sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From co...@apache.org
Subject sentry git commit: SENTRY-1178: Update Sentry Policy Service for export with specific auth object (Colin Ma, reviewed by Dapeng Sun)
Date Thu, 14 Apr 2016 01:12:03 GMT
Repository: sentry
Updated Branches:
  refs/heads/master a3f7510bb -> 04881fa7a


SENTRY-1178: Update Sentry Policy Service for export with specific auth object (Colin Ma,
reviewed by Dapeng Sun)


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/04881fa7
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/04881fa7
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/04881fa7

Branch: refs/heads/master
Commit: 04881fa7acbf11ab3118c5402f2473c5f1fc15b5
Parents: a3f7510
Author: Colin Ma <colin@apache.org>
Authored: Thu Apr 14 09:52:03 2016 +0800
Committer: Colin Ma <colin@apache.org>
Committed: Thu Apr 14 09:52:03 2016 +0800

----------------------------------------------------------------------
 .../binding/hive/authz/SentryConfigTool.java    |   2 +-
 .../thrift/SentryPolicyServiceClient.java       |   2 +-
 .../SentryPolicyServiceClientDefaultImpl.java   |   5 +-
 .../thrift/SentryPolicyStoreProcessor.java      |  24 ++-
 .../service/thrift/SentryServiceUtil.java       |  26 +++
 .../thrift/TestSentryServiceImportExport.java   | 188 ++++++++++++++++++-
 6 files changed, 232 insertions(+), 15 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/04881fa7/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
b/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
index 73b0941..18ba943 100644
--- a/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
+++ b/sentry-binding/sentry-binding-hive-common/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
@@ -293,7 +293,7 @@ public class SentryConfigTool {
     SentryPolicyServiceClient client = SentryServiceClientFactory.create(getAuthzConf());
     // export the sentry mapping data from database to map structure
     Map<String, Map<String, Set<String>>> policyFileMappingData = client
-        .exportPolicy(requestorUserName);
+        .exportPolicy(requestorUserName, null);
     // get the FileFormatter according to the configuration
     SentryPolicyFileFormatter sentryPolicyFileFormatter = SentryPolicyFileFormatFactory
         .createFileFormatter(authzConf);

http://git-wip-us.apache.org/repos/asf/sentry/blob/04881fa7/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
index de50adb..b6deadb 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClient.java
@@ -187,6 +187,6 @@ public interface SentryPolicyServiceClient {
       String requestorUserName, boolean isOverwriteRole) throws SentryUserException;
 
   // export the sentry mapping data with map structure
-  Map<String, Map<String, Set<String>>> exportPolicy(String requestorUserName)
+  Map<String, Map<String, Set<String>>> exportPolicy(String requestorUserName,
String objectPath)
       throws SentryUserException;
 }

http://git-wip-us.apache.org/repos/asf/sentry/blob/04881fa7/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
index edc5661..3f8e489 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.java
@@ -903,10 +903,11 @@ public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyService
   }
 
   // export the sentry mapping data with map structure
-  public synchronized Map<String, Map<String, Set<String>>> exportPolicy(String
requestorUserName)
-      throws SentryUserException {
+  public synchronized Map<String, Map<String, Set<String>>> exportPolicy(String
requestorUserName,
+      String objectPath) throws SentryUserException {
     TSentryExportMappingDataRequest request = new TSentryExportMappingDataRequest(
         ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT, requestorUserName);
+    request.setObjectPath(objectPath);
     try {
       TSentryExportMappingDataResponse response = client.export_sentry_mapping_data(request);
       Status.throwIfNotOk(response.getStatus());

