sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From gqs...@apache.org
Subject [2/2] incubator-sentry git commit: SENTRY-647: Add e2e tests for Sqoop Sentry integration (Guoquan Shen, reviewed by Dapeng Sun)
Date Thu, 09 Jul 2015 05:08:14 GMT
SENTRY-647: Add e2e tests for Sqoop Sentry integration (Guoquan Shen,reviewed by Dapeng Sun)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/98761811
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/98761811
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/98761811

Branch: refs/heads/master
Commit: 987618115b39d33937a44c0bdcdde3ff0c6be2f3
Parents: c8d5fce
Author: Guoquan Shen <guoquan.shen@intel.com>
Authored: Thu Jul 9 12:43:19 2015 +0800
Committer: Guoquan Shen <guoquan.shen@intel.com>
Committed: Thu Jul 9 12:43:19 2015 +0800

----------------------------------------------------------------------
 pom.xml                                         |   1 +
 sentry-tests/pom.xml                            |   1 +
 sentry-tests/sentry-tests-sqoop/pom.xml         | 153 +++++++++
 .../e2e/sqoop/AbstractSqoopSentryTestBase.java  | 225 +++++++++++++
 .../tests/e2e/sqoop/StaticUserGroupRole.java    |  62 ++++
 .../tests/e2e/sqoop/TestConnectorEndToEnd.java  | 111 +++++++
 .../tests/e2e/sqoop/TestGrantPrivilege.java     | 215 +++++++++++++
 .../sentry/tests/e2e/sqoop/TestJobEndToEnd.java | 305 ++++++++++++++++++
 .../tests/e2e/sqoop/TestLinkEndToEnd.java       | 238 ++++++++++++++
 .../tests/e2e/sqoop/TestOwnerPrivilege.java     | 156 +++++++++
 .../tests/e2e/sqoop/TestRevokePrivilege.java    | 175 ++++++++++
 .../tests/e2e/sqoop/TestRoleOperation.java      | 209 ++++++++++++
 .../e2e/sqoop/TestServerScopeEndToEnd.java      | 185 +++++++++++
 .../tests/e2e/sqoop/TestShowPrivilege.java      |  92 ++++++
 .../tests/e2e/sqoop/TomcatSqoopRunner.java      | 320 +++++++++++++++++++
 15 files changed, 2448 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index c623819..839eb1d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -754,6 +754,7 @@ limitations under the License.
                   <exclude>**/datanucleus.log</exclude>
                   <exclude>**/metastore_db/</exclude>
                   <exclude>**/*.rej</exclude>
+                  <exclude>**/thirdparty/</exclude>
                 </excludes>
               </configuration>
             </execution>

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/pom.xml b/sentry-tests/pom.xml
index 37f0f3e..c12b118 100644
--- a/sentry-tests/pom.xml
+++ b/sentry-tests/pom.xml
@@ -30,6 +30,7 @@ limitations under the License.
   <modules>
     <module>sentry-tests-hive</module>
     <module>sentry-tests-solr</module>
+    <module>sentry-tests-sqoop</module>
   </modules>
 
 </project>

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/pom.xml b/sentry-tests/sentry-tests-sqoop/pom.xml
new file mode 100644
index 0000000..491dbaa
--- /dev/null
+++ b/sentry-tests/sentry-tests-sqoop/pom.xml
@@ -0,0 +1,153 @@
+<?xml version="1.0"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>org.apache.sentry</groupId>
+    <artifactId>sentry-tests</artifactId>
+    <version>1.6.0-incubating-SNAPSHOT</version>
+  </parent>
+
+  <artifactId>sentry-tests-sqoop</artifactId>
+  <name>Sentry Sqoop Tests</name>
+  <description>end to end tests for sentry-sqoop integration</description>
+
+  <dependencies>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>log4j</groupId>
+      <artifactId>log4j</artifactId>
+      <version>1.2.16</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.sqoop</groupId>
+      <artifactId>test</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.hadoop</groupId>
+      <artifactId>hadoop-common</artifactId>
+      <exclusions>
+        <exclusion>
+          <groupId>javax.servlet</groupId>
+          <artifactId>servlet-api</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.hadoop</groupId>
+      <artifactId>hadoop-minicluster</artifactId>
+      <exclusions>
+        <exclusion>
+          <groupId>javax.servlet</groupId>
+          <artifactId>servlet-api</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>org.eclipse.jetty</groupId>
+      <artifactId>jetty-servlet</artifactId>
+      <version>8.1.10.v20130312</version>
+    </dependency>
+    <dependency>
+      <groupId>org.eclipse.jetty</groupId>
+      <artifactId>jetty-server</artifactId>
+       <version>8.1.10.v20130312</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-provider-db</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-provider-file</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-binding-sqoop</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-core-model-sqoop</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.google.guava</groupId>
+      <artifactId>guava</artifactId>
+    </dependency>
+  </dependencies>
+  <profiles>
+   <profile>
+     <id>download-sqoop2</id>
+     <activation>
+       <activeByDefault>true</activeByDefault>
+       <property><name>!skipTests</name></property>
+     </activation>
+     <build>
+     <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-antrun-plugin</artifactId>
+        <configuration>
+          <skipTests>true</skipTests>
+        </configuration>
+        <executions>
+          <execution>
+            <id>download-sqoop2</id>
+            <phase>generate-sources</phase>
+            <goals>
+              <goal>run</goal>
+            </goals>
+            <configuration>
+              <target>
+                <echo file="target/download.sh">
+                  set -e
+                  set -x
+                  /bin/pwd
+                  BASE_DIR=./target
+                  DOWNLOAD_DIR=./thirdparty
+                  download() {
+                    url=$1;
+                    packageName=$2
+                    if [[ ! -f $DOWNLOAD_DIR/$packageName ]]
+                    then
+                      wget --no-check-certificate -nv -O $DOWNLOAD_DIR/$packageName $url
+                    fi
+                  }
+                  mkdir -p $DOWNLOAD_DIR
+                  download "https://repository.apache.org/content/repositories/snapshots/org/apache/sqoop/sqoop-server/2.0.0-SNAPSHOT/sqoop-server-2.0.0-20150530.005523-4.war" sqoop.war
+                  download "http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.36/bin/apache-tomcat-6.0.36.zip" apache-tomcat-6.0.36.zip
+                </echo>
+                <exec executable="bash" dir="${basedir}" failonerror="true">
+                  <arg line="target/download.sh"/>
+                </exec>
+              </target>
+            </configuration>
+          </execution>
+        </executions>
+      </plugin>
+     </plugins>
+    </build>
+   </profile>
+  </profiles>
+</project>

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/AbstractSqoopSentryTestBase.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/AbstractSqoopSentryTestBase.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/AbstractSqoopSentryTestBase.java
new file mode 100644
index 0000000..2c6f329
--- /dev/null
+++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/AbstractSqoopSentryTestBase.java
@@ -0,0 +1,225 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * This class used to test the Sqoop integration with Sentry.
+ * It will set up a miniSqoopCluster and Sentry service in a JVM process.
