
US-12621301-B2 - Scalable architecture of servers providing access to data content


Abstract

Access to resources and data management by servers is provided. In order to provide users with a universal access point to an application, while allowing strict control of the ownership and localization of data, a first device receives from a user a request to access a resource and, if the user has the right to access the resource, sends to the user an identifier of a communication endpoint of a second device, among a plurality of second devices, that is able to access the resource and deliver the resource to the client.

Inventors

  • Tony DUBREIL
  • Romain GUYONVARH
  • Jérôme STEUNOU
  • Mark Veldhuizen
  • Pierre PAGADOY
  • Matthieu BEUCHER

Assignees

  • KLAXOON

Dates

  • Publication Date: 20260505
  • Application Date: 20190710
  • Priority Date: 20180710

Claims (8)

  1. A first device comprising: a first communication endpoint configured to establish a connection with a user device; an access to one or more first data storages storing: user credentials for a plurality of users; a set of identifiers of resources to be presented to one or more users belonging to said plurality of users stored on two or more second data storages accessed respectively by two or more second devices, each identifier in the set having associated therewith access rights, and an identifier of a second communication endpoint of a second device having an access to a second data storage storing a resource; one or more first processing logics configured, upon receiving a request from the user device to access the said resource, said request comprising an identifier of the resource previously received by the user device, to: verify, based on access rights associated with the received resource identifier, if a user has the right to access the requested resource; if said user associated with said user device has the right to access the requested resource, to send to the user device the identifier of the communication endpoint of the second device having an access to the second data storage storing the resource, allowing the user device to establish a communication with the second device that is able to deliver the resource; the first device further comprising a third communication endpoint configured to establish a connection with one or more fourth communication endpoints of the one or more second devices; the one or more first processing logics are further configured, upon the reception of a resource identifier generation request sent to the first device through the fourth communication endpoint from one of the second devices, to: create a unique identifier of a newly created resource; associate to said unique identifier of the resource an identifier of said one of the two or more second devices, or a second communication endpoint thereof; and send to said one of the two or more second devices the unique identifier of the resource, this unique identifier being sent to the user device by the two or more second devices, wherein said one or more first processing logics are configured, upon an authentication request from the user device further comprising a user credential, to authenticate the user associated with said user device based on said user credential and user credentials for the plurality of users; wherein the one or more first processing logics are further configured to: generate identification data allowing the one or more second devices to identify the user and grant access to the resource, and identification validation data allowing the validation of an identification of the user; send to the user device the identification data.
  2. The first device of claim 1, wherein the one or more first processing logics are configured to generate the identification validation data based on the identification data and shared secret keys that are common to the first device and the one or more second devices.
  3. The first device of claim 1, wherein the identification data is a token, and the identification validation data is a signature of the token.
  4. The first device of claim 1, wherein the one or more first processing logics are further configured to generate identification data allowing the one or more second devices to identify the user and grant access to the resource, and identification validation data allowing the validation of an identification of the user, and are configured to send to the user device the identification data, and wherein the one or more first processing logics are configured, upon a reception, from said second device having an access to the second data storage storing the resource, of a request to identify the user comprising said identification data, to: validate an identification of the user based on said identification data and said identification validation data; if the identification is validated, send to said second device a validation of the identification of the user and the right of the user to access the resource.
  5. The first device of claim 1, wherein the one or more first processing logics are further configured to generate identification data allowing the one or more second devices to identify the user and grant access to the resource, and identification validation data allowing the validation of an identification of the user, and are configured to send to the user device the identification data, and wherein the one or more first processing logics are configured, upon a reception, from said second device having an access to the second data storage storing the resource, of a request to identify the user comprising said identification data, to send to said second device having an access to the second data storage storing the resource said identification validation data.
  6. The first device of claim 1, wherein the one or more first processing logics are further configured to generate identification data allowing the one or more second devices to identify the user and grant access to the resource, and identification validation data allowing the validation of an identification of the user, and are configured to send to the user device the identification data, and wherein the one or more first processing logics are configured, upon the generation of the user validation data, to send to the one or more second devices identification validation data.
  7. A method comprising: receiving a request from a user device to access a requested resource, wherein the user device is configured to establish a connection with a first communication endpoint of a first device, said request comprising an identifier of the requested resource previously received by the user device; accessing one or more first data storages storing: user credentials for a plurality of users; a set of identifiers of a set of resources to be presented to one or more users belonging to said plurality of users, comprising said requested resource, said set of resources stored on two or more second data storages accessed respectively by two or more second devices, each identifier in the set having associated therewith access rights, and an identifier of a second communication endpoint of a second device having an access to a second data storage storing the requested resource; verifying, based on access rights associated with an identifier of the resource, if a user associated with said user device has the right to access the requested resource; if the user associated with said user device has the right to access the requested resource, sending to the user device the identifier of the communication endpoint of the second device having an access to the second data storage storing the requested resource, allowing the user device to establish a communication with the second device that is able to deliver the requested resource, the first device further comprising a third communication endpoint configured to establish a connection with one or more fourth communication endpoints of the one or more second devices; upon the reception of a resource identifier generation request sent to the first device through the fourth communication endpoint from one of the second devices: creating a unique identifier of a newly created resource; associate to said unique identifier of the resource an identifier of said one of the two or more second devices, or a second communication endpoint thereof; and sending to said one of the two or more second devices the unique identifier of the resource, this unique identifier being sent to the user device by the two or more second devices, wherein said one or more first processing logics are configured, upon an authentication request from the user device further comprising a user credential, to authenticate the user associated with said user device based on said user credential and user credentials for the plurality of users; wherein the one or more first processing logics are further configured to: generate identification data allowing the one or more second devices to identify the user and grant access to the resource, and identification validation data allowing the validation of an identification of the user; send to the user device the identification data.
  8. A computer program product comprising: a non-transitory computer-readable storage medium; and program code stored on the non-transitory computer-readable storage medium that, when executed by one or more processors, causes the one or more processors to: receive a request from a user device to access a requested resource, wherein the user device is configured to establish a connection with a first communication endpoint of a first device, said request comprising an identifier of the resource previously received by the user device; access one or more first data storages storing: user credentials for a plurality of users; a set of identifiers of a set of resources to be presented to one or more users belonging to said plurality of users, comprising said requested resource, said set of resources stored on two or more second data storages accessed respectively by two or more second devices, each identifier in the set having associated therewith access rights, and an identifier of a second communication endpoint of a second device having an access to a second data storage storing the resource; verify, based on access rights associated with an identifier of the resource, if a user associated with said user device has the right to access the requested resource; if the user associated with said user device has the right to access the requested resource, send to the user device the identifier of the communication endpoint of the second device having an access to the second data storage storing the requested resource, allowing the user device to establish a communication with the second device that is able to deliver the requested resource; the first device further comprising a third communication endpoint configured to establish a connection with one or more fourth communication endpoints of the one or more second devices; upon the reception of a resource identifier generation request sent to the first device through the fourth communication endpoint from one of the second devices: creating a unique identifier of a newly created resource; associate to said unique identifier of the resource an identifier of said one of the two or more second devices, or a second communication endpoint thereof; and sending to said one of the two or more second devices the unique identifier of the resource, this unique identifier being sent to the user device by the two or more second devices, wherein said one or more first processing logics are configured, upon an authentication request from the user device further comprising a user credential, to authenticate the user associated with said user device based on said user credential and user credentials for the plurality of users; wherein the one or more first processing logics are further configured to: generate identification data allowing the one or more second devices to identify the user and grant access to the resource, and identification validation data allowing the validation of an identification of the user; send to the user device the identification data.
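
The exchange in claims 1 to 3, as an added Python example that is not taken from the patent or from the assignee's code: a first device registers resource identifiers, authenticates users, issues a token with its signature, and returns a second device's endpoint only to users with access rights. The HMAC-SHA256 signature, the JSON token layout, the expiry field, the PBKDF2 credential storage and every name are assumptions.

```python
import hashlib, hmac, json, secrets, time

SHARED_KEY = secrets.token_bytes(32)  # secret common to first and second devices (claim 2)

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def sign(key, token):
    """Identification validation data: HMAC-SHA256 over the token (assumed construction)."""
    return hmac.new(key, token, hashlib.sha256).hexdigest()

def verify(key, token, sig, now=None):
    """Run by either device: return the user id, or None if forged or expired."""
    if not hmac.compare_digest(sign(key, token), sig):  # constant-time comparison
        return None
    claims = json.loads(token)
    if claims["exp"] < (time.time() if now is None else now):  # expiry is an assumption
        return None
    return claims["sub"]

class FirstDevice:
    def __init__(self, key):
        self.key, self.users, self.resources = key, {}, {}

    def add_user(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, kdf(password, salt))

    def register_resource(self, endpoint, allowed_users):
        """Resource identifier generation request coming from a second device."""
        rid = secrets.token_urlsafe(16)  # unguessable unique identifier
        self.resources[rid] = (endpoint, set(allowed_users))
        return rid

    def authenticate(self, user, password, ttl=300):
        """Check the credential, then issue the token and its signature."""
        salt, stored = self.users.get(user, (b"\0" * 16, b""))
        if not hmac.compare_digest(kdf(password, salt), stored):
            return None
        token = json.dumps({"sub": user, "exp": time.time() + ttl}).encode()
        return token, sign(self.key, token)

    def resolve(self, token, sig, rid):
        """Return the second device's endpoint only if the user may access rid."""
        user = verify(self.key, token, sig)
        endpoint, allowed = self.resources.get(rid, (None, set()))
        if user is None or user not in allowed:
            raise PermissionError("access denied")
        return endpoint
```

A second device holding `SHARED_KEY` calls `verify` on the token and signature presented by the user device before delivering the resource, so a token altered in transit or replayed after expiry is rejected without a round trip to the first device.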

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a National Stage of International patent application PCT/EP2019/068615, filed on Jul. 10, 2019, which claims priority to foreign European patent application No. EP 18290076.1, filed on Jul. 10, 2018, the disclosures of which are incorporated by reference in their entirety.

FIELD OF THE INVENTION

The present invention generally relates to the field of computing and communications. More specifically, the invention relates to the access and management of resources using a plurality of servers.

BACKGROUND PRIOR ART

Access to resources and data stored in servers is nowadays becoming more and more critical, as the amount of data provided to users and the number of applications using such data increase sharply.

In computing, a server is a computer program or device that provides functionality for other programs or devices, called “clients”. The computation of a server can be performed on a single device, or distributed across a plurality of devices. A number of different kinds of servers exist, such as database servers allowing a client to perform requests and retrieve information from a database, file servers that are intended to store files, mail servers that allow receiving and sending mails, etc.

A number of servers are intended to provide clients with access to resources. A resource can be any data or information that is stored on a server, to be retrieved by a client in order to be presented to a user. For example, a resource can be a picture that is stored in a server, in order to be sent upon request from a client.

Such servers intended to provide access to resources to clients are used in a number of applications. For example, servers dedicated to social networks store large amounts of resources (pictures, videos, posts...) that are sent to clients upon request, to be displayed for example in web browsers or mobile apps. Such kinds of servers can also be used for professional applications.
For example, the applicant has developed an innovative solution to perform interactive presentations wherein the user performing the presentation can insert interactive content (polls, games...) in a presentation. The content of the presentations can be stored as a resource in servers, and be retrieved upon request by clients. Such content may comprise for example data to be presented/displayed by the dynamic presentation (images, videos, text...), and/or data collected based on the inputs of users during the execution of the dynamic presentation (e.g. statistics, scores, or the like).

As the number of clients increases, the amount of data stored in the servers for an application may also increase dramatically. The Quality of Service (QoS) offered by the servers may then get poorer, for a variety of reasons:

  • the bandwidth and/or computing resources of the servers may become insufficient to manage the requests for an increasing number of clients, and the latency to manage the requests of the users may increase;
  • when the resources are stored in databases that are getting larger, the response time to query a resource in the database may also increase;
  • in case of worldwide clients, if all servers are located in the same location, the clients that are based in a different country or continent than the servers may also experience high latencies due to the communication times across different countries or continents.

The term “scalability” designates the ability of a system, or service, to accommodate a growth in the demand, and to be able to preserve its QoS when responding to a higher demand (i.e. an increasing number of clients, an increasing number of resources to provide, etc.).
Some server architectures are qualified as “single tenant”, when a specific infrastructure is created for each client: for example, each client (or group of clients, for example a company) may be served by a dedicated infrastructure, for example servers and databases that are dedicated for its use only. This solution provides the advantage of ensuring that the data from a client will not be accessed by another client, and of allowing data to be precisely located. However, this solution does not achieve very good results in terms of scalability. Indeed, the infrastructure related to each client needs to be adapted separately, which at the same time hardly allows quickly using additional resources when the resource needs of a client increase, and may result in a waste of resources when the resource needs of a client decrease.

Other architectures of server applications are qualified as “multi tenant”. In such architectures, the same infrastructures (servers, storage...) are used for a plurality of clients. This type of architecture is more efficient than single tenant architectures to achieve scalability, because the same resources are used for a plurality of clients, so resources can be allocated dynamically according to the needs of the client. However, in such architectures the