System and method for controlling access to web services resources

US 8,447,829 B1
Filed: 02/10/2006
Issued: 05/21/2013
Est. Priority Date: 02/10/2006
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

one or more computers configured to provide a web service via a web services interface, wherein the web service is accessible via the interface to create a plurality of different web services resources for a plurality of different owners, wherein each web services resource is accessible via the interface;

a storage medium configured to store instructions; and

one or more processors configured to access said storage medium, wherein said instructions are executable by at least one of said one or more processors to implement a web services access control system, wherein said web services access control system is configured to;

provide access control for owners of web services resources to specify access control rights for the owners'"'"' respective web services resources;

receive, via the web services interface, grant requests from different owners of different web services resources accessible via the web service to grant different access types to different principals for the different web services resources of the respective owners;

in response to receiving said grant requests, generate in a data store an access control entry for each request that corresponds to a principal, a resource, and an access type specified in the grant request;

receive requests from different principals via the web services interface, wherein each request specifies one or more access operations to be performed;

for each received request;

identify a web services resource;

identify a principal; and

determine whether an access control entry exists in said data store that comprises;

a resource identifier matching said web services resource identified;

a principal identifier matching said principal identified; and

an access type identifying one or more access types sufficient to perform said one or more access operations specified by said received request; and

based at least in part on a determination that said access control entry does not exist for a given received request, deny said given received request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for controlling access to web services resources. A system may include a storage medium configured to store instructions and one or more processors configured to access the storage medium. The instructions may be executable by at least one of the processors to implement a web services access control system (ACS) configured to receive requests. Each request specifies an access operation to be performed with respect to a corresponding resource. Each of the requests is associated with a corresponding principal. For each received request, the ACS may be further configured to determine whether an access control entry exists that is associated with both the resource and principal associated with the request and that specifies an access type sufficient to perform the access operation. If no such entry exists, the ACS may deny the request.

139 Citations

48 Claims

1. A system, comprising:
- one or more computers configured to provide a web service via a web services interface, wherein the web service is accessible via the interface to create a plurality of different web services resources for a plurality of different owners, wherein each web services resource is accessible via the interface;
  
  a storage medium configured to store instructions; and
  
  one or more processors configured to access said storage medium, wherein said instructions are executable by at least one of said one or more processors to implement a web services access control system, wherein said web services access control system is configured to;
  
  provide access control for owners of web services resources to specify access control rights for the owners'"'"' respective web services resources;
  
  receive, via the web services interface, grant requests from different owners of different web services resources accessible via the web service to grant different access types to different principals for the different web services resources of the respective owners;
  
  in response to receiving said grant requests, generate in a data store an access control entry for each request that corresponds to a principal, a resource, and an access type specified in the grant request;
  
  receive requests from different principals via the web services interface, wherein each request specifies one or more access operations to be performed;
  
  for each received request;
  
  identify a web services resource;
  
  identify a principal; and
  
  determine whether an access control entry exists in said data store that comprises;
  
  a resource identifier matching said web services resource identified;
  
  a principal identifier matching said principal identified; and
  
  an access type identifying one or more access types sufficient to perform said one or more access operations specified by said received request; and
  
  based at least in part on a determination that said access control entry does not exist for a given received request, deny said given received request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system as recited in claim 1, wherein a given one of said requests is submitted by one of one or more web services clients on behalf of a principal corresponding to said given received request.
  - 3. The system as recited in claim 1, wherein a given one of said requests is received by said web services access control system via a web services interface.
  - 4. The system as recited in claim 1, wherein a given one of said requests corresponding to a particular web services resource is received by said web services access control system from said particular web services resource.
  - 5. The system as recited in claim 1, wherein to determine whether said access control entry exists, said web services access control system is further configured to submit a query to said data store.
  - 6. The system as recited in claim 5, wherein said data store comprises:
    - a plurality of storage hosts each configured to store and retrieve structured data records, wherein said structured data records include said access control entries; and
      
      a data store manager configured to;
      
