From: Ali Younis Date: Sun, 9 Oct 2016 08:38:12 +0000 (-0700) Subject: Changes X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=20959f0d99a19ae367166d36556aa1764d25e7b7;p=iotcloud.git Changes --- diff --git a/version2/doc/iotcloud.tex b/version2/doc/iotcloud.tex index ce1142f..b63cbb2 100644 --- a/version2/doc/iotcloud.tex +++ b/version2/doc/iotcloud.tex @@ -94,142 +94,132 @@ \section{\textbf{Introduction}} -\section{\textbf{Approach}} +\section{\textbf{Device Approach}} \subsection{\textbf{Records}} Each record has the following information included in it: \begin{itemize} \item Machine ID of the device creating the record \item The vector clock using the largest clock values from each device it knows and its own largest clock value incremented by 1. - \item Add a random salt (or nonce) for the encryption safety \item Data payload \item HMAC of the record. \end{itemize} - +Records can be identified by the machine ID and the local machine clock, hereby referred to as the record ID. \subsubsection{\textbf{Types of Payloads}} The different types of record payloads are: \begin{itemize} - \item Delete notifications + + \item Transactions \begin{itemize} - \item Contains the HMAC of records that were deleted by devices, Their vector clocks and the server sequence numbers. - \item Generated when a device deletes a record. - \item The delete notification with the largest server sequence number in its delete payload is the live one (the one that contains the largest server sequence number of the record deleted to date). + \item Contains: + \begin{itemize} + \item Transaction ID + \item key-value pair gets (reads) + \item A guard condition (boolean condition) that can be evaluated on the key-value gets. + \item A set of key-value pairs that are to be updated if the guard condition is met. + \item Can only get and set key-value pairs that are from 1 arbitrator. Getting and/or setting key-value pairs from more than 1 arbitrator causes the transaction to be invalid and dead. + \end{itemize} \end{itemize} \item Commit notifications \begin{itemize} - \item Contains list of transactions that are committed in order of commit and the current key-value pair for that key. - \item Generated by the arbitrator of a key and only the for that key (1 arbitrator per key). - \item Used in the case that there is a key value pair that needs reordering. + \item Contains the commit of a single transaction, the whole transaction. + \item There is 1 commit per transaction. + \item Generated by the arbitrator for the set of key-value gets and sets in the transaction. \end{itemize} \item Abort notifications \begin{itemize} \item Contains a transaction ID of an aborted transaction and the machine ID of the device that created that transaction. - \item Causes a transaction to be aborted. - \end{itemize} - \item Abort acknowledgement notifications - \begin{itemize} - \item Contains a transaction ID of an aborted transaction, the machine ID of the device that created that transaction and the abort notification ID that this is acknowledging. - \item Causes an abort notification to become dead. - \item Is generated by the device that had created an aborted transaction as an acknowledgement that it saw the aborted transaction notification. - \item This payload type immediately becomes dead (not live) upon insertion into the data structure. + \item Causes a transaction to be aborted, key-values not used in updates. \end{itemize} \item Data structure re-size notifications \begin{itemize} \item Contains new size of data structure (number of record allowed in the data structure or something like that). - \item Causes old data Structure re-size notification to no longer be live. \end{itemize} - \item Server sequence number for a specific record notifications + \item Server sequence number confirmations. \begin{itemize} - \item Contains a record HMAC and the server sequence number for that record + \item Contains a record ID and the server sequence number for that record that the server reported. + \item Created by any device if that device finds a record with a server sequence number that does not have a server sequence number conformation yet. \end{itemize} - \item Transactions + \item Delete notifications \begin{itemize} - \item Contains: - \begin{itemize} - \item Transaction ID - \item A guard condition that can be evaluated - \item A set of key-value pairs that are to be updated if the guard condition is met. - \end{itemize} + \item Contain the server sequence number of the record that was deleted. + \item Generated when a device deletes a record. \end{itemize} \end{itemize} +\subsection{\textbf{Pulling the data structure}} +To pull the latest version of the data structure the following is done: +\begin{enumerate} + \item Make a pull request to the server and get all the records sent back. + \item Separate the records by machine ID. + \item For each machine ID, order the records based on that machine IDs clock within each of the records. + \item Check the data structure for any malicious activity (discussed below) +\end{enumerate} -\subsection{\textbf{Updates (Online Updates)}} +\subsection{\textbf{Updates}} Updates take