sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From co...@apache.org
Subject incubator-sentry git commit: SENTRY-749: Create simple shell for sentry(Colin Ma, reviewed by Hao Hao, Gregory Chanan, Lenni Kuff)
Date Mon, 04 Jan 2016 06:13:23 GMT
Repository: incubator-sentry
Updated Branches:
  refs/heads/master a661c1828 -> 0adfc7384


SENTRY-749: Create simple shell for sentry(Colin Ma, reviewed by Hao Hao, Gregory Chanan, Lenni Kuff)


Project: http://git-wip-us.apache.org/repos/asf/incubator-sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-sentry/commit/0adfc738
Tree: http://git-wip-us.apache.org/repos/asf/incubator-sentry/tree/0adfc738
Diff: http://git-wip-us.apache.org/repos/asf/incubator-sentry/diff/0adfc738

Branch: refs/heads/master
Commit: 0adfc7384f531f93ff0a5d2a0b1470876fc10855
Parents: a661c18
Author: Colin Ma <colin@apache.org>
Authored: Mon Jan 4 14:56:50 2016 +0800
Committer: Colin Ma <colin@apache.org>
Committed: Mon Jan 4 14:56:50 2016 +0800

----------------------------------------------------------------------
 bin/sentryShell                                 |  71 +++
 .../provider/db/tools/SentryShellCommon.java    | 242 ++++++++
 .../provider/db/tools/SentryShellHive.java      |  92 +++
 .../provider/db/tools/command/hive/Command.java |  27 +
 .../db/tools/command/hive/CommandUtil.java      | 114 ++++
 .../db/tools/command/hive/CreateRoleCmd.java    |  37 ++
 .../db/tools/command/hive/DropRoleCmd.java      |  37 ++
 .../command/hive/GrantPrivilegeToRoleCmd.java   |  61 ++
 .../command/hive/GrantRoleToGroupsCmd.java      |  43 ++
 .../tools/command/hive/ListPrivilegesCmd.java   |  97 +++
 .../db/tools/command/hive/ListRolesCmd.java     |  51 ++
 .../hive/RevokePrivilegeFromRoleCmd.java        |  62 ++
 .../command/hive/RevokeRoleFromGroupsCmd.java   |  43 ++
 .../provider/db/tools/TestSentryShellHive.java  | 583 +++++++++++++++++++
 .../thrift/SentryServiceIntegrationBase.java    |   6 -
 15 files changed, 1560 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0adfc738/bin/sentryShell
----------------------------------------------------------------------
diff --git a/bin/sentryShell b/bin/sentryShell
new file mode 100755
index 0000000..d6e8055
--- /dev/null
+++ b/bin/sentryShell
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+bin=`dirname "$0"`
+myhome=`cd "$bin/.."; pwd`
+
+if [[ -z $SENTRY_HOME ]] ; then
+  export SENTRY_HOME=$myhome
+fi
+
+# check for hadoop in the path
+HADOOP_IN_PATH=`which hadoop 2>/dev/null`
+if [ -f ${HADOOP_IN_PATH} ]; then
+  HADOOP_DIR=`dirname "$HADOOP_IN_PATH"`/..
+fi
+# HADOOP_HOME env variable overrides hadoop in the path
+HADOOP_HOME=${HADOOP_HOME:-${HADOOP_PREFIX:-$HADOOP_DIR}}
+if [ "$HADOOP_HOME" == "" ]; then
+  echo "Cannot find hadoop installation: \$HADOOP_HOME or \$HADOOP_PREFIX must be set or hadoop must be in the path";
+  exit 4;
+fi
+
+HADOOP=$HADOOP_HOME/bin/hadoop
+if [ ! -f ${HADOOP} ]; then
+  echo "Cannot find hadoop installation: \$HADOOP_HOME or \$HADOOP_PREFIX must be set or hadoop must be in the path";
+  exit 4;
+fi
+
+export _CMD_JAR=${SENTRY_SHELL_JAR}:sentry-provider-db-*.jar
+for f in ${SENTRY_HOME}/lib/*.jar; do
+  HADOOP_CLASSPATH=${HADOOP_CLASSPATH}:${f}
+done
+export HADOOP_CLASSPATH
+
+for f in ${SENTRY_HOME}/lib/server/*.jar; do
+  HADOOP_CLASSPATH=${HADOOP_CLASSPATH}:${f}
+done
+for f in ${SENTRY_HOME}/lib/plugins/*.jar; do
+  HADOOP_CLASSPATH=${HADOOP_CLASSPATH}:${f}
+done
+
+args=()
+# get the type argument for the command, and check use the shell for hive model or for generic model.
+# todo: currently, supoort hive only, need add generic model support
+while [ $# -gt 0 ]; do    # Until you run out of parameters . . .
+  if [[ "$1" = "-t" || "$1" = "--type" ]]; then
+    # currently, only support the hive model
+    if ! [[ $2 =~ ^[H|h][I|i][V|v][E|e]$ ]]; then
+      echo "Doesn't support the type $2!"
+      exit 1
+    fi
+  fi
+  args+=" $1"
+  shift
+done
+
+exec $HADOOP jar ${SENTRY_HOME}/lib/${_CMD_JAR} org.apache.sentry.SentryShellHive ${args[@]}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0adfc738/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java
new file mode 100644
index 0000000..b1353c5
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellCommon.java
@@ -0,0 +1,242 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.tools;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.GnuParser;
+import org.apache.commons.cli.HelpFormatter;
+import org.apache.commons.cli.Option;
+import org.apache.commons.cli.OptionGroup;
+import org.apache.commons.cli.Options;
+import org.apache.commons.cli.ParseException;
+import org.apache.commons.cli.Parser;
+import org.apache.commons.lang.StringUtils;
+
+/**
+ * SentryShellCommon provides the function for parsing the argument.
+ * For hive model and generic model, child class should be implemented as a sentry admin tool.
