Granting access to a cloud computing environment using names in a virtual computing infrastructure

US 9,218,616 B2
Filed: 11/17/2011
Issued: 12/22/2015
Est. Priority Date: 06/15/2010
Status: Active Grant

First Claim

Patent Images

1. A method of granting access to resources in a cloud computing environment, the method comprising:

assigning a first name to a group of users within the cloud computing environment, the first name specifying a first path;

assigning a second name to at least one subgroup of users from the group of users;

assigning a third name to an object;

receiving a request to access the object, the request specifying the second name and the third name;

receiving a plurality of permissions that form a graph, wherein each permission of the plurality of permissions includes a plurality of key-value pairs;

wherein a first key-value pair of the plurality of key-value pairs of the each permission includes a subject key and a name of a subject to whom the each permission is delegated;

wherein a second key-value pair of the plurality of key-value pairs of the each permission includes an object key and a name of a cloud object on which the each permission is delegated;

wherein a third key-value pair of the plurality of key-value pairs of the each permission includes an authorizer key and a name of an authorizer who is authorized to delegate the each permission;

wherein each permission of the plurality of permissions corresponds to a different vertex of vertices in the graph, the vertices connected by edges such that the each permission has at least one parent permission or at least one child permission corresponding to a different one of the vertices in the graph, wherein for each permission of the plurality of permissions having a parent permission in the graph, the name of the authorizer in the third key-value pair of the each permission matches the name of the subject in the first key-value pair of the parent permission, and wherein for each permission of the plurality of permissions having a child permission in the graph, the name of the subject in the first key-value pair of the each permission matches the name of the authorizer in the third key-value pair of the child permission;

receiving authorizer information indicating an authorizer name of an authorizer to grant permissions to access the object;

identifying a first permission from the plurality of permissions, the first permission having one or more child permissions connected in the graph and wherein the authorizer name matches a value in the third key-value pair of the first permission;

using the graph to identify a second permission from the one or more child permissions, wherein the name of the authorizer of the third key-value pair of the second permission matches or is a descendant of the name of the subject of the first key-value pair of the first permission; and

using the second permission to determine whether to grant the request by at least one of;

determining whether the second name matches or is a descendant of the name of the subject in the first key-value pair of the second permission, ordetermining whether the third name matches or is a descendant of the name of the cloud object in the second key-value pair of the second permission.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access to resources in a cloud computing environment having a plurality of computing nodes is described. A group of users is defined within the cloud computing environment. A first name is assigned to the group. At least one subgroup of users is defined from within the group. A second name is assigned to the at least one subgroup. The second name follows a hierarchical naming structure of the form/group/subgroup.

163 Citations

20 Claims

1. A method of granting access to resources in a cloud computing environment, the method comprising:
- assigning a first name to a group of users within the cloud computing environment, the first name specifying a first path;
  
  assigning a second name to at least one subgroup of users from the group of users;
  
  assigning a third name to an object;
  
  receiving a request to access the object, the request specifying the second name and the third name;
  
  receiving a plurality of permissions that form a graph, wherein each permission of the plurality of permissions includes a plurality of key-value pairs;
  
  wherein a first key-value pair of the plurality of key-value pairs of the each permission includes a subject key and a name of a subject to whom the each permission is delegated;
  
  wherein a second key-value pair of the plurality of key-value pairs of the each permission includes an object key and a name of a cloud object on which the each permission is delegated;
  
  wherein a third key-value pair of the plurality of key-value pairs of the each permission includes an authorizer key and a name of an authorizer who is authorized to delegate the each permission;
  
  wherein each permission of the plurality of permissions corresponds to a different vertex of vertices in the graph, the vertices connected by edges such that the each permission has at least one parent permission or at least one child permission corresponding to a different one of the vertices in the graph, wherein for each permission of the plurality of permissions having a parent permission in the graph, the name of the authorizer in the third key-value pair of the each permission matches the name of the subject in the first key-value pair of the parent permission, and wherein for each permission of the plurality of permissions having a child permission in the graph, the name of the subject in the first key-value pair of the each permission matches the name of the authorizer in the third key-value pair of the child permission;
  
