-
Publication number: US11762712B2
Publication date: 2023-09-19
Application number: US17740255
Application date: 2022-05-09
Applicant: Styra, Inc.
Inventor: Teemu Koponen, Timothy L. Hinrichs
CPC classification number: G06F9/54, G06F21/44, H04L9/3236, H04L9/3247
Abstract: Some embodiments provide a method for distributing a set of parameters associated with policies for authorizing Application Programming Interface (API) calls to an application. For a previously stored hierarchical first document that comprises a first set of elements in a first hierarchical structure, the method receives a hierarchical update second document that comprises a second set of elements in a second hierarchical structure corresponding to the first hierarchical structure, wherein at least a subset of elements in the first and the second documents correspond to the set of parameters for evaluating API calls. The method receives a first set of hash values for elements of the first document that are not specified in the second document, and generates a second set of hash values for a set of elements specified in the second document. The method generates an overall hash for the second document by using the received first set of hash values and the generated second set of hash values. The method uses the overall hash to validate a signature from an entity that is authorized to specify the set of parameters.
-
Publication number: US11327815B1
Publication date: 2022-05-10
Application number: US16930301
Application date: 2020-07-15
Applicant: Styra, Inc.
Inventor: Teemu Koponen, Timothy L. Hinrichs
Abstract: Some embodiments provide a method for distributing a set of parameters associated with policies for authorizing Application Programming Interface (API) calls to an application. For a previously stored hierarchical first document that comprises a first set of elements in a first hierarchical structure, the method receives a hierarchical update second document that comprises a second set of elements in a second hierarchical structure corresponding to the first hierarchical structure, wherein at least a subset of elements in the first and the second documents correspond to the set of parameters for evaluating API calls. The method receives a first set of hash values for elements of the first document that are not specified in the second document, and generates a second set of hash values for a set of elements specified in the second document. The method generates an overall hash for the second document by using the received first set of hash values and the generated second set of hash values. The method uses the overall hash to validate a signature from an entity that is authorized to specify the set of parameters.
-
Publication number: US20210365571A1
Publication date: 2021-11-25
Application number: US17392072
Application date: 2021-08-02
Applicant: Styra, Inc.
Inventor: Torin Sandall, Timothy L. Hinrichs, Teemu Koponen
IPC: G06F21/60
Abstract: Some embodiments provide a method for evaluating a policy for authorizing an API (Application Programming Interface) call to an application. Based on a first set of parameters available before receiving the API call, the method evaluates only a portion of the policy to produce a partially evaluated policy. The method stores the partially evaluated policy in a cache. The method then receives an API call to authorize, and determines whether the API call should be authorized by fully evaluating the policy, using the partially evaluated policy retrieved from the cache first storage, and a second set of parameters associated with the API call. The method responds to the API call with a policy decision based on the fully evaluated authorization policy.
-
Publication number: US10984133B1
Publication date: 2021-04-20
Application number: US16050136
Application date: 2018-07-31
Applicant: Styra, Inc.
Inventor: Timothy L. Hinrichs, Teemu Koponen, Andrew Curtis, Torin Sandall, Octavian Florescu
Abstract: Some embodiments of the invention provide a system for defining, distributing and enforcing policies for authorizing API (Application Programming Interface) calls to applications executing on one or more sets of associated machines (e.g., virtual machines, containers, computers, etc.) in one or more datacenters. This system has a set of one or more servers that acts as a logically centralized resource for defining and storing policies and parameters for evaluating these policies. The server set in some embodiments also enforces these API-authorizing policies. Conjunctively, or alternatively, the server set in some embodiments distributes the defined policies and parameters to policy-enforcing local agents that execute near the applications that process the API calls.
-
Publication number: US10592302B1
Publication date: 2020-03-17
Application number: US16050130
Application date: 2018-07-31
Applicant: Styra, Inc.
Inventor: Timothy L. Hinrichs, Teemu Koponen, Andrew Curtis, Torin Sandall, Octavian Florescu
IPC: G06F9/54, H04L29/06, G06F16/11, G06F16/185
Abstract: Some embodiments of the invention provide a system for defining, distributing and enforcing policies for authorizing API (Application Programming Interface) calls to applications executing on one or more sets of associated machines (e.g., virtual machines, containers, computers, etc.) in one or more datacenters. This system has a set of one or more servers that acts as a logically centralized resource for defining and storing policies and parameters for evaluating these policies. The server set in some embodiments also enforces these API-authorizing policies. Conjunctively, or alternatively, the server set in some embodiments distributes the defined policies and parameters to policy-enforcing local agents that execute near the applications that process the API calls. From an associated application, a local agent receives API-authorization requests to determine whether API calls received by the application are authorized. In response to such a request, the local agent uses one or more parameters associated with the API call to identify a policy stored in its local policy storage to evaluate whether the API call should be authorized. To evaluate this policy, the agent might also retrieve one or more parameters from the local policy storage.