+ */
+abstract public class SentryShellCommon {
+
+  protected String roleName;
+  protected String groupName;
+  protected String privilegeStr;
+  protected String confPath;
+  // flag for the command
+  protected boolean isCreateRole = false;
+  protected boolean isDropRole = false;
+  protected boolean isAddRoleGroup = false;
+  protected boolean isDeleteRoleGroup = false;
+  protected boolean isGrantPrivilegeRole = false;
+  protected boolean isRevokePrivilegeRole = false;
+  protected boolean isListRole = false;
+  protected boolean isListPrivilege = false;
+  protected boolean isPrintHelp = false;
+  // flag for the parameter check
+  protected boolean roleNameRequired = false;
+  protected boolean groupNameRequired = false;
+  protected boolean privilegeStrRequired = false;
+
+  public final static String OPTION_DESC_HELP = "Shell usage";
+  public final static String OPTION_DESC_CONF = "sentry-site file path";
+  public final static String OPTION_DESC_ROLE_NAME = "Role name";
+  public final static String OPTION_DESC_GROUP_NAME = "Group name";
+  public final static String OPTION_DESC_PRIVILEGE = "Privilege string";
+  public final static String PREFIX_MESSAGE_MISSING_OPTION = "Missing required option: ";
+
+  /**
+   * parse arguments
+   *
+   * <pre>
+   *   -conf,--sentry_conf             <filepath>                 sentry config file path
+   *   -cr,--create_role            -r <rolename>                 create role
+   *   -dr,--drop_role              -r <rolename>                 drop role
+   *   -arg,--add_role_group        -r <rolename>  -g <groupname> add group to role
+   *   -drg,--delete_role_group     -r <rolename>  -g <groupname> delete group from role
+   *   -gpr,--grant_privilege_role  -r <rolename>  -p <privilege> grant privilege to role
+   *   -rpr,--revoke_privilege_role -r <rolename>  -p <privilege> revoke privilege from role
+   *   -lr,--list_role              -g <groupname>                list roles for group
+   *   -lp,--list_privilege         -r <rolename>                 list privilege for role
+   *   -t,--type                    <typeame>                     the shell for hive model or generic model
+   * </pre>
+   *
+   * @param args
+   */
+  protected boolean parseArgs(String[] args) {
+    Options simpleShellOptions = new Options();
+
+    Option crOpt = new Option("cr", "create_role", false, "Create role");
+    crOpt.setRequired(false);
+
+    Option drOpt = new Option("dr", "drop_role", false, "Drop role");
+    drOpt.setRequired(false);
+
+    Option argOpt = new Option("arg", "add_role_group", false, "Add group to role");
+    argOpt.setRequired(false);
+
+    Option drgOpt = new Option("drg", "delete_role_group", false, "Delete group from role");
+    drgOpt.setRequired(false);
+
+    Option gprOpt = new Option("gpr", "grant_privilege_role", false, "Grant privilege to role");
+    gprOpt.setRequired(false);
+
+    Option rprOpt = new Option("rpr", "revoke_privilege_role", false, "Revoke privilege from role");
+    rprOpt.setRequired(false);
+
+    Option lrOpt = new Option("lr", "list_role", false, "List role");
+    lrOpt.setRequired(false);
+
+    Option lpOpt = new Option("lp", "list_privilege", false, "List privilege");
+    lpOpt.setRequired(false);
+
+    // required args group
+    OptionGroup simpleShellOptGroup = new OptionGroup();
+    simpleShellOptGroup.addOption(crOpt);
+    simpleShellOptGroup.addOption(drOpt);
+    simpleShellOptGroup.addOption(argOpt);
+    simpleShellOptGroup.addOption(drgOpt);
+    simpleShellOptGroup.addOption(gprOpt);
+    simpleShellOptGroup.addOption(rprOpt);
+    simpleShellOptGroup.addOption(lrOpt);
+    simpleShellOptGroup.addOption(lpOpt);
+    simpleShellOptGroup.setRequired(true);
+    simpleShellOptions.addOptionGroup(simpleShellOptGroup);
+
+    // optional args
+    Option pOpt = new Option("p", "privilege", true, OPTION_DESC_PRIVILEGE);
+    pOpt.setRequired(false);
+    simpleShellOptions.addOption(pOpt);
+
+    Option gOpt = new Option("g", "groupname", true, OPTION_DESC_GROUP_NAME);
+    gOpt.setRequired(false);
+    simpleShellOptions.addOption(gOpt);
+
+    Option rOpt = new Option("r", "rolename", true, OPTION_DESC_ROLE_NAME);
+    rOpt.setRequired(false);
+    simpleShellOptions.addOption(rOpt);
+
+    // this argument should be parsed in the bin/sentryShell
+    Option tOpt = new Option("t", "type", true, "[hive|solr|sqoop|.....]");
+    tOpt.setRequired(false);
+    simpleShellOptions.addOption(tOpt);
+
+    // file path of sentry-site
+    Option sentrySitePathOpt = new Option("conf", "sentry_conf", true, OPTION_DESC_CONF);
+    sentrySitePathOpt.setRequired(true);
+    simpleShellOptions.addOption(sentrySitePathOpt);
+
+    // help option
+    Option helpOpt = new Option("h", "help", false, OPTION_DESC_HELP);
+    helpOpt.setRequired(false);
+    simpleShellOptions.addOption(helpOpt);
+
+    // this Options is parsed first for help option
+    Options helpOptions = new Options();
+    helpOptions.addOption(helpOpt);
+
+    try {
+      Parser parser = new GnuParser();
+
+      // parse help option first
+      CommandLine cmd = parser.parse(helpOptions, args, true);
+      for (Option opt : cmd.getOptions()) {
+        if (opt.getOpt().equals("h")) {
+          // get the help option, print the usage and exit
+          usage(simpleShellOptions);
+          return false;
+        }
+      }
+
+      // without help option
+      cmd = parser.parse(simpleShellOptions, args);
+
+      for (Option opt : cmd.getOptions()) {
+        if (opt.getOpt().equals("p")) {
+          privilegeStr = opt.getValue();
+        } else if (opt.getOpt().equals("g")) {
+          groupName = opt.getValue();
+        } else if (opt.getOpt().equals("r")) {
