sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From co...@apache.org
Subject [22/44] sentry git commit: SENTRY-1287: Create sentry-service-server module(Colin Ma, reviewed by Dapeng Sun)
Date Fri, 24 Jun 2016 06:00:51 GMT
http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java
new file mode 100644
index 0000000..c23042d
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/DelegateSentryStore.java
@@ -0,0 +1,542 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.persistent;
+
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Set;
+
+import javax.jdo.PersistenceManager;
+import javax.jdo.Query;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
+import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
+import org.apache.sentry.core.common.exception.SentryGrantDeniedException;
+import org.apache.sentry.core.common.exception.SentryInvalidInputException;
+import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
+import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
+import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
+import org.apache.sentry.provider.db.service.model.MSentryGroup;
+import org.apache.sentry.provider.db.service.model.MSentryRole;
+import org.apache.sentry.provider.db.service.persistent.CommitContext;
+import org.apache.sentry.provider.db.service.persistent.SentryStore;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor;
+import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
+import org.apache.sentry.provider.db.service.thrift.TSentryRole;
+import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Joiner;
+import com.google.common.base.Preconditions;
+import com.google.common.base.Strings;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
+
+/**
+ * The DelegateSentryStore will supports the generic authorizable model. It stores the authorizables
+ * into separated column. Take the authorizables:[DATABASE=db1,TABLE=tb1,COLUMN=cl1] for example,
+ * The DATABASE,db1,TABLE,tb1,COLUMN and cl1 will be stored into the six columns(resourceName0=db1,resourceType0=DATABASE,
+ * resourceName1=tb1,resourceType1=TABLE,
+ * resourceName2=cl1,resourceType2=COLUMN ) of generic privilege table
+ */
+public class DelegateSentryStore implements SentryStoreLayer {
+  private SentryStore delegate;
+  private Configuration conf;
+  private Set<String> adminGroups;
+  private PrivilegeOperatePersistence privilegeOperator;
+
+  public DelegateSentryStore(Configuration conf) throws SentryNoSuchObjectException,
+      SentryAccessDeniedException, SentrySiteConfigurationException, IOException {
+    this.privilegeOperator = new PrivilegeOperatePersistence(conf);
+    // The generic model doesn't turn on the thread that cleans hive privileges
+    conf.set(ServerConfig.SENTRY_STORE_ORPHANED_PRIVILEGE_REMOVAL,"false");
+    this.conf = conf;
+    //delegated old sentryStore
+    this.delegate = new SentryStore(conf);
+    adminGroups = ImmutableSet.copyOf(toTrimmed(Sets.newHashSet(conf.getStrings(
+        ServerConfig.ADMIN_GROUPS, new String[]{}))));
+  }
+
+  private PersistenceManager openTransaction() {
+    return delegate.openTransaction();
+  }
+
+  private CommitContext commitUpdateTransaction(PersistenceManager pm) {
+    return delegate.commitUpdateTransaction(pm);
+  }
+
+  private void rollbackTransaction(PersistenceManager pm) {
+    delegate.rollbackTransaction(pm);
+  }
+
+  private void commitTransaction(PersistenceManager pm) {
+    delegate.commitTransaction(pm);
+  }
+
+  private MSentryRole getRole(String roleName, PersistenceManager pm) {
+    return delegate.getMSentryRole(pm, roleName);
+  }
+
+  @Override
+  public CommitContext createRole(String component, String role,
+      String requestor) throws SentryAlreadyExistsException {
+    return delegate.createSentryRole(role);
+  }
+
+  /**
+   * The role is global in the generic model, such as the role may be has more than one component
+   * privileges, so delete role will remove all privileges related to it.
+   */
+  @Override
+  public CommitContext dropRole(String component, String role, String requestor)
+      throws SentryNoSuchObjectException {
+    boolean rollbackTransaction = true;
+    PersistenceManager pm = null;
+    String trimmedRole = toTrimmedLower(role);
+    try {
+      pm = openTransaction();
+      Query query = pm.newQuery(MSentryRole.class);
+      query.setFilter("this.roleName == t");
+      query.declareParameters("java.lang.String t");
+      query.setUnique(true);
+      MSentryRole sentryRole = (MSentryRole) query.execute(trimmedRole);
+      if (sentryRole == null) {
+        throw new SentryNoSuchObjectException("Role: " + trimmedRole + " doesn't exist");
+      } else {
+        pm.retrieve(sentryRole);
+        sentryRole.removeGMPrivileges();
+        sentryRole.removePrivileges();
+        pm.deletePersistent(sentryRole);
+      }
+      CommitContext commit = commitUpdateTransaction(pm);
+      rollbackTransaction = false;
+      return commit;
+    } finally {
+      if (rollbackTransaction) {
+        rollbackTransaction(pm);
+      }
+    }
+  }
+
+  @Override
+  public Set<String> getAllRoleNames() {
+    return delegate.getAllRoleNames();
+  }
+
+  @Override
+  public CommitContext alterRoleAddGroups(String component, String role,
+      Set<String> groups, String requestor) throws SentryNoSuchObjectException {
+    return delegate.alterSentryRoleAddGroups(requestor, role, toTSentryGroups(groups));
+  }
+
+  @Override
+  public CommitContext alterRoleDeleteGroups(String component, String role,
+      Set<String> groups, String requestor) throws SentryNoSuchObjectException {
+  //called to old sentryStore
+    return delegate.alterSentryRoleDeleteGroups(role, toTSentryGroups(groups));
+  }
+
+  @Override
+  public CommitContext alterRoleGrantPrivilege(String component, String role,
+      PrivilegeObject privilege, String grantorPrincipal)
+      throws SentryUserException {
+    String trimmedRole = toTrimmedLower(role);
+    PersistenceManager pm = null;
+    boolean rollbackTransaction = true;
+    try{
+      pm = openTransaction();
+      MSentryRole mRole = getRole(trimmedRole, pm);
+      if (mRole == null) {
+        throw new SentryNoSuchObjectException("Role: " + trimmedRole + " doesn't exist");
+      }
+      /**
+       * check with grant option
+       */
+      grantOptionCheck(privilege, grantorPrincipal, pm);
+
+      privilegeOperator.grantPrivilege(privilege, mRole, pm);
+
+      CommitContext commitContext = delegate.commitUpdateTransaction(pm);
+      rollbackTransaction = false;
+      return commitContext;
+
+    } finally {
+      if (rollbackTransaction) {
+        rollbackTransaction(pm);
+      }
+    }
+  }
+
+  @Override
+  public CommitContext alterRoleRevokePrivilege(String component,
+      String role, PrivilegeObject privilege, String grantorPrincipal)
+      throws SentryUserException {
+    String trimmedRole = toTrimmedLower(role);
+    PersistenceManager pm = null;
+    boolean rollbackTransaction = true;
+    try{
+      pm = openTransaction();
+      MSentryRole mRole = getRole(trimmedRole, pm);
+      if (mRole == null) {
+        throw new SentryNoSuchObjectException("Role: " + trimmedRole + " doesn't exist");
+      }
+      /**
+       * check with grant option
+       */
+      grantOptionCheck(privilege, grantorPrincipal, pm);
+
+      privilegeOperator.revokePrivilege(privilege, mRole, pm);
+
+      CommitContext commitContext = commitUpdateTransaction(pm);
+      rollbackTransaction = false;
+      return commitContext;
+
+    } finally {
+      if (rollbackTransaction) {
