Objects in a virtual computing infrastructure

US 9,087,352 B2
Filed: 11/17/2011
Issued: 07/21/2015
Est. Priority Date: 06/15/2010
Status: Active Grant

First Claim

Patent Images

1. A method of performing an action on an object in a cloud computing environment having a plurality of computing nodes, the method comprising:

determining a policy path from at least one permission within a policy of a customer, the at least one permission comprising a set of key-value pairs describing a delegation of privileges;

determining a first delegation path from within the determined policy path, the first delegation path being directed to at least one object permission for the object upon which the action is to be performed, the at least one object permission comprising permissions created by an owner of the object and describing what actions may be performed on the object and by whom those actions may be performed, wherein the first delegation path is defined by values of the at least one permission; and

assigning an authorized user from a second delegation path from within the determined policy path, the second delegation path being directed to at least one user permission for the action to be performed, the at least one user permission describing what actions may be performed by one or more users belonging to the customer, wherein the second delegation path is defined by values of the at least one permission;

wherein determining the policy path involves determining an existence of a path in a directed graph in which each vertex is a different permission from each other vertex in the directed graph.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An action is performed on an object in a cloud computing environment having a plurality of computing nodes. A policy path is determined from at least one permission within a policy of a customer. A first delegation path is determined from within the determined policy path. The first delegation path is directed to at least one object permission for the object upon which the action is to be performed. An authorized user is assigned from a second delegation path from within the determined policy path. The second delegation path is directed to at least one user permission for the action to be performed.

Citations

14 Claims

1. A method of performing an action on an object in a cloud computing environment having a plurality of computing nodes, the method comprising:
- determining a policy path from at least one permission within a policy of a customer, the at least one permission comprising a set of key-value pairs describing a delegation of privileges;
  
  determining a first delegation path from within the determined policy path, the first delegation path being directed to at least one object permission for the object upon which the action is to be performed, the at least one object permission comprising permissions created by an owner of the object and describing what actions may be performed on the object and by whom those actions may be performed, wherein the first delegation path is defined by values of the at least one permission; and
  
  assigning an authorized user from a second delegation path from within the determined policy path, the second delegation path being directed to at least one user permission for the action to be performed, the at least one user permission describing what actions may be performed by one or more users belonging to the customer, wherein the second delegation path is defined by values of the at least one permission;
  
  wherein determining the policy path involves determining an existence of a path in a directed graph in which each vertex is a different permission from each other vertex in the directed graph.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein determining a policy path includes determining thatthe authorized user is the same as or a descendant of a subject specified in the at least one user permission;
    - the object on which the action is to be performed is the same as or a descendant of the object specified in the at least one object permission; and
      
      an action in either the at least one user permission or the at least one object permission is unspecified or the same as the action requested.
  - 3. The method of claim 1, wherein the at least one user permission shares a same value as the at least one object permission.
  - 4. The method of claim 1, wherein the at least one user permission is a descendant of an object permission in a naming hierarchy.
  - 5. The method of claim 1, wherein the object is a machine image from which data is accessed.
  - 6. The method of claim 1, wherein the object is executed code.
  - 7. The method of claim 1, wherein the object is a data store.

8. A cloud computing system, comprising:
- a plurality of computing nodes;
  
  at least one storage device configured to store a plurality of processing instructions; and
  
  at least one hardware processor in communication with the at least one storage device, and configured to execute the plurality of processing instructions to;
  
  determine a policy path from at least one permission within a policy of a customer, the at least one permission comprising a set of key-value pairs describing a delegation of privileges;
  
  determine a first delegation path from within the determined policy path, the first delegation path being directed to at least one object permission for an object upon which an action is to be performed, the at least one object permission comprising permissions created by an owner of the object and describing what actions may be performed on the object and by whom those actions may be performed, wherein the first delegation path is defined by values of the at least one permission; and
  
  assign an authorized user from a second delegation path from within the determined policy path, the second delegation path being directed to at least one user permission for the action to be performed, the at least one user permission describing what actions may be performed by one or more users belonging to the customer and wherein the second delegation path is defined by values of the at least one permission;
  
  wherein the plurality of processing instructions to determine the policy path includes processing instructions to determine an existence of a path in a directed graph in which each vertex is a different permission from each other vertex in the directed graph.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the plurality of processing instructions to determine the policy path includes instructions to determine that:
    - the authorized user is the same as or a descendant of a subject specified in the at least one user permission;
      
      the object on which the action is to be performed is the same as or a descendant of the object specified in the at least one object permission; and
      
      an action in either the at least one user permission or the at least one object permission is unspecified or the same as the action requested.
  - 10. The system of claim 8, wherein the at least one user permission shares a same value as the at least one object permission.
  - 11. The system of claim 8, wherein the at least one user permission is a descendant of an object permission, in a naming hierarchy.
  - 12. The system of claim 8, wherein the object is a machine image from which data is accessed.
  - 13. The system of claim 8, wherein the object is executed code.
  - 14. The system of claim 8, wherein the object is a data store.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Van Biljon, Willem Robert, Pinkham, Christopher Conway, Cloran, Russell Andrew, Gorven, Michael Carl, Hardy, Alexandre, Divey, Brynmor K. B., Hoole, Quinton Robin, Kalele, Girish
Primary Examiner(s)
Gee, Jason K.
Assistant Examiner(s)
BUCKNOR, OLANREWAJU J

Application Number

US13/299,262
Publication Number

US 20120110180A1
Time in Patent Office

1,342 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

G06Q 30/04   Billing or invoicing

G06Q 40/00   Finance; Insurance; Tax str...

G06Q 40/02   Banking, e.g. interest calc...

G06Q 40/10   Tax strategies

H04L 41/0213   Standardised network manage...

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 67/10   in which an application is ...

H04L 67/60   Scheduling or organising th...

H04L 9/40   Network security protocols

H04M 15/66   Policy and charging system

Objects in a virtual computing infrastructure

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Objects in a virtual computing infrastructure

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links