sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From pras...@apache.org
Subject [1/3] Add Sentry service APIs to query roles and privileges (Sravya Tirukkovalur via Prasad Mujumdar)
Date Wed, 07 May 2014 23:07:19 GMT
Repository: incubator-sentry
Updated Branches:
  refs/heads/master 8f1ef00be -> 0fea11ab3


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0fea11ab/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryRole.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryRole.java b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryRole.java
index dbddcad..0e004f6 100644
--- a/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryRole.java
+++ b/sentry-provider/sentry-provider-db/src/gen/thrift/gen-javabean/org/apache/sentry/provider/db/service/thrift/TSentryRole.java
@@ -35,7 +35,7 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
   private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("TSentryRole");
 
   private static final org.apache.thrift.protocol.TField ROLE_NAME_FIELD_DESC = new org.apache.thrift.protocol.TField("roleName", org.apache.thrift.protocol.TType.STRING, (short)1);
-  private static final org.apache.thrift.protocol.TField PRIVILEGES_FIELD_DESC = new org.apache.thrift.protocol.TField("privileges", org.apache.thrift.protocol.TType.SET, (short)2);
+  private static final org.apache.thrift.protocol.TField GROUPS_FIELD_DESC = new org.apache.thrift.protocol.TField("groups", org.apache.thrift.protocol.TType.SET, (short)2);
   private static final org.apache.thrift.protocol.TField GRANTOR_PRINCIPAL_FIELD_DESC = new org.apache.thrift.protocol.TField("grantorPrincipal", org.apache.thrift.protocol.TType.STRING, (short)3);
 
   private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? extends IScheme>, SchemeFactory>();
@@ -45,13 +45,13 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
   }
 
   private String roleName; // required
-  private Set<TSentryPrivilege> privileges; // required
+  private Set<TSentryGroup> groups; // required
   private String grantorPrincipal; // required
 
   /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */
   public enum _Fields implements org.apache.thrift.TFieldIdEnum {
     ROLE_NAME((short)1, "roleName"),
-    PRIVILEGES((short)2, "privileges"),
+    GROUPS((short)2, "groups"),
     GRANTOR_PRINCIPAL((short)3, "grantorPrincipal");
 
     private static final Map<String, _Fields> byName = new HashMap<String, _Fields>();
@@ -69,8 +69,8 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
       switch(fieldId) {
         case 1: // ROLE_NAME
           return ROLE_NAME;
-        case 2: // PRIVILEGES
-          return PRIVILEGES;
+        case 2: // GROUPS
+          return GROUPS;
         case 3: // GRANTOR_PRINCIPAL
           return GRANTOR_PRINCIPAL;
         default:
@@ -118,9 +118,9 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
     Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class);
     tmpMap.put(_Fields.ROLE_NAME, new org.apache.thrift.meta_data.FieldMetaData("roleName", org.apache.thrift.TFieldRequirementType.REQUIRED, 
         new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING)));
-    tmpMap.put(_Fields.PRIVILEGES, new org.apache.thrift.meta_data.FieldMetaData("privileges", org.apache.thrift.TFieldRequirementType.REQUIRED, 
+    tmpMap.put(_Fields.GROUPS, new org.apache.thrift.meta_data.FieldMetaData("groups", org.apache.thrift.TFieldRequirementType.REQUIRED, 
         new org.apache.thrift.meta_data.SetMetaData(org.apache.thrift.protocol.TType.SET, 
-            new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TSentryPrivilege.class))));
+            new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TSentryGroup.class))));
     tmpMap.put(_Fields.GRANTOR_PRINCIPAL, new org.apache.thrift.meta_data.FieldMetaData("grantorPrincipal", org.apache.thrift.TFieldRequirementType.REQUIRED, 
         new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING)));
     metaDataMap = Collections.unmodifiableMap(tmpMap);
@@ -132,12 +132,12 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
 
   public TSentryRole(
     String roleName,
-    Set<TSentryPrivilege> privileges,
+    Set<TSentryGroup> groups,
     String grantorPrincipal)
   {
     this();
     this.roleName = roleName;
-    this.privileges = privileges;
+    this.groups = groups;
     this.grantorPrincipal = grantorPrincipal;
   }
 
@@ -148,12 +148,12 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
     if (other.isSetRoleName()) {
       this.roleName = other.roleName;
     }
-    if (other.isSetPrivileges()) {
-      Set<TSentryPrivilege> __this__privileges = new HashSet<TSentryPrivilege>();
-      for (TSentryPrivilege other_element : other.privileges) {
-        __this__privileges.add(new TSentryPrivilege(other_element));
+    if (other.isSetGroups()) {
+      Set<TSentryGroup> __this__groups = new HashSet<TSentryGroup>();
+      for (TSentryGroup other_element : other.groups) {
+        __this__groups.add(new TSentryGroup(other_element));
       }
-      this.privileges = __this__privileges;
+      this.groups = __this__groups;
     }
     if (other.isSetGrantorPrincipal()) {
       this.grantorPrincipal = other.grantorPrincipal;
@@ -167,7 +167,7 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
   @Override
   public void clear() {
     this.roleName = null;
-    this.privileges = null;
+    this.groups = null;
     this.grantorPrincipal = null;
   }
 
@@ -194,41 +194,41 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
     }
   }
 
-  public int getPrivilegesSize() {
-    return (this.privileges == null) ? 0 : this.privileges.size();
+  public int getGroupsSize() {
+    return (this.groups == null) ? 0 : this.groups.size();
   }
 
-  public java.util.Iterator<TSentryPrivilege> getPrivilegesIterator() {
-    return (this.privileges == null) ? null : this.privileges.iterator();
+  public java.util.Iterator<TSentryGroup> getGroupsIterator() {
+    return (this.groups == null) ? null : this.groups.iterator();
   }
 