+ */
+package org.apache.sentry.tests.e2e.sqoop;
+
+import static org.junit.Assert.assertTrue;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.util.ArrayList;
+import java.util.Set;
+import java.util.UUID;
+import java.util.concurrent.TimeoutException;
+
+
+import org.apache.commons.io.FileUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.net.NetUtils;
+import org.apache.hadoop.security.UserGroupInformation;
+
+import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
+import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
+import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
+import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
+import org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider;
+import org.apache.sentry.provider.file.PolicyFile;
+import org.apache.sentry.service.thrift.SentryService;
+import org.apache.sentry.service.thrift.SentryServiceFactory;
+import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+
+import org.apache.sentry.sqoop.binding.SqoopProviderBackend;
+import org.apache.sentry.sqoop.conf.SqoopAuthConf.AuthzConfVars;
+
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Joiner;
+import com.google.common.collect.Sets;
+
+public class AbstractSqoopSentryTestBase {
+  private static final Logger LOGGER = LoggerFactory
+      .getLogger(AbstractSqoopSentryTestBase.class);
+
+  private static final String SERVER_HOST = NetUtils
+      .createSocketAddr("localhost:80").getAddress().getCanonicalHostName();
+  private static final int PORT = 8038;
+
+  protected static final String COMPONENT = "sqoop";
+  protected static final String ADMIN_USER = "sqoop";
+  protected static final String ADMIN_GROUP = "sqoop";
+  protected static final String ADMIN_ROLE  = "sqoop";
+  protected static final String SQOOP_SERVER_NAME = "sqoopServer1";
+  /** test users, groups and roles */
+  protected static final String USER1 = StaticUserGroupRole.USER_1;
+  protected static final String USER2 = StaticUserGroupRole.USER_2;
+  protected static final String USER3 = StaticUserGroupRole.USER_3;
+  protected static final String USER4 = StaticUserGroupRole.USER_4;
+  protected static final String USER5 = StaticUserGroupRole.USER_5;
+
+  protected static final String GROUP1 = StaticUserGroupRole.GROUP_1;
+  protected static final String GROUP2 = StaticUserGroupRole.GROUP_2;
+  protected static final String GROUP3 = StaticUserGroupRole.GROUP_3;
+  protected static final String GROUP4 = StaticUserGroupRole.GROUP_4;
+  protected static final String GROUP5 = StaticUserGroupRole.GROUP_5;
+
+  protected static final String ROLE1 = StaticUserGroupRole.ROLE_1;
+  protected static final String ROLE2 = StaticUserGroupRole.ROLE_2;
+  protected static final String ROLE3 = StaticUserGroupRole.ROLE_3;
+  protected static final String ROLE4 = StaticUserGroupRole.ROLE_4;
+  protected static final String ROLE5 = StaticUserGroupRole.ROLE_5;
+
+  protected static SentryService server;
+  protected static TomcatSqoopRunner sqoopServerRunner;
+
+  protected static File baseDir;
+  protected static File sqoopDir;
+  protected static File dbDir;
+  protected static File policyFilePath;
+
+  protected static PolicyFile policyFile;
+
+  @BeforeClass
+  public static void beforeTestEndToEnd() throws Exception {
+    setupConf();
+    startSentryService();
+    setUserGroups();
+    setAdminPrivilege();
+    startSqoopWithSentryEnable();
+  }
+
+  @AfterClass
+  public static void afterTestEndToEnd() throws Exception {
+    if (server != null) {
+      server.stop();
+    }
+    if (sqoopServerRunner != null) {
+      sqoopServerRunner.stop();
+    }
+
+    FileUtils.deleteDirectory(baseDir);
+  }
+
+  public static void setupConf() throws Exception {
+    baseDir = createTempDir();
+    sqoopDir = new File(baseDir, "sqoop");
+    dbDir = new File(baseDir, "sentry_policy_db");
+    policyFilePath = new File(baseDir, "local_policy_file.ini");
+    policyFile = new PolicyFile();
+
+    /** set the configuratoion for Sentry Service */
+    Configuration conf = new Configuration();
+
+    conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_NONE);
+    conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
+    conf.set(ServerConfig.ADMIN_GROUPS, Joiner.on(",").join(ADMIN_GROUP,
+        UserGroupInformation.getLoginUser().getPrimaryGroupName()));
+    conf.set(ServerConfig.RPC_ADDRESS, SERVER_HOST);
+    conf.set(ServerConfig.RPC_PORT, String.valueOf(PORT));
+    conf.set(ServerConfig.SENTRY_STORE_JDBC_URL,
+        "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true");
+    conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING,
+        ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING);
+    conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE,
+        policyFilePath.getPath());
+    server = new SentryServiceFactory().create(conf);
+  }
+
+  public static File createTempDir() {
+    File baseDir = new File(System.getProperty("java.io.tmpdir"));
+    String baseName = "sqoop-e2e-";
+    File tempDir = new File(baseDir, baseName + UUID.randomUUID().toString());
+    if (tempDir.mkdir()) {
+        return tempDir;
+    }
+    throw new IllegalStateException("Failed to create temp directory");
+  }
+
+  public static void startSentryService() throws Exception {
+    server.start();
+    final long start = System.currentTimeMillis();
+    while(!server.isRunning()) {
+      Thread.sleep(1000);
+      if(System.currentTimeMillis() - start > 60000L) {
+        throw new TimeoutException("Server did not start after 60 seconds");
+      }
+    }
+  }
+
+  public static void startSqoopWithSentryEnable() throws Exception {
+    File sentrySitePath = new File(baseDir, "sentry-site.xml");
+    getClientConfig().writeXml(new FileOutputStream(sentrySitePath));
+    sqoopServerRunner = new TomcatSqoopRunner(sqoopDir.toString(), SQOOP_SERVER_NAME,
+        sentrySitePath.toURI().toURL().toString());
+    sqoopServerRunner.start();
+  }
+
+  private static Configuration getClientConfig() {
+    Configuration conf = new Configuration();
+    /** set the Sentry client configuration for Sqoop Service integration */
+    conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_NONE);
+    conf.set(ClientConfig.SERVER_RPC_ADDRESS, server.getAddress().getHostName());
+    conf.set(ClientConfig.SERVER_RPC_PORT, String.valueOf(server.getAddress().getPort()));
+
+    conf.set(AuthzConfVars.AUTHZ_PROVIDER.getVar(),
+        LocalGroupResourceAuthorizationProvider.class.getName());
+    conf.set(AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar(), SqoopProviderBackend.class.getName());
+    conf.set(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(), policyFilePath.getPath());
+    conf.set(AuthzConfVars.AUTHZ_TESTING_MODE.getVar(), "true");
+    return conf;
+  }
+
+  public static void setUserGroups() throws Exception {
+    for (String user : StaticUserGroupRole.getUsers()) {
+      Set<String> groups = StaticUserGroupRole.getGroups(user);
+      policyFile.addGroupsToUser(user,
+          groups.toArray(new String[groups.size()]));
+    }
+    policyFile.addGroupsToUser(ADMIN_USER, ADMIN_GROUP);
+    UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
+    policyFile.addGroupsToUser(loginUser.getShortUserName(), loginUser.getGroupNames());
+    policyFile.write(policyFilePath);
+  }
+
+  public static void setAdminPrivilege() throws Exception {
+    SentryGenericServiceClient sentryClient = null;
+    try {
+      /** grant all privilege to admin user */
+      sentryClient = new SentryGenericServiceClient(getClientConfig());
+      sentryClient.createRoleIfNotExist(ADMIN_USER, ADMIN_ROLE, COMPONENT);
+      sentryClient.addRoleToGroups(ADMIN_USER, ADMIN_ROLE, COMPONENT, Sets.newHashSet(ADMIN_GROUP));
+      sentryClient.grantPrivilege(ADMIN_USER, ADMIN_ROLE, COMPONENT,
+          new TSentryPrivilege(COMPONENT, SQOOP_SERVER_NAME, new ArrayList<TAuthorizable>(),
+              SqoopActionConstant.ALL));
+    } finally {
+      if (sentryClient != null) {
+        sentryClient.close();
+      }
+    }
+  }
+
+  public static void assertCausedMessage(Exception e, String message) {
+    assertTrue(e.getCause().getMessage().contains(message));
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/StaticUserGroupRole.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/StaticUserGroupRole.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/StaticUserGroupRole.java
new file mode 100644
index 0000000..e51ee00
--- /dev/null
+++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/StaticUserGroupRole.java
@@ -0,0 +1,62 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.tests.e2e.sqoop;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import com.google.common.collect.Sets;
+
+public class StaticUserGroupRole {
+  public static final String USER_1 = "user1";
+  public static final String USER_2 = "user2";
+  public static final String USER_3 = "user3";
+  public static final String USER_4 = "user4";
+  public static final String USER_5 = "user5";
+
+  public static final String GROUP_1 = "group1";
+  public static final String GROUP_2 = "group2";
+  public static final String GROUP_3 = "group3";
+  public static final String GROUP_4 = "group4";
+  public static final String GROUP_5 = "group5";
+
+  public static final String ROLE_1 = "role1";
+  public static final String ROLE_2 = "role2";
+  public static final String ROLE_3 = "role3";
+  public static final String ROLE_4 = "role4";
+  public static final String ROLE_5 = "role5";
+
+  private static Map<String, Set<String>> userToGroupsMapping =
+      new HashMap<String, Set<String>>();
+
+  static {
+    userToGroupsMapping.put(USER_1, Sets.newHashSet(GROUP_1));
+    userToGroupsMapping.put(USER_2, Sets.newHashSet(GROUP_2));
+    userToGroupsMapping.put(USER_3, Sets.newHashSet(GROUP_3));
