sentry-commits mailing list archives

From shreepa...@apache.org
Subject [01/13] SENTRY-143: Merge db_policy_store branch into master (Brock Noland via Shreepadma Venugopalan)
Date Thu, 13 Mar 2014 21:21:16 GMT
Repository: incubator-sentry
Updated Branches:
  refs/heads/master 0341d51b9 -> 644e8be34


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
new file mode 100644
index 0000000..db76aa8
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
@@ -0,0 +1,172 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.service.thrift;
+import java.io.File;
+import java.security.PrivilegedExceptionAction;
+import java.util.HashSet;
+import java.util.concurrent.TimeoutException;
+
+import javax.security.auth.Subject;
+import javax.security.auth.kerberos.KerberosPrincipal;
+import javax.security.auth.login.LoginContext;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.minikdc.KerberosSecurityTestcase;
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Strings;
+import com.google.common.collect.Sets;
+
+public abstract class SentryServiceIntegrationBase extends KerberosSecurityTestcase {
+  private static final Logger LOGGER = LoggerFactory.getLogger(SentryServiceIntegrationBase.class);
+
+  static {
+    if (System.getProperty("sun.security.krb5.debug", "").trim().isEmpty()) {
+      System.setProperty("sun.security.krb5.debug", String.valueOf("true"));
+    }
+  }
+
+  protected static final String SERVER_HOST = "localhost";
+  protected static final String REALM = "EXAMPLE.COM";
+  protected static final String SERVER_PRINCIPAL = "sentry/" + SERVER_HOST;
+  protected static final String SERVER_KERBEROS_NAME = "sentry/" + SERVER_HOST + "@" + REALM;
+  protected static final String CLIENT_PRINCIPAL = "hive/" + SERVER_HOST;
+  protected static final String CLIENT_KERBEROS_NAME = "hive/" + SERVER_HOST + "@" + REALM;
+
+  protected SentryService server;
+  protected SentryPolicyServiceClient client;
+  protected MiniKdc kdc;
+  protected File kdcWorkDir;
+  protected File serverKeytab;
+  protected File clientKeytab;
+  protected Subject clientSubject;
+  protected LoginContext clientLoginContext;
+  protected final Configuration conf = new Configuration(false);
+
+  @Before
+  public void setup() throws Exception {
+    beforeSetup();
+    setupConf();
+    startSentryService();
+    connectToSentryService();
+    afterSetup();
+  }
+
+  public void startSentryService() throws Exception {
+    server.start();
+    final long start = System.currentTimeMillis();
+    while(!server.isRunning()) {
+      Thread.sleep(1000);
+      if(System.currentTimeMillis() - start > 60000L) {
+        throw new TimeoutException("Server did not start after 60 seconds");
+      }
+    }
+  }
+
+  public void setupConf() throws Exception {
+    kdc = getKdc();
+    kdcWorkDir = getWorkDir();
+    serverKeytab = new File(kdcWorkDir, "server.keytab");
+    clientKeytab = new File(kdcWorkDir, "client.keytab");
+    kdc.createPrincipal(serverKeytab, SERVER_PRINCIPAL);
+    kdc.createPrincipal(clientKeytab, CLIENT_PRINCIPAL);
+
+    conf.set(ServerConfig.PRINCIPAL, SERVER_KERBEROS_NAME);
+    conf.set(ServerConfig.KEY_TAB, serverKeytab.getPath());
+    conf.set(ServerConfig.RPC_ADDRESS, SERVER_HOST);
+    conf.set(ServerConfig.RPC_PORT, String.valueOf(0));
+    conf.set(ServerConfig.ALLOW_CONNECT, CLIENT_KERBEROS_NAME);
+    server = new SentryServiceFactory().create(conf);
+    conf.set(ClientConfig.SERVER_RPC_ADDRESS, server.getAddress().getHostString());
+    conf.set(ClientConfig.SERVER_RPC_PORT, String.valueOf(server.getAddress().getPort()));
+  }
+
+  public void connectToSentryService() throws Exception {
+    // The client should already be logged in when running in hive/impala/solr
+    // therefore we must manually login in the integration tests
+    clientSubject = new Subject(false, Sets.newHashSet(
+                                  new KerberosPrincipal(CLIENT_KERBEROS_NAME)), new HashSet<Object>(),
+                                new HashSet<Object>());
+    clientLoginContext = new LoginContext("", clientSubject, null,
+                                          KerberosConfiguration.createClientConfig(CLIENT_KERBEROS_NAME, clientKeytab));
+    clientLoginContext.login();
+    clientSubject = clientLoginContext.getSubject();
+    client = Subject.doAs(clientSubject, new PrivilegedExceptionAction<SentryPolicyServiceClient>() {
+      @Override
+      public SentryPolicyServiceClient run() throws Exception {
+        return new SentryServiceClientFactory().create(conf);
+      }
+    });
+  }
+
+  @After
+  public void tearDown() throws Exception {
+    beforeTeardown();
+    if(client != null) {
+      client.close();
+    }
+    if(clientLoginContext != null) {
+      try {
+        clientLoginContext.logout();
+      } catch (Exception e) {
+        LOGGER.warn("Error logging client out", e);
+      }
+    }
+    if(server != null) {
+      server.stop();
+    }
+    afterTeardown();
+  }
+
+  public void beforeSetup() throws Exception {
+
+  }
+  public void afterSetup() throws Exception {
+
+  }
+  public void beforeTeardown() throws Exception {
+
+  }
+  public void afterTeardown() throws Exception {
+
+  }
+  protected static void assertOK(TSentryResponseStatus resp) {
+    assertStatus(Status.OK, resp);
+  }
+
+  protected static void assertStatus(Status status, TSentryResponseStatus resp) {
+    if (resp.getValue() !=  status.getCode()) {
+      String message = "Expected: " + status + ", Response: " + Status.fromCode(resp.getValue())
+          + ", Code: " + resp.getValue() + ", Message: " + resp.getMessage();
+      String stackTrace = Strings.nullToEmpty(resp.getStack()).trim();
+      if (!stackTrace.isEmpty()) {
+        message += ", StackTrace: " + stackTrace;
+      }
+      Assert.fail(message);
+    }
+  }
+}
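Review bot: In `tearDown()` an exception from `client.close()` skips both the logout and `server.stop()`, so one failing test can leave the Sentry service running for the next. Wrap the close so the rest always runs, e.g. `try { if (client != null) client.close(); } finally { /* logout, then server.stop() */ }`; the logout already catches its own exceptions. Separately, the static initializer turns on `sun.security.krb5.debug` for the whole JVM whenever it is unset, which deserves a comment such as `// Test-only: enable JDK Kerberos tracing unless the runner set it explicitly.`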

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-provider/sentry-provider-db/src/test/resources/log4j.properties
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/log4j.properties b/sentry-provider/sentry-provider-db/src/test/resources/log4j.properties
new file mode 100644
index 0000000..9766758
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/resources/log4j.properties
@@ -0,0 +1,34 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# Define some default values that can be overridden by system properties.
+#
+# For testing, it may also be convenient to specify
+
+log4j.rootLogger=DEBUG,console
+
+log4j.appender.console=org.apache.log4j.ConsoleAppender
+log4j.appender.console.target=System.err
+log4j.appender.console.layout=org.apache.log4j.PatternLayout
+log4j.appender.console.layout.ConversionPattern=%d (%t) [%p - %l] %m%n
+
+log4j.logger.org.apache.hadoop.conf.Configuration=INFO
+log4j.logger.org.apache.hadoop.metrics2=INFO
+log4j.logger.org.apache.directory=INFO
+log4j.logger.org.apache.directory.api.ldap.model.entry.AbstractValue=WARN
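Review bot: The comment block above `log4j.rootLogger` breaks off mid-sentence: `# For testing, it may also be convenient to specify` is followed by nothing. The line before it promises defaults that system properties can override, but the file defines none. Replace both with a comment that matches the file, e.g. `# Test logging: everything at DEBUG to stderr; noisy Hadoop/ApacheDS loggers are capped below.` With the root logger at DEBUG, anything the Kerberos-enabled tests log at that level lands in build output, so it is worth confirming that nothing sensitive is logged there.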

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupMappingService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupMappingService.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupMappingService.java
index 4db465d..f2bb39c 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupMappingService.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupMappingService.java
@@ -18,7 +18,8 @@ package org.apache.sentry.provider.file;
 
 import java.io.IOException;
 import java.util.Collections;
-import java.util.List;
+import java.util.HashSet;
+import java.util.Set;
 
 import org.apache.hadoop.security.Groups;
 import org.apache.sentry.provider.common.GroupMappingService;
@@ -36,12 +37,12 @@ public class HadoopGroupMappingService implements GroupMappingService {
   }
 
   @Override
-  public List<String> getGroups(String user) {
+  public Set<String> getGroups(String user) {
     try {
-      return groups.getGroups(user);
+      return new HashSet<String>(groups.getGroups(user));
     } catch (IOException e) {
       LOGGER.warn("Unable to obtain groups for " + user, e);
     }
-    return Collections.emptyList();
+    return Collections.emptySet();
   }
 }
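Review bot: `getGroups` returns an empty set both for a user with no groups and when the Hadoop lookup throws, and nothing in the method says this is deliberate. A comment above the final return would record the intent: `// Fail closed: a failed lookup yields no groups, so no group-based privileges are matched.` This assumes callers treat an empty set as "no access", which the visible lines do not show. The success path also hands back a mutable `HashSet` while the failure path returns the immutable `Collections.emptySet()`; wrapping the former in `Collections.unmodifiableSet(...)` would make both paths behave the same.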

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
index ff3adf1..b2e4196 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
@@ -21,11 +21,8 @@ import java.io.IOException;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.security.Groups;
-import org.apache.sentry.policy.common.RoleValidator;
 import org.apache.sentry.policy.common.PolicyEngine;
 import org.apache.sentry.provider.common.GroupMappingService;
-import org.apache.sentry.provider.file.HadoopGroupMappingService;
-import org.apache.sentry.provider.file.ResourceAuthorizationProvider;
 
 import com.google.common.annotations.VisibleForTesting;
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
index c399117..a4d9cba 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
@@ -20,9 +20,9 @@ package org.apache.sentry.provider.file;
 import java.io.IOException;
 import java.util.Collections;
 import java.util.HashMap;
-import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.util.Set;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileSystem;
@@ -35,7 +35,7 @@ import org.slf4j.LoggerFactory;
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Strings;
-import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
 
 /**
  * Mapping users to groups
@@ -62,8 +62,8 @@ public class LocalGroupMappingService implements GroupMappingService {
   private static final Logger LOGGER = LoggerFactory
       .getLogger(LocalGroupMappingService.class);
 
-  private final Map <String, List<String>> groupMap =
-      new HashMap <String, List<String>> ();
+  private final Map <String, Set<String>> groupMap =
+      new HashMap <String, Set<String>> ();
 
   public LocalGroupMappingService(Path resourcePath) throws IOException {
     this(new Configuration(), resourcePath);
@@ -75,11 +75,11 @@ public class LocalGroupMappingService implements GroupMappingService {
   }
 
   @Override
-  public List<String> getGroups(String user) {
+  public Set<String> getGroups(String user) {
     if (groupMap.containsKey(user)) {
       return groupMap.get(user);
     } else {
-      return Collections.emptyList();
+      return Collections.emptySet();
     }
   }
 
@@ -102,7 +102,7 @@ public class LocalGroupMappingService implements GroupMappingService {
             " in the " + resourcePath);
         continue;
       }
-      List<String> groupList = Lists.newArrayList(
+      Set<String> groupList = Sets.newHashSet(
           PolicyFileConstants.ROLE_SPLITTER.trimResults().split(groupNames));
       LOGGER.debug("Got user mapping: " + userName + ", Groups: " + groupNames);
       groupMap.put(userName, groupList);
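Review bot: The set built here is stored in `groupMap` and later returned as-is by `getGroups` (the hunk at `@@ -75,11 +75,11 @@`), so any caller that modifies the returned `Set` changes the user-to-group mapping used by later authorization checks. Storing an unmodifiable view closes that: `Set<String> groups = Collections.unmodifiableSet(Sets.newHashSet(PolicyFileConstants.ROLE_SPLITTER.trimResults().split(groupNames)));` (`Collections` is already imported). The local is still named `groupList` although it is now a set. The enclosing parse loop starts and ends outside this hunk.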

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java
index 374e989..e8293f6 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java
@@ -17,12 +17,10 @@
 
 package org.apache.sentry.provider.file;
 
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.provider.file.LocalGroupMappingService;
-import org.apache.sentry.provider.file.ResourceAuthorizationProvider;
 import java.io.IOException;
 
 import org.apache.hadoop.fs.Path;
+import org.apache.sentry.policy.common.PolicyEngine;
 
 
 public class LocalGroupResourceAuthorizationProvider extends

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java
index bed3202..0189f85 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java
@@ -17,27 +17,29 @@
 
 package org.apache.sentry.provider.file;
 
+import static org.apache.sentry.provider.file.PolicyFileConstants.DATABASES;
+import static org.apache.sentry.provider.file.PolicyFileConstants.GROUPS;
+import static org.apache.sentry.provider.file.PolicyFileConstants.ROLES;
+import static org.apache.sentry.provider.file.PolicyFileConstants.USERS;
+
 import java.io.File;
-import java.io.IOException;
 import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 
-import com.google.common.base.Preconditions;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Charsets;
 import com.google.common.base.Joiner;
+import com.google.common.base.Preconditions;
 import com.google.common.collect.ArrayListMultimap;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
 import com.google.common.collect.Multimap;
 import com.google.common.io.Files;
 
-import static org.apache.sentry.provider.file.PolicyFileConstants.*;
-
 /**
  * PolicyFile creator. Written specifically to be used with tests. Specifically
  * due to the fact that methods that would typically return true or false to

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFiles.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFiles.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFiles.java
index 295ce78..a908ec3 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFiles.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFiles.java
@@ -63,7 +63,7 @@ public class PolicyFiles {
       throws IOException {
     InputStream input = new FileInputStream(inputFile.getPath());
     FSDataOutputStream out = fs.create(new Path(dest, inputFile.getName()));
-    long bytes = ByteStreams.copy(input, out);
+    ByteStreams.copy(input, out);
     input.close();
     out.hflush();
     out.close();
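Review bot: Neither stream is closed if `fs.create` or `ByteStreams.copy` throws, because `input.close()` and `out.close()` run only on the straight-line path. The explicit generic arguments used elsewhere in this commit suggest pre-Java-7 source, so the sketch below uses nested `try`/`finally` rather than try-with-resources. The method's signature and anything after `out.close()` lie outside the hunk.

```java
    InputStream input = new FileInputStream(inputFile.getPath());
    try {
      FSDataOutputStream out = fs.create(new Path(dest, inputFile.getName()));
      try {
        ByteStreams.copy(input, out);
        out.hflush();
      } finally {
        out.close();
      }
    } finally {
      input.close();
    }
```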

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
index 0743604..448d7c1 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/ResourceAuthorizationProvider.java
@@ -21,40 +21,47 @@ import static org.apache.sentry.provider.file.PolicyFileConstants.KV_JOINER;
 import static org.apache.sentry.provider.file.PolicyFileConstants.PRIVILEGE_NAME;
 
 import java.util.ArrayList;
-import java.util.EnumSet;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 
 import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.SentryConfigurationException;
 import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.policy.common.PermissionFactory;
+import org.apache.sentry.policy.common.Privilege;
+import org.apache.sentry.policy.common.PrivilegeFactory;
 import org.apache.sentry.policy.common.PolicyEngine;
 import org.apache.sentry.provider.common.AuthorizationProvider;
 import org.apache.sentry.provider.common.GroupMappingService;
-import org.apache.shiro.authz.Permission;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import com.google.common.base.Function;
 import com.google.common.base.Preconditions;
 import com.google.common.collect.Iterables;
-import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
 
 public abstract class ResourceAuthorizationProvider implements AuthorizationProvider {
   private static final Logger LOGGER = LoggerFactory
       .getLogger(ResourceAuthorizationProvider.class);
   private final GroupMappingService groupService;
   private final PolicyEngine policy;
-  private final PermissionFactory permissionFactory;
-  private final List<String> lastFailedPermissions = new ArrayList<String>();
+  private final PrivilegeFactory privilegeFactory;
+  private final ThreadLocal<List<String>> lastFailedPrivileges;
 
   public ResourceAuthorizationProvider(PolicyEngine policy,
       GroupMappingService groupService) {
     this.policy = policy;
     this.groupService = groupService;
-    this.permissionFactory = policy.getPermissionFactory();
+    this.privilegeFactory = policy.getPrivilegeFactory();
+    this.lastFailedPrivileges = new ThreadLocal<List<String>>() {
+      @Override
+      protected List<String> initialValue() {
+        return new ArrayList<String>();
+      }
+    };
   }
 
   /***
@@ -68,7 +75,7 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
    */
   @Override
   public boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy,
-      Set<? extends Action> actions) {
+      Set<? extends Action> actions, ActiveRoleSet roleSet) {
     if(LOGGER.isDebugEnabled()) {
       LOGGER.debug("Authorization Request for " + subject + " " +
           authorizableHierarchy + " and " + actions);
@@ -78,45 +85,47 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
     Preconditions.checkArgument(!authorizableHierarchy.isEmpty(), "Authorizable cannot be empty");
     Preconditions.checkNotNull(actions, "Actions cannot be null");
     Preconditions.checkArgument(!actions.isEmpty(), "Actions cannot be empty");
-    return doHasAccess(subject, authorizableHierarchy, actions);
+    Preconditions.checkNotNull(roleSet, "ActiveRoleSet cannot be null");
+    return doHasAccess(subject, authorizableHierarchy, actions, roleSet);
   }
 
   private boolean doHasAccess(Subject subject,
-      List<? extends Authorizable> authorizables, Set<? extends Action> actions) {
-    List<String> groups =  getGroups(subject);
-    List<String> hierarchy = new ArrayList<String>();
+      List<? extends Authorizable> authorizables, Set<? extends Action> actions,
+      ActiveRoleSet roleSet) {
+    Set<String> groups =  getGroups(subject);
+    Set<String> hierarchy = new HashSet<String>();
     for (Authorizable authorizable : authorizables) {
       hierarchy.add(KV_JOINER.join(authorizable.getTypeName(), authorizable.getName()));
     }
-    Iterable<Permission> permissions = getPermissions(authorizables, groups);
-    List<String> requestPermissions = buildPermissions(authorizables, actions);
-    lastFailedPermissions.clear();
+    Iterable<Privilege> privileges = getPrivileges(groups, roleSet);
+    List<String> requestPrivileges = buildPermissions(authorizables, actions);
+    lastFailedPrivileges.get().clear();
 
-    for (String requestPermission : requestPermissions) {
-      for (Permission permission : permissions) {
+    for (String requestPrivilege : requestPrivileges) {
+      for (Privilege permission : privileges) {
         /*
          * Does the permission granted in the policy file imply the requested action?
          */
-        boolean result = permission.implies(permissionFactory.createPermission(requestPermission));
+        boolean result = permission.implies(privilegeFactory.createPrivilege(requestPrivilege));
         if(LOGGER.isDebugEnabled()) {
-          LOGGER.debug("FilePermission {}, RequestPermission {}, result {}",
-              new Object[]{ permission, requestPermission, result});
+          LOGGER.debug("ProviderPrivilege {}, RequestPrivilege {}, RoleSet, {}, Result {}",
+              new Object[]{ permission, requestPrivilege, roleSet, result});
         }
         if (result) {
           return true;
         }
       }
     }
-    lastFailedPermissions.addAll(requestPermissions);
+    lastFailedPrivileges.get().addAll(requestPrivileges);
     return false;
   }
 
-  private Iterable<Permission> getPermissions(List<? extends Authorizable> authorizables, List<String> groups) {
-    return Iterables.transform(policy.getPermissions(authorizables, groups).values(),
-        new Function<String, Permission>() {
+  private Iterable<Privilege> getPrivileges(Set<String> groups, ActiveRoleSet roleSet) {
+    return Iterables.transform(policy.getPrivileges(groups, roleSet),
+        new Function<String, Privilege>() {
       @Override
-      public Permission apply(String permission) {
-        return permissionFactory.createPermission(permission);
+      public Privilege apply(String privilege) {
+        return privilegeFactory.createPrivilege(privilege);
       }
     });
   }
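Review bot: In `doHasAccess` the `hierarchy` set is still filled from `authorizables`, but nothing reads it now that the lookup is `getPrivileges(groups, roleSet)`. Either remove the set and its loop, or, if the old `getPermissions(authorizables, groups)` call used the hierarchy to narrow which grants were evaluated, add a comment saying that scoping now rests entirely on `implies`. `privilegeFactory.createPrivilege(requestPrivilege)` is rebuilt for every granted privilege and can be hoisted into the outer loop. The debug format string has a stray comma in `RoleSet, {}`.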
@@ -126,7 +135,7 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
     return groupService;
   }
 
-  private List<String> getGroups(Subject subject) {
+  private Set<String> getGroups(Subject subject) {
     return groupService.getGroups(subject.getName());
   }
 
@@ -136,18 +145,18 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
   }
 
   @Override
-  public Set<String> listPermissionsForSubject(Subject subject) throws SentryConfigurationException {
-    return policy.listPermissions(getGroups(subject));
+  public Set<String> listPrivilegesForSubject(Subject subject) throws SentryConfigurationException {
+    return policy.getPrivileges(getGroups(subject), ActiveRoleSet.ALL);
   }
 
   @Override
-  public Set<String> listPermissionsForGroup(String groupName) throws SentryConfigurationException {
-    return policy.listPermissions(groupName);
+  public Set<String> listPrivilegesForGroup(String groupName) throws SentryConfigurationException {
+    return policy.getPrivileges(Sets.newHashSet(groupName), ActiveRoleSet.ALL);
   }
 
   @Override
-  public List<String> getLastFailedPermissions() {
-    return lastFailedPermissions;
+  public List<String> getLastFailedPrivileges() {
+    return lastFailedPrivileges.get();
   }
 
   private List<String> buildPermissions(List<? extends Authorizable> authorizables,
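Review bot: `getLastFailedPrivileges()` returns the live per-thread list, so a caller can mutate the provider's state. On a pooled thread, a caller that did not just run `hasAccess` also reads whatever the previous request on that thread left behind. Returning a snapshot fixes the first problem: `return new ArrayList<String>(lastFailedPrivileges.get());`. The thread-affinity contract deserves a Javadoc line, e.g. `/** Privileges denied by the most recent hasAccess() call on the calling thread. */`. `buildPermissions`, whose signature ends this hunk, continues outside it.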
@@ -167,5 +176,4 @@ public abstract class ResourceAuthorizationProvider implements AuthorizationProv
     }
     return requestedPermissions;
   }
-
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
index 9eabb53..89a2d31 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
@@ -22,11 +22,9 @@ import static org.apache.sentry.provider.file.PolicyFileConstants.ROLES;
 import static org.apache.sentry.provider.file.PolicyFileConstants.ROLE_SPLITTER;
 import static org.apache.sentry.provider.file.PolicyFileConstants.USERS;
 
-import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.URI;
-import java.util.ArrayList;
-import java.util.Collection;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -36,74 +34,157 @@ import javax.annotation.Nullable;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
-import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.ActiveRoleSet;
 import org.apache.sentry.core.common.SentryConfigurationException;
-import org.apache.sentry.policy.common.RoleValidator;
+import org.apache.sentry.policy.common.PrivilegeUtils;
+import org.apache.sentry.policy.common.PrivilegeValidator;
+import org.apache.sentry.policy.common.PrivilegeValidatorContext;
 import org.apache.sentry.provider.common.ProviderBackend;
-import org.apache.sentry.provider.common.Roles;
-import org.apache.shiro.config.ConfigurationException;
+import org.apache.sentry.provider.common.ProviderBackendContext;
 import org.apache.shiro.config.Ini;
-import org.apache.shiro.util.PermissionUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Splitter;
 import com.google.common.base.Strings;
+import com.google.common.collect.HashBasedTable;
 import com.google.common.collect.HashMultimap;
-import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.ImmutableSetMultimap;
+import com.google.common.collect.Interner;
+import com.google.common.collect.Interners;
 import com.google.common.collect.Lists;
-import com.google.common.collect.Maps;
 import com.google.common.collect.Multimap;
 import com.google.common.collect.Sets;
+import com.google.common.collect.Table;
+import com.google.common.collect.Table.Cell;
 
 public class SimpleFileProviderBackend implements ProviderBackend {
 
   private static final Logger LOGGER = LoggerFactory
       .getLogger(SimpleFileProviderBackend.class);
 
-
-
   private final FileSystem fileSystem;
   private final Path resourcePath;
-  private final List<Path> perDbResources = Lists.newArrayList();
-  private Roles rolesStorage;
   private final Configuration conf;
-  private boolean processed;
-  private final List<String> configErrors = new ArrayList<String>();
-  private final List<String> configWarnings = new ArrayList<String>();
+  private final List<String> configErrors;
+  private final List<String> configWarnings;
+
+  /**
+   * Sparse table where group is the row key and role is the cell.
+   * The value is the set of privileges located in the cell. For example,
+   * the following table would be generated for a policy where Group 1
+   * has Role 1 and Role 2 while Group 2 has only Role 2.
+   * <table border="1">
+   *  <tbody>
+   *    <tr>
+   *      <td><!-- empty --></td>
+   *      <td>Role 1</td>
+   *      <td>Role 2</td>
+   *    </tr>
+   *    <tr>
+   *      <td>Group 1</td>
+   *      <td>Priv 1</td>
+   *      <td>Priv 2, Priv 3</td>
+   *    </tr>
+   *    <tr>
+   *      <td>Group 2</td>
+   *      <td><!-- empty --></td>
+   *      <td>Priv 2, Priv 3</td>
+   *    </tr>
+   *  </tbody>
+   * </table>
+   */
+  private final Table<String, String, Set<String>> groupRolePrivilegeTable;
+  /**
+   * Each group, role, and privilege in groupRolePrivilegeTable is
+   * interned using a weak interner so that we only store each string
+   * once.
+   */
+  private final Interner<String> stringInterner;
+
+  private ImmutableList<PrivilegeValidator> validators;
+  private boolean allowPerDatabaseSection;
+  private volatile boolean initialized;
 
   public SimpleFileProviderBackend(String resourcePath) throws IOException {
-    this(new Configuration(), resourcePath);
+    this(new Configuration(), new Path(resourcePath));
   }
 
   public SimpleFileProviderBackend(Configuration conf, String resourcePath) throws IOException {
     this(conf, new Path(resourcePath));
   }
 
-  @VisibleForTesting
   public SimpleFileProviderBackend(Configuration conf, Path resourcePath) throws IOException {
     this.resourcePath = resourcePath;
     this.fileSystem = resourcePath.getFileSystem(conf);
-    this.rolesStorage = new Roles();
+    this.groupRolePrivilegeTable = HashBasedTable.create();
     this.conf = conf;
-    this.processed = false;
+    this.configErrors = Lists.newArrayList();
+    this.configWarnings = Lists.newArrayList();
+    this.validators = ImmutableList.of();
+    this.allowPerDatabaseSection = true;
+    this.initialized = false;
+    this.stringInterner = Interners.newWeakInterner();
+  }
+
+  /**
+   * {@inheritDoc}
+   */
+  @Override
+  public void initialize(ProviderBackendContext context) {
+    if (initialized) {
+      throw new IllegalStateException("Backend has already been initialized, cannot be initialized twice");
+    }
+    this.validators = context.getValidators();
+    this.allowPerDatabaseSection = context.isAllowPerDatabase();
+    parse();
+    this.initialized = true;
   }
 
   /**
    * {@inheritDoc}
    */
-  public void process(List<? extends RoleValidator> validators) {
+  @Override
+  public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet) {
+    if (!initialized) {
+      throw new IllegalStateException("Backend has not been properly initialized");
+    }
+    ImmutableSet.Builder<String> resultBuilder = ImmutableSet.builder();
+    for (String groupName : groups) {
+      for (Map.Entry<String, Set<String>> row : groupRolePrivilegeTable.row(groupName)
+          .entrySet()) {
+        if (roleSet.containsRole(row.getKey())) {
+          resultBuilder.addAll(row.getValue());
+        }
+      }
+    }
+    return resultBuilder.build();
+  }
+
+  @Override
+  public void validatePolicy(boolean strictValidation) throws SentryConfigurationException {
+    if (!initialized) {
+      throw new IllegalStateException("Backend has not been properly initialized");
+    }
+    List<String> localConfigErrors = Lists.newArrayList(configErrors);
+    List<String> localConfigWarnings = Lists.newArrayList(configWarnings);
+    if ((strictValidation && !localConfigWarnings.isEmpty()) || !localConfigErrors.isEmpty()) {
+      localConfigErrors.add("Failed to process global policy file " + resourcePath);
+      SentryConfigurationException e = new SentryConfigurationException("");
+      e.setConfigErrors(localConfigErrors);
+      e.setConfigWarnings(localConfigWarnings);
+      throw e;
+    }
+  }
+
+  private void parse() {
     configErrors.clear();
-    perDbResources.clear();
+    configWarnings.clear();
+    Table<String, String, Set<String>> groupRolePrivilegeTableTemp = HashBasedTable.create();
     Ini ini;
-
     LOGGER.info("Parsing " + resourcePath);
-    Roles roles = new Roles();
     try {
-      perDbResources.clear();
       try {
         ini = PolicyFiles.loadFromPath(fileSystem, resourcePath);
       } catch (IOException e) {
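Review bot: `initialize()` tests and sets `initialized` without any lock, so two threads calling it together can both pass the `if (initialized)` check and both run `parse()` against the same `HashBasedTable`, which is not safe for concurrent writes. The `volatile` flag only publishes the finished table to readers; it does not make the check-then-set atomic. Whether concurrent initialization can happen depends on callers not shown here, but declaring the method `public synchronized void initialize(ProviderBackendContext context)` closes the gap cheaply. A short class comment stating that the table is written only during `initialize()` and is read-only afterwards would also help; `parse()` continues outside this hunk.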
@@ -126,12 +207,15 @@ public class SimpleFileProviderBackend implements ProviderBackend {
           }
         }
       }
-      ImmutableSetMultimap<String, String> globalRoles;
-      Map<String, ImmutableSetMultimap<String, String>> perDatabaseRoles = Maps.newHashMap();
-      globalRoles = parseIni(null, ini, validators, resourcePath);
+      parseIni(null, ini, validators, resourcePath, groupRolePrivilegeTableTemp);
+      mergeResult(groupRolePrivilegeTableTemp);
+      groupRolePrivilegeTableTemp.clear();
       Ini.Section filesSection = ini.getSection(DATABASES);
       if(filesSection == null) {
         LOGGER.info("Section " + DATABASES + " needs no further processing");
+      } else if (!allowPerDatabaseSection) {
+        String msg = "Per-db policy file is not expected in this configuration.";
+        throw new SentryConfigurationException(msg);
       } else {
         for(Map.Entry<String, String> entry : filesSection.entrySet()) {
           String database = Strings.nullToEmpty(entry.getKey()).trim().toLowerCase();
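Review bot: The new `throw new SentryConfigurationException(msg)` for a disallowed per-db section fires after `mergeResult(groupRolePrivilegeTableTemp)` has already copied the global privileges into the live table, and the outer `catch (Exception e)` later in `parse()` only records the error. The removed code started from an empty `Roles` and assigned `rolesStorage` at the end, so an exception on this path left no privileges. Now `initialize()` still completes and `getPrivileges` serves grants from a policy file that was rejected, unless the caller also runs `validatePolicy`. Consider dropping the early `mergeResult(...)`/`clear()` pair so the single `mergeResult` after the per-db loop is the only write, or testing `allowPerDatabaseSection` before anything is merged. `parse()` starts and ends outside this hunk.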
@@ -144,16 +228,14 @@ public class SimpleFileProviderBackend implements ProviderBackend {
             Ini perDbIni = PolicyFiles.loadFromPath(perDbPolicy.getFileSystem(conf), perDbPolicy);
             if(perDbIni.containsKey(USERS)) {
               configErrors.add("Per-db policy file cannot contain " + USERS + " section in " +  perDbPolicy);
-              throw new ConfigurationException("Per-db policy files cannot contain " + USERS + " section");
+              throw new SentryConfigurationException("Per-db policy files cannot contain " + USERS + " section");
             }
             if(perDbIni.containsKey(DATABASES)) {
               configErrors.add("Per-db policy files cannot contain " + DATABASES
                   + " section in " + perDbPolicy);
-              throw new ConfigurationException("Per-db policy files cannot contain " + DATABASES + " section");
+              throw new SentryConfigurationException("Per-db policy files cannot contain " + DATABASES + " section");
             }
-            ImmutableSetMultimap<String, String> currentDbRoles = parseIni(database, perDbIni, validators, perDbPolicy);
-            perDatabaseRoles.put(database, currentDbRoles);
-            perDbResources.add(perDbPolicy);
+            parseIni(database, perDbIni, validators, perDbPolicy, groupRolePrivilegeTableTemp);
           } catch (Exception e) {
             configErrors.add("Failed to read per-DB policy file " + perDbPolicy +
                " Error: " + e.getMessage());
@@ -161,14 +243,14 @@ public class SimpleFileProviderBackend implements ProviderBackend {
           }
         }
       }
-      roles = new Roles(globalRoles, ImmutableMap.copyOf(perDatabaseRoles));
+      mergeResult(groupRolePrivilegeTableTemp);
+      groupRolePrivilegeTableTemp.clear();
     } catch (Exception e) {
       configErrors.add("Error processing file " + resourcePath + e.getMessage());
       LOGGER.error("Error processing file, ignoring " + resourcePath, e);
     }
-    rolesStorage = roles;
-    this.processed = true;
   }
+
   /**
    * Relative for our purposes is no scheme, no authority
    * and a non-absolute path portion.
@@ -178,22 +260,22 @@ public class SimpleFileProviderBackend implements ProviderBackend {
     return uri.getAuthority() == null && uri.getScheme() == null && !path.isUriPathAbsolute();
   }
 
-  protected long getModificationTime() throws IOException {
-    // if resource path has been deleted, throw all exceptions
-    long result = fileSystem.getFileStatus(resourcePath).getModificationTime();
-    for(Path perDbPolicy : perDbResources) {
-      try {
-        result = Math.max(result, fileSystem.getFileStatus(perDbPolicy).getModificationTime());
-      } catch (FileNotFoundException e) {
-        // if a per-db file has been deleted, wait until the main
-        // policy file has been updated before refreshing
+  private void mergeResult(Table<String, String, Set<String>> groupRolePrivilegeTableTemp) {
+    for (Cell<String, String, Set<String>> cell : groupRolePrivilegeTableTemp.cellSet()) {
+      String groupName = cell.getRowKey();
+      String roleName = cell.getColumnKey();
+      Set<String> privileges = groupRolePrivilegeTable.get(groupName, roleName);
+      if (privileges == null) {
+        privileges = new HashSet<>();
+        groupRolePrivilegeTable.put(groupName, roleName, privileges);
       }
+      privileges.addAll(cell.getValue());
     }
-    return result;
   }
 
-  private ImmutableSetMultimap<String, String> parseIni(String database, Ini ini, List<? extends RoleValidator> validators,
-      Path policyPath) {
+  private void parseIni(String database, Ini ini,
+      List<? extends PrivilegeValidator> validators, Path policyPath,
+      Table<String, String, Set<String>> groupRolePrivilegeTable) {
     Ini.Section privilegesSection = ini.getSection(ROLES);
     boolean invalidConfiguration = false;
     if (privilegesSection == null) {
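Review bot: The new `groupRolePrivilegeTable` parameter of `parseIni` (and of `parsePrivileges` in the next hunk) has the same name as the field, so inside these methods every write goes to the caller's temporary table rather than the live one. That is the intended behaviour here, but the shadowing makes it easy for a later edit to write to the wrong table; naming the parameter `groupRolePrivilegeTableTemp`, as `mergeResult` does, removes the ambiguity. `mergeResult` also repeats the get-or-create block that `parsePrivileges` uses, which could be one private helper. Neither method has a comment saying which table is live and which is scratch; `parseIni` continues outside this hunk.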
@@ -210,19 +292,18 @@ public class SimpleFileProviderBackend implements ProviderBackend {
       invalidConfiguration = true;
     }
     if (!invalidConfiguration) {
-      return parsePermissions(database, privilegesSection, groupsSection, validators, policyPath);
+      parsePrivileges(database, privilegesSection, groupsSection, validators, policyPath,
+          groupRolePrivilegeTable);
     }
-    return ImmutableSetMultimap.of();
   }
 
-  private ImmutableSetMultimap<String, String> parsePermissions(@Nullable String database,
-      Ini.Section rolesSection, Ini.Section groupsSection, List<? extends RoleValidator> validators,
-      Path policyPath) {
-    ImmutableSetMultimap.Builder<String, String> resultBuilder = ImmutableSetMultimap.builder();
+  private void parsePrivileges(@Nullable String database, Ini.Section rolesSection,
+      Ini.Section groupsSection, List<? extends PrivilegeValidator> validators, Path policyPath,
+      Table<String, String, Set<String>> groupRolePrivilegeTable) {
     Multimap<String, String> roleNameToPrivilegeMap = HashMultimap
         .create();
     for (Map.Entry<String, String> entry : rolesSection.entrySet()) {
-      String roleName = Strings.nullToEmpty(entry.getKey()).trim();
+      String roleName = stringInterner.intern(Strings.nullToEmpty(entry.getKey()).trim());
       String roleValue = Strings.nullToEmpty(entry.getValue()).trim();
       boolean invalidConfiguration = false;
       if (roleName.isEmpty()) {
@@ -242,26 +323,31 @@ public class SimpleFileProviderBackend implements ProviderBackend {
         LOGGER.warn(warnMsg);
         configWarnings.add(warnMsg);
       }
-      Set<String> roles = PermissionUtils
-          .toPermissionStrings(roleValue);
-      if (!invalidConfiguration && roles != null) {
-        for(String role : roles) {
-          for(RoleValidator validator : validators) {
-            validator.validate(database, role.trim());
+      Set<String> privileges = PrivilegeUtils.toPrivilegeStrings(roleValue);
+      if (!invalidConfiguration && privileges != null) {
+        Set<String> internedPrivileges = Sets.newHashSet();
+        for(String privilege : privileges) {
+          for(PrivilegeValidator validator : validators) {
+            validator.validate(new PrivilegeValidatorContext(database, privilege.trim()));
           }
+          internedPrivileges.add(stringInterner.intern(privilege));
         }
-        roleNameToPrivilegeMap.putAll(roleName, roles);
+        roleNameToPrivilegeMap.putAll(roleName, internedPrivileges);
       }
     }
     Splitter roleSplitter = ROLE_SPLITTER.omitEmptyStrings().trimResults();
     for (Map.Entry<String, String> entry : groupsSection.entrySet()) {
-      String groupName = Strings.nullToEmpty(entry.getKey()).trim();
+      String groupName = stringInterner.intern(Strings.nullToEmpty(entry.getKey()).trim());
       String groupPrivileges = Strings.nullToEmpty(entry.getValue()).trim();
-      Collection<String> resolvedGroupPrivileges = Sets.newHashSet();
       for (String roleName : roleSplitter.split(groupPrivileges)) {
+        roleName = stringInterner.intern(roleName);
         if (roleNameToPrivilegeMap.containsKey(roleName)) {
-          resolvedGroupPrivileges.addAll(roleNameToPrivilegeMap
-              .get(roleName));
+          Set<String> privileges = groupRolePrivilegeTable.get(groupName, roleName);
+          if (privileges == null) {
+            privileges = new HashSet<>();
+            groupRolePrivilegeTable.put(groupName, roleName, privileges);
+          }
+          privileges.addAll(roleNameToPrivilegeMap.get(roleName));
         } else {
           String warnMsg = String.format("Role %s for group %s does not exist in privileges section in %s",
                   roleName, groupName, policyPath);
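Review bot: Each validator is given `privilege.trim()`, but the string that is interned and stored is the untrimmed `privilege`, so the value checked is not guaranteed to be the value `getPrivileges` later returns. Whether `PrivilegeUtils.toPrivilegeStrings` already trims is not visible in this hunk. Trimming once and using the result for both keeps them identical: `String trimmed = privilege.trim();`, then `new PrivilegeValidatorContext(database, trimmed)` and `stringInterner.intern(trimmed)`. `parsePrivileges` starts and ends outside this hunk.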
@@ -269,30 +355,6 @@ public class SimpleFileProviderBackend implements ProviderBackend {
           configWarnings.add(warnMsg);
         }
       }
-      resultBuilder.putAll(groupName, resolvedGroupPrivileges);
     }
-    return resultBuilder.build();
   }
-
-  /*
-   * {@inheritDoc}
-   */
-  public Roles getRoles() {
-    if (!processed) throw new UnsupportedOperationException("Process has not been called");
-
-    return rolesStorage;
-  }
-
-  @Override
-  public void validatePolicy(List<? extends RoleValidator> validators, boolean strictValidation)
-      throws SentryConfigurationException {
-    if ((strictValidation && !configWarnings.isEmpty()) || !configErrors.isEmpty()) {
-      configErrors.add("Failed to process global policy file " + resourcePath);
-      SentryConfigurationException e = new SentryConfigurationException("");
-      e.setConfigErrors(configErrors);
-      e.setConfigWarnings(configWarnings);
-      throw e;
-    }
-  }
-
 }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
index a50bd24..d3127d7 100644
--- a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
+++ b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestGetGroupMapping.java
@@ -16,21 +16,19 @@
  */
 package org.apache.sentry.provider.file;
 
-import java.util.Arrays;
-import java.util.List;
+import static org.junit.Assert.assertSame;
+
+import java.util.Set;
 
-import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.SentryConfigurationException;
-import org.apache.sentry.policy.common.PermissionFactory;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.policy.common.PrivilegeFactory;
 import org.apache.sentry.policy.common.PolicyEngine;
 import org.apache.sentry.provider.common.GroupMappingService;
-
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.ImmutableSetMultimap;
-
 import org.junit.Test;
 
-import static org.junit.Assert.assertSame;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
 
 public class TestGetGroupMapping {
 
@@ -43,23 +41,15 @@ public class TestGetGroupMapping {
 
   @Test
   public void testResourceAuthorizationProvider() {
-    final List<String> list = Arrays.asList("a", "b", "c");
+    final Set<String> set = Sets.newHashSet("a", "b", "c");
     GroupMappingService mappingService = new GroupMappingService() {
-      public List<String> getGroups(String user) { return list; }
+      public Set<String> getGroups(String user) { return set; }
     };
     PolicyEngine policyEngine = new PolicyEngine() {
-      public PermissionFactory getPermissionFactory() { return null; }
-
-      public ImmutableSetMultimap<String, String> getPermissions(List<? extends Authorizable> authorizables, List<String> groups) { return null; }
-
-      public ImmutableSet<String> listPermissions(String groupName)
-          throws SentryConfigurationException {
-        return null;
-      }
+      public PrivilegeFactory getPrivilegeFactory() { return null; }
 
-      public ImmutableSet<String> listPermissions(List<String> groupName)
-          throws SentryConfigurationException {
-        return null;
+      public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet) {
+        return ImmutableSet.of();
       }
 
       public void validatePolicy(boolean strictValidation)

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestKeyValue.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestKeyValue.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestKeyValue.java
index 1fd64f1..1d8c9ae 100644
--- a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestKeyValue.java
+++ b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestKeyValue.java
@@ -21,7 +21,6 @@ import static junit.framework.Assert.assertEquals;
 import static junit.framework.Assert.assertFalse;
 import static org.apache.sentry.provider.file.PolicyFileConstants.KV_JOINER;
 
-import org.apache.sentry.provider.file.KeyValue;
 import org.junit.Test;
 
 public class TestKeyValue {

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
index f1d8192..c436009 100644
--- a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
+++ b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
@@ -19,25 +19,25 @@ package org.apache.sentry.provider.file;
 
 import java.io.File;
 import java.io.IOException;
-import java.util.List;
+import java.util.Set;
 
 import org.apache.commons.io.FileUtils;
 import org.apache.hadoop.fs.Path;
-import org.apache.sentry.provider.file.LocalGroupMappingService;
-import org.apache.sentry.provider.file.PolicyFiles;
 import org.junit.After;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 
+import com.google.common.collect.Sets;
 import com.google.common.io.Files;
 
 public class TestLocalGroupMapping {
 
-  private String resourcePath = "test-authz-provider-local-group-mapping.ini";
+  private static final String resourcePath = "test-authz-provider-local-group-mapping.ini";
+  private static final Set<String> fooGroups = Sets.newHashSet("admin", "analyst");
+  private static final Set<String> barGroups = Sets.newHashSet("jranalyst");
+
   private LocalGroupMappingService localGroupMapping;
-  private String[] fooGroups = new String[] {"admin", "analyst" };
-  private String[] barGroups = new String[] {"jranalyst"};
 
   private File baseDir;
 
@@ -57,13 +57,13 @@ public class TestLocalGroupMapping {
 
   @Test
   public void testGroupMapping() {
-    List <String> fooGroupsFromResource = localGroupMapping.getGroups("foo");
-    Assert.assertArrayEquals(fooGroupsFromResource.toArray(), fooGroups);
+    Set<String> fooGroupsFromResource = localGroupMapping.getGroups("foo");
+    Assert.assertEquals(fooGroupsFromResource, fooGroups);
 
-    List <String> barGroupsFromResource = localGroupMapping.getGroups("bar");
-    Assert.assertArrayEquals(barGroupsFromResource.toArray(), barGroups);
+    Set<String> barGroupsFromResource = localGroupMapping.getGroups("bar");
+    Assert.assertEquals(barGroupsFromResource, barGroups);
 
-    List <String> unknownGroupsFromResource = localGroupMapping.getGroups("unknown");
+    Set<String> unknownGroupsFromResource = localGroupMapping.getGroups("unknown");
     Assert.assertTrue("List not empty " + unknownGroupsFromResource, unknownGroupsFromResource.isEmpty());
   }
 }
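Review bot: `Assert.assertEquals(fooGroupsFromResource, fooGroups)` passes the actual value first, so a failure message will label the two sets the wrong way round. JUnit's order is expected then actual, i.e. `Assert.assertEquals(fooGroups, fooGroupsFromResource)`, and the same applies to the `barGroups` assertion. The message `"List not empty "` on the last assertion now describes a `Set`.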

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestSimpleFileProvderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestSimpleFileProvderBackend.java b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestSimpleFileProvderBackend.java
new file mode 100644
index 0000000..df5acdc
--- /dev/null
+++ b/sentry-provider/sentry-provider-file/src/test/java/org/apache/sentry/provider/file/TestSimpleFileProvderBackend.java
@@ -0,0 +1,120 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.sentry.provider.file;
+import static junit.framework.Assert.assertEquals;
+import static junit.framework.Assert.fail;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.HashSet;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.provider.common.ProviderBackendContext;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public class TestSimpleFileProvderBackend {
+
+  private static final String resourcePath = "test-authz-provider-local-group-mapping.ini";
+
+  private SimpleFileProviderBackend backend;
+  private ProviderBackendContext context;
+  private File baseDir;
+
+  @Before
+  public void setup() throws IOException {
+    baseDir = Files.createTempDir();
+    PolicyFiles.copyToDir(baseDir, resourcePath);
+    backend = new SimpleFileProviderBackend(new File(baseDir, resourcePath).toString());
+    context = new ProviderBackendContext();
+  }
+
+  @After
+  public void teardown() {
+    if(baseDir != null) {
+      FileUtils.deleteQuietly(baseDir);
+    }
+  }
+
+  @Test
+  public void testInitializeTwice() {
+    backend.initialize(context);
+    try {
+      backend.initialize(context);
+      fail("Expected IllegalStateException on second initialze");
+    } catch (IllegalStateException e) {
+      // expected
+    }
+  }
+
+  @Test(expected = IllegalStateException.class)
+  public void testUninitializeGetPrivileges() {
+    backend.getPrivileges(new HashSet<String>(), ActiveRoleSet.ALL);
+  }
+
+  @Test(expected = IllegalStateException.class)
+  public void testUninitializeValidatePolicy() {
+    backend.validatePolicy(true);
+  }
+
+  @Test
+  public void testRoleSetAll() {
+    backend.initialize(context);
+    assertEquals(Sets.newHashSet("server=server1->db=customers->table=purchases->select",
+        "server=server1->db=analyst1", "server=server1->db=jranalyst1->table=*->select",
+        "server=server1->db=jranalyst1", "server=server1->functions"),
+        backend.getPrivileges(Sets.newHashSet("manager"), ActiveRoleSet.ALL));
+  }
+
+  @Test
+  public void testRoleSetAllUnknownGroup() {
+    backend.initialize(context);
+    assertEquals(Sets.newHashSet(), backend.getPrivileges(Sets.newHashSet("not-a-group"),
+        ActiveRoleSet.ALL));
+  }
+
+  @Test
+  public void testRoleSetNone() {
+    backend.initialize(context);
+    assertEquals(Sets.newHashSet(), backend.getPrivileges(Sets.newHashSet("manager"),
+        new ActiveRoleSet(new HashSet<String>())));
+  }
+
+  @Test
+  public void testRoleSetOne() {
+    backend.initialize(context);
+    assertEquals(Sets.newHashSet("server=server1->functions"),
+        backend.getPrivileges(Sets.newHashSet("manager"),
+            new ActiveRoleSet(Sets.newHashSet("functions"))));
+  }
+
+  @Test
+  public void testRoleSetTwo() {
+    backend.initialize(context);
+    assertEquals(Sets.newHashSet("server=server1->db=jranalyst1",
+        "server=server1->functions"),
+        backend.getPrivileges(Sets.newHashSet("manager"),
+            new ActiveRoleSet(Sets.newHashSet("junior_analyst_role", "functions"))));
+  }
+}
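Review bot: The new tests cover the uninitialized state and successful lookups, but none exercises a rejected policy. There is no case where `isAllowPerDatabase()` is false and the file has a per-database section, where a validator throws, or where `validatePolicy` is called after a parse error, so nothing pins what `getPrivileges` returns when the policy file is invalid. A test that initializes the backend with such a policy and asserts the intended result would document the failure mode of this authorization path. The class name `TestSimpleFileProvderBackend` and the word `initialze` in the `fail(...)` message are misspelled.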

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-hive/.gitignore
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/.gitignore b/sentry-tests/sentry-tests-hive/.gitignore
index 1f01ed7..a3e474e 100644
--- a/sentry-tests/sentry-tests-hive/.gitignore
+++ b/sentry-tests/sentry-tests-hive/.gitignore
@@ -1,3 +1,4 @@
 derby.log
 TempStatsStore/**
 thirdparty/*
+sentry_policy_db

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-hive/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/pom.xml b/sentry-tests/sentry-tests-hive/pom.xml
index 030b9b1..2b00d16 100644
--- a/sentry-tests/sentry-tests-hive/pom.xml
+++ b/sentry-tests/sentry-tests-hive/pom.xml
@@ -260,8 +260,8 @@ limitations under the License.
                     mv $BASE_DIR/${finalName}* $BASE_DIR/$finalName
                   }
                   mkdir -p $DOWNLOAD_DIR
-                  download "http://archive.cloudera.com/cdh5/cdh/5/hadoop-latest.tar.gz" hadoop.tar.gz hadoop
-                  download "http://archive.cloudera.com/cdh5/cdh/5/hive-latest.tar.gz" hive.tar.gz hive
+                  download "http://repos.jenkins.cloudera.com/cdh5-nightly/cdh/5/hadoop-latest.tar.gz" hadoop.tar.gz hadoop
+                  download "http://repos.jenkins.cloudera.com/cdh5-nightly/cdh/5/hive-latest.tar.gz" hive.tar.gz hive
                 </echo>
                 <exec executable="bash" dir="${basedir}" failonerror="true">
                   <arg line="target/download.sh"/>
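Review bot: Both `download` lines fetch an unpinned `*-latest.tar.gz` from a nightly build host over plain `http://`, and the generated script is run with `bash`, so the test build unpacks whatever that URL serves at the time. The `download` function is defined above this hunk, so any checksum verification it may do is not visible. If it does none, fetching a fixed version over `https://` and comparing the archive against a checksum kept in the repository would make the build reproducible and resistant to a tampered or swapped tarball. A comment explaining why the nightly host replaces the release archive would also help.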
@@ -272,6 +272,35 @@ limitations under the License.
         </executions>
       </plugin>
     </plugins>
+    <pluginManagement>
+      <plugins>
+        <!--This plugin's configuration is used to store Eclipse m2e settings only. It has no influence on the Maven build itself.-->
+        <plugin>
+          <groupId>org.eclipse.m2e</groupId>
+          <artifactId>lifecycle-mapping</artifactId>
+          <version>1.0.0</version>
+          <configuration>
+            <lifecycleMappingMetadata>
+              <pluginExecutions>
+                <pluginExecution>
+                  <pluginExecutionFilter>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-antrun-plugin</artifactId>
+                    <versionRange>[1.7,)</versionRange>
+                    <goals>
+                      <goal>run</goal>
+                    </goals>
+                  </pluginExecutionFilter>
+                  <action>
+                    <ignore></ignore>
+                  </action>
+                </pluginExecution>
+              </pluginExecutions>
+            </lifecycleMappingMetadata>
+          </configuration>
+        </plugin>
+      </plugins>
+    </pluginManagement>
   </build>
   <profiles>
    <profile>

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java
index 6ae3776..6444407 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/AbstractTestWithStaticConfiguration.java
@@ -26,8 +26,8 @@ import junit.framework.Assert;
 
 import org.apache.commons.io.FileUtils;
 import org.apache.hadoop.fs.FileSystem;
-import org.apache.sentry.tests.e2e.hive.fs.DFSFactory;
 import org.apache.sentry.tests.e2e.hive.fs.DFS;
+import org.apache.sentry.tests.e2e.hive.fs.DFSFactory;
 import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServer;
 import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory;
 import org.junit.AfterClass;
@@ -173,8 +173,12 @@ public abstract class AbstractTestWithStaticConfiguration {
       }
       baseDir = null;
     }
-    if(dfs!=null) {
-      dfs.tearDown();
+    if(dfs != null) {
+      try {
+        dfs.tearDown();
+      } catch (Exception e) {
+        LOGGER.info("Exception shutting down dfs", e);
+      }
     }
   }
 }
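Review bot: The new `catch (Exception e)` around `dfs.tearDown()` logs the failure at INFO, so a filesystem that did not shut down cleanly is easy to miss in test output and may affect later test classes in the same JVM. I would log it at a higher level, `LOGGER.warn("Exception shutting down dfs", e);`. If `dfs` is a static field, as `baseDir` appears to be, it should also be cleared after the attempt so a half-torn-down instance is not picked up again. The enclosing method starts outside the hunk.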

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
index 2f83678..4f7dd2d 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/Context.java
@@ -27,7 +27,6 @@ import java.io.IOException;
 import java.io.PrintWriter;
 import java.net.URI;
 import java.sql.Connection;
-import java.sql.DriverManager;
 import java.sql.SQLException;
 import java.sql.Statement;
 import java.util.Set;

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestConfigTool.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestConfigTool.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestConfigTool.java
index 6968cc0..bb7bec2 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestConfigTool.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestConfigTool.java
@@ -17,36 +17,25 @@
 
 package org.apache.sentry.tests.e2e.hive;
 
-import static org.junit.Assert.*;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import java.io.BufferedInputStream;
-import java.io.BufferedOutputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
-import java.io.FileOutputStream;
 import java.io.PrintStream;
 import java.sql.Connection;
-import java.sql.ResultSet;
-import java.sql.ResultSetMetaData;
 import java.sql.SQLException;
 import java.sql.Statement;
-import java.util.ArrayList;
-import java.util.List;
 import java.util.Set;
 
-import junit.framework.Assert;
-
 import org.apache.sentry.binding.hive.authz.SentryConfigTool;
 import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
 import org.apache.sentry.core.common.SentryConfigurationException;
 import org.apache.sentry.core.common.Subject;
 import org.apache.sentry.provider.file.PolicyFile;
-
-import com.google.common.io.Resources;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
 
 public class TestConfigTool extends AbstractTestWithStaticConfiguration {
   private static final String DB2_POLICY_FILE = "db2-policy-file.ini";
@@ -188,18 +177,18 @@ public class TestConfigTool extends AbstractTestWithStaticConfiguration {
     configTool.validatePolicy();
 
     Set<String> permList = configTool.getSentryProvider()
-        .listPermissionsForSubject(new Subject(USER1_1));
+        .listPrivilegesForSubject(new Subject(USER1_1));
     assertTrue(permList
         .contains("server=server1->db=db1->table=tab1->action=select"));
     assertTrue(permList
         .contains("server=server1->db=db1->table=tab2->action=insert"));
 
-    permList = configTool.getSentryProvider().listPermissionsForSubject(
+    permList = configTool.getSentryProvider().listPrivilegesForSubject(
         new Subject(USER2_1));
     assertTrue(permList
         .contains("server=server1->db=db1->table=tab3->action=select"));
 
-    permList = configTool.getSentryProvider().listPermissionsForSubject(
+    permList = configTool.getSentryProvider().listPrivilegesForSubject(
         new Subject(ADMIN1));
     assertTrue(permList.contains("server=server1"));
   }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPerDBConfiguration.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPerDBConfiguration.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPerDBConfiguration.java
index 80912a3..f782613 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPerDBConfiguration.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPerDBConfiguration.java
@@ -26,8 +26,8 @@ import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
 
-import org.apache.sentry.provider.file.PolicyFile;
 import org.apache.sentry.policy.db.SimpleDBPolicyEngine;
+import org.apache.sentry.provider.file.PolicyFile;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.Test;
@@ -71,6 +71,8 @@ public class TestPerDBConfiguration extends AbstractTestWithStaticConfiguration
 
   @After
   public void teardown() throws Exception {
+    // one test turns this on so let's disable it in the teardown method
+    System.setProperty(SimpleDBPolicyEngine.ACCESS_ALLOW_URI_PER_DB_POLICYFILE, "false");
     if (context != null) {
       context.close();
     }
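Review bot: The added `System.setProperty(SimpleDBPolicyEngine.ACCESS_ALLOW_URI_PER_DB_POLICYFILE, "false");` in `teardown()` forces a fixed value instead of restoring what the JVM had before the test. A run started with the property set explicitly therefore ends with a different authorization setting than it began with. Capturing the previous value in the setup method and restoring it here, or calling `System.clearProperty(...)` when it was unset, would keep this JVM-wide flag from leaking between test classes. Doing the reset before `context.close()` is the right order, since it still runs if the close throws. The body of `teardown()` continues outside the hunk.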
@@ -336,6 +338,13 @@ public class TestPerDBConfiguration extends AbstractTestWithStaticConfiguration
     context.assertAuthzException(statement, "SELECT COUNT(*) FROM db1.tbl1");
     context.assertAuthzException(statement, "USE db1");
 
+    // once we disable this property all queries should fail
+    System.setProperty(SimpleDBPolicyEngine.ACCESS_ALLOW_URI_PER_DB_POLICYFILE, "false");
+    context.assertAuthzException(statement, "USE db2");
+
+    // re-enable for clean
+    System.setProperty(SimpleDBPolicyEngine.ACCESS_ALLOW_URI_PER_DB_POLICYFILE, "true");
+
     statement.close();
     connection.close();
 
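Review bot: The comment `// once we disable this property all queries should fail` promises more than the test checks, because only `USE db2` is asserted after the flag is switched to "false". Either narrow the comment to what is verified, e.g. `// with the property disabled, USE db2 must be denied`, or add a further `context.assertAuthzException(...)` call for another statement against db2 so the denial does not rest on a single statement. The check presumably relies on the policy engine re-reading the system property per query rather than caching it at startup; if so, that is worth saying in the comment. The enclosing test method starts and ends outside the hunk.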
@@ -346,7 +355,6 @@ public class TestPerDBConfiguration extends AbstractTestWithStaticConfiguration
     statement.execute("DROP DATABASE db2 CASCADE");
     statement.close();
     connection.close();
-    System.setProperty(SimpleDBPolicyEngine.ACCESS_ALLOW_URI_PER_DB_POLICYFILE, "false");
   }
 
   /**

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
index c267ea6..56ed06a 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestPrivilegesAtTableScope.java
@@ -17,8 +17,8 @@
 
 package org.apache.sentry.tests.e2e.hive;
 
-import static org.junit.Assert.*;
-import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertTrue;
 
 import java.io.File;

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestSentryOnFailureHookLoading.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestSentryOnFailureHookLoading.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestSentryOnFailureHookLoading.java
index 8222590..cae270b 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestSentryOnFailureHookLoading.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/TestSentryOnFailureHookLoading.java
@@ -17,13 +17,9 @@
 
 package org.apache.sentry.tests.e2e.hive;
 
-import com.google.common.io.Resources;
-import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
 import java.io.File;
 import java.io.FileOutputStream;
 import java.sql.Connection;
@@ -31,10 +27,17 @@ import java.sql.SQLException;
 import java.sql.Statement;
 import java.util.HashMap;
 import java.util.Map;
+
 import junit.framework.Assert;
 
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.assertFalse;
+import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
+import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.tests.e2e.hive.hiveserver.HiveServerFactory;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.google.common.io.Resources;
 
 public class TestSentryOnFailureHookLoading extends AbstractTestWithHiveServer {
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/AbstractDFS.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/AbstractDFS.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/AbstractDFS.java
index 1068dbe..145584d 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/AbstractDFS.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/AbstractDFS.java
@@ -16,12 +16,13 @@
  */
 package org.apache.sentry.tests.e2e.hive.fs;
 
+import java.io.IOException;
+
 import junit.framework.Assert;
+
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
 
-import java.io.IOException;
-
 public abstract class AbstractDFS implements DFS{
   protected static FileSystem fileSystem;
   protected static Path dfsBaseDir;

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/ClusterDFS.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/ClusterDFS.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/ClusterDFS.java
index 1e2c01e..d5db811 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/ClusterDFS.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/ClusterDFS.java
@@ -16,17 +16,16 @@
  */
 package org.apache.sentry.tests.e2e.hive.fs;
 
+import java.security.PrivilegedExceptionAction;
+import java.util.Random;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.mapred.JobClient;
 import org.apache.hadoop.security.UserGroupInformation;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.security.PrivilegedExceptionAction;
-import java.util.Random;
-
 public class ClusterDFS extends AbstractDFS{
   private static final Logger LOGGER = LoggerFactory
       .getLogger(ClusterDFS.class);

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/DFS.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/DFS.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/DFS.java
index b9764bc..9e9bb27 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/DFS.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/DFS.java
@@ -19,8 +19,6 @@ package org.apache.sentry.tests.e2e.hive.fs;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
 
-import java.io.IOException;
-
 public interface DFS {
   public FileSystem getFileSystem();
   public void tearDown() throws Exception;

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/DFSFactory.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/DFSFactory.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/DFSFactory.java
index c3e5bf3..c897b49 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/DFSFactory.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/DFSFactory.java
@@ -16,10 +16,10 @@
  */
 package org.apache.sentry.tests.e2e.hive.fs;
 
-import com.google.common.annotations.VisibleForTesting;
-
 import java.io.File;
 
+import com.google.common.annotations.VisibleForTesting;
+
 public class DFSFactory {
   public static final String FS_TYPE = "sentry.e2etest.DFSType";
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/MiniDFS.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/MiniDFS.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/MiniDFS.java
index dba2a54..de684a9 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/MiniDFS.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/fs/MiniDFS.java
@@ -16,14 +16,14 @@
  */
 package org.apache.sentry.tests.e2e.hive.fs;
 
+import java.io.File;
+
 import junit.framework.Assert;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
 
-import java.io.File;
-import java.io.IOException;
-
 public class MiniDFS extends AbstractDFS {
   private static MiniDFSCluster dfsCluster;
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/EmbeddedHiveServer.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/EmbeddedHiveServer.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/EmbeddedHiveServer.java
index ce3b97c..52ba09e 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/EmbeddedHiveServer.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/EmbeddedHiveServer.java
@@ -17,12 +17,12 @@
 
 package org.apache.sentry.tests.e2e.hive.hiveserver;
 
-import org.apache.hadoop.hive.metastore.HiveMetaStore;
-import org.fest.reflect.core.Reflection;
-
 import java.sql.Connection;
 import java.sql.DriverManager;
 
+import org.apache.hadoop.hive.metastore.HiveMetaStore;
+import org.fest.reflect.core.Reflection;
+
 public class EmbeddedHiveServer implements HiveServer {
 
   @Override

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java
index 0751e91..8af3f45 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java
@@ -24,7 +24,6 @@ import java.net.ServerSocket;
 import java.net.URL;
 import java.util.Map;
 
-import com.google.common.annotations.VisibleForTesting;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.hdfs.DistributedFileSystem;
 import org.apache.hadoop.hive.conf.HiveConf;
@@ -36,6 +35,7 @@ import org.junit.Assert;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.io.Resources;
 
 public class HiveServerFactory {

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/InternalHiveServer.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/InternalHiveServer.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/InternalHiveServer.java
index 3a257bf..02d8024 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/InternalHiveServer.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/InternalHiveServer.java
@@ -18,6 +18,7 @@
 package org.apache.sentry.tests.e2e.hive.hiveserver;
 
 import java.io.IOException;
+
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.metastore.HiveMetaStore;
 import org.apache.hive.service.server.HiveServer2;

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/UnmanagedHiveServer.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/UnmanagedHiveServer.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/UnmanagedHiveServer.java
index 4425efa..42a274f 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/UnmanagedHiveServer.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/UnmanagedHiveServer.java
@@ -16,16 +16,16 @@
  */
 package org.apache.sentry.tests.e2e.hive.hiveserver;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.util.Properties;
 
-import com.google.common.base.Preconditions;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.security.UserGroupInformation;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
-import java.sql.Connection;
-import java.sql.DriverManager;
-import java.util.Properties;
+import com.google.common.base.Preconditions;
 
 public class UnmanagedHiveServer implements HiveServer {
   private static final Logger LOGGER = LoggerFactory.getLogger(UnmanagedHiveServer.class);

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java
index b730de6..bc36967 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/AbstractSolrSentryTestBase.java
@@ -19,7 +19,6 @@ package org.apache.sentry.tests.e2e.solr;
 import java.io.File;
 import java.io.IOException;
 import java.net.MalformedURLException;
-import java.util.Collections;
 import java.util.Comparator;
 import java.util.Random;
 import java.util.SortedMap;
@@ -47,12 +46,10 @@ import org.apache.solr.common.params.CoreAdminParams;
 import org.apache.solr.common.params.ModifiableSolrParams;
 import org.apache.solr.common.util.NamedList;
 import org.apache.solr.servlet.SolrDispatchFilter;
-
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
-
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/HdfsTestUtil.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/HdfsTestUtil.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/HdfsTestUtil.java
index f68fd28..bb566bb 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/HdfsTestUtil.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/HdfsTestUtil.java
@@ -9,7 +9,6 @@ import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hdfs.MiniDFSCluster;
 import org.apache.lucene.util.LuceneTestCase;
 import org.apache.solr.SolrTestCaseJ4;
-import org.junit.Assert;
 
 /*
  * Licensed to the Apache Software Foundation (ASF) under one or more

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/ModifiableUserAuthenticationFilter.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/ModifiableUserAuthenticationFilter.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/ModifiableUserAuthenticationFilter.java
index b61ee25..533858b 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/ModifiableUserAuthenticationFilter.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/ModifiableUserAuthenticationFilter.java
@@ -27,7 +27,6 @@ import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 
 import org.apache.solr.servlet.SolrRequestParsers;
-
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestCollAdminCoreOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestCollAdminCoreOperations.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestCollAdminCoreOperations.java
index 6990444..8509497 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestCollAdminCoreOperations.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestCollAdminCoreOperations.java
@@ -16,12 +16,6 @@
  */
 package org.apache.sentry.tests.e2e.solr;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
-import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope.Scope;
-
 import java.io.File;
 import java.io.PrintWriter;
 import java.io.StringWriter;
@@ -29,10 +23,14 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
-import java.util.Properties;
 import java.util.Random;
 
 import org.apache.solr.common.params.CollectionParams.CollectionAction;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope.Scope;
 
 @ThreadLeakScope(Scope.NONE) // hdfs client currently leaks thread(s)
 public class TestCollAdminCoreOperations extends AbstractSolrSentryTestBase {

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestQueryOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestQueryOperations.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestQueryOperations.java
index 8699849..6658560 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestQueryOperations.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestQueryOperations.java
@@ -16,12 +16,6 @@
  */
 package org.apache.sentry.tests.e2e.solr;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
-import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope.Scope;
-
 import java.io.File;
 import java.io.PrintWriter;
 import java.io.StringWriter;
@@ -30,6 +24,11 @@ import java.util.Arrays;
 import java.util.List;
 
 import org.apache.solr.common.SolrInputDocument;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope.Scope;
 
 @ThreadLeakScope(Scope.NONE) // hdfs client currently leaks thread(s)
 public class TestQueryOperations extends AbstractSolrSentryTestBase {

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/644e8be3/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
index e7ad2c2..d4855da 100644
--- a/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
+++ b/sentry-tests/sentry-tests-solr/src/test/java/org/apache/sentry/tests/e2e/solr/TestUpdateOperations.java
@@ -16,12 +16,6 @@
  */
 package org.apache.sentry.tests.e2e.solr;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
-import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope.Scope;
-
 import java.io.File;
 import java.io.PrintWriter;
 import java.io.StringWriter;
@@ -30,6 +24,11 @@ import java.util.Arrays;
 import java.util.List;
 
 import org.apache.solr.common.SolrInputDocument;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope;
+import com.carrotsearch.randomizedtesting.annotations.ThreadLeakScope.Scope;
 
 @ThreadLeakScope(Scope.NONE) // hdfs client currently leaks thread(s)
 public class TestUpdateOperations extends AbstractSolrSentryTestBase {

