sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From co...@apache.org
Subject [20/44] sentry git commit: SENTRY-1287: Create sentry-service-server module(Colin Ma, reviewed by Dapeng Sun)
Date Fri, 24 Jun 2016 06:00:49 GMT
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
new file mode 100644
index 0000000..3058650
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/util/CommandUtil.java
@@ -0,0 +1,233 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.util;
+
+import java.net.InetAddress;
+import java.net.NetworkInterface;
+import java.util.Enumeration;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.commons.lang.StringUtils;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
+import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
+
+import com.google.common.annotations.VisibleForTesting;
+
+public final class CommandUtil {
+    
+  public CommandUtil() {
+    // Make constructor private to avoid instantiation
+  }
+
+  public static String createCmdForCreateOrDropRole(String roleName,
+      boolean isCreate) {
+    if (isCreate) {
+      return "CREATE ROLE " + roleName;
+    }
+    return "DROP ROLE " + roleName;
+  }
+
+  public static String createCmdForRoleAddGroup(String roleName, String groups) {
+    return createCmdForRoleGrant(roleName, groups, true, true);
+  }
+
+  public static String createCmdForRoleDeleteGroup(String roleName, String groups) {
+    return createCmdForRoleGrant(roleName, groups, false, true);
+  }
+
+  private static String createCmdForRoleGrant(String roleName, String principals,
+      boolean isGrant, boolean isGroup) {
+    StringBuilder sb = new StringBuilder();
+    if (isGrant) {
+      sb.append("GRANT ROLE ");
+    } else {
+      sb.append("REVOKE ROLE ");
+    }
+    sb.append(roleName);
+    if (isGrant) {
+      sb.append(" TO ");
+    } else {
+      sb.append(" FROM ");
+    }
+
+    String principalType = isGroup ? "GROUP" : "USER";
+    if (!StringUtils.isEmpty(principals)) {
+      sb.append(principalType).append(" ").append(principals);
+    } else {
+      sb = new StringBuilder("Missing " + principalType + " information.");
+    }
+
+    return sb.toString();
+  }
+
+  public static String createCmdForRoleAddUser(String roleName, String users) {
+    return createCmdForRoleGrant(roleName, users, true, false);
+  }
+
+  public static String createCmdForRoleDeleteUser(String roleName, String users) {
+    return createCmdForRoleGrant(roleName, users, false, false);
+  }
+
+  public static String createCmdForGrantPrivilege(
+      TAlterSentryRoleGrantPrivilegeRequest request) {
+    return createCmdForGrantOrRevokePrivileges(request.getRoleName(),
+        request.getPrivileges(), true);
+  }
+
+  public static String createCmdForRevokePrivilege(
+      TAlterSentryRoleRevokePrivilegeRequest request) {
+    return createCmdForGrantOrRevokePrivileges(request.getRoleName(),
+        request.getPrivileges(), false);
+  }
+
+  private static String createCmdForGrantOrRevokePrivileges(String roleName,
+      Set<TSentryPrivilege> privileges, boolean isGrant) {
+    StringBuilder sb = new StringBuilder();
+    if (privileges != null) {
+      for (TSentryPrivilege privilege : privileges) {
+        sb.append(createCmdForGrantOrRevokePrivilege(roleName, privilege, isGrant));
+      }
+    }
+    return sb.toString();
+  }
+
+  private static String createCmdForGrantOrRevokePrivilege(String roleName,
+      TSentryPrivilege privilege, boolean isGrant) {
+    StringBuilder sb = new StringBuilder();
+    if (isGrant) {
+      sb.append("GRANT ");
+    } else {
+      sb.append("REVOKE ");
+    }
+
+    String action = privilege.getAction();
+    String privilegeScope = privilege.getPrivilegeScope();
+    if (AccessConstants.ALL.equalsIgnoreCase(action)) {
+      sb.append("ALL");
+    } else {
+      if (action != null) {
+        action = action.toUpperCase();
+      }
+      sb.append(action);
+    }
+
+    sb.append(" ON ").append(privilege.getPrivilegeScope()).append(" ");
+    if (PrivilegeScope.DATABASE.name().equalsIgnoreCase(privilegeScope)) {
+      sb.append(privilege.getDbName());
+    } else if (PrivilegeScope.TABLE.name().equalsIgnoreCase(privilegeScope)) {
+      sb.append(privilege.getTableName());
+    } else if (PrivilegeScope.SERVER.name().equalsIgnoreCase(privilegeScope)) {
+      sb.append(privilege.getServerName());
+    } else if (PrivilegeScope.URI.name().equalsIgnoreCase(privilegeScope)) {
+      sb.append(privilege.getURI());
+    }
+
+    if (isGrant) {
+      sb.append(" TO ROLE ");
+    } else {
+      sb.append(" FROM ROLE ");
+    }
+    sb.append(roleName);
+
+    if (privilege.getGrantOption() == TSentryGrantOption.TRUE) {
+      sb.append(" WITH GRANT OPTION");
+    }
+
+    return sb.toString();
+  }
+
+  public static String createCmdForGrantGMPrivilege(
+      org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest request) {
+    return createCmdForGrantOrRevokeGMPrivilege(request.getRoleName(), request.getPrivilege(), true);
+  }
+
+  public static String createCmdForRevokeGMPrivilege(
+      org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest request) {
+    return createCmdForGrantOrRevokeGMPrivilege(request.getRoleName(), request.getPrivilege(),
+        false);
+  }
+
+  private static String createCmdForGrantOrRevokeGMPrivilege(String roleName,
+      org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege privilege,
+      boolean isGrant) {
+    StringBuilder sb = new StringBuilder();
+    if (isGrant) {
+      sb.append("GRANT ");
+    } else {
+      sb.append("REVOKE ");
+    }
+
+    String action = privilege.getAction();
+    if (AccessConstants.ALL.equalsIgnoreCase(action)) {
+      sb.append("ALL");
+    } else {
+      if (action != null) {
+        action = action.toUpperCase();
+      }
+      sb.append(action);
+    }
+
+    sb.append(" ON");
+
+    List<TAuthorizable> authorizables = privilege.getAuthorizables();
+    if (authorizables != null) {
+      for (TAuthorizable authorizable : authorizables) {
+        sb.append(" ").append(authorizable.getType()).append(" ").append(authorizable.getName());
+      }
+    }
+
+    if (isGrant) {
+      sb.append(" TO ROLE ");
+    } else {
+      sb.append(" FROM ROLE ");
+    }
+    sb.append(roleName);
+
+    if (privilege.getGrantOption() == org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption.TRUE) {
+      sb.append(" WITH GRANT OPTION");
+    }
+
+    return sb.toString();
+  }
+
+  // Check if the given IP is one of the local IP.
