Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The filing of a terminal disclaimer by itself is not a complete reply to a nonstatutory double patenting (NSDP) rejection. A complete reply requires that the terminal disclaimer be accompanied by a reply requesting reconsideration of the prior Office action. Even where the NSDP rejection is provisional the reply must be complete. See MPEP § 804, subsection I.B.1. For a reply to a non-final Office action, see 37 CFR 1.111(a). For a reply to final Office action, see 37 CFR 1.113(c). A request for reconsideration while not provided for in 37 CFR 1.113(c) may be filed after final for consideration. See MPEP §§ 706.07(e) and 714.13.
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The actual filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/apply/applying-online/eterminal-disclaimer.
Claims 1 – 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 – 9 and 11 - 20 of U.S. Patent No. 12074884. Although the claims at issue are not identical, they are not patentably distinct from each other because each element in the above pending claims is anticipated by a corresponding element in a patented claim.
Regarding pending claim 1, said claim is anticipated by patented claim 1 as illustrated below:
Pending claim 1
A network controller comprising:
processing circuitry; and a server to process one or more requests for operations on one or more resources of a
container orchestration system, wherein the server is configured for execution by the processing circuitry to: obtain a request to generate an access control policy for a role in the container orchestration system, the request specifying one or more functions of an interface provided by the server;
parse data from executing the one or more functions to determine a resource of the container orchestration system to be accessed from executing the one or more functions and one or more types of operations to be performed on the resource from executing the one or more functions; and
create, based at least in part on the parsed data, the access control policy for the role that permits access for the one or more types of operations to be performed on the resource.
Patented claim 1
A network controller for a software-defined networking (SDN) architecture system, the network controller comprising: processing circuitry; and . . . server to process requests for operations on native resources of a
container orchestration system . . . to:
receive a request to generate an access control policy for a role in a container orchestration system, wherein the request specifies a plurality of functions of an aggregated API provided by the custom API server and the API server; execute the plurality of functions; log execution of the plurality of functions in an audit log; parse the audit log to determine a plurality of resources of the container orchestration system accessed from executing the plurality of functions and, for each resource of the plurality of resources, a respective one or more types of operations of a plurality of actions performed on the respective resource from executing the plurality of functions; and
create, based at least in part on the parsed audit log, the access control policy for the role that permits a role to perform, on each of the plurality of resources, the respective one or more types of operations.
Regarding pending claim 12 said claim is anticipated by patented claims 1 and 2 as illustrated below:
Pending claim 2
The network controller of claim 1, wherein the server is further configured for execution by the processing circuitry to:
perform a first respective one or more operations indicated by the one or more functions on each of a first one or more resources indicated by the one or more functions; determine, based at least in part on the first respective one or more operations to be performed on each of the first one or more resources, a second respective one or more operations to be performed on each of a second one or more resources that are not indicated by the one or more functions; perform the second respective one or more operations on each of the second one or more resources; and
log performance of the first respective one or more operations and performance of the second respective one or more operations in the data from executing the one or more functions.
Patented claim 2
The network controller of claim 1, wherein to execute the plurality of functions, the one or more configuration nodes are further configured for execution by the processing circuitry to: perform a first respective one or more operations indicated by the plurality of functions on each of a first one or more resources indicated by the plurality of functions; determine, based at least in part on the first respective one or more operations to be performed on each of the first one or more resources, a second respective one or more operations to be performed on each of a second one or more resources that are not indicated by the plurality of functions; and perform the second respective one or more operations on each of the second one or more resources.
Patented claim 1
. . . execute the plurality of functions;
log execution of the plurality of functions in an audit log; parse the audit log to determine a plurality of resources of the container orchestration system accessed from executing the plurality of functions . . .
Regarding pending claim 3, the limitations of said claim are anticipated by patented claim 3.
Regarding pending claim 4, the limitations of said claim are anticipated by patented claim 4.
Regarding pending claim 5, the limitations of said claim are anticipated by patented claim 5.
Regarding pending claim 6, the limitations of said claim are anticipated by patented claim 6.
Regarding pending claim 7, the limitations of said claim are anticipated by patented claim 7.
Regarding pending claim 8, the limitations of said claim are anticipated by patented claim 8.
Regarding pending claim 9, the limitations of said claim are anticipated by patented claim 9.
Regarding pending claim 10, the limitations of said claim are anticipated by patented claim 11.
Regarding pending claim 11, the limitations of said claim are anticipated by patented claim 12 in the same manner pending claim 1 is anticipated by patented claim 1.
Regarding pending claim 12, the limitations of said claim are anticipated by patented claims 12 and 13 in the same manner pending claim 2 is anticipated by patented claims 1 and 2.