-  public void addToPrivileges(TSentryPrivilege elem) {
-    if (this.privileges == null) {
-      this.privileges = new HashSet<TSentryPrivilege>();
+  public void addToGroups(TSentryGroup elem) {
+    if (this.groups == null) {
+      this.groups = new HashSet<TSentryGroup>();
     }
-    this.privileges.add(elem);
+    this.groups.add(elem);
   }
 
-  public Set<TSentryPrivilege> getPrivileges() {
-    return this.privileges;
+  public Set<TSentryGroup> getGroups() {
+    return this.groups;
   }
 
-  public void setPrivileges(Set<TSentryPrivilege> privileges) {
-    this.privileges = privileges;
+  public void setGroups(Set<TSentryGroup> groups) {
+    this.groups = groups;
   }
 
-  public void unsetPrivileges() {
-    this.privileges = null;
+  public void unsetGroups() {
+    this.groups = null;
   }
 
-  /** Returns true if field privileges is set (has been assigned a value) and false otherwise */
-  public boolean isSetPrivileges() {
-    return this.privileges != null;
+  /** Returns true if field groups is set (has been assigned a value) and false otherwise */
+  public boolean isSetGroups() {
+    return this.groups != null;
   }
 
-  public void setPrivilegesIsSet(boolean value) {
+  public void setGroupsIsSet(boolean value) {
     if (!value) {
-      this.privileges = null;
+      this.groups = null;
     }
   }
 
@@ -265,11 +265,11 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
       }
       break;
 
-    case PRIVILEGES:
+    case GROUPS:
       if (value == null) {
-        unsetPrivileges();
+        unsetGroups();
       } else {
-        setPrivileges((Set<TSentryPrivilege>)value);
+        setGroups((Set<TSentryGroup>)value);
       }
       break;
 
@@ -289,8 +289,8 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
     case ROLE_NAME:
       return getRoleName();
 
-    case PRIVILEGES:
-      return getPrivileges();
+    case GROUPS:
+      return getGroups();
 
     case GRANTOR_PRINCIPAL:
       return getGrantorPrincipal();
@@ -308,8 +308,8 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
     switch (field) {
     case ROLE_NAME:
       return isSetRoleName();
-    case PRIVILEGES:
-      return isSetPrivileges();
+    case GROUPS:
+      return isSetGroups();
     case GRANTOR_PRINCIPAL:
       return isSetGrantorPrincipal();
     }
@@ -338,12 +338,12 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
         return false;
     }
 
-    boolean this_present_privileges = true && this.isSetPrivileges();
-    boolean that_present_privileges = true && that.isSetPrivileges();
-    if (this_present_privileges || that_present_privileges) {
-      if (!(this_present_privileges && that_present_privileges))
+    boolean this_present_groups = true && this.isSetGroups();
+    boolean that_present_groups = true && that.isSetGroups();
+    if (this_present_groups || that_present_groups) {
+      if (!(this_present_groups && that_present_groups))
         return false;
-      if (!this.privileges.equals(that.privileges))
+      if (!this.groups.equals(that.groups))
         return false;
     }
 
@@ -368,10 +368,10 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
     if (present_roleName)
       builder.append(roleName);
 
-    boolean present_privileges = true && (isSetPrivileges());
-    builder.append(present_privileges);
-    if (present_privileges)
-      builder.append(privileges);
+    boolean present_groups = true && (isSetGroups());
+    builder.append(present_groups);
+    if (present_groups)
+      builder.append(groups);
 
     boolean present_grantorPrincipal = true && (isSetGrantorPrincipal());
     builder.append(present_grantorPrincipal);
@@ -399,12 +399,12 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
         return lastComparison;
       }
     }
-    lastComparison = Boolean.valueOf(isSetPrivileges()).compareTo(typedOther.isSetPrivileges());
+    lastComparison = Boolean.valueOf(isSetGroups()).compareTo(typedOther.isSetGroups());
     if (lastComparison != 0) {
       return lastComparison;
     }
-    if (isSetPrivileges()) {
-      lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.privileges, typedOther.privileges);
+    if (isSetGroups()) {
+      lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.groups, typedOther.groups);
       if (lastComparison != 0) {
         return lastComparison;
       }
@@ -447,11 +447,11 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
     }
     first = false;
     if (!first) sb.append(", ");
-    sb.append("privileges:");
-    if (this.privileges == null) {
+    sb.append("groups:");
+    if (this.groups == null) {
       sb.append("null");
     } else {
-      sb.append(this.privileges);
+      sb.append(this.groups);
     }
     first = false;
     if (!first) sb.append(", ");
@@ -472,8 +472,8 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
       throw new org.apache.thrift.protocol.TProtocolException("Required field 'roleName' is unset! Struct:" + toString());
     }
 
-    if (!isSetPrivileges()) {
-      throw new org.apache.thrift.protocol.TProtocolException("Required field 'privileges' is unset! Struct:" + toString());
+    if (!isSetGroups()) {
+      throw new org.apache.thrift.protocol.TProtocolException("Required field 'groups' is unset! Struct:" + toString());
     }
 
