
适用于私有云的 Edge v4.18.01

借助外部角色映射,您可以将自己的群组或角色映射到基于角色的访问权限控制 在 Apigee Edge 上创建的 (RBAC) 角色和群组。此功能仅适用于 Edge Private Cloud 的最新动态和提示。


4.18.01 之前版本的 Edge for Private Cloud 的外部角色映射服务 已弃用。外部角色映射 4.18.01 版是更新版,修复了一些 bug 和新增的功能:

  • 修复了在以下情况下收到身份验证 403 禁止响应的问题: 向应该拥有访问权限的用户进行身份验证。
  • X-Apigee-Current-User 外部角色映射中现在支持标头。拥有适当访问权限的用户(系统管理员)现在可以 查看分配给其他用户的角色。


  • 您必须是具有全局系统管理员的 Apigee Private Cloud 系统管理员 凭据执行此配置。
  • 您需要知道 Apigee Edge 私有云安装的根目录。通过 默认根目录为 /opt


  1. 在完成以下配置之前,您必须创建一个 Java 类, 实现 ExternalRoleMapperServiceV2 接口,并将您的实现包含在 管理服务器类路径:


    如需详细了解此实现,请参阅关于 ExternalRoleMapperImpl 部分 实现示例
  2. 登录您的 Apigee Edge 管理服务器,然后停止管理服务器 进程:
    >/opt/apigee/apigee-service/bin/apigee-service 边缘管理服务器停止
  3. 打开 /opt/apigee/customer/application/management-server.properties 文本编辑器中。如果此文件不存在,请创建它。
  4. 修改属性文件,进行以下设置:
    # 要使用的用户存储区 身份验证。
    # 使用“externalized.authentication”。
    # 请注意,对于授权,我们会继续使用 LDAP。
    # 请参阅启用外部身份验证 到这里就结束了

    conf_security_externalized.authentication.role.mapper.enabled=true conf_security_externalized.authentication.role.mapper.implementation.class=

    上述配置中引用的实现类和软件包名称 (ExternalRoleMapperImpl) 只是示例,您必须实现这个类, 您可以随意命名该类并进行打包。如需详细了解如何实现 请参阅关于 ExternalRoleMapperImpl 实现示例类。这是一个 您必须实施一些方法来反映您自己的群体。
  5. 保存 management-server.properties 文件。
  6. 确保 management-server.properties 的所有者是 Apigee 用户:?
    >chown apigee:apigee /opt/apigee/customer/application/management-server.properties
  7. 启动管理服务器:
    >/opt/apigee/apigee-service/bin/apigee-service 边缘管理服务器启动



  1. 打开 /opt/apigee/customer/application/management-server.properties 文本编辑器中。如果该文件不存在,请创建该文件。
  2. 将身份验证用户存储区更改为 ldap:
  3. 将此属性设置为 false:
  4. 重启管理服务器:
    >/opt/apigee/apigee-service/bin/apigee-service 边缘管理服务器启动

ExternalRoleMapperImpl 简介 实现示例

在之前启用外部角色映射部分所述的 security.properties 配置文件中,请注意以下行:


此类实现了 ExternalRoleMapperServiceV2 接口,是必需的。您需要 根据相应的组创建该类的实现。完成后, 将编译的类放入 JAR 中,并将该 JAR 放入管理服务器的类路径中:

<ph type="x-smartling-placeholder">

您可以随意命名该类和打包该类,只要它能够实现即可 ExternalRoleMapperServiceV2 可在类路径中访问,可在 management-server.properties 配置文件。

下面提供了一个 ExternalRoleMapperImpl 类的实现示例,得到了充分注释。

package com.customer.authorization.impl;

import com.apigee.authentication.*;
import com.apigee.authorization.namespace.OrganizationNamespace;
import com.apigee.authorization.namespace.SystemNamespace;
import java.util.Collection;
import java.util.HashSet;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** *
* Sample Implementation constructed with dummy roles with expected namespaces.

public class ExternalRoleMapperImpl
       implements ExternalRoleMapperServiceV2 {