+        rollbackTransaction(pm);
+      }
+    }
+  }
+
+  @Override
+  public CommitContext renamePrivilege(String component, String service,
+      List<? extends Authorizable> oldAuthorizables,
+      List<? extends Authorizable> newAuthorizables, String requestor)
+      throws SentryUserException {
+    Preconditions.checkNotNull(component);
+    Preconditions.checkNotNull(service);
+    Preconditions.checkNotNull(oldAuthorizables);
+    Preconditions.checkNotNull(newAuthorizables);
+
+    if (oldAuthorizables.size() != newAuthorizables.size()) {
+      throw new SentryAccessDeniedException(
+          "rename privilege denied: the size of oldAuthorizables must equals the newAuthorizables "
+              + "oldAuthorizables:" + Arrays.toString(oldAuthorizables.toArray()) + " "
+              + "newAuthorizables:" + Arrays.toString(newAuthorizables.toArray()));
+    }
+
+    PersistenceManager pm = null;
+    boolean rollbackTransaction = true;
+    try {
+      pm = openTransaction();
+
+      privilegeOperator.renamePrivilege(toTrimmedLower(component), toTrimmedLower(service),
+          oldAuthorizables, newAuthorizables, requestor, pm);
+
+      CommitContext commitContext = commitUpdateTransaction(pm);
+      rollbackTransaction = false;
+      return commitContext;
+    } finally {
+      if (rollbackTransaction) {
+        rollbackTransaction(pm);
+      }
+    }
+  }
+
+  @Override
+  public CommitContext dropPrivilege(String component,
+      PrivilegeObject privilege, String requestor) throws SentryUserException {
+    Preconditions.checkNotNull(requestor);
+
+    PersistenceManager pm = null;
+    boolean rollbackTransaction = true;
+    try {
+      pm = openTransaction();
+
+      privilegeOperator.dropPrivilege(privilege, pm);
+
+      CommitContext commitContext = commitUpdateTransaction(pm);
+      rollbackTransaction = false;
+      return commitContext;
+    } finally {
+      if (rollbackTransaction) {
+        rollbackTransaction(pm);
+      }
+    }
+  }
+
+  /**
+   * Grant option check
+   * @param component
+   * @param pm
+   * @param privilegeReader
+   * @throws SentryUserException
+   */
+  private void grantOptionCheck(PrivilegeObject requestPrivilege, String grantorPrincipal,PersistenceManager pm)
+      throws SentryUserException {
+
+    if (Strings.isNullOrEmpty(grantorPrincipal)) {
+      throw new SentryInvalidInputException("grantorPrincipal should not be null or empty");
+    }
+
+    Set<String> groups = getRequestorGroups(grantorPrincipal);
+    if (groups == null || groups.isEmpty()) {
+      throw new SentryGrantDeniedException(grantorPrincipal
+          + " has no grant!");
+    }
+    //admin group check
+    if (!Sets.intersection(adminGroups, toTrimmed(groups)).isEmpty()) {
+      return;
+    }
+    //privilege grant option check
+    Set<MSentryRole> mRoles = delegate.getRolesForGroups(pm, groups);
+    if (!privilegeOperator.checkPrivilegeOption(mRoles, requestPrivilege, pm)) {
+      throw new SentryGrantDeniedException(grantorPrincipal
+          + " has no grant!");
+    }
+  }
+
+  @Override
+  public Set<String> getRolesByGroups(String component, Set<String> groups)
+      throws SentryUserException {
+    Set<String> roles = Sets.newHashSet();
+    if (groups == null) {
+      return roles;
+    }
+    for (TSentryRole tSentryRole : delegate.getTSentryRolesByGroupName(groups, true)) {
+      roles.add(tSentryRole.getRoleName());
+    }
+    return roles;
+  }
+
+  @Override
+  public Set<String> getGroupsByRoles(String component, Set<String> roles)
+      throws SentryUserException {
+    Set<String> trimmedRoles = toTrimmedLower(roles);
+    Set<String> groupNames = Sets.newHashSet();
+    if (trimmedRoles.size() == 0) {
+      return groupNames;
+    }
+
+    PersistenceManager pm = null;
+    try{
+      pm = openTransaction();
+      //get groups by roles
+      Query query = pm.newQuery(MSentryGroup.class);
+      StringBuilder filters = new StringBuilder();
+      query.declareVariables("MSentryRole role");
+      List<String> rolesFiler = new LinkedList<String>();
+      for (String role : trimmedRoles) {
+        rolesFiler.add("role.roleName == \"" + role + "\" ");
+      }
+      filters.append("roles.contains(role) " + "&& (" + Joiner.on(" || ").join(rolesFiler) + ")");
+      query.setFilter(filters.toString());
+
+      List<MSentryGroup> groups = (List<MSentryGroup>)query.execute();
+      if (groups == null) {
+        return groupNames;
+      }
+      for (MSentryGroup group : groups) {
+        groupNames.add(group.getGroupName());
+      }
+      return groupNames;
+    } finally {
+      if (pm != null) {
+        commitTransaction(pm);
+      }
+    }
+  }
+
+  @Override
+  public Set<PrivilegeObject> getPrivilegesByRole(String component,
+      Set<String> roles) throws SentryUserException {
+    Preconditions.checkNotNull(roles);
+    Set<PrivilegeObject> privileges = Sets.newHashSet();
+    if (roles.isEmpty()) {
+      return privileges;
+    }
+
+    PersistenceManager pm = null;
+    try {
+      pm = openTransaction();
+      Set<MSentryRole> mRoles = Sets.newHashSet();
+      for (String role : roles) {
+        MSentryRole mRole = getRole(toTrimmedLower(role), pm);
+        if (mRole != null) {
+          mRoles.add(mRole);
+        }
+      }
+      privileges.addAll(privilegeOperator.getPrivilegesByRole(mRoles, pm));
+    } finally {
+      if (pm != null) {
+        commitTransaction(pm);
+      }
+    }
+    return privileges;
+  }
+
+  @Override
+  public Set<PrivilegeObject> getPrivilegesByProvider(String component,
+      String service, Set<String> roles, Set<String> groups,
+      List<? extends Authorizable> authorizables) throws SentryUserException {
+    Preconditions.checkNotNull(component);
+    Preconditions.checkNotNull(service);
+
+    String trimmedComponent = toTrimmedLower(component);
+    String trimmedService = toTrimmedLower(service);
+
+    Set<PrivilegeObject> privileges = Sets.newHashSet();
+    PersistenceManager pm = null;
+    try {
+      pm = openTransaction();
+      //CaseInsensitive roleNames
+      Set<String> trimmedRoles = toTrimmedLower(roles);
+
+      if (groups != null) {
+        trimmedRoles.addAll(delegate.getRoleNamesForGroups(groups));
+      }
+
+      if (trimmedRoles.size() == 0) {
+        return privileges;
+      }
+
+      Set<MSentryRole> mRoles = Sets.newHashSet();
+      for (String role : trimmedRoles) {
+        MSentryRole mRole = getRole(role, pm);
+        if (mRole != null) {
+          mRoles.add(mRole);
+        }
+      }
+      //get the privileges
+      privileges.addAll(privilegeOperator.getPrivilegesByProvider(trimmedComponent, trimmedService, mRoles, authorizables, pm));
+    } finally {
+      if (pm != null) {
+        commitTransaction(pm);
+      }
+    }
+    return privileges;
+  }
+
+  @Override
+  public Set<MSentryGMPrivilege> getPrivilegesByAuthorizable(String component, String service,
+      Set<String> validActiveRoles, List<? extends Authorizable> authorizables)
+      throws SentryUserException {
+
+    Preconditions.checkNotNull(component);
+    Preconditions.checkNotNull(service);
+
+    component = toTrimmedLower(component);
+    service = toTrimmedLower(service);
+
+    Set<MSentryGMPrivilege> privileges = Sets.newHashSet();
+
+    if (validActiveRoles == null || validActiveRoles.isEmpty()) {
+      return privileges;
+    }
+
+    PersistenceManager pm = null;
+    try {
+      pm = openTransaction();
+
+      Set<MSentryRole> mRoles = Sets.newHashSet();
