Methods and systems for efficient API integrated login in a multi-tenant database environment

US 8,676,979 B2
Filed: 02/15/2011
Issued: 03/18/2014
Est. Priority Date: 05/18/2010
Status: Active Grant

First Claim

Patent Images

1. A method in a first datacenter, the method comprising:

receiving a plurality of Application Programming Interface (API) login requests at a load balancer of the first datacenter, each of the plurality of API login requests specifying a user identifier (userID);

fanning, via the load balancer, the plurality of API login requests across a plurality of redundant instances executing within the first datacenter, assigning each API login request to one of the plurality of redundant instances for authentication; and

for each of the respective plurality of API login requests;

(i) performing a lookup request on the userID specified by the respective API login request via the assigned redundant instance,(ii) proxying the lookup request to one or more recursive redundant instances when the lookup request fails at the assigned redundant instance, and(iii) proxying the lookup request to a remote recursive redundant instance executing in a second datacenter, when the lookup request fails at the one or more recursive redundant instances within the first datacenter; and

wherein the method further comprises injecting into each header of the plurality of API login requests, a proxy flag indicating the respective login request is being proxied across a datacenter boundary geographically separating the first datacenter from the separate and distinct second datacenter when the userID associated with the respective API login request is not locatable within the first datacenter.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for efficient API integrated login in a multi-tenant database environment and for decreasing latency delays during an API login request authentication including receiving a plurality of API login requests at a load balancer of a datacenter, where each of the plurality of API login requests specify a user identifier (userID) and/or an organizational identifier (orgID), fanning the plurality of API login requests across a plurality of redundant instances executing within the datacenter, assigning each API login request to one of the plurality of redundant instances for authentication, and for each of the respective plurality of API login requests, performing a recursive query algorithm at the assigned redundant instance, at one or more recursive redundant instances within the datacenter, and at a remote recursive redundant instance executing in a second datacenter, as necessary, until the login request is authenticated or determined to be invalid.

Citations

22 Claims

1. A method in a first datacenter, the method comprising:
- receiving a plurality of Application Programming Interface (API) login requests at a load balancer of the first datacenter, each of the plurality of API login requests specifying a user identifier (userID);
  
  fanning, via the load balancer, the plurality of API login requests across a plurality of redundant instances executing within the first datacenter, assigning each API login request to one of the plurality of redundant instances for authentication; and
  
  for each of the respective plurality of API login requests;
  
  (i) performing a lookup request on the userID specified by the respective API login request via the assigned redundant instance,(ii) proxying the lookup request to one or more recursive redundant instances when the lookup request fails at the assigned redundant instance, and(iii) proxying the lookup request to a remote recursive redundant instance executing in a second datacenter, when the lookup request fails at the one or more recursive redundant instances within the first datacenter; and
  
  wherein the method further comprises injecting into each header of the plurality of API login requests, a proxy flag indicating the respective login request is being proxied across a datacenter boundary geographically separating the first datacenter from the separate and distinct second datacenter when the userID associated with the respective API login request is not locatable within the first datacenter.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 10, 11, 12, 13, 14, 15, 17, 18)
- - 2. The method of claim 1, wherein proxying the lookup request to the one or more recursive redundant instances comprises transmitting all post data associated with the API login request in an un-altered form to the one or more recursive redundant instances within the proxied lookup request.
  - 3. The method of claim 2, wherein transmitting all the post data in the un-altered form comprises proxying the lookup request via a byte for byte replication/forwarding mechanism.
  - 4. The method of claim 3, wherein proxying the lookup request to the one or more recursive redundant instances further comprises:
    - receiving, at the assigned redundant instance, a response from one of the one or more recursive redundant instances indicating a successful authentication responsive to the proxied lookup request; and
      
