Computer-implemented method and system for managing computer application functionality rights
Patent abstract:
STRONG RIGHTS MANAGEMENT FOR COMPUTATIONAL APPLICATION FUNCTIONALITY. Illegal, unauthorized, unpaid and/or underpaid use of computer application functionality can be mitigated, at least in part, by controlling access to executable instructions implementing the computer application functionality. Executable instructions can be executed by a set of one or more virtual machines provisioned by a multi-tenant virtual resource provider. The virtual resource provider can provision virtual machines and other virtual resources with a set of implementation resources managed by a virtual resource provider control plane. The control plane can perform numerous control functions for the virtual resource provider, including managing and enforcing virtual resource access policies, such as one or more policies collectively specifying that computing application functionality will be accessed under a license or agreement between a third-party provider or provider of computing application functionality and a user of computing application functionality.

Publication number: BR112013021996B1
Application number: R112013021996-3
Filing date: 2012-03-22
Publication date: 2021-05-18
Inventors: Marc J. Brooker; David Brown; Christopher Richard Jaques De Kadt
Applicant: Amazon Technologies, Inc.
Main IPC class:
Patent description:
BACKGROUND

From data processing and engineering to education and entertainment, computing devices have found a wide variety of applications in modern workplaces, schools and homes. Many of these computing devices include processors capable of executing instructions (for example, instructions corresponding to elements of a computer programming language), and much of the functionality of a computing device can be controlled by a set of executable instructions and, optionally, a set of configuration data (e.g., by a computer program). Developing a computer program for a specific application and/or a set of functionality can require a significant investment of time and resources. For example, years of effort by teams of tens of people is not uncommon. However, executable instructions and configuration data can have a digital representation (for example, an “executable” or “binary” application) that is easily copied, and illegal and/or unpaid use of the functionality enabled (for example, “piracy” of the application) is a significant problem.

Several conventional “rights management” schemes (e.g., “copy protection” schemes) attempt to address this illegal and/or unpaid use. For example, some conventional rights management schemes involve cryptographic keys that unlock corresponding sets of application functionality. Some conventional rights management schemes involve periodic authentication and/or re-authentication with a remote server (e.g., remote in a communication network). Some conventional rights management schemes involve verifying the local presence of a physical computing device component (e.g., a “dongle”).

However, conventional rights management systems have drawbacks. For example, the copy that allows illegal and/or unpaid use of the application functionality may control and/or be installed on computing device hardware to which the user has physical access.
Even where portions of the executable instructions and/or configuration data are encrypted and/or locked, such physical access may enable the user to obtain corresponding decrypted and/or unlocked portions or otherwise circumvent the need to obtain a legitimate key. Such physical access may also allow the user to emulate or otherwise bypass the need for a remote authentication server and/or a local dongle. Remote access to low-level computing device functionality (e.g., operating system-level functionality) and/or access to low-level functionality of a communication network connected to the computing device (e.g., “sniffing” access to packet data in transit) may similarly enable a user intent on illegal and/or unpaid use of the application's functionality.

BRIEF DESCRIPTION OF THE FIGURES

Various embodiments in accordance with the present disclosure will be described with reference to the drawings, in which:

Figure 1 is a schematic diagram illustrating an example environment for implementing aspects according to at least one embodiment;

Figure 2 is a schematic diagram depicting aspects of an example virtual resource provisioning architecture according to at least one embodiment;

Figure 3 is a schematic diagram representing aspects of an example virtual resource provider according to at least one embodiment;

Figure 4 is a schematic diagram representing aspects of an exemplary control plane in accordance with at least one embodiment;

Figure 5 is a flowchart depicting exemplary steps for making an application appliance available in a virtual resource provider according to at least one embodiment;

Figure 6 is a flowchart depicting exemplary steps for accessing application appliance functionality in accordance with at least one embodiment;

Figure 7 is a flowchart depicting exemplary steps for dynamic resource activation according to at least one embodiment; and

Figure 8 is a flowchart depicting exemplary steps for managing workflow according to at least one embodiment.
Like numbers are used throughout the disclosure and in the figures to refer to similar components and features, but such repetition of numbers is for purposes of simplicity of explanation and understanding and should not be seen as a limitation of the various embodiments.

DETAILED DESCRIPTION

In the following description, various embodiments will be described. For purposes of explanation, specific configurations and details are set forth in order to provide a thorough understanding of the embodiments. However, it will also be evident to those skilled in the art that the embodiments can be practiced without the specific details. Also, well-known features can be omitted or simplified in order not to obscure the embodiment being described.

In at least one embodiment, illegal, unauthorized, unpaid and/or underpaid use of computer application functionality can be mitigated, at least in part, by controlling access to executable instructions that implement the computer application functionality. Executable instructions can be executed by a set of one or more virtual computing machines (“virtual machines”) provisioned by a multi-tenant virtual resource provider. The virtual resource provider can provision virtual machines and other virtual resources with a managed set of implementation resources, such as physical servers, physical network switches, and physical network paths. Provisioning, including ongoing allocation and reallocation of implementation resources, can be managed by a virtual resource provider control plane. The control plane can perform numerous control functions for the virtual resource provider, including managing and enforcing virtual resource access policies.

For example, the virtual resource provider can provision the set of virtual machines and a set of communication connections enabling communication with the set of virtual machines.
The set of virtual resource access policies enforced by the virtual resource provider's control plane may include one or more policies collectively specifying that the provisioned set of virtual machines executing the executable instructions that implement the computational application functionality will be accessed with the provisioned set of communication connections (the “allowed” set of communication connections) and not others. Where a communication protocol allows specification of a communication port or a sub-address, or the like, such policies can specify the allowed communication connections at a finer level of granularity. The set of virtual resource access policies may further include one or more policies collectively specifying that the computing application functionality will be accessed pursuant to a license or agreement between a third-party provider or provider of the computing application functionality and a user of the computing application functionality.

In at least one embodiment, the allowed set of communication connections corresponds to communication connections between virtual machines provisioned by the virtual resource provider. For example, the allowed set of communication connections can be between the provisioned set of virtual machines executing the executable instructions that implement the computational application functionality (the “application appliance”) and one or more virtual machines provisioned by the virtual resource provider in which a user account and desktop are maintained by an operating system (one or more “user VMs”).
In at least one embodiment, the allowed set of communication connections may include communication connections between the application appliance and one or more virtual machines and/or computing devices not provisioned by the virtual resource provider and participating in a virtual private computing cloud (VPC) maintained by the virtual resource provider, so that the control plane can enforce access policies with respect to the application appliance and/or the allowed set of communication connections.

Various approaches can be taken in various environments for various applications. For example, Figure 1 illustrates aspects of an exemplary environment 100 for implementing aspects according to various embodiments. As will be appreciated, while a web-based environment can be used for explanatory purposes, different environments can be used, as appropriate, to implement various embodiments. The environment 100 shown includes both a test or development portion (or side) and a production portion. The production portion includes an electronic client device 102, which may include any suitable device operable to send and receive requests, messages or information over a suitable network 104 and to transmit information back to a user of the device 102. Examples of such client devices include personal computers, cell phones, portable messaging devices, portable computers, tablet computers, TV decoders, personal data assistants, e-book readers and the like.

Network 104 can include any suitable network, including an intranet, the Internet, a cellular network, a local area network, a wide area network, a wireless data network, or any other network or combination thereof. The components used for such a system may depend, at least in part, on the type of network and/or environment selected. Protocols and components for communicating over this network are well known and will not be discussed here in detail.
Communication over the network can be enabled by wired or wireless connections and combinations of these. In this example, the network 104 includes the Internet, while the environment includes a web server 106 for receiving requests and serving content in response to them, although for other networks an alternative device serving a similar purpose may be used, as would be evident to those skilled in the art.

Illustrative environment 100 includes at least one application server 108 and a data store 110. It should be understood that there may be multiple application servers, tiers, or other elements, processes, or components, which may be chained together or otherwise configured, and which can interact to perform tasks such as retrieving data from an appropriate data store. As used herein, the term "data store" refers to any device or combination of devices capable of storing, accessing, and/or retrieving data, which may include any combination and number of data servers, databases, data storage devices and data storage media, in any standard, distributed, or clustered environment.

Application server 108 can include any appropriate hardware and software to integrate with the data store as needed to run aspects of one or more applications for client device 102, and can further handle a majority of the data access and business logic for an application. Application server 108 provides access control services in cooperation with data store 110 and is capable of generating content, such as text, graphics, audio and/or video, to be transferred to the user, which can be served to the user by the web server 106 in the form of HTML, XML, or another appropriate structured language in this example. The handling of all requests and responses, as well as the distribution of content between the client device 102 and the application server 108, can be done by the web server 106.
It should be understood that the web and application servers 106, 108 are not required and are just exemplary components, as the structured code discussed here can be run on any appropriate device or host machine, as discussed elsewhere here. In addition, environment 100 can be designed in such a way that a test automation framework can be provided as a service to which a user or application can subscribe. A test automation framework can be provided as an implementation of any of the various test patterns discussed here, although several other implementations can be used as well, as discussed or suggested here.

Environment 100 may also include a development and/or test side, which includes a user device 118 allowing a user, such as a developer, data administrator or tester, to access the system. User device 118 may be any appropriate device or machine, as described above in connection with client device 102. Environment 100 may also include a development server 120 that functions similarly to application server 108, but typically executes code during development and testing, before the code is deployed and executed on the production side and becomes accessible to external users, for example. In some embodiments, an application server may function as a development server, and separate test and production storage may not be used.

Data store 110 may include various data tables, databases, or other data storage mechanisms and media for storing data relating to a particular aspect. For example, the data store 110 illustrated includes mechanisms for storing production data 112 and user information 116 that can be used to serve content to the production side. Data store 110 is also shown to include a mechanism for storing test data 114 that can be used with user information for the test side.
It should be understood that there may be many other aspects that are stored in data store 110, such as page image information and access right information, which may be stored in any of the mechanisms listed above as appropriate, or in additional mechanisms in data store 110. Data store 110 is operable, through the logic associated therewith, to receive instructions from application server 108 or development server 120 and to obtain, update, or otherwise process data in response thereto. In one example, a user might submit a search request for a particular type of item. In this case, data store 110 can access user information 116 to verify the user's identity and can access catalog detail information to obtain information about items of that type. Information can then be returned to the user, such as in a list of results on a web page that the user is able to view through a browser on the user's device 102. Information for a particular item of interest can be viewed in a dedicated page or browser window.

Each server will typically include an operating system that provides executable program instructions for the general administration and operation of the server and will typically include a computer-readable medium storing instructions that, when executed by a server processor, allow the server to perform its intended functions. Suitable implementations for the operating system and general functionality of the servers are known or commercially available and are easily implemented by those skilled in the art, particularly in light of this disclosure.

Environment 100 in one embodiment is a distributed computing environment utilizing various computer systems and components that are interconnected through communication links, using one or more computer networks or direct connections. However, it will be appreciated by those skilled in the art that such a system could work equally well in a system with fewer or more components than are illustrated in Figure 1.
Thus, the representation of system 100 in Figure 1 should be taken as being illustrative in nature and not limiting the scope of the disclosure.

In at least one embodiment, one or more aspects of environment 100 may incorporate and/or be incorporated into a virtual resource provisioning architecture. Figure 2 shows aspects of an exemplary virtual resource provisioning architecture 200 according to at least one embodiment. The example virtual resource provisioning architecture 200 includes multiple clients 202-204 communicatively connected to a virtual resource provider 206 over a network 208. For example, the clients 202-204 can correspond to computing devices such as the computing device 102 of Figure 1 and/or client programs embedded in such computing devices. The ellipses between client 202 and client 204 indicate that the virtual resource provisioning architecture 200 can include any suitable number of clients, although for clarity only two are shown in Figure 2. Ellipses are used in the same way in all drawings.

One or more of the clients 202-204 may be used by one or more users associated with a tenant of virtual resource provider 206 to interact with a control plane 210 of virtual resource provider 206 and thereby provision one or more virtual computing resources 212. Alternatively, or in addition, one or more of the clients 202-204 may be used to interact with provisioned virtual computing resources 212. Provisioned virtual computing resources 212 may include any suitable type and/or number of virtual resources 214-216. Examples of virtual resources 214-216 include virtual machines such as virtual computer systems (VCSs), virtual networks, virtual private networks (VPNs), virtual network connections, virtual data stores, virtual file system volumes, storage agents, specialized data processing, media streaming agents including audio and video streaming agents, message queues, publish-subscribe threads configured to notify subscribers having subscriptions that match events published in publish-subscribe threads, monitoring agents, load balancing agents and appropriate combinations thereof.

The virtual resource provider 206 may further include any suitable number and/or type of implementation resources 218. Each of the provisioned computing resources 212 may be implemented by a set of implementation resources 218. In at least one embodiment, multiple implementation resources 218 may be configured to participate in the implementation, at least in part, of several of the provisioned computing resources 212. Examples of suitable implementation resources 218 include VCS servers, storage servers, computers, server racks, network hardware including switches, routers, gateways, bridges, hubs, repeaters, firewalls and wireless transceivers, power supplies, generators, data centers, rooms in data centers, mobile data centers, as well as non-volatile storage devices, including hard drives, processing units, such as central processing units (CPUs), caches in processing units, processing cores in multi-core processing units, volatile storage devices such as memory modules including random access memory (RAM) modules and RAM chips of multi-chip memory modules, network interface hardware and appropriate combinations thereof.

In at least one embodiment, one or more types of provisioned computing resource 212, such as virtual computer systems, are implemented by default with a set of implementation resources having a standardized set of implementation resource capabilities (e.g., a standard amount of non-volatile and/or volatile storage). Different implementation resource capabilities may be provisioned for such computing resources 212.
For example, such computing resources 212 may be provisioned with implementation resources collectively having a set of implementation resource capabilities, one or more of which is a multiple of the corresponding implementation resource capability in the standardized set. Suppose a virtual computer system with 1 gigabyte of available RAM corresponds to a “small” size. Virtual computer systems with “medium” and “large” sizes, corresponding to 2 gigabytes and 4 gigabytes of RAM, respectively, can be ordered, for example. Provisioned computing resources 212 with larger “sizes” may have correspondingly higher associated costs.

Provisioned virtual computing resources 212 may further include any suitable type and/or number of application appliances 220-222. In at least one embodiment, an application appliance may configure a set of one or more virtual resources (e.g., corresponding to virtual resources 214-216) and/or implementation resources 218 to provide a set of computational application functionality. Application appliances 220-222 can be provisioned in a manner corresponding to that of provisioning virtual resources 214-216.

In the example virtual resource provider 206, application appliances 220-222 are located in an application provider space 224 distinct from a general user space 226 of the provisioned computing resources 212. The location in different provisioned computing resource spaces 224-226 may correspond to different access policy and/or cost accounting treatments reflecting different roles with respect to the virtual resource provider 206. For example, virtual resources 214-216 provisioned in general user space 226 can facilitate a tenant's business end use. In contrast, application appliances 220-222 may be offered by third-party vendors to provide a set of computational application functionality. Access policies associated with virtual resources 214-216 in general user space 226 may allow access from public networks.
On the other hand, access policies associated with application appliances 220-222 may restrict access to other provisioned computing resources 212 or to a specific subset of virtual resources 214-216, such as a certain set of communication connections and/or user VMs. Costs associated with virtual resources 214-216 in general user space 226 can be determined at least in part based on allocated implementation resources 218. In contrast, costs associated with application appliances 220-222 can be determined based at least in part on a fixed fee, a fee per appropriate unit of time, associated implementation resource 218 costs plus a surcharge, resource usage, and/or any suitable method of cost accounting.

Control plane 210 can provision computing resources 212 with implementation resources 218 in response to provisioning requests. The control plane 210 can further manage and enforce policies that control access to the provisioned computing resources, including one or more policies that define and/or maintain the application provider space 224 distinct from the general user space 226. The control plane 210 can further track costs associated with maintaining provisioned computing resources 212 and allocate costs as appropriate to tenant accounts. An exemplary control plane, in accordance with at least one embodiment, is described in more detail below with reference to Figure 4.

In at least one embodiment, access to executable instructions that implement the computational application functionality of an application appliance 220-222 is controlled at least in part by enforcing at least one policy specifying that certain application appliances 220-222 be accessed through a specific set of communication connections and no other. Figure 3 represents an example of virtual resource provider 302 according to at least one embodiment.
The example virtual resource provider 302 of Figure 3 includes a control plane 304, a general user space 306, and an application provider space 308 corresponding to the control plane 210, the general user space 226, and the application provider space 224 of Figure 2. General user space 306 of Figure 3 contains multiple virtual machines 310-314 communicatively connected to multiple application appliances 316-320 with multiple provisioned communication connections 322-324. For example, virtual machines 310-314 may be user VMs and application appliances 316-320 may correspond to application appliances 220-222 of Figure 2. In at least one embodiment, user control over application appliances 316-320 is at a reduced level compared to virtual machines 310-314. For example, user control over application appliances 316-320 can be limited to starting, suspending, and stopping application appliances 316-320. In contrast, authorized users may be able to comprehensively configure and log in to virtual machines 310-314.

In the example virtual resource provider 302, the general user space 306 and the application provider space 308 are separated by a communicative barrier 326 to indicate that ad-hoc and/or non-compliant communication connections between the virtual machines 310-314 and application appliances 316-320 are impeded by one or more policies enforced by control plane 304. One or more virtual machines 310-314 may be connected to one or more of the application appliances 316-320 with policy-compliant communication connections 322-324. In the exemplary virtual resource provider 302, virtual machine 314 is connected to application appliance 320 with policy-compliant communication connection 322. The set of virtual machines 310-312 is connected to the set of application appliances 316-318 with policy-compliant communication connection 324.
Policy-compliant communication connections 322-324 are depicted as passing through control plane 304 to indicate the ability of control plane 304 to enforce associated access policies. Policy-compliant communication connections 322-324 may be maintained with any suitable communication medium and/or communication protocol. For example, policy-compliant communication connections 322-324 can be maintained with a communication protocol in accordance with a transmission control protocol and/or an internet protocol (e.g., TCP/IP). Each virtual machine 310-314 and/or application appliance 316-320 can be associated with a communication protocol address and/or communication port and, for example, the set of access policies associated with the communication connection 322 can specify that a destination of the protocol messages transmitted over the communication connection 322 corresponds to a specific communication protocol address and a particular communication port.

As an alternative or in addition, the application appliances 316-320 may incorporate and/or provide one or more interfaces 328-332 for the computational application functionality and, for example, the access policy set may specify that protocol messages carried over the communication connection 322 are in accordance with and/or directed to one or more elements of the interface 332 (e.g., a selected subset of such interface elements). Interfaces 328-332 can include any appropriate interface elements, such as interface elements corresponding to the functionality, or sets of functionality, of the computer application.
The interfaces 328-332 can incorporate and/or be incorporated in a user interface (UI) such as a graphical user interface (GUI), a web-based interface, a programmatic interface such as an application programming interface (API) and/or a set of remote procedure calls (RPCs) corresponding to the provisioning of interface elements, a messaging interface, such as a messaging interface where the interface elements of the interfaces 328-332 correspond to the messages of a communication protocol, a remote desktop protocol, such as a remote frame buffer protocol (for example, RFB) or an “X WINDOW SYSTEM” protocol, as described in Scheifler et al., “The X Window System,” ACM Transactions on Graphics, April 1986, pages 79-109, and/or any suitable combination thereof. Web-based interfaces can include web service interfaces such as Representational State Transfer (REST) compliant (“RESTful”) web service interfaces or Simple Object Access Protocol (SOAP) compliant web service interfaces or other “non-RESTful” web service interfaces.

Figure 4 depicts aspects of an exemplary control plane 402 in accordance with at least one embodiment. The control plane 402 may include a user interface (I/F) 404 allowing authorized users access to the functionality of the control plane 402 and an application provider interface (I/F) 406 allowing an application provider to manage a set of application appliances (for example, application appliances 316-320 in Figure 3) offered by the application provider. User interface 404 and application provider interface 406 can incorporate and/or be incorporated in any suitable type of functionality interface (for example, as described for interfaces 328-332 of Figure 3).

Virtual resource provider 302 (Figure 3) incorporating control plane 402 may have multiple tenants responsible for the costs associated with computing resources 212 (Figure 2) provisioned by authorized tenant users.
An administrative user designated by a tenant can interact with the user interface 404 to manage different types of users associated with the tenant, including users authorized to incur costs, for example, by provisioning computing resources 212. Authorized users can interact with the user interface 404 to provision computing resources 212 and manage (e.g., view, tag, allocate, route, and offload) associated costs.

An application provider can also be a tenant of virtual resource provider 302 (Figure 3), although this is not required in each embodiment. The application provider can interact with the application provider interface 406 to configure and/or register application appliances (such as the application appliances 316-320 in Figure 3) as available for provisioning, as well as specify license conditions, configure associated cost plans and manage associated costs. License conditions may include any suitable conditions with respect to accessing the computer application functionality, such as that a valid and unexpired license exists, that no more than a maximum number of users have accessed the computer application functionality or any specified part thereof, that no more than a maximum number of concurrent users are accessing the computational application functionality or any specified part thereof, that the computational application functionality or any specified part thereof has been accessed no more than a threshold number of times, and the like.

Depending on the associated cost plan, the application provider may be liable to the virtual resource provider 302 for costs incurred by provisioned instances of application appliances offered by the application provider. Alternatively or in addition, the associated cost plan can specify that the provisioning tenant is responsible for the associated costs, and the fees paid by the provisioning tenant can be allocated between the application provider and the virtual resource provider in accordance with an agreement between them.
A provisioning component 408 of control plane 402 can provision computing resources 212 (Figure 2) in response to provisioning requests, for example, received from user interface 404. Provisioning component 408 can determine types and capabilities of implementation resources 218 required to implement specific provisioned computing resources 212 and allocate, as available, such implementation resources to the task of implementing virtual resources 214-216 and/or application appliances 220-222, as well as continuously reallocate implementation resources 212, for example, to increase utilization efficiency and/or to reduce the chance of provisioned resource failure due to implementation resource failure.

A policy enforcement component 410 of control plane 402 can manage and enforce virtual resource provider 206 policies (Figure 2). For example, policy enforcement component 410 can receive policies to be enforced from an authorized user via the user interface 404, policies in relation to a certain provisioned resource can be established in policy enforcement component 410 during provisioning, policies can be established in the policy enforcement component 410 by an administrator of the virtual resource provider 206, and/or policies (e.g., cryptographically signed policies) can be received along with requests for access to and/or interaction with provisioned resources 212 from clients 202-204.

The policies of the virtual resource provider 206 may regulate any suitable aspect of the functionality of the virtual resource provider 206, including the functionality provided by the provisioned resources 212. Particular sets and/or subsets of functionality provided by the provisioned resources 212 may be named, tagged, and/or addressable. Each of these sets and/or subsets may be individually governed by the policies of the virtual resource provider 206.
Such governance may include restrictions regarding the allocation and utilization of implementation resources, as well as access by users and data transfer to and from specific provisioned resources 212. Users of provisioned resources 212 may include client users 202-204, including anonymous users; users of virtual resource provider 206, including administrative users; and components of virtual resource provider 206, including implementation resources 218, provisioned resources 212, and components 404-416 of control plane 402.

A virtual resource provider policy 206 (Figure 2) can specify any suitable set of required conditions. For example, the policy can specify conditions under which access to a particular application appliance is allowed. Such conditions may be specified with any suitable condition specification language, including suitable programming languages, and may include compound conditions, for example specified with Boolean operators. Condition parameters can include any suitable data available to virtual resource provider 206. Condition parameter examples include environmental data, such as date and time of day, and data associated with requests, such as source network address, originating geographic location, originating political and/or administrative division, and communication protocol used.

A cost tracking component 412 of control plane 402 may track costs (e.g., computing and/or financial costs) associated with providing and/or maintaining the computing resources 212 (Figure 2). Costs can be allocated to accounts, including tenant accounts. For example, costs associated with computing resources 212 provisioned by one or more users associated with a given tenant can be allocated to the tenant's account. The tenant's account and/or one or more of the provisioned resources 212 may be associated with one or more cost plans, and the costs allocated to the tenant's account may be determined in accordance with the cost plan(s).
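The compound access conditions described above, together with the license conditions an application vendor can specify (unexpired license, maximum users, maximum concurrent users, access threshold), can be sketched as a default-deny policy evaluator. This is an added example, not code from the patent or from any provider; the class and function names, the identifiers `connection-322` and `interface-332`, the address range and the limits are all constructed assumptions.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    user: str
    source_ip: str
    protocol: str
    connection_id: str  # communication connection that carried the request
    interface: str      # appliance interface the request targets
    when: datetime


@dataclass
class LicenseState:
    expires: datetime
    max_users: int        # distinct users ever admitted
    max_concurrent: int   # users with an open session
    max_accesses: int     # total admitted accesses
    seen_users: set = field(default_factory=set)
    active_users: set = field(default_factory=set)
    access_count: int = 0


# Boolean operators: a condition is a callable (request, state) -> bool.
def all_of(*conds):
    return lambda r, s: all(c(r, s) for c in conds)

def any_of(*conds):
    return lambda r, s: any(c(r, s) for c in conds)

# Leaf conditions over request data, environment data and license state.
def via(connection_id, interface):
    return lambda r, s: (r.connection_id, r.interface) == (connection_id, interface)

def source_in(cidr):
    net = ip_network(cidr)
    return lambda r, s: ip_address(r.source_ip) in net

def protocol_is(name):
    return lambda r, s: r.protocol == name

def license_unexpired(r, s):
    return r.when < s.expires

def within_user_limit(r, s):
    return r.user in s.seen_users or len(s.seen_users) < s.max_users

def within_concurrency(r, s):
    return r.user in s.active_users or len(s.active_users) < s.max_concurrent

def within_access_threshold(r, s):
    return s.access_count < s.max_accesses


class PolicyEnforcer:
    """Default-deny gate: state changes only after the whole policy passes."""

    def __init__(self, policy, state):
        self.policy, self.state = policy, state

    def open_session(self, req):
        if not self.policy(req, self.state):
            return False
        self.state.seen_users.add(req.user)
        self.state.active_users.add(req.user)
        self.state.access_count += 1
        return True

    def close_session(self, user):
        self.state.active_users.discard(user)


def run_constructed_requests():
    """Replay constructed requests; returns the allow/deny decision for each."""
    utc = timezone.utc
    state = LicenseState(expires=datetime(2030, 1, 1, tzinfo=utc),
                         max_users=3, max_concurrent=2, max_accesses=4)
    policy = all_of(
        via("connection-322", "interface-332"),
        source_in("10.0.0.0/24"),
        any_of(protocol_is("rdp"), protocol_is("https")),
        license_unexpired, within_user_limit,
        within_concurrency, within_access_threshold,
    )
    gate = PolicyEnforcer(policy, state)
    base = Request("alice", "10.0.0.5", "rdp", "connection-322",
                   "interface-332", datetime(2029, 6, 1, 12, tzinfo=utc))
    out = [gate.open_session(base)]                                  # allowed
    out.append(gate.open_session(
        replace(base, user="bob", connection_id="direct")))          # not via the connection
    out.append(gate.open_session(replace(base, user="bob")))         # allowed
    out.append(gate.open_session(replace(base, user="carol")))       # concurrency limit
    gate.close_session("alice")
    out.append(gate.open_session(replace(base, user="carol")))       # slot freed
    out.append(gate.open_session(replace(base, user="dave")))        # distinct-user limit
    out.append(gate.open_session(replace(base, source_ip="192.0.2.9")))  # wrong source
    out.append(gate.open_session(
        replace(base, when=datetime(2030, 2, 1, tzinfo=utc))))       # license expired
    gate.close_session("bob")
    out.append(gate.open_session(base))                              # fourth admitted access
    gate.close_session("carol")
    out.append(gate.open_session(replace(base, user="bob")))         # access threshold reached
    return out
```

Because the license counters are updated only after every condition passes, a denied request never consumes a user slot or an access count.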
A cost plan can specify costs as flat rates and/or based on any appropriate metric. For example, the cost plan can specify costs based on a number of time units that a particular provisioned resource 212 is available to at least one user associated with the tenant, a number of time units that a particular implementation resource 218 is allocated to maintain provisioned resources 212 associated with the tenant, a number of uses of a particular set of features of a particular provisioned resource 212, and/or suitable combinations thereof. For application appliances 220-222, the cost plan may specify a cost accounting relationship with the tenant, including cost pass-through, cost plus a surcharge, flat fee, periodic access fee, feature access fee, activation and deactivation fees, independent billing, and suitable combinations thereof.

An application rights management (ARM) component 414 of control plane 402 can act to establish and maintain user and vendor rights with respect to the provisioned application appliances 220-222 (Figure 2). For example, application rights management component 414 may provide and/or establish virtual resource provider policies 206 that control access to executable instructions that implement the functionality of provisioned application appliances 220-222. Application rights management component 414 may further facilitate enabling or disabling application functionality sets and/or application features. For example, application rights management component 414 may notify application appliances 220-222 of user requests to enable and/or disable application features, and may update virtual resource provider 206 policies and/or cost plans in response to activation status updates received from application appliances 220-222.

Control plane 402 may further include a workflow component 416 configured at least to establish and maintain workflows, such as provisioned resource workflows, provisioning workflows, and/or policy enforcement workflows established by provisioned resources 212 (Figure 2), provisioning component 408, and policy enforcement component 410, respectively. Workflows can include one or more sequences of tasks to be performed to perform a job, such as configuring virtual resources, provisioning, or managing policies. A workflow, as the term is used here, is not the tasks themselves, but a task control framework that can control the flow of information to and from tasks, as well as the order of execution of the tasks it controls. For example, a workflow can be thought of as a state machine that can manage and return the state of a process at any time during execution. Workflows can be created from workflow templates. For example, a policy enforcement workflow can be created from a policy enforcement workflow template configured with parameters by policy enforcement component 410.

Workflow component 416 may modify, further specify and/or further configure established workflows. For example, workflow component 416 may select specific implementation resources from virtual resource provider 206 (Figure 2) to perform and/or be assigned specific tasks. This selection can be based at least in part on the computing resource needs of the specific task as assessed by workflow component 416. As another example, workflow component 416 can add additional and/or duplicate tasks to an established workflow and/or reconfigure the flow of information between tasks in the established workflow. Such modification of established workflows can be based at least in part on an analysis of the efficiency of execution by workflow component 416. For example, some tasks can be efficiently executed in parallel, while other tasks depend on the successful completion of previous tasks.

Control plane 402 may be implemented with a provisioned resource set 212 (Figure 2), an implementation resource set 218 and/or corresponding computing resources.
Each of the implementation resources 218 may be controlled by the control plan 210. For example, each implementation resource may participate in and/or incorporate a part, agent and/or component of the control plan 210. Each of the provisioned resources 212 can be controlled by control plan 210. For example, each provisioned resource can participate in and/or incorporate a part, agent and/or component of control plan 210. Control plan 210 can be distributed by implementation resources 218 and /or the provisioned resources 212. For example, the control plane 210 can be implemented with distributed computing techniques well known to those skilled in the art. The description now turns to exemplary steps that can be performed, according to at least one modality. Figure 5 represents exemplary steps for making an application appliance available on a virtual resource provider, according to at least one modality. At step 502, a prototype application device can be configured. An authorized user of a tertiary application provider can configure a virtual machine in virtual resource provider 206 (Fig. 2) and configure the virtual machine to execute instructions that implement a desired set of computational application functionality. For example, the virtual machine can be a virtual computer system that incorporates a computer operating system, and the authorized user can install and configure one or more modules of the application in the virtual computer system and/or in the computer's operating system. Alternatively, the virtual machine can embody the desired set of computational application functionality independent of a computer operating system. At step 504, the prototype application appliance can be packaged into a form suitable for provisioning. For example, the authorized user can request that virtual resource provider 206 (Figure 2) create the provisionable package from the prototype configured in step 502. 
User interface 404 and/or application provider interface 406 (Figure 4 ) may include one or more interface elements, allowing the authorized user to make such requests. At step 506, the packaged prototype may be submitted to and/or registered with the virtual resource provider, 206. For example, the application provider interface 406 may include one or more interface elements that allow for such submissions and/or subscriptions. Step 506 can be incorporated into step 504. At step 508, one or more application device feature costs may be specified. For example, the authorized user can interact with one or more interface elements from the 406 application provider interface (Figure 4) to specify a cost plan for the users of the application device. Costs associated with accessing basic features can be specified, as well as costs associated with each of a set of premium and/or non-core features. Application-specific resource codes can be associated with human readable names, short descriptions and/or long descriptions. In step 510, a request can be presented to make the application device available for provisioning. For example, the authorized user can present the request with one or more interface elements from the 406 application provider interface. At step 512, the registered and/or submitted application device prototype can be verified. For example, application rights management component 414 (Figure 4) can check a static and/or dynamic integrity of the prototype application appliance, including with respect to security. If the application device is verified, then in step 516 it can be made available for provisioning by authorized tenant users of virtual resource provider 206 (Figure 2). Otherwise, one or more issues that occurred during verification can be reported to the supplier in step 514. Figure 6 represents the exemplary steps for accessing application device functionality, according to at least one modality. 
At step 602, a request to provision a user VM may be received. For example, an authorized user associated with a tenant of virtual resource provider 206 (Figure 2) can present a provisioning request with UI component 404 (Figure 4) of control plane 402. In step 604, the requested user VM can be configured. For example, provisioning component 408 can provision the requested virtual machine 314 in general user space 306 (Figure 3). The requested virtual machine 314 may be a virtual computer system that incorporates a computer operating system.

At step 606, a request to configure an application appliance may be received. For example, the authorized user can submit another provisioning request with UI component 404 (Figure 4). In at least one embodiment, the authorized user need not be aware of how the computing application functionality associated with the application appliance is implemented. For example, the authorized user does not need to be aware that an application appliance instance is provisioned to implement the computing application functionality. The authorized user can request that the computing application functionality be made available to the user's VM provisioned in step 602, and the provisioning request of step 606 can be generated in response, for example, as part of an application appliance provisioning workflow. When the application appliance offers one or more optional features, the provisioning request can specify a set of optional features to enable during provisioning. In at least one embodiment, the provisioning request may further specify a set of optional implementation resources 218 (Figure 2) and/or resource capacities to be made available to the provisioned application appliance.

At step 608, the application appliance can be provisioned. For example, provisioning component 408 may provision the requested application appliance 320 (Figure 3) in application provider space 308 in accordance with the provisioning request of step 606.
In step 610, a communication connection between the user VM and the application appliance can be provisioned. For example, provisioning component 408 (Figure 4) can configure communication connection 322 (Figure 3) with adequate implementation resources 218 (Figure 2). In step 612, a set of application appliance access policies can be configured. For example, application rights management component 414 may configure policy enforcement component 410 with one or more policies that govern provisioned application appliance 320, provisioned user VM 314, and/or communication connection 322 between them. Alternatively, application rights management component 414 can provide one or more templates for such policies that are configured by the application appliance provisioning workflow. In step 614, access to the provisioned application appliance, in accordance with the set of access policies configured in step 612, can be enabled. For example, policy enforcement component 410 (Figure 4) may start to apply the set of access policies from step 612, communication connection 322 (Figure 3) may be activated, and/or a local interface corresponding to interface 332 of application appliance 320 may be made available to processes maintained by virtual machine 314.

Figure 7 describes exemplary steps for dynamic feature activation, according to at least one embodiment. At step 702, an instance of the provisioned application appliance can subscribe to feature activation requests. For example, application rights management component 414 may subscribe application appliance 320 (Figure 3) to these requests. At step 704, a feature activation request may be received. For example, an authorized user of virtual resource provider 206 (Figure 2) may request that an optional set of computing application functionality implemented by application appliance 320 be made available to user VM 314.
The feature activation request may be made through user interface 404 (Figure 4) and received and processed by application rights management component 414 and/or workflow component 416. In step 706, the application appliance instance can be notified of the feature activation request received in step 704. For example, application rights management component 414 (Figure 4) can notify application appliance 320 (Figure 3) of the feature activation request via an appropriate interface element of application appliance 320. In step 708, a response to the notification of step 706 may be received. For example, application appliance instance 320 may respond that the requested feature has been activated and/or is available, or that there was a problem processing the feature activation request.

At step 710, it can be determined whether the requested feature has been activated, for example, based on the response received in step 708. If the requested feature has been activated, a process that incorporates step 710 can progress to step 714. Otherwise, the process can progress to step 712. In step 712, the sender of the request received in step 704 can be notified of the problem that occurred while processing the feature activation request. In step 714, cost tracking component 412 (Figure 4) can be notified of the successful activation of the requested feature, for example, by application rights management component 414. In step 716, an account associated with the application appliance instance can be updated. For example, cost tracking component 412 can update a tenant account associated with user VM 314 to begin accounting for the activated feature according to a corresponding cost plan.

As described above with reference to Figure 4, control plane 402 can be facilitated by one or more workflows maintained by workflow component 416. Figure 8 depicts exemplary steps for workflow management, according to at least one embodiment.
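The Figure 7 activation sequence (steps 704 to 716), including the failure branch of step 712 and a feature-setting interface that only the control plane may call, can be sketched as follows. This is an added example, not code from the patent; the class names, feature names, hourly fees and the `control-plane` caller label are constructed assumptions.

```python
from dataclasses import dataclass, field

CONTROL_PLANE = "control-plane"  # constructed caller identity


@dataclass
class Appliance:
    """Application appliance instance; feature names are constructed."""
    available: set
    active: set = field(default_factory=set)

    def set_feature(self, caller, feature, enabled):
        # Feature-setting interface: not reachable over the user's connection.
        if caller != CONTROL_PLANE:
            raise PermissionError("feature-setting interface is control-plane only")
        if feature not in self.available:
            return {"ok": False, "problem": f"unknown feature {feature!r}"}
        (self.active.add if enabled else self.active.discard)(feature)
        return {"ok": True, "problem": None}

    def invoke(self, feature):
        # User-facing interface: only activated features respond.
        if feature not in self.active:
            raise PermissionError(f"{feature!r} is not activated")
        return f"{feature}: ok"


@dataclass
class CostTracker:
    """Accrues per-hour feature fees (integer cents) against tenant accounts."""
    hourly_rate: dict                              # feature -> fee per hour
    running: dict = field(default_factory=dict)    # (account, feature) -> start hour
    charges: dict = field(default_factory=dict)    # account -> accrued total

    def feature_activated(self, account, feature, hour):
        # A repeated notice must not reset the billing start.
        self.running.setdefault((account, feature), hour)

    def feature_deactivated(self, account, feature, hour):
        start = self.running.pop((account, feature), None)
        if start is not None:
            fee = (hour - start) * self.hourly_rate.get(feature, 0)
            self.charges[account] = self.charges.get(account, 0) + fee


class RightsManager:
    """Stands in for the application rights management component."""

    def __init__(self, appliance, tracker, authorized):
        self.appliance, self.tracker = appliance, tracker
        self.authorized = authorized  # user -> tenant account allowed to incur costs

    def request(self, user, feature, enabled, hour):
        account = self.authorized.get(user)                    # step 704
        if account is None:
            return "denied: user may not incur costs"
        reply = self.appliance.set_feature(CONTROL_PLANE, feature, enabled)  # 706, 708
        if not reply["ok"]:                                    # step 710 -> 712
            return f"problem: {reply['problem']}"
        if enabled:                                            # steps 714, 716
            self.tracker.feature_activated(account, feature, hour)
        else:
            self.tracker.feature_deactivated(account, feature, hour)
        return "activated" if enabled else "deactivated"
```

Billing starts only after the appliance confirms the change, so a failed activation reported in step 712 never reaches the tenant account.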
At step 802, a request may be received by an interface of control plane 402 (Figure 4). For example, user interface 404 or application provider interface 406 of control plane 402 can receive the request from a user and/or administrator of virtual resource provider 202. At step 804, the request can be analyzed to determine one or more actions required to successfully process the request. For example, provisioning component 408 can analyze the request and determine a set of actions needed to configure a set of computing resources 212 (Figure 2). When an interface element that receives the request matches a specific action to be performed, the interface can extract information from the request to be used in determining aspects and/or parameters of the action to be performed.

In step 806, a request can be sent to create a workflow based at least in part on one or more actions determined in step 804. For example, provisioning component 408 (Figure 4) can send the request to workflow component 416. The request to create the workflow may include the action(s) and action metadata, such as action type and/or action parameters. In at least one embodiment, control plane 402 and/or workflow component 416 maintains a work queue for these requests, and workflows are created responsive to new additions to the work queue. In step 808, a workflow and one or more component tasks can be created. For example, workflow component 416 can analyze the request from step 806 to determine the proper workflow and component tasks to create.

In step 810, the execution of the component task(s) can be guided according to the workflow. For example, workflow component 416 (Figure 4) can activate interface elements of the various implementation resources to provision the set of virtual resources. As an alternative or in addition, workflow component 416 can manage bids for the execution of the component task(s) by components of virtual resource provider 206 (Figure 2).
In step 812, you can determine if the workflow has ended. For example, workflow component 416 can determine whether a final task in a sequence of tasks managed by workflow has completed. In this case, a procedure that incorporates step 812 can progress to step 814. Otherwise the procedure can return to step 810 for a next task and/or sequence of tasks. Workflows can drive multiple sequences of tasks performed in parallel. In this case, it could be that the workflow is not finished until each of the various task sequences is completed and/or an explicit finished workflow flag is set for one of the component tasks. At step 814, the sender of the request from step 802 can be informed of the result(s) of the actions. Various modalities of disclosure can be described by the following clauses: Clause 1. A computer-implemented method for managing rights to computing application functionality, comprising: under control of one or more computer systems configured with executable instructions, provisioning a first virtual machine that includes an operating system with which at least one user is associated with a tenant of a multi-tenant virtual resource provider has access, provisioning the first virtual machine facilitated, at least in part, by a multi-tenant virtual resource provider's control plan; provisioning a second virtual machine configured to run at least a portion of an application, provisioning the second virtual machine facilitated, at least in part, by the multi-tenant virtual resource provider's control plane; providing said at least one user access to application functionality, at least in part, by establishing at least one communication connection between the first virtual machine and the second virtual machine and maintaining at least one interface to the application on the second virtual machine; impose an access condition to the application functionality by said at least one user, the access condition specifying at least that access occurs through said at 
least one communication connection and from said at least one interface, the application of the access condition realized, at least in part, by the multi-tenant virtual resource provider control plan; and allowing data to be transmitted over said at least one communication link for presentation to at least one user. Clause 2. Computer implemented method, according to Clause 1, in which the provisioning of the first virtual machine and the second virtual machine comprises allocating deployment resources from a group of deployment resources managed by the control plan of the service provider virtual resources for multiple tenants. Clause 3. A computer-implemented method, in accordance with Clause 2, further comprising: receiving a specification of at least one resource capacity available for the application; and provisioning a set of virtual resources, including the second virtual machine with a set of deployment resources from the group of deployment resources that collectively have a set of resource capabilities that include at least one specified resource capacity. Clause 4. Computer-implemented method according to Clause 3, wherein said at least one specified resource capacity is specified as a multiple of a pre-defined set of implementation resources. Clause 5. 
A computer-implemented method for managing rights to computing application functionality, comprising: under control of one or more computer systems configured with executable instructions, provisioning at least one virtual machine configured to run at least a portion of an application , provisioning performed, at least in part, by a provider of virtual resources; provide access to at least one user to application functionality, at least in part, by establishing at least one communication connection with at least one application interface, at least one interface maintained, at least in part, by at least one virtual machine; impose an application functionality access condition, the application functionality access condition specifying, at least that access occurs through said at least one communication connection and from said at least one interface, the application of the access condition to the application functionality performed, at least in part, by the virtual resource provider; and allowing data to be transmitted over said at least one communication link for presentation to at least one user. Clause 6. Computer-implemented method, according to Clause 5, further comprising imposing an access condition to said at least one virtual machine, the access condition to said at least one virtual machine specifying at least that access occurs through the of said at least one communication connection and of said at least one interface, the imposition of the access condition to said at least one virtual machine is executed, at least in part, by a control plane of the virtual resource provider. Clause 7. Computer implemented method according to Clause 5, wherein at least one virtual machine is implemented with a set of deployment features and access to the functionality of the set of deployment features is controlled by a control plan of the provider of virtual resources. Clause 8. 
A computer-implemented method, in accordance with Clause 7, wherein the implementation feature set includes at least one of: a volatile storage device, a non-volatile storage device, a processor, a physical server, a network interface port, a network switch, and a network path. Clause 9. Computer implemented method, in accordance with Clause 5, in which at least one communication connection is implemented with a set of implementation resources and access to the functionality of the set of implementation resources is controlled by a control plan of the virtual resource provider. Clause 10. Computer implemented method, in accordance with Clause 5, wherein providing said at least one user access to application functionality comprises creating at least one policy specifying the access condition and enforcing the condition of access comprises enforcing said at least one policy with a virtual resource provider policy enforcement component. Clause 11. Computer implemented method, according to Clause 5, wherein said at least one interface comprises a plurality of interface elements corresponding to a plurality of functional characteristics of the application and the access condition to the application functionality further specifies that the access corresponds to a selected subset of the plurality of interface elements. Clause 12. Computer implemented method, according to Clause 5, wherein the provisioning of said at least one virtual machine has an associated set of costs that are charged to an account associated with said at least one user. Clause 13. Computer implemented method, in accordance with Clause 12, wherein the set of application costs includes at least one cost corresponding to at least one feature of the application that is capable of being activated and deactivated. Clause 14. 
A computer-implemented method, in accordance with Clause 5, further comprising: receiving, in a control plane from the virtual resource provider, a user request to activate at least one feature of the application from at least one user ; submitting a control plane request to activate said at least one feature to a feature setting interface, the feature setting interface maintained, at least in part, by said at least one virtual machine and inaccessible to said at least one user through said at least one communication connection; receive, in the control plan, confirmation that said at least one characteristic has been activated; and notifying a cost tracking component of the control plan that costs associated with said at least one activated feature will be charged to an account associated with said at least one user. Clause 15. Computer implemented method, in accordance with Clause 5, wherein the provisioning of said at least one virtual machine has an associated set of implementation resource costs that are charged to an account associated with said at least one user . Clause 16. Computer-implemented method, according to Clause 5, further comprising receiving a user request for provisioning said at least one virtual machine, the user request specifying, at least in part, at least a capacity of at least a deployment resource to be made available to said at least one virtual machine. Clause 17. 
Computer implemented method for managing rights to computing application functionality, comprising: under control of one or more computer systems configured with executable instructions, providing at least one user access to the functionality of an application, at least in part, establishing at least one communication connection with at least one application interface, at least one interface maintained, at least in part, by at least one virtual machine configured in a virtual resource provider; impose an application functionality access condition, the application functionality access condition specifying at least that access occurs through said at least one communication connection and said at least one interface, the imposition of the functionality access condition application performed, at least in part, by a virtual resource provider's control plane; tracking at least one cost associated with accessing application functionality through said at least one communication connection and said at least one interface; and provide tracked cost data for presentation to a virtual resource provider tenant. Clause 18. Computer implemented method, in accordance with Clause 17, in which the application functionality is implemented, at least in part, by at least one implementation resource of the virtual resource provider and the tracking of said at least one cost comprises tracking a number of time units during which said at least one implementation feature participates in the implementation of the functionality. Clause 19. A computer-implemented method according to Clause 17, wherein tracking said at least one cost comprises tracking a number of uses of at least one interface element of said at least one application interface. Clause 20. 
A computerized computer application functionality rights management system, comprising: a set of configurable implementation resources at least to implement a plurality of virtual resources; a virtual resource provisioning component configured at least to provision virtual resources with the deployment resource set, responsive to provisioning requests, to virtual resources, including at least one virtual machine configured to run at least a portion of an application and at least one communication connection with at least one application interface; and a policy enforcement component configured to at least impose a condition of access to application functionality, the condition of access to application functionality by specifying at least that access occurs through said at least one communication connection and said at least an interface. Clause 21. Computer system, in accordance with Clause 20, wherein the computer system further comprises a user interface component configured to at least enable a user to send a request to access the application functionality and said at least one machine virtual is provisioned by the virtual resource provisioning component at least in part in response to the request to access application functionality. Clause 22. Computer system according to Clause 20, wherein the computer system further comprises a provider interface component configured to allow an application provider to configure said at least one virtual machine to run said at least a part of the app and to set up at least one cost associated with accessing the app functionality. Clause 23. 
One or more computer-readable media collectively having on them computer-executable instructions that configure one or more computers to collectively at least: provision at least one virtual machine configured to run at least a portion of an application, the provisioning facilitated, at least in part, by a control plan of a virtual resource provider; provide access to at least one user to application functionality, at least in part, by establishing at least one communication connection with at least one application interface, said at least one interface maintained, at least in part, by said at least one virtual machine; impose an application functionality access condition, the application functionality access condition specifying at least that access occurs through said at least one communication connection and said at least one interface, the imposition of the functionality access condition application performed, at least in part, by the virtual resource provider's control plane; and allowing data to be transmitted over said at least one communication connection for presentation to said at least one user. Clause 24. One or more computer-readable media, in accordance with Clause 23, wherein said at least one interface is maintained at a communication network location that is remote from an operating system of said at least one user and access to said at least one communication connection is through at least one corresponding interface which is local to the operating system. Clause 25. One or more computer readable media according to Clause 23, wherein said at least one interface comprises an interface in accordance with a remote desktop protocol. The various modalities described herein can be applied to a wide variety of environments which, in some cases, may include one or more user computers, computing devices, or processing devices that can be used to run any of a number of applications. 
User or client devices can include any of a number of general purpose personal computers, such as desktop or laptop computers running a standard operating system, as well as cellular, wireless and handheld devices running mobile software and capable of supporting numerous networking and messaging protocols. This system can also include numerous workstations running any of a variety of commercially available operating systems and other known applications for purposes such as development and database management. These devices may also include other electronic devices, such as dumb terminals, thin clients, gaming systems, and other devices capable of communicating over a network.

Most embodiments use at least one network that would be familiar to those skilled in the art to support communications using any of a variety of commercially available protocols, such as TCP/IP, OSI, FTP, UPnP, NFS, CIFS, and AppleTalk. Such a network can include, for example, a local area network, a wide area network, a virtual private network, the Internet, an intranet, an extranet, a public switched telephone network, an infrared network, a wireless network, and any combination of them. The network can further incorporate any appropriate network topology. Examples of suitable network topologies include, but are not limited to, simple point-to-point topologies, star topologies, self-organizing point-to-point topologies, and combinations thereof.

In embodiments using a web server, the web server can run any of a variety of server and/or mid-tier applications, including HTTP servers, FTP servers, CGI servers, data servers, Java servers, and business application servers.
Servers may also be able to run programs or scripts in response to requests from user devices, such as by running one or more web applications that can be implemented as one or more scripts or programs written in any programming language, such as Java®, C, C# or C++, or any scripting language such as Perl, Python, or TCL, as well as combinations thereof. The server(s) may also include database servers, including, without limitation, those commercially available from Oracle®, Microsoft®, Sybase®, and IBM®.
The environment can include a variety of data stores and other storage and memory media, as discussed above. These can reside in a variety of locations, such as on a storage medium local to (and/or residing on) one or more of the computers, or remote from any or all of the computers across the network. In a given set of embodiments, information may reside in a storage area network (“SAN”) familiar to those skilled in the art. Likewise, all files necessary to perform the functions assigned to computers, servers or other network devices can be stored locally and/or remotely as appropriate.
When a system includes computerized devices, each such device may include hardware elements that can be electrically coupled via a bus, the elements including, for example, at least one central processing unit (CPU), at least one input device (for example, a mouse, keyboard, controller, touchscreen, or portable keyboard) and at least one output device (for example, a display device, printer, or speaker). Such a system may also include one or more storage devices, such as hard disks, optical storage devices, and solid-state storage devices, such as random access memory (RAM) or read-only memory (ROM), as well as removable media devices, memory cards, flash cards, etc. These devices may also include a computer-readable storage media reader, a communications device (e.g., a modem, a network card (wired or wireless), an infrared communications device, etc.), and memory as described above.
The computer-readable storage media reader may be connected to, or configured to receive, a computer-readable storage medium representing remote, local, fixed and/or removable storage devices, as well as storage media for temporarily and/or more permanently containing, storing, transmitting and retrieving computer-readable information. The system and various devices will typically also include a series of software applications, modules including program modules, services or other elements located within at least one working memory device, including an operating system and application programs, such as a client application or web browser.
It should be appreciated that alternative embodiments may have numerous variations from the one described above. For example, custom hardware may also be used and/or certain elements may be implemented in hardware, software (including portable software such as applets) or both. In addition, connection to other computing devices, such as network input/output devices, can be employed.
Storage media and computer-readable media for containing code, or portions of code, may include any appropriate media known or used in the art, including storage media and communication media such as, but not limited to, volatile and non-volatile media, removable and non-removable, implemented in any method or technology for storing and/or transmitting information, such as computer-readable instructions, data structures, program modules, or other data, including RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disk (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed by a system device.
Program modules, program components and/or programmatic objects may include computer-readable and/or computer-executable instructions of and/or corresponding to any appropriate computer programming language. In at least one embodiment, every computer-readable medium can be tangible. In at least one embodiment, each computer-readable medium may be non-transitory in time. Based on the disclosure and teachings provided herein, those skilled in the art will appreciate other ways and/or methods for implementing the various embodiments.
The specification and drawings are therefore to be considered in an illustrative rather than a restrictive sense. However, it is evident that various modifications and alterations can be made without departing from the broader spirit and scope of the invention as set out in the claims.
The use of the terms "a" and "an" and "the" and similar references in the context of describing embodiments (especially in the context of the following claims) will be interpreted to cover both the singular and the plural, unless otherwise indicated herein or clearly contradicted by the context. The terms “comprising”, “having”, “including” and “containing” will be interpreted as open terms (i.e., meaning “including, but not limited to”) unless otherwise indicated. The term “connected” will be interpreted as fully or partially contained within, attached to, or joined together, even if there is something intervening. The recitation of ranges of values here is only intended to serve as a shorthand method of referring individually to each separate value falling within the range, unless otherwise indicated herein, and each separate value is incorporated into the specification as if it were individually recited here. All methods described herein may be performed in any appropriate order, unless otherwise indicated herein or otherwise clearly contradicted by context.
The use of any and all examples, or exemplary language (e.g., "such as") provided herein, is intended only to further illuminate embodiments and does not present a limitation on scope, unless otherwise claimed. No language in the specification should be interpreted as indicating any element not claimed as essential to the practice of at least one embodiment.
Preferred embodiments are described herein, including the best mode known to the inventors. Variations of these preferred embodiments may become apparent to those skilled in the art upon reading the above description. The inventors expect skilled artisans to employ these variations as appropriate, and the inventors intend that the embodiments be interpreted otherwise than as specifically described herein. Accordingly, suitable embodiments include all modifications and equivalents of the subject matter recited in the claims attached hereto, as permitted by applicable law. Furthermore, any combination of the above-described elements in all their possible variations is contemplated to be incorporated in some suitable embodiment, unless otherwise indicated herein or otherwise clearly contradicted by context.
All references, including publications, patent applications and patents, cited herein are incorporated by reference to the same extent as if each reference were individually and specifically indicated to be incorporated by reference and were set forth in its entirety herein.
Claims:
Claims (15)
1. Computer-implemented method for managing computing application functionality rights, characterized in that it comprises: under control of one or more computer systems configured with executable instructions, provisioning at least one application appliance virtual machine configured to at least run at least a portion of an application, the provisioning performed, at least in part, by a virtual resource provider; providing at least one user with access to application functionality, at least in part, by establishing at least one communication connection from a user virtual machine to at least one interface of a plurality of interfaces maintained, at least in part, by said at least one application appliance virtual machine; imposing an application functionality access condition, the application functionality access condition specifying at least that access occurs through said at least one communication connection and said at least one interface, the imposition of the application functionality access condition performed, at least in part, by the virtual resource provider; and allowing data to be transmitted over said at least one communication connection for presentation to said at least one user.
2. Computer-implemented method according to claim 1, characterized in that it further comprises imposing an application appliance virtual machine access condition on said at least one application appliance virtual machine, the access condition on said at least one application appliance virtual machine specifying at least that access takes place via said at least one communication connection and said at least one interface, the imposition of the access condition on said at least one application appliance virtual machine performed, at least in part, by a control plane of the virtual resource provider.
3. Computer-implemented method according to claim 1, characterized in that the at least one application appliance virtual machine is implemented with a set of implementation resources and access to the functionality of the set of implementation resources is controlled by a control plane of the virtual resource provider.
4. Computer-implemented method according to claim 3, characterized in that the set of implementation resources includes at least one of: a volatile storage device, a non-volatile storage device, a processor, a physical server, a network interface port, a network switch, and a network path.
5. Computer-implemented method according to claim 1, characterized in that said at least one communication connection is implemented with a set of implementation resources and access to the functionality of the set of implementation resources is controlled by a control plane of the virtual resource provider.
6. Computer-implemented method according to claim 1, characterized in that providing said at least one user with access to the application functionality comprises creating at least one policy specifying the access condition, and the enforcement of the access condition comprises enforcing said at least one policy with a policy enforcement component of the virtual resource provider.
7. Computer-implemented method according to claim 1, characterized in that said at least one interface comprises a plurality of interface elements corresponding to a plurality of functional features of the application and the application functionality access condition further specifies that the access corresponds to a selected subset of the plurality of interface elements.
8. Computer-implemented method according to claim 1, characterized in that the provisioning of said at least one virtual machine has an associated set of costs that are charged to an account associated with said at least one user.
9. Computer-implemented method according to claim 8, characterized in that the set of application costs includes at least one cost corresponding to at least one application feature that is capable of being activated and deactivated.
10. Computer-implemented method according to claim 1, characterized in that it further comprises: receiving, at a control plane of the virtual resource provider, a user request of said at least one user to activate at least one feature of the application; submitting a control plane request to activate said at least one feature to an application feature setting interface, the feature setting interface maintained, at least in part, by said at least one application appliance virtual machine and inaccessible to said at least one user through said at least one communication connection; receiving, at the control plane, confirmation that said at least one feature has been activated; and notifying a cost tracking component of the control plane that costs associated with said at least one activated feature will be charged to an account associated with said at least one user.
11. Computer-implemented method according to claim 1, characterized in that the provisioning of at least one application appliance virtual machine has an associated set of implementation resource costs that are charged to an account associated with said at least one user.
12. Computer-implemented method according to claim 1, characterized in that it further comprises receiving a user request for provisioning said at least one application appliance virtual machine, the user request specifying, at least in part, at least one capability of at least one implementation resource to be made available to said at least one application appliance virtual machine.
13. Computerized system for managing computing application functionality rights, characterized in that it comprises: a set of implementation resources configurable at least to implement a plurality of virtual resources; a virtual resource provisioning component configured at least to provision virtual resources with the set of implementation resources in response to provisioning requests, the virtual resources including at least one application appliance virtual machine configured to run at least a portion of an application and at least one communication connection from a user virtual machine to at least one interface of a plurality of interfaces maintained, at least in part, on the application appliance virtual machine, said user virtual machine being separate from said one or more application appliance virtual machines; and a policy enforcement component configured to at least enforce an application functionality access condition, the application functionality access condition specifying at least that access occurs through said at least one communication connection and said at least one interface.
14. Computer system according to claim 13, characterized in that the computer system further comprises a user interface component configured at least to enable a user to send a request to access the application functionality, and said at least one application appliance virtual machine is provisioned by the virtual resource provisioning component, at least in part, in response to the request to access application functionality.
15. Computer system according to claim 13, characterized in that the computer system further comprises a provider interface component configured at least to allow an application provider to configure said at least one application appliance virtual machine to run said at least a portion of the application and to set at least one cost associated with accessing the application functionality.
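The following sketch is an added example, not code from the patent or from any virtual resource provider. It models the policy enforcement of claims 1 and 7 (default-deny checks on connection, interface and permitted interface elements) and the control-plane feature activation with cost tracking of claim 10; every class, method and identifier name is hypothetical.

```python
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class AccessCondition:
    """Claims 1 and 7: required connection, interface and permitted elements."""
    connection_id: str
    interface_id: str
    allowed_elements: frozenset


@dataclass
class ApplianceVM:
    """Stand-in for the application appliance virtual machine (hypothetical)."""
    active_features: set = field(default_factory=set)

    def configure_feature(self, feature, caller):
        # Claim 10: the feature-setting interface is not reachable over the
        # user's connection. A caller tag stands in for that isolation here.
        if caller != "control-plane":
            raise PermissionError("feature-setting interface is control-plane only")
        self.active_features.add(feature)
        return True  # confirmation returned to the control plane


class ControlPlane:
    """Holds policies, enforces them and tracks feature costs (hypothetical)."""

    def __init__(self, vm, feature_costs):
        self.vm = vm
        self.feature_costs = feature_costs
        self.policies = {}  # user -> AccessCondition
        self.charges = {}   # user -> [(feature, cost)]
        self.audit = []     # (user, element, decision), kept for later review

    def grant(self, user, condition):
        self.policies[user] = condition

    def authorize(self, user, connection_id, interface_id, element):
        # Default deny: no policy, wrong path or unlisted element all fail.
        cond = self.policies.get(user)
        allowed = (
            cond is not None
            and connection_id == cond.connection_id
            and interface_id == cond.interface_id
            and element in cond.allowed_elements
        )
        self.audit.append((user, element, "allow" if allowed else "deny"))
        return allowed

    def activate_feature(self, user, feature):
        cond = self.policies.get(user)
        if cond is None or feature not in self.feature_costs:
            raise PermissionError("no policy for user or unknown feature")
        if not self.vm.configure_feature(feature, caller="control-plane"):
            return False
        # Only after the appliance confirms: widen the policy, record the cost.
        self.policies[user] = replace(
            cond, allowed_elements=cond.allowed_elements | {feature})
        self.charges.setdefault(user, []).append(
            (feature, self.feature_costs[feature]))
        return True


def demo():
    """Constructed scenario: one user, one connection, one paid feature."""
    vm = ApplianceVM(active_features={"view"})
    cp = ControlPlane(vm, feature_costs={"export": 5})
    cp.grant("alice", AccessCondition("conn-1", "rdp-0", frozenset({"view"})))
    results = {
        "granted_path": cp.authorize("alice", "conn-1", "rdp-0", "view"),
        "other_connection": cp.authorize("alice", "conn-9", "rdp-0", "view"),
        "export_before": cp.authorize("alice", "conn-1", "rdp-0", "export"),
    }
    cp.activate_feature("alice", "export")
    results["export_after"] = cp.authorize("alice", "conn-1", "rdp-0", "export")
    return results, cp
```

The audit list records denials as well as grants, which is what a defender would review to spot attempts to reach the appliance outside the granted connection.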
Patent family:
Publication number | Publication date
EP2689324A4 | 2015-03-11
BR112013021996A2 | 2016-12-06
WO2012129409A2 | 2012-09-27
EP2689324B1 | 2018-08-29
JP5702477B2 | 2015-04-15
EP2689324A2 | 2014-01-29
JP2014507741A | 2014-03-27
AU2012230866B2 | 2015-06-11
WO2012129409A3 | 2013-09-26
CA2825153C | 2017-08-22
CA2825153A1 | 2012-09-27
CN103703443B | 2017-10-10
CN103703443A | 2014-04-02
US20120246740A1 | 2012-09-27
SG192018A1 | 2013-08-30
AU2012230866A1 | 2013-08-15
Legal status:
2018-12-18 | B06F | Objections, documents and/or translations needed after an examination request according [chapter 6.6 patent gazette]
2019-10-22 | B06U | Preliminary requirement: requests with searches performed by other patent offices: procedure suspended [chapter 6.21 patent gazette]
2021-03-09 | B09A | Decision: intention to grant [chapter 9.1 patent gazette]
2021-05-18 | B16A | Patent or certificate of addition of invention granted | Free format text: TERM OF VALIDITY: 20 (TWENTY) YEARS COUNTED FROM 22/03/2012, SUBJECT TO THE LEGAL CONDITIONS.
Priority:
Application number | Filing date | Patent title
US13/069,271 | US20120246740A1 | 2011-03-22 | 2011-03-22 | Strong rights management for computing application functionality
US13/069,271 | 2011-03-22
PCT/US2012/030130 | WO2012129409A2 | 2011-03-22 | 2012-03-22 | Strong rights management for computing application functionality