Method and apparatus for authorizing api calls
Abstract
Some embodiments of the invention provide a system for defining, distributing and enforcing policies for authorizing API (Application Programming Interface) calls to applications executing on one or more sets of associated machines (e.g., virtual machines, containers, computers, etc.) in one or more datacenters. This system has a set of one or more servers that acts as a logically centralized resource for defining and storing policies and parameters for evaluating these policies. The server set in some embodiments also enforces these API-authorizing policies. Conjunctively, or alternatively, the server set in some embodiments distributes the defined policies and parameters to policy-enforcing local agents that execute near the applications that process the API calls. From an associated application, a local agent receives API-authorization requests to determine whether API calls received by the application are authorized. In response to such a request, the local agent uses one or more parameters associated with the API call to identify a policy stored in its local policy storage to evaluate whether the API call should be authorized. To evaluate this policy, the agent might also retrieve one or more parameters from the local policy storage.
Claims
exact text as granted — not AI-modified1 . A method for enforcing API (Application Programming Interface) authorization policies for an application executing on a first computer, the method comprising:
at a second computer,
receiving, for the application executing on the first computer, a request to determine whether an API call received by the application is authorized;
identifying at least one API-authorization policy and a first set of parameters for evaluating the API-authorization policy;
using the identified first set of parameters to evaluate the identified API-authorization policy in order to determine that the API call should be approved; and
sending a response to the first computer to authorize the API call after determining that the API call should be approved.
2 . (canceled)
3 . (canceled)
4 . The method of claim 1 , wherein the request is received from, and the response is sent to, a local API-authorizing agent executing on the first computer.
5 . The method of claim 4 , wherein the application and the local agent execute on a machine that executes on the first computer.
6 . The method of claim 5 , wherein the machine is a virtual machine.
7 . The method of claim 5 , wherein the machine is a container.
8 . The method of claim 5 , wherein the application receives the API call, and in response, sends a request to authorize the API call to the local agent through a network stack of the machine, and the local agent forwards the request to the second computer.
9 . The method of claim 1 further comprising:
at the second computer,
receiving definitions for a plurality of authorization policies for a plurality of API calls to the applications;
collecting parameters for evaluating the authorization policies to assess whether API calls should be authorized or rejected; and
storing the defined authorization policies and collected parameters in a single hierarchical storage structure from which the policies and associated set of parameters are retrieved to evaluate whether API calls should be authorized.
10 . The method of claim 1 , wherein the second computer is a server that processes API-authorization requests from a plurality of applications executing on a plurality of computers.
11 . A non-transitory machine readable medium storing a program enforcing API (Application Programming Interface) authorization policies for an application executing on a first computer, the program for execution by at least one processing unit of a second computer, the program comprising sets of instructions for:
receiving, for the application executing on the first computer, a request to determine whether an API call received by the application is authorized; identifying at least one API-authorization policy and a first set of parameters for evaluating the API-authorization policy; using the identified first set of parameters to evaluate the identified API-authorization policy in order to determine that the API call should be approved; and sending a response to the first computer to authorize the API call after determining that the API call should be approved.
12 . (canceled)
13 . (canceled)
14 . The non-transitory machine readable medium of claim 11 , wherein the request is received from, and the response is sent to, a local API-authorizing agent executing on the first computer.
15 . The non-transitory machine readable medium of claim 14 , wherein the application and the local agent execute on a machine that executes on the first computer.
16 . The non-transitory machine readable medium of claim 15 , wherein the machine is a virtual machine.
17 . The non-transitory machine readable medium of claim 15 , wherein the machine is a container.
18 . The non-transitory machine readable medium of claim 15 , wherein the application receives the API call, and in response, sends a request to authorize the API call to the local agent through a network stack of the machine, and the local agent forwards the request to the second computer.
19 . The non-transitory machine readable medium of claim 1 , wherein the program further comprises sets of instructions for:
receiving definitions for a plurality of authorization policies for a plurality of API calls to the applications; collecting parameters for evaluating the authorization policies to assess whether API calls should be authorized or rejected; and storing the defined authorization policies and collected parameters in a single hierarchical storage structure from which the policies and associated set of parameters are retrieved to evaluate whether API calls should be authorized.
20 . The non-transitory machine readable medium of claim 11 , wherein the second computer is a server that processes API-authorization requests from a plurality of applications executing on a plurality of computers.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.