Flattening permission trees in a virtualization environment

US 9,178,886 B2
Filed: 08/29/2012
Issued: 11/03/2015
Est. Priority Date: 08/29/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a permission request, the request indicating a user and an entity in a virtual machine system;

flattening, by a processing device, a permissions database associated with the virtual machine system to generate a flattened database view, wherein the permissions database to store descriptive labels of entities in the virtual machine system, and wherein the flattened database view defines permissions for the user to access the entities in the virtual machine system in view of the descriptive labels, wherein flattening the permissions database comprises;

identifying a first set of entities in the virtual machine system for which the user has explicit permissions defined in the permissions database,identifying a second set of entities in the virtual machine system for which a role to which the user is assigned has explicit permissions defined in the permissions database;

identifying a third set of entities in the virtual machine system that inherit the explicit permissions of entities in the first and second sets of entities, wherein entities in the third set of entities are assigned child labels in a labeling hierarchy of entities in the virtual machine system, andcreating a separate entry in the flattened database view for each unique combination of the user and one of the entities in the first, second and third sets of entities in the virtual machine system, wherein the flattened database view comprises a stored query accessible as a virtual table in the permissions database computed from data stored in the permissions database;

determining, using the flattened database view, whether the user has permission to access the entity in the virtual machine system, wherein determining whether the user has permission to access the entity in the virtual machine system comprises issuing a single query to the flattened database view for an entry comprising the user and the entity; and

returning an indication of whether the user has permission to access the entity in the virtual machine system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A virtualization manager receives a permission request indicating a user and an entity in a virtual machine system. The virtualization manager flattens a permissions database to generate a flattened database view. Using the flattened database view, the virtualization manager determines whether the user has permission to access the entity in the virtual machine system and returns an indication of whether the user has permission to access the entity in the virtual machine system.

37 Citations

22 Claims

1. A method comprising:
- receiving a permission request, the request indicating a user and an entity in a virtual machine system;
  
  flattening, by a processing device, a permissions database associated with the virtual machine system to generate a flattened database view, wherein the permissions database to store descriptive labels of entities in the virtual machine system, and wherein the flattened database view defines permissions for the user to access the entities in the virtual machine system in view of the descriptive labels, wherein flattening the permissions database comprises;
  
  identifying a first set of entities in the virtual machine system for which the user has explicit permissions defined in the permissions database,identifying a second set of entities in the virtual machine system for which a role to which the user is assigned has explicit permissions defined in the permissions database;
  
  identifying a third set of entities in the virtual machine system that inherit the explicit permissions of entities in the first and second sets of entities, wherein entities in the third set of entities are assigned child labels in a labeling hierarchy of entities in the virtual machine system, andcreating a separate entry in the flattened database view for each unique combination of the user and one of the entities in the first, second and third sets of entities in the virtual machine system, wherein the flattened database view comprises a stored query accessible as a virtual table in the permissions database computed from data stored in the permissions database;
  
  determining, using the flattened database view, whether the user has permission to access the entity in the virtual machine system, wherein determining whether the user has permission to access the entity in the virtual machine system comprises issuing a single query to the flattened database view for an entry comprising the user and the entity; and
  
  returning an indication of whether the user has permission to access the entity in the virtual machine system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 15)
- - 2. The method of claim 1, wherein the permission request is received from a client device.
  - 3. The method of claim 1, wherein flattening the permissions database comprises:
    - identifying a first entity in the virtual machine system for which the user has explicit permissions defined in the permissions database; and
      
      identifying a second entity in the virtual machine system that is a child of the first entity using the labeling hierarchy of entities in the virtual machine system.
  - 4. The method of claim 3, wherein flattening the permissions database further comprises:
    - identifying the role to which the user is assigned;
      
      identifying a third entity in the virtual machine system for which the role has permissions defined in the permissions database; and
      
      identifying a fourth entity in the virtual machine system that is a child of the third entity using the labeling hierarchy of entities in the virtual machine system.
  - 5. The method of claim 4, wherein flattening the permissions database further comprises:
    - creating a separate entry in the flattened database view for each unique combination of the user and one of the first, second, third and fourth entities.
  - 6. The method of claim 1, wherein the indication of whether the user has permission to access the entity is affirmative if the entry in the flattened database view comprising the user and the entity is located.
  - 7. The method of claim 1, wherein the indication of whether the user has permission to access the entity is negative if the entry in the flattened database view comprising the user and the entity is not located.
  - 8. The method of claim 1, wherein the entity in the virtual machine system comprises at least one of a virtual machine, a virtual disk, a host server, or a virtual data center.
  - 15. The system of claim 5, wherein the entity in the virtual machine system comprises at least one of a virtual machine, a virtual disk, a host server, or a virtual data center.

9. A system comprising:
- a processing device;
  
  a memory coupled to the processing device; and
  
  a virtualization manager, executable by the processing device from the memory, to;
  
  receive a permission request from a client, the request indicating a user and an entity in a virtual machine system;
  
  flatten a permissions database associated with the virtual machine system to generate a flattened database view, wherein the permissions database to store descriptive labels of entities in the virtual machine system, wherein the flattened database view defines permissions for the user to access the entities in the virtual machine system in view of the descriptive labels, wherein to generate the flattened database view, the virtualization manager is executable to;
  
  identify a first set of entities in the virtual machine system for which the user has explicit permissions defined in the permissions database,identify a second set of entities in the virtual machine system for which a role to which the user is assigned has explicit permissions defined in the permissions database,identify a third set of entities in the virtual machine system that inherit the explicit permissions of entities in the first and second sets of entities, wherein entities in the third set of entities are assigned child labels in a labeling hierarchy of entities in the virtual machine system, andcreate a separate entry in the flattened database view for each unique combination of the user and one of the entities in the first, second and third sets of entities in the virtual machine system, wherein the flattened database view comprises a stored query accessible as a virtual table in the permissions database computed from data stored in the permissions database;
  
