sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From gcha...@apache.org
Subject [2/4] SENTRY-122: Refactor provider/policy API to allow for DB-policy provider (Brock Noland via Gregory Chanan)
Date Wed, 05 Mar 2014 00:14:38 GMT
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SearchWildcardPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SearchWildcardPrivilege.java b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SearchWildcardPrivilege.java
new file mode 100644
index 0000000..9a33fcf
--- /dev/null
+++ b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SearchWildcardPrivilege.java
@@ -0,0 +1,146 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+// copied from apache shiro
+
+package org.apache.sentry.policy.search;
+
+import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_JOINER;
+import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_SPLITTER;
+
+import java.util.List;
+
+import org.apache.sentry.core.model.search.SearchConstants;
+import org.apache.sentry.policy.common.Privilege;
+import org.apache.sentry.policy.common.PrivilegeFactory;
+import org.apache.sentry.provider.file.KeyValue;
+import org.apache.sentry.provider.file.PolicyFileConstants;
+
+import com.google.common.base.Preconditions;
+import com.google.common.base.Strings;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.Lists;
+
+public class SearchWildcardPrivilege implements Privilege {
+
+  private final ImmutableList<KeyValue> parts;
+
+  public SearchWildcardPrivilege(String wildcardString) {
+    wildcardString = Strings.nullToEmpty(wildcardString).trim();
+    if (wildcardString.isEmpty()) {
+      throw new IllegalArgumentException("Wildcard string cannot be null or empty.");
+    }
+    List<KeyValue>parts = Lists.newArrayList();
+    for (String authorizable : AUTHORIZABLE_SPLITTER.trimResults().split(wildcardString)) {
+      if (authorizable.isEmpty()) {
+        throw new IllegalArgumentException("Privilege '" + wildcardString + "' has an empty section");
+      }
+      parts.add(new KeyValue(authorizable));
+    }
+    if (parts.isEmpty()) {
+      throw new AssertionError("Should never occur: " + wildcardString);
+    }
+    this.parts = ImmutableList.copyOf(parts);
+  }
+
+
+  @Override
+  public boolean implies(Privilege p) {
+    // By default only supports comparisons with other SearchWildcardPermissions
+    if (!(p instanceof SearchWildcardPrivilege)) {
+      return false;
+    }
+
+    SearchWildcardPrivilege wp = (SearchWildcardPrivilege) p;
+
+    List<KeyValue> otherParts = wp.parts;
+    if(equals(wp)) {
+      return true;
+    }
+    int index = 0;
+    for (KeyValue otherPart : otherParts) {
+      // If this privilege has less parts than the other privilege, everything
+      // after the number of parts contained
+      // in this privilege is automatically implied, so return true
+      if (parts.size() - 1 < index) {
+        return true;
+      } else {
+        KeyValue part = parts.get(index);
+        // are the keys even equal
+        if(!part.getKey().equalsIgnoreCase(otherPart.getKey())) {
+          return false;
+        }
+        if (!impliesKeyValue(part, otherPart)) {
+          return false;
+        }
+        index++;
+      }
+    }
+    // If this privilege has more parts than
+    // the other parts, only imply it if
+    // all of the other parts are wildcards
+    for (; index < parts.size(); index++) {
+      KeyValue part = parts.get(index);
+      if (!part.getValue().equals(SearchConstants.ALL)) {
+        return false;
+      }
+    }
+
+    return true;
+  }
+
+  private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) {
+    Preconditions.checkState(policyPart.getKey().equalsIgnoreCase(requestPart.getKey()),
+        "Please report, this method should not be called with two different keys");
+    if(policyPart.getValue().equals(SearchConstants.ALL) || policyPart.equals(requestPart)) {
+      return true;
+    } else if (!PolicyFileConstants.PRIVILEGE_NAME.equalsIgnoreCase(policyPart.getKey())
+        && SearchConstants.ALL.equalsIgnoreCase(requestPart.getValue())) {
+      /* privilege request is to match with any object of given type */
+      return true;
+    }
+    return false;
+  }
+
+  @Override
+  public String toString() {
+    return AUTHORIZABLE_JOINER.join(parts);
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (o instanceof SearchWildcardPrivilege) {
+      SearchWildcardPrivilege wp = (SearchWildcardPrivilege) o;
+      return parts.equals(wp.parts);
+    }
+    return false;
+  }
+
+  @Override
+  public int hashCode() {
+    return parts.hashCode();
+  }
+
+  public static class SearchWildcardPrivilegeFactory implements PrivilegeFactory {
+    @Override
+    public Privilege createPrivilege(String privilege) {
+      return new SearchWildcardPrivilege(privilege);
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
index 51ab35d..3519d05 100644
--- a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
+++ b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
@@ -16,29 +16,19 @@
  */
 package org.apache.sentry.policy.search;
 
-import javax.annotation.Nullable;
+import java.util.Set;
 
-import java.io.IOException;
-import java.util.List;
-import java.util.Map.Entry;
-
-import org.apache.shiro.config.ConfigurationException;
-import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.SentryConfigurationException;
-import org.apache.sentry.policy.common.PermissionFactory;
+import org.apache.sentry.policy.common.PrivilegeFactory;
 import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.policy.common.RoleValidator;
+import org.apache.sentry.policy.common.PrivilegeValidator;
 import org.apache.sentry.provider.common.ProviderBackend;
-import org.apache.sentry.provider.common.Roles;
-import org.apache.sentry.provider.file.SimpleFileProviderBackend;
+import org.apache.sentry.provider.common.ProviderBackendContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.ImmutableSetMultimap;
-import com.google.common.collect.Lists;
 
 /**
  * A PolicyEngine for a search service.
@@ -48,87 +38,46 @@ public class SimpleSearchPolicyEngine implements PolicyEngine {
   private static final Logger LOGGER = LoggerFactory
       .getLogger(SimpleSearchPolicyEngine.class);
 
-  private ProviderBackend providerBackend;
+  private final ProviderBackend providerBackend;
 
   public SimpleSearchPolicyEngine(ProviderBackend providerBackend) {
-    List<? extends RoleValidator> validators =
-      Lists.newArrayList(new CollectionRequiredInRole());
     this.providerBackend = providerBackend;
-    this.providerBackend.process(validators);
-
-    if (!this.providerBackend.getRoles().getPerDatabaseRoles().isEmpty()) {
-      throw new ConfigurationException(
-        "SimpleSearchPolicyEngine does not support per-database roles, " +
-        "but per-database roles were specified.  Ignoring.");
-    }
-  }
-
-  /*
-   * Note: finalize is final because constructor throws exception, see:
-   * OBJ11-J.
-   */
-  public final void finalize() {
-    // do nothing
+    ProviderBackendContext context = new ProviderBackendContext();
+    context.setAllowPerDatabase(false);
+    context.setValidators(createPrivilegeValidators());
+    this.providerBackend.initialize(context);
   }
 
   /**
    * {@inheritDoc}
    */
   @Override
-  public PermissionFactory getPermissionFactory() {
-    return new SearchWildcardPermission.SearchWildcardPermissionFactory();
+  public PrivilegeFactory getPrivilegeFactory() {
+    return new SearchWildcardPrivilege.SearchWildcardPrivilegeFactory();
   }
 
