sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From shreepa...@apache.org
Subject [13/13] git commit: SENTRY-143: Merge db_policy_store branch into master (Brock Noland via Shreepadma Venugopalan)
Date Thu, 13 Mar 2014 21:21:28 GMT
SENTRY-143: Merge db_policy_store branch into master (Brock Noland via Shreepadma Venugopalan)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/644e8be3
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/644e8be3
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/644e8be3

Branch: refs/heads/master
Commit: 644e8be346a152e43fa435b9adbb47ce6b3e3e91
Parents: 0341d51
Author: Shreepadma Venugopalan <shreepadma@apache.org>
Authored: Thu Mar 13 14:20:19 2014 -0700
Committer: Shreepadma Venugopalan <shreepadma@apache.org>
Committed: Thu Mar 13 14:20:19 2014 -0700

----------------------------------------------------------------------
 .gitignore                                      |    3 +-
 bin/config-tool.sh                              |   25 -
 bin/sentry                                      |   59 +-
 pom.xml                                         |  123 +-
 .../binding/hive/HiveAuthzBindingHook.java      |   28 +-
 .../hive/HiveAuthzBindingPreExecHook.java       |    2 +-
 .../hive/SentryOnFailureHookContext.java        |   13 +-
 .../hive/SentryOnFailureHookContextImpl.java    |   13 +-
 .../binding/hive/authz/HiveAuthzBinding.java    |   40 +-
 .../hive/authz/HiveAuthzPrivilegesMap.java      |    1 -
 .../binding/hive/authz/SentryConfigTool.java    |  107 +-
 .../binding/hive/MockUserToGroupMapping.java    |    8 +-
 .../sentry/binding/hive/TestHiveAuthzConf.java  |    1 +
 .../org/apache/sentry/binding/hive/TestURI.java |    1 -
 .../authz/SentrySolrAuthorizationException.java |    2 +
 .../binding/solr/authz/SolrAuthzBinding.java    |   12 +-
 .../sentry/binding/solr/conf/SolrAuthzConf.java |    4 -
 .../binding/solr/TestSolrAuthzBinding.java      |   39 +-
 sentry-core/sentry-core-common/pom.xml          |    4 +
 .../main/java/org/apache/sentry/Command.java    |   23 +
 .../main/java/org/apache/sentry/SentryMain.java |   73 +
 .../org/apache/sentry/SentryUserException.java  |   28 +
 .../sentry/core/common/ActiveRoleSet.java       |   71 +
 .../common/SentryConfigurationException.java    |    1 +
 .../sentry/core/common/utils/PathUtils.java     |    4 +-
 .../sentry/core/common/utils/TestPathUtils.java |    1 +
 .../sentry/core/search/TestCollection.java      |    3 +-
 sentry-dist/pom.xml                             |    4 +
 sentry-dist/src/main/assembly/src.xml           |    1 -
 .../sentry/policy/common/PermissionFactory.java |   26 -
 .../sentry/policy/common/PolicyEngine.java      |   39 +-
 .../apache/sentry/policy/common/Privilege.java  |   21 +
 .../sentry/policy/common/PrivilegeFactory.java  |   24 +
 .../sentry/policy/common/PrivilegeUtils.java    |   27 +
 .../policy/common/PrivilegeValidator.java       |   24 +
 .../common/PrivilegeValidatorContext.java       |   38 +
 .../sentry/policy/common/RoleValidator.java     |   26 -
 .../policy/db/AbstractDBPrivilegeValidator.java |   50 +
 .../policy/db/AbstractDBRoleValidator.java      |   50 -
 .../sentry/policy/db/DBWildcardPermission.java  |  181 -
 .../sentry/policy/db/DBWildcardPrivilege.java   |  179 +
 .../sentry/policy/db/DatabaseMustMatch.java     |   11 +-
 .../policy/db/DatabaseRequiredInPrivilege.java  |   71 +
 .../policy/db/DatabaseRequiredInRole.java       |   70 -
 .../sentry/policy/db/ServerNameMustMatch.java   |   12 +-
 .../sentry/policy/db/ServersAllIsInvalid.java   |   12 +-
 .../sentry/policy/db/SimpleDBPolicyEngine.java  |  125 +-
 .../db/AbstractTestSimplePolicyEngine.java      |   27 +-
 .../sentry/policy/db/DBPolicyFileBackend.java   |    3 +-
 .../policy/db/TestDBModelAuthorizables.java     |    2 -
 .../policy/db/TestDBWildcardPermission.java     |  286 -
 .../policy/db/TestDBWildcardPrivilege.java      |  286 +
 .../policy/db/TestDatabaseRequiredInRole.java   |   13 +-
 .../policy/db/TestPolicyParsingNegative.java    |   94 +-
 ...sourceAuthorizationProviderGeneralCases.java |    8 +-
 ...sourceAuthorizationProviderSpecialCases.java |   19 +-
 .../policy/db/TestSimpleDBPolicyEngineDFS.java  |   24 +-
 .../db/TestSimpleDBPolicyEngineLocalFS.java     |    3 +-
 .../AbstractSearchPrivilegeValidator.java       |   51 +
 .../search/AbstractSearchRoleValidator.java     |   50 -
 .../search/CollectionRequiredInPrivilege.java   |   43 +
 .../policy/search/CollectionRequiredInRole.java |   44 -
 .../policy/search/SearchWildcardPermission.java |  152 -
 .../policy/search/SearchWildcardPrivilege.java  |  146 +
 .../policy/search/SimpleSearchPolicyEngine.java |   88 +-
 .../search/AbstractTestSearchPolicyEngine.java  |   18 +-
 .../policy/search/SearchPolicyFileBackend.java  |    1 +
 .../search/TestCollectionRequiredInRole.java    |   19 +-
 ...SearchAuthorizationProviderGeneralCases.java |    6 +-
 ...SearchAuthorizationProviderSpecialCases.java |    5 +-
 .../search/TestSearchModelAuthorizables.java    |    2 -
 .../search/TestSearchPolicyEngineDFS.java       |   11 +-
 .../policy/search/TestSearchPolicyNegative.java |   34 +-
 .../search/TestSearchWildcardPermission.java    |  206 -
 .../search/TestSearchWildcardPrivilege.java     |  205 +
 sentry-provider/pom.xml                         |    1 +
 .../provider/common/AuthorizationProvider.java  |   19 +-
 .../provider/common/GroupMappingService.java    |    9 +-
 .../common/NoAuthorizationProvider.java         |    9 +-
 .../provider/common/NoGroupMappingService.java  |    8 +-
 .../sentry/provider/common/ProviderBackend.java |   37 +-
 .../provider/common/ProviderBackendContext.java |   50 +
 .../apache/sentry/provider/common/Roles.java    |   50 -
 .../common/MockGroupMappingServiceProvider.java |    9 +-
 .../common/TestNoAuthorizationProvider.java     |    6 +-
 sentry-provider/sentry-provider-db/.gitignore   |    1 +
 sentry-provider/sentry-provider-db/pom.xml      |  243 +
 .../db/service/thrift/SentryPolicyService.java  | 6548 ++++++++++++++++++
 .../TAlterSentryRoleAddGroupsRequest.java       |  895 +++
 .../TAlterSentryRoleAddGroupsResponse.java      |  390 ++
 .../TAlterSentryRoleDeleteGroupsRequest.java    |  639 ++
 .../TAlterSentryRoleDeleteGroupsResponse.java   |  390 ++
 .../TAlterSentryRoleGrantPrivilegeRequest.java  |  846 +++
 .../TAlterSentryRoleGrantPrivilegeResponse.java |  390 ++
 .../TAlterSentryRoleRevokePrivilegeRequest.java |  846 +++
 ...TAlterSentryRoleRevokePrivilegeResponse.java |  390 ++
 .../thrift/TCreateSentryRoleRequest.java        |  745 ++
 .../thrift/TCreateSentryRoleResponse.java       |  390 ++
 .../service/thrift/TDropSentryRoleRequest.java  |  740 ++
 .../service/thrift/TDropSentryRoleResponse.java |  390 ++
 .../service/thrift/TListSentryRolesRequest.java |  850 +++
 .../thrift/TListSentryRolesResponse.java        |  545 ++
 .../db/service/thrift/TSentryGroup.java         |  385 +
 .../db/service/thrift/TSentryPrivilege.java     | 1224 ++++
 .../provider/db/service/thrift/TSentryRole.java |  740 ++
 .../service/thrift/TSentryResponseStatus.java   |  594 ++
 .../thrift/sentry_common_serviceConstants.java  |   48 +
 .../provider/db/service/model/MSentryGroup.java |  131 +
 .../db/service/model/MSentryPrivilege.java      |  247 +
 .../provider/db/service/model/MSentryRole.java  |  179 +
 .../provider/db/service/model/package.jdo       |  125 +
 .../db/service/persistent/CommitContext.java    |   42 +
 .../SentryAlreadyExistsException.java           |   27 +
 .../persistent/SentryInvalidInputException.java |   27 +
 .../persistent/SentryNoSuchObjectException.java |   27 +
 .../db/service/persistent/SentryStore.java      |  461 ++
 .../db/service/thrift/NotificationHandler.java  |   71 +
 .../thrift/NotificationHandlerInvoker.java      |  146 +
 .../db/service/thrift/PolicyStoreConstants.java |   25 +
 .../thrift/SentryConfigurationException.java    |   30 +
 .../thrift/SentryPolicyServiceClient.java       |  110 +
 .../thrift/SentryPolicyStoreProcessor.java      |  344 +
 .../SentryPolicyStoreProcessorFactory.java      |   39 +
 .../thrift/ConnectionDeniedException.java       |   36 +
 .../sentry/service/thrift/GSSCallback.java      |  102 +
 .../service/thrift/KerberosConfiguration.java   |   78 +
 .../sentry/service/thrift/ProcessorFactory.java |   30 +
 .../sentry/service/thrift/SentryService.java    |  272 +
 .../thrift/SentryServiceClientFactory.java      |   30 +
 .../service/thrift/SentryServiceFactory.java    |   29 +
 .../sentry/service/thrift/ServiceConstants.java |   78 +
 .../apache/sentry/service/thrift/Status.java    |   84 +
 .../src/main/resources/sentry-mysql-1.4.0.sql   |  113 +
 .../src/main/resources/sentry-oracle-1.4.0.sql  |  101 +
 .../main/resources/sentry-postgres-1.4.0.sql    |  115 +
 .../main/resources/sentry_common_service.thrift |   41 +
 .../main/resources/sentry_policy_service.thrift |  150 +
 .../db/service/persistent/TestSentryStore.java  |  145 +
 .../thrift/TestNotificationHandlerInvoker.java  |  112 +
 .../thrift/TestSentryPolicyStoreProcessor.java  |   70 +
 .../thrift/TestSentryServiceFailureCase.java    |   45 +
 .../thrift/TestSentryServiceIntegration.java    |  170 +
 .../thrift/SentryServiceIntegrationBase.java    |  172 +
 .../src/test/resources/log4j.properties         |   34 +
 .../file/HadoopGroupMappingService.java         |    9 +-
 ...adoopGroupResourceAuthorizationProvider.java |    3 -
 .../provider/file/LocalGroupMappingService.java |   14 +-
 ...LocalGroupResourceAuthorizationProvider.java |    4 +-
 .../apache/sentry/provider/file/PolicyFile.java |   10 +-
 .../sentry/provider/file/PolicyFiles.java       |    2 +-
 .../file/ResourceAuthorizationProvider.java     |   76 +-
 .../file/SimpleFileProviderBackend.java         |  248 +-
 .../provider/file/TestGetGroupMapping.java      |   34 +-
 .../sentry/provider/file/TestKeyValue.java      |    1 -
 .../provider/file/TestLocalGroupMapping.java    |   22 +-
 .../file/TestSimpleFileProvderBackend.java      |  120 +
 sentry-tests/sentry-tests-hive/.gitignore       |    1 +
 sentry-tests/sentry-tests-hive/pom.xml          |   33 +-
 .../AbstractTestWithStaticConfiguration.java    |   10 +-
 .../apache/sentry/tests/e2e/hive/Context.java   |    1 -
 .../sentry/tests/e2e/hive/TestConfigTool.java   |   27 +-
 .../tests/e2e/hive/TestPerDBConfiguration.java  |   12 +-
 .../e2e/hive/TestPrivilegesAtTableScope.java    |    4 +-
 .../hive/TestSentryOnFailureHookLoading.java    |   21 +-
 .../sentry/tests/e2e/hive/fs/AbstractDFS.java   |    5 +-
 .../sentry/tests/e2e/hive/fs/ClusterDFS.java    |    7 +-
 .../apache/sentry/tests/e2e/hive/fs/DFS.java    |    2 -
 .../sentry/tests/e2e/hive/fs/DFSFactory.java    |    4 +-
 .../sentry/tests/e2e/hive/fs/MiniDFS.java       |    6 +-
 .../e2e/hive/hiveserver/EmbeddedHiveServer.java |    6 +-
 .../e2e/hive/hiveserver/HiveServerFactory.java  |    2 +-
 .../e2e/hive/hiveserver/InternalHiveServer.java |    1 +
 .../hive/hiveserver/UnmanagedHiveServer.java    |   12 +-
 .../e2e/solr/AbstractSolrSentryTestBase.java    |    3 -
 .../sentry/tests/e2e/solr/HdfsTestUtil.java     |    1 -
 .../ModifiableUserAuthenticationFilter.java     |    1 -
 .../e2e/solr/TestCollAdminCoreOperations.java   |   12 +-
 .../tests/e2e/solr/TestQueryOperations.java     |   11 +-
 .../tests/e2e/solr/TestUpdateOperations.java    |   11 +-
 179 files changed, 24669 insertions(+), 2058 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/.gitignore
----------------------------------------------------------------------
diff --git a/.gitignore b/.gitignore
index 06f9ff4..6a39d39 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,7 +6,8 @@ target/
 .metadata
 .idea/
 *.iml
-**/derby.log
+derby.log
+datanucleus.log
 **/TempStatsStore/
 # Package Files #
 *.jar

