Organizing Permission Associated with a Cloud Customer in a Virtual Computing Infrastructure

US 20120110650A1
Filed: 11/17/2011
Published: 05/03/2012
Est. Priority Date: 06/15/2010
Status: Active Grant

First Claim

Patent Images

1. A method of organizing permissions to authorize a subject to perform an action on an object in a cloud computing environment having a plurality of computing nodes, the method comprising:

creating a plurality of permissions associated with a cloud customer;

associating, a first set of permissions from the plurality of permissions with one or more objects, wherein each of the first set of permissions describes an action performed on an object; and

associating a second set of permissions from the plurality of permissions with one or more users, wherein each of the second set of permissions describes an action to be performed by one or more users.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Organizing permissions to authorize a subject to perform an action on an object in a cloud computing environment is described. A plurality of permissions associated with a cloud customer is created. A first set of permissions from the plurality of permissions is associated with one or more objects. Each of the first set of permissions describes an action performed on an object. A second set of permissions from the plurality of permissions is associated with one or more users. Each of the second set of permissions describes an action to be performed by one or more users.

139 Citations

63 Claims

1. A method of organizing permissions to authorize a subject to perform an action on an object in a cloud computing environment having a plurality of computing nodes, the method comprising:
- creating a plurality of permissions associated with a cloud customer;
  
  associating, a first set of permissions from the plurality of permissions with one or more objects, wherein each of the first set of permissions describes an action performed on an object; and
  
  associating a second set of permissions from the plurality of permissions with one or more users, wherein each of the second set of permissions describes an action to be performed by one or more users.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the object is a machine image from which data is accessed.
  - 3. The method of claim 1, wherein the object is executed code.
  - 4. The method of claim 1, wherein the object is a data store.

5. A method of authorizing a subject to perform an action on an object in a cloud computing environment having a plurality of computing nodes, the method comprising:
- receiving a request by a user for performing an action in the cloud computing system;
  
  determining, from a plurality of permissions, whether an object permission exists for the object upon which the action is to be performed;
  
  determining, from the plurality of permissions, whether a user permission exists for user to act upon the object; and
  
  authorizing the request upon determining the object permission and user permission for the action on the object.

6. A method of allowing an authorizing entity to grant permission to a subject to perform an action on an object in a cloud computing environment having a plurality of computing nodes, the method comprising:
- defining an authorizer as the entity having granting authority to delegate a predetermined permission;
  
  defining a subject as a group to whom the permission is being delegated;
  
  defining an object upon which an action is authorized within the cloud computing environment;
  
  defining the action being authorized in the cloud computing environment; and
  
  allowing members of the subject group to perform the permitted action on the object.
- View Dependent Claims (7, 8, 9)
- - 7. The method of claim 6, wherein the object is a machine image executed as a virtual machine.
  - 8. The method of claim 6, wherein the object is executed as code by a computing node.
  - 9. The method of claim 6, wherein the object is a data store being accessed by a computing node.

10. A method of allowing at least one user to perform an action in a cloud computing environment having a plurality of computing nodes, the method comprising:
- receiving a request to permit the at least one user to perform an action on an object in the cloud computing system;
  
  locating a set of user permissions and a set of object permissions compatible with the received request;
  
  determining at least one user permission and at least one object permission from the set of user and object permissions based on if the object is compatible with the requested object and the action is compatible with the requested action;
  
  determining if the user permission and the object permission are associated with a policy assertion, wherein the policy assertion is associated with a customer account that controls access to the cloud computing environment;
  
  authorizing the request if the user permission and the object permission are associated with the policy assertion.
- View Dependent Claims (11, 12)
- - 11. The method of claim 10, whereinthe cloud computing environment is a home cloud;
    - the request is received at the home cloud from a cloud remote from the home cloud; and
      
      the policy assertion resides locally in the home cloud.
  - 12. The method of claim 10, whereinthe cloud computing environment is a cloud remote from a home cloud;
    - the request is received at the remote cloud from the home cloud; and
      
      the policy assertion resides in remote cloud.

13. A method of organizing permissions to authorize a subject to perform an action on an object in a cloud computing environment having a plurality of computing nodes, the method comprising:
- creating a plurality of permissions associated with a cloud customer;
  
  associating, a first set of permissions from the plurality of permissions with one or more objects, wherein each of the first set of permissions describes an action performed on an object; and
  
  associating a second set of permissions from the plurality of permissions with one or more users, wherein each of the second set of permissions describes an action permitted to be performed by one or more users.
- View Dependent Claims (14, 15, 16)
- - 14. The method of claim 13, wherein the object is a machine image from which data is accessed.
  - 15. The method of claim 13, wherein the object is executed code.
  - 16. The method of claim 13, wherein the object is a data store.