     if (!isSetGrantorPrincipal()) {
@@ -525,21 +525,21 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
               org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
             }
             break;
-          case 2: // PRIVILEGES
+          case 2: // GROUPS
             if (schemeField.type == org.apache.thrift.protocol.TType.SET) {
               {
-                org.apache.thrift.protocol.TSet _set16 = iprot.readSetBegin();
-                struct.privileges = new HashSet<TSentryPrivilege>(2*_set16.size);
-                for (int _i17 = 0; _i17 < _set16.size; ++_i17)
+                org.apache.thrift.protocol.TSet _set72 = iprot.readSetBegin();
+                struct.groups = new HashSet<TSentryGroup>(2*_set72.size);
+                for (int _i73 = 0; _i73 < _set72.size; ++_i73)
                 {
-                  TSentryPrivilege _elem18; // required
-                  _elem18 = new TSentryPrivilege();
-                  _elem18.read(iprot);
-                  struct.privileges.add(_elem18);
+                  TSentryGroup _elem74; // required
+                  _elem74 = new TSentryGroup();
+                  _elem74.read(iprot);
+                  struct.groups.add(_elem74);
                 }
                 iprot.readSetEnd();
               }
-              struct.setPrivilegesIsSet(true);
+              struct.setGroupsIsSet(true);
             } else { 
               org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
             }
@@ -570,13 +570,13 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
         oprot.writeString(struct.roleName);
         oprot.writeFieldEnd();
       }
-      if (struct.privileges != null) {
-        oprot.writeFieldBegin(PRIVILEGES_FIELD_DESC);
+      if (struct.groups != null) {
+        oprot.writeFieldBegin(GROUPS_FIELD_DESC);
         {
-          oprot.writeSetBegin(new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, struct.privileges.size()));
-          for (TSentryPrivilege _iter19 : struct.privileges)
+          oprot.writeSetBegin(new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, struct.groups.size()));
+          for (TSentryGroup _iter75 : struct.groups)
           {
-            _iter19.write(oprot);
+            _iter75.write(oprot);
           }
           oprot.writeSetEnd();
         }
@@ -606,10 +606,10 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
       TTupleProtocol oprot = (TTupleProtocol) prot;
       oprot.writeString(struct.roleName);
       {
-        oprot.writeI32(struct.privileges.size());
-        for (TSentryPrivilege _iter20 : struct.privileges)
+        oprot.writeI32(struct.groups.size());
+        for (TSentryGroup _iter76 : struct.groups)
         {
-          _iter20.write(oprot);
+          _iter76.write(oprot);
         }
       }
       oprot.writeString(struct.grantorPrincipal);
@@ -621,17 +621,17 @@ public class TSentryRole implements org.apache.thrift.TBase<TSentryRole, TSentry
       struct.roleName = iprot.readString();
       struct.setRoleNameIsSet(true);
       {
-        org.apache.thrift.protocol.TSet _set21 = new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, iprot.readI32());
-        struct.privileges = new HashSet<TSentryPrivilege>(2*_set21.size);
-        for (int _i22 = 0; _i22 < _set21.size; ++_i22)
+        org.apache.thrift.protocol.TSet _set77 = new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, iprot.readI32());
+        struct.groups = new HashSet<TSentryGroup>(2*_set77.size);
+        for (int _i78 = 0; _i78 < _set77.size; ++_i78)
         {
-          TSentryPrivilege _elem23; // required
-          _elem23 = new TSentryPrivilege();
-          _elem23.read(iprot);
-          struct.privileges.add(_elem23);
+          TSentryGroup _elem79; // required
+          _elem79 = new TSentryGroup();
+          _elem79.read(iprot);
+          struct.groups.add(_elem79);
         }
       }
-      struct.setPrivilegesIsSet(true);
+      struct.setGroupsIsSet(true);
       struct.grantorPrincipal = iprot.readString();
       struct.setGrantorPrincipalIsSet(true);
     }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0fea11ab/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
index dd4a977..13af593 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/SimpleDBProviderBackend.java
@@ -77,7 +77,7 @@ public class SimpleDBProviderBackend implements ProviderBackend {
       throw new IllegalStateException("Backend has not been properly initialized");
     }
     try {
-      return ImmutableSet.copyOf(policyServiceClient.listPrivileges(groups, roleSet));
+      return ImmutableSet.copyOf(policyServiceClient.listPrivilegesForProvider(groups, roleSet));
     } catch (SentryUserException e) {
       String msg = "Unable to obtain privileges from server: " + e.getMessage();
       LOGGER.error(msg, e);

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0fea11ab/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java
index 1dfc0cf..e375a4c 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java
@@ -18,14 +18,13 @@
 
 package org.apache.sentry.provider.db.service.model;
 
-import java.util.HashSet;
-import java.util.Set;
-
-import javax.jdo.annotations.PersistenceCapable;
-
 import com.google.common.base.Preconditions;
 import com.google.common.collect.ImmutableSet;
 
+import javax.jdo.annotations.PersistenceCapable;
+import java.util.HashSet;
+import java.util.Set;
+
 /**
  * Database backed Sentry Role. Any changes to this object
  * require re-running the maven build so DN an re-enhance.
@@ -41,17 +40,12 @@ public class MSentryRole {
   private long createTime;
   private String grantorPrincipal;
 
-  public MSentryRole() {
-    privileges = new HashSet<MSentryPrivilege>();
-  }
-
-  MSentryRole(String roleName, long createTime, String grantorPrincipal,
-      Set<MSentryPrivilege> privileges, Set<MSentryGroup> groups) {
+  public MSentryRole(String roleName, long createTime, String grantorPrincipal) {
     this.roleName = roleName;
     this.createTime = createTime;
     this.grantorPrincipal = grantorPrincipal;
-    this.privileges = privileges;
-    this.groups = groups;
+    privileges = new HashSet<MSentryPrivilege>();
+    groups = new HashSet<MSentryGroup>();
   }
 
   public long getCreateTime() {
@@ -166,4 +160,4 @@ public class MSentryRole {
       return false;
     return true;
   }
-}
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0fea11ab/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
index 33c8d1a..7301a1a 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
@@ -169,21 +169,42 @@ public class SentryStore {
       }
     }
   }
+  /**
+  Get the MSentry object from roleName
+  Note: Should be called inside a transaction
+   */
+  private MSentryRole getMSentryRole(PersistenceManager pm, String roleName) {
+    Query query = pm.newQuery(MSentryRole.class);
+    query.setFilter("this.roleName == t");
+    query.declareParameters("java.lang.String t");
+    query.setUnique(true);
+    MSentryRole sentryRole = (MSentryRole) query.execute(roleName);
+    return sentryRole;
+  }
 
