System and method for transparently injecting policy in a platform as a service infrastructure
First Claim
1. A method for enforcing policy in a distributed computing environment with a plurality of hosts comprising:
- establishing a policy update specified through a namespaced addressing syntax;
- at a set of components, subscribing to policy update publications of at least one component namespace so as to establish a set of subscribed components, the set of subscribed components being a subset of the set of components, and said set of components being software components within the distributed computing environment;
- publishing the policy update to the set of subscribed components, wherein the set of subscribed components have subscriptions associated with a component namespace referenced by the policy update, and wherein operation of the set of subscribed components is governed by the policy update;
- at a host of the set of subscribed components, authenticating the published policy update to at least verify that the published policy update is valid;
- at the host, locally verifying policy compliance of an operation request by a first component of the set of subscribed components, wherein the operation request is directed towards at least a second component of the set of components; and
- applying results of verifying the policy compliance of the operation request within a communication channel flow, which comprises routing the operational request through the communication channel to the second component if the operational request is permitted and preventing the operational request if the operational request is not permitted.
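The claim above describes a per-host policy injector: components subscribe to dotted policy namespaces, a published update is accepted only after it authenticates, and each operation request is then checked locally and either routed or blocked. The following is an added illustration, not code from the patent or any named product; the HMAC shared key, the dotted prefix-matching rule for namespaces, the `(src, dst, op)` rule shape and the default-deny stance are all assumptions made for the example.

```python
import hmac, hashlib, json
# Constructed shared key standing in for the platform's publication credential (assumed).
POLICY_KEY = b"constructed-demo-key"

def _body(update):  # canonical bytes of the update minus its signature
    return json.dumps({k: v for k, v in update.items() if k != "sig"}, sort_keys=True).encode()

def sign_update(update):
    return {**update, "sig": hmac.new(POLICY_KEY, _body(update), hashlib.sha256).hexdigest()}

def verify_update(update):
    expected = hmac.new(POLICY_KEY, _body(update), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, update.get("sig", ""))
def ns_matches(subscription, namespace):
    # Dotted namespace addressing: subscribing to "app.web" covers "app.web" and "app.web.*".
    return namespace == subscription or namespace.startswith(subscription + ".")

class PolicyInjector:
    """Per-host injector: holds a component's subscriptions, accepts only
    authenticated updates, and checks each operation request against local rules."""
    def __init__(self, component, subscriptions):
        self.component, self.subscriptions = component, list(subscriptions)
        self.rules = {}  # (src, dst, op) -> "allow" | "deny"

    def on_publish(self, update):
        if not any(ns_matches(s, update["namespace"]) for s in self.subscriptions):
            return False  # not subscribed to this namespace: ignore
        if not verify_update(update):  # authenticate before the update governs anything
            return False
        for r in update["rules"]:
            self.rules[(r["src"], r["dst"], r["op"])] = r["effect"]
        return True

    def route(self, dst, op):
        # Compliance check in the channel flow: route if permitted, otherwise block (default deny).
        effect = self.rules.get((self.component, dst, op), "deny")
        return "routed" if effect == "allow" else "blocked"

class PolicyBus:
    def __init__(self): self.injectors = []
    def subscribe(self, inj): self.injectors.append(inj)
    def publish(self, update): return [i.component for i in self.injectors if i.on_publish(update)]

def demo():
    bus, web, worker = PolicyBus(), PolicyInjector("web", ["app.web"]), PolicyInjector("worker", ["app.worker"])
    bus.subscribe(web); bus.subscribe(worker)
    upd = sign_update({"namespace": "app.web.db", "rules": [{"src": "web", "dst": "db", "op": "read", "effect": "allow"}]})
    tampered = dict(upd, rules=[dict(upd["rules"][0], op="write")])  # body altered, old signature kept
    return bus.publish(upd), web.route("db", "read"), web.route("db", "write"), web.on_publish(tampered), worker.route("db", "read")
```

`demo()` shows the update reaching only the subscriber whose namespace prefix matches, the permitted read being routed while the unlisted write is blocked, and a tampered update being rejected at the host before it can change any rule.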
Abstract
A system and method for enforcing policy in a computing environment with a plurality of hosts that includes establishing a policy update specified through a namespaced addressing syntax; publishing the policy update to a set of components associated with a referenced component namespace; at a host of the set of components, authenticating the policy update; at the host, locally verifying policy compliance of an operation request by the host directed towards at least a second component; applying results of verifying the policy compliance of the operation request within a communication channel flow, which comprises routing the operational request through the communication channel to the second component if the operational request is permitted and preventing the operational request if the operational request is not permitted.
43 Citations
16 Claims
1. (Independent claim, reproduced in full under First Claim above; dependent claims 2 to 12.)
13. A method for component policy enforcement within a distributed computing environment comprising:
- establishing staging policies and local operational policies through a component namespace syntax, wherein the staging policies define policies enforced during staging of a platform update, and wherein the local operational policies define policies applied at a policy injector of a component, said component being a software component in the distributed computing environment;
- receiving the platform update, wherein a platform update is an update that defines an at least partial change of component operation;
- processing the platform update through a staging pipeline that comprises enforcing the staging policies on the platform update;
- instantiating the processed platform update in at least one component operated within an isolation container of the at least one component, wherein a local operational policy of the local operational policies is locally established in a policy injector at a host of the isolation container of the at least one component, said isolation container isolating the at least one component so that component dependencies are controlled according to the local operational policy; and
- routing operational requests of the at least one component through a communication channel policy injector.
(Dependent claims 14, 15, 16.)
Specification