DISTRIBUTED SERVICES AUTHORIZATION MANAGEMENT

US 20110302315A1
Filed: 06/03/2010
Published: 12/08/2011
Est. Priority Date: 06/03/2010
Status: Active Grant

First Claim

Patent Images

1. A method for providing resource authorization to users of a distributed memory store, comprising:

accessing an authorization document stored in a distributed memory store using a session ID that identifies an authorization document location, the authorization document comprising a global section comprising a principal ID related to a user;

authorizing the user for a resource if a resource section, comprising resource authorization data, is present for the principal ID in the authorization document; and

if the resource section for the resource is not present in the authorization document;

creating a local resource section in the authorization document for the resource indicated by a resource identifier;

loading resource authorization data into the local resource section corresponding to the resource; and

saving the authorization document, comprising the global section and the local resource section indicated by the resource identifier, locally in the distributed memory store for the resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One or more techniques and/or systems are disclosed for providing resource authorization to users of a distributed memory store (e.g., a distributed web-based cloud service). A session ID that identifies a location of an authorization document in a distributed memory store is used to access the authorization document, which comprises a global section with a principal ID related to a user. The user can be authorized to utilize a resource (e.g., in a distributed cloud service) if a resource section is present for the principal ID in the authorization document, and has appropriate resource data for the resource. If the resource section is not present, it can be created in the authorization document, and identified by a resource identifier. Authorization data can be loaded into the newly created resource section, and the authorization document, with the global and resource sections, is saved to a local cache for the distributed memory store.

Citations

20 Claims

1. A method for providing resource authorization to users of a distributed memory store, comprising:
- accessing an authorization document stored in a distributed memory store using a session ID that identifies an authorization document location, the authorization document comprising a global section comprising a principal ID related to a user;
  
  authorizing the user for a resource if a resource section, comprising resource authorization data, is present for the principal ID in the authorization document; and
  
  if the resource section for the resource is not present in the authorization document;
  
  creating a local resource section in the authorization document for the resource indicated by a resource identifier;
  
  loading resource authorization data into the local resource section corresponding to the resource; and
  
  saving the authorization document, comprising the global section and the local resource section indicated by the resource identifier, locally in the distributed memory store for the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, comprising, upon user authentication:
    - creating the session ID for the user session; and
      
      providing the session ID to the user.
  - 3. The method of claim 2, comprising creating a session document indexed in memory of the distributed memory store by the session ID, the session document comprising the principal ID that references the authorization document.
  - 4. The method of claim 1, comprising, upon user authentication:
    - creating the authorization document, where the global section comprises user-related information; and
      
      storing the authorization document in memory of the distributed memory store.
  - 5. The method of claim 4, comprising creating the global section of the authorization document such that it is propagated to requesting memory components of the distributed memory store.
  - 6. The method of claim 1, using the session ID to access the authorization document comprising:
    - requesting access to the authorization document if it is cached locally to the resource; and
      
      requesting the authorization document, comprising the global section, is propagated locally to the resource in the distributed memory store if the authorization document is not cached locally to the resource.
  - 7. The method of claim 1, comprising rejecting an authorization request if one of:
    - a session document cannot be found in the distributed memory store; and
      
      the authorization document cannot be found in the distributed memory store.
  - 8. The method of claim 1, authorizing the user for a resource comprising using the resource identifier to access authorization data in the resource section of the authorization document for the resource.
  - 9. The method of claim 1, loading resource authorization data comprising loading a version of the resource authorization data as an update from a backing store.
  - 10. The method of claim 9, saving the authorization document comprising:
    - pushing the authorization document to a next level master cache;
      
      checking the version of the update against a master cache version; and
      
      updating the master cache if the version is later than the master cache version.
  - 11. The method of claim 1, if the resource section for the resource is not present in the authorization document, comprising adding an expiration time to the local resource section, comprising a time for the user to access the resource.
  - 12. The method of claim 1, comprising adding an expiration time to the authorization document comprising a time for the user to access the authorization document.
  - 13. The method of claim 1, comprising modifying authorization in the resource section of the authorization document, comprising:
    - receiving a request to modify the authorization comprising;
      
      the resource identifier; and
      
      the principal ID;
      
      accessing the authorization document using the principal ID;
      
      accessing the resource section using the resource identifier; and
      
      saving the authorization document comprising the modified resource section in memory in the distributed memory store.

14. A system for providing resource authorization to users of a distributed memory store, comprising:
- a distributed memory store comprising memory components configured to store resource authorization data; and
  
  a user authorization component operably coupled with the distributed memory store, and configured to, upon user authentication, create an authorization document identified by a principal ID related to a user and comprising a global section configured to be propagated to memory components of the distributed memory store upon request, the user authorization component comprising;
  
  a resource checking component configured to authorize the user for a resource if a resource section, comprising resource authorization data, is present for the principal ID in the authorization document;
  
  a resource section creation component configured to create a local resource section in the authorization document for the resource, indicated by a resource identifier, by loading resource authorization data into the local resource section corresponding to the resource, if the resource section for the resource is not present in the authorization document; and
  
  an authorization caching component configured to save the authorization document, comprising the global section and the local resource section indicated by the resource identifier, locally for the resource in the distributed memory store.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The system of claim 14, the user authorization component configured to, upon user authentication:
    - create a session document indexed in memory of the distributed memory store by a session ID that comprises a reference to the authorization document for an authenticated user; and
      
      return the session ID to the user.
  - 16. The system of claim 15, the session document stored in memory of the distributed memory store and comprising an authorization document access component, the authorization document access component accessed by the session ID for a user'"'"'s session.
  - 17. The system of claim 14, comprising a backup store operably coupled with the distributed memory store, and configured to provide resource authorization data for a resource section in the authorization document.
  - 18. The system of claim 14, the distributed memory store comprising one or more of:
    - local cache;
      
      master cache for a cluster comprising the distributed memory store; and
      
      a master datacenter cache for the one or more clusters comprising the distributed memory store.
  - 19. The system of claim 14, the authorization document comprising, when stored locally for a resource:
    - the global section, comprising the principal ID and user-related information; and
      
      a resource section comprising resource authorization data for the local resource.

20. A method for providing resource authorization to users of a distributed memory store, comprising:
- upon user authentication;
  
  creating an authorization document comprising a global section comprising a principal ID and user-related information;
  
  creating a session document indexed in memory of the distributed memory store by a session ID, the session document comprising the principal ID that references the authorization document; and
  
  providing the session ID to the user; and
  
  authorizing the user for a resource, comprising;
  
  accessing the authorization document stored in a distributed memory store using the session ID that identifies an authorization document location;
  
  authorizing the user for the resource if a resource section, comprising resource authorization data, is present for the principal ID in the authorization document; and
  
  if the resource section is not present in the authorization document;
  
  creating a local resource section in the authorization document for the resource indicated by a resource identifier;
  
  loading resource authorization data into the local resource section corresponding to the resource;
  
  adding an expiration time to the local resource section; and
  
  saving the authorization document, comprising the global section and the local resource section indicated by the resource identifier, locally for the resource in the distributed memory store.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Copeland, Bruce W., Galvin, Thomas A.

Granted Patent

US 8,898,318 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/228
CPC Class Codes

G06F 15/16   Combinations of two or more...

G06F 9/46   Multiprogramming arrangements

G06F 9/5027   the resource being a machin...

H04L 41/5096   wherein the managed service...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 67/10   in which an application is ...

H04L 67/1097   for distributed storage of ...

DISTRIBUTED SERVICES AUTHORIZATION MANAGEMENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DISTRIBUTED SERVICES AUTHORIZATION MANAGEMENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links