+          roleName = opt.getValue();
+        } else if (opt.getOpt().equals("cr")) {
+          isCreateRole = true;
+          roleNameRequired = true;
+        } else if (opt.getOpt().equals("dr")) {
+          isDropRole = true;
+          roleNameRequired = true;
+        } else if (opt.getOpt().equals("arg")) {
+          isAddRoleGroup = true;
+          roleNameRequired = true;
+          groupNameRequired = true;
+        } else if (opt.getOpt().equals("drg")) {
+          isDeleteRoleGroup = true;
+          roleNameRequired = true;
+          groupNameRequired = true;
+        } else if (opt.getOpt().equals("gpr")) {
+          isGrantPrivilegeRole = true;
+          roleNameRequired = true;
+          privilegeStrRequired = true;
+        } else if (opt.getOpt().equals("rpr")) {
+          isRevokePrivilegeRole = true;
+          roleNameRequired = true;
+          privilegeStrRequired = true;
+        } else if (opt.getOpt().equals("lr")) {
+          isListRole = true;
+        } else if (opt.getOpt().equals("lp")) {
+          isListPrivilege = true;
+          roleNameRequired = true;
+        } else if (opt.getOpt().equals("conf")) {
+          confPath = opt.getValue();
+        }
+      }
+      checkRequiredParameter(roleNameRequired, roleName, OPTION_DESC_ROLE_NAME);
+      checkRequiredParameter(groupNameRequired, groupName, OPTION_DESC_GROUP_NAME);
+      checkRequiredParameter(privilegeStrRequired, privilegeStr, OPTION_DESC_PRIVILEGE);
+    } catch (ParseException pe) {
+      System.out.println(pe.getMessage());
+      usage(simpleShellOptions);
+      return false;
+    }
+    return true;
+  }
+
+  private void checkRequiredParameter(boolean isRequired, String paramValue, String paramName) throws ParseException {
+    if (isRequired && StringUtils.isEmpty(paramValue)) {
+      throw new ParseException(PREFIX_MESSAGE_MISSING_OPTION + paramName);
+    }
+  }
+
+  // print usage
+  private void usage(Options sentryOptions) {
+    HelpFormatter formatter = new HelpFormatter();
+    formatter.printHelp("sentryShell", sentryOptions);
+  }
+
+  // hive model and generic model should implement this method
+  abstract void run() throws Exception;
+
+  protected boolean executeShell(String[] args) throws Exception {
+    boolean result = true;
+    if (parseArgs(args)) {
+      run();
+    } else {
+      result = false;
+    }
+    return result;
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0adfc738/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java
new file mode 100644
index 0000000..80c8442
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java
@@ -0,0 +1,92 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.tools;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.Path;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.provider.db.tools.command.hive.*;
+import org.apache.sentry.service.thrift.SentryServiceClientFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * SentryShellHive is an admin tool, and responsible for the management of repository.
+ * The following function are supported:
+ * create role, drop role, add group to role, delete group from role, grant privilege to role,
+ * revoke privilege from role, list roles for group, list privilege for role.
+ */
+public class SentryShellHive extends SentryShellCommon {
+
+  private static final Logger LOGGER = LoggerFactory.getLogger(SentryShellHive.class);
+
+  public void run() throws Exception {
+    Command command = null;
+    String requestorName = System.getProperty("user.name", "");
+    SentryPolicyServiceClient client = SentryServiceClientFactory.create(getSentryConf());
+
+    if (isCreateRole) {
+      command = new CreateRoleCmd(roleName);
+    } else if (isDropRole) {
+      command = new DropRoleCmd(roleName);
+    } else if (isAddRoleGroup) {
+      command = new GrantRoleToGroupsCmd(roleName, groupName);
+    } else if (isDeleteRoleGroup) {
+      command = new RevokeRoleFromGroupsCmd(roleName, groupName);
+    } else if (isGrantPrivilegeRole) {
+      command = new GrantPrivilegeToRoleCmd(roleName, privilegeStr);
+    } else if (isRevokePrivilegeRole) {
+      command = new RevokePrivilegeFromRoleCmd(roleName, privilegeStr);
+    } else if (isListRole) {
+      command = new ListRolesCmd(groupName);
+    } else if (isListPrivilege) {
+      command = new ListPrivilegesCmd(roleName);
+    }
+
+    // check the requestor name
+    if (StringUtils.isEmpty(requestorName)) {
+      // The exception message will be recoreded in log file.
+      throw new Exception("The requestor name is empty.");
+    }
+
+    if (command != null) {
+      command.execute(client, requestorName);
+    }
+  }
+
+  private Configuration getSentryConf() {
+    Configuration conf = new Configuration();
+    conf.addResource(new Path(confPath));
+    return conf;
+  }
+
+  public static void main(String[] args) throws Exception {
+    SentryShellHive sentryShell = new SentryShellHive();
+    try {
+      if (sentryShell.executeShell(args)) {
+        System.out.println("The operation is compeleted successfully.");
+      }
+    } catch (Exception e) {
+      LOGGER.error(e.getMessage(), e);
+      System.out.println("The operation is failed, please refer to log file for the root cause.");
+    }
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0adfc738/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java
new file mode 100644
index 0000000..ae9809a
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/Command.java
@@ -0,0 +1,27 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools.command.hive;
+
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+
+/**
+ * The interface for all admin commands, eg, CreateRoleCmd.