      receive a request from said web services access control system to store a structured data record;
      
      in response to receiving said request, map said structured data record to a block according to a partition key value of said structured data record;
      
      map said block to a subset comprising at least two of said plurality of storage hosts; and
      
      upon successfully storing said structured data record to said block within at least two storage hosts within said subset, return to said web services access control system an indication that said request is complete.
  - 7. The system as recited in claim 5, wherein a given one of said plurality of access control entries specifies a resource identifier of a given one of said resources, an access identifier of a given one of said one or more principals, and one or more access types.
  - 8. The system as recited in claim 7, wherein said resource identifier includes a Uniform Resource Indicator (URI) corresponding to said given web services resource.
  - 9. The system as recited in claim 7, wherein said access identifier includes an indication of a principal identifier and an indication of a particular one of one or more subject pools within which said principal identifier is defined.
  - 10. The system as recited in claim 1, wherein said web services access control system is further configured to:
    - receive a grant request to grant a particular access type to a given one of said principals for a given one of said resources, wherein said grant request is submitted on behalf of an owner of said given resource; and
      
      in response to receiving said grant request, generate an access control entry that corresponds to said given principal and said given resource, and that specifies said particular access type.
  - 11. The system as recited in claim 1, wherein said web services access control system is further configured to:
    - receive a revoke request to revoke a particular access type from a given one of said principals for a given one of said resources, wherein said revoke request is submitted on behalf of an owner of said given resource; and
      
      in response to receiving said revoke request, delete an access control entry that corresponds to said given principal and said given resource, and that specifies said particular access type.
  - 12. The system as recited in claim 1, wherein said web services resource corresponding to said received request is configured as a child of a parent web services resource, and wherein to determine whether said access control entry exists, said web services access control system is further configured to determine whether an access control entry exists that corresponds to said parent web services resource and said identified principal, and that specifies one or more access types, wherein said one or more access types are sufficient to perform said one or more access operations specified by said received request.
  - 13. The system as recited in claim 1, wherein to determine whether an access control entry exists, said web services access control system is further configured to:
    - determine whether said principal is a member of a group of principals; and
      
      in response to determining that said principal is a member of said group, determine whether an access control entry exists that is associated with both said web services resource corresponding to said received request and said group, and that specifies one or more access types, wherein said one or more access types of the respective access control entry are sufficient to perform said one or more access operations specified by said received request.
  - 14. The system as recited in claim 13, wherein membership information of said group is implemented as a web services resource.
  - 15. The system as recited in claim 1, wherein a given one of said requests is received as a command formatted according to a version of Hypertext Transfer Protocol (HTTP), wherein parameters of said given request are formatted as components of said command.
  - 16. The system as recited in claim 1, wherein a given one of said requests is received as a document formatted according to a version of eXtensible Markup Language (XML), wherein parameters of said given request are formatted as elements included in said document.
  - 17. The system as recited in claim 16, wherein said document is encapsulated according to a version of SOAP protocol or Simple Object Access Protocol.
  - 18. The system as recited in claim 1, wherein the web services interface is further configured to:
    - receive a given one of said requests;
      
      receive credential information indicating an identity of a principal corresponding to said given request;
      
      attempt to authenticate said credential information; and
      
      in response to successfully authenticating said credential information, forward said given request to said web services access control system.

19. A method, comprising:
- providing a web service via a web services interface, wherein the web service is accessible via the interface to host a plurality of different web services resources for a plurality of different owners, wherein each web services resource is accessible via the interface;
  
  providing access control for owners of web services resources to specify access control rights for the owners'"'"' respective web services resources;
  
  receiving, via the web services interface, grant requests from different owners of different web services resources accessible via the web service to grant different access types to different principals for the different web services resources of the respective owners;
  
  in response to receiving said grant requests, generating in a data store an access control entry for each request that corresponds to a principal, a resource, and an access type specified in the grant request;
  
  receiving requests from different principals via the web services interface, wherein each request specifies one or more access operations to be performed;
  
