You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@sentry.apache.org by co...@apache.org on 2016/07/21 05:54:56 UTC
[02/51] [partial] sentry git commit: SENTRY-1205: Refactor the code
for sentry-provider-db and create sentry-service module(Colin Ma,
reviewed by Dapeng Sun)
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
deleted file mode 100644
index 81059c5..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/provider/db/tools/TestSentryShellHive.java
+++ /dev/null
@@ -1,608 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.db.tools;
-
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
-
-import java.io.ByteArrayOutputStream;
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.PrintStream;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.Set;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.sentry.core.common.exception.SentryUserException;
-import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
-import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
-import org.junit.After;
-import org.junit.Before;
-import org.junit.Test;
-
-import com.google.common.collect.Sets;
-import com.google.common.io.Files;
-
-public class TestSentryShellHive extends SentryServiceIntegrationBase {
-
- private File confDir;
- private File confPath;
- private static String TEST_ROLE_NAME_1 = "testRole1";
- private static String TEST_ROLE_NAME_2 = "testRole2";
- private String requestorName = "";
-
- @Before
- public void prepareForTest() throws Exception {
- confDir = Files.createTempDir();
- confPath = new File(confDir, "sentry-site.xml");
- if (confPath.createNewFile()) {
- FileOutputStream to = new FileOutputStream(confPath);
- conf.writeXml(to);
- to.close();
- }
- requestorName = clientUgi.getShortUserName();
- Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
- setLocalGroupMapping(requestorName, requestorUserGroupNames);
- // add ADMIN_USER for the after() in SentryServiceIntegrationBase
- setLocalGroupMapping(ADMIN_USER, requestorUserGroupNames);
- writePolicyFile();
- }
-
- @After
- public void clearTestData() throws Exception {
- FileUtils.deleteQuietly(confDir);
- }
-
- @Test
- public void testCreateDropRole() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // test: create role with -cr
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // test: create role with --create_role
- args = new String[] { "--create_role", "-r", TEST_ROLE_NAME_2, "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
-
- // validate the result, list roles with -lr
- args = new String[] { "-lr", "-conf", confPath.getAbsolutePath() };
- SentryShellHive sentryShell = new SentryShellHive();
- Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
-
- // validate the result, list roles with --list_role
- args = new String[] { "--list_role", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
-
- // test: drop role with -dr
- args = new String[] { "-dr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // test: drop role with --drop_role
- args = new String[] { "--drop_role", "-r", TEST_ROLE_NAME_2, "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
-
- // validate the result
- Set<TSentryRole> roles = client.listRoles(requestorName);
- assertEquals("Incorrect number of roles", 0, roles.size());
- }
- });
- }
-
- @Test
- public void testAddDeleteRoleForGroup() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // create the role for test
- client.createRole(requestorName, TEST_ROLE_NAME_1);
- client.createRole(requestorName, TEST_ROLE_NAME_2);
- // test: add role to group with -arg
- String[] args = { "-arg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // test: add role to multiple groups
- args = new String[] { "-arg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup2,testGroup3",
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // test: add role to group with --add_role_group
- args = new String[] { "--add_role_group", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1",
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
-
- // validate the result list roles with -lr and -g
- args = new String[] { "-lr", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
- SentryShellHive sentryShell = new SentryShellHive();
- Set<String> roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1, TEST_ROLE_NAME_2);
-
-
- // list roles with --list_role and -g
- args = new String[] { "--list_role", "-g", "testGroup2", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1);
-
- args = new String[] { "--list_role", "-g", "testGroup3", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- roleNames = getShellResultWithOSRedirect(sentryShell, args, true);
- validateRoleNames(roleNames, TEST_ROLE_NAME_1);
-
- // test: delete role from group with -drg
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // test: delete role to multiple groups
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_1, "-g", "testGroup2,testGroup3",
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // test: delete role from group with --delete_role_group
- args = new String[] { "--delete_role_group", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1",
- "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
-
- // validate the result
- Set<TSentryRole> roles = client.listRolesByGroupName(requestorName, "testGroup1");
