HIGHLY PARALLEL EVALUATION OF XACML POLICIES

US 20090288136A1
Filed: 05/19/2008
Published: 11/19/2009
Est. Priority Date: 05/19/2008
Status: Active Grant

First Claim

Patent Images

1. A method performed by a network element, the method comprising:

in response to a request received from a client for accessing a resource of an application server of a datacenter having a plurality of servers, extracting a plurality of attributes from the request, the attributes including at least one of a user attribute identifying a user of the client and an environment attribute identifying an environment associated with the user;

concurrently performing a plurality of individual searches, one for each of the extracted attributes, in a policy store having stored therein a plurality of rules and policies written in XACML (extensible access control markup language), wherein the rules and policies are optimally stored including being indexed using a bit vector algorithm;

combining individual search results associated with the attributes to generate a single final result using a predetermined policy combination algorithm; and

determining whether the client is eligible to access the requested resource of the datacenter based on the single final result, including performing a layer-7 access control process, wherein the network element operates as an application service gateway to the datacenter.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for highly parallel evaluation of XACML policies are described herein. In one embodiment, attributes are extracted from a request for accessing a resource including at least one of a user attribute and an environment attribute. Multiple individual searches are concurrently performed, one for each of the extracted attributes, in a policy store having stored therein rules and policies written in XACML, where the rules and policies are optimally stored using a bit vector algorithm. The individual search results associated with the attributes are then combined to generate a single final result using a predetermined policy combination algorithm. It is then determined whether the client is eligible to access the requested resource of the datacenter based on the single final result, including performing a layer-7 access control process, where the network element operates as an application service gateway to the datacenter. Other methods and apparatuses are also described.

Citations

20 Claims

1. A method performed by a network element, the method comprising:
- in response to a request received from a client for accessing a resource of an application server of a datacenter having a plurality of servers, extracting a plurality of attributes from the request, the attributes including at least one of a user attribute identifying a user of the client and an environment attribute identifying an environment associated with the user;
  
  concurrently performing a plurality of individual searches, one for each of the extracted attributes, in a policy store having stored therein a plurality of rules and policies written in XACML (extensible access control markup language), wherein the rules and policies are optimally stored including being indexed using a bit vector algorithm;
  
  combining individual search results associated with the attributes to generate a single final result using a predetermined policy combination algorithm; and
  
  determining whether the client is eligible to access the requested resource of the datacenter based on the single final result, including performing a layer-7 access control process, wherein the network element operates as an application service gateway to the datacenter.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein each of the individual searches is performed using a particular type of data structure optimally designed for a type of content associated with the respective individual search.
  - 3. The method of claim 2, wherein a data structure having an interval tree hierarchy is utilized for an individual search based on one or more numeric operators.
  - 4. The method of claim 3, wherein the numeric operators comprise at least one of “
    - <
      
      ”
      
      ,
  - 5. The method of claim 2, wherein a data structure having Aho-Corasick DFA (deterministic finite automaton) hierarchy is utilized for an individual search based on one or more substrings.
  - 6. The method of claim 2, wherein a data structure having Patricia tree hierarchy is utilized for an individual search based on one or more prefixes.
  - 7. The method of claim 1, wherein the predetermined policy combination algorithm includes one of a deny-override algorithm and a permit override algorithm.

8. A machine-readable storage medium having instructions stored therein, which when executed by a processing logic, cause the processing logic to perform a method, the method comprising:
- in response to a request received from a client for accessing a resource of an application server of a datacenter having a plurality of servers, extracting a plurality of attributes from the request, the attributes including at least one of a user attribute identifying a user of the client and an environment attribute identifying an environment associated with the user;
  
  concurrently performing a plurality of individual searches, one for each of the extracted attributes, in a policy store having stored therein a plurality of rules and policies written in XACML (extensible access control markup language), wherein the rules and policies are optimally stored including being indexed using a bit vector algorithm;
  
  combining individual search results associated with the attributes to generate a single final result using a predetermined policy combination algorithm; and
  
  determining whether the client is eligible to access the requested resource of the datacenter based on the single final result, including performing a layer-7 access control process, wherein the network element operates as an application service gateway to the datacenter.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The machine-readable storage medium of claim 8, wherein each of the individual searches is performed using a particular type of data structure optimally designed for a type of content associated with the respective individual search.
  - 10. The machine-readable storage medium of claim 9, wherein a data structure having an interval tree hierarchy is utilized for an individual search based on one or more numeric operators.
  - 11. The machine-readable storage medium of claim 10, wherein the numeric operators comprise at least one of “
    - <
      
      ”
      
      , “
      
      ( )”
      
      , “
      
      [ ]”
      
      , “
      
      >
      
      ”
      
      , “
      
      <
      
      =”
      
      , “
      
      >
      
      =”
      
      , and “
      
      ==”
      
      .
  - 12. The machine-readable storage medium of claim 9, wherein a data structure having Aho-Corasick DFA (deterministic finite automaton) hierarchy is utilized for an individual search based on one or more substrings.
  - 13. The machine-readable storage medium of claim 9, wherein a data structure having Patricia tree hierarchy is utilized for an individual search based on one or more prefixes.
  - 14. The machine-readable storage medium of claim 8, wherein the predetermined policy combination algorithm includes one of a deny-override algorithm and a permit override algorithm.

15. A network element, comprising:
- a policy information point, in response to a request received from a client for accessing a resource of an application server of a datacenter having a plurality of servers, to extract a plurality of attributes from the request, the attributes including at least one of a user attribute identifying a user of the client and an environment attribute identifying an environment associated with the user;
  
  a policy decision point to concurrently perform a plurality of individual searches, one for each of the extracted attributes, in a policy store having stored therein a plurality of rules and policies written in XACML (extensible access control markup language), wherein the rules and policies are optimally stored including being indexed using a bit vector algorithm, and to combine individual search results associated with the attributes to generate a single final result using a predetermined policy combination algorithm; and
  
  a policy enforcement point to determine whether the client is eligible to access the requested resource of the datacenter based on the single final result, including performing a layer-7 access control process, wherein the network element operates as an application service gateway to the datacenter.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The network element of claim 15, wherein each of the individual searches is performed using a particular type of data structure optimally designed for a type of content associated with the respective individual search.
  - 17. The network element of claim 16, wherein a data structure having an interval tree hierarchy is utilized for an individual search based on one or more numeric operators, including at least one of “
    - <
      
      ”
      
      , “
      
      ( )”
      
      , “
      
      [ ]”
      
      , “
      
      >
      
      ”
      
      , “
      
      <
      
      =”
      
      , “
      
      >
      
      =”
      
      , and “
      
      ==”
      
      .
  - 18. The network element of claim 16, wherein a data structure having Aho-Corasick DFA (deterministic finite automaton) hierarchy is utilized for an individual search based on one or more substrings.
  - 19. The network element of claim 16, wherein a data structure having Patricia tree hierarchy is utilized for an individual search based on one or more prefixes.
  - 20. The network element of claim 15, wherein the predetermined policy combination algorithm includes one of a deny-override algorithm and a permit override algorithm.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Rohati Systems, Inc. (Cisco Systems, Inc.)
Inventors
Narayan, Harsha, Patra, Abhijit, Chang, David, Bagepalli, Nagaraj

Granted Patent

US 8,677,453 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/101   Access control lists [ACL]

HIGHLY PARALLEL EVALUATION OF XACML POLICIES

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

HIGHLY PARALLEL EVALUATION OF XACML POLICIES

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links