Title of invention Defining an authorizer in a virtual computing infrastructure
Abstract An authorizing entity is allowed to grant permission to a subject to perform an action on an object in a cloud computing environment. An authorizer is defined as the entity having granting authority to delegate a predetermined permission. A subject is defined as a group to whom the permission is being delegated. An object is defined upon which an action is authorized within the cloud computing environment. The action being authorized in the cloud computing environment is defined. Members of the subject group are authorized to perform the permitted action on the object.
Publication number US9076168(B2) Publication date 2015.07.07
Application number US201113299157 Filing date 2011.11.17
Applicant Oracle International Corporation Inventors Van Biljon Willem Robert;Pinkham Christopher Conway;Cloran Russell Andrew;Gorven Michael Carl;Hardy Alexandre;Divey Brynmor K. B.;Hoole Quinton Robin;Kalele Girish
Classification H04L29/06;G06Q30/04;G06F21/62;H04L12/24;G06Q40/02;G06Q40/00 Main classification H04L29/06
Agency Kilpatrick Townsend & Stockton LLP Agent Kilpatrick Townsend & Stockton LLP
Main claim 1. A method of allowing an authorizing entity to grant permission to a subject to perform an action on an object in a cloud computing environment having a plurality of computing nodes, the method comprising: defining an authorizer value for an authorizer key in a permission, the authorizer value identifying an entity delegating the permission; defining a subject value for a subject key in the permission, the subject value identifying a group to whom the permission is being delegated; defining an object value for an object key in the permission, the object value identifying an object upon which action is authorized by the permission within the cloud computing environment; defining an action value for an action key in the permission, the action value identifying an action authorized by the permission in the cloud computing environment; determining that a path exists in a directed graph between (a) a node corresponding to the authorizer value and (b) another node corresponding to an initial set of permissions created in connection with a creation of a customer to which the group belongs; and authorizing members of the subject group to perform a requested action on a requested object based on the defined values of the permission and the existence of the path.
Address Redwood Shores CA US
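
One way to read the check in claim 1 as code. This is an added illustration, not code from the patent or from Oracle. It models a permission as the four keys the claim names and denies by default unless the authorizer is reachable from the customer's initial permission set. The entity, group and object names, the `initial:/<customer>` node naming and the edge direction (delegator to delegate) are assumptions made for the example.

```python
from collections import deque

# Constructed sample data; all names below are hypothetical.
GROUP_CUSTOMER = {"/acme/devs": "acme", "/acme/ops": "acme"}
GROUP_MEMBERS = {"/acme/devs": {"alice"}, "/acme/ops": {"bob"}}

# Directed delegation graph (assumed direction: delegator -> delegate).
# "initial:/acme" stands for the initial permission set created with customer "acme".
DELEGATIONS = {
    "initial:/acme": ["/acme/admin"],
    "/acme/admin": ["/acme/ops"],
    "/other/admin": [],
}

# Each permission carries the four keys from the claim.
PERMISSIONS = [
    {"authorizer": "/acme/ops", "subject": "/acme/devs",
     "object": "image:/acme/base", "action": "launch"},
    # Authorizer with no delegation chain back to acme's initial permissions.
    {"authorizer": "/other/admin", "subject": "/acme/devs",
     "object": "image:/acme/base", "action": "delete"},
]

def path_exists(graph, start, goal):
    """Breadth-first search; tolerates cycles and nodes missing from the graph."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            return True
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

def is_authorized(user, action, obj, permissions=PERMISSIONS, graph=DELEGATIONS):
    """Allow only if a matching permission exists AND its authorizer's authority
    traces back to the initial permission set of the subject group's customer."""
    for p in permissions:
        if p["action"] != action or p["object"] != obj:
            continue
        if user not in GROUP_MEMBERS.get(p["subject"], ()):
            continue
        root = f"initial:/{GROUP_CUSTOMER.get(p['subject'])}"
        if path_exists(graph, root, p["authorizer"]):
            return True
    return False  # deny by default
```

The second sample permission matches on subject, object and action but is still refused, because the path check fails for its authorizer.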