+  @VisibleForTesting
+  public static boolean assertIPInAuditLog(String ipInAuditLog) throws Exception {
+    if (ipInAuditLog == null) {
+      return false;
+    }
+    Enumeration<NetworkInterface> netInterfaces = NetworkInterface.getNetworkInterfaces();
+    while (netInterfaces.hasMoreElements()) {
+      NetworkInterface ni = netInterfaces.nextElement();
+      Enumeration<InetAddress> ips = ni.getInetAddresses();
+      while (ips.hasMoreElements()) {
+        if (ipInAuditLog.indexOf(ips.nextElement().getHostAddress()) != -1) {
+          return true;
+        }
+      }
+    }
+    return false;
+  }
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java
new file mode 100644
index 0000000..2e71ce0
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/log/util/Constants.java
@@ -0,0 +1,162 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.log.util;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.sentry.provider.db.service.thrift.*;
+
+public final class Constants {
+  public final static String AUDIT_LOGGER_NAME = "sentry.hive.authorization.ddl.logger";
+  public final static String AUDIT_LOGGER_NAME_GENERIC = "sentry.generic.authorization.ddl.logger";
+
+  public final static String LOG_FIELD_SERVICE_NAME = "serviceName";
+  public final static String LOG_FIELD_USER_NAME = "userName";
+  public final static String LOG_FIELD_IMPERSONATOR = "impersonator";
+  public final static String LOG_FIELD_IP_ADDRESS = "ipAddress";
+  public final static String LOG_FIELD_OPERATION = "operation";
+  public final static String LOG_FIELD_EVENT_TIME = "eventTime";
+  public final static String LOG_FIELD_OPERATION_TEXT = "operationText";
+  public final static String LOG_FIELD_ALLOWED = "allowed";
+  public final static String LOG_FIELD_DATABASE_NAME = "databaseName";
+  public final static String LOG_FIELD_TABLE_NAME = "tableName";
+  public final static String LOG_FIELD_COLUMN_NAME = "column";
+  public final static String LOG_FIELD_RESOURCE_PATH = "resourcePath";
+  public final static String LOG_FIELD_OBJECT_TYPE = "objectType";
+  public final static String LOG_FIELD_COMPONENT = "component";
+
+  public final static String OPERATION_CREATE_ROLE = "CREATE_ROLE";
+  public final static String OPERATION_DROP_ROLE = "DROP_ROLE";
+  public final static String OPERATION_ADD_ROLE = "ADD_ROLE_TO_GROUP";
+  public final static String OPERATION_DELETE_ROLE = "DELETE_ROLE_FROM_GROUP";
+  public final static String OPERATION_ADD_ROLE_USER = "ADD_ROLE_TO_USER";
+  public final static String OPERATION_DELETE_ROLE_USER = "DELETE_ROLE_FROM_USER";
+  public final static String OPERATION_GRANT_PRIVILEGE = "GRANT_PRIVILEGE";
+  public final static String OPERATION_REVOKE_PRIVILEGE = "REVOKE_PRIVILEGE";
+
+  public final static String OBJECT_TYPE_PRINCIPAL = "PRINCIPAL";
+  public final static String OBJECT_TYPE_ROLE = "ROLE";
+
+  public final static String TRUE = "true";
+  public final static String FALSE = "false";
+
+  public static final Map<String, String> requestTypeToOperationMap = new HashMap<String, String>();
+  public static final Map<String, String> requestTypeToObjectTypeMap = new HashMap<String, String>();
+
+  static {
+    // for hive audit log
+    requestTypeToOperationMap.put(TCreateSentryRoleRequest.class.getName(),
+        Constants.OPERATION_CREATE_ROLE);
+    requestTypeToOperationMap.put(
+        TAlterSentryRoleGrantPrivilegeRequest.class.getName(),
+        Constants.OPERATION_GRANT_PRIVILEGE);
+    requestTypeToOperationMap.put(
+        TAlterSentryRoleRevokePrivilegeRequest.class.getName(),
+        Constants.OPERATION_REVOKE_PRIVILEGE);
+    requestTypeToOperationMap.put(TDropSentryRoleRequest.class.getName(),
+        Constants.OPERATION_DROP_ROLE);
+    requestTypeToOperationMap.put(
+        TAlterSentryRoleAddGroupsRequest.class.getName(),
+        Constants.OPERATION_ADD_ROLE);
+    requestTypeToOperationMap.put(
+        TAlterSentryRoleDeleteGroupsRequest.class.getName(),
+        Constants.OPERATION_DELETE_ROLE);
+    requestTypeToOperationMap.put(
+        TAlterSentryRoleAddUsersRequest.class.getName(),
+        Constants.OPERATION_ADD_ROLE_USER);
+    requestTypeToOperationMap.put(
+        TAlterSentryRoleDeleteUsersRequest.class.getName(),
+        Constants.OPERATION_DELETE_ROLE_USER);
+
+    // for generic model audit log
+    requestTypeToOperationMap.put(
+        org.apache.sentry.provider.db.generic.service.thrift.TCreateSentryRoleRequest.class
+            .getName(), Constants.OPERATION_CREATE_ROLE);
+    requestTypeToOperationMap
+        .put(org.apache.sentry.provider.db.generic.service.thrift.TDropSentryRoleRequest.class
+            .getName(), Constants.OPERATION_DROP_ROLE);
+    requestTypeToOperationMap
+        .put(
+            org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest.class
+                .getName(), Constants.OPERATION_GRANT_PRIVILEGE);
+    requestTypeToOperationMap
+        .put(
+            org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest.class
+                .getName(), Constants.OPERATION_REVOKE_PRIVILEGE);
+    requestTypeToOperationMap.put(
+        org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleAddGroupsRequest.class
+            .getName(), Constants.OPERATION_ADD_ROLE);
+    requestTypeToOperationMap
+        .put(
+            org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleDeleteGroupsRequest.class
+                .getName(), Constants.OPERATION_DELETE_ROLE);
+
+    // for hive audit log
+    requestTypeToObjectTypeMap.put(TCreateSentryRoleRequest.class.getName(),
+        Constants.OBJECT_TYPE_ROLE);
+    requestTypeToObjectTypeMap.put(TDropSentryRoleRequest.class.getName(),
+        Constants.OBJECT_TYPE_ROLE);
+    requestTypeToObjectTypeMap.put(
+        TAlterSentryRoleAddGroupsRequest.class.getName(),
+        Constants.OBJECT_TYPE_ROLE);
+    requestTypeToObjectTypeMap.put(
+        TAlterSentryRoleDeleteGroupsRequest.class.getName(),
+        Constants.OBJECT_TYPE_ROLE);
+    requestTypeToObjectTypeMap.put(
+        TAlterSentryRoleAddUsersRequest.class.getName(),
+        Constants.OBJECT_TYPE_ROLE);
+    requestTypeToObjectTypeMap.put(
+        TAlterSentryRoleDeleteUsersRequest.class.getName(),
+        Constants.OBJECT_TYPE_ROLE);
+    requestTypeToObjectTypeMap.put(
+        TAlterSentryRoleGrantPrivilegeRequest.class.getName(),
+        Constants.OBJECT_TYPE_PRINCIPAL);
+    requestTypeToObjectTypeMap.put(
+        TAlterSentryRoleRevokePrivilegeRequest.class.getName(),
+        Constants.OBJECT_TYPE_PRINCIPAL);
+    // for generic model audit log
+    requestTypeToObjectTypeMap.put(
+        org.apache.sentry.provider.db.generic.service.thrift.TCreateSentryRoleRequest.class
+            .getName(), Constants.OBJECT_TYPE_ROLE);
+    requestTypeToObjectTypeMap
+        .put(org.apache.sentry.provider.db.generic.service.thrift.TDropSentryRoleRequest.class
+            .getName(), Constants.OBJECT_TYPE_ROLE);
+    requestTypeToObjectTypeMap.put(
+        org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleAddGroupsRequest.class
+            .getName(), Constants.OBJECT_TYPE_ROLE);
+    requestTypeToObjectTypeMap
+        .put(
+            org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleDeleteGroupsRequest.class
+                .getName(), Constants.OBJECT_TYPE_ROLE);
+    requestTypeToObjectTypeMap
+        .put(
+            org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleGrantPrivilegeRequest.class
+                .getName(), Constants.OBJECT_TYPE_PRINCIPAL);
+    requestTypeToObjectTypeMap
+        .put(
+            org.apache.sentry.provider.db.generic.service.thrift.TAlterSentryRoleRevokePrivilegeRequest.class
+                .getName(), Constants.OBJECT_TYPE_PRINCIPAL);
+  }
+
+  private Constants() {
+    // Make constructor private to avoid instantiation
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java
new file mode 100644
index 0000000..55b61ac
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java
@@ -0,0 +1,497 @@
+/**
+vim  * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.service.model;
+
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
+
+import java.lang.reflect.Field;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+
+import javax.jdo.annotations.PersistenceCapable;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.model.db.AccessConstants;
+
+import com.google.common.base.Strings;
+import com.google.common.collect.Lists;
+
+/**
+ * Database backed Sentry Generic Privilege for new authorization Model
+ * Any changes to this object
+ * require re-running the maven build so DN an re-enhance.
