Organizing permission associated with a cloud customer in a virtual computing infrastructure

US 8,850,528 B2
Filed: 11/17/2011
Issued: 09/30/2014
Est. Priority Date: 06/15/2010
Status: Active Grant

First Claim

Patent Images

1. A method of authorizing a subject to perform an action on an object in a cloud computing environment having a plurality of computing nodes, the method comprising:

receiving a request by a user for performing an action in the cloud computing system the request comprising a first key-value pair identifying the action and a second key-value pair identifying the object upon which the action is to be performed;

determining, from a plurality of permissions, whether an object permission exists having an identifier that matches the value of the key-value pair in the request identifying the object upon which the action is to be performed, each of the plurality of permissions comprising at least one object permission key-value pair defining a delegation path of permission for the object;

determining, from the plurality of permissions, whether a user permission exists for the user making the request to act upon the object, each of the plurality of permissions comprising at least one user permission key-value pair defining a delegation path of permission for the user;

authorizing the request based on the object permission and user permission for the action on the object in response to determining that both the object permission and the user permission exist; and

denying the request in response to determining that at least one of the object permission or the user permission does not exist.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Organizing permissions to authorize a subject to perform an action on an object in a cloud computing environment is described. A plurality of permissions associated with a cloud customer is created. A first set of permissions from the plurality of permissions is associated with one or more objects. Each of the first set of permissions describes an action performed on an object. A second set of permissions from the plurality of permissions is associated with one or more users. Each of the second set of permissions describes an action to be performed by one or more users.

163 Citations

View as Search Results

23 Claims

1. A method of authorizing a subject to perform an action on an object in a cloud computing environment having a plurality of computing nodes, the method comprising:
- receiving a request by a user for performing an action in the cloud computing system the request comprising a first key-value pair identifying the action and a second key-value pair identifying the object upon which the action is to be performed;
  
  determining, from a plurality of permissions, whether an object permission exists having an identifier that matches the value of the key-value pair in the request identifying the object upon which the action is to be performed, each of the plurality of permissions comprising at least one object permission key-value pair defining a delegation path of permission for the object;
  
  determining, from the plurality of permissions, whether a user permission exists for the user making the request to act upon the object, each of the plurality of permissions comprising at least one user permission key-value pair defining a delegation path of permission for the user;
  
  authorizing the request based on the object permission and user permission for the action on the object in response to determining that both the object permission and the user permission exist; and
  
  denying the request in response to determining that at least one of the object permission or the user permission does not exist.

2. A method of allowing at least one user to perform an action in a cloud computing environment having a plurality of computing nodes, the method comprising:
- receiving a request to permit the at least one user to perform an action on an object in the cloud computing system, the request comprising a first key-value pair identifying the action and a second key-value pair identifying the object upon which the action is to be performed;
  
  locating a set of user permissions and a set of object permissions based on the value of the key-value pair in the received request identifying the object upon which the action is to be performed each user permission comprising a key-value pair defining a delegation path for the user and each object permission comprising a key-value pair defining a delegation path for the object;
  
  determining at least one user permission and at least one object permission from the set of user and object permissions based on if the object is compatible with the requested object and the action is compatible with the requested action;
  
  determining if the user permission and the object permission are associated with a policy assertion, wherein the policy assertion is associated with a customer account that controls access to the cloud computing environment;
  
  authorizing the request based on the policy assertion if both the user permission and the object permission are associated with the policy assertion; and
  
  denying the request if at least one of the user permission and the object permission are not associated with the policy assertion.
- View Dependent Claims (3, 4)
- - 3. The method of claim 2, wherein:
    - the cloud computing environment is a home cloud;
      
      the request is received at the home cloud from a cloud remote from the home cloud; and
      
      the policy assertion resides locally in the home cloud.
  - 4. The method of claim 2, wherein:
    - the cloud computing environment is a cloud remote from a home cloud;
      
      the request is received at the remote cloud from the home cloud; and
      
      the policy assertion resides in the remote cloud.