+      for (String role : validActiveRoles) {
+        MSentryRole mRole = getRole(role, pm);
+        if (mRole != null) {
+          mRoles.add(mRole);
+        }
+      }
+
+      //get the privileges
+      Set<MSentryGMPrivilege> mSentryGMPrivileges =  privilegeOperator.getPrivilegesByAuthorizable(component, service, mRoles, authorizables, pm);
+
+      for (MSentryGMPrivilege mSentryGMPrivilege : mSentryGMPrivileges) {
+        /**
+         * force to load all roles related this privilege
+         * avoid the lazy-loading
+         */
+        pm.retrieve(mSentryGMPrivilege);
+        privileges.add(mSentryGMPrivilege);
+      }
+
+    } finally {
+      commitTransaction(pm);
+    }
+    return privileges;
+  }
+
+   @Override
+  public void close() {
+    delegate.stop();
+  }
+
+  private Set<TSentryGroup> toTSentryGroups(Set<String> groups) {
+    Set<TSentryGroup> tSentryGroups = Sets.newHashSet();
+    for (String group : groups) {
+      tSentryGroups.add(new TSentryGroup(group));
+    }
+    return tSentryGroups;
+  }
+
+  private Set<String> toTrimmedLower(Set<String> s) {
+    if (s == null) {
+      return new HashSet<String>();
+    }
+    Set<String> result = Sets.newHashSet();
+    for (String v : s) {
+      result.add(v.trim().toLowerCase());
+    }
+    return result;
+  }
+
+  private Set<String> toTrimmed(Set<String> s) {
+    if (s == null) {
+      return new HashSet<String>();
+    }
+    Set<String> result = Sets.newHashSet();
+    for (String v : s) {
+      result.add(v.trim());
+    }
+    return result;
+  }
+
+  private String toTrimmedLower(String s) {
+    if (s == null) {
+      return "";
+    }
+    return s.trim().toLowerCase();
+  }
+
+  private Set<String> getRequestorGroups(String userName)
+      throws SentryUserException {
+    return SentryPolicyStoreProcessor.getGroupsFromUserName(this.conf, userName);
+  }
+
+  @VisibleForTesting
+  void clearAllTables() {
+    boolean rollbackTransaction = true;
+    PersistenceManager pm = null;
+    try {
+      pm = openTransaction();
+      pm.newQuery(MSentryRole.class).deletePersistentAll();
+      pm.newQuery(MSentryGroup.class).deletePersistentAll();
+      pm.newQuery(MSentryGMPrivilege.class).deletePersistentAll();
+      commitUpdateTransaction(pm);
+      rollbackTransaction = false;
+    } finally {
+      if (rollbackTransaction) {
+        rollbackTransaction(pm);
+      }
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java
new file mode 100644
index 0000000..feab1e9
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeObject.java
@@ -0,0 +1,231 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.persistent;
+
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
+
+import java.util.List;
+import org.apache.sentry.core.common.Authorizable;
+import com.google.common.base.Preconditions;
+import com.google.common.collect.Lists;
+
+public final class PrivilegeObject {
+  private final String component;
+  private final String service;
+  private final String action;
+  private final Boolean grantOption;
+  private List<? extends Authorizable> authorizables;
+
+  private PrivilegeObject(String component, String service, String action,
+      Boolean grantOption,
+      List<? extends Authorizable> authorizables) {
+    this.component = component;
+    this.service = service;
+    this.action = action;
+    this.grantOption = grantOption;
+    this.authorizables = authorizables;
+  }
+
+  public List<? extends Authorizable> getAuthorizables() {
+    return authorizables;
+  }
+
+  public String getAction() {
+    return action;
+  }
+
+  public String getComponent() {
+    return component;
+  }
+
+  public String getService() {
+    return service;
+  }
+
+  public Boolean getGrantOption() {
+    return grantOption;
+  }
+
+  @Override
+  public String toString() {
+    List<String> authorizable = Lists.newArrayList();
+    for (Authorizable az : authorizables) {
+      authorizable.add(KV_JOINER.join(az.getTypeName(),az.getName()));
+    }
+    return "PrivilegeObject [" + ", service=" + service + ", component="
+        + component + ", authorizables=" + AUTHORIZABLE_JOINER.join(authorizable)
+        + ", action=" + action + ", grantOption=" + grantOption + "]";
+  }
+
+  @Override
+  public int hashCode() {
+    final int prime = 31;
+    int result = 1;
+    result = prime * result + ((action == null) ? 0 : action.hashCode());
+    result = prime * result + ((component == null) ? 0 : component.hashCode());
+    result = prime * result + ((service == null) ? 0 : service.hashCode());
+    result = prime * result + ((grantOption == null) ? 0 : grantOption.hashCode());
+    for (Authorizable authorizable : authorizables) {
+      result = prime * result + authorizable.getTypeName().hashCode();
+      result = prime * result + authorizable.getName().hashCode();
+    }
+    return result;
+  }
+
+  @Override
+  public boolean equals(Object obj) {
+    if (this == obj) {
+      return true;
+    }
+    if (obj == null) {
+      return false;
+    }
+    if (getClass() != obj.getClass()) {
+      return false;
+    }
+    PrivilegeObject other = (PrivilegeObject) obj;
+    if (action == null) {
+      if (other.action != null) {
+        return false;
+      }
+    } else if (!action.equals(other.action)) {
+      return false;
+    }
+    if (service == null) {
+      if (other.service != null) {
+        return false;
+      }
+    } else if (!service.equals(other.service)) {
+      return false;
+    }
+    if (component == null) {
+      if (other.component != null) {
+        return false;
+      }
+    } else if (!component.equals(other.component)) {
+      return false;
+    }
+    if (grantOption == null) {
+      if (other.grantOption != null) {
+        return false;
+      }
+    } else if (!grantOption.equals(other.grantOption)) {
+      return false;
+    }
+
+    if (authorizables.size() != other.authorizables.size()) {
+      return false;
+    }
+    for (int i = 0; i < authorizables.size(); i++) {
+      String o1 = KV_JOINER.join(authorizables.get(i).getTypeName(),
+          authorizables.get(i).getName());
+      String o2 = KV_JOINER.join(other.authorizables.get(i).getTypeName(),
+          other.authorizables.get(i).getName());
+      if (!o1.equalsIgnoreCase(o2)) {
+        return false;
+      }
+    }
+    return true;
+  }
+
+  public static class Builder {
+    private String component;
+    private String service;
+    private String action;
+    private Boolean grantOption;
+    private List<? extends Authorizable> authorizables;
+
+    public Builder() {
+
+    }
+
+    public Builder(PrivilegeObject privilege) {
+      this.component = privilege.component;
+      this.service = privilege.service;
+      this.action = privilege.action;
+      this.grantOption = privilege.grantOption;
+      this.authorizables = privilege.authorizables;
+    }
+
+    public Builder setComponent(String component) {
+      this.component = component;
+      return this;
+    }
+
+    public Builder setService(String service) {
+      this.service = service;
+      return this;
+    }
+
+    public Builder setAction(String action) {
+      this.action = action;
+      return this;
+    }
+
+    public Builder withGrantOption(Boolean grantOption) {
+      this.grantOption = grantOption;
+      return this;
+    }
+
+    public Builder setAuthorizables(List<? extends Authorizable> authorizables) {
+      this.authorizables = authorizables;
+      return this;
+    }
+
+    /**
+     * TolowerCase the authorizable name, the authorizable type is define when it was created.