+ */
+@PersistenceCapable
+public class MSentryGMPrivilege {
+  private static final String PREFIX_RESOURCE_NAME = "resourceName";
+  private static final String PREFIX_RESOURCE_TYPE = "resourceType";
+  private static final String NULL_COL = "__NULL__";
+  private static final String SERVICE_SCOPE = "Server";
+  private static final int AUTHORIZABLE_LEVEL = 4;
+  /**
+   * The authorizable List has been stored into resourceName and resourceField columns
+   * We assume that the generic model privilege for any component(hive/impala or solr) doesn't exceed four level.
+   * This generic model privilege currently can support maximum 4 level.
+   **/
+  private String resourceName0 = NULL_COL; //NOPMD
+  private String resourceType0 = NULL_COL; //NOPMD
+  private String resourceName1 = NULL_COL; //NOPMD
+  private String resourceType1 = NULL_COL; //NOPMD
+  private String resourceName2 = NULL_COL; //NOPMD
+  private String resourceType2 = NULL_COL; //NOPMD
+  private String resourceName3 = NULL_COL; //NOPMD
+  private String resourceType3 = NULL_COL; //NOPMD
+
+
+  private String serviceName;
+  private String componentName;
+  private String action;
+  private String scope;
+
+  private Boolean grantOption = false;
+  // roles this privilege is a part of
+  private Set<MSentryRole> roles;
+  private long createTime;
+
+  public MSentryGMPrivilege() {
+    this.roles = new HashSet<MSentryRole>();
+  }
+
+  public MSentryGMPrivilege(String componentName, String serviceName,
+                                 List<? extends Authorizable> authorizables,
+                                 String action, Boolean grantOption) {
+    this.componentName = componentName;
+    this.serviceName = serviceName;
+    this.action = action;
+    this.grantOption = grantOption;
+    this.roles = new HashSet<MSentryRole>();
+    this.createTime = System.currentTimeMillis();
+    setAuthorizables(authorizables);
+  }
+
+  public MSentryGMPrivilege(MSentryGMPrivilege copy) {
+    this.action = copy.action;
+    this.componentName = copy.componentName;
+    this.serviceName = copy.serviceName;
+    this.grantOption = copy.grantOption;
+    this.scope = copy.scope;
+    this.createTime = copy.createTime;
+    setAuthorizables(copy.getAuthorizables());
+    this.roles = new HashSet<MSentryRole>();
+    for (MSentryRole role : copy.roles) {
+      roles.add(role);
+    }
+  }
+
+  public String getServiceName() {
+    return serviceName;
+  }
+
+  public void setServiceName(String serviceName) {
+    this.serviceName = serviceName;
+  }
+
+  public String getComponentName() {
+    return componentName;
+  }
+
+  public void setComponentName(String componentName) {
+    this.componentName = componentName;
+  }
+
+  public String getAction() {
+    return action;
+  }
+
+  public void setAction(String action) {
+    this.action = action;
+  }
+
+  public Boolean getGrantOption() {
+    return grantOption;
+  }
+
+  public void setGrantOption(Boolean grantOption) {
+    this.grantOption = grantOption;
+  }
+
+  public Set<MSentryRole> getRoles() {
+    return roles;
+  }
+
+  public void setRoles(Set<MSentryRole> roles) {
+    this.roles = roles;
+  }
+
+  public long getCreateTime() {
+    return createTime;
+  }
+
+  public void setCreateTime(long createTime) {
+    this.createTime = createTime;
+  }
+
+  public String getScope() {
+    return scope;
+  }
+
+  public List<? extends Authorizable> getAuthorizables() {
+    List<Authorizable> authorizables = Lists.newArrayList();
+    //construct atuhorizable lists
+    for (int i = 0; i < AUTHORIZABLE_LEVEL; i++) {
+      final String resourceName = (String) getField(this, PREFIX_RESOURCE_NAME + String.valueOf(i));
+      final String resourceTYpe = (String) getField(this, PREFIX_RESOURCE_TYPE + String.valueOf(i));
+
+      if (notNULL(resourceName) && notNULL(resourceTYpe)) {
+        authorizables.add(new Authorizable() {
+          @Override
+          public String getTypeName() {
+            return resourceTYpe;
+          }
+          @Override
+          public String getName() {
+            return resourceName;
+          }
+        });
+      }
+    }
+    return authorizables;
+  }
+
+  /**
+   * Only allow strict hierarchies. That is, can level =1 be not null when level = 0 is null
+   * @param authorizables
+   */
+  public void setAuthorizables(List<? extends Authorizable> authorizables) {
+    if (authorizables == null || authorizables.isEmpty()) {
+      //service scope
+      scope = SERVICE_SCOPE;
+      return;
+    }
+    if (authorizables.size() > AUTHORIZABLE_LEVEL) {
+      throw new IllegalStateException("This generic privilege model only supports maximum 4 level.");
+    }
+
+    for (int i = 0; i < authorizables.size(); i++) {
+      Authorizable authorizable = authorizables.get(i);
+      if (authorizable == null) {
+        String msg = String.format("The authorizable can't be null. Please check authorizables[%d]:", i);
+        throw new IllegalStateException(msg);
+      }
+      String resourceName = authorizable.getName();
+      String resourceTYpe = authorizable.getTypeName();
+      if (isNULL(resourceName) || isNULL(resourceTYpe)) {
+        String msg = String.format("The name and type of authorizable can't be empty or null.Please check authorizables[%d]", i);
+        throw new IllegalStateException(msg);
+      }
+      setField(this, PREFIX_RESOURCE_NAME + String.valueOf(i), toNULLCol(resourceName));
+      setField(this, PREFIX_RESOURCE_TYPE + String.valueOf(i), toNULLCol(resourceTYpe));
+      scope = resourceTYpe;
+    }
+  }
+
+  public void appendRole(MSentryRole role) {
+    if (roles.add(role)) {
+      role.appendGMPrivilege(this);
+    }
+  }
+
+  public void removeRole(MSentryRole role) {
+    if(roles.remove(role)) {
+      role.removeGMPrivilege(this);
+    }
+  }
+
+  @Override
+  public int hashCode() {
+    final int prime = 31;
+    int result = 1;
+    result = prime * result + ((action == null) ? 0 : action.hashCode());
+    result = prime * result + ((componentName == null) ? 0 : componentName.hashCode());
+    result = prime * result + ((serviceName == null) ? 0 : serviceName.hashCode());
+    result = prime * result + ((grantOption == null) ? 0 : grantOption.hashCode());
+    result = prime * result + ((scope == null) ? 0 : scope.hashCode());
+
+    for (Authorizable authorizable : getAuthorizables()) {
+      result = prime * result + authorizable.getName().hashCode();
+      result = prime * result + authorizable.getTypeName().hashCode();
+    }
+
+    return result;
+  }
+
+  @Override
+  public String toString() {
+    List<String> unifiedNames = Lists.newArrayList();
+    for (Authorizable auth : getAuthorizables()) {
+      unifiedNames.add(KV_JOINER.join(auth.getTypeName(),auth.getName()));
+    }
+
+    return "MSentryGMPrivilege ["
+        + "serverName=" + serviceName + ", componentName=" + componentName
+        + ", authorizables=" + AUTHORIZABLE_JOINER.join(unifiedNames)+ ", scope=" + scope
+        + ", action=" + action + ", roles=[...]"  + ", createTime="
+        + createTime + ", grantOption=" + grantOption +"]";
+  }
+
+  @Override
+  public boolean equals(Object obj) {
+      if (this == obj) {
+          return true;
+      }
+      if (obj == null) {
+          return false;
+      }
+      if (getClass() != obj.getClass()) {
+          return false;
+      }
+      MSentryGMPrivilege other = (MSentryGMPrivilege) obj;
+      if (action == null) {
+          if (other.action != null) {
+              return false;
+          }
+      } else if (!action.equalsIgnoreCase(other.action)) {
+          return false;
+      }
+      if (scope == null) {
+        if (other.scope != null) {
+            return false;
+        }
+      } else if (!scope.equals(other.scope)) {