+ */
+public interface Command {
+  abstract void execute(SentryPolicyServiceClient client, String requestorName) throws Exception;
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0adfc738/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
new file mode 100644
index 0000000..0a73d9f
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CommandUtil.java
@@ -0,0 +1,114 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools.command.hive;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.sentry.provider.common.KeyValue;
+import org.apache.sentry.provider.common.PolicyFileConstants;
+import org.apache.sentry.provider.common.ProviderConstants;
+import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.service.thrift.ServiceConstants;
+
+public class CommandUtil {
+
+  public static final String SPLIT_CHAR = ",";
+
+  // parse the privilege in String and get the TSentryPrivilege as result
+  public static TSentryPrivilege convertToTSentryPrivilege(String privilegeStr) throws Exception {
+    TSentryPrivilege tSentryPrivilege = new TSentryPrivilege();
+    for (String authorizable : ProviderConstants.AUTHORIZABLE_SPLITTER.split(privilegeStr)) {
+      KeyValue tempKV = new KeyValue(authorizable);
+      String key = tempKV.getKey();
+      String value = tempKV.getValue();
+
+      if (PolicyFileConstants.PRIVILEGE_SERVER_NAME.equalsIgnoreCase(key)) {
+        tSentryPrivilege.setServerName(value);
+      } else if (PolicyFileConstants.PRIVILEGE_DATABASE_NAME.equalsIgnoreCase(key)) {
+        tSentryPrivilege.setDbName(value);
+      } else if (PolicyFileConstants.PRIVILEGE_TABLE_NAME.equalsIgnoreCase(key)) {
+        tSentryPrivilege.setTableName(value);
+      } else if (PolicyFileConstants.PRIVILEGE_COLUMN_NAME.equalsIgnoreCase(key)) {
+        tSentryPrivilege.setColumnName(value);
+      } else if (PolicyFileConstants.PRIVILEGE_URI_NAME.equalsIgnoreCase(key)) {
+        tSentryPrivilege.setURI(value);
+      } else if (PolicyFileConstants.PRIVILEGE_ACTION_NAME.equalsIgnoreCase(key)) {
+        tSentryPrivilege.setAction(value);
+      } else if (PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME.equalsIgnoreCase(key)) {
+        TSentryGrantOption grantOption = "true".equalsIgnoreCase(value) ? TSentryGrantOption.TRUE
+                : TSentryGrantOption.FALSE;
+        tSentryPrivilege.setGrantOption(grantOption);
+      }
+    }
+    tSentryPrivilege.setPrivilegeScope(getPrivilegeScope(tSentryPrivilege));
+    validatePrivilegeHierarchy(tSentryPrivilege);
+    return tSentryPrivilege;
+  }
+
+  // for the different hierarchy for hive:
+  // 1: server->url
+  // 2: server->database->table->column
+  // if both of them are found in the privilege string, the privilege scope will be set as
+  // PrivilegeScope.URI
+  private static String getPrivilegeScope(TSentryPrivilege tSentryPrivilege) {
+    ServiceConstants.PrivilegeScope privilegeScope = ServiceConstants.PrivilegeScope.SERVER;
+    if (!StringUtils.isEmpty(tSentryPrivilege.getURI())) {
+      privilegeScope = ServiceConstants.PrivilegeScope.URI;
+    } else if (!StringUtils.isEmpty(tSentryPrivilege.getColumnName())) {
+      privilegeScope = ServiceConstants.PrivilegeScope.COLUMN;
+    } else if (!StringUtils.isEmpty(tSentryPrivilege.getTableName())) {
+      privilegeScope = ServiceConstants.PrivilegeScope.TABLE;
+    } else if (!StringUtils.isEmpty(tSentryPrivilege.getDbName())) {
+      privilegeScope = ServiceConstants.PrivilegeScope.DATABASE;
+    }
+    return privilegeScope.toString();
+  }
+
+  // check the privilege value for the specific privilege scope
+  // eg, for the table scope, server and database can't be empty
+  private static void validatePrivilegeHierarchy(TSentryPrivilege tSentryPrivilege) throws Exception {
+    String serverName = tSentryPrivilege.getServerName();
+    String dbName = tSentryPrivilege.getDbName();
+    String tableName = tSentryPrivilege.getTableName();
+    String columnName = tSentryPrivilege.getColumnName();
+    String uri = tSentryPrivilege.getURI();
+    if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+      if (StringUtils.isEmpty(serverName)) {
+        throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
+      }
+    } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+      if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(uri)) {
+        throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
+      }
+    } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+      if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(dbName)) {
+        throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
+      }
+    } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+      if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(dbName)
+              || StringUtils.isEmpty(tableName)) {
+        throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
+      }
+    } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+      if (StringUtils.isEmpty(serverName) || StringUtils.isEmpty(dbName)
+              || StringUtils.isEmpty(tableName) || StringUtils.isEmpty(columnName)) {
+        throw new IllegalArgumentException("The hierarchy of privilege is not correct.");
+      }
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0adfc738/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java
new file mode 100644
index 0000000..5a4834a
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/CreateRoleCmd.java
@@ -0,0 +1,37 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools.command.hive;
+
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+
+/**
+ * The class for admin command to create role.
+ */
+public class CreateRoleCmd implements Command {
+
+  private String roleName;
+
+  public CreateRoleCmd(String roleName) {
+    this.roleName = roleName;
+  }
+
+  @Override
+  public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
+    client.createRole(requestorName, roleName);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0adfc738/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java
new file mode 100644
index 0000000..facec0e
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/DropRoleCmd.java
@@ -0,0 +1,37 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools.command.hive;
+
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+
+/**
+ * The class for admin command to drop role.
+ */
+public class DropRoleCmd implements Command {
+
+  private String roleName;
+
+  public DropRoleCmd(String roleName) {
+    this.roleName = roleName;
+  }
+
+  @Override
+  public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
+    client.dropRole(requestorName, roleName);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0adfc738/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java
new file mode 100644
index 0000000..a1ef2f9
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantPrivilegeToRoleCmd.java
@@ -0,0 +1,61 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools.command.hive;
+
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.service.thrift.ServiceConstants;
+
+/**
+ * The class for admin command to grant privilege to role.
+ */
+public class GrantPrivilegeToRoleCmd implements Command {
+
+  private String roleName;
+  private String privilegeStr;
+
+  public GrantPrivilegeToRoleCmd(String roleName, String privilegeStr) {
+    this.roleName = roleName;
+    this.privilegeStr = privilegeStr;
+  }
+
+  @Override
+  public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
+    TSentryPrivilege tSentryPrivilege = CommandUtil.convertToTSentryPrivilege(privilegeStr);
+    boolean grantOption = tSentryPrivilege.getGrantOption().equals(TSentryGrantOption.TRUE) ? true : false;
+    if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+      client.grantServerPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
+              tSentryPrivilege.getAction(), grantOption);
+    } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+      client.grantDatabasePrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
+              tSentryPrivilege.getDbName(), tSentryPrivilege.getAction(), grantOption);
+    } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+      client.grantTablePrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
+              tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(),
+              tSentryPrivilege.getAction(), grantOption);
+    } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+      client.grantColumnPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
+              tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(),
+              tSentryPrivilege.getColumnName(), tSentryPrivilege.getAction(), grantOption);
+    } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+      client.grantURIPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
+              tSentryPrivilege.getURI(), grantOption);
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0adfc738/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java
new file mode 100644
index 0000000..39d3591
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/GrantRoleToGroupsCmd.java
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools.command.hive;
+
+import com.google.common.collect.Sets;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+
+import java.util.Set;
+
+/**
+ * The class for admin command to grant role to group.