+  /**
+   * Normalize the string values
+   */
+  private String trimAndLower(String input) {
+    return input.trim().toLowerCase();
+  }
+  /**
+   * Create a sentry role and persist it.
+   * @param roleName: Name of the role being persisted
+   * @param grantorPrincipal: TODO: Currently not used
+   * @returns commit context used for notification handlers
+   * @throws SentryAlreadyExistsException
+   */
   public CommitContext createSentryRole(String roleName, String grantorPrincipal)
   throws SentryAlreadyExistsException {
+    roleName = trimAndLower(roleName);
     boolean rollbackTransaction = true;
     PersistenceManager pm = null;
-    roleName = roleName.trim().toLowerCase();
     try {
       pm = openTransaction();
-      Query query = pm.newQuery(MSentryRole.class);
-      query.setFilter("this.roleName == t");
-      query.declareParameters("java.lang.String t");
-      query.setUnique(true);
-      MSentryRole sentryRole = (MSentryRole) query.execute(roleName);
-      if (sentryRole == null) {
-        MSentryRole mRole = convertToMSentryRole(roleName, grantorPrincipal);
+      MSentryRole mSentryRole = getMSentryRole(pm, roleName);
+      if (mSentryRole == null) {
+        MSentryRole mRole = new MSentryRole(roleName, System.currentTimeMillis(), grantorPrincipal);
         pm.makePersistent(mRole);
         CommitContext commit = commitUpdateTransaction(pm);
         rollbackTransaction = false;
@@ -199,23 +220,19 @@ public class SentryStore {
   }
 
   //TODO: handle case where a) privilege already exists, b) role to privilege mapping already exists
-  public CommitContext alterSentryRoleGrantPrivilege(String roleName,
-      TSentryPrivilege privilege) throws SentryNoSuchObjectException, SentryInvalidInputException {
+  public CommitContext alterSentryRoleGrantPrivilege(String roleName, TSentryPrivilege privilege)
+      throws SentryNoSuchObjectException, SentryInvalidInputException {
     boolean rollbackTransaction = true;
     PersistenceManager pm = null;
-    roleName = roleName.trim().toLowerCase();
+    roleName = trimAndLower(roleName);
     try {
       pm = openTransaction();
-      Query query = pm.newQuery(MSentryRole.class);
-      query.setFilter("this.roleName == t");
-      query.declareParameters("java.lang.String t");
-      query.setUnique(true);
-      MSentryRole mRole = (MSentryRole) query.execute(roleName);
+      MSentryRole mRole = getMSentryRole(pm, roleName);
       if (mRole == null) {
         throw new SentryNoSuchObjectException("Role: " + roleName);
       } else {
         MSentryPrivilege mPrivilege = convertToMSentryPrivilege(privilege);
-        // add privilege and role objects to each other. needed by datanucleus to model
+        // Add privilege and role objects to each other. needed by datanucleus to model
         // m:n relationships correctly through a join table.
         mPrivilege.appendRole(mRole);
         mRole.appendPrivilege(mPrivilege);
@@ -530,9 +547,73 @@ public class SentryStore {
     }
   }
 
-  public TSentryRole getSentryRoleByName(String roleName)
-  throws SentryNoSuchObjectException {
-    return convertToSentryRole(getMSentryRoleByName(roleName));
+  private Set<MSentryPrivilege> getMSentryPrivilegesByRoleName(String roleName)
+    throws SentryNoSuchObjectException {
+      MSentryRole mSentryRole = getMSentryRoleByName(roleName);
+      return mSentryRole.getPrivileges();
+    }
+
+  /**
+   * Gets sentry privilege objects for a given roleName from the persistence layer
+   * @param roleName : roleName to look up
+   * @return : Set of thrift sentry privilege objects
+   * @throws SentryNoSuchObjectException
+   */
+
+  public Set<TSentryPrivilege> getTSentryPrivilegesByRoleName(String roleName)
+      throws SentryNoSuchObjectException {
+    return convertToTSentryPrivileges(getMSentryPrivilegesByRoleName(roleName));
+  }
+
+  private Set<MSentryRole> getMSentryRolesByGroupName(String groupName)
+      throws SentryNoSuchObjectException {
+    boolean rollbackTransaction = true;
+    PersistenceManager pm = null;
+    try {
+      Set<MSentryRole> roles;
+      pm = openTransaction();
+
+      //If no group name was specified, return all roles
+      if (groupName == null) {
+        Query query = pm.newQuery(MSentryRole.class);
+        roles = new HashSet<MSentryRole>((List<MSentryRole>)query.execute());
+      } else {
+        Query query = pm.newQuery(MSentryGroup.class);
+        MSentryGroup sentryGroup;
+        groupName = groupName.trim().toLowerCase();
+        query.setFilter("this.groupName == t");
+        query.declareParameters("java.lang.String t");
+        query.setUnique(true);
+        sentryGroup = (MSentryGroup) query.execute(groupName);
+        if (sentryGroup == null) {
+          throw new SentryNoSuchObjectException("Group " + groupName);
+        } else {
+          pm.retrieve(sentryGroup);
+        }
+        roles = sentryGroup.getRoles();
+      }
+      for ( MSentryRole role: roles) {
+        pm.retrieve(role);
+      }
+      commitTransaction(pm);
+      rollbackTransaction = false;
+      return roles;
+    } finally {
+      if (rollbackTransaction) {
+        rollbackTransaction(pm);
+      }
+    }
+  }
+
+  /**
+   * Gets sentry role objects for a given groupName from the persistence layer
+   * @param groupName : groupName to look up ( if null returns all roles for all groups)
+   * @return : Set of thrift sentry role objects
+   * @throws SentryNoSuchObjectException
+   */
+  public Set<TSentryRole> getTSentryRolesByGroupName(String groupName)
+      throws SentryNoSuchObjectException {
+    return convertToTSentryRoles(getMSentryRolesByGroupName(groupName));
   }
 
   private SetMultimap<String, String> getRoleToPrivilegeMap(Set<String> groups) {
@@ -613,35 +694,52 @@ public class SentryStore {
     return result;
   }
 