   /**
    * {@inheritDoc}
    */
   @Override
-  public ImmutableSetMultimap<String, String> getPermissions(List<? extends Authorizable> authorizables, List<String> groups) {
+  public ImmutableSet<String> getPrivileges(Set<String> groups) {
     if(LOGGER.isDebugEnabled()) {
       LOGGER.debug("Getting permissions for {}", groups);
     }
-    ImmutableSetMultimap.Builder<String, String> resultBuilder = ImmutableSetMultimap.builder();
-    for(String group : groups) {
-      resultBuilder.putAll(group, getSearchRoles(group,providerBackend.getRoles()));
-    }
-    ImmutableSetMultimap<String, String> result = resultBuilder.build();
+    ImmutableSet<String> result = providerBackend.getPrivileges(groups);
     if(LOGGER.isDebugEnabled()) {
       LOGGER.debug("result = " + result);
     }
     return result;
   }
 
-  private ImmutableSet<String> getSearchRoles(String group, Roles roles) {
-    ImmutableSetMultimap<String, String> globalRoles = roles.getGlobalRoles();
-    ImmutableSet.Builder<String> resultBuilder = ImmutableSet.builder();
-
-    if(globalRoles.containsKey(group)) {
-      resultBuilder.addAll(globalRoles.get(group));
-    }
-    ImmutableSet<String> result = resultBuilder.build();
-    if(LOGGER.isDebugEnabled()) {
-      LOGGER.debug("Group {}, Result {}",
-          new Object[]{ group, result});
-    }
-    return result;
-  }
-
-  @Override
-  public ImmutableSet<String> listPermissions(String groupName)
-      throws SentryConfigurationException {
-    // TODO: not supported yet
-    throw new SentryConfigurationException("Not implemented yet");
-  }
-
   @Override
-  public ImmutableSet<String> listPermissions(List<String> groupName)
+  public void validatePolicy(boolean strictValidation)
       throws SentryConfigurationException {
     throw new SentryConfigurationException("Not implemented yet");
   }
 
-  @Override
-  public void validatePolicy(boolean strictValidation)
-      throws SentryConfigurationException {
-    throw new SentryConfigurationException("Not implemented yet");
+  public static ImmutableList<PrivilegeValidator> createPrivilegeValidators() {
+    return ImmutableList.<PrivilegeValidator>of(new CollectionRequiredInPrivilege());
   }
-}
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/AbstractTestSearchPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/AbstractTestSearchPolicyEngine.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/AbstractTestSearchPolicyEngine.java
index 24e9521..495ec0d 100644
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/AbstractTestSearchPolicyEngine.java
+++ b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/AbstractTestSearchPolicyEngine.java
@@ -18,15 +18,12 @@ package org.apache.sentry.policy.search;
 
 import java.io.File;
 import java.io.IOException;
-import java.util.List;
 import java.util.Set;
 import java.util.TreeSet;
 
 import junit.framework.Assert;
 
 import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.model.search.Collection;
 import org.apache.sentry.policy.common.PolicyEngine;
 import org.junit.After;
 import org.junit.AfterClass;
@@ -34,7 +31,6 @@ import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
 
-import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
 import com.google.common.io.Files;
 
@@ -50,7 +46,6 @@ public abstract class AbstractTestSearchPolicyEngine {
 
   private PolicyEngine policy;
   private static File baseDir;
-  private List<Authorizable> authorizables = Lists.newArrayList();
 
   @BeforeClass
   public static void setupClazz() throws IOException {
@@ -94,7 +89,7 @@ public abstract class AbstractTestSearchPolicyEngine {
         ANALYST_TMPCOLLECTION_QUERY, JRANALYST_JRANALYST1_ALL,
         JRANALYST_PURCHASES_PARTIAL_QUERY));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPermissions(authorizables, list("manager")).values())
+        new TreeSet<String>(policy.getPrivileges(set("manager")))
         .toString());
   }
 
@@ -105,7 +100,7 @@ public abstract class AbstractTestSearchPolicyEngine {
         ANALYST_JRANALYST1_ACTION_ALL, ANALYST_TMPCOLLECTION_UPDATE,
         ANALYST_TMPCOLLECTION_QUERY));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPermissions(authorizables, list("analyst")).values())
+        new TreeSet<String>(policy.getPrivileges(set("analyst")))
         .toString());
   }
 
@@ -115,7 +110,7 @@ public abstract class AbstractTestSearchPolicyEngine {
         .newHashSet(JRANALYST_JRANALYST1_ALL,
             JRANALYST_PURCHASES_PARTIAL_QUERY));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPermissions(authorizables, list("jranalyst")).values())
+        new TreeSet<String>(policy.getPrivileges(set("jranalyst")))
         .toString());
   }
 
@@ -123,11 +118,11 @@ public abstract class AbstractTestSearchPolicyEngine {
   public void testAdmin() throws Exception {
     Set<String> expected = Sets.newTreeSet(Sets.newHashSet(ADMIN_COLLECTION_ALL));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPermissions(authorizables, list("admin")).values())
+        new TreeSet<String>(policy.getPrivileges(set("admin")))
         .toString());
   }
 
-  private static List<String> list(String... values) {
-    return Lists.newArrayList(values);
+  private static Set<String> set(String... values) {
+    return Sets.newHashSet(values);
   }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/SearchPolicyFileBackend.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/SearchPolicyFileBackend.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/SearchPolicyFileBackend.java
index 874f2db..fd8af78 100644
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/SearchPolicyFileBackend.java
+++ b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/SearchPolicyFileBackend.java
@@ -17,6 +17,7 @@
 package org.apache.sentry.policy.search;
 
 import java.io.IOException;
+
 import org.apache.sentry.provider.file.SimpleFileProviderBackend;
 
 public class SearchPolicyFileBackend extends SimpleSearchPolicyEngine {

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestCollectionRequiredInRole.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestCollectionRequiredInRole.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestCollectionRequiredInRole.java
index a56aabd..b626f1a 100644
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestCollectionRequiredInRole.java
+++ b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestCollectionRequiredInRole.java
@@ -20,6 +20,7 @@ package org.apache.sentry.policy.search;
 
 import junit.framework.Assert;
 
+import org.apache.sentry.policy.common.PrivilegeValidatorContext;
 import org.apache.shiro.config.ConfigurationException;
 import org.junit.Test;
 
@@ -27,11 +28,11 @@ public class TestCollectionRequiredInRole {
 
   @Test
   public void testEmptyRole() throws Exception {
-    CollectionRequiredInRole collRequiredInRole = new CollectionRequiredInRole();
+    CollectionRequiredInPrivilege collRequiredInRole = new CollectionRequiredInPrivilege();
 
     // check no db
     try {
-      collRequiredInRole.validate(null,"index=index1");
+      collRequiredInRole.validate(new PrivilegeValidatorContext("index=index1"));
       Assert.fail("Expected ConfigurationException");
     } catch (ConfigurationException e) {
       ;
@@ -39,7 +40,7 @@ public class TestCollectionRequiredInRole {
 
