Policy and identity based workload provisioning
Abstract
Techniques for policy and identity-based workload provisioning are presented. Identities for the requestors of workloads and identities for the workloads themselves are tied to specific policies. The policies are evaluated based on a stage of readiness for resources within a resource pool and on resource identities for those resources. Resources from the resource pool are then dynamically provisioned to handle the workloads based on the identity-based policy evaluation.
19 Claims
1. A method implemented in a non-transitory machine-readable storage medium and processed by one or more processors configured to perform the method, comprising:
- interrogating a resource infrastructure to acquire resource identities for resources within the resource infrastructure and to determine a stage of readiness for each resource within the resource infrastructure, wherein hardware of the resource infrastructure for each resource is interrogated without interacting with an operating system or hypervisor of the resource infrastructure, and the resource identities are specific to the resource infrastructure;
- managing policy specifications assigned to workload identities for workloads and assigned to requestor identities for requestors of the workloads, each workload identity and each requestor identity formulated from that identity's one or more identifiers and secrets that provide a statement of roles and permissions which that identity has in relation to the resource identities; and
- dynamically provisioning the resources for handling the workloads based on: requests from the requestors, the stage of readiness for each of the resources, enforcement of the policy specifications, and the resource identities within the resource infrastructure, and ensuring that policy and identity-based constraints are enforced when dynamically provisioning.
Dependent claims: 2 to 9 (not reproduced here).
10. A method implemented in a non-transitory machine-readable storage medium and processed by one or more processors configured to perform the method, comprising:
- receiving a request to provision a resource from a requestor;
- identifying a workload associated with the request, wherein the request does not directly identify the workload, the workload comprising tasks that are to be performed via resources designated for handling the tasks, and the request indirectly assists in identifying the workload via a type associated with one of the tasks, the workload being identified by deriving it from a particular type of task associated with the tasks;
- obtaining a policy specification having policies to resolve the request based on a requestor identity for the requestor and a workload identity for the workload, each identity formulated from that identity's one or more identifiers and secrets that provide a statement of roles and permissions which that identity has in relation to the resources;
- evaluating the policies in view of a resource pool of available resources within a resource infrastructure, each resource annotated within the resource pool with a stage of readiness attribute; and
- provisioning a particular resource to handle the workload based on evaluation of the policies.
Dependent claims: 11 to 15 (not reproduced here).
16. A multi-processor implemented system, comprising:
- one or more processors having a workload deployment service residing as executable instructions in a non-transitory medium that is configured to execute on the one or more processors;
- one or more of the processors having a resource prospector service residing as executable instructions in a non-transitory medium that is configured to execute on one or more of the processors; and
- one or more of the processors having a plurality of resource scouting services residing as executable instructions in a non-transitory medium that are configured to execute on one or more of the processors;
- the workload deployment service configured to dynamically provision resources within a resource infrastructure to handle workloads based on policies and identities associated with the requestors, the workloads, and the resources, each requestor identity formulated from that identity's one or more identifiers and secrets that provide a statement of roles and permissions which that identity has in relation to the resources;
- the resource prospector service configured to interrogate the resource infrastructure to identify the resources and to acquire resource identities for the resources and a stage of readiness associated with each of the resources, wherein hardware of the resource infrastructure for each resource is interrogated without interacting with an operating system or hypervisor of the resource infrastructure, and the identities of the resources are specific to the resource infrastructure;
- each stage of readiness for a particular resource including a particular scouting service that is configured to communicate with that particular resource in that resource's particular stage of readiness; and
- the scouting services communicating with the resource prospector service, and the resource prospector service communicating with the workload deployment service, to dynamically provision the resources and to annotate particular stages of readiness within a resource pool for each resource of the resource infrastructure, and ensuring that policy and identity-based constraints are enforced when dynamically provisioning.
Dependent claims: 17 to 19 (not reproduced here).
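The provisioning flow that claims 10 and 16 describe (a request that names a task type rather than a workload; a requestor identity made of identifiers plus secrets; policies evaluated against a resource pool annotated with readiness stages by per-stage scouting services; a decision that fails closed when no policy grants anything), as an added Python model. This is illustration code written for this page, not code from the patent or from any product implementing it. Every identifier, secret, role, stage name, policy and inventory entry is constructed; the out-of-band hardware interrogation of claim 1 is not modeled, and RAW_INVENTORY stands in for what it would return.

```python
"""Added example (not the patent's code): identity- and policy-based provisioning
over a resource pool annotated with readiness stages. All names are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# An identity is formulated from an identifier plus a secret. The roles/permissions
# statement is trusted only after the secret is verified (constructed data; a real
# deployment keeps secrets in a KMS/HSM, not in a module-level dict).
SECRETS = {"alice": b"alice-secret", "ci-bot": b"ci-bot-secret"}
ROLES = {"alice": frozenset({"ops-admin"}), "ci-bot": frozenset({"build-runner"})}


def sign(identifier: str, request: dict) -> str:
    """Proof of possession of the identity's secret over the canonical request body."""
    msg = json.dumps(request, sort_keys=True).encode()
    return hmac.new(SECRETS[identifier], msg, hashlib.sha256).hexdigest()


def resolve_identity(identifier: str, request: dict, proof: str):
    """Return the requestor's roles if the proof verifies, else None (fail closed)."""
    if identifier not in SECRETS:
        return None
    if not hmac.compare_digest(sign(identifier, request), proof):
        return None  # proof does not cover this request body: tampered or forged
    return ROLES[identifier]


# Readiness stages as the prospector annotates them (constructed, ordered low to high).
STAGE_ORDER = ["powered_off", "firmware_ready", "os_ready"]


def stage_index(stage: str) -> int:
    return STAGE_ORDER.index(stage)


@dataclass
class Resource:
    rid: str           # resource identity, meaningful only inside this infrastructure
    stage: str         # stage-of-readiness attribute
    cpus: int
    assigned: bool = False


# One scouting service per stage: the only component that talks to a resource in that
# stage. Here each scout simply reports the stage it reached the resource in.
SCOUTS = {s: (lambda rid, s=s: s) for s in STAGE_ORDER}


def prospect(raw_inventory):
    """Resource prospector: build the annotated pool from the interrogation result.
    A resource in a stage that no scout can talk to is not provisionable."""
    pool = []
    for rid, stage, cpus in raw_inventory:
        scout = SCOUTS.get(stage)
        if scout is not None:
            pool.append(Resource(rid, scout(rid), cpus))
    return pool


# The request carries a task type, not a workload; the workload is derived from it.
TASK_TYPE_TO_WORKLOAD = {"compile": "build-pipeline", "db-migrate": "db-maintenance"}


@dataclass(frozen=True)
class Policy:
    role: str             # requestor role the policy applies to
    workload: str         # workload identity the policy applies to
    resource_prefix: str  # resource identities this role may be given
    min_stage: str        # readiness the resource must have reached
    min_cpus: int = 0


POLICIES = [
    Policy("build-runner", "build-pipeline", "build-", "os_ready", min_cpus=4),
    Policy("ops-admin", "db-maintenance", "db-", "firmware_ready"),
]


def provision(pool, request: dict, identifier: str, proof: str):
    """Return the identity of the resource provisioned for the request, or None.
    Nothing is provisioned unless the identity verifies and some policy grants it."""
    roles = resolve_identity(identifier, request, proof)
    if roles is None:
        return None
    workload = TASK_TYPE_TO_WORKLOAD.get(request.get("task_type"))
    if workload is None:
        return None
    applicable = [p for p in POLICIES if p.role in roles and p.workload == workload]
    for res in pool:
        if res.assigned:
            continue
        for p in applicable:
            if (res.rid.startswith(p.resource_prefix)
                    and res.cpus >= p.min_cpus
                    and stage_index(res.stage) >= stage_index(p.min_stage)):
                res.assigned = True
                return res.rid
    return None


# Constructed inventory, standing in for what out-of-band hardware interrogation returns.
RAW_INVENTORY = [
    ("build-01", "firmware_ready", 8),
    ("build-02", "os_ready", 8),
    ("db-01", "firmware_ready", 4),
    ("lab-01", "unknown_stage", 2),
]

if __name__ == "__main__":
    pool = prospect(RAW_INVENTORY)
    req = {"task_type": "compile"}
    print(provision(pool, req, "ci-bot", sign("ci-bot", req)))
```

Three checks matter here and are easy to lose in a real implementation: the roles are looked up only after the proof over the exact request body verifies, so a request altered after signing is denied rather than evaluated under the signer's roles; a resource is eligible only if its annotated stage is at least the stage the policy demands, so a host that has not reached the required readiness is never handed out even if its identity matches; and an empty policy match yields a deny, not a default allocation.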