+        return false;
+      }
+      if (serviceName == null) {
+          if (other.serviceName != null) {
+              return false;
+          }
+      } else if (!serviceName.equals(other.serviceName)) {
+          return false;
+      }
+      if (componentName == null) {
+          if (other.componentName != null) {
+              return false;
+          }
+      } else if (!componentName.equals(other.componentName)) {
+          return false;
+      }
+      if (grantOption == null) {
+        if (other.grantOption != null) {
+          return false;
+        }
+      } else if (!grantOption.equals(other.grantOption)) {
+        return false;
+      }
+
+      List<? extends Authorizable> authorizables = getAuthorizables();
+      List<? extends Authorizable> otherAuthorizables = other.getAuthorizables();
+
+      if (authorizables.size() != otherAuthorizables.size()) {
+        return false;
+      }
+      for (int i = 0; i < authorizables.size(); i++) {
+        String o1 = KV_JOINER.join(authorizables.get(i).getTypeName(),
+                                         authorizables.get(i).getName());
+        String o2 = KV_JOINER.join(otherAuthorizables.get(i).getTypeName(),
+                                   otherAuthorizables.get(i).getName());
+        if (!o1.equals(o2)) {
+          return false;
+        }
+      }
+      return true;
+  }
+
+  /**
+   * Return true if this privilege implies request privilege
+   * Otherwise, return false
+   * @param other, other privilege
+   */
+  public boolean implies(MSentryGMPrivilege request) {
+    //component check
+    if (!componentName.equals(request.getComponentName())) {
+      return false;
+    }
+    //service check
+    if (!serviceName.equals(request.getServiceName())) {
+      return false;
+    }
+    // check action implies
+    if (!action.equalsIgnoreCase(AccessConstants.ALL)
+        && !action.equalsIgnoreCase(request.getAction())
+        && !action.equalsIgnoreCase(AccessConstants.ACTION_ALL)) {
+      return false;
+    }
+    //check authorizable list implies
+    Iterator<? extends Authorizable> existIterator = getAuthorizables().iterator();
+    Iterator<? extends Authorizable> requestIterator = request.getAuthorizables().iterator();
+    while (existIterator.hasNext() && requestIterator.hasNext()) {
+      Authorizable existAuth = existIterator.next();
+      Authorizable requestAuth = requestIterator.next();
+      //check authorizable type
+      if (!existAuth.getTypeName().equals(requestAuth.getTypeName())) {
+        return false;
+      }
+      //check authorizable name
+      if (!existAuth.getName().equals(requestAuth.getName())) {
+        /**The persistent authorizable isn't equal the request authorizable
+        * but the following situations are pass check
+        * The name of persistent authorizable is ALL or "*"
+        */
+        if (existAuth.getName().equalsIgnoreCase(AccessConstants.ACTION_ALL)
+            || existAuth.getName().equalsIgnoreCase(AccessConstants.ALL)) {
+          continue;
+        } else {
+          return false;
+        }
+      }
+    }
+
+    if ( !existIterator.hasNext() && !requestIterator.hasNext() ){
+      /**
+       * The persistent privilege has the same authorizables size as the requested privilege
+       * The check is pass
+       */
+      return true;
+
+    } else if (existIterator.hasNext()) {
+      /**
+       * The persistent privilege has much more authorizables than request privilege,so its scope is less
+       * than the requested privilege.
+       * There is a situation that the check is pass, the name of the exceeding authorizables is ALL or "*".
+       * Take the Solr for example,the exist privilege is collection=c1->field=*->action=query
+       * the request privilege is collection=c1->action=query, the check is pass
+       */
+      while (existIterator.hasNext()) {
+        Authorizable existAuthorizable = existIterator.next();
+        if (existAuthorizable.getName().equalsIgnoreCase(AccessConstants.ALL)
+            || existAuthorizable.getName().equalsIgnoreCase(AccessConstants.ACTION_ALL)) {
+          continue;
+        } else {
+          return false;
+        }
+      }
+    } else {
+      /**
+       * The requested privilege has much more authorizables than persistent privilege, so its scope is less
+       * than the persistent privilege
+       * The check is pass
+       */
+      return true;
+    }
+
+    return true;
+  }
+
+  public static String toNULLCol(String col) {
+    return Strings.isNullOrEmpty(col) ? NULL_COL : col;
+  }
+
+  public static boolean notNULL(String s) {
+    return !(Strings.isNullOrEmpty(s) || NULL_COL.equals(s));
+  }
+
+  public static boolean isNULL(String s) {
+    return !notNULL(s);
+  }
+
+  public static <T> void setField(Object obj, String fieldName, T fieldValue) {
+    try {
+      Class<?> clazz = obj.getClass();
+      Field field=clazz.getDeclaredField(fieldName);
+      field.setAccessible(true);
+      field.set(obj, fieldValue);
+    } catch (Exception e) {
+      throw new RuntimeException("setField error: " + e.getMessage(), e);
+    }
+  }
+
+  @SuppressWarnings("unchecked")
+  public static <T> T getField(Object obj, String fieldName) {
+    try {
+      Class<?> clazz = obj.getClass();
+      Field field=clazz.getDeclaredField(fieldName);
+      field.setAccessible(true);
+      return (T)field.get(obj);
+    } catch (Exception e) {
+      throw new RuntimeException("getField error: " + e.getMessage(), e);
+    }
+  }
+
+  /**
+   * return the query to execute in JDO for search the given privilege
+   * @param privilege
+   * @return query
+   */
+  public static String toQuery(MSentryGMPrivilege privilege) {
+    StringBuilder query = new StringBuilder();
+    query.append("serviceName == \"" + toNULLCol(privilege.getServiceName()) + "\" ");
+    query.append("&& componentName == \"" + toNULLCol(privilege.getComponentName()) + "\" ");
+    query.append("&& scope == \"" + toNULLCol(privilege.getScope()) + "\" ");
+    query.append("&& action == \"" + toNULLCol(privilege.getAction()) + "\"");
+    if (privilege.getGrantOption() == null) {
+      query.append("&& this.grantOption == null ");
+    } else if (privilege.getGrantOption()) {
+      query.append("&& grantOption ");
+    } else {
+      query.append("&& !grantOption ");
+    }
+    List<? extends Authorizable> authorizables = privilege.getAuthorizables();
+    for (int i = 0; i < AUTHORIZABLE_LEVEL; i++) {
+      String resourceName = PREFIX_RESOURCE_NAME + String.valueOf(i);
+      String resourceType = PREFIX_RESOURCE_TYPE + String.valueOf(i);
+
+      if (i >= authorizables.size()) {
+        query.append("&& " + resourceName + " == \"" + NULL_COL + "\" ");
+        query.append("&& " + resourceType + " == \"" + NULL_COL + "\" ");
+      } else {
+        query.append("&& " + resourceName + " == \"" + authorizables.get(i).getName() + "\" ");
+        query.append("&& " + resourceType + " == \"" + authorizables.get(i).getTypeName() + "\" ");
+      }
+    }
+    return query.toString();
+  }
+
+  /**
+   * Get the query to execute in the JDO deducing privileges include the scope of according to the given privilege
+   * The query was used in three privilege operations:
+   * 1.revoking privilege
+   * 2.renaming privilege
+   * 3.dropping privilege
+   * Take the Solr for example, if there exists three privileges such as p1:Collection=c1->action=query,
+   * p2:Collection=c1->Field=f1->action=query and p3:Collection=c1->Field=f2->action=query.
+   * When the revoking operation happens, the request privilege is p4:Collection=c1->action=query.
+   * The result is that not only p1 should be revoked, but also p2 and p3 should be revoked together.