     // check with db
     try {
-      collRequiredInRole.validate("db1","index=index2");
+      collRequiredInRole.validate(new PrivilegeValidatorContext("db1","index=index2"));
       Assert.fail("Expected ConfigurationException");
     } catch (ConfigurationException e) {
       ;
@@ -48,15 +49,15 @@ public class TestCollectionRequiredInRole {
 
   @Test
   public void testCollectionWithoutAction() throws Exception {
-    CollectionRequiredInRole collRequiredInRole = new CollectionRequiredInRole();
-    collRequiredInRole.validate(null,"collection=nodb");
-    collRequiredInRole.validate("db2","collection=db");
+    CollectionRequiredInPrivilege collRequiredInRole = new CollectionRequiredInPrivilege();
+    collRequiredInRole.validate(new PrivilegeValidatorContext("collection=nodb"));
+    collRequiredInRole.validate(new PrivilegeValidatorContext("db2","collection=db"));
   }
 
   @Test
   public void testCollectionWithAction() throws Exception {
-    CollectionRequiredInRole collRequiredInRole = new CollectionRequiredInRole();
-    collRequiredInRole.validate(null,"collection=nodb->action=query");
-    collRequiredInRole.validate("db2","collection=db->action=update");
+    CollectionRequiredInPrivilege collRequiredInRole = new CollectionRequiredInPrivilege();
+    collRequiredInRole.validate(new PrivilegeValidatorContext(null,"collection=nodb->action=query"));
+    collRequiredInRole.validate(new PrivilegeValidatorContext("db2","collection=db->action=update"));
   }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderGeneralCases.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderGeneralCases.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderGeneralCases.java
index 4bbaf3a..cd271a5 100644
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderGeneralCases.java
+++ b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderGeneralCases.java
@@ -29,9 +29,8 @@ import org.apache.commons.io.FileUtils;
 import org.apache.sentry.core.common.Action;
 import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.core.model.search.SearchConstants;
-import org.apache.sentry.core.model.search.SearchModelAction;
 import org.apache.sentry.core.model.search.Collection;
+import org.apache.sentry.core.model.search.SearchModelAction;
 import org.apache.sentry.provider.common.MockGroupMappingServiceProvider;
 import org.apache.sentry.provider.file.HadoopGroupResourceAuthorizationProvider;
 import org.apache.sentry.provider.file.PolicyFiles;

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderSpecialCases.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderSpecialCases.java
index 2a7872d..aa849ef 100644
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderSpecialCases.java
+++ b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderSpecialCases.java
@@ -25,8 +25,8 @@ import java.util.Set;
 import junit.framework.Assert;
 
 import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.core.model.search.Collection;
 import org.apache.sentry.core.model.search.SearchModelAction;

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchModelAuthorizables.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchModelAuthorizables.java
index bd06b7e..c68cd75 100644
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchModelAuthorizables.java
+++ b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchModelAuthorizables.java
@@ -20,9 +20,7 @@ package org.apache.sentry.policy.search;
 import static junit.framework.Assert.assertEquals;
 import static junit.framework.Assert.assertNull;
 
-
 import org.apache.sentry.core.model.search.Collection;
-import org.apache.sentry.policy.search.SearchModelAuthorizables;
 import org.junit.Test;
 
 public class TestSearchModelAuthorizables {

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyEngineDFS.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyEngineDFS.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyEngineDFS.java
index 1683eec..735935e 100644
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyEngineDFS.java
+++ b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyEngineDFS.java
@@ -18,7 +18,6 @@ package org.apache.sentry.policy.search;
 
 import java.io.File;
 import java.io.IOException;
-import java.util.List;
 
 import junit.framework.Assert;
 
@@ -26,16 +25,9 @@ import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.provider.file.PolicyFile;
 import org.apache.sentry.provider.file.PolicyFiles;
 import org.junit.AfterClass;
 import org.junit.BeforeClass;
-import org.junit.Test;
-
-import com.google.common.collect.ImmutableSetMultimap;
-import com.google.common.collect.Lists;
-import com.google.common.io.Files;
 
 public class TestSearchPolicyEngineDFS extends AbstractTestSearchPolicyEngine {
 
@@ -71,7 +63,8 @@ public class TestSearchPolicyEngineDFS extends AbstractTestSearchPolicyEngine {
     fileSystem.delete(etc, true);
     fileSystem.mkdirs(etc);
     PolicyFiles.copyToDir(fileSystem, etc, "test-authz-provider.ini");
-    setPolicy(new SearchPolicyFileBackend(new Path(etc, "test-authz-provider.ini").toString()));
+    setPolicy(new SearchPolicyFileBackend(new Path(etc,
+        "test-authz-provider.ini").toString()));
   }
 
   @Override

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyNegative.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyNegative.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyNegative.java
index 0770aa8..e95aca3 100644
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyNegative.java
+++ b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyNegative.java
@@ -18,16 +18,12 @@ package org.apache.sentry.policy.search;
 
 import java.io.File;
 import java.io.IOException;
-import java.util.Arrays;
+import java.util.Collections;
 
 import junit.framework.Assert;
 
 import org.apache.commons.io.FileUtils;
-import org.apache.shiro.config.ConfigurationException;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.model.search.Collection;
 import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.provider.file.PolicyFile;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
@@ -36,7 +32,7 @@ import org.slf4j.LoggerFactory;
 
 import com.google.common.base.Charsets;
 import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
 import com.google.common.io.Files;
 
 public class TestSearchPolicyNegative {
@@ -72,26 +68,22 @@ public class TestSearchPolicyNegative {
     append("[databases]", globalPolicyFile);
     append("other_group_db = " + otherPolicyFile.getPath(), globalPolicyFile);
     append("[groups]", otherPolicyFile);
-    append("other_group = malicious_role", otherPolicyFile);
+    append("other_group = some_role", otherPolicyFile);
     append("[roles]", otherPolicyFile);
-    append("malicious_role = collection=*", otherPolicyFile);
-    try {
-      PolicyEngine policy = new SearchPolicyFileBackend(globalPolicyFile.getPath());
-      Assert.fail("Excepted ConfigurationException");
-    } catch (ConfigurationException ce) {}
+    append("some_role = collection=c1", otherPolicyFile);
+    SearchPolicyFileBackend policy = new SearchPolicyFileBackend(globalPolicyFile.getPath());
+    Assert.assertEquals(Collections.emptySet(),
+        policy.getPrivileges(Sets.newHashSet("other_group")));
   }
 
   @Test
   public void testCollectionRequiredInRole() throws Exception {
     append("[groups]", globalPolicyFile);
-    append("group = malicious_role", globalPolicyFile);
+    append("group = some_role", globalPolicyFile);
     append("[roles]", globalPolicyFile);
-    append("malicious_role = action=query", globalPolicyFile);
+    append("some_role = action=query", globalPolicyFile);
     PolicyEngine policy = new SearchPolicyFileBackend(globalPolicyFile.getPath());
-    ImmutableSet<String> permissions = policy.getPermissions(
-        Arrays.asList(new Authorizable[] {
-            new Collection("collection1"),
-    }), Lists.newArrayList("group")).get("group");
+    ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("group"));
     Assert.assertTrue(permissions.toString(), permissions.isEmpty());
   }
 