+    userToGroupsMapping.put(USER_4, Sets.newHashSet(GROUP_4));
+    userToGroupsMapping.put(USER_5, Sets.newHashSet(GROUP_5));
+  }
+
+  public static Set<String> getUsers() {
+    return userToGroupsMapping.keySet();
+  }
+
+  public static Set<String> getGroups(String user) {
+    return userToGroupsMapping.get(user);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestConnectorEndToEnd.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestConnectorEndToEnd.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestConnectorEndToEnd.java
new file mode 100644
index 0000000..9e13b13
--- /dev/null
+++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestConnectorEndToEnd.java
@@ -0,0 +1,111 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.tests.e2e.sqoop;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.util.Collection;
+
+import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
+import org.apache.sqoop.client.SqoopClient;
+import org.apache.sqoop.model.MConnector;
+import org.apache.sqoop.model.MPrincipal;
+import org.apache.sqoop.model.MPrivilege;
+import org.apache.sqoop.model.MResource;
+import org.apache.sqoop.model.MRole;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+
+public class TestConnectorEndToEnd extends AbstractSqoopSentryTestBase {
+  private static String JDBC_CONNECTOR_NAME = "generic-jdbc-connector";
+  private static String HDFS_CONNECTOR_NAME = "hdfs-connector";
+
+  @Test
+  public void testShowAllConnector() throws Exception {
+    // USER3 at firstly has no privilege on any Sqoop resource
+    SqoopClient client = sqoopServerRunner.getSqoopClient(USER3);
+    assertTrue(client.getConnectors().size() == 0);
+    /**
+     * ADMIN_USER grant read action privilege on connector all to role ROLE3
+     * ADMIN_USER grant role ROLE3 to group GROUP3
+     */
+    client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MRole role3 = new MRole(ROLE3);
+    MPrincipal group3 = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP);
+    MResource  allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+    MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+    client.createRole(role3);
+    client.grantRole(Lists.newArrayList(role3), Lists.newArrayList(group3));
+    client.grantPrivilege(Lists.newArrayList(new MPrincipal(role3.getName(), MPrincipal.TYPE.ROLE)),
+        Lists.newArrayList(readPriv));
+
+    // check USER3 has the read privilege on all connector
+    client = sqoopServerRunner.getSqoopClient(USER3);
+    assertTrue(client.getConnectors().size() > 0);
+  }
+
+  @Test
+  public void testShowSpecificConnector() throws Exception {
+    // USER1 and USER2 at firstly has no privilege on any Sqoop resource
+    SqoopClient client = sqoopServerRunner.getSqoopClient(USER1);
+    assertTrue(client.getConnectors().size() == 0);
+    client = sqoopServerRunner.getSqoopClient(USER2);
+    assertTrue(client.getConnectors().size() == 0);
+
+    /**
+     * ADMIN_USER grant read action privilege on jdbc connector to role ROLE1
+     * ADMIN_USER grant read action privilege on hdfs connector to role ROLE2
+     */
+    client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MConnector hdfsConnector = client.getConnector(HDFS_CONNECTOR_NAME);
+    MConnector jdbcConnector = client.getConnector(JDBC_CONNECTOR_NAME);
+
+    MRole role1 = new MRole(ROLE1);
+    MPrincipal group1 = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
+    MPrivilege readHdfsPriv = new MPrivilege(new MResource(String.valueOf(hdfsConnector.getPersistenceId()), MResource.TYPE.CONNECTOR),
+        SqoopActionConstant.READ, false);
+    client.createRole(role1);
+    client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1));
+    client.grantPrivilege(Lists.newArrayList(new MPrincipal(role1.getName(), MPrincipal.TYPE.ROLE)),
+        Lists.newArrayList(readHdfsPriv));
+
+    MRole role2 = new MRole(ROLE2);
+    MPrincipal group2 = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP);
+    MPrivilege readJdbcPriv = new MPrivilege(new MResource(String.valueOf(jdbcConnector.getPersistenceId()), MResource.TYPE.CONNECTOR),
+        SqoopActionConstant.READ, false);
+    client.createRole(role2);
+    client.grantRole(Lists.newArrayList(role2), Lists.newArrayList(group2));
+    client.grantPrivilege(Lists.newArrayList(new MPrincipal(role2.getName(), MPrincipal.TYPE.ROLE)),
+        Lists.newArrayList(readJdbcPriv));
+
+    client = sqoopServerRunner.getSqoopClient(USER1);
+    assertTrue(client.getConnectors().size() == 1);
+    // user1 can show hdfs connector
+    assertTrue(client.getConnector(HDFS_CONNECTOR_NAME) != null);
+    // user1 can't show jdbc connector
+    assertTrue(client.getConnector(JDBC_CONNECTOR_NAME) == null);
+
+    client = sqoopServerRunner.getSqoopClient(USER2);
+    assertTrue(client.getConnectors().size() == 1);
+    // user2 can show jdbc connector
+    assertTrue(client.getConnector(JDBC_CONNECTOR_NAME) != null);
+    // user2 can't show hdfs connector
+    assertTrue(client.getConnector(HDFS_CONNECTOR_NAME) == null);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestGrantPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestGrantPrivilege.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestGrantPrivilege.java
new file mode 100644
index 0000000..bc9dd13
--- /dev/null
+++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestGrantPrivilege.java
@@ -0,0 +1,215 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.tests.e2e.sqoop;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import java.util.List;
+
+import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
+import org.apache.sentry.sqoop.SentrySqoopError;
+import org.apache.sqoop.client.SqoopClient;
+import org.apache.sqoop.model.MPrincipal;
+import org.apache.sqoop.model.MPrivilege;
+import org.apache.sqoop.model.MResource;
+import org.apache.sqoop.model.MRole;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+
+public class TestGrantPrivilege extends AbstractSqoopSentryTestBase {
+
+  @Test
+  public void testNotSupportGrantPrivilegeToUser() throws Exception {
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MPrincipal user1 = new MPrincipal("not_support_grant_user_1", MPrincipal.TYPE.GROUP);
+    MResource  allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+    MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+    try {
+      client.grantPrivilege(Lists.newArrayList(user1), Lists.newArrayList(readPriv));
+      fail("expected not support exception happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL);
+    }
+  }
+
+  @Test
+  public void testNotSupportGrantPrivilegeToGroup() throws Exception {
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MPrincipal group1 = new MPrincipal("not_support_grant_group_1", MPrincipal.TYPE.GROUP);
+    MResource  allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+    MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+    try {
+      client.grantPrivilege(Lists.newArrayList(group1), Lists.newArrayList(readPriv));
+      fail("expected not support exception happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL);
+    }
+  }
+
+  @Test
+  public void testGrantPrivilege() throws Exception {
+    /**
+     * user1 belongs to group group1
+     * admin user grant role role1 to group group1
+     * admin user grant read privilege on connector all to role role1
+     */
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MRole role1 = new MRole(ROLE1);
+    MPrincipal group1Princ = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
+    MPrincipal role1Princ = new MPrincipal(ROLE1, MPrincipal.TYPE.ROLE);
+    MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+    MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
+    client.createRole(role1);
+    client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1Princ));
+    client.grantPrivilege(Lists.newArrayList(role1Princ), Lists.newArrayList(readPrivilege));
+
+    // check user1 has privilege on role1
+    client = sqoopServerRunner.getSqoopClient(USER1);
+    assertTrue(client.getPrivilegesByPrincipal(role1Princ, allConnector).size() == 1);
+  }
+
+  @Test
+  public void testGrantPrivilegeTwice() throws Exception {
+    /**
+     * user2 belongs to group group2
+     * admin user grant role role2 to group group2
+     * admin user grant write privilege on connector all to role role2
+     */
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MRole role2 = new MRole(ROLE2);
+    MPrincipal group2Princ = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP);
+    MPrincipal role2Princ = new MPrincipal(ROLE2, MPrincipal.TYPE.ROLE);
+    MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+    MPrivilege writePrivilege = new MPrivilege(allConnector, SqoopActionConstant.WRITE, false);
+    client.createRole(role2);
+    client.grantRole(Lists.newArrayList(role2), Lists.newArrayList(group2Princ));
+    client.grantPrivilege(Lists.newArrayList(role2Princ), Lists.newArrayList(writePrivilege));
+
+    // check user2 has one privilege on role2
+    client = sqoopServerRunner.getSqoopClient(USER2);
+    assertTrue(client.getPrivilegesByPrincipal(role2Princ, allConnector).size() == 1);
+
+    // grant privilege to role role2 again
+    client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    client.grantPrivilege(Lists.newArrayList(role2Princ), Lists.newArrayList(writePrivilege));
+
+    // check user2 has only one privilege on role2
+    client = sqoopServerRunner.getSqoopClient(USER2);
+    assertTrue(client.getPrivilegesByPrincipal(role2Princ, allConnector).size() == 1);
+  }
+
+  @Test
+  public void testGrantPrivilegeWithAllPrivilegeExist() throws Exception {
+    /**
+     * user3 belongs to group group3
+     * admin user grant role role3 to group group3
+     * admin user grant all privilege on connector all to role role3
