公开(公告)号：US12149537B2

公开(公告)日：2024-11-19

申请号：US17574306

申请日：2022-01-12

Applicant: VMware Inc.

Inventor： Stanimir Lukanov ,  Georgi Lyubomirov Dimitrov ,  Georgi Lekov

IPC: H04L9/40

Abstract: Access control management to shared resources in a common resource directory between different users of cloud data centers can be implemented as computer-readable methods, media and systems. A resource managing service receives a request to access resources of a resource directory managed by the resource managing service. The request includes a token for identity authentication. The resource managing service determined a container membership associated with the token, where the container membership is associated with a container from a set of containers for the resource directory. The container includes one or more resources in a tree data structure of the resource directory. The resource managing service filters access rights defined in authorization primitives associated with the container membership based on container policy rules for the set of containers in the resource directory. The resource managing service provides access to a set of resources from the resource directory.

公开(公告)号：US20230353557A1

公开(公告)日：2023-11-02

申请号：US17732311

申请日：2022-04-28

Applicant: VMware, Inc.

Inventor： Stanimir Lukanov ,  Kamen Mazdrashki ,  Georgi Lyubomirov Dimitrov ,  Dimo Raychev ,  Georgi Lekov

IPC: H04L9/40

CPC classification number: H04L63/083 ,  H04L63/0823

Abstract: Bootstrapping a new remote appliance based on a request received at a main appliance based on established trust between the two appliances can be implemented as computer-implemented methods, media, and systems. A request is received at an authentication orchestrator at the main appliance to perform an operation requested by a user for execution on a remote appliance. The authentication orchestrator at the main appliance obtains an authentication token issued by an identity provider at the main appliance for the user associated with the request. The authentication orchestrator requests to exchange the authentication token issued by the identity provider at the main appliance for a new authentication token that is issued by an identity provider at the remote appliance. The authentication orchestrator at the main appliance initiates an authentication of the user at an appliance manager at the remote appliance based on providing the new authentication token.

公开(公告)号：US20230224304A1

公开(公告)日：2023-07-13

申请号：US17574306

申请日：2022-01-12

Applicant: VMware Inc.

Inventor： Stanimir Lukanov ,  Georgi Lyubomirov Dimitrov ,  Georgi Lekov

IPC: H04L9/40

CPC classification number: H04L63/105 ,  H04L63/0853 ,  H04L63/20

Abstract: Access control management to shared resources in a common resource directory between different users of cloud data centers can be implemented as computer-readable methods, media and systems. A resource managing service receives a request to access resources of a resource directory managed by the resource managing service. The request includes a token for identity authentication. The resource managing service determined a container membership associated with the token, where the container membership is associated with a container from a set of containers for the resource directory. The container includes one or more resources in a tree data structure of the resource directory. The resource managing service filters access rights defined in authorization primitives associated with the container membership based on container policy rules for the set of containers in the resource directory. The resource managing service provides access to a set of resources from the resource directory.

公开(公告)号：US11711351B2

公开(公告)日：2023-07-25

申请号：US16742881

申请日：2020-01-14

Applicant: VMware, Inc.

Inventor： Georgi Lekov ,  Rusko Atanasov ,  Stanimir Lukanov ,  Elena Dimitrova ,  Dimo Raychev

IPC: H04L29/06 ,  H04L9/40

CPC classification number: H04L63/062 ,  H04L63/0823 ,  H04L63/166

Abstract: Hosts in a cluster in a virtualized computing environment bypass a management layer when communicating with an external key management service (KMS). One of the hosts is configured with KMS configuration information (including digital certificate information) that enables the host to directly communicate with the KMS via a secure communication connection, instead of communicating with the KMS via the management layer. This KMS configuration information is replicated in a distributed manner from the host to the other hosts in the cluster, thereby enabling the other hosts in the cluster to also directly and independently communicate with the KMS to obtain encryption keys to perform cryptographic operations.

公开(公告)号：US11695777B2

公开(公告)日：2023-07-04

申请号：US16286240

申请日：2019-02-26

Applicant: VMware, Inc.

Inventor： Stanimir Lukanov ,  Georgi Lyubomirov Dimitrov ,  Hristo Hristov

IPC: H04L9/40 ,  G06F21/62 ,  G06F21/60

CPC classification number: H04L63/105 ,  G06F21/604 ,  G06F21/6218 ,  H04L63/104 ,  H04L63/205 ,  G06F2221/2141 ,  G06F2221/2145

Abstract: Techniques for providing hybrid access control in a cloud-services computing environment are provided. In one embodiment, a method for providing hybrid access control is provided at a host computing device. The method includes obtaining access control settings including at least a first user's role-based access settings with respect to a first sub-system of a hierarchical computing-resource system. The method further includes propagating the access control settings from the first sub-system to a second sub-system; obtaining user group domains assigned to a plurality of sub-systems; and obtaining a group membership associated with the first user. The method further includes determining, based on the obtained user group domains and the obtained group membership associated with the first user, whether the first user's role-based access settings propagated to the second sub-system are to be adjusted; and making adjustments accordingly.