+     * Take the Solr for example, it has two Authorizable objects. They have the type Collection
+     * and Field, they are can't be changed. So we should unified the authorizable name tolowercase.
+     * @return new authorizable lists
+     */
+    private List<? extends Authorizable> toLowerAuthorizableName(List<? extends Authorizable> authorizables) {
+      List<Authorizable> newAuthorizable = Lists.newArrayList();
+      if (authorizables == null || authorizables.size() == 0) {
+        return newAuthorizable;
+      }
+      for (final Authorizable authorizable : authorizables) {
+        newAuthorizable.add(new Authorizable() {
+          @Override
+          public String getTypeName() {
+            return authorizable.getTypeName();
+          }
+          @Override
+          public String getName() {
+            return authorizable.getName();
+          }
+        });
+      }
+      return newAuthorizable;
+    }
+
+    public PrivilegeObject build() {
+      Preconditions.checkNotNull(component);
+      Preconditions.checkNotNull(service);
+      Preconditions.checkNotNull(action);
+      //CaseInsensitive authorizable name
+      List<? extends Authorizable> newAuthorizable = toLowerAuthorizableName(authorizables);
+
+      return new PrivilegeObject(component.toLowerCase(),
+                                     service.toLowerCase(),
+                                     action.toLowerCase(),
+                                     grantOption,
+                                     newAuthorizable);
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java
new file mode 100644
index 0000000..b1180bf
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/PrivilegeOperatePersistence.java
@@ -0,0 +1,485 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.persistent;
+
+import java.lang.reflect.Constructor;
+import java.util.ArrayList;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import javax.jdo.PersistenceManager;
+import javax.jdo.Query;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.BitFieldAction;
+import org.apache.sentry.core.common.BitFieldActionFactory;
+import org.apache.sentry.core.model.kafka.KafkaActionFactory;
+import org.apache.sentry.core.model.search.SearchActionFactory;
+import org.apache.sentry.core.model.sqoop.SqoopActionFactory;
+import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject.Builder;
+import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
+import org.apache.sentry.provider.db.service.model.MSentryRole;
+
+import com.google.common.base.Joiner;
+import com.google.common.base.Strings;
+import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
+import org.apache.sentry.service.thrift.ServiceConstants;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * This class used do some operations related privilege and make the results
+ * persistence
+ */
+public class PrivilegeOperatePersistence {
+  private static final Logger LOGGER = LoggerFactory.getLogger(PrivilegeOperatePersistence.class);
+  private static final Map<String, BitFieldActionFactory> actionFactories = Maps.newHashMap();
+  static{
+    actionFactories.put("solr", new SearchActionFactory());
+    actionFactories.put("sqoop", new SqoopActionFactory());
+    actionFactories.put("kafka", KafkaActionFactory.getInstance());
+  }
+
+  private final Configuration conf;
+
+  public PrivilegeOperatePersistence(Configuration conf) {
+    this.conf = conf;
+  }
+
+  public boolean checkPrivilegeOption(Set<MSentryRole> roles, PrivilegeObject privilege, PersistenceManager pm) {
+    MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege);
+    boolean hasGrant = false;
+    //get persistent privileges by roles
+    Query query = pm.newQuery(MSentryGMPrivilege.class);
+    StringBuilder filters = new StringBuilder();
+    if (roles != null && roles.size() > 0) {
+      query.declareVariables("MSentryRole role");
+      List<String> rolesFiler = new LinkedList<String>();
+      for (MSentryRole role : roles) {
+        rolesFiler.add("role.roleName == \"" + role.getRoleName() + "\" ");
+      }
+      filters.append("roles.contains(role) " + "&& (" + Joiner.on(" || ").join(rolesFiler) + ")");
+    }
+    query.setFilter(filters.toString());
+
+    List<MSentryGMPrivilege> tPrivileges = (List<MSentryGMPrivilege>)query.execute();
+    for (MSentryGMPrivilege tPrivilege : tPrivileges) {
+      if (tPrivilege.getGrantOption() && tPrivilege.implies(requestPrivilege)) {
+        hasGrant = true;
+        break;
+      }
+    }
+    return hasGrant;
+  }
+  public void grantPrivilege(PrivilegeObject privilege,MSentryRole role, PersistenceManager pm) throws SentryUserException {
+    MSentryGMPrivilege mPrivilege = convertToPrivilege(privilege);
+    grantRolePartial(mPrivilege, role, pm);
+  }
+
+  private void grantRolePartial(MSentryGMPrivilege grantPrivilege,
+      MSentryRole role,PersistenceManager pm) {
+    /**
+     * If Grant is for ALL action and other actions belongs to ALL action already exists..
+     * need to remove it and GRANT ALL action
+     */
+    String component = grantPrivilege.getComponentName();
+    BitFieldAction action = getAction(component, grantPrivilege.getAction());
+    BitFieldAction allAction = getAction(component, Action.ALL);
+
+    if (action.implies(allAction)) {
+      /**
+       * ALL action is a multi-bit set action that includes some actions such as INSERT,SELECT and CREATE.
+       */
+      List<? extends BitFieldAction> actions = getActionFactory(component).getActionsByCode(allAction.getActionCode());
+      for (BitFieldAction ac : actions) {
+        grantPrivilege.setAction(ac.getValue());
+        MSentryGMPrivilege existPriv = getPrivilege(grantPrivilege, pm);
+        if (existPriv != null && role.getGmPrivileges().contains(existPriv)) {
+          /**
+           * force to load all roles related this privilege
+           * avoid the lazy-loading risk,such as:
+           * if the roles field of privilege aren't loaded, then the roles is a empty set
+           * privilege.removeRole(role) and pm.makePersistent(privilege)
+           * will remove other roles that shouldn't been removed
+           */
+          pm.retrieve(existPriv);
+          existPriv.removeRole(role);
+          pm.makePersistent(existPriv);
+        }
+      }
+    } else {
+      /**
+       * If ALL Action already exists..
+       * do nothing.
