1、Apache Ldap API
持續發展的增強型LDAP API,用於代替JNDI、jLdap、Mozila LDAP等現存的LDAP API,是schema aware的,支持所有的LDAP server
獲取用戶與用戶組間的映射關系
核心代碼:
EntryCursor cursor = connection.search( "ou=system", "(objectclass=*)", SearchScope.ONELEVEL, "*" ); while ( cursor.next() ) { Entry entry = cursor.get(); // Process the entry ... }
2、Sentry API
(1)做組、角色、權限間的操作
| 類 |
含義 |
| TSentryGroup |
組 |
| TSentryRole |
角色 |
| TSentryPrivilege |
權限 |
(2)SentryPolicyServiceClient核心方法
| 獲取權限情況 |
Set<TSentryPrivilege> listAllPrivilegesByRoleName(requestor, roleName) |
根據角色名獲取擁有的權限 |
| Set<TSentryRole> listRolesByGroupName(requestor, groupName) |
根據組名獲取擁有的權限 |
|
| 角色管理 |
client.listAllRoles(requestor) |
列出所有角色 |
| createRole(requestor, roleName) |
創建角色 |
|
| dropRoleIfExists(requestor, roleName) |
刪除角色 |
|
| 賦權 |
grantDatabasePrivilege(requestor, roleName, server, db, action.getAction()) |
給某角色賦某庫的權限 |
| grantTablePrivilege(requestor, roleName, server, db, table, action.getAction()) |
給某角色賦某表的權限 |
|
| grantColumnPrivilege(requestor, roleName, server, db, table, column, action.getAction()) |
給某角色賦某列的權限 |
|
| 收權 |
revokeDatabasePrivilege(requestor, roleName, server, db, action.getAction()) |
回收某用戶對於某庫的權限 |
| revokeTablePrivilege(requestor, roleName, server, db, table, action.getAction()) |
回收某用戶對於某表的權限 |
|
| revokeColumnPrivilege(requestor, roleName, server, db, table, column, action.getAction()) |
回收某用戶對於某列的權限 |