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/bin/config-tool.sh
----------------------------------------------------------------------
diff --git a/bin/config-tool.sh b/bin/config-tool.sh
deleted file mode 100755
index b286421..0000000
--- a/bin/config-tool.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/env bash
-
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-_CMD_JAR=sentry-binding-hive-*.jar
-_HIVE_CMD=${HIVE_HOME}/bin/hive
-for f in ${SENTRY_HOME}/lib/*.jar; do
-  HADOOP_CLASSPATH=${HADOOP_CLASSPATH}:${f}
-done
-
-${_HIVE_CMD} --service jar ${SENTRY_HOME}/lib/${_CMD_JAR} org.apache.sentry.binding.hive.authz.SentryConfigTool "$@"
-

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/bin/sentry
----------------------------------------------------------------------
diff --git a/bin/sentry b/bin/sentry
index 812fa12..81b4382 100755
--- a/bin/sentry
+++ b/bin/sentry
@@ -25,41 +25,40 @@ fi
 
 _HIVE_CMD=hive
 #check to see if the hive conf dir is given as an optional argument
+args=()
 while [ $# -gt 0 ]; do    # Until you run out of parameters . . .
   case "$1" in
     --hive-config)
-        shift
-        confdir=$1
-        shift
-        export HIVE_CONF_DIR=$confdir
-        echo Using hive-conf-dir $HIVE_CONF_DIR
-        ;;
+      shift
+      confdir=$1
+      shift
+      export HIVE_CONF_DIR=$confdir
+      echo Using hive-conf-dir $HIVE_CONF_DIR
+      ;;
     --hive-home)
-        shift
-        homedir=$1
-        shift
-        export HIVE_HOME=$homedir
-        echo Using hive-home $HIVE_HOME
-        ;;
-    --command)
-        shift
-        case "$1" in
-          config-tool)
-             shift
-             $myhome/bin/config-tool.sh "$@"
-             ;;
-          *)
-             echo Unknown option $1
-             echo "Usage sentry --command <config-tool [config-tool-options]>"
-             break
-             ;;
-        esac
-        break
-        ;;
+      shift
+      homedir=$1
+      shift
+      export HIVE_HOME=$homedir
+      echo Using hive-home $HIVE_HOME
+      ;;
     *)
-        echo "Usage sentry --command <config-tool [config-tool-options]>"
-        break
-        ;;
+      args+=($1)
+      shift
+      ;;
   esac
 done
 
+if [[ -z "$HIVE_HOME" ]]
+then
+  echo "HIVE_HOME must be defined either as an env variable or by the --hive-home argument"
+  exit 1
+fi
+
+_CMD_JAR=sentry-core-common-*.jar
+_HIVE_CMD=${HIVE_HOME}/bin/hive
+for f in ${SENTRY_HOME}/lib/*.jar; do
+  HADOOP_CLASSPATH=${HADOOP_CLASSPATH}:${f}
+done
+export HADOOP_CLASSPATH
+${_HIVE_CMD} --service jar ${SENTRY_HOME}/lib/${_CMD_JAR} org.apache.sentry.SentryMain "${args[@]}"

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 5a8c32b..9725102 100644
--- a/pom.xml
+++ b/pom.xml
@@ -50,8 +50,8 @@ limitations under the License.
 