@@ -102,10 +94,7 @@ public class TestSearchPolicyNegative {
     append("[roles]", globalPolicyFile);
     append("malicious_role = collection=*", globalPolicyFile);
     PolicyEngine policy = new SearchPolicyFileBackend(globalPolicyFile.getPath());
-    ImmutableSet<String> permissions = policy.getPermissions(
-        Arrays.asList(new Authorizable[] {
-            Collection.ALL
-    }), Lists.newArrayList("incorrectGroup")).get("incorrectGroup");
+    ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("incorrectGroup"));
     Assert.assertTrue(permissions.toString(), permissions.isEmpty());
   }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchWildcardPermission.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchWildcardPermission.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchWildcardPermission.java
deleted file mode 100644
index b20595d..0000000
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchWildcardPermission.java
+++ /dev/null
@@ -1,206 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.search;
-import static junit.framework.Assert.assertEquals;
-import static junit.framework.Assert.assertFalse;
-import static junit.framework.Assert.assertTrue;
-import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_JOINER;
-import static org.apache.sentry.provider.file.PolicyFileConstants.KV_JOINER;
-import static org.apache.sentry.provider.file.PolicyFileConstants.KV_SEPARATOR;
-
-import org.apache.sentry.core.model.search.SearchConstants;
-import org.apache.sentry.provider.file.KeyValue;
-import org.apache.shiro.authz.Permission;
-import org.junit.Test;
-
-public class TestSearchWildcardPermission {
-
-  private static final String ALL = SearchConstants.ALL;
-
-  @Test
-  public void testSimpleNoAction() throws Exception {
-    Permission collection1 = create(new KeyValue("collection", "coll1"));
-    Permission collection2 = create(new KeyValue("collection", "coll2"));
-    Permission collection1Case = create(new KeyValue("colleCtIon", "coLl1"));
-
-    assertTrue(collection1.implies(collection1));
-    assertTrue(collection2.implies(collection2));
-    assertTrue(collection1.implies(collection1Case));
-    assertTrue(collection1Case.implies(collection1));
-
-    assertFalse(collection1.implies(collection2));
-    assertFalse(collection1Case.implies(collection2));
-    assertFalse(collection2.implies(collection1));
-    assertFalse(collection2.implies(collection1Case));
-  }
-
-  @Test
-  public void testSimpleAction() throws Exception {
-    Permission query =
-      create(new KeyValue("collection", "coll1"), new KeyValue("action", "query"));
-    Permission update =
-      create(new KeyValue("collection", "coll1"), new KeyValue("action", "update"));
-    Permission queryCase =
-      create(new KeyValue("colleCtIon", "coLl1"), new KeyValue("AcTiOn", "QuERy"));
-
-    assertTrue(query.implies(query));
-    assertTrue(update.implies(update));
-    assertTrue(query.implies(queryCase));
-    assertTrue(queryCase.implies(query));
-
-    assertFalse(query.implies(update));
-    assertFalse(queryCase.implies(update));
-    assertFalse(update.implies(query));
-    assertFalse(update.implies(queryCase));
-  }
-
-  @Test
-  public void testRoleShorterThanRequest() throws Exception {
-    Permission collection1 = create(new KeyValue("collection", "coll1"));
-    Permission query =
-      create(new KeyValue("collection", "coll1"), new KeyValue("action", "query"));
-    Permission update =
-      create(new KeyValue("collection", "coll1"), new KeyValue("action", "update"));
-    Permission all =
-      create(new KeyValue("collection", "coll1"), new KeyValue("action", ALL));
-
-    assertTrue(collection1.implies(query));
-    assertTrue(collection1.implies(update));
-    assertTrue(collection1.implies(all));
-
-    assertFalse(query.implies(collection1));
-    assertFalse(update.implies(collection1));
-    assertTrue(all.implies(collection1));
-  }
-
-  @Test
-  public void testCollectionAll() throws Exception {
-    Permission collectionAll = create(new KeyValue("collection", ALL));
-    Permission collection1 = create(new KeyValue("collection", "coll1"));
-    assertTrue(collectionAll.implies(collection1));
-    assertTrue(collection1.implies(collectionAll));
-
-    Permission allUpdate =
-      create(new KeyValue("collection", ALL), new KeyValue("action", "update"));
-    Permission allQuery =
-      create(new KeyValue("collection", ALL), new KeyValue("action", "query"));
-    Permission coll1Update =
-      create(new KeyValue("collection", "coll1"), new KeyValue("action", "update"));
-    Permission coll1Query =
-      create(new KeyValue("collection", "coll1"), new KeyValue("action", "query"));
-    assertTrue(allUpdate.implies(coll1Update));
-    assertTrue(allQuery.implies(coll1Query));
-    assertTrue(coll1Update.implies(allUpdate));
-    assertTrue(coll1Query.implies(allQuery));
-    assertFalse(allUpdate.implies(coll1Query));
-    assertFalse(coll1Update.implies(coll1Query));
-    assertFalse(allQuery.implies(coll1Update));
-    assertFalse(coll1Query.implies(allUpdate));
-    assertFalse(allUpdate.implies(allQuery));
-    assertFalse(allQuery.implies(allUpdate));
-    assertFalse(coll1Update.implies(coll1Query));
-    assertFalse(coll1Query.implies(coll1Update));
-
-    // test different length paths
-    assertTrue(collectionAll.implies(allUpdate));
-    assertTrue(collectionAll.implies(allQuery));
-    assertTrue(collectionAll.implies(coll1Update));
-    assertTrue(collectionAll.implies(coll1Query));
-    assertFalse(allUpdate.implies(collectionAll));
-    assertFalse(allQuery.implies(collectionAll));
-    assertFalse(coll1Update.implies(collectionAll));
-    assertFalse(coll1Query.implies(collectionAll));
-  }
-
-  @Test
-  public void testActionAll() throws Exception {
-    Permission coll1All =
-       create(new KeyValue("collection", "coll1"), new KeyValue("action", ALL));
-    Permission coll1Update =
-      create(new KeyValue("collection", "coll1"), new KeyValue("action", "update"));
-    Permission coll1Query =
-      create(new KeyValue("collection", "coll1"), new KeyValue("action", "query"));
-    assertTrue(coll1All.implies(coll1All));
-    assertTrue(coll1All.implies(coll1Update));
-    assertTrue(coll1All.implies(coll1Query));
-    assertFalse(coll1Update.implies(coll1All));
-    assertFalse(coll1Query.implies(coll1All));
-
-    // test different lengths
-    Permission coll1 =
-       create(new KeyValue("collection", "coll1"));
-    assertTrue(coll1All.implies(coll1));
-    assertTrue(coll1.implies(coll1All));
-  }
-
-  @Test
-  public void testUnexpected() throws Exception {
-    Permission p = new Permission() {
-      @Override
-      public boolean implies(Permission p) {
-        return false;
-      }
-    };
-    Permission collection1 = create(new KeyValue("collection", "coll1"));
-    assertFalse(collection1.implies(null));
-    assertFalse(collection1.implies(p));
-    assertFalse(collection1.equals(null));
-    assertFalse(collection1.equals(p));
-  }
-
-  @Test(expected=IllegalArgumentException.class)
-  public void testNullString() throws Exception {
-    System.out.println(create((String)null));
-  }
-
-  @Test(expected=IllegalArgumentException.class)
-  public void testEmptyString() throws Exception {
-    System.out.println(create(""));
-  }
-
-  @Test(expected=IllegalArgumentException.class)
-  public void testEmptyKey() throws Exception {
-    System.out.println(create(KV_JOINER.join("collection", "")));
-  }
-
-  @Test(expected=IllegalArgumentException.class)
-  public void testEmptyValue() throws Exception {
-    System.out.println(create(KV_JOINER.join("", "coll1")));
-  }
-
-  @Test(expected=IllegalArgumentException.class)
-  public void testEmptyPart() throws Exception {
-    System.out.println(create(AUTHORIZABLE_JOINER.
-        join(KV_JOINER.join("collection1", "coll1"), "")));
-  }
-
-  @Test(expected=IllegalArgumentException.class)
-  public void testOnlySeperators() throws Exception {
-    System.out.println(create(AUTHORIZABLE_JOINER.
-        join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR)));
-  }
-