http://git-wip-us.apache.org/repos/asf/sentry/blob/04881fa7/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
index 8881d82..52af345 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.java
@@ -31,6 +31,7 @@ import org.apache.hadoop.conf.Configuration;
 import org.apache.sentry.SentryUserException;
 import org.apache.sentry.core.model.db.AccessConstants;
 import org.apache.sentry.provider.common.GroupMappingService;
+import org.apache.sentry.provider.common.PolicyFileConstants;
 import org.apache.sentry.provider.db.SentryAccessDeniedException;
 import org.apache.sentry.provider.db.SentryAlreadyExistsException;
 import org.apache.sentry.provider.db.SentryInvalidInputException;
@@ -46,6 +47,7 @@ import org.apache.sentry.provider.db.service.persistent.HAContext;
 import org.apache.sentry.provider.db.service.persistent.SentryStore;
 import org.apache.sentry.provider.db.service.persistent.ServiceRegister;
 import org.apache.sentry.provider.db.service.thrift.PolicyStoreConstants.PolicyStoreServerConfig;
+import org.apache.sentry.service.thrift.SentryServiceUtil;
 import org.apache.sentry.service.thrift.ServiceConstants;
 import org.apache.sentry.service.thrift.ServiceConstants.ConfUtilties;
 import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
@@ -902,14 +904,32 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface
{
     try {
       String requestor = request.getRequestorUserName();
       Set<String> memberGroups = getRequestorGroups(requestor);
+      String objectPath = request.getObjectPath();
+      String databaseName = null;
+      String tableName = null;
+
+      Map<String, String> objectMap =
+          SentryServiceUtil.parseObjectPath(objectPath);
+      databaseName = objectMap.get(PolicyFileConstants.PRIVILEGE_DATABASE_NAME);
+      tableName = objectMap.get(PolicyFileConstants.PRIVILEGE_TABLE_NAME);
+
       if (!inAdminGroups(memberGroups)) {
         // disallow non-admin to import the metadata of sentry
         throw new SentryAccessDeniedException("Access denied to " + requestor
             + " for export the metadata of sentry.");
       }
       TSentryMappingData tSentryMappingData = new TSentryMappingData();
-      tSentryMappingData.setGroupRolesMap(sentryStore.getGroupNameRoleNamesMap());
-      tSentryMappingData.setRolePrivilegesMap(sentryStore.getRoleNameTPrivilegesMap());
+      Map<String, Set<TSentryPrivilege>> rolePrivileges =
+          sentryStore.getRoleNameTPrivilegesMap(databaseName, tableName);
+      tSentryMappingData.setRolePrivilegesMap(rolePrivileges);
+      Set<String> roleNames = rolePrivileges.keySet();
+      // roleNames should be null if databaseName == null and tableName == null
+      if (databaseName == null && tableName == null) {
+        roleNames = null;
+      }
+      tSentryMappingData.setGroupRolesMap(
+          sentryStore.getGroupNameRoleNamesMap(roleNames));
+
       response.setMappingData(tSentryMappingData);
       response.setStatus(Status.OK());
     } catch (Exception e) {

http://git-wip-us.apache.org/repos/asf/sentry/blob/04881fa7/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java
b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java
index 5b293ec..1da17ee 100644
--- a/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java
+++ b/sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryServiceUtil.java
@@ -18,7 +18,9 @@
 
 package org.apache.sentry.service.thrift;
 
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 
 import org.apache.commons.lang.StringUtils;
 import org.apache.sentry.policy.common.KeyValue;
@@ -62,6 +64,30 @@ public class SentryServiceUtil {
     return tSentryPrivilege;
   }
 
+  /**
+   * Parse the object path from string to map.
+   * @param objectPath the string format as db=db1->table=tbl1
+   * @return Map
+   */
+  public static Map<String, String> parseObjectPath(String objectPath) {
+    Map<String, String> objectMap = new HashMap<String, String>();
+    if (StringUtils.isEmpty(objectPath)) {
+      return objectMap;
+    }
+    for (String kvStr : PolicyConstants.AUTHORIZABLE_SPLITTER.split(objectPath)) {
+      KeyValue kv = new KeyValue(kvStr);
+      String key = kv.getKey();
+      String value = kv.getValue();
+
+      if (PolicyFileConstants.PRIVILEGE_DATABASE_NAME.equalsIgnoreCase(key)) {
+        objectMap.put(PolicyFileConstants.PRIVILEGE_DATABASE_NAME, value);
+      } else if (PolicyFileConstants.PRIVILEGE_TABLE_NAME.equalsIgnoreCase(key)) {
+        objectMap.put(PolicyFileConstants.PRIVILEGE_TABLE_NAME, value);
+      }
+    }
+    return objectMap;
+  }
+
   // for the different hierarchy for hive:
   // 1: server->url
   // 2: server->database->table->column

http://git-wip-us.apache.org/repos/asf/sentry/blob/04881fa7/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceImportExport.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceImportExport.java
b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceImportExport.java
index dbe4a27..8d8f28c 100644
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceImportExport.java
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/service/thrift/TestSentryServiceImportExport.java
@@ -46,6 +46,7 @@ public class TestSentryServiceImportExport extends SentryServiceIntegrationBase
   public static String PRIVILIEGE6 = "server=server1->db=db1->table=tbl3->column=col1->action=*->grantoption=true";
   public static String PRIVILIEGE7 = "server=server1->db=db1->table=tbl4->column=col1->action=all->grantoption=true";
   public static String PRIVILIEGE8 = "server=server1->uri=hdfs://testserver:9999/path2->action=insert";
+  public static String PRIVILIEGE9 = "server=server1->db=db2->table=tbl1->action=insert";
 
