Abstract: Some embodiments of the invention provide a system for defining, distributing and enforcing policies for authorizing API (Application Programming Interface) calls to applications executing on one or more sets of associated machines (e.g., virtual machines, containers, computers, etc.) in one or more datacenters. This system has a set of one or more servers that acts as a logically centralized resource for defining and storing policies and parameters for evaluating these policies. The server set in some embodiments also enforces these API-authorizing policies. Conjunctively, or alternatively, the server set in some embodiments distributes the defined policies and parameters to policy-enforcing local agents that execute near the applications that process the API calls. From an associated application, a local agent receives API-authorization requests to determine whether API calls received by the application are authorized.

Abstract: Some embodiments provide a method for evaluating a policy for authorizing an API (Application Programming Interface) call to an application. Based on a first set of parameters available before receiving the API call, the method evaluates only a portion of the policy to produce a partially evaluated policy. The method stores the partially evaluated policy in a cache. The method then receives an API call to authorize, and determines whether the API call should be authorized by fully evaluating the policy, using the partially evaluated policy retrieved from the cache first storage, and a second set of parameters associated with the API call. The method responds to the API call with a policy decision based on the fully evaluated authorization policy.

Abstract: Some embodiments of the invention provide a system for defining, distributing and enforcing policies for authorizing API (Application Programming Interface) calls to applications executing on one or more sets of associated machines (e.g., virtual machines, containers, computers, etc.) in one or more datacenters. This system has servers that act as a logically centralized resource for defining and storing policies and parameters for evaluating these policies. The servers enforce these policies and distribute the policies and parameters to policy-enforcing local agents that execute near the applications that process the API calls. From an associated application, a local agent receives API-authorization requests to determine whether API calls received by the application are authorized. In response to such a request, the local agent uses one or more parameters associated with the API call to identify a policy stored in its local policy storage to evaluate whether the API call should be authorized.

Abstract: Some embodiments of the invention provide a system for defining, distributing and enforcing policies for authorizing API (Application Programming Interface) calls to applications executing on one or more sets of associated machines (e.g., virtual machines, containers, computers, etc.) in one or more datacenters. This system has servers that act as a logically centralized resource for defining and storing policies and parameters for evaluating these policies. The servers enforce these policies and distribute the policies and parameters to policy-enforcing local agents that execute near the applications that process the API calls. From an associated application, a local agent receives API-authorization requests to determine whether API calls received by the application are authorized. In response to such a request, the local agent uses one or more parameters associated with the API call to identify a policy stored in its local policy storage to evaluate whether the API call should be authorized.

Abstract: Some embodiments of the invention provide a system for defining, distributing and enforcing policies for authorizing API (Application Programming Interface) calls to applications executing on one or more sets of associated machines (e.g., virtual machines, containers, computers, etc.) in one or more datacenters. This system has a set of one or more servers that acts as a logically centralized resource for defining and storing policies and parameters for evaluating these policies. The server set in some embodiments also enforces these API-authorizing policies. Conjunctively, or alternatively, the server set in some embodiments distributes the defined policies and parameters to policy-enforcing local agents that execute near the applications that process the API calls.

Abstract: Some embodiments provide a method for distributing a set of parameters associated with policies for authorizing Application Programming Interface (API) calls to an application. For a previously stored hierarchical first document that comprises a first set of elements in a first hierarchical structure, the method receives a hierarchical update second document that comprises a second set of elements in a second hierarchical structure corresponding to the first hierarchical structure, wherein at least a subset of elements in the first and the second documents correspond to the set of parameters for evaluating API calls. The method receives a first set of hash values for elements of the first document that are not specified in the second document, and generates a second set of hash values for a set of elements specified in the second document. The method generates an overall hash for the second document by using the received first set of hash values and the generated second set of hash values.

Abstract: Some embodiments of the invention provide a system for defining, distributing and enforcing policies for authorizing API (Application Programming Interface) calls to applications executing on one or more sets of associated machines (e.g., virtual machines, containers, computers, etc.) in one or more datacenters. This system has a set of one or more servers that acts as a logically centralized resource for defining and storing policies and parameters for evaluating these policies. The server set in some embodiments also enforces these API-authorizing policies. Conjunctively, or alternatively, the server set in some embodiments distributes the defined policies and parameters to policy-enforcing local agents that execute near the applications that process the API calls. From an associated application, a local agent receives API-authorization requests to determine whether API calls received by the application are authorized.

Abstract: Some embodiments provide a novel network control system that provides publications for managing different slices (e.g., logical and/or physical entities) of a network. The publications are published from publisher controllers in the network control system to subscriber controllers. The network control system uses publications with generation numbers and buffered subscribers to implement the fixed points in order to help maintain a consistent network state. Buffered subscribers buffer the inputs received from a publisher in case the publisher becomes unavailable. Rather than deleting all of the output state that is based on the published inputs, the buffered subscriber allows the subscriber to maintain the network state until an explicit change to the state is received at the subscriber from a publisher (e.g., a restarted publisher, a backup publisher, etc.).

Abstract: Some embodiments provide a novel network control system that uses secondary input queues to receive and store inputs from multiple input sources prior to moving the inputs to a primary input queue for processing. The secondary input queues provide a separate storage for each input source so that the inputs from the different sources do not get mixed with each other to ensure that fixed points and barriers sent to the controller maintain their integrity.

Abstract: Some embodiments provide a novel network control system that provides publications for managing different slices (e.g., logical and/or physical entities) of a network. The publications are published from publisher controllers in the network control system to subscriber controllers. The network control system uses publications with generation numbers and buffered subscribers to implement the fixed points in order to help maintain a consistent network state. The information published with a publication is useful for resolving conflicts in the network control system when multiple publisher controllers provide conflicting inputs to a subscriber controller.

Abstract: Some embodiments provide a novel network control system that provides publications for managing different slices (e.g., logical and/or physical entities) of a network. The publications are published from publisher controllers in the network control system to subscriber controllers. The network control system uses publications with generation numbers and buffered subscribers to implement the fixed points in order to help maintain a consistent network state. Buffered subscribers buffer the inputs received from a publisher in case the publisher becomes unavailable. Rather than deleting all of the output state that is based on the published inputs, the buffered subscriber allows the subscriber to maintain the network state until an explicit change to the state is received at the subscriber from a publisher (e.g., a restarted publisher, a backup publisher, etc.).

Abstract: Some embodiments provide a novel network control system that provides publications for managing different slices (e.g., logical and/or physical entities) of a network. The publications are published from publisher controllers in the network control system to subscriber controllers. The network control system uses publications with generation numbers and buffered subscribers to implement the fixed points in order to help maintain a consistent network state. The information published with a publication is useful for resolving conflicts in the network control system when multiple publisher controllers provide conflicting inputs to a subscriber controller.

Abstract: Some embodiments provide a novel network control system that uses secondary input queues to receive and store inputs from multiple input sources prior to moving the inputs to a primary input queue for processing. The secondary input queues provide a separate storage for each input source so that the inputs from the different sources do not get mixed with each other to ensure that fixed points and barriers sent to the controller maintain their integrity.