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-    <maven.compile.source>1.6</maven.compile.source>
-    <maven.compile.target>1.6</maven.compile.target>
+    <maven.compile.source>1.7</maven.compile.source>
+    <maven.compile.target>1.7</maven.compile.target>
     <!-- versions are in alphabetical order -->
     <ant.contrib.version>1.0b3</ant.contrib.version>
     <maven.antrun.plugin.version>1.7</maven.antrun.plugin.version>
@@ -63,7 +63,9 @@ limitations under the License.
     <datanucleus-api-jdo.version>3.2.1</datanucleus-api-jdo.version>
     <datanucleus-core.version>3.2.2</datanucleus-core.version>
     <datanucleus-rdbms.version>3.2.1</datanucleus-rdbms.version>
+    <jdo-api.version>3.0.1</jdo-api.version>
     <derby.version>10.4.2.0</derby.version>
+    <commons-cli.version>1.2</commons-cli.version>
     <hive.version>0.12.0-cdh5.0.0-beta-2-SNAPSHOT</hive.version>
     <hadoop.version>2.2.0-cdh5.0.0-beta-2-SNAPSHOT</hadoop.version>
     <fest.reflect.version>1.4.1</fest.reflect.version>
@@ -72,6 +74,7 @@ limitations under the License.
     <libthrift.version>0.9.0-cdh4-1</libthrift.version>
     <libfb303.version>0.9.0</libfb303.version>
     <log4j.version>1.2.16</log4j.version>
+    <mockito.version>1.8.5</mockito.version>
     <shiro.version>1.2.1</shiro.version>
     <slf4j.version>1.6.1</slf4j.version>
     <solr.version>4.7.0</solr.version>
@@ -82,6 +85,16 @@ limitations under the License.
   <dependencyManagement>
     <dependencies>
       <dependency>
+        <groupId>ant-contrib</groupId>
+        <artifactId>ant-contrib</artifactId>
+        <version>1.0b3</version>
+      </dependency>
+      <dependency>
+        <groupId>commons-cli</groupId>
+        <artifactId>commons-cli</artifactId>
+        <version>${commons-cli.version}</version>
+      </dependency>
+      <dependency>
         <groupId>commons-lang</groupId>
         <artifactId>commons-lang</artifactId>
         <version>${commons.lang.version}</version>
@@ -264,6 +277,11 @@ limitations under the License.
       </dependency>
       <dependency>
         <groupId>org.apache.sentry</groupId>
+        <artifactId>sentry-provider-db</artifactId>
+        <version>${project.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.sentry</groupId>
         <artifactId>sentry-policy-common</artifactId>
         <version>${project.version}</version>
       </dependency>
@@ -282,6 +300,31 @@ limitations under the License.
         <artifactId>sentry-dist</artifactId>
         <version>${project.version}</version>
       </dependency>
+      <dependency>
+        <groupId>javax.jdo</groupId>
+        <artifactId>jdo-api</artifactId>
+        <version>${jdo-api.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.datanucleus</groupId>
+        <artifactId>datanucleus-core</artifactId>
+        <version>${datanucleus-core.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.datanucleus</groupId>
+        <artifactId>datanucleus-api-jdo</artifactId>
+        <version>${datanucleus-api-jdo.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.datanucleus</groupId>
+        <artifactId>datanucleus-rdbms</artifactId>
+        <version>${datanucleus-rdbms.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.mockito</groupId>
+        <artifactId>mockito-all</artifactId>
+        <version>${mockito.version}</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 
@@ -328,6 +371,24 @@ limitations under the License.
         </plugin>
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
+          <artifactId>maven-antrun-plugin</artifactId>
+          <version>${maven.antrun.plugin.version}</version>
+          <dependencies>
+            <dependency>
+              <groupId>ant-contrib</groupId>
+              <artifactId>ant-contrib</artifactId>
+              <version>${ant.contrib.version}</version>
+              <exclusions>
+                <exclusion>
+                  <groupId>ant</groupId>
+                  <artifactId>ant</artifactId>
+                </exclusion>
+              </exclusions>
+            </dependency>
+          </dependencies>
+        </plugin>
+        <plugin>
+          <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-compiler-plugin</artifactId>
           <version>2.5.1</version>
           <configuration>
@@ -336,6 +397,30 @@ limitations under the License.
           </configuration>
         </plugin>
         <plugin>
+          <groupId>org.apache.maven.plugins</groupId>
+          <artifactId>maven-enforcer-plugin</artifactId>
+          <version>${maven.enforcer.plugin.version}</version>
+        </plugin>
+        <plugin>
+          <groupId>org.apache.maven.plugins</groupId>
+          <artifactId>maven-jar-plugin</artifactId>
+          <version>2.4</version>
+        </plugin>
+        <plugin>
+          <groupId>org.apache.maven.plugins</groupId>
+          <artifactId>maven-surefire-plugin</artifactId>
+          <version>2.16</version>
+          <configuration>
+            <forkMode>always</forkMode>
+            <environmentVariables>
+              <HADOOP_CLIENT_OPTS>-Xmx1000m -Dhive.log.dir=./target/</HADOOP_CLIENT_OPTS>
+            </environmentVariables>
+            <forkedProcessTimeoutInSeconds>900</forkedProcessTimeoutInSeconds>
+            <redirectTestOutputToFile>true</redirectTestOutputToFile>
+            <argLine>-Xms256m -Xmx1g</argLine>
+          </configuration>
+        </plugin>
+        <plugin>
           <groupId>org.apache.rat</groupId>
           <artifactId>apache-rat-plugin</artifactId>
           <version>0.10</version>
@@ -368,31 +453,29 @@ limitations under the License.
                   <exclude>**/*.lck</exclude>
                   <!-- exclude generated solr config files -->
                   <exclude>**/solr/collection1/conf/**</exclude>
+                  <!-- exclude generated thrift files -->
+                  <exclude>**/gen/**</exclude>
                 </excludes>
               </configuration>
             </execution>
           </executions>
         </plugin>
-
         <plugin>
-          <groupId>org.apache.maven.plugins</groupId>
-          <artifactId>maven-jar-plugin</artifactId>
-          <version>2.4</version>
+          <groupId>org.codehaus.mojo</groupId>
+          <artifactId>build-helper-maven-plugin</artifactId>
+          <version>${build.helper.maven.plugin.version}</version>
         </plugin>
-
-        <plugin>
-          <groupId>org.apache.maven.plugins</groupId>
-          <artifactId>maven-surefire-plugin</artifactId>
-          <version>2.16</version>
-          <configuration>
-            <forkMode>always</forkMode>
-            <environmentVariables>
-              <HADOOP_CLIENT_OPTS>-Xmx1000m -Dhive.log.dir=./target/</HADOOP_CLIENT_OPTS>
-            </environmentVariables>
-            <forkedProcessTimeoutInSeconds>900</forkedProcessTimeoutInSeconds>
-            <redirectTestOutputToFile>true</redirectTestOutputToFile>
-            <argLine>-Xms256m -Xmx1g</argLine>
-          </configuration>
+	<plugin>
+          <groupId>org.datanucleus</groupId>
+          <artifactId>datanucleus-maven-plugin</artifactId>
+          <version>${datanucleus.maven.plugin.version}</version>
+          <dependencies>
+            <dependency>
+              <groupId>org.datanucleus</groupId>
+              <artifactId>datanucleus-core</artifactId>
+              <version>${datanucleus-core.version}</version>
+            </dependency>
+          </dependencies>
         </plugin>
       </plugins>
     </pluginManagement>

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index c719905..5ff7764 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -18,11 +18,9 @@ package org.apache.sentry.binding.hive;
 
 import static org.apache.hadoop.hive.metastore.MetaStoreUtils.DEFAULT_DATABASE_NAME;
 
