Mixed-mode authorization metadata manager for cloud computing environments

US 9,210,178 B1
Filed: 06/15/2012
Issued: 12/08/2015
Est. Priority Date: 06/15/2012
Status: Active Grant

First Claim

Patent Images

1. A system, comprising a plurality of computing devices configured to implement:

a plurality of service managers, wherein each service manager of the plurality of service managers is operable to coordinate a respective service of a plurality of distributed multitenant services implemented at least in part using a plurality of resources of a provider network; and

a metadata manager;

wherein the metadata manager is operable to;

in response to a metadata request identifying a particular authorization entity affiliated with a client account of a client of the provider network,identify a first service manager and a second service manager of the plurality of service managers, respectively coordinating a first service and a second service of the plurality of distributed multitenant services to which the client account has access, wherein the first service manager is configured to support a first authorization application programming interface (API) for the first service and the second service manager is configured to support a second authorization API for the second service; and

provide composite authorization metadata of the particular authorization entity based at least in part on (a) service authorization metadata provided by the first service manager and service authorization metadata provided by the second service manager and (b) identity authorization metadata provided by an identity manager of the provider network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus for a mixed-mode authorization metadata manager for cloud computing environments are disclosed. A system includes a plurality of service managers coordinating respective distributed multitenant services, and a metadata manager. In response to a metadata request for an authorization entity, the metadata manager identifies a first and a second service manager coordinating services in use by a client account with which the authorization entity is affiliated. The first and second service managers implement respective authorization APIs. The metadata manager provides composite authorization metadata of the authorization entity based at least in part on (a) service authorization metadata provided by each of the first and second service managers and (b) identity authorization metadata provided by an identity manager.

Citations

25 Claims

1. A system, comprising a plurality of computing devices configured to implement:
- a plurality of service managers, wherein each service manager of the plurality of service managers is operable to coordinate a respective service of a plurality of distributed multitenant services implemented at least in part using a plurality of resources of a provider network; and
  
  a metadata manager;
  
  wherein the metadata manager is operable to;
  
  in response to a metadata request identifying a particular authorization entity affiliated with a client account of a client of the provider network,identify a first service manager and a second service manager of the plurality of service managers, respectively coordinating a first service and a second service of the plurality of distributed multitenant services to which the client account has access, wherein the first service manager is configured to support a first authorization application programming interface (API) for the first service and the second service manager is configured to support a second authorization API for the second service; and
  
  provide composite authorization metadata of the particular authorization entity based at least in part on (a) service authorization metadata provided by the first service manager and service authorization metadata provided by the second service manager and (b) identity authorization metadata provided by an identity manager of the provider network.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system as recited in claim 1, wherein the metadata manager is further operable to:
    - in response to an authorization query, specifying a particular user affiliated with the client account and a target operation to be performed,use the composite authorization metadata to determine whether the particular user is authorized to perform the target operation; and
      
      in response to determining that the particular user is not authorized to perform the target operation, provide an enumeration of one or more recommended authorization requests to be submitted to obtain authorization for the particular user for the target operation.
  - 3. The system as recited in claim 1, wherein the metadata manager is further operable to:
    - collect records of (a) service authorization configuration operations from the first and second service managers and (b) identity authorization configuration operations from the identity manager.
  - 4. The system as recited in claim 3, wherein the metadata manager is further operable to:
    - in response to a causal analysis request specifying a particular result of an authorization request, examine the records of service authorization configuration operations from the first and second service managers and identity authorization configuration operations from the identity manager to identify a record of a candidate prerequisite configuration operation of the particular result.
  - 5. The system as recited in claim 3, wherein the metadata manager is further operable to:
    - implement a programmatic interface allowing a submission of an authorization event filter to limit types of authorization records collected to records associated with at least one of a specified set of users, a specified set of services, or a specified set of resources.
  - 6. The system as recited in claim 3, wherein the metadata manager is further operable to:
    - collect records of client-side authorization configuration operations from a client data source resident at a client-owned device specified by the client; and
      
      include metadata associated with a client-side authorization configuration operation in the composite authorization metadata.