+
   /**
-   * Converts thrift object to model object. Additionally does normalization
+   * Converts model object(s) to thrift object(s).
+   * Additionally does normalization
    * such as trimming whitespace and setting appropriate case. Also sets the create
    * time.
    */
-  private MSentryRole convertToMSentryRole(String roleName, String grantorPrincipal) {
-    MSentryRole mRole = new MSentryRole();
-    mRole.setCreateTime(System.currentTimeMillis());
-    mRole.setRoleName(roleName.trim().toLowerCase());
-    mRole.setGrantorPrincipal(grantorPrincipal.trim());
-    return mRole;
+
+  private Set<TSentryPrivilege> convertToTSentryPrivileges(Set<MSentryPrivilege> mSentryPrivileges) {
+    Set<TSentryPrivilege> privileges = new HashSet<TSentryPrivilege>();
+    for(MSentryPrivilege mSentryPrivilege:mSentryPrivileges) {
+      privileges.add(convertToTSentryPrivilege(mSentryPrivilege));
+    }
+    return privileges;
+  }
+
+  private Set<TSentryRole> convertToTSentryRoles(Set<MSentryRole> mSentryRoles) {
+    Set<TSentryRole> roles = new HashSet<TSentryRole>();
+    for(MSentryRole mSentryRole:mSentryRoles) {
+      roles.add(convertToTSentryRole(mSentryRole));
+    }
+    return roles;
   }
 
-  private TSentryRole convertToSentryRole(MSentryRole mSentryRole) {
+  private TSentryRole convertToTSentryRole(MSentryRole mSentryRole) {
     TSentryRole role = new TSentryRole();
     role.setRoleName(mSentryRole.getRoleName());
     role.setGrantorPrincipal(mSentryRole.getGrantorPrincipal());
 
-    Set<TSentryPrivilege> sentryPrivileges = new HashSet<TSentryPrivilege>();
-    for(MSentryPrivilege mSentryPrivilege:mSentryRole.getPrivileges()) {
-      TSentryPrivilege privilege = convertToSentryPrivilege(mSentryPrivilege);
-      sentryPrivileges.add(privilege);
+    Set<TSentryGroup> sentryGroups = new HashSet<TSentryGroup>();
+    for(MSentryGroup mSentryGroup:mSentryRole.getGroups()) {
+      TSentryGroup group = convertToTSentryGroup(mSentryGroup);
+      sentryGroups.add(group);
     }
 
-    role.setPrivileges(sentryPrivileges);
+    role.setGroups(sentryGroups);
     return role;
   }
 
-  private TSentryPrivilege convertToSentryPrivilege(MSentryPrivilege mSentryPrivilege) {
+  private TSentryGroup convertToTSentryGroup(MSentryGroup mSentryGroup) {
+    TSentryGroup group = new TSentryGroup();
+    group.setGroupName(mSentryGroup.getGroupName());
+    return group;
+  }
+
+  private TSentryPrivilege convertToTSentryPrivilege(MSentryPrivilege mSentryPrivilege) {
     TSentryPrivilege privilege = new TSentryPrivilege();
     privilege.setCreateTime(mSentryPrivilege.getCreateTime());
     privilege.setPrivilegeName(mSentryPrivilege.getPrivilegeName());
@@ -680,4 +778,4 @@ public class SentryStore {
     }
     return s.trim();
   }
-}
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0fea11ab/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
index 7e73b2c..33b8735 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
@@ -18,10 +18,8 @@
 
 package org.apache.sentry.provider.db.service.thrift;
 
-import java.io.IOException;
-import java.net.InetSocketAddress;
-import java.util.Set;
-
+import com.google.common.base.Preconditions;
+import com.google.common.collect.Sets;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.net.NetUtils;
 import org.apache.hadoop.security.SaslRpcServer;
@@ -44,8 +42,10 @@ import org.apache.thrift.transport.TTransportException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import com.google.common.base.Preconditions;
-import com.google.common.collect.Sets;
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.util.HashSet;
+import java.util.Set;
 
 public class SentryPolicyServiceClient {
 
@@ -58,6 +58,7 @@ public class SentryPolicyServiceClient {
   private int connectionTimeout;
   private static final Logger LOGGER = LoggerFactory
                                        .getLogger(SentryPolicyServiceClient.class);
+  private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occured ";
 
   public SentryPolicyServiceClient(Configuration conf) throws IOException {
     this.conf = conf;
@@ -109,8 +110,7 @@ public class SentryPolicyServiceClient {
       TCreateSentryRoleResponse response = client.create_sentry_role(request);
       Status.throwIfNotOk(response.getStatus());
     } catch (TException e) {
-      String msg = "Thrift exception occured: " + e.getMessage();
-      throw new SentryUserException(msg, e);
+      throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
     }
   }
 