-  static SearchWildcardPermission create(KeyValue... keyValues) {
-    return create(AUTHORIZABLE_JOINER.join(keyValues));
-
-  }
-  static SearchWildcardPermission create(String s) {
-    return new SearchWildcardPermission(s);
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchWildcardPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchWildcardPrivilege.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchWildcardPrivilege.java
new file mode 100644
index 0000000..cb5531f
--- /dev/null
+++ b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchWildcardPrivilege.java
@@ -0,0 +1,205 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.search;
+import static junit.framework.Assert.assertFalse;
+import static junit.framework.Assert.assertTrue;
+import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_JOINER;
+import static org.apache.sentry.provider.file.PolicyFileConstants.KV_JOINER;
+import static org.apache.sentry.provider.file.PolicyFileConstants.KV_SEPARATOR;
+
+import org.apache.sentry.core.model.search.SearchConstants;
+import org.apache.sentry.policy.common.Privilege;
+import org.apache.sentry.provider.file.KeyValue;
+import org.junit.Test;
+
+public class TestSearchWildcardPrivilege {
+
+  private static final String ALL = SearchConstants.ALL;
+
+  @Test
+  public void testSimpleNoAction() throws Exception {
+    Privilege collection1 = create(new KeyValue("collection", "coll1"));
+    Privilege collection2 = create(new KeyValue("collection", "coll2"));
+    Privilege collection1Case = create(new KeyValue("colleCtIon", "coLl1"));
+
+    assertTrue(collection1.implies(collection1));
+    assertTrue(collection2.implies(collection2));
+    assertTrue(collection1.implies(collection1Case));
+    assertTrue(collection1Case.implies(collection1));
+
+    assertFalse(collection1.implies(collection2));
+    assertFalse(collection1Case.implies(collection2));
+    assertFalse(collection2.implies(collection1));
+    assertFalse(collection2.implies(collection1Case));
+  }
+
+  @Test
+  public void testSimpleAction() throws Exception {
+    Privilege query =
+      create(new KeyValue("collection", "coll1"), new KeyValue("action", "query"));
+    Privilege update =
+      create(new KeyValue("collection", "coll1"), new KeyValue("action", "update"));
+    Privilege queryCase =
+      create(new KeyValue("colleCtIon", "coLl1"), new KeyValue("AcTiOn", "QuERy"));
+
+    assertTrue(query.implies(query));
+    assertTrue(update.implies(update));
+    assertTrue(query.implies(queryCase));
+    assertTrue(queryCase.implies(query));
+
+    assertFalse(query.implies(update));
+    assertFalse(queryCase.implies(update));
+    assertFalse(update.implies(query));
+    assertFalse(update.implies(queryCase));
+  }
+
+  @Test
+  public void testRoleShorterThanRequest() throws Exception {
+    Privilege collection1 = create(new KeyValue("collection", "coll1"));
+    Privilege query =
+      create(new KeyValue("collection", "coll1"), new KeyValue("action", "query"));
+    Privilege update =
+      create(new KeyValue("collection", "coll1"), new KeyValue("action", "update"));
+    Privilege all =
+      create(new KeyValue("collection", "coll1"), new KeyValue("action", ALL));
+
+    assertTrue(collection1.implies(query));
+    assertTrue(collection1.implies(update));
+    assertTrue(collection1.implies(all));
+
+    assertFalse(query.implies(collection1));
+    assertFalse(update.implies(collection1));
+    assertTrue(all.implies(collection1));
+  }
+
+  @Test
+  public void testCollectionAll() throws Exception {
+    Privilege collectionAll = create(new KeyValue("collection", ALL));
+    Privilege collection1 = create(new KeyValue("collection", "coll1"));
+    assertTrue(collectionAll.implies(collection1));
+    assertTrue(collection1.implies(collectionAll));
+
+    Privilege allUpdate =
+      create(new KeyValue("collection", ALL), new KeyValue("action", "update"));
+    Privilege allQuery =
+      create(new KeyValue("collection", ALL), new KeyValue("action", "query"));
+    Privilege coll1Update =
+      create(new KeyValue("collection", "coll1"), new KeyValue("action", "update"));
+    Privilege coll1Query =
+      create(new KeyValue("collection", "coll1"), new KeyValue("action", "query"));
+    assertTrue(allUpdate.implies(coll1Update));
+    assertTrue(allQuery.implies(coll1Query));
+    assertTrue(coll1Update.implies(allUpdate));
+    assertTrue(coll1Query.implies(allQuery));
+    assertFalse(allUpdate.implies(coll1Query));
+    assertFalse(coll1Update.implies(coll1Query));
+    assertFalse(allQuery.implies(coll1Update));
+    assertFalse(coll1Query.implies(allUpdate));
+    assertFalse(allUpdate.implies(allQuery));
+    assertFalse(allQuery.implies(allUpdate));
+    assertFalse(coll1Update.implies(coll1Query));
+    assertFalse(coll1Query.implies(coll1Update));
+
+    // test different length paths
+    assertTrue(collectionAll.implies(allUpdate));
+    assertTrue(collectionAll.implies(allQuery));
+    assertTrue(collectionAll.implies(coll1Update));
+    assertTrue(collectionAll.implies(coll1Query));
+    assertFalse(allUpdate.implies(collectionAll));
+    assertFalse(allQuery.implies(collectionAll));
+    assertFalse(coll1Update.implies(collectionAll));
+    assertFalse(coll1Query.implies(collectionAll));
+  }
+
+  @Test
+  public void testActionAll() throws Exception {
+    Privilege coll1All =
+       create(new KeyValue("collection", "coll1"), new KeyValue("action", ALL));
+    Privilege coll1Update =
+      create(new KeyValue("collection", "coll1"), new KeyValue("action", "update"));
+    Privilege coll1Query =
+      create(new KeyValue("collection", "coll1"), new KeyValue("action", "query"));
+    assertTrue(coll1All.implies(coll1All));
+    assertTrue(coll1All.implies(coll1Update));
+    assertTrue(coll1All.implies(coll1Query));
+    assertFalse(coll1Update.implies(coll1All));
+    assertFalse(coll1Query.implies(coll1All));
+
+    // test different lengths
+    Privilege coll1 =
+       create(new KeyValue("collection", "coll1"));
+    assertTrue(coll1All.implies(coll1));
+    assertTrue(coll1.implies(coll1All));
+  }
+
+  @Test
+  public void testUnexpected() throws Exception {
+    Privilege p = new Privilege() {
+      @Override
+      public boolean implies(Privilege p) {
+        return false;
+      }
+    };
+    Privilege collection1 = create(new KeyValue("collection", "coll1"));
+    assertFalse(collection1.implies(null));
+    assertFalse(collection1.implies(p));
+    assertFalse(collection1.equals(null));
+    assertFalse(collection1.equals(p));
+  }
+
+  @Test(expected=IllegalArgumentException.class)
+  public void testNullString() throws Exception {
+    System.out.println(create((String)null));
+  }
+
+  @Test(expected=IllegalArgumentException.class)
+  public void testEmptyString() throws Exception {
+    System.out.println(create(""));
+  }
+
+  @Test(expected=IllegalArgumentException.class)
+  public void testEmptyKey() throws Exception {
+    System.out.println(create(KV_JOINER.join("collection", "")));
+  }
+
+  @Test(expected=IllegalArgumentException.class)
+  public void testEmptyValue() throws Exception {
+    System.out.println(create(KV_JOINER.join("", "coll1")));
+  }
+
+  @Test(expected=IllegalArgumentException.class)
+  public void testEmptyPart() throws Exception {
+    System.out.println(create(AUTHORIZABLE_JOINER.
+        join(KV_JOINER.join("collection1", "coll1"), "")));
+  }
+
+  @Test(expected=IllegalArgumentException.class)
+  public void testOnlySeperators() throws Exception {
+    System.out.println(create(AUTHORIZABLE_JOINER.
+        join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR)));
+  }
+
+  static SearchWildcardPrivilege create(KeyValue... keyValues) {
+    return create(AUTHORIZABLE_JOINER.join(keyValues));
+
+  }
+  static SearchWildcardPrivilege create(String s) {
+    return new SearchWildcardPrivilege(s);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
index 4887678..8dc2f52 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
@@ -19,11 +19,17 @@ package org.apache.sentry.provider.common;
 import java.util.List;
 import java.util.Set;
 