-import java.io.File;
 import java.io.Serializable;
 import java.net.MalformedURLException;
 import java.net.URI;
-import java.net.URISyntaxException;
 import java.net.URL;
 import java.security.CodeSource;
 import java.util.ArrayList;
@@ -44,8 +42,6 @@ import org.apache.hadoop.hive.ql.hooks.Hook;
 import org.apache.hadoop.hive.ql.hooks.ReadEntity;
 import org.apache.hadoop.hive.ql.hooks.WriteEntity;
 import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
-import org.apache.hadoop.hive.ql.metadata.Hive;
-import org.apache.hadoop.hive.ql.metadata.HiveException;
 import org.apache.hadoop.hive.ql.parse.ASTNode;
 import org.apache.hadoop.hive.ql.parse.AbstractSemanticAnalyzerHook;
 import org.apache.hadoop.hive.ql.parse.BaseSemanticAnalyzer;
@@ -60,14 +56,13 @@ import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationSco
 import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType;
 import org.apache.sentry.binding.hive.authz.HiveAuthzPrivilegesMap;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
-import org.apache.sentry.core.common.Action;
 import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.core.common.utils.PathUtils;
 import org.apache.sentry.core.model.db.AccessURI;
-import org.apache.sentry.core.model.db.Database;
 import org.apache.sentry.core.model.db.DBModelAction;
 import org.apache.sentry.core.model.db.DBModelAuthorizable;
 import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
+import org.apache.sentry.core.model.db.Database;
 import org.apache.sentry.core.model.db.Table;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -284,7 +279,7 @@ implements HiveDriverFilterHook {
     } catch (AuthorizationException e) {
       executeOnFailureHooks(context, stmtOperation, e);
       String permsRequired = "";
-      for (String perm : hiveAuthzBinding.getLastQueryPermissionErrors()) {
+      for (String perm : hiveAuthzBinding.getLastQueryPrivilegeErrors()) {
         permsRequired += perm + ";";
       }
       context.getConf().set(HiveAuthzConf.HIVE_SENTRY_AUTH_ERRORS, permsRequired);
@@ -530,11 +525,13 @@ implements HiveDriverFilterHook {
           conf.getVar(HiveConf.ConfVars.SCRATCHDIR)));
         URI requestURI = new URI(PathUtils.parseDFSURI(warehouseDir,
           writeEntity.getLocation().getPath()));
+        LOG.debug("scratchURI = " + scratchURI + ", requestURI = " + requestURI);
         if (PathUtils.impliesURI(scratchURI, requestURI)) {
           return true;
         }
         URI localScratchURI = new URI(PathUtils.parseLocalURI(conf.getVar(HiveConf.ConfVars.LOCALSCRATCHDIR)));
         URI localRequestURI = new URI(PathUtils.parseLocalURI(writeEntity.getLocation().getPath()));
+        LOG.debug("localScratchURI = " + localScratchURI + ", localRequestURI = " + localRequestURI);
         if (PathUtils.impliesURI(localScratchURI, localRequestURI)) {
           return true;
         }
@@ -711,22 +708,15 @@ implements HiveDriverFilterHook {
       throws Exception {
 
     List<T> hooks = new ArrayList<T>();
-    String csHooks = authzConf.get(hookConfVar.getVar(), "");
-    if (csHooks == null) {
+    String csHooks = authzConf.get(hookConfVar.getVar(), "").trim();
+    if (csHooks.isEmpty()) {
       return hooks;
     }
-
-    csHooks = csHooks.trim();
-    if (csHooks.equals("")) {
-      return hooks;
-    }
-
-    String[] hookClasses = csHooks.split(",");
-
-    for (String hookClass : hookClasses) {
+    for (String hookClass : Splitter.on(",").omitEmptyStrings().trimResults().split(csHooks)) {
       try {
+        @SuppressWarnings("unchecked")
         T hook =
-            (T) Class.forName(hookClass.trim(), true, JavaUtils.getClassLoader()).newInstance();
+            (T) Class.forName(hookClass, true, JavaUtils.getClassLoader()).newInstance();
         hooks.add(hook);
       } catch (ClassNotFoundException e) {
         LOG.error(hookConfVar.getVar() + " Class not found:" + e.getMessage());

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingPreExecHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingPreExecHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingPreExecHook.java
index f120c77..bed7917 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingPreExecHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingPreExecHook.java
@@ -24,8 +24,8 @@ import org.apache.hadoop.hive.ql.hooks.ExecuteWithHookContext;
 import org.apache.hadoop.hive.ql.hooks.HookContext;
 import org.apache.hadoop.hive.ql.plan.HiveOperation;
 import org.apache.sentry.binding.hive.authz.HiveAuthzBinding;
-import org.apache.sentry.binding.hive.authz.HiveAuthzPrivilegesMap;
 import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveExtendedOperation;
+import org.apache.sentry.binding.hive.authz.HiveAuthzPrivilegesMap;
 import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.core.model.db.DBModelAuthorizable;
 import org.slf4j.Logger;

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryOnFailureHookContext.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryOnFailureHookContext.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryOnFailureHookContext.java
index 2beacd0..a380651 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryOnFailureHookContext.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryOnFailureHookContext.java
@@ -18,19 +18,16 @@
 
 package org.apache.sentry.binding.hive;
 
+import java.util.Set;
+
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.ql.hooks.ReadEntity;
+import org.apache.hadoop.hive.ql.hooks.WriteEntity;
+import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
 import org.apache.hadoop.hive.ql.plan.HiveOperation;
 import org.apache.sentry.core.model.db.AccessURI;
 import org.apache.sentry.core.model.db.Database;
 import org.apache.sentry.core.model.db.Table;
-import org.apache.hadoop.hive.ql.exec.Task;
-import org.apache.hadoop.hive.ql.hooks.ReadEntity;
-import org.apache.hadoop.hive.ql.hooks.WriteEntity;
-import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
-
-import java.io.Serializable;
-import java.util.List;
-import java.util.Set;
 
 /**
  * Context information provided by Access to implementations

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryOnFailureHookContextImpl.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryOnFailureHookContextImpl.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryOnFailureHookContextImpl.java
index d8ffe23..f97d7f3 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryOnFailureHookContextImpl.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryOnFailureHookContextImpl.java
@@ -18,19 +18,16 @@
 
 package org.apache.sentry.binding.hive;
 
+import java.util.Set;
+
 import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.ql.hooks.ReadEntity;
+import org.apache.hadoop.hive.ql.hooks.WriteEntity;
+import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
 import org.apache.hadoop.hive.ql.plan.HiveOperation;
 import org.apache.sentry.core.model.db.AccessURI;
 import org.apache.sentry.core.model.db.Database;
 import org.apache.sentry.core.model.db.Table;
-import org.apache.hadoop.hive.ql.exec.Task;
-import org.apache.hadoop.hive.ql.hooks.ReadEntity;
-import org.apache.hadoop.hive.ql.hooks.WriteEntity;
-import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
-
-import java.io.Serializable;
-import java.util.List;
-import java.util.Set;
 
 public class SentryOnFailureHookContextImpl implements SentryOnFailureHookContext {
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
index f6a1ecc..65854c3 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
@@ -32,7 +32,8 @@ import org.apache.hadoop.hive.ql.plan.HiveOperation;
 import org.apache.hadoop.hive.ql.session.SessionState;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars;
-import org.apache.sentry.core.common.Action;
+import org.apache.sentry.binding.hive.conf.InvalidConfigurationException;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.core.model.db.DBModelAction;
 import org.apache.sentry.core.model.db.DBModelAuthorizable;
@@ -44,7 +45,6 @@ import org.apache.sentry.provider.common.NoAuthorizationProvider;
 import org.apache.sentry.provider.common.ProviderBackend;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.apache.sentry.binding.hive.conf.InvalidConfigurationException;
 
 import com.google.common.base.Strings;
 
@@ -56,12 +56,10 @@ public class HiveAuthzBinding {
   private static final AtomicInteger queryID = new AtomicInteger();
   public static final String HIVE_BINDING_TAG = "hive.authz.bindings.tag";
 
