sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From shreepa...@apache.org
Subject [12/13] SENTRY-143: Merge db_policy_store branch into master (Brock Noland via Shreepadma Venugopalan)
Date Thu, 13 Mar 2014 21:21:27 GMT
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeValidatorContext.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeValidatorContext.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeValidatorContext.java
new file mode 100644
index 0000000..2b7fd1a
--- /dev/null
+++ b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/PrivilegeValidatorContext.java
@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.common;
+
+import javax.annotation.Nullable;
+
+public class PrivilegeValidatorContext {
+  private final String database;
+  private final String privilege;
+  public PrivilegeValidatorContext(String privilege) {
+    this(null, privilege);
+  }
+  public PrivilegeValidatorContext(@Nullable String database, String privilege) {
+    super();
+    this.database = database;
+    this.privilege = privilege;
+  }
+  public @Nullable String getDatabase() {
+    return database;
+  }
+  public String getPrivilege() {
+    return privilege;
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/RoleValidator.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/RoleValidator.java b/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/RoleValidator.java
deleted file mode 100644
index 8390364..0000000
--- a/sentry-policy/sentry-policy-common/src/main/java/org/apache/sentry/policy/common/RoleValidator.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.common;
-
-import javax.annotation.Nullable;
-
-import org.apache.shiro.config.ConfigurationException;
-
-public interface RoleValidator {
-
-  public void validate(@Nullable String database, String role) throws ConfigurationException;
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/AbstractDBPrivilegeValidator.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/AbstractDBPrivilegeValidator.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/AbstractDBPrivilegeValidator.java
new file mode 100644
index 0000000..1b774ee
--- /dev/null
+++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/AbstractDBPrivilegeValidator.java
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.db;
+
+import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_SPLITTER;
+import static org.apache.sentry.provider.file.PolicyFileConstants.PRIVILEGE_PREFIX;
+
+import java.util.List;
+
+import org.apache.sentry.core.model.db.DBModelAuthorizable;
+import org.apache.sentry.policy.common.PrivilegeValidator;
+import org.apache.shiro.config.ConfigurationException;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.collect.Lists;
+
+public abstract class AbstractDBPrivilegeValidator implements PrivilegeValidator {
+
+  @VisibleForTesting
+  public static Iterable<DBModelAuthorizable> parsePrivilege(String string) {
+    List<DBModelAuthorizable> result = Lists.newArrayList();
+    for(String section : AUTHORIZABLE_SPLITTER.split(string)) {
+      // XXX this ugly hack is because action is not an authorizeable
+      if(!section.toLowerCase().startsWith(PRIVILEGE_PREFIX)) {
+        DBModelAuthorizable authorizable = DBModelAuthorizables.from(section);
+        if(authorizable == null) {
+          String msg = "No authorizable found for " + section;
+          throw new ConfigurationException(msg);
+        }
+        result.add(authorizable);
+      }
+    }
+    return result;
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/AbstractDBRoleValidator.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/AbstractDBRoleValidator.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/AbstractDBRoleValidator.java
deleted file mode 100644
index 722a4be..0000000
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/AbstractDBRoleValidator.java
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_SPLITTER;
-import static org.apache.sentry.provider.file.PolicyFileConstants.PRIVILEGE_PREFIX;
-
-import java.util.List;
-
-import org.apache.sentry.policy.common.RoleValidator;
-import org.apache.sentry.core.model.db.DBModelAuthorizable;
-import org.apache.shiro.config.ConfigurationException;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.collect.Lists;
-
-public abstract class AbstractDBRoleValidator implements RoleValidator {
-
-  @VisibleForTesting
-  public static Iterable<DBModelAuthorizable> parseRole(String string) {
-    List<DBModelAuthorizable> result = Lists.newArrayList();
-    for(String section : AUTHORIZABLE_SPLITTER.split(string)) {
-      // XXX this ugly hack is because action is not an authorizeable
-      if(!section.toLowerCase().startsWith(PRIVILEGE_PREFIX)) {
-        DBModelAuthorizable authorizable = DBModelAuthorizables.from(section);
-        if(authorizable == null) {
-          String msg = "No authorizable found for " + section;
-          throw new ConfigurationException(msg);
-        }
-        result.add(authorizable);
-      }
-    }
-    return result;
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
deleted file mode 100644
index 01981d1..0000000
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPermission.java
+++ /dev/null
@@ -1,181 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-// copied from apache shiro
-
-package org.apache.sentry.policy.db;
-
-import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_JOINER;
-import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_SPLITTER;
-
-import java.io.Serializable;
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.util.List;
-
-import org.apache.commons.lang.text.StrSubstitutor;
-import org.apache.sentry.core.common.utils.PathUtils;
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
-import org.apache.sentry.policy.common.PermissionFactory;
-import org.apache.sentry.provider.file.KeyValue;
-import org.apache.sentry.provider.file.PolicyFileConstants;
-import org.apache.shiro.authz.Permission;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Preconditions;
-import com.google.common.base.Strings;
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.Lists;
-
-// XXX this class is made ugly by the fact that Action is not a Authorizable.
-public class DBWildcardPermission implements Permission, Serializable {
-  private static final Logger LOGGER = LoggerFactory
-      .getLogger(DBWildcardPermission.class);
-  private static final long serialVersionUID = -6785051263922740818L;
-
-  private final ImmutableList<KeyValue> parts;
-
-  public DBWildcardPermission(String wildcardString) {
-    wildcardString = Strings.nullToEmpty(wildcardString).trim();
-    if (wildcardString.isEmpty()) {
-      throw new IllegalArgumentException("Wildcard string cannot be null or empty.");
-    }
-    List<KeyValue>parts = Lists.newArrayList();
-    for (String authorizable : AUTHORIZABLE_SPLITTER.trimResults().split(wildcardString)) {
-      if (authorizable.isEmpty()) {
-        throw new IllegalArgumentException("Privilege '" + wildcardString + "' has an empty section");
-      }
-      parts.add(new KeyValue(authorizable));
-    }
-    if (parts.isEmpty()) {
-      throw new AssertionError("Should never occur: " + wildcardString);
-    }
-    this.parts = ImmutableList.copyOf(parts);
-  }
-
-
-  @Override
-  public boolean implies(Permission p) {
-    // By default only supports comparisons with other DBWildcardPermissions
-    if (!(p instanceof DBWildcardPermission)) {
-      return false;
-    }
-
-    DBWildcardPermission wp = (DBWildcardPermission) p;
-
-    List<KeyValue> otherParts = wp.parts;
-    if(equals(wp)) {
-      return true;
-    }
-    int index = 0;
-    for (KeyValue otherPart : otherParts) {
-      // If this permission has less parts than the other permission, everything
-      // after the number of parts contained
-      // in this permission is automatically implied, so return true
-      if (parts.size() - 1 < index) {
-        return true;
-      } else {
-        KeyValue part = parts.get(index);
-        // are the keys even equal
-        if(!part.getKey().equalsIgnoreCase(otherPart.getKey())) {
-          return false;
-        }
-        if (!impliesKeyValue(part, otherPart)) {
-          return false;
-        }
-        index++;
-      }
-    }
-    // If this permission has more parts than
-    // the other parts, only imply it if
-    // all of the other parts are wildcards
-    for (; index < parts.size(); index++) {
-      KeyValue part = parts.get(index);
-      if (!part.getValue().equals(AccessConstants.ALL)) {
-        return false;
