Granting access to a cloud computing environment using names in a virtual computing infrastructure
First Claim
1. A method of granting access to resources in a cloud computing environment, the method comprising:
assigning a first name to a group of users within the cloud computing environment, the first name specifying a first path;
assigning a second name to at least one subgroup of users from the group of users;
assigning a third name to an object;
receiving a request to access the object, the request specifying the second name and the third name;
receiving a plurality of permissions that form a graph, wherein each permission of the plurality of permissions includes a plurality of key-value pairs;
wherein a first key-value pair of the plurality of key-value pairs of the each permission includes a subject key and a name of a subject to whom the each permission is delegated;
wherein a second key-value pair of the plurality of key-value pairs of the each permission includes an object key and a name of a cloud object on which the each permission is delegated;
wherein a third key-value pair of the plurality of key-value pairs of the each permission includes an authorizer key and a name of an authorizer who is authorized to delegate the each permission;
wherein each permission of the plurality of permissions corresponds to a different vertex of vertices in the graph, the vertices connected by edges such that the each permission has at least one parent permission or at least one child permission corresponding to a different one of the vertices in the graph, wherein for each permission of the plurality of permissions having a parent permission in the graph, the name of the authorizer in the third key-value pair of the each permission matches the name of the subject in the first key-value pair of the parent permission, and wherein for each permission of the plurality of permissions having a child permission in the graph, the name of the subject in the first key-value pair of the each permission matches the name of the authorizer in the third key-value pair of the child permission;
receiving authorizer information indicating an authorizer name of an authorizer to grant permissions to access the object;
identifying a first permission from the plurality of permissions, the first permission having one or more child permissions connected in the graph and wherein the authorizer name matches a value in the third key-value pair of the first permission;
using the graph to identify a second permission from the one or more child permissions, wherein the name of the authorizer of the third key-value pair of the second permission matches or is a descendant of the name of the subject of the first key-value pair of the first permission; and
using the second permission to determine whether to grant the request by at least one of:
determining whether the second name matches or is a descendant of the name of the subject in the first key-value pair of the second permission, or
determining whether the third name matches or is a descendant of the name of the cloud object in the second key-value pair of the second permission.
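The grant procedure of the first claim, as an added example that is not part of the patent: hierarchical names are slash-separated paths, permissions are subject/object/authorizer records, and the lookup walks from the permissions issued by the named authorizer to child permissions whose authorizer matches or descends from the parent's subject. It generalises the claim's first/second permission to delegation chains of any depth, checks both the subject and the object of the request where the claim requires at least one, and adds an assumed scope check (not in the claim) that a child permission's object must lie under its parent's; all names and permissions are constructed.

```python
# Added example (not the patent's code): hierarchical names plus a
# delegation-graph lookup modelled on the claim above. Names are
# slash-separated paths, so "/acme/dev" is a descendant of "/acme".
from typing import Optional

def is_or_descendant(name: str, ancestor: str) -> bool:
    """True if name equals ancestor or lies below it in the name hierarchy."""
    n = name.rstrip("/").split("/")
    a = ancestor.rstrip("/").split("/")
    return n[:len(a)] == a  # segment-wise, so "/acme" does not match "/acmecorp"

def find_granting_permission(perms: list, authorizer: str,
                             subject: str, obj: str) -> Optional[dict]:
    """Follow permissions delegated by `authorizer` through the graph and return
    the first descendant permission whose subject and object cover the request.
    Generalises the claim's first/second permission to chains of any depth."""
    # "First permission": issued directly by the named authorizer (graph roots).
    roots = [p for p in perms if p["authorizer"] == authorizer]
    # Edge: a child's authorizer matches or descends from the parent's subject.
    children = lambda parent: [(parent, c) for c in perms if c is not parent
                               and is_or_descendant(c["authorizer"], parent["subject"])]
    frontier = [edge for r in roots for edge in children(r)]
    seen = set()
    while frontier:
        parent, p = frontier.pop()
        # Assumed extra check (not in the claim): a delegate cannot hand out
        # more than it received, so the child's object must stay in scope.
        if id(p) in seen or not is_or_descendant(p["object"], parent["object"]):
            continue
        seen.add(id(p))
        # "Second permission": the request's subject and object must both fall
        # under the permission's names (the claim requires at least one).
        if is_or_descendant(subject, p["subject"]) and is_or_descendant(obj, p["object"]):
            return p
        frontier.extend(children(p))
    return None

# Constructed sample permissions (all names are made up for this example).
PERMISSIONS = [
    {"subject": "/acme/ops", "object": "/acme/buckets", "authorizer": "/platform"},
    {"subject": "/acme/dev", "object": "/acme/buckets/logs", "authorizer": "/acme/ops/lead"},
    {"subject": "/acme/dev", "object": "/other/bucket", "authorizer": "/acme/ops/lead"},
    {"subject": "/acme/dev", "object": "/acme/buckets/secrets", "authorizer": "/contractor"},
]

def decide(authorizer: str, subject: str, obj: str) -> bool:
    """Grant decision for a request naming the subgroup, the object and the authorizer."""
    return find_granting_permission(PERMISSIONS, authorizer, subject, obj) is not None
```

The third sample permission is out of its parent's scope and the fourth is not chained to `/platform`, so neither can grant a request evaluated under that authorizer.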
Abstract
Access to resources in a cloud computing environment having a plurality of computing nodes is described. A group of users is defined within the cloud computing environment. A first name is assigned to the group. At least one subgroup of users is defined from within the group. A second name is assigned to the at least one subgroup. The second name follows a hierarchical naming structure of the form /group/subgroup.
20 Claims
1. Claim 1 is reproduced in full under First Claim above. Dependent claims: 2, 7, 8, 9, 10, 11, 12, 13.
3. A method of granting access to resources in a cloud computing environment, the method comprising:
assigning a first name to a group of users within the cloud computing environment, the first name specifying a first path;
assigning a second name to at least one subgroup of users from the group of users;
assigning a third name to an object;
receiving a request to access the object, the request specifying the second name and the third name;
receiving a plurality of permissions that form a graph, wherein each permission of the plurality of permissions includes a plurality of key-value pairs;
wherein a first key-value pair of the plurality of key-value pairs of the each permission includes a subject key and a name of a subject to whom the each permission is delegated;
wherein a second key-value pair of the plurality of key-value pairs of the each permission includes an object key and a name of a cloud object on which the each permission is delegated;
wherein a third key-value pair of the plurality of key-value pairs of the each permission includes an authorizer key and a name of an authorizer who is authorized to delegate the each permission;
wherein each permission of the plurality of permissions corresponds to a different vertex of vertices in the graph, the vertices connected by edges such that the each permission has at least one parent permission or at least one child permission corresponding to a different one of the vertices in the graph, wherein for each permission of the plurality of permissions having a parent permission in the graph, the name of the authorizer in the third key-value pair of the each permission matches the name of the subject in the first key-value pair of the parent permission, and wherein for each permission of the plurality of permissions having a child permission in the graph, the name of the subject in the first key-value pair of the each permission matches the name of the authorizer in the third key-value pair of the child permission;
receiving authorizer information indicating an authorizer name of an authorizer to grant permissions to access the object;
identifying a first permission from the plurality of permissions, the first permission having one or more child permissions connected in the graph, and wherein the authorizer name matches a value in the third key-value pair of the first permission;
using the graph to identify a second permission from the one or more child permissions, wherein the name of the authorizer of the third key-value pair of the second permission matches or is a descendant of the name of the subject of the first key-value pair of the first permission; and
using the second permission to determine whether to grant the request by at least one of:
determining whether the second name matches or is a descendant of the name of the subject in the first key-value pair of the second permission, or
determining whether the third name matches or is a descendant of the name of the cloud object in the second key-value pair of the second permission.
Dependent claims: 14.
4. A cloud computing system, comprising:
at least one storage that stores a plurality of processing instructions; and
at least one processor in communication with the at least one storage, and the at least one processor configured to execute the plurality of processing instructions to:
assign a first name to a group of users within a cloud computing environment, the first name specifying a first path;
assign a second name to at least one subgroup of users from the group of users;
assign a third name to an object;
receive a request to access the object, the request specifying the second name and the third name;
receive a plurality of permissions that form a graph, wherein each permission of the plurality of permissions includes a plurality of key-value pairs;
wherein a first key-value pair of the plurality of key-value pairs of the each permission includes a subject key and a name of a subject to whom the each permission is delegated;
wherein a second key-value pair of the plurality of key-value pairs of the each permission includes an object key and a name of a cloud object on which the each permission is delegated;
wherein a third key-value pair of the plurality of key-value pairs of the each permission includes an authorizer key and a name of an authorizer who is authorized to delegate the each permission;
wherein each permission of the plurality of permissions corresponds to a different vertex of vertices in the graph, the vertices connected by edges such that the each permission has at least one parent permission or at least one child permission corresponding to a different one of the vertices in the graph, wherein for each permission of the plurality of permissions having a parent permission in the graph, the name of the authorizer in the third key-value pair of the each permission matches the name of the subject in the first key-value pair of the parent permission, and wherein for each permission of the plurality of permissions having a child permission in the graph, the name of the subject in the first key-value pair of the each permission matches the name of the authorizer in the third key-value pair of the child permission;
receive authorizer information indicating an authorizer name of an authorizer to grant permissions to access the object;
identify a first permission from the plurality of permissions, the first permission having one or more child permissions connected in the graph and wherein the authorizer name matches a value in the third key-value pair of the first permission;
use the graph to identify a second permission from the one or more child permissions, wherein the name of the authorizer of the third key-value pair of the second permission matches or is a descendant of the name of the subject of the first key-value pair of the first permission; and
use the second permission to determine whether to grant the request by at least one of:
determining whether the second name matches or is a descendant of the name of the subject in the first key-value pair of the second permission, or
determining whether the third name matches or is a descendant of the name of the cloud object in the second key-value pair of the second permission.
Dependent claims: 5, 15, 16, 17, 18, 19.
6. A cloud computing system, comprising:
at least one storage that stores a plurality of processing instructions; and
at least one processor in communication with the at least one storage, and configured to execute the plurality of processing instructions to:
assign a first name to a group of users within the cloud computing environment, the first name specifying a first path;
assign a second name to at least one subgroup of users from the group of users;
assign a third name to an object;
receive a request to access the object, the request specifying the second name and the third name;
receive a plurality of permissions that form a graph, wherein each permission of the plurality of permissions includes a plurality of key-value pairs;
wherein a first key-value pair of the plurality of key-value pairs of the each permission includes a subject key and a name of a subject to whom the each permission is delegated;
wherein a second key-value pair of the plurality of key-value pairs of the each permission includes an object key and a name of a cloud object on which the each permission is delegated;
wherein a third key-value pair of the plurality of key-value pairs of the each permission includes an authorizer key and a name of an authorizer who is authorized to delegate the each permission;
wherein each permission of the plurality of permissions corresponds to a different vertex of vertices in the graph, the vertices connected by edges such that the each permission has at least one parent permission or at least one child permission corresponding to a different one of the vertices in the graph, wherein for each permission of the plurality of permissions having a parent permission in the graph, the name of the authorizer in the third key-value pair of the each permission matches the name of the subject in the first key-value pair of the parent permission, and wherein for each permission of the plurality of permissions having a child permission in the graph, the name of the subject in the first key-value pair of the each permission matches the name of the authorizer in the third key-value pair of the child permission;
receive authorizer information indicating an authorizer name of an authorizer to grant permissions to access the object;
identify a first permission from the plurality of permissions, the first permission having one or more child permissions connected in the graph and wherein the authorizer name matches a value in the third key-value pair of the first permission;
use the graph to identify a second permission from the one or more child permissions, wherein the name of the authorizer of the third key-value pair of the second permission matches or is a descendant of the name of the subject of the first key-value pair of the first permission; and
use the second permission to determine whether to grant the request by at least one of:
determining whether the second name matches or is a descendant of the name of the subject in the first key-value pair of the second permission, or
determining whether the third name matches or is a descendant of the name of the cloud object in the second key-value pair of the second permission.
Dependent claims: 20.
Specification