+   * So the populateIncludePrivilegesQuery should be Collection=c1
+   * @param privilege
+   * @return query
+   */
+  public static String populateIncludePrivilegesQuery(MSentryGMPrivilege privilege) {
+    StringBuilder query = new StringBuilder();
+    query.append("serviceName == \"" + toNULLCol(privilege.getServiceName()) + "\" ");
+    query.append("&& componentName == \"" + toNULLCol(privilege.getComponentName()) + "\" ");
+    List<? extends Authorizable> authorizables = privilege.getAuthorizables();
+    for (int i= 0 ; i < authorizables.size(); i++) {
+      String resourceName = PREFIX_RESOURCE_NAME + String.valueOf(i);
+      String resourceType = PREFIX_RESOURCE_TYPE + String.valueOf(i);
+      query.append("&& " + resourceName + " == \"" + authorizables.get(i).getName() + "\" ");
+      query.append("&& " + resourceType + " == \"" + authorizables.get(i).getTypeName() + "\" ");
+    }
+    return query.toString();
+  }
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java
new file mode 100644
index 0000000..7e41c93
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGroup.java
@@ -0,0 +1,116 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.model;
+
+import java.util.Set;
+
+import javax.jdo.annotations.PersistenceCapable;
+
+/**
+ * Database backed Sentry Group. Any changes to this object
+ * require re-running the maven build so DN an re-enhance.
+ */
+@PersistenceCapable
+public class MSentryGroup {
+
+  /**
+   * Group name is unique
+   */
+  private String groupName;
+  // set of roles granted to this group
+  private Set<MSentryRole> roles;
+  private long createTime;
+
+  public MSentryGroup(String groupName, long createTime, Set<MSentryRole> roles) {
+    this.setGroupName(groupName);
+    this.createTime = createTime;
+    this.roles = roles;
+  }
+
+  public long getCreateTime() {
+    return createTime;
+  }
+
+  public void setCreateTime(long createTime) {
+    this.createTime = createTime;
+  }
+
+  public Set<MSentryRole> getRoles() {
+    return roles;
+  }
+
+  public String getGroupName() {
+    return groupName;
+  }
+
+  public void setGroupName(String groupName) {
+    this.groupName = groupName;
+  }
+
+  public void appendRole(MSentryRole role) {
+    if (roles.add(role)) {
+      role.appendGroup(this);
+    }
+  }
+
+  public void removeRole(MSentryRole role) {
+    if (roles.remove(role)) {
+      role.removeGroup(this);
+    }
+  }
+
+  @Override
+  public String toString() {
+    return "MSentryGroup [groupName=" + groupName + ", roles=[...]"
+        + ", createTime=" + createTime +  "]";
+  }
+
+  @Override
+  public int hashCode() {
+    final int prime = 31;
+    int result = 1;
+    result = prime * result + ((groupName == null) ? 0 : groupName.hashCode());
+    return result;
+  }
+
+  @Override
+  public boolean equals(Object obj) {
+    if (this == obj) {
+      return true;
+    }
+    if (obj == null) {
+      return false;
+    }
+    if (getClass() != obj.getClass()) {
+      return false;
+    }
+    MSentryGroup other = (MSentryGroup) obj;
+    if (createTime != other.createTime) {
+      return false;
+    }
+    if (groupName == null) {
+      if (other.groupName != null) {
+        return false;
+      }
+    } else if (!groupName.equals(other.groupName)) {
+      return false;
+    }
+    return true;
+  }
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
new file mode 100644
index 0000000..4c3af79
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryPrivilege.java
@@ -0,0 +1,332 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.model;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.jdo.annotations.PersistenceCapable;
+
+import org.apache.sentry.core.common.utils.PathUtils;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.provider.db.service.persistent.SentryStore;
+
+/**
+ * Database backed Sentry Privilege. Any changes to this object
+ * require re-running the maven build so DN an re-enhance.
+ */
+@PersistenceCapable
+public class MSentryPrivilege {
+
+  private String privilegeScope;
+  /**
+   * Privilege name is unique
+   */
+  private String serverName = "";
+  private String dbName = "";
+  private String tableName = "";
+  private String columnName = "";
+  private String URI = "";
+  private String action = "";
+  private Boolean grantOption = false;
+  // roles this privilege is a part of
+  private Set<MSentryRole> roles;
+  private long createTime;
+
+  public MSentryPrivilege() {
+    this.roles = new HashSet<MSentryRole>();
+  }
+
+  public MSentryPrivilege(String privilegeScope,
+      String serverName, String dbName, String tableName, String columnName,
+      String URI, String action, Boolean grantOption) {
+    this.privilegeScope = privilegeScope;
+    this.serverName = serverName;
+    this.dbName = SentryStore.toNULLCol(dbName);
+    this.tableName = SentryStore.toNULLCol(tableName);
+    this.columnName = SentryStore.toNULLCol(columnName);
+    this.URI = SentryStore.toNULLCol(URI);
+    this.action = SentryStore.toNULLCol(action);
+    this.grantOption = grantOption;
+    this.roles = new HashSet<MSentryRole>();
+  }
+
+  public MSentryPrivilege(String privilegeScope,
+      String serverName, String dbName, String tableName, String columnName,
+      String URI, String action) {
+    this(privilegeScope, serverName, dbName, tableName,
+        columnName, URI, action, false);
+  }
+
+  public MSentryPrivilege(MSentryPrivilege other) {
+    this.privilegeScope = other.privilegeScope;
+    this.serverName = other.serverName;
+    this.dbName = SentryStore.toNULLCol(other.dbName);
+    this.tableName = SentryStore.toNULLCol(other.tableName);
+    this.columnName = SentryStore.toNULLCol(other.columnName);
+    this.URI = SentryStore.toNULLCol(other.URI);
+    this.action = SentryStore.toNULLCol(other.action);
+    this.grantOption = other.grantOption;
+    this.roles = new HashSet<MSentryRole>();
+    for (MSentryRole role : other.roles) {
+      roles.add(role);
+    }
+  }
+
+  public String getServerName() {
+    return serverName;
+  }
+
+  public void setServerName(String serverName) {
+    this.serverName = (serverName == null) ? "" : serverName;
+  }
+
+  public String getDbName() {
+    return dbName;
+  }
+
+  public void setDbName(String dbName) {
+    this.dbName = (dbName == null) ? "" : dbName;
+  }
+
+  public String getTableName() {
+    return tableName;
+  }
+
+  public void setTableName(String tableName) {
+    this.tableName = (tableName == null) ? "" : tableName;
+  }
+
+  public String getColumnName() {
+    return columnName;
+  }
+
+  public void setColumnName(String columnName) {
+    this.columnName = (columnName == null) ? "" : columnName;
+  }
+
+  public String getURI() {
+    return URI;
+  }
+
+  public void setURI(String uRI) {
+    URI = (uRI == null) ? "" : uRI;
+  }
+
+  public String getAction() {
+    return action;
+  }
+
+  public void setAction(String action) {
+    this.action = (action == null) ? "" : action;
+  }
+
+  public long getCreateTime() {
+    return createTime;
+  }
+
+  public void setCreateTime(long createTime) {
+    this.createTime = createTime;
+  }
+
+  public String getPrivilegeScope() {
+    return privilegeScope;
+  }
+
+  public void setPrivilegeScope(String privilegeScope) {
+    this.privilegeScope = privilegeScope;
+  }
+
+   public Boolean getGrantOption() {
+     return grantOption;
+   }
+
+   public void setGrantOption(Boolean grantOption) {
+     this.grantOption = grantOption;
+   }
+
+  public void appendRole(MSentryRole role) {
+    roles.add(role);
+  }
+
+  public Set<MSentryRole> getRoles() {
+    return roles;
+  }
+
+  public void removeRole(MSentryRole role) {
+    roles.remove(role);
+    role.removePrivilege(this);
+  }
+
+  @Override
+  public String toString() {
+    return "MSentryPrivilege [privilegeScope=" + privilegeScope
+        + ", serverName=" + serverName + ", dbName=" + dbName
+        + ", tableName=" + tableName + ", columnName=" + columnName
+        + ", URI=" + URI + ", action=" + action + ", roles=[...]"