-  private final HiveAuthzConf authzConf;
   private final Server authServer;
   private final AuthorizationProvider authProvider;
 
   public HiveAuthzBinding (HiveConf hiveConf, HiveAuthzConf authzConf) throws Exception {
-    this.authzConf = authzConf;
     this.authServer = new Server(authzConf.get(AuthzConfVars.AUTHZ_SERVER_NAME.getVar()));
     this.authProvider = getAuthProvider(hiveConf, authzConf, authServer.getName());
   }
@@ -130,27 +128,25 @@ public class HiveAuthzBinding {
     String authProviderName = authzConf.get(AuthzConfVars.AUTHZ_PROVIDER.getVar());
     String resourceName =
         authzConf.get(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar());
-    String providerBackendName =
-      authzConf.get(AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar());
-    String policyEngineName =
-      authzConf.get(AuthzConfVars.AUTHZ_POLICY_ENGINE.getVar());
+    String providerBackendName = authzConf.get(AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar());
+    String policyEngineName = authzConf.get(AuthzConfVars.AUTHZ_POLICY_ENGINE.getVar());
 
     LOG.debug("Using authorization provider " + authProviderName +
-      " with resource " + resourceName + ", policy engine "
-      + policyEngineName + ", provider backend " + providerBackendName);
-    // load the provider backend class
-    Constructor<?> providerBackendConstructor =
-      Class.forName(providerBackendName).getDeclaredConstructor(String.class);
-    providerBackendConstructor.setAccessible(true);
-    ProviderBackend providerBackend =
-      (ProviderBackend) providerBackendConstructor.newInstance(new Object[] {resourceName});
+        " with resource " + resourceName + ", policy engine "
+        + policyEngineName + ", provider backend " + providerBackendName);
+      // load the provider backend class
+      Constructor<?> providerBackendConstructor =
+        Class.forName(providerBackendName).getDeclaredConstructor(String.class);
+      providerBackendConstructor.setAccessible(true);
+    ProviderBackend providerBackend = (ProviderBackend) providerBackendConstructor.
+        newInstance(new Object[] {resourceName});
 
     // load the policy engine class
     Constructor<?> policyConstructor =
       Class.forName(policyEngineName).getDeclaredConstructor(String.class, ProviderBackend.class);
     policyConstructor.setAccessible(true);
-    PolicyEngine policyEngine =
-      (PolicyEngine) policyConstructor.newInstance(new Object[] {serverName, providerBackend});
+    PolicyEngine policyEngine = (PolicyEngine) policyConstructor.
+        newInstance(new Object[] {serverName, providerBackend});
 
 
     // load the authz provider class
@@ -200,7 +196,7 @@ public class HiveAuthzBinding {
         if (requiredInputPrivileges.containsKey(getAuthzType(inputHierarchy))) {
           EnumSet<DBModelAction> inputPrivSet =
             requiredInputPrivileges.get(getAuthzType(inputHierarchy));
-          if (!authProvider.hasAccess(subject, inputHierarchy, inputPrivSet)) {
+          if (!authProvider.hasAccess(subject, inputHierarchy, inputPrivSet, ActiveRoleSet.ALL)) {
             throw new AuthorizationException("User " + subject.getName() +
                 " does not have privileges for " + hiveOp.name());
           }
@@ -218,7 +214,7 @@ public class HiveAuthzBinding {
         if (requiredOutputPrivileges.containsKey(getAuthzType(outputHierarchy))) {
           EnumSet<DBModelAction> outputPrivSet =
             requiredOutputPrivileges.get(getAuthzType(outputHierarchy));
-          if (!authProvider.hasAccess(subject, outputHierarchy, outputPrivSet)) {
+          if (!authProvider.hasAccess(subject, outputHierarchy, outputPrivSet, ActiveRoleSet.ALL)) {
             throw new AuthorizationException("User " + subject.getName() +
                 " does not have priviliedges for " + hiveOp.name());
           }
@@ -234,7 +230,7 @@ public class HiveAuthzBinding {
     return hierarchy.get(hierarchy.size() -1).getAuthzType();
   }
 
-  public List<String> getLastQueryPermissionErrors() {
-    return authProvider.getLastFailedPermissions();
+  public List<String> getLastQueryPrivilegeErrors() {
+    return authProvider.getLastFailedPrivileges();
   }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
index b20ec34..7d241d0 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzPrivilegesMap.java
@@ -24,7 +24,6 @@ import org.apache.hadoop.hive.ql.plan.HiveOperation;
 import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveExtendedOperation;
 import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationScope;
 import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType;
-import org.apache.sentry.core.common.Action;
 import org.apache.sentry.core.model.db.DBModelAction;
 import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
index d7a518d..bc739ad 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
@@ -25,7 +25,6 @@ import java.sql.SQLException;
 import java.sql.Statement;
 import java.util.Set;
 
-import org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.GnuParser;
 import org.apache.commons.cli.HelpFormatter;
@@ -42,13 +41,15 @@ import org.apache.hadoop.hive.ql.processors.CommandProcessorResponse;
 import org.apache.hadoop.hive.ql.session.SessionState;
 import org.apache.log4j.Level;
 import org.apache.log4j.LogManager;
+import org.apache.sentry.Command;
 import org.apache.sentry.binding.hive.HiveAuthzBindingHook;
+import org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars;
-import org.apache.sentry.provider.common.AuthorizationProvider;
 import org.apache.sentry.core.common.SentryConfigurationException;
-import org.apache.sentry.core.model.db.Server;
 import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.model.db.Server;
+import org.apache.sentry.provider.common.AuthorizationProvider;
 
 public class SentryConfigTool {
   private String sentrySiteFile = null;
@@ -57,7 +58,7 @@ public class SentryConfigTool {
   private String jdbcURL = null;
   private String user = null;
   private String passWord = null;
-  private boolean listPerms = false;
+  private boolean listPrivs = false;
   private boolean validate = false;
   private HiveConf hiveConf = null;
   private HiveAuthzConf authzConf = null;
@@ -147,12 +148,12 @@ public class SentryConfigTool {
     this.passWord = passWord;
   }
 
-  public boolean isListPerms() {
-    return listPerms;
+  public boolean isListPrivs() {
+    return listPrivs;
   }
 
-  public void setListPerms(boolean listPerms) {
-    this.listPerms = listPerms;
+  public void setListPrivs(boolean listPrivs) {
+    this.listPrivs = listPrivs;
   }
 
   /**
@@ -229,10 +230,10 @@ public class SentryConfigTool {
   }
 
   // list permissions for given user
-  public void listPerms() throws Exception {
+  public void listPrivs() throws Exception {
     getSentryProvider().validateResource(true);
     System.out.println("Available privileges for user " + getUser() + ":");
-    Set<String> permList = getSentryProvider().listPermissionsForSubject(
+    Set<String> permList = getSentryProvider().listPrivilegesForSubject(
         new Subject(getUser()));
     for (String perms : permList) {
       System.out.println("\t" + perms);
@@ -359,17 +360,18 @@ public class SentryConfigTool {
 
   /**
    *  parse arguments
-   *
-   *   -d,--debug               enable debug output
-   *   -e,--query <arg>         Query privilege verification, requires -u
-   *    -h,--help                Print usage
-   *   -i,--policyIni <arg>     Policy file path
-   *   -j,--jdbcURL <arg>       JDBC URL
-   *   -l,--listPerms           list permissions for given user, requires -u
-   *   -p,--password <arg>      Password
-   *   -s,--sentry-site <arg>   sentry-site file path
-   *   -u,--user <arg>          user name
-   *   -v,--validate            Validate policy file
+   * <pre>
+   *   -d,--debug                  Enable debug output
+   *   -e,--query <arg>            Query privilege verification, requires -u
+   *    -h,--help                  Print usage
+   *   -i,--policyIni <arg>        Policy file path
+   *   -j,--jdbcURL <arg>          JDBC URL
+   *   -l,--listPrivs,--listPerms  List privilges for given user, requires -u
+   *   -p,--password <arg>         Password
+   *   -s,--sentry-site <arg>      sentry-site file path
+   *   -u,--user <arg>             user name
+   *   -v,--validate               Validate policy file
+   * </pre>
    * @param args
    */
   private void parseArgs(String[] args) {
@@ -391,6 +393,9 @@ public class SentryConfigTool {
     Option listPermsOpt = new Option("l", "listPerms", false,
         "list permissions for given user, requires -u");
     listPermsOpt.setRequired(false);
+    Option listPrivsOpt = new Option("listPrivs", false,
+        "list privileges for given user, requires -u");
+    listPrivsOpt.setRequired(false);
 
     // required args
     OptionGroup sentryOptGroup = new OptionGroup();
@@ -398,6 +403,7 @@ public class SentryConfigTool {
     sentryOptGroup.addOption(validateOpt);
     sentryOptGroup.addOption(queryOpt);
     sentryOptGroup.addOption(listPermsOpt);
+    sentryOptGroup.addOption(listPrivsOpt);
     sentryOptGroup.setRequired(true);
     sentryOptions.addOptionGroup(sentryOptGroup);
 
