Context based firewall services for data message flows for multiple concurrent users on one machine

US11032246B2 · US · B2

Patent metadata
Publication number: US-11032246-B2
Application number: US-201715836888-A
Country: US
Kind code: B2
Filing date: Dec 10, 2017
Priority date: Dec 22, 2016
Publication date: Jun 8, 2021
Grant date: Jun 8, 2021

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines, and for consuming the captured contextual attributes to perform services on the host computers. The machines are virtual machines (VMs) in some embodiments, containers in other embodiments, or a mix of VMs and containers in still other embodiments. Some embodiments execute a guest-introspection (GI) agent on each machine from which contextual attributes need to be captured. In addition to executing one or more machines on each host computer, these embodiments also execute a context engine and one or more attribute-based service engines on each host computer. One of these service engines is a firewall engine. Through the GI agents of the machines on a host, the context engine of that host in some embodiments collects contextual attributes associated with network events and/or process events on the machines. The context engine then provides the contextual attributes to the firewall engine, which, in turn, uses these contextual attributes to identify firewall rules to enforce.

First claim

Opening claim text (preview).

We claim:

1. A method for performing firewall operations on a host computer on which a plurality of virtual machines (VMs) execute, the method comprising: at a firewall executing on the host computer, concurrently receiving data messages that are a part of first and second data message flows sent by a first VM executing on the host computer for first and second users that are concurrently logged into the first VM; for each data message flow, providing an identifier of the data message flow to a context collector that executes on the host computer in a query to obtain a set of one or more contextual attributes including a user identifier that identifies the first user or the second user as the user associated with the data message flow, the context collector communicating with guest introspectors installed on the VMs to collect contextual attributes regarding flows starting on the plurality of VMs and to store the contextual attributes to subsequently provide to the firewall executing on the host computer, the collected contextual attributes comprising user identifiers; using the user identifiers obtained for the first and second data message flows to identify respectively a first firewall rule to enforce for the first data message flow associated with the first user and a second firewall rule to enforce for the second data message flow associated with the second user; performing a first firewall operation on the data messages of the first data message flow based on the identified first firewall rule; and performing a second firewall operation on the data messages of the second data message flow based on the identified second firewall rule.

2. The method of claim 1, wherein the obtained contextual attribute set further comprises application identifiers (AppIDs) that specify the type of traffic contained in the first and second data message flows, and using the user identifiers comprises using the obtained user identifiers and AppIDs to identify the first and second firewall rules to enforce respectively for the first and second data message flows.

3. The method of claim 1, wherein the obtained contextual attribute set further comprises threat indicators that specify security threat levels associated with the first and second data message flows, and using the user identifiers comprises using the obtained user identifiers and threat indicators to identify the first and second firewall rules to enforce respectively for the first and second data message flows.

4. The method of claim 1, wherein the obtained contextual attribute set further comprises identifiers indicating resource consumption associated with the first and second data message flows, and using the user identifiers comprises using the obtained user identifiers and resource consumption identifiers to identify the first and second firewall rules to enforce respectively for the first and second data message flows.

5. The method of claim 1, wherein the user identifiers are group identifiers.

6. The method of claim 1, wherein the obtained contextual attribute set further comprises identifiers identifying the application-version identifiers associated with the first and second data message flows, and using the user identifiers comprises using the obtained user identifiers and application-version identifiers to identify the first and second firewall rules to enforce respectively for the first and second data message flows.

7. The method of claim 1, wherein at least one user identifier identifies an individual user.

8. The method of claim 1, wherein the user identifiers comprise (i) a first user identifier that identifies the first user logged into the first VM, and (ii) a second user identifier that is an administrative identifier of a service process running on the first VM while the first user is concurrently logged into the first VM.

9. A non-transitory machine readable medium storing a program for performing firewall operations for a first machine executing on a host with a plurality of other machines, the program comprising: concurrently receiving data messages that are part of first and second data message flows sent by a first machine executing on the host computer for first and second users that are concurrently logged into the first machine; for each data message flow, providing an identifier of the data message flow to a context collector that executes on the host computer in a query to obtain a set of one or more contextual attributes including a user identifier that identifies the first user or the second user as the user associated with the data message flow, the context collector communicating with guest introspectors installed on the machines to collect contextual attributes regarding flows starting on the plurality of machines and to store the contextual attributes to subsequently provide to the firewall executing on the host computer, the collected contextual attributes comprising user identifiers; using the user identifiers obtained for the first and second data message flows to identify respectively a first firewall rule to enforce for the first data message flow associated with the first user and a second firewall rule to enforce for the second data message flow associated with the second user; performing a first firewall operation on the data messages of the first data message flow based on the identified first firewall rule; and performing a second firewall operation on the data messages of the second data message flow based on the identified second firewall rule.

10. The non-transitory machine readable medium of claim 9, wherein the first machine operates as a terminal server.

11. The non-transitory machine readable medium of claim 10, wherein the first data message flow is associated with the first user's operations on the terminal server and the second data message flow is associated with the second user's operations on the terminal server.

12. The non-transitory machine readable medium of claim 9 further comprising identifying a user identifier each time a new network connection starts.

13. The non-transitory machine readable medium of claim 9, wherein the user identifiers are group identifiers.

14. The non-transitory machine readable medium of claim 13, wherein the group identifiers are group identifiers in an active directory.

15. The non-transitory machine readable medium of claim 9, wherein at least one user identifier identifies an individual user.

16. The non-transitory machine readable medium of claim 9, wherein the first machine is a virtual machine (VM).

17. The non-transitory machine readable medium of claim 9, wherein the first machine is a container.

18. The non-transitory machine readable medium of claim 9, wherein the user identifiers comprise (i) a first user identifier that identifies the first user logged into the first machine, and (ii) a second user identifier that is an administrative identifier of a service process running on the first machine while the first user is concurrently logged into the first machine.
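The following Python is an added illustration of the mechanism in claims 1, 5, 10, 11 and 12, not code from the patent or from Nicira: a host-side firewall sees two flows from one terminal-server VM (same source IP), queries a context collector by flow identifier for the user and group that guest introspection reported, and picks a different rule for each user. The class names (ContextCollector, Rule, ContextFirewall), the attribute fields and the sample flows, users and groups are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

class ContextCollector:
    # Per-flow attributes reported by guest introspectors, keyed by 5-tuple flow id.
    def __init__(self):
        self._attrs = {}

    def report(self, flow, user, group, app_id):
        # Called by the GI agent inside the VM when a process opens a connection.
        self._attrs[flow] = {"user": user, "group": group, "app_id": app_id}

    def query(self, flow):
        return self._attrs.get(flow)

@dataclass
class Rule:
    action: str                    # "ALLOW" or "DROP"
    group: Optional[str] = None    # AD-style group identifier; None matches any
    app_id: Optional[str] = None   # AppID, e.g. "https"
    dst_port: Optional[int] = None

    def matches(self, ctx, flow):
        return ((self.group is None or self.group == ctx["group"])
                and (self.app_id is None or self.app_id == ctx["app_id"])
                and (self.dst_port is None or self.dst_port == flow[3]))

class ContextFirewall:
    def __init__(self, collector, rules, default="DROP"):
        self.collector, self.rules, self.default = collector, rules, default

    def decide(self, flow):
        ctx = self.collector.query(flow)     # query the context collector by flow id
        if ctx is None:                      # no GI context for this flow: fail closed
            return self.default
        for rule in self.rules:              # first matching rule wins
            if rule.matches(ctx, flow):
                return rule.action
        return self.default

# Constructed scenario: one terminal-server VM (10.0.0.5) with two users logged in;
# both flows share the source IP and differ only in source port and reported user.
collector = ContextCollector()
FLOW_ALICE = ("10.0.0.5", 51000, "10.0.1.20", 443, "tcp")
FLOW_BOB = ("10.0.0.5", 51001, "10.0.1.20", 443, "tcp")
collector.report(FLOW_ALICE, "alice", "finance", "https")
collector.report(FLOW_BOB, "bob", "contractors", "https")
FIREWALL = ContextFirewall(collector, [Rule("ALLOW", group="finance", dst_port=443),
                                       Rule("DROP", group="contractors")])
```

A flow the GI agent never reported (no entry in the collector) falls through to the default action, which is the safe choice when the identity attribute the rule depends on is missing.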

Assignees

Inventors

Classifications

  • Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems · CPC title

  • Grouping of entities · CPC title

  • Stateful filtering · CPC title

  • Rule management · CPC title

  • Network integration; Enabling network access in virtual machine instances · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11032246B2 cover?
Some embodiments of the invention provide a novel architecture for capturing contextual attributes on host computers that execute one or more machines, and for consuming the captured contextual attributes to perform services on the host computers. The machines are virtual machines (VMs) in some embodiments, containers in other embodiments, or a mix of VMs and containers in still other embodimen…
Who is the assignee on this patent?
Nicira Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0254. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jun 8, 2021 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).