Method and System for Identity-Based Authentication of Virtual Machines

US 20140282889A1
Filed: 03/14/2013
Published: 09/18/2014
Est. Priority Date: 03/14/2013
Status: Active Grant

First Claim

Patent Images

1. A cloud computing system, the system comprising:

a resource having configuration information;

a virtual machine instance operably coupled to the resource, wherein the virtual machine instance has an identity; and

an authentication manager configured to control access by the virtual machine instance to the resource based on the identity of the virtual machine instance.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A cloud computing system configured to run virtual machine instances is disclosed. The cloud computing system assigns an identity to each virtual machine instance. When the virtual machine instance accesses initial configuration resources, it provides this identity to the resources to authenticate itself. This allows for flexible and extensible initial configuration of virtual machine instances.

290 Citations

20 Claims

1. A cloud computing system, the system comprising:
- a resource having configuration information;
  
  a virtual machine instance operably coupled to the resource, wherein the virtual machine instance has an identity; and
  
  an authentication manager configured to control access by the virtual machine instance to the resource based on the identity of the virtual machine instance.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The cloud computing system of claim 1, wherein the identity is a MAC address.
  - 3. The cloud computing system of claim 1, wherein the resource is a second virtual machine instance.
  - 4. The cloud computing system of claim 1, wherein the resource is a metadata service configured to store configuration information.
  - 5. The cloud computing system of claim 1, wherein the resource is a network controller configured to provide network configuration information to the virtual machine instance.
  - 6. The cloud computing system of claim 1, wherein the authentication manager is further configured to allow a user to setup permissions for the identity, and to control access by the virtual machine instance to the resource based on the permissions.
  - 7. The cloud computing system of claim 1, wherein the authentication manager is further configured to allow a user to setup permissions for a group of identities.

8. A method for controlling access to a resource, the method comprising:
- instantiating a virtual machine instance;
  
  assigning an identity to the virtual machine instance;
  
  receiving a request for access to the resource from the virtual machine instance, the request including the identity of the virtual machine instance; and
  
  determining whether the virtual machine instance may access the resource based on the identity in the request.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, further comprising:
    - permitting the virtual machine instance to access the resource based on the result of the determining step.
  - 10. The method of claim 8, further comprising:
    - denying the virtual machine instance access to the resource based on the result of the determining step.
  - 11. The method of claim 8, further comprising:
    - receiving permission information from a user, the permission information defining access rights to the resource for the identity;
      
      wherein the determining step further includes determining whether the virtual machine instance may access the resource based on the permissions information.
  - 12. The method of claim 8, wherein the step of assigning an identity to the virtual machine instance is performed before the step of instantiating the virtual machine.
  - 13. The method of claim 8, wherein the step of assigning an identity to the virtual machine instance is performed after the step of instantiating the virtual machine.
  - 14. The method of claim 8, wherein assign the identity to the virtual machine instance includes assigning a MAC address to the virtual machine instance.

15. A method for controlling access of virtual machines to resources in a cloud computing system, the method comprising:
- receiving a request to instantiate a virtual machine instance;
  
  instantiating the virtual machine instance;
  
  assigning the virtual machine instance a unique, immutable attribute;
  
  performing an initial boot of the virtual machine instance;
  
  receiving a request from the virtual machine instance to access a resource, the request including the unique, immutable attribute;
  
  determining whether to allow or deny the request from the virtual machine instance to access the resource based on permissions configured for the unique, immutable attribute assigned to the virtual machine instance;
  
  if it is determined that the request should be allowed, transmitting a response to the virtual machine instance;
  
  if it is determined that the request should not be allowed, transmitting an error response to the virtual machine instance.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein assigning the unique, immutable attribute includes assigning a MAC address.
  - 17. The method of claim 15, wherein transmitting the response to the virtual machine instance includes transmitting supplemental authentication credentials.
  - 18. The method of claim 15, wherein the step of assigning an identity to the virtual machine instance is performed after the step of instantiating the virtual machine.
  - 19. The method of claim 15, wherein the step of assigning an identity to the virtual machine instance is performed before the step of instantiating the virtual machine.
  - 20. The method of claim 15, wherein determining whether to allow or deny the request includes determining whether the type of the request is included in a set of request types that are allowed for an access level associated with the unique, immutable attribute.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rackspace US Incorporated (Apollo Global Management, Inc.)
Original Assignee
Rackspace US Incorporated (Apollo Global Management, Inc.)
Inventors
Voccio, Paul, Ishaya, Vishvananda, Carlin, Erik

Granted Patent

US 9,027,087 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 9/45558   Hypervisor-specific managem...

G06F 9/468   Specific access rights for ...

G06F 9/5072   Grid computing

H04L 63/08   for authentication of entit...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 67/10   in which an application is ...

Method and System for Identity-Based Authentication of Virtual Machines

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

290 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and System for Identity-Based Authentication of Virtual Machines

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

290 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links