From br...@apache.org
Subject [2/3] SENTRY-17: Separate sentry-provider to hive specific and non-specific packages
Date Wed, 02 Oct 2013 19:55:00 GMT
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestResourceAuthorizationProviderGeneralCases.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestResourceAuthorizationProviderGeneralCases.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestResourceAuthorizationProviderGeneralCases.java
deleted file mode 100644
index a8a946d..0000000
--- a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestResourceAuthorizationProviderGeneralCases.java
+++ /dev/null
@@ -1,176 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.file;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.Arrays;
-import java.util.EnumSet;
-import java.util.List;
-
-import junit.framework.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.AccessConstants;
-import org.apache.sentry.core.Action;
-import org.apache.sentry.core.Authorizable;
-import org.apache.sentry.core.Database;
-import org.apache.sentry.core.Server;
-import org.apache.sentry.core.Subject;
-import org.apache.sentry.core.Table;
-import org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFiles;
-import org.apache.sentry.provider.file.ResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.SimplePolicyEngine;
-import org.junit.After;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Objects;
-import com.google.common.collect.HashMultimap;
-import com.google.common.collect.Multimap;
-import com.google.common.io.Files;
-
-
-public class TestResourceAuthorizationProviderGeneralCases {
-
-  private static final Logger LOGGER = LoggerFactory
-      .getLogger(TestResourceAuthorizationProviderGeneralCases.class);
-
-  private static final Multimap<String, String> USER_TO_GROUP_MAP = HashMultimap
-      .create();
-
-  private static final Subject SUB_ADMIN = new Subject("admin1");
-  private static final Subject SUB_MANAGER = new Subject("manager1");
-  private static final Subject SUB_ANALYST = new Subject("analyst1");
-  private static final Subject SUB_JUNIOR_ANALYST = new Subject("jranalyst1");
-
-  private static final Server SVR_SERVER1 = new Server("server1");
-  private static final Server SVR_ALL = new Server(AccessConstants.ALL);
-
-  private static final Database DB_CUSTOMERS = new Database("customers");
-  private static final Database DB_ANALYST = new Database("analyst1");
-  private static final Database DB_JR_ANALYST = new Database("jranalyst1");
-
-  private static final Table TBL_PURCHASES = new Table("purchases");
-
-  private static final EnumSet<Action> ALL = EnumSet.of(Action.ALL);
-  private static final EnumSet<Action> SELECT = EnumSet.of(Action.SELECT);
-  private static final EnumSet<Action> INSERT = EnumSet.of(Action.INSERT);
-
-  static {
-    USER_TO_GROUP_MAP.putAll(SUB_ADMIN.getName(), Arrays.asList("admin"));
-    USER_TO_GROUP_MAP.putAll(SUB_MANAGER.getName(), Arrays.asList("manager"));
-    USER_TO_GROUP_MAP.putAll(SUB_ANALYST.getName(), Arrays.asList("analyst"));
-    USER_TO_GROUP_MAP.putAll(SUB_JUNIOR_ANALYST.getName(),
-        Arrays.asList("jranalyst"));
-  }
-
-  private final ResourceAuthorizationProvider authzProvider;
-  private File baseDir;
-
-  public TestResourceAuthorizationProviderGeneralCases() throws IOException {
-    baseDir = Files.createTempDir();
-    PolicyFiles.copyToDir(baseDir, "test-authz-provider.ini", "test-authz-provider-other-group.ini");
-    authzProvider = new HadoopGroupResourceAuthorizationProvider(
-        new SimplePolicyEngine(new File(baseDir, "test-authz-provider.ini").getPath(), "server1"),
-        new MockGroupMappingServiceProvider(USER_TO_GROUP_MAP));
-
-  }
-
-  @After
-  public void teardown() {
-    if(baseDir != null) {
-      FileUtils.deleteQuietly(baseDir);
-    }
-  }
-
-  private void doTestAuthorizables(
-      Subject subject, EnumSet<Action> privileges, boolean expected,
-      Authorizable... authorizables) throws Exception {
-    List<Authorizable> authzHierarchy = Arrays.asList(authorizables);
-    Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters");
-      helper.add("authorizables", authzHierarchy).add("Privileges", privileges);
-    LOGGER.info("Running with " + helper.toString());
-    Assert.assertEquals(helper.toString(), expected,
-        authzProvider.hasAccess(subject, authzHierarchy, privileges));
-    LOGGER.info("Passed " + helper.toString());
-  }
-
-  private void doTestResourceAuthorizationProvider(Subject subject,
-      Server server, Database database, Table table,
-      EnumSet<Action> privileges, boolean expected) throws Exception {
-    List<Authorizable> authzHierarchy = Arrays.asList(new Authorizable[] {
-        server, database, table
-    });
-    Objects.ToStringHelper helper = Objects.toStringHelper("TestParameters");
-    helper.add("Subject", subject).add("Server", server).add("DB", database)
-    .add("Table", table).add("Privileges", privileges).add("authzHierarchy", authzHierarchy);
-    LOGGER.info("Running with " + helper.toString());
-    Assert.assertEquals(helper.toString(), expected,
-        authzProvider.hasAccess(subject, authzHierarchy, privileges));
-    LOGGER.info("Passed " + helper.toString());
-  }
-
-  @Test
-  public void testAdmin() throws Exception {
-    doTestResourceAuthorizationProvider(SUB_ADMIN, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, ALL, true);
-    doTestResourceAuthorizationProvider(SUB_ADMIN, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true);
-    doTestResourceAuthorizationProvider(SUB_ADMIN, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, INSERT, true);
-    doTestAuthorizables(SUB_ADMIN, SELECT, true, SVR_ALL, DB_CUSTOMERS, TBL_PURCHASES);
-
-  }
-  @Test
-  public void testManager() throws Exception {
-    doTestResourceAuthorizationProvider(SUB_MANAGER, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, ALL, false);
-    doTestResourceAuthorizationProvider(SUB_MANAGER, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true);
-    doTestResourceAuthorizationProvider(SUB_MANAGER, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, INSERT, false);
-    doTestResourceAuthorizationProvider(SUB_MANAGER, SVR_ALL, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true);
-  }
-  @Test
-  public void testAnalyst() throws Exception {
-    doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, ALL, false);
-    doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true);
-    doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, INSERT, false);
-    doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_ALL, DB_CUSTOMERS, TBL_PURCHASES, SELECT, true);
-
-    // analyst sandbox
-    doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_ANALYST, TBL_PURCHASES, ALL, true);
-    doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_ANALYST, TBL_PURCHASES, SELECT, true);
-    doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_ANALYST, TBL_PURCHASES, INSERT, true);
-    doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_ALL, DB_ANALYST, TBL_PURCHASES, SELECT, true);
-
-    // jr analyst sandbox
-    doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, ALL, false);
-    doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, SELECT, true);
-    doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, INSERT, false);
-    doTestResourceAuthorizationProvider(SUB_ANALYST, SVR_ALL, DB_JR_ANALYST, TBL_PURCHASES, SELECT, true);
-  }
-  @Test
-  public void testJuniorAnalyst() throws Exception {
-    doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, ALL, false);
-    doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, SELECT, false);
-    doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_CUSTOMERS, TBL_PURCHASES, INSERT, false);
-    doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_ALL, DB_CUSTOMERS, TBL_PURCHASES, SELECT, false);
-    // jr analyst sandbox
-    doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, ALL, true);
-    doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, SELECT, true);
-    doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_SERVER1, DB_JR_ANALYST, TBL_PURCHASES, INSERT, true);
-    doTestResourceAuthorizationProvider(SUB_JUNIOR_ANALYST, SVR_ALL, DB_JR_ANALYST, TBL_PURCHASES, SELECT, true);
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestResourceAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestResourceAuthorizationProviderSpecialCases.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestResourceAuthorizationProviderSpecialCases.java
deleted file mode 100644
index 14e2ff5..0000000
--- a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestResourceAuthorizationProviderSpecialCases.java
+++ /dev/null
@@ -1,117 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.file;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.EnumSet;
-import java.util.List;
-
-import junit.framework.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.AccessURI;
-import org.apache.sentry.core.Action;
-import org.apache.sentry.core.Authorizable;
-import org.apache.sentry.core.AuthorizationProvider;
-import org.apache.sentry.core.Server;
-import org.apache.sentry.core.Subject;
-import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.collect.ImmutableList;
-import com.google.common.io.Files;
-
-public class TestResourceAuthorizationProviderSpecialCases {
-  private AuthorizationProvider authzProvider;
-  private PolicyFile policyFile;
-  private File baseDir;
-  private File iniFile;
-  private String initResource;
-  @Before
-  public void setup() throws IOException {
-    baseDir = Files.createTempDir();
-    iniFile = new File(baseDir, "policy.ini");
-    initResource = "file://" + iniFile.getPath();
-    policyFile = new PolicyFile();
-  }
-
-  @After
-  public void teardown() throws IOException {
-    if(baseDir != null) {
-      FileUtils.deleteQuietly(baseDir);
-    }
-  }
-
-  @Test
-  public void testDuplicateEntries() throws Exception {
-    Subject user1 = new Subject("user1");
-    Server server1 = new Server("server1");
-    AccessURI uri = new AccessURI("file:///path/to/");
-    EnumSet<Action> actions = EnumSet.of(Action.ALL, Action.SELECT, Action.INSERT);
-    policyFile.addGroupsToUser(user1.getName(), true, "group1", "group1")
-      .addRolesToGroup("group1",  true, "role1", "role1")
-      .addPermissionsToRole("role1", true, "server=" + server1.getName() + "->uri=" + uri.getName(),
-          "server=" + server1.getName() + "->uri=" + uri.getName());
-    policyFile.write(iniFile);
-    authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, server1.getName());
-    List<Authorizable> authorizableHierarchy = ImmutableList.of(server1, uri);
-    Assert.assertTrue(authorizableHierarchy.toString(),
-        authzProvider.hasAccess(user1, authorizableHierarchy, actions));
-  }
-  @Test
-  public void testNonAbolutePath() throws Exception {
-    Subject user1 = new Subject("user1");
-    Server server1 = new Server("server1");
-    AccessURI uri = new AccessURI("file:///path/to/");
-    EnumSet<Action> actions = EnumSet.of(Action.ALL, Action.SELECT, Action.INSERT);
-    policyFile.addGroupsToUser(user1.getName(), "group1")
-      .addRolesToGroup("group1", "role1")
-      .addPermissionsToRole("role1", "server=" + server1.getName() + "->uri=" + uri.getName());
-    policyFile.write(iniFile);
-    authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, server1.getName());
-    // positive test
-    List<Authorizable> authorizableHierarchy = ImmutableList.of(server1, uri);
-    Assert.assertTrue(authorizableHierarchy.toString(),
-        authzProvider.hasAccess(user1, authorizableHierarchy, actions));
-    // negative tests
-    // TODO we should support the case of /path/to/./ but let's to that later
-    uri = new AccessURI("file:///path/to/./");
-    authorizableHierarchy = ImmutableList.of(server1, uri);
-    Assert.assertFalse(authorizableHierarchy.toString(),
-        authzProvider.hasAccess(user1, authorizableHierarchy, actions));
-    uri = new AccessURI("file:///path/to/../");
-    authorizableHierarchy = ImmutableList.of(server1, uri);
-    Assert.assertFalse(authorizableHierarchy.toString(),
-        authzProvider.hasAccess(user1, authorizableHierarchy, actions));
-    uri = new AccessURI("file:///path/to/../../");
-    authorizableHierarchy = ImmutableList.of(server1, uri);
-    Assert.assertFalse(authorizableHierarchy.toString(),
-        authzProvider.hasAccess(user1, authorizableHierarchy, actions));
-    uri = new AccessURI("file:///path/to/dir/../../");
-    authorizableHierarchy = ImmutableList.of(server1, uri);
-    Assert.assertFalse(authorizableHierarchy.toString(),
-        authzProvider.hasAccess(user1, authorizableHierarchy, actions));
-  }
-  @Test(expected=IllegalArgumentException.class)
-  public void testInvalidPath() throws Exception {
-    new AccessURI(":invaliduri");
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestSimplePolicyEngineDFS.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestSimplePolicyEngineDFS.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestSimplePolicyEngineDFS.java
deleted file mode 100644
index 34a734e..0000000
--- a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestSimplePolicyEngineDFS.java
+++ /dev/null
@@ -1,116 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.file;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.List;
-
-import junit.framework.Assert;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.FileSystem;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.hdfs.MiniDFSCluster;
-import org.apache.sentry.core.Authorizable;
-import org.apache.sentry.core.Database;
-import org.apache.sentry.core.Server;
-import org.junit.AfterClass;
-import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.ImmutableSetMultimap;
-import com.google.common.collect.Lists;
-import com.google.common.io.Files;
-
-public class TestSimplePolicyEngineDFS extends AbstractTestSimplePolicyEngine {
-
-  private static MiniDFSCluster dfsCluster;
-  private static FileSystem fileSystem;
-  private static Path root;
-  private static Path etc;
-
-  @BeforeClass
-  public static void setupLocalClazz() throws IOException {
-    File baseDir = getBaseDir();
-    Assert.assertNotNull(baseDir);
-    File dfsDir = new File(baseDir, "dfs");
-    Assert.assertTrue(dfsDir.isDirectory() || dfsDir.mkdirs());
-    Configuration conf = new Configuration();
-    conf.set(MiniDFSCluster.HDFS_MINIDFS_BASEDIR, dfsDir.getPath());
-    dfsCluster = new MiniDFSCluster.Builder(conf).numDataNodes(2).build();
-    fileSystem = dfsCluster.getFileSystem();
-    root = new Path(fileSystem.getUri().toString());
-    etc = new Path(root, "/etc");
-    fileSystem.mkdirs(etc);
-  }
-  @AfterClass
-  public static void teardownLocalClazz() {
-    if(dfsCluster != null) {
-      dfsCluster.shutdown();
-    }
-  }
-
-  @Override
-  protected void  afterSetup() throws IOException {
-    fileSystem.delete(etc, true);
-    fileSystem.mkdirs(etc);
-    PolicyFiles.copyToDir(fileSystem, etc, "test-authz-provider.ini", "test-authz-provider-other-group.ini");
-    setPolicy(new SimplePolicyEngine(new Path(etc, "test-authz-provider.ini").toString(), "server1"));
-  }
-  @Override
-  protected void beforeTeardown() throws IOException {
-    fileSystem.delete(etc, true);
-  }
-
-  @Test
-  public void testMultiFSPolicy() throws Exception {
-    File globalPolicyFile = new File(Files.createTempDir(), "global-policy.ini");
-    File dbPolicyFile = new File(Files.createTempDir(), "db11-policy.ini");
-
-    // Create global policy file
-    PolicyFile dbPolicy = new PolicyFile()
-      .addPermissionsToRole("db11_role", "server=server1->db=db11")
-      .addRolesToGroup("group1", "db11_role");
-
-    dbPolicy.write(dbPolicyFile);
-    Path dbPolicyPath = new Path(etc, "db11-policy.ini");
-
-    // create per-db policy file
-    PolicyFile globalPolicy = new PolicyFile()
-      .addPermissionsToRole("admin_role", "server=server1")
-      .addRolesToGroup("admin_group", "admin_role")
-      .addGroupsToUser("hive", "admin_group");
-    globalPolicy.addDatabase("db11", dbPolicyPath.toUri().toString());
-    globalPolicy.write(globalPolicyFile);
-
-
-    PolicyFiles.copyFilesToDir(fileSystem, etc, globalPolicyFile);
-    PolicyFiles.copyFilesToDir(fileSystem, etc, dbPolicyFile);
-    SimplePolicyEngine multiFSEngine =
-        new SimplePolicyEngine(globalPolicyFile.getPath(), "server1");
-
-    List<Authorizable> dbAuthorizables = Lists.newArrayList();
-    dbAuthorizables.add(new Server("server1"));
-    dbAuthorizables.add(new Database("db11"));
-    List<String> dbGroups = Lists.newArrayList();
-    dbGroups.add("group1");
-    ImmutableSetMultimap <String, String> dbPerms =
-        multiFSEngine.getPermissions(dbAuthorizables, dbGroups);
-    Assert.assertEquals("No DB permissions found", 1, dbPerms.size());
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestSimplePolicyEngineLocalFS.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestSimplePolicyEngineLocalFS.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestSimplePolicyEngineLocalFS.java
deleted file mode 100644
index 73cd673..0000000
--- a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestSimplePolicyEngineLocalFS.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.file;
-
-import java.io.File;
-import java.io.IOException;
-
-import junit.framework.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.provider.file.PolicyFiles;
-import org.apache.sentry.provider.file.SimplePolicyEngine;
-
-public class TestSimplePolicyEngineLocalFS extends AbstractTestSimplePolicyEngine {
-
-  @Override
-  protected void  afterSetup() throws IOException {
-    File baseDir = getBaseDir();
-    Assert.assertNotNull(baseDir);
-    Assert.assertTrue(baseDir.isDirectory() || baseDir.mkdirs());
-    PolicyFiles.copyToDir(baseDir, "test-authz-provider.ini", "test-authz-provider-other-group.ini");
-    setPolicy(new SimplePolicyEngine(new File(baseDir, "test-authz-provider.ini").getPath(), "server1"));
-  }
-  @Override
-  protected void beforeTeardown() throws IOException {
-    File baseDir = getBaseDir();
-    Assert.assertNotNull(baseDir);
-    FileUtils.deleteQuietly(baseDir);
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestWildcardPermission.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestWildcardPermission.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestWildcardPermission.java
deleted file mode 100644
index 156aa64..0000000
--- a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestWildcardPermission.java
+++ /dev/null
@@ -1,282 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.provider.file;
-import static junit.framework.Assert.assertEquals;
-import static junit.framework.Assert.assertFalse;
-import static junit.framework.Assert.assertTrue;
-import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_JOINER;
-import static org.apache.sentry.provider.file.PolicyFileConstants.KV_JOINER;
-import static org.apache.sentry.provider.file.PolicyFileConstants.KV_SEPARATOR;
-
-import org.apache.sentry.core.AccessConstants;
-import org.apache.shiro.authz.Permission;
-import org.junit.Test;
-
-public class TestWildcardPermission {
-
-  private static final String ALL = AccessConstants.ALL;
-
-  private static final Permission ROLE_SERVER_SERVER1_DB_ALL =
-      create(new KeyValue("server", "server1"), new KeyValue("db", ALL));
-  private static final Permission ROLE_SERVER_SERVER1_DB_DB1 =
-      create(new KeyValue("server", "server1"), new KeyValue("db", "db1"));
-  private static final Permission ROLE_SERVER_SERVER2_DB_ALL =
-      create(new KeyValue("server", "server2"), new KeyValue("db", ALL));
-  private static final Permission ROLE_SERVER_SERVER2_DB_DB1 =
-      create(new KeyValue("server", "server2"), new KeyValue("db", "db1"));
-  private static final Permission ROLE_SERVER_ALL_DB_ALL =
-      create(new KeyValue("server", ALL), new KeyValue("db", ALL));
-  private static final Permission ROLE_SERVER_ALL_DB_DB1 =
-      create(new KeyValue("server", ALL), new KeyValue("db", "db1"));
-
-  private static final Permission ROLE_SERVER_SERVER1_URI_URI1 =
-      create(new KeyValue("server", "server1"), new KeyValue("uri",
-          "hdfs://namenode:8020/path/to/uri1"));
-  private static final Permission ROLE_SERVER_SERVER1_URI_URI2 =
-      create(new KeyValue("server", "server1"), new KeyValue("uri",
-          "hdfs://namenode:8020/path/to/uri2"));
-  private static final Permission ROLE_SERVER_SERVER1_URI_ALL =
-      create(new KeyValue("server", "server1"), new KeyValue("uri", ALL));
-
-
-  private static final Permission ROLE_SERVER_SERVER1 =
-      create(new KeyValue("server", "server1"));
-
-
-  private static final Permission REQUEST_SERVER1_DB1 =
-      create(new KeyValue("server", "server1"), new KeyValue("db", "db1"));
-  private static final Permission REQUEST_SERVER2_DB1 =
-      create(new KeyValue("server", "server2"), new KeyValue("db", "db1"));
-  private static final Permission REQUEST_SERVER1_DB2 =
-      create(new KeyValue("server", "server1"), new KeyValue("db", "db2"));
-  private static final Permission REQUEST_SERVER2_DB2 =
-      create(new KeyValue("server", "server2"), new KeyValue("db", "db2"));
-
-  private static final Permission REQUEST_SERVER1_URI1 =
-      create(new KeyValue("server", "server1"), new KeyValue("uri",
-          "hdfs://namenode:8020/path/to/uri1/some/file"));
-  private static final Permission REQUEST_SERVER1_URI2 =
-      create(new KeyValue("server", "server1"), new KeyValue("uri",
-          "hdfs://namenode:8020/path/to/uri2/some/other/file"));
-
-  private static final Permission REQUEST_SERVER1_OTHER =
-      create(new KeyValue("server", "server2"), new KeyValue("other", "thing"));
-
-  private static final Permission REQUEST_SERVER1 =
-      create(new KeyValue("server", "server2"));
-
-  @Test
-  public void testOther() throws Exception {
-    assertFalse(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_OTHER));
-    assertFalse(REQUEST_SERVER1_OTHER.implies(ROLE_SERVER_ALL_DB_ALL));
-  }
-  @Test
-  public void testRoleShorterThanRequest() throws Exception {
-    assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB1));
-    assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB2));
-    assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB1));
-    assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB2));
-
-    assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1));
-    assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1));
-  }
-  @Test
-  public void testRolesAndRequests() throws Exception {
-    // ROLE_SERVER_SERVER1_DB_ALL
-    assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB1));
-    assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB1));
-    assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB2));
-    assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB2));
-
-    // test inverse
-    assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL));
-    assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL));
-    assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL));
-    assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL));
-
-    // ROLE_SERVER_SERVER1_DB_DB1
-    assertTrue(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB1));
-    assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB1));
-    assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB2));
-    assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB2));
-
-    // test inverse
-    assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1));
-    assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1));
-    assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1));
-    assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1));
-
-    // ROLE_SERVER_SERVER2_DB_ALL
-    assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB1));
-    assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB1));
-    assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB2));
-    assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB2));
-
-    // test inverse
-    assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL));
-    assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL));
-    assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL));
-    assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL));
-
-    // ROLE_SERVER_SERVER2_DB_DB1
-    assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB1));
-    assertTrue(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB1));
-    assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB2));
-    assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB2));
-
-    assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1));
-    assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1));
-    assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1));
-    assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1));
-
-    // ROLE_SERVER_ALL_DB_ALL
-    assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB1));
-    assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB1));
-    assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB2));
-    assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB2));
-
-    // test inverse
-    assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_ALL));
-    assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_ALL));
-    assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_ALL));
-    assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_ALL));
-
-    // ROLE_SERVER_ALL_DB_DB1
-    assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB1));
-    assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB1));
-    assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB2));
-    assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB2));
-
-    // test inverse
-    assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_DB1));
-    assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_DB1));
-    assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_DB1));
-    assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_DB1));
-
-    // uri
-    assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI1));
-    assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
-    assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
-    assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI1));
-    assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI2));
-    assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
-    assertTrue(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI1));
-    assertFalse(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI2));
-    assertTrue(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI2));
-    assertFalse(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI1));
-    assertFalse(REQUEST_SERVER2_DB2.implies(REQUEST_SERVER1_URI1));
-    assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_URI1));
-    // test inverse
-    assertTrue(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_ALL));
-    assertTrue(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_ALL));
-    assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1));
-    assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI1));
-    assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI1));
-    assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI2));
-    assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI2));
-  };
-  @Test
-  public void testUnexpected() throws Exception {
-    Permission p = new Permission() {
-      @Override
-      public boolean implies(Permission p) {
-        return false;
-      }
-    };
-    assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(null));
-    assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(p));
-    assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(null));
-    assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(p));
-
-    assertEquals(ROLE_SERVER_SERVER1_DB_ALL.hashCode(),
-        create(ROLE_SERVER_SERVER1_DB_ALL.toString()).hashCode());
-  }
-  @Test(expected=IllegalArgumentException.class)
-  public void testNullString() throws Exception {
-    System.out.println(create((String)null));
-  }
-  @Test(expected=IllegalArgumentException.class)
-  public void testEmptyString() throws Exception {
-    System.out.println(create(""));
-  }
-  @Test(expected=IllegalArgumentException.class)
-  public void testEmptyKey() throws Exception {
-    System.out.println(create(KV_JOINER.join("", "db1")));
-  }
-  @Test(expected=IllegalArgumentException.class)
-  public void testEmptyValue() throws Exception {
-    System.out.println(create(KV_JOINER.join("db", "")));
-  }
-  @Test(expected=IllegalArgumentException.class)
-  public void testEmptyPart() throws Exception {
-    System.out.println(create(AUTHORIZABLE_JOINER.
-        join(KV_JOINER.join("server", "server1"), "")));
-  }
-  @Test(expected=IllegalArgumentException.class)
-  public void testOnlySeperators() throws Exception {
-    System.out.println(create(AUTHORIZABLE_JOINER.
-        join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR)));
-  }
-  @Test
-  public void testImpliesURIPositive() throws Exception {
-    assertTrue(WildcardPermission.impliesURI("hdfs://namenode:8020/path",
-        "hdfs://namenode:8020/path/to/some/dir"));
-    assertTrue(WildcardPermission.impliesURI("hdfs://namenode:8020/path",
-        "hdfs://namenode:8020/path"));
-    assertTrue(WildcardPermission.impliesURI("file:///path",
-        "file:///path/to/some/dir"));
-    assertTrue(WildcardPermission.impliesURI("file:///path",
-        "file:///path"));
-  }
-  @Test
-  public void testImpliesURINegative() throws Exception {
-    // relative path
-    assertFalse(WildcardPermission.impliesURI("hdfs://namenode:8020/path",
-        "hdfs://namenode:8020/path/to/../../other"));
-    assertFalse(WildcardPermission.impliesURI("file:///path",
-        "file:///path/to/../../other"));
-    // bad policy
-    assertFalse(WildcardPermission.impliesURI("blah",
-        "hdfs://namenode:8020/path/to/some/dir"));
-    // bad request
-    assertFalse(WildcardPermission.impliesURI("hdfs://namenode:8020/path",
-        "blah"));
-    // scheme
-    assertFalse(WildcardPermission.impliesURI("hdfs://namenode:8020/path",
-        "file:///path/to/some/dir"));
-    assertFalse(WildcardPermission.impliesURI("hdfs://namenode:8020/path",
-        "file://namenode:8020/path/to/some/dir"));
-    // hostname
-    assertFalse(WildcardPermission.impliesURI("hdfs://namenode1:8020/path",
-        "hdfs://namenode2:8020/path/to/some/dir"));
-    // port
-    assertFalse(WildcardPermission.impliesURI("hdfs://namenode:8020/path",
-        "hdfs://namenode:8021/path/to/some/dir"));
-    // mangled path
-    assertFalse(WildcardPermission.impliesURI("hdfs://namenode:8020/path",
-        "hdfs://namenode:8020/pathFooBar"));
-  }
-  static WildcardPermission create(KeyValue... keyValues) {
-    return create(AUTHORIZABLE_JOINER.join(keyValues));
-
-  }
-  static WildcardPermission create(String s) {
-    return new WildcardPermission(s);
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/test/resources/test-authz-provider-other-group.ini
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/resources/test-authz-provider-other-group.ini b/sentry-provider/sentry-provider-file/src/test/resources/test-authz-provider-other-group.ini
deleted file mode 100644
index cd3695c..0000000
--- a/sentry-provider/sentry-provider-file/src/test/resources/test-authz-provider-other-group.ini
+++ /dev/null
@@ -1,22 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#  http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-[groups]
-other_group = analyst_role
-
-[roles]
-analyst_role = server=server1->db=other_group_db->table=purchases->action=select
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/test/resources/test-authz-provider.ini
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/resources/test-authz-provider.ini b/sentry-provider/sentry-provider-file/src/test/resources/test-authz-provider.ini
deleted file mode 100644
index 2d00699..0000000
--- a/sentry-provider/sentry-provider-file/src/test/resources/test-authz-provider.ini
+++ /dev/null
@@ -1,32 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#  http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-[databases]
-other_group_db = test-authz-provider-other-group.ini
-
-[groups]
-manager = analyst_role, junior_analyst_role
-analyst = analyst_role
-jranalyst = junior_analyst_role
-admin = admin
-
-[roles]
-analyst_role = server=server1->db=customers->table=purchases->action=select, \
-  server=server1->db=analyst1, \
-  server=server1->db=jranalyst1->table=*->action=select
-junior_analyst_role = server=server1->db=jranalyst1, server=server1->db=customers->table=purchases_partial->action=select
-admin = server=server1

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-policy-db/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-policy-db/pom.xml b/sentry-provider/sentry-provider-policy-db/pom.xml
new file mode 100644
index 0000000..ca6f6f9
--- /dev/null
+++ b/sentry-provider/sentry-provider-policy-db/pom.xml
@@ -0,0 +1,84 @@
+<?xml version="1.0"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.apache.sentry</groupId>
+    <artifactId>sentry-provider</artifactId>
+    <version>1.3.0-incubating-SNAPSHOT</version>
+  </parent>
+
+  <artifactId>sentry-provider-policy-db</artifactId>
+  <name>Sentry Provider and Policy for Databases</name>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.hadoop</groupId>
+      <artifactId>hadoop-common</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.hadoop</groupId>
+      <artifactId>hadoop-minicluster</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>log4j</groupId>
+      <artifactId>log4j</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.shiro</groupId>
+      <artifactId>shiro-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.google.guava</groupId>
+      <artifactId>guava</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-log4j12</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-core</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-provider-file</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-provider-file</artifactId>
+      <scope>test</scope>
+      <type>test-jar</type>
+      <version>${project.version}</version>
+    </dependency>
+  </dependencies>
+
+</project>
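Review bot: The dependency list at L899–L951 declares no `commons-lang` artifact, yet `DBWildcardPermission` in this same commit imports `org.apache.commons.lang.text.StrSubstitutor` (L1234), so that class only compiles because the dependency arrives transitively — most likely through `hadoop-common`, though the parent POM that would confirm this is outside the hunk. A transitive dependency that is used directly tends to disappear silently when the provider artifact is upgraded or excluded; declare it explicitly alongside `guava` with `<dependency><groupId>commons-lang</groupId><artifactId>commons-lang</artifactId></dependency>` (version from the parent's dependencyManagement, as the other entries here rely on). Separately, only the `test-jar` entry at L944–L950 carries an explicit `<version>${project.version}</version>` while the sibling `sentry-provider-file` entry at L940–L943 does not; it works, but a one-line comment saying the test-jar is not managed by the parent would save the next reader a trip to the parent POM.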

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/AbstractDBRoleValidator.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/AbstractDBRoleValidator.java b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/AbstractDBRoleValidator.java
new file mode 100644
index 0000000..d386d59
--- /dev/null
+++ b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/AbstractDBRoleValidator.java
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db;
+
+import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_SPLITTER;
+import static org.apache.sentry.provider.file.PolicyFileConstants.PRIVILEGE_PREFIX;
+
+import java.util.List;
+
+import org.apache.sentry.core.Authorizable;
+import org.apache.sentry.provider.file.RoleValidator;
+import org.apache.shiro.config.ConfigurationException;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.collect.Lists;
+
+public abstract class AbstractDBRoleValidator implements RoleValidator {
+
+  @VisibleForTesting
+  public static Iterable<Authorizable> parseRole(String string) {
+    List<Authorizable> result = Lists.newArrayList();
+    for(String section : AUTHORIZABLE_SPLITTER.split(string)) {
+      // XXX this ugly hack is because action is not an authorizeable
+      if(!section.toLowerCase().startsWith(PRIVILEGE_PREFIX)) {
+        Authorizable authorizable = DBAuthorizables.from(section);
+        if(authorizable == null) {
+          String msg = "No authorizable found for " + section;
+          throw new ConfigurationException(msg);
+        }
+        result.add(authorizable);
+      }
+    }
+    return result;
+  }
+
+}
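Review bot: `section.toLowerCase()` at L1000 folds case with the JVM default locale, so the `PRIVILEGE_PREFIX` test is locale-sensitive — under a Turkish default locale an upper-case `I` in a key does not fold to `i`, the prefix check misses, and the action section falls through to `DBAuthorizables.from`, which returns null for an unknown key and makes L1004 throw `ConfigurationException` for an otherwise valid role; whether `PRIVILEGE_PREFIX` actually contains such a character cannot be seen from this hunk. Use `section.toLowerCase(Locale.ROOT)` (adds a `java.util.Locale` import) so policy parsing behaves identically on every host. The method is also public and `@VisibleForTesting` but undocumented; a Javadoc such as `Splits a role string on AUTHORIZABLE_SPLITTER and returns its authorizable sections, skipping the action section; @throws ConfigurationException if a section is not a known authorizable` would state the contract the validators rely on.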

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/DBAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/DBAuthorizables.java b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/DBAuthorizables.java
new file mode 100644
index 0000000..089e6de
--- /dev/null
+++ b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/DBAuthorizables.java
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db;
+
+import org.apache.sentry.core.AccessURI;
+import org.apache.sentry.core.Authorizable;
+import org.apache.sentry.core.Database;
+import org.apache.sentry.core.Server;
+import org.apache.sentry.core.Table;
+import org.apache.sentry.core.View;
+import org.apache.sentry.core.Authorizable.AuthorizableType;
+import org.apache.sentry.provider.file.KeyValue;
+
+public class DBAuthorizables {
+
+  public static Authorizable from(KeyValue keyValue) {
+    String prefix = keyValue.getKey().toLowerCase();
+    String name = keyValue.getValue().toLowerCase();
+    for(AuthorizableType type : AuthorizableType.values()) {
+      if(prefix.equalsIgnoreCase(type.name())) {
+        return from(type, name);
+      }
+    }
+    return null;
+  }
+  public static Authorizable from(String s) {
+    return from(new KeyValue(s));
+  }
+
+  private static Authorizable from(AuthorizableType type, String name) {
+    switch (type) {
+    case Server:
+      return new Server(name);
+    case Db:
+      return new Database(name);
+    case Table:
+      return new Table(name);
+    case View:
+      return new View(name);
+    case URI:
+      return new AccessURI(name);
+    default:
+      return null;
+    }
+  }
+}
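Review bot: `keyValue.getValue().toLowerCase()` at L1053 case-folds every value before it is wrapped, including the `URI` case at L1075–L1076, so an `AccessURI` built here names a different path from the one the policy author wrote on any case-sensitive filesystem (HDFS paths are); the only caller visible in this commit is `AbstractDBRoleValidator.parseRole` (L1001), whose validators compare database names with `equalsIgnoreCase`, so the effect is latent there, but `from` is public and the folded value is a trap for any other caller. Keep the raw value — `String name = keyValue.getValue();` — and let each authorizable type decide its own case rules, or at minimum fold with `Locale.ROOT`. The `prefix` variable is lowercased at L1052 and then compared with `equalsIgnoreCase` at L1055; one of the two is redundant, and dropping the `toLowerCase()` also removes the default-locale dependency from the key match.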

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/DBRoles.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/DBRoles.java b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/DBRoles.java
new file mode 100644
index 0000000..499d988
--- /dev/null
+++ b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/DBRoles.java
@@ -0,0 +1,102 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db;
+
+import java.util.Map.Entry;
+
+import javax.annotation.Nullable;
+
+import org.apache.sentry.core.Database;
+import org.apache.sentry.provider.file.Roles;
+import org.apache.sentry.provider.file.RolesFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.ImmutableSetMultimap;
+
+public class DBRoles implements Roles {
+  private static final Logger LOGGER = LoggerFactory
+      .getLogger(DBRoles.class);
+  private final ImmutableSetMultimap<String, String> globalRoles;
+  private final ImmutableMap<String, ImmutableSetMultimap<String, String>> perDatabaseRoles;
+
+  public DBRoles() {
+    this(ImmutableSetMultimap.<String,String>of(),
+        ImmutableMap.<String, ImmutableSetMultimap<String, String>>of());
+  }
+
+  public DBRoles(
+      ImmutableSetMultimap<String, String> globalRoles,
+      ImmutableMap<String, ImmutableSetMultimap<String, String>> perDatabaseRoles) {
+    super();
+    this.globalRoles = globalRoles;
+    this.perDatabaseRoles = perDatabaseRoles;
+  }
+
+  public ImmutableSet<String> getRoles(@Nullable String database, String group, Boolean isURI) {
+    ImmutableSet.Builder<String> resultBuilder = ImmutableSet.builder();
+    String allowURIPerDbFile =
+        System.getProperty(SimpleDBPolicyEngine.ACCESS_ALLOW_URI_PER_DB_POLICYFILE);
+    Boolean consultPerDbRolesForURI = isURI && ("true".equalsIgnoreCase(allowURIPerDbFile));
+
+    // handle Database.ALL
+    if (Database.ALL.getName().equals(database)) {
+      for(Entry<String, ImmutableSetMultimap<String, String>> dbListEntry : perDatabaseRoles.entrySet()) {
+        if (dbListEntry.getValue().containsKey(group)) {
+          resultBuilder.addAll(dbListEntry.getValue().get(group));
+        }
+      }
+    } else if(database != null) {
+      ImmutableSetMultimap<String, String> dbPolicies =  perDatabaseRoles.get(database);
+      if(dbPolicies != null && dbPolicies.containsKey(group)) {
+        resultBuilder.addAll(dbPolicies.get(group));
+      }
+    }
+
+    if (consultPerDbRolesForURI) {
+      for(String db:perDatabaseRoles.keySet()) {
+        ImmutableSetMultimap<String, String> dbPolicies =  perDatabaseRoles.get(db);
+        if(dbPolicies != null && dbPolicies.containsKey(group)) {
+          resultBuilder.addAll(dbPolicies.get(group));
+        }
+      }
+    }
+
+    if(globalRoles.containsKey(group)) {
+      resultBuilder.addAll(globalRoles.get(group));
+    }
+    ImmutableSet<String> result = resultBuilder.build();
+    if(LOGGER.isDebugEnabled()) {
+      LOGGER.debug("Database {}, Group {}, Result {}",
+          new Object[]{ database, group, result});
+    }
+    return result;
+  }
+
+  public static class DBRolesFactory implements RolesFactory {
+    public Roles createRoles() {
+      return new DBRoles();
+    }
+
+    public Roles createRoles(ImmutableSetMultimap<String, String>globalRoles,
+        ImmutableMap<String, ImmutableSetMultimap<String, String>> perDatabaseRoles) {
+      return new DBRoles(globalRoles, perDatabaseRoles);
+    }
+  }
+}
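Review bot: `getRoles` takes `Boolean isURI` and unboxes it in `isURI && (...)` at L1146, so a null argument throws `NullPointerException` from inside the authorization path; declare the parameter `boolean isURI` (the `Roles` interface that fixes this signature is outside the hunk, so the change may need to be made there too). The gate at L1144–L1146 reads the `ACCESS_ALLOW_URI_PER_DB_POLICYFILE` system property on every call and, when it is `"true"`, the loop at L1163–L1168 adds a group's roles from every per-database file for a URI request regardless of the `database` argument — that is, enabling the property lets any per-database policy file grant URI privileges, which deserves a Javadoc sentence on the method so operators understand what the flag widens. The second loop could also iterate `perDatabaseRoles.entrySet()` like the one at L1150 instead of `keySet()` plus `get`, and the two `DBRolesFactory` methods at L1183 and L1187 are missing `@Override`.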

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/DBWildcardPermission.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/DBWildcardPermission.java b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/DBWildcardPermission.java
new file mode 100644
index 0000000..17f5a76
--- /dev/null
+++ b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/DBWildcardPermission.java
@@ -0,0 +1,197 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+// copied from apache shiro
+
+package org.apache.sentry.provider.db;
+
+import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_JOINER;
+import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_SPLITTER;
+
+import java.io.File;
+import java.io.Serializable;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.List;
+
+import org.apache.commons.lang.text.StrSubstitutor;
+import org.apache.sentry.core.AccessConstants;
+import org.apache.sentry.core.Authorizable.AuthorizableType;
+import org.apache.sentry.provider.file.KeyValue;
+import org.apache.sentry.provider.file.PermissionFactory;
+import org.apache.sentry.provider.file.PolicyFileConstants;
+import org.apache.shiro.authz.Permission;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Preconditions;
+import com.google.common.base.Strings;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.Lists;
+
+// XXX this class is made ugly by the fact that Action is not a Authorizable.
+public class DBWildcardPermission implements Permission, Serializable {
+  private static final Logger LOGGER = LoggerFactory
+      .getLogger(DBWildcardPermission.class);
+  private static final long serialVersionUID = -6785051263922740818L;
+
+  private final ImmutableList<KeyValue> parts;
+
+  public DBWildcardPermission(String wildcardString) {
+    wildcardString = Strings.nullToEmpty(wildcardString).trim();
+    if (wildcardString.isEmpty()) {
+      throw new IllegalArgumentException("Wildcard string cannot be null or empty.");
+    }
+    List<KeyValue>parts = Lists.newArrayList();
+    for (String authorizable : AUTHORIZABLE_SPLITTER.trimResults().split(wildcardString)) {
+      if (authorizable.isEmpty()) {
+        throw new IllegalArgumentException("Privilege '" + wildcardString + "' has an empty section");
+      }
+      parts.add(new KeyValue(authorizable));
+    }
+    if (parts.isEmpty()) {
+      throw new AssertionError("Should never occur: " + wildcardString);
+    }
+    this.parts = ImmutableList.copyOf(parts);
+  }
+
+
+  @Override
+  public boolean implies(Permission p) {
+    // By default only supports comparisons with other DBWildcardPermissions
+    if (!(p instanceof DBWildcardPermission)) {
+      return false;
+    }
+
+    DBWildcardPermission wp = (DBWildcardPermission) p;
+
+    List<KeyValue> otherParts = wp.parts;
+    if(equals(wp)) {
+      return true;
+    }
+    int index = 0;
+    for (KeyValue otherPart : otherParts) {
+      // If this permission has less parts than the other permission, everything
+      // after the number of parts contained
+      // in this permission is automatically implied, so return true
+      if (parts.size() - 1 < index) {
+        return true;
+      } else {
+        KeyValue part = parts.get(index);
+        // are the keys even equal
+        if(!part.getKey().equalsIgnoreCase(otherPart.getKey())) {
+          return false;
+        }
+        if (!impliesKeyValue(part, otherPart)) {
+          return false;
+        }
+        index++;
+      }
+    }
+    // If this permission has more parts than
+    // the other parts, only imply it if
+    // all of the other parts are wildcards
+    for (; index < parts.size(); index++) {
+      KeyValue part = parts.get(index);
+      if (!part.getValue().equals(AccessConstants.ALL)) {
+        return false;
+      }
+    }
+
+    return true;
+  }
+
+  private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) {
+    Preconditions.checkState(policyPart.getKey().equalsIgnoreCase(requestPart.getKey()),
+        "Please report, this method should not be called with two different keys");
+    if(policyPart.getValue().equals(AccessConstants.ALL) || policyPart.equals(requestPart)) {
+      return true;
+    } else if (!PolicyFileConstants.PRIVILEGE_NAME.equalsIgnoreCase(policyPart.getKey())
+        && AccessConstants.ALL.equalsIgnoreCase(requestPart.getValue())) {
+      /* permission request is to match with any object of given type */
+      return true;
+    } else if(policyPart.getKey().equalsIgnoreCase(AuthorizableType.URI.name())) {
+      return impliesURI(policyPart.getValue(), requestPart.getValue());
+    }
+    return false;
+  }
+
+  /**
+   * URI is a a special case. For URI's, /a implies /a/b.
+   * Therefore the test is "/a/b".startsWith("/a");
+   */
+  @VisibleForTesting
+  protected static boolean impliesURI(String policy, String request) {
+    try {
+      URI policyURI = new URI(new StrSubstitutor(System.getProperties()).replace(policy));
+      URI requestURI = new URI(request);
+      if(policyURI.getScheme() == null || policyURI.getPath() == null) {
+        LOGGER.warn("Policy URI " + policy + " is not valid. Either no scheme or no path.");
+        return false;
+      }
+      if(requestURI.getScheme() == null || requestURI.getPath() == null) {
+        LOGGER.warn("Request URI " + request + " is not valid. Either no scheme or no path.");
+        return false;
+      }
+      // schemes are equal &&
+      // request path does not contain relative parts /a/../b &&
+      // request path starts with policy path &&
+      // authorities (nullable) are equal
+      String requestPath = requestURI.getPath() + File.separator;
+      String policyPath = policyURI.getPath() + File.separator;
+      if(policyURI.getScheme().equals(requestURI.getScheme()) &&
+          requestURI.getPath().equals(new URI(request).normalize().getPath()) &&
+          requestPath.startsWith(policyPath) &&
+          Strings.nullToEmpty(policyURI.getAuthority()).equals(Strings.nullToEmpty(requestURI.getAuthority()))) {
+        return true;
+      }
+      return false;
+    } catch (URISyntaxException e) {
+      LOGGER.warn("Request URI " + request + " is not a URI", e);
+      return false;
+    }
+  }
+
+  @Override
+  public String toString() {
+    return AUTHORIZABLE_JOINER.join(parts);
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (o instanceof DBWildcardPermission) {
+      DBWildcardPermission wp = (DBWildcardPermission) o;
+      return parts.equals(wp.parts);
+    }
+    return false;
+  }
+
+  @Override
+  public int hashCode() {
+    return parts.hashCode();
+  }
+
+  public static class DBWildcardPermissionFactory implements PermissionFactory {
+    @Override
+    public Permission createPermission(String permission) {
+      return new DBWildcardPermission(permission);
+    }
+  }
+}
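Review bot: `impliesURI` builds the prefix test at L1358–L1359 with `File.separator`, but URI paths always use `/`; on Windows the separator is `\`, so `"/path/to/some/dir\".startsWith("/path\")` is false and every legitimate request is denied (fail-closed, but the feature is unusable there and the deleted `testImpliesURIPositive` would fail). Use the literal separator: `String requestPath = requestURI.getPath() + "/";` and `String policyPath = policyURI.getPath() + "/";`. The `catch` at L1367–L1369 also attributes any `URISyntaxException` to the request, yet `new URI(...)` at L1344 can throw for the policy string after property substitution, so an operator debugging a malformed policy entry is pointed at the wrong side; log `policy` and `request` both, or split the two constructions into separate try blocks.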

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/DatabaseMustMatch.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/DatabaseMustMatch.java b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/DatabaseMustMatch.java
new file mode 100644
index 0000000..db9d60c
--- /dev/null
+++ b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/DatabaseMustMatch.java
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db;
+
+import org.apache.sentry.core.Authorizable;
+import org.apache.sentry.core.Database;
+import org.apache.shiro.config.ConfigurationException;
+
+public class DatabaseMustMatch extends AbstractDBRoleValidator {
+
+  @Override
+  public void validate(String database, String role) throws ConfigurationException {
+    /*
+     *  Rule only applies to rules in per database policy file
+     */
+    if(database != null) {
+      Iterable<Authorizable> authorizables = parseRole(role);
+      for(Authorizable authorizable : authorizables) {
+        if(authorizable instanceof Database &&
+            !database.equalsIgnoreCase(authorizable.getName())) {
+          String msg = "Role " + role + " references db " +
+              authorizable.getName() + ", but is only allowed to reference "
+              + database;
+          throw new ConfigurationException(msg);
+        }
+      }
+    }
+  }
+}
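Review bot: The class has no Javadoc stating the rule it enforces, and the case-insensitive comparison on the `!database.equalsIgnoreCase(authorizable.getName())` line is a contract worth spelling out, because `ServersAllIsInvalid` in the same commit compares names with plain `equals`. Suggested class comment: `/** Rejects a role in a per-database policy file that names a database other than the file's own; names are compared case-insensitively. Skipped for the global file (database == null). */`. Whether `authorizable.getName()` can be null is not visible in this hunk; if it can, `equalsIgnoreCase(null)` returns false and the role is rejected, which is the safe direction and could be stated in the same comment.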

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/DatabaseRequiredInRole.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/DatabaseRequiredInRole.java b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/DatabaseRequiredInRole.java
new file mode 100644
index 0000000..f8ab954
--- /dev/null
+++ b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/DatabaseRequiredInRole.java
@@ -0,0 +1,70 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db;
+
+import javax.annotation.Nullable;
+
+import org.apache.sentry.core.AccessURI;
+import org.apache.sentry.core.Authorizable;
+import org.apache.sentry.core.Database;
+import org.apache.shiro.config.ConfigurationException;
+
+public class DatabaseRequiredInRole extends AbstractDBRoleValidator {
+
+  @Override
+  public void validate(@Nullable String database, String role) throws ConfigurationException {
+    /*
+     *  Rule only applies to rules in per database policy file
+     */
+    if(database != null) {
+      Iterable<Authorizable> authorizables = parseRole(role);
+      /*
+       * Each permission in a non-global file must have a database
+       * object except for URIs.
+       *
+       * We allow URIs to be specified in the per DB policy file for
+       * ease of mangeability. URIs will contain to remain server scope
+       * objects.
+       */
+      boolean foundDatabaseInAuthorizables = false;
+      boolean foundURIInAuthorizables = false;
+      boolean allowURIInAuthorizables = false;
+
+      if ("true".equalsIgnoreCase(
+          System.getProperty(SimpleDBPolicyEngine.ACCESS_ALLOW_URI_PER_DB_POLICYFILE))) {
+        allowURIInAuthorizables = true;
+      }
+
+      for(Authorizable authorizable : authorizables) {
+        if(authorizable instanceof Database) {
+          foundDatabaseInAuthorizables = true;
+        }
+        if (authorizable instanceof AccessURI) {
+          if (foundDatabaseInAuthorizables) {
+            String msg = "URI object is specified at DB scope in " + role;
+            throw new ConfigurationException(msg);
+          }
+          foundURIInAuthorizables = true;
+        }
+      }
+      if(!foundDatabaseInAuthorizables && !(foundURIInAuthorizables && allowURIInAuthorizables)) {
+        String msg = "Missing database object in " + role;
+        throw new ConfigurationException(msg);
+      }
+    }
+  }
+}
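Review bot: The switch that permits URIs in a per-database policy file is read from a JVM system property on the `System.getProperty(SimpleDBPolicyEngine.ACCESS_ALLOW_URI_PER_DB_POLICYFILE)` line, although `SimpleDBPolicyEngine` receives a Hadoop `Configuration` it could hand to this validator; a process-global property means one setting for every engine in the JVM and a validator whose outcome the engine that built it cannot control. A constructor argument such as `DatabaseRequiredInRole(boolean allowURIInPerDbFile)` populated by `SimpleDBPolicyEngine` from `conf` would fix both and make the check testable without touching global state. Note also that the loop rejects a URI only when a `Database` was seen earlier in the same role, so a role listing the URI before the database passes the scope check; if element order is not significant in role strings, the rejection belongs after the loop as `if (foundDatabaseInAuthorizables && foundURIInAuthorizables)`. The block comment's `URIs will contain to remain server scope objects` presumably means `URIs continue to be server-scope objects`.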

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/HadoopGroupResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/HadoopGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/HadoopGroupResourceAuthorizationProvider.java
new file mode 100644
index 0000000..328e990
--- /dev/null
+++ b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/HadoopGroupResourceAuthorizationProvider.java
@@ -0,0 +1,44 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db;
+
+import java.io.IOException;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.Groups;
+import org.apache.sentry.provider.file.GroupMappingService;
+import org.apache.sentry.provider.file.HadoopGroupMappingService;
+import org.apache.sentry.provider.file.PolicyEngine;
+import org.apache.sentry.provider.file.ResourceAuthorizationProvider;
+
+import com.google.common.annotations.VisibleForTesting;
+
+public class HadoopGroupResourceAuthorizationProvider extends
+  ResourceAuthorizationProvider {
+  public HadoopGroupResourceAuthorizationProvider(String resource, String serverName) throws IOException {
+    this(new SimpleDBPolicyEngine(resource, serverName), new HadoopGroupMappingService(
+        Groups.getUserToGroupsMappingService(new Configuration())));
+  }
+
+  @VisibleForTesting
+  public HadoopGroupResourceAuthorizationProvider(PolicyEngine policy,
+      GroupMappingService groupService) {
+    super(policy, groupService, new DBWildcardPermission.DBWildcardPermissionFactory());
+  }
+
+}
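Review bot: The two-argument constructor resolves the user-to-group mapping from `new Configuration()`, i.e. from Hadoop's default resources only, so a caller that configured its policy engine differently gets a group lookup that does not share that configuration; accepting a `Configuration` parameter (or an overload that does) would keep the two consistent. The second constructor is `public` and lets any caller substitute the `GroupMappingService` that every authorization decision depends on; since it is marked `@VisibleForTesting`, a Javadoc should say so, e.g. `/** Test hook: builds the provider from a caller-supplied policy engine and group mapping. Production callers should use the (resource, serverName) constructor. */`.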

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/LocalGroupResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/LocalGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/LocalGroupResourceAuthorizationProvider.java
new file mode 100644
index 0000000..6c43f3c
--- /dev/null
+++ b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/LocalGroupResourceAuthorizationProvider.java
@@ -0,0 +1,35 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db;
+
+import org.apache.sentry.provider.file.LocalGroupMappingService;
+import org.apache.sentry.provider.file.ResourceAuthorizationProvider;
+import java.io.IOException;
+
+import org.apache.hadoop.fs.Path;
+
+
+public class LocalGroupResourceAuthorizationProvider extends
+  ResourceAuthorizationProvider {
+
+  public LocalGroupResourceAuthorizationProvider(String resource, String serverName) throws IOException {
+    super (new SimpleDBPolicyEngine(resource, serverName), new LocalGroupMappingService(new Path(resource)),
+      new DBWildcardPermission.DBWildcardPermissionFactory());
+  }
+
+}
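Review bot: The constructor reads both the roles (`new SimpleDBPolicyEngine(resource, serverName)`) and the group mapping (`new LocalGroupMappingService(new Path(resource))`) from the same `resource` path, which is not obvious from the class name and deserves a Javadoc such as `/** Provider whose group membership comes from the policy file itself rather than from Hadoop's group mapping. */`. Stylistically, `super (` should be `super(`, and the `java.io.IOException` import belongs in the JDK group above the `org.apache` imports, as the sibling files in this commit do.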

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/ServerNameMustMatch.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/ServerNameMustMatch.java b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/ServerNameMustMatch.java
new file mode 100644
index 0000000..ab26266
--- /dev/null
+++ b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/ServerNameMustMatch.java
@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db;
+
+import javax.annotation.Nullable;
+
+import org.apache.sentry.core.Authorizable;
+import org.apache.sentry.core.Server;
+import org.apache.shiro.config.ConfigurationException;
+
+public class ServerNameMustMatch extends AbstractDBRoleValidator {
+
+  private final String serverName;
+  public ServerNameMustMatch(String serverName) {
+    this.serverName = serverName;
+  }
+  @Override
+  public void validate(@Nullable String database, String role) throws ConfigurationException {
+    Iterable<Authorizable> authorizables = parseRole(role);
+    for(Authorizable authorizable : authorizables) {
+      if(authorizable instanceof Server && !serverName.equalsIgnoreCase(authorizable.getName())) {
+        String msg = "Server name " + authorizable.getName() + " in "
+      + role + " is invalid. Expected " + serverName;
+        throw new ConfigurationException(msg);
+      }
+    }
+  }
+
+}
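Review bot: `serverName` is stored without a null check in the constructor, so a null value only surfaces as a NullPointerException from `serverName.equalsIgnoreCase(...)` in `validate` on the first role that names a server, far from the misconfiguration that caused it. The project already uses Guava, so `this.serverName = Preconditions.checkNotNull(serverName, "serverName");` fails fast at construction with a clear message. The continuation line `+ role + " is invalid. Expected " + serverName;` is indented to column 6 and should align under the start of the message expression.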

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/ServersAllIsInvalid.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/ServersAllIsInvalid.java b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/ServersAllIsInvalid.java
new file mode 100644
index 0000000..7b56324
--- /dev/null
+++ b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/ServersAllIsInvalid.java
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db;
+
+import javax.annotation.Nullable;
+
+import org.apache.sentry.core.Authorizable;
+import org.apache.sentry.core.Server;
+import org.apache.shiro.config.ConfigurationException;
+
+public class ServersAllIsInvalid extends AbstractDBRoleValidator {
+
+  @Override
+  public void validate(@Nullable String database, String role) throws ConfigurationException {
+    Iterable<Authorizable> authorizables = parseRole(role);
+    for(Authorizable authorizable : authorizables) {
+      if(authorizable instanceof Server &&
+          authorizable.getName().equals(Server.ALL.getName())) {
+        String msg = "Invalid value for " + authorizable.getAuthzType() + " in " + role;
+        throw new ConfigurationException(msg);
+      }
+    }
+  }
+
+}
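Review bot: The comparison `authorizable.getName().equals(Server.ALL.getName())` is case-sensitive while `DatabaseMustMatch` and `ServerNameMustMatch` in this commit use `equalsIgnoreCase`; whether that matters depends on the literal `Server.ALL` carries, which this hunk does not show, but a comment stating the intent would stop the next reader from "fixing" it either way, e.g. `// exact match intended: Server.ALL is a fixed literal, not a user-supplied name` (adjust if server names are case-normalized elsewhere). If `getName()` can return null for a parsed authorizable, the call throws instead of rejecting the role; `Server.ALL.getName().equals(authorizable.getName())` keeps the same result without that risk.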

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/SimpleDBPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/SimpleDBPolicyEngine.java b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/SimpleDBPolicyEngine.java
new file mode 100644
index 0000000..7224f60
--- /dev/null
+++ b/sentry-provider/sentry-provider-policy-db/src/main/java/org/apache/sentry/provider/db/SimpleDBPolicyEngine.java
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db;
+
+import java.io.IOException;
+import java.util.List;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.Path;
+import org.apache.sentry.core.AccessURI;
+import org.apache.sentry.core.Authorizable;
+import org.apache.sentry.core.Database;
+import org.apache.sentry.provider.file.PolicyEngine;
+import org.apache.sentry.provider.file.SimplePolicyParser;
+import org.apache.sentry.provider.file.Roles;
+import org.apache.sentry.provider.file.RoleValidator;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.annotations.VisibleForTesting;
+
+import com.google.common.collect.ImmutableSetMultimap;
+import com.google.common.collect.Lists;
+
+public class SimpleDBPolicyEngine implements PolicyEngine {
+
+  private static final Logger LOGGER = LoggerFactory
+      .getLogger(SimpleDBPolicyEngine.class);
+
+  public final static String ACCESS_ALLOW_URI_PER_DB_POLICYFILE = "sentry.allow.uri.db.policyfile";
+
+  private SimplePolicyParser parser;
+
+  public SimpleDBPolicyEngine(String resourcePath, String serverName) throws IOException {
+    this(new Configuration(), new Path(resourcePath), serverName);
+  }
+
+  @VisibleForTesting
+  public SimpleDBPolicyEngine(Configuration conf, Path resourcePath, String serverName) throws IOException {
+    List<? extends RoleValidator> validators =
+      Lists.newArrayList(new ServersAllIsInvalid(), new DatabaseMustMatch(),
+        new DatabaseRequiredInRole(), new ServerNameMustMatch(serverName));
+    parser = new SimplePolicyParser(conf, resourcePath, new DBRoles.DBRolesFactory(), validators);
+  }
+
+  /**
+   * {@inheritDoc}
+   */
+  @Override
+  public ImmutableSetMultimap<String, String> getPermissions(List<Authorizable> authorizables, List<String> groups) {
+    String database = null;
+    Boolean isURI = false;
+    for(Authorizable authorizable : authorizables) {
+      if(authorizable instanceof Database) {
+        database = authorizable.getName();
+      }
+      if (authorizable instanceof AccessURI) {
+        isURI = true;
+      }
+    }
+
+    if(LOGGER.isDebugEnabled()) {
+      LOGGER.debug("Getting permissions for {} via {}", groups, database);
+    }
+    ImmutableSetMultimap.Builder<String, String> resultBuilder = ImmutableSetMultimap.builder();
+    for(String group : groups) {
+      resultBuilder.putAll(group, parser.getRoles(database, group, isURI));
+    }
+    ImmutableSetMultimap<String, String> result = resultBuilder.build();
+    if(LOGGER.isDebugEnabled()) {
+      LOGGER.debug("result = " + result);
+    }
+    return result;
+  }
+}
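Review bot: `Boolean isURI = false;` in `getPermissions` uses the boxed type for a local that is only assigned and passed on; `boolean isURI = false;` avoids the needless boxing. The `parser` field is assigned exactly once, in the constructor, and should be `private final SimplePolicyParser parser;`. The `conf` parameter is used only for the parser, yet the validator list built on the `Lists.newArrayList(new ServersAllIsInvalid(), new DatabaseMustMatch(),` line includes `DatabaseRequiredInRole`, whose behaviour depends on the JVM system property `ACCESS_ALLOW_URI_PER_DB_POLICYFILE` declared in this class rather than on `conf`; a comment on that line, or plumbing the flag through `conf`, would make that dependency visible to a reader of this class. When a role's authorizables contain more than one `Database`, the loop keeps the last name seen, which is worth stating in a comment if intended.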

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-policy-db/src/test/java/org/apache/sentry/provider/db/TestDBAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-policy-db/src/test/java/org/apache/sentry/provider/db/TestDBAuthorizables.java b/sentry-provider/sentry-provider-policy-db/src/test/java/org/apache/sentry/provider/db/TestDBAuthorizables.java
new file mode 100644
index 0000000..347a2c2
--- /dev/null
+++ b/sentry-provider/sentry-provider-policy-db/src/test/java/org/apache/sentry/provider/db/TestDBAuthorizables.java
@@ -0,0 +1,80 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.provider.db;
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertNull;
+
+import org.apache.sentry.core.AccessURI;
+import org.apache.sentry.core.Database;
+import org.apache.sentry.core.Server;
+import org.apache.sentry.core.Table;
+import org.apache.sentry.core.View;
+import org.apache.sentry.provider.db.DBAuthorizables;
+import org.junit.Test;
+
+public class TestDBAuthorizables {
+
+  @Test
+  public void testServer() throws Exception {
+    Server server = (Server)DBAuthorizables.from("SeRvEr=server1");
+    assertEquals("server1", server.getName());
+  }
+  @Test
+  public void testDb() throws Exception {
+    Database db = (Database)DBAuthorizables.from("dB=db1");
+    assertEquals("db1", db.getName());
+  }
+  @Test
+  public void testTable() throws Exception {
+    Table table = (Table)DBAuthorizables.from("tAbLe=t1");
+    assertEquals("t1", table.getName());
+  }
+  @Test
+  public void testView() throws Exception {
+    View view = (View)DBAuthorizables.from("vIeW=v1");
+    assertEquals("v1", view.getName());
+  }
+  @Test
+  public void testURI() throws Exception {
+    AccessURI uri = (AccessURI)DBAuthorizables.from("UrI=hdfs://uri1:8200/blah");
+    assertEquals("hdfs://uri1:8200/blah", uri.getName());
+  }
+
+  @Test(expected=IllegalArgumentException.class)
+  public void testNoKV() throws Exception {
+    System.out.println(DBAuthorizables.from("nonsense"));
+  }
+
+  @Test(expected=IllegalArgumentException.class)
+  public void testTooManyKV() throws Exception {
+    System.out.println(DBAuthorizables.from("k=v1=v2"));
+  }
+  @Test(expected=IllegalArgumentException.class)
+  public void testEmptyKey() throws Exception {
+    System.out.println(DBAuthorizables.from("=v"));
+  }
+  @Test(expected=IllegalArgumentException.class)
+  public void testEmptyValue() throws Exception {
+    System.out.println(DBAuthorizables.from("k="));
+  }
+  @Test
+  public void testNotAuthorizable() throws Exception {
+    assertNull(DBAuthorizables.from("k=v"));
+  }
+}
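Review bot: The static imports `junit.framework.Assert.assertEquals` and `assertNull` come from the JUnit 3 compatibility package while the file otherwise uses JUnit 4 (`org.junit.Test`); `import static org.junit.Assert.assertEquals;` and `import static org.junit.Assert.assertNull;` are the JUnit 4 equivalents. The `System.out.println(...)` wrappers in the expected-exception tests add build-log noise for no benefit; a bare `DBAuthorizables.from("nonsense");` statement is enough. `testNotAuthorizable` pins that an unrecognized key (`k=v`) yields null rather than an exception, which deserves a one-line comment on what callers are expected to do with a null policy element, since silently ignoring one is the less safe outcome.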