17. A method of authorizing a subject to perform an action on an object in a cloud computing environment having a plurality of computing nodes, the method comprising:
- receiving a request by a user for performing an action in the cloud computing system;
  
  determining, from a plurality of permissions, whether an object permission exists for the object upon which the action is to be performed;
  
  determining, from the plurality of permissions, whether a user permission exists for user to act upon the object; and
  
  authorizing the request upon determining the object permission and user permission for the action on the object.
- View Dependent Claims (18)
- - 18. The method of claim 17, wherein authorizing the request includes associating a first key-value to the requested action by the user and associating a second key-value to the object permission.

19. A method of allowing at least one user to perform an action in a cloud computing environment having a plurality of computing nodes, the method comprising:
- receiving a request to permit the at least one user to perform an action on an object in the cloud computing system;
  
  locating a set of user permissions and a set of object permissions compatible with the received request;
  
  determining at least one user permission and at least one object permission from the set of user and object permissions based on if the object is compatible with the requested object and the action is compatible with the requested action;
  
  determining if the user permission and the object permission are associated with a policy assertion, wherein the policy assertion is associated with a customer account that controls access to the cloud computing environment;
  
  authorizing the request if the user permission and the object permission are associated with the policy assertion.
- View Dependent Claims (20)
- - 20. The method of claim 19, whereinthe cloud computing environment is the home cloud, and the policy assertion resides locally in the home cloud, andthe request is received from a cloud remote from the home cloud.

21. A method of authorizing at least one user to perform an action in a cloud computing environment having a plurality of computing nodes, the method comprising:
- receiving a request from a user to perform an action on an object in the cloud computing system;
  
  determining, whether a user permission exists for the user to perform the action on the object;
  
  forwarding the request to a remote service;
  
  receiving, from the remote service, a determination of whether an object permission exists for the object upon which the action is to be performed; and
  
  authorizing the request upon determining the user permission for the action on the object and receiving the object permission from the remove service.
- View Dependent Claims (22, 23, 24)
- - 22. The method of claim 21, wherein the request to perform an action on an object in the cloud computing system includes a request to perform an action at a remote cloud location.
  - 23. The method of claim 22, wherein the remote cloud location is at a private cloud site.
  - 24. The method of claim 22, wherein the remote cloud location is at a public cloud site.

25. A method of authenticating a user in a cloud computing environment having a plurality of computing nodes, the method comprising:
- receiving login information from a user requesting access to the cloud computing environment;
  
  consulting an active directory to determine one or more permissions associated with the user, based on the user login information; and
  
  authenticating the user to grant access to the cloud computing system based on the result from consulting the active directory.
- View Dependent Claims (26, 27, 28)
- - 26. The method of claim 25, wherein consulting an active directory includes consulting an external identity provider.
  - 27. The method of claim 25, wherein login information is received over an SSL or TLS channel.
  - 28. The method of claim 25, wherein the login information includes a set of credentials known to the user.

29. A cloud computing system, comprising:
- a plurality of computing nodes;
  
  an application programming interface associated with the plurality of computing nodes;
  
  at least one storage unit;
  
  a controller configured to operate on each of the plurality of computing nodes and to select software operating on the associated node;
  
  a distributed control plane in communication with the controller and the storage unit, and configured to provide a platform to launch and manage one or more instances on one or more of the plurality of computing nodes; and
  
  a permissions system configured to associate one or more permissions to one or more instances and authorize the launching and managing of one or more instances on the distributed control plane.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 30. The system of claim 29, wherein the permissions system includes being configured to determine, from a plurality of permissions, at least one user permission to authorize the at least one user to act upon an object of the one or more instances.
  - 31. The system of claim 30, wherein the permissions system includes being configured to determine, from the plurality of permissions, an object permission for an object upon which an action is to be performed.
  - 32. The system of claim of claim 31, wherein the object is a machine image from which data is accessed.
  - 33. The system of claim 31, wherein the object is executed code.
  - 34. The system of claim 31, wherein the object is a data store.
  - 35. The system of claim 29, wherein the plurality of computing nodes are hierarchically organized into clusters, wherein each cluster includes a cluster controller.
  - 36. The system of claim 29, wherein the infrastructure controller is configured to run Dynamic Host configuration protocol to provide dynamic IP address allocation for one or more of the plurality of computing nodes.
  - 37. The system of claim 29, wherein the infrastructure controller is further configured to utilize Doman Name System for naming and IP address look up.
  - 38. The system of claim 29, wherein the infrastructure controller is further configured to utilize a Trivial File Transfer protocol and a web server for providing software across a network during installation.
  - 39. The system of claim 29, wherein the control plane further includes a cluster and workload component, authentication and permissions component, monitoring component, metering and billing component.
  - 40. The system of claim 29, further comprising a network component configured to interface with the infrastructure controller and control plane, and configured to interface with one or more network systems external to the cloud computing environment.
  - 41. The system of claim 29, further comprising a federation module configured to communicate with and launch instances to remote cloud sites.
  - 42. The system of claim 29, wherein the control plane is further configured to manage data files using a Distributed File System.
  - 43. The system of claim 29, further comprising an identity management and policy engines configured to provide policy control across networks.
  - 44. The system of claim 29, further comprising a metering, billing, and collection engine configured to manage consumption accountability.
  - 45. The system of claim 29, further including a virtualization layer configured to operate on each of the plurality of computing nodes, and configured to virtualize resources on each node.

