APPLYING HOST ACCESS CONTROL RULES FOR DATA USED IN APPLICATION CONTAINERS

US 20180247064A1
Filed: 02/24/2017
Published: 08/30/2018
Est. Priority Date: 02/24/2017
Status: Active Grant

First Claim

Patent Images

1. A method for applying host access control rules for application containers, by a processor device, comprising:

extracting a first set of user identifiers and permissions from a temporary container;

extracting a second set of user identifiers and permissions from a host on which a working container will reside;

combining the first set and the second set of user identifiers and permissions into an aggregate set of user identifiers and permissions; and

injecting the aggregate set of user identifiers and permissions into the working container.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments for applying host access control rules for application containers by one or more processors. A first set of user identifiers and permissions is extracted from a temporary container and a second set of user identifiers and permissions is extracted from a host on which a working container will reside. The first set and the second set of user identifiers and permissions are combined into an aggregate set of user identifiers and permissions and injected into the working container.

80 Citations

21 Claims

1. A method for applying host access control rules for application containers, by a processor device, comprising:
- extracting a first set of user identifiers and permissions from a temporary container;
  
  extracting a second set of user identifiers and permissions from a host on which a working container will reside;
  
  combining the first set and the second set of user identifiers and permissions into an aggregate set of user identifiers and permissions; and
  
  injecting the aggregate set of user identifiers and permissions into the working container.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the temporary container is started based on an equivalent application template or container template as the working container, and the first set of user identifiers and permissions is extracted and cached by examining runtime information of the temporary container;
    - andthe aggregate set of user identifiers and permissions is injected into the working container prior to commencing execution of an application inside the working container.
  - 3. The method of claim 1, further including combining an execution user of the working container with a list of intended users extracted from the temporary container into an input list of user identifiers, the input list of user identifiers used as input to an information injection agent;
    - andreceiving as output of the information injection agent user-related information for each of the user identifiers in the input list including at least one of a user name, a user identification (ID), a primary group ID, and an associated group ID.
  - 4. The method of claim 3, further including, for each user specified in the input to the information injection agent, determining whether each user exists as a user on the host;
    - andif a user is determined not to exist as the user on the host, determining if the user is a critical user;
      
      wherein if the user is a critical user, the extraction and combination of the first and second set of user identifications and permissions is aborted.
  - 5. The method of claim 4, further including, if the user is determined to exist as the user on the host, identifying whether the user is a local user or a Lightweight Directory Access Protocol (LDAP) user;
    - wherein the user-related information for each of the second set of user identifiers and permissions of the host is queried from a local user database if the user is the local user or a LDAP database if the user is the LDAP user.
  - 6. The method of claim 1, further including, upon combining the first set and the second set of user identifiers and permissions, searching for and removing duplicate users within the first and second set of user identifiers and permissions;
    - andsubsequent to removing the duplicate users, resolving any conflicted entries within the first and second set of user identifiers and permissions by performing at least one of;
      
      defaulting to using any user entries from the second set of user identifiers and permissions from the host in the aggregate set of user identifiers and permissions; and
      
      using any user entries having an importance value over a predetermined threshold in the aggregate set of user identifiers and permissions.
  - 7. The method of claim 2, wherein injecting the aggregate set of user identifiers and permissions into the working container includes writing the aggregate set of user identifiers and permissions to at least one file, the at least one file used to perform at least one of:
    - updating at least one of the application template and the container template used by the working container; and
      
      mounting a data volume into the working container, wherein the data volume includes the at least one file.

8. A system for applying host access control rules for application containers, the system comprising:
- a processor device executing instructions stored in a memory, wherein the processor device;
  
  extracts a first set of user identifiers and permissions from a temporary container;
  
  extracts a second set of user identifiers and permissions from a host on which a working container will reside;
  
  combines the first set and the second set of user identifiers and permissions into an aggregate set of user identifiers and permissions; and
  
  injects the aggregate set of user identifiers and permissions into the working container.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the temporary container is started based on an equivalent application template or container template as the working container, and the first set of user identifiers and permissions is extracted and cached by examining runtime information of the temporary container;
    - andthe aggregate set of user identifiers and permissions is injected into the working container prior to commencing execution of an application inside the working container.
  - 10. The system of claim 8, wherein the processor device combines an execution user of the working container with a list of intended users extracted from the temporary container into an input list of user identifiers, the input list of user identifiers used as input to an information injection agent;
    - andreceives as output of the information injection agent user-related information for each of the user identifiers in the input list including at least one of a user name, a user identification (ID), a primary group ID, and an associated group ID.
  - 11. The system of claim 10, wherein the processor device, for each user specified in the input to the information injection agent, determines whether each user exists as a user on the host;
    - andif a user is determined not to exist as the user on the host, determines if the user is a critical user;
      
