communication. Items are stored by reference, and ports support (at least) two primitive operations: Post( ) and Get( ). Posting an item, such as a class instance, buffers the reference and returns immediately. Retrieving an item based on a supplied key can block if no item with the key has been posted by the remote service. Although ports can be used directly by services, they are typically used within the context of a port collection that associates a specific message type with each port in the collection. Port collections can be created with a fixed or a dynamic set of supported message types depending on the flexibility needed, but from a programmer's point of view, a port collection is simply a typed port.
Using strictly port communication, service code can implement critical sections and complicated I/O protocols and produce a very concurrent processing model. To this end, as described further below, WSAP communicates with a web service, in which a client consumer requests a server provider to perform some service for the client, and provide the client with an appropriate response. As will be understood, however, the general web service model is not limited to a server running software for a client, but applies to any resource that a client wants to access, e.g., the uniform service model supported by WSAP can be used to model files, devices, services, and people. For example, hardware may be componentized to an extent, and in many ways will be virtually indistinguishable from software-oriented web services, in that a user may select a set of hardware components and interconnect them to perform a computing task. As long as each device obeys the communication protocols (and the appropriate amount of bandwidth is available), virtually any authorized device will be able to communicate with another device to use its resources.
As with other web services, WSAP-capable services operate by offering a contract in response to a contract request, as represented in
WSAP is a SOAP-based protocol useful in a distributed computing environment that defines a web service in terms of identity, state, and a set of operations that can be used according to the behavior of the service. This effectively enables services and their state to be operated upon in a consistent and observable manner. In WSAP, a behavioral web service is an abstract notion of a process that has an identity and a behavior. This concept is abstract in the sense that it can apply to many different application models and namespaces. WSAP defines one such application model which has been designed to scale to the internet at large, but many other application models are possible.
The notion of identity in WSAP is similar to that of a resource identified by a URI in the traditional web model, namely anything that has identity. The purpose of identity is to enable a service to differentiate itself from other services that may exist within the same namespace. The scope of WSAP web services may be the internet, which means that DNS or IP is the naming authority for the URI “authority” component, although in more a limited scope such as within a device or limited network, another naming authority is feasible.
Each WSAP web service has a unique identity or URI. As with any other URI (such as on the web), no semantic knowledge is obtained based on the URI alone, and similarly, a relationship (e.g., a containment relationship) between two WSAP web services cannot be deduced from their URIs. In WSAP, URIs may be either relative or absolute. If a URI is relative then its base is determined by XML Base. WSAP does not place any limit on the length of a URI, and thus any WSAP receiver needs to be able to handle the length of any URI that it publishes; WSAP implementations should be able to deal with URIs of at least two kilobytes in length.
The interaction between services (which can be thought of as a protocol) is the behavior of a service, and can be formally described as a behavioral type, with the contract being the description of a service using behavioral types. A service can be implemented in any number of ways, as long as it conforms to the contract it claims to implement. Note that in WSAP, a contract is a service like essentially everything else, whereby contracts are identified by ports (e.g., URIs) and can be operated on as any other service, according to its contract.
The notion of behavior is based on how a service interacts with its environment in terms of the sequence of message types that it generates and accepts. Behavior enables a service to differentiate its particular behavior from the behavior of other services that may exist within the same namespace, and behavior is relative to the set of possible behaviors defined for a particular namespace in which the service is defined. In other words, behavior is a distributed state machine exposed by the service. Thus, by including the interactions of those resources or services with other services, behavior augments the current web model for identifying resources. Two services need to have compatible behaviors to communicate; that is, they must compose. If the behavior of a service is not known by another service, this implies that the two services cannot interact, which is similar to the web model of a resource wherein a URI cannot be dereferenced because the mechanism for doing so is unknown to the holder of that URI.
Exemplary EmbodimentsThe exemplary embodiments described herein can be used in a distributed operating system, such as the one described above, and use a protocol, such as WSAP, described above, though the invention can be implemented in any appropriate system using any appropriate protocol, and is not limited to a distributed operating system and/or WSAP.
A web service in accordance with the present invention may comprise components such as a location, a behavior, and semantics. For example, a service may include a designation primitive, a behavioral primitive that comprises a unilateral contract, and a communication primitive. An exemplary system may include a distributed operating system for orchestrating the services executing on a computer system so as to control and coordinate resources.
Exemplary web services include a data service and a stateless control service. For example, a data service and a stateless control service may run on a single node, such as a computing device. A block diagram of an exemplary system with nodes and web services is shown in
Each computing device preferably comprises a stateless control service and a data service, though other services and arrangements are contemplated, and the general term “web service” is shown in
Each web service, residing on an associated computing device, may have an associated reputation. Although the web services should be identical, and hence have identical reputations, there may be instances in which this is not the case. For example, a web service may be affected by a virus, in which case, it gives incorrect results, or results that are not in sync with what the other web services would generate. Thus, a client may desire to access the web service having the highest or best reputation to be ensured of a greater degree of accuracy and confidence. Thus, the client 500 may check the reputation of each potential web service, and then select which one to attach to, or select which one's result to use (e.g., the client 500 will use the result of the web service having the highest reputation).