      transmitting the response to a client device having originated the respective API login request, wherein transmitting the response comprises sending the response via a byte for byte replication/forwarding mechanism to the client device, wherein the originating client device receives an identical byte for byte copy of a payload of the response received at the assigned redundant instance indicating the successful authentication.
  - 5. The method of claim 1, wherein each of the plurality of API login requests are received from one of:
    - a separate and distinct remote organization, an organizational group within a host organization that operates the first and second datacenters, a business partner of the host organization, or a customer organization that subscribes to cloud computing services provided by the host organization.
  - 6. The method of claim 5, wherein each of the plurality of redundant instances implements API login request functionality to validate and authenticate login credentials provided via the plurality of API login requests received.
  - 7. The method of claim 1, wherein the method further comprises:
    - injecting, via the load balancer, a new request flag into each of the plurality of API login requests received, the new request flag indicating an associated API login request is not yet assigned to one of the plurality of redundant instances; and
      
      wherein the one of the plurality of redundant instances becomes the assigned redundant instance for any API login request received having the new request flag present.
  - 8. The method of claim 7, wherein proxying the lookup request to the one or more recursive redundant instances when the lookup request fails at the assigned redundant instance comprises:
    - injecting, via the assigned redundant instance, a proxy flag into the proxied lookup request, the proxy flag indicating to any of the one or more recursive redundant instances receiving the proxied lookup request that the assigned redundant instance is managing a recursive discovery algorithm within the first datacenter to locate the userID specified by the respective API login request, the proxy flag further uniquely identifying the assigned redundant instance for the respective API login request, and the proxy flag further directing any of the one or more recursive redundant instances receiving the proxied lookup request not to initiate a second recursive discovery algorithm within the first datacenter responsive to the proxied lookup request.
  - 10. The method of claim 1, wherein the method further comprises:
    - injecting, via the load balancer, a plurality of data elements into the header of each of the plurality of API login requests received, wherein injecting the plurality of data elements comprises;
      
      injecting a client Internet Protocol Identifier (clientIP) into each header to store a value corresponding to the actual IP address of an originating client having sent each respective API login request;
      
      injecting a load balancer flag into each header indicating the load balancer has processed the respective incoming API login request.
  - 11. The method of claim 1:
    - wherein the assigned redundant instance executes within a first pod having a first subset of the plurality of redundant instances executing within the first datacenter; and
      
      wherein each of the one or more recursive redundant instances operate in a second one or more pods, each of the second one or more pods having a second one or more subsets of the plurality of the redundant instances executing within the first datacenter.
  - 12. The method of claim 11:
    - wherein the first pod and each of the second one or more pods each comprise a datastore having a plurality of userIDs stored therein; and
      
      wherein the datastore of each pod is accessible to the respective subset of redundant instances operating within the same pod.
  - 13. The method of claim 12:
    - wherein the assigned redundant instance operates within the first pod; and
      
      wherein the lookup request fails at the assigned redundant instance when the userID specified by the respective API login request cannot be located within the datastore of the first pod.
  - 14. The method of claim 13:
    - wherein each of the one or more recursive redundant instances operate within one of the second one or more pods without overlap; and
      
      wherein the lookup request fails at the one or more recursive redundant instances when the userID specified by the respective API login request cannot be located within the respective datastore within any of the second one or more pods.
  - 15. The method of claim 14, wherein proxying the lookup request to the remote recursive redundant instance executing in the second datacenter comprises the assigned redundant instance proxying the lookup request to the remote recursive redundant instance upon a determination that all pods located within the first datacenter have been checked for the userID.
  - 17. The method of claim 1:
    - wherein the lookup request fails at the assigned redundant instance when the userID specified by the respective API login request cannot be located within a datastore accessible via the assigned redundant instance;
      
      wherein the lookup request fails at the one or more recursive redundant instances when the userID specified by the respective API login request cannot be located within any datastore accessible via the one or more recursive redundant instances;
      
      wherein the lookup request fails at the remote recursive redundant instance when the userID specified by the respective API login request cannot be located within any datastore accessible via the remote recursive redundant instance; and
      
      wherein the method further comprises returning a response to the assigned redundant instance indicating the userID cannot be located.
  - 18. The method of claim 1:
    - wherein the load balancer operates at a login domain of a host organization within the first datacenter to receive the plurality of incoming API login requests from a plurality of customer organizations of the host organization; and
      
      wherein the load balancer further receives a plurality of service requests from the plurality of customer organizations, wherein each service request specifies transactions to be executed against a multi-tenant database system operated by the host organization, the multi-tenant database system comprising elements of hardware and software that are shared by a plurality of separate and distinct customer organizations, each of the separate and distinct customer organizations being remotely located from the host organization having the multi-tenant database system operating therein.