- assertEquals("Incorrect number of roles", 0, roles.size());
- roles = client.listRolesByGroupName(requestorName, "testGroup2");
- assertEquals("Incorrect number of roles", 0, roles.size());
- roles = client.listRolesByGroupName(requestorName, "testGroup3");
- assertEquals("Incorrect number of roles", 0, roles.size());
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1);
- client.dropRole(requestorName, TEST_ROLE_NAME_2);
- }
- });
- }
-
- @Test
- public void testGrantRevokePrivilegeWithShortOption() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // create the role for test
- client.createRole(requestorName, TEST_ROLE_NAME_1);
- client.createRole(requestorName, TEST_ROLE_NAME_2);
-
- // test: grant privilege to role with -gpr
- String[] args = { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->action=*",
- "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true",
- "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // for the uri privilege, the action will be awalys *
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
-
- // test the list privilege with -lp
- args = new String[] { "-lp", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellHive sentryShell = new SentryShellHive();
- Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true);
- // validate the result for -lp
- assertEquals("Incorrect number of privileges", 6, privilegeStrs.size());
- assertTrue(privilegeStrs.contains("server=server1->action=*"));
- assertTrue(privilegeStrs.contains("server=server1->db=db1->action=select"));
- assertTrue(privilegeStrs.contains("server=server1->db=db1->table=tbl1->action=insert"));
- assertTrue(privilegeStrs
- .contains("server=server1->db=db1->table=tbl1->column=col1->action=insert"));
- assertTrue(privilegeStrs
- .contains("server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true"));
- // for the uri privilege, the action will be awalys *
- assertTrue(privilegeStrs.contains("server=server1->uri=hdfs://path/testuri->action=*"));
-
- // test: revoke privilege from role with -rpr
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorName,
- TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 5, privileges.size());
-
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true",
- "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 4, privileges.size());
-
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 3, privileges.size());
-
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 2, privileges.size());
-
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 1, privileges.size());
-
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-p", "server=server1->action=*",
- "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 0, privileges.size());
-
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1);
- client.dropRole(requestorName, TEST_ROLE_NAME_2);
- }
- });
- }
-
- @Test
- public void testGrantRevokePrivilegeWithLongOption() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- // create the role for test
- client.createRole(requestorName, TEST_ROLE_NAME_1);
- client.createRole(requestorName, TEST_ROLE_NAME_2);
-
- // test: grant privilege to role with -gpr
- String[] args = { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->action=*", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true",
- "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- // for the uri privilege, the action will be awalys *
- args = new String[] { "--grant_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
-
- // test the list privilege with -lp
- args = new String[] { "--list_privilege", "-r", TEST_ROLE_NAME_1, "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive sentryShell = new SentryShellHive();
- Set<String> privilegeStrs = getShellResultWithOSRedirect(sentryShell, args, true);
- // validate the result for -lp
- assertEquals("Incorrect number of privileges", 6, privilegeStrs.size());
- assertTrue(privilegeStrs.contains("server=server1->action=*"));
- assertTrue(privilegeStrs.contains("server=server1->db=db1->action=select"));
- assertTrue(privilegeStrs.contains("server=server1->db=db1->table=tbl1->action=insert"));
- assertTrue(privilegeStrs
- .contains("server=server1->db=db1->table=tbl1->column=col1->action=insert"));
- assertTrue(privilegeStrs
- .contains("server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true"));
- // for the uri privilege, the action will be awalys *
- assertTrue(privilegeStrs.contains("server=server1->uri=hdfs://path/testuri->action=*"));
-
- // test: revoke privilege from role with -rpr
- args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorName,
- TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 5, privileges.size());
-
- args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->column=col2->action=insert->grantoption=true",
- "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 4, privileges.size());
-
- args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->uri=hdfs://path/testuri", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 3, privileges.size());
-
- args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->table=tbl1->action=insert", "-conf",
- confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 2, privileges.size());
-