  receiving authorizer information indicating an authorizer name of an authorizer to grant permissions to access the object;
  
  identifying a first permission from the plurality of permissions, the first permission having one or more child permissions connected in the graph and wherein the authorizer name matches a value in the third key-value pair of the first permission;
  
  using the graph to identify a second permission from the one or more child permissions, wherein the name of the authorizer of the third key-value pair of the second permission matches or is a descendant of the name of the subject of the first key-value pair of the first permission; and
  
  using the second permission to determine whether to grant the request by at least one of;
  
  determining whether the second name matches or is a descendant of the name of the subject in the first key-value pair of the second permission, ordetermining whether the third name matches or is a descendant of the name of the cloud object in the second key-value pair of the second permission.
- View Dependent Claims (2, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - defining a plurality of subgroups of users derived from the at least one subgroup, the plurality of subgroups being organized in a hierarchy; and
      
      assigning a name to each subgroup of the plurality of subgroups, wherein the name of each subgroup of the pluraltiy of subgroups is defined using a hierarchical naming structure, and wherein the name of each subgroup includes concatenated two or more names of subgroups according to the hierarchy.
  - 7. The method of claim 1, further comprising:
    - selecting, from the graph, a first set of permissions that specifies permissions that are compatible with the object;
      
      setting a second set of permissions equal to the first set of permissions;
      
      for each particular permission in the first set of permissions, adding, to a third set of permissions, a related permission that is related to the particular permission by an edge connecting the particular permission to the related permission in the graph;
      
      removing, from the third set of permissions, all permissions that are in the second set of permissions;
      
      after said removing, adding, to the second set of permissions, all permissions that are in the third set of permissions; and
      
      responding to a particular request with a rejection in response to determining that the first set of permissions is an empty set.
  - 8. The method of claim 1, further comprising:
    - upon determining not to grant the request using the second permission, using the graph to further identify a set of permissions based on the first permission, wherein the name of the authorizer of the third key-value pair of the each of the set of permissions matches or is a descendant of the name of the subject of the first key-value pair of the first permission; and
      
      using the set of permissions to determine whether to grant the request by at least one of;
      
      determining whether the second name matches or is a descendant of the name of the subject in the first key-value pair of one of the set of permissions, ordetermining whether the third name matches or is a descendant of the name of the cloud object in the second key-value pair of one of the set of permissions.
  - 9. The system of claim 1, wherein the second name is defined using a hierarchical naming structure and the second name includes concatenated two or more names of the group and subgroups along a permission delegation path from the group to the subgroup.
  - 10. The system of claim 1, wherein the third name is defined using a hierarchical naming structure and the third name includes concatenated two or more names of objects along a second path.
  - 11. The method of claim 1, wherein the name of the subject of the first key-value pair of the each permission is defined using a hierarchical naming structure and the name of the subject of the first key-value pair of the each permission includes concatenated two or more names of subjects.
  - 12. The method of claim 1, wherein the name of the cloud object of the second key-value pair of the each permission is defined using a hierarchical naming structure and the name of the cloud object of the second key-value pair of the each permission includes concatenated two or more names of cloud objects.
  - 13. The method of claim 1,wherein the second name is defined using a hierarchical naming structure and the second name includes concatenated two or more names of the group and subgroups along a permission delegation path from the group to the at least one subgroup;
    - wherein the third name is defined using the hierarchical naming structure and the third name includes concatenated two or more names of objects along a second path;
      
      wherein the name of the subject of the first key-value pair of the each permission is defined using the hierarchical naming structure and the name of the subject of the first key-value pair of the each permission includes concatenated two or more names of subjects; and
      
      wherein the name of the cloud object of the second key-value pair of the each permission is defined using the hierarchical naming structure and the name of the cloud object of the second key-value pair of the each permission includes concatenated two or more names of cloud objects.