-      }
-    }
-
-    return true;
-  }
-
-  private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) {
-    Preconditions.checkState(policyPart.getKey().equalsIgnoreCase(requestPart.getKey()),
-        "Please report, this method should not be called with two different keys");
-    if(policyPart.getValue().equals(AccessConstants.ALL) || policyPart.equals(requestPart)) {
-      return true;
-    } else if (!PolicyFileConstants.PRIVILEGE_NAME.equalsIgnoreCase(policyPart.getKey())
-        && AccessConstants.ALL.equalsIgnoreCase(requestPart.getValue())) {
-      /* permission request is to match with any object of given type */
-      return true;
-    } else if(policyPart.getKey().equalsIgnoreCase(AuthorizableType.URI.name())) {
-      return impliesURI(policyPart.getValue(), requestPart.getValue());
-    }
-    return false;
-  }
-
-  @VisibleForTesting
-  protected static boolean impliesURI(String privilege, String request) {
-    try {
-    URI privilegeURI = new URI(new StrSubstitutor(System.getProperties()).replace(privilege));
-    URI requestURI = new URI(request);
-    if(privilegeURI.getScheme() == null || privilegeURI.getPath() == null) {
-      LOGGER.warn("Privilege URI " + request + " is not valid. Either no scheme or no path.");
-      return false;
-    }
-    if(requestURI.getScheme() == null || requestURI.getPath() == null) {
-      LOGGER.warn("Request URI " + request + " is not valid. Either no scheme or no path.");
-      return false;
-    }
-      return PathUtils.impliesURI(privilegeURI, requestURI);
-    } catch (URISyntaxException e) {
-      LOGGER.warn("Request URI " + request + " is not a URI", e);
-      return false;
-    }
-  }
-
-  @Override
-  public String toString() {
-    return AUTHORIZABLE_JOINER.join(parts);
-  }
-
-  @Override
-  public boolean equals(Object o) {
-    if (o instanceof DBWildcardPermission) {
-      DBWildcardPermission wp = (DBWildcardPermission) o;
-      return parts.equals(wp.parts);
-    }
-    return false;
-  }
-
-  @Override
-  public int hashCode() {
-    return parts.hashCode();
-  }
-
-  public static class DBWildcardPermissionFactory implements PermissionFactory {
-    @Override
-    public Permission createPermission(String permission) {
-      return new DBWildcardPermission(permission);
-    }
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPrivilege.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPrivilege.java
new file mode 100644
index 0000000..cab1234
--- /dev/null
+++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DBWildcardPrivilege.java
@@ -0,0 +1,179 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+// copied from apache shiro
+
+package org.apache.sentry.policy.db;
+
+import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_JOINER;
+import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_SPLITTER;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.List;
+
+import org.apache.commons.lang.text.StrSubstitutor;
+import org.apache.sentry.core.common.utils.PathUtils;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
+import org.apache.sentry.policy.common.PrivilegeFactory;
+import org.apache.sentry.policy.common.Privilege;
+import org.apache.sentry.provider.file.KeyValue;
+import org.apache.sentry.provider.file.PolicyFileConstants;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Preconditions;
+import com.google.common.base.Strings;
+import com.google.common.collect.ImmutableList;
+import com.google.common.collect.Lists;
+
+// XXX this class is made ugly by the fact that Action is not a Authorizable.
+public class DBWildcardPrivilege implements Privilege {
+  private static final Logger LOGGER = LoggerFactory
+      .getLogger(DBWildcardPrivilege.class);
+
+  private final ImmutableList<KeyValue> parts;
+
+  public DBWildcardPrivilege(String wildcardString) {
+    wildcardString = Strings.nullToEmpty(wildcardString).trim();
+    if (wildcardString.isEmpty()) {
+      throw new IllegalArgumentException("Wildcard string cannot be null or empty.");
+    }
+    List<KeyValue>parts = Lists.newArrayList();
+    for (String authorizable : AUTHORIZABLE_SPLITTER.trimResults().split(wildcardString)) {
+      if (authorizable.isEmpty()) {
+        throw new IllegalArgumentException("Privilege '" + wildcardString + "' has an empty section");
+      }
+      parts.add(new KeyValue(authorizable));
+    }
+    if (parts.isEmpty()) {
+      throw new AssertionError("Should never occur: " + wildcardString);
+    }
+    this.parts = ImmutableList.copyOf(parts);
+  }
+
+
+  @Override
+  public boolean implies(Privilege p) {
+    // By default only supports comparisons with other DBWildcardPermissions
+    if (!(p instanceof DBWildcardPrivilege)) {
+      return false;
+    }
+
+    DBWildcardPrivilege wp = (DBWildcardPrivilege) p;
+
+    List<KeyValue> otherParts = wp.parts;
+    if(equals(wp)) {
+      return true;
+    }
+    int index = 0;
+    for (KeyValue otherPart : otherParts) {
+      // If this privilege has less parts than the other privilege, everything
+      // after the number of parts contained
+      // in this privilege is automatically implied, so return true
+      if (parts.size() - 1 < index) {
+        return true;
+      } else {
+        KeyValue part = parts.get(index);
+        // are the keys even equal
+        if(!part.getKey().equalsIgnoreCase(otherPart.getKey())) {
+          return false;
+        }
+        if (!impliesKeyValue(part, otherPart)) {
+          return false;
+        }
+        index++;
+      }
+    }
+    // If this privilege has more parts than
+    // the other parts, only imply it if
+    // all of the other parts are wildcards
+    for (; index < parts.size(); index++) {
+      KeyValue part = parts.get(index);
+      if (!part.getValue().equals(AccessConstants.ALL)) {
+        return false;
+      }
+    }
+
+    return true;
+  }
+
+  private boolean impliesKeyValue(KeyValue policyPart, KeyValue requestPart) {
+    Preconditions.checkState(policyPart.getKey().equalsIgnoreCase(requestPart.getKey()),
+        "Please report, this method should not be called with two different keys");
+    if(policyPart.getValue().equals(AccessConstants.ALL) || policyPart.equals(requestPart)) {
+      return true;
+    } else if (!PolicyFileConstants.PRIVILEGE_NAME.equalsIgnoreCase(policyPart.getKey())
+        && AccessConstants.ALL.equalsIgnoreCase(requestPart.getValue())) {
+      /* privilege request is to match with any object of given type */
+      return true;
+    } else if(policyPart.getKey().equalsIgnoreCase(AuthorizableType.URI.name())) {
+      return impliesURI(policyPart.getValue(), requestPart.getValue());
+    }
+    return false;
+  }
+
+  @VisibleForTesting
+  protected static boolean impliesURI(String privilege, String request) {
+    try {
+    URI privilegeURI = new URI(new StrSubstitutor(System.getProperties()).replace(privilege));
+    URI requestURI = new URI(request);
+    if(privilegeURI.getScheme() == null || privilegeURI.getPath() == null) {
+      LOGGER.warn("Privilege URI " + request + " is not valid. Either no scheme or no path.");
+      return false;
+    }
+    if(requestURI.getScheme() == null || requestURI.getPath() == null) {
+      LOGGER.warn("Request URI " + request + " is not valid. Either no scheme or no path.");
+      return false;
+    }
+      return PathUtils.impliesURI(privilegeURI, requestURI);
+    } catch (URISyntaxException e) {
+      LOGGER.warn("Request URI " + request + " is not a URI", e);
+      return false;
+    }
+  }
+
+  @Override
+  public String toString() {
+    return AUTHORIZABLE_JOINER.join(parts);
+  }
+
+  @Override
+  public boolean equals(Object o) {
+    if (o instanceof DBWildcardPrivilege) {
+      DBWildcardPrivilege wp = (DBWildcardPrivilege) o;
+      return parts.equals(wp.parts);
+    }
+    return false;
+  }
+
+  @Override
+  public int hashCode() {
+    return parts.hashCode();
+  }
+
+  public static class DBWildcardPrivilegeFactory implements PrivilegeFactory {
+    @Override
+    public Privilege createPrivilege(String privilege) {
+      return new DBWildcardPrivilege(privilege);
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseMustMatch.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseMustMatch.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseMustMatch.java
index a7c2091..d280c41 100644
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseMustMatch.java
+++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseMustMatch.java
@@ -18,21 +18,24 @@ package org.apache.sentry.policy.db;
 