+        + ", createTime=" + createTime + ", grantOption=" + grantOption +"]";
+  }
+
+  @Override
+  public int hashCode() {
+    final int prime = 31;
+    int result = 1;
+    result = prime * result + ((URI == null) ? 0 : URI.hashCode());
+    result = prime * result + ((action == null) ? 0 : action.hashCode());
+    result = prime * result + ((dbName == null) ? 0 : dbName.hashCode());
+    result = prime * result
+        + ((serverName == null) ? 0 : serverName.hashCode());
+    result = prime * result + ((tableName == null) ? 0 : tableName.hashCode());
+    result = prime * result
+        + ((columnName == null) ? 0 : columnName.hashCode());
+    result = prime * result
+        + ((grantOption == null) ? 0 : grantOption.hashCode());
+    return result;
+  }
+
+  @Override
+  public boolean equals(Object obj) {
+    if (this == obj) {
+      return true;
+    }
+    if (obj == null) {
+      return false;
+    }
+    if (getClass() != obj.getClass()) {
+      return false;
+    }
+    MSentryPrivilege other = (MSentryPrivilege) obj;
+    if (URI == null) {
+      if (other.URI != null) {
+        return false;
+      }
+    } else if (!URI.equals(other.URI)) {
+      return false;
+    }
+    if (action == null) {
+      if (other.action != null) {
+        return false;
+      }
+    } else if (!action.equals(other.action)) {
+      return false;
+    }
+    if (dbName == null) {
+      if (other.dbName != null) {
+        return false;
+      }
+    } else if (!dbName.equals(other.dbName)) {
+      return false;
+    }
+    if (serverName == null) {
+      if (other.serverName != null) {
+        return false;
+      }
+    } else if (!serverName.equals(other.serverName)) {
+      return false;
+    }
+    if (tableName == null) {
+      if (other.tableName != null) {
+        return false;
+      }
+    } else if (!tableName.equals(other.tableName)) {
+      return false;
+    }
+    if (columnName == null) {
+      if (other.columnName != null) {
+        return false;
+      }
+    } else if (!columnName.equals(other.columnName)) {
+      return false;
+    }
+    if (grantOption == null) {
+      if (other.grantOption != null) {
+        return false;
+      }
+    } else if (!grantOption.equals(other.grantOption)) {
+      return false;
+    }
+    return true;
+  }
+
+  /**
+   * Return true if this privilege implies other privilege
+   * Otherwise, return false
+   * @param other, other privilege
+   */
+  public boolean implies(MSentryPrivilege other) {
+    // serverName never be null
+    if (isNULL(serverName) || isNULL(other.serverName)) {
+      return false;
+    } else if (!serverName.equals(other.serverName)) {
+      return false;
+    }
+
+    // check URI implies
+    if (!isNULL(URI) && !isNULL(other.URI)) {
+      if (!PathUtils.impliesURI(URI, other.URI)) {
+        return false;
+      }
+      // if URI is NULL, check dbName and tableName
+    } else if (isNULL(URI) && isNULL(other.URI)) {
+      if (!isNULL(dbName)) {
+        if (isNULL(other.dbName)) {
+          return false;
+        } else if (!dbName.equals(other.dbName)) {
+          return false;
+        }
+      }
+      if (!isNULL(tableName)) {
+        if (isNULL(other.tableName)) {
+          return false;
+        } else if (!tableName.equals(other.tableName)) {
+          return false;
+        }
+      }
+      if (!isNULL(columnName)) {
+        if (isNULL(other.columnName)) {
+          return false;
+        } else if (!columnName.equals(other.columnName)) {
+          return false;
+        }
+      }
+      // if URI is not NULL, but other's URI is NULL, return false
+    } else if (!isNULL(URI) && isNULL(other.URI)){
+      return false;
+    }
+
+    // check action implies
+    if (!action.equalsIgnoreCase(AccessConstants.ALL)
+        && !action.equalsIgnoreCase(other.action)
+        && !action.equalsIgnoreCase(AccessConstants.ACTION_ALL)) {
+      return false;
+    }
+
+    return true;
+  }
+
+  private boolean isNULL(String s) {
+    return SentryStore.isNULL(s);
+  }
+
+  public boolean isActionALL() {
+    return AccessConstants.ACTION_ALL.equalsIgnoreCase(action)
+        || AccessConstants.ALL.equals(action);
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java
new file mode 100644
index 0000000..0484eaa
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryRole.java
@@ -0,0 +1,216 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.model;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.jdo.annotations.PersistenceCapable;
+
+import com.google.common.base.Preconditions;
+import com.google.common.collect.ImmutableSet;
+
+/**
+ * Database backed Sentry Role. Any changes to this object
+ * require re-running the maven build so DN an re-enhance.
+ */
+@PersistenceCapable
+public class MSentryRole {
+
+  private String roleName;
+  // set of privileges granted to this role
+  private Set<MSentryPrivilege> privileges;
+  // set of generic model privileges grant ro this role
+  private Set<MSentryGMPrivilege> gmPrivileges;
+
+  // set of groups this role belongs to
+  private Set<MSentryGroup> groups;
+  // set of users this role belongs to
+  private Set<MSentryUser> users;
+  private long createTime;
+
+  public MSentryRole(String roleName, long createTime) {
+    this.roleName = roleName;
+    this.createTime = createTime;
+    privileges = new HashSet<MSentryPrivilege>();
+    gmPrivileges = new HashSet<MSentryGMPrivilege>();
+    groups = new HashSet<MSentryGroup>();
+    users = new HashSet<MSentryUser>();
+  }
+
+  public long getCreateTime() {
+    return createTime;
+  }
+
+  public void setCreateTime(long createTime) {
+    this.createTime = createTime;
+  }
+
+  public String getRoleName() {
+    return roleName;
+  }
+
+  public void setRoleName(String roleName) {
+    this.roleName = roleName;
+  }
+
+  public void setPrivileges(Set<MSentryPrivilege> privileges) {
+    this.privileges = privileges;
+  }
+
+  public Set<MSentryPrivilege> getPrivileges() {
+    return privileges;
+  }
+
+  public Set<MSentryGMPrivilege> getGmPrivileges() {
+    return gmPrivileges;
+  }
+
+  public void setGmPrivileges(Set<MSentryGMPrivilege> gmPrivileges) {
+    this.gmPrivileges = gmPrivileges;
+  }
+
+  public void setGroups(Set<MSentryGroup> groups) {
+    this.groups = groups;
+  }
+
+  public Set<MSentryGroup> getGroups() {
+    return groups;
+  }
+
+  public Set<MSentryUser> getUsers() {
+    return users;
+  }
+
+  public void setUsers(Set<MSentryUser> users) {
+    this.users = users;
+  }
+
+  public void removePrivilege(MSentryPrivilege privilege) {
+    if (privileges.remove(privilege)) {
+      privilege.removeRole(this);
+    }
+  }
+
+  public void appendPrivileges(Set<MSentryPrivilege> privileges) {
+    this.privileges.addAll(privileges);
+  }
+
+  public void appendPrivilege(MSentryPrivilege privilege) {
+    if (privileges.add(privilege)) {
+      privilege.appendRole(this);
+    }
+  }
+
+  public void removeGMPrivilege(MSentryGMPrivilege gmPrivilege) {
+    if (gmPrivileges.remove(gmPrivilege)) {
+      gmPrivilege.removeRole(this);
+    }
+  }
+
+  public void appendGMPrivilege(MSentryGMPrivilege gmPrivilege) {
+    if (gmPrivileges.add(gmPrivilege)) {
+      gmPrivilege.appendRole(this);
+    }
+  }
+
+  public void removeGMPrivileges() {
+    for (MSentryGMPrivilege privilege : ImmutableSet.copyOf(gmPrivileges)) {
+      privilege.removeRole(this);
+    }
+    Preconditions.checkState(gmPrivileges.isEmpty(), "gmPrivileges should be empty: " + gmPrivileges);
+  }
+
+  public void appendGroups(Set<MSentryGroup> groups) {
+    this.groups.addAll(groups);
+  }
+
+  public void appendGroup(MSentryGroup group) {
+    if (groups.add(group)) {
+      group.appendRole(this);
+    }
+  }
+
+  public void removeGroup(MSentryGroup group) {
+    if (groups.remove(group)) {
+      group.removeRole(this);
+    }
+  }
+
+  public void appendUsers(Set<MSentryUser> users) {
+    this.users.addAll(users);
+  }
+
+  public void appendUser(MSentryUser user) {
+    if (users.add(user)) {
+      user.appendRole(this);
+    }
+  }
+
+  public void removeUser(MSentryUser user) {
+    if (users.remove(user)) {
+      user.removeRole(this);
+    }
+  }
+
+  public void removePrivileges() {
+    // copy is required since privilege.removeRole will call remotePrivilege
+    for (MSentryPrivilege privilege : ImmutableSet.copyOf(privileges)) {
+      privilege.removeRole(this);
+    }
+    Preconditions.checkState(privileges.isEmpty(), "Privileges should be empty: " + privileges);
+  }
+
+  @Override
+  public String toString() {
+    return "MSentryRole [roleName=" + roleName + ", privileges=[..]" + ", gmPrivileges=[..]"