+ */
+public class GrantRoleToGroupsCmd implements Command {
+
+  private String roleName;
+  private String groupNamesStr;
+
+  public GrantRoleToGroupsCmd(String roleName, String groupNamesStr) {
+    this.roleName = roleName;
+    this.groupNamesStr = groupNamesStr;
+  }
+
+  @Override
+  public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
+    Set<String> groups = Sets.newHashSet(groupNamesStr.split(CommandUtil.SPLIT_CHAR));
+    client.grantRoleToGroups(requestorName, roleName, groups);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0adfc738/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java
new file mode 100644
index 0000000..98fae95
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListPrivilegesCmd.java
@@ -0,0 +1,97 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools.command.hive;
+
+import com.google.common.collect.Lists;
+import org.apache.commons.lang.StringUtils;
+import org.apache.sentry.provider.common.PolicyFileConstants;
+import org.apache.sentry.provider.common.ProviderConstants;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+
+import java.util.List;
+import java.util.Set;
+
+/**
+ * The class for admin command to list privileges.
+ */
+public class ListPrivilegesCmd implements Command {
+
+  private String roleName;
+
+  public ListPrivilegesCmd(String roleName) {
+    this.roleName = roleName;
+  }
+
+  @Override
+  public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
+    Set<TSentryPrivilege> privileges = client
+            .listAllPrivilegesByRoleName(requestorName, roleName);
+    if (privileges != null) {
+      for (TSentryPrivilege privilege : privileges) {
+        String privilegeStr = convertToPrivilegeStr(privilege);
+        System.out.println(privilegeStr);
+      }
+    }
+  }
+
+  // convert TSentryPrivilege to privilege in string
+  private String convertToPrivilegeStr(TSentryPrivilege tSentryPrivilege) {
+    List<String> privileges = Lists.newArrayList();
+    if (tSentryPrivilege != null) {
+      String serverName = tSentryPrivilege.getServerName();
+      String dbName = tSentryPrivilege.getDbName();
+      String tableName = tSentryPrivilege.getTableName();
+      String columnName = tSentryPrivilege.getColumnName();
+      String uri = tSentryPrivilege.getURI();
+      String action = tSentryPrivilege.getAction();
+      String grantOption = (tSentryPrivilege.getGrantOption() == TSentryGrantOption.TRUE ? "true"
+              : "false");
+      if (!StringUtils.isEmpty(serverName)) {
+        privileges.add(ProviderConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_SERVER_NAME,
+                serverName));
+        if (!StringUtils.isEmpty(uri)) {
+          privileges.add(ProviderConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_URI_NAME,
+                  uri));
+        } else if (!StringUtils.isEmpty(dbName)) {
+          privileges.add(ProviderConstants.KV_JOINER.join(
+                  PolicyFileConstants.PRIVILEGE_DATABASE_NAME, dbName));
+          if (!StringUtils.isEmpty(tableName)) {
+            privileges.add(ProviderConstants.KV_JOINER.join(
+                    PolicyFileConstants.PRIVILEGE_TABLE_NAME, tableName));
+            if (!StringUtils.isEmpty(columnName)) {
+              privileges.add(ProviderConstants.KV_JOINER.join(
+                      PolicyFileConstants.PRIVILEGE_COLUMN_NAME, columnName));
+            }
+          }
+        }
+        if (!StringUtils.isEmpty(action)) {
+          privileges.add(ProviderConstants.KV_JOINER.join(
+                  PolicyFileConstants.PRIVILEGE_ACTION_NAME, action));
+        }
+      }
+      // only append the grant option to privilege string if it's true
+      if ("true".equals(grantOption)) {
+        privileges.add(ProviderConstants.KV_JOINER.join(
+                PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME, grantOption));
+      }
+    }
+    return ProviderConstants.AUTHORIZABLE_JOINER.join(privileges);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0adfc738/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java
new file mode 100644
index 0000000..283f2c0
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/ListRolesCmd.java
@@ -0,0 +1,51 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools.command.hive;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.provider.db.service.thrift.TSentryRole;
+
+import java.util.Set;
+
+/**
+ * The class for admin command to list roles.
+ */
+public class ListRolesCmd implements Command {
+
+  private String groupName;
+
+  public ListRolesCmd(String groupName) {
+    this.groupName = groupName;
+  }
+
+  @Override
+  public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
+    Set<TSentryRole> roles;
+    if (StringUtils.isEmpty(groupName)) {
+      roles = client.listRoles(requestorName);
+    } else {
+      roles = client.listRolesByGroupName(requestorName, groupName);
+    }
+    if (roles != null) {
+      for (TSentryRole role : roles) {
+        System.out.println(role.getRoleName());
+      }
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0adfc738/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java
new file mode 100644
index 0000000..9405037
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokePrivilegeFromRoleCmd.java
@@ -0,0 +1,62 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools.command.hive;
+
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.service.thrift.ServiceConstants;
+
+/**
+ * The class for admin command to revoke privileges from role.
+ */
+public class RevokePrivilegeFromRoleCmd implements Command {
+
+  private String roleName;
+  String privilegeStr;
+
+  public RevokePrivilegeFromRoleCmd(String roleName, String privilegeStr) {
+    this.roleName = roleName;
+    this.privilegeStr = privilegeStr;
+  }
+
+  @Override
+  public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
+    TSentryPrivilege tSentryPrivilege = CommandUtil.convertToTSentryPrivilege(privilegeStr);
+    boolean grantOption = tSentryPrivilege.getGrantOption().equals(TSentryGrantOption.TRUE) ? true : false;
+    if (ServiceConstants.PrivilegeScope.SERVER.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+      client.revokeServerPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
+              grantOption);
+    } else if (ServiceConstants.PrivilegeScope.DATABASE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+      client.revokeDatabasePrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
+              tSentryPrivilege.getDbName(), tSentryPrivilege.getAction(), grantOption);
+    } else if (ServiceConstants.PrivilegeScope.TABLE.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+      client.revokeTablePrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
+              tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(),
+              tSentryPrivilege.getAction(), grantOption);
+    } else if (ServiceConstants.PrivilegeScope.COLUMN.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+      client.revokeColumnPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
+              tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName(),
+              tSentryPrivilege.getColumnName(), tSentryPrivilege.getAction(), grantOption);
+    } else if (ServiceConstants.PrivilegeScope.URI.toString().equals(tSentryPrivilege.getPrivilegeScope())) {
+      client.revokeURIPrivilege(requestorName, roleName, tSentryPrivilege.getServerName(),
+              tSentryPrivilege.getURI(), grantOption);
+    }
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0adfc738/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java
new file mode 100644
index 0000000..86773ca
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/command/hive/RevokeRoleFromGroupsCmd.java
@@ -0,0 +1,43 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.tools.command.hive;
+
+import com.google.common.collect.Sets;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+
+import java.util.Set;
+
+/**
+ * The class for admin command to revoke role from group.