+import javax.annotation.concurrent.ThreadSafe;
+
 import org.apache.sentry.core.common.Action;
 import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.SentryConfigurationException;
 import org.apache.sentry.core.common.Subject;
 
+/**
+ * Implementations of AuthorizationProvider must be threadsafe.
+ */
+@ThreadSafe
 public interface AuthorizationProvider {
 
   /***
@@ -59,7 +65,7 @@ public interface AuthorizationProvider {
    * @return
    * @throws SentryConfigurationException
    */
-  public Set<String> listPermissionsForSubject(Subject subject) throws SentryConfigurationException;
+  public Set<String> listPrivilegesForSubject(Subject subject) throws SentryConfigurationException;
 
   /**
    * Returns the list privileges for the given group
@@ -67,11 +73,11 @@ public interface AuthorizationProvider {
    * @return
    * @throws SentryConfigurationException
    */
-  public Set<String> listPermissionsForGroup(String groupName) throws SentryConfigurationException;
+  public Set<String> listPrivilegesForGroup(String groupName) throws SentryConfigurationException;
 
   /***
    * Returns the list of missing privileges of the last access request
    * @return
    */
-  public List<String> getLastFailedPermissions();
+  public List<String> getLastFailedPrivileges();
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/GroupMappingService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/GroupMappingService.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/GroupMappingService.java
index 226cc88..22371d1 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/GroupMappingService.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/GroupMappingService.java
@@ -16,15 +16,20 @@
  */
 package org.apache.sentry.provider.common;
 
-import java.util.List;
+import java.util.Set;
+
+import javax.annotation.concurrent.ThreadSafe;
 
 /**
  * Interface so the Groups class is easier to unit test with.
+ * Implementations of this class are expected to be thread safe
+ * after construction.
  */
+@ThreadSafe
 public interface GroupMappingService {
 
   /**
    * @return non-null list of groups for user
    */
-  public List<String> getGroups(String user);
+  public Set<String> getGroups(String user);
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
index 8f18926..309f270 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
@@ -46,19 +46,19 @@ public class NoAuthorizationProvider implements AuthorizationProvider {
   }
 
   @Override
-  public Set<String> listPermissionsForSubject(Subject subject)
+  public Set<String> listPrivilegesForSubject(Subject subject)
       throws SentryConfigurationException {
     return new HashSet<String>();
   }
 
   @Override
-  public Set<String> listPermissionsForGroup(String groupName)
+  public Set<String> listPrivilegesForGroup(String groupName)
       throws SentryConfigurationException {
     return new HashSet<String>();
   }
 
   @Override
-  public List<String> getLastFailedPermissions() {
+  public List<String> getLastFailedPrivileges() {
     return new ArrayList<String>();
   }
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoGroupMappingService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoGroupMappingService.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoGroupMappingService.java
index e1bc6d2..e44cbc4 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoGroupMappingService.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoGroupMappingService.java
@@ -16,8 +16,8 @@
  */
 package org.apache.sentry.provider.common;
 
-import java.util.LinkedList;
-import java.util.List;
+import java.util.HashSet;
+import java.util.Set;
 
 /**
  * GroupMappingService that always returns an empty list of groups
@@ -27,7 +27,7 @@ public class NoGroupMappingService implements GroupMappingService {
   /**
    * @return empty list of groups for every user
    */
-  public List<String> getGroups(String user) {
-    return new LinkedList<String>();
+  public Set<String> getGroups(String user) {
+    return new HashSet<String>();
   }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
index 327a3a5..3582d36 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
@@ -16,31 +16,43 @@
  */
 package org.apache.sentry.provider.common;
 
-import javax.annotation.Nullable;
+import java.util.Set;
 
-import java.util.List;
+import javax.annotation.concurrent.ThreadSafe;
 
 import org.apache.sentry.core.common.SentryConfigurationException;
-import org.apache.sentry.policy.common.RoleValidator;
 
 import com.google.common.collect.ImmutableSet;
 
 /**
- * Interface for getting roles from a specific provider backend.
+ * Interface for getting roles from a specific provider backend. Implementations
+ * are expected to be thread safe after initialize() has
+ * been called.
  */
+@ThreadSafe
 public interface ProviderBackend {
+
   /**
-   * Process roles from the backend.  Checks the validity of each role
-   * by running it through each validator passed via validators.
+   * Set the privilege validators to be used on the backend. This is required
+   * because the Backend must be created before the policy engine and only the
+   * policy engine knows the validators. Ideally we could change but since
+   * both the policy engine and backend are exposed via configuration properties
+   * that would be backwards incompatible.
+   * @param validators
    */
-  public void process(List<? extends RoleValidator> validators);
+  public void initialize(ProviderBackendContext context);
 
   /**
-   * Get the roles from the backend.  Requires that process(...) is invoked at
-   * least once prior.
+   * Get the privileges from the backend.
    */
-  public Roles getRoles();
+  public ImmutableSet<String> getPrivileges(Set<String> groups);
 
