1. Apache LDAP API
A continuously developed, enhanced LDAP API intended to replace existing LDAP APIs such as JNDI, jLDAP and Mozilla LDAP. It is schema aware and works with any LDAP server.
Obtaining the mapping between users and user groups
Core code:
```java
import org.apache.directory.api.ldap.model.cursor.EntryCursor;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.message.SearchScope;

// 'connection' is an already opened and bound LdapConnection (e.g. an LdapNetworkConnection).
// One-level search under ou=system, requesting all user attributes ("*").
try ( EntryCursor cursor = connection.search( "ou=system", "(objectclass=*)", SearchScope.ONELEVEL, "*" ) )
{
    while ( cursor.next() )
    {
        Entry entry = cursor.get();
        // Process the entry ...
    }
}
```
2. Sentry API
(1) Operations on groups, roles and privileges
| Class | Meaning |
|---|---|
| TSentryGroup | Group |
| TSentryRole | Role |
| TSentryPrivilege | Privilege |
(2) Core methods of SentryPolicyServiceClient
| Category | Method | Meaning |
|---|---|---|
| Query privileges | Set<TSentryPrivilege> listAllPrivilegesByRoleName(requestor, roleName) | Get the privileges held by a role, by role name |
| | Set<TSentryRole> listRolesByGroupName(requestor, groupName) | Get the roles held by a group (and through them its privileges), by group name |
| Role management | listAllRoles(requestor) | List all roles |
| | createRole(requestor, roleName) | Create a role |
| | dropRoleIfExists(requestor, roleName) | Drop a role |
| Grant | grantDatabasePrivilege(requestor, roleName, server, db, action.getAction()) | Grant a role privileges on a database |
| | grantTablePrivilege(requestor, roleName, server, db, table, action.getAction()) | Grant a role privileges on a table |
| | grantColumnPrivilege(requestor, roleName, server, db, table, column, action.getAction()) | Grant a role privileges on a column |
| Revoke | revokeDatabasePrivilege(requestor, roleName, server, db, action.getAction()) | Revoke a role's privileges on a database |
| | revokeTablePrivilege(requestor, roleName, server, db, table, action.getAction()) | Revoke a role's privileges on a table |
| | revokeColumnPrivilege(requestor, roleName, server, db, table, column, action.getAction()) | Revoke a role's privileges on a column |
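As an added example (not code from the page or from the Sentry project), the helper below combines the methods in the table: it grants a role SELECT on a single table rather than a whole database, reads the role's privileges back for verification, and audits every role a group holds for database-wide grants. It assumes an already created SentryPolicyServiceClient, a requestor principal with admin rights, and that the action string comes from AccessConstants (an assumption; the page passes action.getAction() instead).

```java
import java.util.HashSet;
import java.util.Set;

import org.apache.sentry.core.model.db.AccessConstants;   // assumed source of the "select" action string
import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
import org.apache.sentry.provider.db.service.thrift.TSentryRole;

// Example helper, not part of the page: table-scoped grants plus a group-level audit.
public class SentryLeastPrivilege {

    // Grant read access at table scope only, creating the role if it does not exist yet.
    public static Set<TSentryPrivilege> grantTableSelect(SentryPolicyServiceClient client,
            String requestor, String roleName, String server, String db, String table)
            throws Exception {
        boolean exists = false;
        for (TSentryRole r : client.listAllRoles(requestor)) {
            if (r.getRoleName().equalsIgnoreCase(roleName)) {
                exists = true;
            }
        }
        if (!exists) {
            client.createRole(requestor, roleName);
        }
        client.grantTablePrivilege(requestor, roleName, server, db, table, AccessConstants.SELECT);
        // Read back what the role now holds so the caller can verify exactly what was granted.
        return client.listAllPrivilegesByRoleName(requestor, roleName);
    }

    // Returns "role: db action" entries for every privilege reachable from the group that is
    // not restricted to a table; these database- or server-wide grants are the ones to review.
    public static Set<String> findBroadGrants(SentryPolicyServiceClient client,
            String requestor, String groupName) throws Exception {
        Set<String> broad = new HashSet<>();
        for (TSentryRole role : client.listRolesByGroupName(requestor, groupName)) {
            for (TSentryPrivilege p : client.listAllPrivilegesByRoleName(requestor, role.getRoleName())) {
                // A privilege with no table name applies to the whole database (or server).
                if (p.getTableName() == null || p.getTableName().isEmpty()) {
                    broad.add(role.getRoleName() + ": " + p.getDbName() + " " + p.getAction());
                }
            }
        }
        return broad;
    }
}
```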