+       */
+      grantPrivilege.setAction(allAction.getValue());
+      MSentryGMPrivilege allPrivilege = getPrivilege(grantPrivilege, pm);
+      if (allPrivilege != null && role.getGmPrivileges().contains(allPrivilege)) {
+        return;
+      }
+    }
+
+    /**
+     * restore the action
+     */
+    grantPrivilege.setAction(action.getValue());
+    /**
+     * check the privilege is exist or not
+     */
+    MSentryGMPrivilege mPrivilege = getPrivilege(grantPrivilege, pm);
+    if (mPrivilege == null) {
+      mPrivilege = grantPrivilege;
+    }
+    mPrivilege.appendRole(role);
+    pm.makePersistent(mPrivilege);
+  }
+
+
+  public void revokePrivilege(PrivilegeObject privilege,MSentryRole role, PersistenceManager pm) throws SentryUserException {
+    MSentryGMPrivilege mPrivilege = getPrivilege(convertToPrivilege(privilege), pm);
+    if (mPrivilege == null) {
+      mPrivilege = convertToPrivilege(privilege);
+    } else {
+      mPrivilege = (MSentryGMPrivilege) pm.detachCopy(mPrivilege);
+    }
+
+    Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet();
+    privilegeGraph.addAll(populateIncludePrivileges(Sets.newHashSet(role), mPrivilege, pm));
+
+    /**
+     * Get the privilege graph
+     * populateIncludePrivileges will get the privileges that needed revoke
+     */
+    for (MSentryGMPrivilege persistedPriv : privilegeGraph) {
+      /**
+       * force to load all roles related this privilege
+       * avoid the lazy-loading risk,such as:
+       * if the roles field of privilege aren't loaded, then the roles is a empty set
+       * privilege.removeRole(role) and pm.makePersistent(privilege)
+       * will remove other roles that shouldn't been removed
+       */
+      revokeRolePartial(mPrivilege, persistedPriv, role, pm);
+    }
+    pm.makePersistent(role);
+  }
+
+  /**
+   * Explore Privilege graph and collect privileges that are belong to the specific privilege
+   */
+  @SuppressWarnings("unchecked")
+  private Set<MSentryGMPrivilege> populateIncludePrivileges(Set<MSentryRole> roles,
+      MSentryGMPrivilege parent, PersistenceManager pm) {
+    Set<MSentryGMPrivilege> childrens = Sets.newHashSet();
+
+    Query query = pm.newQuery(MSentryGMPrivilege.class);
+    StringBuilder filters = new StringBuilder();
+    //add populateIncludePrivilegesQuery
+    filters.append(MSentryGMPrivilege.populateIncludePrivilegesQuery(parent));
+    // add filter for role names
+    if (roles != null && roles.size() > 0) {
+      query.declareVariables("MSentryRole role");
+      List<String> rolesFiler = new LinkedList<String>();
+      for (MSentryRole role : roles) {
+        rolesFiler.add("role.roleName == \"" + role.getRoleName() + "\" ");
+      }
+      filters.append("&& roles.contains(role) " + "&& (" + Joiner.on(" || ").join(rolesFiler) + ")");
+    }
+    query.setFilter(filters.toString());
+
+    List<MSentryGMPrivilege> privileges = (List<MSentryGMPrivilege>)query.execute();
+    childrens.addAll(privileges);
+    return childrens;
+  }
+
+  /**
+   * Roles can be granted multi-bit set action like ALL action on resource object.
+   * Take solr component for example, When a role has been granted ALL action but
+   * QUERY or UPDATE or CREATE are revoked, we need to remove the ALL
+   * privilege and add left privileges like UPDATE and CREATE(QUERY was revoked) or
+   * QUERY and UPDATE(CREATEE was revoked).
+   */
+  private void revokeRolePartial(MSentryGMPrivilege revokePrivilege,
+      MSentryGMPrivilege persistedPriv, MSentryRole role,
+      PersistenceManager pm) {
+    String component = revokePrivilege.getComponentName();
+    BitFieldAction revokeaction = getAction(component, revokePrivilege.getAction());
+    BitFieldAction persistedAction = getAction(component, persistedPriv.getAction());
+    BitFieldAction allAction = getAction(component, Action.ALL);
+
+    if (revokeaction.implies(allAction)) {
+      /**
+       * if revoke action is ALL, directly revoke its children privileges and itself
+       */
+      persistedPriv.removeRole(role);
+      pm.makePersistent(persistedPriv);
+    } else {
+      /**
+       * if persisted action is ALL, it only revoke the requested action and left partial actions
+       * like the requested action is SELECT, the UPDATE and CREATE action are left
+       */
+      if (persistedAction.implies(allAction)) {
+        /**
+         * revoke the ALL privilege
+         */
+        persistedPriv.removeRole(role);
+        pm.makePersistent(persistedPriv);
+
+        List<? extends BitFieldAction> actions = getActionFactory(component).getActionsByCode(allAction.getActionCode());
+        for (BitFieldAction ac: actions) {
+          if (ac.getActionCode() != revokeaction.getActionCode()) {
+            /**
+             * grant the left privileges to role
+             */
+            MSentryGMPrivilege tmpPriv = new MSentryGMPrivilege(persistedPriv);
+            tmpPriv.setAction(ac.getValue());
+            MSentryGMPrivilege leftPersistedPriv = getPrivilege(tmpPriv, pm);
+            if (leftPersistedPriv == null) {
+              //leftPersistedPriv isn't exist
+              leftPersistedPriv = tmpPriv;
+              role.appendGMPrivilege(leftPersistedPriv);
+            }
+            leftPersistedPriv.appendRole(role);
+            pm.makePersistent(leftPersistedPriv);
+          }
+        }
+      } else if (revokeaction.implies(persistedAction)) {
+        /**
+         * if the revoke action is equal to the persisted action and they aren't ALL action
+         * directly remove the role from privilege
+         */
+        persistedPriv.removeRole(role);
+        pm.makePersistent(persistedPriv);
+      }
+      /**
+       * if the revoke action is not equal to the persisted action,
+       * do nothing
+       */
+    }
+  }
+
+  /**
+   * Drop any role related to the requested privilege and its children privileges
+   */
+  public void dropPrivilege(PrivilegeObject privilege,PersistenceManager pm) {
+    MSentryGMPrivilege requestPrivilege = convertToPrivilege(privilege);
+
+    if (Strings.isNullOrEmpty(privilege.getAction())) {
+      requestPrivilege.setAction(getAction(privilege.getComponent(), Action.ALL).getValue());
+    }
+    /**
+     * Get the privilege graph
+     * populateIncludePrivileges will get the privileges that need dropped,
+     */
+    Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet();
+    privilegeGraph.addAll(populateIncludePrivileges(null, requestPrivilege, pm));
+
+    for (MSentryGMPrivilege mPrivilege : privilegeGraph) {
+      /**
+       * force to load all roles related this privilege
+       * avoid the lazy-loading
+       */
+      pm.retrieve(mPrivilege);
+      Set<MSentryRole> roles = mPrivilege.getRoles();
+      for (MSentryRole role : roles) {
+        revokeRolePartial(requestPrivilege, mPrivilege, role, pm);
+      }
+    }
+  }
+
+  private MSentryGMPrivilege convertToPrivilege(PrivilegeObject privilege) {
+    return new MSentryGMPrivilege(privilege.getComponent(),
+        privilege.getService(), privilege.getAuthorizables(),
+        privilege.getAction(), privilege.getGrantOption());
+  }
+
+  private MSentryGMPrivilege getPrivilege(MSentryGMPrivilege privilege, PersistenceManager pm) {
+    Query query = pm.newQuery(MSentryGMPrivilege.class);
+    query.setFilter(MSentryGMPrivilege.toQuery(privilege));
+    query.setUnique(true);
+    return (MSentryGMPrivilege)query.execute();
+  }
+
+  @SuppressWarnings("unchecked")
+  public Set<PrivilegeObject> getPrivilegesByRole(Set<MSentryRole> roles, PersistenceManager pm) {
+    Set<PrivilegeObject> privileges = Sets.newHashSet();
+    if (roles == null || roles.size() == 0) {
+      return privileges;
+    }
+    Query query = pm.newQuery(MSentryGMPrivilege.class);
+    StringBuilder filters = new StringBuilder();
+    // add filter for role names
+    query.declareVariables("MSentryRole role");
+    List<String> rolesFiler = new LinkedList<String>();
+    for (MSentryRole role : roles) {
+      rolesFiler.add("role.roleName == \"" + role.getRoleName() + "\" ");
+    }
+    filters.append("roles.contains(role) " + "&& (" + Joiner.on(" || ").join(rolesFiler) + ")");
+
+    query.setFilter(filters.toString());
+    List<MSentryGMPrivilege> mPrivileges = (List<MSentryGMPrivilege>) query.execute();
