白丝美女被狂躁免费视频网站,500av导航大全精品,yw.193.cnc爆乳尤物未满,97se亚洲综合色区,аⅴ天堂中文在线网官网

Mechanism to manage group of resources using virtual resource containers

專利號(hào)
US11616787B1
公開日期
2023-03-28
申請(qǐng)人
Amazon Technologies, Inc.(US WA Seattle)
發(fā)明人
Jasmeet Chhabra; Harshad Vasant Kulkarni; Khaled Salah Sedky
IPC分類
H04L9/40
技術(shù)領(lǐng)域
resource,container,service,customer,policy,may,urn,in,data,or
地域: WA WA Seattle

摘要

A set of operations is performed to cause a resource accessible to a first set of entities to also be accessible to a member of a second set of entities, where the set of operations, as a result of being executed, causes a processor to create a project to associate with a set of resources, associate a policy that controls access to the set of resources with the projects, associate the resource with the set of resources of the project, and associate the member of the second set of entities with the project. A request is obtained from the member of the second set of entities to access the resource. The member of the second set of entities is determine to be authorized to access the resource based on the policy. The member of the second set of entities is allowed to obtain access to the resource.

說明書

BACKGROUND

In various contexts, managing computing resources is of utmost importance to many customers of computing resource service providers. Customers of computing resource service providers often desire to create groupings of large sets of resources, which sometimes comprise resources of various types, which can each have varying individual access policies. Managing the policies of such large set of resources and handling various failure modes of the resources can require complicated, manual workflows. Additionally, often some customers of computing resource service providers desire to share resources with each other in order to collaborate on a project. Providing the customers with the ability to define policies for large sets of resources and enables such policies to span across more than one customer account presents a challenge, especially when large amounts of resources and/or customers are involved.

BRIEF DESCRIPTION OF THE DRAWINGS

Various techniques will be described with reference to the drawings, in which:

FIG. 1 illustrates an example of a resource container service, in accordance with an embodiment;

FIG. 2 illustrates an example of a resource container, in accordance with an embodiment;

FIG. 3 is a swim diagram illustrating an example of a process for creating a resource container, in accordance with various embodiments;

FIG. 4 is a swim diagram illustrating an example of a process for adding resources to a resource container, in accordance with various embodiments;