+     */
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MRole role3 = new MRole(ROLE3);
+    MPrincipal group3Princ = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP);
+    MPrincipal role3Princ = new MPrincipal(ROLE3, MPrincipal.TYPE.ROLE);
+    MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+    MPrivilege allPrivilege = new MPrivilege(allConnector, SqoopActionConstant.ALL_NAME, false);
+    client.createRole(role3);
+    client.grantRole(Lists.newArrayList(role3), Lists.newArrayList(group3Princ));
+    client.grantPrivilege(Lists.newArrayList(role3Princ), Lists.newArrayList(allPrivilege));
+
+    // check user3 has one privilege on role3
+    client = sqoopServerRunner.getSqoopClient(USER3);
+    assertTrue(client.getPrivilegesByPrincipal(role3Princ, allConnector).size() == 1);
+    // user3 has the all action on role3
+    MPrivilege user3Privilege = client.getPrivilegesByPrincipal(role3Princ, allConnector).get(0);
+    assertEquals(user3Privilege.getAction(), SqoopActionConstant.ALL_NAME);
+
+    /**
+     * admin user grant read privilege on connector all to role role3
+     * because the role3 has already the all privilege, the read privilege granting has
+     * no impact on the role3
+     */
+    client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
+    client.grantPrivilege(Lists.newArrayList(role3Princ), Lists.newArrayList(readPrivilege));
+    // check user3 has only one privilege on role3
+    client = sqoopServerRunner.getSqoopClient(USER3);
+    assertTrue(client.getPrivilegesByPrincipal(role3Princ, allConnector).size() == 1);
+    // user3 has the all action on role3
+    user3Privilege = client.getPrivilegesByPrincipal(role3Princ, allConnector).get(0);
+    assertEquals(user3Privilege.getAction(), SqoopActionConstant.ALL_NAME);
+  }
+
+  @Test
+  public void testGrantALLPrivilegeWithOtherPrivilegesExist() throws Exception {
+    /**
+     * user4 belongs to group group4
+     * admin user grant role role4 to group group4
+     * admin user grant read privilege on connector all to role role4
+     */
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MRole role4 = new MRole(ROLE4);
+    MPrincipal group4Princ = new MPrincipal(GROUP4, MPrincipal.TYPE.GROUP);
+    MPrincipal role4Princ = new MPrincipal(ROLE4, MPrincipal.TYPE.ROLE);
+    MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+    MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
+    client.createRole(role4);
+    client.grantRole(Lists.newArrayList(role4), Lists.newArrayList(group4Princ));
+    client.grantPrivilege(Lists.newArrayList(role4Princ), Lists.newArrayList(readPrivilege));
+
+    // check user4 has one privilege on role1
+    client = sqoopServerRunner.getSqoopClient(USER4);
+    assertTrue(client.getPrivilegesByPrincipal(role4Princ, allConnector).size() == 1);
+    // user4 has the read action on collector all
+    MPrivilege user4Privilege = client.getPrivilegesByPrincipal(role4Princ, allConnector).get(0);
+    assertEquals(user4Privilege.getAction().toLowerCase(), SqoopActionConstant.READ);
+
+    /**
+     * admin user grant write privilege on connector all to role role4
+     */
+    client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MPrivilege writePrivilege = new MPrivilege(allConnector, SqoopActionConstant.WRITE, false);
+    client.grantPrivilege(Lists.newArrayList(role4Princ), Lists.newArrayList(writePrivilege));
+
+    // check user4 has two privileges on role1
+    client = sqoopServerRunner.getSqoopClient(USER4);
+    assertTrue(client.getPrivilegesByPrincipal(role4Princ, allConnector).size() == 2);
+    // user4 has the read and write action on collector all
+    List<String> actions = Lists.newArrayList();
+    for (MPrivilege privilege : client.getPrivilegesByPrincipal(role4Princ, allConnector)) {
+      actions.add(privilege.getAction().toLowerCase());
+    }
+    assertEquals(Lists.newArrayList(SqoopActionConstant.READ, SqoopActionConstant.WRITE), actions);
+
+    /**
+     * admin user grant all privilege on connector all to role role4
+     * because the all privilege includes the read and write privileges, these privileges will
+     * be removed
+     */
+    client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MPrivilege allPrivilege = new MPrivilege(allConnector, SqoopActionConstant.ALL_NAME, false);
+    client.grantPrivilege(Lists.newArrayList(role4Princ), Lists.newArrayList(allPrivilege));
+
+    // check user4 has only privilege on role1
+    client = sqoopServerRunner.getSqoopClient(USER4);
+    assertTrue(client.getPrivilegesByPrincipal(role4Princ, allConnector).size() == 1);
+    // user4 has the all action on role3
+    user4Privilege = client.getPrivilegesByPrincipal(role4Princ, allConnector).get(0);
+    assertEquals(user4Privilege.getAction(), SqoopActionConstant.ALL_NAME);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestJobEndToEnd.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestJobEndToEnd.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestJobEndToEnd.java
new file mode 100644
index 0000000..636e269
--- /dev/null
+++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestJobEndToEnd.java
@@ -0,0 +1,305 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.tests.e2e.sqoop;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
+import org.apache.sqoop.client.SqoopClient;
+import org.apache.sqoop.model.MJob;
+import org.apache.sqoop.model.MLink;
+import org.apache.sqoop.model.MPrincipal;
+import org.apache.sqoop.model.MPrivilege;
+import org.apache.sqoop.model.MResource;
+import org.apache.sqoop.model.MRole;
+import org.apache.sqoop.security.SecurityError;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+
+public class TestJobEndToEnd extends AbstractSqoopSentryTestBase {
+  @Test
+  public void testShowJob() throws Exception {
+    /**
+     * ADMIN_USER create two links and one job
+     */
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MLink rdbmsLink = client.createLink("generic-jdbc-connector");
+    sqoopServerRunner.fillRdbmsLinkConfig(rdbmsLink);
+    sqoopServerRunner.saveLink(client, rdbmsLink);
+
+    MLink hdfsLink = client.createLink("hdfs-connector");
+    sqoopServerRunner.fillHdfsLink(hdfsLink);
+    sqoopServerRunner.saveLink(client, hdfsLink);
+
+    MJob job1 = client.createJob(hdfsLink.getPersistenceId(), rdbmsLink.getPersistenceId());
+    // set HDFS "FROM" config for the job, since the connector test case base class only has utilities for HDFS!
+    sqoopServerRunner.fillHdfsFromConfig(job1);
+    // set the RDBM "TO" config here
+    sqoopServerRunner.fillRdbmsToConfig(job1);
+    // create job
+    sqoopServerRunner.saveJob(client, job1);
+    /**
+     * ADMIN_USER grant read privilege on all job to role1
+     */
+    MRole role1 = new MRole(ROLE1);
+    MPrincipal group1 = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
+    MResource allJob = new MResource(SqoopActionConstant.ALL, MResource.TYPE.JOB);
+    MPrivilege readAllPrivilege = new MPrivilege(allJob,SqoopActionConstant.READ, false);
+    client.createRole(role1);
+    client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1));
+    client.grantPrivilege(Lists.newArrayList(new MPrincipal(role1.getName(), MPrincipal.TYPE.ROLE)),
+        Lists.newArrayList(readAllPrivilege));
+
+    /**
+     * ADMIN_USER grant read privilege on job1 to role2
+     */
+    MRole role2 = new MRole(ROLE2);
+    MPrincipal group2 = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP);
+    MResource job1Resource = new MResource(String.valueOf(job1.getPersistenceId()), MResource.TYPE.JOB);
+    MPrivilege readJob1Privilege = new MPrivilege(job1Resource,SqoopActionConstant.READ, false);
+    client.createRole(role2);
+    client.grantRole(Lists.newArrayList(role2), Lists.newArrayList(group2));
+    client.grantPrivilege(Lists.newArrayList(new MPrincipal(role2.getName(), MPrincipal.TYPE.ROLE)),
+        Lists.newArrayList(readJob1Privilege));
+
+    // user1 can show all jobs
+    client = sqoopServerRunner.getSqoopClient(USER1);
+    try {
+      assertTrue(client.getJobs().size() == 1);
+      assertTrue(client.getJob(job1.getPersistenceId()) != null);
+    } catch (Exception e) {
+      fail("unexpected Authorization exception happend");
+    }
+
+    // user2 can show job1
+    client = sqoopServerRunner.getSqoopClient(USER2);
+    try {
+      assertTrue(client.getJobs().size() == 1);
+      assertTrue(client.getJob(job1.getPersistenceId()) != null);
+    } catch (Exception e) {
+      fail("unexpected Authorization exception happend");
+    }
+
+    // user3 can't show job1
+    client = sqoopServerRunner.getSqoopClient(USER3);
+    try {
+      assertTrue(client.getJobs().size() == 0);
+      client.getJob(job1.getPersistenceId());
+      fail("expected Authorization exception happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+    }
+
+    client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    client.deleteJob(job1.getPersistenceId());
+  }
+
+  @Test
+  public void testUpdateDeleteJob() throws Exception {
+    /**
+     * ADMIN_USER create two links and one job
+     */
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MLink rdbmsLink = client.createLink("generic-jdbc-connector");
+    sqoopServerRunner.fillRdbmsLinkConfig(rdbmsLink);
+    rdbmsLink.setName("rdbm_testUpdateJob");
+    sqoopServerRunner.saveLink(client, rdbmsLink);
+
+    MLink hdfsLink = client.createLink("hdfs-connector");
+    sqoopServerRunner.fillHdfsLink(hdfsLink);
+    hdfsLink.setName("hdfs_testUpdateJob");
+    sqoopServerRunner.saveLink(client, hdfsLink);
+
+    MJob job2 = client.createJob(hdfsLink.getPersistenceId(), rdbmsLink.getPersistenceId());
+    // set HDFS "FROM" config for the job, since the connector test case base class only has utilities for HDFS!
