Secure administration of virtual machines

US 9,258,290 B2
Filed: 10/10/2013
Issued: 02/09/2016
Est. Priority Date: 04/25/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a first request from an unverified entity to instantiate a first instance of a virtual machine, said first request defining a first set of one or more resources to be made available by a virtual machine server device to the first instance of the virtual machine, said first request including first security information;

validating the first request by verifying the unverified entity using the first security information;

accessing an authorization database, said authorization database identifying one or more resources, based on the verified entity, that the first instance of the virtual machine is authorized to use on the virtual machine server device, said authorization database defining one or more affinity-based restrictions for a multitenancy environment of the vitual machine server device;

based on the one or more resources and the one or more affinity-based restrictions identified by the authorization database, determining a subset of the first set of one or more resources that exists on the virtual machine server device and is available to be provided by the virtual machine server device to the first instance of the virtual machine; and

responsive to validating the first request;

instantiating the first instance of the virtual machine with access to the subset of the first set of one or more resources.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for performing secure administration of virtual domain resource allocation are provided herein. A cloud service provider (CSP) may provide instances of virtual machines to one or more contracting user entities. The cloud service provider may store an authorization database identifying one or more resources (e.g., storage, CPU, etc.) that each of the different contracting user entities is authorized to use on a virtual machine server device. The CSP may subsequently receive a request from an unverified entity to instantiate a virtual machine with access to one or more resources. The request may include security information. The CSP validates the request by verifying the unverified entity using the first security information (e.g., checking a PKI certificate, requiring a login/password, etc.) and, when the request is validated, provides access to the verified entity to a subset of the requested one or more resources based on the authorization database.

Citations

20 Claims

1. A method comprising:
- receiving a first request from an unverified entity to instantiate a first instance of a virtual machine, said first request defining a first set of one or more resources to be made available by a virtual machine server device to the first instance of the virtual machine, said first request including first security information;
  
  validating the first request by verifying the unverified entity using the first security information;
  
  accessing an authorization database, said authorization database identifying one or more resources, based on the verified entity, that the first instance of the virtual machine is authorized to use on the virtual machine server device, said authorization database defining one or more affinity-based restrictions for a multitenancy environment of the vitual machine server device;
  
  based on the one or more resources and the one or more affinity-based restrictions identified by the authorization database, determining a subset of the first set of one or more resources that exists on the virtual machine server device and is available to be provided by the virtual machine server device to the first instance of the virtual machine; and
  
  responsive to validating the first request;
  
  instantiating the first instance of the virtual machine with access to the subset of the first set of one or more resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein verifying the unverified entity comprises determining whether the first request was signed using a certificate corresponding to the unverified entity.
  - 3. The method of claim 2, wherein the certificate comprises a cryptographically signed public key infrastructure (PKI) certificate.
  - 4. The method of claim 1, wherein providing access comprises superseding a resource requested in the first request based on information in the authorization database.
  - 5. The method of claim 1, wherein providing access is limited by a time-based limitation for a requested resource based on information in one of the first request and the authorization database.
  - 6. The method of claim 5, wherein the time-based limitation is selected from a group comprising:
    - a time limitation on consecutive use of the resource;
      
      a time limitation on total use of the resource;
      
      a limitation on hours of one or more days the resource may be used;
      
      a limitation on days of the week the resource may be used; and
      
      an expiration date of the resource.
  - 7. The method of claim 1, wherein providing access is limited by the one or more affinity-based restrictions defined within the authorization database, wherein the one or more affinity-based restrictions define restrictions on co-tenants on the virtual machine service device.

8. One or more nontransitory computer readable media comprising computer readable instructions that, when executed, configure a virtualization server to perform:
- receiving a first request from an unverified entity to instantiate a first instance of a virtual machine, said first request defining a first set of one or more resources to be made available by the virtualization server to the first instance of the virtual machine, said first request including first security information;
  
  validating the first request by verifying the unverified entity using the first security information; and
  
  responsive to validating the first request;
  
  based on an authorization database identifying one or more resources that each of a plurality of entities is authorized to access and based on one or more affinity-based restrictions for a multitenancy environment of the virtualization server, determining a subset of the first set of one or more resources that exists on the virtualization server and is available to be provided by the virtualization server to the first instance of the virtual machine, andinstatiating the first instance of the virtual machine with the subset of the first set of one or more resources.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer readable media of claim 8, wherein verifying the unverified entity comprises determining whether the first request was signed using a certificate corresponding to the unverified entity.
  - 10. The computer readable media of claim 9, wherein the certificate comprises a cryptographically signed public key infrastructure (PKI) certificate.
  - 11. The computer readable media of claim 8, wherein providing access comprises superseding a resource requested in the first request based on information in the authorization database.
  - 12. The computer readable media of claim 8, wherein providing access is limited by a time-based limitation for a requested resource based on information in one of the first request and the authorization database.
  - 13. The computer readable media of claim 12, wherein the time-based limitation is selected from a group comprising:
    - a time limitation on consecutive use of the resource;
      
      a time limitation on total use of the resource;
      
      a limitation on hours of one or more days the resource may be used;
      
      a limitation on days of the week the resource may be used; and
      
      an expiration date of the resource.
  - 14. The computer readable media of claim 8, wherein providing access is limited by the one or more affinity-based resrictions defined within one of the first request and the authorization database, wherein the one or more affinity-based restrictions define restrictions on co-tenants on the virtual machine server device.

15. A virtualization server, comprising:
- a processor; and
  
  memory storing computer readable instructions that, when executed by the processor, configure the virtualization server to perform;
  
  receiving a first request from an unverified entity to instantiate a first instance of a virtual machine, said first request defining a first set of one or more resources to be made available by the virtualization server to the first instance of the virtual machine, said first request including first security information, said first request defining one or more affinity-based restrictions for a multitenancy environment of the virtualization server;
  
  validating the first request by verifying the unverified entity using the first security information; and
  
  responsive to validating the first request;
  
  based on an authorization database identifying one or more resources that each of a plurality of entities is authorized to access and based on the one or more affinity-based restrictions, determining a subset of the first set of one or more resources that exists on the virtualization server and is available to be provided by the virtualization server to the first instance of the virtual machine, andinstantiating the first instance of the virtual machine with the subset of the first set of one or more resources.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The virtualization server of claim 15, wherein verifying the unverified entity comprises determining whether the first request was signed using a certificate corresponding to the unverified entity.
  - 17. The virtualization server of claim 16, wherein the certificate comprises a cryptographically signed public key infrastructure (PKI) certificate.
  - 18. The virtualization server of claim 15, wherein providing access comprises superseding a resource requested in the first request based on information in the authorization database.
  - 19. The virtualization server of claim 15, wherein providing access is limited by a time-based limitation for a requested resource based on information in one of the first request and the authorization database.
  - 20. The virtualization server of claim 19, wherein the time-based limitation is selected from a group comprising:
    - a time limitation on consecutive use of the resource;
      
      a time limitation on total use of the resource;
      
      a limitation on hours of one or more days the resource may be used;
      
      a limitation on days of the week the resource may be used; and
      
      an expiration date of the resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Bursell, Michael Hingston McLaughlin
Primary Examiner(s)
DADA, BEEMNET W

Application Number

US14/050,488
Publication Number

US 20140040995A1
Time in Patent Office

852 Days
Field of Search

713/164, 726/1, 726/21, 726 27- 30
US Class Current

1/1
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/629   to features or functions of...

G06F 2221/2137   Time limited access, e.g. t...

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

Secure administration of virtual machines

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure administration of virtual machines

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links