-  public void validatePolicy(List<? extends RoleValidator> validators, boolean strictValidation)
-      throws SentryConfigurationException;
+  /**
+   * If strictValidation is true then an error is thrown for warnings
+   * as well as errors.
+   *
+   * @param strictValidation
+   * @throws SentryConfigurationException
+   */
+  public void validatePolicy(boolean strictValidation) throws SentryConfigurationException;
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackendContext.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackendContext.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackendContext.java
new file mode 100644
index 0000000..f45d23d
--- /dev/null
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackendContext.java
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.common;
+
+import org.apache.sentry.policy.common.PrivilegeValidator;
+
+import com.google.common.collect.ImmutableList;
+
+public class ProviderBackendContext {
+
+  private boolean allowPerDatabase;
+  private ImmutableList<PrivilegeValidator> validators;
+
+  public ProviderBackendContext() {
+    validators = ImmutableList.of();
+  }
+
+  public boolean isAllowPerDatabase() {
+    return allowPerDatabase;
+  }
+
+  public void setAllowPerDatabase(boolean allowPerDatabase) {
+    this.allowPerDatabase = allowPerDatabase;
+  }
+
+  public ImmutableList<PrivilegeValidator> getValidators() {
+    return validators;
+  }
+
+  public void setValidators(ImmutableList<PrivilegeValidator> validators) {
+    if (validators == null) {
+      validators = ImmutableList.of();
+    }
+    this.validators = validators;
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/Roles.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/Roles.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/Roles.java
deleted file mode 100644
index a8f36a3..0000000
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/Roles.java
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.common;
-
-import javax.annotation.Nullable;
-
-import com.google.common.collect.ImmutableMap;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.ImmutableSetMultimap;
-
-/**
- * Class providing storage of roles
- */
-public class Roles {
-  private final ImmutableSetMultimap<String, String> globalRoles;
-  private final ImmutableMap<String, ImmutableSetMultimap<String, String>> perDatabaseRoles;
-
-  public Roles() {
-    this(ImmutableSetMultimap.<String, String>of(),
-        ImmutableMap.<String, ImmutableSetMultimap<String, String>>of());
-  }
-
-  public Roles(ImmutableSetMultimap<String, String> globalRoles,
-      ImmutableMap<String, ImmutableSetMultimap<String, String>> perDatabaseRoles) {
-    this.globalRoles = globalRoles;
-    this.perDatabaseRoles = perDatabaseRoles;
-  }
-
-  public ImmutableSetMultimap<String, String> getGlobalRoles() {
-    return globalRoles;
-  }
-
-  public ImmutableMap<String, ImmutableSetMultimap<String, String>> getPerDatabaseRoles() {
-    return perDatabaseRoles;
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/MockGroupMappingServiceProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/MockGroupMappingServiceProvider.java b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/MockGroupMappingServiceProvider.java
index 806b42e..1e885f4 100644
--- a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/MockGroupMappingServiceProvider.java
+++ b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/MockGroupMappingServiceProvider.java
@@ -17,14 +17,13 @@
 package org.apache.sentry.provider.common;
 
 import java.util.Collection;
-import java.util.List;
+import java.util.Set;
 
-import org.apache.sentry.provider.common.GroupMappingService;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import com.google.common.collect.Lists;
 import com.google.common.collect.Multimap;
+import com.google.common.collect.Sets;
 
 public class MockGroupMappingServiceProvider implements GroupMappingService {
   private static final Logger LOGGER = LoggerFactory
@@ -36,10 +35,10 @@ public class MockGroupMappingServiceProvider implements GroupMappingService {
   }
 
   @Override
-  public List<String> getGroups(String user) {
+  public Set<String> getGroups(String user) {
     Collection<String> groups = userToGroupMap.get(user);
     LOGGER.info("Mapping " + user + " to " + groups);
-    return Lists.newArrayList(groups);
+    return Sets.newHashSet(groups);
   }
 
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
index 3f48f49..dbcf05b 100644
--- a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
@@ -16,11 +16,11 @@
  */
 package org.apache.sentry.provider.common;
 
-import org.junit.Test;
-
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 
+import org.junit.Test;
+
 /**
  * Tests around the NoAuthorizationProvider
  */

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
index 549a9db..4c3e6ea 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
@@ -19,7 +19,6 @@
 package org.apache.sentry.provider.db.service.model;
 
 import java.util.HashSet;
-
 import java.util.Set;
 
 import javax.jdo.annotations.PersistenceCapable;

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryConfigurationException.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryConfigurationException.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryConfigurationException.java
index 2aeea42..0e5ad32 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryConfigurationException.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryConfigurationException.java
@@ -21,6 +21,9 @@ import org.apache.sentry.SentryUserException;
 
 public class SentryConfigurationException extends SentryUserException {
   private static final long serialVersionUID = 1298632655835L;
+  public SentryConfigurationException(String msg) {
+    super(msg);
+  }
   public SentryConfigurationException(String msg, Throwable t) {
     super(msg, t);
   }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
index 55dbcdd..a451f58 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -71,7 +71,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
 
   @VisibleForTesting
   static List<NotificationHandler> createHandlers(Configuration conf)
-      throws Exception {
+      throws SentryConfigurationException {
     List<NotificationHandler> handlers = Lists.newArrayList();
     Iterable<String> notificationHandlers = Splitter.onPattern("[\\s,]").trimResults()
         .omitEmptyStrings().split(conf.get(PolicyStoreServerConfig.NOTIFICATION_HANDLERS, ""));
@@ -80,7 +80,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
       try {
         clazz = Class.forName(notificationHandler);
         if (!NotificationHandler.class.isAssignableFrom(clazz)) {
-          throw new IllegalArgumentException("Class " + notificationHandler + " is not a " +
+          throw new SentryConfigurationException("Class " + notificationHandler + " is not a " +
               NotificationHandler.class.getName());
         }
       } catch (ClassNotFoundException e) {

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
index 8323959..3022f67 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/KerberosConfiguration.java
@@ -18,8 +18,9 @@
 package org.apache.sentry.service.thrift;
 
 import java.io.File;
-import java.util.Map;
 import java.util.HashMap;
+import java.util.Map;
+
 import javax.security.auth.login.AppConfigurationEntry;
 
 public class KerberosConfiguration extends javax.security.auth.login.Configuration {

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyStoreProcessor.java
index ab4fff6..46f8fb8 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyStoreProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryPolicyStoreProcessor.java
@@ -32,18 +32,18 @@ public class TestSentryPolicyStoreProcessor {
   public void setup() {
     conf = new Configuration(false);
   }
-  @Test(expected=IllegalArgumentException.class)
+  @Test(expected=SentryConfigurationException.class)
   public void testConfigNotNotificationHandler() throws Exception {
     conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS, Object.class.getName());
     SentryPolicyStoreProcessor.createHandlers(conf);
   }
-  @Test(expected=IllegalStateException.class)
+  @Test(expected=SentryConfigurationException.class)
   public void testConfigCannotCreateNotificationHandler() throws Exception {
     conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS,
         ExceptionInConstructorNotificationHandler.class.getName());
     SentryPolicyStoreProcessor.createHandlers(conf);
   }
-  @Test(expected=IllegalArgumentException.class)
+  @Test(expected=SentryConfigurationException.class)
   public void testConfigNotAClassNotificationHandler() throws Exception {
     conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS, "junk");
     SentryPolicyStoreProcessor.createHandlers(conf);