- args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->db=db1->action=select", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 1, privileges.size());
-
- args = new String[] { "--revoke_privilege_role", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->action=*", "-conf", confPath.getAbsolutePath() };
- SentryShellHive.main(args);
- privileges = client.listAllPrivilegesByRoleName(requestorName, TEST_ROLE_NAME_1);
- assertEquals("Incorrect number of privileges", 0, privileges.size());
-
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1);
- client.dropRole(requestorName, TEST_ROLE_NAME_2);
- }
- });
- }
-
- @Test
- public void testNegativeCaseWithInvalidArgument() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- client.createRole(requestorName, TEST_ROLE_NAME_1);
- // test: create duplicate role with -cr
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- SentryShellHive sentryShell = new SentryShellHive();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for creating duplicate role");
- } catch (SentryUserException e) {
- // excepted exception
- }
-
- // test: drop non-exist role with -dr
- args = new String[] { "-dr", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for dropping non-exist role");
- } catch (SentryUserException e) {
- // excepted exception
- }
-
- // test: add non-exist role to group with -arg
- args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for granting non-exist role to group");
- } catch (SentryUserException e) {
- // excepted exception
- }
-
- // test: drop group from non-exist role with -drg
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-g", "testGroup1", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for drop group from non-exist role");
- } catch (SentryUserException e) {
- // excepted exception
- }
-
- // test: grant privilege to role with the error privilege format
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p", "serverserver1->action=*",
- "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for the error privilege format, invalid key value.");
- } catch (IllegalArgumentException e) {
- // excepted exception
- }
-
- // test: grant privilege to role with the error privilege hierarchy
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-p",
- "server=server1->table=tbl1->column=col2->action=insert", "-conf",
- confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- try {
- sentryShell.executeShell(args);
- fail("Exception should be thrown for the error privilege format, invalid key value.");
- } catch (IllegalArgumentException e) {
- // excepted exception
- }
-
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1);
- }
- });
- }
-
- @Test
- public void testNegativeCaseWithoutRequiredArgument() throws Exception {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- String strOptionConf = "conf";
- client.createRole(requestorName, TEST_ROLE_NAME_1);
- // test: the conf is required argument
- String[] args = { "-cr", "-r", TEST_ROLE_NAME_1 };
- SentryShellHive sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + strOptionConf);
-
- // test: -r is required when create role
- args = new String[] { "-cr", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -r is required when drop role
- args = new String[] { "-dr", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -r is required when add role to group
- args = new String[] { "-arg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -g is required when add role to group
- args = new String[] { "-arg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
-
- // test: -r is required when delete role from group
- args = new String[] { "-drg", "-g", "testGroup1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -g is required when delete role from group
- args = new String[] { "-drg", "-r", TEST_ROLE_NAME_2, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_GROUP_NAME);
-
- // test: -r is required when grant privilege to role
- args = new String[] { "-gpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -p is required when grant privilege to role
- args = new String[] { "-gpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
-
- // test: -r is required when revoke privilege from role
- args = new String[] { "-rpr", "-p", "server=server1", "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_ROLE_NAME);
-
- // test: -p is required when revoke privilege from role
- args = new String[] { "-rpr", "-r", TEST_ROLE_NAME_1, "-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsg(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + SentryShellCommon.OPTION_DESC_PRIVILEGE);
-
- // test: command option is required for shell
- args = new String[] {"-conf", confPath.getAbsolutePath() };
- sentryShell = new SentryShellHive();
- validateMissingParameterMsgsContains(sentryShell, args,
- SentryShellCommon.PREFIX_MESSAGE_MISSING_OPTION + "[",
- "-arg Add role to group",
- "-cr Create role",
- "-rpr Revoke privilege from role",
- "-drg Delete role from group",
- "-lr List role",
- "-lp List privilege",
- "-gpr Grant privilege to role",
- "-dr Drop role");
-
- // clear the test data
- client.dropRole(requestorName, TEST_ROLE_NAME_1);
- }
- });
- }
-
- // redirect the System.out to ByteArrayOutputStream, then execute the command and parse the result.
