Method and apparatus for multi-tenant policy management in a network device
Abstract
A communication between a client and an intermediary device on a network is evaluated at multiple communication flow checkpoints according to a tenant-specific policy current at the outset of the communication and selected according to an identification of a tenant with which the client is associated, the identified tenant being one of a plurality of tenants serviced by the intermediary device. Non-current policies are maintained by the intermediary device for use in connection with communications that have not yet been fully processed so that consistency of policy enforcement is maintained even if policies change while transactions are in process. Further, long-standing transactions may be reevaluated in light of changed policies to determine whether or not the transactions should be dropped.
11 Claims
1. A method, comprising:

in response to receipt of a request from a client to obtain an object stored by a server, said request being received at an intermediary device logically disposed between the client and the server, a transactor of the intermediary device opening a session for the request and referring the request to a policy administrator of the intermediary device for determining which of a plurality of tenants serviced by the intermediary device is a tenant associated with the client making the request;

upon determining the tenant associated with the client making the request, the policy administrator selecting a then-current tenant-specific policy by which the request is to be processed and providing the selected tenant-specific policy to the transactor;

instantiating the tenant-specific policy provided by the policy administrator as a policy ticket and thereafter the transactor and a policy evaluator cooperating to evaluate and process the request and any response thereto at one or more communication flow checkpoints according to rules reflected in the policy ticket.

Dependent claims: 2, 3, 4.

5. An apparatus, comprising:

a processor;

a storage device connected to the processor; and

a set of instructions on the storage device that are executable by the processor, including:

a policy administrator software subroutine configured to identify a particular tenant associated with a communication received at the apparatus, said particular tenant being one of a plurality of tenants serviced by the apparatus, and to select, based on said identification, a version of tenant-specific policy current at the beginning of the communication;

a transactor software subroutine configured to receive from the policy administrator the selected version of the tenant-specific policy and facilitate progress of the communication through a plurality of communication flow checkpoints; and

a policy evaluator software subroutine configured to process the communication at each of the checkpoints by cooperating with the transactor to receive the selected version of the tenant-specific policy and evaluate the communication according thereto at each of the checkpoints.

Dependent claims: 6, 7.

8. A method for managing policies within a network intermediary device, comprising:

opening a network connection between a client and the network intermediary device when said connection is permitted by a tenant-specific policy comprising a first rule set relating to network connections, said tenant-specific policy having been selected from among a plurality of policies each associated with respective ones of a plurality of tenants serviced by the network intermediary device;

processing a transaction over the network connection according to at least one additional tenant-specific policy, said additional tenant-specific policy comprising a second rule set for processing data received at the intermediary device for the transaction, said second rule set being different from the first rule set, the transaction comprising a request received from the client over the network connection;

upon completion of the transaction, closing the network connection when an evaluation determines that the connection should be closed, and not closing the connection when an evaluation determines that the connection should not be closed; and

in the event the connection is not closed, reusing, subject to the at least one additional tenant-specific policy, the connection for further transactions with the client.

Dependent claims: 9, 10, 11.
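The mechanism described in the abstract and in claims 1 and 5, as an added Python sketch that is not the patent's own implementation: a policy administrator maps a client to its tenant and publishes versioned tenant policies, a transactor pins the version current at session open as the policy ticket, checkpoints are evaluated against that ticket even after a newer version is published, and a long-standing session can be reevaluated against the now-current policy. The component names come from the claims; the client-to-tenant map, rule contents, checkpoint names and version numbers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Rule = Callable[[dict], bool]            # True means the message passes this rule

@dataclass(frozen=True)
class Policy:
    version: int
    rules: Dict[str, List[Rule]]         # checkpoint name -> rules evaluated there

class PolicyAdministrator:
    """Maps a client to its tenant and hands out that tenant's current policy."""
    def __init__(self, client_tenant: Dict[str, str]):
        self._client_tenant = client_tenant      # constructed: client addr -> tenant id
        self._current: Dict[str, Policy] = {}
    def publish(self, tenant: str, policy: Policy) -> None:
        self._current[tenant] = policy           # only the live version changes
    def current_for(self, client: str) -> Policy:
        return self._current[self._client_tenant[client]]

class Transactor:
    """Opens sessions, pins a policy ticket at the outset, evaluates checkpoints."""
    def __init__(self, admin: PolicyAdministrator):
        self.admin = admin
    def open_session(self, client: str) -> dict:
        # The ticket is the Policy object current now; later publishes never touch it.
        return {"client": client, "ticket": self.admin.current_for(client)}
    @staticmethod
    def checkpoint(session: dict, name: str, msg: dict) -> bool:
        return all(rule(msg) for rule in session["ticket"].rules.get(name, []))
    def reevaluate(self, session: dict, name: str, msg: dict) -> bool:
        # Long-standing transaction re-checked against the now-current policy.
        fresh = self.admin.current_for(session["client"])
        return all(rule(msg) for rule in fresh.rules.get(name, []))

def demo() -> dict:
    admin = PolicyAdministrator({"10.0.0.5": "acme", "10.0.1.9": "globex"})
    admin.publish("acme", Policy(1, {"request": [lambda m: not m["path"].startswith("/admin")]}))
    admin.publish("globex", Policy(1, {"response": [lambda m: m["size"] <= 1000]}))
    tx = Transactor(admin)
    old = tx.open_session("10.0.0.5")            # acme session pinned to version 1
    # Policy change while the session is in flight: acme version 2 also blocks /downloads.
    admin.publish("acme", Policy(2, {"request": [
        lambda m: not m["path"].startswith(("/admin", "/downloads"))]}))
    req = {"path": "/downloads/tool.exe"}
    new = tx.open_session("10.0.0.5")            # fresh session picks up version 2
    return {
        "old_session_version": old["ticket"].version,
        "old_request_allowed": tx.checkpoint(old, "request", req),     # still version 1
        "new_session_version": new["ticket"].version,
        "new_request_allowed": tx.checkpoint(new, "request", req),     # version 2 blocks
        "old_reevaluated": tx.reevaluate(old, "request", req),         # would be dropped
        "globex_isolated": tx.checkpoint(tx.open_session("10.0.1.9"), "request", req),
    }
```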
Specification