5. A method of authorizing at least one user to perform an action in a cloud computing environment having a plurality of computing nodes, the method comprising:
- receiving a request from a user to perform an action on an object in the cloud computing system, the request comprising a first key-value pair identifying the action and a second key-value pair identifying the object upon which the action is to be performed;
  
  determining whether a user permission exists for the user making the request to perform the action identified by the request on the object identified by the request, the user permission comprising user;
  
  forwarding the request to a remote service in response to determining the user permission exists;
  
  receiving, from the remote service, an indication of a determination of whether an object permission exists for the object upon which the action is to be performed;
  
  authorizing the request based on the user permission and the object permission in response to determining the user permission for the action on the object exists and receiving the object permission from the remote service as an indication of a determination that the object permission exists;
  
  denying the request in response to at least one of determining the user permission does not exist or receiving from the remote service an indication of a determination by the remote service that the object permission does not exist.
- View Dependent Claims (6, 7, 8)
- - 6. The method of claim 5, wherein the request to perform an action on an object in the cloud computing system includes a request to perform an action at a remote cloud location.
  - 7. The method of claim 6, wherein the remote cloud location is at a private cloud site.
  - 8. The method of claim 6, wherein the remote cloud location is at a public cloud site.

9. A cloud computing system, comprising:
- a plurality of computing nodes;
  
  an application programming interface associated with the plurality of computing nodes;
  
  at least one storage unit;
  
  a controller configured to operate on each of the plurality of computing nodes and to select software operating on the associated node;
  
  a distributed control plane in communication with the controller and the storage unit, and configured to provide a platform to launch and manage one or more instances on one or more of the plurality of computing nodes; and
  
  a permissions system configured to associate one or more permissions to one or more instances and authorize the launching and managing of one or more instances on the distributed control plane, wherein the permissions system includes being configured to determine, from a plurality of permissions, at least one user permission to authorize the at least one user to act upon an object of the one or more instances, each user permission comprising a key-value pair defining a delegation path for the user, wherein the permissions system includes being configured to determine, from the plurality of permissions, an object permission for an object upon which an action is to be performed each object permission comprising a key-value pair defining a delegation path for the object, and wherein the permission system authorizes the launching and managing of the one or more instances based on the user permission and object permission and only if both the user permission and object permission exist.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 10. The system of claim of claim 9, wherein the object is a machine image from which data is accessed.
  - 11. The system of claim 9, wherein the object is executed code.
  - 12. The system of claim 9, wherein the object is a data store.
  - 13. The system of claim 9, wherein the plurality of computing nodes are hierarchically organized into clusters, wherein each cluster includes a cluster controller.
  - 14. The system of claim 9, wherein the infrastructure controller is configured to run Dynamic Host configuration protocol to provide dynamic IP address allocation for one or more of the plurality of computing nodes.
  - 15. The system of claim 9, wherein the infrastructure controller is further configured to utilize Domain Name System for naming and IP address look up.
  - 16. The system of claim 9, wherein the infrastructure controller is further configured to utilize a Trivial File Transfer protocol and a web server for providing software across a network during installation.
  - 17. The system of claim 9, wherein the control plane further includes a cluster and workload component, authentication and permissions component, monitoring component, metering and billing component.
  - 18. The system of claim 9, further comprising a network component configured to interface with the infrastructure controller and control plane, and configured to interface with one or more network systems external to the cloud computing environment.
  - 19. The system of claim 9, further comprising a federation module configured to communicate with and launch instances to remote cloud sites.
  - 20. The system of claim 9, wherein the control plane is further configured to manage data files using a Distributed File System.
  - 21. The system of claim 9, further comprising an identity management engine and policy engines configured to provide policy control across networks.
  - 22. The system of claim 9, further comprising a metering, billing, and collection engine configured to manage consumption accountability.
  - 23. The system of claim 9, further including a virtualization layer configured to operate on each of the plurality of computing nodes, and configured to virtualize resources on each node.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Van Biljon, Willem Robert, Pinkham, Christopher Conway, Cloran, Russell Andrew, Gorven, Michael Carl, Divey, Brynmor K. B., Hoole, Quinton Robin, Kalele, Girish, Hardy, Alexandre
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
FIELDS, COURTNEY D

Application Number

US13/299,004
Publication Number

US 20120110650A1
Time in Patent Office

1,048 Days
Field of Search

726/4, 726/1, 709/224, 709/225, 709/226, 707/103, 707/9, 707/783, 713/193, 715/733
US Class Current

726/4
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

G06Q 30/04   Billing or invoicing

G06Q 40/00   Finance; Insurance; Tax str...

G06Q 40/02   Banking, e.g. interest calc...

G06Q 40/10   Tax strategies

H04L 41/0213   Standardised network manage...

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 67/10   in which an application is ...

H04L 67/60   Scheduling or organising th...

H04L 9/40   Network security protocols

H04M 15/66   Policy and charging system

Organizing permission associated with a cloud customer in a virtual computing infrastructure

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

163 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Organizing permission associated with a cloud customer in a virtual computing infrastructure

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

163 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others