Flattening permission trees in a virtualization environment
First Claim
1. A method comprising:
receiving a permission request, the request indicating a user and an entity in a virtual machine system;
flattening, by a processing device, a permissions database associated with the virtual machine system to generate a flattened database view, wherein the permissions database to store descriptive labels of entities in the virtual machine system, and wherein the flattened database view defines permissions for the user to access the entities in the virtual machine system in view of the descriptive labels, wherein flattening the permissions database comprises:
identifying a first set of entities in the virtual machine system for which the user has explicit permissions defined in the permissions database,
identifying a second set of entities in the virtual machine system for which a role to which the user is assigned has explicit permissions defined in the permissions database;
identifying a third set of entities in the virtual machine system that inherit the explicit permissions of entities in the first and second sets of entities, wherein entities in the third set of entities are assigned child labels in a labeling hierarchy of entities in the virtual machine system, and
creating a separate entry in the flattened database view for each unique combination of the user and one of the entities in the first, second and third sets of entities in the virtual machine system, wherein the flattened database view comprises a stored query accessible as a virtual table in the permissions database computed from data stored in the permissions database;
determining, using the flattened database view, whether the user has permission to access the entity in the virtual machine system, wherein determining whether the user has permission to access the entity in the virtual machine system comprises issuing a single query to the flattened database view for an entry comprising the user and the entity; and
returning an indication of whether the user has permission to access the entity in the virtual machine system.
Abstract
A virtualization manager receives a permission request indicating a user and an entity in a virtual machine system. The virtualization manager flattens a permissions database to generate a flattened database view. Using the flattened database view, the virtualization manager determines whether the user has permission to access the entity in the virtual machine system and returns an indication of whether the user has permission to access the entity in the virtual machine system.
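One way to realise the flattening the abstract and claims describe, written here as an added example that is not the patent's or any vendor's code: an SQLite VIEW built from a recursive CTE unions the user's explicit grants (first set), grants to the user's roles (second set) and every descendant in the entity hierarchy (third set), so the permission check becomes the single query against the view that the claims call for. The table and column names, the sample entities, users and roles are all constructed assumptions.

```python
import sqlite3

# Constructed schema in the style of the claims: entities form a labeling hierarchy
# via parent_id, permissions are explicit grants to a user or a role, and the VIEW
# is the "flattened database view" (a stored query, not a materialised table).
SCHEMA = """
CREATE TABLE entities (id TEXT PRIMARY KEY, parent_id TEXT REFERENCES entities(id));
CREATE TABLE user_roles (user_id TEXT NOT NULL, role_id TEXT NOT NULL);
CREATE TABLE permissions (principal TEXT NOT NULL,
    principal_type TEXT NOT NULL CHECK (principal_type IN ('user', 'role')),
    entity_id TEXT NOT NULL REFERENCES entities(id));
CREATE VIEW flattened_permissions AS
WITH RECURSIVE
  explicit_grants(user_id, entity_id) AS (
    -- first set: entities granted to the user directly
    SELECT principal, entity_id FROM permissions WHERE principal_type = 'user'
    UNION
    -- second set: entities granted to a role, expanded to the role's members
    SELECT ur.user_id, p.entity_id FROM permissions p
      JOIN user_roles ur ON ur.role_id = p.principal WHERE p.principal_type = 'role'
  ),
  reachable(user_id, entity_id) AS (
    SELECT user_id, entity_id FROM explicit_grants
    UNION
    -- third set: child labels inherit the parent's grant (walks down the tree)
    SELECT r.user_id, e.id FROM reachable r JOIN entities e ON e.parent_id = r.entity_id
  )
SELECT DISTINCT user_id, entity_id FROM reachable;
"""

# Constructed sample data: two datacenters, each holding a cluster with one VM.
SAMPLE = """
INSERT INTO entities VALUES ('dc1', NULL), ('cluster1', 'dc1'), ('vm1', 'cluster1'),
                            ('dc2', NULL), ('cluster2', 'dc2'), ('vm2', 'cluster2');
INSERT INTO user_roles VALUES ('bob', 'operator');
INSERT INTO permissions VALUES ('alice', 'user', 'cluster1'), ('operator', 'role', 'dc2');
"""


def build_db() -> sqlite3.Connection:
    """In-memory permissions database with the flattened view defined on top."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn


def has_permission(conn: sqlite3.Connection, user: str, entity: str) -> bool:
    """The check in the claims: one query against the flattened view, no tree walk here."""
    row = conn.execute("SELECT 1 FROM flattened_permissions WHERE user_id = ? "
                       "AND entity_id = ? LIMIT 1", (user, entity)).fetchone()
    return row is not None
```

Because the view is a stored query, a grant removed from `permissions` or an entity re-parented in `entities` changes the next answer immediately; a denormalised copy would need invalidation.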
22 Claims
1. A method comprising: (set out in full above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 15.
9. A system comprising:
a processing device;
a memory coupled to the processing device; and
a virtualization manager, executable by the processing device from the memory, to:
receive a permission request from a client, the request indicating a user and an entity in a virtual machine system;
flatten a permissions database associated with the virtual machine system to generate a flattened database view, wherein the permissions database to store descriptive labels of entities in the virtual machine system, wherein the flattened database view defines permissions for the user to access the entities in the virtual machine system in view of the descriptive labels, wherein to generate the flattened database view, the virtualization manager is executable to:
identify a first set of entities in the virtual machine system for which the user has explicit permissions defined in the permissions database,
identify a second set of entities in the virtual machine system for which a role to which the user is assigned has explicit permissions defined in the permissions database,
identify a third set of entities in the virtual machine system that inherit the explicit permissions of entities in the first and second sets of entities, wherein entities in the third set of entities are assigned child labels in a labeling hierarchy of entities in the virtual machine system, and
create a separate entry in the flattened database view for each unique combination of the user and one of the entities in the first, second and third sets of entities in the virtual machine system, wherein the flattened database view comprises a stored query accessible as a virtual table in the permissions database computed from data stored in the permissions database;
determine whether the user has permission to access the entity in the virtual machine system using the flattened database view, wherein to determine whether the user has permission to access the entity in the virtual machine system, the virtualization manager is executable to issue a single query to the flattened database view for an entry comprising the user and the entity; and
return an indication of whether the user has permission to access the entity in the virtual machine system.
Dependent claims: 10, 11, 12, 13, 14.
16. A non-transitory machine-readable storage medium storing instructions which, when executed, cause a processing device to:
receive a permission request, the request indicating a user and an entity in a virtual machine system;
flatten a permissions database associated with the virtual machine system to generate a flattened database view, wherein the permissions database to store descriptive labels of entities in the virtual machine system, and wherein the flattened database view defines permissions for the user to access the entities in the virtual machine system in view of the descriptive labels, wherein to flatten the permissions database, the instructions to cause the processing device to:
identify a first set of entities in the virtual machine system for which the user has explicit permissions defined in the permissions database,
identify a second set of entities in the virtual machine system for which a role to which the user is assigned has explicit permissions defined in the permissions database,
identify a third set of entities in the virtual machine system that inherit the explicit permissions of entities in the first and second sets of entities, wherein entities in the third set of entities are assigned child labels in a labeling hierarchy of entities in the virtual machine system, and
create a separate entry in the flattened database view for each unique combination of the user and one of the entities in the first, second and third sets of entities in the virtual machine system, wherein the flattened database view comprises a stored query accessible as a virtual table in the permissions database computed from data stored in the permissions database;
determine, using the flattened database view, whether the user has permission to access the entity in the virtual machine system, wherein to determine whether the user has permission to access the entity in the virtual machine system, the instructions to cause the processing device to issue a single query to the flattened database view for an entry comprising the user and the entity; and
return an indication of whether the user has permission to access the entity in the virtual machine system.
Dependent claims: 17, 18, 19, 20, 21, 22.
Specification