@@ -142,14 +142,66 @@ public class SentryPolicyServiceClient {
       }
       Status.throwIfNotOk(response.getStatus());
     } catch (TException e) {
-      String msg = "Thrift exception occured: " + e.getMessage();
-      throw new SentryUserException(msg, e);
+      throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+    }
+  }
+
+  /**
+   * Gets sentry role objects for a given groupName using the Sentry service
+   * @param requestorUserName : user on whose behalf the request is issued
+   * @param requestorUserGroupNames :groups the requesting user belongs to
+   * @param groupName : groupName to look up ( if null returns all roles for all groups)
+   * @return Set of thrift sentry role objects
+   * @throws SentryUserException
+   */
+  public Set<TSentryRole> listRolesByGroupName(String requestorUserName,
+      Set<String> requestorUserGroupNames, String groupName)
+  throws SentryUserException {
+    TListSentryRolesRequest request = new TListSentryRolesRequest();
+    request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
+    request.setRequestorUserName(requestorUserName);
+    request.setRequestorGroupNames(requestorUserGroupNames);
+    request.setGroupName(groupName);
+    TListSentryRolesResponse response;
+    Set<String> roles = new HashSet<String>();
+    try {
+      response = client.list_sentry_roles_by_group(request);
+      Status.throwIfNotOk(response.getStatus());
+      return response.getRoles();
+    } catch (TException e) {
+      throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
+    }
+  }
+
+  /**
+   * Gets sentry privilege objects for a given roleName using the Sentry service
+   * @param requestorUserName : user on whose behalf the request is issued
+   * @param requestorUserGroupNames :groups the requesting user belongs to
+   * @param roleName : roleName to look up
+   * @return Set of thrift sentry privilege objects
+   * @throws SentryUserException
+   */
+  public Set<TSentryPrivilege> listPrivilegesByRoleName(String requestorUserName,
+      Set<String> requestorUserGroupNames, String roleName)
+  throws SentryUserException {
+    TListSentryPrivilegesRequest request = new TListSentryPrivilegesRequest();
+    request.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
+    request.setRequestorUserName(requestorUserName);
+    request.setRequestorGroupNames(requestorUserGroupNames);
+    request.setRoleName(roleName);
+    TListSentryPrivilegesResponse response;
+    try {
+      response = client.list_sentry_privileges_by_role(request);
+      Status.throwIfNotOk(response.getStatus());
+      return response.getPrivileges();
+    } catch (TException e) {
+      throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
     }
   }
 
-  public TListSentryRolesResponse listRoleByName(TListSentryRolesRequest req)
-  throws TException {
-    return client.list_sentry_roles_by_role_name(req);
+  public Set<TSentryRole> listRoles(String requestorUserName, Set<String> requestorUserGroupNames)
+       throws SentryUserException {
+    return listRolesByGroupName(requestorUserName, requestorUserGroupNames, null);
   }
 
   public void grantURIPrivilege(String requestorUserName, Set<String> requestorUserGroupNames,
@@ -202,8 +254,7 @@ public class SentryPolicyServiceClient {
       TAlterSentryRoleGrantPrivilegeResponse response = client.alter_sentry_role_grant_privilege(request);
       Status.throwIfNotOk(response.getStatus());
     } catch (TException e) {
-      String msg = "Thrift exception occured: " + e.getMessage();
-      throw new SentryUserException(msg, e);
+      throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
     }
   }
 
@@ -257,12 +308,11 @@ public class SentryPolicyServiceClient {
       TAlterSentryRoleRevokePrivilegeResponse response = client.alter_sentry_role_revoke_privilege(request);
       Status.throwIfNotOk(response.getStatus());
     } catch (TException e) {
-      String msg = "Thrift exception occured: " + e.getMessage();
-      throw new SentryUserException(msg, e);
+      throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
     }
   }
 
-  public Set<String> listPrivileges(Set<String> groups, ActiveRoleSet roleSet)
+  public Set<String> listPrivilegesForProvider(Set<String> groups, ActiveRoleSet roleSet)
   throws SentryUserException {
     TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles());
     TListSentryPrivilegesForProviderRequest request =
@@ -273,8 +323,7 @@ public class SentryPolicyServiceClient {
       Status.throwIfNotOk(response.getStatus());
       return response.getPrivileges();
     } catch (TException e) {
-      String msg = "Thrift exception occured: " + e.getMessage();
-      throw new SentryUserException(msg, e);
+      throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
     }
   }
 
@@ -288,8 +337,7 @@ public class SentryPolicyServiceClient {
       TAlterSentryRoleAddGroupsResponse response = client.alter_sentry_role_add_groups(request);
       Status.throwIfNotOk(response.getStatus());
     } catch (TException e) {
-      String msg = "Thrift exception occured: " + e.getMessage();
-      throw new SentryUserException(msg, e);
+      throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
     }
   }
 
@@ -303,8 +351,7 @@ public class SentryPolicyServiceClient {
       TAlterSentryRoleDeleteGroupsResponse response = client.alter_sentry_role_delete_groups(request);
       Status.throwIfNotOk(response.getStatus());
     } catch (TException e) {
-      String msg = "Thrift exception occured: " + e.getMessage();
-      throw new SentryUserException(msg, e);
+      throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
     }
   }
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0fea11ab/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
index 6c52fa4..3b3bdc3 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -18,12 +18,12 @@
 
 package org.apache.sentry.provider.db.service.thrift;
 
-import java.lang.reflect.Constructor;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import org.apache.commons.lang.StringUtils;
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Preconditions;
+import com.google.common.base.Splitter;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
 import org.apache.hadoop.conf.Configuration;
 import org.apache.sentry.provider.db.SentryAccessDeniedException;
 import org.apache.sentry.provider.db.SentryAlreadyExistsException;
@@ -32,19 +32,17 @@ import org.apache.sentry.provider.db.SentryNoSuchObjectException;
 import org.apache.sentry.provider.db.service.persistent.CommitContext;
 import org.apache.sentry.provider.db.service.persistent.SentryStore;
 import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants.PolicyStoreServerConfig;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
 import org.apache.sentry.service.thrift.Status;
 import org.apache.sentry.service.thrift.TSentryResponseStatus;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
 import org.apache.thrift.TException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Preconditions;
-import com.google.common.base.Splitter;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
+import java.lang.reflect.Constructor;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
 
