Victoria Ungureanu

Law-governed interaction: a coordination and control mechanism for heterogeneous distributed systems

Software technology is undergoing a transition form monolithic systems, constructed according to a single overall design, into conglomerates of semiautonomous, heterogeneous, and independently designed subsystems, constructed and managed by different organizations, with little, if any, knowledge of each other. Among the problems inherent in such conglomerates, none is more serious than the difficulty to control the activities of the disparate agents operating in it, and the difficulty for such agents to coordinate their activities with each other. We argue that the nature of coordination and control required for such systems calls for the following principles to be satisfied: (1) coordination policies need to be enforced: (2) the enforcement needs to be decentralized; and (3) coordination policies need to be formulated explicitly—rather than being implicit in the code of the agents involved—and they should be enforced by means of a generic, broad spectrum mechanism; and (4) it should be possible to deploy and enforce a policy incrementally, without exacting any cost from agents and activities not subject to it. We describe a mechansim called law-governed interaction (LGI), currently implemented by the Moses toolkit, which has been designed to satisfy these principles. We show that LGI is at least as general as a conventional centralized coordination mechanism (CCM), and that it is more scalable, and generally more efficient, then CCM.

Regulated Coordination in Open Distributed Systems

Modern distributed systems tend to be conglomerates of heterogeneous subsystems, which have been designed separately, by different people, with little, if any, knowledge of each other. A single agent operating within a hybrid system of this kind may have to coordinate its activities with members of several such subsystems, under different coordination policies. To support coordination in such hybrid systems, we introduce in this paper a new concept of regulated coordination that allows a single agent to engage in several different activities, subject to disparate policies. Coordination policies are enforced to ensure compliance with them by all participants. We introduce a toolkit called Moses that can support a wide range of useful coordination policies of this kind, in an efficient and unified manner.

Formal treatment of certificate revocation under communal access control

The conventional approach to distributed access control (AC) tends to be server-centric. Under this approach, each server establishes its own policy regarding the use of its resources and services by its clients. The choice of this policy, and its implementation, are generally considered the prerogative of each individual server. This approach to access control may be appropriate for many current client-server applications, where the server is an autonomous agent, in complete charge of its resources. It is not suitable for the growing class of applications where a group of servers, and sometimes their clients, belong to a single enterprise, and are subject to the enterprise-wide policy governing them all. One may not be able to entrust such an enterprise-wide policy to the individual servers, for two reasons: first, it is hard to ensure that an heterogeneous set of servers implement exactly the same policy. Second, as demonstrate, an AC policy can have aspects that cannot, in principle, be implemented by servers alone. As argued in a previous paper (Minsky, 2000), what is needed in this situation is a concept of communal policy that governs the interaction between the members of a distributed community of agents involved in some common activity along with a mechanism that provides for the explicit formulation of such policies, and for their scalable enforcement. We focus on the communal treatment of expiration and revocation of the digital certificates used for the authentication of the identity and roles of members of the community.

Effective load balancing for cluster-based servers employing job preemption

A cluster-based server consists of a front-end dispatcher and multiple back-end servers. The dispatcher receives incoming jobs, and then decides how to assign them to back-end servers, which in turn serve the jobs according to some discipline. Cluster-based servers have been widely deployed, as they combine good performance with low costs. Several assignment policies have been proposed for cluster-based servers, most of which aim to balance the load among back-end servers. There are two main strategies for load balancing: The first aims to balance the amount of workload at back-end servers, while the second aims to balance the number of jobs assigned to back-end servers. Examples of policies using these strategies are Dynamic and LC (Least Connected), respectively. In this paper we propose a policy, called LC*, which combines the two aforementioned strategies. The paper shows experimentally that when preemption is admitted (i.e., when jobs execute concurrently on back-end servers), LC* substantially outperforms bothDynamic and LC in terms of response-time metrics. This improved performance is achieved by using only information readily available to the dispatcher, rendering LC* a practical policy to implement. Finally, we study a refinement, called ALC* (Adaptive LC*), which further improves on the response-time performance of LC* by adapting its actions to incoming traffic rates.

Making tuple spaces safe for heterogeneous distributed systems

Abstractly speaking, the law Lof a policy is a functionthat returns a ruling for every possible regulated-event thatmight happen at a given agent. The ruling returned by thelaw is a possibly empty sequence of primitive operations,which is to be carried out locally at the location of the eventfrom which the ruling was derived (called the home of theevent). (By default, an empty ruling implies that the eventin question has no consequences—such an event is effectivelyignored.)Concretely, under the Moses implementation of LGI, thelaw is defined by means of a Prolog-like program 3 Lwhich,when presented with a goal e, representing a regulated-eventat a given agent x, is evaluated in the context of the control-state of this agent, producing the list of primitive-operationsrepresenting the ruling of the law for this event. Beforeintroducing the structure of such laws we define the types ofevents that are regulated by laws under Moses, the structureof an agent’s control-state, and the primitive operations thatcan be included in the ruling of a law.The Regulated Events:The events that are subject to thelaw of a policy are called regulated events. Each of theseevents occurs at a certain agent, called the home of theevent. The following are two of these event-types.1. sent(x,m,y)—occurswhen agent xsends an L-messagemaddressed to y. The sender xis considered the homeof this event.2. arrived(x,m,y)—occurswhen an L-message msent byxarrives at y. The receiver yis considered the homeof this event.The Control State: The control-state CS