-
Publication number: US12170696B2
Publication date: 2024-12-17
Application number: US17967686
Application date: 2022-10-17
Applicant: Styra, Inc.
Inventor: Andrew Curtis, Mikol Graves, Bryan J. Fulton, Timothy L. Hinrichs, Marco Sanvido, Teemu Koponen
IPC: H04L9/40, H04L67/133
Abstract: Some embodiments provide a method for gaining insight into applicability of policies that authorize access to at least one service through application programming interface (API) calls by a plurality of users. The method receives an authentication policy that defines multiple users of a system providing the service, and also receives an authorization policy that defines access to the service by the users. The method generates an authorization policy for defining access to the service by authenticated users by combining the first and second policies. The method receives a query regarding access to the service from a particular set of one or more users, and uses the third policy to provide a response to the query that describes access to the service for the particular user set.
-
Publication number: US12107866B2
Publication date: 2024-10-01
Application number: US18211537
Application date: 2023-06-19
Applicant: Styra, Inc.
Inventor: Timothy L. Hinrichs, Teemu Koponen, Torin Sandall
CPC classification number: H04L63/108, G06F8/65, G06F9/542, G06F9/547, H04L63/10, H04L63/20, H04L67/10, G06F21/54, G06F21/6281
Abstract: Some embodiments provide a method for authorizing application programming interface (API) calls on a host computer in a local cluster of computers. The method is performed in some embodiments by an API-authorizing agent executing on the host computer in the local computer cluster. From a remote cluster of computers, the method receives (1) a set of API-authorizing policies to evaluate in order to determine whether API calls to an application executing on the host computer are authorized, and (2) a set of parameters needed for evaluating the policies. With the remote cluster of computers, the method registers for notifications regarding updates to the set of parameters. The method then receives notifications, from the remote cluster, regarding an update to the set of parameters, and modifies the set of parameters based on the update. In some embodiments, the notification includes the update, while in other embodiments the method directs the remote cluster to provide the update after receiving the notification regarding the update. In addition to the notifications, the method periodically polls the remote cluster to retrieve the set of parameters needed for the received set of policies, in order to supplement data received through the notifications.
-
Publication number: US12032567B1
Publication date: 2024-07-09
Application number: US18114191
Application date: 2023-02-24
Applicant: Styra, Inc.
Inventor: Torin Sandall, Timothy L. Hinrichs
IPC: G06F16/22, G06F9/54, G06F16/242, G06F16/28
CPC classification number: G06F16/2445, G06F9/547, G06F16/2246, G06F16/2272, G06F16/288
Abstract: Some embodiments of the invention provide a method for defining code-based policies. The method generates a policy-builder first view of a policy for display in a graphical user interface (GUI) by processing a syntax tree that is generated from a code second view of the policy. The method receives, through the policy-builder first view, a modification to a portion of the policy. To reflect the modification, the method updates a portion of the syntax tree that corresponds to the portion of the policy that is affected by the modification. Based on the updating of the syntax tree, the method updates the code second view by modifying a portion of the code second view that corresponds to the updated portion of the syntax tree.
-
Publication number: US11853463B1
Publication date: 2023-12-26
Application number: US16293513
Application date: 2019-03-05
Applicant: Styra, Inc.
Inventor: Timothy L. Hinrichs, Teemu Koponen
IPC: G06F21/62, H04L9/40, H04L67/561
CPC classification number: G06F21/629, H04L63/0807, H04L63/10, H04L67/561, H04L2463/082
Abstract: Some embodiments provide a method for enforcing policies for authorizing API (Application Programming Interface) calls to an application operating on a host machine. The method receives a request to authenticate a client attempting to gain access to the application, and authenticates the client based on a first set of parameters associated with the request. Using a second set of parameters associated with the request, the method evaluates a set of one or more policies associated with a set of one or more API calls to the application. Based on the evaluated policies, the method defines a third set of one or more authentication field parameters that control the API calls that the client is authorized to make to the application. The method sends an authentication reply message with the defined third set of authentication field parameters in order to control the API calls that the client is authorized to make.
-
Publication number: US11582235B1
Publication date: 2023-02-14
Application number: US16889761
Application date: 2020-06-01
Applicant: Styra, Inc.
Inventor: Teemu Koponen, Timothy L. Hinrichs, Torin Sandall, Stan Lagun
Abstract: Some embodiments provide a local controller on a set of host computers that reduces the volume of data that is communicated between the server set and the set of host computers. The local controller executing on a particular host computer, in some embodiments, receives a portion of the namespace including only the policies (e.g., opcode) that are relevant to API-authorization processing for the applications executing on the particular host computer provided by a local agent executing on the computer to authorize the API requests based on policies and parameters. The local controller analyzes the received policies (e.g., policy opcodes) and identifies the parameters (e.g., operands), or parameter types, needed for API-authorization processing (e.g., evaluating the policy opcode upon receiving a particular API request) by the local agent. In some embodiments, the local controller performs this analysis for each updated set of policies (e.g., policy opcodes).