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
index 692dbfa..8e1be52 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
@@ -18,16 +18,17 @@
 
 package org.apache.sentry.provider.db.service.thrift;
 import java.util.HashSet;
-import com.google.common.base.Preconditions;
-
 import java.util.Set;
 
 import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
 import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants;
+import org.apache.sentry.service.thrift.Status;
 import org.junit.Test;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.google.common.base.Preconditions;
+
 public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
   private static final Logger LOGGER = LoggerFactory.getLogger(TestSentryServiceIntegration.class);
 
@@ -38,7 +39,7 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
     dropReq.setRoleName("admin_r");
     dropReq.setUserName("user_1");
     TDropSentryRoleResponse dropResp = client.dropRole(dropReq);
-    assertOK(dropResp.getStatus());
+    assertStatus(Status.NO_SUCH_OBJECT, dropResp.getStatus());
     LOGGER.info("Successfully dropped role: admin_r");
 
     TCreateSentryRoleRequest createReq = new TCreateSentryRoleRequest();

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
index c1bb887..db76aa8 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
@@ -155,9 +155,13 @@ public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestc
 
   }
   protected static void assertOK(TSentryResponseStatus resp) {
-    if (resp.getValue() !=  Status.OK.getCode()) {
-      String message = "Response: " + Status.fromCode(resp.getValue()) + ", Code: "
-          + resp.getValue() + ", Message: " + resp.getMessage();
+    assertStatus(Status.OK, resp);
+  }
+
+  protected static void assertStatus(Status status, TSentryResponseStatus resp) {
+    if (resp.getValue() !=  status.getCode()) {
+      String message = "Expected: " + status + ", Response: " + Status.fromCode(resp.getValue())
+          + ", Code: " + resp.getValue() + ", Message: " + resp.getMessage();
       String stackTrace = Strings.nullToEmpty(resp.getStack()).trim();
       if (!stackTrace.isEmpty()) {
         message += ", StackTrace: " + stackTrace;

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupMappingService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupMappingService.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupMappingService.java
index 4db465d..f2bb39c 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupMappingService.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupMappingService.java
@@ -18,7 +18,8 @@ package org.apache.sentry.provider.file;
 
 import java.io.IOException;
 import java.util.Collections;
-import java.util.List;
+import java.util.HashSet;
+import java.util.Set;
 
 import org.apache.hadoop.security.Groups;
 import org.apache.sentry.provider.common.GroupMappingService;
@@ -36,12 +37,12 @@ public class HadoopGroupMappingService implements GroupMappingService {
   }
 
   @Override
-  public List<String> getGroups(String user) {
+  public Set<String> getGroups(String user) {
     try {
-      return groups.getGroups(user);
+      return new HashSet<String>(groups.getGroups(user));
     } catch (IOException e) {
       LOGGER.warn("Unable to obtain groups for " + user, e);
     }
-    return Collections.emptyList();
+    return Collections.emptySet();
   }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
index ff3adf1..b2e4196 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
@@ -21,11 +21,8 @@ import java.io.IOException;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.Groups;
-import org.apache.sentry.policy.common.RoleValidator;
 import org.apache.sentry.policy.common.PolicyEngine;
 import org.apache.sentry.provider.common.GroupMappingService;
-import org.apache.sentry.provider.file.HadoopGroupMappingService;
-import org.apache.sentry.provider.file.ResourceAuthorizationProvider;
 
 import com.google.common.annotations.VisibleForTesting;
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
index c399117..a4d9cba 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
@@ -20,9 +20,9 @@ package org.apache.sentry.provider.file;
 import java.io.IOException;
 import java.util.Collections;
 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.util.Set;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileSystem;
@@ -35,7 +35,7 @@ import org.slf4j.LoggerFactory;
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
-import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
 
 /**
  * Mapping users to groups
@@ -62,8 +62,8 @@ public class LocalGroupMappingService implements GroupMappingService {
   private static final Logger LOGGER = LoggerFactory
       .getLogger(LocalGroupMappingService.class);
 
-  private final Map <String, List<String>> groupMap =
-      new HashMap <String, List<String>> ();
+  private final Map <String, Set<String>> groupMap =
+      new HashMap <String, Set<String>> ();
 
   public LocalGroupMappingService(Path resourcePath) throws IOException {
     this(new Configuration(), resourcePath);
@@ -75,11 +75,11 @@ public class LocalGroupMappingService implements GroupMappingService {
   }
 
   @Override
-  public List<String> getGroups(String user) {
+  public Set<String> getGroups(String user) {
     if (groupMap.containsKey(user)) {
       return groupMap.get(user);
     } else {
-      return Collections.emptyList();
+      return Collections.emptySet();
     }
   }
 
@@ -102,7 +102,7 @@ public class LocalGroupMappingService implements GroupMappingService {
             " in the " + resourcePath);
         continue;
       }
-      List<String> groupList = Lists.newArrayList(
+      Set<String> groupList = Sets.newHashSet(
           PolicyFileConstants.ROLE_SPLITTER.trimResults().split(groupNames));
       LOGGER.debug("Got user mapping: " + userName + ", Groups: " + groupNames);
       groupMap.put(userName, groupList);

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java
index 374e989..e8293f6 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java
@@ -17,12 +17,10 @@
 
 package org.apache.sentry.provider.file;
 
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.provider.file.LocalGroupMappingService;
-import org.apache.sentry.provider.file.ResourceAuthorizationProvider;
 import java.io.IOException;
 
 import org.apache.hadoop.fs.Path;
+import org.apache.sentry.policy.common.PolicyEngine;
 
 
 public class LocalGroupResourceAuthorizationProvider extends

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java
index bed3202..0189f85 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java
@@ -17,27 +17,29 @@
 
 package org.apache.sentry.provider.file;
 
+import static org.apache.sentry.provider.file.PolicyFileConstants.DATABASES;
+import static org.apache.sentry.provider.file.PolicyFileConstants.GROUPS;
+import static org.apache.sentry.provider.file.PolicyFileConstants.ROLES;
+import static org.apache.sentry.provider.file.PolicyFileConstants.USERS;
+
 import java.io.File;
-import java.io.IOException;
 import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 
-import com.google.common.base.Preconditions;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Charsets;
 import com.google.common.base.Joiner;
+import com.google.common.base.Preconditions;
 import com.google.common.collect.ArrayListMultimap;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
 import com.google.common.collect.Multimap;
 import com.google.common.io.Files;
 
-import static org.apache.sentry.provider.file.PolicyFileConstants.*;
-
 /**
  * PolicyFile creator. Written specifically to be used with tests. Specifically
  * due to the fact that methods that would typically return true or false to

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/92212c3d/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFiles.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFiles.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFiles.java
index 295ce78..a908ec3 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFiles.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFiles.java
@@ -63,7 +63,7 @@ public class PolicyFiles {
       throws IOException {
     InputStream input = new FileInputStream(inputFile.getPath());
     FSDataOutputStream out = fs.create(new Path(dest, inputFile.getName()));
-    long bytes = ByteStreams.copy(input, out);
+    ByteStreams.copy(input, out);
     input.close();
     out.hflush();
     out.close();


Mime
View raw message