+    if (mPrivileges == null || mPrivileges.isEmpty()) {
+      return privileges;
+    }
+    for (MSentryGMPrivilege mPrivilege : mPrivileges) {
+      privileges.add(new Builder()
+                               .setComponent(mPrivilege.getComponentName())
+                               .setService(mPrivilege.getServiceName())
+                               .setAction(mPrivilege.getAction())
+                               .setAuthorizables(mPrivilege.getAuthorizables())
+                               .withGrantOption(mPrivilege.getGrantOption())
+                               .build());
+    }
+    return privileges;
+  }
+
+  public Set<PrivilegeObject> getPrivilegesByProvider(String component,
+      String service, Set<MSentryRole> roles,
+      List<? extends Authorizable> authorizables, PersistenceManager pm) {
+    Set<PrivilegeObject> privileges = Sets.newHashSet();
+    if (roles == null || roles.isEmpty()) {
+      return privileges;
+    }
+
+    MSentryGMPrivilege parentPrivilege = new MSentryGMPrivilege(component, service, authorizables, null, null);
+    Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet();
+    privilegeGraph.addAll(populateIncludePrivileges(roles, parentPrivilege, pm));
+
+    for (MSentryGMPrivilege mPrivilege : privilegeGraph) {
+      privileges.add(new Builder()
+                               .setComponent(mPrivilege.getComponentName())
+                               .setService(mPrivilege.getServiceName())
+                               .setAction(mPrivilege.getAction())
+                               .setAuthorizables(mPrivilege.getAuthorizables())
+                               .withGrantOption(mPrivilege.getGrantOption())
+                               .build());
+    }
+    return privileges;
+  }
+
+  public Set<MSentryGMPrivilege> getPrivilegesByAuthorizable(String component,
+      String service, Set<MSentryRole> roles,
+      List<? extends Authorizable> authorizables, PersistenceManager pm) {
+
+    Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet();
+
+    if (roles == null || roles.isEmpty()) {
+      return privilegeGraph;
+    }
+
+    MSentryGMPrivilege parentPrivilege = new MSentryGMPrivilege(component, service, authorizables, null, null);
+    privilegeGraph.addAll(populateIncludePrivileges(roles, parentPrivilege, pm));
+    return privilegeGraph;
+  }
+
+  public void renamePrivilege(String component, String service,
+      List<? extends Authorizable> oldAuthorizables, List<? extends Authorizable> newAuthorizables,
+      String grantorPrincipal, PersistenceManager pm)
+      throws SentryUserException {
+    MSentryGMPrivilege oldPrivilege = new MSentryGMPrivilege(component, service, oldAuthorizables, null, null);
+    oldPrivilege.setAction(getAction(component,Action.ALL).getValue());
+    /**
+     * Get the privilege graph
+     * populateIncludePrivileges will get the old privileges that need dropped
+     */
+    Set<MSentryGMPrivilege> privilegeGraph = Sets.newHashSet();
+    privilegeGraph.addAll(populateIncludePrivileges(null, oldPrivilege, pm));
+
+    for (MSentryGMPrivilege dropPrivilege : privilegeGraph) {
+      /**
+       * construct the new privilege needed to add
+       */
+      List<Authorizable> authorizables = new ArrayList<Authorizable>(
+          dropPrivilege.getAuthorizables());
+      for (int i = 0; i < newAuthorizables.size(); i++) {
+        authorizables.set(i, newAuthorizables.get(i));
+      }
+      MSentryGMPrivilege newPrivilge = new MSentryGMPrivilege(
+          component,service, authorizables, dropPrivilege.getAction(),
+          dropPrivilege.getGrantOption());
+
+      /**
+       * force to load all roles related this privilege
+       * avoid the lazy-loading
+       */
+      pm.retrieve(dropPrivilege);
+
+      Set<MSentryRole> roles = dropPrivilege.getRoles();
+      for (MSentryRole role : roles) {
+        revokeRolePartial(oldPrivilege, dropPrivilege, role, pm);
+        grantRolePartial(newPrivilge, role, pm);
+      }
+    }
+  }
+
+  private BitFieldAction getAction(String component, String name) {
+    BitFieldActionFactory actionFactory = getActionFactory(component);
+    BitFieldAction action = actionFactory.getActionByName(name);
+    if (action == null) {
+      throw new RuntimeException("Can not get BitFieldAction for name: " + name);
+    }
+    return action;
+  }
+
+  private BitFieldActionFactory getActionFactory(String component) {
+    String caseInsensitiveComponent = component.toLowerCase();
+    if (actionFactories.containsKey(caseInsensitiveComponent)) {
+      return actionFactories.get(caseInsensitiveComponent);
+    }
+    BitFieldActionFactory actionFactory = createActionFactory(caseInsensitiveComponent);
+    actionFactories.put(caseInsensitiveComponent, actionFactory);
+    LOGGER.info("Action factory for component {} is not found in cache. Loaded it from configuration as {}.",
+                component, actionFactory.getClass().getName());
+    return actionFactory;
+  }
+
+  private BitFieldActionFactory createActionFactory(String component) {
+    String actionFactoryClassName =
+      conf.get(String.format(ServiceConstants.ServerConfig.SENTRY_COMPONENT_ACTION_FACTORY_FORMAT, component));
+    if (actionFactoryClassName == null) {
+      throw new RuntimeException("ActionFactory not defined for component " + component +
+                                   ". Please define the parameter " +
+                                   "sentry." + component + ".action.factory in configuration");
+    }
+    Class<?> actionFactoryClass;
+    try {
+      actionFactoryClass = Class.forName(actionFactoryClassName);
+    } catch (ClassNotFoundException e) {
+      throw new RuntimeException("ActionFactory class " + actionFactoryClassName + " not found.");
+    }
+    if (!BitFieldActionFactory.class.isAssignableFrom(actionFactoryClass)) {
+      throw new RuntimeException("ActionFactory class " + actionFactoryClassName + " must extend "
+                                   + BitFieldActionFactory.class.getName());
+    }
+    BitFieldActionFactory actionFactory;
+    try {
+      Constructor<?> actionFactoryConstructor = actionFactoryClass.getDeclaredConstructor();
+      actionFactoryConstructor.setAccessible(true);
+      actionFactory = (BitFieldActionFactory) actionFactoryClass.newInstance();
+    } catch (NoSuchMethodException | InstantiationException | IllegalAccessException e) {
+      throw new RuntimeException("Could not instantiate actionFactory " + actionFactoryClassName +
+                                   " for component: " + component, e);
+    }
+    return actionFactory;
+  }
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreLayer.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreLayer.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreLayer.java
new file mode 100644
index 0000000..c003965
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/persistent/SentryStoreLayer.java
@@ -0,0 +1,198 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.persistent;
+
+import java.util.List;
+import java.util.Set;
+
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
+import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
+import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
+import org.apache.sentry.provider.db.service.persistent.CommitContext;
+
+/**
+ * Sentry store for persistent the authorize object to database
+ */
+public interface SentryStoreLayer {
+  /**
+   * Create a role
+   * @param component: The request respond to which component
+   * @param role: The name of role
+   * @param requestor: User on whose behalf the request is launched
+   * @returns commit context used for notification handlers
+   * @throws SentryAlreadyExistsException
+   */
+  CommitContext createRole(String component, String role,
+      String requestor) throws SentryAlreadyExistsException;
+
+  /**
+   * Drop a role
+   * @param component: The request respond to which component
+   * @param role: The name of role
+   * @param requestor: user on whose behalf the request is launched
+   * @returns commit context used for notification handlers
+   * @throws SentryNoSuchObjectException
+   */
+  CommitContext dropRole(String component, String role,
+      String requestor) throws SentryNoSuchObjectException;
+
+  /**
+   * Add a role to groups.