+        + ", groups=[...]" + ", users=[...]" + ", createTime=" + createTime + "]";
+  }
+
+  @Override
+  public int hashCode() {
+    final int prime = 31;
+    int result = 1;
+    result = prime * result + ((roleName == null) ? 0 : roleName.hashCode());
+    return result;
+  }
+
+  @Override
+  public boolean equals(Object obj) {
+    if (this == obj) {
+      return true;
+    }
+    if (obj == null) {
+      return false;
+    }
+    if (getClass() != obj.getClass()) {
+      return false;
+    }
+    MSentryRole other = (MSentryRole) obj;
+    if (roleName == null) {
+      if (other.roleName != null) {
+        return false;
+      }
+    } else if (!roleName.equals(other.roleName)) {
+      return false;
+    }
+    return true;
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryUser.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryUser.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryUser.java
new file mode 100644
index 0000000..ff57249
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryUser.java
@@ -0,0 +1,116 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.model;
+
+import java.util.Set;
+
+import javax.jdo.annotations.PersistenceCapable;
+
+/**
+ * Database backed Sentry User. Any changes to this object
+ * require re-running the maven build so DN an re-enhance.
+ */
+@PersistenceCapable
+public class MSentryUser {
+
+  /**
+   * User name is unique
+   */
+  private String userName;
+  // set of roles granted to this user
+  private Set<MSentryRole> roles;
+  private long createTime;
+
+  public MSentryUser(String userName, long createTime, Set<MSentryRole> roles) {
+    this.setUserName(userName);
+    this.createTime = createTime;
+    this.roles = roles;
+  }
+
+  public long getCreateTime() {
+    return createTime;
+  }
+
+  public void setCreateTime(long createTime) {
+    this.createTime = createTime;
+  }
+
+  public Set<MSentryRole> getRoles() {
+    return roles;
+  }
+
+  public String getUserName() {
+    return userName;
+  }
+
+  public void setUserName(String userName) {
+    this.userName = userName;
+  }
+
+  public void appendRole(MSentryRole role) {
+    if (roles.add(role)) {
+      role.appendUser(this);
+    }
+  }
+
+  public void removeRole(MSentryRole role) {
+    if (roles.remove(role)) {
+      role.removeUser(this);
+    }
+  }
+
+  @Override
+  public String toString() {
+    return "MSentryUser [userName=" + userName + ", roles=[...]" + ", createTime=" + createTime
+        + "]";
+  }
+
+  @Override
+  public int hashCode() {
+    final int prime = 31;
+    int result = 1;
+    result = prime * result + ((userName == null) ? 0 : userName.hashCode());
+    return result;
+  }
+
+  @Override
+  public boolean equals(Object obj) {
+    if (this == obj) {
+      return true;
+    }
+    if (obj == null) {
+      return false;
+    }
+    if (getClass() != obj.getClass()) {
+      return false;
+    }
+    MSentryUser other = (MSentryUser) obj;
+    if (createTime != other.createTime) {
+      return false;
+    }
+    if (userName == null) {
+      if (other.userName != null) {
+        return false;
+      }
+    } else if (!userName.equals(other.userName)) {
+      return false;
+    }
+    return true;
+  }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryVersion.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryVersion.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryVersion.java
new file mode 100644
index 0000000..ff8830f
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/MSentryVersion.java
@@ -0,0 +1,66 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.model;
+
+import javax.jdo.annotations.PersistenceCapable;
+
+@PersistenceCapable
+public class MSentryVersion {
+  private String schemaVersion;
+  private String versionComment;
+
+  public MSentryVersion() {
+  }
+
+  public MSentryVersion(String schemaVersion, String versionComment) {
+    this.schemaVersion = schemaVersion;
+    this.versionComment = versionComment;
+  }
+
+  /**
+   * @return the versionComment
+   */
+  public String getVersionComment() {
+    return versionComment;
+  }
+
+  /**
+   * @param versionComment
+   *          the versionComment to set
+   */
+  public void setVersionComment(String versionComment) {
+    this.versionComment = versionComment;
+  }
+
+  /**
+   * @return the schemaVersion
+   */
+  public String getSchemaVersion() {
+    return schemaVersion;
+  }
+
+  /**
+   * @param schemaVersion
+   *          the schemaVersion to set
+   */
+  public void setSchemaVersion(String schemaVersion) {
+    this.schemaVersion = schemaVersion;
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo
new file mode 100644
index 0000000..b3b9494
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/model/package.jdo
@@ -0,0 +1,242 @@
+<?xml version="1.0"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+<!DOCTYPE jdo PUBLIC "-//Sun Microsystems, Inc.//DTD Java Data Objects Metadata 2.0//EN"
+  "http://java.sun.com/dtd/jdo_2_0.dtd">
+<!--
+  Size Limitations:
+
+  Indexed VARCHAR: 767 bytes (MySQL running on InnoDB Engine http://bugs.mysql.com/bug.php?id=13315)
+  Non-indexed VARCHAR: 4000 bytes (max length on Oracle 9i/10g/11g)
+
+-->
+<jdo>
+  <package name="org.apache.sentry.provider.db.service.model">
+    <class name="MSentryGroup" identity-type="datastore" table="SENTRY_GROUP" detachable="true">
+      <datastore-identity>
+        <column name="GROUP_ID"/>
+      </datastore-identity>
+      <field name="groupName">
+        <column name="GROUP_NAME" length="128" jdbc-type="VARCHAR"/>
+        <index name="SentryGroupName" unique="true"/>
+      </field>
+      <field name = "createTime">
+        <column name = "CREATE_TIME" jdbc-type="BIGINT"/>
+      </field>
+
+      <field name="roles" mapped-by="groups">
+         <collection element-type="org.apache.sentry.provider.db.service.model.MSentryRole"/>
+      </field>
+
+    </class>
+
+    <class name="MSentryUser" identity-type="datastore" table="SENTRY_USER" detachable="true">
+      <datastore-identity>
+        <column name="USER_ID"/>
+      </datastore-identity>
+      <field name="userName">
+        <column name="USER_NAME" length="128" jdbc-type="VARCHAR"/>
+        <index name="SentryUserName" unique="true"/>
+      </field>
+      <field name = "createTime">
+        <column name = "CREATE_TIME" jdbc-type="BIGINT"/>
+      </field>
+
+      <field name="roles" mapped-by="users">
+         <collection element-type="org.apache.sentry.provider.db.service.model.MSentryRole"/>
+      </field>
+
+    </class>
+
+    <class name="MSentryRole" identity-type="datastore" table="SENTRY_ROLE" detachable="true">
+      <datastore-identity>
+        <column name="ROLE_ID"/>
+      </datastore-identity>
+      <field name="roleName">
+        <column name="ROLE_NAME" length="128" jdbc-type="VARCHAR"/>
+        <index name="SentryRoleName" unique="true"/>
+      </field>
+      <field name = "createTime">
+        <column name = "CREATE_TIME" jdbc-type="BIGINT"/>
+      </field>
+      <field name = "privileges" table="SENTRY_ROLE_DB_PRIVILEGE_MAP" default-fetch-group="true">
+        <collection element-type="org.apache.sentry.provider.db.service.model.MSentryPrivilege"/>