  for each received request;
  
  identify a web services resource;
  
  identify a principal; and
  
  determining, using a computer, whether an access control entry exists in the data store that comprises;
  
  a resource identifier matching said web services resource identified;
  
  a principal identifier matching said principal identified; and
  
  an access type identifying one or more access types sufficient to perform said one or more access operations specified by said received request,wherein said data store comprises a plurality of access control entries, each entry comprising;
  
  a resource identifier identifying a particular resource to be accessed;
  
  a principal identifier uniquely identifying a principal; and
  
  an access type identifying one or more access types indicative of one or more access types allowed by the associated principal to the particular resource; and
  
  based at least in part on a determination that said access control entry does not exist for a given received request, denying said given received request.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 20. The method as recited in claim 19, wherein a given one of said requests is submitted by one of one or more web services clients on behalf of a principal corresponding to said given received request.
  - 21. The method as recited in claim 19, wherein receiving a given one of said requests comprises receiving said given request via a web services interface.
  - 22. The method as recited in claim 19, wherein receiving a given one of said requests corresponding to a particular web services resource comprises receiving said given request from said particular web services resource.
  - 23. The method as recited in claim 19, wherein determining whether said access control entry exists further comprises submitting a query to said data store.
  - 24. The method as recited in claim 23, further comprising submitting to said data store a request to store a structured data record including one of said access control entries, wherein said data store is further configured to:
    - in response to receiving said request, map said structured data record to a block according to a partition key value of said structured data record;
      
      map said block to a subset comprising at least two of a plurality of storage hosts; and
      
      upon successfully storing said structured data record to said block within at least two storage hosts within said subset, return an indication that said request is complete.
  - 25. The method as recited in claim 24, wherein a given one of said plurality of access control entries specifies a resource identifier of a given one of said resources, an access identifier of a given one of said one or more principals, and one or more access types.
  - 26. The method as recited in claim 25, wherein said resource identifier includes a Uniform Resource Indicator (URI) corresponding to said given web services resource.
  - 27. The method as recited in claim 25, wherein said access identifier includes an indication of a principal identifier and an indication of a particular one of one or more subject pools within which said principal identifier is defined.
  - 28. The method as recited in claim 19, further comprising:
    - receiving a grant request to grant a particular access type to a given one of said principals for a given one of said resources, wherein said request is submitted on behalf of an owner of said given resource; and
      
      in response to receiving said grant request, generating an access control entry that corresponds to said given principal and said given resource, and that specifies said particular access type.
  - 29. The method as recited in claim 19, further comprising:
    - receiving a revoke request to revoke a particular access type from a given one of said principals for a given one of said resources, wherein said request is submitted on behalf of an owner of said given resource; and
      
      in response to receiving said revoke request, deleting an access control entry that corresponds to said given principal and said given resource, and that specifies said particular access type.
  - 30. The method as recited in claim 19, wherein said web services resource corresponding to said received request is configured as a child of a parent web services resource, and wherein determining whether said access control entry exists further comprises determining whether an access control entry exists that corresponds to said parent web services resource and said identified principal, and that specifies one or more access types, wherein said one or more access types are sufficient to perform said one or more access operations specified by said received request.
  - 31. The method as recited in claim 19, wherein determining whether an access control entry exists further comprises:
    - determining whether said principal is a member of a group of principals; and
      
      in response to determining that said principal is a member of said group, determining whether an access control entry exists that is associated with both said web services resource corresponding to said received request and said group, and that specifies one or more access types, wherein said one or more access types of the respective access control entry are sufficient to perform said one or more access operations specified by said received request.
  - 32. The method as recited in claim 31, wherein membership information of said group is implemented as a web services resource.
  - 33. The method as recited in claim 19, further comprising receiving a given one of said requests as a command formatted according to a version of Hypertext Transfer Protocol (HTTP), wherein parameters of said given request are formatted as components of said command.
  - 34. The method as recited in claim 19, further comprising receiving a given one of said requests as a document formatted according to a version of eXtensible Markup Language (XML), wherein parameters of said given request are formatted as elements included in said document.
  - 35. The method as recited in claim 34, wherein said document is encapsulated according to a version of SOAP protocol or Simple Object Access Protocol.
  - 36. The method as recited in claim 19, further comprising:
    - receiving credential information indicating an identity of a principal corresponding to a given one of said requests; and
      
      attempting to authenticate said credential information;
      
      wherein said determining whether an access control entry exists is dependent upon successfully authenticating said credential information.

