sentry-commits mailing list archives

From sra...@apache.org
Subject git commit: SENTRY-347: Generate the audit log in Json format (Colin Ma via Sravya Tirukkovalur)
Date Fri, 01 Aug 2014 21:15:04 GMT
Repository: incubator-sentry
Updated Branches:
  refs/heads/master c643db28d -> a170f53bd


SENTRY-347: Generate the audit log in Json format (Colin Ma via Sravya Tirukkovalur)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/a170f53b
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/a170f53b
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/a170f53b

Branch: refs/heads/master
Commit: a170f53bde4a3947243ca0439544b2769c9240ee
Parents: c643db2
Author: Sravya Tirukkovalur <sravya@clouera.com>
Authored: Fri Aug 1 14:14:17 2014 -0700
Committer: Sravya Tirukkovalur <sravya@clouera.com>
Committed: Fri Aug 1 14:14:17 2014 -0700

----------------------------------------------------------------------
 pom.xml                                         |  12 +
 .../db/log/entity/AuditMetadataLogEntity.java   | 227 ++++++++++++++
 .../provider/db/log/entity/JsonLogEntity.java   |  25 ++
 .../db/log/entity/JsonLogEntityFactory.java     | 143 +++++++++
 .../provider/db/log/util/CommandUtil.java       | 169 +++++++++++
 .../sentry/provider/db/log/util/Constants.java  |  98 ++++++
 .../thrift/SentryPolicyStoreProcessor.java      |  19 ++
 .../SentryPolicyStoreProcessorFactory.java      |   2 +-
 .../service/thrift/SentryProcessorWrapper.java  |  83 +++++
 .../sentry/service/thrift/ServiceConstants.java |   3 +
 .../log/entity/TestAuditMetadataLogEntity.java  |  68 +++++
 .../db/log/entity/TestJsonLogEntityFactory.java | 293 ++++++++++++++++++
 .../provider/db/log/util/TestCommandUtil.java   | 303 +++++++++++++++++++
 13 files changed, 1444 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 3d5492d..01c87f1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -166,6 +166,18 @@ limitations under the License.
         <artifactId>hive-metastore</artifactId>
         <version>${hive.version}</version>
       </dependency>
+
+      <dependency>
+         <groupId>org.codehaus.jackson</groupId>
+         <artifactId>jackson-core-asl</artifactId>
+         <version>${jackson.version}</version>
+       </dependency>
+       <dependency>
+         <groupId>org.codehaus.jackson</groupId>
+         <artifactId>jackson-mapper-asl</artifactId>
+         <version>${jackson.version}</version>
+      </dependency>
+
       <dependency>
         <groupId>org.apache.hive</groupId>
         <artifactId>hive-beeline</artifactId>

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java
new file mode 100644
index 0000000..e1d8a9e
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/AuditMetadataLogEntity.java
@@ -0,0 +1,227 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+import java.io.IOException;
+import java.io.StringWriter;
+
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.codehaus.jackson.JsonFactory;
+import org.codehaus.jackson.JsonGenerator;
+import org.codehaus.jackson.JsonNode;
+import org.codehaus.jackson.map.MappingJsonFactory;
+import org.codehaus.jackson.map.ObjectMapper;
+import org.codehaus.jackson.node.ContainerNode;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class AuditMetadataLogEntity implements JsonLogEntity {
+
+  private static final Logger LOGGER = LoggerFactory
+      .getLogger(AuditMetadataLogEntity.class);
+  private static final JsonFactory factory = new MappingJsonFactory();
+  private String serviceName;
+  private String userName;
+  private String impersonator;
+  private String ipAddress;
+  private String operation;
+  private String eventTime;
+  private String operationText;
+  private String allowed;
+  private String databaseName;
+  private String tableName;
+  private String resourcePath;
+  private String objectType;
+
+  public AuditMetadataLogEntity() {
+  }
+
+  public AuditMetadataLogEntity(String serviceName, String userName,
+      String impersonator, String ipAddress, String operation,
+      String eventTime, String operationText, String allowed,
+      String databaseName, String tableName, String resourcePath,
+      String objectType) {
+    this.serviceName = serviceName;
+    this.userName = userName;
+    this.impersonator = impersonator;
+    this.ipAddress = ipAddress;
+    this.operation = operation;
+    this.eventTime = eventTime;
+    this.operationText = operationText;
+    this.allowed = allowed;
+    this.databaseName = databaseName;
+    this.tableName = tableName;
+    this.resourcePath = resourcePath;
+    this.objectType = objectType;
+  }
+
+  @Override
+  public String toJsonFormatLog() {
+    StringWriter stringWriter = new StringWriter();
+    JsonGenerator json = null;
+    try {
+      json = factory.createJsonGenerator(stringWriter);
+      json.writeStartObject();
+      json.writeStringField(Constants.LOG_FIELD_SERVICE_NAME, serviceName);
+      json.writeStringField(Constants.LOG_FIELD_USER_NAME, userName);
+      json.writeStringField(Constants.LOG_FIELD_IMPERSONATOR, impersonator);
+      json.writeStringField(Constants.LOG_FIELD_IP_ADDRESS, ipAddress);
+      json.writeStringField(Constants.LOG_FIELD_OPERATION, operation);
+      json.writeStringField(Constants.LOG_FIELD_EVENT_TIME, eventTime);
+      json.writeStringField(Constants.LOG_FIELD_OPERATION_TEXT, operationText);
+      json.writeStringField(Constants.LOG_FIELD_ALLOWED, allowed);
+      json.writeStringField(Constants.LOG_FIELD_DATABASE_NAME, databaseName);
+      json.writeStringField(Constants.LOG_FIELD_TABLE_NAME, tableName);
+      json.writeStringField(Constants.LOG_FIELD_RESOURCE_PATH, resourcePath);
+      json.writeStringField(Constants.LOG_FIELD_OBJECT_TYPE, objectType);
+      json.writeEndObject();
+      json.flush();
+    } catch (IOException e) {
+      // if there has error when creating the audit log in json, set the audit
+      // log to empty.
+      stringWriter = new StringWriter();
+      String msg = "Error creating audit log in json format: " + e.getMessage();
+      LOGGER.error(msg, e);
+    } finally {
+      try {
+        if (json != null) {
+          json.close();
+        }
+      } catch (IOException e) {
+        LOGGER.error("Error closing JsonGenerator", e);
+      }
+    }
+
+    return stringWriter.toString();
+  }
+
+  public String getServiceName() {
+    return serviceName;
+  }
+
+  public void setServiceName(String serviceName) {
+    this.serviceName = serviceName;
+  }
+
+  public String getUserName() {
+    return userName;
+  }
+
+  public void setUserName(String userName) {
+    this.userName = userName;
+  }
+
+  public String getImpersonator() {
+    return impersonator;
+  }
+
+  public void setImpersonator(String impersonator) {
+    this.impersonator = impersonator;
+  }
+
+  public String getIpAddress() {
+    return ipAddress;
+  }
+
+  public void setIpAddress(String ipAddress) {
+    this.ipAddress = ipAddress;
+  }
+
+  public String getOperation() {
+    return operation;
+  }
+
+  public void setOperation(String operation) {
+    this.operation = operation;
+  }
+
+  public String getEventTime() {
+    return eventTime;
+  }
+
+  public void setEventTime(String eventTime) {
+    this.eventTime = eventTime;
+  }
+
+  public String getOperationText() {
+    return operationText;
+  }
+
+  public void setOperationText(String operationText) {
+    this.operationText = operationText;
+  }
+
+  public String getAllowed() {
+    return allowed;
+  }
+
+  public void setAllowed(String allowed) {
+    this.allowed = allowed;
+  }
+
+  public String getDatabaseName() {
+    return databaseName;
+  }
+
+  public void setDatabaseName(String databaseName) {
+    this.databaseName = databaseName;
+  }
+
+  public String getTableName() {
+    return tableName;
+  }
+
+  public void setTableName(String tableName) {
+    this.tableName = tableName;
+  }
+
+  public String getResourcePath() {
+    return resourcePath;
+  }
+
+  public void setResourcePath(String resourcePath) {
+    this.resourcePath = resourcePath;
+  }
+
+  public String getObjectType() {
+    return objectType;
+  }
+
+  public void setObjectType(String objectType) {
+    this.objectType = objectType;
+  }
+
+  /**
+   * For use in tests
+   * 
+   * @param json
+   *          incoming JSON to parse
+   * @return a node tree
+   * @throws IOException
+   *           on any parsing problems
+   */
+  public static ContainerNode parse(String json) throws IOException {
+    ObjectMapper mapper = new ObjectMapper(factory);
+    JsonNode jsonNode = mapper.readTree(json);
+    if (!(jsonNode instanceof ContainerNode)) {
+      throw new IOException("Wrong JSON data: " + json);
+    }
+    return (ContainerNode) jsonNode;
+  }
+}
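Review bot: In `toJsonFormatLog()` the `catch (IOException e)` branch replaces the writer and returns an empty string, so the caller's audit logger receives a blank entry and the event is missing from the audit trail; the only trace is in this class's own `LOGGER`. An IOException is unlikely with a `StringWriter`, but for an audit log it is safer to return a minimal fallback record that marks the entry as a serialization failure than to return `""`. The static `parse` helper is documented as test-only yet is public on the production class and copies the whole input into the exception message (`"Wrong JSON data: " + json`); moving it to the test tree would keep it off the production surface. The class and `toJsonFormatLog()` also have no Javadoc stating that every field is written as a JSON string and what is returned on failure.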

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java
new file mode 100644
index 0000000..7ad6966
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntity.java
@@ -0,0 +1,25 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+public interface JsonLogEntity {
+
+  public String toJsonFormatLog();
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
new file mode 100644
index 0000000..2cc8194
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/entity/JsonLogEntityFactory.java
@@ -0,0 +1,143 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.provider.db.log.util.CommandUtil;
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsResponse;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsResponse;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeResponse;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeResponse;
+import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleRequest;
+import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleResponse;
+import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest;
+import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleResponse;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.apache.sentry.service.thrift.Status;
+import org.apache.sentry.service.thrift.TSentryResponseStatus;
+
+public class JsonLogEntityFactory {
+
+  private static JsonLogEntityFactory factory = new JsonLogEntityFactory();
+
+  private JsonLogEntityFactory() {
+  };
+
+  public static JsonLogEntityFactory getInstance() {
+    return factory;
+  }
+
+  public JsonLogEntity createJsonLogEntity(TCreateSentryRoleRequest request,
+      TCreateSentryRoleResponse response, Configuration conf) {
+    AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(),
+        request.getRequestorUserName(), request.getClass().getName());
+    amle.setOperationText(CommandUtil.createCmdForCreateOrDropRole(
+        request.getRoleName(), true));
+
+    return amle;
+  }
+
+  public JsonLogEntity createJsonLogEntity(TDropSentryRoleRequest request,
+      TDropSentryRoleResponse response, Configuration conf) {
+    AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(),
+        request.getRequestorUserName(), request.getClass().getName());
+    amle.setOperationText(CommandUtil.createCmdForCreateOrDropRole(
+        request.getRoleName(), false));
+
+    return amle;
+  }
+
+  public JsonLogEntity createJsonLogEntity(
+      TAlterSentryRoleGrantPrivilegeRequest request,
+      TAlterSentryRoleGrantPrivilegeResponse response, Configuration conf) {
+    AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(),
+        request.getRequestorUserName(), request.getClass().getName());
+    amle.setOperationText(CommandUtil.createCmdForGrantPrivilege(request));
+    TSentryPrivilege privilege = request.getPrivilege();
+    amle.setDatabaseName(privilege.getDbName());
+    amle.setTableName(privilege.getTableName());
+    amle.setResourcePath(privilege.getURI());
+
+    return amle;
+  }
+
+  public JsonLogEntity createJsonLogEntity(
+      TAlterSentryRoleRevokePrivilegeRequest request,
+      TAlterSentryRoleRevokePrivilegeResponse response, Configuration conf) {
+    AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(),
+        request.getRequestorUserName(), request.getClass().getName());
+    amle.setOperationText(CommandUtil.createCmdForRevokePrivilege(request));
+    TSentryPrivilege privilege = request.getPrivilege();
+    amle.setDatabaseName(privilege.getDbName());
+    amle.setTableName(privilege.getTableName());
+    amle.setResourcePath(privilege.getURI());
+
+    return amle;
+  }
+
+  public JsonLogEntity createJsonLogEntity(
+      TAlterSentryRoleAddGroupsRequest request,
+      TAlterSentryRoleAddGroupsResponse response, Configuration conf) {
+    AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(),
+        request.getRequestorUserName(), request.getClass().getName());
+    amle.setOperationText(CommandUtil.createCmdForRoleAddGroup(request));
+
+    return amle;
+  }
+
+  public JsonLogEntity createJsonLogEntity(
+      TAlterSentryRoleDeleteGroupsRequest request,
+      TAlterSentryRoleDeleteGroupsResponse response, Configuration conf) {
+    AuditMetadataLogEntity amle = createCommonAMLE(conf, response.getStatus(),
+        request.getRequestorUserName(), request.getClass().getName());
+    amle.setOperationText(CommandUtil.createCmdForRoleDeleteGroup(request));
+
+    return amle;
+  }
+
+  public String isAllowed(TSentryResponseStatus status) {
+    if (status.equals(Status.OK())) {
+      return Constants.TRUE;
+    }
+    return Constants.FALSE;
+  }
+
+  private AuditMetadataLogEntity createCommonAMLE(Configuration conf,
+      TSentryResponseStatus responseStatus, String userName,
+      String requestClassName) {
+    AuditMetadataLogEntity amle = new AuditMetadataLogEntity();
+    amle.setUserName(userName);
+    amle.setServiceName(conf.get(ServerConfig.SENTRY_SERVICE_NAME,
+        ServerConfig.SENTRY_SERVICE_NAME_DEFAULT).trim());
+    amle.setImpersonator(CommandUtil.getImpersonator());
+    amle.setIpAddress(CommandUtil.getIpAddress());
+    amle.setOperation(Constants.requestTypeToOperationMap.get(requestClassName));
+    amle.setEventTime(Long.toString(System.currentTimeMillis()));
+    amle.setAllowed(isAllowed(responseStatus));
+    amle.setObjectType(Constants.requestTypeToObjectTypeMap
+        .get(requestClassName));
+    return amle;
+  }
+}
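Review bot: The grant and revoke overloads of `createJsonLogEntity` dereference `request.getPrivilege()` without a null check (`privilege.getDbName()`, `privilege.getTableName()`, `privilege.getURI()`), and `isAllowed` calls `status.equals(Status.OK())` on the response status in the same way. Whether these can be absent depends on the Thrift definitions, which are not visible here, so this needs confirming; if they can, building the audit record throws a NullPointerException for a request that has already been processed. Guarding with `if (privilege != null) { ... }` and writing the comparison as `Status.OK().equals(status)` would let a malformed request still produce an audit entry with `allowed` set to false. `createCommonAMLE` also stores whatever `requestTypeToOperationMap.get(requestClassName)` returns, so an unmapped request type ends up with a null `operation` in the log.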

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
new file mode 100644
index 0000000..b2b5187
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
@@ -0,0 +1,169 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.util;
+
+import java.util.Iterator;
+
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
+
+public class CommandUtil {
+
+  public static String createCmdForCreateOrDropRole(String roleName,
+      boolean isCreate) {
+    if (isCreate) {
+      return "CREATE ROLE " + roleName;
+    }
+    return "DROP ROLE " + roleName;
+  }
+
+  public static String createCmdForRoleAddGroup(
+      TAlterSentryRoleAddGroupsRequest request) {
+    return createCmdForRoleAddOrDeleteGroup(request.getRoleName(),
+        request.getGroupsIterator(), true);
+  }
+
+  public static String createCmdForRoleDeleteGroup(
+      TAlterSentryRoleDeleteGroupsRequest request) {
+    return createCmdForRoleAddOrDeleteGroup(request.getRoleName(),
+        request.getGroupsIterator(), false);
+  }
+
+  private static String createCmdForRoleAddOrDeleteGroup(String roleName,
+      Iterator<TSentryGroup> iter, boolean isAddGroup) {
+    StringBuilder sb = new StringBuilder();
+    if (isAddGroup) {
+      sb.append("GRANT ROLE ");
+    } else {
+      sb.append("REVOKE ROLE ");
+    }
+    sb.append(roleName);
+    if (isAddGroup) {
+      sb.append(" TO ");
+    } else {
+      sb.append(" FROM ");
+    }
+
+    if (iter != null) {
+      sb.append("GROUP ");
+      boolean commaFlg = false;
+      while (iter.hasNext()) {
+        if (commaFlg) {
+          sb.append(", ");
+        } else {
+          commaFlg = true;
+        }
+        sb.append(iter.next().getGroupName());
+      }
+    } else {
+      sb = new StringBuilder("Missing group information.");
+    }
+
+    return sb.toString();
+  }
+
+  public static String createCmdForGrantPrivilege(
+      TAlterSentryRoleGrantPrivilegeRequest request) {
+    return createCmdForGrantOrRevokePrivilege(request.getRoleName(),
+        request.getPrivilege(), true);
+  }
+
+  public static String createCmdForRevokePrivilege(
+      TAlterSentryRoleRevokePrivilegeRequest request) {
+    return createCmdForGrantOrRevokePrivilege(request.getRoleName(),
+        request.getPrivilege(), false);
+  }
+
+  private static String createCmdForGrantOrRevokePrivilege(String roleName,
+      TSentryPrivilege privilege, boolean isGrant) {
+    StringBuilder sb = new StringBuilder();
+    if (isGrant) {
+      sb.append("GRANT ");
+    } else {
+      sb.append("REVOKE ");
+    }
+
+    String action = privilege.getAction();
+    String privilegeScope = privilege.getPrivilegeScope();
+    if (AccessConstants.ALL.equalsIgnoreCase(action)) {
+      sb.append("ALL");
+    } else {
+      if (action != null) {
+        action = action.toUpperCase();
+      }
+      sb.append(action);
+    }
+
+    sb.append(" ON ").append(privilege.getPrivilegeScope()).append(" ");
+    if (PrivilegeScope.DATABASE.name().equalsIgnoreCase(privilegeScope)) {
+      sb.append(privilege.getDbName());
+    } else if (PrivilegeScope.TABLE.name().equalsIgnoreCase(privilegeScope)) {
+      sb.append(privilege.getTableName());
+    } else if (PrivilegeScope.SERVER.name().equalsIgnoreCase(privilegeScope)) {
+      sb.append(privilege.getServerName());
+    } else if (PrivilegeScope.URI.name().equalsIgnoreCase(privilegeScope)) {
+      sb.append(privilege.getURI());
+    }
+
+    if (isGrant) {
+      sb.append(" TO ROLE ");
+    } else {
+      sb.append(" FROM ROLE ");
+    }
+    sb.append(roleName);
+
+    return sb.toString();
+  }
+
+  private static ThreadLocal<String> threadLocalIpAddress = new ThreadLocal<String>() {
+    @Override
+    protected synchronized String initialValue() {
+      return "";
+    }
+  };
+
+  public static void setIpAddress(String ipAddress) {
+    threadLocalIpAddress.set(ipAddress);
+  }
+
+  public static String getIpAddress() {
+    return threadLocalIpAddress.get();
+  }
+
+  private static ThreadLocal<String> threadLocalImpersonator = new ThreadLocal<String>() {
+    @Override
+    protected synchronized String initialValue() {
+      return "";
+    }
+  };
+
+  public static void setImpersonator(String impersonator) {
+    threadLocalImpersonator.set(impersonator);
+  }
+
+  public static String getImpersonator() {
+    return threadLocalImpersonator.get();
+  }
+}
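Review bot: `threadLocalIpAddress` and `threadLocalImpersonator` have setters and getters but no way to clear them, and `initialValue()` only applies the first time a thread reads the value. If the server handles requests on pooled worker threads and some request path does not call both setters (the caller is outside this hunk, so confirm), the next audit record written on that thread carries the previous request's IP address or impersonator. Adding a reset method that calls `threadLocalIpAddress.remove()` and `threadLocalImpersonator.remove()`, invoked in a `finally` once the request is finished, keeps attribution per request. The `synchronized` modifier on `initialValue()` is unnecessary because each thread initialises its own copy. In `createCmdForGrantOrRevokePrivilege`, a null `action` is appended as the literal text `null`, and the TABLE scope appends only `privilege.getTableName()`, so the operation text does not say which database the table belongs to.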

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java
new file mode 100644
index 0000000..4b1d7de
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java
@@ -0,0 +1,98 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.util;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleRequest;
+import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest;
+
+public class Constants {
+  public final static String AUDIT_LOGGER_NAME = "sentry.hive.authorization.ddl.logger";
+
+  public final static String LOG_FIELD_SERVICE_NAME = "serviceName";
+  public final static String LOG_FIELD_USER_NAME = "userName";
+  public final static String LOG_FIELD_IMPERSONATOR = "impersonator";
+  public final static String LOG_FIELD_IP_ADDRESS = "ipAddress";
+  public final static String LOG_FIELD_OPERATION = "operation";
+  public final static String LOG_FIELD_EVENT_TIME = "eventTime";
+  public final static String LOG_FIELD_OPERATION_TEXT = "operationText";
+  public final static String LOG_FIELD_ALLOWED = "allowed";
+  public final static String LOG_FIELD_DATABASE_NAME = "databaseName";
+  public final static String LOG_FIELD_TABLE_NAME = "tableName";
+  public final static String LOG_FIELD_RESOURCE_PATH = "resourcePath";
+  public final static String LOG_FIELD_OBJECT_TYPE = "objectType";
+
+  public final static String OPERATION_CREATE_ROLE = "CREATE_ROLE";
+  public final static String OPERATION_DROP_ROLE = "DROP_ROLE";
+  public final static String OPERATION_ADD_ROLE = "ADD_ROLE_TO_GROUP";
+  public final static String OPERATION_DELETE_ROLE = "DELETE_ROLE_FROM_GROUP";
+  public final static String OPERATION_GRANT_PRIVILEGE = "GRANTE_PRIVILEGE";
+  public final static String OPERATION_REVOKE_PRIVILEGE = "REVOKE_PRIVILEGE";
+
+  public final static String OBJECT_TYPE_PRINCIPAL = "PRINCIPAL";
+  public final static String OBJECT_TYPE_ROLE = "ROLE";
+
+  public final static String TRUE = "true";
+  public final static String FALSE = "false";
+
+  public static final Map<String, String> requestTypeToOperationMap = new HashMap<String, String>();
+  public static final Map<String, String> requestTypeToObjectTypeMap = new HashMap<String, String>();
+
+  static {
+    requestTypeToOperationMap.put(TCreateSentryRoleRequest.class.getName(),
+        Constants.OPERATION_CREATE_ROLE);
+    requestTypeToOperationMap.put(
+        TAlterSentryRoleGrantPrivilegeRequest.class.getName(),
+        Constants.OPERATION_GRANT_PRIVILEGE);
+    requestTypeToOperationMap.put(
+        TAlterSentryRoleRevokePrivilegeRequest.class.getName(),
+        Constants.OPERATION_REVOKE_PRIVILEGE);
+    requestTypeToOperationMap.put(TDropSentryRoleRequest.class.getName(),
+        Constants.OPERATION_DROP_ROLE);
+    requestTypeToOperationMap.put(
+        TAlterSentryRoleAddGroupsRequest.class.getName(),
+        Constants.OPERATION_ADD_ROLE);
+    requestTypeToOperationMap.put(
+        TAlterSentryRoleDeleteGroupsRequest.class.getName(),
+        Constants.OPERATION_DELETE_ROLE);
+
+    requestTypeToObjectTypeMap.put(TCreateSentryRoleRequest.class.getName(),
+        Constants.OBJECT_TYPE_ROLE);
+    requestTypeToObjectTypeMap.put(TDropSentryRoleRequest.class.getName(),
+        Constants.OBJECT_TYPE_ROLE);
+    requestTypeToObjectTypeMap.put(
+        TAlterSentryRoleAddGroupsRequest.class.getName(),
+        Constants.OBJECT_TYPE_ROLE);
+    requestTypeToObjectTypeMap.put(
+        TAlterSentryRoleDeleteGroupsRequest.class.getName(),
+        Constants.OBJECT_TYPE_ROLE);
+    requestTypeToObjectTypeMap.put(
+        TAlterSentryRoleGrantPrivilegeRequest.class.getName(),
+        Constants.OBJECT_TYPE_PRINCIPAL);
+    requestTypeToObjectTypeMap.put(
+        TAlterSentryRoleRevokePrivilegeRequest.class.getName(),
+        Constants.OBJECT_TYPE_PRINCIPAL);
+  }
+}
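Review bot: `OPERATION_GRANT_PRIVILEGE` is defined as `"GRANTE_PRIVILEGE"`, and that misspelt value is what gets written to the `operation` field of every grant record; anything that searches or alerts on grant events by the expected name will miss them. The line should read `public final static String OPERATION_GRANT_PRIVILEGE = "GRANT_PRIVILEGE";`. The two lookup tables are also exposed as public mutable `HashMap`s, so any code on the classpath can alter how request types are labelled in the audit log. Populating private maps in the static block and publishing them through `Collections.unmodifiableMap(...)` would make the mapping fixed after class initialisation.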

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
index 1b05db3..5848e30 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -32,6 +32,8 @@ import org.apache.sentry.provider.db.SentryAccessDeniedException;
 import org.apache.sentry.provider.db.SentryAlreadyExistsException;
 import org.apache.sentry.provider.db.SentryInvalidInputException;
 import org.apache.sentry.provider.db.SentryNoSuchObjectException;
+import org.apache.sentry.provider.db.log.entity.JsonLogEntityFactory;
+import org.apache.sentry.provider.db.log.util.Constants;
 import org.apache.sentry.provider.db.service.persistent.CommitContext;
 import org.apache.sentry.provider.db.service.persistent.SentryStore;
 import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants.PolicyStoreServerConfig;
@@ -52,6 +54,7 @@ import com.google.common.collect.Sets;
 @SuppressWarnings("unused")
 public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
   private static final Logger LOGGER = LoggerFactory.getLogger(SentryPolicyStoreProcessor.class);
+  private static final Logger AUDIT_LOGGER = LoggerFactory.getLogger(Constants.AUDIT_LOGGER_NAME);
 
   public static final String SENTRY_POLICY_SERVICE_NAME = "SentryPolicyService";
 
@@ -158,6 +161,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
       LOGGER.error(msg, e);
       response.setStatus(Status.RuntimeError(msg, e));
     }
+
+    AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(
+    		request, response, conf).toJsonFormatLog());
     return response;
   }
 
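Review bot: The audit call added before `return response;` is unguarded, so a runtime exception from `createJsonLogEntity(...)` or `toJsonFormatLog()` would replace the response after the store operation has already run; the five later hunks in this file add the identical call and share the problem. Because the call follows the try/catch instead of sitting in a `finally`, any exception the catch clauses (which start outside this hunk) do not handle also leaves no audit record for the request. I would wrap it as `try { AUDIT_LOGGER.info(...); } catch (RuntimeException e) { LOGGER.error("Failed to write audit log entry", e); }`, or decide explicitly that an audit failure must fail the request and document that. The continuation lines are also indented with tabs, unlike the surrounding space-indented lines.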
@@ -191,6 +197,8 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
       response.setStatus(Status.RuntimeError(msg, e));
     }
 
+    AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(
+    		request, response, conf).toJsonFormatLog());
     return response;
   }
 
@@ -227,6 +235,8 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
       response.setStatus(Status.RuntimeError(msg, e));
     }
 
+    AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(
+    		request, response, conf).toJsonFormatLog());
     return response;
   }
 
@@ -254,6 +264,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
       LOGGER.error(msg, e);
       response.setStatus(Status.RuntimeError(msg, e));
     }
+
+    AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(
+    		request, response, conf).toJsonFormatLog());
     return response;
   }
 
@@ -281,6 +294,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
       LOGGER.error(msg, e);
       response.setStatus(Status.RuntimeError(msg, e));
     }
+
+    AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(
+    		request, response, conf).toJsonFormatLog());
     return response;
   }
 
@@ -308,6 +324,9 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
       LOGGER.error(msg, e);
       response.setStatus(Status.RuntimeError(msg, e));
     }
+
+    AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(
+    		request, response, conf).toJsonFormatLog());
     return response;
   }
 

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java
index b37db2b..691c1fb 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessorFactory.java
@@ -32,7 +32,7 @@ public class SentryPolicyStoreProcessorFactory extends ProcessorFactory {
         new SentryPolicyStoreProcessor(SentryPolicyStoreProcessor.SENTRY_POLICY_SERVICE_NAME,
             conf);
     TProcessor processor =
-      new SentryPolicyService.Processor<SentryPolicyService.Iface>(sentryServiceHandler);
+      new SentryProcessorWrapper<SentryPolicyService.Iface>(sentryServiceHandler);
     multiplexedProcessor.registerProcessor(SentryPolicyStoreProcessor.SENTRY_POLICY_SERVICE_NAME, processor);
     return true;
   }

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java
new file mode 100644
index 0000000..33e741d
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryProcessorWrapper.java
@@ -0,0 +1,83 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.thrift;
+
+import java.net.Socket;
+
+import org.apache.sentry.provider.db.log.util.CommandUtil;
+import org.apache.thrift.TException;
+import org.apache.thrift.protocol.TProtocol;
+import org.apache.thrift.transport.TSaslClientTransport;
+import org.apache.thrift.transport.TSaslServerTransport;
+import org.apache.thrift.transport.TSocket;
+import org.apache.thrift.transport.TTransport;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class SentryProcessorWrapper<I extends SentryPolicyService.Iface> extends
+    SentryPolicyService.Processor<SentryPolicyService.Iface> {
+
+  private static final Logger LOGGER = LoggerFactory.getLogger(SentryProcessorWrapper.class);
+
+  public SentryProcessorWrapper(I iface) {
+    super(iface);
+  }
+
+  @Override
+  public boolean process(TProtocol in, TProtocol out) throws TException {
+    setIpAddress(in);
+    setImpersonator(in);
+    return super.process(in, out);
+  }
+
+  private void setImpersonator(final TProtocol in) {
+    TTransport transport = in.getTransport();
+    if (transport instanceof TSaslServerTransport) {
+      String impersonator = ((TSaslServerTransport) transport).getSaslServer().getAuthorizationID();
+      CommandUtil.setImpersonator(impersonator);
+    }
+  }
+
+  private void setIpAddress(final TProtocol in) {
+    TTransport transport = in.getTransport();
+    TSocket tSocket = getUnderlyingSocketFromTransport(transport);
+    if (tSocket != null) {
+      setIpAddress(tSocket.getSocket());
+    } else {
+      LOGGER.warn("Unknown Transport, cannot determine ipAddress");
+    }
+  }
+
+  private void setIpAddress(Socket socket) {
+    CommandUtil.setIpAddress(socket.getInetAddress().toString());
+  }
+
+  private TSocket getUnderlyingSocketFromTransport(TTransport transport) {
+    if (transport != null) {
+      if (transport instanceof TSaslServerTransport) {
+        transport = ((TSaslServerTransport) transport).getUnderlyingTransport();
+      } else if (transport instanceof TSaslClientTransport) {
+        transport = ((TSaslClientTransport) transport).getUnderlyingTransport();
+      } else if (transport instanceof TSocket) {
+        return (TSocket) transport;
+      }
+    }
+    return null;
+  }
+}
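Review bot: In `getUnderlyingSocketFromTransport`, the `TSocket` check is an `else if` of the SASL branches, so after a `TSaslServerTransport` is unwrapped the method falls through to `return null` and the client address is never recorded for SASL connections. Unwrap first and then test the result for `TSocket`, as below. Separately, `setImpersonator` and `setIpAddress(TProtocol)` leave whatever `CommandUtil` already holds when the transport is not the expected type; if that storage is per-thread (not visible here), a pooled thread could carry a previous caller's address or authorization ID into the next audit record, so the fallback paths should clear the value. `getInetAddress().toString()` also yields the `hostname/address` form, whereas `getHostAddress()` would log just the address.

```java
  private TSocket getUnderlyingSocketFromTransport(TTransport transport) {
    // Unwrap a SASL transport first, then check what it wraps.
    if (transport instanceof TSaslServerTransport) {
      transport = ((TSaslServerTransport) transport).getUnderlyingTransport();
    } else if (transport instanceof TSaslClientTransport) {
      transport = ((TSaslClientTransport) transport).getUnderlyingTransport();
    }
    return (transport instanceof TSocket) ? (TSocket) transport : null;
  }
```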

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
index 111fabf..52eaeed 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/ServiceConstants.java
@@ -89,6 +89,9 @@ public class ServiceConstants {
     public static final String SENTRY_VERIFY_SCHEM_VERSION = "sentry.verify.schema.version";
     public static final String SENTRY_VERIFY_SCHEM_VERSION_DEFAULT = "true";
 
+    public static final String SENTRY_SERVICE_NAME = "sentry.service.name";
+    public static final String SENTRY_SERVICE_NAME_DEFAULT = "Sentry-Service";
+    
     public static final String SENTRY_STORE_GROUP_MAPPING = "sentry.store.group.mapping";
     public static final String SENTRY_STORE_GROUP_MAPPING_RESOURCE = "sentry.store.group.mapping.resource";
     public static final String SENTRY_STORE_HADOOP_GROUP_MAPPING = "org.apache.sentry.provider.common.HadoopGroupMappingService";

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestAuditMetadataLogEntity.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestAuditMetadataLogEntity.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestAuditMetadataLogEntity.java
new file mode 100644
index 0000000..cd0a435
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestAuditMetadataLogEntity.java
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+import junit.framework.TestCase;
+
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.codehaus.jackson.JsonNode;
+import org.codehaus.jackson.node.ContainerNode;
+import org.junit.Test;
+
+public class TestAuditMetadataLogEntity extends TestCase {
+
+  @Test
+  public void testToJsonFormatLog() throws Throwable {
+    AuditMetadataLogEntity amle = new AuditMetadataLogEntity("serviceName",
+        "userName", "impersonator", "ipAddress", "operation", "eventTime",
+        "operationText", "allowed", "databaseName", "tableName",
+        "resourcePath", "objectType");
+    String jsonAuditLog = amle.toJsonFormatLog();
+    ContainerNode rootNode = AuditMetadataLogEntity.parse(jsonAuditLog);
+    assertEntryEquals(rootNode, Constants.LOG_FIELD_SERVICE_NAME, "serviceName");
+    assertEntryEquals(rootNode, Constants.LOG_FIELD_USER_NAME, "userName");
+    assertEntryEquals(rootNode, Constants.LOG_FIELD_IMPERSONATOR,
+        "impersonator");
+    assertEntryEquals(rootNode, Constants.LOG_FIELD_IP_ADDRESS, "ipAddress");
+    assertEntryEquals(rootNode, Constants.LOG_FIELD_OPERATION, "operation");
+    assertEntryEquals(rootNode, Constants.LOG_FIELD_EVENT_TIME, "eventTime");
+    assertEntryEquals(rootNode, Constants.LOG_FIELD_OPERATION_TEXT,
+        "operationText");
+    assertEntryEquals(rootNode, Constants.LOG_FIELD_ALLOWED, "allowed");
+    assertEntryEquals(rootNode, Constants.LOG_FIELD_DATABASE_NAME,
+        "databaseName");
+    assertEntryEquals(rootNode, Constants.LOG_FIELD_TABLE_NAME, "tableName");
+    assertEntryEquals(rootNode, Constants.LOG_FIELD_RESOURCE_PATH,
+        "resourcePath");
+    assertEntryEquals(rootNode, Constants.LOG_FIELD_OBJECT_TYPE, "objectType");
+  }
+
+  void assertEntryEquals(ContainerNode rootNode, String key, String value) {
+    JsonNode node = assertNodeContains(rootNode, key);
+    assertEquals(value, node.getTextValue());
+  }
+
+  private JsonNode assertNodeContains(ContainerNode rootNode, String key) {
+    JsonNode node = rootNode.get(key);
+    if (node == null) {
+      fail("No entry of name \"" + key + "\" found in " + rootNode.toString());
+    }
+    return node;
+  }
+}
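Review bot: `testToJsonFormatLog` only round-trips plain alphanumeric placeholders, so it would still pass if `toJsonFormatLog()` did not escape its inputs. The operation text in the audit record carries caller-supplied names (the factory tests build it from the request's role name), so a case whose value contains a quote, a backslash and a newline would confirm that one record cannot be split or have extra fields forged into it. The class also mixes `extends TestCase` with `@Test`; for a `TestCase` subclass the methods are picked up by their `test` name prefix and the annotation has no effect, so one style should be chosen.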

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java
new file mode 100644
index 0000000..fc9c716
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/entity/TestJsonLogEntityFactory.java
@@ -0,0 +1,293 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.entity;
+
+import static junit.framework.Assert.assertEquals;
+
+import java.util.LinkedHashSet;
+import java.util.Set;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.log4j.Logger;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.provider.db.log.util.CommandUtil;
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsResponse;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsResponse;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeResponse;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeResponse;
+import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleRequest;
+import org.apache.sentry.provider.db.service.thrift.TCreateSentryRoleResponse;
+import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest;
+import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleResponse;
+import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+import org.apache.sentry.service.thrift.Status;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class TestJsonLogEntityFactory {
+
+  private static Configuration conf;
+  private Logger sentryLogger = Logger.getRootLogger();
+
+  private static String TEST_IP = "localhost/127.0.0.1";
+  private static String TEST_IMPERSONATOR = "impersonator";
+  private static String TEST_ROLE_NAME = "testRole";
+  private static String TEST_USER_NAME = "requestUser";
+  private static String TEST_DATABASE_NAME = "testDB";
+  private static String TEST_TABLE_NAME = "testTable";
+  private static String TEST_GROUP = "testGroup";
+
+  @BeforeClass
+  public static void init() {
+    conf = new Configuration();
+    conf.set(ServerConfig.SENTRY_SERVICE_NAME,
+        ServerConfig.SENTRY_SERVICE_NAME_DEFAULT);
+    CommandUtil.setIpAddress(TEST_IP);
+    CommandUtil.setImpersonator(TEST_IMPERSONATOR);
+  }
+
+  @Test
+  public void testCreateRole() {
+    TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
+    TCreateSentryRoleResponse response = new TCreateSentryRoleResponse();
+    request.setRequestorUserName(TEST_USER_NAME);
+    request.setRoleName(TEST_ROLE_NAME);
+    response.setStatus(Status.OK());
+    AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory
+        .getInstance().createJsonLogEntity(request, response, conf);
+    assertCommon(amle, Constants.TRUE, Constants.OPERATION_CREATE_ROLE,
+        "CREATE ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE);
+    sentryLogger.debug(amle.toJsonFormatLog());
+
+    response.setStatus(Status.InvalidInput("", null));
+    amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+        .createJsonLogEntity(request, response, conf);
+    assertCommon(amle, Constants.FALSE, Constants.OPERATION_CREATE_ROLE,
+        "CREATE ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE);
+    sentryLogger.debug(amle.toJsonFormatLog());
+  }
+
+  @Test
+  public void testDropRole() {
+    TDropSentryRoleRequest request = new TDropSentryRoleRequest();
+    TDropSentryRoleResponse response = new TDropSentryRoleResponse();
+    request.setRequestorUserName(TEST_USER_NAME);
+    request.setRoleName(TEST_ROLE_NAME);
+    response.setStatus(Status.OK());
+    AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory
+        .getInstance().createJsonLogEntity(request, response, conf);
+    assertCommon(amle, Constants.TRUE, Constants.OPERATION_DROP_ROLE,
+        "DROP ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE);
+    sentryLogger.debug(amle.toJsonFormatLog());
+
+    response.setStatus(Status.InvalidInput("", null));
+    amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+        .createJsonLogEntity(request, response, conf);
+    assertCommon(amle, Constants.FALSE, Constants.OPERATION_DROP_ROLE,
+        "DROP ROLE testRole", null, null, null, Constants.OBJECT_TYPE_ROLE);
+    sentryLogger.debug(amle.toJsonFormatLog());
+  }
+
+  @Test
+  public void testGrantRole() {
+    TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
+    request.setRequestorUserName(TEST_USER_NAME);
+    request.setRoleName(TEST_ROLE_NAME);
+
+    TAlterSentryRoleGrantPrivilegeResponse response = new TAlterSentryRoleGrantPrivilegeResponse();
+
+    TSentryPrivilege privilege = getPrivilege(AccessConstants.ALL,
+        PrivilegeScope.DATABASE.name(), TEST_DATABASE_NAME, null, null, null);
+    request.setPrivilege(privilege);
+    response.setStatus(Status.OK());
+    AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory
+        .getInstance().createJsonLogEntity(request, response, conf);
+    assertCommon(amle, Constants.TRUE, Constants.OPERATION_GRANT_PRIVILEGE,
+        "GRANT ALL ON DATABASE testDB TO ROLE testRole", TEST_DATABASE_NAME,
+        null, null, Constants.OBJECT_TYPE_PRINCIPAL);
+    sentryLogger.debug(amle.toJsonFormatLog());
+
+    privilege = getPrivilege(AccessConstants.ALL, PrivilegeScope.TABLE.name(),
+        null, TEST_TABLE_NAME, null, null);
+    request.setPrivilege(privilege);
+    response.setStatus(Status.InvalidInput("", null));
+    amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+        .createJsonLogEntity(request, response, conf);
+    assertCommon(amle, Constants.FALSE, Constants.OPERATION_GRANT_PRIVILEGE,
+        "GRANT ALL ON TABLE testTable TO ROLE testRole", null, TEST_TABLE_NAME,
+        null, Constants.OBJECT_TYPE_PRINCIPAL);
+    sentryLogger.debug(amle.toJsonFormatLog());
+  }
+
+  @Test
+  public void testRevokeRole() {
+    TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest();
+    TAlterSentryRoleRevokePrivilegeResponse response = new TAlterSentryRoleRevokePrivilegeResponse();
+    request.setRequestorUserName(TEST_USER_NAME);
+    request.setRoleName(TEST_ROLE_NAME);
+
+    TSentryPrivilege privilege = getPrivilege(AccessConstants.ALL,
+        PrivilegeScope.DATABASE.name(), TEST_DATABASE_NAME, null, null, null);
+    request.setPrivilege(privilege);
+    response.setStatus(Status.OK());
+    AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory
+        .getInstance().createJsonLogEntity(request, response, conf);
+    assertCommon(amle, Constants.TRUE, Constants.OPERATION_REVOKE_PRIVILEGE,
+        "REVOKE ALL ON DATABASE testDB FROM ROLE testRole", TEST_DATABASE_NAME,
+        null, null, Constants.OBJECT_TYPE_PRINCIPAL);
+    sentryLogger.debug(amle.toJsonFormatLog());
+
+    privilege = getPrivilege(AccessConstants.ALL, PrivilegeScope.TABLE.name(),
+        null, TEST_TABLE_NAME, null, null);
+    request.setPrivilege(privilege);
+    response.setStatus(Status.InvalidInput("", null));
+    amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+        .createJsonLogEntity(request, response, conf);
+    assertCommon(amle, Constants.FALSE, Constants.OPERATION_REVOKE_PRIVILEGE,
+        "REVOKE ALL ON TABLE testTable FROM ROLE testRole", null,
+        TEST_TABLE_NAME, null, Constants.OBJECT_TYPE_PRINCIPAL);
+    sentryLogger.debug(amle.toJsonFormatLog());
+  }
+
+  @Test
+  public void testAddRole() {
+    TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest();
+    TAlterSentryRoleAddGroupsResponse response = new TAlterSentryRoleAddGroupsResponse();
+    request.setRequestorUserName(TEST_USER_NAME);
+    request.setRoleName(TEST_ROLE_NAME);
+    request.setGroups(getGroups());
+    response.setStatus(Status.OK());
+    AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory
+        .getInstance().createJsonLogEntity(request, response, conf);
+    assertCommon(amle, Constants.TRUE, Constants.OPERATION_ADD_ROLE,
+        "GRANT ROLE testRole TO GROUP testGroup", null, null, null,
+        Constants.OBJECT_TYPE_ROLE);
+    sentryLogger.debug(amle.toJsonFormatLog());
+
+    response.setStatus(Status.InvalidInput("", null));
+    amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+        .createJsonLogEntity(request, response, conf);
+    assertCommon(amle, Constants.FALSE, Constants.OPERATION_ADD_ROLE,
+        "GRANT ROLE testRole TO GROUP testGroup", null, null, null,
+        Constants.OBJECT_TYPE_ROLE);
+    sentryLogger.debug(amle.toJsonFormatLog());
+  }
+
+  @Test
+  public void testDeleteRole() {
+    TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest();
+    TAlterSentryRoleDeleteGroupsResponse response = new TAlterSentryRoleDeleteGroupsResponse();
+    request.setRequestorUserName(TEST_USER_NAME);
+    request.setRoleName(TEST_ROLE_NAME);
+    request.setGroups(getGroups());
+    response.setStatus(Status.OK());
+    AuditMetadataLogEntity amle = (AuditMetadataLogEntity) JsonLogEntityFactory
+        .getInstance().createJsonLogEntity(request, response, conf);
+    assertCommon(amle, Constants.TRUE, Constants.OPERATION_DELETE_ROLE,
+        "REVOKE ROLE testRole FROM GROUP testGroup", null, null, null,
+        Constants.OBJECT_TYPE_ROLE);
+    sentryLogger.debug(amle.toJsonFormatLog());
+
+    response.setStatus(Status.InvalidInput("", null));
+    amle = (AuditMetadataLogEntity) JsonLogEntityFactory.getInstance()
+        .createJsonLogEntity(request, response, conf);
+    assertCommon(amle, Constants.FALSE, Constants.OPERATION_DELETE_ROLE,
+        "REVOKE ROLE testRole FROM GROUP testGroup", null, null, null,
+        Constants.OBJECT_TYPE_ROLE);
+    sentryLogger.debug(amle.toJsonFormatLog());
+  }
+
+  private void assertCommon(AuditMetadataLogEntity amle,
+      String allowedExcepted, String operationExcepted,
+      String operationTextExcepted, String databaseNameExcepted,
+      String tableNameExcepted, String resourcePathExcepted,
+      String objectTypeExcepted) {
+    assertEquals(ServerConfig.SENTRY_SERVICE_NAME_DEFAULT,
+        amle.getServiceName());
+    assertEquals(TEST_IP, amle.getIpAddress());
+    assertEquals(TEST_USER_NAME, amle.getUserName());
+    assertEquals(TEST_IMPERSONATOR, amle.getImpersonator());
+    assertEquals(allowedExcepted, amle.getAllowed());
+    assertEquals(operationExcepted, amle.getOperation());
+    assertEquals(operationTextExcepted, amle.getOperationText());
+    assertEquals(tableNameExcepted, amle.getTableName());
+    assertEquals(databaseNameExcepted, amle.getDatabaseName());
+    assertEquals(resourcePathExcepted, amle.getResourcePath());
+    assertEquals(objectTypeExcepted, amle.getObjectType());
+  }
+
+  // private TAlterSentryRoleGrantPrivilegeRequest getGrantPrivilegeRequest() {
+  // TAlterSentryRoleGrantPrivilegeRequest request = new
+  // TAlterSentryRoleGrantPrivilegeRequest();
+  // request.setRoleName(TEST_ROLE_NAME);
+  // return request;
+  // }
+  //
+  // private TAlterSentryRoleGrantPrivilegeResponse getGrantPrivilegeResponse(
+  // TSentryResponseStatus status) {
+  // TAlterSentryRoleGrantPrivilegeResponse response = new
+  // TAlterSentryRoleGrantPrivilegeResponse();
+  // response.setStatus(status);
+  // return response;
+  // }
+
+  // private TAlterSentryRoleRevokePrivilegeRequest getRevokePrivilegeRequest()
+  // {
+  // TAlterSentryRoleRevokePrivilegeRequest request = new
+  // TAlterSentryRoleRevokePrivilegeRequest();
+  // request.setRoleName(TEST_ROLE_NAME);
+  // return request;
+  // }
+  //
+  // private TAlterSentryRoleRevokePrivilegeResponse getRevokePrivilegeResponse(
+  // TSentryResponseStatus status) {
+  // TAlterSentryRoleRevokePrivilegeResponse response = new
+  // TAlterSentryRoleRevokePrivilegeResponse();
+  // response.setStatus(status);
+  // return response;
+  // }
+
+  private TSentryPrivilege getPrivilege(String action, String privilegeScope,
+      String dbName, String tableName, String serverName, String URI) {
+    TSentryPrivilege privilege = new TSentryPrivilege();
+    privilege.setAction(action);
+    privilege.setPrivilegeScope(privilegeScope);
+    privilege.setDbName(dbName);
+    privilege.setTableName(tableName);
+    privilege.setServerName(serverName);
+    privilege.setURI(URI);
+    return privilege;
+  }
+
+  private Set<TSentryGroup> getGroups() {
+    Set<TSentryGroup> groups = new LinkedHashSet<TSentryGroup>();
+    TSentryGroup group = new TSentryGroup();
+    group.setGroupName(TEST_GROUP);
+    groups.add(group);
+    return groups;
+  }
+}
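Review bot: The two commented-out helper groups between `assertCommon` and `getPrivilege` are dead code and should be deleted rather than committed. The `TEST_*` fields are constants and should be `private static final String`, and the `...Excepted` parameter names in `assertCommon` presumably mean `...Expected`. `init()` also sets the address and impersonator through `CommandUtil`'s static setters and nothing restores them, so if that state outlives the class (its storage is not visible here) other tests in the same JVM can observe it; an `@AfterClass` method that resets both would isolate the test.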

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/a170f53b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java
new file mode 100644
index 0000000..392289c
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/log/util/TestCommandUtil.java
@@ -0,0 +1,303 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.util;
+
+import java.util.LinkedHashSet;
+import java.util.Set;
+
+import junit.framework.TestCase;
+
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
+import org.junit.Test;
+
+public class TestCommandUtil extends TestCase {
+
+  @Test
+  public void testCreateCmdForCreateOrDropRole() {
+    String roleName = "testRole";
+
+    String createRoleCmdResult = CommandUtil.createCmdForCreateOrDropRole(
+        roleName, true);
+    String dropRoleCmdResult = CommandUtil.createCmdForCreateOrDropRole(
+        roleName, false);
+    String createRoleCmdExcepted = "CREATE ROLE testRole";
+    String dropRoleCmdExcepted = "DROP ROLE testRole";
+
+    assertEquals(createRoleCmdExcepted, createRoleCmdResult);
+    assertEquals(dropRoleCmdResult, dropRoleCmdExcepted);
+  }
+
+  @Test
+  public void testCreateCmdForRoleAddOrDeleteGroup1() {
+
+    TAlterSentryRoleAddGroupsRequest requestAdd = getRoleAddGroupsRequest();
+    TAlterSentryRoleDeleteGroupsRequest requestDelete = getRoleDeleteGroupsRequest();
+
+    Set<TSentryGroup> groups = getGroups(1);
+    requestAdd.setGroups(groups);
+    requestDelete.setGroups(groups);
+
+    String createRoleAddGroupCmdResult = CommandUtil
+        .createCmdForRoleAddGroup(requestAdd);
+    String createRoleAddGroupCmdExcepted = "GRANT ROLE testRole TO GROUP testGroup1";
+    String createRoleDeleteGroupCmdResult = CommandUtil
+        .createCmdForRoleDeleteGroup(requestDelete);
+    String createRoleDeleteGroupCmdExcepted = "REVOKE ROLE testRole FROM GROUP testGroup1";
+
+    assertEquals(createRoleAddGroupCmdExcepted, createRoleAddGroupCmdResult);
+    assertEquals(createRoleDeleteGroupCmdExcepted,
+        createRoleDeleteGroupCmdResult);
+  }
+
+  @Test
+  public void testCreateCmdForRoleAddOrDeleteGroup2() {
+
+    TAlterSentryRoleAddGroupsRequest requestAdd = getRoleAddGroupsRequest();
+    TAlterSentryRoleDeleteGroupsRequest requestDelete = getRoleDeleteGroupsRequest();
+
+    Set<TSentryGroup> groups = getGroups(3);
+    requestAdd.setGroups(groups);
+    requestDelete.setGroups(groups);
+
+    String createRoleAddGroupCmdResult = CommandUtil
+        .createCmdForRoleAddGroup(requestAdd);
+    String createRoleAddGroupCmdExcepted = "GRANT ROLE testRole TO GROUP testGroup1, testGroup2, testGroup3";
+    String createRoleDeleteGroupCmdResult = CommandUtil
+        .createCmdForRoleDeleteGroup(requestDelete);
+    String createRoleDeleteGroupCmdExcepted = "REVOKE ROLE testRole FROM GROUP testGroup1, testGroup2, testGroup3";
+
+    assertEquals(createRoleAddGroupCmdExcepted, createRoleAddGroupCmdResult);
+    assertEquals(createRoleDeleteGroupCmdExcepted,
+        createRoleDeleteGroupCmdResult);
+  }
+
+  @Test
+  public void testCreateCmdForGrantOrRevokePrivilege1() {
+    TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+    TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+    TSentryPrivilege privilege = getPrivilege(AccessConstants.ALL,
+        PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest",
+        "hdfs://namenode:port/path/to/dir");
+    grantRequest.setPrivilege(privilege);
+    revokeRequest.setPrivilege(privilege);
+
+    String createGrantPrivilegeCmdResult = CommandUtil
+        .createCmdForGrantPrivilege(grantRequest);
+    String createGrantPrivilegeCmdExcepted = "GRANT ALL ON DATABASE dbTest TO ROLE testRole";
+    String createRevokePrivilegeCmdResult = CommandUtil
+        .createCmdForRevokePrivilege(revokeRequest);
+    String createRevokePrivilegeCmdExcepted = "REVOKE ALL ON DATABASE dbTest FROM ROLE testRole";
+
+    assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+    assertEquals(createRevokePrivilegeCmdExcepted,
+        createRevokePrivilegeCmdResult);
+  }
+
+  @Test
+  public void testCreateCmdForGrantOrRevokePrivilege2() {
+    TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+    TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+    TSentryPrivilege privilege = getPrivilege(AccessConstants.INSERT,
+        PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest",
+        "hdfs://namenode:port/path/to/dir");
+    grantRequest.setPrivilege(privilege);
+    revokeRequest.setPrivilege(privilege);
+
+    String createGrantPrivilegeCmdResult = CommandUtil
+        .createCmdForGrantPrivilege(grantRequest);
+    String createGrantPrivilegeCmdExcepted = "GRANT INSERT ON DATABASE dbTest TO ROLE testRole";
+    String createRevokePrivilegeCmdResult = CommandUtil
+        .createCmdForRevokePrivilege(revokeRequest);
+    String createRevokePrivilegeCmdExcepted = "REVOKE INSERT ON DATABASE dbTest FROM ROLE testRole";
+
+    assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+    assertEquals(createRevokePrivilegeCmdExcepted,
+        createRevokePrivilegeCmdResult);
+  }
+
+  @Test
+  public void testCreateCmdForGrantOrRevokePrivilege3() {
+    TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+    TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+    TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT,
+        PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest",
+        "hdfs://namenode:port/path/to/dir");
+    grantRequest.setPrivilege(privilege);
+    revokeRequest.setPrivilege(privilege);
+
+    String createGrantPrivilegeCmdResult = CommandUtil
+        .createCmdForGrantPrivilege(grantRequest);
+    String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON DATABASE dbTest TO ROLE testRole";
+    String createRevokePrivilegeCmdResult = CommandUtil
+        .createCmdForRevokePrivilege(revokeRequest);
+    String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON DATABASE dbTest FROM ROLE testRole";
+
+    assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+    assertEquals(createRevokePrivilegeCmdExcepted,
+        createRevokePrivilegeCmdResult);
+  }
+
+  @Test
+  public void testCreateCmdForGrantOrRevokePrivilege4() {
+    TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+    TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+    TSentryPrivilege privilege = getPrivilege(null,
+        PrivilegeScope.DATABASE.name(), "dbTest", "tableTest", "serverTest",
+        "hdfs://namenode:port/path/to/dir");
+    grantRequest.setPrivilege(privilege);
+    revokeRequest.setPrivilege(privilege);
+
+    String createGrantPrivilegeCmdResult = CommandUtil
+        .createCmdForGrantPrivilege(grantRequest);
+    String createGrantPrivilegeCmdExcepted = "GRANT null ON DATABASE dbTest TO ROLE testRole";
+    String createRevokePrivilegeCmdResult = CommandUtil
+        .createCmdForRevokePrivilege(revokeRequest);
+    String createRevokePrivilegeCmdExcepted = "REVOKE null ON DATABASE dbTest FROM ROLE testRole";
+
+    assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+    assertEquals(createRevokePrivilegeCmdExcepted,
+        createRevokePrivilegeCmdResult);
+  }
+
+  @Test
+  public void testCreateCmdForGrantOrRevokePrivilege5() {
+    TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+    TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+    TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT,
+        PrivilegeScope.TABLE.name(), "dbTest", "tableTest", "serverTest",
+        "hdfs://namenode:port/path/to/dir");
+    grantRequest.setPrivilege(privilege);
+    revokeRequest.setPrivilege(privilege);
+
+    String createGrantPrivilegeCmdResult = CommandUtil
+        .createCmdForGrantPrivilege(grantRequest);
+    String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON TABLE tableTest TO ROLE testRole";
+    String createRevokePrivilegeCmdResult = CommandUtil
+        .createCmdForRevokePrivilege(revokeRequest);
+    String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON TABLE tableTest FROM ROLE testRole";
+
+    assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+    assertEquals(createRevokePrivilegeCmdExcepted,
+        createRevokePrivilegeCmdResult);
+  }
+
+  @Test
+  public void testCreateCmdForGrantOrRevokePrivilege6() {
+    TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+    TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+    TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT,
+        PrivilegeScope.SERVER.name(), "dbTest", "tableTest", "serverTest",
+        "hdfs://namenode:port/path/to/dir");
+    grantRequest.setPrivilege(privilege);
+    revokeRequest.setPrivilege(privilege);
+
+    String createGrantPrivilegeCmdResult = CommandUtil
+        .createCmdForGrantPrivilege(grantRequest);
+    String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON SERVER serverTest TO ROLE testRole";
+    String createRevokePrivilegeCmdResult = CommandUtil
+        .createCmdForRevokePrivilege(revokeRequest);
+    String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON SERVER serverTest FROM ROLE testRole";
+
+    assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+    assertEquals(createRevokePrivilegeCmdExcepted,
+        createRevokePrivilegeCmdResult);
+  }
+
+  @Test
+  public void testCreateCmdForGrantOrRevokePrivilege7() {
+    TAlterSentryRoleGrantPrivilegeRequest grantRequest = getGrantPrivilegeRequest();
+    TAlterSentryRoleRevokePrivilegeRequest revokeRequest = getRevokePrivilegeRequest();
+
+    TSentryPrivilege privilege = getPrivilege(AccessConstants.SELECT,
+        PrivilegeScope.URI.name(), "dbTest", "tableTest", "serverTest",
+        "hdfs://namenode:port/path/to/dir");
+    grantRequest.setPrivilege(privilege);
+    revokeRequest.setPrivilege(privilege);
+
+    String createGrantPrivilegeCmdResult = CommandUtil
+        .createCmdForGrantPrivilege(grantRequest);
+    String createGrantPrivilegeCmdExcepted = "GRANT SELECT ON URI hdfs://namenode:port/path/to/dir TO ROLE testRole";
+    String createRevokePrivilegeCmdResult = CommandUtil
+        .createCmdForRevokePrivilege(revokeRequest);
+    String createRevokePrivilegeCmdExcepted = "REVOKE SELECT ON URI hdfs://namenode:port/path/to/dir FROM ROLE testRole";
+
+    assertEquals(createGrantPrivilegeCmdExcepted, createGrantPrivilegeCmdResult);
+    assertEquals(createRevokePrivilegeCmdExcepted,
+        createRevokePrivilegeCmdResult);
+  }
+
+  private TAlterSentryRoleAddGroupsRequest getRoleAddGroupsRequest() {
+    TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest();
+    request.setRoleName("testRole");
+    return request;
+  }
+
+  private TAlterSentryRoleDeleteGroupsRequest getRoleDeleteGroupsRequest() {
+    TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest();
+    request.setRoleName("testRole");
+    return request;
+  }
+
+  private Set<TSentryGroup> getGroups(int num) {
+    Set<TSentryGroup> groups = new LinkedHashSet<TSentryGroup>();
+    for (int i = 0; i < num; i++) {
+      TSentryGroup group = new TSentryGroup();
+      group.setGroupName("testGroup" + (i + 1));
+      groups.add(group);
+    }
+    return groups;
+  }
+
+  private TAlterSentryRoleGrantPrivilegeRequest getGrantPrivilegeRequest() {
+    TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
+    request.setRoleName("testRole");
+    return request;
+  }
+
+  private TAlterSentryRoleRevokePrivilegeRequest getRevokePrivilegeRequest() {
+    TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest();
+    request.setRoleName("testRole");
+    return request;
+  }
+
+  private TSentryPrivilege getPrivilege(String action, String privilegeScope,
+      String dbName, String tableName, String serverName, String URI) {
+    TSentryPrivilege privilege = new TSentryPrivilege();
+    privilege.setAction(action);
+    privilege.setPrivilegeScope(privilegeScope);
+    privilege.setDbName(dbName);
+    privilege.setTableName(tableName);
+    privilege.setServerName(serverName);
+    privilege.setURI(URI);
+    return privilege;
+  }
+}
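Review bot: testCreateCmdForGrantOrRevokePrivilege4 pins `GRANT null ON DATABASE dbTest TO ROLE testRole` as the expected output, so a privilege with no action is written to the audit trail as the literal word null, which a later reader or parser of the log cannot tell apart from a real action name. CommandUtil is in another file of this commit and not visible here, so this is inferred from the expected string; if that is the behaviour, it would be better for it to reject the request or emit an explicit marker for a missing action, and for this test to assert that instead. Separately, the last assertion in testCreateCmdForCreateOrDropRole has its arguments swapped relative to every other assertion in the file; `assertEquals(dropRoleCmdExcepted, dropRoleCmdResult);` keeps the failure message the right way round. The class also extends junit.framework.TestCase while annotating methods with org.junit.Test, so the annotations are presumably ignored and the methods run only because their names start with test; picking one JUnit style would make that explicit.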