46. A system for networking in a cloud computing environment, the system comprising:
- a plurality of virtual machines at each of the plurality of computing nodes (1301), each virtual machine configured to communicate with a virtual network layer at a virtual interface via at least one virtual Ethernet (vEthernet);
  
  a permissions system configured to determine an authorization of a virtual machine'"'"'s access to communicate with the virtual network layer via at least one vEthernet;
  
  a network control layer in communication with the plurality of virtual machines, the network control layer configured to, upon receiving authorization from the permissions system, provide at least one virtual network service to the plurality of virtual machines and provide an IP gateway to a network via at least one vEthernet at each virtual interface; and
  
  a physical communication interface configured to facilitate communications with the network control layer and a substrate Ethernet for routing communications between the IP gateway and the network.
- View Dependent Claims (47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63)
- - 47. The system of claim 46, wherein the network control layer includes a virtual DHCP server configured to provide address allocation instantiated on the vEthernet.
  - 48. The system of claim 46, wherein the network control layer includes a virtual DNS server configured to provide a local address resolution service.
  - 49. The system of claim 46, wherein the network control layer is further configured to associate with other networks via one or more virtual Ethernets to provide ingress and egress IP routing.
  - 50. The system of claim 46, wherein a customer of the cloud computing environment has authority to create more vEthernets or delete existing ones.
  - 51. The system of claim 46, wherein each of the virtual interfaces of the plurality of virtual machines is associated with a single vEthernet.
  - 52. The system of claim 46, wherein each of the virtual interfaces being associated with at least one vEthernet is subject to at least one from a group consisting of administrative authorization, filtering, or one or more rate limiting policies.
  - 53. The system of claim 46, wherein each virtual interface on a vEthernet is configured to be like a physical interface connected to a physical Ethernet switch.
  - 54. The system of claim 46, wherein the network control layer is further configured to route vEthernet communications to the network to access a customer'"'"'s IP network.
  - 55. The system of claim 46, wherein the network control layer is further configured to use a customer'"'"'s existing internet firewall, proxy or NAT when vEthernet communications are routed between the IP gateway and the network.
  - 56. The system of claim 46, wherein the network is a virtual LAN.
  - 57. The system of claim 46, wherein the network is an IP network.
  - 58. The system of claim 46, wherein the plurality of virtual machines are further configured to accept dynamically created one or more vEthernets and associate the created vEthernets with an instance using the virtual interface.
  - 59. The system of claim 46, wherein the network control layer is further configured to support full layer 2 networking functionality.
  - 60. The system of claim 59, wherein the network control layer is further configured to enable a point-to-point tunnel carrying a layer 2 frame across a layer 3 network.
  - 61. The system of claim 60, wherein the network control layer is further configured to aggregate point-to-point tunnels to provide a virtual layer 2 overlay network topology layered on top of an arbitrary layer 3 network topology.
  - 62. The system of claim 46, wherein the permissions system includes being configured to determine, from a plurality of permissions, a user permission granting authorization to access communications to the network via one or more virtual machines on at least one vEthernet.
  - 63. The system of claim 62, wherein the permissions system includes being configured to determine, from the plurality of permissions, an object permission for an object upon which an action is to be performed via one or more virtual machines on at least one vEthernet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
VAN BILJON, Willem Robert, PINKHAM, Christopher Conway, GORVEN, Michael Carl, HARDY, Alexandre, HOOLE, Quinton Robin, KALELE, Girish, CLORAN, Russell Andrew, DIVEY, Brynmor K. B.

Granted Patent

US 8,850,528 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

G06Q 30/04   Billing or invoicing

G06Q 40/00   Finance; Insurance; Tax str...

G06Q 40/02   Banking, e.g. interest calc...

G06Q 40/10   Tax strategies

H04L 41/0213   Standardised network manage...

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 67/10   in which an application is ...

H04L 67/60   Scheduling or organising th...

H04L 9/40   Network security protocols

H04M 15/66   Policy and charging system

Organizing Permission Associated with a Cloud Customer in a Virtual Computing Infrastructure

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

139 Citations

63 Claims

Specification

Use Cases

Quick Links

Others

Organizing Permission Associated with a Cloud Customer in a Virtual Computing Infrastructure

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

139 Citations

63 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others