37. A system, comprising:
- a web services interface configured to receive a web services request from a web services client, wherein said web services request specifies;
  
  a principal;
  
  a web services resource; and
  
  an access operation,wherein said access operation is requested to be performed with respect to said web services resource on behalf of said principal;
  
  a data store comprising a plurality of access control entries each comprising;
  
  a resource identifier identifying a particular resource to be accessed;
  
  a principal identifier uniquely identifying a principal; and
  
  an access type identifying one or more access types allowed by the associated principal to the particular resource; and
  
  a web services access control system comprising one or more computers configured to;
  
  provide access control for the owners of network resources to specify access control rights for the owners'"'"' respective resources;
  
  receive, via the web services interface, grant requests from different owners of different network resources to grant different access types to different principals for the different resources of the respective owners;
  
  in response to receiving said grant requests, generate in the data store an access control entry for each request that corresponds to a principal, a resource, and an access type specified in the grant request;
  
  receive said web services request from said web services interface;
  
  in response to receiving said web services request, access said data store to determine whether said principal has sufficient access privileges to perform said access operation with respect to said web services resource; and
  
  return an indication to said web services client of whether or not said principal has sufficient access privileges to perform said access operation with respect to said web services resource.
- View Dependent Claims (38, 39, 40, 41, 42)
- - 38. The system as recited in claim 37, wherein to determine whether said principal has sufficient access privileges to perform said access operation with respect to said web services resource, said web services access control system is further configured to:
    - determine whether an access control entry exists in said data store that comprises;
      
      a resource identifier matching said web services resource corresponding to said received web services request;
      
      a principal identifier matching said corresponding principal associated with said received web services request; and
      
      an access type identifying one or more access types sufficient to perform said access operation with respect to said web services resource;
      
      determine that said principal has sufficient access privileges to perform said access operation based on a determination that said access control entry exists; and
      
      determine that said principal does not have sufficient access privileges to perform said access operation based on a determination that said access control entry does not exist.
  - 39. The system as recited in claim 38, wherein to determine whether said access control entry exists, said web services access control system is further configured to submit a query to said data store configured to store a plurality of access control entries.
  - 40. The system as recited in claim 39, wherein said data store comprises:
    - a plurality of storage hosts each configured to store and retrieve structured data records, wherein said structured data records include said access control entries; and
      
      a data store manager configured to;
      
      receive a request from said web services access control system to store a structured data record;
      
      in response to receiving said request, map said structured data record to a block according to a partition key value of said structured data record;
      
      map said block to a subset comprising at least two of said plurality of storage hosts; and
      
      upon successfully storing said structured data record to said block within at least two storage hosts within said subset, return to said web services access control system an indication that said request is complete.
  - 41. The system as recited in claim 37, wherein said web services access control system is further configured to:
    - receive, via said web services interface, a grant request to grant a particular access type to said principal for said web services resource, wherein said grant request is submitted on behalf of an owner of said web services resource; and
      
      in response to receiving said grant request, generate an access control entry that corresponds to said principal and said web services resource, and that specifies said particular access type.
  - 42. The system as recited in claim 37, wherein said web services access control system is further configured to:
    - receive, via said web services interface, a revoke request to revoke a particular access type from said principal for said web services resource, wherein said revoke request is submitted on behalf of an owner of said web services resource; and
      
      in response to receiving said revoke request, delete an access control entry that corresponds to said principal and said web services resource, and that specifies said particular access type.