   InitialDirContext dirContext = null;

   public void start(ConfigBean arg0) throws ConnectionException {

       try {
           // Customer Specific Implementation will override the
           // ImplementDirContextCreationLogicForSysAdmin method implementation.
           // Create InitialDirContext based on the system admin user credentials.
           dirContext = ImplementDirContextCreationLogicForSysAdmin();
       } catch (NamingException e) {
           // TODO Auto-generated catch block
           throw new ConnectionException(e);

   public void stop() throws Exception {

    * This method should be replaced with customer's implementation
    * For given roleName under expectedNamespace, return all users that belongs to this role
    * @param roleName
    * @param expectedNamespace
    * @return All users that belongs to this role. For each user, please return the username/email that is stored in Apigee LDAP
    * @throws ExternalRoleMappingException
   public Collection<String> getUsersForRole(String roleName, NameSpace expectedNamespace) throws ExternalRoleMappingException {
       Collection<String> users = new HashSet<>();
       if (expectedNamespace instanceof SystemNamespace) {
           // If requesting all users with sysadmin role
           if (roleName.equalsIgnoreCase("sysadmin")) {
               // Add sysadmin's email to results
       } else {
           String orgName = ((OrganizationNamespace) expectedNamespace).getOrganization();
           // If requesting all users of engRole in Apigee LDAP
           if (roleName.equalsIgnoreCase("engRole")) {
               // Get all users in corresponding groups in customer's LDAP. In this case looking for 'engGroup';
               SearchControls controls = new SearchControls();
               try {
                   NamingEnumeration<SearchResult> res = dirContext.search("ou=groups,dc=corp,dc=wacapps,dc=net",
                           "cn=engGroup", new Object[]{"",""}, controls);
                   while (res.hasMoreElements()) {
                       SearchResult sr = res.nextElement();
                       // Add all users into return
               } catch (NamingException e) {
                   // Customer needs to handle the exception here
       return users;

    * This method would be implemented by the customer and would be invoked
    * while including using X-Apigee-Current-User header in request.
    * X-Apigee-Current-User allows the customer to login as another user
    * Below is the basic example.
    * If User has sysadmin role then it's expected to set SystemNameSpace
    * along with the expected NameSpace. Otherwise role's expectedNameSpace
    * to be set for the NameSpacedRole.
    * Collection<NameSpacedRole> results = new HashSet<NameSpacedRole>();
    * NameSpacedRole sysNameSpace = new NameSpacedRole("sysadmin",
    * SystemNamespace.get());
    * String orgName =
    * ((OrganizationNamespace) expectedNameSpace).getOrganization();
    * NameSpacedRole orgNameSpace = new NameSpacedRole ("orgadmin",
    * expectedNameSpace);
    * results.add(sysNameSpace);
    * results.add(orgNameSpace);
    * @param username UserA's username
    * @param password UserA's password
    * @param requestedUsername UserB's username. Allow UserA to request UserB's userroles with
    *                          UserA's credentials when requesting UserB as X-Apigee-Current-User
    * @param expectedNamespace
    * @return
    * @throws ExternalRoleMappingException
   public Collection<NameSpacedRole> getUserRoles(String username, String password, String requestedUsername, NameSpace expectedNamespace) throws ExternalRoleMappingException {
       /******************** Authenticate UserA ********************/

       // Customer Specific Implementation will override the
       // ImplementDnameLookupLogic method implementation.

       // obtain dnName for given username.
       String dnName = ImplementDnNameLookupLogic(username);
       // Obtain dnName for given requestedUsername.
       String requestedDnName = ImplementDnNameLookupLogic(requestedUsername);

       if (dnName == null || requestedDnName == null) {
           System.out.println("Error ");

       DirContext dirContext = null;
       try {

           // Customer Specific Implementation will override the
           // ImplementDirectoryContextCreationLogic method implementation

           // Create a directory context with dnName or requestedDnName and password
           dirContext = ImplementDirectoryContextCreationLogic();

           /*** Map internal groups to apigee-edge roles ***/
           return apigeeEdgeRoleMapper(dirContext, requestedDnName, expectedNamespace);

       } catch (Exception ex) {
           System.out.println("Error in authenticating User: {}" + new Object[] { username });

       } finally {
           // Customer implementation to close
           // ActiveDirectory/LDAP context.

       return null;


    * This method would be implemented by the customer and would be invoked
    * wihle using username and password for authentication and without the
    * X-Apigee-Current-User header
    * The customer can reuse implementations in
    *      getUserRoles(String username, String password, String requestedUsername, NameSpace expectedNamespace)
    * by
    *      return getUserRoles(username, password, username, expectedNamespace)
    * in implementations.
    * or the customer can provide new implementations as shown below.

   public Collection<NameSpacedRole> getUserRoles(String username, String password, NameSpace expectedNamespace) throws ExternalRoleMappingException {
       /****************** Authenticate Given User ******************/

       // Customer Specific Implementation will override the
       // ImplementDnameLookupLogic implementation.

