Systems and methods for associating a virtual machine with an access control right

US 8,943,606 B2
Filed: 05/01/2013
Issued: 01/27/2015
Est. Priority Date: 09/14/2012
Status: Active Grant

First Claim

Patent Images

1. A method for configuring a machine in a cloud-based computing environment, the method comprising:

receiving, by a management server for a cloud-based computing environment provided by a third-party cloud infrastructure service, a request from a first machine or virtual machine instance to configure a second machine or virtual machine instance hosted in the cloud-based computing environment;

identifying, by the management server, an access control right associated with the first machine or virtual machine instance making the request;

determining, by the management server, a scope associated with the first machine or virtual machine instance based on the access control right;

authorizing, by the management server, the request within the scope based on the access control right;

transmitting, by the management server, an instruction to perform the request using the determined scope.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is related to associating a machine or virtual machine instance with an access control right in a cloud-based computing environment. In one aspect, the present invention relates to an apparatus for or a method of associating a machine or virtual machine instance with an access control right in a cloud-based computing environment. In various embodiments, the apparatus is capable of, and the method includes, the following: receiving, in a cloud-based computing environment, a request to perform an action; using an identifier for the machine or virtual machine instance to determine that the received request was sent by, or on behalf of, the machine or virtual machine instance; and identifying an access control right associated with the machine or virtual machine instance making the request, to determine whether to perform the action on behalf of, or grant access by, the machine or virtual machine instance.

60 Citations

20 Claims

1. A method for configuring a machine in a cloud-based computing environment, the method comprising:
- receiving, by a management server for a cloud-based computing environment provided by a third-party cloud infrastructure service, a request from a first machine or virtual machine instance to configure a second machine or virtual machine instance hosted in the cloud-based computing environment;
  
  identifying, by the management server, an access control right associated with the first machine or virtual machine instance making the request;
  
  determining, by the management server, a scope associated with the first machine or virtual machine instance based on the access control right;
  
  authorizing, by the management server, the request within the scope based on the access control right;
  
  transmitting, by the management server, an instruction to perform the request using the determined scope.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the first machine or virtual machine instance is hosted in a cloud-based computing environment.
  - 3. The method of claim 1, wherein the request is one of:
    - a request to instantiate a virtual machine, a request to snapshot a virtual machine, a request for a list of running servers, a request for backup files or images, or a request to terminate a virtual machine instance.
  - 4. The method of claim 1, wherein transmitting comprises transmitting the instruction to one of the third-party cloud infrastructure service and the second machine or virtual machine instance hosted by the third-party cloud infrastructure service.
  - 5. The method of claim 1, wherein an identifier is included in or associated with the received request and identifying the access control right is based on the identifier.
  - 6. The method of claim 1, further comprising:
    - assigning an identifier to the second machine or virtual machine instance; and
      
      sending the identifier to the second machine or virtual machine instance.
  - 7. The method of claim 6, further comprising sending the identifier in an instruction to launch the second machine or virtual machine instance.
  - 8. The method of claim 6, wherein the identifier is unique to the second machine or virtual machine instance.
  - 9. The method of claim 6, wherein the identifier is associated with a group of one or more machines and/or one or more virtual machine instances of which the machine or virtual machine instance is a member.
  - 10. The method of claim 6, further comprisingreceiving, by the management server, a subsequent request from the second machine or virtual machine instance to access a third machine or virtual machine instance hosted in the cloud-based computing environment, the request comprising the assigned identifier;
    - identifying, by the management server, based on the identifier an access control right associated with the second machine or virtual machine instance making the request;
      
      determining, by the management server, a scope associated with the second machine or virtual machine instance based on the access control right; and
      
      transmitting, by the management server, an instruction permitting the requested access to the third machine or virtual machine instance within the determined scope.

11. An apparatus for configuring a machine in a cloud-based computing environment, the method comprising, the apparatus comprising:
- a cloud management service executing on a processor, the cloud management service configured to;
  
  receive a request from a first machine or virtual machine instance to configure a second machine or virtual machine instance hosted in a cloud-based computing environment provided by a third-party cloud infrastructure service;
  
  identify an access control right associated with the first machine or virtual machine instance making the request;
  
  determine a scope associated with the first machine or virtual machine instance based on the access control right;
  
  authorize the request within the scope based on the access control right; and
  
  transmit an instruction to perform the request using the determined scope.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The apparatus of claim 11, wherein the first machine or virtual machine instance is hosted in the cloud-based computing environment.
  - 13. The apparatus of claim 11, wherein the request is one of:
    - a request to instantiate a virtual machine, a request to snapshot a virtual machine, a request for a list of running servers, a request for backup files or images, or a request to terminate a virtual machine instance.
  - 14. The apparatus of claim 11, wherein the cloud management service configured to transmit the instruction to one of the third-party cloud infrastructure service and the second machine or virtual machine instance hosted by the third-party cloud infrastructure service.
  - 15. The apparatus of claim 11, wherein an identifier is included in or associated with the received request and the cloud management service configured to identify the access control right based on the identifier.
  - 16. The apparatus of claim 11, the cloud management service further configured to:
    - assign an identifier to the second machine or virtual machine instance; and
      
      send the identifier to the second machine or virtual machine instance.
  - 17. The apparatus of claim 16, the cloud management service configured to send the identifier in an instruction to launch the second machine or virtual machine instance.
  - 18. The apparatus of claim 16, wherein the identifier is unique to the second machine or virtual machine instance.
  - 19. The apparatus of claim 16, wherein the identifier is associated with a group of one or more machines and/or one or more virtual machine instances of which the machine or virtual machine instance is a member.
  - 20. The apparatus of claim 16, the cloud management service further configured to:
    - receive a subsequent request from the second machine or virtual machine instance to access a third machine or virtual machine instance hosted in the cloud-based computing environment, the request comprising the assigned identifier;
      
      identify, based on the identifier, an access control right associated with the second machine or virtual machine instance making the request;
      
      determine a scope associated with the second machine or virtual machine instance based on the access control right; and
      
      transmit an instruction permitting the requested access to the third machine or virtual machine instance within the determined scope.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RightScale Incorporated (Flexera Software LLC)
Original Assignee
RightScale Incorporated (Flexera Software LLC)
Inventors
Eicken, Thorsten von, Gonzalez, Jose Maria Blanquer, Simon, Raphael George Jacques
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US13/875,109
Publication Number

US 20140082699A1
Time in Patent Office

636 Days
Field of Search

None
US Class Current

726/27
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/00   Security arrangements for p...

G06F 21/335   for accessing specific reso...

G06F 21/53   by executing in a restricte...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

Systems and methods for associating a virtual machine with an access control right

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

60 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for associating a virtual machine with an access control right

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links