From sra...@apache.org
Subject [1/2] SENTRY-157: Support filter pushdown in DB Store client to reduce data transfer from DB Store service ( Arun Suresh via Sravya Tirukkovalur)
Date Sat, 31 May 2014 02:25:03 GMT
Repository: incubator-sentry
Updated Branches:
  refs/heads/master a989b17b4 -> a7b456223


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
index 7e2323c..a7734df 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
@@ -22,7 +22,9 @@ import static org.apache.sentry.provider.common.ProviderConstants.AUTHORIZABLE_J
 import static org.apache.sentry.provider.common.ProviderConstants.KV_JOINER;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.HashSet;
+import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
@@ -39,6 +41,7 @@ import javax.jdo.Transaction;
 import org.apache.commons.lang.StringUtils;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.core.model.db.DBModelAuthorizable;
 import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
 import org.apache.sentry.provider.common.ProviderConstants;
 import org.apache.sentry.provider.db.SentryAccessDeniedException;
@@ -50,6 +53,7 @@ import org.apache.sentry.provider.db.service.model.MSentryPrivilege;
 import org.apache.sentry.provider.db.service.model.MSentryRole;
 import org.apache.sentry.provider.db.service.model.MSentryVersion;
 import org.apache.sentry.provider.db.service.thrift.TSentryActiveRoleSet;
+import org.apache.sentry.provider.db.service.thrift.TSentryAuthorizable;
 import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
 import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
 import org.apache.sentry.provider.db.service.thrift.TSentryRole;
@@ -58,7 +62,9 @@ import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
 import org.datanucleus.store.rdbms.exceptions.MissingTableException;
 
 import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Joiner;
 import com.google.common.base.Preconditions;
+import com.google.common.base.Splitter;
 import com.google.common.base.Strings;
 import com.google.common.collect.HashMultimap;
 import com.google.common.collect.Lists;
@@ -84,7 +90,7 @@ public class SentryStore {
   private final PersistenceManagerFactory pmf;
 
   public SentryStore(Configuration conf) throws SentryNoSuchObjectException,
-      SentryAccessDeniedException {
+  SentryAccessDeniedException {
     commitSequenceId = 0;
     Properties prop = new Properties();
     prop.putAll(ServerConfig.SENTRY_STORE_DEFAULTS);
@@ -114,7 +120,7 @@ public class SentryStore {
     boolean checkSchemaVersion = conf.get(
         ServerConfig.SENTRY_VERIFY_SCHEM_VERSION,
         ServerConfig.SENTRY_VERIFY_SCHEM_VERSION_DEFAULT).equalsIgnoreCase(
-        "true");
+            "true");
     if (!checkSchemaVersion) {
       prop.setProperty("datanucleus.autoCreateSchema", "true");
       prop.setProperty("datanucleus.fixedDatastore", "false");
@@ -126,7 +132,7 @@ public class SentryStore {
   // ensure that the backend DB schema is set
   private void verifySentryStoreSchema(Configuration serverConf,
       boolean checkVersion)
-      throws SentryNoSuchObjectException, SentryAccessDeniedException {
+          throws SentryNoSuchObjectException, SentryAccessDeniedException {
     if (!checkVersion) {
       setSentryVersion(SentryStoreSchemaInfo.getSentryVersion(),
           "Schema version set implicitly");
@@ -135,8 +141,8 @@ public class SentryStore {
       if (!SentryStoreSchemaInfo.getSentryVersion().equals(currentVersion)) {
         throw new SentryAccessDeniedException(
             "The Sentry store schema version " + currentVersion
-                + " is different from distribution version "
-                + SentryStoreSchemaInfo.getSentryVersion());
+            + " is different from distribution version "
+            + SentryStoreSchemaInfo.getSentryVersion());
       }
     }
   }
@@ -235,7 +241,7 @@ public class SentryStore {
    * @throws SentryAlreadyExistsException
    */
   public CommitContext createSentryRole(String roleName, String grantorPrincipal)
-  throws SentryAlreadyExistsException {
+      throws SentryAlreadyExistsException {
     roleName = trimAndLower(roleName);
     boolean rollbackTransaction = true;
     PersistenceManager pm = null;
@@ -338,7 +344,7 @@ public class SentryStore {
    */
   private void revokePartialPrivilege(PersistenceManager pm, MSentryRole role,
       TSentryPrivilege tPrivilege)
-      throws SentryNoSuchObjectException, SentryInvalidInputException {
+          throws SentryNoSuchObjectException, SentryInvalidInputException {
     // only perform partial revoke if INSERT/SELECT were the action
     // and the privilege being revoked is on a table
     String action = tPrivilege.getAction();
@@ -452,7 +458,7 @@ public class SentryStore {
 
 
   public CommitContext dropSentryRole(String roleName)
-  throws SentryNoSuchObjectException {
+      throws SentryNoSuchObjectException {
     boolean rollbackTransaction = true;
     PersistenceManager pm = null;
     roleName = roleName.trim().toLowerCase();
@@ -483,7 +489,7 @@ public class SentryStore {
 
   public CommitContext alterSentryRoleAddGroups(String grantorPrincipal,
       String roleName, Set<TSentryGroup> groupNames)
-  throws SentryNoSuchObjectException {
+          throws SentryNoSuchObjectException {
     boolean rollbackTransaction = true;
     PersistenceManager pm = null;
     roleName = roleName.trim().toLowerCase();
@@ -526,7 +532,7 @@ public class SentryStore {
 
   public CommitContext alterSentryRoleDeleteGroups(String roleName,
       Set<TSentryGroup> groupNames)
-  throws SentryNoSuchObjectException {
+          throws SentryNoSuchObjectException {
     boolean rollbackTransaction = true;
     PersistenceManager pm = null;
     roleName = roleName.trim().toLowerCase();
@@ -567,7 +573,7 @@ public class SentryStore {
 
   @VisibleForTesting
   MSentryRole getMSentryRoleByName(String roleName)
-  throws SentryNoSuchObjectException {
+      throws SentryNoSuchObjectException {
     boolean rollbackTransaction = true;
     PersistenceManager pm = null;
     roleName = roleName.trim().toLowerCase();
@@ -593,11 +599,50 @@ public class SentryStore {
     }
   }
 
-  private Set<MSentryPrivilege> getMSentryPrivilegesByRoleName(String roleName)
-    throws SentryNoSuchObjectException {
-      MSentryRole mSentryRole = getMSentryRoleByName(roleName);
-      return mSentryRole.getPrivileges();
+  List<MSentryPrivilege> getMSentryPrivileges(Set<String> roleNames, TSentryAuthorizable authHierarchy) {
+    if ((roleNames.size() == 0)||(roleNames == null)) return new ArrayList<MSentryPrivilege>();
+    boolean rollbackTransaction = true;
+    PersistenceManager pm = null;
+    try {
+      pm = openTransaction();
+      Query query = pm.newQuery(MSentryPrivilege.class);
+      query.declareVariables("org.apache.sentry.provider.db.service.model.MSentryRole role");
+      List<String> rolesFiler = new LinkedList<String>();
+      for (String rName : roleNames) {
+        rolesFiler.add("role.roleName == \"" + rName.trim().toLowerCase() + "\"");
+      }
+      StringBuilder filters = new StringBuilder("roles.contains(role) "
+          + "&& (" + Joiner.on(" || ").join(rolesFiler) + ") ");
+      if ((authHierarchy != null) && (authHierarchy.getServer() != null)) {
+        filters.append("&& serverName == \"" + authHierarchy.getServer().toLowerCase() + "\"");
+        if (authHierarchy.getDb() != null) {
+          filters.append(" && ((dbName == \"" + authHierarchy.getDb().toLowerCase() + "\") || (dbName == null)) && (URI == null)");
+          if (authHierarchy.getTable() != null) {
+            filters.append(" && ((tableName == \"" + authHierarchy.getTable().toLowerCase() + "\") || (tableName == null)) && (URI == null)");
+          }
+        }
+        if (authHierarchy.getUri() != null) {
+          filters.append(" && ((\"" + authHierarchy.getUri() + "\".startsWith(URI)) || (URI == null)) && (dbName == null)");
+        }
+      }
+
+      query.setFilter(filters.toString());
+      List<MSentryPrivilege> privileges = (List<MSentryPrivilege>) query.execute();
+      rollbackTransaction = false;
+      commitTransaction(pm);
+      return privileges;
+    } finally {
+      if (rollbackTransaction) {
+        rollbackTransaction(pm);
+      }
     }
+  }
+
+  private Set<MSentryPrivilege> getMSentryPrivilegesByRoleName(String roleName)
+      throws SentryNoSuchObjectException {
+    MSentryRole mSentryRole = getMSentryRoleByName(roleName);
+    return mSentryRole.getPrivileges();
+  }
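Review bot: The JDOQL filter built in getMSentryPrivileges splices caller-controlled strings straight into the query text — `rolesFiler.add("role.roleName == \"" + rName.trim().toLowerCase() + "\"")` and the serverName/dbName/tableName/URI appends below it — so a role name or authorizable value containing a double quote can change the filter (JDOQL injection), and both values arrive from Thrift requests through getTSentryPrivileges and listSentryPrivilegesForProvider. The sibling getRoleNamesForGroups added in this same patch already does it correctly with `declareParameters` and a bound value; this query should bind every caller value the same way, as sketched below. Separately, the guard `if ((roleNames.size() == 0)||(roleNames == null))` dereferences roleNames before testing it for null, so a null set throws NullPointerException instead of returning empty; reorder it to `if (roleNames == null || roleNames.isEmpty()) return new ArrayList<MSentryPrivilege>();`. The unchecked cast of `query.execute()` would also want a `@SuppressWarnings("unchecked")` on that assignment, and `rolesFiler` is presumably meant to be `roleFilters`.
```java
      Query query = pm.newQuery(MSentryPrivilege.class);
      query.declareVariables("org.apache.sentry.provider.db.service.model.MSentryRole role");
      List<String> roleFilters = new LinkedList<String>();
      List<String> paramDecls = new LinkedList<String>();
      Map<String, Object> params = new HashMap<String, Object>(); // java.util.HashMap must be imported
      int idx = 0;
      for (String rName : roleNames) {
        String param = "roleName" + idx++;
        roleFilters.add("role.roleName == " + param);
        paramDecls.add("java.lang.String " + param);
        params.put(param, rName.trim().toLowerCase());
      }
      StringBuilder filters = new StringBuilder("roles.contains(role) "
          + "&& (" + Joiner.on(" || ").join(roleFilters) + ") ");
      if ((authHierarchy != null) && (authHierarchy.getServer() != null)) {
        filters.append("&& serverName == serverNameParam");
        paramDecls.add("java.lang.String serverNameParam");
        params.put("serverNameParam", authHierarchy.getServer().toLowerCase());
        // … unchanged: dbName / tableName / URI clauses, each rewritten to compare against a
        //   declared parameter (dbNameParam, tableNameParam, uriParam) instead of an inlined literal …
      }
      query.setFilter(filters.toString());
      query.declareParameters(Joiner.on(", ").join(paramDecls));
      List<MSentryPrivilege> privileges = (List<MSentryPrivilege>) query.executeWithMap(params);
```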
 
   /**
    * Gets sentry privilege objects for a given roleName from the persistence layer
@@ -606,11 +651,37 @@ public class SentryStore {
    * @throws SentryNoSuchObjectException
    */
 
-  public Set<TSentryPrivilege> getTSentryPrivilegesByRoleName(String roleName)
+  public Set<TSentryPrivilege> getAllTSentryPrivilegesByRoleName(String roleName)
       throws SentryNoSuchObjectException {
     return convertToTSentryPrivileges(getMSentryPrivilegesByRoleName(roleName));
   }
 
+
+  /**
+   * Gets sentry privilege objects for criteria from the persistence layer
+   * @param roleName : roleName to look up
+   * @param serverName : serverName (required)
+   * @param uri : URI (optional)
+   * @param dbName : dbName (optional if tableName is null else required)
+   * @param tableName : tableName (optional)
+   * @return : Set of thrift sentry privilege objects
+   * @throws SentryNoSuchObjectException
+   */
+
+  public Set<TSentryPrivilege> getTSentryPrivileges(Set<String> roleNames, TSentryAuthorizable authHierarchy) throws SentryInvalidInputException {
+    if (authHierarchy.getServer() == null) {
+      throw new SentryInvalidInputException("serverName cannot be null !!");
+    }
+    if ((authHierarchy.getTable() != null) && (authHierarchy.getDb() == null)) {
+      throw new SentryInvalidInputException("dbName cannot be null when tableName is present !!");
+    }
+    if ((authHierarchy.getUri() == null) && (authHierarchy.getDb() == null)) {
+      throw new SentryInvalidInputException("One of uri or dbName must not be null !!");
+    }
+    return convertToTSentryPrivileges(getMSentryPrivileges(roleNames, authHierarchy));
+  }
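Review bot: The Javadoc added above getTSentryPrivileges still documents `roleName`, `serverName`, `uri`, `dbName` and `tableName` from an earlier shape of the method, while the signature takes `roleNames` and `authHierarchy`, and it lists `@throws SentryNoSuchObjectException` although the method declares only SentryInvalidInputException. Replace the parameter tags with `@param roleNames : role names to look up` and `@param authHierarchy : authorizable hierarchy to filter on (server required; dbName required when table is set; at least one of uri or dbName required)`, and the throws tag with `@throws SentryInvalidInputException if the hierarchy violates those constraints`. The first statement also dereferences `authHierarchy.getServer()` before any null check, so a caller that passes a null hierarchy (the processor guards this with isSetAuthorizableHierarchy, but other callers may not) gets a NullPointerException instead of the documented exception; add `if (authHierarchy == null) throw new SentryInvalidInputException("authorizable hierarchy cannot be null !!");` as the first check.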
+
+
   private Set<MSentryRole> getMSentryRolesByGroupName(String groupName)
       throws SentryNoSuchObjectException {
     boolean rollbackTransaction = true;
@@ -692,18 +763,52 @@ public class SentryStore {
     }
   }
 
+  private Set<String> getRoleNamesForGroups(Set<String> groups) {
+    Set<String> result = new HashSet<String>();
+    boolean rollbackTransaction = true;
+    PersistenceManager pm = null;
+    try {
+      pm = openTransaction();
+      Query query = pm.newQuery(MSentryGroup.class);
+      query.setFilter("this.groupName == t");
+      query.declareParameters("java.lang.String t");
+      query.setUnique(true);
+      for (String group : toTrimedLower(groups)) {
+        MSentryGroup sentryGroup = (MSentryGroup) query.execute(group);
+        if (sentryGroup != null) {
+          for (MSentryRole role : sentryGroup.getRoles()) {
+            result.add(role.getRoleName());
+          }
+        }
+      }
+      rollbackTransaction = false;
+      commitTransaction(pm);
+      return result;
+    } finally {
+      if (rollbackTransaction) {
+        rollbackTransaction(pm);
+      }
+    }
+  }
+
+  public Set<String> listAllSentryPrivilegesForProvider(Set<String> groups, TSentryActiveRoleSet roleSet) throws SentryInvalidInputException {
+    return listSentryPrivilegesForProvider(groups, roleSet, null);
+  }
+
+
   public Set<String> listSentryPrivilegesForProvider(Set<String> groups,
-      TSentryActiveRoleSet roleSet) {
-   Set<String> result = Sets.newHashSet();
-   Set<String> activeRoleNames = toTrimedLower(roleSet.getRoles());
-   for (Map.Entry<String, String> entry : getRoleToPrivilegeMap(groups).entries()) {
-     if (roleSet.isAll()) {
-       result.add(entry.getValue());
-     } else if (activeRoleNames.contains(entry.getKey())) {
-       result.add(entry.getValue());
-     }
-   }
-   return result;
+      TSentryActiveRoleSet roleSet, TSentryAuthorizable authHierarchy) throws SentryInvalidInputException {
+    Set<String> result = Sets.newHashSet();
+    Set<String> activeRoleNames = toTrimedLower(roleSet.getRoles());
+
+    Set<String> roleNamesForGroups = toTrimedLower(getRoleNamesForGroups(groups));
+    Set<String> rolesToQuery = roleSet.isAll() ? roleNamesForGroups : Sets.intersection(activeRoleNames, roleNamesForGroups);
+    List<MSentryPrivilege> mSentryPrivileges = getMSentryPrivileges(rolesToQuery, authHierarchy);
+
+    for (MSentryPrivilege priv : mSentryPrivileges) {
+      result.add(toAuthorizable(priv));
+    }
+    return result;
   }
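Review bot: listSentryPrivilegesForProvider hands authHierarchy to getMSentryPrivileges without the checks that getTSentryPrivileges performs, so a hierarchy carrying a table but no db, or a db but no server, is not rejected — the corresponding clauses simply never get appended because they nest under the server/db null checks, and the caller receives a broader privilege set than it asked for. That is not a grant escalation (the result is a superset the provider still evaluates), but it defeats the pushdown and hides client bugs; either run non-null hierarchies through the same validation or state the fallback in a Javadoc line such as `Malformed hierarchies (table without db, db without server) silently widen the filter rather than failing.` The Javadoc should also say that getRoleNamesForGroups and getMSentryPrivileges each open their own transaction, so the group-to-role mapping and the privilege lookup are not read atomically — hedged as a note, since the transaction helpers are outside the hunk.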
 
   @VisibleForTesting
@@ -727,7 +832,7 @@ public class SentryStore {
     if (!Strings.nullToEmpty(privilege.getAction()).isEmpty()
         && !privilege.getAction().equalsIgnoreCase(AccessConstants.ALL)) {
       authorizable
-          .add(KV_JOINER.join(ProviderConstants.PRIVILEGE_NAME.toLowerCase(),
+      .add(KV_JOINER.join(ProviderConstants.PRIVILEGE_NAME.toLowerCase(),
           privilege.getAction()));
     }
     return AUTHORIZABLE_JOINER.join(authorizable);
@@ -735,6 +840,7 @@ public class SentryStore {
 
   @VisibleForTesting
   static Set<String> toTrimedLower(Set<String> s) {
+    if (null == s) return new HashSet<String>();
     Set<String> result = Sets.newHashSet();
     for (String v : s) {
       result.add(v.trim().toLowerCase());
@@ -750,7 +856,7 @@ public class SentryStore {
    * time.
    */
 
-  private Set<TSentryPrivilege> convertToTSentryPrivileges(Set<MSentryPrivilege> mSentryPrivileges) {
+  private Set<TSentryPrivilege> convertToTSentryPrivileges(Collection<MSentryPrivilege> mSentryPrivileges) {
     Set<TSentryPrivilege> privileges = new HashSet<TSentryPrivilege>();
     for(MSentryPrivilege mSentryPrivilege:mSentryPrivileges) {
       privileges.add(convertToTSentryPrivilege(mSentryPrivilege));
@@ -809,9 +915,9 @@ public class SentryStore {
   private MSentryPrivilege convertToMSentryPrivilege(TSentryPrivilege privilege)
       throws SentryInvalidInputException {
     MSentryPrivilege mSentryPrivilege = new MSentryPrivilege();
-    mSentryPrivilege.setServerName(safeTrim(privilege.getServerName()));
-    mSentryPrivilege.setDbName(safeTrim(privilege.getDbName()));
-    mSentryPrivilege.setTableName(safeTrim(privilege.getTableName()));
+    mSentryPrivilege.setServerName(safeTrimLower(privilege.getServerName()));
+    mSentryPrivilege.setDbName(safeTrimLower(privilege.getDbName()));
+    mSentryPrivilege.setTableName(safeTrimLower(privilege.getTableName()));
     mSentryPrivilege.setPrivilegeScope(safeTrim(privilege.getPrivilegeScope()));
     mSentryPrivilege.setAction(safeTrim(privilege.getAction()));
     mSentryPrivilege.setCreateTime(System.currentTimeMillis());
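Review bot: convertToMSentryPrivilege now lowercases serverName, dbName and tableName before persisting, and the new pushdown filter in getMSentryPrivileges compares lowercased request values against those columns; privileges persisted before this change keep whatever case they were granted with, so the filtered path will not match them even though getAllTSentryPrivilegesByRoleName still returns them. Unless an upgrade step lowercases existing rows, a user granted access under a mixed-case name could lose it after a server upgrade. Record the invariant and the migration requirement at the call site, e.g. `// serverName/dbName/tableName are stored lowercased so the JDOQL filters in getMSentryPrivileges can compare lowercased request values directly; rows persisted before this change must be migrated.` Leaving the URI un-lowercased is consistent with the case-sensitive prefix match applied to it.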
@@ -826,9 +932,15 @@ public class SentryStore {
     }
     return s.trim();
   }
+  private String safeTrimLower(String s) {
+    if (s == null) {
+      return null;
+    }
+    return s.trim().toLowerCase();
+  }
 
   public String getSentryVersion() throws SentryNoSuchObjectException,
-      SentryAccessDeniedException {
+  SentryAccessDeniedException {
     MSentryVersion mVersion = getMSentryVersion();
     return mVersion.getSchemaVersion();
   }
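Review bot: safeTrimLower calls `toLowerCase()` with the JVM default locale, so the stored name depends on the server's locale (the dotless-i conversion under a Turkish default locale is the usual example), and a client or a later filter that lowercases the same value under a different locale may fail to compare equal — in an authorization store that becomes a silently missed grant. Use `return s.trim().toLowerCase(Locale.ROOT);` (importing `java.util.Locale`), and apply the same locale in toTrimedLower and in the filter builder so both sides normalize identically. A one-line Javadoc, `/** Trims and lowercases a name for storage; returns null for null input. */`, would also make the null contract explicit.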

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
index 2aac409..3660607 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
@@ -18,6 +18,8 @@
 
 package org.apache.sentry.provider.db.service.thrift;
 
+import com.google.common.base.Preconditions;
+import com.google.common.collect.Sets;
 import java.io.IOException;
 import java.net.InetSocketAddress;
 import java.util.HashSet;
@@ -29,7 +31,9 @@ import org.apache.hadoop.security.SaslRpcServer;
 import org.apache.hadoop.security.SaslRpcServer.AuthMethod;
 import org.apache.sentry.SentryUserException;
 import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.core.model.db.DBModelAuthorizable;
 import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
 import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
 import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
@@ -45,8 +49,7 @@ import org.apache.thrift.transport.TTransportException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import com.google.common.base.Preconditions;
-import com.google.common.collect.Sets;
+import java.util.List;
 
 public class SentryPolicyServiceClient {
 
@@ -171,21 +174,43 @@ public class SentryPolicyServiceClient {
     }
   }
 
+  public Set<TSentryPrivilege> listAllPrivilegesByRoleName(String requestorUserName, String roleName) 
+		  throws SentryUserException {
+    return listPrivilegesByRoleName(requestorUserName, roleName, null);
+  }
+
   /**
    * Gets sentry privilege objects for a given roleName using the Sentry service
    * @param requestorUserName : user on whose behalf the request is issued
    * @param requestorUserGroupNames :groups the requesting user belongs to
    * @param roleName : roleName to look up
+   * @param authorizable : authorizable Hierarchy (server->db->table etc)
    * @return Set of thrift sentry privilege objects
    * @throws SentryUserException
    */
-  public Set<TSentryPrivilege> listPrivilegesByRoleName(
-      String requestorUserName, String roleName)
+  public Set<TSentryPrivilege> listPrivilegesByRoleName(String requestorUserName,
+      String roleName, List<? extends Authorizable> authorizable)
   throws SentryUserException {
     TListSentryPrivilegesRequest request = new TListSentryPrivilegesRequest();
     request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
     request.setRequestorUserName(requestorUserName);
     request.setRoleName(roleName);
+    if (authorizable != null) {
+      TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
+      // TODO : Needed to support SearchModelAuthorizable
+      for (Authorizable authzble : authorizable) {
+        if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Server.toString())) {
+          tSentryAuthorizable.setServer(authzble.getName());
+        } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.URI.toString())) {
+          tSentryAuthorizable.setUri(authzble.getName());
+        } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Db.toString())) {
+          tSentryAuthorizable.setDb(authzble.getName());
+        } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Table.toString())) {
+          tSentryAuthorizable.setTable(authzble.getName());
+        }
+      }
+      request.setAuthorizableHierarchy(tSentryAuthorizable);
+    }
     TListSentryPrivilegesResponse response;
     try {
       response = client.list_sentry_privileges_by_role(request);
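Review bot: The conversion loop sets `server` on TSentryAuthorizable only when a Server authorizable appears in the list, but the Thrift struct declares `server` as `required`; a caller that passes only a Database and Table produces a request with an unset required field, which is expected to be rejected by Thrift's required-field validation rather than with a clear error. Validate before building the request, e.g. `Preconditions.checkArgument(tSentryAuthorizable.isSetServer(), "authorizable hierarchy must include a Server");` (Preconditions is already imported in this file). The `throws SentryUserException` line on the new listAllPrivilegesByRoleName is indented with a tab while the rest of the file uses spaces.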
@@ -309,12 +334,28 @@ public class SentryPolicyServiceClient {
     }
   }
 
-  public Set<String> listPrivilegesForProvider(Set<String> groups, ActiveRoleSet roleSet)
+  public Set<String> listPrivilegesForProvider(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizable)
   throws SentryUserException {
     TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles());
     TListSentryPrivilegesForProviderRequest request =
         new TListSentryPrivilegesForProviderRequest(ThriftConstants.
             TSENTRY_SERVICE_VERSION_CURRENT, groups, thriftRoleSet);
+    if ((authorizable != null)&&(authorizable.length > 0)) {
+      TSentryAuthorizable tSentryAuthorizable = new TSentryAuthorizable();
+      // TODO : Needed to support SearchModelAuthorizable
+      for (Authorizable authzble : authorizable) {
+        if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Server.toString())) {
+          tSentryAuthorizable.setServer(authzble.getName());
+        } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.URI.toString())) {
+          tSentryAuthorizable.setUri(authzble.getName());
+        } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Db.toString())) {
+          tSentryAuthorizable.setDb(authzble.getName());
+        } else if (authzble.getTypeName().equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Table.toString())) {
+          tSentryAuthorizable.setTable(authzble.getName());
+        }
+      }
+      request.setAuthorizableHierarchy(tSentryAuthorizable);
+    }
     try {
       TListSentryPrivilegesForProviderResponse response = client.list_sentry_privileges_for_provider(request);
       Status.throwIfNotOk(response.getStatus());
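Review bot: The Authorizable-to-TSentryAuthorizable loop here is a line-for-line copy of the one added to listPrivilegesByRoleName earlier in this file, down to the same `// TODO : Needed to support SearchModelAuthorizable`; extract it into one private helper, e.g. `private static TSentryAuthorizable toTSentryAuthorizable(Iterable<? extends Authorizable> authorizables)`, so the type mapping and any later SearchModel support live in one place. Both copies silently ignore authorizables whose type name is not Server, URI, Db or Table; if that is intended, a comment such as `// authorizables from other models are ignored here (see TODO)` would tell the reader it is not an oversight.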
@@ -357,4 +398,4 @@ TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName,
       transport.close();
     }
   }
-}
\ No newline at end of file
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
index f92c78a..f06568f 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -344,7 +344,12 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
       // or allow all users as long as user is granted this role?
       authorize(request.getRequestorUserName(),
           getRequestorGroups(request.getRequestorUserName()));
-      privilegeSet = sentryStore.getTSentryPrivilegesByRoleName(request.getRoleName());
+      if (request.isSetAuthorizableHierarchy()) {
+        TSentryAuthorizable authorizableHierarchy = request.getAuthorizableHierarchy();
+        privilegeSet = sentryStore.getTSentryPrivileges(Sets.newHashSet(request.getRoleName()), authorizableHierarchy);
+      } else {
+        privilegeSet = sentryStore.getAllTSentryPrivilegesByRoleName(request.getRoleName());
+      }
       response.setPrivileges(privilegeSet);
       response.setStatus(Status.OK());
     } catch (SentryNoSuchObjectException e) {
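Review bot: getTSentryPrivileges is declared to throw SentryInvalidInputException (server missing, or table without db), but the only catch visible in this hunk is SentryNoSuchObjectException; the remaining catch clauses of list_sentry_privileges_by_role lie outside the hunk, so confirm that SentryInvalidInputException is mapped to an explicit invalid-input status rather than falling through to a generic failure that hides a client bug. The role name is also wrapped with `Sets.newHashSet(request.getRoleName())` without a null check, so a null roleName propagates into the store's filter builder and fails there with a NullPointerException; reject it here with an invalid-input status. The `Sets` import this line relies on is outside the hunk as well.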
@@ -371,7 +376,7 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
     response.setPrivileges(new HashSet<String>());
     try {
       response.setPrivileges(sentryStore.listSentryPrivilegesForProvider(
-          request.getGroups(), request.getRoleSet()));
+          request.getGroups(), request.getRoleSet(), request.getAuthorizableHierarchy()));
       response.setStatus(Status.OK());
     } catch (Exception e) {
       String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
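Review bot: `request.getAuthorizableHierarchy()` is forwarded to the store verbatim, so this endpoint skips the validation that list_sentry_privileges_by_role receives through getTSentryPrivileges (server present; db present when table is set); the store then drops the unsatisfiable parts of the filter and returns a broader set, and since this is the endpoint the authorization provider calls on every check, apply the same validation here before the store call. Note also that listSentryPrivilegesForProvider now declares SentryInvalidInputException, yet the `catch (Exception e)` below folds it into the "Unknown error for request" path; catch it separately and return an invalid-input status so a malformed hierarchy is distinguishable from a server fault.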

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
index b4281c7..5d584c0 100644
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
+++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
@@ -130,11 +130,19 @@ struct TListSentryRolesResponse {
 2: required set<TSentryRole> roles
 }
 
+struct TSentryAuthorizable {
+1: required string server,
+2: optional string uri,
+3: optional string db,
+4: optional string table,
+}
+
 # SHOW GRANT
 struct TListSentryPrivilegesRequest {
 1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1,
 2: required string requestorUserName, # user on whose behalf the request is issued
-3: required string roleName # get privileges assigned for this role
+4: required string roleName, # get privileges assigned for this role
+5: optional TSentryAuthorizable authorizableHierarchy # get privileges assigned for this role
 }
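Review bot: `roleName` in TListSentryPrivilegesRequest moves from field id 3 to field id 4, which is a wire-compatibility break: a client built against the previous IDL still writes roleName as field 3, which a server built from this IDL skips as an unknown field, so every old-client request then fails the required-field check on roleName (and the reverse direction breaks the same way). Thrift field ids are a field's only identity on the wire, so keep `3: required string roleName, # get privileges assigned for this role` and add the new field as `4: optional TSentryAuthorizable authorizableHierarchy # when set, restrict to privileges applying at or above this point in the hierarchy`. The comment copied onto the new field ("get privileges assigned for this role") no longer describes it, and `server` being `required` in TSentryAuthorizable should be documented so client code that fills the struct incrementally knows it must be set.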
 struct TListSentryPrivilegesResponse {
 1: required sentry_common_service.TSentryResponseStatus status
@@ -153,6 +161,7 @@ struct TListSentryPrivilegesForProviderRequest {
 1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1,
 2: required set<string> groups,
 3: required TSentryActiveRoleSet roleSet,
+4: optional TSentryAuthorizable authorizableHierarchy,
 }
 struct TListSentryPrivilegesForProviderResponse {
 1: required sentry_common_service.TSentryResponseStatus status

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
index 67b05e6..524eea3 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
@@ -235,65 +235,65 @@ public class TestSentryStore {
         roleName2, groups).getSequenceId());
     // group1 all roles
     assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
-        SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName1),
+        SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1),
             new TSentryActiveRoleSet(true, new HashSet<String>()))));
     // one active role
     assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
-        SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName1),
+        SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1),
             new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1)))));
     // unknown active role
     assertEquals(Sets.newHashSet(),
-        SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName1),
+        SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1),
             new TSentryActiveRoleSet(false, Sets.newHashSet("not a role")))));
     // no active roles
     assertEquals(Sets.newHashSet(),
-        SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName1),
+        SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName1),
             new TSentryActiveRoleSet(false, new HashSet<String>()))));
 
     // group2 all roles
     assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select", "server=server1"),
-        SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
+        SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
             new TSentryActiveRoleSet(true, new HashSet<String>()))));
     // one active role
     assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
-        SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
+        SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
             new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1)))));
     assertEquals(Sets.newHashSet(
         "server=server1->db=db1->table=tbl1->action=select", "server=server1"),
-        SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
+        SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
             new TSentryActiveRoleSet(false, Sets.newHashSet(roleName2)))));
     // unknown active role
     assertEquals(Sets.newHashSet(),
-        SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
+        SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
             new TSentryActiveRoleSet(false, Sets.newHashSet("not a role")))));
     // no active roles
     assertEquals(Sets.newHashSet(),
-        SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
+        SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.newHashSet(groupName2),
             new TSentryActiveRoleSet(false, new HashSet<String>()))));
 
     // both groups, all active roles
     assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select", "server=server1"),
-        SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.
+        SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.
             newHashSet(groupName1, groupName2),
             new TSentryActiveRoleSet(true, new HashSet<String>()))));
     // one active role
     assertEquals(Sets.newHashSet("server=server1->db=db1->table=tbl1->action=select"),
-        SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.
+        SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.
             newHashSet(groupName1, groupName2),
             new TSentryActiveRoleSet(false, Sets.newHashSet(roleName1)))));
     assertEquals(Sets.newHashSet(
         "server=server1->db=db1->table=tbl1->action=select", "server=server1"),
-        SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.
+        SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.
             newHashSet(groupName1, groupName2),
             new TSentryActiveRoleSet(false, Sets.newHashSet(roleName2)))));
     // unknown active role
     assertEquals(Sets.newHashSet(),
-        SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.
+        SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.
             newHashSet(groupName1, groupName2),
             new TSentryActiveRoleSet(false, Sets.newHashSet("not a role")))));
     // no active roles
     assertEquals(Sets.newHashSet(),
-        SentryStore.toTrimedLower(sentryStore.listSentryPrivilegesForProvider(Sets.
+        SentryStore.toTrimedLower(sentryStore.listAllSentryPrivilegesForProvider(Sets.
             newHashSet(groupName1, groupName2),
             new TSentryActiveRoleSet(false, new HashSet<String>()))));
   }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
index 56dcaf9..1089390 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
@@ -18,17 +18,22 @@
 
 package org.apache.sentry.provider.db.service.thrift;
 
-import org.apache.sentry.core.common.ActiveRoleSet;
-import static junit.framework.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-
-import java.util.Set;
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
 
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.model.db.Database;
+import org.apache.sentry.core.model.db.Server;
+import org.apache.sentry.core.model.db.Table;
 import org.apache.sentry.provider.db.service.persistent.SentryStore;
 import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
 import org.junit.Test;
 
-import com.google.common.collect.Sets;
+import java.util.HashSet;
+import java.util.Set;
+
+import static junit.framework.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 
 
 public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
@@ -55,6 +60,66 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
   }
 
   @Test
+  public void testQueryPushDown() throws Exception {
+    String requestorUserName = ADMIN_USER;
+    Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+    setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+    writePolicyFile();
+    
+    String roleName1 = "admin_r1";
+    String roleName2 = "admin_r2";
+
+    String group1 = "g1";
+    String group2 = "g2";
+
+    client.dropRoleIfExists(requestorUserName, roleName1);
+    client.createRole(requestorUserName, roleName1);
+    client.grantRoleToGroup(requestorUserName, group1, roleName1);
+
+    client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
+
+
+    client.dropRoleIfExists(requestorUserName, roleName2);
+    client.createRole(requestorUserName, roleName2);
+    client.grantRoleToGroup(requestorUserName, group1, roleName2);
+    client.grantRoleToGroup(requestorUserName, group2, roleName2);
+
+    client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName2, "server", "db3", "table5", "ALL");
+
+    Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1")));
+    assertEquals("Privilege not assigned to role2 !!", 2, listPrivilegesByRoleName.size());
+
+    listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db2"), new Table("table1")));
+    assertEquals("Privilege not assigned to role2 !!", 0, listPrivilegesByRoleName.size());
+
+    listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1"), new Table("table1")));
+    assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size());
+
+    listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db3")));
+    assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size());
+
+    Set<String> listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), ActiveRoleSet.ALL, new Server("server"), new Database("db2"));
+    assertEquals("Privilege not correctly assigned to roles !!",
+        Sets.newHashSet("server=server->db=db2->table=table4->action=ALL", "server=server->db=db2->table=table3->action=ALL"),
+        listPrivilegesForProvider);
+
+    listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), ActiveRoleSet.ALL, new Server("server"), new Database("db3"));
+    assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=server->db=db3->table=table5->action=ALL"), listPrivilegesForProvider);
+
+    listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server"), new Database("db3"));
+    assertEquals("Privilege not correctly assigned to roles !!", new HashSet<String>(), listPrivilegesForProvider);
+  }
+
+
+
+  @Test
   public void testGranRevokePrivilegeOnTableForRole() throws Exception {
     String requestorUserName = ADMIN_USER;
     Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
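Review bot: testQueryPushDown only exercises hierarchy filters in the server→db→table order and only with ADMIN_USER as requestor; there is no case for a partial or out-of-order hierarchy (for example Server plus Table with no Database) and no non-admin requestor, so a filter that is silently dropped, or a filtered request that skips the requestor check applied to the unfiltered path, would not be caught here. The server-side filter code is outside this file, so that is an inference from the test alone. Separately, the assertion message for the `db2`/`table1` case reads `"Privilege not assigned to role2 !!"` while the expected count is 0; `assertEquals("Privilege unexpectedly matched role2 filter !!", 0, listPrivilegesByRoleName.size());` states the intent and avoids a misleading failure report.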
@@ -66,49 +131,49 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
     client.dropRoleIfExists(requestorUserName,  roleName1);
     client.createRole(requestorUserName,  roleName1);
 
-    client.grantTablePrivilege(requestorUserName,  roleName1, "server", "db", "table1", "ALL");
-    client.grantTablePrivilege(requestorUserName,  roleName1, "server", "db", "table2", "ALL");
-    client.grantTablePrivilege(requestorUserName,  roleName1, "server", "db", "table3", "ALL");
-    client.grantTablePrivilege(requestorUserName,  roleName1, "server", "db", "table4", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
 
 
     client.dropRoleIfExists(requestorUserName,  roleName2);
     client.createRole(requestorUserName,  roleName2);
 
-    client.grantTablePrivilege(requestorUserName,  roleName2, "server", "db", "table1", "ALL");
-    client.grantTablePrivilege(requestorUserName,  roleName2, "server", "db", "table2", "ALL");
-    client.grantTablePrivilege(requestorUserName,  roleName2, "server", "db", "table3", "ALL");
-    client.grantTablePrivilege(requestorUserName,  roleName2, "server", "db", "table4", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
 
-    Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName,  roleName1);
+    Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
     assertEquals("Privilege not assigned to role1 !!", 4, listPrivilegesByRoleName.size());
 
-    listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName,  roleName2);
+    listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
     assertEquals("Privilege not assigned to role2 !!", 4, listPrivilegesByRoleName.size());
 
 
-    client.revokeTablePrivilege(requestorUserName,  roleName1, "server", "db", "table1", "ALL");
-    listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName,  roleName1);
+    client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
+    listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
     assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
-    listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName,  roleName2);
+    listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
     assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 4);
 
-    client.revokeTablePrivilege(requestorUserName,  roleName2, "server", "db", "table1", "ALL");
-    listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName,  roleName2);
+    client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
+    listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
     assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
-    listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName,  roleName1);
+    listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
     assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 3);
 
-    client.revokeTablePrivilege(requestorUserName,  roleName1, "server", "db", "table2", "ALL");
-    client.revokeTablePrivilege(requestorUserName,  roleName1, "server", "db", "table3", "ALL");
-    client.revokeTablePrivilege(requestorUserName,  roleName1, "server", "db", "table4", "ALL");
-    listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName,  roleName1);
+    client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
+    client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
+    client.revokeTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
+    listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
     assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
 
-    client.revokeTablePrivilege(requestorUserName,  roleName2, "server", "db", "table2", "ALL");
-    client.revokeTablePrivilege(requestorUserName,  roleName2, "server", "db", "table3", "ALL");
-    client.revokeTablePrivilege(requestorUserName,  roleName2, "server", "db", "table4", "ALL");
-    listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName,  roleName2);
+    client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
+    client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
+    client.revokeTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
+    listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
     assertTrue("Privilege not correctly revoked !!", listPrivilegesByRoleName.size() == 0);
   }
 
@@ -127,12 +192,12 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
     client.dropRoleIfExists(requestorUserName,  roleName2);
     client.createRole(requestorUserName,  roleName2);
 
-    client.grantTablePrivilege(requestorUserName,  roleName1, "server", "db", "table", "ALL");
-    Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName,  roleName1);
+    client.grantTablePrivilege(requestorUserName, roleName1, "server", "db", "table", "ALL");
+    Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1);
     assertTrue("Privilege not assigned to role1 !!", listPrivilegesByRoleName.size() == 1);
 
-    client.grantTablePrivilege(requestorUserName,  roleName2, "server", "db", "table", "ALL");
-    listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName,  roleName2);
+    client.grantTablePrivilege(requestorUserName, roleName2, "server", "db", "table", "ALL");
+    listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2);
     assertTrue("Privilege not assigned to role2 !!", listPrivilegesByRoleName.size() == 1);
   }
 
@@ -183,8 +248,7 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
     assertEquals("Incorrect number of roles", 1, roles.size());
 
     client.grantDatabasePrivilege(requestorUserName, roleName, server, db);
-    Set<TSentryPrivilege> privileges = client.listPrivilegesByRoleName(requestorUserName,
- roleName);
+    Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName);
     assertTrue(privileges.size() == 1);
     for (TSentryPrivilege privilege:privileges) {
       assertTrue(privilege.getPrivilegeName(),

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
index 6e8f02f..5245eb4 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/SimpleFileProviderBackend.java
@@ -29,10 +29,12 @@ import com.google.common.collect.Multimap;
 import com.google.common.collect.Sets;
 import com.google.common.collect.Table;
 import com.google.common.collect.Table.Cell;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.FileSystem;
 import org.apache.hadoop.fs.Path;
 import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.common.SentryConfigurationException;
 import org.apache.sentry.policy.common.PrivilegeUtils;
 import org.apache.sentry.policy.common.PrivilegeValidator;
@@ -44,6 +46,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import javax.annotation.Nullable;
+
 import java.io.IOException;
 import java.net.URI;
 import java.util.HashSet;
@@ -140,7 +143,7 @@ public class SimpleFileProviderBackend implements ProviderBackend {
    * {@inheritDoc}
    */
   @Override
-  public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet) {
+  public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizableHierarchy) {
     if (!initialized) {
       throw new IllegalStateException("Backend has not been properly initialized");
     }
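Review bot: The new `Authorizable... authorizableHierarchy` parameter is added to getPrivileges but nothing in the visible lines reads it, and the rest of the method body is outside the hunk. If the file backend ignores the filter while the DB backend applies it server-side, callers get the unfiltered superset here — harmless for authorization decisions (more privileges to evaluate, not fewer) but a behavioral difference between backends worth stating on the override. If that is indeed the case, add `// authorizableHierarchy is accepted for ProviderBackend compatibility only; this backend returns the unfiltered privilege set` above the signature, or document in the interface Javadoc that the hierarchy is an optimization hint a backend may ignore.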

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a7b45622/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java
index 1d89e1a..ab65cfd 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDbEndToEnd.java
@@ -139,7 +139,7 @@ public class TestDbEndToEnd extends AbstractTestWithDbProvider {
     statement.execute("create table " + dbName2 + "." + tableName2
         + " (under_col int comment 'the under column', value string)");
     statement.execute("load data local inpath '" + dataFile.getPath()
-            + "' into table " + tableName2);
+        + "' into table " + tableName2);
 
     // 3
     statement.execute("CREATE ROLE all_db1");
@@ -163,8 +163,8 @@ public class TestDbEndToEnd extends AbstractTestWithDbProvider {
         + " TO ROLE select_tb1");
 
     statement
-        .execute("GRANT ROLE all_db1, select_tb1, insert_tb1, insert_tb2, data_uri TO GROUP "
-            + USERGROUP1);
+    .execute("GRANT ROLE all_db1, select_tb1, insert_tb1, insert_tb2, data_uri TO GROUP "
+        + USERGROUP1);
 
     statement.close();
     connection.close();
@@ -177,7 +177,7 @@ public class TestDbEndToEnd extends AbstractTestWithDbProvider {
     statement.execute("create table " + dbName1 + "." + tableName1
         + " (under_col int comment 'the under column', value string)");
     statement.execute("load data local inpath '" + dataFile.getPath()
-            + "' into table " + tableName1);
+        + "' into table " + tableName1);
 
     // 5
     statement.execute("CREATE VIEW " + viewName1 + " (value) AS SELECT value from " + tableName1 + " LIMIT 10");
@@ -197,7 +197,30 @@ public class TestDbEndToEnd extends AbstractTestWithDbProvider {
     // 8
     connection = context.createConnection(USER1_1);
     statement = context.createStatement(connection);
+    Exception ex = null;
+    try {
+      statement.execute("USE " + dbName2);
+    } catch (Exception e) {
+      ex = e;
+    } finally {
+      statement.close();
+      connection.close();
+    }
+    System.out.println("Message : " + ex.getMessage());
+    assertTrue("This should not be allowed !!", ex != null);
+
+    connection = context.createConnection(ADMIN1);
+    statement = context.createStatement(connection);
+    statement.execute("CREATE ROLE all_db2");
+    statement.execute("GRANT ALL ON DATABASE " + dbName2 + " TO ROLE all_db2");
+    statement.execute("GRANT ROLE all_db2 TO GROUP " + USERGROUP1);
+    statement.close();
+    connection.close();
+
+    connection = context.createConnection(USER1_1);
+    statement = context.createStatement(connection);
     statement.execute("USE " + dbName2);
+
     statement.execute("INSERT OVERWRITE TABLE " +
         dbName2 + "." + tableName2 + " SELECT * FROM " + dbName1
         + "." + tableName1);
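Review bot: In the added negative check, `ex.getMessage()` in the println is dereferenced before the `ex != null` assertion, so if `USE dbName2` is wrongly permitted the test fails with a NullPointerException instead of the intended assertion message. Catching `Exception` also means any failure — a dropped connection or a syntax error — satisfies the check, not only an authorization denial, which weakens it as a negative test. Drop the println, assert first, and narrow the catch (the file may need a `java.sql.SQLException` import): `} catch (SQLException e) {` … `assertNotNull("USE " + dbName2 + " should have been denied", ex);`, ideally also asserting on the message the Sentry hook produces for a denial.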

