Highly parallel evaluation of XACML policies
First Claim
1. A method comprising:
at an application service appliance device, receiving a request from a client device to access an application server;
extracting from the request a plurality of attributes comprising a user attribute identifying a user of the client device and an environment attribute identifying an environment associated with the user;
performing a plurality of individual searches concurrently, one for each of the attributes, in order to generate a plurality of individual search results, for one or more policies in a policy store to determine whether the policies, when compared to a corresponding one of the attributes, indicate that the client device is authorized to access the application server, wherein each of the policies is grouped into one or more policy sets and each policy has a plurality of child rules, and wherein a combining algorithm of each of the policies specifies that when one of the child rules produces an evaluation result, a corresponding policy also produces a same evaluation result without having to further evaluate the request;
combining the plurality of individual search results associated with the attributes;
generating a single final result from the combining;
determining whether the client device is eligible to access the application server based on the single final result; and
performing an open system interconnection (OSI) layer-7 access control process on packets of the request from the client device.
Abstract
Techniques for highly parallel evaluation of XACML policies are described herein. In one embodiment, attributes are extracted from a request for accessing a resource including at least one of a user attribute and an environment attribute. Multiple individual searches are concurrently performed, one for each of the extracted attributes, in a policy store having stored therein rules and policies written in XACML, where the rules and policies are optimally stored using a bit vector algorithm. The individual search results associated with the attributes are then combined to generate a single final result using a predetermined policy combination algorithm. It is then determined whether the client is eligible to access the requested resource of the datacenter based on the single final result, including performing a layer-7 access control process, where the network element operates as an application service gateway to the datacenter. Other methods and apparatuses are also described.
Claims (22)
1. (Independent claim; given in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A machine-readable storage device having instructions stored therein, which when executed by a processor, cause the processor to:
extract from a request received from a client device to access an application server a plurality of attributes comprising a user attribute identifying a user of the client device and an environment attribute identifying an environment associated with the user;
perform a plurality of individual searches concurrently, one for each of the attributes, in order to generate a plurality of individual search results for one or more policies in a policy store to determine whether the policies, when compared to a corresponding one of the attributes, indicate that the client device is authorized to access the application server, wherein each of the policies is grouped into one or more policy sets and each policy has a plurality of child rules, and wherein a combining algorithm of each of the policies specifies that when one of the child rules produces an evaluation result, a corresponding policy also produces a same evaluation result without having to further evaluate the request;
combine the plurality of individual search results associated with the attributes;
generate a single final result from the combined individual search results;
determine whether the client device is eligible to access the application server based on the single final result; and
perform an open system interconnection (OSI) layer-7 access control process on packets of the request from the client device.
Dependent claims: 11, 12, 13, 14, 15, 16
17. An apparatus comprising:
a memory configured to store a policy store with a plurality of policies accessible by one or more processors;
a network service processor; and
an application service processor coupled to the network service processor and the policy store and configured to:
receive a request from a client device to access an application server;
extract from the request a plurality of attributes comprising a user attribute identifying a user of the client device and an environment attribute identifying an environment associated with the user;
perform a plurality of individual searches concurrently, one for each of the attributes, in order to generate a plurality of individual search results, for one or more policies in the policy store to determine whether the policies, when compared to a corresponding one of the attributes, indicate that the client device is authorized to access the application server, wherein each of the policies is grouped into one or more policy sets and each policy has a plurality of child rules, and wherein a combining algorithm of each of the policies specifies that when one of the child rules produces an evaluation result, a corresponding policy also produces a same evaluation result without having to further evaluate the request;
combine the plurality of individual search results associated with the attributes;
generate a single final result from the combined individual search results;
determine whether the client device is eligible to access the application server based on the single final result; and
perform an open system interconnection (OSI) layer-7 access control process on packets of the request from the client device.
Dependent claims: 18, 19, 20, 21, 22
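The abstract and the three independent claims describe the same pipeline: extract attributes from the request, run one search per attribute against a bit-vector-indexed policy store concurrently, AND the per-attribute results, then let a combining algorithm turn the surviving rules into a single decision, stopping as soon as one child rule fixes a policy's result. The following Python is an added illustration of that pipeline and is not code from the patent or from any XACML product. It assumes first-applicable combining inside each policy and deny-overrides across policies (the claims only say that a rule result becomes the policy result without further evaluation; the choice of deny-overrides at the policy-set level is an assumption), and the rules, policies and requests are constructed for the example.

```python
"""Added example: concurrent per-attribute policy lookup over a bit-vector
index, followed by short-circuit combining. Not the patent's implementation."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass(frozen=True)
class Rule:
    rule_id: str
    target: dict    # attribute category -> required value; an absent category matches any value
    effect: str     # PERMIT or DENY


@dataclass(frozen=True)
class Policy:
    policy_id: str
    rules: tuple    # evaluated in order; first-applicable combining (assumed)


class PolicyStore:
    """Bit-vector index: bit i of every mask stands for self.rules[i]."""

    def __init__(self, policies):
        self.policies = tuple(policies)
        self.rules = [r for p in self.policies for r in p.rules]
        self.bit_of = {r.rule_id: 1 << i for i, r in enumerate(self.rules)}
        self.categories = {c for r in self.rules for c in r.target}
        self.exact = {}       # (category, value) -> mask of rules requiring that value
        self.wildcard = {c: 0 for c in self.categories}  # category -> rules not constraining it
        for r in self.rules:
            for c in self.categories:
                if c in r.target:
                    key = (c, r.target[c])
                    self.exact[key] = self.exact.get(key, 0) | self.bit_of[r.rule_id]
                else:
                    self.wildcard[c] |= self.bit_of[r.rule_id]

    def search(self, category, value):
        """One individual search: mask of rules compatible with this attribute.
        value is None when the request lacks the attribute; then only rules
        that do not require it survive, so a missing attribute never matches."""
        mask = self.wildcard[category]
        if value is not None:
            mask |= self.exact.get((category, value), 0)
        return mask


def evaluate(store, request):
    """request: dict of extracted attributes (user, environment, ...)."""
    cats = sorted(store.categories)
    # One search per attribute category, run concurrently (the claims' step 3).
    with ThreadPoolExecutor(max_workers=max(1, len(cats))) as pool:
        masks = list(pool.map(lambda c: store.search(c, request.get(c)), cats))
    candidates = (1 << len(store.rules)) - 1
    for m in masks:                 # combining the individual search results
        candidates &= m
    consulted, policy_results = [], {}
    for p in store.policies:        # policy level: first applicable rule wins
        result = NOT_APPLICABLE
        for r in p.rules:
            consulted.append(r.rule_id)
            if candidates & store.bit_of[r.rule_id]:
                result = r.effect   # remaining child rules are not evaluated
                break
        policy_results[p.policy_id] = result
    outcomes = set(policy_results.values())   # policy-set level: deny-overrides (assumed)
    final = DENY if DENY in outcomes else PERMIT if PERMIT in outcomes else NOT_APPLICABLE
    return final, policy_results, consulted


# Constructed sample policy store.
STORE = PolicyStore([
    Policy("p-finance", (
        Rule("r1", {"role": "finance", "time": "business-hours"}, PERMIT),
        Rule("r2", {"role": "finance"}, DENY),                 # finance outside hours
    )),
    Policy("p-quarantine", (
        Rule("r3", {"device_posture": "noncompliant"}, DENY),
    )),
])


def decide(request):
    """Final decision the layer-7 gateway would enforce on the request."""
    return evaluate(STORE, request)


if __name__ == "__main__":
    print(decide({"role": "finance", "time": "business-hours", "device_posture": "compliant"}))
```

The wildcard mask is what makes the AND over per-attribute results correct: a rule that does not mention a category must survive every search on that category, and a rule that requires a category the request does not carry must be dropped, which `search(category, None)` does. The `consulted` list shows the short-circuit the claims describe: once `r1` applies, `r2` is never examined.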
Specification