43. A method, comprising:
- providing, via a web services interface, access control for owners of network resources to specify access control rights for the owners'"'"' respective resources;
  
  receive, via the web services interface, grant requests from different owners of different network resources to grant different access types to different principals for the different resources of the respective owners;
  
  in response to receiving said grant requests, generate in a data store an access control entry for each request that corresponds to a principal, a resource, and an access type specified in the grant request;
  
  receiving, via the web services interface, a web services request from a web services client, wherein said web services request specifies;
  
  a principal;
  
  a web services resource; and
  
  an access operation,wherein said access operation is requested to be performed with respect to said web services resource on behalf of said principal;
  
  in response to receiving said web services request, a computer accessing the data store for determining whether said principal has sufficient access privileges to perform said access operation with respect to said web services resource, wherein said data store comprises a plurality of access control entries, each entry comprising;
  
  a resource identifier identifying a particular resource to be accessed;
  
  a principal identifier uniquely identifying a principal corresponding to at least one uniquely identifiable entity; and
  
  an access type identifying one or more access types allowed by the associated principal to the particular resource; and
  
  returning an indication to said web services client of whether or not said principal has sufficient access privileges to perform said access operation with respect to said web services resource.
- View Dependent Claims (44, 45, 46, 47, 48)
- - 44. The method as recited in claim 43, wherein determining whether said principal has sufficient access privileges to perform said access operation with respect to said web services resource further comprises:
    - determining whether an access control entry exists in said data store that comprises;
      
      a resource identifier matching said web services resource;
      
      a principal identifier matching said principal; and
      
      an access type identifying one or more access types sufficient to perform said access operation with respect to said web services resource;
      
      determining that said principal has sufficient access privileges to perform said access operation based on a determination that said access control entry exists; and
      
      determining that said principal does not have sufficient access privileges to perform said access operation based on a determination that said access control entry does not exist.
  - 45. The method as recited in claim 44, wherein determining whether said access control entry exists further comprises submitting a query to said data store configured to store a plurality of access control entries.
  - 46. The method as recited in claim 45, further comprising submitting to said data store a request to store a structured data record including one of said access control entries, wherein said data store is further configured to:
    - in response to receiving said request, map said structured data record to a block according to a partition key value of said structured data record;
      
      map said block to a subset comprising at least two of a plurality of storage hosts; and
      
      upon successfully storing said structured data record to said block within at least two storage hosts within said subset, return an indication that said request is complete.
  - 47. The method as recited in claim 43, further comprising:
    - receiving, via a web services interface, a grant request to grant a particular access type to said principal for said web services resource, wherein said grant request is submitted on behalf of an owner of said web services resource; and
      
      in response to receiving said grant request, generating an access control entry that corresponds to said principal and said web services resource, and that specifies said particular access type.
  - 48. The method as recited in claim 43, further comprising:
    - receiving, via a web services interface, a revoke request to revoke a particular access type from said principal for said web services resource, wherein said revoke request is submitted on behalf of an owner of said web services resource; and
      
      in response to receiving said revoke request, deleting an access control entry that corresponds to said principal and said web services resource, and that specifies said particular access type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Geller, Alan S., Singh, Rahul
Primary Examiner(s)
CHRISTENSEN, SCOTT B

Application Number

US11/351,904
Time in Patent Office

2,657 Days
Field of Search

709/220, 709/222, 709/223, 709/225, 707/1, 707/2, 707/9, 726/1, 726/2, 726/3, 726/4, 726/16, 726/17, 726/21
US Class Current

709/217
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 9/468   Specific access rights for ...

H04L 47/70   Admission control; Resource...

H04L 63/101   Access control lists [ACL]

H04L 67/10   in which an application is ...

H04L 9/3239   involving non-keyed hash fu...

System and method for controlling access to web services resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

139 Citations

48 Claims

Specification

Use Cases

Quick Links

Others

System and method for controlling access to web services resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

139 Citations

48 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others