9. A method in a first datacenter, the method comprising:
- receiving a plurality of Application Programming Interface (API) login requests at a load balancer of the first datacenter, each of the plurality of API login requests specifying a user identifier (userID);
  
  fanning, via the load balancer, the plurality of API login requests across a plurality of redundant instances executing within the first datacenter, assigning each API login request to one of the plurality of redundant instances for authentication; and
  
  for each of the respective plurality of API login requests;
  
  (i) performing a lookup request on the userID specified by the respective API login request via the assigned redundant instance,(ii) proxying the lookup request to one or more recursive redundant instances when the lookup request fails at the assigned redundant instance, and(iii) proxying the lookup request to a remote recursive redundant instance executing in a second datacenter, when the lookup request fails at the one or more recursive redundant instances within the first datacenter; and
  
  wherein proxying the lookup request to the remote recursive redundant instance executing in the second datacenter comprises;
  
  (i) injecting a proxy flag into the proxied lookup request, the proxy flag indicating to the remote recursive redundant instance receiving the proxied lookup request that the assigned redundant instance is managing a recursive discovery algorithm from the first datacenter and further directing the remote recursive redundant instance to return a reference link to the assigned redundant instance specifying which of a plurality of redundant instances executing within the second datacenter authenticated the corresponding API login request;
  
  (ii) sending the proxied lookup request to a second load balancer operating within the second data center having the proxy flag injected therein, wherein the second load balancer fans the proxied lookup request across the plurality of redundant instances executing within the second datacenter along with a plurality of API login requests received at the second load balancer of the second datacenter; and
  
  (iii) receiving, from the second datacenter, a response indicating authentication of the corresponding API login request was successful and uniquely identifying one of the plurality of redundant instances within the second datacenter that authenticated the API login request based on the received proxied lookup request.

16. A method in a first datacenter, the method comprising:
- receiving a plurality of Application Programming Interface (API) login requests at a load balancer of the first datacenter, each of the plurality of API login requests specifying a user identifier (userID);
  
  fanning, via the load balancer, the plurality of API login requests across a plurality of redundant instances executing within the first datacenter, assigning each API login request to one of the plurality of redundant instances for authentication; and
  
  for each of the respective plurality of API login requests;
  
  (i) performing a lookup request on the userID specified by the respective API login request via the assigned redundant instance,(ii) proxying the lookup request to one or more recursive redundant instances when the lookup request fails at the assigned redundant instance, and(iii) proxying the lookup request to a remote recursive redundant instance executing in a second datacenter, when the lookup request fails at the one or more recursive redundant instances within the first datacenter;
  
  entering a new userID for a new account into a datastore within the second datacenter;
  
  wherein the new userID is not synchronized to one or more datastores within the first datacenter when one of the plurality of API login requests are received at the first datacenter specifying the new userID due to a synchronization lag between the datastore within the second datacenter and the one or more datastores within the first datacenter;
  
  receiving a response at the assigned redundant instance within the first datacenter after authentication is successful by the remote recursive redundant instance within the second datacenter, the response indicating the API login request specifying the new userID has been authenticated; and
  
  returning a reference link to the originator of the API login request specifying the new userID, the reference link directing the originator to direct subsequent requests for services to the one of the plurality of redundant instances having authenticated the corresponding API login request.

19. A method in a first datacenter, the method comprising:
- receiving a plurality of Application Programming Interface (API) login requests at a load balancer of the first datacenter, each of the plurality of API login requests specifying a user identifier (userID);
  
  fanning, via the load balancer, the plurality of API login requests across a plurality of redundant instances executing within the first datacenter, assigning each API login request to one of the plurality of redundant instances for authentication; and
  
  for each of the respective plurality of API login requests;
  