   @BeforeClass
   public static void setup() throws Exception {
@@ -92,7 +93,7 @@ public class TestSentryServiceImportExport extends SentryServiceIntegrationBase
         policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap);
         client.importPolicy(policyFileMappingData, ADMIN_USER, false);
 
-        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER);
+        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER,
null);
         validateSentryMappingData(sentryMappingData,
             policyFileMappingData);
       }
@@ -148,7 +149,7 @@ public class TestSentryServiceImportExport extends SentryServiceIntegrationBase
         exceptedMappingData.get(PolicyFileConstants.ROLES).putAll(
             policyFileMappingData2.get(PolicyFileConstants.ROLES));
 
-        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER);
+        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER,
null);
         validateSentryMappingData(sentryMappingData, exceptedMappingData);
       }
     });
@@ -216,7 +217,7 @@ public class TestSentryServiceImportExport extends SentryServiceIntegrationBase
         exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
         exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
 
-        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER);
+        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER,
null);
         validateSentryMappingData(sentryMappingData, exceptedMappingData);
       }
     });
@@ -238,7 +239,7 @@ public class TestSentryServiceImportExport extends SentryServiceIntegrationBase
         policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap);
         client.importPolicy(policyFileMappingData, ADMIN_USER, false);
 
-        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER);
+        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER,
null);
         validateSentryMappingData(sentryMappingData,
             policyFileMappingData);
       }
@@ -293,7 +294,7 @@ public class TestSentryServiceImportExport extends SentryServiceIntegrationBase
         exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
         exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
 
-        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER);
+        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER,
null);
         validateSentryMappingData(sentryMappingData, exceptedMappingData);
       }
     });
@@ -362,7 +363,7 @@ public class TestSentryServiceImportExport extends SentryServiceIntegrationBase
         exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
         exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
 
-        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER);
+        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER,
null);
         validateSentryMappingData(sentryMappingData, exceptedMappingData);
       }
     });
@@ -409,7 +410,7 @@ public class TestSentryServiceImportExport extends SentryServiceIntegrationBase
         exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
         exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
 
-        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER);
+        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER,
null);
         validateSentryMappingData(sentryMappingData, exceptedMappingData);
       }
     });
@@ -458,7 +459,7 @@ public class TestSentryServiceImportExport extends SentryServiceIntegrationBase
         client.importPolicy(policyFileMappingData2, ADMIN_USER, false);
 
         Map<String, Map<String, Set<String>>> exceptedMappingData = policyFileMappingData2;
-        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER);
+        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER,
null);
         // all and * should replace the select and insert
         validateSentryMappingData(sentryMappingData, exceptedMappingData);
       }
@@ -484,7 +485,7 @@ public class TestSentryServiceImportExport extends SentryServiceIntegrationBase
         }
 
         try {
-          client.exportPolicy("no-admin-user");
+          client.exportPolicy("no-admin-user", null);
           fail("non-admin can't do the export.");
         } catch (Exception e) {
           // excepted exception
@@ -493,6 +494,175 @@ public class TestSentryServiceImportExport extends SentryServiceIntegrationBase
     });
   }
 