權(quán)利要求

1
What is claimed is:1. A computer-implemented method, comprising:creating a first customer account and a second customer account at a computing resource service provider, wherein the first customer account is assigned to a first business organization and the second customer account is assigned to a second business organization different from the first business organization, and wherein a computing resource assigned to the second customer account is inaccessible to users of the first customer account but accessible to users of the second customer account;creating a resource container usable to associate with one or more computing resources provided to customers by the computing resource service provider;associating a user of the first customer account with the resource container;associating an access policy with the resource container, the access policy controlling access to the one or more computing resources associated with the resource container;causing, by associating the computing resource assigned to the second customer account with the resource container, the computing resource assigned to the second customer account to also be accessible to the users of the first customer account; andas a result of determining, based on the access policy of the resource container, that the user is authorized to access the resource of the second customer account, causing the user to obtain the access to the computing resource of the second customer account.2. The computer-implemented method of claim 1, wherein:the method further comprising receiving, from a service of the computing resource service provider that hosts the computing resource, a request to determine whether the user associated with the first customer account is authorized; andthe determining that the user is authorized to access the one or more computing resources is performed in response to the request.3. The computer-implemented method of claim 1, wherein:associating the access policy with the resource container further includes storing, in association with an identifier corresponding to the resource container, the access policy at a platform data store; anddetermining, via the identifier, that the user is authorized to access the one or more computing resource further includes obtaining the access policy from the platform data store.4. The computer-implemented method of claim 1, wherein the resource container is a data structure that logically associates the one or more computing resources with a common project.5. The computer-implemented method of claim 1, wherein:the first business organization is located in a first geographic region; andthe computing resource of the second customer account is located within a second geographic region different from the first geographic region.6. A system, comprising:one or more processors; andmemory that stores computer-executable instructions that, if executed, cause the system to:create a first account of a first business organization and a second account of a second business organization, wherein a resource assigned to the first business organization is accessible to members of the first business organization but inaccessible to members of the second business organization;perform a set of operations to cause the resource to also be accessible to a member of a second business organization, the set of operations causing the system to:create a project to associate with a set of resources;associate a policy that controls access to the set of resources with the projects;associate the resource with the set of resources of the project; andassociate the member of the second business organization with the project;obtain a request from the member of the second business organization to access the resource;determine, based on the policy, that the member of the second business organization is authorized to access the resource of the first business organization; andgrant the member of the second business organization the access to the resource of the first business organization.7. The system of claim 6, wherein the resource comprises:a database table,a virtual machine instance, oran object data store with an on demand storage service.8. The system of claim 6, wherein:the policy specifies that the access to the resource depends at least in part on a tag being assigned to the resource; andthe computer-executable instructions further include instructions that further cause the system to assign, in response to a request from a member of the first business organization, the tag to the resource.9. The system of claim 6, wherein the computer-executable instructions further include instructions that further cause the system to:obtain a request to disassociate a subset of the set of resources from the project; andin response to the request, disassociate the subset of resources from the project.10. The system of claim 6, wherein the computer-executable instructions further include instructions that further cause the system to:receive an additional request from the member of the second business organization to cause a second resource accessible to members of the second business organization to be accessible to a member of the first business organization;in response to the additional request, perform another set of operations that causes the system to at least associate the second resource with the set of resources of the project; anddetermine, based at least in part on the policy, to grant the member of the first business organization access to the second resource.11. The system of claim 6, wherein:the policy indicates to deny the access to resources in a particular geographic region; andthe computer-executable instructions that cause the system to determine that the member is authorized to access the resource further includes instructions that further cause the one or more processors to determine, based on the policy, that the resource is physically located in a different geographic region from the particular geographic region.12. The system of claim 6, wherein the computer-executable instructions that cause the system to perform the set of operations are performed in response to a request from a member of the first business organization.13. The system of claim 6, wherein:the project is a first project; andthe computer-executable instructions further include instructions that further cause the system to:create a second project associated with a second set of resources;cause the resource to be associated with the second project; anddetermine, based on a second policy associated with the second project, that a member of a third set of entities unassociated with the first project is authorized to access the resource.14. A non-transitory computer-readable storage medium storing thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:create a first account of a first business organization and a second account of a second business organization, wherein the first account is associated with a first resource that is accessible to users of the first account but inaccessible to users of the second account;associate the first resource with a project;assign a first user of the first account and a second user of the second account to the project as authorized participants;receive a request to grant, to the second user, access to the first resource;make a determination based on the authorized participants and a set of policies associated with the project whether the second user is authorized to be granted the access to the first resource; andas a result of the determination, grant the second user of the second business organization the access to the first resource of the first business organization.15. The non-transitory computer-readable storage medium of claim 14, wherein the executable instructions further comprise instructions that further cause the computer system to:obtain, from the a user of the first account, an additional request, the additional request being to remove the first resource from the project;in response to the additional request, remove the first resource from the project; andas a result of a second determination based on the authorized participants and the set of policies associated with the project, deny the second user the access to the first resource.16. The non-transitory computer-readable storage medium of claim 14, wherein:the first user and the first resource are physically located in a first geographic region; andthe second user and a second resource associated with the project are physically located in a second geographic region different from the first geographic region.17. The non-transitory computer-readable storage medium of claim 14, wherein:the project is a first project; andthe executable instructions further include instructions that further cause the computer system to:associate the first resource with a second project; andassign a third user as an authorized participant in the second project, the third user lacking memberships in the first account and the second account;the executable instructions that cause the computer system to make the determination further include instructions that further cause the computer system to make the determination further based at least in part on authorized participants of the second project; andfurther as a result of the determination:grant the third user the access to the first resource; anddeny the third user the access to a second resource associated with the first project.18. The non-transitory computer-readable storage medium of claim 14, wherein the executable instructions further comprise instructions that further cause the computer system to deny, as a result of the first resource being associated with the project, an additional request to associate the first resource to an additional project.19. The non-transitory computer-readable storage medium of claim 14, wherein the executable instructions further include instructions that further cause the computer system to:add to the set of policies a policy granting permission to the second user to add one or more resources to the project; andin response to receipt of an additional request associated with the second account to add a second resource of the second account with the project, associate the second resource with the project.20. The non-transitory computer-readable storage medium of claim 19, wherein the executable instructions that cause the computer system to add to the set of policies are performed in response to a request associated with the first account to add the policy to the set of policies.21. The non-transitory computer-readable storage medium of claim 14, wherein the executable instructions further cause the computer system to:obtain an additional request to associate a time-based condition with access to the first resource; andthe executable instructions that cause the computer system to make the determination further include instructions that further cause the computer system to determine that the access to the first resource by the second user is in compliance with the time-based condition.
微信群二維碼
意見反饋