place as follows: \begin{enumerate} \item A device pulls the latest version of the data structure. If the device cannot pull the latest version because of network connectivity or some other issues then that device will just work using the local copy of the data structure it has. + \item Check the pulled data structure for any malicious activity (as stated in a section below) if not done already. + \item Check if any records in the current server need to be deleted (have delete notifications in data structure but the delete never took place), if so then delete them. + \item Check that the size of the data structure will not exceed the max size when the new record is inserted. If it does then prepare to delete records by inserting delete payloads in the new record (discussed below). \item The device makes a record as follows: \begin{enumerate} \item Adds its machine ID. \item Creates a vector clock using the largest clock values from each device it knows and its own largest clock value incremented by 1. - \item Add a random salt (or nonce) for the encryption safety - \item Fill the record data section with the transactions, key-value pairs, ext. - \item Fill the remainder of the data section with rescued key-value pairs, transactions, ext (Discussed later). + \item Fill the record payload section with the transactions and other types of payloads. + \item Fill the empty space of the record payload with server sequence number confirmations for records that have yet to have their server sequence numbers confirmed. + \item Fill the empty space of the record payload with rescued key-value pairs, transactions, ext (Discussed later). \item Pad the record to be the same size for all records. \item Calculate the HMAC of the record and add that to the record \item Encrypt the record. \end{enumerate} \item Send the record to the server for insertion into the device's queue. - \item Wait for response from server stating the new records (the one just sent) server sequence number. Save this server sequence number for when creating the next record. - \item -\end{enumerate} - - -\subsection{\textbf{Updates when offline}} -When offline and making updates, the devices should use their local copy of the data structure but do no deletes. When connection is reestablished the following should take place: - -\begin{enumerate} - \item Pull the latest version of the data structure. - \item Update local copy of the data structure except for own devices device queue (do deletions as needed) - \item Calculate many records are "new" to the data structure and pick the same amount to be deleted - \item Push the updates and the deletes to the server - \item Wait for sequence numbers for the recently pushed records - \item Push the sequence numbers for the recently pushed records (using online updates from the section above) + \item Issue any server commands such as deletes to the server. \end{enumerate} -This kind of update will result in the latest key-value pair being the last pushed record from this update (if no other updates are occurring at the same time). The arbitrator can then commit or abort as needed but in the mean time the key-value pair may be an old one (but have the largest server sequence number). +If there is a connectivity issue then all the records will be held by the local device until connection is resumed then pushed to the server in the order which they occurred. Also the device can only delete records for which there is a server sequence number. At some point the device could run out of records to delete (it hasn't connected to the server in a while) in which case the device will not be able to delete any records. \subsection{\textbf{Deletions}} When deciding which records to delete the following is to be done: \begin{enumerate} \item Order all the records in order based on their server sequence numbers - \item Calculate the difference between the current size of the data structure and the minimum size of the data structure (lets call this $m$) + \item Calculate the difference between the current size of the data structure and the minimum size of the data structure (lets call this $m$). Note: count newly inserted records towards the total size of the data structure if doing deletes while doing updates. \item Delete the oldest m records based on the ordering from step 1. \begin{itemize} - \item If a record to be deleted has live data in it then the whole data structure needs to be resized. + \item If a record to be deleted has live data in it then the whole data structure needs to be re-sized. \end{itemize} \end{enumerate} -Note this makes that size of the data structure be bounded. +Note this makes that size of the data structure be bounded: If there are $n$ devices and the data structure has a minimum size of $m$. Then the max size of the data structure is given by $m + n -1$ for the case when all the devices make an update at the same time. \subsection{\textbf{Rescuing Transactions, Commits, Aborts, Ext}} -Data should be proactively rescued from the "oldest" records currently in the data structure. Unused space in new records should be used to rescue data from old records so that when it comes time to delete the old records, there are no live pieces of data that need to be rescued. When a piece of data is rescued, it is rescued with its vector clock as well (so that the time of that data can be saved). +Data should be proactively rescued from the "oldest" records currently in the data structure. Unused space in new records should be used to rescue data from old records so that when it comes time to delete the old records, there are no live pieces of data that need to be rescued. When a piece of data is rescued, it is rescued with its vector clock as well (so that the time of that data can be saved).