+   * @param component: The request respond to which component
+   * @param role: The name of role
+   * @param groups: The name of groups
+   * @param requestor: User on whose behalf the request is issued
+   * @returns commit context used for notification handlers
+   * @throws SentryNoSuchObjectException
+   */
+  CommitContext alterRoleAddGroups(String component, String role,
+      Set<String> groups, String requestor) throws SentryNoSuchObjectException;
+
+  /**
+   * Delete a role from groups.
+   * @param component: The request respond to which component
+   * @param role: The name of role
+   * @param groups: The name of groups
+   * @param requestor: User on whose behalf the request is launched
+   * @returns commit context used for notification handlers
+   * @throws SentryNoSuchObjectException
+   */
+  CommitContext alterRoleDeleteGroups(String component, String role,
+      Set<String> groups, String requestor) throws SentryNoSuchObjectException;
+
+  /**
+   * Grant a privilege to role.
+   * @param component: The request respond to which component
+   * @param role: The name of role
+   * @param privilege: The privilege object will be granted
+   * @param grantorPrincipal: User on whose behalf the request is launched
+   * @returns commit context Used for notification handlers
+   * @throws SentryUserException
+   */
+  CommitContext alterRoleGrantPrivilege(String component, String role,
+      PrivilegeObject privilege, String grantorPrincipal) throws SentryUserException;
+
+  /**
+   * Revoke a privilege from role.
+   * @param component: The request respond to which component
+   * @param role: The name of role
+   * @param privilege: The privilege object will revoked
+   * @param grantorPrincipal: User on whose behalf the request is launched
+   * @returns commit context used for notification handlers
+   * @throws SentryUserException
+   */
+  CommitContext alterRoleRevokePrivilege(String component, String role,
+      PrivilegeObject privilege, String grantorPrincipal) throws SentryUserException;
+
+  /**
+   * Rename privilege
+   *
+   * @param component: The request respond to which component
+   * @param service: The name of service
+   * @param oldAuthorizables: The old list of authorize objects
+   * @param newAuthorizables: The new list of authorize objects
+   * @param requestor: User on whose behalf the request is launched
+   * @returns commit context used for notification handlers
+   * @throws SentryUserException
+   */
+  CommitContext renamePrivilege(
+      String component, String service, List<? extends Authorizable> oldAuthorizables,
+      List<? extends Authorizable> newAuthorizables, String requestor) throws SentryUserException;
+
+  /**
+   * Drop privilege
+   * @param component: The request respond to which component
+   * @param privilege: The privilege will be dropped
+   * @param requestor: User on whose behalf the request is launched
+   * @returns commit context used for notification handlers
+   * @throws SentryUserException
+   */
+  CommitContext dropPrivilege(String component, PrivilegeObject privilege,
+      String requestor) throws SentryUserException;
+
+  /**
+   * Get roles
+   * @param component: The request respond to which component
+   * @param groups: The name of groups
+   * @returns the set of roles
+   * @throws SentryUserException
+   */
+  Set<String> getRolesByGroups(String component, Set<String> groups) throws SentryUserException;
+
+  /**
+   * Get groups
+   * @param component: The request respond to which component
+   * @param roles: The name of roles
+   * @returns the set of groups
+   * @throws SentryUserException
+   */
+  Set<String> getGroupsByRoles(String component, Set<String> roles) throws SentryUserException;
+
+  /**
+   * Get privileges
+   * @param component: The request respond to which component
+   * @param roles: The name of roles
+   * @returns the set of privileges
+   * @throws SentryUserException
+   */
+  Set<PrivilegeObject> getPrivilegesByRole(String component, Set<String> roles) throws SentryUserException;
+
+  /**
+   * get sentry privileges from provider as followings:
+   * @param component: The request respond to which component
+   * @param service: The name of service
+   * @param roles: The name of roles
+   * @param groups: The name of groups
+   * @param authorizables: The list of authorize objects
+   * @returns the set of privileges
+   * @throws SentryUserException
+   */
+
+  Set<PrivilegeObject> getPrivilegesByProvider(String component, String service, Set<String> roles,
+       Set<String> groups, List<? extends Authorizable> authorizables)
+       throws SentryUserException;
+
+  /**
+   * Get all roles name.
+   *
+   * @returns The set of roles name,
+   */
+  Set<String> getAllRoleNames();
+
+  /**
+   * Get sentry privileges based on valid active roles and the authorize objects.
