From shreepa...@apache.org
Subject git commit: SENTRY-141: Active roles need to be pushed done to provider (Brock via Shreepadma)
Date Tue, 11 Mar 2014 21:49:28 GMT
Repository: incubator-sentry
Updated Branches:
  refs/heads/db_policy_store bd511cdb2 -> e18a902d2


SENTRY-141: Active roles need to be pushed done to provider (Brock via Shreepadma)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/e18a902d
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/e18a902d
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/e18a902d

Branch: refs/heads/db_policy_store
Commit: e18a902d2c24c50231d750f91b6d8d72fd198968
Parents: bd511cd
Author: Shreepadma Venugopalan <shreepadma@apache.org>
Authored: Tue Mar 11 14:48:53 2014 -0700
Committer: Shreepadma Venugopalan <shreepadma@apache.org>
Committed: Tue Mar 11 14:48:53 2014 -0700

----------------------------------------------------------------------
 .../binding/hive/authz/HiveAuthzBinding.java    |   5 +-
 .../binding/solr/authz/SolrAuthzBinding.java    |   4 +-
 .../sentry/core/common/ActiveRoleSet.java       |  71 +++++++++++
 .../sentry/policy/common/PolicyEngine.java      |   3 +-
 .../sentry/policy/db/SimpleDBPolicyEngine.java  |   5 +-
 .../db/AbstractTestSimplePolicyEngine.java      |  15 +--
 .../policy/db/TestPolicyParsingNegative.java    |  21 ++--
 ...sourceAuthorizationProviderGeneralCases.java |   5 +-
 ...sourceAuthorizationProviderSpecialCases.java |  13 +-
 .../policy/db/TestSimpleDBPolicyEngineDFS.java  |   3 +-
 .../policy/search/SimpleSearchPolicyEngine.java |   5 +-
 .../search/AbstractTestSearchPolicyEngine.java  |   9 +-
 ...SearchAuthorizationProviderGeneralCases.java |   3 +-
 ...SearchAuthorizationProviderSpecialCases.java |   3 +-
 .../policy/search/TestSearchPolicyNegative.java |   7 +-
 .../provider/common/AuthorizationProvider.java  |   7 +-
 .../common/NoAuthorizationProvider.java         |   3 +-
 .../sentry/provider/common/ProviderBackend.java |   3 +-
 .../common/TestNoAuthorizationProvider.java     |   2 +-
 .../file/ResourceAuthorizationProvider.java     |  23 ++--
 .../file/SimpleFileProviderBackend.java         | 119 +++++++++++++-----
 .../provider/file/TestGetGroupMapping.java      |   5 +-
 .../file/TestSimpleFileProvderBackend.java      | 120 +++++++++++++++++++
 23 files changed, 366 insertions(+), 88 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
index 7e8995d..65854c3 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/HiveAuthzBinding.java
@@ -33,6 +33,7 @@ import org.apache.hadoop.hive.ql.session.SessionState;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars;
 import org.apache.sentry.binding.hive.conf.InvalidConfigurationException;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.core.model.db.DBModelAction;
 import org.apache.sentry.core.model.db.DBModelAuthorizable;
@@ -195,7 +196,7 @@ public class HiveAuthzBinding {
         if (requiredInputPrivileges.containsKey(getAuthzType(inputHierarchy))) {
           EnumSet<DBModelAction> inputPrivSet =
             requiredInputPrivileges.get(getAuthzType(inputHierarchy));
-          if (!authProvider.hasAccess(subject, inputHierarchy, inputPrivSet)) {
+          if (!authProvider.hasAccess(subject, inputHierarchy, inputPrivSet, ActiveRoleSet.ALL)) {
             throw new AuthorizationException("User " + subject.getName() +
                 " does not have privileges for " + hiveOp.name());
           }
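Review bot: Both hasAccess call sites in this file pass the constant `ActiveRoleSet.ALL`, so the Hive binding never narrows the check to the roles the session actually has active, and the SolrAuthzBinding hunk hard-codes the same constant. If that is deliberate until a per-session role set is plumbed through, a comment at the first call site such as `// TODO: replace ActiveRoleSet.ALL with the session's active roles once they are available here` would make the intent visible; otherwise a caller-supplied ActiveRoleSet should be threaded into this method instead of the constant. The second hunk in this file (the output-privilege check) has the same shape, and the enclosing method begins and ends outside both hunks.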
@@ -213,7 +214,7 @@ public class HiveAuthzBinding {
         if (requiredOutputPrivileges.containsKey(getAuthzType(outputHierarchy))) {
           EnumSet<DBModelAction> outputPrivSet =
             requiredOutputPrivileges.get(getAuthzType(outputHierarchy));
-          if (!authProvider.hasAccess(subject, outputHierarchy, outputPrivSet)) {
+          if (!authProvider.hasAccess(subject, outputHierarchy, outputPrivSet, ActiveRoleSet.ALL)) {
             throw new AuthorizationException("User " + subject.getName() +
                 " does not have priviliedges for " + hiveOp.name());
           }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
index 6e31f18..9a6e623 100644
--- a/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
+++ b/sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/authz/SolrAuthzBinding.java
@@ -27,6 +27,7 @@ import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.apache.sentry.binding.solr.conf.SolrAuthzConf;
 import org.apache.sentry.binding.solr.conf.SolrAuthzConf.AuthzConfVars;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.core.model.search.Collection;
 import org.apache.sentry.core.model.search.SearchModelAction;
@@ -118,7 +119,8 @@ public class SolrAuthzBinding {
       LOG.debug("Actions: " + actions);
     }
 
-    if (!authProvider.hasAccess(subject, Arrays.asList(new Collection[] {collection}), actions)) {
+    if (!authProvider.hasAccess(subject, Arrays.asList(new Collection[] {collection}), actions,
+        ActiveRoleSet.ALL)) {
       throw new SentrySolrAuthorizationException("User " + subject.getName() +
         " does not have privileges for " + collection.getName());
     }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/ActiveRoleSet.java
----------------------------------------------------------------------
diff --git a/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/ActiveRoleSet.java b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/ActiveRoleSet.java
new file mode 100644
index 0000000..c1f1f66
--- /dev/null
+++ b/sentry-core/sentry-core-common/src/main/java/org/apache/sentry/core/common/ActiveRoleSet.java
@@ -0,0 +1,71 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.core.common;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import com.google.common.collect.ImmutableSet;
+
+/**
+ * Some authorization schemes allow users to select a particular
+ * set of roles they want active at any give time. For example,
+ * SQL systems often all ALL, NONE, or a subset of roles.
+ */
+public class ActiveRoleSet {
+  public static final ActiveRoleSet ALL = new ActiveRoleSet(true);
+  private final boolean allRoles;
+  private final ImmutableSet<String> roles;
+
+  public ActiveRoleSet(boolean allRoles) {
+    this(allRoles, new HashSet<String>());
+  }
+
+  public ActiveRoleSet(Set<String> roles) {
+    this(false, ImmutableSet.copyOf(roles));
+  }
+
+  private ActiveRoleSet(boolean allRoles, Set<String> roles) {
+    this.allRoles = allRoles;
+    ImmutableSet.Builder<String> setBuilder = ImmutableSet.builder();
+    for (String role : roles) {
+      setBuilder.add(role.toLowerCase());
+    }
+    this.roles = setBuilder.build();
+  }
+
+  /**
+   * Returns true if this active role set contains role. This can be the result
+   * of either this role set implying all roles or containing role.
+   * @param role
+   * @return true if this active role set contains role
+   */
+  public boolean containsRole(String role) {
+    return allRoles || roles.contains(role.toLowerCase());
+  }
+
+  @Override
+  public String toString() {
+    StringBuilder builder = new StringBuilder("ActiveRoleSet = [ roles = ");
+    if (allRoles) {
+      builder.append("ALL");
+    } else {
+      builder.append(roles);
+    }
+    return builder.append(" ").toString();
+  }
+}
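Review bot: `role.toLowerCase()` in the private constructor and in `containsRole` uses the JVM default locale, so role-name normalisation depends on the host's locale settings (the Turkish dotless-i case is the classic example) and a role that matches on one host may fail to match on another; use `role.toLowerCase(Locale.ROOT)` in both places and add `import java.util.Locale;`. For a non-ALL set, `containsRole(null)` throws NullPointerException from `role.toLowerCase()` (the `allRoles ||` short-circuit only protects the ALL case); `Objects.requireNonNull(role, "role")` at the top of the method, or an explicit `return false` for null, would make the contract clear. `toString` opens a bracket it never closes (`ActiveRoleSet = [ roles = ALL `); `return builder.append(" ]").toString();` fixes it. The class Javadoc has two typos: "any give time" should read "any given time" and "often all ALL, NONE" should read "often allow ALL, NONE".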

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
index 79c48d4..512e28e 100644
--- a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
+++ b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PolicyEngine.java
@@ -21,6 +21,7 @@ import java.util.Set;
 
 import javax.annotation.concurrent.ThreadSafe;
 
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.SentryConfigurationException;
 
 import com.google.common.collect.ImmutableSet;
@@ -46,7 +47,7 @@ public interface PolicyEngine {
    * @param group name
    * @return non-null immutable set of privileges
    */
-  public ImmutableSet<String> getPrivileges(Set<String> groups)
+  public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet)
       throws SentryConfigurationException;
 
   public void validatePolicy(boolean strictValidation) throws SentryConfigurationException;
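Review bot: The Javadoc above the changed signature still documents only the first parameter (and as `@param group name` rather than `groups`), so the new `roleSet` parameter has no description at the interface that every engine implements. From the `ALL` constant and the call sites I infer it restricts evaluation to the given roles, but the backend change is not in this excerpt; if that reading is right, add `@param roleSet active roles to evaluate privileges against; {@link ActiveRoleSet#ALL} considers every role` and fix the first tag to `@param groups group names`. Whether a null `roleSet` is permitted should be stated here too, since both visible implementations forward it unchecked.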

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
index 7ea5a06..e67daf4 100644
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
+++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
@@ -18,6 +18,7 @@ package org.apache.sentry.policy.db;
 
 import java.util.Set;
 
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.SentryConfigurationException;
 import org.apache.sentry.policy.common.PrivilegeFactory;
 import org.apache.sentry.policy.common.PolicyEngine;
@@ -59,12 +60,12 @@ public class SimpleDBPolicyEngine implements PolicyEngine {
    * {@inheritDoc}
    */
   @Override
-  public ImmutableSet<String> getPrivileges(Set<String> groups)
+  public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet)
       throws SentryConfigurationException {
     if(LOGGER.isDebugEnabled()) {
       LOGGER.debug("Getting permissions for {}", groups);
     }
-    ImmutableSet<String> result = providerBackend.getPrivileges(groups);
+    ImmutableSet<String> result = providerBackend.getPrivileges(groups, roleSet);
     if(LOGGER.isDebugEnabled()) {
       LOGGER.debug("result = " + result);
     }
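Review bot: The debug line at the top of getPrivileges still logs only `groups`, although the result now also depends on `roleSet`; `LOGGER.debug("Getting permissions for {} with {}", groups, roleSet);` keeps the trace complete, since ActiveRoleSet defines a toString. The same applies to the identical hunk in SimpleSearchPolicyEngine. A null `roleSet` is forwarded to the backend unchecked; failing fast with `Objects.requireNonNull(roleSet, "roleSet")` (needs `import java.util.Objects;`) would give a clearer error than a NullPointerException deep in the provider backend. The method's return statement lies past the end of the hunk.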

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
index b4ed2e5..4625d6f 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
@@ -24,6 +24,7 @@ import java.util.TreeSet;
 import junit.framework.Assert;
 
 import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.policy.common.PolicyEngine;
 import org.junit.After;
 import org.junit.AfterClass;
@@ -88,7 +89,7 @@ public abstract class AbstractTestSimplePolicyEngine {
         PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT
         ));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPrivileges(set("manager")))
+        new TreeSet<String>(policy.getPrivileges(set("manager"), ActiveRoleSet.ALL))
         .toString());
   }
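Review bot: Every updated assertion in this file passes `ActiveRoleSet.ALL`, so the engine-level tests changed here never exercise the restrictive path of the new parameter (a role set that excludes a role the group holds); the same holds for the hunks in TestPolicyParsingNegative, TestSimpleDBPolicyEngineDFS, AbstractTestSearchPolicyEngine and both TestResourceAuthorizationProvider classes. The diffstat lists a new TestSimpleFileProvderBackend.java that may cover it, but it is not in this excerpt, so a case such as `policy.getPrivileges(set("manager"), new ActiveRoleSet(Sets.newHashSet("analyst")))` asserting the reduced privilege set would pin the behaviour at the PolicyEngine level as well. The test method begins outside the hunk.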
 
@@ -98,7 +99,7 @@ public abstract class AbstractTestSimplePolicyEngine {
         PERM_SERVER1_CUSTOMERS_SELECT, PERM_SERVER1_ANALYST_ALL,
         PERM_SERVER1_JUNIOR_ANALYST_READ));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPrivileges(set("analyst")))
+        new TreeSet<String>(policy.getPrivileges(set("analyst"), ActiveRoleSet.ALL))
         .toString());
   }
 
@@ -108,7 +109,7 @@ public abstract class AbstractTestSimplePolicyEngine {
         .newHashSet(PERM_SERVER1_JUNIOR_ANALYST_ALL,
             PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPrivileges(set("jranalyst")))
+        new TreeSet<String>(policy.getPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
         .toString());
   }
 
@@ -116,7 +117,7 @@ public abstract class AbstractTestSimplePolicyEngine {
   public void testAdmin() throws Exception {
     Set<String> expected = Sets.newTreeSet(Sets.newHashSet(PERM_SERVER1_ADMIN));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPrivileges(set("admin")))
+        new TreeSet<String>(policy.getPrivileges(set("admin"), ActiveRoleSet.ALL))
         .toString());
   }
 
@@ -126,7 +127,7 @@ public abstract class AbstractTestSimplePolicyEngine {
     Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
         PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPrivileges(set("other_group")))
+        new TreeSet<String>(policy.getPrivileges(set("other_group"), ActiveRoleSet.ALL))
         .toString());
   }
 
@@ -136,7 +137,7 @@ public abstract class AbstractTestSimplePolicyEngine {
         .newHashSet(PERM_SERVER1_JUNIOR_ANALYST_ALL,
             PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPrivileges(set("jranalyst")))
+        new TreeSet<String>(policy.getPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
         .toString());
   }
 
@@ -145,7 +146,7 @@ public abstract class AbstractTestSimplePolicyEngine {
     Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
         PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPrivileges(set("other_group")))
+        new TreeSet<String>(policy.getPrivileges(set("other_group"), ActiveRoleSet.ALL))
         .toString());
   }
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
index 01f428b..e88ae32 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestPolicyParsingNegative.java
@@ -22,6 +22,7 @@ import java.io.IOException;
 import junit.framework.Assert;
 
 import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.policy.common.PolicyEngine;
 import org.apache.sentry.provider.file.PolicyFile;
 import org.junit.After;
@@ -72,7 +73,7 @@ public class TestPolicyParsingNegative {
     append("[roles]", otherPolicyFile);
     append("malicious_role = server=server1->db=customers->table=purchases->action=select", otherPolicyFile);
     PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
-    ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("other_group"));
+    ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
     Assert.assertTrue(permissions.toString(), permissions.isEmpty());
   }
   @Test
@@ -86,21 +87,21 @@ public class TestPolicyParsingNegative {
     policyFile.write(globalPolicyFile);
     policyFile.write(otherPolicyFile);
     policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
-    permissions = policy.getPrivileges(Sets.newHashSet("admin"));
+    permissions = policy.getPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
     Assert.assertEquals(permissions.toString(), "[server=server1]");
     // test to ensure [users] fails parsing of per-db file
     policyFile.addDatabase("other", otherPolicyFile.getPath());
     policyFile.write(globalPolicyFile);
     policyFile.write(otherPolicyFile);
     policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
-    permissions = policy.getPrivileges(Sets.newHashSet("admin"));
+    permissions = policy.getPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
     Assert.assertEquals(permissions.toString(), "[server=server1]");
     // test to ensure [databases] fails parsing of per-db file
     // by removing the user mapping from the per-db policy file
     policyFile.removeGroupsFromUser("admin1", "admin")
       .write(otherPolicyFile);
     policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
-    permissions = policy.getPrivileges(Sets.newHashSet("admin"));
+    permissions = policy.getPrivileges(Sets.newHashSet("admin"), ActiveRoleSet.ALL);
     Assert.assertEquals(permissions.toString(), "[server=server1]");
   }
 
@@ -113,7 +114,7 @@ public class TestPolicyParsingNegative {
     append("[roles]", otherPolicyFile);
     append("malicious_role = server=server1", otherPolicyFile);
     PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
-    ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("other_group"));
+    ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL);
     Assert.assertTrue(permissions.toString(), permissions.isEmpty());
   }
 
@@ -124,7 +125,7 @@ public class TestPolicyParsingNegative {
     append("[roles]", globalPolicyFile);
     append("malicious_role = server=*", globalPolicyFile);
     PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
-    ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("group"));
+    ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
     Assert.assertTrue(permissions.toString(), permissions.isEmpty());
   }
 
@@ -135,7 +136,7 @@ public class TestPolicyParsingNegative {
     append("[roles]", globalPolicyFile);
     append("malicious_role = server=server2", globalPolicyFile);
     PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
-    ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("group"));
+    ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
     Assert.assertTrue(permissions.toString(), permissions.isEmpty());
   }
 
@@ -146,7 +147,7 @@ public class TestPolicyParsingNegative {
     append("[roles]", globalPolicyFile);
     append("malicious_role = *", globalPolicyFile);
     PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
-    ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("group"));
+    ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
     Assert.assertTrue(permissions.toString(), permissions.isEmpty());
   }
 
@@ -184,10 +185,10 @@ public class TestPolicyParsingNegative {
     PolicyEngine policy = new DBPolicyFileBackend("server1", globalPolicyFile.getPath());
 
     // verify that the db1 rule is empty
-    ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("db1_group"));
+    ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("db1_group"), ActiveRoleSet.ALL);
     Assert.assertTrue(permissions.toString(), permissions.isEmpty());
 
-    permissions = policy.getPrivileges(Sets.newHashSet("db2_group"));
+    permissions = policy.getPrivileges(Sets.newHashSet("db2_group"), ActiveRoleSet.ALL);
     Assert.assertEquals(permissions.toString(), 1, permissions.size());
   }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderGeneralCases.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderGeneralCases.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderGeneralCases.java
index e34b3ee..469be14 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderGeneralCases.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderGeneralCases.java
@@ -27,6 +27,7 @@ import junit.framework.Assert;
 
 import org.apache.commons.io.FileUtils;
 import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.core.model.db.AccessConstants;
@@ -111,7 +112,7 @@ public class TestResourceAuthorizationProviderGeneralCases {
       helper.add("authorizables", authzHierarchy).add("Privileges", privileges);
     LOGGER.info("Running with " + helper.toString());
     Assert.assertEquals(helper.toString(), expected,
-        authzProvider.hasAccess(subject, authzHierarchy, privileges));
+        authzProvider.hasAccess(subject, authzHierarchy, privileges, ActiveRoleSet.ALL));
     LOGGER.info("Passed " + helper.toString());
   }
 
@@ -126,7 +127,7 @@ public class TestResourceAuthorizationProviderGeneralCases {
     .add("Table", table).add("Privileges", privileges).add("authzHierarchy", authzHierarchy);
     LOGGER.info("Running with " + helper.toString());
     Assert.assertEquals(helper.toString(), expected,
-        authzProvider.hasAccess(subject, authzHierarchy, privileges));
+        authzProvider.hasAccess(subject, authzHierarchy, privileges, ActiveRoleSet.ALL));
     LOGGER.info("Passed " + helper.toString());
   }
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderSpecialCases.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderSpecialCases.java
index 57f7575..3ae901e 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderSpecialCases.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestResourceAuthorizationProviderSpecialCases.java
@@ -26,6 +26,7 @@ import junit.framework.Assert;
 
 import org.apache.commons.io.FileUtils;
 import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.core.model.db.AccessURI;
@@ -77,7 +78,7 @@ public class TestResourceAuthorizationProviderSpecialCases {
     authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy);
     List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(server1, uri);
     Assert.assertTrue(authorizableHierarchy.toString(),
-        authzProvider.hasAccess(user1, authorizableHierarchy, actions));
+        authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
   }
   @Test
   public void testNonAbolutePath() throws Exception {
@@ -94,25 +95,25 @@ public class TestResourceAuthorizationProviderSpecialCases {
     // positive test
     List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(server1, uri);
     Assert.assertTrue(authorizableHierarchy.toString(),
-        authzProvider.hasAccess(user1, authorizableHierarchy, actions));
+        authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
     // negative tests
     // TODO we should support the case of /path/to/./ but let's to that later
     uri = new AccessURI("file:///path/to/./");
     authorizableHierarchy = ImmutableList.of(server1, uri);
     Assert.assertFalse(authorizableHierarchy.toString(),
-        authzProvider.hasAccess(user1, authorizableHierarchy, actions));
+        authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
     uri = new AccessURI("file:///path/to/../");
     authorizableHierarchy = ImmutableList.of(server1, uri);
     Assert.assertFalse(authorizableHierarchy.toString(),
-        authzProvider.hasAccess(user1, authorizableHierarchy, actions));
+        authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
     uri = new AccessURI("file:///path/to/../../");
     authorizableHierarchy = ImmutableList.of(server1, uri);
     Assert.assertFalse(authorizableHierarchy.toString(),
-        authzProvider.hasAccess(user1, authorizableHierarchy, actions));
+        authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
     uri = new AccessURI("file:///path/to/dir/../../");
     authorizableHierarchy = ImmutableList.of(server1, uri);
     Assert.assertFalse(authorizableHierarchy.toString(),
-        authzProvider.hasAccess(user1, authorizableHierarchy, actions));
+        authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
   }
   @Test(expected=IllegalArgumentException.class)
   public void testInvalidPath() throws Exception {

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java
index f39eacd..08f84a3 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestSimpleDBPolicyEngineDFS.java
@@ -26,6 +26,7 @@ import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.provider.file.PolicyFile;
 import org.apache.sentry.provider.file.PolicyFiles;
 import org.junit.AfterClass;
@@ -107,7 +108,7 @@ public class TestSimpleDBPolicyEngineDFS extends AbstractTestSimplePolicyEngine
     Set<String> dbGroups = Sets.newHashSet();
     dbGroups.add("group1");
     ImmutableSet<String> dbPerms =
-        multiFSEngine.getPrivileges(dbGroups);
+        multiFSEngine.getPrivileges(dbGroups, ActiveRoleSet.ALL);
     Assert.assertEquals("No DB permissions found", 1, dbPerms.size());
   }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
index 3519d05..728e356 100644
--- a/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
+++ b/sentry-policy/sentry-policy-search/src/main/java/org/apache/sentry/policy/search/SimpleSearchPolicyEngine.java
@@ -18,6 +18,7 @@ package org.apache.sentry.policy.search;
 
 import java.util.Set;
 
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.SentryConfigurationException;
 import org.apache.sentry.policy.common.PrivilegeFactory;
 import org.apache.sentry.policy.common.PolicyEngine;
@@ -60,11 +61,11 @@ public class SimpleSearchPolicyEngine implements PolicyEngine {
    * {@inheritDoc}
    */
   @Override
-  public ImmutableSet<String> getPrivileges(Set<String> groups) {
+  public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet) {
     if(LOGGER.isDebugEnabled()) {
       LOGGER.debug("Getting permissions for {}", groups);
     }
-    ImmutableSet<String> result = providerBackend.getPrivileges(groups);
+    ImmutableSet<String> result = providerBackend.getPrivileges(groups, roleSet);
     if(LOGGER.isDebugEnabled()) {
       LOGGER.debug("result = " + result);
     }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/AbstractTestSearchPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/AbstractTestSearchPolicyEngine.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/AbstractTestSearchPolicyEngine.java
index 495ec0d..d1c415b 100644
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/AbstractTestSearchPolicyEngine.java
+++ b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/AbstractTestSearchPolicyEngine.java
@@ -24,6 +24,7 @@ import java.util.TreeSet;
 import junit.framework.Assert;
 
 import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.policy.common.PolicyEngine;
 import org.junit.After;
 import org.junit.AfterClass;
@@ -89,7 +90,7 @@ public abstract class AbstractTestSearchPolicyEngine {
         ANALYST_TMPCOLLECTION_QUERY, JRANALYST_JRANALYST1_ALL,
         JRANALYST_PURCHASES_PARTIAL_QUERY));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPrivileges(set("manager")))
+        new TreeSet<String>(policy.getPrivileges(set("manager"), ActiveRoleSet.ALL))
         .toString());
   }
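Review bot: Every updated call here passes `ActiveRoleSet.ALL` (this hunk, the three that follow in this file, and the hunks in TestSearchAuthorizationProviderGeneralCases, TestSearchAuthorizationProviderSpecialCases and TestSearchPolicyNegative), so the filtering branch that `roleSet.containsRole(...)` introduces in SimpleFileProviderBackend.getPrivileges is never exercised by these suites. A case that activates only one of a group's roles and asserts that the other roles' privileges are absent would pin the new behaviour; the added TestSimpleFileProvderBackend may already do so, but its body is cut off at the end of the page. The enclosing test method starts before this hunk.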
 
@@ -100,7 +101,7 @@ public abstract class AbstractTestSearchPolicyEngine {
         ANALYST_JRANALYST1_ACTION_ALL, ANALYST_TMPCOLLECTION_UPDATE,
         ANALYST_TMPCOLLECTION_QUERY));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPrivileges(set("analyst")))
+        new TreeSet<String>(policy.getPrivileges(set("analyst"), ActiveRoleSet.ALL))
         .toString());
   }
 
@@ -110,7 +111,7 @@ public abstract class AbstractTestSearchPolicyEngine {
         .newHashSet(JRANALYST_JRANALYST1_ALL,
             JRANALYST_PURCHASES_PARTIAL_QUERY));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPrivileges(set("jranalyst")))
+        new TreeSet<String>(policy.getPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
         .toString());
   }
 
@@ -118,7 +119,7 @@ public abstract class AbstractTestSearchPolicyEngine {
   public void testAdmin() throws Exception {
     Set<String> expected = Sets.newTreeSet(Sets.newHashSet(ADMIN_COLLECTION_ALL));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPrivileges(set("admin")))
+        new TreeSet<String>(policy.getPrivileges(set("admin"), ActiveRoleSet.ALL))
         .toString());
   }
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderGeneralCases.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderGeneralCases.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderGeneralCases.java
index cd271a5..6f36243 100644
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderGeneralCases.java
+++ b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderGeneralCases.java
@@ -27,6 +27,7 @@ import junit.framework.Assert;
 
 import org.apache.commons.io.FileUtils;
 import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.core.model.search.Collection;
@@ -116,7 +117,7 @@ public class TestSearchAuthorizationProviderGeneralCases {
       .add("Privileges", privileges).add("authzHierarchy", authzHierarchy);
     LOGGER.info("Running with " + helper.toString());
     Assert.assertEquals(helper.toString(), expected,
-        authzProvider.hasAccess(subject, authzHierarchy, privileges));
+        authzProvider.hasAccess(subject, authzHierarchy, privileges, ActiveRoleSet.ALL));
     LOGGER.info("Passed " + helper.toString());
   }
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderSpecialCases.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderSpecialCases.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderSpecialCases.java
index aa849ef..801a702 100644
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderSpecialCases.java
+++ b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchAuthorizationProviderSpecialCases.java
@@ -26,6 +26,7 @@ import junit.framework.Assert;
 
 import org.apache.commons.io.FileUtils;
 import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.core.model.search.Collection;
@@ -75,7 +76,7 @@ public class TestSearchAuthorizationProviderSpecialCases {
     authzProvider = new LocalGroupResourceAuthorizationProvider(initResource, policy);
     List<? extends Authorizable> authorizableHierarchy = ImmutableList.of(collection1);
     Assert.assertTrue(authorizableHierarchy.toString(),
-        authzProvider.hasAccess(user1, authorizableHierarchy, actions));
+        authzProvider.hasAccess(user1, authorizableHierarchy, actions, ActiveRoleSet.ALL));
   }
 
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyNegative.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyNegative.java b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyNegative.java
index e95aca3..2abe8f2 100644
--- a/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyNegative.java
+++ b/sentry-policy/sentry-policy-search/src/test/java/org/apache/sentry/policy/search/TestSearchPolicyNegative.java
@@ -23,6 +23,7 @@ import java.util.Collections;
 import junit.framework.Assert;
 
 import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.policy.common.PolicyEngine;
 import org.junit.After;
 import org.junit.Before;
@@ -73,7 +74,7 @@ public class TestSearchPolicyNegative {
     append("some_role = collection=c1", otherPolicyFile);
     SearchPolicyFileBackend policy = new SearchPolicyFileBackend(globalPolicyFile.getPath());
     Assert.assertEquals(Collections.emptySet(),
-        policy.getPrivileges(Sets.newHashSet("other_group")));
+        policy.getPrivileges(Sets.newHashSet("other_group"), ActiveRoleSet.ALL));
   }
 
   @Test
@@ -83,7 +84,7 @@ public class TestSearchPolicyNegative {
     append("[roles]", globalPolicyFile);
     append("some_role = action=query", globalPolicyFile);
     PolicyEngine policy = new SearchPolicyFileBackend(globalPolicyFile.getPath());
-    ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("group"));
+    ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("group"), ActiveRoleSet.ALL);
     Assert.assertTrue(permissions.toString(), permissions.isEmpty());
   }
 
@@ -94,7 +95,7 @@ public class TestSearchPolicyNegative {
     append("[roles]", globalPolicyFile);
     append("malicious_role = collection=*", globalPolicyFile);
     PolicyEngine policy = new SearchPolicyFileBackend(globalPolicyFile.getPath());
-    ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("incorrectGroup"));
+    ImmutableSet<String> permissions = policy.getPrivileges(Sets.newHashSet("incorrectGroup"), ActiveRoleSet.ALL);
     Assert.assertTrue(permissions.toString(), permissions.isEmpty());
   }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
index 8dc2f52..cd6f8a1 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
@@ -22,6 +22,7 @@ import java.util.Set;
 import javax.annotation.concurrent.ThreadSafe;
 
 import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.SentryConfigurationException;
 import org.apache.sentry.core.common.Subject;
@@ -36,14 +37,16 @@ public interface AuthorizationProvider {
    * Returns validate subject privileges on given Authorizable object
    *
    * @param subject: UserID to validate privileges
-   * @param authorizableHierarchy : List of object accroding to namespace hierarchy.
+   * @param authorizableHierarchy : List of object according to namespace hierarchy.
    *        eg. Server->Db->Table or Server->Function
    *        The privileges will be validated from the higher to lower scope
    * @param actions : Privileges to validate
+   * @param roleSet : Roles which should be used when obtaining privileges
    * @return
    *        True if the subject is authorized to perform requested action on the given object
    */
-  public boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy, Set<? extends Action> actions);
+  public boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy,
+      Set<? extends Action> actions, ActiveRoleSet roleSet);
 
   /***
    * Get the GroupMappingService used by the AuthorizationProvider
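Review bot: The new `@param roleSet` line does not say whether null is accepted or what `ActiveRoleSet.ALL` means for the check, and the two implementations in this commit already disagree: ResourceAuthorizationProvider rejects null with `Preconditions.checkNotNull`, while TestNoAuthorizationProvider passes `null` through NoAuthorizationProvider unchanged. Since every binding codes against this interface, state the contract here, e.g. `@param roleSet : Roles which should be used when obtaining privileges; must not be null. Pass ActiveRoleSet.ALL to consider every role the subject's groups hold` (assuming that is what ALL denotes, which the ActiveRoleSet source is not on this page to confirm). The ProviderBackend.getPrivileges Javadoc changed further down has no `@param` for roleSet at all and should carry the same sentence.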

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
index 309f270..ed32224 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
@@ -22,6 +22,7 @@ import java.util.List;
 import java.util.Set;
 
 import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.SentryConfigurationException;
 import org.apache.sentry.core.common.Subject;
@@ -31,7 +32,7 @@ public class NoAuthorizationProvider implements AuthorizationProvider {
 
   @Override
   public boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy,
-      Set<? extends Action> actions) {
+      Set<? extends Action> actions, ActiveRoleSet roleSet) {
     return false;
   }
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
index 3582d36..6d6da25 100644
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
+++ b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ProviderBackend.java
@@ -20,6 +20,7 @@ import java.util.Set;
 
 import javax.annotation.concurrent.ThreadSafe;
 
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.SentryConfigurationException;
 
 import com.google.common.collect.ImmutableSet;
@@ -45,7 +46,7 @@ public interface ProviderBackend {
   /**
    * Get the privileges from the backend.
    */
-  public ImmutableSet<String> getPrivileges(Set<String> groups);
+  public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet);
 
   /**
    * If strictValidation is true then an error is thrown for warnings

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
index dbcf05b..fe01b06 100644
--- a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
@@ -29,7 +29,7 @@ public class TestNoAuthorizationProvider {
   @Test
   public void testNoAuthorizationProvider() {
     NoAuthorizationProvider nap = new NoAuthorizationProvider();
-    assertFalse(nap.hasAccess(null, null, null));
+    assertFalse(nap.hasAccess(null, null, null, null));
 
     GroupMappingService gms = nap.getGroupMapping();
     assertEquals(gms.getGroups(null).size(), 0);

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
index 4d8551c..448d7c1 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
@@ -26,6 +26,7 @@ import java.util.List;
 import java.util.Set;
 
 import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.SentryConfigurationException;
 import org.apache.sentry.core.common.Subject;
@@ -74,7 +75,7 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
    */
   @Override
   public boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy,
-      Set<? extends Action> actions) {
+      Set<? extends Action> actions, ActiveRoleSet roleSet) {
     if(LOGGER.isDebugEnabled()) {
       LOGGER.debug("Authorization Request for " + subject + " " +
           authorizableHierarchy + " and " + actions);
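Review bot: The request-level debug line `LOGGER.debug("Authorization Request for " + subject + " " + authorizableHierarchy + " and " + actions);` omits the new `roleSet`, so a denial logged at this level cannot be tied to the active roles that produced it; appending `+ " with roles " + roleSet` keeps the decision inputs in one record. The per-privilege debug line later in the same method does include roleSet, so only this entry is missing it. hasAccess continues past the end of the hunk.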
@@ -84,17 +85,19 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
     Preconditions.checkArgument(!authorizableHierarchy.isEmpty(), "Authorizable cannot be empty");
     Preconditions.checkNotNull(actions, "Actions cannot be null");
     Preconditions.checkArgument(!actions.isEmpty(), "Actions cannot be empty");
-    return doHasAccess(subject, authorizableHierarchy, actions);
+    Preconditions.checkNotNull(roleSet, "ActiveRoleSet cannot be null");
+    return doHasAccess(subject, authorizableHierarchy, actions, roleSet);
   }
 
   private boolean doHasAccess(Subject subject,
-      List<? extends Authorizable> authorizables, Set<? extends Action> actions) {
+      List<? extends Authorizable> authorizables, Set<? extends Action> actions,
+      ActiveRoleSet roleSet) {
     Set<String> groups =  getGroups(subject);
     Set<String> hierarchy = new HashSet<String>();
     for (Authorizable authorizable : authorizables) {
       hierarchy.add(KV_JOINER.join(authorizable.getTypeName(), authorizable.getName()));
     }
-    Iterable<Privilege> privileges = getPermissions(groups);
+    Iterable<Privilege> privileges = getPrivileges(groups, roleSet);
     List<String> requestPrivileges = buildPermissions(authorizables, actions);
     lastFailedPrivileges.get().clear();
 
@@ -105,8 +108,8 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
          */
         boolean result = permission.implies(privilegeFactory.createPrivilege(requestPrivilege));
         if(LOGGER.isDebugEnabled()) {
-          LOGGER.debug("ProviderPrivilege {}, RequestPrivilege {}, result {}",
-              new Object[]{ permission, requestPrivilege, result});
+          LOGGER.debug("ProviderPrivilege {}, RequestPrivilege {}, RoleSet, {}, Result {}",
+              new Object[]{ permission, requestPrivilege, roleSet, result});
         }
         if (result) {
           return true;
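Review bot: The new format string `"ProviderPrivilege {}, RequestPrivilege {}, RoleSet, {}, Result {}"` has a stray comma after `RoleSet`, so the entry reads `RoleSet, <value>` while every other field reads `Name <value>`; change it to `"ProviderPrivilege {}, RequestPrivilege {}, RoleSet {}, Result {}"`. Anything that parses these lines by the `Name value` pattern would otherwise miss the role set. The enclosing loop starts and ends outside the hunk.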
@@ -117,8 +120,8 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
     return false;
   }
 
-  private Iterable<Privilege> getPermissions(Set<String> groups) {
-    return Iterables.transform(policy.getPrivileges(groups),
+  private Iterable<Privilege> getPrivileges(Set<String> groups, ActiveRoleSet roleSet) {
+    return Iterables.transform(policy.getPrivileges(groups, roleSet),
         new Function<String, Privilege>() {
       @Override
       public Privilege apply(String privilege) {
@@ -143,12 +146,12 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
 
   @Override
   public Set<String> listPrivilegesForSubject(Subject subject) throws SentryConfigurationException {
-    return policy.getPrivileges(getGroups(subject));
+    return policy.getPrivileges(getGroups(subject), ActiveRoleSet.ALL);
   }
 
   @Override
   public Set<String> listPrivilegesForGroup(String groupName) throws SentryConfigurationException {
-    return policy.getPrivileges(Sets.newHashSet(groupName));
+    return policy.getPrivileges(Sets.newHashSet(groupName), ActiveRoleSet.ALL);
   }
 
   @Override
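Review bot: `listPrivilegesForSubject` and `listPrivilegesForGroup` now hard-code `ActiveRoleSet.ALL`, so the listing API reports the union over every role a subject's groups hold while `hasAccess` in the same class honours the caller's role set; anyone reconciling a listing against an access decision will see a superset of what was actually granted. Whether that asymmetry is intended cannot be told from the hunk, so a comment on each method such as `// Listing is role-agnostic: reports every privilege reachable through any role, not only the active ones` would record the choice. If listings are meant to reflect the session's active roles instead, the AuthorizationProvider interface would need an overload that takes an ActiveRoleSet.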

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
index f02da69..89a2d31 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
@@ -24,7 +24,7 @@ import static org.apache.sentry.provider.file.PolicyFileConstants.USERS;
 
 import java.io.IOException;
 import java.net.URI;
-import java.util.Collection;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -34,6 +34,7 @@ import javax.annotation.Nullable;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.SentryConfigurationException;
 import org.apache.sentry.policy.common.PrivilegeUtils;
 import org.apache.sentry.policy.common.PrivilegeValidator;
@@ -46,14 +47,17 @@ import org.slf4j.LoggerFactory;
 
 import com.google.common.base.Splitter;
 import com.google.common.base.Strings;
+import com.google.common.collect.HashBasedTable;
 import com.google.common.collect.HashMultimap;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.ImmutableSetMultimap;
+import com.google.common.collect.Interner;
+import com.google.common.collect.Interners;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Multimap;
-import com.google.common.collect.SetMultimap;
 import com.google.common.collect.Sets;
+import com.google.common.collect.Table;
+import com.google.common.collect.Table.Cell;
 
 public class SimpleFileProviderBackend implements ProviderBackend {
 
@@ -65,7 +69,39 @@ public class SimpleFileProviderBackend implements ProviderBackend {
   private final Configuration conf;
   private final List<String> configErrors;
   private final List<String> configWarnings;
-  private final SetMultimap<String, String> groupToPrivilegeMap;
+
+  /**
+   * Sparse table where group is the row key and role is the cell.
+   * The value is the set of privileges located in the cell. For example,
+   * the following table would be generated for a policy where Group 1
+   * has Role 1 and Role 2 while Group 2 has only Role 2.
+   * <table border="1">
+   *  <tbody>
+   *    <tr>
+   *      <td><!-- empty --></td>
+   *      <td>Role 1</td>
+   *      <td>Role 2</td>
+   *    </tr>
+   *    <tr>
+   *      <td>Group 1</td>
+   *      <td>Priv 1</td>
+   *      <td>Priv 2, Priv 3</td>
+   *    </tr>
+   *    <tr>
+   *      <td>Group 2</td>
+   *      <td><!-- empty --></td>
+   *      <td>Priv 2, Priv 3</td>
+   *    </tr>
+   *  </tbody>
+   * </table>
+   */
+  private final Table<String, String, Set<String>> groupRolePrivilegeTable;
+  /**
+   * Each group, role, and privilege in groupRolePrivilegeTable is
+   * interned using a weak interner so that we only store each string
+   * once.
+   */
+  private final Interner<String> stringInterner;
 
   private ImmutableList<PrivilegeValidator> validators;
   private boolean allowPerDatabaseSection;
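Review bot: The Javadoc on `groupRolePrivilegeTable` says `role is the cell`, but in the Table the role is the column key and the cell holds the privilege set, which is exactly what the example table below it shows. Rewrite the opening sentence as `Sparse table where group is the row key, role is the column key and the cell value is the set of privileges the group holds through that role.` so the prose and the example agree. The field declaration itself is fine.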
@@ -82,13 +118,14 @@ public class SimpleFileProviderBackend implements ProviderBackend {
   public SimpleFileProviderBackend(Configuration conf, Path resourcePath) throws IOException {
     this.resourcePath = resourcePath;
     this.fileSystem = resourcePath.getFileSystem(conf);
-    this.groupToPrivilegeMap = HashMultimap.create();
+    this.groupRolePrivilegeTable = HashBasedTable.create();
     this.conf = conf;
     this.configErrors = Lists.newArrayList();
     this.configWarnings = Lists.newArrayList();
     this.validators = ImmutableList.of();
     this.allowPerDatabaseSection = true;
     this.initialized = false;
+    this.stringInterner = Interners.newWeakInterner();
   }
 
   /**
@@ -109,13 +146,18 @@ public class SimpleFileProviderBackend implements ProviderBackend {
    * {@inheritDoc}
    */
   @Override
-  public ImmutableSet<String> getPrivileges(Set<String> groups) {
+  public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet) {
     if (!initialized) {
       throw new IllegalStateException("Backend has not been properly initialized");
     }
     ImmutableSet.Builder<String> resultBuilder = ImmutableSet.builder();
-    for (String group : groups) {
-      resultBuilder.addAll(groupToPrivilegeMap.get(group));
+    for (String groupName : groups) {
+      for (Map.Entry<String, Set<String>> row : groupRolePrivilegeTable.row(groupName)
+          .entrySet()) {
+        if (roleSet.containsRole(row.getKey())) {
+          resultBuilder.addAll(row.getValue());
+        }
+      }
     }
     return resultBuilder.build();
   }
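Review bot: `roleSet.containsRole(row.getKey())` dereferences `roleSet` without a check, so a null role set fails with a bare NullPointerException, and only after the `initialized` test and the first group lookup. ResourceAuthorizationProvider.hasAccess rejects null before reaching this point, but SimpleSearchPolicyEngine (and presumably SimpleDBPolicyEngine) forward their argument to the backend directly, so the guard belongs here as well: `if (roleSet == null) { throw new IllegalArgumentException("roleSet cannot be null"); }` next to the `initialized` check. Preconditions does not appear in this file's visible import block, which is why a plain check is suggested.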
@@ -139,7 +181,7 @@ public class SimpleFileProviderBackend implements ProviderBackend {
   private void parse() {
     configErrors.clear();
     configWarnings.clear();
-    SetMultimap<String, String> groupToPrivilegeMapTemp = HashMultimap.create();
+    Table<String, String, Set<String>> groupRolePrivilegeTableTemp = HashBasedTable.create();
     Ini ini;
     LOGGER.info("Parsing " + resourcePath);
     try {
@@ -165,7 +207,9 @@ public class SimpleFileProviderBackend implements ProviderBackend {
           }
         }
       }
-      groupToPrivilegeMapTemp.putAll(parseIni(null, ini, validators, resourcePath));
+      parseIni(null, ini, validators, resourcePath, groupRolePrivilegeTableTemp);
+      mergeResult(groupRolePrivilegeTableTemp);
+      groupRolePrivilegeTableTemp.clear();
       Ini.Section filesSection = ini.getSection(DATABASES);
       if(filesSection == null) {
         LOGGER.info("Section " + DATABASES + " needs no further processing");
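Review bot: `mergeResult(groupRolePrivilegeTableTemp)` adds cells into the live `groupRolePrivilegeTable`, but nothing in `parse()` removes what was there before: the `groupToPrivilegeMap.clear()` the old code ran before committing is dropped in the later hunk of this method (`@@ -199,8 +243,8 @@`), and `mergeResult` only ever calls `addAll`. If `parse()` can run more than once on the same backend (the visible lines do not show who calls it), a privilege deleted from the policy file survives the re-parse and the intended revocation becomes a no-op. Committing in two steps (global section here, per-db files in that later hunk) also lets a concurrent getPrivileges observe the global grants without the per-db ones, whereas the old code swapped the whole map at the end. Building the full result in the temp table and then clearing and refilling the live table once, as before, keeps both properties.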
@@ -191,7 +235,7 @@ public class SimpleFileProviderBackend implements ProviderBackend {
                   + " section in " + perDbPolicy);
               throw new SentryConfigurationException("Per-db policy files cannot contain " + DATABASES + " section");
             }
-            groupToPrivilegeMapTemp.putAll(parseIni(database, perDbIni, validators, perDbPolicy));
+            parseIni(database, perDbIni, validators, perDbPolicy, groupRolePrivilegeTableTemp);
           } catch (Exception e) {
             configErrors.add("Failed to read per-DB policy file " + perDbPolicy +
                " Error: " + e.getMessage());
@@ -199,8 +243,8 @@ public class SimpleFileProviderBackend implements ProviderBackend {
           }
         }
       }
-      groupToPrivilegeMap.clear();
-      groupToPrivilegeMap.putAll(groupToPrivilegeMapTemp);
+      mergeResult(groupRolePrivilegeTableTemp);
+      groupRolePrivilegeTableTemp.clear();
     } catch (Exception e) {
       configErrors.add("Error processing file " + resourcePath + e.getMessage());
       LOGGER.error("Error processing file, ignoring " + resourcePath, e);
@@ -216,8 +260,22 @@ public class SimpleFileProviderBackend implements ProviderBackend {
     return uri.getAuthority() == null && uri.getScheme() == null && !path.isUriPathAbsolute();
   }
 
-  private ImmutableSetMultimap<String, String> parseIni(String database, Ini ini,
-      List<? extends PrivilegeValidator> validators, Path policyPath) {
+  private void mergeResult(Table<String, String, Set<String>> groupRolePrivilegeTableTemp) {
+    for (Cell<String, String, Set<String>> cell : groupRolePrivilegeTableTemp.cellSet()) {
+      String groupName = cell.getRowKey();
+      String roleName = cell.getColumnKey();
+      Set<String> privileges = groupRolePrivilegeTable.get(groupName, roleName);
+      if (privileges == null) {
+        privileges = new HashSet<>();
+        groupRolePrivilegeTable.put(groupName, roleName, privileges);
+      }
+      privileges.addAll(cell.getValue());
+    }
+  }
+
+  private void parseIni(String database, Ini ini,
+      List<? extends PrivilegeValidator> validators, Path policyPath,
+      Table<String, String, Set<String>> groupRolePrivilegeTable) {
     Ini.Section privilegesSection = ini.getSection(ROLES);
     boolean invalidConfiguration = false;
     if (privilegesSection == null) {
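Review bot: The new `parseIni` parameter `groupRolePrivilegeTable` has the same name as the field that `mergeResult` writes to, so inside `parseIni` and `parsePrivileges` (next hunk) the identifier means the temporary table while a few lines up it means the live one; naming the parameter `groupRolePrivilegeTableTemp`, as `mergeResult` already does, removes the ambiguity. The get-or-create sequence in `mergeResult` (`get`, null test, `new HashSet<>()`, `put`) is repeated verbatim in `parsePrivileges`; a small `privilegesFor(table, group, role)` helper would keep the two in step. `mergeResult` also has no Javadoc; a one-liner such as `/** Adds every (group, role) cell of the temporary table into the live table, unioning with any privileges already present. */` would cover it.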
@@ -234,19 +292,18 @@ public class SimpleFileProviderBackend implements ProviderBackend {
       invalidConfiguration = true;
     }
     if (!invalidConfiguration) {
-      return parsePrivileges(database, privilegesSection, groupsSection, validators, policyPath);
+      parsePrivileges(database, privilegesSection, groupsSection, validators, policyPath,
+          groupRolePrivilegeTable);
     }
-    return ImmutableSetMultimap.of();
   }
 
-  private ImmutableSetMultimap<String, String> parsePrivileges(@Nullable String database,
-      Ini.Section rolesSection, Ini.Section groupsSection, List<? extends PrivilegeValidator> validators,
-      Path policyPath) {
-    ImmutableSetMultimap.Builder<String, String> resultBuilder = ImmutableSetMultimap.builder();
+  private void parsePrivileges(@Nullable String database, Ini.Section rolesSection,
+      Ini.Section groupsSection, List<? extends PrivilegeValidator> validators, Path policyPath,
+      Table<String, String, Set<String>> groupRolePrivilegeTable) {
     Multimap<String, String> roleNameToPrivilegeMap = HashMultimap
         .create();
     for (Map.Entry<String, String> entry : rolesSection.entrySet()) {
-      String roleName = Strings.nullToEmpty(entry.getKey()).trim();
+      String roleName = stringInterner.intern(Strings.nullToEmpty(entry.getKey()).trim());
       String roleValue = Strings.nullToEmpty(entry.getValue()).trim();
       boolean invalidConfiguration = false;
       if (roleName.isEmpty()) {
@@ -268,23 +325,29 @@ public class SimpleFileProviderBackend implements ProviderBackend {
       }
       Set<String> privileges = PrivilegeUtils.toPrivilegeStrings(roleValue);
       if (!invalidConfiguration && privileges != null) {
+        Set<String> internedPrivileges = Sets.newHashSet();
         for(String privilege : privileges) {
           for(PrivilegeValidator validator : validators) {
             validator.validate(new PrivilegeValidatorContext(database, privilege.trim()));
           }
+          internedPrivileges.add(stringInterner.intern(privilege));
         }
-        roleNameToPrivilegeMap.putAll(roleName, privileges);
+        roleNameToPrivilegeMap.putAll(roleName, internedPrivileges);
       }
     }
     Splitter roleSplitter = ROLE_SPLITTER.omitEmptyStrings().trimResults();
     for (Map.Entry<String, String> entry : groupsSection.entrySet()) {
-      String groupName = Strings.nullToEmpty(entry.getKey()).trim();
+      String groupName = stringInterner.intern(Strings.nullToEmpty(entry.getKey()).trim());
       String groupPrivileges = Strings.nullToEmpty(entry.getValue()).trim();
-      Collection<String> resolvedGroupPrivileges = Sets.newHashSet();
       for (String roleName : roleSplitter.split(groupPrivileges)) {
+        roleName = stringInterner.intern(roleName);
         if (roleNameToPrivilegeMap.containsKey(roleName)) {
-          resolvedGroupPrivileges.addAll(roleNameToPrivilegeMap
-              .get(roleName));
+          Set<String> privileges = groupRolePrivilegeTable.get(groupName, roleName);
+          if (privileges == null) {
+            privileges = new HashSet<>();
+            groupRolePrivilegeTable.put(groupName, roleName, privileges);
+          }
+          privileges.addAll(roleNameToPrivilegeMap.get(roleName));
         } else {
           String warnMsg = String.format("Role %s for group %s does not exist in privileges section in %s",
                   roleName, groupName, policyPath);
@@ -292,8 +355,6 @@ public class SimpleFileProviderBackend implements ProviderBackend {
           configWarnings.add(warnMsg);
         }
       }
-      resultBuilder.putAll(groupName, resolvedGroupPrivileges);
     }
-    return resultBuilder.build();
   }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
index 39625f7..d3127d7 100644
--- a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
+++ b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
@@ -21,6 +21,7 @@ import static org.junit.Assert.assertSame;
 import java.util.Set;
 
 import org.apache.sentry.core.common.SentryConfigurationException;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.policy.common.PrivilegeFactory;
 import org.apache.sentry.policy.common.PolicyEngine;
 import org.apache.sentry.provider.common.GroupMappingService;
@@ -47,7 +48,9 @@ public class TestGetGroupMapping {
     PolicyEngine policyEngine = new PolicyEngine() {
       public PrivilegeFactory getPrivilegeFactory() { return null; }
 
-      public ImmutableSet<String> getPrivileges(Set<String> groups) { return null; }
+      public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet) {
+        return ImmutableSet.of();
+      }
 
       public void validatePolicy(boolean strictValidation)
           throws SentryConfigurationException {
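Review bot: The new `getPrivileges(Set<String> groups, ActiveRoleSet roleSet)` override in the anonymous PolicyEngine carries no `@Override`, so the next change to the PolicyEngine interface (exactly what this commit does) would turn a stale stub into a silently non-overriding method plus an abstract-method compile error elsewhere, rather than a pointed error here. Add `@Override` above the method; the same applies to the neighbouring `getPrivilegeFactory` and `validatePolicy` stubs in this anonymous class, whose bodies extend beyond the hunk. Returning `ImmutableSet.of()` instead of `null` is a sound change for a stub, since callers appear to treat the result as a collection.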

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/e18a902d/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestSimpleFileProvderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestSimpleFileProvderBackend.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestSimpleFileProvderBackend.java
new file mode 100644
index 0000000..df5acdc
--- /dev/null
+++ b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestSimpleFileProvderBackend.java
@@ -0,0 +1,120 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.provider.file;
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.fail;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.HashSet;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.provider.common.ProviderBackendContext;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public class TestSimpleFileProvderBackend {
+
+  private static final String resourcePath = "test-authz-provider-local-group-mapping.ini";
+
+  private SimpleFileProviderBackend backend;
+  private ProviderBackendContext context;
+  private File baseDir;
+
+  @Before
+  public void setup() throws IOException {
+    baseDir = Files.createTempDir();
+    PolicyFiles.copyToDir(baseDir, resourcePath);
+    backend = new SimpleFileProviderBackend(new File(baseDir, resourcePath).toString());
+    context = new ProviderBackendContext();
+  }
+
+  @After
+  public void teardown() {
+    if(baseDir != null) {
+      FileUtils.deleteQuietly(baseDir);
+    }
+  }
+
+  @Test
+  public void testInitializeTwice() {
+    backend.initialize(context);
+    try {
+      backend.initialize(context);
+      fail("Expected IllegalStateException on second initialze");
+    } catch (IllegalStateException e) {
+      // expected
+    }
+  }
+
+  @Test(expected = IllegalStateException.class)
+  public void testUninitializeGetPrivileges() {
+    backend.getPrivileges(new HashSet<String>(), ActiveRoleSet.ALL);
+  }
+
+  @Test(expected = IllegalStateException.class)
+  public void testUninitializeValidatePolicy() {
+    backend.validatePolicy(true);
+  }
+
+  @Test
+  public void testRoleSetAll() {
+    backend.initialize(context);
+    assertEquals(Sets.newHashSet("server=server1->db=customers->table=purchases->select",
+        "server=server1->db=analyst1", "server=server1->db=jranalyst1->table=*->select",
+        "server=server1->db=jranalyst1", "server=server1->functions"),
+        backend.getPrivileges(Sets.newHashSet("manager"), ActiveRoleSet.ALL));
+  }
+
+  @Test
+  public void testRoleSetAllUnknownGroup() {
+    backend.initialize(context);
+    assertEquals(Sets.newHashSet(), backend.getPrivileges(Sets.newHashSet("not-a-group"),
+        ActiveRoleSet.ALL));
+  }
+
+  @Test
+  public void testRoleSetNone() {
+    backend.initialize(context);
+    assertEquals(Sets.newHashSet(), backend.getPrivileges(Sets.newHashSet("manager"),
+        new ActiveRoleSet(new HashSet<String>())));
+  }
+
+  @Test
+  public void testRoleSetOne() {
+    backend.initialize(context);
+    assertEquals(Sets.newHashSet("server=server1->functions"),
+        backend.getPrivileges(Sets.newHashSet("manager"),
+            new ActiveRoleSet(Sets.newHashSet("functions"))));
+  }
+
+  @Test
+  public void testRoleSetTwo() {
+    backend.initialize(context);
+    assertEquals(Sets.newHashSet("server=server1->db=jranalyst1",
+        "server=server1->functions"),
+        backend.getPrivileges(Sets.newHashSet("manager"),
+            new ActiveRoleSet(Sets.newHashSet("junior_analyst_role", "functions"))));
+  }
+}
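Review bot: The role-set tests cover "all", "none" and subsets of the roles the `manager` group actually holds, but none checks that an active role the group is not granted yields no privileges — the case where a caller-supplied ActiveRoleSet could widen access instead of narrowing it. If ActiveRoleSet is intended purely as a filter on the group's granted roles (it is not visible here, so confirm against its implementation), a test like the one below pins that down; the role name is a placeholder to be replaced with one the ini defines but does not assign to `manager`. Separately, the `fail` message on `testInitializeTwice` misspells "initialize" (`"Expected IllegalStateException on second initialize"`), and the class/file name `TestSimpleFileProvderBackend` is missing the "i" in "Provider", which will make the test harder to find by name.
```java
  @Test
  public void testRoleSetNotGrantedToGroup() {
    backend.initialize(context);
    // Placeholder role name: substitute a role from the ini that is NOT assigned to "manager".
    assertEquals(Sets.newHashSet(), backend.getPrivileges(Sets.newHashSet("manager"),
        new ActiveRoleSet(Sets.newHashSet("<role-not-assigned-to-manager>"))));
  }
```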