 import org.apache.sentry.core.model.db.DBModelAuthorizable;
 import org.apache.sentry.core.model.db.Database;
+import org.apache.sentry.policy.common.PrivilegeValidatorContext;
 import org.apache.shiro.config.ConfigurationException;
 
-public class DatabaseMustMatch extends AbstractDBRoleValidator {
+public class DatabaseMustMatch extends AbstractDBPrivilegeValidator {
 
   @Override
-  public void validate(String database, String role) throws ConfigurationException {
+  public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
+    String database = context.getDatabase();
+    String privilege = context.getPrivilege();
     /*
      *  Rule only applies to rules in per database policy file
      */
     if(database != null) {
-      Iterable<DBModelAuthorizable> authorizables = parseRole(role);
+      Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege);
       for(DBModelAuthorizable authorizable : authorizables) {
         if(authorizable instanceof Database &&
             !database.equalsIgnoreCase(authorizable.getName())) {
-          String msg = "Role " + role + " references db " +
+          String msg = "Privilege " + privilege + " references db " +
               authorizable.getName() + ", but is only allowed to reference "
               + database;
           throw new ConfigurationException(msg);

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInPrivilege.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInPrivilege.java
new file mode 100644
index 0000000..e89aa16
--- /dev/null
+++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInPrivilege.java
@@ -0,0 +1,71 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.policy.db;
+
+import org.apache.sentry.core.model.db.AccessURI;
+import org.apache.sentry.core.model.db.DBModelAuthorizable;
+import org.apache.sentry.core.model.db.Database;
+import org.apache.sentry.policy.common.PrivilegeValidatorContext;
+import org.apache.shiro.config.ConfigurationException;
+
+public class DatabaseRequiredInPrivilege extends AbstractDBPrivilegeValidator {
+
+  @Override
+  public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
+    String database = context.getDatabase();
+    String privilege = context.getPrivilege();
+    /*
+     *  Rule only applies to rules in per database policy file
+     */
+    if(database != null) {
+      Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege);
+      /*
+       * Each permission in a non-global file must have a database
+       * object except for URIs.
+       *
+       * We allow URIs to be specified in the per DB policy file for
+       * ease of mangeability. URIs will contain to remain server scope
+       * objects.
+       */
+      boolean foundDatabaseInAuthorizables = false;
+      boolean foundURIInAuthorizables = false;
+      boolean allowURIInAuthorizables = false;
+
+      if ("true".equalsIgnoreCase(
+          System.getProperty(SimpleDBPolicyEngine.ACCESS_ALLOW_URI_PER_DB_POLICYFILE))) {
+        allowURIInAuthorizables = true;
+      }
+
+      for(DBModelAuthorizable authorizable : authorizables) {
+        if(authorizable instanceof Database) {
+          foundDatabaseInAuthorizables = true;
+        }
+        if (authorizable instanceof AccessURI) {
+          if (foundDatabaseInAuthorizables) {
+            String msg = "URI object is specified at DB scope in " + privilege;
+            throw new ConfigurationException(msg);
+          }
+          foundURIInAuthorizables = true;
+        }
+      }
+      if(!foundDatabaseInAuthorizables && !(foundURIInAuthorizables && allowURIInAuthorizables)) {
+        String msg = "Missing database object in " + privilege;
+        throw new ConfigurationException(msg);
+      }
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInRole.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInRole.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInRole.java
deleted file mode 100644
index 48b36a6..0000000
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/DatabaseRequiredInRole.java
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.policy.db;
-
-import javax.annotation.Nullable;
-
-import org.apache.sentry.core.model.db.AccessURI;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.core.model.db.DBModelAuthorizable;
-import org.apache.shiro.config.ConfigurationException;
-
-public class DatabaseRequiredInRole extends AbstractDBRoleValidator {
-
-  @Override
-  public void validate(@Nullable String database, String role) throws ConfigurationException {
-    /*
-     *  Rule only applies to rules in per database policy file
-     */
-    if(database != null) {
-      Iterable<DBModelAuthorizable> authorizables = parseRole(role);
-      /*
-       * Each permission in a non-global file must have a database
-       * object except for URIs.
-       *
-       * We allow URIs to be specified in the per DB policy file for
-       * ease of mangeability. URIs will contain to remain server scope
-       * objects.
-       */
-      boolean foundDatabaseInAuthorizables = false;
-      boolean foundURIInAuthorizables = false;
-      boolean allowURIInAuthorizables = false;
-
-      if ("true".equalsIgnoreCase(
-          System.getProperty(SimpleDBPolicyEngine.ACCESS_ALLOW_URI_PER_DB_POLICYFILE))) {
-        allowURIInAuthorizables = true;
-      }
-
-      for(DBModelAuthorizable authorizable : authorizables) {
-        if(authorizable instanceof Database) {
-          foundDatabaseInAuthorizables = true;
-        }
-        if (authorizable instanceof AccessURI) {
-          if (foundDatabaseInAuthorizables) {
-            String msg = "URI object is specified at DB scope in " + role;
-            throw new ConfigurationException(msg);
-          }
-          foundURIInAuthorizables = true;
-        }
-      }
-      if(!foundDatabaseInAuthorizables && !(foundURIInAuthorizables && allowURIInAuthorizables)) {
-        String msg = "Missing database object in " + role;
-        throw new ConfigurationException(msg);
-      }
-    }
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java
index 8ddf1dd..1848a32 100644
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java
+++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServerNameMustMatch.java
@@ -16,25 +16,25 @@
  */
 package org.apache.sentry.policy.db;
 
-import javax.annotation.Nullable;
-
 import org.apache.sentry.core.model.db.DBModelAuthorizable;
 import org.apache.sentry.core.model.db.Server;
+import org.apache.sentry.policy.common.PrivilegeValidatorContext;
 import org.apache.shiro.config.ConfigurationException;
 
-public class ServerNameMustMatch extends AbstractDBRoleValidator {
+public class ServerNameMustMatch extends AbstractDBPrivilegeValidator {
 
   private final String serverName;
   public ServerNameMustMatch(String serverName) {
     this.serverName = serverName;
   }
   @Override
-  public void validate(@Nullable String database, String role) throws ConfigurationException {
-    Iterable<DBModelAuthorizable> authorizables = parseRole(role);
+  public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
+    String privilege = context.getPrivilege();
+    Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege);
     for(DBModelAuthorizable authorizable : authorizables) {
       if(authorizable instanceof Server && !serverName.equalsIgnoreCase(authorizable.getName())) {
         String msg = "Server name " + authorizable.getName() + " in "
-      + role + " is invalid. Expected " + serverName;
+            + privilege + " is invalid. Expected " + serverName;
         throw new ConfigurationException(msg);
       }
     }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServersAllIsInvalid.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServersAllIsInvalid.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServersAllIsInvalid.java
index 9445b0b..b729ec3 100644
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServersAllIsInvalid.java
+++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/ServersAllIsInvalid.java
@@ -16,21 +16,21 @@
  */
 package org.apache.sentry.policy.db;
 