+  // The following data is imported:
+  // group1=role1
+  // group2=role1,role2
+  // group3=role2,role3
+  // group4=role1,role2,role3
+  // role1=privilege3,privilege4,privilege9
+  // role2=privilege3,privilege4,privilege5,privilege6,privilege7
+  // role3=privilege4,privilege5,privilege6,privilege7,privilege8
+  // Export APIs getRoleNameTPrivilegesMap, getGroupNameRoleNamesMap are tested.
+  @Test
+  public void testExportPolicyWithSpecificObject() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        // import the test data
+        Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap();
+        Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
+        groupRolesMap.put("group1", Sets.newHashSet("role1"));
+        groupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+        groupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+        groupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+        Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+        rolePrivilegesMap1.put("role1",
+            Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE9));
+        rolePrivilegesMap1.put("role2",
+            Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5,
+            PRIVILIEGE6, PRIVILIEGE7));
+        rolePrivilegesMap1.put("role3",
+            Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6,
+            PRIVILIEGE7, PRIVILIEGE8));
+        policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap);
+        policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+        client.importPolicy(policyFileMappingData, ADMIN_USER, true);
+
+        // verify the rolePrivilegesMap and groupRolesMap with null objectPath
+        Map<String, Map<String, Set<String>>> expectedMappingData = Maps.newHashMap();
+        Map<String, Set<String>> expectedGroupRoles = Maps.newHashMap();
+        expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+        expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+        expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+        expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+        Map<String, Set<String>> expectedRolePrivileges = Maps.newHashMap();
+        expectedRolePrivileges.put("role1", Sets.newHashSet(
+            PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE9));
+        expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4,
+            PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
+        expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4,
+            PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+        expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+        expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER,
null);
+        validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+        // verify the rolePrivilegesMap and groupRolesMap with empty objectPath
+        expectedMappingData = Maps.newHashMap();
+        expectedGroupRoles = Maps.newHashMap();
+        expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+        expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+        expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+        expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+        expectedRolePrivileges = Maps.newHashMap();
+        expectedRolePrivileges.put("role1", Sets.newHashSet(
+            PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE9));
+        expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4,
+            PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
+        expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4,
+            PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+        expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+        expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+        sentryMappingData = client.exportPolicy(ADMIN_USER, "");
+        validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+        // verify the rolePrivilegesMap and groupRolesMap for db=db1
+        expectedMappingData = Maps.newHashMap();
+        expectedGroupRoles = Maps.newHashMap();
+        expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+        expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+        expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+        expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+        expectedRolePrivileges = Maps.newHashMap();
+        expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE4));
+        expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE4,
+            PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
+        expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4,
+            PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
+        expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+        expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+        sentryMappingData = client.exportPolicy(ADMIN_USER, "db=db1");
+        validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+        // verify the rolePrivilegesMap and groupRolesMap for db=db2
+        expectedMappingData = Maps.newHashMap();
+        expectedGroupRoles = Maps.newHashMap();
+        expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+        expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+        expectedGroupRoles.put("group3", Sets.newHashSet("role2"));
+        expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2"));
+        expectedRolePrivileges = Maps.newHashMap();
+        expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE9));
+        expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE3));
+        expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+        expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+        sentryMappingData = client.exportPolicy(ADMIN_USER, "db=db2");
+        validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+        // verify the rolePrivilegesMap and groupRolesMap for db=db1->table=tbl1
+        expectedMappingData = Maps.newHashMap();
+        expectedGroupRoles = Maps.newHashMap();
+        expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+        expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+        expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+        expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+        expectedRolePrivileges = Maps.newHashMap();
+        expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE4));
+        expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE4));
+        expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4));
+        expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+        expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+        sentryMappingData = client.exportPolicy(ADMIN_USER, "db=db1->table=tbl1");
+        validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+        // verify the rolePrivilegesMap and groupRolesMap for db=db1->table=tbl2
+        expectedMappingData = Maps.newHashMap();
+        expectedGroupRoles = Maps.newHashMap();
+        expectedGroupRoles.put("group2", Sets.newHashSet("role2"));
+        expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+        expectedGroupRoles.put("group4", Sets.newHashSet("role2", "role3"));
+        expectedRolePrivileges = Maps.newHashMap();
+        expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE5));
+        expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE5));
+        expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+        expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+        sentryMappingData = client.exportPolicy(ADMIN_USER, "db=db1->table=tbl2");
+        validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+        // verify the rolePrivilegesMap and groupRolesMap for db=db1->table=tbl1
+        expectedMappingData = Maps.newHashMap();
+        expectedGroupRoles = Maps.newHashMap();
+        expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+        expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+        expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+        expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+        expectedRolePrivileges = Maps.newHashMap();
+        expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE9));
+        expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE4));
+        expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4));
+        expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+        expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+        sentryMappingData = client.exportPolicy(ADMIN_USER, "table=tbl1");
+        validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+        // verify the invalid exportObject string
+        try {
+          client.exportPolicy(ADMIN_USER, "invalidString");
+          fail("RuntimeException should be thrown.");
+        } catch (RuntimeException sue) {
+          // excepted exception
+        }
+      }
+    });
+  }
+
   // verify the mapping data
   public void validateSentryMappingData(
       Map<String, Map<String, Set<String>>> actualMappingData,


Mime
View raw message