3. A method of granting access to resources in a cloud computing environment, the method comprising:
- assigning a first name to a group of users within the cloud computing environment, the first name specifying a first path;
  
  assigning a second name to at least one subgroup of users from the group of users;
  
  assigning a third name to an object;
  
  receiving a request to access the object, the request specifying the second name and the third name;
  
  receiving a plurality of permissions that form a graph, wherein each permission of the plurality of permissions includes a plurality of key-value pairs;
  
  wherein a first key-value pair of the plurality of key-value pairs of the each permission includes a subject key and a name of a subject to whom the each permission is delegated;
  
  wherein a second key-value pair of the plurality of key-value pairs of the each permission includes an object key and a name of a cloud object on which the each permission is delegated;
  
  wherein a third key-value pair of the plurality of key-value pairs of the each permission includes an authorizer key and a name of an authorizer who is authorized to delegate the each permission;
  
  wherein each permission of the plurality of permissions corresponds to a different vertex of vertices in the graph, the vertices connected by edges such that the each permission has at least one parent permission or at least one child permission corresponding to a different one of the vertices in the graph, wherein for each permission of the plurality of permissions having a parent permission in the graph, the name of the authorizer in the third key-value pair of the each permission matches the name of the subject in the first key-value pair of the parent permission, and wherein for each permission of the plurality of permissions having child permission in the graph, the name of the subject in the first key-value pair of the each permission matches the name of the authorizer in the third key-value pair of the child permission;
  
  receiving authorizer information indicating an authorizer name of an authorizer to grant permissions to access the object;
  
  identifying a first permission from the plurality of permissions, the first permission having one or more child permissions connected in the graph, and wherein the authorizer name matches a value in the third key-value pair of the first permission;
  
  using the graph to identify a second permission from the one or more child permissions, wherein the name of the authorizer of the third key-value pair of the second permission matches or is a descendant of the name of the subject of the first key-value pair of the first permission; and
  
  using the second permission to determine whether to grant the request by at least one of;
  
  determining whether the second name matches or is a descendant of the name of the subject in the first key-value pair of the second permission, ordetermining whether the third name matches or is a descendant of the name of the cloud object in the second key-value pair of the second permission.
- View Dependent Claims (14)
- - 14. The method of claim 3,wherein the second name is defined using a hierarchical naming structure and the second name includes concatenated two or more names of the group and subgroups along a permission delegation path from the group to the at least one subgroup;
    - wherein the third name is defined using the hierarchical naming structure and the third name includes concatenated two or more names of cloud resources along a second path;
      
      wherein the name of the subject of the first key-value pair of the each permission is defined using the hierarchical naming structure and the name of the subject of the first key-value pair of the each permission includes concatenated two or more names of subjects; and
      
      wherein the name of the cloud object of the second key-value pair of the each permission is defined using the hierarchical naming structure and the name of the cloud object of the second key-value pair of the each permission includes concatenated two or more names of cloud objects.

4. A cloud computing system, comprising:
- at least one storage that stores a plurality of processing instructions; and
  
  at least one processor in communication with the at least one storage, and the at least one processor configured to execute the plurality of processing instructions to;
  
  assign a first name to a group of users within a cloud computing environment, the first name specifying a first path;
  
  assign a second name to at least one subgroup of users from the group of users;
  
  assign a third name to an object;
  
  receive a request to access the object, the request specifying the second name and the third name;
  
  receive a plurality of permissions that form a graph, wherein each permission of the plurality of permissions includes a plurality of key-value pairs;
  
  wherein a first key-value pair of the plurality of key-value pairs of the each permission includes a subject key and a name of a subject to whom the each permission is delegated;
  
