sentry-commits mailing list archives

From br...@apache.org
Subject [3/3] git commit: SENTRY-17: Separate sentry-provider to hive specific and non-specific packages
Date Wed, 02 Oct 2013 19:55:01 GMT
SENTRY-17: Separate sentry-provider to hive specific and non-specific packages


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/172631be
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/172631be
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/172631be

Branch: refs/heads/master
Commit: 172631be950a794ae86f22952e70065fcb906bbd
Parents: fb21cc3
Author: Brock Noland <brock@apache.org>
Authored: Wed Oct 2 14:47:48 2013 -0500
Committer: Brock Noland <brock@apache.org>
Committed: Wed Oct 2 14:48:10 2013 -0500

----------------------------------------------------------------------
 pom.xml                                         |   5 +
 sentry-binding/sentry-binding-hive/pom.xml      |   5 +
 .../binding/hive/TestHiveAuthzBindings.java     |   2 +-
 sentry-dist/pom.xml                             |   4 +
 sentry-dist/src/main/assembly/src.xml           |   1 +
 sentry-provider/pom.xml                         |   1 +
 sentry-provider/sentry-provider-file/pom.xml    |  25 +-
 .../provider/file/AbstractRoleValidator.java    |  49 ----
 .../sentry/provider/file/Authorizables.java     |  59 ----
 .../sentry/provider/file/DatabaseMustMatch.java |  43 ---
 .../provider/file/DatabaseRequiredInRole.java   |  70 -----
 ...adoopGroupResourceAuthorizationProvider.java |  40 ---
 ...LocalGroupResourceAuthorizationProvider.java |  32 ---
 .../sentry/provider/file/PermissionFactory.java |  26 ++
 .../file/ResourceAuthorizationProvider.java     |   9 +-
 .../org/apache/sentry/provider/file/Roles.java  |  70 +----
 .../sentry/provider/file/RolesFactory.java      |  30 ++
 .../provider/file/ServerNameMustMatch.java      |  43 ---
 .../provider/file/ServersAllIsInvalid.java      |  39 ---
 .../provider/file/SimplePolicyEngine.java       | 273 ------------------
 .../provider/file/SimplePolicyParser.java       | 241 ++++++++++++++++
 .../provider/file/WildcardPermission.java       | 188 ------------
 .../sentry/provider/file/TestAuthorizables.java |  80 ------
 .../file/TestDatabaseRequiredInRole.java        |  48 ----
 .../file/TestPolicyParsingNegative.java         | 238 ----------------
 ...sourceAuthorizationProviderGeneralCases.java | 176 ------------
 ...sourceAuthorizationProviderSpecialCases.java | 117 --------
 .../file/TestSimplePolicyEngineDFS.java         | 116 --------
 .../file/TestSimplePolicyEngineLocalFS.java     |  44 ---
 .../provider/file/TestWildcardPermission.java   | 282 ------------------
 .../test-authz-provider-other-group.ini         |  22 --
 .../src/test/resources/test-authz-provider.ini  |  32 ---
 .../sentry-provider-policy-db/pom.xml           |  84 ++++++
 .../provider/db/AbstractDBRoleValidator.java    |  50 ++++
 .../sentry/provider/db/DBAuthorizables.java     |  60 ++++
 .../org/apache/sentry/provider/db/DBRoles.java  | 102 +++++++
 .../provider/db/DBWildcardPermission.java       | 197 +++++++++++++
 .../sentry/provider/db/DatabaseMustMatch.java   |  43 +++
 .../provider/db/DatabaseRequiredInRole.java     |  70 +++++
 ...adoopGroupResourceAuthorizationProvider.java |  44 +++
 ...LocalGroupResourceAuthorizationProvider.java |  35 +++
 .../sentry/provider/db/ServerNameMustMatch.java |  43 +++
 .../sentry/provider/db/ServersAllIsInvalid.java |  39 +++
 .../provider/db/SimpleDBPolicyEngine.java       |  88 ++++++
 .../sentry/provider/db/TestDBAuthorizables.java |  80 ++++++
 .../provider/db/TestDBWildcardPermission.java   | 283 +++++++++++++++++++
 .../provider/db/TestDatabaseRequiredInRole.java |  48 ++++
 .../provider/db/TestPolicyParsingNegative.java  | 240 ++++++++++++++++
 ...sourceAuthorizationProviderGeneralCases.java | 175 ++++++++++++
 ...sourceAuthorizationProviderSpecialCases.java | 117 ++++++++
 .../db/TestSimpleDBPolicyEngineDFS.java         | 119 ++++++++
 .../db/TestSimpleDBPolicyEngineLocalFS.java     |  44 +++
 .../src/test/resources/log4j.properties         |  31 ++
 .../test-authz-provider-other-group.ini         |  22 ++
 .../src/test/resources/test-authz-provider.ini  |  32 +++
 sentry-tests/sentry-tests-hive/pom.xml          |   6 +
 .../tests/e2e/hive/TestPerDBConfiguration.java  |   6 +-
 .../e2e/hive/hiveserver/HiveServerFactory.java  |   2 +-
 58 files changed, 2401 insertions(+), 2069 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index c4aaf07..439ce32 100644
--- a/pom.xml
+++ b/pom.xml
@@ -238,6 +238,11 @@ limitations under the License.
         <groupId>org.apache.sentry</groupId>
         <artifactId>sentry-provider-file</artifactId>
         <version>${project.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.sentry</groupId>
+        <artifactId>sentry-provider-policy-db</artifactId>
+        <version>${project.version}</version>
         <scope>test</scope>
       </dependency>
       <dependency>
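Review bot: On the new side the managed entry for `sentry-provider-policy-db` carries `<scope>test</scope>`, because the added lines sit between the `<version>` and `<scope>` of the existing `sentry-provider-file` entry, which in turn loses its scope. If this block is the root `dependencyManagement` section, as the `${project.version}` entries suggest, the sentry-dist/pom.xml hunk that declares the new artifact without a scope inherits test scope, and the module that now holds the authorization providers may be left out of the distribution. I would drop the scope from the managed entry and let each consumer state it, as the sentry-binding-hive hunk already does with `<scope>test</scope>`. The enclosing dependency list starts and ends outside the hunk.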

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-binding/sentry-binding-hive/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/pom.xml b/sentry-binding/sentry-binding-hive/pom.xml
index 2d4369e..5c3e17a 100644
--- a/sentry-binding/sentry-binding-hive/pom.xml
+++ b/sentry-binding/sentry-binding-hive/pom.xml
@@ -72,6 +72,11 @@ limitations under the License.
       <scope>test</scope>
     </dependency>
     <dependency>
+      <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-provider-policy-db</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
       <groupId>org.apache.hadoop</groupId>
       <artifactId>hadoop-common</artifactId>
     </dependency>

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
index fde3181..d3d44d2 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzBindings.java
@@ -106,7 +106,7 @@ public class TestHiveAuthzBindings {
 
     // create auth configuration
     authzConf.set(AuthzConfVars.AUTHZ_PROVIDER.getVar(),
-        "org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider");
+        "org.apache.sentry.provider.db.LocalGroupResourceAuthorizationProvider");
     authzConf.set(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(),
         new File(baseDir, RESOURCE_PATH).getPath());
     authzConf.set(AuthzConfVars.AUTHZ_SERVER_NAME.getVar(), SERVER1);
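Review bot: The provider is selected by a fully qualified class-name string, and this commit deletes `org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider` rather than deprecating it, so a deployed configuration that still names the old class will presumably fail when the binding tries to load it. The test value is updated here, but nothing visible in the commit tells operators to change the setting. I would add a migration note to the commit description or release notes, and a comment above this line such as `// provider classes moved from provider.file to provider.db in SENTRY-17`. How the binding behaves when the configured class cannot be loaded is not visible in this hunk, so it is worth confirming that it denies access rather than falling back to a permissive default. The enclosing setup method starts and ends outside the hunk.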

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-dist/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-dist/pom.xml b/sentry-dist/pom.xml
index 0f98d41..8fc489b 100644
--- a/sentry-dist/pom.xml
+++ b/sentry-dist/pom.xml
@@ -38,6 +38,10 @@ limitations under the License.
       <groupId>org.apache.sentry</groupId>
       <artifactId>sentry-provider-file</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-provider-policy-db</artifactId>
+    </dependency>
   </dependencies>
   <build>
     <plugins>

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-dist/src/main/assembly/src.xml
----------------------------------------------------------------------
diff --git a/sentry-dist/src/main/assembly/src.xml b/sentry-dist/src/main/assembly/src.xml
index bf41707..af6dfa8 100644
--- a/sentry-dist/src/main/assembly/src.xml
+++ b/sentry-dist/src/main/assembly/src.xml
@@ -41,6 +41,7 @@
         <include>org.apache.sentry:sentry-core</include>
         <include>org.apache.sentry:sentry-provider</include>
         <include>org.apache.sentry:sentry-provider-file</include>
+        <include>org.apache.sentry:sentry-provider-policy-db</include>
         <include>org.apache.sentry:sentry-tests</include>
         <include>org.apache.sentry:sentry-tests-hive</include>
         <include>org.apache.sentry:sentry-dist</include>

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/pom.xml b/sentry-provider/pom.xml
index b4e7689..0eaabbd 100644
--- a/sentry-provider/pom.xml
+++ b/sentry-provider/pom.xml
@@ -31,6 +31,7 @@ limitations under the License.
 
   <modules>
     <module>sentry-provider-file</module>
+    <module>sentry-provider-policy-db</module>
   </modules>
 
 </project>

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/pom.xml b/sentry-provider/sentry-provider-file/pom.xml
index d09ad9f..85bb23b 100644
--- a/sentry-provider/sentry-provider-file/pom.xml
+++ b/sentry-provider/sentry-provider-file/pom.xml
@@ -32,13 +32,6 @@ limitations under the License.
       <groupId>org.apache.hadoop</groupId>
       <artifactId>hadoop-common</artifactId>
     </dependency>
-
-    <dependency>
-      <groupId>org.apache.hadoop</groupId>
-      <artifactId>hadoop-minicluster</artifactId>
-      <scope>test</scope>
-    </dependency>
-
     <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>
@@ -70,4 +63,22 @@ limitations under the License.
     </dependency>
   </dependencies>
 
+  <!-- build a test jar -->
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-jar-plugin</artifactId>
+        <version>2.2</version>
+        <executions>
+          <execution>
+            <goals>
+              <goal>test-jar</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+     </plugins>
+   </build>
+
 </project>

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/AbstractRoleValidator.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/AbstractRoleValidator.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/AbstractRoleValidator.java
deleted file mode 100644
index 35889e4..0000000
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/AbstractRoleValidator.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.file;
-
-import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_SPLITTER;
-import static org.apache.sentry.provider.file.PolicyFileConstants.PRIVILEGE_PREFIX;
-
-import java.util.List;
-
-import org.apache.sentry.core.Authorizable;
-import org.apache.shiro.config.ConfigurationException;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.collect.Lists;
-
-public abstract class AbstractRoleValidator implements RoleValidator {
-
-  @VisibleForTesting
-  public static Iterable<Authorizable> parseRole(String string) {
-    List<Authorizable> result = Lists.newArrayList();
-    for(String section : AUTHORIZABLE_SPLITTER.split(string)) {
-      // XXX this ugly hack is because action is not an authorizeable
-      if(!section.toLowerCase().startsWith(PRIVILEGE_PREFIX)) {
-        Authorizable authorizable = Authorizables.from(section);
-        if(authorizable == null) {
-          String msg = "No authorizable found for " + section;
-          throw new ConfigurationException(msg);
-        }
-        result.add(authorizable);
-      }
-    }
-    return result;
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/Authorizables.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/Authorizables.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/Authorizables.java
deleted file mode 100644
index 4062473..0000000
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/Authorizables.java
+++ /dev/null
@@ -1,59 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.file;
-
-import org.apache.sentry.core.AccessURI;
-import org.apache.sentry.core.Authorizable;
-import org.apache.sentry.core.Database;
-import org.apache.sentry.core.Server;
-import org.apache.sentry.core.Table;
-import org.apache.sentry.core.View;
-import org.apache.sentry.core.Authorizable.AuthorizableType;
-
-public class Authorizables {
-
-  public static Authorizable from(KeyValue keyValue) {
-    String prefix = keyValue.getKey().toLowerCase();
-    String name = keyValue.getValue().toLowerCase();
-    for(AuthorizableType type : AuthorizableType.values()) {
-      if(prefix.equalsIgnoreCase(type.name())) {
-        return from(type, name);
-      }
-    }
-    return null;
-  }
-  public static Authorizable from(String s) {
-    return from(new KeyValue(s));
-  }
-
-  private static Authorizable from(AuthorizableType type, String name) {
-    switch (type) {
-    case Server:
-      return new Server(name);
-    case Db:
-      return new Database(name);
-    case Table:
-      return new Table(name);
-    case View:
-      return new View(name);
-    case URI:
-      return new AccessURI(name);
-    default:
-      return null;
-    }
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/DatabaseMustMatch.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/DatabaseMustMatch.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/DatabaseMustMatch.java
deleted file mode 100644
index ef6486b..0000000
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/DatabaseMustMatch.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.file;
-
-import org.apache.sentry.core.Authorizable;
-import org.apache.sentry.core.Database;
-import org.apache.shiro.config.ConfigurationException;
-
-public class DatabaseMustMatch extends AbstractRoleValidator {
-
-  @Override
-  public void validate(String database, String role) throws ConfigurationException {
-    /*
-     *  Rule only applies to rules in per database policy file
-     */
-    if(database != null) {
-      Iterable<Authorizable> authorizables = parseRole(role);
-      for(Authorizable authorizable : authorizables) {
-        if(authorizable instanceof Database &&
-            !database.equalsIgnoreCase(authorizable.getName())) {
-          String msg = "Role " + role + " references db " +
-              authorizable.getName() + ", but is only allowed to reference "
-              + database;
-          throw new ConfigurationException(msg);
-        }
-      }
-    }
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/DatabaseRequiredInRole.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/DatabaseRequiredInRole.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/DatabaseRequiredInRole.java
deleted file mode 100644
index fd0f2c1..0000000
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/DatabaseRequiredInRole.java
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.file;
-
-import javax.annotation.Nullable;
-
-import org.apache.sentry.core.AccessURI;
-import org.apache.sentry.core.Authorizable;
-import org.apache.sentry.core.Database;
-import org.apache.shiro.config.ConfigurationException;
-
-public class DatabaseRequiredInRole extends AbstractRoleValidator {
-
-  @Override
-  public void validate(@Nullable String database, String role) throws ConfigurationException {
-    /*
-     *  Rule only applies to rules in per database policy file
-     */
-    if(database != null) {
-      Iterable<Authorizable> authorizables = parseRole(role);
-      /*
-       * Each permission in a non-global file must have a database
-       * object except for URIs.
-       *
-       * We allow URIs to be specified in the per DB policy file for
-       * ease of mangeability. URIs will contain to remain server scope
-       * objects.
-       */
-      boolean foundDatabaseInAuthorizables = false;
-      boolean foundURIInAuthorizables = false;
-      boolean allowURIInAuthorizables = false;
-
-      if ("true".equalsIgnoreCase(
-          System.getProperty(SimplePolicyEngine.ACCESS_ALLOW_URI_PER_DB_POLICYFILE))) {
-        allowURIInAuthorizables = true;
-      }
-
-      for(Authorizable authorizable : authorizables) {
-        if(authorizable instanceof Database) {
-          foundDatabaseInAuthorizables = true;
-        }
-        if (authorizable instanceof AccessURI) {
-          if (foundDatabaseInAuthorizables) {
-            String msg = "URI object is specified at DB scope in " + role;
-            throw new ConfigurationException(msg);
-          }
-          foundURIInAuthorizables = true;
-        }
-      }
-      if(!foundDatabaseInAuthorizables && !(foundURIInAuthorizables && allowURIInAuthorizables)) {
-        String msg = "Missing database object in " + role;
-        throw new ConfigurationException(msg);
-      }
-    }
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
deleted file mode 100644
index f99ae8c..0000000
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.file;
-
-import java.io.IOException;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.security.Groups;
-
-import com.google.common.annotations.VisibleForTesting;
-
-public class HadoopGroupResourceAuthorizationProvider extends
-  ResourceAuthorizationProvider {
-  public HadoopGroupResourceAuthorizationProvider(String resource, String serverName) throws IOException {
-    this(new SimplePolicyEngine(resource, serverName), new HadoopGroupMappingService(
-        Groups.getUserToGroupsMappingService(new Configuration())));
-  }
-
-  @VisibleForTesting
-  public HadoopGroupResourceAuthorizationProvider(PolicyEngine policy,
-      GroupMappingService groupService) {
-    super(policy, groupService);
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java
deleted file mode 100644
index ef595c8..0000000
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.file;
-
-import java.io.IOException;
-
-import org.apache.hadoop.fs.Path;
-
-
-public class LocalGroupResourceAuthorizationProvider extends
-  ResourceAuthorizationProvider {
-
-  public LocalGroupResourceAuthorizationProvider(String resource, String serverName) throws IOException {
-    super (new SimplePolicyEngine(resource, serverName), new LocalGroupMappingService(new Path(resource)));
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PermissionFactory.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PermissionFactory.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PermissionFactory.java
new file mode 100644
index 0000000..44624e7
--- /dev/null
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PermissionFactory.java
@@ -0,0 +1,26 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.file;
+
+import org.apache.shiro.authz.Permission;
+
+/**
+ * Factory for creating Shiro permissions
+ */
+public interface PermissionFactory {
+  Permission createPermission(String permission);
+}
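Review bot: The interface Javadoc does not state the contract of `createPermission`, although its result is passed straight to `Permission.implies` in ResourceAuthorizationProvider and so decides authorization outcomes. I would document on the method that it takes a policy-style permission string, never returns null, and how a malformed string is reported, for example `/** Parses a permission string; never returns null and throws on malformed input. */`. The exception type named there should be whatever the implementations really throw, which is not visible in this file.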

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
index 60282e6..f22fccd 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
@@ -46,11 +46,14 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
       .getLogger(ResourceAuthorizationProvider.class);
   private final GroupMappingService groupService;
   private final PolicyEngine policy;
+  private final PermissionFactory permissionFactory;
 
   public ResourceAuthorizationProvider(PolicyEngine policy,
-      GroupMappingService groupService) {
+      GroupMappingService groupService, PermissionFactory permissionFactory) {
+    Preconditions.checkNotNull(permissionFactory, "Permission factory cannot be null");
     this.policy = policy;
     this.groupService = groupService;
+    this.permissionFactory = permissionFactory;
   }
 
   @Override
@@ -109,7 +112,7 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
         /*
          * Does the permission granted in the policy file imply the requested action?
          */
-        boolean result = permission.implies(new WildcardPermission(requestPermission));
+        boolean result = permission.implies(permissionFactory.createPermission(requestPermission));
         if(LOGGER.isDebugEnabled()) {
           LOGGER.debug("FilePermission {}, RequestPermission {}, result {}",
               new Object[]{ permission, requestPermission, result});
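Review bot: `permissionFactory.createPermission(requestPermission)` is evaluated every time this line runs, and the indentation and the per-permission debug log suggest it sits inside a loop over the policy permissions. If so, the request permission could be parsed once before that loop, e.g. `Permission request = permissionFactory.createPermission(requestPermission);` followed by `permission.implies(request)`. The debug message still says `FilePermission`, which is no longer accurate once the permission type is pluggable. The enclosing method starts and ends outside the hunk.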
@@ -127,7 +130,7 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
         new Function<String, Permission>() {
       @Override
       public Permission apply(String permission) {
-        return new WildcardPermission(permission);
+        return permissionFactory.createPermission(permission);
       }
     });
   }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/Roles.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/Roles.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/Roles.java
index 924c2cc..39044fd 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/Roles.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/Roles.java
@@ -16,71 +16,15 @@
  */
 package org.apache.sentry.provider.file;
 
-import java.util.Map.Entry;
-
 import javax.annotation.Nullable;
 
-import org.apache.sentry.core.Database;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.ImmutableSetMultimap;
-
-public class Roles {
-  private static final Logger LOGGER = LoggerFactory
-      .getLogger(Roles.class);
-  private final ImmutableSetMultimap<String, String> globalRoles;
-  private final ImmutableMap<String, ImmutableSetMultimap<String, String>> perDatabaseRoles;
-  public Roles() {
-    this(ImmutableSetMultimap.<String,String>of(),
-        ImmutableMap.<String, ImmutableSetMultimap<String, String>>of());
-  }
-  public Roles(
-      ImmutableSetMultimap<String, String> globalRoles,
-      ImmutableMap<String, ImmutableSetMultimap<String, String>> perDatabaseRoles) {
-    super();
-    this.globalRoles = globalRoles;
-    this.perDatabaseRoles = perDatabaseRoles;
-  }
-  public ImmutableSet<String> getRoles(@Nullable String database, String group, Boolean isURI) {
-    ImmutableSet.Builder<String> resultBuilder = ImmutableSet.builder();
-    String allowURIPerDbFile =
-        System.getProperty(SimplePolicyEngine.ACCESS_ALLOW_URI_PER_DB_POLICYFILE);
-    Boolean consultPerDbRolesForURI = isURI && ("true".equalsIgnoreCase(allowURIPerDbFile));
 
-    // handle Database.ALL
-    if (Database.ALL.getName().equals(database)) {
-      for(Entry<String, ImmutableSetMultimap<String, String>> dbListEntry : perDatabaseRoles.entrySet()) {
-        if (dbListEntry.getValue().containsKey(group)) {
-          resultBuilder.addAll(dbListEntry.getValue().get(group));
-        }
-      }
-    } else if(database != null) {
-      ImmutableSetMultimap<String, String> dbPolicies =  perDatabaseRoles.get(database);
-      if(dbPolicies != null && dbPolicies.containsKey(group)) {
-        resultBuilder.addAll(dbPolicies.get(group));
-      }
-    }
-
-    if (consultPerDbRolesForURI) {
-      for(String db:perDatabaseRoles.keySet()) {
-        ImmutableSetMultimap<String, String> dbPolicies =  perDatabaseRoles.get(db);
-        if(dbPolicies != null && dbPolicies.containsKey(group)) {
-          resultBuilder.addAll(dbPolicies.get(group));
-        }
-      }
-    }
-
-    if(globalRoles.containsKey(group)) {
-      resultBuilder.addAll(globalRoles.get(group));
-    }
-    ImmutableSet<String> result = resultBuilder.build();
-    if(LOGGER.isDebugEnabled()) {
-      LOGGER.debug("Database {}, Group {}, Result {}",
-          new Object[]{ database, group, result});
-    }
-    return result;
-  }
+/**
+ * Interface for getting roles for a specific database/group.
+ * Perhaps this should be abstracted out further; right now it is currently
+ * very database-model specific.
+ */
+public interface Roles {
+  public ImmutableSet<String> getRoles(@Nullable String database, String group, Boolean isURI);
 }
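Review bot: `getRoles` takes a boxed `Boolean isURI`, so a caller can pass null; the implementation this commit removes evaluated `isURI && (...)`, which unboxes and throws a NullPointerException in that case. Since the flag decides whether per-database roles are consulted for URI requests, I would declare it as a primitive: `ImmutableSet<String> getRoles(@Nullable String database, String group, boolean isURI);` (the `public` modifier is redundant inside an interface). The Javadoc should also say what a null `database` means and that implementations return an empty set, not null, for a group with no roles, as the removed class did.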

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/RolesFactory.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/RolesFactory.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/RolesFactory.java
new file mode 100644
index 0000000..e060ff8
--- /dev/null
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/RolesFactory.java
@@ -0,0 +1,30 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.file;
+
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSetMultimap;
+
+/**
+ * Factory for creating Role objects
+ */
+public interface RolesFactory {
+  public Roles createRoles();
+
+  public Roles createRoles(ImmutableSetMultimap<String, String>globalRoles,
+      ImmutableMap<String, ImmutableSetMultimap<String, String>> perDatabaseRoles);
+}
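Review bot: Neither `createRoles` overload is documented, yet SimplePolicyParser in this commit publishes the result of the no-argument form when parsing the policy file fails. That makes "grants no roles to any group" a security-relevant requirement on every implementation, and it should be written down on the method: `/** Returns a Roles instance that grants no roles; used as the fallback when a policy file cannot be parsed. */`. The class comment should read `Factory for creating {@link Roles} objects`, and `ImmutableSetMultimap<String, String>globalRoles` is missing a space before the parameter name.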

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ServerNameMustMatch.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ServerNameMustMatch.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ServerNameMustMatch.java
deleted file mode 100644
index 1d2a8c6..0000000
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ServerNameMustMatch.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.file;
-
-import javax.annotation.Nullable;
-
-import org.apache.sentry.core.Authorizable;
-import org.apache.sentry.core.Server;
-import org.apache.shiro.config.ConfigurationException;
-
-public class ServerNameMustMatch extends AbstractRoleValidator {
-
-  private final String serverName;
-  public ServerNameMustMatch(String serverName) {
-    this.serverName = serverName;
-  }
-  @Override
-  public void validate(@Nullable String database, String role) throws ConfigurationException {
-    Iterable<Authorizable> authorizables = parseRole(role);
-    for(Authorizable authorizable : authorizables) {
-      if(authorizable instanceof Server && !serverName.equalsIgnoreCase(authorizable.getName())) {
-        String msg = "Server name " + authorizable.getName() + " in "
-      + role + " is invalid. Expected " + serverName;
-        throw new ConfigurationException(msg);
-      }
-    }
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ServersAllIsInvalid.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ServersAllIsInvalid.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ServersAllIsInvalid.java
deleted file mode 100644
index 8ee1c43..0000000
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ServersAllIsInvalid.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.file;
-
-import javax.annotation.Nullable;
-
-import org.apache.sentry.core.Authorizable;
-import org.apache.sentry.core.Server;
-import org.apache.shiro.config.ConfigurationException;
-
-public class ServersAllIsInvalid extends AbstractRoleValidator {
-
-  @Override
-  public void validate(@Nullable String database, String role) throws ConfigurationException {
-    Iterable<Authorizable> authorizables = parseRole(role);
-    for(Authorizable authorizable : authorizables) {
-      if(authorizable instanceof Server &&
-          authorizable.getName().equals(Server.ALL.getName())) {
-        String msg = "Invalid value for " + authorizable.getAuthzType() + " in " + role;
-        throw new ConfigurationException(msg);
-      }
-    }
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimplePolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimplePolicyEngine.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimplePolicyEngine.java
deleted file mode 100644
index 0d4c858..0000000
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimplePolicyEngine.java
+++ /dev/null
@@ -1,273 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.file;
-
-import static org.apache.sentry.provider.file.PolicyFileConstants.DATABASES;
-import static org.apache.sentry.provider.file.PolicyFileConstants.GROUPS;
-import static org.apache.sentry.provider.file.PolicyFileConstants.ROLES;
-import static org.apache.sentry.provider.file.PolicyFileConstants.ROLE_SPLITTER;
-import static org.apache.sentry.provider.file.PolicyFileConstants.USERS;
-
-import java.io.FileNotFoundException;
-import java.io.IOException;
-import java.net.URI;
-import java.util.Collection;
-import java.util.List;
-import java.util.Map;
-import java.util.Set;
-import java.util.concurrent.atomic.AtomicReference;
-
-import javax.annotation.Nullable;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.FileSystem;
-import org.apache.hadoop.fs.Path;
-import org.apache.sentry.core.AccessURI;
-import org.apache.sentry.core.Authorizable;
-import org.apache.sentry.core.Database;
-import org.apache.shiro.config.ConfigurationException;
-import org.apache.shiro.config.Ini;
-import org.apache.shiro.util.PermissionUtils;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Splitter;
-import com.google.common.base.Strings;
-import com.google.common.collect.HashMultimap;
-import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.ImmutableSetMultimap;
-import com.google.common.collect.Lists;
-import com.google.common.collect.Maps;
-import com.google.common.collect.Multimap;
-import com.google.common.collect.Sets;
-
-public class SimplePolicyEngine implements PolicyEngine {
-
-  private static final Logger LOGGER = LoggerFactory
-      .getLogger(SimplePolicyEngine.class);
-
-
-
-  private final FileSystem fileSystem;
-  private final Path resourcePath;
-  private final String serverName;
-  private final List<Path> perDbResources = Lists.newArrayList();
-  private final AtomicReference<Roles> rolesReference;
-  private final Configuration conf;
-  public final static String ACCESS_ALLOW_URI_PER_DB_POLICYFILE = "sentry.allow.uri.db.policyfile";
-
-  public SimplePolicyEngine(String resourcePath, String serverName) throws IOException {
-    this(new Configuration(), new Path(resourcePath), serverName);
-  }
-  @VisibleForTesting
-  public SimplePolicyEngine(Configuration conf, Path resourcePath, String serverName) throws IOException {
-    this.resourcePath = resourcePath;
-    this.serverName = serverName;
-    this.fileSystem = resourcePath.getFileSystem(conf);
-    this.rolesReference = new AtomicReference<Roles>();
-    this.rolesReference.set(new Roles());
-    this.conf = conf;
-    parse();
-  }
-
-  /**
-   * Parse the resource. Should not be used in the normal course
-   */
-  protected void parse() {
-    LOGGER.info("Parsing " + resourcePath);
-    Roles roles = new Roles();
-    try {
-      perDbResources.clear();
-      Ini ini = PolicyFiles.loadFromPath(fileSystem, resourcePath);
-      if(LOGGER.isDebugEnabled()) {
-        for(String sectionName : ini.getSectionNames()) {
-          LOGGER.debug("Section: " + sectionName);
-          Ini.Section section = ini.get(sectionName);
-          for(String key : section.keySet()) {
-            String value = section.get(key);
-            LOGGER.debug(key + " = " + value);
-          }
-        }
-      }
-      ImmutableSetMultimap<String, String> globalRoles;
-      Map<String, ImmutableSetMultimap<String, String>> perDatabaseRoles = Maps.newHashMap();
-      globalRoles = parseIni(null, ini);
-      Ini.Section filesSection = ini.getSection(DATABASES);
-      if(filesSection == null) {
-        LOGGER.info("Section " + DATABASES + " needs no further processing");
-      } else {
-        for(Map.Entry<String, String> entry : filesSection.entrySet()) {
-          String database = Strings.nullToEmpty(entry.getKey()).trim().toLowerCase();
-          Path perDbPolicy = new Path(Strings.nullToEmpty(entry.getValue()).trim());
-          if(isRelative(perDbPolicy)) {
-            perDbPolicy = new Path(resourcePath.getParent(), perDbPolicy);
-          }
-          try {
-            LOGGER.info("Parsing " + perDbPolicy);
-            Ini perDbIni = PolicyFiles.loadFromPath(perDbPolicy.getFileSystem(conf), perDbPolicy);
-            if(perDbIni.containsKey(USERS)) {
-              throw new ConfigurationException("Per-db policy files cannot contain " + USERS + " section");
-            }
-            if(perDbIni.containsKey(DATABASES)) {
-              throw new ConfigurationException("Per-db policy files cannot contain " + DATABASES + " section");
-            }
-            ImmutableSetMultimap<String, String> currentDbRoles = parseIni(database, perDbIni);
-            perDatabaseRoles.put(database, currentDbRoles);
-            perDbResources.add(perDbPolicy);
-          } catch (Exception e) {
-            LOGGER.error("Error processing key " + entry.getKey() + ", skipping " + entry.getValue(), e);
-          }
-        }
-      }
-      roles = new Roles(globalRoles, ImmutableMap.copyOf(perDatabaseRoles));
-    } catch (Exception e) {
-      LOGGER.error("Error processing file, ignoring " + resourcePath, e);
-    }
-    rolesReference.set(roles);
-  }
-
-  /**
-   * Relative for our purposes is no scheme, no authority
-   * and a non-absolute path portion.
-   */
-  private boolean isRelative(Path path) {
-    URI uri = path.toUri();
-    return uri.getAuthority() == null && uri.getScheme() == null && !path.isUriPathAbsolute();
-  }
-
-  protected long getModificationTime() throws IOException {
-    // if resource path has been deleted, throw all exceptions
-    long result = fileSystem.getFileStatus(resourcePath).getModificationTime();
-    for(Path perDbPolicy : perDbResources) {
-      try {
-        result = Math.max(result, fileSystem.getFileStatus(perDbPolicy).getModificationTime());
-      } catch (FileNotFoundException e) {
-        // if a per-db file has been deleted, wait until the main
-        // policy file has been updated before refreshing
-      }
-    }
-    return result;
-  }
-
-  private ImmutableSetMultimap<String, String> parseIni(String database, Ini ini) {
-    Ini.Section privilegesSection = ini.getSection(ROLES);
-    boolean invalidConfiguration = false;
-    if (privilegesSection == null) {
-      LOGGER.warn("Section {} empty for {}", ROLES, resourcePath);
-      invalidConfiguration = true;
-    }
-    Ini.Section groupsSection = ini.getSection(GROUPS);
-    if (groupsSection == null) {
-      LOGGER.warn("Section {} empty for {}", GROUPS, resourcePath);
-      invalidConfiguration = true;
-    }
-    if (!invalidConfiguration) {
-      return parsePermissions(database, privilegesSection, groupsSection);
-    }
-    return ImmutableSetMultimap.of();
-  }
-
-  private ImmutableSetMultimap<String, String> parsePermissions(@Nullable String database,
-      Ini.Section rolesSection, Ini.Section groupsSection) {
-    ImmutableSetMultimap.Builder<String, String> resultBuilder = ImmutableSetMultimap.builder();
-    Multimap<String, String> roleNameToPrivilegeMap = HashMultimap
-        .create();
-    List<? extends RoleValidator> validators = Lists.newArrayList(
-        new ServersAllIsInvalid(),
-        new DatabaseMustMatch(),
-        new DatabaseRequiredInRole(),
-        new ServerNameMustMatch(serverName));
-    for (Map.Entry<String, String> entry : rolesSection.entrySet()) {
-      String roleName = Strings.nullToEmpty(entry.getKey()).trim();
-      String roleValue = Strings.nullToEmpty(entry.getValue()).trim();
-      boolean invalidConfiguration = false;
-      if (roleName.isEmpty()) {
-        LOGGER.warn("Empty role name encountered in {}", resourcePath);
-        invalidConfiguration = true;
-      }
-      if (roleValue.isEmpty()) {
-        LOGGER.warn("Empty role value encountered in {}", resourcePath);
-        invalidConfiguration = true;
-      }
-      if (roleNameToPrivilegeMap.containsKey(roleName)) {
-        LOGGER.warn("Role {} defined twice in {}", roleName,
-            resourcePath);
-      }
-      Set<String> roles = PermissionUtils
-          .toPermissionStrings(roleValue);
-      if (!invalidConfiguration && roles != null) {
-        for(String role : roles) {
-          for(RoleValidator validator : validators) {
-            validator.validate(database, role.trim());
-          }
-        }
-        roleNameToPrivilegeMap.putAll(roleName, roles);
-      }
-    }
-    Splitter roleSplitter = ROLE_SPLITTER.omitEmptyStrings().trimResults();
-    for (Map.Entry<String, String> entry : groupsSection.entrySet()) {
-      String groupName = Strings.nullToEmpty(entry.getKey()).trim();
-      String groupPrivileges = Strings.nullToEmpty(entry.getValue()).trim();
-      Collection<String> resolvedGroupPrivileges = Sets.newHashSet();
-      for (String roleName : roleSplitter.split(groupPrivileges)) {
-        if (roleNameToPrivilegeMap.containsKey(roleName)) {
-          resolvedGroupPrivileges.addAll(roleNameToPrivilegeMap
-              .get(roleName));
-        } else {
-          LOGGER.warn("Role {} for group {} does not exist in privileges section in {}",
-              new Object[] { roleName, groupName, resourcePath });
-        }
-      }
-      resultBuilder.putAll(groupName, resolvedGroupPrivileges);
-    }
-    return resultBuilder.build();
-  }
-
-
-
-  /**
-   * {@inheritDoc}
-   */
-  @Override
-  public ImmutableSetMultimap<String, String> getPermissions(List<Authorizable> authorizables, List<String> groups) {
-    Roles roles = rolesReference.get();
-    String database = null;
-    Boolean isURI = false;
-    for(Authorizable authorizable : authorizables) {
-      if(authorizable instanceof Database) {
-        database = authorizable.getName();
-      }
-      if (authorizable instanceof AccessURI) {
-        isURI = true;
-      }
-    }
-
-    if(LOGGER.isDebugEnabled()) {
-      LOGGER.debug("Getting permissions for {} via {}", groups, database);
-    }
-    ImmutableSetMultimap.Builder<String, String> resultBuilder = ImmutableSetMultimap.builder();
-    for(String group : groups) {
-      resultBuilder.putAll(group, roles.getRoles(database, group, isURI));
-    }
-    ImmutableSetMultimap<String, String> result = resultBuilder.build();
-    if(LOGGER.isDebugEnabled()) {
-      LOGGER.debug("result = " + result);
-    }
-    return result;
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimplePolicyParser.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimplePolicyParser.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimplePolicyParser.java
new file mode 100644
index 0000000..f6b87e0
--- /dev/null
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimplePolicyParser.java
@@ -0,0 +1,241 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.file;
+
+import static org.apache.sentry.provider.file.PolicyFileConstants.DATABASES;
+import static org.apache.sentry.provider.file.PolicyFileConstants.GROUPS;
+import static org.apache.sentry.provider.file.PolicyFileConstants.ROLES;
+import static org.apache.sentry.provider.file.PolicyFileConstants.ROLE_SPLITTER;
+import static org.apache.sentry.provider.file.PolicyFileConstants.USERS;
+
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.net.URI;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.concurrent.atomic.AtomicReference;
+
+import javax.annotation.Nullable;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.Path;
+import org.apache.sentry.core.AccessURI;
+import org.apache.sentry.core.Authorizable;
+import org.apache.sentry.core.Database;
+import org.apache.shiro.config.ConfigurationException;
+import org.apache.shiro.config.Ini;
+import org.apache.shiro.util.PermissionUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Splitter;
+import com.google.common.base.Strings;
+import com.google.common.collect.HashMultimap;
+import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.ImmutableSetMultimap;
+import com.google.common.collect.Lists;
+import com.google.common.collect.Maps;
+import com.google.common.collect.Multimap;
+import com.google.common.collect.Sets;
+
+public class SimplePolicyParser {
+
+  private static final Logger LOGGER = LoggerFactory
+      .getLogger(SimplePolicyParser.class);
+
+
+
+  private final FileSystem fileSystem;
+  private final Path resourcePath;
+  private final List<Path> perDbResources = Lists.newArrayList();
+  private final AtomicReference<Roles> rolesReference;
+  private final RolesFactory rolesFactory;
+  private final Configuration conf;
+  private final List<? extends RoleValidator> validators;
+
+  public SimplePolicyParser(String resourcePath, RolesFactory rolesFactory, List<? extends RoleValidator> validators) throws IOException {
+    this(new Configuration(), new Path(resourcePath), rolesFactory, validators);
+  }
+
+  @VisibleForTesting
+  public SimplePolicyParser(Configuration conf, Path resourcePath, RolesFactory rolesFactory, List<? extends RoleValidator> validators) throws IOException {
+    this.resourcePath = resourcePath;
+    this.fileSystem = resourcePath.getFileSystem(conf);
+    this.rolesReference = new AtomicReference<Roles>();
+    this.rolesReference.set(rolesFactory.createRoles());
+    this.conf = conf;
+    this.rolesFactory = rolesFactory;
+    this.validators = validators;
+    parse();
+  }
+
+  /**
+   * Parse the resource. Should not be used in the normal course
+   */
+  protected void parse() {
+    LOGGER.info("Parsing " + resourcePath);
+    Roles roles = rolesFactory.createRoles();
+    try {
+      perDbResources.clear();
+      Ini ini = PolicyFiles.loadFromPath(fileSystem, resourcePath);
+      if(LOGGER.isDebugEnabled()) {
+        for(String sectionName : ini.getSectionNames()) {
+          LOGGER.debug("Section: " + sectionName);
+          Ini.Section section = ini.get(sectionName);
+          for(String key : section.keySet()) {
+            String value = section.get(key);
+            LOGGER.debug(key + " = " + value);
+          }
+        }
+      }
+      ImmutableSetMultimap<String, String> globalRoles;
+      Map<String, ImmutableSetMultimap<String, String>> perDatabaseRoles = Maps.newHashMap();
+      globalRoles = parseIni(null, ini);
+      Ini.Section filesSection = ini.getSection(DATABASES);
+      if(filesSection == null) {
+        LOGGER.info("Section " + DATABASES + " needs no further processing");
+      } else {
+        for(Map.Entry<String, String> entry : filesSection.entrySet()) {
+          String database = Strings.nullToEmpty(entry.getKey()).trim().toLowerCase();
+          Path perDbPolicy = new Path(Strings.nullToEmpty(entry.getValue()).trim());
+          if(isRelative(perDbPolicy)) {
+            perDbPolicy = new Path(resourcePath.getParent(), perDbPolicy);
+          }
+          try {
+            LOGGER.info("Parsing " + perDbPolicy);
+            Ini perDbIni = PolicyFiles.loadFromPath(perDbPolicy.getFileSystem(conf), perDbPolicy);
+            if(perDbIni.containsKey(USERS)) {
+              throw new ConfigurationException("Per-db policy files cannot contain " + USERS + " section");
+            }
+            if(perDbIni.containsKey(DATABASES)) {
+              throw new ConfigurationException("Per-db policy files cannot contain " + DATABASES + " section");
+            }
+            ImmutableSetMultimap<String, String> currentDbRoles = parseIni(database, perDbIni);
+            perDatabaseRoles.put(database, currentDbRoles);
+            perDbResources.add(perDbPolicy);
+          } catch (Exception e) {
+            LOGGER.error("Error processing key " + entry.getKey() + ", skipping " + entry.getValue(), e);
+          }
+        }
+      }
+      roles = rolesFactory.createRoles(globalRoles, ImmutableMap.copyOf(perDatabaseRoles));
+    } catch (Exception e) {
+      LOGGER.error("Error processing file, ignoring " + resourcePath, e);
+    }
+    rolesReference.set(roles);
+  }
+  /**
+   * Relative for our purposes is no scheme, no authority
+   * and a non-absolute path portion.
+   */
+  private boolean isRelative(Path path) {
+    URI uri = path.toUri();
+    return uri.getAuthority() == null && uri.getScheme() == null && !path.isUriPathAbsolute();
+  }
+
+  protected long getModificationTime() throws IOException {
+    // if resource path has been deleted, throw all exceptions
+    long result = fileSystem.getFileStatus(resourcePath).getModificationTime();
+    for(Path perDbPolicy : perDbResources) {
+      try {
+        result = Math.max(result, fileSystem.getFileStatus(perDbPolicy).getModificationTime());
+      } catch (FileNotFoundException e) {
+        // if a per-db file has been deleted, wait until the main
+        // policy file has been updated before refreshing
+      }
+    }
+    return result;
+  }
+
+  private ImmutableSetMultimap<String, String> parseIni(String database, Ini ini) {
+    Ini.Section privilegesSection = ini.getSection(ROLES);
+    boolean invalidConfiguration = false;
+    if (privilegesSection == null) {
+      LOGGER.warn("Section {} empty for {}", ROLES, resourcePath);
+      invalidConfiguration = true;
+    }
+    Ini.Section groupsSection = ini.getSection(GROUPS);
+    if (groupsSection == null) {
+      LOGGER.warn("Section {} empty for {}", GROUPS, resourcePath);
+      invalidConfiguration = true;
+    }
+    if (!invalidConfiguration) {
+      return parsePermissions(database, privilegesSection, groupsSection);
+    }
+    return ImmutableSetMultimap.of();
+  }
+
+  private ImmutableSetMultimap<String, String> parsePermissions(@Nullable String database,
+      Ini.Section rolesSection, Ini.Section groupsSection) {
+    ImmutableSetMultimap.Builder<String, String> resultBuilder = ImmutableSetMultimap.builder();
+    Multimap<String, String> roleNameToPrivilegeMap = HashMultimap
+        .create();
+    for (Map.Entry<String, String> entry : rolesSection.entrySet()) {
+      String roleName = Strings.nullToEmpty(entry.getKey()).trim();
+      String roleValue = Strings.nullToEmpty(entry.getValue()).trim();
+      boolean invalidConfiguration = false;
+      if (roleName.isEmpty()) {
+        LOGGER.warn("Empty role name encountered in {}", resourcePath);
+        invalidConfiguration = true;
+      }
+      if (roleValue.isEmpty()) {
+        LOGGER.warn("Empty role value encountered in {}", resourcePath);
+        invalidConfiguration = true;
+      }
+      if (roleNameToPrivilegeMap.containsKey(roleName)) {
+        LOGGER.warn("Role {} defined twice in {}", roleName,
+            resourcePath);
+      }
+      Set<String> roles = PermissionUtils
+          .toPermissionStrings(roleValue);
+      if (!invalidConfiguration && roles != null) {
+        for(String role : roles) {
+          for(RoleValidator validator : validators) {
+            validator.validate(database, role.trim());
+          }
+        }
+        roleNameToPrivilegeMap.putAll(roleName, roles);
+      }
+    }
+    Splitter roleSplitter = ROLE_SPLITTER.omitEmptyStrings().trimResults();
+    for (Map.Entry<String, String> entry : groupsSection.entrySet()) {
+      String groupName = Strings.nullToEmpty(entry.getKey()).trim();
+      String groupPrivileges = Strings.nullToEmpty(entry.getValue()).trim();
+      Collection<String> resolvedGroupPrivileges = Sets.newHashSet();
+      for (String roleName : roleSplitter.split(groupPrivileges)) {
+        if (roleNameToPrivilegeMap.containsKey(roleName)) {
+          resolvedGroupPrivileges.addAll(roleNameToPrivilegeMap
+              .get(roleName));
+        } else {
+          LOGGER.warn("Role {} for group {} does not exist in privileges section in {}",
+              new Object[] { roleName, groupName, resourcePath });
+        }
+      }
+      resultBuilder.putAll(groupName, resolvedGroupPrivileges);
+    }
+    return resultBuilder.build();
+  }
+
+  public ImmutableSet<String> getRoles(@Nullable String database, String group, Boolean isURI) {
+    return rolesReference.get().getRoles(database, group, isURI);
+  }
+}
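Review bot: The constructor stores the caller's list as-is (`this.validators = validators;`), with no null check and no copy, although these validators used to be a fixed list built inside `parsePermissions`. A null list only surfaces later as a NullPointerException swallowed by the `catch (Exception e)` blocks in `parse()`, and a list that is mutated or emptied after construction silently changes which role checks run on the next parse. I would use `this.validators = ImmutableList.copyOf(Preconditions.checkNotNull(validators, "validators"));` (both Guava classes need importing). Separately, `getModificationTime()` stats each per-db file through `fileSystem`, the main policy file's filesystem, while `parse()` loads it via `perDbPolicy.getFileSystem(conf)`; a per-db file on another filesystem is then not checked where it was loaded from, so `fileSystem.getFileStatus(perDbPolicy)` should become `perDbPolicy.getFileSystem(conf).getFileStatus(perDbPolicy)`.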

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/WildcardPermission.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/WildcardPermission.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/WildcardPermission.java
deleted file mode 100644
index 23c845d..0000000
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/WildcardPermission.java
+++ /dev/null
@@ -1,188 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-// copied from apache shiro
-
-package org.apache.sentry.provider.file;
-
-import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_JOINER;
-import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_SPLITTER;
-
-import java.io.File;
-import java.io.Serializable;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.util.List;
-
-import org.apache.commons.lang.text.StrSubstitutor;
-import org.apache.sentry.core.AccessConstants;
-import org.apache.sentry.core.Authorizable.AuthorizableType;
-import org.apache.shiro.authz.Permission;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Preconditions;
-import com.google.common.base.Strings;
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.Lists;
-
-// XXX this class is made ugly by the fact that Action is not a Authorizable.
-public class WildcardPermission implements Permission, Serializable {
-  private static final Logger LOGGER = LoggerFactory
-      .getLogger(WildcardPermission.class);
-  private static final long serialVersionUID = -6785051263922740818L;
-
-  private final ImmutableList<KeyValue> parts;
-
-  public WildcardPermission(String wildcardString) {
-    wildcardString = Strings.nullToEmpty(wildcardString).trim();
-    if (wildcardString.isEmpty()) {
-      throw new IllegalArgumentException("Wildcard string cannot be null or empty.");
-    }
-    List<KeyValue>parts = Lists.newArrayList();
-    for (String authorizable : AUTHORIZABLE_SPLITTER.trimResults().split(wildcardString)) {
-      if (authorizable.isEmpty()) {
-        throw new IllegalArgumentException("Privilege '" + wildcardString + "' has an empty section");
-      }
-      parts.add(new KeyValue(authorizable));
-    }
-    if (parts.isEmpty()) {
-      throw new AssertionError("Should never occur: " + wildcardString);
-    }
-    this.parts = ImmutableList.copyOf(parts);
-  }
-
-
-  @Override
-  public boolean implies(Permission p) {
-    // By default only supports comparisons with other WildcardPermissions
-    if (!(p instanceof WildcardPermission)) {
-      return false;
-    }
-
-    WildcardPermission wp = (WildcardPermission) p;
-
-    List<KeyValue> otherParts = wp.parts;
-    if(equals(wp)) {
-      return true;
-    }
-    int index = 0;
-    for (KeyValue otherPart : otherParts) {
-      // If this permission has less parts than the other permission, everything
-      // after the number of parts contained
-      // in this permission is automatically implied, so return true
-      if (parts.size() - 1 < index) {
-        return true;
-      } else {
-        KeyValue part = parts.get(index);
-        // are the keys even equal
-        if(!part.getKey().equalsIgnoreCase(otherPart.getKey())) {
-          return false;
-        }
-        if (!impliesKeyValue(part, otherPart)) {
-          return false;
-        }
-        index++;
-      }
-    }
-    // If this permission has more parts than
-    // the other parts, only imply it if
-    // all of the other parts are wildcards
-    for (; index < parts.size(); index++) {
-      KeyValue part = parts.get(index);
-      if (!part.getValue().equals(AccessConstants.ALL)) {
-        return false;
-      }
-    }
-
-    return true;
-  }
-
-  private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) {
-    Preconditions.checkState(policyPart.getKey().equalsIgnoreCase(requestPart.getKey()),
-        "Please report, this method should not be called with two different keys");
-    if(policyPart.getValue().equals(AccessConstants.ALL) || policyPart.equals(requestPart)) {
-      return true;
-    } else if (!PolicyFileConstants.PRIVILEGE_NAME.equalsIgnoreCase(policyPart.getKey())
-        && AccessConstants.ALL.equalsIgnoreCase(requestPart.getValue())) {
-      /* permission request is to match with any object of given type */
-      return true;
-    } else if(policyPart.getKey().equalsIgnoreCase(AuthorizableType.URI.name())) {
-      return impliesURI(policyPart.getValue(), requestPart.getValue());
-    }
-    return false;
-  }
-
-  /**
-   * URI is a a special case. For URI's, /a implies /a/b.
-   * Therefore the test is "/a/b".startsWith("/a");
-   */
-  @VisibleForTesting
-  protected static boolean impliesURI(String policy, String request) {
-    try {
-      URI policyURI = new URI(new StrSubstitutor(System.getProperties()).replace(policy));
-      URI requestURI = new URI(request);
-      if(policyURI.getScheme() == null || policyURI.getPath() == null) {
-        LOGGER.warn("Policy URI " + policy + " is not valid. Either no scheme or no path.");
-        return false;
-      }
-      if(requestURI.getScheme() == null || requestURI.getPath() == null) {
-        LOGGER.warn("Request URI " + request + " is not valid. Either no scheme or no path.");
-        return false;
-      }
-      // schemes are equal &&
-      // request path does not contain relative parts /a/../b &&
-      // request path starts with policy path &&
-      // authorities (nullable) are equal
-      String requestPath = requestURI.getPath() + File.separator;
-      String policyPath = policyURI.getPath() + File.separator;
-      if(policyURI.getScheme().equals(requestURI.getScheme()) &&
-          requestURI.getPath().equals(new URI(request).normalize().getPath()) &&
-          requestPath.startsWith(policyPath) &&
-          Strings.nullToEmpty(policyURI.getAuthority()).equals(Strings.nullToEmpty(requestURI.getAuthority()))) {
-        return true;
-      }
-      return false;
-    } catch (URISyntaxException e) {
-      LOGGER.warn("Request URI " + request + " is not a URI", e);
-      return false;
-    }
-  }
-
-  @Override
-  public String toString() {
-    return AUTHORIZABLE_JOINER.join(parts);
-  }
-
-  @Override
-  public boolean equals(Object o) {
-    if (o instanceof WildcardPermission) {
-      WildcardPermission wp = (WildcardPermission) o;
-      return parts.equals(wp.parts);
-    }
-    return false;
-  }
-
-  @Override
-  public int hashCode() {
-    return parts.hashCode();
-  }
-
-}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestAuthorizables.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestAuthorizables.java
deleted file mode 100644
index f81b574..0000000
--- a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestAuthorizables.java
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.provider.file;
-import static junit.framework.Assert.assertEquals;
-import static junit.framework.Assert.assertNull;
-
-import org.apache.sentry.core.AccessURI;
-import org.apache.sentry.core.Database;
-import org.apache.sentry.core.Server;
-import org.apache.sentry.core.Table;
-import org.apache.sentry.core.View;
-import org.apache.sentry.provider.file.Authorizables;
-import org.junit.Test;
-
-public class TestAuthorizables {
-
-  @Test
-  public void testServer() throws Exception {
-    Server server = (Server)Authorizables.from("SeRvEr=server1");
-    assertEquals("server1", server.getName());
-  }
-  @Test
-  public void testDb() throws Exception {
-    Database db = (Database)Authorizables.from("dB=db1");
-    assertEquals("db1", db.getName());
-  }
-  @Test
-  public void testTable() throws Exception {
-    Table table = (Table)Authorizables.from("tAbLe=t1");
-    assertEquals("t1", table.getName());
-  }
-  @Test
-  public void testView() throws Exception {
-    View view = (View)Authorizables.from("vIeW=v1");
-    assertEquals("v1", view.getName());
-  }
-  @Test
-  public void testURI() throws Exception {
-    AccessURI uri = (AccessURI)Authorizables.from("UrI=hdfs://uri1:8200/blah");
-    assertEquals("hdfs://uri1:8200/blah", uri.getName());
-  }
-
-  @Test(expected=IllegalArgumentException.class)
-  public void testNoKV() throws Exception {
-    System.out.println(Authorizables.from("nonsense"));
-  }
-
-  @Test(expected=IllegalArgumentException.class)
-  public void testTooManyKV() throws Exception {
-    System.out.println(Authorizables.from("k=v1=v2"));
-  }
-  @Test(expected=IllegalArgumentException.class)
-  public void testEmptyKey() throws Exception {
-    System.out.println(Authorizables.from("=v"));
-  }
-  @Test(expected=IllegalArgumentException.class)
-  public void testEmptyValue() throws Exception {
-    System.out.println(Authorizables.from("k="));
-  }
-  @Test
-  public void testNotAuthorizable() throws Exception {
-    assertNull(Authorizables.from("k=v"));
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestDatabaseRequiredInRole.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestDatabaseRequiredInRole.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestDatabaseRequiredInRole.java
deleted file mode 100644
index fc35043..0000000
--- a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestDatabaseRequiredInRole.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.provider.file;
-
-import junit.framework.Assert;
-
-import org.apache.shiro.config.ConfigurationException;
-import org.junit.Test;
-
-public class TestDatabaseRequiredInRole {
-
-  @Test
-  public void testURIInPerDbPolicyFile() throws Exception {
-    DatabaseRequiredInRole dbRequiredInRole = new DatabaseRequiredInRole();
-    System.setProperty("sentry.allow.uri.db.policyfile", "true");
-    dbRequiredInRole.validate("db1",
-      "server=server1->URI=file:///user/hive/warehouse/tab1");
-    System.setProperty("sentry.allow.uri.db.policyfile", "false");
-  }
-
-  @Test
-  public void testURIWithDBInPerDbPolicyFile() throws Exception {
-    DatabaseRequiredInRole dbRequiredInRole = new DatabaseRequiredInRole();
-    try {
-      dbRequiredInRole.validate("db1",
-        "server=server1->db=db1->URI=file:///user/hive/warehouse/tab1");
-      Assert.fail("Expected ConfigurationException");
-    } catch (ConfigurationException e) {
-      ;
-    }
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/172631be/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestPolicyParsingNegative.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestPolicyParsingNegative.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestPolicyParsingNegative.java
deleted file mode 100644
index e6e6564..0000000
--- a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestPolicyParsingNegative.java
+++ /dev/null
@@ -1,238 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.file;
-
-import java.io.File;
-import java.io.IOException;
-import java.util.Arrays;
-
-import junit.framework.Assert;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.Authorizable;
-import org.apache.sentry.core.Database;
-import org.apache.sentry.core.Server;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Charsets;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Lists;
-import com.google.common.io.Files;
-
-public class TestPolicyParsingNegative {
-
-  @SuppressWarnings("unused")
-  private static final Logger LOGGER = LoggerFactory
-      .getLogger(TestPolicyParsingNegative.class);
-
-  private File baseDir;
-  private File globalPolicyFile;
-  private File otherPolicyFile;
-
-  @Before
-  public void setup() {
-    baseDir = Files.createTempDir();
-    globalPolicyFile = new File(baseDir, "global.ini");
-    otherPolicyFile = new File(baseDir, "other.ini");
-  }
-
-  @After
-  public void teardown() {
-    if(baseDir != null) {
-      FileUtils.deleteQuietly(baseDir);
-    }
-  }
-
-  private void append(String from, File to) throws IOException {
-    Files.append(from + "\n", to, Charsets.UTF_8);
-  }
-
-  @Test
-  public void testUnauthorizedDbSpecifiedInDBPolicyFile() throws Exception {
-    append("[databases]", globalPolicyFile);
-    append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile);
-    append("[groups]", otherPolicyFile);
-    append("other_group = malicious_role", otherPolicyFile);
-    append("[roles]", otherPolicyFile);
-    append("malicious_role = server=server1->db=customers->table=purchases->action=select", otherPolicyFile);
-    PolicyEngine policy = new SimplePolicyEngine(globalPolicyFile.getPath(), "server1");
-    ImmutableSet<String> permissions = policy.getPermissions(
-        Arrays.asList(new Authorizable[] {
-            new Server("server1"),
-            new Database("other_group_db")
-    }), Lists.newArrayList("other_group")).get("other_group");
-    Assert.assertTrue(permissions.toString(), permissions.isEmpty());
-  }
-  @Test
-  public void testPerDbFileCannotContainUsersOrDatabases() throws Exception {
-    PolicyEngine policy;
-    ImmutableSet<String> permissions;
-    PolicyFile policyFile;
-    // test sanity
-    policyFile = PolicyFile.setAdminOnServer1("admin");
-    policyFile.addGroupsToUser("admin1", "admin");
-    policyFile.write(globalPolicyFile);
-    policyFile.write(otherPolicyFile);
-    policy = new SimplePolicyEngine(globalPolicyFile.getPath(), "server1");
-    permissions = policy.getPermissions(
-        Arrays.asList(new Authorizable[] {
-            new Server("server1")
-    }), Lists.newArrayList("admin")).get("admin");
-    Assert.assertEquals(permissions.toString(), "[server=server1]");
-    // test to ensure [users] fails parsing of per-db file
-    policyFile.addDatabase("other", otherPolicyFile.getPath());
-    policyFile.write(globalPolicyFile);
-    policyFile.write(otherPolicyFile);
-    policy = new SimplePolicyEngine(globalPolicyFile.getPath(), "server1");
-    permissions = policy.getPermissions(
-        Arrays.asList(new Authorizable[] {
-            new Server("server1")
-    }), Lists.newArrayList("admin")).get("admin");
-    Assert.assertEquals(permissions.toString(), "[server=server1]");
-    // test to ensure [databases] fails parsing of per-db file
-    // by removing the user mapping from the per-db policy file
-    policyFile.removeGroupsFromUser("admin1", "admin")
-      .write(otherPolicyFile);
-    policy = new SimplePolicyEngine(globalPolicyFile.getPath(), "server1");
-    permissions = policy.getPermissions(
-        Arrays.asList(new Authorizable[] {
-            new Server("server1")
-    }), Lists.newArrayList("admin")).get("admin");
-    Assert.assertEquals(permissions.toString(), "[server=server1]");
-  }
-  @Test
-  public void testDatabaseRequiredInRole() throws Exception {
-    append("[databases]", globalPolicyFile);
-    append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile);
-    append("[groups]", otherPolicyFile);
-    append("other_group = malicious_role", otherPolicyFile);
-    append("[roles]", otherPolicyFile);
-    append("malicious_role = server=server1", otherPolicyFile);
-    PolicyEngine policy = new SimplePolicyEngine(globalPolicyFile.getPath(), "server1");
-    ImmutableSet<String> permissions = policy.getPermissions(
-        Arrays.asList(new Authorizable[] {
-            new Server("server1"),
-            new Database("other_group_db")
-    }), Lists.newArrayList("other_group")).get("other_group");
-    Assert.assertTrue(permissions.toString(), permissions.isEmpty());
-  }
-  @Test
-  public void testServerAll() throws Exception {
-    append("[groups]", globalPolicyFile);
-    append("group = malicious_role", globalPolicyFile);
-    append("[roles]", globalPolicyFile);
-    append("malicious_role = server=*", globalPolicyFile);
-    PolicyEngine policy = new SimplePolicyEngine(globalPolicyFile.getPath(), "server1");
-    ImmutableSet<String> permissions = policy.getPermissions(
-        Arrays.asList(new Authorizable[] {
-            Server.ALL,
-            new Database("some_db")
-    }), Lists.newArrayList("group")).get("group");
-    Assert.assertTrue(permissions.toString(), permissions.isEmpty());
-  }
-  @Test
-  public void testServerIncorrect() throws Exception {
-    append("[groups]", globalPolicyFile);
-    append("group = malicious_role", globalPolicyFile);
-    append("[roles]", globalPolicyFile);
-    append("malicious_role = server=server2", globalPolicyFile);
-    PolicyEngine policy = new SimplePolicyEngine(globalPolicyFile.getPath(), "server1");
-    ImmutableSet<String> permissions = policy.getPermissions(
-        Arrays.asList(new Authorizable[] {
-            Server.ALL,
-            new Database("some_db")
-    }), Lists.newArrayList("group")).get("group");
-    Assert.assertTrue(permissions.toString(), permissions.isEmpty());
-  }
-
-  @Test
-  public void testAll() throws Exception {
-    append("[groups]", globalPolicyFile);
-    append("group = malicious_role", globalPolicyFile);
-    append("[roles]", globalPolicyFile);
-    append("malicious_role = *", globalPolicyFile);
-    PolicyEngine policy = new SimplePolicyEngine(globalPolicyFile.getPath(), "server1");
-    ImmutableSet<String> permissions = policy.getPermissions(
-        Arrays.asList(new Authorizable[] {
-            Server.ALL,
-            new Database("some_db")
-    }), Lists.newArrayList("group")).get("group");
-    Assert.assertTrue(permissions.toString(), permissions.isEmpty());
-  }
-
-  /**
-   * Create policy file with multiple per db files.
-   * Verify that a file with bad format is the only one that's ignored
-   * @throws Exception
-   */
-  @Test
-  public void testMultiDbWithErrors() throws Exception {
-    File db1PolicyFile = new File(baseDir, "db1.ini");
-    File db2PolicyFile = new File(baseDir, "db2.ini");
-
-    // global policy file
-    append("[databases]", globalPolicyFile);
-    append("db1 = " + db1PolicyFile.getPath(), globalPolicyFile);
-    append("db2 = " + db2PolicyFile.getPath(), globalPolicyFile);
-    append("[groups]", globalPolicyFile);
-    append("db3_group = db3_rule", globalPolicyFile);
-    append("[roles]", globalPolicyFile);
-    append("db3_rule = server=server1->db=db3->table=sales->action=select", globalPolicyFile);
-
-    //db1 policy file with badly formatted rule
-    append("[groups]", db1PolicyFile);
-    append("db1_group = bad_rule", db1PolicyFile);
-    append("[roles]", db1PolicyFile);
-    append("bad_rule = server=server1->db=customers->=purchases->action=", db1PolicyFile);
-
-    //db2 policy file with proper rule
-    append("[groups]", db2PolicyFile);
-    append("db2_group = db2_rule", db2PolicyFile);
-    append("[roles]", db2PolicyFile);
-    append("db2_rule = server=server1->db=db2->table=purchases->action=select", db2PolicyFile);
-
-    PolicyEngine policy = new SimplePolicyEngine(globalPolicyFile.getPath(), "server1");
-
-    // verify that the db1 rule is empty
-    ImmutableSet<String> permissions = policy.getPermissions(
-        Arrays.asList(new Authorizable[] {
-            new Server("server1"),
-            new Database("db1")
-    }), Lists.newArrayList("db1_group")).get("db1_group");
-    Assert.assertTrue(permissions.toString(), permissions.isEmpty());
-
-    permissions = policy.getPermissions(
-        Arrays.asList(new Authorizable[] {
-            new Server("server1"),
-            new Database("db2")
-    }), Lists.newArrayList("db2_group")).get("db2_group");
-    Assert.assertEquals(permissions.toString(), 1, permissions.size());
-
-    permissions = policy.getPermissions(
-        Arrays.asList(new Authorizable[] {
-            new Server("server1"),
-            new Database("db2")
-    }), Lists.newArrayList("db2_group")).get("db2_group");
-    Assert.assertEquals(permissions.toString(), 1, permissions.size());
-
-  }
-
-}