-import javax.annotation.Nullable;
-
 import org.apache.sentry.core.model.db.DBModelAuthorizable;
 import org.apache.sentry.core.model.db.Server;
+import org.apache.sentry.policy.common.PrivilegeValidatorContext;
 import org.apache.shiro.config.ConfigurationException;
 
-public class ServersAllIsInvalid extends AbstractDBRoleValidator {
+public class ServersAllIsInvalid extends AbstractDBPrivilegeValidator {
 
   @Override
-  public void validate(@Nullable String database, String role) throws ConfigurationException {
-    Iterable<DBModelAuthorizable> authorizables = parseRole(role);
+  public void validate(PrivilegeValidatorContext context) throws ConfigurationException {
+    String privilege = context.getPrivilege();
+    Iterable<DBModelAuthorizable> authorizables = parsePrivilege(privilege);
     for(DBModelAuthorizable authorizable : authorizables) {
       if(authorizable instanceof Server &&
           authorizable.getName().equals(Server.ALL.getName())) {
-        String msg = "Invalid value for " + authorizable.getAuthzType() + " in " + role;
+        String msg = "Invalid value for " + authorizable.getAuthzType() + " in " + privilege;
         throw new ConfigurationException(msg);
       }
     }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
index 1d01b47..e67daf4 100644
--- a/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
+++ b/sentry-policy/sentry-policy-db/src/main/java/org/apache/sentry/policy/db/SimpleDBPolicyEngine.java
@@ -16,33 +16,20 @@
  */
 package org.apache.sentry.policy.db;
 
-import javax.annotation.Nullable;
+import java.util.Set;
 
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map.Entry;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.fs.Path;
-import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.SentryConfigurationException;
-import org.apache.sentry.core.model.db.AccessURI;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.policy.common.PermissionFactory;
+import org.apache.sentry.policy.common.PrivilegeFactory;
 import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.policy.common.RoleValidator;
+import org.apache.sentry.policy.common.PrivilegeValidator;
 import org.apache.sentry.provider.common.ProviderBackend;
-import org.apache.sentry.provider.common.Roles;
-import org.apache.sentry.provider.file.SimpleFileProviderBackend;
+import org.apache.sentry.provider.common.ProviderBackendContext;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.ImmutableSetMultimap;
-import com.google.common.collect.Lists;
 
 public class SimpleDBPolicyEngine implements PolicyEngine {
 
@@ -51,119 +38,47 @@ public class SimpleDBPolicyEngine implements PolicyEngine {
 
   public final static String ACCESS_ALLOW_URI_PER_DB_POLICYFILE = "sentry.allow.uri.db.policyfile";
 
-  private ProviderBackend providerBackend;
-  private String serverName;
-  private List<? extends RoleValidator> validators;
+  private final ProviderBackend providerBackend;
 
   public SimpleDBPolicyEngine(String serverName, ProviderBackend providerBackend) {
-    validators = Lists.newArrayList(new ServersAllIsInvalid(), new DatabaseMustMatch(),
-          new DatabaseRequiredInRole(), new ServerNameMustMatch(serverName));
     this.providerBackend = providerBackend;
-    this.providerBackend.process(validators);
-    this.serverName = serverName;
+    ProviderBackendContext context = new ProviderBackendContext();
+    context.setAllowPerDatabase(true);
+    context.setValidators(createPrivilegeValidators(serverName));
+    this.providerBackend.initialize(context);
   }
 
   /**
    * {@inheritDoc}
    */
   @Override
-  public PermissionFactory getPermissionFactory() {
-    return new DBWildcardPermission.DBWildcardPermissionFactory();
+  public PrivilegeFactory getPrivilegeFactory() {
+    return new DBWildcardPrivilege.DBWildcardPrivilegeFactory();
   }
 
   /**
    * {@inheritDoc}
    */
   @Override
-  public ImmutableSetMultimap<String, String> getPermissions(
-      List<? extends Authorizable> authorizables, List<String> groups)
+  public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet)
       throws SentryConfigurationException {
-    String database = null;
-    Boolean isURI = false;
-    for(Authorizable authorizable : authorizables) {
-      if(authorizable instanceof Database) {
-        database = authorizable.getName();
-      }
-      if (authorizable instanceof AccessURI) {
-        isURI = true;
-      }
-    }
-
     if(LOGGER.isDebugEnabled()) {
-      LOGGER.debug("Getting permissions for {} via {}", groups, database);
+      LOGGER.debug("Getting permissions for {}", groups);
     }
-    ImmutableSetMultimap.Builder<String, String> resultBuilder = ImmutableSetMultimap.builder();
-    for(String group : groups) {
-      resultBuilder.putAll(group, getDBRoles(database, group, isURI, providerBackend.getRoles()));
-    }
-    ImmutableSetMultimap<String, String> result = resultBuilder.build();
+    ImmutableSet<String> result = providerBackend.getPrivileges(groups, roleSet);
     if(LOGGER.isDebugEnabled()) {
       LOGGER.debug("result = " + result);
     }
     return result;
   }
 
-  private ImmutableSet<String> getDBRoles(@Nullable String database,
-      String group, Boolean isURI, Roles roles) {
-    ImmutableSetMultimap<String, String> globalRoles = roles.getGlobalRoles();
-    ImmutableMap<String, ImmutableSetMultimap<String, String>> perDatabaseRoles = roles.getPerDatabaseRoles();
-    ImmutableSet.Builder<String> resultBuilder = ImmutableSet.builder();
-    String allowURIPerDbFile =
-        System.getProperty(SimpleDBPolicyEngine.ACCESS_ALLOW_URI_PER_DB_POLICYFILE);
-    Boolean consultPerDbRolesForURI = isURI && ("true".equalsIgnoreCase(allowURIPerDbFile));
-
-    // handle Database.ALL
-    if (Database.ALL.getName().equals(database)) {
-      for(Entry<String, ImmutableSetMultimap<String, String>> dbListEntry : perDatabaseRoles.entrySet()) {
-        if (dbListEntry.getValue().containsKey(group)) {
-          resultBuilder.addAll(dbListEntry.getValue().get(group));
-        }
-      }
-    } else if(database != null) {
-      ImmutableSetMultimap<String, String> dbPolicies =  perDatabaseRoles.get(database);
-      if(dbPolicies != null && dbPolicies.containsKey(group)) {
-        resultBuilder.addAll(dbPolicies.get(group));
-      }
-    }
-
-    if (consultPerDbRolesForURI) {
-      for(String db : perDatabaseRoles.keySet()) {
-        ImmutableSetMultimap<String, String> dbPolicies =  perDatabaseRoles.get(db);
-        if(dbPolicies != null && dbPolicies.containsKey(group)) {
-          resultBuilder.addAll(dbPolicies.get(group));
-        }
-      }
-    }
-
-    if(globalRoles.containsKey(group)) {
-      resultBuilder.addAll(globalRoles.get(group));
-    }
-    ImmutableSet<String> result = resultBuilder.build();
-    if(LOGGER.isDebugEnabled()) {
-      LOGGER.debug("Database {}, Group {}, Result {}",
-          new Object[]{ database, group, result});
-    }
-    return result;
-  }
-
   @Override
   public void validatePolicy(boolean strictValidation) throws SentryConfigurationException {
-    this.providerBackend.validatePolicy(validators, strictValidation);
+    this.providerBackend.validatePolicy(strictValidation);
   }
 
