System and method for transparently injecting policy in a platform as a service infrastructure

US 9,553,894 B2
Filed: 03/10/2014
Issued: 01/24/2017
Est. Priority Date: 03/14/2013
Status: Active Grant

First Claim

Patent Images

1. A method for enforcing policy in a distributed computing environment with a plurality of hosts comprising:

establishing a policy update specified through a namespaced addressing syntax;

at a set of components, subscribing to policy update publications of at least one component namespace so as to establish a set of subscribed components, the set of subscribed components being a subset of the set of components, and said set of components being software components within the distributed computing environment;

publishing the policy update to the set of subscribed components, wherein the set of subscribed components have subscriptions associated with a component namespace referenced by the policy update, and wherein operation of the set of subscribed components is governed by the policy update;

at a host of the set of subscribed components, authenticating the published policy update to at least verify that the published policy update is valid;

at the host, locally verifying policy compliance of an operation request by a first component of the set of subscribed components, wherein the operation request is directed towards at least a second component of the set of components; and

applying results of verifying the policy compliance of the operation request within a communication channel flow, which comprises routing the operational request through the communication channel to the second component if the operational request is permitted and preventing the operational request if the operational request is not permitted.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for enforcing policy in a computing environment with a plurality of hosts that includes establishing a policy update specified through a namespaced addressing syntax; publishing the policy update to a set of components associated with a referenced component namespace; at a host of the set of components, authenticating the policy update; at the host, locally verifying policy compliance of an operation request by the host directed towards at least a second component; applying results of verifying the policy compliance of the operation request within a communication channel flow, which comprises routing the operational request through the communication channel to the second component if the operational request is permitted and preventing the operational request if the operational request is not permitted.

43 Citations

16 Claims

1. A method for enforcing policy in a distributed computing environment with a plurality of hosts comprising:
- establishing a policy update specified through a namespaced addressing syntax;
  
  at a set of components, subscribing to policy update publications of at least one component namespace so as to establish a set of subscribed components, the set of subscribed components being a subset of the set of components, and said set of components being software components within the distributed computing environment;
  
  publishing the policy update to the set of subscribed components, wherein the set of subscribed components have subscriptions associated with a component namespace referenced by the policy update, and wherein operation of the set of subscribed components is governed by the policy update;
  
  at a host of the set of subscribed components, authenticating the published policy update to at least verify that the published policy update is valid;
  
  at the host, locally verifying policy compliance of an operation request by a first component of the set of subscribed components, wherein the operation request is directed towards at least a second component of the set of components; and
  
  applying results of verifying the policy compliance of the operation request within a communication channel flow, which comprises routing the operational request through the communication channel to the second component if the operational request is permitted and preventing the operational request if the operational request is not permitted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising at an auth server, sending a heartbeat signal at periodic intervals to the host of the set of components;
    - and wherein verifying policy compliance comprises checking the heartbeat signal, requesting a second policy update from the auth server if the heartbeat signal is expired, and using the second policy update to verify policy compliance of the operation request.
  - 3. The method of claim 1, further comprising:
    - at an auth server, cryptographically signing a token to describe a sender of the policy update, transferring the token to the host of the set of components; and
      
      wherein authenticating the policy update includes decoding the token and verifying the sender of the policy update is the auth server.
  - 4. The method of claim 1, wherein publishing the policy update to the set of subscribed components comprises publishing the policy update to a class of components that hierarchically depend on the referenced component namespace.
  - 5. The method of claim 1, further comprising at least partially isolating one or more of the components in the set of subscribed components in respective isolation containers so that component dependencies can be controlled according to subscribed policies.
  - 6. The method of claim 1, further comprising:
    - at the host, cryptographically signing a validating token to describe a sender of the operational request, transferring the token to the second component with the operational request; and
      
      wherein authenticating the published policy update includes decoding the validating token and verifying the sender of the operational request.
  - 7. The method of claim 6, further comprising logging operational requests with information of the validating token.
  - 8. The method of claim 6, further comprising sending notification communications of the operational request.
  - 9. The method of claim 1, further comprising:
    - receiving a platform update, wherein a platform update defines at least a portion of operation of a component;
      
      processing the platform update through a staging pipeline, which comprises enforcing staging policies; and
      
      instantiating the processed platform update in at least one component operated within an isolated container and establishing a local policy of the at least one component in a policy injector at the host.
  - 10. The method of claim 1, wherein policy is updated from multiple accounts with different policy setting privileges within the namespaced addressing syntax.
  - 11. The method of claim 1, wherein if the operational request is permitted according to a component access policy, routing the operational request through the communication channel to the second component.
  - 12. The method of claim 1, wherein if the operational request is permitted according to a component resource consumption policy, routing the operational request through the communication channel to the second component.

13. A method for component policy enforcement within a distributed computing environment comprising:
- establishing staging policies and local operational policies through a component namespace syntax, wherein the staging policies define policies enforced during staging of a platform update, and wherein the local operational policies define policies applied at a policy injector of a component, said component being software component in the distributed computing environment;
  
  receiving the platform update, wherein a platform update is an update that defines an at least partial change of component operation;
  
  processing the platform update through a staging pipeline that comprises enforcing the staging policies on the platform update;
  
  instantiating the processed platform update in at least one component operated within an isolation container of least one component, and wherein a local operational policy of the local operational policies is locally established in a policy injector at a host of the isolation container of the at least one component, said isolation container isolating the at least one component so that component dependencies are controlled according to the local operational policy; and
  
  routing operational requests of the at least one component through a communication channel policy injector.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, wherein processing the platform update comprises processing the platform update in a package contents policy stage, processing the platform update in an application dependency policy stage, and processing the platform update in a testing policy stage.
  - 15. The method of claim 14, wherein processing the platform update in an application dependency policy stage comprises updating a component on which at least one staged component is dependent.
  - 16. The method of claim 14, wherein processing the platform update comprises processing the platform update in an authoritative check policy stage that comprises requesting approval to proceed with processing of the platform update.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apcera, Inc. (Telefonaktiebolaget LM Ericsson)
Original Assignee
Apcera, Inc. (Telefonaktiebolaget LM Ericsson)
Inventors
Collison, Derek, Catherman, Brady, Smith, Justin Joseph, Khazanovsky, Kirill, Robertson, Kenneth Michael
Primary Examiner(s)
McNally, Michael S
Assistant Examiner(s)
NGUYEN, TRONG H

Application Number

US14/203,273
Publication Number

US 20140282849A1
Time in Patent Office

1,051 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/12   Applying verification of th...

H04L 63/20   for managing network securi...

H04W 12/68   Gesture-dependent or behavi...

System and method for transparently injecting policy in a platform as a service infrastructure

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

43 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

System and method for transparently injecting policy in a platform as a service infrastructure

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others