Extensible multi-tenant cloud-management system and methods for extending functionalities and services provided by a multi-tenant cloud-management system

US9356962B2 · US · B2

Patent metadata

Field               Value
Publication number  US-9356962-B2
Application number  US-201314023327-A
Country             US
Kind code           B2
Filing date         Sep 10, 2013
Priority date       Sep 10, 2013
Publication date    May 31, 2016
Grant date          May 31, 2016

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

The current document is directed to an interface and authorization service that allows users of a cloud-director management subsystem of distributed, multi-tenant, virtual data centers to extend the services and functionalities provided by the cloud-director management subsystem. A cloud application programming interface (“API”) entrypoint represents a request/response RESTful interface to services and functionalities provided by the cloud-director management subsystem as well as to service extensions provided by users. The cloud API entrypoint includes a service-extension interface and an authorization-service management interface. The cloud-director management subsystem provides the authorization service to service extensions that allow the service extensions to obtain, from the authorization service, an indication of whether or not a request directed to the service extension through the cloud API entrypoint is authorized.

First claim

Opening claim text (preview).

The invention claimed is:

1. A cloud-connector subsystem comprising: cloud-connector nodes, each associated with a cloud-computing facility; and a cloud-director server that includes one or more processors, one or more memories, one or more data-storage devices, and computer instructions that, when executed on the one or more processors, control the cloud-director server to provide, in cooperation with the cloud-connector nodes: a management user interface that provides native management services and functionalities for creating, administering, and managing virtual data centers within one or more cloud-computing facilities, each associated with a cloud-connector node; an API entrypoint request/response interface to native services, a service-extension interface, service extensions created through the service-extension interface, and an authorization-service-management-interface; and an authorization service that controls access to service extensions created through the service-extension interface.

2. The cloud-connector subsystem of claim 1 wherein the API entrypoint request/response interface is a hierarchical, URI-based RESTful interface.

3. The cloud-connector subsystem of claim 1 wherein the authorization service comprises: an authorization-service database; and an authorization routine that is called to determine whether a request directed to a service extension through the API entrypoint request/response interface is authorized to access the service extension.

4. The cloud-connector subsystem of claim 3 wherein the authorization-service database stores data objects within one or more data-storage devices, the data objects including: data objects that each represents an access-control rule.

5. The cloud-connector subsystem of claim 4 wherein an access-control rule specifies an authorization relationship between one of: a resource class, a resource-class action, an organization, and a user; a resource class, a resource-class action, an organization, and a group of users; a resource class, a resource-class action, an organization, and a right; a resource class, a resource-class action, an organization, and a role; a service, a resource-class action, an organization, and a user; a service, a resource-class action, an organization, and a group of users; a service, a resource-class action, an organization, and a right; and a service, a resource-class action, an organization, and a role.

6. The cloud-connector subsystem of claim 5 wherein a resource class is a type of service; wherein a service is a service extension accessed through the API entrypoint request/response interface; wherein an organization is associated with each virtual data center in a multi-tenant cloud-computing facility; wherein a user is an individual who accesses a service extension accessed through the API entrypoint request/response interface; wherein a group of users is a defined set of users; wherein a right is a specific access right; and wherein a role is a job title, professional capacity, or position associated with an individual or group of individuals.

7. The cloud-connector subsystem of claim 6 wherein the authorization-service database stores additional types of data objects that include: data objects that each represent a resource class; data objects that each represent a resource-class action; data objects that each represent a service; data objects that each represent a user; data objects that each represent a group of users; data objects that each represent a right; and data objects that each represent a role.

8. The cloud-connector subsystem of claim 3 wherein the authorization routine returns an indication of whether a request to a service extension is authorized; and wherein the authorization routine is supplied sufficient information about the request to the service extension to allow the authorization routine to extract, from data objects stored within the authorization service, indications of at least a resource class, resource-class action, service, organization, and user, group, right, or role corresponding to the request to the service extension that the authorization routine then uses to determine whether or not the resource class, resource-class action, service, organization, and user, group, right, or role match a relationship defined by an access-control rule.

9. The cloud-connector subsystem of claim 8 wherein the authorization routine retrieves different access-control rules from the authorization-service database until the most recently retrieved access-control rule matches a combination of primitives selected from among a resource class, a resource-class action, a service, an organization, a user, a group of users, a right, and a role corresponding to the request to the service extension, in which case the authorization routine returns an indication that the request to the service extension is authorized, or until there are no more different access-control rules to retrieve from the authorization-service database, in which case the authorization routine returns an indication that the request to the service extension is not authorized.

10. The cloud-connector subsystem of claim 3 wherein the authorization-service-management-interface is a hierarchical, URI-based RESTful interface accessed through the API entrypoint request/response interface that allows an authorized user to create data objects within, retrieve data objects from, and delete data objects from the authorization-service database.

11. A method for extending services provided by cloud-connector nodes, each associated with a cloud-computing facility, and a cloud-director server that includes one or more processors, one or more memories, one or more data-storage devices, the method comprising: providing an API entrypoint request/response interface to native services, a service-extension interface, service extensions created through the service-extension interface, and an authorization-service-management-interface; and an authorization service that controls access to service extensions created through the service-extension interface; and when a request is received through the API entrypoint request/response interface and directed to a service extension, responding to an authorization inquiry, directed to the authorization service by the service extension, by indicating to the service extension whether or not the request is authorized.

12. The method of claim 11 wherein the API entrypoint request/response interface is a hierarchical, URI-based RESTful interface.

13. The method of claim 11 wherein the authorization service comprises: an authorization-service database; and an authorization routine that is called to make an authorization inquiry to determine whether a request directed to a service extension through the API entrypoint request/response interface is authorized to access the service extension.

14. The method of claim 13 wherein the authorization-service database stores data objects within one or more data-storage devices, the data objects including: data objects that each represents an access-control rule.

15. The method of claim 14 wherein an access-control rule specifies an authorization relationship between one of: a resource class, a resource-class action, an organization, and a user; a resource class, a resource-class action, an organization, and a group of users; a resource class, a resource-class action, an organization, and a right; a resource class, a resource-class action, an organization, and a role; a service, a resource-class acti
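The rule model of claims 5 to 7 and the match-until-found authorization routine of claims 8 and 9, as an added illustration that is not the patent's or VMware's own code. The field names, the request context a service extension is assumed to hand to the authorization routine, and the sample organizations, users, services and rules are all constructed assumptions; the patent describes the primitives but not their encoding. Two points the claims leave implicit are made explicit here: a rule that does not fit one of the eight shapes in claim 5 is rejected at creation, and exhausting the rules without a match is a deny.

```python
"""Added illustration of the authorization service in claims 3-9.
Not the patent's or VMware's code: rule field names, the request
context and all sample data are constructed assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class AccessControlRule:
    """One access-control rule (claim 5): a target that is either a
    resource class or a specific service, an action, an organization,
    and exactly one principal primitive (user, group, right or role)."""
    action: str
    organization: str
    resource_class: Optional[str] = None
    service: Optional[str] = None
    user: Optional[str] = None
    group: Optional[str] = None
    right: Optional[str] = None
    role: Optional[str] = None

    def __post_init__(self):
        # Reject rules outside the eight shapes of claim 5; a malformed
        # rule must never silently widen access.
        if (self.resource_class is None) == (self.service is None):
            raise ValueError("rule needs exactly one of resource_class or service")
        principals = [p for p in (self.user, self.group, self.right, self.role)
                      if p is not None]
        if len(principals) != 1:
            raise ValueError("rule needs exactly one of user, group, right or role")


@dataclass(frozen=True)
class RequestContext:
    """Facts a service extension supplies about a request (claim 8):
    the extension and its class, the action, the tenant organization,
    the user, and that user's groups, rights and roles."""
    service: str
    resource_class: str
    action: str
    organization: str
    user: str
    groups: FrozenSet[str] = frozenset()
    rights: FrozenSet[str] = frozenset()
    roles: FrozenSet[str] = frozenset()


class AuthorizationService:
    """Stand-in for the authorization-service database plus the
    authorization routine of claim 3."""

    def __init__(self, rules: Iterable[AccessControlRule]):
        self._rules = tuple(rules)

    @staticmethod
    def _matches(rule: AccessControlRule, ctx: RequestContext) -> bool:
        # Target, action and organization must all agree.
        if rule.service is not None and rule.service != ctx.service:
            return False
        if rule.resource_class is not None and rule.resource_class != ctx.resource_class:
            return False
        if rule.action != ctx.action or rule.organization != ctx.organization:
            return False
        # The rule's single principal primitive must apply to the user.
        if rule.user is not None:
            return rule.user == ctx.user
        if rule.group is not None:
            return rule.group in ctx.groups
        if rule.right is not None:
            return rule.right in ctx.rights
        return rule.role in ctx.roles

    def is_authorized(self, ctx: RequestContext) -> bool:
        # Claim 9: retrieve rules until one matches (authorized) or none
        # remain (not authorized). No matching rule means deny.
        for rule in self._rules:
            if self._matches(rule, ctx):
                return True
        return False


def build_sample_service() -> AuthorizationService:
    """Three constructed rules for two hypothetical tenants, acme and globex."""
    return AuthorizationService([
        # vdc-admin role in acme may read any backup-class extension
        AccessControlRule(action="read", organization="acme",
                          resource_class="backup", role="vdc-admin"),
        # only user alice may create through the backup-ext-v1 service in acme
        AccessControlRule(action="create", organization="acme",
                          service="backup-ext-v1", user="alice"),
        # the ops group in globex may delete via backup-class extensions
        AccessControlRule(action="delete", organization="globex",
                          resource_class="backup", group="ops"),
    ])


def decide(svc: AuthorizationService, user: str, organization: str, action: str,
           groups=(), rights=(), roles=()) -> bool:
    """Evaluate a request to the hypothetical backup-ext-v1 extension."""
    ctx = RequestContext(service="backup-ext-v1", resource_class="backup",
                         action=action, organization=organization, user=user,
                         groups=frozenset(groups), rights=frozenset(rights),
                         roles=frozenset(roles))
    return svc.is_authorized(ctx)
```

Calling `decide(build_sample_service(), "carol", "acme", "delete", groups={"ops"})` returns `False` even though carol's group is allowed to delete in globex: the organization primitive is part of every rule shape in claim 5, so a tenant boundary is enforced by construction rather than by each extension remembering to check it.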

Assignees

Vmware Inc

Inventors

Classifications

  • H04L63/20 (Primary): for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title
  • for controlling access to devices or network resources · CPC title
  • H04L63/101 (Primary): Access control lists [ACL] · CPC title
  • Hierarchical databases, e.g. IMS, LDAP data stores or Lotus Notes · CPC title
  • Relational databases · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9356962B2 cover?
The current document is directed to an interface and authorization service that allows users of a cloud-director management subsystem of distributed, multi-tenant, virtual data centers to extend the services and functionalities provided by the cloud-director management subsystem. A cloud application programming interface (“API”) entrypoint represents a request/response RESTful interface to serv…
Who is the assignee on this patent?
Vmware Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/20. Mapped technology areas include Electricity.
When was this patent published?
Publication date May 31, 2016 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).