@@ -445,8 +451,8 @@ public class SentryConfigTool {
           setUser(opt.getValue());
         } else if (opt.getOpt().equals("p")) {
           setPassWord(opt.getValue());
-        } else if (opt.getOpt().equals("l")) {
-          setListPerms(true);
+        } else if (opt.getOpt().equals("l") || opt.getOpt().equals("listPrivs")) {
+          setListPrivs(true);
         } else if (opt.getOpt().equals("v")) {
           setValidate(true);
         } else if (opt.getOpt().equals("h")) {
@@ -456,7 +462,7 @@ public class SentryConfigTool {
         }
       }
 
-      if (isListPerms() && (getUser() == null)) {
+      if (isListPrivs() && (getUser() == null)) {
         throw new ParseException("Can't use -l without -u ");
       }
       if ((getQuery() != null) && (getUser() == null)) {
@@ -473,38 +479,41 @@ public class SentryConfigTool {
     }
   }
 
-  public static void main(String args[]) throws Exception {
-    SentryConfigTool sentryTool = new SentryConfigTool();
+  public static class CommandImpl implements Command {
+    @Override
+    public void run(String[] args) throws Exception {
+      SentryConfigTool sentryTool = new SentryConfigTool();
 
-    try {
-      // parse arguments
-      sentryTool.parseArgs(args);
+      try {
+        // parse arguments
+        sentryTool.parseArgs(args);
 
-      // load configuration
-      sentryTool.setupConfig();
+        // load configuration
+        sentryTool.setupConfig();
 
-      // validate configuration
-      if (sentryTool.isValidate()) {
-        sentryTool.validatePolicy();
-      }
+        // validate configuration
+        if (sentryTool.isValidate()) {
+          sentryTool.validatePolicy();
+        }
 
-      // list permissions for give user
-      if (sentryTool.isListPerms()) {
-        sentryTool.listPerms();
-      }
+        // list permissions for give user
+        if (sentryTool.isListPrivs()) {
+          sentryTool.listPrivs();
+        }
 
-      // verify given query
-      if (sentryTool.getQuery() != null) {
-        if (sentryTool.getJdbcURL() != null) {
-          sentryTool.verifyRemoteQuery(sentryTool.getQuery());
-        } else {
-          sentryTool.verifyLocalQuery(sentryTool.getQuery());
+        // verify given query
+        if (sentryTool.getQuery() != null) {
+          if (sentryTool.getJdbcURL() != null) {
+            sentryTool.verifyRemoteQuery(sentryTool.getQuery());
+          } else {
+            sentryTool.verifyLocalQuery(sentryTool.getQuery());
+          }
         }
+      } catch (Exception e) {
+        System.out.println("Sentry tool reported Errors: " + e.getMessage());
+        e.printStackTrace(System.out);
+        System.exit(1);
       }
-    } catch (Exception e) {
-      System.out.println("Sentry tool reported Errors: " + e.getMessage());
-      System.exit(1);
     }
-
   }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/MockUserToGroupMapping.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/MockUserToGroupMapping.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/MockUserToGroupMapping.java
index 83432ca..c095603 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/MockUserToGroupMapping.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/MockUserToGroupMapping.java
@@ -17,18 +17,18 @@
 
 package org.apache.sentry.binding.hive;
 
-import java.util.List;
+import java.util.Set;
 
 import org.apache.sentry.provider.common.GroupMappingService;
 
-import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
 
 public class MockUserToGroupMapping implements GroupMappingService {
 
   // User to group 1-to-1 map
   @Override
-  public List<String> getGroups(String user) {
-    return Lists.newArrayList(user);
+  public Set<String> getGroups(String user) {
+    return Sets.newHashSet(user);
   }
 
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzConf.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzConf.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzConf.java
index ea2c7ea..1942e03 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzConf.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestHiveAuthzConf.java
@@ -18,6 +18,7 @@ package org.apache.sentry.binding.hive;
 
 import java.util.Arrays;
 import java.util.List;
+
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars;
 import org.junit.Assert;

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestURI.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestURI.java b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestURI.java
index 1853559..e99d37f 100644
--- a/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestURI.java
+++ b/sentry-binding/sentry-binding-hive/src/test/java/org/apache/sentry/binding/hive/TestURI.java
@@ -20,7 +20,6 @@ import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
 import org.apache.hadoop.hive.ql.parse.SemanticException;
 import org.apache.hadoop.hive.ql.session.SessionState;
-import org.apache.sentry.binding.hive.HiveAuthzBindingHook;
 import org.junit.Assert;
 import org.junit.BeforeClass;
 import org.junit.Test;

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SentrySolrAuthorizationException.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SentrySolrAuthorizationException.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SentrySolrAuthorizationException.java
index 134eaeb..938dbfd 100644
--- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SentrySolrAuthorizationException.java
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SentrySolrAuthorizationException.java
@@ -17,6 +17,8 @@
 package org.apache.sentry.binding.solr.authz;
 
 public class SentrySolrAuthorizationException extends Exception {
+  private static final long serialVersionUID = -263787088321897523L;
+
   public SentrySolrAuthorizationException(String message) {
     super(message);
   }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
index c6ce53e..9a6e623 100644
--- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
@@ -20,22 +20,21 @@ import java.io.File;
 import java.io.IOException;
 import java.lang.reflect.Constructor;
 import java.util.Arrays;
-import java.util.List;
 import java.util.Set;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.apache.sentry.binding.solr.conf.SolrAuthzConf;
+import org.apache.sentry.binding.solr.conf.SolrAuthzConf.AuthzConfVars;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.core.model.search.Collection;
 import org.apache.sentry.core.model.search.SearchModelAction;
-import org.apache.sentry.binding.solr.conf.SolrAuthzConf;
-import org.apache.sentry.binding.solr.conf.SolrAuthzConf.AuthzConfVars;
 import org.apache.sentry.policy.common.PolicyEngine;
 import org.apache.sentry.provider.common.AuthorizationProvider;
 import org.apache.sentry.provider.common.GroupMappingService;
 import org.apache.sentry.provider.common.ProviderBackend;
-
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -120,7 +119,8 @@ public class SolrAuthzBinding {
       LOG.debug("Actions: " + actions);
     }
 
-    if (!authProvider.hasAccess(subject, Arrays.asList(new Collection[] {collection}), actions)) {
+    if (!authProvider.hasAccess(subject, Arrays.asList(new Collection[] {collection}), actions,
+        ActiveRoleSet.ALL)) {
       throw new SentrySolrAuthorizationException("User " + subject.getName() +
         " does not have privileges for " + collection.getName());
     }
@@ -131,7 +131,7 @@ public class SolrAuthzBinding {
    * @param user
    * @return list of groups the user belongs to
    */
-  public List<String> getGroups(String user) {
+  public Set<String> getGroups(String user) {
     return groupMapping.getGroups(user);
   }
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/conf/SolrAuthzConf.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/conf/SolrAuthzConf.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/conf/SolrAuthzConf.java
index c9ee8ba..70983c4 100644
--- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/conf/SolrAuthzConf.java
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/conf/SolrAuthzConf.java
@@ -17,12 +17,8 @@
 package org.apache.sentry.binding.solr.conf;
 
 import java.net.URL;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.Map.Entry;
 
 import org.apache.hadoop.conf.Configuration;
-import org.mortbay.log.Log;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
index b061eec..e2e3403 100644
--- a/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/test/java/org/apache/sentry/binding/solr/TestSolrAuthzBinding.java
@@ -16,31 +16,32 @@
  */
 package org.apache.sentry.binding.solr;
 
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertTrue;
+
 import java.io.File;
 import java.io.FileNotFoundException;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.EnumSet;
-import java.util.List;
 import java.lang.reflect.InvocationTargetException;
+import java.util.Collections;
+import java.util.EnumSet;
+import java.util.Set;
 
 import junit.framework.Assert;
-import static junit.framework.Assert.assertEquals;
-import static junit.framework.Assert.assertTrue;
 
 import org.apache.commons.io.FileUtils;
+import org.apache.sentry.binding.solr.authz.SentrySolrAuthorizationException;
+import org.apache.sentry.binding.solr.authz.SolrAuthzBinding;
+import org.apache.sentry.binding.solr.conf.SolrAuthzConf;
+import org.apache.sentry.binding.solr.conf.SolrAuthzConf.AuthzConfVars;
 import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.core.model.search.Collection;
 import org.apache.sentry.core.model.search.SearchModelAction;
 import org.apache.sentry.provider.file.PolicyFiles;
-import org.apache.sentry.binding.solr.authz.SolrAuthzBinding;
-import org.apache.sentry.binding.solr.conf.SolrAuthzConf;
-import org.apache.sentry.binding.solr.conf.SolrAuthzConf.AuthzConfVars;
-import org.apache.sentry.binding.solr.authz.SentrySolrAuthorizationException;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
 
