From co...@apache.org
Subject [2/2] sentry git commit: SENTRY-1406:Refactor: move AuthorizationProvider out of sentry-provider-common(Colin Ma, reviewed by Dapeng Sun, Ke Jia)
Date Mon, 15 Aug 2016 07:23:44 GMT
SENTRY-1406:Refactor: move AuthorizationProvider out of sentry-provider-common(Colin Ma, reviewed by Dapeng Sun, Ke Jia)


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/f45727ab
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/f45727ab
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/f45727ab

Branch: refs/heads/master
Commit: f45727ab1a70a8e108c326da38aab2d00ba00f75
Parents: ddae7c0
Author: Colin Ma <colin@apache.org>
Authored: Mon Aug 15 15:30:34 2016 +0800
Committer: Colin Ma <colin@apache.org>
Committed: Mon Aug 15 15:30:34 2016 +0800

----------------------------------------------------------------------
 pom.xml                                         |   5 +
 .../sentry-binding-hive-common/pom.xml          |   4 +
 sentry-binding/sentry-binding-kafka/pom.xml     |   4 +
 sentry-binding/sentry-binding-solr/pom.xml      |   4 +
 sentry-binding/sentry-binding-sqoop/pom.xml     |   4 +
 sentry-dist/pom.xml                             |   4 +
 sentry-policy/sentry-policy-common/pom.xml      |   4 -
 sentry-policy/sentry-policy-engine/pom.xml      |   4 +
 sentry-policy/sentry-policy-indexer/pom.xml     |   5 +
 sentry-provider/pom.xml                         |   1 +
 .../sentry-authorization-provider/pom.xml       |  45 ++++
 .../provider/common/AuthorizationProvider.java  | 100 ++++++++
 ...adoopGroupResourceAuthorizationProvider.java |  64 ++++++
 .../common/NoAuthorizationProvider.java         |  79 +++++++
 .../common/ResourceAuthorizationProvider.java   | 227 +++++++++++++++++++
 ...adoopGroupResourceAuthorizationProvider.java |  51 +++++
 .../provider/file/LocalGroupMappingService.java | 122 ++++++++++
 ...LocalGroupResourceAuthorizationProvider.java |  41 ++++
 .../provider/common/TestGetGroupMapping.java    |  91 ++++++++
 .../common/TestNoAuthorizationProvider.java     |  38 ++++
 .../provider/file/TestLocalGroupMapping.java    |  74 ++++++
 .../src/test/resources/log4j.properties         |  31 +++
 .../test-authz-provider-local-group-mapping.ini |  33 +++
 sentry-provider/sentry-provider-cache/pom.xml   |   4 +
 sentry-provider/sentry-provider-common/pom.xml  |   7 +-
 .../provider/common/AuthorizationProvider.java  | 100 --------
 ...adoopGroupResourceAuthorizationProvider.java |  64 ------
 .../common/NoAuthorizationProvider.java         |  79 -------
 .../common/ResourceAuthorizationProvider.java   | 227 -------------------
 ...adoopGroupResourceAuthorizationProvider.java |  51 -----
 .../provider/common/TestGetGroupMapping.java    |  91 --------
 .../common/TestNoAuthorizationProvider.java     |  40 ----
 .../provider/file/LocalGroupMappingService.java | 122 ----------
 ...LocalGroupResourceAuthorizationProvider.java |  41 ----
 .../file/SimpleFileProviderBackend.java         |   4 +-
 .../provider/file/TestLocalGroupMapping.java    |  74 ------
 sentry-service/sentry-service-server/pom.xml    |   5 +
 37 files changed, 1043 insertions(+), 901 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index 294ddb9..b53e776 100644
--- a/pom.xml
+++ b/pom.xml
@@ -435,6 +435,11 @@ limitations under the License.
       </dependency>
       <dependency>
         <groupId>org.apache.sentry</groupId>
+        <artifactId>sentry-authorization-provider</artifactId>
+        <version>${project.version}</version>
+      </dependency>
+      <dependency>
+        <groupId>org.apache.sentry</groupId>
         <artifactId>sentry-provider-common</artifactId>
         <version>${project.version}</version>
       </dependency>

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-binding/sentry-binding-hive-common/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-common/pom.xml b/sentry-binding/sentry-binding-hive-common/pom.xml
index 685df0c..bac07ce 100644
--- a/sentry-binding/sentry-binding-hive-common/pom.xml
+++ b/sentry-binding/sentry-binding-hive-common/pom.xml
@@ -84,6 +84,10 @@ limitations under the License.
       <artifactId>mockito-all</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-authorization-provider</artifactId>
+    </dependency>
     <!-- required for SentryGrantRevokeTask -->
     <dependency>
       <groupId>org.apache.sentry</groupId>

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-binding/sentry-binding-kafka/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-kafka/pom.xml b/sentry-binding/sentry-binding-kafka/pom.xml
index f868786..b156d25 100644
--- a/sentry-binding/sentry-binding-kafka/pom.xml
+++ b/sentry-binding/sentry-binding-kafka/pom.xml
@@ -41,6 +41,10 @@ limitations under the License.
     </dependency>
     <dependency>
       <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-authorization-provider</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.sentry</groupId>
       <artifactId>sentry-provider-db</artifactId>
     </dependency>
     <dependency>

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-binding/sentry-binding-solr/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-solr/pom.xml b/sentry-binding/sentry-binding-solr/pom.xml
index cc99948..1cb5b57 100644
--- a/sentry-binding/sentry-binding-solr/pom.xml
+++ b/sentry-binding/sentry-binding-solr/pom.xml
@@ -40,6 +40,10 @@ limitations under the License.
     </dependency>
     <dependency>
       <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-authorization-provider</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.sentry</groupId>
       <artifactId>sentry-provider-db</artifactId>
     </dependency>
     <dependency>

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-binding/sentry-binding-sqoop/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-sqoop/pom.xml b/sentry-binding/sentry-binding-sqoop/pom.xml
index e96802f..462e8bc 100644
--- a/sentry-binding/sentry-binding-sqoop/pom.xml
+++ b/sentry-binding/sentry-binding-sqoop/pom.xml
@@ -40,6 +40,10 @@ limitations under the License.
     </dependency>
     <dependency>
       <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-authorization-provider</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.sentry</groupId>
       <artifactId>sentry-provider-file</artifactId>
     </dependency>
     <dependency>

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-dist/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-dist/pom.xml b/sentry-dist/pom.xml
index 04645ad..ccd112d 100644
--- a/sentry-dist/pom.xml
+++ b/sentry-dist/pom.xml
@@ -84,6 +84,10 @@ limitations under the License.
     </dependency>
     <dependency>
       <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-authorization-provider</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.sentry</groupId>
       <artifactId>sentry-provider-common</artifactId>
     </dependency>
     <dependency>

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-policy/sentry-policy-common/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-common/pom.xml b/sentry-policy/sentry-policy-common/pom.xml
index 57fc9d9..7804a0f 100644
--- a/sentry-policy/sentry-policy-common/pom.xml
+++ b/sentry-policy/sentry-policy-common/pom.xml
@@ -33,10 +33,6 @@ limitations under the License.
       <artifactId>sentry-core-common</artifactId>
     </dependency>
     <dependency>
-      <groupId>org.apache.shiro</groupId>
-      <artifactId>shiro-core</artifactId>
-    </dependency>
-    <dependency>
       <groupId>com.google.guava</groupId>
       <artifactId>guava</artifactId>
     </dependency>

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-policy/sentry-policy-engine/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-engine/pom.xml b/sentry-policy/sentry-policy-engine/pom.xml
index e9c44d7..4e6da63 100644
--- a/sentry-policy/sentry-policy-engine/pom.xml
+++ b/sentry-policy/sentry-policy-engine/pom.xml
@@ -48,6 +48,10 @@ limitations under the License.
             <groupId>org.apache.sentry</groupId>
             <artifactId>sentry-provider-common</artifactId>
         </dependency>
+      <dependency>
+        <groupId>org.apache.sentry</groupId>
+        <artifactId>sentry-policy-common</artifactId>
+      </dependency>
     </dependencies>
 
 </project>

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-policy/sentry-policy-indexer/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-policy/sentry-policy-indexer/pom.xml b/sentry-policy/sentry-policy-indexer/pom.xml
index e6ef72f..fa89192 100644
--- a/sentry-policy/sentry-policy-indexer/pom.xml
+++ b/sentry-policy/sentry-policy-indexer/pom.xml
@@ -81,6 +81,11 @@ limitations under the License.
     </dependency>
     <dependency>
       <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-authorization-provider</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.sentry</groupId>
       <artifactId>sentry-provider-common</artifactId>
       <scope>test</scope>
       <type>test-jar</type>

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/pom.xml b/sentry-provider/pom.xml
index a929b00..6a32f30 100644
--- a/sentry-provider/pom.xml
+++ b/sentry-provider/pom.xml
@@ -34,6 +34,7 @@ limitations under the License.
     <module>sentry-provider-file</module>
     <module>sentry-provider-db</module>
     <module>sentry-provider-cache</module>
+    <module>sentry-authorization-provider</module>
   </modules>
 
 </project>

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-authorization-provider/pom.xml b/sentry-provider/sentry-authorization-provider/pom.xml
new file mode 100644
index 0000000..46b3015
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/pom.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements.  See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>org.apache.sentry</groupId>
+    <artifactId>sentry-provider</artifactId>
+    <version>1.8.0-SNAPSHOT</version>
+  </parent>
+
+  <artifactId>sentry-authorization-provider</artifactId>
+  <name>Sentry Authorization Provider</name>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-policy-common</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.hadoop</groupId>
+      <artifactId>hadoop-common</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+</project>
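Review bot: This pom declares only sentry-policy-common, hadoop-common and junit, but the sources added to the module in this commit import Guava (`com.google.common.*`), SLF4J (`org.slf4j.*`), `javax.annotation.concurrent.ThreadSafe` and `org.apache.sentry.core.common.*` directly, so they resolve only through transitive dependencies. The same commit drops shiro-core from sentry-policy-common, which illustrates how an edit to an upstream pom can change what this module compiles and runs against without any change here. Declaring the directly used artifacts keeps the authorization module's classpath explicit. The entries below omit versions on the assumption that the parent's dependencyManagement covers them; guava is used that way in sentry-policy-common's pom, but slf4j-api should be confirmed.

```xml
<!-- … unchanged: sentry-policy-common, hadoop-common … -->
<dependency>
  <groupId>com.google.guava</groupId>
  <artifactId>guava</artifactId>
</dependency>
<dependency>
  <groupId>org.slf4j</groupId>
  <artifactId>slf4j-api</artifactId>
</dependency>
<!-- … unchanged: junit (test scope) … -->
```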

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
new file mode 100644
index 0000000..3d6440f
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
@@ -0,0 +1,100 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.common;
+
+import java.util.List;
+import java.util.Set;
+
+import javax.annotation.concurrent.ThreadSafe;
+
+import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.exception.SentryConfigurationException;
+import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.common.service.GroupMappingService;
+import org.apache.sentry.policy.common.PolicyEngine;
+
+/**
+ * Implementations of AuthorizationProvider must be threadsafe.
+ */
+@ThreadSafe
+public interface AuthorizationProvider {
+
+  String SENTRY_PROVIDER = "sentry.provider";
+
+  /***
+   * Returns validate subject privileges on given Authorizable object
+   *
+   * @param subject: UserID to validate privileges
+   * @param authorizableHierarchy : List of object according to namespace hierarchy.
+   *        eg. Server->Db->Table or Server->Function
+   *        The privileges will be validated from the higher to lower scope
+   * @param actions : Privileges to validate
+   * @param roleSet : Roles which should be used when obtaining privileges
+   * @return
+   *        True if the subject is authorized to perform requested action on the given object
+   */
+  boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy,
+      Set<? extends Action> actions, ActiveRoleSet roleSet);
+
+  /***
+   * Get the GroupMappingService used by the AuthorizationProvider
+   *
+   * @return GroupMappingService used by the AuthorizationProvider
+   */
+  GroupMappingService getGroupMapping();
+
+  /***
+   * Validate the policy file format for syntax and semantic errors
+   * @param strictValidation
+   * @throws SentryConfigurationException
+   */
+  void validateResource(boolean strictValidation) throws SentryConfigurationException;
+
+  /***
+   * Returns the list privileges for the given subject
+   * @param subject
+   * @return
+   * @throws SentryConfigurationException
+   */
+  Set<String> listPrivilegesForSubject(Subject subject) throws SentryConfigurationException;
+
+  /**
+   * Returns the list privileges for the given group
+   * @param groupName
+   * @return
+   * @throws SentryConfigurationException
+   */
+  Set<String> listPrivilegesForGroup(String groupName) throws SentryConfigurationException;
+
+  /***
+   * Returns the list of missing privileges of the last access request
+   * @return
+   */
+  List<String> getLastFailedPrivileges();
+
+  /**
+   * Frees any resources held by the the provider
+   */
+  void close();
+
+  /**
+   * Get the policy engine
+   */
+  PolicyEngine getPolicyEngine();
+}
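Review bot: The Javadoc on `hasAccess` does not say whether all of `actions` or only one of them must be permitted, and for an authorization API that difference decides whether a multi-action call can over-grant. The implementation added in this commit, `ResourceAuthorizationProvider.doHasAccess`, returns true on the first requested privilege that any granted privilege implies, i.e. any-of; I would state that in the contract, e.g. `@return true if at least one of the given actions is permitted on the hierarchy for the subject`. `getLastFailedPrivileges` should likewise say that "the last access request" means the last request on the calling thread, which is how ResourceAuthorizationProvider stores it (a static ThreadLocal). The empty `@param`/`@return` tags and the `/***` openers are worth tidying at the same time, and "the the provider" on `close` is a typo.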

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
new file mode 100644
index 0000000..6e5dbc3
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.common;
+
+import java.io.IOException;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.security.Groups;
+import org.apache.sentry.core.common.Model;
+import org.apache.sentry.core.common.service.GroupMappingService;
+import org.apache.sentry.core.common.service.HadoopGroupMappingService;
+import org.apache.sentry.policy.common.PolicyEngine;
+
+import com.google.common.annotations.VisibleForTesting;
+
+public class HadoopGroupResourceAuthorizationProvider extends
+  ResourceAuthorizationProvider {
+
+  // if set to true in the Configuration, constructs a new Group object
+  // for the GroupMappingService rather than using Hadoop's static mapping.
+  public static final String CONF_PREFIX = HadoopGroupResourceAuthorizationProvider.class.getName();
+  public static final String USE_NEW_GROUPS = CONF_PREFIX + ".useNewGroups";
+
+  // resource parameter present so that other AuthorizationProviders (e.g.
+  // LocalGroupResourceAuthorizationProvider) has the same constructor params.
+  public HadoopGroupResourceAuthorizationProvider(String resource, PolicyEngine policy,
+      Model model) throws IOException {
+    this(new Configuration(), resource, policy, model);
+  }
+
+  public HadoopGroupResourceAuthorizationProvider(Configuration conf, String resource, //NOPMD
+      PolicyEngine policy, Model model) throws IOException {
+    this(policy, new HadoopGroupMappingService(getGroups(conf)), model);
+  }
+
+  @VisibleForTesting
+  public HadoopGroupResourceAuthorizationProvider(PolicyEngine policy,
+      GroupMappingService groupService, Model model) {
+    super(policy, groupService, model);
+  }
+
+  private static Groups getGroups(Configuration conf) {
+    if (conf.getBoolean(USE_NEW_GROUPS, false)) {
+      return new Groups(conf);
+    } else {
+      return Groups.getUserToGroupsMappingService(conf);
+    }
+  }
+}
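Review bot: The comment above `CONF_PREFIX` actually describes `USE_NEW_GROUPS`, and neither public constructor documents that `resource` is ignored or that the three-argument form builds a fresh `new Configuration()`. Since group resolution feeds every access decision, I would move the comment onto `USE_NEW_GROUPS` and give `getGroups` a Javadoc along the lines of `When USE_NEW_GROUPS is false the provider uses the Groups instance returned by Groups.getUserToGroupsMappingService(conf) instead of constructing its own`. It would also help operators to note whether group-mapping settings in the passed `conf` still take effect on that path; that depends on Hadoop's behaviour and cannot be confirmed from this hunk.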

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
new file mode 100644
index 0000000..11dbfb7
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
@@ -0,0 +1,79 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.common;
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.exception.SentryConfigurationException;
+import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.common.service.GroupMappingService;
+import org.apache.sentry.core.common.service.NoGroupMappingService;
+import org.apache.sentry.policy.common.PolicyEngine;
+
+public class NoAuthorizationProvider implements AuthorizationProvider {
+  private GroupMappingService noGroupMappingService = new NoGroupMappingService();
+
+  @Override
+  public boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy,
+      Set<? extends Action> actions, ActiveRoleSet roleSet) {
+    return false;
+  }
+
+  @Override
+  public GroupMappingService getGroupMapping() {
+    return noGroupMappingService;
+  }
+
+  @Override
+  public void validateResource(boolean strictValidation) throws SentryConfigurationException {
+  }
+
+  @Override
+  public Set<String> listPrivilegesForSubject(Subject subject)
+      throws SentryConfigurationException {
+    return new HashSet<String>();
+  }
+
+  @Override
+  public Set<String> listPrivilegesForGroup(String groupName)
+      throws SentryConfigurationException {
+    return new HashSet<String>();
+  }
+
+  @Override
+  public List<String> getLastFailedPrivileges() {
+    return new ArrayList<String>();
+  }
+
+  @Override
+  public void close() {
+
+  }
+
+  // the class is only for the test TestNoAuthorizationProvider. this method won't be called,
+  // just for override. Return null has no problem here.
+  @Override
+  public PolicyEngine getPolicyEngine() {
+    return null;
+  }
+}
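Review bot: The comment on `getPolicyEngine` says the class exists only for TestNoAuthorizationProvider, yet it is added under src/main and implements the public AuthorizationProvider interface, so nothing visible here stops it being used as a real provider. In that case `getPolicyEngine()` hands callers a null to dereference; failing explicitly is clearer, e.g. `throw new UnsupportedOperationException("NoAuthorizationProvider has no policy engine");`, or else the null return should be documented on the interface method. A class-level Javadoc stating that this provider denies every request (`hasAccess` always returns false) would make the fail-closed intent explicit, and `noGroupMappingService` can be `private final`.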

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
new file mode 100644
index 0000000..a6b2047
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
@@ -0,0 +1,227 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.common;
+
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SPLITTER;
+import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
+import static org.apache.sentry.core.common.utils.SentryConstants.PRIVILEGE_NAME;
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.sentry.core.common.Action;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.Model;
+import org.apache.sentry.core.common.exception.SentryConfigurationException;
+import org.apache.sentry.core.common.Subject;
+import org.apache.sentry.core.common.service.GroupMappingService;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.policy.common.Privilege;
+import org.apache.sentry.policy.common.PrivilegeFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Function;
+import com.google.common.base.Preconditions;
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Iterables;
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
+
+public abstract class ResourceAuthorizationProvider implements AuthorizationProvider {
+  private static final Logger LOGGER = LoggerFactory
+      .getLogger(ResourceAuthorizationProvider.class);
+  private final static ThreadLocal<List<String>> lastFailedPrivileges =
+      new ThreadLocal<List<String>>() {
+        @Override
+        protected List<String> initialValue() {
+          return new ArrayList<String>();
+        }
+      };
+
+  private final GroupMappingService groupService;
+  private final PolicyEngine policy;
+  private final PrivilegeFactory privilegeFactory;
+  private final Model model;
+
+  public ResourceAuthorizationProvider(PolicyEngine policy,
+      GroupMappingService groupService, Model model) {
+    this.policy = policy;
+    this.groupService = groupService;
+    this.privilegeFactory = policy.getPrivilegeFactory();
+    this.model = model;
+  }
+
+  /***
+   * @param subject: UserID to validate privileges
+   * @param authorizableHierarchy : List of object according to namespace hierarchy.
+   *        eg. Server->Db->Table or Server->Function
+   *        The privileges will be validated from the higher to lower scope
+   * @param actions : Privileges to validate
+   * @return
+   *        True if the subject is authorized to perform requested action on the given object
+   */
+  @Override
+  public boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy,
+      Set<? extends Action> actions, ActiveRoleSet roleSet) {
+    if(LOGGER.isDebugEnabled()) {
+      LOGGER.debug("Authorization Request for " + subject + " " +
+          authorizableHierarchy + " and " + actions);
+    }
+    Preconditions.checkNotNull(subject, "Subject cannot be null");
+    Preconditions.checkNotNull(authorizableHierarchy, "Authorizable cannot be null");
+    Preconditions.checkArgument(!authorizableHierarchy.isEmpty(), "Authorizable cannot be empty");
+    Preconditions.checkNotNull(actions, "Actions cannot be null");
+    Preconditions.checkArgument(!actions.isEmpty(), "Actions cannot be empty");
+    Preconditions.checkNotNull(roleSet, "ActiveRoleSet cannot be null");
+    return doHasAccess(subject, authorizableHierarchy, actions, roleSet);
+  }
+
+  private boolean doHasAccess(Subject subject,
+      List<? extends Authorizable> authorizables, Set<? extends Action> actions,
+      ActiveRoleSet roleSet) {
+    Set<String> groups =  getGroups(subject);
+    Set<String> users = Sets.newHashSet(subject.getName());
+    Set<String> hierarchy = new HashSet<String>();
+    for (Authorizable authorizable : authorizables) {
+      hierarchy.add(KV_JOINER.join(authorizable.getTypeName(), authorizable.getName()));
+    }
+    List<String> requestPrivileges = buildPermissions(authorizables, actions);
+    Iterable<Privilege> privileges = getPrivileges(groups, users, roleSet,
+        authorizables.toArray(new Authorizable[0]));
+    lastFailedPrivileges.get().clear();
+
+    for (String requestPrivilege : requestPrivileges) {
+      Privilege priv = privilegeFactory.createPrivilege(requestPrivilege);
+      for (Privilege permission : privileges) {
+        /*
+         * Does the permission granted in the policy file imply the requested action?
+         */
+        boolean result = permission.implies(priv, model);
+        if (LOGGER.isDebugEnabled()) {
+          LOGGER.debug("ProviderPrivilege {}, RequestPrivilege {}, RoleSet, {}, Result {}",
+              new Object[]{ permission, requestPrivilege, roleSet, result});
+        }
+        if (result) {
+          return true;
+        }
+      }
+    }
+
+    lastFailedPrivileges.get().addAll(requestPrivileges);
+    return false;
+  }
+
+  private Iterable<Privilege> getPrivileges(Set<String> groups, Set<String> users,
+      ActiveRoleSet roleSet, Authorizable[] authorizables) {
+    ImmutableSet<String> privileges = policy.getPrivileges(groups, users, roleSet, authorizables);
+    return Iterables.transform(appendDefaultDBPriv(privileges, authorizables),
+        new Function<String, Privilege>() {
+      @Override
+      public Privilege apply(String privilege) {
+        return privilegeFactory.createPrivilege(privilege);
+      }
+    });
+  }
+
+  private ImmutableSet<String> appendDefaultDBPriv(ImmutableSet<String> privileges, Authorizable[] authorizables) {
+    // Only for switch db
+    if (authorizables != null && authorizables.length == 4 && authorizables[2].getName().equals("+")
+      && privileges.size() == 1 && hasOnlyServerPrivilege(privileges.asList().get(0))) {
+      // Assuming authorizable[0] will always be the server
+      // This Code is only reachable only when user fires a 'use default'
+      // and the user has a privilege on atleast 1 privilized Object
+      String defaultPriv = "Server=" + authorizables[0].getName()
+          + "->Db=default->Table=*->Column=*->action=select";
+      Set<String> newPrivs = Sets.newHashSet(defaultPriv);
+      return ImmutableSet.copyOf(newPrivs);
+    }
+    return privileges;
+  }
+
+  private boolean hasOnlyServerPrivilege(String priv) {
+    ArrayList<String> l = Lists.newArrayList(AUTHORIZABLE_SPLITTER.split(priv));
+    if (l.size() == 1 && l.get(0).toLowerCase().startsWith("server")) {
+      return l.get(0).toLowerCase().split("=")[1].endsWith("+");
+    }
+    return false;
+  }
+
+  @Override
+  public GroupMappingService getGroupMapping() {
+    return groupService;
+  }
+
+  private Set<String> getGroups(Subject subject) {
+    return groupService.getGroups(subject.getName());
+  }
+
+  @Override
+  public void validateResource(boolean strictValidation) throws SentryConfigurationException {
+    policy.validatePolicy(strictValidation);
+  }
+
+  @Override
+  public Set<String> listPrivilegesForSubject(Subject subject) throws SentryConfigurationException {
+    return policy.getPrivileges(getGroups(subject), Sets.newHashSet(subject.getName()),
+        ActiveRoleSet.ALL, (Authorizable[]) null);
+  }
+
+  @Override
+  public Set<String> listPrivilegesForGroup(String groupName) throws SentryConfigurationException {
+    return policy.getPrivileges(Sets.newHashSet(groupName), ActiveRoleSet.ALL);
+  }
+
+  @Override
+  public List<String> getLastFailedPrivileges() {
+    return lastFailedPrivileges.get();
+  }
+
+  @Override
+  public void close() {
+    if (policy != null) {
+      policy.close();
+    }
+  }
+
+  private List<String> buildPermissions(List<? extends Authorizable> authorizables,
+      Set<? extends Action> actions) {
+    List<String> hierarchy = new ArrayList<String>();
+    List<String> requestedPermissions = new ArrayList<String>();
+
+    for (Authorizable authorizable : authorizables) {
+      hierarchy.add(KV_JOINER.join(authorizable.getTypeName(), authorizable.getName()));
+    }
+
+    for (Action action : actions) {
+      String requestPermission = AUTHORIZABLE_JOINER.join(hierarchy);
+      requestPermission = AUTHORIZABLE_JOINER.join(requestPermission,
+          KV_JOINER.join(PRIVILEGE_NAME, action.getValue()));
+      requestedPermissions.add(requestPermission);
+    }
+    return requestedPermissions;
+  }
+
+  @Override
+  public PolicyEngine getPolicyEngine() {
+    return policy;
+  }
+}
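Review bot: `hasOnlyServerPrivilege` indexes `split("=")[1]` without checking the array length, so a single-segment privilege that starts with "server" but has no value after `=` (or no `=` at all) would throw ArrayIndexOutOfBoundsException out of `hasAccess` rather than producing a plain deny. A guarded form is `String[] kv = l.get(0).toLowerCase().split("=");` followed by `return kv.length > 1 && kv[1].endsWith("+");`. Whether such a string can reach this point depends on validation in the policy engine, which is outside this page. In `doHasAccess` the local `hierarchy` set is filled but never read and can be dropped, and `getLastFailedPrivileges` returns the live list from a static ThreadLocal, so it is shared by every provider instance on the thread and mutable by callers; returning a copy would be safer.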

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
new file mode 100644
index 0000000..bf2c5a1
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
@@ -0,0 +1,51 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.file;
+
+import java.io.IOException;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.Model;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.core.common.service.GroupMappingService;
+
+import com.google.common.annotations.VisibleForTesting;
+
+/**
+ * Kept for backwards compatibility
+ */
+@Deprecated
+public class HadoopGroupResourceAuthorizationProvider extends
+  org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider {
+
+  public HadoopGroupResourceAuthorizationProvider(String resource, PolicyEngine policy, Model model) throws IOException {
+    super(resource, policy, model);
+  }
+
+  public HadoopGroupResourceAuthorizationProvider(Configuration conf, String resource,
+      PolicyEngine policy, Model model) throws IOException {
+    super(conf, resource, policy, model);
+  }
+
+  @VisibleForTesting
+  public HadoopGroupResourceAuthorizationProvider(PolicyEngine policy,
+      GroupMappingService groupService, Model model) {
+    super(policy, groupService, model);
+  }
+
+}
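Review bot: The `@Deprecated` annotation on this compatibility shim has no matching Javadoc `@deprecated` tag, so callers get a warning without being told what to migrate to. The class comment only says "Kept for backwards compatibility"; I would extend it with `@deprecated use {@link org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider} instead`. Because the shim and its parent share a simple name, spelling out the fully qualified replacement in the comment also avoids confusion for anyone reading configuration that names the provider class by string.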

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
new file mode 100644
index 0000000..7e570ae
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
@@ -0,0 +1,122 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.file;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Map.Entry;
+import java.util.Set;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.FileSystem;
+import org.apache.hadoop.fs.Path;
+import org.apache.sentry.core.common.service.GroupMappingService;
+import org.apache.sentry.core.common.utils.PolicyFiles;
+import org.apache.sentry.core.common.utils.SentryConstants;
+import org.apache.sentry.core.common.utils.PolicyFileConstants;
+import org.apache.sentry.core.common.exception.SentryGroupNotFoundException;
+import org.apache.shiro.config.Ini;
+import org.apache.shiro.config.Ini.Section;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.annotations.VisibleForTesting;
+import com.google.common.base.Strings;
+import com.google.common.collect.Sets;
+
+/**
+ * Mapping users to groups
+ * parse the ini file with section [users] that contains the user names.
+ * For each user in that list, there's section that contains the group
+ * name for that user If there's no user section or no group section for
+ * one of users, then just print a warning and continue.
+ * Example -
+ * [users]
+ * usr1
+ * usr2
+ *
+ * [[usr1]
+ * group1
+ * group11
+ *
+ * [usr2]
+ * group21
+ * group22
+ *
+ */
+public class LocalGroupMappingService implements GroupMappingService {
+
+  private static final Logger LOGGER = LoggerFactory
+      .getLogger(LocalGroupMappingService.class);
+
+  private final Map <String, Set<String>> groupMap =
+      new HashMap <String, Set<String>> ();
+
+  public LocalGroupMappingService(Path resourcePath) throws IOException {
+    this(new Configuration(), resourcePath);
+  }
+
+  @VisibleForTesting
+  public LocalGroupMappingService(Configuration configuration, Path resourcePath)
+      throws IOException {
+    // parse user/group mapping
+    parseGroups(resourcePath.getFileSystem(configuration), resourcePath);
+  }
+
+  public LocalGroupMappingService(Configuration configuration, String resource)
+      throws IOException {
+    this(configuration, new Path(resource));
+  }
+
+  @Override
+  public Set<String> getGroups(String user) {
+    Set<String> groups = groupMap.get(user);
+    if (groups == null || groups.isEmpty()) {
+      throw new SentryGroupNotFoundException("Unable to obtain groups for " + user);
+    }
+    return groups;
+  }
+
+  private void parseGroups(FileSystem fileSystem, Path resourcePath) throws IOException {
+    Ini ini = PolicyFiles.loadFromPath(fileSystem, resourcePath);
+    Section usersSection = ini.getSection(PolicyFileConstants.USERS);
+    if (usersSection == null) {
+      LOGGER.warn("No section " + PolicyFileConstants.USERS + " in the " + resourcePath);
+      return;
+    }
+    for (Entry<String, String> userEntry : usersSection.entrySet()) {
+      String userName = Strings.nullToEmpty(userEntry.getKey()).trim();
+      String groupNames = Strings.nullToEmpty(userEntry.getValue()).trim();
+      if (userName.isEmpty()) {
+        LOGGER.error("Invalid user name in the " + resourcePath);
+        continue;
+      }
+      if (groupNames.isEmpty()) {
+        LOGGER.warn("No groups available for user " + userName +
+            " in the " + resourcePath);
+        continue;
+      }
+      Set<String> groupList = Sets.newHashSet(SentryConstants.ROLE_SPLITTER.trimResults().split(
+          groupNames));
+      LOGGER.debug("Got user mapping: " + userName + ", Groups: " + groupNames);
+      groupMap.put(userName, groupList);
+    }
+  }
+
+}
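Review bot: `getGroups` returns the same mutable `HashSet` instance that is stored in `groupMap`, so any caller that adds to or removes from the returned set silently changes the group membership used for every later authorization lookup for that user. Storing an unmodifiable view in `parseGroups` closes this, e.g. `groupMap.put(userName, Collections.unmodifiableSet(groupList));` (needs `java.util.Collections` imported). Separately, the class Javadoc describes a layout with one section per user and contains the typo `[[usr1]`, while `parseGroups` actually reads `user = group1,group2` entries from the `[users]` section, as the test fixture in this commit does; the comment should be rewritten to show that format.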

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java
new file mode 100644
index 0000000..a9e7836
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/src/main/java/org/apache/sentry/provider/file/LocalGroupResourceAuthorizationProvider.java
@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.file;
+
+import java.io.IOException;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.fs.Path;
+import org.apache.sentry.core.common.Model;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.provider.common.ResourceAuthorizationProvider;
+
+
+public class LocalGroupResourceAuthorizationProvider extends
+  ResourceAuthorizationProvider {
+
+  public LocalGroupResourceAuthorizationProvider(String resource, PolicyEngine policy,
+      Model model) throws IOException {
+    super(policy, new LocalGroupMappingService(new Path(resource)), model);
+  }
+
+  public LocalGroupResourceAuthorizationProvider(Configuration conf, String resource, PolicyEngine policy,
+      Model model) throws IOException {
+    super(policy, new LocalGroupMappingService(conf, new Path(resource)), model);
+  }
+}
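Review bot: This class has no Javadoc, and the one fact a deployer needs is not stated anywhere in it: both constructors wire in `LocalGroupMappingService`, so user-to-group membership comes from the policy resource itself rather than from an external group service. I would add a class comment such as `/** Authorization provider whose user-to-group mapping is read from the [users] section of the policy resource. */`. Since membership then depends entirely on that file's contents, write access to the resource is presumably equivalent to being able to assign groups, and the comment is a good place to say the file must be protected accordingly.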

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java b/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
new file mode 100644
index 0000000..f6d8c05
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
@@ -0,0 +1,91 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.common;
+
+import static org.junit.Assert.assertSame;
+
+import java.util.Set;
+
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.exception.SentryConfigurationException;
+import org.apache.sentry.core.common.service.GroupMappingService;
+import org.apache.sentry.policy.common.PolicyEngine;
+import org.apache.sentry.policy.common.PrivilegeFactory;
+import org.junit.Test;
+
+import com.google.common.collect.ImmutableSet;
+import com.google.common.collect.Sets;
+
+public class TestGetGroupMapping {
+
+  private static class TestResourceAuthorizationProvider extends ResourceAuthorizationProvider {
+    public TestResourceAuthorizationProvider(PolicyEngine policy,
+      GroupMappingService groupService) {
+      super(policy, groupService, null);
+    }
+  };
+
+  @Test
+  public void testResourceAuthorizationProvider() {
+    final Set<String> set = Sets.newHashSet("a", "b", "c");
+    GroupMappingService mappingService = new GroupMappingService() {
+      @Override
+      public Set<String> getGroups(String user) { return set; }
+    };
+    PolicyEngine policyEngine = new PolicyEngine() {
+      @Override
+      public PrivilegeFactory getPrivilegeFactory() { return null; }
+
+      @Override
+      public ImmutableSet<String> getAllPrivileges(Set<String> groups,
+          ActiveRoleSet roleSet) throws SentryConfigurationException {
+        return getPrivileges(groups, roleSet);
+      }
+
+      @Override
+      public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizableHierarchy) {
+        return ImmutableSet.of();
+      }
+
+      @Override
+      public void validatePolicy(boolean strictValidation)
+          throws SentryConfigurationException {
+      }
+
+      @Override
+      public ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String> users,
+          ActiveRoleSet roleSet) throws SentryConfigurationException {
+        return getPrivileges(groups, users, roleSet);
+      }
+
+      @Override
+      public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String> users,
+          ActiveRoleSet roleSet, Authorizable... authorizableHierarchy)
+          throws SentryConfigurationException {
+        return ImmutableSet.of();
+      }
+
+      @Override
+      public void close() {}
+    };
+
+    TestResourceAuthorizationProvider authProvider =
+      new TestResourceAuthorizationProvider(policyEngine, mappingService);
+    assertSame(authProvider.getGroupMapping(), mappingService);
+  }
+}
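Review bot: The arguments to `assertSame` are in the wrong order; JUnit expects `(expected, actual)`, so a failure here would report the provider's value as the expected one. It should read `assertSame(mappingService, authProvider.getGroupMapping());`. The same reversal appears in the `Assert.assertEquals(..., 0)` calls in TestNoAuthorizationProvider and in the two `Assert.assertEquals` calls in TestLocalGroupMapping. There is also a stray `;` after the closing brace of the nested `TestResourceAuthorizationProvider` class.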

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java b/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
new file mode 100644
index 0000000..9762b99
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/common/TestNoAuthorizationProvider.java
@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.common;
+
+import org.apache.sentry.core.common.service.GroupMappingService;
+import org.junit.Assert;
+import org.junit.Test;
+
+/**
+ * Tests around the NoAuthorizationProvider
+ */
+public class TestNoAuthorizationProvider {
+
+  @Test
+  public void testNoAuthorizationProvider() {
+    NoAuthorizationProvider nap = new NoAuthorizationProvider();
+    Assert.assertFalse(nap.hasAccess(null, null, null, null));
+
+    GroupMappingService gms = nap.getGroupMapping();
+    Assert.assertEquals(gms.getGroups(null).size(), 0);
+    Assert.assertEquals(gms.getGroups("").size(), 0);
+    Assert.assertEquals(gms.getGroups("a").size(), 0);
+  }
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java b/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
new file mode 100644
index 0000000..9864b82
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/src/test/java/org/apache/sentry/provider/file/TestLocalGroupMapping.java
@@ -0,0 +1,74 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.provider.file;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.Set;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.hadoop.fs.Path;
+import org.apache.sentry.core.common.exception.SentryGroupNotFoundException;
+import org.apache.sentry.core.common.utils.PolicyFiles;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+import com.google.common.io.Files;
+
+public class TestLocalGroupMapping {
+
+  private static final String resourcePath = "test-authz-provider-local-group-mapping.ini";
+  private static final Set<String> fooGroups = Sets.newHashSet("admin", "analyst");
+  private static final Set<String> barGroups = Sets.newHashSet("jranalyst");
+
+  private LocalGroupMappingService localGroupMapping;
+
+  private File baseDir;
+
+  @Before
+  public void setup() throws IOException {
+    baseDir = Files.createTempDir();
+    PolicyFiles.copyToDir(baseDir, resourcePath);
+    localGroupMapping = new LocalGroupMappingService(new Path(new File(baseDir, resourcePath).getPath()));
+  }
+
+  @After
+  public void teardown() {
+    if(baseDir != null) {
+      FileUtils.deleteQuietly(baseDir);
+    }
+  }
+
+  @Test
+  public void testGroupMapping() {
+    Set<String> fooGroupsFromResource = localGroupMapping.getGroups("foo");
+    Assert.assertEquals(fooGroupsFromResource, fooGroups);
+
+    Set<String> barGroupsFromResource = localGroupMapping.getGroups("bar");
+    Assert.assertEquals(barGroupsFromResource, barGroups);
+
+    try {
+      localGroupMapping.getGroups("unknown");
+      Assert.fail("SentryGroupNotFoundException should be thrown.");
+    } catch (SentryGroupNotFoundException sgnfe) {
+    }
+  }
+}
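Review bot: `Files.createTempDir()` in `setup()` is Guava's helper, which Guava later deprecated because the directory it creates can be readable by other local users on a shared build host, and this directory holds a policy file. The JDK call creates the directory with owner-only permissions on POSIX systems: `baseDir = java.nio.file.Files.createTempDirectory("sentry-authz-test").toFile();` (fully qualified because Guava's `Files` is already imported; the prefix is a constructed example). The empty `catch (SentryGroupNotFoundException sgnfe)` block in `testGroupMapping` would also read better with the variable named `expected` and a short comment saying the exception is the asserted outcome.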

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/test/resources/log4j.properties
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-authorization-provider/src/test/resources/log4j.properties b/sentry-provider/sentry-authorization-provider/src/test/resources/log4j.properties
new file mode 100644
index 0000000..c41373c
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/src/test/resources/log4j.properties
@@ -0,0 +1,31 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+# Define some default values that can be overridden by system properties.
+#
+# For testing, it may also be convenient to specify
+
+log4j.rootLogger=DEBUG,console
+
+log4j.appender.console=org.apache.log4j.ConsoleAppender
+log4j.appender.console.target=System.err
+log4j.appender.console.layout=org.apache.log4j.PatternLayout
+log4j.appender.console.layout.ConversionPattern=%d (%t) [%p - %l] %m%n
+
+log4j.logger.org.apache.hadoop.conf.Configuration=INFO

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-authorization-provider/src/test/resources/test-authz-provider-local-group-mapping.ini
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-authorization-provider/src/test/resources/test-authz-provider-local-group-mapping.ini b/sentry-provider/sentry-authorization-provider/src/test/resources/test-authz-provider-local-group-mapping.ini
new file mode 100644
index 0000000..e6fc290
--- /dev/null
+++ b/sentry-provider/sentry-authorization-provider/src/test/resources/test-authz-provider-local-group-mapping.ini
@@ -0,0 +1,33 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+[groups]
+manager = analyst_role, junior_analyst_role, functions
+analyst = analyst_role
+jranalyst = junior_analyst_role
+admin = admin
+
+[roles]
+analyst_role = server=server1->db=customers->table=purchases->select, server=server1->db=analyst1, \
+	server=server1->db=jranalyst1->table=*->select
+junior_analyst_role = server=server1->db=jranalyst1
+functions = server=server1->functions
+admin = server=server1
+
+[users]
+foo = admin,analyst
+bar = jranalyst

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-provider-cache/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-cache/pom.xml b/sentry-provider/sentry-provider-cache/pom.xml
index 694df36..d4e0b8b 100644
--- a/sentry-provider/sentry-provider-cache/pom.xml
+++ b/sentry-provider/sentry-provider-cache/pom.xml
@@ -72,6 +72,10 @@ limitations under the License.
     </dependency>
     <dependency>
       <groupId>org.apache.sentry</groupId>
+      <artifactId>sentry-policy-engine</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.sentry</groupId>
       <artifactId>sentry-provider-file</artifactId>
       <scope>test</scope>
     </dependency>

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-provider-common/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/pom.xml b/sentry-provider/sentry-provider-common/pom.xml
index f83f594..4c8b13e 100644
--- a/sentry-provider/sentry-provider-common/pom.xml
+++ b/sentry-provider/sentry-provider-common/pom.xml
@@ -29,17 +29,12 @@ limitations under the License.
 
   <dependencies>
     <dependency>
-      <groupId>junit</groupId>
-      <artifactId>junit</artifactId>
-      <scope>test</scope>
-    </dependency>
-    <dependency>
       <groupId>org.apache.hadoop</groupId>
       <artifactId>hadoop-common</artifactId>
     </dependency>
     <dependency>
       <groupId>org.apache.sentry</groupId>
-      <artifactId>sentry-policy-common</artifactId>
+      <artifactId>sentry-core-common</artifactId>
     </dependency>
     <dependency>
       <groupId>com.google.guava</groupId>

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
deleted file mode 100644
index 3d6440f..0000000
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/AuthorizationProvider.java
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.common;
-
-import java.util.List;
-import java.util.Set;
-
-import javax.annotation.concurrent.ThreadSafe;
-
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.exception.SentryConfigurationException;
-import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.core.common.service.GroupMappingService;
-import org.apache.sentry.policy.common.PolicyEngine;
-
-/**
- * Implementations of AuthorizationProvider must be threadsafe.
- */
-@ThreadSafe
-public interface AuthorizationProvider {
-
-  String SENTRY_PROVIDER = "sentry.provider";
-
-  /***
-   * Returns validate subject privileges on given Authorizable object
-   *
-   * @param subject: UserID to validate privileges
-   * @param authorizableHierarchy : List of object according to namespace hierarchy.
-   *        eg. Server->Db->Table or Server->Function
-   *        The privileges will be validated from the higher to lower scope
-   * @param actions : Privileges to validate
-   * @param roleSet : Roles which should be used when obtaining privileges
-   * @return
-   *        True if the subject is authorized to perform requested action on the given object
-   */
-  boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy,
-      Set<? extends Action> actions, ActiveRoleSet roleSet);
-
-  /***
-   * Get the GroupMappingService used by the AuthorizationProvider
-   *
-   * @return GroupMappingService used by the AuthorizationProvider
-   */
-  GroupMappingService getGroupMapping();
-
-  /***
-   * Validate the policy file format for syntax and semantic errors
-   * @param strictValidation
-   * @throws SentryConfigurationException
-   */
-  void validateResource(boolean strictValidation) throws SentryConfigurationException;
-
-  /***
-   * Returns the list privileges for the given subject
-   * @param subject
-   * @return
-   * @throws SentryConfigurationException
-   */
-  Set<String> listPrivilegesForSubject(Subject subject) throws SentryConfigurationException;
-
-  /**
-   * Returns the list privileges for the given group
-   * @param groupName
-   * @return
-   * @throws SentryConfigurationException
-   */
-  Set<String> listPrivilegesForGroup(String groupName) throws SentryConfigurationException;
-
-  /***
-   * Returns the list of missing privileges of the last access request
-   * @return
-   */
-  List<String> getLastFailedPrivileges();
-
-  /**
-   * Frees any resources held by the the provider
-   */
-  void close();
-
-  /**
-   * Get the policy engine
-   */
-  PolicyEngine getPolicyEngine();
-}

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
deleted file mode 100644
index 6e5dbc3..0000000
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupResourceAuthorizationProvider.java
+++ /dev/null
@@ -1,64 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.common;
-
-import java.io.IOException;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.security.Groups;
-import org.apache.sentry.core.common.Model;
-import org.apache.sentry.core.common.service.GroupMappingService;
-import org.apache.sentry.core.common.service.HadoopGroupMappingService;
-import org.apache.sentry.policy.common.PolicyEngine;
-
-import com.google.common.annotations.VisibleForTesting;
-
-public class HadoopGroupResourceAuthorizationProvider extends
-  ResourceAuthorizationProvider {
-
-  // if set to true in the Configuration, constructs a new Group object
-  // for the GroupMappingService rather than using Hadoop's static mapping.
-  public static final String CONF_PREFIX = HadoopGroupResourceAuthorizationProvider.class.getName();
-  public static final String USE_NEW_GROUPS = CONF_PREFIX + ".useNewGroups";
-
-  // resource parameter present so that other AuthorizationProviders (e.g.
-  // LocalGroupResourceAuthorizationProvider) has the same constructor params.
-  public HadoopGroupResourceAuthorizationProvider(String resource, PolicyEngine policy,
-      Model model) throws IOException {
-    this(new Configuration(), resource, policy, model);
-  }
-
-  public HadoopGroupResourceAuthorizationProvider(Configuration conf, String resource, //NOPMD
-      PolicyEngine policy, Model model) throws IOException {
-    this(policy, new HadoopGroupMappingService(getGroups(conf)), model);
-  }
-
-  @VisibleForTesting
-  public HadoopGroupResourceAuthorizationProvider(PolicyEngine policy,
-      GroupMappingService groupService, Model model) {
-    super(policy, groupService, model);
-  }
-
-  private static Groups getGroups(Configuration conf) {
-    if (conf.getBoolean(USE_NEW_GROUPS, false)) {
-      return new Groups(conf);
-    } else {
-      return Groups.getUserToGroupsMappingService(conf);
-    }
-  }
-}

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
deleted file mode 100644
index 11dbfb7..0000000
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/NoAuthorizationProvider.java
+++ /dev/null
@@ -1,79 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.common;
-
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.exception.SentryConfigurationException;
-import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.core.common.service.GroupMappingService;
-import org.apache.sentry.core.common.service.NoGroupMappingService;
-import org.apache.sentry.policy.common.PolicyEngine;
-
-public class NoAuthorizationProvider implements AuthorizationProvider {
-  private GroupMappingService noGroupMappingService = new NoGroupMappingService();
-
-  @Override
-  public boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy,
-      Set<? extends Action> actions, ActiveRoleSet roleSet) {
-    return false;
-  }
-
-  @Override
-  public GroupMappingService getGroupMapping() {
-    return noGroupMappingService;
-  }
-
-  @Override
-  public void validateResource(boolean strictValidation) throws SentryConfigurationException {
-  }
-
-  @Override
-  public Set<String> listPrivilegesForSubject(Subject subject)
-      throws SentryConfigurationException {
-    return new HashSet<String>();
-  }
-
-  @Override
-  public Set<String> listPrivilegesForGroup(String groupName)
-      throws SentryConfigurationException {
-    return new HashSet<String>();
-  }
-
-  @Override
-  public List<String> getLastFailedPrivileges() {
-    return new ArrayList<String>();
-  }
-
-  @Override
-  public void close() {
-
-  }
-
-  // the class is only for the test TestNoAuthorizationProvider. this method won't be called,
-  // just for override. Return null has no problem here.
-  @Override
-  public PolicyEngine getPolicyEngine() {
-    return null;
-  }
-}

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
deleted file mode 100644
index a6b2047..0000000
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/ResourceAuthorizationProvider.java
+++ /dev/null
@@ -1,227 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.common;
-
-import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_JOINER;
-import static org.apache.sentry.core.common.utils.SentryConstants.AUTHORIZABLE_SPLITTER;
-import static org.apache.sentry.core.common.utils.SentryConstants.KV_JOINER;
-import static org.apache.sentry.core.common.utils.SentryConstants.PRIVILEGE_NAME;
-
-import java.util.ArrayList;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Set;
-
-import org.apache.sentry.core.common.Action;
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.Model;
-import org.apache.sentry.core.common.exception.SentryConfigurationException;
-import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.core.common.service.GroupMappingService;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.policy.common.Privilege;
-import org.apache.sentry.policy.common.PrivilegeFactory;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Function;
-import com.google.common.base.Preconditions;
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Iterables;
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
-
-public abstract class ResourceAuthorizationProvider implements AuthorizationProvider {
-  private static final Logger LOGGER = LoggerFactory
-      .getLogger(ResourceAuthorizationProvider.class);
-  private final static ThreadLocal<List<String>> lastFailedPrivileges =
-      new ThreadLocal<List<String>>() {
-        @Override
-        protected List<String> initialValue() {
-          return new ArrayList<String>();
-        }
-      };
-
-  private final GroupMappingService groupService;
-  private final PolicyEngine policy;
-  private final PrivilegeFactory privilegeFactory;
-  private final Model model;
-
-  public ResourceAuthorizationProvider(PolicyEngine policy,
-      GroupMappingService groupService, Model model) {
-    this.policy = policy;
-    this.groupService = groupService;
-    this.privilegeFactory = policy.getPrivilegeFactory();
-    this.model = model;
-  }
-
-  /***
-   * @param subject: UserID to validate privileges
-   * @param authorizableHierarchy : List of object according to namespace hierarchy.
-   *        eg. Server->Db->Table or Server->Function
-   *        The privileges will be validated from the higher to lower scope
-   * @param actions : Privileges to validate
-   * @return
-   *        True if the subject is authorized to perform requested action on the given object
-   */
-  @Override
-  public boolean hasAccess(Subject subject, List<? extends Authorizable> authorizableHierarchy,
-      Set<? extends Action> actions, ActiveRoleSet roleSet) {
-    if(LOGGER.isDebugEnabled()) {
-      LOGGER.debug("Authorization Request for " + subject + " " +
-          authorizableHierarchy + " and " + actions);
-    }
-    Preconditions.checkNotNull(subject, "Subject cannot be null");
-    Preconditions.checkNotNull(authorizableHierarchy, "Authorizable cannot be null");
-    Preconditions.checkArgument(!authorizableHierarchy.isEmpty(), "Authorizable cannot be empty");
-    Preconditions.checkNotNull(actions, "Actions cannot be null");
-    Preconditions.checkArgument(!actions.isEmpty(), "Actions cannot be empty");
-    Preconditions.checkNotNull(roleSet, "ActiveRoleSet cannot be null");
-    return doHasAccess(subject, authorizableHierarchy, actions, roleSet);
-  }
-
-  private boolean doHasAccess(Subject subject,
-      List<? extends Authorizable> authorizables, Set<? extends Action> actions,
-      ActiveRoleSet roleSet) {
-    Set<String> groups =  getGroups(subject);
-    Set<String> users = Sets.newHashSet(subject.getName());
-    Set<String> hierarchy = new HashSet<String>();
-    for (Authorizable authorizable : authorizables) {
-      hierarchy.add(KV_JOINER.join(authorizable.getTypeName(), authorizable.getName()));
-    }
-    List<String> requestPrivileges = buildPermissions(authorizables, actions);
-    Iterable<Privilege> privileges = getPrivileges(groups, users, roleSet,
-        authorizables.toArray(new Authorizable[0]));
-    lastFailedPrivileges.get().clear();
-
-    for (String requestPrivilege : requestPrivileges) {
-      Privilege priv = privilegeFactory.createPrivilege(requestPrivilege);
-      for (Privilege permission : privileges) {
-        /*
-         * Does the permission granted in the policy file imply the requested action?
-         */
-        boolean result = permission.implies(priv, model);
-        if (LOGGER.isDebugEnabled()) {
-          LOGGER.debug("ProviderPrivilege {}, RequestPrivilege {}, RoleSet, {}, Result {}",
-              new Object[]{ permission, requestPrivilege, roleSet, result});
-        }
-        if (result) {
-          return true;
-        }
-      }
-    }
-
-    lastFailedPrivileges.get().addAll(requestPrivileges);
-    return false;
-  }
-
-  private Iterable<Privilege> getPrivileges(Set<String> groups, Set<String> users,
-      ActiveRoleSet roleSet, Authorizable[] authorizables) {
-    ImmutableSet<String> privileges = policy.getPrivileges(groups, users, roleSet, authorizables);
-    return Iterables.transform(appendDefaultDBPriv(privileges, authorizables),
-        new Function<String, Privilege>() {
-      @Override
-      public Privilege apply(String privilege) {
-        return privilegeFactory.createPrivilege(privilege);
-      }
-    });
-  }
-
-  private ImmutableSet<String> appendDefaultDBPriv(ImmutableSet<String> privileges, Authorizable[] authorizables) {
-    // Only for switch db
-    if (authorizables != null && authorizables.length == 4 && authorizables[2].getName().equals("+")
-      && privileges.size() == 1 && hasOnlyServerPrivilege(privileges.asList().get(0))) {
-      // Assuming authorizable[0] will always be the server
-      // This Code is only reachable only when user fires a 'use default'
-      // and the user has a privilege on atleast 1 privilized Object
-      String defaultPriv = "Server=" + authorizables[0].getName()
-          + "->Db=default->Table=*->Column=*->action=select";
-      Set<String> newPrivs = Sets.newHashSet(defaultPriv);
-      return ImmutableSet.copyOf(newPrivs);
-    }
-    return privileges;
-  }
-
-  private boolean hasOnlyServerPrivilege(String priv) {
-    ArrayList<String> l = Lists.newArrayList(AUTHORIZABLE_SPLITTER.split(priv));
-    if (l.size() == 1 && l.get(0).toLowerCase().startsWith("server")) {
-      return l.get(0).toLowerCase().split("=")[1].endsWith("+");
-    }
-    return false;
-  }
-
-  @Override
-  public GroupMappingService getGroupMapping() {
-    return groupService;
-  }
-
-  private Set<String> getGroups(Subject subject) {
-    return groupService.getGroups(subject.getName());
-  }
-
-  @Override
-  public void validateResource(boolean strictValidation) throws SentryConfigurationException {
-    policy.validatePolicy(strictValidation);
-  }
-
-  @Override
-  public Set<String> listPrivilegesForSubject(Subject subject) throws SentryConfigurationException {
-    return policy.getPrivileges(getGroups(subject), Sets.newHashSet(subject.getName()),
-        ActiveRoleSet.ALL, (Authorizable[]) null);
-  }
-
-  @Override
-  public Set<String> listPrivilegesForGroup(String groupName) throws SentryConfigurationException {
-    return policy.getPrivileges(Sets.newHashSet(groupName), ActiveRoleSet.ALL);
-  }
-
-  @Override
-  public List<String> getLastFailedPrivileges() {
-    return lastFailedPrivileges.get();
-  }
-
-  @Override
-  public void close() {
-    if (policy != null) {
-      policy.close();
-    }
-  }
-
-  private List<String> buildPermissions(List<? extends Authorizable> authorizables,
-      Set<? extends Action> actions) {
-    List<String> hierarchy = new ArrayList<String>();
-    List<String> requestedPermissions = new ArrayList<String>();
-
-    for (Authorizable authorizable : authorizables) {
-      hierarchy.add(KV_JOINER.join(authorizable.getTypeName(), authorizable.getName()));
-    }
-
-    for (Action action : actions) {
-      String requestPermission = AUTHORIZABLE_JOINER.join(hierarchy);
-      requestPermission = AUTHORIZABLE_JOINER.join(requestPermission,
-          KV_JOINER.join(PRIVILEGE_NAME, action.getValue()));
-      requestedPermissions.add(requestPermission);
-    }
-    return requestedPermissions;
-  }
-
-  @Override
-  public PolicyEngine getPolicyEngine() {
-    return policy;
-  }
-}

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java b/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
deleted file mode 100644
index bf2c5a1..0000000
--- a/sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/file/HadoopGroupResourceAuthorizationProvider.java
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.file;
-
-import java.io.IOException;
-
-import org.apache.hadoop.conf.Configuration;
-import org.apache.sentry.core.common.Model;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.core.common.service.GroupMappingService;
-
-import com.google.common.annotations.VisibleForTesting;
-
-/**
- * Kept for backwards compatibility
- */
-@Deprecated
-public class HadoopGroupResourceAuthorizationProvider extends
-  org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider {
-
-  public HadoopGroupResourceAuthorizationProvider(String resource, PolicyEngine policy, Model model) throws IOException {
-    super(resource, policy, model);
-  }
-
-  public HadoopGroupResourceAuthorizationProvider(Configuration conf, String resource,
-      PolicyEngine policy, Model model) throws IOException {
-    super(conf, resource, policy, model);
-  }
-
-  @VisibleForTesting
-  public HadoopGroupResourceAuthorizationProvider(PolicyEngine policy,
-      GroupMappingService groupService, Model model) {
-    super(policy, groupService, model);
-  }
-
-}

http://git-wip-us.apache.org/repos/asf/sentry/blob/f45727ab/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java b/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
deleted file mode 100644
index f6d8c05..0000000
--- a/sentry-provider/sentry-provider-common/src/test/java/org/apache/sentry/provider/common/TestGetGroupMapping.java
+++ /dev/null
@@ -1,91 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.provider.common;
-
-import static org.junit.Assert.assertSame;
-
-import java.util.Set;
-
-import org.apache.sentry.core.common.ActiveRoleSet;
-import org.apache.sentry.core.common.Authorizable;
-import org.apache.sentry.core.common.exception.SentryConfigurationException;
-import org.apache.sentry.core.common.service.GroupMappingService;
-import org.apache.sentry.policy.common.PolicyEngine;
-import org.apache.sentry.policy.common.PrivilegeFactory;
-import org.junit.Test;
-
-import com.google.common.collect.ImmutableSet;
-import com.google.common.collect.Sets;
-
-public class TestGetGroupMapping {
-
-  private static class TestResourceAuthorizationProvider extends ResourceAuthorizationProvider {
-    public TestResourceAuthorizationProvider(PolicyEngine policy,
-      GroupMappingService groupService) {
-      super(policy, groupService, null);
-    }
-  };
-
-  @Test
-  public void testResourceAuthorizationProvider() {
-    final Set<String> set = Sets.newHashSet("a", "b", "c");
-    GroupMappingService mappingService = new GroupMappingService() {
-      @Override
-      public Set<String> getGroups(String user) { return set; }
-    };
-    PolicyEngine policyEngine = new PolicyEngine() {
-      @Override
-      public PrivilegeFactory getPrivilegeFactory() { return null; }
-
-      @Override
-      public ImmutableSet<String> getAllPrivileges(Set<String> groups,
-          ActiveRoleSet roleSet) throws SentryConfigurationException {
-        return getPrivileges(groups, roleSet);
-      }
-
-      @Override
-      public ImmutableSet<String> getPrivileges(Set<String> groups, ActiveRoleSet roleSet, Authorizable... authorizableHierarchy) {
-        return ImmutableSet.of();
-      }
-
-      @Override
-      public void validatePolicy(boolean strictValidation)
-          throws SentryConfigurationException {
-      }
-
-      @Override
-      public ImmutableSet<String> getAllPrivileges(Set<String> groups, Set<String> users,
-          ActiveRoleSet roleSet) throws SentryConfigurationException {
-        return getPrivileges(groups, users, roleSet);
-      }
-
-      @Override
-      public ImmutableSet<String> getPrivileges(Set<String> groups, Set<String> users,
-          ActiveRoleSet roleSet, Authorizable... authorizableHierarchy)
-          throws SentryConfigurationException {
-        return ImmutableSet.of();
-      }
-
-      @Override
-      public void close() {}
-    };
-
-    TestResourceAuthorizationProvider authProvider =
-      new TestResourceAuthorizationProvider(policyEngine, mappingService);
-    assertSame(authProvider.getGroupMapping(), mappingService);
-  }
-}

