US 12,261,889 B2
Centralized request processing and security zone policy enforcement in a cloud infrastructure system
Sreenivas Gattu, Redmond, WA (US); Qian Wei, Kirkland, WA (US); Jonathan Jorge Nadal, Seattle, WA (US); Jun Tong, Bellevue, WA (US); and Thoulfekar Alrahem, Bellevue, WA (US)
Assigned to ORACLE INTERNATIONAL CORPORATION, Redwood Shores, CA (US)
Filed by Oracle International Corporation, Redwood Shores, CA (US)
Filed on Aug. 3, 2021, as Appl. No. 17/393,334.
Claims priority of provisional application 63/068,943, filed on Aug. 21, 2020.
Claims priority of provisional application 63/068,945, filed on Aug. 21, 2020.
Prior Publication US 2022/0060513 A1, Feb. 24, 2022
Int. Cl. H04L 9/40 (2022.01); H04L 67/10 (2022.01)
CPC H04L 63/205 (2013.01) [H04L 63/10 (2013.01); H04L 63/102 (2013.01); H04L 63/107 (2013.01); H04L 63/20 (2013.01); H04L 67/10 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method comprising:
receiving, by a centralized application programming interface (API) request processing system in a cloud service provider infrastructure (CSPI), an API request, the API request identifying an operation to be performed on a resource, the centralized API request processing system configured to receive a plurality of API requests directed to a plurality of cloud services provided using the CSPI;
determining, by the centralized API request processing system and based upon the API request, that the resource resides in a compartment that is associated with a security zone;
transmitting, by the centralized API processing system and to a security zone policy enforcement system, information identifying the operation to be performed on the resource, the compartment in which the resource resides, and the security zone associated with the compartment;
obtaining, by the centralized API processing system and from the security zone policy enforcement system, a response indicative of whether the operation is permitted on the resource, the response generated by the security zone policy enforcement system based upon evaluating a set of one or more compartment policies associated with the compartment and a set of one or more security zone policies associated with the security zone, the evaluating comprising:
    determining that the operation is permitted on the resource based on the set of one or more compartment policies;
    upon determining that the operation is permitted on the resource based on the set of one or more compartment policies, determining that the operation is permitted on the resource based on the set of one or more security zone policies; and
    upon determining that the operation is permitted on the resource based on the set of one or more security zone policies, transmitting a response indicating that the operation is permitted on the resource; and
upon determining that the response indicates that the operation is permitted to be performed on the resource, transmitting, by the centralized API processing system, the API request to a first cloud service from the plurality of cloud services.
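The following Python model illustrates the control flow of claim 1: a single request-processing entry point resolves the compartment and its security zone, hands the operation to a policy enforcement component that evaluates compartment policies first and security zone policies only after the compartment policies permit the operation, and forwards the request to the target cloud service only on a permit. This is an added example, not code from the patent or from Oracle; every name, compartment, zone, policy and service in it is constructed for illustration. It goes slightly beyond the claim text in two places, both labelled in comments: a compartment that is not in any security zone is evaluated against compartment policies alone, and a resource attribute that a zone rule constrains but the request does not specify is treated as the forbidden value so that unspecified settings fail closed.

```python
"""Model of centralized API request processing with two-stage policy evaluation:
compartment policies first, then security zone policies.
Added example, not the patent's own code; all names and data are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ApiRequest:
    principal: str        # caller identity, e.g. "group:ops" (constructed)
    operation: str        # e.g. "CreateBucket"
    resource_type: str    # routing key for the target cloud service
    compartment: str      # compartment the resource resides in
    attributes: dict = field(default_factory=dict)  # requested resource properties


@dataclass
class Decision:
    permitted: bool
    stage: str            # policy stage that produced the decision
    reasons: list


# --- Constructed control-plane data (assumptions, not from the patent) ---
# Which security zone, if any, each compartment belongs to.
COMPARTMENT_ZONE = {"prod-cmp": "max-security-zone", "dev-cmp": None}

# Compartment policies: allow-list of who may perform which operations.
COMPARTMENT_POLICIES = {
    "prod-cmp": [{"principal": "group:ops", "operations": {"CreateBucket", "CreateVolume"}}],
    "dev-cmp": [{"principal": "group:dev", "operations": {"CreateBucket", "CreateVolume"}}],
}

# Security zone policies: resource configurations that are never allowed inside
# the zone, regardless of what the compartment policies permit.
SECURITY_ZONE_POLICIES = {
    "max-security-zone": [
        {"resource_type": "bucket", "attribute": "public_access", "forbidden": True,
         "reason": "public buckets are not allowed in the security zone"},
        {"resource_type": "volume", "attribute": "encrypted", "forbidden": False,
         "reason": "unencrypted volumes are not allowed in the security zone"},
    ]
}


class SecurityZonePolicyEnforcement:
    """Evaluates compartment policies, then (only if those pass) zone policies."""

    def evaluate(self, req: ApiRequest, zone: Optional[str]) -> Decision:
        allowed = any(
            stmt["principal"] == req.principal and req.operation in stmt["operations"]
            for stmt in COMPARTMENT_POLICIES.get(req.compartment, [])
        )
        if not allowed:
            # Denied at stage one: zone policies are never consulted.
            return Decision(False, "compartment", ["no compartment policy permits the operation"])
        if zone is None:
            # Assumption: a compartment outside any zone needs only compartment policies.
            return Decision(True, "compartment", [])
        violations = [
            rule["reason"] for rule in SECURITY_ZONE_POLICIES.get(zone, [])
            if rule["resource_type"] == req.resource_type
            # Assumption: an unspecified attribute defaults to the forbidden value (fail closed).
            and req.attributes.get(rule["attribute"], rule["forbidden"]) == rule["forbidden"]
        ]
        if violations:
            return Decision(False, "security_zone", violations)
        return Decision(True, "security_zone", [])


def object_storage_service(req: ApiRequest) -> dict:
    """Stand-in for the cloud service the request is forwarded to (constructed)."""
    return {"status": 200, "service": "object-storage", "operation": req.operation}


def block_volume_service(req: ApiRequest) -> dict:
    return {"status": 200, "service": "block-volume", "operation": req.operation}


SERVICES = {"bucket": object_storage_service, "volume": block_volume_service}


class CentralizedRequestProcessor:
    """Single entry point: resolves the zone, asks enforcement, then forwards."""

    def __init__(self, enforcement: SecurityZonePolicyEnforcement):
        self.enforcement = enforcement

    def handle(self, req: ApiRequest) -> dict:
        zone = COMPARTMENT_ZONE.get(req.compartment)
        decision = self.enforcement.evaluate(req, zone)
        if not decision.permitted:
            return {"status": 403, "stage": decision.stage, "reasons": decision.reasons}
        service = SERVICES.get(req.resource_type)
        if service is None:
            return {"status": 404, "reasons": [f"no service for {req.resource_type}"]}
        return service(req)


def process(principal: str, operation: str, resource_type: str,
            compartment: str, attributes: Optional[dict] = None) -> dict:
    """Convenience wrapper so a caller can exercise the whole path in one call."""
    req = ApiRequest(principal, operation, resource_type, compartment, attributes or {})
    return CentralizedRequestProcessor(SecurityZonePolicyEnforcement()).handle(req)


if __name__ == "__main__":
    print(process("group:ops", "CreateBucket", "bucket", "prod-cmp", {"public_access": True}))
```

The ordering matters for what the caller learns from a denial: a principal with no compartment permission is rejected at the compartment stage and never sees which zone rules would have applied, while an authorised principal attempting a forbidden configuration receives the zone-level reason. Logging `stage` and `reasons` at the centralized processor gives a single audit point for both kinds of denial across all services.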