Establishing Business Rules for Inter-Enterprise Electronic Commerce

Conventional mechanisms for electronic commerce provide strong means for securing transfer of funds, and for ensuring such things as authenticity and non-repudiation. But they generally do not attempt to regulate the activities of the participants in an e-commerce transaction, treating them, implicitly, as autonomous agents. This is adequate for most cases of client-to-vendor commerce, but is quite unsatisfactory for inter-enterprise electronic commerce. The participants in this kind of e-commerce are not autonomous agents, since their commercial activities are subject to the business rules of their respective enterprises, and to the preexisting agreements and contracts between the enterprises involved. These policies are likely to be independently developed, and may be quite heterogeneous. Yet, they have to interoperate, and be brought to bear in regulating each e-commerce transaction. This paper presents a mechanism that allows such interoperation between policies, and thus provides for inter-enterprise electronic commerce.

Building reconfiguration primitives into the law of a system

Given a certain class C of reconfigurations, deemed to be potentially important for a given system, we define a reconfiguration suite S/sub c/ to be a set of primitive operations that satisfy the following conditions: any reconfiguration in C can be carried out by a sequence of primitives from S/sub c/. The correctness of S/sub c/ should be independent of the functionality of the system, and invariant of its reconfigurations (for a given set of possible configurations of the system at hand). We describe a mechanism for implementing such reconfiguration suites, for a system that operates under law-governed interaction (LGI), currently supported by an experimental toolkit called Moses. LGI is a mode of interaction between the members of a given group (or system) of agents, which is governed by an explicit and strictly enforced set of rules, called the law of this group. The existence of such a law under LGI provides us with an architectural model of the system, which can be made to include the definition of reconfiguration suites.

Deferred Assignment Scheduling in Cluster-Based Servers

This paper proposes a new scheduling policy for cluster-based servers called DAS (Deferred Assignment Scheduling). The main idea in DAS is to defer scheduling as much as possible in order to make better use of the accumulated information on job sizes. In broad outline, DAS operates as follows: (1) incoming jobs are held by the dispatcher in a buffer; (2) the dispatcher monitors the number of jobs being processed by each server; (3) when the number of jobs at a server queue drops below a prescribed threshold, the dispatcher sends to it the shortest job in its buffer.To gauge the efficacy of DAS, the paper presents simulation studies, using various data traces. The studies collected response times and slowdowns for two cluster configurations under multi-threaded and multi-process back-end server architectures. The experimental results show that in both architectures, DAS outperforms the Round-Robin policy in all traffic regimes, and the JSQ (Join Shortest Queue) policy in medium and heavy traffic regimes.

Scalable Regulation of Inter-enterprise Electronic Commerce

In the current electronic-commerce literature, a commercial transaction is commonly viewed as an exchange between two autonomous principals operating under some kind of contract between them--which needs to be formalized and enforced. But the situation can be considerably more complex in the case of inter-enterprise (also called business-to-business, or B2B) commerce. The participants in a B2B transaction are generally not autonomous agents, since their commercial activities are subject to the policies of their respective enterprises.It is our thesis, therefore, that a B2B transaction should be viewed as being governed by three distinct policies: the two policies that regulate the activities of the two principals, while operating as representatives of their respective enterprises, and the policy that reflects the contract between the two enterprises. These policies are likely to be independently developed, and may be quite heterogeneous. Yet, they have to interoperate, and must all be brought to bear in regulating each B2B transaction. This paper presents a mechanism for formulating such interoperating policies, and for their scalable enforcement, thus providing for regulated inter-enterprise electronic commerce.

Law-Governed Internet Communities

We consider the problem of coordination and control of large heterogeneous groups of agents distributed over the Internet in the context of Law-Governed Interaction (LGI) [2][5]. LGI is a mode of interaction that allows a group of distributed heterogeneous agents to interact with each other with confidence that an explicitly specified policy, called the law of the group, is complied with by everyone in the group. The originalLGI model5. supported only explicit groups, whose membership is maintained and controlled by a central server. Such a central server is necessary for applications that require each member of the group to know about the membership of the entire group. However, in the case where members do not need to know the membership of the entire group, such a central server can become an unnecessary performance bottleneck, as group size increases, as well as a single point of failure. In this paper, we present an extension to LGI allowing it to support implicit groups, also called communities, which require no centralcon trol of any kind, and whose membership does not have to be regulated, and might not be completely known to anybody.