Case Study: Graceful Degradation in Google Apps
Google Docs deploys many graceful degradation techniques. Google's word processor can switch into read-only mode when only a read-only database replica is available. The client-side JavaScript can work with the cached data in the browser if the server is inaccessible. Gmail provides a rich, JavaScript-based user interface as well as a slimmer HTML-only interface that appears automatically as needed. If the entire system is unavailable, the user is sent to a generic front page that displays the system status rather than simply receiving no response.
2.1.11 Access Controls and Rate Limits
If a service provides an API, that API should include an Access Control List (ACL) mechanism that determines which users are permitted or denied access, and also determines rate-limiting settings.
An ACL is a list of users, along with an indication of whether they are authorized to access the system. For example, access could be restricted to certain Internet Protocol (IP) addresses or blocks, to certain users or processes, or by other identification mechanisms. IP addresses are the weakest form of identification because they can be easily forged. Something better should be used, such as a public key infrastructure (PKI) that uses digital certificates to prove identity.
The simplest ACL is a list of users that are permitted access; everyone else is banned. This is called a default closed policy; the list is called the whitelist. The reverse would be a default open policy, where the default is to give access to all users unless they appear on a blacklist.
A more sophisticated ACL is an ordered list of users and/or groups annotated as either being "permitted" or "denied." If a user is not mentioned in the ACL, the default action might be to permit the user (fail open) or, alternatively, to deny the user (fail closed).
In addition to indicating permission, ACLs can indicate rate limits. Different users might be permitted different queries per second (QPS) rates, with requests that go over that rate being denied. For example, the service may give premium customers an unlimited QPS rate, regular paid customers a moderate QPS rate, and unpaid customers a low QPS rate or no access at all.
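As an added illustration (example code, not the book's), here is a small Python evaluator for the ordered ACL just described: entries are checked in order and the first match wins, unlisted users fall through to a fail-open or fail-closed default, and a permitted entry may carry a QPS rate, which this example enforces with a token bucket. The policy, user names, group names and request times are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Entry:
    principal: str               # user or group name
    permit: bool                 # True = "permitted", False = "denied"
    qps: Optional[float] = None  # None = unlimited rate

@dataclass
class Acl:
    entries: list                # ordered; first matching entry wins
    default_permit: bool = False # False = fail closed, True = fail open
    buckets: dict = field(default_factory=dict)  # user -> (tokens, last_refill)

    def match(self, user, groups):
        for e in self.entries:
            if e.principal == user or e.principal in groups:
                return e
        return None

    def check(self, user, groups, now):
        """Decide one request made at time `now` (seconds); returns (allowed, reason)."""
        e = self.match(user, groups)
        if e is None:
            return self.default_permit, "default"
        if not e.permit:
            return False, "denied"
        if e.qps is None:
            return True, "permitted"
        # Token bucket: refills at `qps` tokens/s, burst capacity of one second's worth.
        tokens, last = self.buckets.get(user, (e.qps, now))
        tokens = min(e.qps, tokens + (now - last) * e.qps)
        allowed = tokens >= 1.0
        self.buckets[user] = (tokens - 1.0 if allowed else tokens, now)
        return allowed, ("permitted" if allowed else "rate-limited")

# Constructed policy: explicit deny first, then premium/paid/unpaid tiers; unlisted users fail closed.
POLICY = Acl(entries=[
    Entry("mallory", permit=False),
    Entry("premium", permit=True),            # unlimited QPS
    Entry("paid", permit=True, qps=10.0),     # moderate
    Entry("unpaid", permit=True, qps=1.0),    # low
])

def demo():
    POLICY.buckets.clear()  # fresh limiter state so the sequence is repeatable
    reqs = [("mallory", {"premium"}, 0.0), ("alice", {"premium"}, 0.0), ("bob", {"unpaid"}, 0.0),
            ("bob", {"unpaid"}, 0.5), ("bob", {"unpaid"}, 1.5), ("eve", set(), 0.0)]
    return [POLICY.check(u, g, t) for u, g, t in reqs]
```

Note that the explicit deny for "mallory" is listed before the group entries, so membership in "premium" does not override it; ordering is part of the policy.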