+    sqoopServerRunner.fillHdfsFromConfig(job2);
+    // set the RDBM "TO" config here
+    sqoopServerRunner.fillRdbmsToConfig(job2);
+    // create job
+    sqoopServerRunner.saveJob(client, job2);
+
+    /**
+     * ADMIN_USER grant update privilege on job2 to role4
+     * ADMIN_USER grant read privilege on all connector to role4
+     * ADMIN_USER grant read privilege on all link to role4
+     */
+    MRole role4 = new MRole(ROLE4);
+    MPrincipal group4 = new MPrincipal(GROUP4, MPrincipal.TYPE.GROUP);
+    MResource job2Resource = new MResource(String.valueOf(job2.getPersistenceId()), MResource.TYPE.JOB);
+    MPrivilege writeJob2Privilege = new MPrivilege(job2Resource,SqoopActionConstant.WRITE, false);
+    MResource  allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+    MPrivilege readConnectorPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+    MResource  allLink = new MResource(SqoopActionConstant.ALL, MResource.TYPE.LINK);
+    MPrivilege readLinkPriv = new MPrivilege(allLink,SqoopActionConstant.READ, false);
+    client.createRole(role4);
+    client.grantRole(Lists.newArrayList(role4), Lists.newArrayList(group4));
+    client.grantPrivilege(Lists.newArrayList(new MPrincipal(role4.getName(), MPrincipal.TYPE.ROLE)),
+        Lists.newArrayList(writeJob2Privilege, readConnectorPriv, readLinkPriv));
+
+    // user4 can't show job2
+    client = sqoopServerRunner.getSqoopClient(USER4);
+    try {
+      assertTrue(client.getJobs().size() == 0);
+      client.getJob(job2.getPersistenceId());
+      fail("expected Authorization exception happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+    }
+    // user4 can update job2
+    try {
+      job2.setName("job2_update_user4_1");
+      client.updateJob(job2);
+    } catch (Exception e) {
+      fail("unexpected Authorization exception happend");
+    }
+    // user3 can't update job2
+    client = sqoopServerRunner.getSqoopClient(USER3);
+    try {
+      assertTrue(client.getJobs().size() == 0);
+      job2.setName("job2_update_user3_1");
+      client.updateJob(job2);
+      fail("expected Authorization exception happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+    }
+
+    // user3 can't delete job2
+    try {
+      client.deleteJob(job2.getPersistenceId());
+      fail("expected Authorization exception happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+    }
+
+    //user4 can delete job2 because user4 has write privilege on job2
+    client = sqoopServerRunner.getSqoopClient(USER4);
+    try {
+      client.deleteJob(job2.getPersistenceId());
+    } catch (Exception e) {
+      fail("unexpected Authorization exception happend");
+    }
+
+    client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    client.dropRole(role4);
+  }
+
+  @Test
+  public void testEnableAndStartJob() throws Exception {
+    /**
+     * ADMIN_USER create two links and one job
+     */
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MLink rdbmsLink = client.createLink("generic-jdbc-connector");
+    sqoopServerRunner.fillRdbmsLinkConfig(rdbmsLink);
+    rdbmsLink.setName("rdbm_testEnableAndStartJob");
+    sqoopServerRunner.saveLink(client, rdbmsLink);
+
+    MLink hdfsLink = client.createLink("hdfs-connector");
+    sqoopServerRunner.fillHdfsLink(hdfsLink);
+    hdfsLink.setName("hdfs_testEnableAndStartJob");
+    sqoopServerRunner.saveLink(client, hdfsLink);
+
+    MJob job2 = client.createJob(hdfsLink.getPersistenceId(), rdbmsLink.getPersistenceId());
+    // set HDFS "FROM" config for the job, since the connector test case base class only has utilities for HDFS!
+    sqoopServerRunner.fillHdfsFromConfig(job2);
+    // set the RDBM "TO" config here
+    sqoopServerRunner.fillRdbmsToConfig(job2);
+    // create job
+    sqoopServerRunner.saveJob(client, job2);
+
+    /**
+     * ADMIN_USER grant update privilege on job2 to role4
+     * ADMIN_USER grant read privilege on all connector to role4
+     * ADMIN_USER grant read privilege on all link to role4
+     */
+    MRole role4 = new MRole(ROLE4);
+    MPrincipal group4 = new MPrincipal(GROUP4, MPrincipal.TYPE.GROUP);
+    MResource job2Resource = new MResource(String.valueOf(job2.getPersistenceId()), MResource.TYPE.JOB);
+    MPrivilege writeJob2Privilege = new MPrivilege(job2Resource,SqoopActionConstant.WRITE, false);
+    MResource  allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+    MPrivilege readConnectorPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+    MResource  allLink = new MResource(SqoopActionConstant.ALL, MResource.TYPE.LINK);
+    MPrivilege readLinkPriv = new MPrivilege(allLink,SqoopActionConstant.READ, false);
+    client.createRole(role4);
+    client.grantRole(Lists.newArrayList(role4), Lists.newArrayList(group4));
+    client.grantPrivilege(Lists.newArrayList(new MPrincipal(role4.getName(), MPrincipal.TYPE.ROLE)),
+        Lists.newArrayList(writeJob2Privilege, readConnectorPriv, readLinkPriv));
+
+
+    /**
+     * ADMIN_USER grant read privilege on job2 to role5
+     * ADMIN_USER grant read privilege on all connector to role5
+     * ADMIN_USER grant read privilege on all link to role5
+     */
+    MRole role5 = new MRole(ROLE5);
+    MPrincipal group5 = new MPrincipal(GROUP5, MPrincipal.TYPE.GROUP);
+    MPrivilege readJob2Privilege = new MPrivilege(job2Resource,SqoopActionConstant.READ, false);
+    client.createRole(role5);
+    client.grantRole(Lists.newArrayList(role5), Lists.newArrayList(group5));
+    client.grantPrivilege(Lists.newArrayList(new MPrincipal(role5.getName(), MPrincipal.TYPE.ROLE)),
+        Lists.newArrayList(readJob2Privilege, readConnectorPriv, readLinkPriv));
+
+    // user5 can't enable and start job2
+    client = sqoopServerRunner.getSqoopClient(USER5);
+    try {
+      client.enableJob(job2.getPersistenceId(), true);
+      fail("expected Authorization exception happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+    }
+
+    try {
+      client.startJob(job2.getPersistenceId());
+      fail("expected Authorization exception happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+    }
+
+    // user3 can't enable and start job2
+    client = sqoopServerRunner.getSqoopClient(USER3);
+    try {
+      client.enableJob(job2.getPersistenceId(), true);
+      fail("expected Authorization exception happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+    }
+
+    try {
+      client.startJob(job2.getPersistenceId());
+      fail("expected Authorization exception happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+    }
+
+    // user4 can enable or start job2
+    client = sqoopServerRunner.getSqoopClient(USER4);
+    try {
+      client.enableJob(job2.getPersistenceId(), false);
+      client.enableJob(job2.getPersistenceId(), true);
+      client.deleteJob(job2.getPersistenceId());
+    } catch (Exception e) {
+      fail("unexpected Authorization exception happend");
+    }
+
+
+    client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    client.dropRole(role4);
+    client.dropRole(role5);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestLinkEndToEnd.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestLinkEndToEnd.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestLinkEndToEnd.java
new file mode 100644
index 0000000..a67ef63
--- /dev/null
+++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestLinkEndToEnd.java
@@ -0,0 +1,238 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.tests.e2e.sqoop;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
+import org.apache.sqoop.client.SqoopClient;
+import org.apache.sqoop.model.MLink;
+import org.apache.sqoop.model.MPrincipal;
+import org.apache.sqoop.model.MPrivilege;
+import org.apache.sqoop.model.MResource;
+import org.apache.sqoop.model.MRole;
+import org.apache.sqoop.security.SecurityError;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+
+public class TestLinkEndToEnd extends AbstractSqoopSentryTestBase {
+
+  @Test
+  public void testShowLink() throws Exception {
+    /**
+     * ADMIN_USER create a hdfs link
+     */
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MLink hdfsLink = client.createLink("hdfs-connector");
+    sqoopServerRunner.fillHdfsLink(hdfsLink);
+    sqoopServerRunner.saveLink(client, hdfsLink);
+
+    /**
+     * ADMIN_USER grant read privilege on all link to role1
+     */
+    MRole role1 = new MRole(ROLE1);
+    MPrincipal group1 = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
+    MResource allLink = new MResource(SqoopActionConstant.ALL, MResource.TYPE.LINK);
+    MPrivilege readAllPrivilege = new MPrivilege(allLink,SqoopActionConstant.READ, false);
+    client.createRole(role1);
+    client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1));
+    client.grantPrivilege(Lists.newArrayList(new MPrincipal(role1.getName(), MPrincipal.TYPE.ROLE)),
+        Lists.newArrayList(readAllPrivilege));
+
+    /**
+     * ADMIN_USER grant read privilege on hdfs link to role2
+     */
+    MRole role2 = new MRole(ROLE2);
+    MPrincipal group2 = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP);
+    MResource hdfsLinkResource = new MResource(String.valueOf(hdfsLink.getPersistenceId()), MResource.TYPE.LINK);
+    MPrivilege readHdfsLinkPrivilege = new MPrivilege(hdfsLinkResource,SqoopActionConstant.READ, false);
+    client.createRole(role2);
+    client.grantRole(Lists.newArrayList(role2), Lists.newArrayList(group2));
+    client.grantPrivilege(Lists.newArrayList(new MPrincipal(role2.getName(), MPrincipal.TYPE.ROLE)),
+        Lists.newArrayList(readHdfsLinkPrivilege));
+
+    // user1 can show all link
+    client = sqoopServerRunner.getSqoopClient(USER1);
+    try {
+      assertTrue(client.getLinks().size() == 1);
+      assertTrue(client.getLink(hdfsLink.getPersistenceId()) != null);
+    } catch (Exception e) {
+      fail("unexpected Authorization exception happend");
+    }
+
+    // user2 can show hdfs link
+    client = sqoopServerRunner.getSqoopClient(USER2);
+    try {
+      assertTrue(client.getLinks().size() == 1);
+      assertTrue(client.getLink(hdfsLink.getPersistenceId()) != null);
+    } catch (Exception e) {
+      fail("unexpected Authorization exception happend");
+    }
+
+    // user3 can't show hdfs link
+    client = sqoopServerRunner.getSqoopClient(USER3);
+    try {
+      assertTrue(client.getLinks().size() == 0);
+      client.getLink(hdfsLink.getPersistenceId());
+      fail("expected Authorization exception happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+    }
+
+    client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    client.deleteLink(hdfsLink.getPersistenceId());