As described herein, multiple, identical copies of desired web services (e.g., web services 515, 525, 535) may be run across computing devices (e.g., devices 510, 520, 530 in a distributed operating system) to provide reliability in the face of failure in any one node (which may be considered to be resident on, or coincident with, an associated computing device). By running multiple copies of these services, the services may vote amongst themselves on the results in the event that one or more of the services starts giving incorrect or otherwise inconsistent results. Such results can be from sickness in the underlying hardware, or via a malicious virus infecting one of the nodes, for example. Desirably, an odd-numbered copy of services is used in scenarios involving voting, in order to prevent voting deadlocks or ties. However, other methods of determining the preferred result may be used, such as considering additional factors like the reputation of the particular web service, how long the particular web service has been active, and how many inward links exist to the particular web service.
The result that is most prevalent is determined to be the accurate or “correct” result, at step 720, and this result is reported back to the calling party or client device. For example, if web service 515 and 525 each determined the result to a client's request to be “1” and if web service 535 determined the result to the same request to be “2”, the result of “1” would be most prevalent (two result occurrences of “1” versus one result occurrence of “2”), and this result would be reported back to the client.
By combining this voting with reputation data associated with each copy of the web service, a service's reputation can be dynamically adjusted, at step 730, based upon how faithfully it computes the results of work items (e.g., messages) sent to it. For example, a service which has been taken over by a virus may still have the desired cryptographic keys to communicate to its brethren nodes; however, any variance from its contract will desirably result in a decrement to its reputation. Continuing with the example in which web service 515 and 525 each determined the result to a client's request to be “1” and web service 535 determined the result to the same request to be “2”, because web service 535 got the less popular, and hence incorrect, answer, the reputation of web service 535 is decreased. Moreover, the reputations of web services 515 and 525 may be increased because they got the correct result. It is contemplated that other factors may affect a web service's reputation, such as responsiveness, latency, and uptime.
Once a web service on a particular node passes a certain reputation threshold (meaning that the web service's reputation has decreased beyond a predetermined acceptable level), the system can fail over to healthy node, shun the poorly behaving service, cut off its life support (e.g., scheduling, memory management), kill it, and/or restart the service on a known good node. Thus, a trustworthy system can be created from multiple untrusted sources. With respect to
Thus, each of the web services, when in communication with each other, may check and compare their respective results with each others' results. Based on these results, the services vote to determine which result is “correct”. Each service's reputation is then adjusted based on how its result compared to the “correct” result. It is noted that a positive feedback loop is desirably created. A larger community of service reputations leads to greater overall trust, which attracts a larger community of services, which increases the overall trust in the composite system.
In a typical computing system, resources are scarce and must be allocated appropriately. Not every web service would be considered “worthy” or “important” enough to warrant providing and executing multiple redundant copies across computing devices, in such a scarce resource environment.
At step 800, a web service is monitored at runtime. It is determined how many resources the service requests at step 810, and how many inward links exist to the web service, at step 820. The results of steps 810 and 820 are considered and compared to a threshold value, at step 830. Based on the comparison to the threshold value, it is determined whether or not to create multiple redundant copies of the web service. If so, then the multiple redundant copies are created on various computing devices, at step 840.
Services can be intermediaries for other services. A first tier of services may be controlled by a second tier of services, for example. Thus, multiple tiers of services may be implemented into an exemplary computing system. The services on a given node compete for resources (memory and bandwidth) which are allocated by a local scheduler. For example, multiple first-tier nodes vote for an elected second-tier leader node which is responsible for allocating competing resources across the multiple first-tier nodes. Depending upon the depth of the service composition, the second-tier leaders may elect third tier leaders as desired.
CONCLUSIONThe subject matter is described with specificity to meet statutory requirements. However, the description itself is not intended to limit the scope of this patent. Rather, the inventors have contemplated that the claimed subject matter might also be embodied in other ways, to include different steps or combinations of steps similar to the ones described in this document, in conjunction with other present or future technologies. Moreover, although the term “step” may be used herein to connote different elements of methods employed, the term should not be interpreted as implying any particular order among or between various steps herein disclosed unless and except when the order of individual steps is explicitly described.
The various systems, methods, and techniques described herein may be implemented with hardware or software or, where appropriate, with a combination of both. Thus, the methods and apparatus of the present invention, or certain aspects or portions thereof may take the form of program code (i.e., instructions) embodied in tangible media, such as floppy diskettes, CD-ROMs, hard drives, or any other machine-readable storage medium, wherein, when the program code is loaded into and executed by a machine, such as a computer, the machine becomes an apparatus for practicing the invention. In the case of program code execution on programmable computers, the computer will generally include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and at least one output device. One or more programs are preferably implemented in a high level procedural or object oriented programming language to communicate with a computer system. However, the program(s) can be implemented in assembly or machine language, if desired. In any case, the language may be a compiled or interpreted language, and combined with hardware implementations.
