System Environment Variable Isolation Framework among Cloud applications on PaaS

IP.com Disclosure Number: IPCOM000236643D
Publication Date: 2014-May-07
Document File: 7 page(s) / 539K

Publishing Venue

The IP.com Prior Art Database

Abstract

Platform as a service (PaaS) offers application hosting and a deployment environment, along with various integrated services that offer varying levels of scalability and maintenance. In the PaaS model, the system environment variable is an easy and very popular way to implement the binding between a cloud application and the integrated services it depends on. Each cloud application is supposed to see only its own part of the system environment variable, which includes the service connection credentials. However, in current PaaS platforms, cloud applications can also see the system environment variables of other applications. This transparency leaves the system environment variable vulnerable to attack. This disclosure presents a system environment variable isolation framework to avoid this problem.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 46% of the total text.

Platform as a service (PaaS) is a category of cloud computing services that provides a computing platform and a solution stack as a service. It offers application hosting and a deployment environment, along with various integrated services that offer varying levels of scalability and maintenance. In the PaaS model, cloud users only take care of application operations (installing, deploying and upgrading); they do not need to manage the cloud infrastructure and platforms where the application runs. The cloud infrastructure and platforms are managed by cloud providers.

Multitenant refers to a principle in software architecture where a single instance of the software runs on a server, serving multiple client-organizations (tenants). Multitenant contrasts with multi-instance architectures where separate software instances (or hardware systems) operate on behalf of different client organizations.

To accommodate a large number of cloud users, cloud applications are often multitenant; that is, any machine serves more than one cloud user organization on one middleware instance process.

The system environment variable is typically used to help cloud users bind their applications to the relevant cloud services offered by cloud providers on PaaS. The binding information is injected into the system variable after the application is deployed so that the application can use it to connect to cloud services. When the application is running, the system variable can be fetched with the System.getenv() method. In a multitenant case (multiple applications running on one middleware service instance), applications share the same system environment variable; that is, the system environment is visible to every cloud application running on the same middleware process.

Figure 1. Typical multitenant structure on PaaS among cloud applications

Here is a sample section of the system variable shared by two applications. It is formatted for readability.

Figure 2. An Example of Shared System Variable among Cloud Applications


As you can see, all binding information is exposed. Take the derby service, which is consumed by two applications, as an example: the port number and username are visible to the cloud users of both applications. This is where the problem arises.
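The shared visibility described above, as an added Java example that is not part of the original disclosure and is not the isolation framework it proposes. It models one middleware process with a constructed environment map, audits which binding keys each application can see that belong to another application, and compares that with a per-application scoped view. The BINDING_<APP>_<SERVICE>_<FIELD> key layout, the application ids APPA and APPB (assumed to contain no underscore) and all values are assumptions made for the illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

public class SharedEnvDemo {
    // Constructed stand-in for the environment of one middleware process hosting
    // two applications. The BINDING_<APP>_<SERVICE>_<FIELD> layout is hypothetical.
    static Map<String, String> processEnv() {
        Map<String, String> env = new TreeMap<>();
        env.put("BINDING_APPA_DERBY_PORT", "1527");
        env.put("BINDING_APPA_DERBY_USERNAME", "appa_user");
        env.put("BINDING_APPB_DERBY_PORT", "1527");
        env.put("BINDING_APPB_DERBY_USERNAME", "appb_user");
        env.put("PATH", "/usr/bin");
        return env;
    }

    // Scoped view: non-binding variables plus the caller's own bindings only.
    static Map<String, String> scopedView(Map<String, String> env, String appId) {
        String own = "BINDING_" + appId + "_";
        Map<String, String> view = new TreeMap<>();
        for (Map.Entry<String, String> e : env.entrySet()) {
            if (!e.getKey().startsWith("BINDING_") || e.getKey().startsWith(own)) {
                view.put(e.getKey(), e.getValue());
            }
        }
        return view;
    }

    // Audit check: binding keys in a view that belong to some other application.
    static List<String> foreignBindings(Map<String, String> view, String appId) {
        String own = "BINDING_" + appId + "_";
        List<String> leaked = new ArrayList<>();
        for (String k : view.keySet()) {
            if (k.startsWith("BINDING_") && !k.startsWith(own)) {
                leaked.add(k);
            }
        }
        return leaked;
    }

    public static void main(String[] args) {
        Map<String, String> shared = processEnv(); // models a bare System.getenv()
        for (String app : new String[] {"APPA", "APPB"}) {
            System.out.println(app + " shared: " + foreignBindings(shared, app));
            System.out.println(app + " scoped: " + foreignBindings(scopedView(shared, app), app));
        }
    }
}
```

The same foreignBindings check can be pointed at whatever view a hosted application actually receives, to confirm that no other application's binding keys are present in it.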

Problems:

The binding information contains application-specific information: the cloud services consumed by the application and, in particular, the credential part. The credential typically contains all the information that the application requires to consume the cloud service, such as the service endpoint and the user credential.

One cloud user should only take care of its own part of the binding information in the system variable. However, in the structure shown in the diagram above, the portions of binding information consumed by other applications in the system variable are also visible...