- private Set<String> getShellResultWithOSRedirect(SentryShellHive sentryShell,
- String[] args, boolean exceptedExecuteResult) throws Exception {
- PrintStream oldOut = System.out;
- ByteArrayOutputStream outContent = new ByteArrayOutputStream();
- System.setOut(new PrintStream(outContent));
- assertEquals(exceptedExecuteResult, sentryShell.executeShell(args));
- Set<String> resultSet = Sets.newHashSet(outContent.toString().split("\n"));
- System.setOut(oldOut);
- return resultSet;
- }
-
- private void validateRoleNames(Set<String> roleNames, String ... expectedRoleNames) {
- if (expectedRoleNames != null && expectedRoleNames.length > 0) {
- assertEquals("Found: " + roleNames.size() + " roles, expected: " + expectedRoleNames.length,
- expectedRoleNames.length, roleNames.size());
- Set<String> lowerCaseRoles = new HashSet<String>();
- for (String role : roleNames) {
- lowerCaseRoles.add(role.toLowerCase());
- }
-
- for (String expectedRole : expectedRoleNames) {
- assertTrue("Expected role: " + expectedRole,
- lowerCaseRoles.contains(expectedRole.toLowerCase()));
- }
- }
- }
-
- private void validateMissingParameterMsg(SentryShellHive sentryShell, String[] args,
- String exceptedErrorMsg) throws Exception {
- Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
- assertTrue(errorMsgs.contains(exceptedErrorMsg));
- }
-
- private void validateMissingParameterMsgsContains(SentryShellHive sentryShell, String[] args,
- String ... expectedErrorMsgsContains) throws Exception {
- Set<String> errorMsgs = getShellResultWithOSRedirect(sentryShell, args, false);
- boolean foundAllMessages = false;
- Iterator<String> it = errorMsgs.iterator();
- while (it.hasNext()) {
- String errorMessage = it.next();
- boolean missingExpected = false;
- for (String expectedContains : expectedErrorMsgsContains) {
- if (!errorMessage.contains(expectedContains)) {
- missingExpected = true;
- break;
- }
- }
- if (!missingExpected) {
- foundAllMessages = true;
- break;
- }
- }
- assertTrue(foundAllMessages);
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
deleted file mode 100644
index cb2d9c9..0000000
--- a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/service/thrift/SentryServiceIntegrationBase.java
+++ /dev/null
@@ -1,355 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.service.thrift;
-import java.io.File;
-import java.security.PrivilegedExceptionAction;
-import java.util.Properties;
-import java.util.Set;
-import java.util.concurrent.TimeoutException;
-
-
-import com.google.common.io.Resources;
-import org.apache.commons.io.FileUtils;
-import org.apache.curator.test.TestingServer;
-import org.apache.hadoop.conf.Configuration;
-import org.apache.hadoop.minikdc.MiniKdc;
-import org.apache.hadoop.net.NetUtils;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.apache.sentry.provider.db.service.persistent.HAContext;
-import org.apache.sentry.provider.db.service.thrift.SentryMiniKdcTestcase;
-import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.provider.db.service.thrift.TSentryRole;
-import org.apache.sentry.provider.file.PolicyFile;
-import org.apache.sentry.service.thrift.ServiceConstants.ClientConfig;
-import org.apache.sentry.service.thrift.ServiceConstants.ServerConfig;
-import org.apache.zookeeper.server.ZooKeeperSaslServer;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Assert;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Strings;
-import com.google.common.io.Files;
-
-public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase {
- private static final Logger LOGGER = LoggerFactory.getLogger(SentryServiceIntegrationBase.class);
-
- protected static final String SERVER_HOST = NetUtils.createSocketAddr("localhost:80").getAddress().getCanonicalHostName();
- protected static final String REALM = "EXAMPLE.COM";