+import com.google.common.collect.Sets;
 import com.google.common.io.Files;
 import com.google.common.io.Resources;
 
@@ -59,11 +60,11 @@ public class TestSolrAuthzBinding {
   private Subject sergeant1 = new Subject("sergeant1");
   private Subject general1 = new Subject("general1");
 
-  private EnumSet querySet = EnumSet.of(SearchModelAction.QUERY);
-  private EnumSet updateSet = EnumSet.of(SearchModelAction.UPDATE);
-  private EnumSet allSet = EnumSet.of(SearchModelAction.ALL);
-  private EnumSet allOfSet = EnumSet.allOf(SearchModelAction.class);
-  private EnumSet emptySet = EnumSet.noneOf(SearchModelAction.class);
+  private EnumSet<SearchModelAction> querySet = EnumSet.of(SearchModelAction.QUERY);
+  private EnumSet<SearchModelAction> updateSet = EnumSet.of(SearchModelAction.UPDATE);
+  private EnumSet<SearchModelAction> allSet = EnumSet.of(SearchModelAction.ALL);
+  private EnumSet<SearchModelAction> allOfSet = EnumSet.allOf(SearchModelAction.class);
+  private EnumSet<SearchModelAction> emptySet = EnumSet.noneOf(SearchModelAction.class);
 
   @Before
   public void setUp() throws Exception {
@@ -170,7 +171,7 @@ public class TestSolrAuthzBinding {
       new SolrAuthzConf(Resources.getResource("sentry-site.xml"));
     setUsableAuthzConf(solrAuthzConf);
     SolrAuthzBinding binding = new SolrAuthzBinding(solrAuthzConf);
-    List<String> emptyList = Arrays.asList();
+    Set<String> emptyList = Collections.emptySet();
 
     // check non-existant users
     assertEquals(binding.getGroups(null), emptyList);
@@ -183,9 +184,9 @@ public class TestSolrAuthzBinding {
     assertEquals(binding.getGroups("othergeneralgroup"), emptyList);
 
     // check valid group names
-    assertEquals(binding.getGroups("corporal1"), Arrays.asList("corporal"));
-    assertEquals(binding.getGroups("sergeant1"), Arrays.asList("sergeant"));
-    assertEquals(binding.getGroups("general1"), Arrays.asList("general", "othergeneralgroup"));
+    assertEquals(binding.getGroups("corporal1"), Sets.newHashSet("corporal"));
+    assertEquals(binding.getGroups("sergeant1"), Sets.newHashSet("sergeant"));
+    assertEquals(binding.getGroups("general1"), Sets.newHashSet("general", "othergeneralgroup"));
   }
 
   /**

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-core/sentry-core-common/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/pom.xml b/sentry-core/sentry-core-common/pom.xml
index d50963e..84ab359 100644
--- a/sentry-core/sentry-core-common/pom.xml
+++ b/sentry-core/sentry-core-common/pom.xml
@@ -29,6 +29,10 @@ limitations under the License.
 
   <dependencies>
     <dependency>
+      <groupId>commons-cli</groupId>
+      <artifactId>commons-cli</artifactId>
+    </dependency>
+    <dependency>
       <groupId>com.google.guava</groupId>
       <artifactId>guava</artifactId>
     </dependency>

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/Command.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/Command.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/Command.java
new file mode 100644
index 0000000..528f7d7
--- /dev/null
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/Command.java
@@ -0,0 +1,23 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry;
+
+
+public interface Command {
+  public void run(String[] args) throws Exception;
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/SentryMain.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/SentryMain.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/SentryMain.java
new file mode 100644
index 0000000..eb3482b
--- /dev/null
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/SentryMain.java
@@ -0,0 +1,73 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.CommandLineParser;
+import org.apache.commons.cli.GnuParser;
+import org.apache.commons.cli.HelpFormatter;
+import org.apache.commons.cli.Options;
+
+import com.google.common.collect.ImmutableMap;
+
+public class SentryMain {
+  private static final String HELP_SHORT = "h";
+  private static final String HELP_LONG = "help";
+  private static final String COMMAND = "command";
+  private static final ImmutableMap<String, String> COMMANDS = ImmutableMap
+      .<String, String>builder()
+      .put("service", "org.apache.sentry.service.thrift.SentryService$CommandImpl")
+      .put("config-tool", "org.apache.sentry.binding.hive.authz.SentryConfigTool$CommandImpl")
+      .build();
+  public static void main(String[] args)
+      throws Exception {
+    CommandLineParser parser = new GnuParser();
+    Options options = new Options();
+    options.addOption(HELP_SHORT, HELP_LONG, false, "Print this help text");
+    options.addOption(null, COMMAND, true, "Command to run. Options: " + COMMANDS.keySet());
+    CommandLine commandLine = parser.parse(options, args);
+    String commandName = commandLine.getOptionValue(COMMAND);
+    if (commandName == null || commandLine.hasOption(HELP_SHORT) ||
+        commandLine.hasOption(HELP_LONG)) {
+      printHelp(options);
+    }
+    String commandClazz = COMMANDS.get(commandName);
+    if (commandClazz == null) {
+      String msg = "Unknown command '" + commandName + "', options are: " + COMMANDS.keySet();
+      throw new IllegalArgumentException(msg);
+    }
+    Object command;
+    try {
+      command = Class.forName(commandClazz.trim()).newInstance();
+    } catch (Exception e) {
+      String msg = "Could not create instance of " + commandClazz + " for command " + commandName;
+      throw new IllegalStateException(msg, e);
+    }
+    if (!(command instanceof Command)) {
+      String msg = "Command " + command.getClass().getName() + " is not an instance of "
+          + Command.class.getName();
+      throw new IllegalStateException(msg);
+    }
+    ((Command)command).run(commandLine.getArgs());
+  }
+  private static void printHelp(Options options) {
+    (new HelpFormatter()).printHelp("sentry --" + COMMAND + "=" + COMMANDS.keySet(),
+        options);
+    System.exit(1);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/SentryUserException.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/SentryUserException.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/SentryUserException.java
new file mode 100644
index 0000000..2b24703
--- /dev/null
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/SentryUserException.java
@@ -0,0 +1,28 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry;
+
+public class SentryUserException extends Exception{
+  private static final long serialVersionUID = 2329620558380655835L;
+  public SentryUserException(String msg) {
+    super(msg);
+  }
+  public SentryUserException(String msg, Throwable t) {
+    super(msg, t);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/ActiveRoleSet.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/ActiveRoleSet.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/ActiveRoleSet.java
new file mode 100644
index 0000000..c1f1f66
--- /dev/null
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/ActiveRoleSet.java
@@ -0,0 +1,71 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.core.common;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import com.google.common.collect.ImmutableSet;
+
+/**
+ * Some authorization schemes allow users to select a particular
+ * set of roles they want active at any give time. For example,
+ * SQL systems often all ALL, NONE, or a subset of roles.
+ */
+public class ActiveRoleSet {
+  public static final ActiveRoleSet ALL = new ActiveRoleSet(true);
+  private final boolean allRoles;
+  private final ImmutableSet<String> roles;
+
+  public ActiveRoleSet(boolean allRoles) {
+    this(allRoles, new HashSet<String>());
+  }
+
+  public ActiveRoleSet(Set<String> roles) {
+    this(false, ImmutableSet.copyOf(roles));
+  }
+
+  private ActiveRoleSet(boolean allRoles, Set<String> roles) {
+    this.allRoles = allRoles;
+    ImmutableSet.Builder<String> setBuilder = ImmutableSet.builder();
+    for (String role : roles) {
+      setBuilder.add(role.toLowerCase());
+    }
+    this.roles = setBuilder.build();
+  }
+
+  /**
+   * Returns true if this active role set contains role. This can be the result
+   * of either this role set implying all roles or containing role.
+   * @param role
+   * @return true if this active role set contains role
+   */
+  public boolean containsRole(String role) {
+    return allRoles || roles.contains(role.toLowerCase());
+  }
+
+  @Override
+  public String toString() {
+    StringBuilder builder = new StringBuilder("ActiveRoleSet = [ roles = ");
+    if (allRoles) {
+      builder.append("ALL");
+    } else {
+      builder.append(roles);
+    }
+    return builder.append(" ").toString();
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/SentryConfigurationException.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/SentryConfigurationException.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/SentryConfigurationException.java
index 516b2da..10d66f5 100644
--- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/SentryConfigurationException.java
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/SentryConfigurationException.java
@@ -22,6 +22,7 @@ import java.util.List;
 import org.apache.shiro.config.ConfigurationException;
 
