Method and apparatus for multi-tenant policy management in a network device

US 8,612,541 B2
Filed: 04/29/2011
Issued: 12/17/2013
Est. Priority Date: 04/29/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

in response to receipt of a request from a client to obtain an object stored by a server, said request being received at an intermediary device logically disposed between the client and the server, a transactor of the intermediary device opening a session for the request and referring the request to a policy administrator of the intermediary device for determining which of a plurality of tenants serviced by the intermediary device is a tenant associated with the client making the request;

upon determining the tenant associated with the client making the request, the policy administrator selecting a then-current tenant-specific policy by which the request is to be processed and providing the selected tenant-specific policy to the transactor;

instantiating the tenant-specific policy provided by the policy administrator as a policy ticket and thereafter the transactor and a policy evaluator cooperating to evaluate and process the request and any response thereto at one or more communication flow checkpoints according to rules reflected in the policy ticket.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communication between a client and an intermediary device on a network is evaluated at multiple communication flow checkpoints according to a tenant-specific policy current at the outset of the communication and selected according to an identification of a tenant with which the client is associated, the identified tenant being one of a plurality of tenants services by the intermediary device. Non-current policies are maintained by the intermediary device for use in connection with communications that have not yet been fully processed so that consistency of policy enforcement is maintained even if policies change while transactions are in process. Further, long-standing transactions may be reevaluated in light of changed policies to determine whether or not the transactions should be dropped.

43 Citations

View as Search Results

11 Claims

1. A method, comprising:
- in response to receipt of a request from a client to obtain an object stored by a server, said request being received at an intermediary device logically disposed between the client and the server, a transactor of the intermediary device opening a session for the request and referring the request to a policy administrator of the intermediary device for determining which of a plurality of tenants serviced by the intermediary device is a tenant associated with the client making the request;
  
  upon determining the tenant associated with the client making the request, the policy administrator selecting a then-current tenant-specific policy by which the request is to be processed and providing the selected tenant-specific policy to the transactor;
  
  instantiating the tenant-specific policy provided by the policy administrator as a policy ticket and thereafter the transactor and a policy evaluator cooperating to evaluate and process the request and any response thereto at one or more communication flow checkpoints according to rules reflected in the policy ticket.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein as each communication flow checkpoint is encountered, the processing of the request includes determining, by consulting the policy ticket, whether the request should be denied.
  - 3. The method of claim 2, wherein if the request is denied, then the transactor closing the session;
    - otherwise continuing to evaluate the request at each successive checkpoint, until processing of the request is complete.
  - 4. The method of claim 1, further comprising transferring data satisfying the request to the client after encountering a final checkpoint.

5. An apparatus, comprising:
- a processor;
  
  a storage device connected to the processor; and
  
  a set of instructions on the storage device that are executable by the processor, including;
  
  a policy administrator software subroutine configured to identify a particular tenant associated with a communication received at the apparatus, said particular tenant being one of a plurality of tenants serviced by the apparatus, and to select, based on said identification, a version of tenant-specific policy current at the beginning of the communication;
  
  a transactor software subroutine configured to receive from the policy administrator the selected version of the tenant-specific policy and facilitate progress of the communication through a plurality of communication flow checkpoints; and
  
  a policy evaluator software subroutine configured to process the communication at each of the checkpoints by cooperating with the transactor to receive the selected version of the tenant-specific policy and evaluate the communication according thereto at each of the checkpoints.
- View Dependent Claims (6, 7)
- - 6. The apparatus of claim 5, further comprising a software subroutine configured to retain non-current versions of tenant-specific policy used by incomplete transactions being processed by the apparatus.
  - 7. The apparatus of claim 5, further comprising a software subroutine configured to trigger re-evaluation of in-progress transactions when an associated tenant-specific policy is revised.

8. A method for managing policies within a network intermediary device, comprising:
- opening a network connection between a client and the network intermediary device when said connection is permitted by a tenant-specific policy comprising a first rule set relating to network connections, said tenant specific policy having been selected from among a plurality of policies each associated with respective ones of a plurality of tenants serviced by the network intermediary device;
  
  processing a transaction over the network connection according to at least one additional tenant-specific policy, said additional tenant-specific policy comprising a second rule set for processing data received at the intermediary device for the transaction, said second rule set being different from the first rule set, the transaction comprising a request received from the client over the network connection;
  
  upon completion of the transaction, closing the network connection when an evaluation determines that the connection should be closed, and not closing the connection when an evaluation determines that the connection should not be closed; and
  
  in the event the connection is not closed, reusing, subject to the at least one additional tenant-specific policy, the connection for further transactions with the client.
- View Dependent Claims (9, 10, 11)
- - 9. The method of claim 8, further comprising utilizing a policy ticket describing actions and properties to be taken during a communication, said actions and properties corresponding to a version of tenant-specific policy rules current at a beginning of the communication and updated thereafter, as the policy ticket is evaluated as the communication reaches a plurality of checkpoints defining a flow of the communication and according to determinations, at any of the plurality of checkpoints, of actions to be taken during the communication.
  - 10. The method of claim 9, wherein the communication is any one of a connection or a transaction.
  - 11. The method of claim 9, wherein determinations of actions to be taken during the communications comprise evaluations of the tenant-specific policy rules according to information stored on the policy ticket.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Blue Coat Systems Incorporated (Gen Digital Inc.)
Inventors
Maxted, Mark
Primary Examiner(s)
BOUTAH, ALINA A

Application Number

US13/098,268
Publication Number

US 20120278425A1
Time in Patent Office

963 Days
Field of Search

709/217, 709/223, 709/225, 709/227, 726/1
US Class Current

709/217
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/0281 Proxies

Method and apparatus for multi-tenant policy management in a network device

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

43 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for multi-tenant policy management in a network device

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links