  wherein a second key-value pair of the plurality of key-value pairs of the each permission includes an object key and a name of a cloud object on which the each permission is delegated;
  
  wherein a third key-value pair of the plurality of key-value pairs of the each permission includes an authorizer key and a name of an authorizer who is authorized to delegate the each permission;
  
  wherein each permission of the plurality of permissions corresponds to a different vertex of vertices in the graph, the vertices connected by edges such that the each permission has at least one parent permission or at least one child permission corresponding to a different one of the vertices in the graph, wherein for each permission of the plurality of permissions having a parent permission in the graph, the name of the authorizer in the third key-value pair of the each permission matches the name of the subject in the first key-value pair of the parent permission, and wherein for each permission of the plurality of permissions having a child permission in the graph, the name of the subject in the first key-value pair of the each permission matches the name of the authorizer in the third key-value pair of the child permission;
  
  receive authorizer information indicating an authorizer name of an authorizer to grant permissions to access the object;
  
  identify a first permission from the plurality of permissions, the first permission having one or more child permissions connected in the graph and wherein the authorizer name matches a value in the third key-value pair of the first permission;
  
  use the graph to identify a second permission from the one or more child permissions, wherein the name of the authorizer of the third key-value pair of the second permission matches or is a descendant of the name of the subject of the first key-value pair of the first permission; and
  
  use the second permission to determine whether to grant the request by at least one of;
  
  determining whether the second name matches or is a descendant of the name of the subject in the first key-value pair of the second permission, ordetermining whether the third name matches or is a descendant of the name of the cloud object in the second key-value pair of the second permission.
- View Dependent Claims (5, 15, 16, 17, 18, 19)
- - 5. The system of claim 4, wherein the at least one processor is further configured to execute instructions to:
    - define a plurality of subgroups of users derived from the at least one subgroup, the plurality of subgroups being organized in a hierarchy; and
      
      assign a name to each subgroup of the plurality of subgroups, wherein the name of each subgroup of the pluraltiy of subgroups is defined using a hierarchical naming structure, and the name of each subgroup includes concatenated two or more names of subgroups according to the hierarchy.
  - 15. The system of claim 4, wherein the second name is defined using a hierarchical naming structure and the second name includes concatenated two or more names of the group and subgroups along a permission delegation path from the group to the at least one subgroup.
  - 16. The system of claim 4, wherein the third name is defined using a hierarchical naming structure and the third name includes concatenated two or more names of objects along a second path.
  - 17. The system of claim 4, wherein the name of the subject of the first key-value pair of the each permission is defined using a hierarchical naming structure and the name of the subject of the first key-value pair of the each permission includes concatenated two or more names of subjects.
  - 18. The system of claim 4, wherein the name of the cloud object of the second key-value pair of the each permission is defined using a hierarchical naming structure and the name of the cloud object of the second key-value pair of the each permission includes concatenated two or more names of cloud objects.
  - 19. The system of claim 4,wherein the second name is defined using a hierarchical naming structure and the second name includes concatenated two or more names of the group and subgroups along a permission delegation path from the group to the at least one subgroup;
    - wherein the third name is defined using the hierarchical naming structure and the third name includes concatenated two or more names of objects along a second path;
      
      wherein the name of the subject of the first key-value pair of the each permission is defined using the hierarchical naming structure and the name of the subject of the first key-value pair of the each permission includes concatenated two or more names of subjects; and
      
      wherein the name of the cloud object of the second key-value pair of the each permission is defined using the hierarchical naming structure and the name of the cloud object of the second key-value pair of the each permission includes concatenated two or more names of cloud objects.