Regarding pending claim 13, the limitations of said claim are anticipated by patented claim 14.
Regarding pending claim 14, the limitations of said claim are anticipated by patented claim 15.
Regarding pending claim 15, the limitations of said claim are anticipated by patented claim 16.
Regarding pending claim 16, the limitations of said claim are anticipated by patented claim 17.
Regarding pending claim 17, the limitations of said claim are anticipated by patented claim 18.
Regarding pending claim 18, the limitations of said claim are anticipated by patented claim 19.
Regarding pending claim 19, the limitations of said claim are anticipated by patented claim 12.
Regarding pending claim 20, the limitations of said claim are anticipated by patented claim 20 in the same manner pending claim 1 is anticipated by patented claim 1.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.
Claims 7 and 17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Regarding claims 7 and 17, each of said claims recites “comparing the access control policy . . . to a configured access control policy”. There is antecedent basis for “the access control policy” in each of claims 7 and 17’s respective parent claim. However, “the access control policy”, by virtue of its being created in the respective parent claim, appears to have also have been “configured” (via its creation) and thus the intended scope of the recited “configured access control policy” (contrasted with “the access control policy”) is rendered unclear and indefinite. It is unclear, for example, how “the access control policy” is not also a “configured” access control policy, and thus what the scope of a “configured access control policy” actually is.
In order to perform a complete examination, the above language has been interpreted broadly.
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA ) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1, 3, 4, 6, 10, 11, 13, 14, 16, and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Miriyala (US-20210306338-A1). Regarding claim 1, Miriyala shows a network controller comprising: processing circuitry ([86-88]); and a server (Fig. 1, see item 23) to process one or more requests for operations on one or more resources of a container orchestration system, wherein the server is configured for execution by the processing circuitry to ([86-88]): obtain a request ([39,48], see “send a request to access policy controller. . .”) to generate an access control policy for a role ([45], see “specify a role”) in the container orchestration system ([15] and Fig. 1 item 130), the request specifying one or more functions of an interface provided by the server ([33] discussing “API access lists”, [40] discussing “one or more operations to be performed” and [41] discussing an administrator providing input to “specify one or more functions”); parse data from executing the one or more functions ([52-54] discussing analysis of a “record or log” of the “one or more operations performed” and [60-61] discussing identification and use of particular data from formatted files such as logs, which is determined to be within the broadest reasonable interpretation of the claimed “parse” operation) to determine a resource of the container orchestration system ([15]) to be accessed from executing the one or more functions and one or more types of operations to be performed on the resource from executing the one or more functions ([50-54], e.g., see [53] reciting to “record or log the function specified by administrator 24, every object on which at least one operation is performed. . .”); and create, based at least in part on the parsed data, the access control policy for the role that permits access for the one or more types of operations to be performed on the resource ([40,79], see, e.g., [40] reciting to “generate an access control policy for the role that permits the associated role to perform the one or more operations on the one or more objects”).
Regarding claim 3, Miriyala further shows wherein the server is further configured for execution by the processing circuitry to: record, for each function of the one or more functions in the data from executing the one or more functions, an event that indicates one or more resources accessed by executing the function and a respective one or more types of operations performed on each of the one or more resources by executing the function ([62]).
Regarding claim 4, Miriyala further shows the network controller of claim 1, wherein to parse the data, the server is further configured for execution by the processing circuitry to: filter the data based at least in part ([60], see “determine the relevant . . .”) on timestamps of events recorded in the data ([56,60-62,78]).
Regarding claim 6, Miriyala further shows the network controller of claim 1, wherein to parse the data, the server is further configured for execution by the processing circuitry to: determine, based on the data ([60-61] discussing “one or more logs”), an association between each of the one or more resources ([61-62] discussing a targeted object) of the container orchestration system ([15]) and the one or more types of operations ([62] noting the particular CRUD operation).
Regarding claim 10, Miriyala further shows the network controller of claim 1, wherein each of the respective one or more operations include one or more of create, read, update, and delete (CRUD) operations ([42,78]). Regarding claims 11 and 20, the limitations of said claims are rejected in the analysis of claim 1.
Regarding claim 13, the limitations of said claim are rejected in the analysis of claim 3.
Regarding claim 14, the limitations of said claim are rejected in the analysis of claim 4.
Regarding claim 16, the limitations of said claim are rejected in the analysis of claim 6.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary kill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Miriyala in view of Ghare (US-20200159648-A1).