-  @Override
-  public ImmutableSet<String> listPermissions(String groupName) throws SentryConfigurationException {
-    return getDBRoles(Database.ALL.getName(), groupName, true, providerBackend.getRoles());
+  public static ImmutableList<PrivilegeValidator> createPrivilegeValidators(String serverName) {
+    return ImmutableList.<PrivilegeValidator>of(new ServersAllIsInvalid(), new DatabaseMustMatch(),
+        new DatabaseRequiredInPrivilege(), new ServerNameMustMatch(serverName));
   }
-
-  @Override
-  public ImmutableSet<String> listPermissions(List<String> groupNames)
-      throws SentryConfigurationException {
-    ImmutableSet.Builder<String> resultBuilder = ImmutableSet.builder();
-    for (String groupName : groupNames) {
-      resultBuilder.addAll(listPermissions(groupName));
-    }
-    return resultBuilder.build();
-  }
-
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
index 89ca737..4625d6f 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/AbstractTestSimplePolicyEngine.java
@@ -18,15 +18,13 @@ package org.apache.sentry.policy.db;
 
 import java.io.File;
 import java.io.IOException;
-import java.util.List;
 import java.util.Set;
 import java.util.TreeSet;
 
 import junit.framework.Assert;
 
 import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.model.db.Database;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.policy.common.PolicyEngine;
 import org.junit.After;
 import org.junit.AfterClass;
@@ -34,7 +32,6 @@ import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
 
-import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
 import com.google.common.io.Files;
 
@@ -49,7 +46,6 @@ public abstract class AbstractTestSimplePolicyEngine {
   private static final String PERM_SERVER1_ADMIN = "server=server1";
   private PolicyEngine policy;
   private static File baseDir;
-  private List<Authorizable> authorizables = Lists.newArrayList();
 
   @BeforeClass
   public static void setupClazz() throws IOException {
@@ -93,7 +89,7 @@ public abstract class AbstractTestSimplePolicyEngine {
         PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT
         ));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPermissions(authorizables, list("manager")).values())
+        new TreeSet<String>(policy.getPrivileges(set("manager"), ActiveRoleSet.ALL))
         .toString());
   }
 
@@ -103,7 +99,7 @@ public abstract class AbstractTestSimplePolicyEngine {
         PERM_SERVER1_CUSTOMERS_SELECT, PERM_SERVER1_ANALYST_ALL,
         PERM_SERVER1_JUNIOR_ANALYST_READ));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPermissions(authorizables, list("analyst")).values())
+        new TreeSet<String>(policy.getPrivileges(set("analyst"), ActiveRoleSet.ALL))
         .toString());
   }
 
@@ -113,7 +109,7 @@ public abstract class AbstractTestSimplePolicyEngine {
         .newHashSet(PERM_SERVER1_JUNIOR_ANALYST_ALL,
             PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPermissions(authorizables, list("jranalyst")).values())
+        new TreeSet<String>(policy.getPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
         .toString());
   }
 
@@ -121,43 +117,40 @@ public abstract class AbstractTestSimplePolicyEngine {
   public void testAdmin() throws Exception {
     Set<String> expected = Sets.newTreeSet(Sets.newHashSet(PERM_SERVER1_ADMIN));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPermissions(authorizables, list("admin")).values())
+        new TreeSet<String>(policy.getPrivileges(set("admin"), ActiveRoleSet.ALL))
         .toString());
   }
 
 
   @Test
   public void testOtherGroup() throws Exception {
-    authorizables.add(new Database("other_group_db"));
     Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
         PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPermissions(authorizables, list("other_group")).values())
+        new TreeSet<String>(policy.getPrivileges(set("other_group"), ActiveRoleSet.ALL))
         .toString());
   }
 
   @Test
   public void testDbAll() throws Exception {
-    authorizables.add(new Database(Database.ALL.getName()));
     Set<String> expected = Sets.newTreeSet(Sets
         .newHashSet(PERM_SERVER1_JUNIOR_ANALYST_ALL,
             PERM_SERVER1_CUSTOMERS_DB_CUSTOMERS_PARTIAL_SELECT));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPermissions(authorizables, list("jranalyst")).values())
+        new TreeSet<String>(policy.getPrivileges(set("jranalyst"), ActiveRoleSet.ALL))
         .toString());
   }
 
   @Test
   public void testDbAllforOtherGroup() throws Exception {
-    authorizables.add(new Database(Database.ALL.getName()));
     Set<String> expected = Sets.newTreeSet(Sets.newHashSet(
         PERM_SERVER1_OTHER_GROUP_DB_CUSTOMERS_SELECT));
     Assert.assertEquals(expected.toString(),
-        new TreeSet<String>(policy.getPermissions(authorizables, list("other_group")).values())
+        new TreeSet<String>(policy.getPrivileges(set("other_group"), ActiveRoleSet.ALL))
         .toString());
   }
 
-  private static List<String> list(String... values) {
-    return Lists.newArrayList(values);
+  private static Set<String> set(String... values) {
+    return Sets.newHashSet(values);
   }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyFileBackend.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyFileBackend.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyFileBackend.java
index d8d68b7..661deff 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyFileBackend.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/DBPolicyFileBackend.java
@@ -17,10 +17,11 @@
 package org.apache.sentry.policy.db;
 
 import java.io.IOException;
+
 import org.apache.sentry.provider.file.SimpleFileProviderBackend;
 
 public class DBPolicyFileBackend extends SimpleDBPolicyEngine {
-  public DBPolicyFileBackend(String resource, String server) throws IOException{
+  public DBPolicyFileBackend(String server, String resource) throws IOException{
     super(server, new SimpleFileProviderBackend(resource));
   }
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
index 23b03d4..70f5e79 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBModelAuthorizables.java
@@ -20,13 +20,11 @@ package org.apache.sentry.policy.db;
 import static junit.framework.Assert.assertEquals;
 import static junit.framework.Assert.assertNull;
 
-
 import org.apache.sentry.core.model.db.AccessURI;
 import org.apache.sentry.core.model.db.Database;
 import org.apache.sentry.core.model.db.Server;
 import org.apache.sentry.core.model.db.Table;
 import org.apache.sentry.core.model.db.View;
-import org.apache.sentry.policy.db.DBModelAuthorizables;
 import org.junit.Test;
 