- protected static final String SERVER_PRINCIPAL = "sentry/" + SERVER_HOST;
- protected static String SERVER_KERBEROS_NAME = "sentry/" + SERVER_HOST + "@" + REALM;
- protected static final String HTTP_PRINCIPAL = "HTTP/" + SERVER_HOST;
- protected static final String CLIENT_PRINCIPAL = "hive/" + SERVER_HOST;
- protected static final String CLIENT_KERBEROS_SHORT_NAME = "hive";
- protected static final String CLIENT_KERBEROS_NAME = CLIENT_KERBEROS_SHORT_NAME
- + "/" + SERVER_HOST + "@" + REALM;
- protected static final String ADMIN_USER = "admin_user";
- protected static final String ADMIN_GROUP = "admin_group";
-
- protected static SentryService server;
- protected SentryPolicyServiceClient client;
- protected static MiniKdc kdc;
- protected static File kdcWorkDir;
- protected static File dbDir;
- protected static File serverKeytab;
- protected static File httpKeytab;
- protected static File clientKeytab;
- protected static UserGroupInformation clientUgi;
- protected static boolean kerberos;
- protected final static Configuration conf = new Configuration(false);
- protected PolicyFile policyFile;
- protected File policyFilePath;
- protected static Properties kdcConfOverlay = new Properties();
-
- protected static boolean haEnabled = false;
- protected static final String ZK_SERVER_PRINCIPAL = "zookeeper/" + SERVER_HOST;
- protected static TestingServer zkServer;
-
- private static File ZKKeytabFile;
-
- protected static boolean webServerEnabled = false;
- protected static int webServerPort = ServerConfig.SENTRY_WEB_PORT_DEFAULT;
- protected static boolean webSecurity = false;
-
- protected static boolean pooled = false;
-
- protected static boolean useSSL = false;
-
- @BeforeClass
- public static void setup() throws Exception {
- kerberos = true;
- pooled = true;
- beforeSetup();
- setupConf();
- startSentryService();
- afterSetup();
- }
-
- private static void setupKdc() throws Exception {
- startMiniKdc(kdcConfOverlay);
- }
-
- public static void startSentryService() throws Exception {
- server.start();
- final long start = System.currentTimeMillis();
- while(!server.isRunning()) {
- Thread.sleep(1000);
- if(System.currentTimeMillis() - start > 60000L) {
- throw new TimeoutException("Server did not start after 60 seconds");
- }
- }
- }
-
- public void stopSentryService() throws Exception {
- server.stop();
- Thread.sleep(30000);
- }
-
- public static void setupConf() throws Exception {
- if (kerberos) {
- setupKdc();
- kdc = getKdc();
- kdcWorkDir = getWorkDir();
- serverKeytab = new File(kdcWorkDir, "server.keytab");
- clientKeytab = new File(kdcWorkDir, "client.keytab");
- kdc.createPrincipal(serverKeytab, SERVER_PRINCIPAL);
- kdc.createPrincipal(clientKeytab, CLIENT_PRINCIPAL);
- conf.set(ServerConfig.PRINCIPAL, getServerKerberosName());
- conf.set(ServerConfig.KEY_TAB, serverKeytab.getPath());
- conf.set(ServerConfig.ALLOW_CONNECT, CLIENT_KERBEROS_SHORT_NAME);
- conf.set(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_PRINCIPAL,
- getServerKerberosName());
- conf.set(ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_KEYTAB,
- serverKeytab.getPath());
-
- conf.set(ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true");
- conf.set("hadoop.security.authentication", "kerberos");
- UserGroupInformation.setConfiguration(conf);
- UserGroupInformation.loginUserFromKeytab(CLIENT_PRINCIPAL, clientKeytab.getPath());
- clientUgi = UserGroupInformation.getLoginUser();
- } else {
- LOGGER.info("Stopped KDC");
- conf.set(ServerConfig.SECURITY_MODE, ServerConfig.SECURITY_MODE_NONE);
- }
- if (haEnabled) {
- zkServer = getZKServer();
- conf.set(ServerConfig.SENTRY_HA_ENABLED, "true");
- conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_QUORUM, zkServer.getConnectString());
- conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_NAMESPACE, "sentry-test-case");
- if (kerberos) {