 @SuppressWarnings("unused")
 public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
@@ -298,12 +296,11 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
     TListSentryRolesRequest request) throws TException {
     TListSentryRolesResponse response = new TListSentryRolesResponse();
     TSentryResponseStatus status;
-    TSentryRole role = null;
     Set<TSentryRole> roleSet = new HashSet<TSentryRole>();
     try {
-      // TODO implement
-      role = sentryStore.getSentryRoleByName(request.getRoleName());
-      roleSet.add(role);
+      //TODO: Handle authorization for metadata queries
+      authorize(request.getRequestorUserName(), request.getRequestorGroupNames());
+      roleSet = sentryStore.getTSentryRolesByGroupName(request.getGroupName());
       response.setRoles(roleSet);
       response.setStatus(Status.OK());
     } catch (SentryNoSuchObjectException e) {
@@ -320,19 +317,22 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
   }
 
   @Override
-  public TListSentryRolesResponse list_sentry_roles_by_role_name(
-    TListSentryRolesRequest request) throws TException {
-    TListSentryRolesResponse response = new TListSentryRolesResponse();
-    TSentryRole role = null;
-    Set<TSentryRole> roleSet = new HashSet<TSentryRole>();
+  public TListSentryPrivilegesResponse list_sentry_privileges_by_role(
+      TListSentryPrivilegesRequest request) throws TException {
+    TListSentryPrivilegesResponse response = new TListSentryPrivilegesResponse();
+    TSentryResponseStatus status;
+    Set<TSentryPrivilege> privilegeSet = new HashSet<TSentryPrivilege>();
     try {
-      role = sentryStore.getSentryRoleByName(request.getRoleName());
-      roleSet.add(role);
-      response.setRoles(roleSet);
+      //TODO: Handle authorization for metadata queries
+      // Shall we allow only admin users to list privileges
+      // or allow all users as long as user is granted this role?
+      authorize(request.getRequestorUserName(), request.getRequestorGroupNames());
+      privilegeSet = sentryStore.getTSentryPrivilegesByRoleName(request.getRoleName());
+      response.setPrivileges(privilegeSet);
       response.setStatus(Status.OK());
     } catch (SentryNoSuchObjectException e) {
-      response.setRoles(roleSet);
-      String msg = "Role: " + request + " couldn't be retrieved.";
+      response.setPrivileges(privilegeSet);
+      String msg = "Privilege: " + request + " couldn't be retrieved.";
       LOGGER.error(msg, e);
       response.setStatus(Status.NoSuchObject(msg, e));
     } catch (Exception e) {

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0fea11ab/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
index 677047f..a8b511d 100644
--- a/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
+++ b/sentry-provider/sentry-provider-db/src/main/resources/sentry_policy_service.thrift
@@ -70,25 +70,6 @@ struct TDropSentryRoleResponse {
 1: required sentry_common_service.TSentryResponseStatus status
 }
 
-# TODO what is this implementing SHOW GRANT/SHOW ROLE GRANT?
-# We should have seperate requests for those commands
-struct TListSentryRolesRequest {
-1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1,
-2: required string requestorUserName, # user on whose behalf the request is issued
-3: optional string rolerequestorGroupNames, # list roles for this group
-4: required string roleName # role get prirvilges for
-}
-# used only for TListSentryRolesResponse
-struct TSentryRole {
-1: required string roleName,
-2: required set<TSentryPrivilege> privileges,
-3: required string grantorPrincipal
-}
-struct TListSentryRolesResponse {
-1: required sentry_common_service.TSentryResponseStatus status
-2: required set<TSentryRole> roles
-}
-
 # GRANT ROLE r1 TO GROUP g1
 struct TAlterSentryRoleAddGroupsRequest {
 1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1,
@@ -138,6 +119,36 @@ struct TAlterSentryRoleRevokePrivilegeResponse {
 1: required sentry_common_service.TSentryResponseStatus status
 }
 
+# SHOW ROLE GRANT
+struct TListSentryRolesRequest {
+1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1,
+2: required string requestorUserName, # user on whose behalf the request is issued
+3: required set<string> requestorGroupNames,# groups the requesting user belongs to
+4: optional string groupName # for this group, or all roles for all groups if null
+}
+# used only for TListSentryRolesResponse
+struct TSentryRole {
+1: required string roleName,
+2: required set<TSentryGroup> groups,
+3: required string grantorPrincipal
+}
+struct TListSentryRolesResponse {
+1: required sentry_common_service.TSentryResponseStatus status
+2: required set<TSentryRole> roles
+}
+
+# SHOW GRANT
+struct TListSentryPrivilegesRequest {
+1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V1,
+2: required string requestorUserName, # user on whose behalf the request is issued
+3: required set<string> requestorGroupNames,# groups the requesting user belongs to
+4: required string roleName # get privileges assigned for this role
+}
+struct TListSentryPrivilegesResponse {
+1: required sentry_common_service.TSentryResponseStatus status
+2: required set<TSentryPrivilege> privileges
+}
+
 # This API was created specifically for ProviderBackend.getPrivileges
 # and is not mean for general purpose privilege retrieval.
 # This request/response pair are created specifically so we can
@@ -168,8 +179,9 @@ service SentryPolicyService
   TAlterSentryRoleDeleteGroupsResponse alter_sentry_role_delete_groups(1:TAlterSentryRoleDeleteGroupsRequest request)
 
   TListSentryRolesResponse list_sentry_roles_by_group(1:TListSentryRolesRequest request)
-  TListSentryRolesResponse list_sentry_roles_by_role_name(1:TListSentryRolesRequest request)
+
+  TListSentryPrivilegesResponse list_sentry_privileges_by_role(1:TListSentryPrivilegesRequest request)
 
   # For use with ProviderBackend.getPrivileges only
   TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(1:TListSentryPrivilegesForProviderRequest request)
-}
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0fea11ab/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
index dcaa246..e211079 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceIntegration.java
@@ -17,25 +17,22 @@
  */
 
 package org.apache.sentry.provider.db.service.thrift;
-import static junit.framework.Assert.assertEquals;
-
-import java.util.HashSet;
-import java.util.Set;
 