+   *
+   * @param component: The request respond to which component
+   * @param service: The name of service
+   * @param validActiveRoles: The valid active roles
+   * @param authorizables: The list of authorize objects
+   * @returns The set of MSentryGMPrivilege
+   * @throws SentryUserException
+   */
+  Set<MSentryGMPrivilege> getPrivilegesByAuthorizable(String component, String service,
+      Set<String> validActiveRoles, List<? extends Authorizable> authorizables)
+      throws SentryUserException;
+
+  /**
+   * close sentryStore
+   */
+  void close();
+
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandler.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandler.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandler.java
new file mode 100644
index 0000000..e0a5f03
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandler.java
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.thrift;
+
+import org.apache.sentry.provider.db.service.persistent.CommitContext;
+
+public interface NotificationHandler {
+
+  void create_sentry_role(CommitContext context,
+      TCreateSentryRoleRequest request, TCreateSentryRoleResponse response);
+
+  void drop_sentry_role(CommitContext context, TDropSentryRoleRequest request,
+      TDropSentryRoleResponse response);
+
+  void alter_sentry_role_grant_privilege(CommitContext context, TAlterSentryRoleGrantPrivilegeRequest request,
+      TAlterSentryRoleGrantPrivilegeResponse response);
+
+  void alter_sentry_role_revoke_privilege(CommitContext context, TAlterSentryRoleRevokePrivilegeRequest request,
+      TAlterSentryRoleRevokePrivilegeResponse response);
+
+  void alter_sentry_role_add_groups(CommitContext context,TAlterSentryRoleAddGroupsRequest request,
+      TAlterSentryRoleAddGroupsResponse response);
+
+  void alter_sentry_role_delete_groups(CommitContext context, TAlterSentryRoleDeleteGroupsRequest request,
+      TAlterSentryRoleDeleteGroupsResponse response);
+
+  void drop_sentry_privilege(CommitContext context, TDropPrivilegesRequest request,
+      TDropPrivilegesResponse response);
+
+  void rename_sentry_privilege(CommitContext context, TRenamePrivilegesRequest request,
+      TRenamePrivilegesResponse response);
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/e72e6eac/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandlerInvoker.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandlerInvoker.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandlerInvoker.java
new file mode 100644
index 0000000..1d9c246
--- /dev/null
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/NotificationHandlerInvoker.java
@@ -0,0 +1,164 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.thrift;
+
+import java.util.List;
+
+import org.apache.sentry.provider.db.service.persistent.CommitContext;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.collect.Lists;
+
+/**
+ * Invokes configured instances of NotificationHandler. Importantly
+ * NotificationHandler's each receive a copy of the request and
+ * response thrift objects from each successful request.
+ */
+public class NotificationHandlerInvoker implements NotificationHandler {
+  private static final Logger LOGGER = LoggerFactory.getLogger(NotificationHandlerInvoker.class);
+  private List<? extends NotificationHandler> handlers = Lists.newArrayList();
+
+  public NotificationHandlerInvoker(List<? extends NotificationHandler> handlers) {
+    this.handlers = handlers;
+  }
+  @Override
+  public void create_sentry_role(CommitContext context,
+      TCreateSentryRoleRequest request, TCreateSentryRoleResponse response) {
+    for (NotificationHandler handler : handlers) {
+      try {
+        LOGGER.debug("Calling " + handler);
+        handler.create_sentry_role(context,  new TCreateSentryRoleRequest(request),
+                                   new TCreateSentryRoleResponse(response));
+      } catch (Exception ex) {
+        LOGGER.error("Unexpected error in " + handler + ". Request: "
+                     + request + ", Response: " + response, ex);
+      }
+    }
+  }
+
+  @Override
+  public void drop_sentry_role(CommitContext context,
+      TDropSentryRoleRequest request, TDropSentryRoleResponse response) {
+    for (NotificationHandler handler : handlers) {
+      try {
+        LOGGER.debug("Calling " + handler);
+        handler.drop_sentry_role(context,  new TDropSentryRoleRequest(request),
+                                 new TDropSentryRoleResponse(response));
+      } catch (Exception ex) {
+        LOGGER.error("Unexpected error in " + handler + ". Request: "
+                     + request + ", Response: " + response, ex);
+      }
+    }
+  }
+
+  @Override
+  public void alter_sentry_role_grant_privilege(CommitContext context,
+      TAlterSentryRoleGrantPrivilegeRequest request,
+      TAlterSentryRoleGrantPrivilegeResponse response) {
+    for (NotificationHandler handler : handlers) {
+      try {
+        LOGGER.debug("Calling " + handler);
+        handler.alter_sentry_role_grant_privilege(context,
+            new TAlterSentryRoleGrantPrivilegeRequest(request),
+            new TAlterSentryRoleGrantPrivilegeResponse(response));
+      } catch (Exception ex) {
+        LOGGER.error("Unexpected error in " + handler + ". Request: "
+                     + request + ", Response: " + response, ex);
+      }
+    }
+  }
+
+  @Override
+  public void alter_sentry_role_revoke_privilege(CommitContext context,
+      TAlterSentryRoleRevokePrivilegeRequest request,
+      TAlterSentryRoleRevokePrivilegeResponse response) {
+    for (NotificationHandler handler : handlers) {
+      try {
+        LOGGER.debug("Calling " + handler);
+        handler.alter_sentry_role_revoke_privilege(context,
+            new TAlterSentryRoleRevokePrivilegeRequest(request),
+            new TAlterSentryRoleRevokePrivilegeResponse(response));
+      } catch (Exception ex) {
+        LOGGER.error("Unexpected error in " + handler + ". Request: "
+                     + request + ", Response: " + response, ex);
+      }
+    }
+  }
+
+  @Override
+  public void alter_sentry_role_add_groups(CommitContext context,
+      TAlterSentryRoleAddGroupsRequest request,
+      TAlterSentryRoleAddGroupsResponse response) {
+    for (NotificationHandler handler : handlers) {
+      try {
+        LOGGER.debug("Calling " + handler);
+        handler.alter_sentry_role_add_groups(context, new TAlterSentryRoleAddGroupsRequest(request),
+                                             new TAlterSentryRoleAddGroupsResponse(response));
+      } catch (Exception ex) {
+        LOGGER.error("Unexpected error in " + handler + ". Request: "
+                     + request + ", Response: " + response, ex);
+      }
+    }
+  }
+
+  @Override
+  public void alter_sentry_role_delete_groups(CommitContext context,
+      TAlterSentryRoleDeleteGroupsRequest request,
+      TAlterSentryRoleDeleteGroupsResponse response) {
+    for (NotificationHandler handler : handlers) {
+      try {
+        LOGGER.debug("Calling " + handler);
+        handler.alter_sentry_role_delete_groups(context, new TAlterSentryRoleDeleteGroupsRequest(request),
+                                                new TAlterSentryRoleDeleteGroupsResponse(response));
+      } catch (Exception ex) {
+        LOGGER.error("Unexpected error in " + handler + ". Request: "
+                     + request + ", Response: " + response, ex);
+      }
+    }
+  }
+  @Override
+  public void drop_sentry_privilege(CommitContext context,
+      TDropPrivilegesRequest request, TDropPrivilegesResponse response) {
+    for (NotificationHandler handler : handlers) {
+      try {
+        LOGGER.debug("Calling " + handler);
+        handler.drop_sentry_privilege(context, new TDropPrivilegesRequest(request),
+                                                new TDropPrivilegesResponse(response));
+      } catch (Exception ex) {
+        LOGGER.error("Unexpected error in " + handler + ". Request: "
+                     + request + ", Response: " + response, ex);
+      }
+    }
+  }
+  @Override
+  public void rename_sentry_privilege(CommitContext context,
+      TRenamePrivilegesRequest request, TRenamePrivilegesResponse response) {
+    for (NotificationHandler handler : handlers) {
+      try {
+        LOGGER.debug("Calling " + handler);
+        handler.rename_sentry_privilege(context, new TRenamePrivilegesRequest(request),
+                                                new TRenamePrivilegesResponse(response));
+      } catch (Exception ex) {
+        LOGGER.error("Unexpected error in " + handler + ". Request: "
+                     + request + ", Response: " + response, ex);
+      }
+    }
+  }
+
+}


Mime
View raw message