Scalable fine-grained multi-service authorization
Abstract
A scalable cross-protocol mechanism is provided for describing, transmitting and checking large lists of authorizations for operations on network resources. At an authorization server, data is stored that represents operations that can be performed on a plurality of resources of a service provider at the request of one or more users. A set of {resource,operations} tuples is generated, wherein a resource describes an endpoint for a network service and operations is a list of operations that are authorized on an endpoint. The set of {resource,operations} tuples is partitioned into one or more subsets. A subset of the set of {resource,operations} tuples is combined into a string according to a predetermined rule. A hash is then computed, according to a hash function, to generate hash results. Hashes are passed instead of the lists themselves to minimize data transfer and latency.
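The pipeline described in the abstract, as an added Python example that is not code from the patent. The text names only "a predetermined rule" and "a hash function", so the compact-JSON canonicalization, SHA-256, the `provider:hash` entry format and the group-by-holders partition heuristic are all assumptions, and the sample grants are constructed.

```python
import hashlib
import json
from collections import defaultdict

# Constructed sample data: user -> service provider -> {(resource, operations)}.
GRANTS = {
    "alice": {"files": {("/docs", ("read", "write")), ("/logs", ("read",))}},
    "bob": {"files": {("/docs", ("write", "read")), ("/logs", ("read",))}},
    "carol": {"files": {("/logs", ("read",))}},
}

def subset_hash(subset):
    """Assumed rule: sort operations and tuples, compact JSON, then SHA-256."""
    rule = json.dumps(sorted([res, sorted(ops)] for res, ops in subset),
                      separators=(",", ":"))
    return hashlib.sha256(rule.encode()).hexdigest()

def partition(grants, provider):
    """Assumed heuristic: group tuples by the exact set of users holding them."""
    holders = defaultdict(set)
    for user, by_provider in grants.items():
        for res, ops in by_provider.get(provider, ()):
            holders[(res, tuple(sorted(ops)))].add(user)  # keys de-duplicate
    groups = defaultdict(set)
    for tup, users in holders.items():
        groups[frozenset(users)].add(tup)
    return groups

def build_index(grants, provider):
    """Resource-server lookup table: hash result -> subset of tuples."""
    return {subset_hash(s): s for s in partition(grants, provider).values()}

def issue_token(grants, user):
    """List of 'provider:hash' entries covering the user's authorizations."""
    return sorted(
        f"{provider}:{subset_hash(subset)}"
        for provider in grants[user]
        for users, subset in partition(grants, provider).items()
        if user in users
    )

def is_authorized(token, index, provider, resource, operation):
    """Resolve each hash carrying the provider's prefix; look for the operation."""
    for entry in token:
        prefix, _, digest = entry.partition(":")
        if prefix == provider and any(res == resource and operation in ops
                                      for res, ops in index.get(digest, ())):
            return True
    return False
```

Identical subsets yield identical hash results across users, so the resource server resolves each one only once. The hash list only names permission sets, so the token carrying it still needs its own integrity protection, which this example omits.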
26 Claims
1. A method comprising:
- at an authorization server, storing data representing operations that can be performed on a plurality of resources of a service provider at the request of users of a user population;
- generating a set of {resource,operations} tuples, wherein a resource describes an endpoint for a network service and operations is a list of operations that are authorized on the endpoint;
- de-duplicating the set of {resource,operations} tuples to eliminate duplicate tuples;
- partitioning the de-duplicated set of {resource,operations} tuples into one or more subsets to minimize the number of subsets needed to describe authorizations across the user population and maximize a number of hash collisions in hash results to be computed across the one or more subsets;
- combining a subset of the set of {resource,operations} tuples into a string according to a predetermined rule;
- computing a hash of the string according to a hash function to generate hash results; and
- in response to a request from a client, generating from the request a token that includes a list of one or more hash results each associated with a prefix to indicate a service provider on which the subset of {resource,operations} tuples corresponding to the hash result may be used, wherein the generating includes selecting a subset of {resource,operations} tuples that minimizes redundancy of data in the token and minimizes token size.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 24.

14. One or more computer readable storage media encoded with software comprising computer executable instructions and when the software is executed operable to:
- store data representing operations that can be performed on a plurality of resources of a service provider at the request of users in a user population;
- generate a set of {resource,operations} tuples, wherein a resource describes an endpoint for a network service and operations is a list of operations that are authorized on the endpoint;
- de-duplicate the set of {resource,operations} tuples to eliminate duplicate tuples;
- partition the de-duplicated set of {resource,operations} tuples into one or more subsets to minimize the number of subsets needed to describe authorizations across the user population and maximize a number of hash collisions in hash results to be computed across the one or more subsets;
- combine a subset of the set of {resource,operations} tuples into a string according to a predetermined rule;
- compute a hash of the string according to a hash function to generate hash results; and
- in response to a request from a client, generate from the request a token that includes a list of one or more hash results each associated with a prefix to indicate a service provider on which the subset of {resource,operations} tuples corresponding to the hash result may be used, wherein the generation of the set of {resource,operations} tuples includes selecting a subset of {resource,operations} tuples that minimizes redundancy of data in the token and minimizes token size.

Dependent claims: 15, 16, 25.

17. An apparatus comprising:
- a network interface unit configured to enable network communications;
- a memory;
- a processor coupled to the network interface unit and the memory, wherein the processor is configured to:
- store in the memory data representing operations that can be performed on a plurality of resources of a service provider at the request of users in a user population;
- generate a set of {resource,operations} tuples, wherein a resource describes an endpoint for a network service and operations is a list of operations that are authorized on the endpoint;
- de-duplicate the set of {resource,operations} tuples to eliminate duplicate tuples;
- partition the de-duplicated set of {resource,operations} tuples into one or more subsets to minimize the number of subsets needed to describe authorizations across the user population and maximize a number of hash collisions in hash results to be computed across the one or more subsets;
- combine a subset of the set of {resource,operations} tuples into a string according to a predetermined rule;
- compute a hash of the string according to a hash function to generate hash results; and
- in response to a request from a client, generate from the request a token that includes a list of one or more hash results each associated with a prefix to indicate a service provider on which the subset of {resource,operations} tuples corresponding to the hash result may be used, wherein generating the set of {resource,operations} tuples includes selecting a subset of {resource,operations} tuples that minimizes redundancy of data in the token and minimizes token size.

Dependent claims: 18, 19, 20, 21, 22, 23, 26.

Specification