- conf.set(ServerConfig.SENTRY_HA_ZOOKEEPER_SECURITY, "true");
- }
- }
- if (webServerEnabled) {
- conf.set(ServerConfig.SENTRY_WEB_ENABLE, "true");
- conf.set(ServerConfig.SENTRY_WEB_PORT, String.valueOf(webServerPort));
- if (webSecurity) {
- httpKeytab = new File(kdcWorkDir, "http.keytab");
- kdc.createPrincipal(httpKeytab, HTTP_PRINCIPAL);
- conf.set(ServerConfig.SENTRY_WEB_SECURITY_TYPE,
- ServerConfig.SENTRY_WEB_SECURITY_TYPE_KERBEROS);
- conf.set(ServerConfig.SENTRY_WEB_SECURITY_PRINCIPAL, HTTP_PRINCIPAL);
- conf.set(ServerConfig.SENTRY_WEB_SECURITY_KEYTAB, httpKeytab.getPath());
- } else {
- conf.set(ServerConfig.SENTRY_WEB_SECURITY_TYPE,
- ServerConfig.SENTRY_WEB_SECURITY_TYPE_NONE);
- }
- } else {
- conf.set(ServerConfig.SENTRY_WEB_ENABLE, "false");
- }
- if (pooled) {
- conf.set(ClientConfig.SENTRY_POOL_ENABLED, "true");
- }
- if (useSSL) {
- conf.set(ServerConfig.SENTRY_WEB_USE_SSL, "true");
- conf.set(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PATH,
- Resources.getResource("keystore.jks").getPath());
- conf.set(ServerConfig.SENTRY_WEB_SSL_KEYSTORE_PASSWORD, "password");
- }
- conf.set(ServerConfig.SENTRY_VERIFY_SCHEM_VERSION, "false");
- conf.set(ServerConfig.ADMIN_GROUPS, ADMIN_GROUP);
- conf.set(ServerConfig.RPC_ADDRESS, SERVER_HOST);
- conf.set(ServerConfig.RPC_PORT, String.valueOf(0));
- dbDir = new File(Files.createTempDir(), "sentry_policy_db");
- conf.set(ServerConfig.SENTRY_STORE_JDBC_URL,
- "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true");
- conf.set(ServerConfig.SENTRY_STORE_JDBC_PASS, "dummy");
- server = new SentryServiceFactory().create(conf);
- conf.set(ClientConfig.SERVER_RPC_ADDRESS, server.getAddress().getHostName());
- conf.set(ClientConfig.SERVER_RPC_PORT, String.valueOf(server.getAddress().getPort()));
- conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING,
- ServerConfig.SENTRY_STORE_LOCAL_GROUP_MAPPING);
- }
-
- @Before
- public void before() throws Exception {
- policyFilePath = new File(dbDir, "local_policy_file.ini");
- conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE,
- policyFilePath.getPath());
- policyFile = new PolicyFile();
- connectToSentryService();
- }
-
- @After
- public void after() {
- try {
- runTestAsSubject(new TestOperation() {
- @Override
- public void runTestAsSubject() throws Exception {
- if (client != null) {
- Set<TSentryRole> tRoles = client.listRoles(ADMIN_USER);
- if (tRoles != null) {
- for (TSentryRole tRole : tRoles) {
- client.dropRole(ADMIN_USER, tRole.getRoleName());
- }
- }
- client.close();
- }
- }
- });
- } catch (Exception e) {
- LOGGER.error(e.getMessage(), e);
- } finally {
- policyFilePath.delete();
- }
- }
-
- public void connectToSentryService() throws Exception {
- if (kerberos) {
- client = clientUgi.doAs(new PrivilegedExceptionAction<SentryPolicyServiceClient>() {
- @Override
- public SentryPolicyServiceClient run() throws Exception {
- return SentryServiceClientFactory.create(conf);
- }
- });
- } else {
- client = SentryServiceClientFactory.create(conf);
- }
- }
-
- @AfterClass
- public static void tearDown() throws Exception {
- beforeTeardown();
-
- if(server != null) {
- server.stop();
- }
- if (dbDir != null) {
- FileUtils.deleteQuietly(dbDir);
- }
- stopMiniKdc();
- afterTeardown();
- }
-
- public static String getServerKerberosName() {
- return SERVER_KERBEROS_NAME;
- }
-
- public static void beforeSetup() throws Exception {
-
- }
- public static void afterSetup() throws Exception {
-
- }
- public static void beforeTeardown() throws Exception {
-
- }
- public static void afterTeardown() throws Exception {
-
- }
- protected static void assertOK(TSentryResponseStatus resp) {
- assertStatus(Status.OK, resp);
- }
-
- protected static void assertStatus(Status status, TSentryResponseStatus resp) {
- if (resp.getValue() != status.getCode()) {
