1. Apache LDAP API
An actively developed, enhanced LDAP API intended to replace existing LDAP APIs such as JNDI, jLdap and Mozilla LDAP; it is schema-aware and works with any LDAP server.
Obtaining the mapping between users and user groups
Core code:
```java
import org.apache.directory.api.ldap.model.cursor.EntryCursor;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

// The page only shows the search loop; host, port and bind credentials below are assumed (ApacheDS defaults).
try (LdapConnection connection = new LdapNetworkConnection("localhost", 10389)) {
    connection.bind("uid=admin,ou=system", "secret");
    // One-level search under ou=system, returning all user attributes ("*")
    try (EntryCursor cursor = connection.search("ou=system", "(objectclass=*)", SearchScope.ONELEVEL, "*")) {
        while (cursor.next()) {
            Entry entry = cursor.get();
            // Process the entry ...
        }
    }
}
```
2. Sentry API
(1) Operations on groups, roles and privileges
| Class | Meaning |
|---|---|
| TSentryGroup | Group |
| TSentryRole | Role |
| TSentryPrivilege | Privilege |
(2) Core methods of SentryPolicyServiceClient
| Category | Method | Meaning |
|---|---|---|
| Query privileges | Set<TSentryPrivilege> listAllPrivilegesByRoleName(requestor, roleName) | Get the privileges held by a role, by role name |
| Query privileges | Set<TSentryRole> listRolesByGroupName(requestor, groupName) | Get the roles (and through them the privileges) held by a group, by group name |
| Role management | client.listAllRoles(requestor) | List all roles |
| Role management | createRole(requestor, roleName) | Create a role |
| Role management | dropRoleIfExists(requestor, roleName) | Drop a role |
| Grant | grantDatabasePrivilege(requestor, roleName, server, db, action.getAction()) | Grant a role a privilege on a database |
| Grant | grantTablePrivilege(requestor, roleName, server, db, table, action.getAction()) | Grant a role a privilege on a table |
| Grant | grantColumnPrivilege(requestor, roleName, server, db, table, column, action.getAction()) | Grant a role a privilege on a column |
| Revoke | revokeDatabasePrivilege(requestor, roleName, server, db, action.getAction()) | Revoke a role's privilege on a database |
| Revoke | revokeTablePrivilege(requestor, roleName, server, db, table, action.getAction()) | Revoke a role's privilege on a table |
| Revoke | revokeColumnPrivilege(requestor, roleName, server, db, table, column, action.getAction()) | Revoke a role's privilege on a column |
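As an added example (not code from the page or from the Apache Directory / Sentry projects), the two halves above combined into an audit helper: the LDAP API resolves a user's groups, then Sentry's listRolesByGroupName and listAllPrivilegesByRoleName walk group -> role -> privilege to list what the user can effectively do. Assumed: an LDAP directory where groups are groupOfNames entries with member attributes, a sentry-site.xml on the classpath, and the host names, DNs and requestor name shown.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import org.apache.directory.api.ldap.model.cursor.EntryCursor;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.filter.FilterEncoder;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.apache.hadoop.conf.Configuration;
import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
import org.apache.sentry.provider.db.service.thrift.SentryServiceClientFactory;
import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
import org.apache.sentry.provider.db.service.thrift.TSentryRole;

public class EffectivePrivilegeAudit {
    /** Groups the user belongs to (assumed schema: groupOfNames entries whose member attribute holds the user DN). */
    static Set<String> groupsOfUser(LdapConnection conn, String groupBase, String userDn) throws Exception {
        Set<String> groups = new LinkedHashSet<>();
        // Encode the DN before splicing it into the filter so special characters cannot alter the query
        String filter = "(&(objectClass=groupOfNames)(member=" + FilterEncoder.encodeFilterValue(userDn) + "))";
        try (EntryCursor cursor = conn.search(groupBase, filter, SearchScope.ONELEVEL, "cn")) {
            while (cursor.next()) {
                Entry entry = cursor.get();
                if (entry.get("cn") != null) groups.add(entry.get("cn").getString());
            }
        }
        return groups;
    }

    /** Every privilege reachable from the user's groups: group -> Sentry role -> privilege, one line each. */
    static Set<String> effectivePrivileges(SentryPolicyServiceClient client, String requestor, Set<String> groups) throws Exception {
        Set<String> out = new LinkedHashSet<>();
        for (String group : groups) {
            for (TSentryRole role : client.listRolesByGroupName(requestor, group)) {
                for (TSentryPrivilege p : client.listAllPrivilegesByRoleName(requestor, role.getRoleName())) {
                    out.add(group + " -> " + role.getRoleName() + " -> " + p.getAction() + " on "
                            + p.getServerName() + "/" + p.getDbName() + "/" + p.getTableName());
                }
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        try (LdapConnection conn = new LdapNetworkConnection("ldap.example.org", 389)) { // assumed host
            conn.bind("uid=audit,ou=users,dc=example,dc=org", args[0]);            // assumed bind DN
            Set<String> groups = groupsOfUser(conn, "ou=groups,dc=example,dc=org", "uid=alice,ou=users,dc=example,dc=org");
            Configuration conf = new Configuration();
            conf.addResource("sentry-site.xml");                                     // assumed to be on the classpath
            SentryPolicyServiceClient client = SentryServiceClientFactory.create(conf);
            try { effectivePrivileges(client, "audit", groups).forEach(System.out::println); } finally { client.close(); }
        }
    }
}
```

Run it for each account during a periodic access review: a privilege that appears under a group the user should no longer be in is the finding, and the matching revoke method from the table above is the fix.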