       // Obtain dnName for given username or email address.
       String dnName = ImplementDnNameLookupLogic(username);

       if (dnName == null) {
           System.out.println("Error ");

       DirContext dirContext = null;
       try {
           // Create a directory context with username or dnName and password
           dirContext = ImplementDirectoryContextCreationLogic();

           /*** Map internal groups to apigee-edge roles ***/
           return apigeeEdgeRoleMapper(dirContext, dnName, expectedNamespace);

       } catch (Exception ex) {
           System.out.println("Error in authenticating User: {}" + new Object[] { username });

       } finally {
           // Customer implementation to close
           // ActiveDirectory/LDAP context.

       return null;

    * This method would be implemented by the customer and would be invoked
    * while using security token or access token as authentication credentials.
   public Collection<NameSpacedRole> getUserRoles(String username, NameSpace expectedNamespace) throws ExternalRoleMappingException {

       /****************** Authenticate Given User ******************/

       // Customer Specific Implementation will override the
       // ImplementDnameLookupLogic implementation.

       // Obtain dnName for given username or email address.
       String dnName = ImplementDnNameLookupLogic(username);

       if (dnName == null) {
           System.out.println("Error ");

       DirContext dirContext = null;
       try {
           // Create a directory context with username or dnName and password
           dirContext = ImplementDirectoryContextCreationLogic();

           /*** Map internal groups to apigee-edge roles ***/
           return apigeeEdgeRoleMapper(dirContext, dnName, expectedNamespace);

       } catch (Exception ex) {
           System.out.println("Error in authenticating User: {}" + new Object[] { username });

       } finally {
           // Customer implementation to close
           // ActiveDirectory/LDAP context.

       return null;

    *  This method should be replaced with Customer Specific Implementations
    *  Provided as a sample Implementation of mapping user groups to apigee-edge roles
   private Collection<NameSpacedRole> apigeeEdgeRoleMapper(DirContext dirContext, String dnName, NameSpace expectedNamespace) throws Exception {

       Collection<NameSpacedRole> results = new HashSet<NameSpacedRole>();

       /************ Fetch internal groups *****************/

       String groupDN = "OU=Groups,DC=corp,DC=wacapps,DC=net";
       String userFilter = "(user=userDnName)";
       SearchControls controls = new SearchControls();

       // Looking for all groups the user belongs to in customer's LDAP
       NamingEnumeration<SearchResult> groups = dirContext.search(groupDN,userFilter.replace("userDnName", dnName), new Object[] { "", "" }, controls);

       if (groups.hasMoreElements()) {
           while (groups.hasMoreElements()) {
               SearchResult searchResult = groups.nextElement();
               Attributes attributes = searchResult.getAttributes();
               String groupName = attributes.get("name").get().toString();

               /*** Map internal groups to apigee-edge roles ***/

               if (groupName.equals("BusDev")) {
                   results.add(new NameSpacedRole("businessAdmin",SystemNamespace.get()));

               } else if (groupName.equals("Engineering")) {
                   if (expectedNamespace instanceof OrganizationNamespace) {
                       String orgName = ((OrganizationNamespace) expectedNamespace).getOrganization();
                       results.add(new NameSpacedRole("orgadmin", new OrganizationNamespace(orgName)));

               } else if (groupName.equals("Marketing")) {
                   results.add(new NameSpacedRole("marketAdmin",SystemNamespace.get()));

               } else {
                   results.add(new NameSpacedRole("readOnly",SystemNamespace.get()));

       } else {
           // In case of no group found or exception found we throw empty roles.
           System.out.println(" !!!!! NO  GROUPS FOUND !!!!!");
       return results;

    * The customer need to replace with own implementations for getting dnName for given user
   private String ImplementDnNameLookupLogic(String username) {
       // Connect to the customer's own LDAP to fetch user dnName
       return customerLDAP.getDnName(username);

    * The customer need to replace with own implementations for creating DirContext
   private DirContext ImplementDirectoryContextCreationLogic() {
       // Connect to the customer's own LDAP to create DirContext for given user
       return customerLDAP.createLdapContextUsingCredentials();