+ */
+public class RevokeRoleFromGroupsCmd implements Command {
+
+  private String roleName;
+  private String groupNamesStr;
+
+  public RevokeRoleFromGroupsCmd(String roleName, String groupNamesStr) {
+    this.roleName = roleName;
+    this.groupNamesStr = groupNamesStr;
+  }
+
+  @Override
+  public void execute(SentryPolicyServiceClient client, String requestorName) throws Exception {
+    Set<String> groups = Sets.newHashSet(groupNamesStr.split(CommandUtil.SPLIT_CHAR));
+    client.revokeRoleFromGroups(requestorName, roleName, groups);
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0adfc738/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
new file mode 100644
index 0000000..3907200
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
@@ -0,0 +1,583 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.tools;
+
+import static junit.framework.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.PrintStream;
+import java.util.Set;
+
+import junit.framework.Assert;
+import org.apache.commons.io.FileUtils;
+import org.apache.sentry.SentryUserException;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.provider.db.service.thrift.TSentryRole;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public class TestSentryShellHive extends SentryServiceIntegrationBase {
+
+  private static final Logger LOGGER = LoggerFactory.getLogger(TestSentryShellHive.class);
+  private File confDir;
+  private File confPath;
+  private static String TEST_ROLE_NAME_1 = "testRole1";
+  private static String TEST_ROLE_NAME_2 = "testRole2";
+  private String requestorName = "";
+
+  @Before
+  public void prepareForTest() throws Exception {
+    confDir = Files.createTempDir();
+    confPath = new File(confDir, "sentry-site.xml");
+    if (confPath.createNewFile()) {
+      FileOutputStream to = new FileOutputStream(confPath);
+      conf.writeXml(to);
+      to.close();
+    }
+    requestorName = System.getProperty("user.name", "");
+    Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+    setLocalGroupMapping(requestorName, requestorUserGroupNames);
+    // add ADMIN_USER for the after() in SentryServiceIntegrationBase
+    setLocalGroupMapping(ADMIN_USER, requestorUserGroupNames);
+    writePolicyFile();
+  }
+
+  @After
+  public void clearTestData() throws Exception {
+    FileUtils.deleteQuietly(confDir);
+  }
+
+  @Test
+  public void testCreateDropRole() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        // test: create role with -cr
+        String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        // test: create role with --create_role
+        args = new String[] { "--create_role", "-r", TEST_ROLE_NAME_2, "-conf",
+            confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+
+        // validate the result, list roles with -lr
+        args = new String[] { "-lr", "-conf", confPath.getAbsolutePath() };
+        SentryShellHive sentryShell = new SentryShellHive();
+        Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+        assertEquals("Incorrect number of roles", 2, roleNames.size());
+        for (String roleName : roleNames) {
+          assertTrue(TEST_ROLE_NAME_1.equalsIgnoreCase(roleName)
+              || TEST_ROLE_NAME_2.equalsIgnoreCase(roleName));
+        }
+
+        // validate the result, list roles with --list_role
+        args = new String[] { "--list_role", "-conf", confPath.getAbsolutePath() };
+        sentryShell = new SentryShellHive();
+        roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+        assertEquals("Incorrect number of roles", 2, roleNames.size());
+        for (String roleName : roleNames) {
+          assertTrue(TEST_ROLE_NAME_1.equalsIgnoreCase(roleName)
+              || TEST_ROLE_NAME_2.equalsIgnoreCase(roleName));
+        }
+
+        // test: drop role with -dr
+        args = new String[] { "-dr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        // test: drop role with --drop_role
+        args = new String[] { "--drop_role", "-r", TEST_ROLE_NAME_2, "-conf",
+            confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+
+        // validate the result
+        Set<TSentryRole> roles = client.listRoles(requestorName);
+        assertEquals("Incorrect number of roles", 0, roles.size());
+      }
+    });
+  }
+
+  @Test
+  public void testAddDeleteRoleForGroup() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        // create the role for test
+        client.createRole(requestorName, TEST_ROLE_NAME_1);
+        client.createRole(requestorName, TEST_ROLE_NAME_2);
+        // test: add group to role with -arg
+        String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup1", "-conf",
+            confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        // test: add role to multiple groups
+        args = new String[] { "-arg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup2,testGroup3",
+            "-conf",
+            confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        // test: add role to group with --add_role_group
+        args = new String[] { "--add_role_group", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1",
+            "-conf",
+            confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+
+        // validate the result list roles with -lr and -g
+        args = new String[] { "-lr", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
+        SentryShellHive sentryShell = new SentryShellHive();
+        Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+        assertEquals("Incorrect number of roles", 2, roleNames.size());
+        for (String roleName : roleNames) {
+          assertTrue(TEST_ROLE_NAME_1.equalsIgnoreCase(roleName)
+              || TEST_ROLE_NAME_2.equalsIgnoreCase(roleName));
+        }
+
+        // list roles with --list_role and -g
+        args = new String[] { "--list_role", "-g", "testGroup2", "-conf",
+            confPath.getAbsolutePath() };
+        sentryShell = new SentryShellHive();
+        roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+        assertEquals("Incorrect number of roles", 1, roleNames.size());
+        for (String roleName : roleNames) {
+          assertTrue(TEST_ROLE_NAME_1.equalsIgnoreCase(roleName));
+        }
+
+        args = new String[] { "--list_role", "-g", "testGroup3", "-conf",
+            confPath.getAbsolutePath() };
+        sentryShell = new SentryShellHive();
+        roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
+        assertEquals("Incorrect number of roles", 1, roleNames.size());
+        for (String roleName : roleNames) {
+          assertTrue(TEST_ROLE_NAME_1.equalsIgnoreCase(roleName));
+        }
+
+        // test: delete group from role with -drg
+        args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup1", "-conf",
+            confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        // test: delete role to multiple groups
+        args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup2,testGroup3",
+            "-conf",
+            confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        // test: delete group from role with --delete_role_group
+        args = new String[] { "--delete_role_group", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1",
+            "-conf", confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+
+        // validate the result
+        Set<TSentryRole> roles = client.listRolesByGroupName(requestorName, "testGroup1");
+        assertEquals("Incorrect number of roles", 0, roles.size());
+        roles = client.listRolesByGroupName(requestorName, "testGroup2");
+        assertEquals("Incorrect number of roles", 0, roles.size());
+        roles = client.listRolesByGroupName(requestorName, "testGroup3");
+        assertEquals("Incorrect number of roles", 0, roles.size());
+        // clear the test data
+        client.dropRole(requestorName, TEST_ROLE_NAME_1);
+        client.dropRole(requestorName, TEST_ROLE_NAME_2);
+      }
+    });
+  }
+
+  @Test