\\ + +When rescuing transactions and commits: only keep the key-value pair sets that do not have a newer key-value pair set (no other transaction/commits sets that key-value pair later in the future). This means that transactions/commits can shrink in size. When deciding which data to rescue the following is to be done: \begin{enumerate} \item Order all the records in order based on their server sequence numbers - \item Create an ordered list of currently live transactions, commits, aborts, ext from the oldest $n$ records from step one where the order is based on the age of the data (how old the record . - \item Randomly select from the list of live data to save. Save as much as can fit in the current new record. The random selection could give higher probability to data from records that are to be deleted sooner. + \item Create an ordered list of currently live transactions, commits, aborts, ext from the oldest $n$ records from step one where the order is based on the age of the data (how old the record is). + \item Randomly select from the list of live transactions, commits, aborts, ext to save. Save as much as can fit in the current new record. The random selection could give higher probability to transactions, commits, aborts, ext from records that are to be deleted sooner. \end{enumerate} -If a record needs to be deleted but still contains live data then the data structure needs to be resized. - \subsection{\textbf{Checking the Data Structure}} Checking the data structure for consistency is done as follows: \begin{enumerate} \item Verify that each record in the data structure has an HMAC that matches the data in the record. - \item Verify that there are at least as many records in the data structure as stated in the largest data structure size record. - \item Make sure that for each device queue the difference between the vector clock value of the device queues clock is at most 1 between 2 consecutive messages. + \item Verify that the oldest record the server sent has a server sequence number that is equal to or less than the server sequence number in the most recent delete notification (currently live delete notification) + 1. + \item Make sure that for each device queue the difference between the vector clock value of the device queues clock is at most 1 between 2 consecutive messages for all records with server sequence numbers above the last deleted records server sequence numbers. \item Verify that no currently live data Structure re-size notification is smaller than the last known data structure size. Data structure can only grow in size. - \item Verify that all the server sequence numbers for the records that are currently present have unique numbers that have a difference of 1 (no gaps). + \item Verify that all the server sequence numbers for the records that are currently present have unique numbers. + \item Verify that all the server sequence numbers for the records have a difference of 1 (no gaps) for all records with server sequence numbers above the last deleted records server sequence numbers. \item Verify record server sequence numbers against the stated server sequence numbers in the server sequence number notification payloads (make sure the server is not changing the sequence number on the fly). - \item Verify that no to records have the same server sequence number \end{enumerate} - \subsection{\textbf{The Arbitrator}} The arbitrator can: \begin{enumerate} @@ -240,38 +230,88 @@ The arbitrator can: \subsubsection{\textbf{Commits}} Commits have the following properties \begin{itemize} - \item Agree with the ordering of the server sequence numbers - \item Once a key-value pair is commited it can not be commited again. + \item Agree with the ordering of the server sequence numbers most of the time. \item Cannot commit an already aborted transaction. \item Commits state the ordering of key-value pairs. - \item Can disagree with the ordering of server sequence numbers but + \item Can disagree with the ordering of server sequence numbers if arbitrator decides to do so. \item Should occur frequently as to make sure that the commit order matches the server sequence ordering as closely as possible (prevent large divergence of the 2 orderings) \end{itemize} \subsubsection{\textbf{Aborts}} -Aborts are used to show which transactions have been aborted and will not be used in the total ordering of the transactions. Aborts are considered live until an abort acknowledgement is presented. -When the transaction is aborted then the devices should simply act as if it