Systems and methods for flexible, extensible authentication subsystem that enabled enhance security for applications
US-2016381080-A1 · Dec 29, 2016 · US
Secure access to application instances in a multi-user, multi-tenant computing environment
US2020028848A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2020028848-A1 |
| Application number | US-201715674923-A |
| Country | US |
| Kind code | A1 |
| Filing date | Aug 11, 2017 |
| Priority date | Aug 11, 2017 |
| Publication date | Jan 23, 2020 |
| Grant date | — |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Systems and methods for computer security in computer clusters. Techniques provide secure user access to applications that run in shared resource computing environments. A method embodiment commences upon identifying an application digital certificate corresponding to a subject application. The subject application is stored for access by a reverse proxy authorization service that also runs in the shared computing environment. Individual user processes are uniquely identified by corresponding user credentials. The reverse proxy authorization service processes a request to access the subject application, whereupon a generated subject application instance specific to the requestor is installed. Installation includes authentication using the application digital certificate for the subject application and authorization using the requestor's credentials. A second request from a second user to access the same subject application uses the same application digital certificate combined with the second requestor's credentials. The reverse proxy authorization service generates scope-specific access tokens for each generated instance.
First claim
Opening claim text (preview).
1 . A method, comprising: receiving a digital certificate that is generated for an application, wherein different digital certificates are generated for different applications; receiving multiple requests to access the application from multiple users; and servicing the multiple requests from the multiple users at least by authorizing the multiple users to access respective instances of the application based at least in part upon separate user credentials of the multiple users and the digital certificate, wherein the digital certificate is common to the respective instances of the application. 2 . The method of claim 1 , wherein the digital certificate that corresponds to the application is a tenant-provided application digital certificate that is common to the multiple users. 3 . The method of claim 1 , further comprising storing a copy of the application at a storage location accessible by multiple user processes running in a shared computing system. 4 . The method of claim 1 , further comprising authenticating the respective instances of the application using the same digital certificate. 5 . The method of claim 1 , further comprising mapping, by a reverse proxy authorization service, the respective instances to the multiple requests from the multiple users, wherein mapping the respective instances to the multiple requests comprises accessing a mapping data structure that comprises an instance attribute of the application. 6 . The method of claim 5 , wherein the instance attribute comprises an application identifier, the separate user credentials, a public key, an IP address, or a port. 7 . The method of claim 6 , further comprising querying a mapping data structure to identify a particular instance of the application that corresponds to a combination of an application identifier of the application and a user credential of the separate user credentials. 8 . The method of claim 1 , further comprising creating, by a controller virtual machine, a self-signed certificate as the digital certificate, the self-signed certificate having a public key and a private key. 9 - 14 . (canceled) 15 . A non-transitory computer readable medium having stored thereon a sequence of instructions which, when stored in memory and executed by a processor, causes the processor to perform a set of acts, the set of acts comprising: receiving a digital certificate that is generated for an application, wherein different digital certificates are generated for different applications; receiving multiple requests to access the application from multiple users; and servicing the multiple requests from the multiple users at least by authorizing the multiple users to access respective instances of the application based at least in part upon separate user credentials of the multiple users and the digital certificate, wherein the digital certificate is common to the respective instances of the application. 16 . The non-transitory computer readable medium of claim 15 , wherein the same application digital certificate that corresponds to the particular application is a tenant-provided application digital certificate. 17 . A system comprising: a non-transitory storage medium having stored thereon a sequence of instructions; and a processor executing the sequence of instructions, execution of which causes the to perform a set of acts, the set of acts comprising, receiving a digital certificate that is generated for an application, wherein different digital certificates are generated for different applications; receiving multiple requests to access the application from multiple users; and servicing the multiple requests from the multiple users at least by authorizing the multiple users to access respective instances of the application based at least in part upon separate user credentials of the multiple users and and the digital certificate, wherein the digital certificate is common to the respective instances of the application. 18 . The system of claim 17 , wherein the digital certificate that corresponds to the application is a provided by a tenant that comprises a user of the multiple users. 19 . The system of claim 17 , further comprising instructions to cause the processor to store a copy of the particular application at a storage location accessible by a plurality of user processes running in the shared computing system. 20 . The system of claim 17 , the non-transitory storage medium further comprising instructions which, when executed by the processor, cause the processor to authenticate both the respective instances of the application using the digital certificate. 21 . A non-transitory computer readable medium having stored thereon a sequence of instructions which, when stored in memory and executed by a processor, causes the processor to perform a set of acts, the set of acts comprising: receiving a digital certificate that is generated for an application, wherein different digital certificates are generated for different applications; receiving multiple requests to access the application from multiple users; servicing the multiple requests from the multiple users at least by authenticating installation of respective instances of the application for the multiple users using separate user credentials of the multiple users the digital certificate, wherein the digital certificate is common to the respective instances of the application; and storing, in a mapping data structure, respective instance attributes that correspond the digital certificate to the respective user credentials. 22 . A non-transitory computer readable medium having stored thereon a sequence of instructions which, when stored in memory and executed by a processor, causes the processor to perform a set of acts, the set of acts comprising: receiving a digital certificate that is generated for an application, wherein different digital certificates are generated for different applications; receiving multiple requests to access respective instances of the application from multiple users, the respective instances of the application had been authenticated using at least the digital certificate that is common to the multiple users; and generating, by a reverse proxy authorization service, respective access tokens corresponding to the multiple requests. 23 . The non-transitory computer readable medium of claim 15 , the sequence of instructions, when stored in the memory and executed by the processor, further causing the processor to perform the set of acts that further comprises generating, by a controller virtual machine, the digital certificate that is self-signed. 24 . The non-transitory computer readable medium of claim 15 , wherein the digital certificate is provided by a user of the multiple users and is common to the multiple users. 25 . The non-transitory computer readable medium of claim 21 , the sequence of instructions, when stored in the memory and executed by the processor, further causing the processor to perform the set of acts that further comprises forming a secure communication link between a computing context of a tenant and a corresponding instance of the respective instances by using at least the digital certificate, wherein the tenant comprises a user of the multiple users. 26 . The non-transitory computer readable medium of claim 21 , wherein the digital certificate is provided by a user of the multiple users and is common to the multiple users. 27 . The non-transitory computer readable medi
Assignees
Inventors
Classifications
- G06F21/53Primary
by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title
at program execution time, where the protection is within the operating system · CPC title
in which an application is distributed across nodes in the network (software deployment G06F8/60; multiprogramming arrangements G06F9/46) · CPC title
Grouping of entities · CPC title
using certificates (cryptographic mechanisms or cryptographic arrangements for entity authentication involving certificates H04L9/3263) · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US2020028848A1 cover?
- Systems and methods for computer security in computer clusters. Techniques provide secure user access to applications that run in shared resource computing environments. A method embodiment commences upon identifying an application digital certificate corresponding to a subject application. The subject application is stored for access by a reverse proxy authorization service that also runs in t…
- Who is the assignee on this patent?
- Nutanix Inc
- What technology area does this patent fall under?
- Primary CPC classification G06F21/53. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Thu Jan 23 2020 00:00:00 GMT+0000 (Coordinated Universal Time) (A1). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).