6. A cloud computing system, comprising:
- at least one storage that stores a plurality of processing instructions; and
  
  at least one processor in communication with the at least one storage, and configured to execute the plurality of processing instructions to;
  
  assign a first name to a group of users within the cloud computing environment, the first name specifying a first path;
  
  assign a second name to at least one subgroup of users from the group of users;
  
  assign a third name to an object;
  
  receive a request to access the object, the request specifying the second name and the third name;
  
  receive a plurality of permissions that form a graph, wherein each permission of the plurality of permissions includes a plurality of key-value pairs;
  
  wherein a first key-value pair of the plurality of key-value pairs of the each permission includes a subject key and a name of a subject to whom the each permission is delegated;
  
  wherein a second key-value pair of the plurality of key-value pairs of the each permission includes an object key and a name of a cloud object on which the each permission is delegated;
  
  wherein a third key-value pair of the plurality of key-value pairs of the each permission includes an authorizer key and a name of an authorizer who is authorized to delegate the each permission;
  
  wherein each permission of the plurality of permissions corresponds to a different vertex of vertices in the graph, the vertices connected by edges such that the each permission has at least one parent permission or at least one child permission corresponding to a different one of the vertices in the graph, wherein for each permission of the plurality of permissions having a parent permission in the graph, the name of the authorizer in the third key-value pair of the each permission matches the name of the subject in the first key-value pair of the parent permission, and wherein for each permission of the plurality of permissions having a child permission in the graph, the name of the subject in the first key-value pair of the each permission matches the name of the authorizer in the third key-value pair of the child permission;
  
  receive authorizer information indicating an authorizer name of an authorizer to grant permissions to access the object;
  
  identify a first permission from the plurality of permissions, the first permission having one or more child permissions connected in the graph and wherein the authorizer name matches a value in the third key-value pair of the first permission;
  
  use the graph to identify a second permission from the one or more child permissions, wherein the name of the authorizer of the third key-value pair of the second permission matches or is a descendant of the name of the subject of the first key-value pair of the first permission; and
  
  using the second permission to determine whether to grant the request by at least one of;
  
  determining whether the second name matches or is a descendant of the name of the subject in the first key-value pair of the second permission, ordetermining whether the third name matches or is a descendant of the name of the cloud object in the second key-value pair of the second permission.
- View Dependent Claims (20)
- - 20. The system of claim 6,wherein the second name is defined using a hierarchical naming structure and the second name includes concatenated two or more names of the group and subgroups along a permission delegation path from the group to the at least one subgroup;
    - wherein the third name is defined using the hierarchical naming structure and the third name includes concatenated two or more names of cloud resources along a second path;
      
      wherein the name of the subject of the first key-value pair of the each permission is defined using the hierarchical naming structure and the name of the subject of the first key-value pair of the each permission includes concatenated two or more names of subjects; and
      
      wherein the name of the cloud object of the second key-value pair of the each permission is defined using the hierarchical naming structure and the name of the cloud object of the second key-value pair of the each permission includes concatenated two or more names of cloud objects.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Van Biljon, Willem Robert, Pinkham, Christopher Conway, Cloran, Russell Andrew, Gorven, Michael Carl, Hardy, Alexandre, Divey, Brynmor K. B., Hoole, Quinton Robin, Kalele, Girish
Primary Examiner(s)
Vaughan, Michael R
Assistant Examiner(s)
MCCOY, RICHARD ANTHONY

Application Number

US13/299,066
Publication Number

US 20120110651A1
Time in Patent Office

1,496 Days
Field of Search

726 1- 4, 726 26- 30
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

G06Q 30/04   Billing or invoicing

G06Q 40/00   Finance; Insurance; Tax str...

G06Q 40/02   Banking, e.g. interest calc...

G06Q 40/10   Tax strategies

H04L 41/0213   Standardised network manage...

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 67/10   in which an application is ...

H04L 67/60   Scheduling or organising th...

H04L 9/40   Network security protocols

H04M 15/66   Policy and charging system

Granting access to a cloud computing environment using names in a virtual computing infrastructure

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

163 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Granting access to a cloud computing environment using names in a virtual computing infrastructure

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

163 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others