 public class TestDBModelAuthorizables {

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
deleted file mode 100644
index 2024cd8..0000000
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPermission.java
+++ /dev/null
@@ -1,286 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.sentry.policy.db;
-import static junit.framework.Assert.assertEquals;
-import static junit.framework.Assert.assertFalse;
-import static junit.framework.Assert.assertTrue;
-import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_JOINER;
-import static org.apache.sentry.provider.file.PolicyFileConstants.KV_JOINER;
-import static org.apache.sentry.provider.file.PolicyFileConstants.KV_SEPARATOR;
-
-import org.apache.sentry.core.model.db.AccessConstants;
-import org.apache.sentry.provider.file.KeyValue;
-import org.apache.shiro.authz.Permission;
-import org.junit.Test;
-
-public class TestDBWildcardPermission {
-
-  private static final String ALL = AccessConstants.ALL;
-
-  private static final Permission ROLE_SERVER_SERVER1_DB_ALL =
-      create(new KeyValue("server", "server1"), new KeyValue("db", ALL));
-  private static final Permission ROLE_SERVER_SERVER1_DB_DB1 =
-      create(new KeyValue("server", "server1"), new KeyValue("db", "db1"));
-  private static final Permission ROLE_SERVER_SERVER2_DB_ALL =
-      create(new KeyValue("server", "server2"), new KeyValue("db", ALL));
-  private static final Permission ROLE_SERVER_SERVER2_DB_DB1 =
-      create(new KeyValue("server", "server2"), new KeyValue("db", "db1"));
-  private static final Permission ROLE_SERVER_ALL_DB_ALL =
-      create(new KeyValue("server", ALL), new KeyValue("db", ALL));
-  private static final Permission ROLE_SERVER_ALL_DB_DB1 =
-      create(new KeyValue("server", ALL), new KeyValue("db", "db1"));
-
-  private static final Permission ROLE_SERVER_SERVER1_URI_URI1 =
-      create(new KeyValue("server", "server1"), new KeyValue("uri",
-          "hdfs://namenode:8020/path/to/uri1"));
-  private static final Permission ROLE_SERVER_SERVER1_URI_URI2 =
-      create(new KeyValue("server", "server1"), new KeyValue("uri",
-          "hdfs://namenode:8020/path/to/uri2/"));
-  private static final Permission ROLE_SERVER_SERVER1_URI_ALL =
-      create(new KeyValue("server", "server1"), new KeyValue("uri", ALL));
-
-
-  private static final Permission ROLE_SERVER_SERVER1 =
-      create(new KeyValue("server", "server1"));
-
-
-  private static final Permission REQUEST_SERVER1_DB1 =
-      create(new KeyValue("server", "server1"), new KeyValue("db", "db1"));
-  private static final Permission REQUEST_SERVER2_DB1 =
-      create(new KeyValue("server", "server2"), new KeyValue("db", "db1"));
-  private static final Permission REQUEST_SERVER1_DB2 =
-      create(new KeyValue("server", "server1"), new KeyValue("db", "db2"));
-  private static final Permission REQUEST_SERVER2_DB2 =
-      create(new KeyValue("server", "server2"), new KeyValue("db", "db2"));
-
-  private static final Permission REQUEST_SERVER1_URI1 =
-      create(new KeyValue("server", "server1"), new KeyValue("uri",
-          "hdfs://namenode:8020/path/to/uri1/some/file"));
-  private static final Permission REQUEST_SERVER1_URI2 =
-      create(new KeyValue("server", "server1"), new KeyValue("uri",
-          "hdfs://namenode:8020/path/to/uri2/some/other/file"));
-
-  private static final Permission REQUEST_SERVER1_OTHER =
-      create(new KeyValue("server", "server2"), new KeyValue("other", "thing"));
-
-  private static final Permission REQUEST_SERVER1 =
-      create(new KeyValue("server", "server2"));
-
-  @Test
-  public void testOther() throws Exception {
-    assertFalse(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_OTHER));
-    assertFalse(REQUEST_SERVER1_OTHER.implies(ROLE_SERVER_ALL_DB_ALL));
-  }
-  @Test
-  public void testRoleShorterThanRequest() throws Exception {
-    assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB1));
-    assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB2));
-    assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB1));
-    assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB2));
-
-    assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1));
-    assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1));
-  }
-  @Test
-  public void testRolesAndRequests() throws Exception {
-    // ROLE_SERVER_SERVER1_DB_ALL
-    assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB1));
-    assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB1));
-    assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB2));
-    assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB2));
-
-    // test inverse
-    assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL));
-    assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL));
-    assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL));
-    assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL));
-
-    // ROLE_SERVER_SERVER1_DB_DB1
-    assertTrue(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB1));
-    assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB1));
-    assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB2));
-    assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB2));
-
-    // test inverse
-    assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1));
-    assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1));
-    assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1));
-    assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1));
-
-    // ROLE_SERVER_SERVER2_DB_ALL
-    assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB1));
-    assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB1));
-    assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB2));
-    assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB2));
-
-    // test inverse
-    assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL));
-    assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL));
-    assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL));
-    assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL));
-
-    // ROLE_SERVER_SERVER2_DB_DB1
-    assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB1));
-    assertTrue(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB1));
-    assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB2));
-    assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB2));
-
-    assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1));
-    assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1));
-    assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1));
-    assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1));
-
-    // ROLE_SERVER_ALL_DB_ALL
-    assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB1));
-    assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB1));
-    assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB2));
-    assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB2));
-
-    // test inverse
-    assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_ALL));
-    assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_ALL));
-    assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_ALL));
-    assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_ALL));
-
-    // ROLE_SERVER_ALL_DB_DB1
-    assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB1));
-    assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB1));
-    assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB2));
-    assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB2));
-
-    // test inverse
-    assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_DB1));
-    assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_DB1));
-    assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_DB1));
-    assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_DB1));
-
-    // uri
-    assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI1));
-    assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
-    assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
-    assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI1));
-    assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI2));
-    assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
-    assertTrue(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI1));
-    assertFalse(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI2));
-    assertTrue(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI2));
-    assertFalse(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI1));
-    assertFalse(REQUEST_SERVER2_DB2.implies(REQUEST_SERVER1_URI1));
-    assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_URI1));
-    // test inverse
-    assertTrue(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_ALL));
-    assertTrue(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_ALL));
-    assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1));
-    assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI1));
-    assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI1));
-    assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI2));
-    assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI2));
-  };
-  @Test
-  public void testUnexpected() throws Exception {
-    Permission p = new Permission() {
-      @Override
-      public boolean implies(Permission p) {
-        return false;
-      }
-    };
-    assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(null));
-    assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(p));
-    assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(null));
-    assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(p));
-
-    assertEquals(ROLE_SERVER_SERVER1_DB_ALL.hashCode(),
-        create(ROLE_SERVER_SERVER1_DB_ALL.toString()).hashCode());
-  }
-  @Test(expected=IllegalArgumentException.class)
-  public void testNullString() throws Exception {
-    System.out.println(create((String)null));
-  }
-  @Test(expected=IllegalArgumentException.class)
-  public void testEmptyString() throws Exception {
-    System.out.println(create(""));
-  }
-  @Test(expected=IllegalArgumentException.class)
-  public void testEmptyKey() throws Exception {
-    System.out.println(create(KV_JOINER.join("", "db1")));
-  }
-  @Test(expected=IllegalArgumentException.class)
-  public void testEmptyValue() throws Exception {
-    System.out.println(create(KV_JOINER.join("db", "")));
-  }
-  @Test(expected=IllegalArgumentException.class)
-  public void testEmptyPart() throws Exception {
-    System.out.println(create(AUTHORIZABLE_JOINER.
-        join(KV_JOINER.join("server", "server1"), "")));
-  }
-  @Test(expected=IllegalArgumentException.class)
-  public void testOnlySeperators() throws Exception {
-    System.out.println(create(AUTHORIZABLE_JOINER.
-        join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR)));
-  }
-  @Test
-  public void testImpliesURIPositive() throws Exception {
-    assertTrue(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path",
-        "hdfs://namenode:8020/path/to/some/dir"));
-    assertTrue(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path",
-        "hdfs://namenode:8020/path"));
-    assertTrue(DBWildcardPermission.impliesURI("file:///path",
-        "file:///path/to/some/dir"));
-    assertTrue(DBWildcardPermission.impliesURI("file:///path",
-        "file:///path"));
-  }
-  @Test
-  public void testImpliesURINegative() throws Exception {
-    // relative path
-    assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path",
-        "hdfs://namenode:8020/path/to/../../other"));
-    assertFalse(DBWildcardPermission.impliesURI("file:///path",
-        "file:///path/to/../../other"));
-    // bad policy
-    assertFalse(DBWildcardPermission.impliesURI("blah",
-        "hdfs://namenode:8020/path/to/some/dir"));
-    // bad request
-    assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path",
-        "blah"));
-    // scheme
-    assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path",
-        "file:///path/to/some/dir"));
-    assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path",
-        "file://namenode:8020/path/to/some/dir"));
-    // hostname
-    assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode1:8020/path",
-        "hdfs://namenode2:8020/path/to/some/dir"));
-    // port
-    assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path",
-        "hdfs://namenode:8021/path/to/some/dir"));
-    // mangled path
-    assertFalse(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path",
-        "hdfs://namenode:8020/pathFooBar"));
-    // ends in /
-    assertTrue(DBWildcardPermission.impliesURI("hdfs://namenode:8020/path/",
-        "hdfs://namenode:8020/path/FooBar"));
-  }
-  static DBWildcardPermission create(KeyValue... keyValues) {
-    return create(AUTHORIZABLE_JOINER.join(keyValues));
-
-  }
-  static DBWildcardPermission create(String s) {
-    return new DBWildcardPermission(s);
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java
new file mode 100644
index 0000000..f4862e0
--- /dev/null
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDBWildcardPrivilege.java
