Access controls on the use of freeform metadata

US 9,576,141 B2
Filed: 01/22/2013
Issued: 02/21/2017
Est. Priority Date: 01/22/2013
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for controlling association of metadata with computing resources, the method comprising:

associating an access control list with the metadata, the access control list specifying principals that are allowed to assign, modify, or delete the metadata and for which computing resources the principals are allowed to assign, modify or delete the metadata, wherein the metadata is usable to determine whether to grant or deny operations on corresponding computing resources;

receiving, from a first user, a first request to assign one of the metadata to at least one computing resource;

in response to receiving the first request, evaluating the access control list to determine whether the first user matches at least one of the principals specified in the access control list;

associating the one of the metadata with the at least one computing resource upon determining that the first user matches at least one of the principals specified in the access control list;

receiving a second request from a second user to perform an operation on the at least one computing resource, wherein the second user is associated with an access control policy, the access control policy specifying operations permitted by the second user on the at least one computing resource based at least in part on the one of the metadata;

identifying a reference to the one of the metadata in the access control policy; and

resolving the second request based at least in part on the one of the metadata specifying an access condition for the access control policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Approaches are described for security and access control for computing resources. Various embodiments utilize metadata, e.g., tags that can be applied to one or more computing resources (e.g., virtual machines, host computing devices, applications, databases, etc.) to control access to these and/or other computing resources. In various embodiments, the tags and access control policies described herein can be utilized in a multitenant shared resource environment.

18 Citations

View as Search Results

22 Claims

1. A computer implemented method for controlling association of metadata with computing resources, the method comprising:
- associating an access control list with the metadata, the access control list specifying principals that are allowed to assign, modify, or delete the metadata and for which computing resources the principals are allowed to assign, modify or delete the metadata, wherein the metadata is usable to determine whether to grant or deny operations on corresponding computing resources;
  
  receiving, from a first user, a first request to assign one of the metadata to at least one computing resource;
  
  in response to receiving the first request, evaluating the access control list to determine whether the first user matches at least one of the principals specified in the access control list;
  
  associating the one of the metadata with the at least one computing resource upon determining that the first user matches at least one of the principals specified in the access control list;
  
  receiving a second request from a second user to perform an operation on the at least one computing resource, wherein the second user is associated with an access control policy, the access control policy specifying operations permitted by the second user on the at least one computing resource based at least in part on the one of the metadata;
  
  identifying a reference to the one of the metadata in the access control policy; and
  
  resolving the second request based at least in part on the one of the metadata specifying an access condition for the access control policy.
- View Dependent Claims (2)
- - 2. The computer implemented method of claim 1, wherein a string pattern matching algorithm is applied in the access control list to identify which principals are allowed to assign which metadata.

3. A computer implemented method, comprising:
- receiving, from a user, a first request to apply a tag from available tags to at least one computing resource, the available tags associated with corresponding policies and usable to determine whether to grant or deny operations on corresponding computing resources, wherein the first request is associated with a first policy, and wherein at least one of the corresponding policies indicates one or more principals that are permitted to apply the tag to the at least one computing resource;
  
  in response to receiving the first request, evaluating the first policy to determine whether the user is permitted to apply the tag to the at least one computing resource, wherein evaluating the first policy includes determining whether the user matches the one or more principals;
  
  associating the tag with the at least one computing resource upon determining that the user is permitted to apply the tag;
  
  receiving a second request to perform an operation on the at least one computing resource, the second request associated with a second policy of the corresponding policies and which specifies operations permitted on the at least one computing resource based at least in part on a respective tag associated with the at least one computing resource;
  
  identifying a reference to the tag in the second policy; and
  
  resolving the second request based at least in part on the tag specifying an access condition in the second policy.
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10, 11)
- - 4. The computer implemented method of claim 3, wherein the tag includes a freeform character string that specifies a key and a value.
  - 5. The computer implemented method of claim 4, wherein the second policy includes at least one restriction that is based at least in part on the key and any value.
  - 6. The computer implemented method of claim 4, wherein the second policy includes at least one restriction that is based at least in part on both (a) the key and (b) the value specified in the tag.
  - 7. The computer implemented method of claim 3, wherein the first request is denied if the evaluation of the first policy does not permit the user to apply the tag.
  - 8. The computer implemented method of claim 3, wherein a string pattern matching algorithm is applied in the first policy to specify which principals are allowed to apply the tag.
  - 9. The computer implemented method of claim 3, wherein the at least one computing resource includes at least one of:
    - a virtual machine instance, a host computing device, an application, a storage device, a database, a virtual network including a plurality of virtual machines, or an interface.
  - 10. The computer implemented method of claim 3, wherein the at least one computing resource includes at least one virtual machine provided to the user by a service provider in a multitenant computing environment.
  - 11. The computer implemented method of claim 10, wherein receiving, from the user, the first request further includes:
    - receiving an application programming interface (API) call over a network, the API provided by the service provider in the multitenant computing environment.