The methods and apparatus of the present invention may also be embodied in the form of program code that is transmitted over some transmission medium, such as over electrical wiring or cabling, through fiber optics, or via any other form of transmission, wherein, when the program code is received and loaded into and executed by a machine, such as an EPROM, a gate array, a programmable logic device (PLD), a client computer, a video recorder or the like, the machine becomes an apparatus for practicing the invention. When implemented on a general-purpose processor, the program code combines with the processor to provide a unique apparatus that operates to perform the functionality of the present invention.
While the present invention has been described in connection with the preferred embodiments of the various figures, it is to be understood that other similar embodiments may be used or modifications and additions may be made to the described embodiments for performing the same functions of the present invention without deviating therefrom. Therefore, the present invention should not be limited to any single embodiment, but rather construed in breadth and scope in accordance with the appended claims.
Claims
1. A web service system, comprising:
- a first computing device having a first web service with a first reputation; and
- a second computing device having a second web service with a second reputation;
- the first and second computing devices each adapted to: receive a request and determine a first and second result, respectively; determine a preferred result based on the determined first and second results; adjust the first reputation if the first result is inconsistent with the preferred result; and adjust the second reputation if the second result is inconsistent with the preferred result.
2. The system of claim 1, wherein the second web service is a second, independent instance of the first web service.
3. The system of claim 1, wherein the first web service is de-activated if the first reputation exceeds a first threshold, and the second web service is de-activated if the second reputation exceeds a second threshold.
4. The system of claim 1, further comprising a client that sends the request to the first and second computing devices, the client connected within a distributed operating system.
5. The system of claim 4, wherein the client polls the first and second web services for their respective reputations, and attaches to one of the web services based on their respective reputations.
6. A method comprising:
- sending a request to a web service system, wherein the web service system comprises a plurality of web services;
- receiving data from each of the plurality of web services, wherein the data indicates a respective reputation of each of the plurality of web services;
- analyzing the respective reputations to determine a particular one of the plurality of web services having a sufficient reputation; and
- establishing a connection with the particular one of the plurality of web services;
- wherein the method is implemented by a client device.
7. The method as recited in claim 6, wherein for each of the plurality of web services, the respective reputation is determined based, at least in part, on a result generated by the web service in response to the request.
8. The method as recited in claim 6, wherein the web service determined to have a sufficient reputation is the web service determined to have the best reputation of the plurality of web services.
9. The method as recited in claim 6, wherein a particular one of the plurality of web services determined to have a reputation below a minimum threshold is deactivated.
10. The method as recited in claim 6, wherein each of the plurality of web services comprise a distinct copy of the same web service.
11. The method as recited in claim 6, wherein:
- a first web service of the plurality of web services generates a result in response to the request;
- a second web service of the plurality of web services generates a result in response to the request; and
- the respective reputations of the first and second web services are determined based, at least in part, on a comparison of the results generated by the first and second web services in response to the request.
12. The method as recited in claim 6, wherein:
- each of the plurality of web services generates a result in response to the request;
- a correct result is determined; and
- the respective reputations of each of the plurality of web services is determined based, at least in part, on a comparison of the respective results generated by each of the plurality of web services and the correct result.
13. The method as recited in claim 12, wherein, the correct result is determined to be the result generated in response to the request by the greatest number of the plurality of web services.
14. The method as recited in claim 12, wherein, the reputation is negatively adjusted for each of the plurality of web services that generates a result in response to the request that is not the correct result.
15. The method as recited in claim 12, wherein, the reputation is positively adjusted for each of the plurality of web services that generates a result in response to the request that is equal to the correct result.
16. One or more non-volatile computer-readable media comprising computer-executable instructions that, when executed, direct a web service system to:
- associate respective reputations with each of a plurality of web services;
- receive a client request such that the client request is received by each of the plurality of web services;
- determine a correct response to the client request;
- validate the respective reputations by comparing responses to the client request from each of the plurality of web services with the correct response, such that for a web service providing a response to the client request that does not match the correct response, the respective reputation is reduced; and
- establish a connection between the client and a particular one of the plurality of web services, wherein the particular one of the plurality of web services has a sufficiently positive reputation.
17. The one or more non-volatile computer-readable media as recited in claim 16, wherein each of the plurality of web services comprises a distinct, independent copy of a single web service.
18. The one or more non-volatile computer-readable media as recited in claim 16, further comprising computer-executable instructions that, when executed, direct the web service system to deactivate any of the plurality of web services for which the respective reputation is reduced to be below a reputation threshold.
Type: Application
Filed: Nov 26, 2007
Publication Date: Mar 20, 2008
Applicant: Microsoft Corporation (Redmond, WA)
Inventors: George Moore (Redmond, WA), Georgios Chrysanthakopoulos (Seattle, WA), Henrik Nielson (Hunts Point, WA)
Application Number: 11/945,188
International Classification: G06F 15/16 (20060101);