were never present when evaluating for the latest key-value pair. + +\begin{itemize} + \item Aborts are used to show which transactions have been aborted based on the arbitrators decision. + \item Aborts are considered live until an abort acknowledgement is presented. + +\end{itemize} + \subsection{\textbf{Live Status}} Live Status of entries: \begin{enumerate} - \item Key-Value Entry/Data Entry is dead if either: - \begin{enumerate} - \item There is a newer key-value pair: + + \item Delete notifications + \begin{itemize} + \item Live if it deleted the largest known server sequence number to be deleted (most recent delete). + \end{itemize} + + \item Commit notifications + \begin{itemize} + \item Live until all the key-value pair sets in the transaction commit are dead. + \begin{itemize} + \item key-value pairs are dead when a commit for a transaction that sets the same key-value pair occurs with a larger vector clock. + \end{itemize} + \end{itemize} + + \item Abort notifications + \begin{itemize} + \item Live until the device whos machine ID is in the abort notification makes an update to the data structure that contains a vector clock that is more in the future than the vector clock for this abort notification. + \end{itemize} + + \item Data structure re-size notifications \begin{itemize} - \item There is a transaction with a newer vector clock value. - \item There is a commit that for this key-value pair. - \item There is an abort for this key-value pair. + \item Live if it contains the largest target size of the data structure. \end{itemize} - \item It is incomplete. - \item It is an abort notification that has an abort notification acknowledgment - \item It is an abort notification acknowledgment (dead on arrival). - \end{enumerate} - \item Data is live if there are multiple versions of the same data (key-value pair) in which the vector clock values show concurrency. All versions are kept live the arbitrator arbitrates. - \item Multiple versions of the same data (same transaction ID for example) are not all live. Only the version with the largest server sequence number is live. + \item Server sequence number confirmations. + \begin{itemize} + \item Live until the record that this notification is reporting on is deleted. + \end{itemize} + + \item Transactions + \begin{itemize} + \item Is dead if it is invalid (contains keys-values for multiple arbitrators) + \item Live until a commit or abort notification for this transaction is generated. + \end{itemize} + +\end{enumerate} + + +\section{\textbf{Server Approach}} + +The servers view of the system is in terms of data slots where each data slot holds a single record, has a monotonically increasing number associated with it (server sequence number) for the record that currently is present in that data slot and can be set or deleted. A server may have a finite amount of memory which it can partition into slots, reusing memory that newly deleted slots used to occupy. + +There are 3 types of requests from a device that the server must respond to: +\begin{enumerate} + \item Pull all current slots. + \item Put a new record in a slot. + \item Delete a slot. +\end{enumerate} + +\subsection{\textbf{Pull all current slots}} +In this case the server will simply send back all active slots (slots that have data) in any order along with each slots server sequence number. It is the job of the devices to order the slots. + +\subsection{\textbf{Put a new record in a slot}} +In this case the server will: +\begin{enumerate} + \item Receive a record data from a device. + \item Put this record data in an empty slot. + \item Assign the just received record the next number in the server sequence numbers. \end{enumerate} +If more than 1 put request is made at the same time, the server is free to order the requests however it wishes. +\subsection{\textbf{Delete a slot}} +In this case the server will delete the data in the slot that has the server sequence number that matches the server sequence number in the delete request. The server could delay the delete if it wishes (if it has plenty of space for new slots). \section{\textbf{System Guarantees}} \begin{itemize} @@ -287,9 +327,11 @@ Live Status of entries: \item Devices can operate offline and re-sync with the system and get a consistent view of the system \item If the server tries to hold a device on an older version of the data structure, that device can eventually rejoin the main data structure without problems. \item Devices that have a transaction aborted will be able to be notified about the abort indefinitely (no time frame when notification must be accepted). - \items Server cannot hold a device on an old version of the data structure and then move them to a newer version of the data structure without being detected (The server sequence numbers would reveal conflicts or gaps or both). + \item Server cannot hold a device on an old version of the data structure and then move them to a newer version of the data structure without being detected (The server sequence numbers would reveal conflicts or gaps or both). \end{itemize} +\section{System Correctness} + \end{document} \ No newline at end of file