@@ -0,0 +1,286 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.policy.db;
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.assertFalse;
+import static junit.framework.Assert.assertTrue;
+import static org.apache.sentry.provider.file.PolicyFileConstants.AUTHORIZABLE_JOINER;
+import static org.apache.sentry.provider.file.PolicyFileConstants.KV_JOINER;
+import static org.apache.sentry.provider.file.PolicyFileConstants.KV_SEPARATOR;
+
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.policy.common.Privilege;
+import org.apache.sentry.provider.file.KeyValue;
+import org.junit.Test;
+
+public class TestDBWildcardPrivilege {
+
+  private static final String ALL = AccessConstants.ALL;
+
+  private static final Privilege ROLE_SERVER_SERVER1_DB_ALL =
+      create(new KeyValue("server", "server1"), new KeyValue("db", ALL));
+  private static final Privilege ROLE_SERVER_SERVER1_DB_DB1 =
+      create(new KeyValue("server", "server1"), new KeyValue("db", "db1"));
+  private static final Privilege ROLE_SERVER_SERVER2_DB_ALL =
+      create(new KeyValue("server", "server2"), new KeyValue("db", ALL));
+  private static final Privilege ROLE_SERVER_SERVER2_DB_DB1 =
+      create(new KeyValue("server", "server2"), new KeyValue("db", "db1"));
+  private static final Privilege ROLE_SERVER_ALL_DB_ALL =
+      create(new KeyValue("server", ALL), new KeyValue("db", ALL));
+  private static final Privilege ROLE_SERVER_ALL_DB_DB1 =
+      create(new KeyValue("server", ALL), new KeyValue("db", "db1"));
+
+  private static final Privilege ROLE_SERVER_SERVER1_URI_URI1 =
+      create(new KeyValue("server", "server1"), new KeyValue("uri",
+          "hdfs://namenode:8020/path/to/uri1"));
+  private static final Privilege ROLE_SERVER_SERVER1_URI_URI2 =
+      create(new KeyValue("server", "server1"), new KeyValue("uri",
+          "hdfs://namenode:8020/path/to/uri2/"));
+  private static final Privilege ROLE_SERVER_SERVER1_URI_ALL =
+      create(new KeyValue("server", "server1"), new KeyValue("uri", ALL));
+
+
+  private static final Privilege ROLE_SERVER_SERVER1 =
+      create(new KeyValue("server", "server1"));
+
+
+  private static final Privilege REQUEST_SERVER1_DB1 =
+      create(new KeyValue("server", "server1"), new KeyValue("db", "db1"));
+  private static final Privilege REQUEST_SERVER2_DB1 =
+      create(new KeyValue("server", "server2"), new KeyValue("db", "db1"));
+  private static final Privilege REQUEST_SERVER1_DB2 =
+      create(new KeyValue("server", "server1"), new KeyValue("db", "db2"));
+  private static final Privilege REQUEST_SERVER2_DB2 =
+      create(new KeyValue("server", "server2"), new KeyValue("db", "db2"));
+
+  private static final Privilege REQUEST_SERVER1_URI1 =
+      create(new KeyValue("server", "server1"), new KeyValue("uri",
+          "hdfs://namenode:8020/path/to/uri1/some/file"));
+  private static final Privilege REQUEST_SERVER1_URI2 =
+      create(new KeyValue("server", "server1"), new KeyValue("uri",
+          "hdfs://namenode:8020/path/to/uri2/some/other/file"));
+
+  private static final Privilege REQUEST_SERVER1_OTHER =
+      create(new KeyValue("server", "server2"), new KeyValue("other", "thing"));
+
+  private static final Privilege REQUEST_SERVER1 =
+      create(new KeyValue("server", "server2"));
+
+  @Test
+  public void testOther() throws Exception {
+    assertFalse(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_OTHER));
+    assertFalse(REQUEST_SERVER1_OTHER.implies(ROLE_SERVER_ALL_DB_ALL));
+  }
+  @Test
+  public void testRoleShorterThanRequest() throws Exception {
+    assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB1));
+    assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_DB2));
+    assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB1));
+    assertFalse(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER2_DB2));
+
+    assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1));
+    assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1));
+  }
+  @Test
+  public void testRolesAndRequests() throws Exception {
+    // ROLE_SERVER_SERVER1_DB_ALL
+    assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB1));
+    assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB1));
+    assertTrue(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER1_DB2));
+    assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(REQUEST_SERVER2_DB2));
+
+    // test inverse
+    assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL));
+    assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_ALL));
+    assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL));
+    assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_ALL));
+
+    // ROLE_SERVER_SERVER1_DB_DB1
+    assertTrue(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB1));
+    assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB1));
+    assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER1_DB2));
+    assertFalse(ROLE_SERVER_SERVER1_DB_DB1.implies(REQUEST_SERVER2_DB2));
+
+    // test inverse
+    assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1));
+    assertFalse(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER1_DB_DB1));
+    assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1));
+    assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER1_DB_DB1));
+
+    // ROLE_SERVER_SERVER2_DB_ALL
+    assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB1));
+    assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB1));
+    assertFalse(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER1_DB2));
+    assertTrue(ROLE_SERVER_SERVER2_DB_ALL.implies(REQUEST_SERVER2_DB2));
+
+    // test inverse
+    assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL));
+    assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_ALL));
+    assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL));
+    assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_ALL));
+
+    // ROLE_SERVER_SERVER2_DB_DB1
+    assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB1));
+    assertTrue(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB1));
+    assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER1_DB2));
+    assertFalse(ROLE_SERVER_SERVER2_DB_DB1.implies(REQUEST_SERVER2_DB2));
+
+    assertFalse(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1));
+    assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_SERVER2_DB_DB1));
+    assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1));
+    assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_SERVER2_DB_DB1));
+
+    // ROLE_SERVER_ALL_DB_ALL
+    assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB1));
+    assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB1));
+    assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER1_DB2));
+    assertTrue(ROLE_SERVER_ALL_DB_ALL.implies(REQUEST_SERVER2_DB2));
+
+    // test inverse
+    assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_ALL));
+    assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_ALL));
+    assertTrue(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_ALL));
+    assertTrue(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_ALL));
+
+    // ROLE_SERVER_ALL_DB_DB1
+    assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB1));
+    assertTrue(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB1));
+    assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_DB2));
+    assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER2_DB2));
+
+    // test inverse
+    assertTrue(REQUEST_SERVER1_DB1.implies(ROLE_SERVER_ALL_DB_DB1));
+    assertTrue(REQUEST_SERVER2_DB1.implies(ROLE_SERVER_ALL_DB_DB1));
+    assertFalse(REQUEST_SERVER1_DB2.implies(ROLE_SERVER_ALL_DB_DB1));
+    assertFalse(REQUEST_SERVER2_DB2.implies(ROLE_SERVER_ALL_DB_DB1));
+
+    // uri
+    assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI1));
+    assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
+    assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
+    assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI1));
+    assertTrue(ROLE_SERVER_SERVER1_URI_ALL.implies(REQUEST_SERVER1_URI2));
+    assertTrue(ROLE_SERVER_SERVER1.implies(REQUEST_SERVER1_URI2));
+    assertTrue(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI1));
+    assertFalse(ROLE_SERVER_SERVER1_URI_URI1.implies(REQUEST_SERVER1_URI2));
+    assertTrue(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI2));
+    assertFalse(ROLE_SERVER_SERVER1_URI_URI2.implies(REQUEST_SERVER1_URI1));
+    assertFalse(REQUEST_SERVER2_DB2.implies(REQUEST_SERVER1_URI1));
+    assertFalse(ROLE_SERVER_ALL_DB_DB1.implies(REQUEST_SERVER1_URI1));
+    // test inverse
+    assertTrue(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_ALL));
+    assertTrue(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_ALL));
+    assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1));
+    assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI1));
+    assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI1));
+    assertFalse(REQUEST_SERVER1_URI2.implies(ROLE_SERVER_SERVER1_URI_URI2));
+    assertFalse(REQUEST_SERVER1_URI1.implies(ROLE_SERVER_SERVER1_URI_URI2));
+  };
+  @Test
+  public void testUnexpected() throws Exception {
+    Privilege p = new Privilege() {
+      @Override
+      public boolean implies(Privilege p) {
+        return false;
+      }
+    };
+    assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(null));
+    assertFalse(ROLE_SERVER_SERVER1_DB_ALL.implies(p));
+    assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(null));
+    assertFalse(ROLE_SERVER_SERVER1_DB_ALL.equals(p));
+
+    assertEquals(ROLE_SERVER_SERVER1_DB_ALL.hashCode(),
+        create(ROLE_SERVER_SERVER1_DB_ALL.toString()).hashCode());
+  }
+  @Test(expected=IllegalArgumentException.class)
+  public void testNullString() throws Exception {
+    System.out.println(create((String)null));
+  }
+  @Test(expected=IllegalArgumentException.class)
+  public void testEmptyString() throws Exception {
+    System.out.println(create(""));
+  }
+  @Test(expected=IllegalArgumentException.class)
+  public void testEmptyKey() throws Exception {
+    System.out.println(create(KV_JOINER.join("", "db1")));
+  }
+  @Test(expected=IllegalArgumentException.class)
+  public void testEmptyValue() throws Exception {
+    System.out.println(create(KV_JOINER.join("db", "")));
+  }
+  @Test(expected=IllegalArgumentException.class)
+  public void testEmptyPart() throws Exception {
+    System.out.println(create(AUTHORIZABLE_JOINER.
+        join(KV_JOINER.join("server", "server1"), "")));
+  }
+  @Test(expected=IllegalArgumentException.class)
+  public void testOnlySeperators() throws Exception {
+    System.out.println(create(AUTHORIZABLE_JOINER.
+        join(KV_SEPARATOR, KV_SEPARATOR, KV_SEPARATOR)));
+  }
+  @Test
+  public void testImpliesURIPositive() throws Exception {
+    assertTrue(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
+        "hdfs://namenode:8020/path/to/some/dir"));
+    assertTrue(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
+        "hdfs://namenode:8020/path"));
+    assertTrue(DBWildcardPrivilege.impliesURI("file:///path",
+        "file:///path/to/some/dir"));
+    assertTrue(DBWildcardPrivilege.impliesURI("file:///path",
+        "file:///path"));
+  }
+  @Test
+  public void testImpliesURINegative() throws Exception {
+    // relative path
+    assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
+        "hdfs://namenode:8020/path/to/../../other"));
+    assertFalse(DBWildcardPrivilege.impliesURI("file:///path",
+        "file:///path/to/../../other"));
+    // bad policy
+    assertFalse(DBWildcardPrivilege.impliesURI("blah",
+        "hdfs://namenode:8020/path/to/some/dir"));
+    // bad request
+    assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
+        "blah"));
+    // scheme
+    assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
+        "file:///path/to/some/dir"));
+    assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
+        "file://namenode:8020/path/to/some/dir"));
+    // hostname
+    assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode1:8020/path",
+        "hdfs://namenode2:8020/path/to/some/dir"));
+    // port
+    assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
+        "hdfs://namenode:8021/path/to/some/dir"));
+    // mangled path
+    assertFalse(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path",
+        "hdfs://namenode:8020/pathFooBar"));
+    // ends in /
+    assertTrue(DBWildcardPrivilege.impliesURI("hdfs://namenode:8020/path/",
+        "hdfs://namenode:8020/path/FooBar"));
+  }
+  static DBWildcardPrivilege create(KeyValue... keyValues) {
+    return create(AUTHORIZABLE_JOINER.join(keyValues));
+
+  }
+  static DBWildcardPrivilege create(String s) {
+    return new DBWildcardPrivilege(s);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java
index 948b7ac..f9b00b4 100644
--- a/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java
+++ b/sentry-policy/sentry-policy-db/src/test/java/org/apache/sentry/policy/db/TestDatabaseRequiredInRole.java
@@ -20,6 +20,7 @@ package org.apache.sentry.policy.db;
 
