Patents by Inventor Georgi LEKOV

Georgi LEKOV has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 12149537
    Abstract: Access control management to shared resources in a common resource directory between different users of cloud data centers can be implemented as computer-readable methods, media and systems. A resource managing service receives a request to access resources of a resource directory managed by the resource managing service. The request includes a token for identity authentication. The resource managing service determines a container membership associated with the token, where the container membership is associated with a container from a set of containers for the resource directory. The container includes one or more resources in a tree data structure of the resource directory. The resource managing service filters access rights defined in authorization primitives associated with the container membership based on container policy rules for the set of containers in the resource directory. The resource managing service provides access to a set of resources from the resource directory.
    Type: Grant
    Filed: January 12, 2022
    Date of Patent: November 19, 2024
    Assignee: VMware LLC
    Inventors: Stanimir Lukanov, Georgi Lyubomirov Dimitrov, Georgi Lekov
  • Publication number: 20240241741
    Abstract: The disclosure provides an example method for connection health monitoring and troubleshooting. The method generally includes monitoring a plurality of connections established between a first application running on a first host and a second application running on a second host; based on the monitoring, detecting two or more connections of the plurality of connections have failed within a first time period; in response to detecting the two or more connections have failed within the first time period, determining to initiate a single health check between the first host and the second host and enqueuing a single health check request in a queue to invoke performance of the single health check based on the single health check request; determining the queue comprises: a queued active health check request, or no previously-queued health check requests; enqueuing the single health check request in the queue; and performing the single health check.
    Type: Application
    Filed: January 17, 2023
    Publication date: July 18, 2024
    Applicant: VMware, Inc.
    Inventors: Petko PADEVSKI, Georgi LEKOV, Stanimir LUKANOV
  • Patent number: 11815999
    Abstract: The disclosure provides an approach for alarm state restoration. Embodiments include determining a plurality of alarm definitions applicable to an inventory of a plurality of entities in a computing environment. Embodiments include assigning each given alarm definition of the plurality of alarm definitions to a given alarm category of a plurality of alarm categories. Embodiments include restoring declared states of the plurality of alarm definitions on the inventory based on the assigning, wherein the restoring comprises, for each given alarm category of the plurality of alarm categories, performing a single traversal of the inventory to identify all respective entities of the plurality of entities that correspond to one or more alarm definitions assigned to the given alarm category.
    Type: Grant
    Filed: November 29, 2021
    Date of Patent: November 14, 2023
    Assignee: VMWARE, INC.
    Inventors: Georgi Lekov, Radoslav Gankov
  • Publication number: 20230353557
    Abstract: Bootstrapping a new remote appliance based on a request received at a main appliance based on established trust between the two appliances can be implemented as computer-implemented methods, media, and systems. A request is received at an authentication orchestrator at the main appliance to perform an operation requested by a user for execution on a remote appliance. The authentication orchestrator at the main appliance obtains an authentication token issued by an identity provider at the main appliance for the user associated with the request. The authentication orchestrator requests to exchange the authentication token issued by the identity provider at the main appliance for a new authentication token that is issued by an identity provider at the remote appliance. The authentication orchestrator at the main appliance initiates an authentication of the user at an appliance manager at the remote appliance based on providing the new authentication token.
    Type: Application
    Filed: April 28, 2022
    Publication date: November 2, 2023
    Inventors: Stanimir Lukanov, Kamen Mazdrashki, Georgi Lyubomirov Dimitrov, Dimo Raychev, Georgi Lekov
  • Patent number: 11711351
    Abstract: Hosts in a cluster in a virtualized computing environment bypass a management layer when communicating with an external key management service (KMS). One of the hosts is configured with KMS configuration information (including digital certificate information) that enables the host to directly communicate with the KMS via a secure communication connection, instead of communicating with the KMS via the management layer. This KMS configuration information is replicated in a distributed manner from the host to the other hosts in the cluster, thereby enabling the other hosts in the cluster to also directly and independently communicate with the KMS to obtain encryption keys to perform cryptographic operations.
    Type: Grant
    Filed: January 14, 2020
    Date of Patent: July 25, 2023
    Assignee: VMWARE, INC.