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.provider.common.ProviderBackendContext;
-import org.apache.sentry.provider.db.SimpleDBProviderBackend;
+import com.google.common.collect.Sets;
+import org.apache.sentry.provider.db.service.persistent.SentryStore;
 import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.apache.sentry.service.thrift.ServiceConstants.ThriftConstants;
 import org.junit.Test;
 
-import com.google.common.collect.Sets;
+import java.util.Set;
+
+import static junit.framework.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 
 
 public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
 
   @Test
-  public void testCreateRole() throws Exception {
+  public void testCreateDropShowRole() throws Exception {
     String requestorUserName = ADMIN_USER;
     Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
     String roleName = "admin_r";
@@ -44,56 +41,68 @@ public class TestSentryServiceIntegration extends SentryServiceIntegrationBase {
 
     client.createRole(requestorUserName, requestorUserGroupNames, roleName);
 
-    TListSentryRolesRequest listReq = new TListSentryRolesRequest();
-    listReq.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
-    listReq.setRoleName(roleName);
-    listReq.setRequestorUserName(requestorUserName);
-    TListSentryRolesResponse listResp = client.listRoleByName(listReq);
-    Set<TSentryRole> roles = listResp.getRoles();
-    assertEquals("Incorrect number of roles:" + roles, 1, roles.size());
+    Set<TSentryRole> roles = client.listRoles(requestorUserName, requestorUserGroupNames);
+    assertEquals("Incorrect number of roles", 1, roles.size());
 
+    for (TSentryRole role:roles) {
+      assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
+    }
     client.dropRole(requestorUserName, requestorUserGroupNames, roleName);
   }
 
   @Test
-  public void testGrantRevokePrivilege() throws Exception {
-    String server = "server1";
+  public void testShowRoleGrant() throws Exception {
     String requestorUserName = ADMIN_USER;
     Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
     String roleName = "admin_testdb";
+    String groupName = "group1";
+
+    client.dropRoleIfExists(requestorUserName, requestorUserGroupNames, roleName);
+    client.createRole(requestorUserName, requestorUserGroupNames, roleName);
+
+    Set<TSentryRole> roles = client.listRoles(requestorUserName, requestorUserGroupNames);
+    assertEquals("Incorrect number of roles", 1, roles.size());
+
+    client.grantRoleToGroup(requestorUserName, requestorUserGroupNames, groupName, roleName);
+    Set<TSentryRole> groupRoles = client.listRolesByGroupName(requestorUserName,
+        requestorUserGroupNames, groupName);
+    assertTrue(groupRoles.size() == 1);
+    for (TSentryRole role:groupRoles) {
+      assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
+      assertTrue(role.getGroups().size() == 1);
+      for (TSentryGroup group :role.getGroups()) {
+        assertTrue(group.getGroupName(), group.getGroupName().equalsIgnoreCase(groupName));
+      }
+    }
+
+    client.dropRole(requestorUserName, requestorUserGroupNames, roleName);
+  }
+
+  @Test
+  public void testShowGrant() throws Exception {
+    String requestorUserName = ADMIN_USER;
+    Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+    String roleName = "admin_testdb";
+    String server = "server1";
     String db = "testDB";
-    String group = "group1";
 
     client.dropRoleIfExists(requestorUserName, requestorUserGroupNames, roleName);
     client.createRole(requestorUserName, requestorUserGroupNames, roleName);
 
-    TListSentryRolesRequest listReq = new TListSentryRolesRequest();
-    listReq.setProtocol_version(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
-    listReq.setRoleName("admin_testdb");
-    listReq.setRequestorUserName(requestorUserName);
-    TListSentryRolesResponse listResp = client.listRoleByName(listReq);
-    Set<TSentryRole> roles = listResp.getRoles();
-    assertEquals("Incorrect number of roles:" + roles, 1, roles.size());
+    Set<TSentryRole> roles = client.listRoles(requestorUserName, requestorUserGroupNames);
+    assertEquals("Incorrect number of roles", 1, roles.size());
 
     client.grantDatabasePrivilege(requestorUserName, requestorUserGroupNames, roleName, server, db);
-
-    // verify we can get the privileges from the backend
-    SimpleDBProviderBackend dbBackend = new SimpleDBProviderBackend(client);
-    dbBackend.initialize(new ProviderBackendContext());
-    assertEquals(Sets.newHashSet(), dbBackend.getPrivileges(Sets.newHashSet(group),
-        new ActiveRoleSet(true)));
-    client.grantRoleToGroup(requestorUserName, requestorUserGroupNames, group, roleName);
-    assertEquals(Sets.newHashSet(), dbBackend.getPrivileges(Sets.newHashSet(group),
-        new ActiveRoleSet(new HashSet<String>())));
-    assertEquals(Sets.newHashSet("server="+ server + "->db=" + db + "->action=*"),
-        dbBackend.getPrivileges(Sets.newHashSet("group1"),
-        new ActiveRoleSet(true)));
-    assertEquals(Sets.newHashSet("server="+ server + "->db=" + db + "->action=*"),
-        dbBackend.getPrivileges(Sets.newHashSet(group),
-        new ActiveRoleSet(Sets.newHashSet(roleName))));
+    Set<TSentryPrivilege> privileges = client.listPrivilegesByRoleName(requestorUserName,
+        requestorUserGroupNames, roleName);
+    assertTrue(privileges.size() == 1);
+    for (TSentryPrivilege privilege:privileges) {
+      assertTrue(privilege.getPrivilegeName(),
+        privilege.getPrivilegeName().equalsIgnoreCase(SentryStore.constructPrivilegeName(privilege)));
+    }
 
     client.revokeDatabasePrivilege(requestorUserName, requestorUserGroupNames, roleName, server, db);
     client.dropRole(requestorUserName, requestorUserGroupNames, roleName);
   }
 
-}
+}
\ No newline at end of file


Mime
View raw message