  determine whether the user has permission to access the entity in the virtual machine system using the flattened database view, wherein to determine whether the user has permission to access the entity in the virtual machine system, the virtualization manager is executable to issue a single query to the flattened database view for an entry comprising the user and the entity; and
  
  return an indication of whether the user has permission to access the entity in the virtual machine system.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The system of claim 9, wherein to flatten the permissions database, the virtualization manager is executable to:
    - identify a first entity in the virtual machine system for which the user has explicit permissions defined in the permissions database; and
      
      identify a second entity in the virtual machine system that is a child of the first entity using the labeling hierarchy of entities in the virtual machine system.
  - 11. The system of claim 10, wherein to flatten the permissions database, the virtualization manager is further executable to:
    - identify the role to which the user is assigned;
      
      identify a third entity in the virtual machine system for which the role has permissions defined in the permissions database; and
      
      identify a fourth entity in the virtual machine system that is a child of the third entity using the labeling hierarchy of entities in the virtual machine system.
  - 12. The system of claim 11, wherein to flatten the permissions database, the virtualization manager is further executable to:
    - create a separate entry in the flattened database view for each unique combination of the user and one of the first, second, third and fourth entities.
  - 13. The system of claim 9, wherein the indication of whether the user has permission to access the entity is affirmative if the entry in the flattened database view comprising the user and the entity is located.
  - 14. The system of claim 9, wherein the indication of whether the user has permission to access the entity is negative if the entry in the flattened database view comprising the user and the entity is not located.

16. A non-transitory machine-readable storage medium storing instructions which, when executed, cause a processing device to:
- receive a permission request, the request indicating a user and an entity in a virtual machine system;
  
  flatten a permissions database associated with the virtual machine system to generate a flattened database view, wherein the permissions database to store descriptive labels of entities in the virtual machine system, and wherein the flattened database view defines permissions for the user to access the entities in the virtual machine system in view of the descriptive labels, wherein to flatten the permissions database, the instructions to cause the processing device to;
  
  identify a first set of entities in the virtual machine system for which the user has explicit permissions defined in the permissions database,identify a second set of entities in the virtual machine system for which a role to which the user is assigned has explicit permissions defined in the permissions database,identify a third set of entities in the virtual machine system that inherit the explicit permissions of entities in the first and second sets of entities, wherein entities in the third set of entities are assigned child labels in a labeling hierarchy of entities in the virtual machine system, andcreate a separate entry in the flattened database view for each unique combination of the user and one of the entities in the first, second and third sets of entities in the virtual machine system, wherein the flattened database view comprises a stored query accessible as a virtual table in the permissions database computed from data stored in the permissions database;
  
  determine, using the flattened database view, whether the user has permission to access the entity in the virtual machine system, wherein to determine whether the user has permission to access the entity in the virtual machine system, the instructions to cause the processing device to issue a single query to the flattened database view for an entry comprising the user and the entity; and
  
  return an indication of whether the user has permission to access the entity in the virtual machine system.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The non-transitory machine-readable storage medium of claim 16, wherein to flatten the permissions database, the instructions to cause the processing device to:
    - identify a first entity in the virtual machine system for which the user has explicit permissions defined in the permissions database; and
      
      identify a second entity in the virtual machine system that is a child of the first entity using the labeling hierarchy of entities in the virtual machine system.
  - 18. The non-transitory machine-readable storage medium of claim 17, wherein to flatten the permissions database, the instructions to cause the processing device further to:
    - identify the role to which the user is assigned;
      
      identify a third entity in the virtual machine system for which the role has permissions defined in the permissions database; and
      
      identify a fourth entity in the virtual machine system that is a child of the third entity using the labeling hierarchy of entities in the virtual machine system.
  - 19. The non-transitory machine-readable storage medium of claim 18, wherein to flatten the permissions database, the instructions to cause the processing device further to:
    - create a separate entry in the flattened database view for each unique combination of the user and one of the first, second, third and fourth entities.
  - 20. The non-transitory machine-readable storage medium of claim 16, wherein the indication of whether the user has permission to access the entity is affirmative if the entry in the flattened database view comprising the user and the entity is located.
  - 21. The non-transitory machine-readable storage medium of claim 16, wherein the indication of whether the user has permission to access the entity is negative if the entry in the flattened database view comprising the user and the entity is not located.
  - 22. The non-transitory machine-readable storage medium of claim 16, wherein the entity in the virtual machine system comprises at least one of a virtual machine, a virtual disk, a host server, or a virtual data center.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat Israel Ltd. (International Business Machines Corporation)
Original Assignee
Red Hat Israel Ltd. (International Business Machines Corporation)
Inventors
Mureinik, Allon
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
RUPRECHT, CHRISTOPHER S

Application Number

US13/597,695
Publication Number

US 20140068718A1
Time in Patent Office

1,161 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 16/2246   Trees, e.g. B+trees

G06F 16/2445   Data retrieval commands; Vi...

G06F 16/245   Query processing

G06F 16/24539   using cached or materialise...

G06F 2009/45587   Isolation or security of vi...

G06F 21/00   Security arrangements for p...

G06F 21/121   Restricting unauthorised ex...

G06F 21/31   User authentication

G06F 21/53   by executing in a restricte...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 21/629   to features or functions of...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 63/105 : Multiple levels of security

H04W 12/08 : Access security

View All

Flattening permission trees in a virtualization environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Flattening permission trees in a virtualization environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links