    Inventors: Georgi Lekov, Rusko Atanasov, Stanimir Lukanov, Elena Dimitrova, Dimo Raychev
  • Publication number: 20230224304
    Abstract: Access control management to shared resources in a common resource directory between different users of cloud data centers can be implemented as computer-readable methods, media and systems. A resource managing service receives a request to access resources of a resource directory managed by the resource managing service. The request includes a token for identity authentication. The resource managing service determines a container membership associated with the token, where the container membership is associated with a container from a set of containers for the resource directory. The container includes one or more resources in a tree data structure of the resource directory. The resource managing service filters access rights defined in authorization primitives associated with the container membership based on container policy rules for the set of containers in the resource directory. The resource managing service provides access to a set of resources from the resource directory.
    Type: Application
    Filed: January 12, 2022
    Publication date: July 13, 2023
    Inventors: Stanimir Lukanov, Georgi Lyubomirov Dimitrov, Georgi Lekov
  • Publication number: 20230168966
    Abstract: The disclosure provides an approach for alarm state restoration. Embodiments include determining a plurality of alarm definitions applicable to an inventory of a plurality of entities in a computing environment. Embodiments include assigning each given alarm definition of the plurality of alarm definitions to a given alarm category of a plurality of alarm categories. Embodiments include restoring declared states of the plurality of alarm definitions on the inventory based on the assigning, wherein the restoring comprises, for each given alarm category of the plurality of alarm categories, performing a single traversal of the inventory to identify all respective entities of the plurality of entities that correspond to one or more alarm definitions assigned to the given alarm category.
    Type: Application
    Filed: November 29, 2021
    Publication date: June 1, 2023
    Inventors: Georgi LEKOV, Radoslav GANKOV
  • Publication number: 20230108156
    Abstract: Some embodiments provide a method of facilitating a multi-stream protocol for a split web server that includes a reactor core and a proactor interface. At a session object of the web server, the method generates an internal stream for a new incoming web-based protocol stream. The method transfers a set of data associated with the new incoming web-based protocol stream to a buffer of the internal stream from which a user-facing interface of the web server reads the data. In response to a first data byte sent by the user-facing interface, the method initiates an active write loop for the new web-based protocol stream.
    Type: Application
    Filed: October 3, 2022
    Publication date: April 6, 2023
    Inventors: Seraphime Kirkovski, Nikola Kaludov, Georgi L. Lyubomirov Dimitrov, Anton Stoyanov, Georgi Lekov
  • Publication number: 20230097770
    Abstract: The disclosure herein describes monitoring authorization checks and detecting excess authorization privileges and other privilege usage patterns. An authorization check associated with an operation performed during a session in a computing environment is captured and a set of authorization privileges granted to a user of the session is identified. Based on comparison of the authorization privileges to authorization checks including the captured authorization check, excess authorization privileges granted to the user of the session are detected, wherein the excess authorization privileges are a subset of the identified set of authorization privileges. A privilege discrepancy notification based on the detected set of excess authorization privileges is generated. The detected privilege usage patterns described herein are used to improve the efficient use, and increase the security, of resources in the computing system.
    Type: Application
    Filed: September 29, 2021
    Publication date: March 30, 2023
    Inventors: Elena DIMITROVA, Georgi LEKOV, Radoslav GANKOV, Yoana STOYANOVA, Ivaylo KIRYAZOV
  • Publication number: 20210218723
    Abstract: Hosts in a cluster in a virtualized computing environment bypass a management layer when communicating with an external key management service (KMS). One of the hosts is configured with KMS configuration information (including digital certificate information) that enables the host to directly communicate with the KMS via a secure communication connection, instead of communicating with the KMS via the management layer. This KMS configuration information is replicated in a distributed manner from the host to the other hosts in the cluster, thereby enabling the other hosts in the cluster to also directly and independently communicate with the KMS to obtain encryption keys to perform cryptographic operations.
    Type: Application
    Filed: January 14, 2020
    Publication date: July 15, 2021
    Applicant: VMware, Inc.
    Inventors: Georgi LEKOV, Rusko ATANASOV, Stanimir LUKANOV, Elena DIMITROVA, Dimo RAYCHEV