+  }
+
+  @Test
+  public void testUpdateDtestUpdateDeleteLinkeleteLink() throws Exception {
+    /**
+     * ADMIN_USER create a hdfs link
+     */
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MLink hdfsLink = client.createLink("hdfs-connector");
+    sqoopServerRunner.fillHdfsLink(hdfsLink);
+    sqoopServerRunner.saveLink(client, hdfsLink);
+
+    /**
+     * ADMIN_USER grant update privilege on hdfs link to role4
+     * ADMIN_USER grant read privilege on all connector to role4
+     */
+    MRole role4 = new MRole(ROLE4);
+    MPrincipal group4 = new MPrincipal(GROUP4, MPrincipal.TYPE.GROUP);
+    MResource hdfsLinkResource = new MResource(String.valueOf(hdfsLink.getPersistenceId()), MResource.TYPE.LINK);
+    MPrivilege writeHdfsPrivilege = new MPrivilege(hdfsLinkResource,SqoopActionConstant.WRITE, false);
+    MResource  allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+    MPrivilege readConnectorPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+    client.createRole(role4);
+    client.grantRole(Lists.newArrayList(role4), Lists.newArrayList(group4));
+    client.grantPrivilege(Lists.newArrayList(new MPrincipal(role4.getName(), MPrincipal.TYPE.ROLE)),
+        Lists.newArrayList(writeHdfsPrivilege, readConnectorPriv));
+
+    // user4 can't show hdfs link
+    client = sqoopServerRunner.getSqoopClient(USER4);
+    try {
+      assertTrue(client.getLinks().size() == 0);
+      client.getLink(hdfsLink.getPersistenceId());
+      fail("expected Authorization exception happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+    }
+    // user4 can update hdfs link
+    try {
+      hdfsLink.setName("hdfs_link_update_user4_1");
+      client.updateLink(hdfsLink);
+    } catch (Exception e) {
+      fail("unexpected Authorization exception happend");
+    }
+    // user3 can't update hdfs link
+    client = sqoopServerRunner.getSqoopClient(USER3);
+    try {
+      assertTrue(client.getLinks().size() == 0);
+      hdfsLink.setName("hdfs_link_update_user3_1");
+      client.updateLink(hdfsLink);
+      fail("expected Authorization exception happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+    }
+
+    // user3 can't delete hdfs link
+    try {
+      client.deleteLink(hdfsLink.getPersistenceId());
+      fail("expected Authorization exception happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+    }
+
+    //user4 can delete hdfs link because user4 has write privilege on hdfs link
+    client = sqoopServerRunner.getSqoopClient(USER4);
+    try {
+      client.deleteLink(hdfsLink.getPersistenceId());
+    } catch (Exception e) {
+      fail("unexpected Authorization exception happend");
+    }
+
+    client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    client.dropRole(role4);
+  }
+
+  @Test
+  public void testEnableLink() throws Exception {
+    /**
+     * ADMIN_USER create a hdfs link
+     */
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MLink hdfsLink = client.createLink("hdfs-connector");
+    sqoopServerRunner.fillHdfsLink(hdfsLink);
+    sqoopServerRunner.saveLink(client, hdfsLink);
+
+    /**
+     * ADMIN_USER grant read privilege on hdfs link to role4
+     * ADMIN_USER grant read privilege on all connector to role4
+     */
+    MRole role4 = new MRole(ROLE4);
+    MPrincipal group4 = new MPrincipal(GROUP4, MPrincipal.TYPE.GROUP);
+    MResource hdfsLinkResource = new MResource(String.valueOf(hdfsLink.getPersistenceId()), MResource.TYPE.LINK);
+    MPrivilege readHdfsPrivilege = new MPrivilege(hdfsLinkResource,SqoopActionConstant.READ, false);
+    MResource  allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+    MPrivilege readConnectorPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+    client.createRole(role4);
+    client.grantRole(Lists.newArrayList(role4), Lists.newArrayList(group4));
+    client.grantPrivilege(Lists.newArrayList(new MPrincipal(role4.getName(), MPrincipal.TYPE.ROLE)),
+        Lists.newArrayList(readHdfsPrivilege, readConnectorPriv));
+
+    /**
+     * ADMIN_USER grant write privilege on hdfs link to role5
+     * ADMIN_USER grant read privilege on all connector to role5
+     */
+    MRole role5 = new MRole(ROLE5);
+    MPrincipal group5 = new MPrincipal(GROUP5, MPrincipal.TYPE.GROUP);
+    MPrivilege writeHdfsPrivilege = new MPrivilege(hdfsLinkResource,SqoopActionConstant.WRITE, false);
+    client.createRole(role5);
+    client.grantRole(Lists.newArrayList(role5), Lists.newArrayList(group5));
+    client.grantPrivilege(Lists.newArrayList(new MPrincipal(role5.getName(), MPrincipal.TYPE.ROLE)),
+        Lists.newArrayList(writeHdfsPrivilege, readConnectorPriv));
+
+    // user4 can't enable hdfs link
+    client = sqoopServerRunner.getSqoopClient(USER4);
+    try {
+      client.enableLink(hdfsLink.getPersistenceId(), true);
+      fail("expected Authorization exception happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+    }
+    // user5 can enbale hdfs link
+    client = sqoopServerRunner.getSqoopClient(USER5);
+    try {
+      client.enableLink(hdfsLink.getPersistenceId(), true);
+    } catch (Exception e) {
+      fail("unexpected Authorization exception happend");
+    }
+    // user3 can't update hdfs link
+    client = sqoopServerRunner.getSqoopClient(USER3);
+    try {
+      client.enableLink(hdfsLink.getPersistenceId(), true);
+      fail("expected Authorization exception happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+    }
+
+    client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    client.deleteLink(hdfsLink.getPersistenceId());
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestOwnerPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestOwnerPrivilege.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestOwnerPrivilege.java
new file mode 100644
index 0000000..9bed526
--- /dev/null
+++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestOwnerPrivilege.java
@@ -0,0 +1,156 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.tests.e2e.sqoop;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
+import org.apache.sqoop.client.SqoopClient;
+import org.apache.sqoop.model.MConnector;
+import org.apache.sqoop.model.MDriverConfig;
+import org.apache.sqoop.model.MJob;
+import org.apache.sqoop.model.MLink;
+import org.apache.sqoop.model.MPrincipal;
+import org.apache.sqoop.model.MPrivilege;
+import org.apache.sqoop.model.MResource;
+import org.apache.sqoop.model.MRole;
+import org.apache.sqoop.security.SecurityError;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+
+public class TestOwnerPrivilege extends AbstractSqoopSentryTestBase {
+
+  @Test
+  public void testLinkOwner() throws Exception {
+    // USER1 at firstly has no privilege on any Sqoop resource
+    SqoopClient client = sqoopServerRunner.getSqoopClient(USER1);
+    assertTrue(client.getConnectors().size() == 0);
+    /**
+     * ADMIN_USER grant read action privilege on connector all to role ROLE1
+     * ADMIN_USER grant role ROLE1 to group GROUP1
+     */
+    client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MRole role1 = new MRole(ROLE1);
+    MPrincipal group1 = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
+    MResource  allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+    MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+    client.createRole(role1);
+    client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1));
+    client.grantPrivilege(Lists.newArrayList(new MPrincipal(role1.getName(), MPrincipal.TYPE.ROLE)),
+        Lists.newArrayList(readPriv));
+
+    // check USER1 has the read privilege on all connector
+    client = sqoopServerRunner.getSqoopClient(USER1);
+    assertTrue(client.getConnectors().size() > 0);
+
+    // USER1 create a new HDFS link
+    MLink hdfsLink = client.createLink("hdfs-connector");
+    sqoopServerRunner.fillHdfsLink(hdfsLink);
+    sqoopServerRunner.saveLink(client, hdfsLink);
+
+    // USER1 is the owner of HDFS link, so he can show and update HDFS link
+    assertEquals(client.getLink(hdfsLink.getPersistenceId()), hdfsLink);
+
+    // USER1 update the name of HDFS link
+    hdfsLink.setName("HDFS_update1");
+    sqoopServerRunner.updateLink(client, hdfsLink);
+
+    // USER2 has no privilege on HDFS link
+    client = sqoopServerRunner.getSqoopClient(USER2);
+    assertTrue(client.getLinks().size() == 0);
+
+    //delete the HDFS link
+    client = sqoopServerRunner.getSqoopClient(USER1);
+    client.deleteLink(hdfsLink.getPersistenceId());
+  }
+
+  @Test
+  public void testJobOwner() throws Exception {
+    // USER3 at firstly has no privilege on any Sqoop resource
+    SqoopClient client = sqoopServerRunner.getSqoopClient(USER3);
+    assertTrue(client.getConnectors().size() == 0);
+    /**
+     * ADMIN_USER grant read action privilege on connector all to role ROLE3
+     * ADMIN_USER grant role ROLE3 to group GROUP3
+     */
+    client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MRole role3 = new MRole(ROLE3);
+    MPrincipal group3 = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP);
+    MResource  allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+    MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+    client.createRole(role3);
+    client.grantRole(Lists.newArrayList(role3), Lists.newArrayList(group3));
+    client.grantPrivilege(Lists.newArrayList(new MPrincipal(ROLE3, MPrincipal.TYPE.ROLE)),
+        Lists.newArrayList(readPriv));
+
+    // check USER3 has the read privilege on all connector
+    client = sqoopServerRunner.getSqoopClient(USER3);
+    assertTrue(client.getConnectors().size() > 0);
+
+    // USER3 create two links: hdfs link and rdbm link
+    MLink rdbmsLink = client.createLink("generic-jdbc-connector");
+    sqoopServerRunner.fillRdbmsLinkConfig(rdbmsLink);
+    sqoopServerRunner.saveLink(client, rdbmsLink);
+
+    MLink hdfsLink = client.createLink("hdfs-connector");
+    sqoopServerRunner.fillHdfsLink(hdfsLink);
+    sqoopServerRunner.saveLink(client, hdfsLink);
+
+    // USER3 is the owner of hdfs and link, so he can show and update hdfs link
+    assertTrue(client.getLinks().size() == 2);
+    hdfsLink.setName("HDFS_update2");
+    client.updateLink(hdfsLink);
+    rdbmsLink.setName("RDBM_update");
+    client.updateLink(rdbmsLink);
+
+    // USER_3 create a job: transfer date from HDFS to RDBM
+    MJob job1 = client.createJob(hdfsLink.getPersistenceId(), rdbmsLink.getPersistenceId());
+    // set HDFS "FROM" config for the job, since the connector test case base class only has utilities for HDFS!