  (i) performing a lookup request on the userID specified by the respective API login request via the assigned redundant instance,(ii) proxying the lookup request to one or more recursive redundant instances when the lookup request fails at the assigned redundant instance, and(iii) proxying the lookup request to a remote recursive redundant instance executing in a second datacenter, when the lookup request fails at the one or more recursive redundant instances within the first datacenter;
  
  wherein when the userID specified by the respective API login request cannot be located within a datastore accessible via the assigned redundant instance, the assigned redundant instance initiates a recursive discovery algorithm comprising;
  
  exhausting, by executing in parallel, the proxied lookup request against all datastores within a plurality of remaining pods operating within the first datacenter, the plurality of remaining pods within the first datacenter each having non-overlapping subsets of the plurality of redundant instances allocated thereto and operating therein;
  
  exhausting, by executing the proxied lookup request against the second datacenter, all datastores within a plurality of pods operating within the second datacenter; and
  
  repeating the proxied lookup request against any remaining one or more additional datacenters by executing the proxied lookup request against each of the second datacenter and the one or more additional datacenters in serial.

20. A non-transitory computer readable storage medium having instructions stored thereon that, when executed by a processor in a first datacenter, cause the first datacenter to perform a method comprising:
- receiving a plurality of Application Programming Interface (API) login requests at a load balancer of the first datacenter, each of the plurality of API login requests specifying a user identifier (userID);
  
  fanning the plurality of API login requests across a plurality of redundant instances executing within the first datacenter, assigning each API login request to one of the plurality of redundant instances for authentication; and
  
  for each of the respective plurality of API login requests;
  
  (i) performing a lookup request on the userID specified by the respective API login request via the assigned redundant instance,(ii) proxying the lookup request to one or more recursive redundant instances when the lookup request fails at the assigned redundant instance, and(iii) proxying the lookup request to a remote recursive redundant instance executing in a second datacenter, when the lookup request fails at the one or more recursive redundant instances within the first datacenter; and
  
  wherein the method further comprises injecting into each header of the plurality of API login requests, a proxy flag indicating the respective login request is being proxied across a datacenter boundary geographically separating the first datacenter from the separate and distinct second datacenter when the userID associated with the respective API login request is not locatable within the first datacenter.

21. A datacenter comprising:
- a processor and a memory;
  
  a login domain to receive a plurality of Application Programming Interface (API) login requests, each specifying a user identifier (userID);
  
  a load balancer to implement a fanning algorithm to distribute the plurality of API login requests across a plurality of redundant instances within the datacenter, each API login request to be assigned to one of the plurality of redundant instances for authentication;
  
  wherein for each of the respective plurality of API login requests;
  
  (i) an assigned redundant instance to execute via the processor and the memory, wherein the assigned redundant instance to perform a lookup request on the userID specified by the respective API login request;
  
  (ii) the assigned redundant instance to proxy the lookup request to one or more recursive redundant instances, each to execute via the processor and the memory, when the lookup request fails at the assigned redundant instance; and
  
  (iii) the assigned redundant instance to proxy the lookup request to a remote recursive redundant instance at a second datacenter, when the lookup request fails at the one or more recursive redundant instances within the datacenter; and
  
  a flag injector to inject into each header of the plurality of API login requests, a proxy flag indicating the respective login request is being proxied across a datacenter boundary geographically separating the first datacenter from the separate and distinct second datacenter when the userID associated with the respective API login request is not locatable within the first datacenter.
- View Dependent Claims (22)
- - 22. The datacenter of claim 21, wherein a byte for byte replication and forwarding module of the datacenter generates and forwards the proxied lookup request to each of the one or more recursive redundant instances, the proxied lookup request having encoded therein all post data associated with the API login request in an un-altered form.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Mehra, Vinod, Fell, Simon Z
Primary Examiner(s)
Chriss, Andrew
Assistant Examiner(s)
PEREZ, JOSE L

Application Number

US13/027,992
Publication Number

US 20110289508A1
Time in Patent Office

1,127 Days
Field of Search

718/105, 709/201, 709/203, 709/208, 709/209, 709/217, 709/218, 709/219, 709/225, 709/226, 709/227, 709/228, 709/229, 709/249, 709/250
US Class Current

709/226
CPC Class Codes

G06F 9/5083   Techniques for rebalancing ...

H04L 63/08   for authentication of entit...

H04L 67/1004   Server selection for load b...

H04L 67/563   Data redirection of data ne...

Methods and systems for efficient API integrated login in a multi-tenant database environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for efficient API integrated login in a multi-tenant database environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links