From shreepa...@apache.org
Subject [2/6] SENTRY-142: Create database backed ProviderBackend (Brock Noland via Shreepadma Venugopalan)
Date Fri, 14 Mar 2014 19:08:52 GMT
http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryRole.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryRole.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryRole.java
index 71f7479..dbddcad 100644
--- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryRole.java
+++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryRole.java
@@ -36,8 +36,7 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
 
   private static final org.apache.thrift.protocol.TField ROLE_NAME_FIELD_DESC = new org.apache.thrift.protocol.TField("roleName", org.apache.thrift.protocol.TType.STRING, (short)1);
   private static final org.apache.thrift.protocol.TField PRIVILEGES_FIELD_DESC = new org.apache.thrift.protocol.TField("privileges", org.apache.thrift.protocol.TType.SET, (short)2);
-  private static final org.apache.thrift.protocol.TField CREATE_TIME_FIELD_DESC = new org.apache.thrift.protocol.TField("createTime", org.apache.thrift.protocol.TType.I64, (short)3);
-  private static final org.apache.thrift.protocol.TField GRANTOR_PRINCIPAL_FIELD_DESC = new org.apache.thrift.protocol.TField("grantorPrincipal", org.apache.thrift.protocol.TType.STRING, (short)4);
+  private static final org.apache.thrift.protocol.TField GRANTOR_PRINCIPAL_FIELD_DESC = new org.apache.thrift.protocol.TField("grantorPrincipal", org.apache.thrift.protocol.TType.STRING, (short)3);
 
   private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? extends IScheme>, SchemeFactory>();
   static {
@@ -47,15 +46,13 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
 
   private String roleName; // required
   private Set<TSentryPrivilege> privileges; // required
-  private long createTime; // required
   private String grantorPrincipal; // required
 
   /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */
   public enum _Fields implements org.apache.thrift.TFieldIdEnum {
     ROLE_NAME((short)1, "roleName"),
     PRIVILEGES((short)2, "privileges"),
-    CREATE_TIME((short)3, "createTime"),
-    GRANTOR_PRINCIPAL((short)4, "grantorPrincipal");
+    GRANTOR_PRINCIPAL((short)3, "grantorPrincipal");
 
     private static final Map<String, _Fields> byName = new HashMap<String, _Fields>();
 
@@ -74,9 +71,7 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
           return ROLE_NAME;
         case 2: // PRIVILEGES
           return PRIVILEGES;
-        case 3: // CREATE_TIME
-          return CREATE_TIME;
-        case 4: // GRANTOR_PRINCIPAL
+        case 3: // GRANTOR_PRINCIPAL
           return GRANTOR_PRINCIPAL;
         default:
           return null;
@@ -118,8 +113,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
   }
 
   // isset id assignments
-  private static final int __CREATETIME_ISSET_ID = 0;
-  private byte __isset_bitfield = 0;
   public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap;
   static {
     Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class);
@@ -128,8 +121,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
     tmpMap.put(_Fields.PRIVILEGES, new org.apache.thrift.meta_data.FieldMetaData("privileges", org.apache.thrift.TFieldRequirementType.REQUIRED, 
         new org.apache.thrift.meta_data.SetMetaData(org.apache.thrift.protocol.TType.SET, 
             new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TSentryPrivilege.class))));
-    tmpMap.put(_Fields.CREATE_TIME, new org.apache.thrift.meta_data.FieldMetaData("createTime", org.apache.thrift.TFieldRequirementType.REQUIRED, 
-        new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.I64)));
     tmpMap.put(_Fields.GRANTOR_PRINCIPAL, new org.apache.thrift.meta_data.FieldMetaData("grantorPrincipal", org.apache.thrift.TFieldRequirementType.REQUIRED, 
         new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING)));
     metaDataMap = Collections.unmodifiableMap(tmpMap);
@@ -142,14 +133,11 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
   public TSentryRole(
     String roleName,
     Set<TSentryPrivilege> privileges,
-    long createTime,
     String grantorPrincipal)
   {
     this();
     this.roleName = roleName;
     this.privileges = privileges;
-    this.createTime = createTime;
-    setCreateTimeIsSet(true);
     this.grantorPrincipal = grantorPrincipal;
   }
 
@@ -157,7 +145,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
    * Performs a deep copy on <i>other</i>.
    */
   public TSentryRole(TSentryRole other) {
-    __isset_bitfield = other.__isset_bitfield;
     if (other.isSetRoleName()) {
       this.roleName = other.roleName;
     }
@@ -168,7 +155,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
       }
       this.privileges = __this__privileges;
     }
-    this.createTime = other.createTime;
     if (other.isSetGrantorPrincipal()) {
       this.grantorPrincipal = other.grantorPrincipal;
     }
@@ -182,8 +168,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
   public void clear() {
     this.roleName = null;
     this.privileges = null;
-    setCreateTimeIsSet(false);
-    this.createTime = 0;
     this.grantorPrincipal = null;
   }
 
@@ -248,28 +232,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
     }
   }
 
-  public long getCreateTime() {
-    return this.createTime;
-  }
-
-  public void setCreateTime(long createTime) {
-    this.createTime = createTime;
-    setCreateTimeIsSet(true);
-  }
-
-  public void unsetCreateTime() {
-    __isset_bitfield = EncodingUtils.clearBit(__isset_bitfield, __CREATETIME_ISSET_ID);
-  }
-
-  /** Returns true if field createTime is set (has been assigned a value) and false otherwise */
-  public boolean isSetCreateTime() {
-    return EncodingUtils.testBit(__isset_bitfield, __CREATETIME_ISSET_ID);
-  }
-
-  public void setCreateTimeIsSet(boolean value) {
-    __isset_bitfield = EncodingUtils.setBit(__isset_bitfield, __CREATETIME_ISSET_ID, value);
-  }
-
   public String getGrantorPrincipal() {
     return this.grantorPrincipal;
   }
@@ -311,14 +273,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
       }
       break;
 
-    case CREATE_TIME:
-      if (value == null) {
-        unsetCreateTime();
-      } else {
-        setCreateTime((Long)value);
-      }
-      break;
-
     case GRANTOR_PRINCIPAL:
       if (value == null) {
         unsetGrantorPrincipal();
@@ -338,9 +292,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
     case PRIVILEGES:
       return getPrivileges();
 
-    case CREATE_TIME:
-      return Long.valueOf(getCreateTime());
-
     case GRANTOR_PRINCIPAL:
       return getGrantorPrincipal();
 
@@ -359,8 +310,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
       return isSetRoleName();
     case PRIVILEGES:
       return isSetPrivileges();
-    case CREATE_TIME:
-      return isSetCreateTime();
     case GRANTOR_PRINCIPAL:
       return isSetGrantorPrincipal();
     }
@@ -398,15 +347,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
         return false;
     }
 
-    boolean this_present_createTime = true;
-    boolean that_present_createTime = true;
-    if (this_present_createTime || that_present_createTime) {
-      if (!(this_present_createTime && that_present_createTime))
-        return false;
-      if (this.createTime != that.createTime)
-        return false;
-    }
-
     boolean this_present_grantorPrincipal = true && this.isSetGrantorPrincipal();
     boolean that_present_grantorPrincipal = true && that.isSetGrantorPrincipal();
     if (this_present_grantorPrincipal || that_present_grantorPrincipal) {
@@ -433,11 +373,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
     if (present_privileges)
       builder.append(privileges);
 
-    boolean present_createTime = true;
-    builder.append(present_createTime);
-    if (present_createTime)
-      builder.append(createTime);
-
     boolean present_grantorPrincipal = true && (isSetGrantorPrincipal());
     builder.append(present_grantorPrincipal);
     if (present_grantorPrincipal)
@@ -474,16 +409,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
         return lastComparison;
       }
     }
-    lastComparison = Boolean.valueOf(isSetCreateTime()).compareTo(typedOther.isSetCreateTime());
-    if (lastComparison != 0) {
-      return lastComparison;
-    }
-    if (isSetCreateTime()) {
-      lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.createTime, typedOther.createTime);
-      if (lastComparison != 0) {
-        return lastComparison;
-      }
-    }
     lastComparison = Boolean.valueOf(isSetGrantorPrincipal()).compareTo(typedOther.isSetGrantorPrincipal());
     if (lastComparison != 0) {
       return lastComparison;
@@ -530,10 +455,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
     }
     first = false;
     if (!first) sb.append(", ");
-    sb.append("createTime:");
-    sb.append(this.createTime);
-    first = false;
-    if (!first) sb.append(", ");
     sb.append("grantorPrincipal:");
     if (this.grantorPrincipal == null) {
       sb.append("null");
@@ -555,10 +476,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
       throw new org.apache.thrift.protocol.TProtocolException("Required field 'privileges' is unset! Struct:" + toString());
     }
 
-    if (!isSetCreateTime()) {
-      throw new org.apache.thrift.protocol.TProtocolException("Required field 'createTime' is unset! Struct:" + toString());
-    }
-
     if (!isSetGrantorPrincipal()) {
       throw new org.apache.thrift.protocol.TProtocolException("Required field 'grantorPrincipal' is unset! Struct:" + toString());
     }
@@ -576,8 +493,6 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
 
   private void readObject(java.io.ObjectInputStream in) throws java.io.IOException, ClassNotFoundException {
     try {
-      // it doesn't seem like you should have to do this, but java serialization is wacky, and doesn't call the default constructor.
-      __isset_bitfield = 0;
       read(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(in)));
     } catch (org.apache.thrift.TException te) {
       throw new java.io.IOException(te);
@@ -613,14 +528,14 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
           case 2: // PRIVILEGES
             if (schemeField.type == org.apache.thrift.protocol.TType.SET) {
               {
-                org.apache.thrift.protocol.TSet _set0 = iprot.readSetBegin();
-                struct.privileges = new HashSet<TSentryPrivilege>(2*_set0.size);
-                for (int _i1 = 0; _i1 < _set0.size; ++_i1)
+                org.apache.thrift.protocol.TSet _set16 = iprot.readSetBegin();
+                struct.privileges = new HashSet<TSentryPrivilege>(2*_set16.size);
+                for (int _i17 = 0; _i17 < _set16.size; ++_i17)
                 {
-                  TSentryPrivilege _elem2; // required
-                  _elem2 = new TSentryPrivilege();
-                  _elem2.read(iprot);
-                  struct.privileges.add(_elem2);
+                  TSentryPrivilege _elem18; // required
+                  _elem18 = new TSentryPrivilege();
+                  _elem18.read(iprot);
+                  struct.privileges.add(_elem18);
                 }
                 iprot.readSetEnd();
               }
@@ -629,15 +544,7 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
               org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
             }
             break;
-          case 3: // CREATE_TIME
-            if (schemeField.type == org.apache.thrift.protocol.TType.I64) {
-              struct.createTime = iprot.readI64();
-              struct.setCreateTimeIsSet(true);
-            } else { 
-              org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
-            }
-            break;
-          case 4: // GRANTOR_PRINCIPAL
+          case 3: // GRANTOR_PRINCIPAL
             if (schemeField.type == org.apache.thrift.protocol.TType.STRING) {
               struct.grantorPrincipal = iprot.readString();
               struct.setGrantorPrincipalIsSet(true);
@@ -667,17 +574,14 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
         oprot.writeFieldBegin(PRIVILEGES_FIELD_DESC);
         {
           oprot.writeSetBegin(new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, struct.privileges.size()));
-          for (TSentryPrivilege _iter3 : struct.privileges)
+          for (TSentryPrivilege _iter19 : struct.privileges)
           {
-            _iter3.write(oprot);
+            _iter19.write(oprot);
           }
           oprot.writeSetEnd();
         }
         oprot.writeFieldEnd();
       }
-      oprot.writeFieldBegin(CREATE_TIME_FIELD_DESC);
-      oprot.writeI64(struct.createTime);
-      oprot.writeFieldEnd();
       if (struct.grantorPrincipal != null) {
         oprot.writeFieldBegin(GRANTOR_PRINCIPAL_FIELD_DESC);
         oprot.writeString(struct.grantorPrincipal);
@@ -703,12 +607,11 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
       oprot.writeString(struct.roleName);
       {
         oprot.writeI32(struct.privileges.size());
-        for (TSentryPrivilege _iter4 : struct.privileges)
+        for (TSentryPrivilege _iter20 : struct.privileges)
         {
-          _iter4.write(oprot);
+          _iter20.write(oprot);
         }
       }
-      oprot.writeI64(struct.createTime);
       oprot.writeString(struct.grantorPrincipal);
     }
 
@@ -718,19 +621,17 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
       struct.roleName = iprot.readString();
       struct.setRoleNameIsSet(true);
       {
-        org.apache.thrift.protocol.TSet _set5 = new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, iprot.readI32());
-        struct.privileges = new HashSet<TSentryPrivilege>(2*_set5.size);
-        for (int _i6 = 0; _i6 < _set5.size; ++_i6)
+        org.apache.thrift.protocol.TSet _set21 = new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, iprot.readI32());
+        struct.privileges = new HashSet<TSentryPrivilege>(2*_set21.size);
+        for (int _i22 = 0; _i22 < _set21.size; ++_i22)
         {
-          TSentryPrivilege _elem7; // required
-          _elem7 = new TSentryPrivilege();
-          _elem7.read(iprot);
-          struct.privileges.add(_elem7);
+          TSentryPrivilege _elem23; // required
+          _elem23 = new TSentryPrivilege();
+          _elem23.read(iprot);
+          struct.privileges.add(_elem23);
         }
       }
       struct.setPrivilegesIsSet(true);
-      struct.createTime = iprot.readI64();
-      struct.setCreateTimeIsSet(true);
       struct.grantorPrincipal = iprot.readString();
       struct.setGrantorPrincipalIsSet(true);
     }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryAlreadyExistsException.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryAlreadyExistsException.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryAlreadyExistsException.java
new file mode 100644
index 0000000..d878cc6
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryAlreadyExistsException.java
@@ -0,0 +1,27 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db;
+
+import org.apache.sentry.SentryUserException;
+
+public class SentryAlreadyExistsException extends SentryUserException {
+  private static final long serialVersionUID = 1298632655835L;
+  public SentryAlreadyExistsException(String msg) {
+    super(msg);
+  }
+}
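Review bot: SentryAlreadyExistsException exposes only a `(String msg)` constructor, so code that translates a lower-level failure into this type cannot attach the original cause; the same holds for SentryInvalidInputException and SentryNoSuchObjectException in the next two hunks. If SentryUserException offers a `(String, Throwable)` constructor (not visible here), mirror it, e.g. `public SentryAlreadyExistsException(String msg, Throwable t) { super(msg, t); }`. Those two later classes also share `serialVersionUID = 2962080655835L`, which is harmless because the UID is scoped per class but reads as a copy-paste. A one-line class Javadoc saying when each exception is thrown would help callers of the policy service.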

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryInvalidInputException.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryInvalidInputException.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryInvalidInputException.java
new file mode 100644
index 0000000..a05970e
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryInvalidInputException.java
@@ -0,0 +1,27 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db;
+
+import org.apache.sentry.SentryUserException;
+
+public class SentryInvalidInputException extends SentryUserException {
+  private static final long serialVersionUID = 2962080655835L;
+  public SentryInvalidInputException(String msg) {
+    super(msg);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryNoSuchObjectException.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryNoSuchObjectException.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryNoSuchObjectException.java
new file mode 100644
index 0000000..fa9ee22
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SentryNoSuchObjectException.java
@@ -0,0 +1,27 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db;
+
+import org.apache.sentry.SentryUserException;
+
+public class SentryNoSuchObjectException extends SentryUserException {
+  private static final long serialVersionUID = 2962080655835L;
+  public SentryNoSuchObjectException(String msg) {
+    super(msg);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
new file mode 100644
index 0000000..bc4d7b5
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
@@ -0,0 +1,108 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db;
+
+import java.io.IOException;
+import java.util.Set;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.Path;
+import org.apache.sentry.SentryUserException;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.SentryConfigurationException;
+import org.apache.sentry.provider.common.ProviderBackend;
+import org.apache.sentry.provider.common.ProviderBackendContext;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.collect.ImmutableSet;
+
+public class SimpleDBProviderBackend implements ProviderBackend {
+
+  private static final Logger LOGGER = LoggerFactory
+      .getLogger(SimpleDBProviderBackend.class);
+
+  private final SentryPolicyServiceClient policyServiceClient;
+
+  private volatile boolean initialized;
+
+  public SimpleDBProviderBackend(String resourcePath) throws IOException {
+    this(new Configuration(), new Path(resourcePath));
+  }
+
+  public SimpleDBProviderBackend(Configuration conf, String resourcePath) throws IOException {
+    this(conf, new Path(resourcePath));
+  }
+
+  public SimpleDBProviderBackend(Configuration conf, Path resourcePath) throws IOException {
+    this(new SentryPolicyServiceClient(conf));
+  }
+
+  @VisibleForTesting
+  public SimpleDBProviderBackend(SentryPolicyServiceClient policyServiceClient) throws IOException {
+    this.initialized = false;
+    this.policyServiceClient = policyServiceClient;
+  }
+
+  /**
+   * {@inheritDoc}
+   */
+  @Override
+  public void initialize(ProviderBackendContext context) {
+    if (initialized) {
+      throw new IllegalStateException("Backend has already been initialized, cannot be initialized twice");
+    }
+    this.initialized = true;
+  }
+
+  /**
+   * {@inheritDoc}
+   */
+  @Override
+  public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet) {
+    if (!initialized) {
+      throw new IllegalStateException("Backend has not been properly initialized");
+    }
+    try {
+      return ImmutableSet.copyOf(policyServiceClient.listPrivileges(groups, roleSet));
+    } catch (SentryUserException e) {
+      String msg = "Unable to obtain privileges from server: " + e.getMessage();
+      LOGGER.error(msg, e);
+    }
+    return ImmutableSet.of();
+  }
+
+  @Override
+  public void close() {
+    if (policyServiceClient != null) {
+      policyServiceClient.close();
+    }
+  }
+
+  /**
+   * SimpleDBProviderBackend does not implement validatePolicy()
+   */
+  @Override
+  public void validatePolicy(boolean strictValidation) throws SentryConfigurationException {
+    if (!initialized) {
+      throw new IllegalStateException("Backend has not been properly initialized");
+    }
+    // db provider does not implement validation
+  }
+}
\ No newline at end of file
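Review bot: `getPrivileges` converts every SentryUserException into `ImmutableSet.of()`, so a policy-service failure looks to the caller exactly like a principal that holds no privileges. Denying on error is the safe direction for an authorization backend, but it is a deliberate contract and should be stated so it is not later changed into a permissive fallback; I would add `// Fail closed: on a service error grant nothing; the failure is logged above` before `return ImmutableSet.of();`. Separately, `initialize` does a check-then-set on a `volatile boolean`, so two concurrent callers can both pass the guard. The `resourcePath` argument of the three public constructors is never used, which deserves a Javadoc line.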

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java
index b5de36e..3f68f0d 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java
@@ -29,6 +29,9 @@ import javax.jdo.annotations.PersistenceCapable;
 @PersistenceCapable
 public class MSentryGroup {
 
+  /**
+   * Group name is unique
+   */
   private String groupName;
   // set of roles granted to this group
   private Set<MSentryRole> roles;
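Review bot: The Javadoc added on `groupName` says the name is unique, and the hashCode() hunk below reduces the hash to `groupName`, but equals() in the last hunk of this file still keeps `if (createTime != other.createTime) return false;`. Two MSentryGroup objects with the same name and different creation times therefore hash alike yet compare unequal, so a `Set<MSentryGroup>` can hold both, which contradicts the uniqueness claim. If the name is the identity, drop the createTime comparison from equals(); if it is not, reword the comment to say where uniqueness is enforced. The equals() and hashCode() bodies begin outside the hunks shown.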
@@ -40,7 +43,7 @@ public class MSentryGroup {
     this.setGroupName(groupName);
     this.createTime = createTime;
     this.grantorPrincipal = grantorPrincipal;
-    this.setRoles(roles);
+    this.roles = roles;
   }
 
   public long getCreateTime() {
@@ -63,10 +66,6 @@ public class MSentryGroup {
     return roles;
   }
 
-  public void setRoles(Set<MSentryRole> roles) {
-    this.roles = roles;
-  }
-
   public String getGroupName() {
     return groupName;
   }
@@ -98,9 +97,6 @@ public class MSentryGroup {
   public int hashCode() {
     final int prime = 31;
     int result = 1;
-    result = prime * result + (int) (createTime ^ (createTime >>> 32));
-    result = prime * result
-        + ((grantorPrincipal == null) ? 0 : grantorPrincipal.hashCode());
     result = prime * result + ((groupName == null) ? 0 : groupName.hashCode());
     return result;
   }
@@ -116,11 +112,6 @@ public class MSentryGroup {
     MSentryGroup other = (MSentryGroup) obj;
     if (createTime != other.createTime)
       return false;
-    if (grantorPrincipal == null) {
-      if (other.grantorPrincipal != null)
-        return false;
-    } else if (!grantorPrincipal.equals(other.grantorPrincipal))
-      return false;
     if (groupName == null) {
       if (other.groupName != null)
         return false;

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
index 7215435..4030205 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
@@ -19,7 +19,6 @@
 package org.apache.sentry.provider.db.service.model;
 
 import java.util.HashSet;
-import java.util.Iterator;
 import java.util.Set;
 
 import javax.jdo.annotations.PersistenceCapable;
@@ -32,6 +31,9 @@ import javax.jdo.annotations.PersistenceCapable;
 public class MSentryPrivilege {
 
   private String privilegeScope;
+  /**
+   * Privilege name is unique
+   */
   private String privilegeName;
   private String serverName;
   private String dbName;
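Review bot: The new comment `Privilege name is unique` is the only statement of an invariant that the later hunks of this file rely on, since hashCode() and equals() are reduced to `privilegeName` alone. Nothing in the visible hunks enforces it, so two privileges that differ in server, database, table, URI or action but carry the same name would collapse into one element of a `Set<MSentryPrivilege>`, and a grant could be dropped or mistaken for another. I would extend the Javadoc to say how the name is built and where uniqueness is enforced, e.g. `Privilege name is unique; it is the identity used by equals() and hashCode(), so it must encode every scoping field.` That wording needs confirming against the code that constructs the name, which is not shown here.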
@@ -132,10 +134,6 @@ public class MSentryPrivilege {
     this.privilegeName = privilegeName;
   }
 
-  public void appendRoles(Set<MSentryRole> roles) {
-    this.roles.addAll(roles);
-  }
-
   public void appendRole(MSentryRole role) {
     if (!roles.contains(role)) {
       roles.add(role);
@@ -144,21 +142,8 @@ public class MSentryPrivilege {
   }
 
   public void removeRole(MSentryRole role) {
-    for (Iterator<MSentryRole> iter = roles.iterator(); iter.hasNext();) {
-      if (iter.next().getRoleName().equalsIgnoreCase(role.getRoleName())) {
-        iter.remove();
-        role.removePrivilege(this);
-        return;
-      }
-    }
-  }
-
-  public void removeRole(String roleName) {
-    for (MSentryRole role: roles) {
-      if (role.getRoleName().equalsIgnoreCase(roleName)) {
-        roles.remove(role);
-        return;
-      }
+    if (roles.remove(role)) {
+      role.removePrivilege(this);
     }
   }
 
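Review bot: The rewritten `removeRole` relies on `roles.remove(role)`, that is on MSentryRole's equals()/hashCode(), where the removed loop matched role names with `equalsIgnoreCase`. MSentryRole's equality is not visible in this hunk; if it is case-sensitive, or depends on fields that change after the role was added to the set, the lookup misses and the role keeps the privilege after a revoke, with no signal to the caller. Consider documenting the assumption on the method, e.g. `// relies on MSentryRole.equals()/hashCode() being keyed on the normalized role name`, and normalizing role-name case where roles are created.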
@@ -175,19 +160,8 @@ public class MSentryPrivilege {
   public int hashCode() {
     final int prime = 31;
     int result = 1;
-    result = prime * result + ((URI == null) ? 0 : URI.hashCode());
-    result = prime * result + ((action == null) ? 0 : action.hashCode());
-    result = prime * result + (int) (createTime ^ (createTime >>> 32));
-    result = prime * result + ((dbName == null) ? 0 : dbName.hashCode());
-    result = prime * result
-        + ((grantorPrincipal == null) ? 0 : grantorPrincipal.hashCode());
     result = prime * result
         + ((privilegeName == null) ? 0 : privilegeName.hashCode());
-    result = prime * result
-        + ((privilegeScope == null) ? 0 : privilegeScope.hashCode());
-    result = prime * result
-        + ((serverName == null) ? 0 : serverName.hashCode());
-    result = prime * result + ((tableName == null) ? 0 : tableName.hashCode());
     return result;
   }
 
@@ -200,48 +174,11 @@ public class MSentryPrivilege {
     if (getClass() != obj.getClass())
       return false;
     MSentryPrivilege other = (MSentryPrivilege) obj;
-    if (URI == null) {
-      if (other.URI != null)
-        return false;
-    } else if (!URI.equals(other.URI))
-      return false;
-    if (action == null) {
-      if (other.action != null)
-        return false;
-    } else if (!action.equals(other.action))
-      return false;
-    if (createTime != other.createTime)
-      return false;
-    if (dbName == null) {
-      if (other.dbName != null)
-        return false;
-    } else if (!dbName.equals(other.dbName))
-      return false;
-    if (grantorPrincipal == null) {
-      if (other.grantorPrincipal != null)
-        return false;
-    } else if (!grantorPrincipal.equals(other.grantorPrincipal))
-      return false;
     if (privilegeName == null) {
       if (other.privilegeName != null)
         return false;
     } else if (!privilegeName.equals(other.privilegeName))
       return false;
-    if (privilegeScope == null) {
-      if (other.privilegeScope != null)
-        return false;
-    } else if (!privilegeScope.equals(other.privilegeScope))
-      return false;
-    if (serverName == null) {
-      if (other.serverName != null)
-        return false;
-    } else if (!serverName.equals(other.serverName))
-      return false;
-    if (tableName == null) {
-      if (other.tableName != null)
-        return false;
-    } else if (!tableName.equals(other.tableName))
-      return false;
     return true;
   }
-}
\ No newline at end of file
+}
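Review bot: With `equals` reduced to `privilegeName` (and `hashCode` in the preceding hunk likewise), two privileges that differ in server, database, table, URI or action but share a name become the same set element, so the new `roles.remove(role)` / `privileges.remove(privilege)` calls treat them as interchangeable. The name reaches the model from the Thrift object in `convertToMSentryPrivilege`, where it is only trimmed, so unless it is derived server-side from the scope fields or backed by a unique constraint, a grant or revoke can act on a different privilege than the one the request describes. The comparison is also case-sensitive now, where the removed loops used `equalsIgnoreCase`, and the privilege name is not lower-cased the way role names are. I would state the invariant on the field instead of `Privilege name is unique`, e.g. `/** Unique, normalized key; equals/hashCode use only this field, so it must not change while the object is in a set. */`. `MSentryRole` gets the same reduction further down, and `equals` begins above this hunk.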

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java
index 16be80b..1dfc0cf 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java
@@ -19,12 +19,12 @@
 package org.apache.sentry.provider.db.service.model;
 
 import java.util.HashSet;
-import java.util.Iterator;
 import java.util.Set;
 
 import javax.jdo.annotations.PersistenceCapable;
 
-import org.apache.sentry.provider.db.service.persistent.SentryNoSuchObjectException;
+import com.google.common.base.Preconditions;
+import com.google.common.collect.ImmutableSet;
 
 /**
  * Database backed Sentry Role. Any changes to this object
@@ -95,12 +95,8 @@ public class MSentryRole {
   }
 
   public void removePrivilege(MSentryPrivilege privilege) {
-    for (Iterator<MSentryPrivilege> iter = privileges.iterator(); iter.hasNext();) {
-      if (iter.next().getPrivilegeName().equalsIgnoreCase(privilege.getPrivilegeName())) {
-        iter.remove();
-        privilege.removeRole(this);
-        return;
-      }
+    if (privileges.remove(privilege)) {
+      privilege.removeRole(this);
     }
   }
 
@@ -132,7 +128,11 @@ public class MSentryRole {
   }
 
   public void removePrivileges() {
-    this.privileges.clear();
+    // copy is required since privilege.removeRole will call remotePrivilege
+    for (MSentryPrivilege privilege : ImmutableSet.copyOf(privileges)) {
+      privilege.removeRole(this);
+    }
+    Preconditions.checkState(privileges.isEmpty(), "Privileges should be empty: " + privileges);
   }
 
   @Override
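Review bot: The comment in `removePrivileges` names a method that does not exist (`remotePrivilege`); it should read `// copy is required since privilege.removeRole calls back into removePrivilege and mutates this set`. The `checkState` holds only when every privilege also lists this role in its own `roles` set, because `MSentryPrivilege.removeRole` calls back only when `roles.remove(role)` returns true; a one-sided link now raises `IllegalStateException` where the old `clear()` succeeded, and that is worth a Javadoc line on the method. The message is also concatenated on every call; `Preconditions.checkState(privileges.isEmpty(), "Privileges should be empty: %s", privileges);` formats it only on failure.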
@@ -146,9 +146,6 @@ public class MSentryRole {
   public int hashCode() {
     final int prime = 31;
     int result = 1;
-    result = prime * result + (int) (createTime ^ (createTime >>> 32));
-    result = prime * result
-        + ((grantorPrincipal == null) ? 0 : grantorPrincipal.hashCode());
     result = prime * result + ((roleName == null) ? 0 : roleName.hashCode());
     return result;
   }
@@ -162,13 +159,6 @@ public class MSentryRole {
     if (getClass() != obj.getClass())
       return false;
     MSentryRole other = (MSentryRole) obj;
-    if (createTime != other.createTime)
-      return false;
-    if (grantorPrincipal == null) {
-      if (other.grantorPrincipal != null)
-        return false;
-    } else if (!grantorPrincipal.equals(other.grantorPrincipal))
-      return false;
     if (roleName == null) {
       if (other.roleName != null)
         return false;

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryAlreadyExistsException.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryAlreadyExistsException.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryAlreadyExistsException.java
deleted file mode 100644
index 965e64c..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryAlreadyExistsException.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.persistent;
-
-import org.apache.sentry.SentryUserException;
-
-public class SentryAlreadyExistsException extends SentryUserException {
-  private static final long serialVersionUID = 1298632655835L;
-  public SentryAlreadyExistsException(String msg) {
-    super(msg);
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryInvalidInputException.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryInvalidInputException.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryInvalidInputException.java
deleted file mode 100644
index 6ac9942..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryInvalidInputException.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.persistent;
-
-import org.apache.sentry.SentryUserException;
-
-public class SentryInvalidInputException extends SentryUserException {
-  private static final long serialVersionUID = 2962080655835L;
-  public SentryInvalidInputException(String msg) {
-    super(msg);
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryNoSuchObjectException.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryNoSuchObjectException.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryNoSuchObjectException.java
deleted file mode 100644
index a976880..0000000
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryNoSuchObjectException.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.db.service.persistent;
-
-import org.apache.sentry.SentryUserException;
-
-public class SentryNoSuchObjectException extends SentryUserException {
-  private static final long serialVersionUID = 2962080655835L;
-  public SentryNoSuchObjectException(String msg) {
-    super(msg);
-  }
-}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
index f1e502a..5c87d95 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
@@ -18,8 +18,13 @@
 
 package org.apache.sentry.provider.db.service.persistent;
 
+import static org.apache.sentry.provider.common.ProviderConstants.AUTHORIZABLE_JOINER;
+import static org.apache.sentry.provider.common.ProviderConstants.KV_JOINER;
+
+import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
 import java.util.UUID;
@@ -30,18 +35,33 @@ import javax.jdo.PersistenceManagerFactory;
 import javax.jdo.Query;
 import javax.jdo.Transaction;
 
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
+import org.apache.sentry.provider.common.ProviderConstants;
+import org.apache.sentry.provider.db.SentryAlreadyExistsException;
+import org.apache.sentry.provider.db.SentryNoSuchObjectException;
 import org.apache.sentry.provider.db.service.model.MSentryGroup;
 import org.apache.sentry.provider.db.service.model.MSentryPrivilege;
 import org.apache.sentry.provider.db.service.model.MSentryRole;
+import org.apache.sentry.provider.db.service.thrift.TSentryActiveRoleSet;
 import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
 import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
 import org.apache.sentry.provider.db.service.thrift.TSentryRole;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
 
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Preconditions;
+import com.google.common.base.Strings;
+import com.google.common.collect.HashMultimap;
 import com.google.common.collect.Lists;
+import com.google.common.collect.SetMultimap;
 import com.google.common.collect.Sets;
 
+/**
+ * SentryStore is the data access object for Sentry data. Strings
+ * such as role and group names will be normalized to lowercase
+ * in addition to starting and ending whitespace.
+ */
 public class SentryStore {
   private static final UUID SERVER_UUID = UUID.randomUUID();
   static final String DEFAULT_DATA_DIR = "sentry_policy_db";
@@ -53,59 +73,25 @@ public class SentryStore {
    * is required to read commitSequenceId.
    */
   private long commitSequenceId;
-  private final Properties prop;
   private final PersistenceManagerFactory pmf;
-  private final String databaseName;
 
-  public SentryStore(String dataDir) {
+  public SentryStore(Configuration conf) {
     commitSequenceId = 0;
-    databaseName = (dataDir = dataDir.trim()).isEmpty() ? DEFAULT_DATA_DIR : dataDir;
-    prop = getDataSourceProperties();
+    Properties prop = new Properties();
+    prop.putAll(ServerConfig.SENTRY_STORE_DEFAULTS);
+    String jdbcUrl = conf.get(ServerConfig.SENTRY_STORE_JDBC_URL, "").trim();
+    Preconditions.checkArgument(!jdbcUrl.isEmpty(), "Required parameter " +
+        ServerConfig.SENTRY_STORE_JDBC_URL + " missing");
+    prop.setProperty("javax.jdo.option.ConnectionURL", jdbcUrl);
     pmf = JDOHelper.getPersistenceManagerFactory(prop);
   }
 
-  public SentryStore() {
-    this("");
-  }
-
   public synchronized void stop() {
     if (pmf != null) {
       pmf.close();
     }
   }
 
-  private Properties getDataSourceProperties() {
-    Properties prop = new Properties();
-    // FIXME: Read from configuration, override the default
-    //prop.setProperty("datanucleus.connectionPoolingType", "BONECP");
-    prop.setProperty("datanucleus.validateTables", "false");
-    prop.setProperty("datanucleus.validateColumns", "false");
-    prop.setProperty("datanucleus.validateConstraints", "false");
-    prop.setProperty("datanucleus.storeManagerType", "rdbms");
-    prop.setProperty("datanucleus.autoCreateSchema", "true");
-    prop.setProperty("datanucleus.fixedDatastore", "false");
-    prop.setProperty("datanucleus.autoStartMechanismMode", "checked");
-    prop.setProperty("datanucleus.transactionIsolation", "read-committed");
-    prop.setProperty("datanucleus.cache.level2", "false");
-    prop.setProperty("datanucleus.cache.level2.type", "none");
-    prop.setProperty("datanucleus.identifierFactory", "datanucleus1");
-    prop.setProperty("datanucleus.rdbms.useLegacyNativeValueStrategy", "true");
-    prop.setProperty("datanucleus.plugin.pluginRegistryBundleCheck", "LOG");
-    prop.setProperty("javax.jdo.option.ConnectionDriverName",
-                     "org.apache.derby.jdbc.EmbeddedDriver");
-    prop.setProperty("javax.jdo.PersistenceManagerFactoryClass",
-                     "org.datanucleus.api.jdo.JDOPersistenceManagerFactory");
-    prop.setProperty("javax.jdo.option.DetachAllOnCommit", "true");
-    prop.setProperty("javax.jdo.option.NonTransactionalRead", "false");
-    prop.setProperty("javax.jdo.option.NonTransactionalWrite", "false");
-    prop.setProperty("javax.jdo.option.ConnectionUserName", "Sentry");
-    prop.setProperty("javax.jdo.option.ConnectionPassword", "Sentry");
-    prop.setProperty("javax.jdo.option.Multithreaded", "true");
-    prop.setProperty("javax.jdo.option.ConnectionURL",
-                     "jdbc:derby:;databaseName=" + databaseName + ";create=true");
-    return prop;
-  }
-
   /**
    * PersistenceManager object and Transaction object have a one to one
    * correspondence. Each PersistenceManager object is associated with a
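Review bot: The new constructor takes only `javax.jdo.option.ConnectionURL` from `conf`; every other connection property, including the user name and password, now comes from `ServerConfig.SENTRY_STORE_DEFAULTS`, which is not part of this hunk. If that map carries over the literals removed here (`Sentry` / `Sentry`), a deployment that points the URL at a shared database authenticates with a fixed, publicly known credential, so `javax.jdo.option.ConnectionUserName` and `javax.jdo.option.ConnectionPassword` should be read from configuration or a credential store the same way as the URL. `DEFAULT_DATA_DIR` appears to have no remaining use in the visible code.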
@@ -168,25 +154,26 @@ public class SentryStore {
     }
   }
 
-  public CommitContext createSentryRole(TSentryRole role)
+  public CommitContext createSentryRole(String roleName, String grantorPrincipal)
   throws SentryAlreadyExistsException {
     boolean rollbackTransaction = true;
     PersistenceManager pm = null;
+    roleName = roleName.trim().toLowerCase();
     try {
       pm = openTransaction();
       Query query = pm.newQuery(MSentryRole.class);
       query.setFilter("this.roleName == t");
       query.declareParameters("java.lang.String t");
       query.setUnique(true);
-      MSentryRole sentryRole = (MSentryRole) query.execute(role.getRoleName());
+      MSentryRole sentryRole = (MSentryRole) query.execute(roleName);
       if (sentryRole == null) {
-        MSentryRole mRole = convertToMSentryRole(role);
+        MSentryRole mRole = convertToMSentryRole(roleName, grantorPrincipal);
         pm.makePersistent(mRole);
         CommitContext commit = commitUpdateTransaction(pm);
         rollbackTransaction = false;
         return commit;
       } else {
-        throw new SentryAlreadyExistsException("Role: " + role.getRoleName());
+        throw new SentryAlreadyExistsException("Role: " + roleName);
       }
     } finally {
       if (rollbackTransaction) {
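Review bot: `roleName.trim().toLowerCase()` lower-cases with the JVM's default locale, so the stored form of a role name depends on where the server runs (under a Turkish locale `ADMIN` becomes `admın`), and a name written under one locale may not match a lookup under another. For a key used in authorization decisions the normalization should be locale-independent: `roleName = roleName.trim().toLowerCase(Locale.ROOT);`. The same call is added in the four one-line hunks that follow, in the group-name loop and in `toTrimedLower`. Each of them dereferences its argument before the `try`, so a null name in the Thrift request surfaces as a `NullPointerException` rather than as an invalid-input status. The method body continues past this hunk.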
@@ -200,6 +187,7 @@ public class SentryStore {
       TSentryPrivilege privilege) throws SentryNoSuchObjectException {
     boolean rollbackTransaction = true;
     PersistenceManager pm = null;
+    roleName = roleName.trim().toLowerCase();
     try {
       pm = openTransaction();
       Query query = pm.newQuery(MSentryRole.class);
@@ -269,7 +257,7 @@ public class SentryStore {
   throws SentryNoSuchObjectException {
     boolean rollbackTransaction = true;
     PersistenceManager pm = null;
-    roleName = roleName.trim();
+    roleName = roleName.trim().toLowerCase();
     try {
       pm = openTransaction();
       Query query = pm.newQuery(MSentryRole.class);
@@ -340,6 +328,7 @@ public class SentryStore {
   throws SentryNoSuchObjectException {
     boolean rollbackTransaction = true;
     PersistenceManager pm = null;
+    roleName = roleName.trim().toLowerCase();
     try {
       pm = openTransaction();
       Query query = pm.newQuery(MSentryRole.class);
@@ -356,7 +345,8 @@ public class SentryStore {
         query.setUnique(true);
         List<MSentryGroup> groups = Lists.newArrayList();
         for (TSentryGroup tGroup : groupNames) {
-          MSentryGroup group = (MSentryGroup) query.execute(tGroup.getGroupName());
+          String groupName = tGroup.getGroupName().trim().toLowerCase();
+          MSentryGroup group = (MSentryGroup) query.execute(groupName);
           if (group != null) {
             group.removeRole(role);
             groups.add(group);
@@ -379,7 +369,7 @@ public class SentryStore {
   throws SentryNoSuchObjectException {
     boolean rollbackTransaction = true;
     PersistenceManager pm = null;
-    roleName = roleName.trim();
+    roleName = roleName.trim().toLowerCase();
     try {
       pm = openTransaction();
       Query query = pm.newQuery(MSentryRole.class);
@@ -407,17 +397,98 @@ public class SentryStore {
     return convertToSentryRole(getMSentryRoleByName(roleName));
   }
 
-  private MSentryRole convertToMSentryRole(TSentryRole role) {
+  private SetMultimap<String, String> getRoleToPrivilegeMap(Set<String> groups) {
+    SetMultimap<String, String> result = HashMultimap.create();
+    boolean rollbackTransaction = true;
+    PersistenceManager pm = null;
+    try {
+      pm = openTransaction();
+      Query query = pm.newQuery(MSentryGroup.class);
+      query.setFilter("this.groupName == t");
+      query.declareParameters("java.lang.String t");
+      query.setUnique(true);
+      for (String group : toTrimedLower(groups)) {
+        MSentryGroup sentryGroup = (MSentryGroup) query.execute(group);
+        if (sentryGroup != null) {
+          for (MSentryRole role : sentryGroup.getRoles()) {
+            for (MSentryPrivilege privilege : role.getPrivileges()) {
+              result.put(role.getRoleName(), toAuthorizable(privilege));
+            }
+          }
+        }
+      }
+      rollbackTransaction = false;
+      commitTransaction(pm);
+      return result;
+    } finally {
+      if (rollbackTransaction) {
+        rollbackTransaction(pm);
+      }
+    }
+  }
+
+  public Set<String> listSentryPrivilegesForProvider(Set<String> groups,
+      TSentryActiveRoleSet roleSet) {
+   Set<String> result = Sets.newHashSet();
+   Set<String> activeRoleNames = toTrimedLower(roleSet.getRoles());
+   for (Map.Entry<String, String> entry : getRoleToPrivilegeMap(groups).entries()) {
+     if (roleSet.isAll()) {
+       result.add(entry.getValue());
+     } else if (activeRoleNames.contains(entry.getKey())) {
+       result.add(entry.getValue());
+     }
+   }
+   return result;
+  }
+
+  @VisibleForTesting
+  static String toAuthorizable(MSentryPrivilege privilege) {
+    List<String> authorizable = new ArrayList<>(4);
+    authorizable.add(KV_JOINER.join(AuthorizableType.Server.name().toLowerCase(),
+        privilege.getServerName()));
+    if (Strings.nullToEmpty(privilege.getURI()).isEmpty()) {
+      if (!Strings.nullToEmpty(privilege.getDbName()).isEmpty()) {
+        authorizable.add(KV_JOINER.join(AuthorizableType.Db.name().toLowerCase(),
+            privilege.getDbName()));
+        if (!Strings.nullToEmpty(privilege.getTableName()).isEmpty()) {
+          authorizable.add(KV_JOINER.join(AuthorizableType.Table.name().toLowerCase(),
+              privilege.getTableName()));
+        }
+      }
+    } else {
+      authorizable.add(KV_JOINER.join(AuthorizableType.URI.name().toLowerCase(),
+          privilege.getURI()));
+    }
+    if (!Strings.nullToEmpty(privilege.getAction()).isEmpty()) {
+      authorizable.add(KV_JOINER.join(ProviderConstants.PRIVILEGE_NAME.toLowerCase(),
+          privilege.getAction()));
+    }
+    return AUTHORIZABLE_JOINER.join(authorizable);
+  }
+
+  @VisibleForTesting
+  static Set<String> toTrimedLower(Set<String> s) {
+    Set<String> result = Sets.newHashSet();
+    for (String v : s) {
+      result.add(v.trim().toLowerCase());
+    }
+    return result;
+  }
+
+  /**
+   * Converts thrift object to model object. Additionally does normalization
+   * such as trimming whitespace and setting appropriate case.
+   */
+  private MSentryRole convertToMSentryRole(String roleName, String grantorPrincipal) {
     MSentryRole mRole = new MSentryRole();
-    mRole.setCreateTime(role.getCreateTime());
-    mRole.setRoleName(role.getRoleName());
-    mRole.setGrantorPrincipal(role.getGrantorPrincipal());
+    mRole.setCreateTime(System.currentTimeMillis());
+    mRole.setRoleName(roleName.trim().toLowerCase());
+    mRole.setGrantorPrincipal(grantorPrincipal.trim());
     return mRole;
   }
 
   private TSentryRole convertToSentryRole(MSentryRole mSentryRole) {
     TSentryRole role = new TSentryRole();
-    role.setCreateTime(mSentryRole.getCreateTime());
     role.setRoleName(mSentryRole.getRoleName());
     role.setGrantorPrincipal(mSentryRole.getGrantorPrincipal());
 
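Review bot: `toAuthorizable` joins stored field values into the policy string without validating them. Server, database, table, URI and action values originate in the client's Thrift object and are only trimmed by `convertToMSentryPrivilege`, so a value that contains the key-value or authorizable separator would produce a string that a consumer splitting on those separators reads as a different authorizable; those characters should be rejected when the privilege is written. `KV_JOINER.join(...)` is also handed `privilege.getServerName()` unchecked, and if `KV_JOINER` is a plain Guava `Joiner` a null server name throws `NullPointerException` here. In `listSentryPrivilegesForProvider`, `toTrimedLower(roleSet.getRoles())` runs before `roleSet.isAll()` is consulted, so an ALL role set without a role list would fail if `getRoles()` returns null; moving the call into the `else` branch avoids that.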
@@ -445,17 +516,27 @@ public class SentryStore {
     return privilege;
   }
 
+  /**
+   * Converts thrift object to model object. Additionally does normalization
+   * such as trimming whitespace and setting appropriate case.
+   */
   private MSentryPrivilege convertToMSentryPrivilege(TSentryPrivilege privilege) {
     MSentryPrivilege mSentryPrivilege = new MSentryPrivilege();
-    mSentryPrivilege.setServerName(privilege.getServerName());
-    mSentryPrivilege.setDbName(privilege.getDbName());
-    mSentryPrivilege.setTableName(privilege.getTableName());
-    mSentryPrivilege.setPrivilegeScope(privilege.getPrivilegeScope());
-    mSentryPrivilege.setAction(privilege.getAction());
+    mSentryPrivilege.setServerName(safeTrim(privilege.getServerName()));
+    mSentryPrivilege.setDbName(safeTrim(privilege.getDbName()));
+    mSentryPrivilege.setTableName(safeTrim(privilege.getTableName()));
+    mSentryPrivilege.setPrivilegeScope(safeTrim(privilege.getPrivilegeScope()));
+    mSentryPrivilege.setAction(safeTrim(privilege.getAction()));
     mSentryPrivilege.setCreateTime(privilege.getCreateTime());
-    mSentryPrivilege.setGrantorPrincipal(privilege.getGrantorPrincipal());
-    mSentryPrivilege.setURI(privilege.getURI());
-    mSentryPrivilege.setPrivilegeName(privilege.getPrivilegeName());
+    mSentryPrivilege.setGrantorPrincipal(safeTrim(privilege.getGrantorPrincipal()));
+    mSentryPrivilege.setURI(safeTrim(privilege.getURI()));
+    mSentryPrivilege.setPrivilegeName(safeTrim(privilege.getPrivilegeName()));
     return mSentryPrivilege;
   }
+  private String safeTrim(String s) {
+    if (s == null) {
+      return null;
+    }
+    return s.trim();
+  }
 }
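Review bot: `convertToMSentryPrivilege` still copies `createTime` and `grantorPrincipal` from the Thrift object, while `convertToMSentryRole` in the previous hunk now stamps `System.currentTimeMillis()` itself. Both fields are audit data that the client can set to any value; I would set the time server-side with `mSentryPrivilege.setCreateTime(System.currentTimeMillis());` and pass the grantor in from the authenticated requestor rather than from the request body. `safeTrim` reads no instance state and could be `private static`, separated from the preceding method by a blank line.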

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
index a4487ee..84d9d8d 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
@@ -18,24 +18,33 @@
 
 package org.apache.sentry.provider.db.service.thrift;
 
+import java.io.IOException;
 import java.net.InetSocketAddress;
+import java.util.Set;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.security.SaslRpcServer;
 import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
+import org.apache.sentry.SentryUserException;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.model.db.AccessConstants;
 import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
 import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants;
+import org.apache.sentry.service.thrift.Status;
 import org.apache.thrift.TException;
 import org.apache.thrift.protocol.TBinaryProtocol;
 import org.apache.thrift.protocol.TMultiplexedProtocol;
 import org.apache.thrift.transport.TSaslClientTransport;
 import org.apache.thrift.transport.TSocket;
 import org.apache.thrift.transport.TTransport;
+import org.apache.thrift.transport.TTransportException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import com.google.common.base.Preconditions;
+import com.google.common.collect.Sets;
 
 public class SentryPolicyServiceClient {
 
@@ -49,7 +58,7 @@ public class SentryPolicyServiceClient {
   private static final Logger LOGGER = LoggerFactory
                                        .getLogger(SentryPolicyServiceClient.class);
 
-  public SentryPolicyServiceClient(Configuration conf) throws Exception {
+  public SentryPolicyServiceClient(Configuration conf) throws IOException {
     this.conf = conf;
     this.serverAddress = NetUtils.createSocketAddr(Preconditions.checkNotNull(
                            conf.get(ClientConfig.SERVER_RPC_ADDRESS), "Config key "
@@ -68,7 +77,11 @@ public class SentryPolicyServiceClient {
     TTransport saslTransport = new TSaslClientTransport(
       AuthMethod.KERBEROS.getMechanismName(), null, serverPrincipalParts[0],
       serverPrincipalParts[1], ClientConfig.SASL_PROPERTIES, null, transport);
-    saslTransport.open();
+    try {
+      saslTransport.open();
+    } catch (TTransportException e) {
+      throw new IOException("Transport exception while opening transport: " + e.getMessage(), e);
+    }
     LOGGER.info("Successfully opened transport");
     TMultiplexedProtocol protocol = new TMultiplexedProtocol(
       new TBinaryProtocol(saslTransport),
@@ -77,9 +90,53 @@ public class SentryPolicyServiceClient {
     LOGGER.info("Successfully created client");
   }
 
-  public TCreateSentryRoleResponse createRole(TCreateSentryRoleRequest req)
-  throws TException {
-    return client.create_sentry_role(req);
+  public void createRole(String requestorUserName, Set<String> requestorUserGroupNames, String roleName)
+  throws SentryUserException {
+    TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
+    request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
+    request.setRequestorUserName(requestorUserName);
+    request.setRequestorGroupNames(requestorUserGroupNames);
+    request.setRoleName(roleName);
+    try {
+      TCreateSentryRoleResponse response = client.create_sentry_role(request);
+      Status.throwIfNotOk(response.getStatus());
+    } catch (TException e) {
+      String msg = "Thrift exception occured: " + e.getMessage();
+      throw new SentryUserException(msg, e);
+    }
+  }
+
+  public void dropRole(String requestorUserName, Set<String> requestorUserGroupNames,
+      String roleName)
+  throws SentryUserException {
+    dropRole(requestorUserName, requestorUserGroupNames, roleName, false);
+  }
+
+  public void dropRoleIfExists(String requestorUserName, Set<String> requestorUserGroupNames,
+      String roleName)
+  throws SentryUserException {
+    dropRole(requestorUserName, requestorUserGroupNames, roleName, true);
+  }
+
+  private void dropRole(String requestorUserName, Set<String> requestorUserGroupNames,
+      String roleName, boolean ifExists)
+  throws SentryUserException {
+    TDropSentryRoleRequest request = new TDropSentryRoleRequest();
+    request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
+    request.setRequestorUserName(requestorUserName);
+    request.setRequestorGroupNames(requestorUserGroupNames);
+    request.setRoleName(roleName);
+    try {
+      TDropSentryRoleResponse response = client.drop_sentry_role(request);
+      Status status = Status.fromCode(response.getStatus().getValue());
+      if (ifExists && status == Status.NO_SUCH_OBJECT) {
+        return;
+      }
+      Status.throwIfNotOk(response.getStatus());
+    } catch (TException e) {
+      String msg = "Thrift exception occured: " + e.getMessage();
+      throw new SentryUserException(msg, e);
+    }
   }
 
   public TListSentryRolesResponse listRoleByName(TListSentryRolesRequest req)
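Review bot: `createRole` and `dropRole` place caller-chosen `requestorUserName` and `requestorUserGroupNames` into the request, so on the wire these are claims made by the client, not an authenticated identity. The server side is not in this hunk; it should take the user from the SASL/Kerberos-authenticated connection and resolve group membership itself, and a Javadoc on these methods should state what the server does with the two arguments. The message literal `"Thrift exception occured: "` is misspelled (`occurred`) in both catch blocks.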
@@ -87,19 +144,143 @@ public class SentryPolicyServiceClient {
     return client.list_sentry_roles_by_role_name(req);
   }
 
-  public TDropSentryRoleResponse dropRole(TDropSentryRoleRequest req)
-  throws TException {
-    return client.drop_sentry_role(req);
+  public void grantURIPrivilege(String requestorUserName, Set<String> requestorUserGroupNames,
+      String roleName, String server, String uri)
+  throws SentryUserException {
+    grantPrivilege(requestorUserName, requestorUserGroupNames, roleName, "SERVER", server, uri,
+        null, null, AccessConstants.ALL);
   }
 
-  public TAlterSentryRoleGrantPrivilegeResponse grantPrivilege(TAlterSentryRoleGrantPrivilegeRequest req)
-  throws TException {
-    return client.alter_sentry_role_grant_privilege(req);
+  public void grantServerPrivilege(String requestorUserName, Set<String> requestorUserGroupNames,
+      String roleName, String server)
+  throws SentryUserException {
+    grantPrivilege(requestorUserName, requestorUserGroupNames, roleName, "SERVER", server, null,
+        null, null, AccessConstants.ALL);
   }
 
-  public TAlterSentryRoleRevokePrivilegeResponse revokePrivilege(TAlterSentryRoleRevokePrivilegeRequest req)
-  throws TException {
-    return client.alter_sentry_role_revoke_privilege(req);
+  public void grantDatabasePrivilege(String requestorUserName, Set<String> requestorUserGroupNames,
+      String roleName, String server, String db)
+  throws SentryUserException {
+    grantPrivilege(requestorUserName, requestorUserGroupNames, roleName, "DATABASE", server, null,
+        db, null, AccessConstants.ALL);
+  }
+
+  public void grantTablePrivilege(String requestorUserName, Set<String> requestorUserGroupNames,
+      String roleName, String server, String db, String table, String action)
+  throws SentryUserException {
+    grantPrivilege(requestorUserName, requestorUserGroupNames, roleName, "TABLE", server, null,
+        db, table, action);
+  }
+
+  private void grantPrivilege(String requestorUserName, Set<String> requestorUserGroupNames,
+      String roleName, String scope, String serverName, String uri, String db, String table, String action)
+  throws SentryUserException {
+    TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
+    request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
+    request.setRequestorUserName(requestorUserName);
+    request.setRequestorGroupNames(requestorUserGroupNames);
+    request.setRoleName(roleName);
+    TSentryPrivilege privilege = new TSentryPrivilege();
+    privilege.setPrivilegeScope(scope);
+    privilege.setServerName(serverName);
+    privilege.setURI(uri);
+    privilege.setDbName(db);
+    privilege.setAction(action);
+    privilege.setGrantorPrincipal(requestorUserName);
+    privilege.setCreateTime(System.currentTimeMillis());
+    request.setPrivilege(privilege);
+    try {
+      TAlterSentryRoleGrantPrivilegeResponse response = client.alter_sentry_role_grant_privilege(request);
+      Status.throwIfNotOk(response.getStatus());
+    } catch (TException e) {
+      String msg = "Thrift exception occured: " + e.getMessage();
+      throw new SentryUserException(msg, e);
+    }
+  }
+
+  public void revokeURIPrivilege(String requestorUserName, Set<String> requestorUserGroupNames,
+      String roleName, String server, String uri)
+  throws SentryUserException {
+    revokePrivilege(requestorUserName, requestorUserGroupNames, roleName, "SERVER", server, uri,
+        null, null, AccessConstants.ALL);
+  }
+
+  public void revokeServerPrivilege(String requestorUserName, Set<String> requestorUserGroupNames,
+      String roleName, String server)
+  throws SentryUserException {
+    revokePrivilege(requestorUserName, requestorUserGroupNames, roleName, "SERVER", server, null,
+        null, null, AccessConstants.ALL);
+  }
+
+  public void revokeDatabasePrivilege(String requestorUserName, Set<String> requestorUserGroupNames,
+      String roleName, String server, String db)
+  throws SentryUserException {
+    revokePrivilege(requestorUserName, requestorUserGroupNames, roleName, "DATABASE", server, null,
+        db, null, AccessConstants.ALL);
+  }
+
+  public void revokeTablePrivilege(String requestorUserName, Set<String> requestorUserGroupNames,
+      String roleName, String server, String db, String table, String action)
+  throws SentryUserException {
+    revokePrivilege(requestorUserName, requestorUserGroupNames, roleName, "TABLE", server, null,
+        db, table, action);
+  }
+
+  private void revokePrivilege(String requestorUserName, Set<String> requestorUserGroupNames,
+      String roleName, String scope, String serverName, String uri, String db, String table, String action)
+  throws SentryUserException {
+    TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest();
+    request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
+    request.setRequestorUserName(requestorUserName);
+    request.setRequestorGroupNames(requestorUserGroupNames);
+    request.setRoleName(roleName);
+    TSentryPrivilege privilege = new TSentryPrivilege();
+    privilege.setPrivilegeScope(scope);
+    privilege.setServerName(serverName);
+    privilege.setURI(uri);
+    privilege.setDbName(db);
+    privilege.setAction(action);
+    privilege.setGrantorPrincipal(requestorUserName);
+    privilege.setCreateTime(System.currentTimeMillis());
+    request.setPrivilege(privilege);
+    try {
+      TAlterSentryRoleRevokePrivilegeResponse response = client.alter_sentry_role_revoke_privilege(request);
+      Status.throwIfNotOk(response.getStatus());
+    } catch (TException e) {
+      String msg = "Thrift exception occured: " + e.getMessage();
+      throw new SentryUserException(msg, e);
+    }
+  }
+
+  public Set<String> listPrivileges(Set<String> groups, ActiveRoleSet roleSet)
+  throws SentryUserException {
+    TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles());
+    TListSentryPrivilegesForProviderRequest request =
+        new TListSentryPrivilegesForProviderRequest(ThriftConstants.
+            TSENTRY_SERVICE_VERSION_CURRENT, groups, thriftRoleSet);
+    try {
+      TListSentryPrivilegesForProviderResponse response = client.list_sentry_privileges_for_provider(request);
+      Status.throwIfNotOk(response.getStatus());
+      return response.getPrivileges();
+    } catch (TException e) {
+      String msg = "Thrift exception occured: " + e.getMessage();
+      throw new SentryUserException(msg, e);
+    }
+  }
+
+  public void grantRoleToGroup(String requestorUserName, Set<String> requestorUserGroupName,
+      String groupName, String roleName)
+  throws SentryUserException {
+    TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest(ThriftConstants.
+        TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName, requestorUserGroupName,
+        roleName, Sets.newHashSet(new TSentryGroup(groupName)));
+    try {
+      TAlterSentryRoleAddGroupsResponse response = client.alter_sentry_role_add_groups(request);
+      Status.throwIfNotOk(response.getStatus());
+    } catch (TException e) {
+      String msg = "Thrift exception occured: " + e.getMessage();
+      throw new SentryUserException(msg, e);
+    }
   }
 
   public void close() {
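Review bot: `grantPrivilege` never copies its `table` argument into the `TSentryPrivilege`, and `revokePrivilege` further down has the same gap, so `grantTablePrivilege` and `revokeTablePrivilege` send a TABLE-scoped privilege with no table name. The server-side validation shown elsewhere in this commit rejects SELECT/INSERT without a table name, and for other actions the stored privilege may end up wider than the caller asked for. Add `privilege.setTableName(table);` after `privilege.setDbName(db);` in both helpers. The client also fills `grantorPrincipal`, which the .thrift comment marks as set on the server side.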

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
index 3fe47dc..722b490 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -24,10 +24,10 @@ import java.util.List;
 import java.util.Set;
 
 import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.provider.db.SentryAlreadyExistsException;
+import org.apache.sentry.provider.db.SentryInvalidInputException;
+import org.apache.sentry.provider.db.SentryNoSuchObjectException;
 import org.apache.sentry.provider.db.service.persistent.CommitContext;
-import org.apache.sentry.provider.db.service.persistent.SentryAlreadyExistsException;
-import org.apache.sentry.provider.db.service.persistent.SentryInvalidInputException;
-import org.apache.sentry.provider.db.service.persistent.SentryNoSuchObjectException;
 import org.apache.sentry.provider.db.service.persistent.SentryStore;
 import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants.PolicyStoreServerConfig;
 import org.apache.sentry.service.thrift.Status;
@@ -61,7 +61,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
     this.notificationHandlerInvoker = new NotificationHandlerInvoker(conf,
         createHandlers(conf));
     isReady = false;
-    sentryStore = new SentryStore();
+    sentryStore = new SentryStore(conf);
     isReady = true;
   }
 
@@ -114,7 +114,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
       throw new SentryInvalidInputException("Server name is null");
     }
 
-    if (action.equalsIgnoreCase("SELECT") || action.equalsIgnoreCase("INSERT")) {
+    if ("SELECT".equalsIgnoreCase(action) || "INSERT".equalsIgnoreCase(action)) {
       if (tableName == null || tableName.equals("")) {
         throw new SentryInvalidInputException("Table name can't be null for SELECT/INSERT privilege");
       }
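Review bot: With the operands flipped, a null `action` no longer throws, but it also skips the table-name check and leaves this branch without being rejected. The rest of the method is outside the hunk, so a later check may exist. If it does not, reject the value explicitly next to the server-name check, for example `if (action == null) { throw new SentryInvalidInputException("Action is null"); }`, so that a privilege without an action never reaches the store.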
@@ -150,7 +150,8 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
     TCreateSentryRoleRequest request) throws TException {
     TCreateSentryRoleResponse response = new TCreateSentryRoleResponse();
     try {
-      CommitContext commitContext = sentryStore.createSentryRole(request.getRole());
+      CommitContext commitContext = sentryStore.createSentryRole(request.getRoleName(),
+          request.getRequestorUserName());
       response.setStatus(Status.OK());
       notificationHandlerInvoker.create_sentry_role(commitContext,
           request, response);
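Review bot: The grantor passed to `createSentryRole` is `request.getRequestorUserName()`, a value the client writes into the request, and nothing in this hunk ties it to the identity authenticated on the connection or checks that the requestor may create roles. The method starts and ends outside the hunk, so that check may live elsewhere; if it does, a comment such as `// requestorUserName is asserted by the caller; callers must be authenticated, trusted services` would record the assumption. Otherwise the name should be validated before it reaches the store. The same question applies to `alter_sentry_role_delete_groups` in the next hunk, which acts on `request.getRoleName()` and `request.getGroups()` with no requestor check visible.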
@@ -272,10 +273,10 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
   @Override
   public TAlterSentryRoleDeleteGroupsResponse alter_sentry_role_delete_groups(
     TAlterSentryRoleDeleteGroupsRequest request) throws TException {
-    // TODO implement
     TAlterSentryRoleDeleteGroupsResponse response = new TAlterSentryRoleDeleteGroupsResponse();
     try {
-      CommitContext commitContext = sentryStore.alterSentryRoleDeleteGroups(null, null);
+      CommitContext commitContext = sentryStore.alterSentryRoleDeleteGroups(request.getRoleName(),
+          request.getGroups());
       response.setStatus(Status.OK());
       notificationHandlerInvoker.alter_sentry_role_delete_groups(commitContext,
           request, response);
@@ -321,7 +322,6 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
   public TListSentryRolesResponse list_sentry_roles_by_role_name(
     TListSentryRolesRequest request) throws TException {
     TListSentryRolesResponse response = new TListSentryRolesResponse();
-    TSentryResponseStatus status;
     TSentryRole role = null;
     Set<TSentryRole> roleSet = new HashSet<TSentryRole>();
     try {
@@ -341,4 +341,25 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
     }
     return response;
   }
+
+  /**
+   * This method was created specifically for ProviderBackend.getPrivileges() and is not meant
+   * to be used for general privilege retrieval. More details in the .thrift file.
+   */
+  @Override
+  public TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(
+      TListSentryPrivilegesForProviderRequest request) throws TException {
+    TListSentryPrivilegesForProviderResponse response = new TListSentryPrivilegesForProviderResponse();
+    response.setPrivileges(new HashSet<String>());
+    try {
+      response.setPrivileges(sentryStore.listSentryPrivilegesForProvider(
+          request.getGroups(), request.getRoleSet()));
+      response.setStatus(Status.OK());
+    } catch (Exception e) {
+      String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
+      LOGGER.error(msg, e);
+      response.setStatus(Status.RuntimeError(msg, e));
+    }
+    return response;
+  }
 }
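Review bot: `list_sentry_privileges_for_provider` returns privileges for whatever `groups` and `roleSet` the request names, and unlike the other requests this one carries no requestor fields, so the handler cannot tell on whose behalf it is answering. Unless the transport limits callers to trusted service principals, which this hunk does not show, any client that can connect can read the privilege strings of arbitrary groups. Extend the Javadoc to state the trust assumption, for example `Callers are expected to be trusted services; the groups in the request are not checked against the connection's authenticated user.`, or add requestor fields and check them.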

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
index 253f88e..29df4c4 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
@@ -59,6 +59,35 @@ public class ServiceConstants {
     public static final String PROCESSOR_FACTORIES = "sentry.service.processor.factories";
     public static final String PROCESSOR_FACTORIES_DEFAULT =
         "org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessorFactory";
+    public static final String SENTRY_STORE_JDBC_URL = "sentry.store.jdbc.url";
+
+    public static final ImmutableMap<String, String> SENTRY_STORE_DEFAULTS =
+        ImmutableMap.<String, String>builder()
+    .put("datanucleus.validateTables", "false")
+    .put("datanucleus.validateColumns", "false")
+    .put("datanucleus.validateConstraints", "false")
+    .put("datanucleus.storeManagerType", "rdbms")
+    .put("datanucleus.autoCreateSchema", "true")
+    .put("datanucleus.fixedDatastore", "false")
+    .put("datanucleus.autoStartMechanismMode", "checked")
+    .put("datanucleus.transactionIsolation", "read-committed")
+    .put("datanucleus.cache.level2", "false")
+    .put("datanucleus.cache.level2.type", "none")
+    .put("datanucleus.identifierFactory", "datanucleus1")
+    .put("datanucleus.rdbms.useLegacyNativeValueStrategy", "true")
+    .put("datanucleus.plugin.pluginRegistryBundleCheck", "LOG")
+    .put("javax.jdo.option.ConnectionDriverName",
+                     "org.apache.derby.jdbc.EmbeddedDriver")
+    .put("javax.jdo.PersistenceManagerFactoryClass",
+                     "org.datanucleus.api.jdo.JDOPersistenceManagerFactory")
+    .put("javax.jdo.option.DetachAllOnCommit", "true")
+    .put("javax.jdo.option.NonTransactionalRead", "false")
+    .put("javax.jdo.option.NonTransactionalWrite", "false")
+    .put("javax.jdo.option.ConnectionUserName", "Sentry")
+    .put("javax.jdo.option.ConnectionPassword", "Sentry")
+    .put("javax.jdo.option.Multithreaded", "true")
+    .build();
+
   }
   public static class ClientConfig {
     public static final ImmutableMap<String, String> SASL_PROPERTIES = ServiceConstants.SASL_PROPERTIES;
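Review bot: `SENTRY_STORE_DEFAULTS` ships a fixed `javax.jdo.option.ConnectionUserName` and `javax.jdo.option.ConnectionPassword` of `Sentry`/`Sentry`, so a deployment that sets only `sentry.store.jdbc.url` would connect to its policy database with credentials that are public in the source. With `datanucleus.autoCreateSchema` defaulting to `true`, that account would presumably also need DDL rights. Consider leaving the password out of the defaults and failing at startup when it is not configured. If the remaining values are meant only for the embedded Derby setup, a comment above the map should say so. The enclosing config class starts outside the hunk.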

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java
index 1686780..e1549ca 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/Status.java
@@ -22,6 +22,10 @@ import java.io.StringWriter;
 
 import javax.annotation.Nullable;
 
+import org.apache.sentry.SentryUserException;
+import org.apache.sentry.provider.db.SentryAlreadyExistsException;
+import org.apache.sentry.provider.db.SentryInvalidInputException;
+import org.apache.sentry.provider.db.SentryNoSuchObjectException;
 import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants;
 
 /**
@@ -81,4 +85,34 @@ public enum Status {
     }
     return status;
   }
+  public static void throwIfNotOk(TSentryResponseStatus thriftStatus)
+  throws SentryUserException {
+    Status status = Status.fromCode(thriftStatus.getValue());
+    switch(status) {
+    case OK:
+      break;
+    case ALREADY_EXISTS:
+      throw new SentryAlreadyExistsException(serverErrorToString(thriftStatus));
+    case NO_SUCH_OBJECT:
+      throw new SentryNoSuchObjectException(serverErrorToString(thriftStatus));
+    case RUNTIME_ERROR:
+      throw new RuntimeException(serverErrorToString(thriftStatus));
+    case INVALID_INPUT:
+      throw new SentryInvalidInputException(serverErrorToString(thriftStatus));
+    case UNKNOWN:
+      throw new AssertionError(serverErrorToString(thriftStatus));
+    default:
+      throw new AssertionError("Unknown status code: " + status + ". Msg: " +
+          serverErrorToString(thriftStatus));
+    }
+  }
+
+  private static String serverErrorToString(TSentryResponseStatus thriftStatus) {
+    String msg = thriftStatus.getMessage();
+    String stack = thriftStatus.getStack();
+    if (stack == null) {
+      return msg;
+    }
+    return msg + ". Server Stacktrace: " + stack;
+  }
 }
\ No newline at end of file
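Review bot: `serverErrorToString` appends the server's stack trace to the message of the exception handed to client code, so server class names and internals end up wherever callers print or forward the exception message. Keeping only `thriftStatus.getMessage()` in the exception and logging the stack separately would avoid that. Separately, `throwIfNotOk` turns the remote `UNKNOWN` status and any unmapped code into `AssertionError`, and `RUNTIME_ERROR` into a bare `RuntimeException`. A misbehaving server can therefore raise an `Error` that callers catching `SentryUserException` will not handle; a `SentryUserException` subclass would be safer for those cases.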

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/90cdbefd/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
index b3f7d6e..677047f 100644
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
+++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
@@ -29,6 +29,8 @@ namespace java org.apache.sentry.provider.db.service.thrift
 namespace php sentry.provider.db.service.thrift
 namespace cpp Apache.Sentry.Provider.Db.Service.Thrift
 
+
+# Represents a Privilege in transport from the client to the server
 struct TSentryPrivilege {
 1: required string privilegeScope, # Valid values are SERVER, DATABASE, TABLE
 2: optional string privilegeName, # Generated on server side
@@ -41,59 +43,58 @@ struct TSentryPrivilege {
 9: optional string grantorPrincipal # Set on server side
 }
 
-struct TSentryRole {
-1: required string roleName,
-# TODO privs should not be part of Sentry role as
-# they are created when a grant is executed
-# They need to be returned as part of the list role API, else
-# there would be another round trip
-2: required set<TSentryPrivilege> privileges,
-3: required i64 createTime,
-4: required string grantorPrincipal
-}
-
-// TODO fill out
+# TODO can this be deleted? it's not adding value to TAlterSentryRoleAddGroupsRequest
 struct TSentryGroup {
 1: required string groupName
 }
 
+# CREATE ROLE r1
 struct TCreateSentryRoleRequest {
 1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1,
-2: required string requestorUserName,
-3: required TSentryRole role,
-4: required set<string> requestorGroupName
+2: required string requestorUserName, # user on whose behalf the request is issued
+3: required set<string> requestorGroupNames # groups the requesting user belongs to
+4: required string roleName, # TSentryRole is not required for this request
 }
 struct TCreateSentryRoleResponse {
 1: required sentry_common_service.TSentryResponseStatus status
 }
 
-struct TListSentryRolesRequest {
+# DROP ROLE r1
+struct TDropSentryRoleRequest {
 1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1,
 2: required string requestorUserName, # user on whose behalf the request is issued
-3: optional string rolerequestorGroupName, # list roles for this group
-4: required string roleName,
-5: required set<string> requestorGroupName # groups the requesting user belongs to
+3: required set<string> requestorGroupNames # groups the requesting user belongs to
+4: required string roleName # role to drop
 }
-struct TListSentryRolesResponse {
+struct TDropSentryRoleResponse {
 1: required sentry_common_service.TSentryResponseStatus status
-2: required set<TSentryRole> roles
 }
 
-struct TDropSentryRoleRequest {
+# TODO what is this implementing SHOW GRANT/SHOW ROLE GRANT?
+# We should have seperate requests for those commands
+struct TListSentryRolesRequest {
 1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1,
-2: required string requestorUserName,
-3: required string roleName,
-4: required set<string> requestorGroupName
+2: required string requestorUserName, # user on whose behalf the request is issued
+3: optional string rolerequestorGroupNames, # list roles for this group
+4: required string roleName # role get prirvilges for
 }
-struct TDropSentryRoleResponse {
+# used only for TListSentryRolesResponse
+struct TSentryRole {
+1: required string roleName,
+2: required set<TSentryPrivilege> privileges,
+3: required string grantorPrincipal
+}
+struct TListSentryRolesResponse {
 1: required sentry_common_service.TSentryResponseStatus status
+2: required set<TSentryRole> roles
 }
 
+# GRANT ROLE r1 TO GROUP g1
 struct TAlterSentryRoleAddGroupsRequest {
 1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1,
-2: required string requestorUserName,
-3: required string roleName,
-4: required set<string> requestorGroupName,
+2: required string requestorUserName, # user on whose behalf the request is issued
+3: required set<string> requestorGroupNames # groups the requesting user belongs to
+4: required string roleName,
 5: required set<TSentryGroup> groups
 }
 
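Review bot: Field ids 3 and 4 change meaning in `TCreateSentryRoleRequest`, `TDropSentryRoleRequest` and `TAlterSentryRoleAddGroupsRequest`, while `protocol_version` still defaults to `TSENTRY_SERVICE_V1`. Id 3 now carries the requestor group set and id 4 the `roleName` string, where before id 3 was the role (name or `TSentryRole`) and id 4 the group set. A peer built from the old IDL would therefore fail while decoding instead of being turned away by a version check. `TSentryRole` in this hunk and the grant and revoke request structs in the next hunk are renumbered in the same way. If any earlier build has been deployed, keep the old ids and add the new fields under fresh ids, or bump the protocol version; if not, a comment such as `# V1 wire format is not frozen yet` would make that explicit.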
@@ -101,50 +102,74 @@ struct TAlterSentryRoleAddGroupsResponse {
 1: required sentry_common_service.TSentryResponseStatus status
 }
 
+# REVOLE ROLE r1 FROM GROUP g1
 struct TAlterSentryRoleDeleteGroupsRequest {
 1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1,
-2: required string requestorUserName,
-3: required set<string> requestorGroupName
+2: required string requestorUserName, # user on whose behalf the request is issued
+3: required set<string> requestorGroupNames # groups the requesting user belongs to
+4: required string roleName,
+5: required set<TSentryGroup> groups
 }
 struct TAlterSentryRoleDeleteGroupsResponse {
 1: required sentry_common_service.TSentryResponseStatus status
 }
 
+# GRANT ... ON ... TO ROLE ...
 struct TAlterSentryRoleGrantPrivilegeRequest {
 1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1,
-2: required string requestorUserName,
-3: required string roleName,
-4: required set<string> requestorGroupName,
+2: required string requestorUserName, # user on whose behalf the request is issued
+3: required set<string> requestorGroupNames # groups the requesting user belongs to
+4: required string roleName,
 5: required TSentryPrivilege privilege
 }
-
 struct TAlterSentryRoleGrantPrivilegeResponse {
 1: required sentry_common_service.TSentryResponseStatus status
 }
 
+# REVOKE ... ON ... FROM ROLE ...
 struct TAlterSentryRoleRevokePrivilegeRequest {
 1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1,
-2: required string requestorUserName,
-3: required string roleName,
-4: required set<string> requestorGroupName,
+2: required string requestorUserName, # user on whose behalf the request is issued
+3: required set<string> requestorGroupNames # groups the requesting user belongs to
+4: required string roleName,
 5: required TSentryPrivilege privilege
 }
-
 struct TAlterSentryRoleRevokePrivilegeResponse {
 1: required sentry_common_service.TSentryResponseStatus status
 }
 
+# This API was created specifically for ProviderBackend.getPrivileges
+# and is not mean for general purpose privilege retrieval.
+# This request/response pair are created specifically so we can
+# efficiently obtain the specific privilges for a user query
+struct TSentryActiveRoleSet {
+1: required bool all,
+2: required set<string> roles,
+}
+struct TListSentryPrivilegesForProviderRequest {
+1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1,
+2: required set<string> groups,
+3: required TSentryActiveRoleSet roleSet,
+}
+struct TListSentryPrivilegesForProviderResponse {
+1: required sentry_common_service.TSentryResponseStatus status
+2: required set<string> privileges
+}
+
 service SentryPolicyService
 {
   TCreateSentryRoleResponse create_sentry_role(1:TCreateSentryRoleRequest request)
   TDropSentryRoleResponse drop_sentry_role(1:TDropSentryRoleRequest request)
-  
+
   TAlterSentryRoleGrantPrivilegeResponse alter_sentry_role_grant_privilege(1:TAlterSentryRoleGrantPrivilegeRequest request)
   TAlterSentryRoleRevokePrivilegeResponse alter_sentry_role_revoke_privilege(1:TAlterSentryRoleRevokePrivilegeRequest request)
-  
+
   TAlterSentryRoleAddGroupsResponse alter_sentry_role_add_groups(1:TAlterSentryRoleAddGroupsRequest request)
   TAlterSentryRoleDeleteGroupsResponse alter_sentry_role_delete_groups(1:TAlterSentryRoleDeleteGroupsRequest request)
 
   TListSentryRolesResponse list_sentry_roles_by_group(1:TListSentryRolesRequest request)
-  TListSentryRolesResponse list_sentry_roles_by_role_name(1:TListSentryRolesRequest request) 
+  TListSentryRolesResponse list_sentry_roles_by_role_name(1:TListSentryRolesRequest request)
+
+  # For use with ProviderBackend.getPrivileges only
+  TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(1:TListSentryPrivilegesForProviderRequest request)
 }