      wherein if the user is a critical user, the extraction and combination of the first and second set of user identifications and permissions is aborted.
  - 12. The system of claim 11, wherein the processor device, if the user is determined to exist as the user on the host, identifies whether the user is a local user or a Lightweight Directory Access Protocol (LDAP) user;
    - wherein the user-related information for each of the second set of user identifiers and permissions of the host is queried from a local user database if the user is the local user or a LDAP database if the user is the LDAP user.
  - 13. The system of claim 8, wherein the processor device, upon combining the first set and the second set of user identifiers and permissions, searches for and removes duplicate users within the first and second set of user identifiers and permissions;
    - andsubsequent to removing the duplicate users, resolves any conflicted entries within the first and second set of user identifiers and permissions by performing at least one of;
      
      defaulting to using any user entries from the second set of user identifiers and permissions from the host in the aggregate set of user identifiers and permissions; and
      
      using any user entries having an importance value over a predetermined threshold in the aggregate set of user identifiers and permissions.
  - 14. The system of claim 9, wherein injecting the aggregate set of user identifiers and permissions into the working container includes writing the aggregate set of user identifiers and permissions to at least one file, the at least one file used to perform at least one of:
    - updating at least one of the application template and the container template used by the working container; and
      
      mounting a data volume into the working container, wherein the data volume includes the at least one file.

15. A computer program product for applying host access control rules for application containers, by a processor device, the computer program product embodied on a non-transitory computer-readable storage medium having computer-readable program code portions stored therein, the computer-readable program code portions comprising:
- an executable portion that extracts a first set of user identifiers and permissions from a temporary container;
  
  an executable portion that extracts a second set of user identifiers and permissions from a host on which a working container will reside;
  
  an executable portion that combines the first set and the second set of user identifiers and permissions into an aggregate set of user identifiers and permissions; and
  
  an executable portion that injects the aggregate set of user identifiers and permissions into the working container.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer program product of claim 15, wherein the temporary container is started based on an equivalent application template or container template as the working container, and the first set of user identifiers and permissions is extracted and cached by examining runtime information of the temporary container;
    - andthe aggregate set of user identifiers and permissions is injected into the working container prior to commencing execution of an application inside the working container.
  - 17. The computer program product of claim 15, further including an executable portion that combines an execution user of the working container with a list of intended users extracted from the temporary container into an input list of user identifiers, the input list of user identifiers used as input to an information injection agent;
    - andan executable portion that receives as output of the information injection agent user-related information for each of the user identifiers in the input list including at least one of a user name, a user identification (ID), a primary group ID, and an associated group ID.
  - 18. The computer program product of claim 17, further including an executable portion that, for each user specified in the input to the information injection agent, determines whether each user exists as a user on the host;
    - andan executable portion that, if a user is determined not to exist as the user on the host, determines if the user is a critical user;
      
      wherein if the user is a critical user, the extraction and combination of the first and second set of user identifications and permissions is aborted.
  - 19. The computer program product of claim 18, further including an executable portion that, if the user is determined to exist as the user on the host, identifies whether the user is a local user or a Lightweight Directory Access Protocol (LDAP) user;
    - wherein the user-related information for each of the second set of user identifiers and permissions of the host is queried from a local user database if the user is the local user or a LDAP database if the user is the LDAP user.
  - 20. The computer program product of claim 15, further including an executable portion that, upon combining the first set and the second set of user identifiers and permissions, searches for and removes duplicate users within the first and second set of user identifiers and permissions;
    - andan executable portion that, subsequent to removing the duplicate users, resolves any conflicted entries within the first and second set of user identifiers and permissions by performing at least one of;
      
      defaulting to using any user entries from the second set of user identifiers and permissions from the host in the aggregate set of user identifiers and permissions; and
      
      using any user entries having an importance value over a predetermined threshold in the aggregate set of user identifiers and permissions.
  - 21. The computer program product of claim 16, wherein injecting the aggregate set of user identifiers and permissions into the working container includes writing the aggregate set of user identifiers and permissions to at least one file, the at least one file used to perform at least one of:
    - updating at least one of the application template and the container template used by the working container; and
      
      mounting a data volume into the working container, wherein the data volume includes the at least one file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
ARONOVICH, Lior, MA, Shibin I.

Granted Patent

US 10,691,816 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 16/24552   Database cache management

G06F 21/604   Tools and structures for ma...

G06F 21/6209   to a single file or object,...

APPLYING HOST ACCESS CONTROL RULES FOR DATA USED IN APPLICATION CONTAINERS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

80 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

APPLYING HOST ACCESS CONTROL RULES FOR DATA USED IN APPLICATION CONTAINERS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

80 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links