- String message = "Expected: " + status + ", Response: " + Status.fromCode(resp.getValue())
- + ", Code: " + resp.getValue() + ", Message: " + resp.getMessage();
- String stackTrace = Strings.nullToEmpty(resp.getStack()).trim();
- if (!stackTrace.isEmpty()) {
- message += ", StackTrace: " + stackTrace;
- }
- Assert.fail(message);
- }
- }
-
- protected void setLocalGroupMapping(String user, Set<String> groupSet) {
- for (String group : groupSet) {
- policyFile.addGroupsToUser(user, group);
- }
- }
-
- protected void writePolicyFile() throws Exception {
- policyFile.write(policyFilePath);
- }
-
- protected static TestingServer getZKServer() throws Exception {
- if (!kerberos) {
- LOGGER.info("Creating a non-security ZooKeeper Server.");
- return new TestingServer();
- } else {
- LOGGER.info("Creating a security ZooKeeper Server.");
- // Not entirely sure exactly what "javax.security.auth.useSubjectCredsOnly=false" does, but it has something to do with
- // re-authenticating in cases where it otherwise wouldn't. One of the sections on this page briefly mentions it:
- // http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/Troubleshooting.html
- System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
-
- // Setup KDC and principal
- kdc = getKdc();
- ZKKeytabFile = new File(kdcWorkDir, "test.keytab");
- kdc.createPrincipal(ZKKeytabFile, ZK_SERVER_PRINCIPAL);
-
- System.setProperty("zookeeper.authProvider.1", "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
- System.setProperty("zookeeper.kerberos.removeHostFromPrincipal", "true");
- System.setProperty("zookeeper.kerberos.removeRealmFromPrincipal", "true");
-
- JaasConfiguration.addEntryForKeytab("Server", ZK_SERVER_PRINCIPAL, ZKKeytabFile.getAbsolutePath());
- // Here's where we add the "Client" to the jaas configuration, even though we'd like not to
- JaasConfiguration.addEntryForKeytab(HAContext.SENTRY_ZK_JAAS_NAME,
- SERVER_KERBEROS_NAME, serverKeytab.getAbsolutePath());
- javax.security.auth.login.Configuration.setConfiguration(JaasConfiguration.getInstance());
-
- System.setProperty(ZooKeeperSaslServer.LOGIN_CONTEXT_NAME_KEY, "Server");
-
- return new TestingServer();
- }
-
- }
-
- protected void runTestAsSubject(final TestOperation test) throws Exception {
- /*if (false) {
- clientUgi.doAs(new PrivilegedExceptionAction<Void>() {
- @Override
- public Void run() throws Exception {
- test.runTestAsSubject();
- return null;
- }});
- } else {
- */ test.runTestAsSubject();
- //}
- }
-
- protected interface TestOperation {
- void runTestAsSubject() throws Exception;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/test/resources/cacerts.jks
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/cacerts.jks b/sentry-provider/sentry-provider-db/src/test/resources/cacerts.jks
deleted file mode 100644
index 6ac6495..0000000
Binary files a/sentry-provider/sentry-provider-db/src/test/resources/cacerts.jks and /dev/null differ
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/test/resources/keystore.jks
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/keystore.jks b/sentry-provider/sentry-provider-db/src/test/resources/keystore.jks
deleted file mode 100644
index a6beece..0000000
Binary files a/sentry-provider/sentry-provider-db/src/test/resources/keystore.jks and /dev/null differ
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/test/resources/log4j.properties
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/log4j.properties b/sentry-provider/sentry-provider-db/src/test/resources/log4j.properties
deleted file mode 100644
index 9766758..0000000
--- a/sentry-provider/sentry-provider-db/src/test/resources/log4j.properties
+++ /dev/null
@@ -1,34 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-
-# Define some default values that can be overridden by system properties.