+  public void testGrantRevokePrivilegeWithShortOption() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        // create the role for test
+        client.createRole(requestorName, TEST_ROLE_NAME_1);
+        client.createRole(requestorName, TEST_ROLE_NAME_2);
+
+        // test: grant privilege to role with -gpr
+        String[] args = { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->action=*",
+            "-conf", confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->db=db1->table=tbl1->action=insert", "-conf",
+            confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf",
+            confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true",
+            "-conf", confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        // for the uri privilege, the action will be awalys *
+        args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+
+        // test the list privilege with -lp
+        args = new String[] { "-lp", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+        SentryShellHive sentryShell = new SentryShellHive();
+        Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true);
+        // validate the result for -lp
+        assertEquals("Incorrect number of privileges", 6, privilegeStrs.size());
+        assertTrue(privilegeStrs.contains("server=server1->action=*"));
+        assertTrue(privilegeStrs.contains("server=server1->db=db1->action=select"));
+        assertTrue(privilegeStrs.contains("server=server1->db=db1->table=tbl1->action=insert"));
+        assertTrue(privilegeStrs
+            .contains("server=server1->db=db1->table=tbl1->column=col1->action=insert"));
+        assertTrue(privilegeStrs
+            .contains("server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true"));
+        // for the uri privilege, the action will be awalys *
+        assertTrue(privilegeStrs.contains("server=server1->uri=hdfs://path/testuri->action=*"));
+
+        // test: revoke privilege from role with -rpr
+        args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf",
+            confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorName,
+            TEST_ROLE_NAME_1);
+        assertEquals("Incorrect number of privileges", 5, privileges.size());
+
+        args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true",
+            "-conf", confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
+        assertEquals("Incorrect number of privileges", 4, privileges.size());
+
+        args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
+        assertEquals("Incorrect number of privileges", 3, privileges.size());
+
+        args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->db=db1->table=tbl1->action=insert", "-conf",
+            confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
+        assertEquals("Incorrect number of privileges", 2, privileges.size());
+
+        args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
+        assertEquals("Incorrect number of privileges", 1, privileges.size());
+
+        args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p", "server=server1->action=*",
+            "-conf",
+            confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
+        assertEquals("Incorrect number of privileges", 0, privileges.size());
+
+        // clear the test data
+        client.dropRole(requestorName, TEST_ROLE_NAME_1);
+        client.dropRole(requestorName, TEST_ROLE_NAME_2);
+      }
+    });
+  }
+
+  @Test
+  public void testGrantRevokePrivilegeWithLongOption() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        // create the role for test
+        client.createRole(requestorName, TEST_ROLE_NAME_1);
+        client.createRole(requestorName, TEST_ROLE_NAME_2);
+
+        // test: grant privilege to role with -gpr
+        String[] args = { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->action=*", "-conf", confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->db=db1->table=tbl1->action=insert", "-conf",
+            confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf",
+            confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true",
+            "-conf", confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        // for the uri privilege, the action will be awalys *
+        args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+
+        // test the list privilege with -lp
+        args = new String[] { "--list_privilege", "-r", TEST_ROLE_NAME_1, "-conf",
+            confPath.getAbsolutePath() };
+        SentryShellHive sentryShell = new SentryShellHive();
+        Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true);
+        // validate the result for -lp
+        assertEquals("Incorrect number of privileges", 6, privilegeStrs.size());
+        assertTrue(privilegeStrs.contains("server=server1->action=*"));
+        assertTrue(privilegeStrs.contains("server=server1->db=db1->action=select"));
+        assertTrue(privilegeStrs.contains("server=server1->db=db1->table=tbl1->action=insert"));
+        assertTrue(privilegeStrs
+            .contains("server=server1->db=db1->table=tbl1->column=col1->action=insert"));
+        assertTrue(privilegeStrs
+            .contains("server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true"));
+        // for the uri privilege, the action will be awalys *
+        assertTrue(privilegeStrs.contains("server=server1->uri=hdfs://path/testuri->action=*"));
+
+        // test: revoke privilege from role with -rpr
+        args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf",
+            confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorName,
+            TEST_ROLE_NAME_1);
+        assertEquals("Incorrect number of privileges", 5, privileges.size());
+
+        args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true",
+            "-conf", confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
+        assertEquals("Incorrect number of privileges", 4, privileges.size());
+
+        args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
+        assertEquals("Incorrect number of privileges", 3, privileges.size());
+
+        args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->db=db1->table=tbl1->action=insert", "-conf",
+            confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
+        assertEquals("Incorrect number of privileges", 2, privileges.size());
+
+        args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
+        assertEquals("Incorrect number of privileges", 1, privileges.size());
+
+        args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->action=*", "-conf", confPath.getAbsolutePath() };
+        SentryShellHive.main(args);
+        privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
+        assertEquals("Incorrect number of privileges", 0, privileges.size());
+
+        // clear the test data
+        client.dropRole(requestorName, TEST_ROLE_NAME_1);
+        client.dropRole(requestorName, TEST_ROLE_NAME_2);
+      }
+    });
+  }
+
+  @Test
+  public void testNegativeCaseWithInvalidArgument() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        client.createRole(requestorName, TEST_ROLE_NAME_1);
+        // test: create duplicate role with -cr
+        String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+        SentryShellHive sentryShell = new SentryShellHive();
+        try {
+          sentryShell.executeShell(args);
+          fail("Exception should be thrown for creating duplicate role");
+        } catch (SentryUserException e) {
+          // excepted exception
+        }
+
+        // test: drop non-exist role with -dr
+        args = new String[] { "-dr", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
+        sentryShell = new SentryShellHive();
+        try {
+          sentryShell.executeShell(args);
+          fail("Exception should be thrown for dropping non-exist role");
+        } catch (SentryUserException e) {
+          // excepted exception
+        }
+
+        // test: add group to non-exist role with -arg