Regarding claim 2, Miriyala shows the network controller of claim 1, wherein the server is further configured for execution by the processing circuitry to: perform a first respective one or more operations indicated by the one or more functions on each of a first one or more resources indicated by the one or more functions ([51-55], e.g., [55] discussing tracking indications of each of the one or more operations performed); determine, based at least in part on the first respective one or more operations to be performed on each of the first one or more resources, a second respective one or more operations to be performed on each of a second one or more resources ([51-55]); perform the second respective one or more operations on each of the second one or more resources ([62]); andlog performance of the first respective one or more operations and performance of the second respective one or more operations in the data from executing the one or more functions ([62]). Miriyala does not show monitoring operations that are not indicated by the one or more functions. Ghare shows monitoring operations that are not indicated by the one or more functions ([53], discussing monitoring performance of application execution and tracking if an unexpected action was performed).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Miriyala with the performance tracking of Ghare in order to ensure unintended and/or unexpected actions are noted and thus ensure that the evaluated policy/application execution is resulting in the intended behavior in the controlled system, thus better ensuring reliable and consistent operation.
Regarding claim 12, the limitations of said claim are rejected in the analysis of claim 2.
Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Miriyala in view of Parthasarathy (US-11599288-B2).
Regarding claim 5, Miriyala shows filtering the data based at least in part on events recorded in the data ([56,60-62,78]). Miriyala does not show filtering based on namespaces. Parthasarathy shows filtering based on namespaces (col. 8 lines 5-35).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Miriyala with the namespace awareness of Parthasarathy in order to ensure strong data isolation is tracked and maintained, better ensuring the resultant system has the desired privacy and data protectections.
Regarding claim 15, the limitations of said claim are rejected in the analysis of claim 5.
Claims 7 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Miriyala in view of Bhatti (US-20130326579-A1).
Regarding claim 7, Miriyala shows claim 1.
Miriyala does not show to: validate the access control policy for the role based at least in part by comparing the access control policy for the role to a configured access control policy for the role. Bhatti shows to: validate the access control policy for the role based at least in part by comparing the access control policy for the role ([56]) to a configured access control policy ([11,14,19,59]) for the role ([56]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Miriyala with the policy tracking and validation of Bhatti in order to ensure sufficient data protection while lowering administrative overhead (Bhatti, [4-8]).
Regarding claim 17, the limitations of said claim are rejected in the analysis of claim 7.
Claims 8 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Miriyala in view of Liu (US-20220321495-A1).
Regarding claim 8, Miriyala shows claim 1, including wherein the one or more functions include one or more requests for operations on one or more instances of resources for software-defined networking (SDN) architecture configuration ([73-75]), wherein each of the resources for SDN architecture configuration corresponds to a type of configuration object ([33]) in a SDN architecture system ([77]). Miriyala does not show consideration and evaluation of custom resources. Liu shows consideration and evaluation of custom resources ([22,27]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Miriyala with the containerized, SDN-based awareness of Liu in order to ensure data relevant to the particular implementation environment is sufficiently tracked and evaluated when the resultant role-based permission evaluations are performed.
Regarding claim 18, the limitations of said claim are rejected in the analysis of claim 8.
Claims 9 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Miriyala in view of Cao (US-20220019455-A1) and Liu.
Regarding claim 9, Miriyala shows wherein the server includes ([74]) an application programming interface (API) server to process requests for operations ([75]) on resources of the container orchestration system ([15]) and a server to process requests for operations on resources for software-defined networking (SDN) architecture configuration ([74-75]), Miriyala does not show consideration and use of a custom API server. Cao shows consideration and use of a custom API server ([47-48]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify Miriyala with the API-server evaluation of Cao in order to methods and frameworks utilized in the resultant implementation environment are properly evaluated, ensuring the correct role-based policy evaluations are fully performed and analyzed. The above combination does not show consideration and evaluation of custom resources, and wherein the one or more functions include requests for operations on instances of one or more native resources of the container orchestration system. Liu shows show consideration and evaluation of custom resources ([22,27]) and wherein the one or more functions include requests for operations on instances of one or more native resources (e.g., Kubernetes resources and discussed in Figs. 3-5) of the container orchestration system (e.g., Kubernetes, see noted Figs. 3 – 5 and the discussion of intent-based request evaluation when monitoring API function invocations as discussed in [24,27-28]).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the above combination in order to improve operations tracking in popular deployment environments such as Kubernetes (Liu, [2-4]).
Regarding claim 19, the limitations of said claim are rejected in the analysis of claim 9.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. This includes:
Kosaka (US-20200218798-A1), Bejarano Ardila (US-10021115-B2), and Weintraub (US-20190342304-A1).
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN M MACILWINEN whose telephone number is (571)272-9686. The examiner can normally be reached Monday - Friday, 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Glenton B Burgess can be reached at (571) 272 - 3949. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
JOHN MACILWINEN
Primary Examiner
Art Unit 2442
/JOHN M MACILWINEN/Primary Examiner, Art Unit 2454