 import junit.framework.Assert;
 
+import org.apache.sentry.policy.common.PrivilegeValidatorContext;
 import org.apache.shiro.config.ConfigurationException;
 import org.junit.Test;
 
@@ -27,19 +28,19 @@ public class TestDatabaseRequiredInRole {
 
   @Test
   public void testURIInPerDbPolicyFile() throws Exception {
-    DatabaseRequiredInRole dbRequiredInRole = new DatabaseRequiredInRole();
+    DatabaseRequiredInPrivilege dbRequiredInRole = new DatabaseRequiredInPrivilege();
     System.setProperty("sentry.allow.uri.db.policyfile", "true");
-    dbRequiredInRole.validate("db1",
-      "server=server1->URI=file:///user/db/warehouse/tab1");
+    dbRequiredInRole.validate(new PrivilegeValidatorContext("db1",
+      "server=server1->URI=file:///user/db/warehouse/tab1"));
     System.setProperty("sentry.allow.uri.db.policyfile", "false");
   }
 
   @Test
   public void testURIWithDBInPerDbPolicyFile() throws Exception {
-    DatabaseRequiredInRole dbRequiredInRole = new DatabaseRequiredInRole();
+    DatabaseRequiredInPrivilege dbRequiredInRole = new DatabaseRequiredInPrivilege();
     try {
-      dbRequiredInRole.validate("db1",
-        "server=server1->db=db1->URI=file:///user/db/warehouse/tab1");
+      dbRequiredInRole.validate(new PrivilegeValidatorContext("db1",
+        "server=server1->db=db1->URI=file:///user/db/warehouse/tab1"));
       Assert.fail("Expected ConfigurationException");
     } catch (ConfigurationException e) {
       ;


Mime
View raw message