+    sqoopServerRunner.fillHdfsFromConfig(job1);
+
+    // set the RDBM "TO" config here
+    sqoopServerRunner.fillRdbmsToConfig(job1);
+
+    // create job
+    sqoopServerRunner.saveJob(client, job1);
+
+    /**
+     *  USER3 is the owner of job1 , so he can show and delete job1.
+     *  USER4 has no privilege on job1
+     */
+    client = sqoopServerRunner.getSqoopClient(USER4);
+    assertTrue(client.getJobs().size() == 0);
+    try {
+      client.deleteJob(job1.getPersistenceId());
+      fail("expected Authorization exception happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, SecurityError.AUTH_0014.getMessage());
+    }
+    client = sqoopServerRunner.getSqoopClient(USER3);
+    assertEquals(client.getJob(job1.getPersistenceId()), job1);
+    client.deleteJob(job1.getPersistenceId());
+
+    // delete the HDFS and RDBM links
+    client.deleteLink(hdfsLink.getPersistenceId());
+    client.deleteLink(rdbmsLink.getPersistenceId());
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRevokePrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRevokePrivilege.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRevokePrivilege.java
new file mode 100644
index 0000000..f71595c
--- /dev/null
+++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRevokePrivilege.java
@@ -0,0 +1,175 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.tests.e2e.sqoop;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import org.apache.sentry.core.model.sqoop.SqoopActionConstant;
+import org.apache.sentry.sqoop.SentrySqoopError;
+import org.apache.sqoop.client.SqoopClient;
+import org.apache.sqoop.model.MPrincipal;
+import org.apache.sqoop.model.MPrivilege;
+import org.apache.sqoop.model.MResource;
+import org.apache.sqoop.model.MRole;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+
+public class TestRevokePrivilege extends AbstractSqoopSentryTestBase {
+  @Test
+  public void testNotSupportRevokePrivilegeFromUser() throws Exception {
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MPrincipal user1 = new MPrincipal("not_support_revoke_user_1", MPrincipal.TYPE.GROUP);
+    MResource  allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+    MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+    try {
+      client.revokePrivilege(Lists.newArrayList(user1), Lists.newArrayList(readPriv));
+      fail("expected not support exception happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL);
+    }
+  }
+
+  @Test
+  public void testNotSupportRevokePrivilegeFromGroup() throws Exception {
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MPrincipal group1 = new MPrincipal("not_support_revoke_group_1", MPrincipal.TYPE.GROUP);
+    MResource  allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+    MPrivilege readPriv = new MPrivilege(allConnector,SqoopActionConstant.READ, false);
+    try {
+      client.revokePrivilege(Lists.newArrayList(group1), Lists.newArrayList(readPriv));
+      fail("expected not support exception happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_PRIVILEGE_NOT_SUPPORT_FOR_PRINCIPAL);
+    }
+  }
+
+  @Test
+  public void testRevokeNotExistPrivilege() throws Exception {
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MRole testRole = new MRole("noexist_privilege_role1");
+    MPrincipal testPrinc = new MPrincipal(testRole.getName(), MPrincipal.TYPE.ROLE);
+    MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+    MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
+    client.createRole(testRole);
+    assertTrue(client.getPrivilegesByPrincipal(testPrinc, allConnector).size() == 0);
+
+    client.revokePrivilege(Lists.newArrayList(testPrinc), Lists.newArrayList(readPrivilege));
+    assertTrue(client.getPrivilegesByPrincipal(testPrinc, allConnector).size() == 0);
+  }
+
+
+  @Test
+  public void testRevokePrivilege() throws Exception {
+    /**
+     * user1 belongs to group group1
+     * admin user grant role role1 to group group1
+     * admin user grant read privilege on connector all to role role1
+     */
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MRole role1 = new MRole(ROLE1);
+    MPrincipal group1Princ = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
+    MPrincipal role1Princ = new MPrincipal(ROLE1, MPrincipal.TYPE.ROLE);
+    MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+    MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
+    client.createRole(role1);
+    client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1Princ));
+    client.grantPrivilege(Lists.newArrayList(role1Princ), Lists.newArrayList(readPrivilege));
+
+    // check user1 has privilege on role1
+    client = sqoopServerRunner.getSqoopClient(USER1);
+    assertTrue(client.getPrivilegesByPrincipal(role1Princ, allConnector).size() == 1);
+
+    // admin user revoke read privilege from role1
+    client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    client.revokePrivilege(Lists.newArrayList(role1Princ), Lists.newArrayList(readPrivilege));
+
+    // check user1 has no privilege on role1
+    client = sqoopServerRunner.getSqoopClient(USER1);
+    assertTrue(client.getPrivilegesByPrincipal(role1Princ, allConnector).size() == 0);
+  }
+
+  @Test
+  public void testRevokeAllPrivilege() throws Exception {
+    /**
+     * user2 belongs to group group2
+     * admin user grant role role2 to group group2
+     * admin user grant read and write privilege on connector all to role role2
+     */
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MRole role2 = new MRole(ROLE2);
+    MPrincipal group2Princ = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP);
+    MPrincipal role2Princ = new MPrincipal(ROLE2, MPrincipal.TYPE.ROLE);
+    MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+    MPrivilege writePrivilege = new MPrivilege(allConnector, SqoopActionConstant.WRITE, false);
+    MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
+    client.createRole(role2);
+    client.grantRole(Lists.newArrayList(role2), Lists.newArrayList(group2Princ));
+    client.grantPrivilege(Lists.newArrayList(role2Princ), Lists.newArrayList(writePrivilege, readPrivilege));
+
+    // check user2 has two privileges on role2
+    client = sqoopServerRunner.getSqoopClient(USER2);
+    assertTrue(client.getPrivilegesByPrincipal(role2Princ, allConnector).size() == 2);
+
+    // admin user revoke all privilege from role2
+    MPrivilege allPrivilege = new MPrivilege(allConnector, SqoopActionConstant.ALL_NAME, false);
+    client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    client.revokePrivilege(Lists.newArrayList(role2Princ), Lists.newArrayList(allPrivilege));
+
+    // check user2 has no privilege on role2
+    client = sqoopServerRunner.getSqoopClient(USER2);
+    assertTrue(client.getPrivilegesByPrincipal(role2Princ, allConnector).size() == 0);
+  }
+
+  @Test
+  public void testRevokePrivilegeWithAllPrivilegeExist() throws Exception {
+    /**
+     * user3 belongs to group group3
+     * admin user grant role role3 to group group3
+     * admin user grant all privilege on connector all to role role3
+     */
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MRole role3 = new MRole(ROLE3);
+    MPrincipal group3Princ = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP);
+    MPrincipal role3Princ = new MPrincipal(ROLE3, MPrincipal.TYPE.ROLE);
+    MResource allConnector = new MResource(SqoopActionConstant.ALL, MResource.TYPE.CONNECTOR);
+    MPrivilege allPrivilege = new MPrivilege(allConnector, SqoopActionConstant.ALL_NAME, false);
+    client.createRole(role3);
+    client.grantRole(Lists.newArrayList(role3), Lists.newArrayList(group3Princ));
+    client.grantPrivilege(Lists.newArrayList(role3Princ), Lists.newArrayList(allPrivilege));
+
+    // check user3 has one privilege on role3
+    client = sqoopServerRunner.getSqoopClient(USER3);
+    assertTrue(client.getPrivilegesByPrincipal(role3Princ, allConnector).size() == 1);
+    // user3 has the all action on role3
+    MPrivilege user3Privilege = client.getPrivilegesByPrincipal(role3Princ, allConnector).get(0);
+    assertEquals(user3Privilege.getAction(), SqoopActionConstant.ALL_NAME);
