Organizing Permission Associated with a Cloud Customer in a Virtual Computing Infrastructure
First Claim
1. A method of organizing permissions to authorize a subject to perform an action on an object in a cloud computing environment having a plurality of computing nodes, the method comprising:
- creating a plurality of permissions associated with a cloud customer;
- associating a first set of permissions from the plurality of permissions with one or more objects, wherein each of the first set of permissions describes an action performed on an object; and
- associating a second set of permissions from the plurality of permissions with one or more users, wherein each of the second set of permissions describes an action to be performed by one or more users.
Abstract
Organizing permissions to authorize a subject to perform an action on an object in a cloud computing environment is described. A plurality of permissions associated with a cloud customer is created. A first set of permissions from the plurality of permissions is associated with one or more objects. Each of the first set of permissions describes an action performed on an object. A second set of permissions from the plurality of permissions is associated with one or more users. Each of the second set of permissions describes an action to be performed by one or more users.
139 Citations
63 Claims
1. A method of organizing permissions to authorize a subject to perform an action on an object in a cloud computing environment having a plurality of computing nodes, the method comprising:
- creating a plurality of permissions associated with a cloud customer;
- associating a first set of permissions from the plurality of permissions with one or more objects, wherein each of the first set of permissions describes an action performed on an object; and
- associating a second set of permissions from the plurality of permissions with one or more users, wherein each of the second set of permissions describes an action to be performed by one or more users.
Dependent claims: 2, 3, 4
5. A method of authorizing a subject to perform an action on an object in a cloud computing environment having a plurality of computing nodes, the method comprising:
- receiving a request by a user for performing an action in the cloud computing system;
- determining, from a plurality of permissions, whether an object permission exists for the object upon which the action is to be performed;
- determining, from the plurality of permissions, whether a user permission exists for the user to act upon the object; and
- authorizing the request upon determining the object permission and user permission for the action on the object.
6. A method of allowing an authorizing entity to grant permission to a subject to perform an action on an object in a cloud computing environment having a plurality of computing nodes, the method comprising:
- defining an authorizer as the entity having granting authority to delegate a predetermined permission;
- defining a subject as a group to whom the permission is being delegated;
- defining an object upon which an action is authorized within the cloud computing environment;
- defining the action being authorized in the cloud computing environment; and
- allowing members of the subject group to perform the permitted action on the object.
Dependent claims: 7, 8, 9
10. A method of allowing at least one user to perform an action in a cloud computing environment having a plurality of computing nodes, the method comprising:
- receiving a request to permit the at least one user to perform an action on an object in the cloud computing system;
- locating a set of user permissions and a set of object permissions compatible with the received request;
- determining at least one user permission and at least one object permission from the set of user and object permissions based on if the object is compatible with the requested object and the action is compatible with the requested action;
- determining if the user permission and the object permission are associated with a policy assertion, wherein the policy assertion is associated with a customer account that controls access to the cloud computing environment;
- authorizing the request if the user permission and the object permission are associated with the policy assertion.
Dependent claims: 11, 12
13. A method of organizing permissions to authorize a subject to perform an action on an object in a cloud computing environment having a plurality of computing nodes, the method comprising:
- creating a plurality of permissions associated with a cloud customer;
- associating a first set of permissions from the plurality of permissions with one or more objects, wherein each of the first set of permissions describes an action performed on an object; and
- associating a second set of permissions from the plurality of permissions with one or more users, wherein each of the second set of permissions describes an action permitted to be performed by one or more users.
Dependent claims: 14, 15, 16
17. A method of authorizing a subject to perform an action on an object in a cloud computing environment having a plurality of computing nodes, the method comprising:
- receiving a request by a user for performing an action in the cloud computing system;
- determining, from a plurality of permissions, whether an object permission exists for the object upon which the action is to be performed;
- determining, from the plurality of permissions, whether a user permission exists for the user to act upon the object; and
- authorizing the request upon determining the object permission and user permission for the action on the object.
Dependent claims: 18
19. A method of allowing at least one user to perform an action in a cloud computing environment having a plurality of computing nodes, the method comprising:
- receiving a request to permit the at least one user to perform an action on an object in the cloud computing system;
- locating a set of user permissions and a set of object permissions compatible with the received request;
- determining at least one user permission and at least one object permission from the set of user and object permissions based on if the object is compatible with the requested object and the action is compatible with the requested action;
- determining if the user permission and the object permission are associated with a policy assertion, wherein the policy assertion is associated with a customer account that controls access to the cloud computing environment;
- authorizing the request if the user permission and the object permission are associated with the policy assertion.
Dependent claims: 20
21. A method of authorizing at least one user to perform an action in a cloud computing environment having a plurality of computing nodes, the method comprising:
- receiving a request from a user to perform an action on an object in the cloud computing system;
- determining whether a user permission exists for the user to perform the action on the object;
- forwarding the request to a remote service;
- receiving, from the remote service, a determination of whether an object permission exists for the object upon which the action is to be performed; and
- authorizing the request upon determining the user permission for the action on the object and receiving the object permission from the remote service.
Dependent claims: 22, 23, 24
25. A method of authenticating a user in a cloud computing environment having a plurality of computing nodes, the method comprising:
- receiving login information from a user requesting access to the cloud computing environment;
- consulting an active directory to determine one or more permissions associated with the user, based on the user login information; and
- authenticating the user to grant access to the cloud computing system based on the result from consulting the active directory.
Dependent claims: 26, 27, 28
29. A cloud computing system, comprising:
- a plurality of computing nodes;
- an application programming interface associated with the plurality of computing nodes;
- at least one storage unit;
- a controller configured to operate on each of the plurality of computing nodes and to select software operating on the associated node;
- a distributed control plane in communication with the controller and the storage unit, and configured to provide a platform to launch and manage one or more instances on one or more of the plurality of computing nodes; and
- a permissions system configured to associate one or more permissions to one or more instances and authorize the launching and managing of one or more instances on the distributed control plane.
Dependent claims: 30 through 45
46. A system for networking in a cloud computing environment, the system comprising:
- a plurality of virtual machines at each of the plurality of computing nodes (1301), each virtual machine configured to communicate with a virtual network layer at a virtual interface via at least one virtual Ethernet (vEthernet);
- a permissions system configured to determine an authorization of a virtual machine's access to communicate with the virtual network layer via at least one vEthernet;
- a network control layer in communication with the plurality of virtual machines, the network control layer configured to, upon receiving authorization from the permissions system, provide at least one virtual network service to the plurality of virtual machines and provide an IP gateway to a network via at least one vEthernet at each virtual interface; and
- a physical communication interface configured to facilitate communications with the network control layer and a substrate Ethernet for routing communications between the IP gateway and the network.
Dependent claims: 47 through 63
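As an added illustration (not code from the patent or its assignee), the two-sided check of claims 5 and 10 in Python: a request is authorized only when a compatible object permission and a compatible user permission both exist and both are associated with a policy assertion of the customer account controlling the environment. All permission records, account names and assertion identifiers are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ObjectPermission:
    """First permission set (claim 1): an action an object accepts."""
    obj: str
    action: str
    policy_assertion: str


@dataclass(frozen=True)
class UserPermission:
    """Second permission set (claim 1): an action a user may perform."""
    user: str
    action: str
    policy_assertion: str


# Constructed data: policy assertions owned by the customer account that
# controls access to the environment (claim 10).
CUSTOMER_POLICY_ASSERTIONS = {"acct-A": {"pa-1", "pa-2"}}

OBJECT_PERMISSIONS = [
    ObjectPermission("vm-42", "launch", "pa-1"),
    ObjectPermission("vm-42", "terminate", "pa-2"),
    ObjectPermission("vol-7", "attach", "pa-9"),  # assertion not owned by acct-A
]
USER_PERMISSIONS = [
    UserPermission("alice", "launch", "pa-1"),
    UserPermission("alice", "attach", "pa-9"),
    UserPermission("bob", "terminate", "pa-1"),
]


def authorize(account: str, user: str, action: str, obj: str) -> bool:
    """Authorize only if both permission sides exist and both are tied to a
    policy assertion of the customer account; anything else is denied."""
    allowed = CUSTOMER_POLICY_ASSERTIONS.get(account, set())
    # Locate permissions compatible with the requested object and action.
    obj_perms = [p for p in OBJECT_PERMISSIONS if p.obj == obj and p.action == action]
    user_perms = [p for p in USER_PERMISSIONS if p.user == user and p.action == action]
    if not obj_perms or not user_perms:
        return False  # claim 5: either side missing -> not authorized
    # Claim 10: each side must be associated with one of the account's assertions.
    return any(p.policy_assertion in allowed for p in obj_perms) and any(
        p.policy_assertion in allowed for p in user_perms
    )
```

Note that a user permission on its own never grants access; the object must independently permit the action, which is what makes the model resist a single over-broad grant.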