12. A computing system, comprising:
- at least one processor; and
  
  memory including instructions that, when executed by the at least one processor, cause the computing system to;
  
  receive, from a user, a first request to apply a tag from available tags to at least one computing resource, the available tags associated with corresponding policies and usable to determine whether to grant or deny operations on corresponding computing resources, wherein the first request is associated with a first policy, and wherein at least one of the corresponding policies indicates one or more principals that are permitted to apply the tag to the at least one computing resource;
  
  in response to receiving the first request, evaluate the first policy to determine whether the user is permitted to apply the tag to the at least one computing resource, wherein evaluating the first policy includes determining whether the user matches the one or more principals;
  
  associate the tag with the at least one computing resource upon determining that the user is permitted to apply the tag;
  
  receive a second request to perform an operation on the at least one computing resource, the second request associated with a second policy of the corresponding policies and which specifies operations permitted on the at least one computing resource based at least in part on a respective tag associated with the at least one computing resource;
  
  identify a reference to the tag in the second policy; and
  
  resolve the second request based at least in part on the tag specifying an access condition in the second policy.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computing system of claim 12, wherein the tag includes a freeform character string that specifies a key and a value.
  - 14. The computing system of claim 13, wherein the second policy includes at least one restriction that is based at least in part on the key and any value.
  - 15. The computing system of claim 13, wherein the second policy includes at least one restriction that is based at least in part on both (a) the key and (b) the value associated with the key specified in the tag.
  - 16. The computing system of claim 12, wherein the first request fails if the first policy is evaluated to deny the user from applying the tag.
  - 17. The computing system of claim 12, wherein a string matching algorithm is applied in the first policy to specify which principals are allowed to apply the tag.

18. A non-transitory computer readable storage medium storing one or more sequences of instructions executable by one or more processors to perform a set of operations comprising:
- receiving, from a user, a first request to apply a tag from available tags to at least one computing resource, the available tags associated with corresponding policies, wherein the first request is associated with a first policy, and wherein at least one of the corresponding policies indicates one or more principals that are permitted to apply the tag to the at least one computing resource;
  
  in response to receiving the first request, evaluating the first policy to determine whether the user is permitted to apply the tag to the at least one computing resource, wherein evaluating the first policy includes determining whether the user matches the one or more principals;
  
  associating the tag with the at least one computing resource upon determining that the user is permitted to apply the tag;
  
  receiving a second request to perform an operation on the at least one computing resource, the second request associated with a second policy of the corresponding policies and which specifies operations permitted on the at least one computing resource based at least in part on a respective tag associated with the at least one computing resource;
  
  identify a reference to the tag in the second policy; and
  
  resolving the second request based at least in part on the tag specifying an access condition in the second policy.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The non-transitory computer readable storage medium of claim 18, wherein the tag includes a freeform character string that specifies a key and a value.
  - 20. The non-transitory computer readable storage medium of claim 19, wherein the second policy includes at least one restriction that is based at least in part on the key and any value.
  - 21. The non-transitory computer readable storage medium of claim 19, wherein the second policy includes at least one restriction that is based at least in part on both (a) the key and (b) the value specified in the tag.
  - 22. The non-transitory computer readable storage medium of claim 18, wherein the first request is denied if the evaluation of the first policy does not permit the user to apply the tag.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Brandwine, Eric Jason, DeSantis, Peter Nicholas, Thrane, Lon
Primary Examiner(s)
Alam, Hosain
Assistant Examiner(s)
May, Robert F

Application Number

US13/747,239
Publication Number

US 20140207824A1
Time in Patent Office

1,491 Days
Field of Search

707/785, 709/217
US Class Current

1/1
CPC Class Codes

G06F 21/6209 to a single file or object,...

Access controls on the use of freeform metadata

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Access controls on the use of freeform metadata

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links