+        args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
+            confPath.getAbsolutePath() };
+        sentryShell = new SentryShellHive();
+        try {
+          sentryShell.executeShell(args);
+          fail("Exception should be thrown for granting non-exist role to group");
+        } catch (SentryUserException e) {
+          // excepted exception
+        }
+
+        // test: drop group from non-exist role with -drg
+        args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
+            confPath.getAbsolutePath() };
+        sentryShell = new SentryShellHive();
+        try {
+          sentryShell.executeShell(args);
+          fail("Exception should be thrown for drop group from non-exist role");
+        } catch (SentryUserException e) {
+          // excepted exception
+        }
+
+        // test: grant privilege to role with the error privilege format
+        args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", "serverserver1->action=*",
+            "-conf", confPath.getAbsolutePath() };
+        sentryShell = new SentryShellHive();
+        try {
+          sentryShell.executeShell(args);
+          fail("Exception should be thrown for the error privilege format, invalid key value.");
+        } catch (IllegalArgumentException e) {
+          // excepted exception
+        }
+
+        // test: grant privilege to role with the error privilege hierarchy
+        args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
+            "server=server1->table=tbl1->column=col2->action=insert", "-conf",
+            confPath.getAbsolutePath() };
+        sentryShell = new SentryShellHive();
+        try {
+          sentryShell.executeShell(args);
+          fail("Exception should be thrown for the error privilege format, invalid key value.");
+        } catch (IllegalArgumentException e) {
+          // excepted exception
+        }
+
+        // clear the test data
+        client.dropRole(requestorName, TEST_ROLE_NAME_1);
+      }
+    });
+  }
+
+  @Test
+  public void testNegativeCaseWithoutRequiredArgument() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        String strOptionConf = "conf";
+        client.createRole(requestorName, TEST_ROLE_NAME_1);
+        // test: the conf is required argument
+        String[] args = { "-cr", "-r", TEST_ROLE_NAME_1 };
+        SentryShellHive sentryShell = new SentryShellHive();
+        validateMissingParameterMsg(sentryShell, args,
+                SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + strOptionConf);
+
+        // test: -r is required when create role
+        args = new String[] { "-cr", "-conf", confPath.getAbsolutePath() };
+        sentryShell = new SentryShellHive();
+        validateMissingParameterMsg(sentryShell, args,
+                SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+        // test: -r is required when drop role
+        args = new String[] { "-dr", "-conf", confPath.getAbsolutePath() };
+        sentryShell = new SentryShellHive();
+        validateMissingParameterMsg(sentryShell, args,
+                SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+        // test: -r is required when add group to role
+        args = new String[] { "-arg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
+        sentryShell = new SentryShellHive();
+        validateMissingParameterMsg(sentryShell, args,
+                SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+        // test: -g is required when add group to role
+        args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
+        sentryShell = new SentryShellHive();
+        validateMissingParameterMsg(sentryShell, args,
+                SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
+
+        // test: -r is required when delete group from role
+        args = new String[] { "-drg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
+        sentryShell = new SentryShellHive();
+        validateMissingParameterMsg(sentryShell, args,
+                SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+        // test: -g is required when delete group from role
+        args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
+        sentryShell = new SentryShellHive();
+        validateMissingParameterMsg(sentryShell, args,
+                SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
+
+        // test: -r is required when grant privilege to role
+        args = new String[] { "-gpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() };
+        sentryShell = new SentryShellHive();
+        validateMissingParameterMsg(sentryShell, args,
+                SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+        // test: -p is required when grant privilege to role
+        args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+        sentryShell = new SentryShellHive();
+        validateMissingParameterMsg(sentryShell, args,
+                SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
+
+        // test: -r is required when revoke privilege from role
+        args = new String[] { "-rpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() };
+        sentryShell = new SentryShellHive();
+        validateMissingParameterMsg(sentryShell, args,
+                SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
+
+        // test: -p is required when revoke privilege from role
+        args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
+        sentryShell = new SentryShellHive();
+        validateMissingParameterMsg(sentryShell, args,
+                SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
+
+        // test: command option is required for shell
+        args = new String[] {"-conf", confPath.getAbsolutePath() };
+        sentryShell = new SentryShellHive();
+        validateMissingParameterMsg(sentryShell, args,
+                SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + "[-arg Add group to role," +
+                        " -cr Create role, -rpr Revoke privilege from role, -drg Delete group from role," +
+                        " -lr List role, -lp List privilege, -gpr Grant privilege to role, -dr Drop role]");
+
+        // clear the test data
+        client.dropRole(requestorName, TEST_ROLE_NAME_1);
+      }
+    });
+  }
+
+  // redirect the System.out to ByteArrayOutputStream, then execute the command and parse the result.
+  private Set<String> getShellResultWithOSRedirect(SentryShellHive sentryShell,
+      String[] args, boolean exceptedExecuteResult) throws Exception {
+    PrintStream oldOut = System.out;
+    ByteArrayOutputStream outContent = new ByteArrayOutputStream();
+    System.setOut(new PrintStream(outContent));
+    assertEquals(exceptedExecuteResult, sentryShell.executeShell(args));
+    Set<String> resultSet = Sets.newHashSet(outContent.toString().split("\n"));
+    System.setOut(oldOut);
+    return resultSet;
+  }
+
+  private void validateMissingParameterMsg(SentryShellHive sentryShell, String[] args,
+      String exceptedErrorMsg) throws Exception {
+    Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
+    Assert.assertTrue(errorMsgs.contains(exceptedErrorMsg));
+  }
+}

http://git-wip-us.apache.org/repos/asf/incubator-sentry/blob/0adfc738/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
index 6bc9f75..124293a 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
@@ -56,12 +56,6 @@ import com.google.common.io.Files;
 public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase {
   private static final Logger LOGGER = LoggerFactory.getLogger(SentryServiceIntegrationBase.class);
 
-  static {
-    if (System.getProperty("sun.security.krb5.debug", "").trim().isEmpty()) {
-      System.setProperty("sun.security.krb5.debug", String.valueOf("true"));
-    }
-  }
-
   protected static final String SERVER_HOST = NetUtils.createSocketAddr("localhost:80").getAddress().getCanonicalHostName();
   protected static final String REALM = "EXAMPLE.COM";
   protected static final String SERVER_PRINCIPAL = "sentry/" + SERVER_HOST;


Mime
View raw message