Organizing permission associated with a cloud customer in a virtual computing infrastructure
First Claim
1. A method of authorizing a subject to perform an action on an object in a cloud computing environment having a plurality of computing nodes, the method comprising:
- receiving a request by a user for performing an action in the cloud computing system, the request comprising a first key-value pair identifying the action and a second key-value pair identifying the object upon which the action is to be performed;
- determining, from a plurality of permissions, whether an object permission exists having an identifier that matches the value of the key-value pair in the request identifying the object upon which the action is to be performed, each of the plurality of permissions comprising at least one object permission key-value pair defining a delegation path of permission for the object;
- determining, from the plurality of permissions, whether a user permission exists for the user making the request to act upon the object, each of the plurality of permissions comprising at least one user permission key-value pair defining a delegation path of permission for the user;
- authorizing the request based on the object permission and user permission for the action on the object in response to determining that both the object permission and the user permission exist; and
- denying the request in response to determining that at least one of the object permission or the user permission does not exist.
3 Assignments
0 Petitions
Abstract
Organizing permissions to authorize a subject to perform an action on an object in a cloud computing environment is described. A plurality of permissions associated with a cloud customer is created. A first set of permissions from the plurality of permissions is associated with one or more objects. Each of the first set of permissions describes an action performed on an object. A second set of permissions from the plurality of permissions is associated with one or more users. Each of the second set of permissions describes an action to be performed by one or more users.
163 Citations
23 Claims
2. A method of allowing at least one user to perform an action in a cloud computing environment having a plurality of computing nodes, the method comprising:
- receiving a request to permit the at least one user to perform an action on an object in the cloud computing system, the request comprising a first key-value pair identifying the action and a second key-value pair identifying the object upon which the action is to be performed;
- locating a set of user permissions and a set of object permissions based on the value of the key-value pair in the received request identifying the object upon which the action is to be performed, each user permission comprising a key-value pair defining a delegation path for the user and each object permission comprising a key-value pair defining a delegation path for the object;
- determining at least one user permission and at least one object permission from the set of user and object permissions based on whether the object is compatible with the requested object and the action is compatible with the requested action;
- determining whether the user permission and the object permission are associated with a policy assertion, wherein the policy assertion is associated with a customer account that controls access to the cloud computing environment;
- authorizing the request based on the policy assertion if both the user permission and the object permission are associated with the policy assertion; and
- denying the request if at least one of the user permission and the object permission is not associated with the policy assertion.
Dependent claims: 3, 4.
5. A method of authorizing at least one user to perform an action in a cloud computing environment having a plurality of computing nodes, the method comprising:
- receiving a request from a user to perform an action on an object in the cloud computing system, the request comprising a first key-value pair identifying the action and a second key-value pair identifying the object upon which the action is to be performed;
- determining whether a user permission exists for the user making the request to perform the action identified by the request on the object identified by the request, the user permission comprising user;
- forwarding the request to a remote service in response to determining the user permission exists;
- receiving, from the remote service, an indication of a determination of whether an object permission exists for the object upon which the action is to be performed;
- authorizing the request based on the user permission and the object permission in response to determining the user permission for the action on the object exists and receiving the object permission from the remote service as an indication of a determination that the object permission exists; and
- denying the request in response to at least one of determining the user permission does not exist or receiving from the remote service an indication of a determination by the remote service that the object permission does not exist.
Dependent claims: 6, 7, 8.
9. A cloud computing system, comprising:
- a plurality of computing nodes;
- an application programming interface associated with the plurality of computing nodes;
- at least one storage unit;
- a controller configured to operate on each of the plurality of computing nodes and to select software operating on the associated node;
- a distributed control plane in communication with the controller and the storage unit, and configured to provide a platform to launch and manage one or more instances on one or more of the plurality of computing nodes; and
- a permissions system configured to associate one or more permissions to one or more instances and authorize the launching and managing of one or more instances on the distributed control plane, wherein the permissions system includes being configured to determine, from a plurality of permissions, at least one user permission to authorize the at least one user to act upon an object of the one or more instances, each user permission comprising a key-value pair defining a delegation path for the user, wherein the permissions system includes being configured to determine, from the plurality of permissions, an object permission for an object upon which an action is to be performed, each object permission comprising a key-value pair defining a delegation path for the object, and wherein the permission system authorizes the launching and managing of the one or more instances based on the user permission and object permission and only if both the user permission and object permission exist.
Dependent claims: 10 through 23.
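The dual check that claims 1 and 2 describe, as an added example that is not part of the patent and not code from any implementation of it: a request carries an action key-value pair and an object key-value pair, an object permission and a user permission must both be found, both must be bound to the same policy assertion (the customer account), and every other outcome is a denial. The `Perm` layout, the delegation-path tuples and all identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Perm:
    """One permission record (assumed layout, not the patent's)."""
    kind: str               # "user" or "object": which delegation path this defines
    key: str                # user name (kind="user") or object identifier (kind="object")
    action: str             # action covered; "*" covers any action
    obj: str                # object it applies to; "*" for any object (equals key for objects)
    delegation_path: tuple  # hypothetical delegation chain, root account first
    policy_assertion: str   # customer account that controls access (claim 2)


def compatible(perm, action, obj):
    """Claim 2: the permission's object and action must match the request."""
    return perm.action in (action, "*") and perm.obj in (obj, "*")


def find_perm(perms, kind, key, action, obj):
    """Claim 1: the identifier must equal the value of the request's key-value pair."""
    return next((p for p in perms if p.kind == kind and p.key == key
                 and compatible(p, action, obj)), None)


def authorize(request, user, perms):
    """Return (allowed, reason). Deny by default: both permissions must exist
    and share one policy assertion before anything is authorized."""
    action, obj = request["action"], request["object"]
    obj_perm = find_perm(perms, "object", obj, action, obj)
    user_perm = find_perm(perms, "user", user, action, obj)
    if obj_perm is None or user_perm is None:
        return False, "denied: object or user permission does not exist"
    if obj_perm.policy_assertion != user_perm.policy_assertion:
        return False, "denied: permissions are not bound to the same policy assertion"
    return True, "authorized: user path %s, object path %s" % (
        user_perm.delegation_path, obj_perm.delegation_path)


# Constructed sample permission store: one object under account acct-42,
# one user delegated under acct-42, one user belonging to a different account.
PERMS = [
    Perm("object", "instance:web-01", "launch", "instance:web-01", ("acct-42", "ops"), "acct-42"),
    Perm("user", "alice", "launch", "instance:web-01", ("acct-42", "ops", "alice"), "acct-42"),
    Perm("user", "bob", "*", "*", ("acct-77", "bob"), "acct-77"),
]

if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, authorize({"action": "launch", "object": "instance:web-01"}, who, PERMS))
    print("alice", authorize({"action": "delete", "object": "instance:web-01"}, "alice", PERMS))
```

Note that bob is denied even though his own permission is unrestricted: the object permission he needs belongs to another customer's policy assertion, which is exactly the cross-account case the second determination in claim 2 closes.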
Specification