+            <join>
+                <column name="ROLE_ID"/>
+            </join>
+            <element>
+                <column name="DB_PRIVILEGE_ID"/>
+            </element>
+      </field>
+
+      <field name = "gmPrivileges" table="SENTRY_ROLE_GM_PRIVILEGE_MAP" default-fetch-group="true">
+        <collection element-type="org.apache.sentry.provider.db.service.model.MSentryGMPrivilege"/>
+            <join>
+                <column name="ROLE_ID"/>
+            </join>
+            <element>
+                <column name="GM_PRIVILEGE_ID"/>
+            </element>
+      </field>
+
+      <field name = "groups" table="SENTRY_ROLE_GROUP_MAP" default-fetch-group="true">
+        <collection element-type="org.apache.sentry.provider.db.service.model.MSentryGroup"/>
+            <join>
+                <column name="ROLE_ID"/>
+            </join>
+            <element>
+                <column name="GROUP_ID"/>
+            </element>
+      </field>
+
+      <field name = "users" table="SENTRY_ROLE_USER_MAP" default-fetch-group="true">
+        <collection element-type="org.apache.sentry.provider.db.service.model.MSentryUser"/>
+            <join>
+                <column name="ROLE_ID"/>
+            </join>
+            <element>
+                <column name="USER_ID"/>
+            </element>
+      </field>
+    </class>
+
+    <class name="MSentryPrivilege" identity-type="datastore" table="SENTRY_DB_PRIVILEGE" detachable="true">
+      <datastore-identity>
+        <column name="DB_PRIVILEGE_ID"/>
+      </datastore-identity>
+      <index name="PRIVILEGE_INDEX" unique="true">
+        <field name="serverName"/>
+        <field name="dbName"/>
+        <field name="tableName"/>
+        <field name="columnName"/>
+        <field name="URI"/>
+        <field name="action"/>
+        <field name="grantOption"/>
+      </index>
+      <field name="privilegeScope">
+        <column name="PRIVILEGE_SCOPE" length="40" jdbc-type="VARCHAR"/>
+      </field>
+      <field name="serverName">
+        <column name="SERVER_NAME" length="4000" jdbc-type="VARCHAR"/>
+      </field>
+      <field name="dbName">
+        <column name="DB_NAME" length="4000" jdbc-type="VARCHAR"/>
+      </field>
+      <field name="tableName">
+        <column name="TABLE_NAME" length="4000" jdbc-type="VARCHAR"/>
+      </field>
+      <field name="columnName">
+        <column name="COLUMN_NAME" length="4000" jdbc-type="VARCHAR"/>
+      </field>
+      <field name="URI">
+        <column name="URI" length="4000" jdbc-type="VARCHAR"/>
+      </field>
+      <field name="action">
+        <column name="ACTION" length="40" jdbc-type="VARCHAR"/>
+      </field>
+      <field name = "createTime">
+        <column name = "CREATE_TIME" jdbc-type="BIGINT"/>
+      </field>
+      <field name="grantOption">
+        <column name="WITH_GRANT_OPTION" length="1" jdbc-type="CHAR"/>
+      </field>
+      <field name="roles" mapped-by="privileges">
+         <collection element-type="org.apache.sentry.provider.db.service.model.MSentryRole"/>
+      </field>
+    </class>
+
+    <class name="MSentryGMPrivilege" identity-type="datastore" table="SENTRY_GM_PRIVILEGE" detachable="true">
+      <datastore-identity>
+        <column name="GM_PRIVILEGE_ID"/>
+      </datastore-identity>
+      <index name="GM_PRIVILEGE_INDEX" unique="true">
+        <field name="componentName"/>
+        <field name="serviceName"/>
+        <field name="resourceName0"/>
+        <field name="resourceType0"/>
+        <field name="resourceName1"/>
+        <field name="resourceType1"/>
+        <field name="resourceName2"/>
+        <field name="resourceType2"/>
+        <field name="resourceName3"/>
+        <field name="resourceType3"/>
+        <field name="action"/>
+        <field name="grantOption"/>
+      </index>
+      <field name="componentName">
+        <column name="COMPONENT_NAME" length="100" jdbc-type="VARCHAR"/>
+      </field>
+      <field name="serviceName">
+        <column name="SERVICE_NAME" length="100" jdbc-type="VARCHAR"/>
+      </field>
+      <field name="resourceName0">
+        <column name="RESOURCE_NAME_0" length="100" jdbc-type="VARCHAR"/>
+      </field>
+      <field name="resourceType0">
+        <column name="RESOURCE_TYPE_0" length="100" jdbc-type="VARCHAR"/>
+      </field>
+      <field name="resourceName1">
+        <column name="RESOURCE_NAME_1" length="100" jdbc-type="VARCHAR"/>
+      </field>
+      <field name="resourceType1">
+        <column name="RESOURCE_TYPE_1" length="100" jdbc-type="VARCHAR"/>
+      </field>
+      <field name="resourceName2">
+        <column name="RESOURCE_NAME_2" length="100" jdbc-type="VARCHAR"/>
+      </field>
+      <field name="resourceType2">
+        <column name="RESOURCE_TYPE_2" length="100" jdbc-type="VARCHAR"/>
+      </field>
+      <field name="resourceName3">
+        <column name="RESOURCE_NAME_3" length="100" jdbc-type="VARCHAR"/>
+      </field>
+      <field name="resourceType3">
+        <column name="RESOURCE_TYPE_3" length="100" jdbc-type="VARCHAR"/>
+      </field>
+      <field name="action">
+        <column name="ACTION" length="100" jdbc-type="VARCHAR"/>
+      </field>
+      <field name="scope">
+        <column name="SCOPE" length="100" jdbc-type="VARCHAR"/>
+      </field>
+      <field name = "createTime">
+        <column name = "CREATE_TIME" jdbc-type="BIGINT"/>
+      </field>
+      <field name="grantOption">
+        <column name="WITH_GRANT_OPTION" length="1" jdbc-type="CHAR"/>
+      </field>
+      <field name="roles" mapped-by="gmPrivileges">
+        <collection element-type="org.apache.sentry.provider.db.service.model.MSentryRole"/>
+      </field>
+    </class>
+
+    <class name="MSentryVersion" table="SENTRY_VERSION" identity-type="datastore" detachable="true">
+      <datastore-identity>
+        <column name="VER_ID"/>
+      </datastore-identity>
+      <field name ="schemaVersion">
+        <column name="SCHEMA_VERSION" length="127" jdbc-type="VARCHAR" allows-null="false"/>
+      </field>
+      <field name ="versionComment">
+        <column name="VERSION_COMMENT" length="255" jdbc-type="VARCHAR" allows-null="false"/>
+      </field>
+     </class>
+
+  </package>
+</jdo>
+

http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/CommitContext.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/CommitContext.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/CommitContext.java
new file mode 100644
index 0000000..c74dbf3
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/CommitContext.java
@@ -0,0 +1,42 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.db.service.persistent;
+
+import java.util.UUID;
+
+/**
+ * Stores the UUID associated with the server who processed
+ * a commit and a commit order sequence id.
+ */
+public class CommitContext {
+
+  private final String serverUUID;
+  private final long sequenceId;
+
+  public CommitContext(UUID serverUUID, long sequenceId) {
+    this.serverUUID = serverUUID.toString();
+    this.sequenceId = sequenceId;
+  }
+  public String getServerUUID() {
+    return serverUUID;
+  }
+  public long getSequenceId() {
+    return sequenceId;
+  }
+}
\ No newline at end of file


Mime
View raw message