+
+    // admin user revoke the read privilege on connector all from role role3
+    MPrivilege readPrivilege = new MPrivilege(allConnector, SqoopActionConstant.READ, false);
+    client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    client.revokePrivilege(Lists.newArrayList(role3Princ), Lists.newArrayList(readPrivilege));
+
+    // check user3 has only the write privilege on role3
+    client = sqoopServerRunner.getSqoopClient(USER3);
+    assertTrue(client.getPrivilegesByPrincipal(role3Princ, allConnector).size() == 1);
+    user3Privilege = client.getPrivilegesByPrincipal(role3Princ, allConnector).get(0);
+    assertEquals(user3Privilege.getAction().toLowerCase(), SqoopActionConstant.WRITE);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/98761811/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRoleOperation.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRoleOperation.java b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRoleOperation.java
new file mode 100644
index 0000000..1a6ca02
--- /dev/null
+++ b/sentry-tests/sentry-tests-sqoop/src/test/java/org/apache/sentry/tests/e2e/sqoop/TestRoleOperation.java
@@ -0,0 +1,209 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.tests.e2e.sqoop;
+
+import org.apache.sentry.sqoop.SentrySqoopError;
+import org.apache.sqoop.client.SqoopClient;
+import org.apache.sqoop.model.MPrincipal;
+import org.apache.sqoop.model.MRole;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+public class TestRoleOperation extends AbstractSqoopSentryTestBase {
+
+  @Test
+  public void testAdminToCreateDeleteRole() throws Exception {
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MRole role1 = new MRole("create_delete_role_1");
+    MRole role2 = new MRole("create_delete_role_2");
+    client.createRole(role1);
+    client.createRole(role2);
+    assertTrue( client.getRoles().size() > 0);
+  }
+
+  @Test
+  public void testNotAdminToCreateDeleteRole() throws Exception {
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MRole role1 = new MRole("not_admin_create_delete_role_1");
+    MRole role2 = new MRole("not_admin_create_delete_role_2");
+    client.createRole(role1);
+
+    client = sqoopServerRunner.getSqoopClient(USER1);
+    try {
+      client.createRole(role2);
+      fail("expected SentryAccessDeniedException happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, "SentryAccessDeniedException");
+    }
+    try {
+      client.dropRole(role1);
+      fail("expected SentryAccessDeniedException happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, "SentryAccessDeniedException");
+    }
+  }
+
+  @Test
+  public void testCreateExistedRole() throws Exception {
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MRole role1 = new MRole("create_exist_role_1");
+    client.createRole(role1);
+    try {
+      client.createRole(role1);
+      fail("expected SentryAlreadyExistsException happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, "SentryAlreadyExistsException");
+    }
+  }
+
+  @Test
+  public void testDropNotExistedRole() throws Exception {
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    try {
+      client.dropRole(new MRole("drop_noexisted_role_1"));
+      fail("expected SentryNoSuchObjectException happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, "SentryNoSuchObjectException");
+    }
+  }
+
+  @Test
+  public void testAdminShowAllRole() throws Exception {
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    client.createRole(new MRole("show_all_role"));
+    assertTrue(client.getRoles().size() > 0);
+  }
+
+  @Test
+  public void testNotAdminShowAllRole() throws Exception {
+    SqoopClient client = sqoopServerRunner.getSqoopClient(USER1);
+    try {
+      client.getRoles();
+      fail("expected SentryAccessDeniedException happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, "SentryAccessDeniedException");
+    }
+  }
+
+  @Test
+  public void testNotSupportAddRoleToUser() throws Exception {
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MRole role1 = new MRole("add_to_user_role");
+    MPrincipal user1 = new MPrincipal("add_to_user", MPrincipal.TYPE.USER);
+    try {
+      client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(user1));
+      fail("expected not support exception happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, SentrySqoopError.GRANT_REVOKE_ROLE_NOT_SUPPORT_FOR_PRINCIPAL);
+    }
+  }
+
+  @Test
+  public void testShowRoleOnGroup() throws Exception {
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    // admin user grant role1 to group1
+    MRole role1 = new MRole(ROLE1);
+    client.createRole(role1);
+    MPrincipal group1 = new MPrincipal(GROUP1, MPrincipal.TYPE.GROUP);
+    client.grantRole(Lists.newArrayList(role1), Lists.newArrayList(group1));
+    // admin user grant role2 to group2
+    MRole role2 = new MRole(ROLE2);
+    client.createRole(role2);
+    MPrincipal group2 = new MPrincipal(GROUP2, MPrincipal.TYPE.GROUP);
+    client.grantRole(Lists.newArrayList(role2), Lists.newArrayList(group2));
+
+    // use1 can show role on group1
+    client = sqoopServerRunner.getSqoopClient(USER1);
+    assertEquals(role1.getName(), client.getRolesByPrincipal(group1).get(0).getName());
+
+    // use1 can't show role on group2
+    try {
+      client.getRolesByPrincipal(group2);
+      fail("expected SentryAccessDeniedException happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, "SentryAccessDeniedException");
+    }
+
+    // user2 can show role on group2
+    client = sqoopServerRunner.getSqoopClient(USER2);
+    assertEquals(role2.getName(), client.getRolesByPrincipal(group2).get(0).getName());
+
+    // use2 can't show role on group1
+    try {
+      client.getRolesByPrincipal(group1);
+      fail("expected SentryAccessDeniedException happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, "SentryAccessDeniedException");
+    }
+  }
+
+  @Test
+  public void testAddDeleteRoleOnGroup() throws Exception {
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    // admin user grant role3 to group3
+    MRole role3 = new MRole(ROLE3);
+    client.createRole(role3);
+    MPrincipal group3 = new MPrincipal(GROUP3, MPrincipal.TYPE.GROUP);
+    client.grantRole(Lists.newArrayList(role3), Lists.newArrayList(group3));
+    // admin user grant role4 to group4
+    MRole role4 = new MRole(ROLE4);
+    client.createRole(role4);
+    MPrincipal group4 = new MPrincipal(GROUP4, MPrincipal.TYPE.GROUP);
+    client.grantRole(Lists.newArrayList(role4), Lists.newArrayList(group4));
+
+    // use3 can show role on group3
+    client = sqoopServerRunner.getSqoopClient(USER3);
+    assertEquals(role3.getName(), client.getRolesByPrincipal(group3).get(0).getName());
+
+    // user4 can show role on group4
+    client = sqoopServerRunner.getSqoopClient(USER4);
+    assertEquals(role4.getName(), client.getRolesByPrincipal(group4).get(0).getName());
+
+    /**
+     * admin delete role3 from group3
+     * admin delete role4 from group4
+     */
+    client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    client.revokeRole(Lists.newArrayList(role3), Lists.newArrayList(group3));
+    client.revokeRole(Lists.newArrayList(role4), Lists.newArrayList(group4));
+
+    // use3 show role on group3, empty role list return
+    client = sqoopServerRunner.getSqoopClient(USER3);
+    assertTrue(client.getRolesByPrincipal(group3).isEmpty());
+
+    // use4 show role on group4, empty role list return
+    client = sqoopServerRunner.getSqoopClient(USER4);
+    assertTrue(client.getRolesByPrincipal(group4).isEmpty());
+  }
+
+  @Test
+  public void testNotSupportShowRoleonUser() throws Exception {
+    SqoopClient client = sqoopServerRunner.getSqoopClient(ADMIN_USER);
+    MPrincipal user1 = new MPrincipal("showRoleOnUser", MPrincipal.TYPE.USER);
+    try {
+      client.getRolesByPrincipal(user1);
+      fail("expected not support exception happend");
+    } catch (Exception e) {
+      assertCausedMessage(e, SentrySqoopError.SHOW_GRANT_NOT_SUPPORTED_FOR_PRINCIPAL);
+    }
+  }
+}



Mime
View raw message