Distributed policy enforcement with optimizing policy transformations
Abstract
User-specified policies may be efficiently implemented and enforced with a distributed set of policy enforcement components. User-specified policies may be transformed into a normal form. Sets of normal form policies may be optimized. The optimized policies may be indexed and/or divided and provided to the distributed set of policy enforcement components. The distributed policy enforcement may have a sandbox mode and/or verification mode enabling policy configuration verification. With appropriate authorization, substitute data may be used in verification mode to evaluate requests with respect to policies. Evaluation results, relevant policies, and decision data utilized during request evaluation may be collected, filtered and reported at a variety of levels of detail. Originating user-specified policies may be tracked during the policy normalization process to enable reference to user-specified policies in verification mode reports.
42 Citations
21 Claims
1. A computer-implemented method for distributed policy enforcement, comprising:
under control of one or more computer systems configured with executable instructions,
- receiving, at a policy management component of a virtual resource provider, a user-specified policy with respect to at least one action capable of being performed by the virtual resource provider;
- incorporating the user-specified policy into a first set of normal form policies at least in part by determining whether the user-specified policy is redundant with respect to the first set of normal form policies by generating a second set of normal form policies having a common form that correspond to the user-specified policy, each of the first set of normal form policies having the common form;
- generating an index of the first set of normal form policies based at least in part on a common set of policy elements of the common form;
- identifying, based at least in part on the index, at least one subset of the first set of normal form policies that is relevant to at least one of a plurality of policy enforcement components;
- providing said at least one subset of the first set of normal form policies to at least one of the plurality of policy enforcement components of the virtual resource provider identified as relevant;
- receiving a request to perform said at least one action at a user interface of the virtual resource provider; and
- enforcing the user-specified policy received at the policy management component at least in part by evaluating the request with respect to said at least one subset of the first set of normal form policies at said at least one of the plurality of policy enforcement components.
Dependent claims: 2 to 16.

17. A computerized system for policy enforcement, comprising:
- a plurality of policy enforcement components each configured to, at least: maintain a local set of policies; receive, at a user interface of a virtual resource provider, a request to perform at least one action capable of being performed by the virtual resource provider; and enforce the set of policies with respect to received requests;
- at least one policy management component configured to, at least: maintain a global set of policies having policies in a normal form corresponding to a set of policy elements; receive at least one new policy with respect to the at least one action; incorporate the at least one new policy into the global set of policies at least in part by generating a normal set of policies corresponding to said at least one new policy, each of the normal set of policies being in the normal form; identify a plurality of subsets of the global set of policies that are relevant to a subset of a plurality of policy enforcement components, wherein each of the subset of the plurality of policy enforcement components is further configured at least to update the local set of policies of the policy enforcement component with one of the plurality of subsets of the global set of policies provided by said at least one policy management component; and provide the plurality of subsets of the global set of policies to at least the subset of the plurality of policy enforcement components identified as relevant; and
- one or more processors collectively facilitating at least the plurality of policy enforcement components and said at least one policy management component.
Dependent claims: 18, 19.

20. One or more non-transitory computer-readable media having collectively thereon computer-executable instructions that configure one or more computers to collectively, at least:
- receive, at a policy management component of a virtual resource provider, a user-specified policy with respect to at least one action capable of being performed by the virtual resource provider;
- incorporate the user-specified policy into a first set of normal form policies at least in part by determining whether the user-specified policy is redundant with respect to the first set of normal form policies by generating a second set of normal form policies having a common form that correspond to the user-specified policy, each of the first set of normal form policies having the common form;
- generate an index of the first set of normal form policies based at least in part on a common set of policy elements of the common form;
- identify, based at least in part on the index, at least one subset of the first set of normal form policies that is relevant to at least one of a plurality of policy enforcement components;
- provide said at least one subset of the first set of normal form policies to at least one of the plurality of policy enforcement components of the virtual resource provider identified as relevant;
- receive a request to perform said at least one action at a user interface of the virtual resource provider; and
- enforce the user-specified policy received at the policy management component at least in part by evaluating the request with respect to said at least one subset of the first set of normal form policies at said at least one of the plurality of policy enforcement components.
Dependent claims: 21.
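The pipeline the claims describe (normalize a user policy into a common form, reject it if redundant against the global set, index the global set on a policy element, hand each enforcement component only the subset relevant to it, and evaluate requests locally while tracking which user policy each decision came from) is easier to see in code. The following is an added toy model, not code from the patent or its assignee. It assumes a policy has three elements (principal, action, resource) plus an effect, that the normal form is one tuple per combination of element values, that "*" matches any value, that the index is keyed on the action element, and that a policy is redundant when every one of its normal-form tuples is subsumed by an existing tuple with the same effect. Policy ids, principals, actions and resources in the demo are constructed sample values.

```python
"""Toy model of normalize -> deduplicate -> index -> distribute -> enforce.
Assumptions (not from the patent): three policy elements plus an effect,
'*' as a wildcard, action-keyed index, same-effect subsumption = redundancy."""
from dataclasses import dataclass
from itertools import product

ELEMENTS = ("principal", "action", "resource")


@dataclass(frozen=True)
class NormalPolicy:
    """One normal-form policy: a single value per element, plus its origin."""
    principal: str
    action: str
    resource: str
    effect: str   # "allow" or "deny"
    origin: str   # id of the user-specified policy it was derived from


def normalize(policy_id, user_policy):
    """Expand a user policy (a list of values per element) into normal-form tuples.
    A missing element means 'any', represented by the '*' wildcard."""
    values = [user_policy.get(e, ["*"]) for e in ELEMENTS]
    return {NormalPolicy(p, a, r, user_policy["effect"], policy_id)
            for p, a, r in product(*values)}


def _covers(policy, principal, action, resource):
    """True when each element of `policy` is '*' or equals the given value."""
    return all(getattr(policy, e) in ("*", v)
               for e, v in zip(ELEMENTS, (principal, action, resource)))


def _subsumes(general, specific):
    """An existing tuple subsumes a new one if it covers it with the same effect."""
    return general.effect == specific.effect and _covers(
        general, specific.principal, specific.action, specific.resource)


class PolicyManager:
    """The policy management component: global normal-form set plus index."""

    def __init__(self):
        self.global_set = set()
        self.index = {}   # action value -> set of NormalPolicy

    def incorporate(self, policy_id, user_policy):
        """Add the policy; return False and change nothing if it is redundant."""
        new = normalize(policy_id, user_policy)
        if all(any(_subsumes(g, n) for g in self.global_set) for n in new):
            return False
        self.global_set |= new
        for n in new:
            self.index.setdefault(n.action, set()).add(n)
        return True

    def relevant_subset(self, actions):
        """Subset of the global set relevant to a component handling `actions`.
        Policies with action '*' are relevant to every component."""
        out = set(self.index.get("*", set()))
        for a in actions:
            out |= self.index.get(a, set())
        return out


class EnforcementComponent:
    """A policy enforcement component holding only its relevant local subset."""

    def __init__(self, actions):
        self.actions = set(actions)
        self.local = set()

    def update(self, manager):
        self.local = manager.relevant_subset(self.actions)

    def evaluate(self, principal, action, resource):
        """Explicit deny wins, then allow, else default deny.
        Also returns the originating user-policy ids used for the decision."""
        matched = [p for p in self.local if _covers(p, principal, action, resource)]
        origins = sorted({p.origin for p in matched})
        if any(p.effect == "deny" for p in matched):
            return "deny", origins
        if any(p.effect == "allow" for p in matched):
            return "allow", origins
        return "deny", origins


def demo():
    """Constructed sample: three user policies, two enforcement components."""
    mgr = PolicyManager()
    mgr.incorporate("P1", {"principal": ["alice"], "action": ["s3:Get", "s3:Put"],
                           "resource": ["bucket-a"], "effect": "allow"})
    mgr.incorporate("P2", {"action": ["s3:Put"], "resource": ["bucket-a"],
                           "effect": "deny"})                       # any principal
    p3_added = mgr.incorporate("P3", {"principal": ["alice"], "action": ["s3:Get"],
                                      "resource": ["bucket-a"], "effect": "allow"})
    reader = EnforcementComponent(["s3:Get"])
    writer = EnforcementComponent(["s3:Put"])
    reader.update(mgr)
    writer.update(mgr)
    return {
        "p3_added": p3_added,                  # False: subsumed by P1's Get tuple
        "global_size": len(mgr.global_set),    # 3 normal-form tuples
        "read_local": len(reader.local),       # 1
        "write_local": len(writer.local),      # 2
        "alice_get": reader.evaluate("alice", "s3:Get", "bucket-a"),
        "alice_put": writer.evaluate("alice", "s3:Put", "bucket-a"),
        "bob_put": writer.evaluate("bob", "s3:Put", "bucket-b"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two points worth noticing in the run: the redundancy check keeps P3 out of the global set, so the reader component never carries a duplicate tuple; and the writer component denies alice's Put on bucket-a even though P1 allows it, because the deny from P2 is also in its local subset, and the returned origins (P1 and P2) are exactly what a verification-mode report would cite.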