7. A method, comprising:
- in response to a metadata request identifying a particular authorization entity affiliated with a client account of a client of a provider network,identifying one or more service managers of the provider network, coordinating one or more services to which the client account has access; and
  
  generating composite authorization metadata of the particular authorization entity based at least in part on (a) service authorization metadata provided by the one or more service managers and (b) identity authorization metadata provided by an identity manager of the provider network.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. The method as recited in claim 7, further comprising:
    - in response to an authorization query, specifying a particular user affiliated with the client account and a target operation to be performed,determining whether the particular user is authorized to perform the target operation; and
      
      in response to determining that the particular user is not authorized to perform the target operation, providing an enumeration of one or more recommended authorization requests to be submitted to obtain authorization for the particular user for the target operation.
  - 9. The method as recited in claim 8, further comprising:
    - prior to providing the enumeration, determining, via a simulation of the one or more recommended authorization requests, an estimated probability of success of the one or more recommended authorization requests.
  - 10. The method as recited in claim 7, further comprising:
    - collecting records of (a) service authorization configuration operations from the one or more service managers and (b) identity authorization configuration operations from the identity manager.
  - 11. The method as recited in claim 10, further comprising:
    - in response to a causal analysis request specifying a particular result of an authorization request, examining the records of service authorization configuration operations from the one or more service managers and identity authorization configuration operations from the identity manager to identify a record of a candidate prerequisite configuration operation of the particular result.
  - 12. The method as recited in claim 10, further comprising:
    - implementing a programmatic interface allowing a submission of an authorization event filter to limit types of authorization records to be collected to records associated with at least one of a specified set of users, a specified set of services, or a specified set of resources.
  - 13. The method as recited in claim 10, further comprising:
    - collecting records of client-side authorization configuration operations from a data source specified by the client.
  - 14. The method as recited in claim 7, wherein the service authorization metadata provided by a service manager of the one or more service managers comprises an access control list (ACL) associated with a particular resource implementing at least a portion of the functionality of a service coordinated by the service manager.
  - 15. The method as recited in claim 7, wherein the identity authorization metadata comprises an indication of one or more roles assigned to the entity, and an indication of one or more capabilities assigned to a role of the one or more roles.

16. A non-transitory computer-accessible storage medium storing program instructions that when executed on one or more processors:
- in response to a metadata request identifying a particular authorization entity affiliated with a client account of a client of a provider network,identify one or more service managers of the provider network, coordinating one or more services to which the client account has access; and
  
  generate composite authorization metadata of the particular authorization entity based at least in part on service authorization metadata provided by the one or more service managers.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. The non-transitory computer-accessible storage medium as recited in claim 16, wherein the instructions when executed on the one or more processors:
    - in response to an authorization query, specifying a particular user affiliated with the client account and a target operation to be performed,determine whether the particular user is authorized to perform the target operation; and
      
      in response to determining that the particular user is not authorized to perform the target operation, provide an enumeration of one or more recommended authorization requests to be submitted to obtain authorization for the particular user for the target operation.
  - 18. The non-transitory computer-accessible storage medium as recited in claim 17, wherein the instructions when executed on the one or more processors:
    - prior to providing the enumeration, determine, via a simulation of the one or more recommended authorization requests, an estimated probability of success of the one or more recommended authorization requests.
  - 19. The non-transitory computer-accessible storage medium as recited in claim 16, wherein the composite authorization metadata is based at least in part on identity authorization metadata.
  - 20. The non-transitory computer-accessible storage medium as recited in claim 19, wherein the identity authorization metadata is received from a service manager of the one or more service managers.
  - 21. The non-transitory computer-accessible storage medium as recited in claim 19, wherein the identity authorization metadata comprises an indication of one or more roles assigned to the entity, and an indication of one or more capabilities assigned to a role of the one or more roles.
  - 22. The non-transitory computer-accessible storage medium as recited in claim 19, wherein the instructions when executed on the one or more processors:
    - collect records of service authorization configuration operations from the one or more service managers, and records of identity authorization configuration operations from an identity manager.
  - 23. The non-transitory computer-accessible storage medium as recited in claim 22, wherein the instructions when executed on the one or more processors:
    - in response to a causal analysis request specifying a particular result of an authorization request, examine the records of service authorization configuration operations from the one or more service managers and identity authorization configuration operations from an identity manager to identify a record of a candidate prerequisite configuration operation of the particular result.
  - 24. The non-transitory computer-accessible storage medium as recited in claim 16, wherein the instructions when executed on the one or more processors:
    - collect records of client-side authorization configuration operations from a data source specified by the client.
  - 25. The non-transitory computer-accessible storage medium as recited in claim 16, wherein the service authorization metadata provided by a service manager of the one or more service managers comprises an access control list (ACL) associated with a particular resource implementing at least a portion of the functionality of a service coordinated by the service manager.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory B., Scharf, James E. Jr., Ramachandran, Rajiv, Samuelsson, Anders, Carlson, Keith A.
Primary Examiner(s)
Jean, Frantz

Application Number

US13/524,933
Time in Patent Office

1,271 Days
Field of Search

709/203, 709/217, 709/219, 709/220, 726/5, 726/6, 726/21, 726 1- 4, 726/15, 726/154, 725/25, 713/153
US Class Current

1/1
CPC Class Codes

H04L 63/00   Network architectures or ne...

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

Mixed-mode authorization metadata manager for cloud computing environments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Mixed-mode authorization metadata manager for cloud computing environments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links