 public class SentryConfigurationException extends ConfigurationException {
+  private static final long serialVersionUID = -116202866086371884L;
   private List<String> configErrors = new ArrayList<String>();
   private List<String> configWarnings = new ArrayList<String>();
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PathUtils.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PathUtils.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PathUtils.java
index 1659450..962179f 100644
--- a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PathUtils.java
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/utils/PathUtils.java
@@ -43,8 +43,8 @@ public class PathUtils {
     // request path does not contain relative parts /a/../b &&
     // request path starts with privilege path &&
     // authorities (nullable) are equal
-    String requestPath = ensureEndsWithSeparator(requestURI.getPath());
-    String privilegePath = ensureEndsWithSeparator(privilegeURI.getPath());
+    String requestPath = ensureEndsWithSeparator(requestURI.getPath()).replace("//", "/");
+    String privilegePath = ensureEndsWithSeparator(privilegeURI.getPath()).replace("//", "/");
     if (requestURI.getPath().equals(requestURI.normalize().getPath()) &&
         requestPath.startsWith(privilegePath) &&
         Strings.nullToEmpty(privilegeURI.getAuthority()).equals(Strings.nullToEmpty(requestURI.getAuthority()))) {

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-core/sentry-core-common/src/test/java/org/apache/sentry/core/common/utils/TestPathUtils.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/test/java/org/apache/sentry/core/common/utils/TestPathUtils.java b/sentry-core/sentry-core-common/src/test/java/org/apache/sentry/core/common/utils/TestPathUtils.java
index 28818ba..d30305b 100644
--- a/sentry-core/sentry-core-common/src/test/java/org/apache/sentry/core/common/utils/TestPathUtils.java
+++ b/sentry-core/sentry-core-common/src/test/java/org/apache/sentry/core/common/utils/TestPathUtils.java
@@ -21,6 +21,7 @@ import static junit.framework.Assert.assertFalse;
 import static junit.framework.Assert.assertTrue;
 
 import java.net.URI;
+
 import org.junit.Test;
 
 public class TestPathUtils {

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-core/sentry-core-model-search/src/test/java/org/apache/sentry/core/search/TestCollection.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-model-search/src/test/java/org/apache/sentry/core/search/TestCollection.java b/sentry-core/sentry-core-model-search/src/test/java/org/apache/sentry/core/search/TestCollection.java
index bc00b62..1bf7069 100644
--- a/sentry-core/sentry-core-model-search/src/test/java/org/apache/sentry/core/search/TestCollection.java
+++ b/sentry-core/sentry-core-model-search/src/test/java/org/apache/sentry/core/search/TestCollection.java
@@ -16,9 +16,10 @@ package org.apache.sentry.core.search;
  * limitations under the License.
  */
 
+import junit.framework.Assert;
+
 import org.apache.sentry.core.model.search.Collection;
 import org.junit.Test;
-import junit.framework.Assert;
 
 public class TestCollection {
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-dist/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-dist/pom.xml b/sentry-dist/pom.xml
index e43bb7c..edac341 100644
--- a/sentry-dist/pom.xml
+++ b/sentry-dist/pom.xml
@@ -56,6 +56,10 @@ limitations under the License.
     </dependency>
     <dependency>
       <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-provider-db</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.sentry</groupId>
       <artifactId>sentry-policy-common</artifactId>
     </dependency>
     <dependency>

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-dist/src/main/assembly/src.xml
----------------------------------------------------------------------
diff --git a/sentry-dist/src/main/assembly/src.xml b/sentry-dist/src/main/assembly/src.xml
index fefe182..a06e521 100644
--- a/sentry-dist/src/main/assembly/src.xml
+++ b/sentry-dist/src/main/assembly/src.xml
@@ -65,4 +65,3 @@
   </fileSets>
 
 </assembly>
-

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PermissionFactory.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PermissionFactory.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PermissionFactory.java
deleted file mode 100644
index 45fd7bd..0000000
--- a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PermissionFactory.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.common;
-
-import org.apache.shiro.authz.Permission;
-
-/**
- * Factory for creating Shiro permissions
- */
-public interface PermissionFactory {
-  Permission createPermission(String permission);
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
index c08d082..512e28e 100644
--- a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
+++ b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
@@ -17,41 +17,38 @@
 
 package org.apache.sentry.policy.common;
 
-import java.util.List;
+import java.util.Set;
 
-import org.apache.sentry.core.common.Authorizable;
+import javax.annotation.concurrent.ThreadSafe;
+
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.SentryConfigurationException;
 
 import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.ImmutableSetMultimap;
-
+/**
+ * Implementations of this interface are expected to be thread safe
+ * after construction.
+ */
+@ThreadSafe
 public interface PolicyEngine {
 
   /**
-   * The permission factory to use in order to compare permissions in {@link getPermission}.
-   * This is typically a factory that returns a permission used to evaluate wildcards.
-   * @return the permission factory
+   * The privilege factory to use in order to compare privileges in {@link getPermission}.
+   * This is typically a factory that returns a privilege used to evaluate wildcards.
+   * @return the privilege factory
    */
-  public PermissionFactory getPermissionFactory();
+  public PrivilegeFactory getPrivilegeFactory();
 
   /**
-   * Get permissions associated with a group. Returns Strings which can be resolved
+   * Get privileges associated with a group. Returns Strings which can be resolved
    * by the caller. Strings are returned to separate the PolicyFile class from the
-   * type of permissions used in a policy file. Additionally it is possible further
-   * processing of the permissions is needed before resolving to a permission object.
-   * @param authorizeable object
+   * type of privileges used in a policy file. Additionally it is possible further
+   * processing of the privileges is needed before resolving to a privilege object.
    * @param group name
-   * @return non-null immutable set of permissions
+   * @return non-null immutable set of privileges
    */
-  public ImmutableSetMultimap<String, String> getPermissions(
-      List<? extends Authorizable> authorizables, List<String> groups)
+  public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet)
       throws SentryConfigurationException;
 
-  public ImmutableSet<String> listPermissions(String groupName)
-    throws SentryConfigurationException;
-
-  public ImmutableSet<String> listPermissions(List<String> groupName)
-    throws SentryConfigurationException;
-
   public void validatePolicy(boolean strictValidation) throws SentryConfigurationException;
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/Privilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/Privilege.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/Privilege.java
new file mode 100644
index 0000000..c7e1734
--- /dev/null
+++ b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/Privilege.java
@@ -0,0 +1,21 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.common;
+
+public interface Privilege {
+  public boolean implies(Privilege p);
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeFactory.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeFactory.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeFactory.java
new file mode 100644
index 0000000..2f8296b
--- /dev/null
+++ b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeFactory.java
@@ -0,0 +1,24 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.common;
+
+/**
+ * Factory for creating Privilege
+ */
+public interface PrivilegeFactory {
+  Privilege createPrivilege(String permission);
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeUtils.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeUtils.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeUtils.java
new file mode 100644
index 0000000..7387ad0
--- /dev/null
+++ b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeUtils.java
@@ -0,0 +1,27 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.common;
+
+import java.util.Set;
+
+import org.apache.shiro.util.PermissionUtils;
+
+public class PrivilegeUtils {
+  public static Set<String> toPrivilegeStrings(String s) {
+    return PermissionUtils.toPermissionStrings(s);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeValidator.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeValidator.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeValidator.java
new file mode 100644
index 0000000..5548f04
--- /dev/null
+++ b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeValidator.java
@@ -0,0 +1,24 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.common;
+
+import org.apache.shiro.config.ConfigurationException;
+
+public interface PrivilegeValidator {
+
+  public void validate(PrivilegeValidatorContext context) throws ConfigurationException;
+}


Mime
View raw message