-#
-# For testing, it may also be convenient to specify
-
-log4j.rootLogger=DEBUG,console
-
-log4j.appender.console=org.apache.log4j.ConsoleAppender
-log4j.appender.console.target=System.err
-log4j.appender.console.layout=org.apache.log4j.PatternLayout
-log4j.appender.console.layout.ConversionPattern=%d (%t) [%p - %l] %m%n
-
-log4j.logger.org.apache.hadoop.conf.Configuration=INFO
-log4j.logger.org.apache.hadoop.metrics2=INFO
-log4j.logger.org.apache.directory=INFO
-log4j.logger.org.apache.directory.api.ldap.model.entry.AbstractValue=WARN
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/test/resources/solr_case.ini
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/solr_case.ini b/sentry-provider/sentry-provider-db/src/test/resources/solr_case.ini
deleted file mode 100644
index fbbebfc..0000000
--- a/sentry-provider/sentry-provider-db/src/test/resources/solr_case.ini
+++ /dev/null
@@ -1,26 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-[groups]
-groupa = RoLe1
-groupb = rOlE1
-groupc = ROLE2
-
-[roles]
-RoLe1 = collection=*
-rOlE1 = collection=*
-ROLE2 = collection=*
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/test/resources/solr_config_import_tool.ini
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/solr_config_import_tool.ini b/sentry-provider/sentry-provider-db/src/test/resources/solr_config_import_tool.ini
deleted file mode 100644
index da7df4c..0000000
--- a/sentry-provider/sentry-provider-db/src/test/resources/solr_config_import_tool.ini
+++ /dev/null
@@ -1,29 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-[groups]
-corporal = corporal_role
-sergeant = corporal_role, sergeant_role
-general = corporal_role, sergeant_role, general_role
-commander_in_chief = corporal_role, sergeant_role, general_role, commander_in_chief_role
-
-[roles]
-corporal_role = collection=info->action=query, \
- collection=info->action=update
-sergeant_role = collection=info->action=update
-general_role = collection=info->action=*
-commander_in_chief_role = collection=*
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-db/src/test/resources/solr_invalid.ini
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/resources/solr_invalid.ini b/sentry-provider/sentry-provider-db/src/test/resources/solr_invalid.ini
deleted file mode 100644
index 03083a7..0000000
--- a/sentry-provider/sentry-provider-db/src/test/resources/solr_invalid.ini
+++ /dev/null
@@ -1,21 +0,0 @@
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements. See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership. The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License. You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied. See the License for the
-# specific language governing permissions and limitations
-# under the License.
-
-[groups]
-
-[roles]
-
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-file/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/pom.xml b/sentry-provider/sentry-provider-file/pom.xml
index 04f38d8..25db036 100644
--- a/sentry-provider/sentry-provider-file/pom.xml
+++ b/sentry-provider/sentry-provider-file/pom.xml
@@ -29,11 +29,6 @@ limitations under the License.
<dependencies>
<dependency>
- <groupId>org.apache.hadoop</groupId>
- <artifactId>hadoop-common</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<scope>test</scope>
@@ -43,14 +38,6 @@ limitations under the License.
<artifactId>log4j</artifactId>
</dependency>
<dependency>
- <groupId>org.apache.shiro</groupId>
- <artifactId>shiro-core</artifactId>
- </dependency>
- <dependency>
- <groupId>com.google.guava</groupId>
- <artifactId>guava</artifactId>
- </dependency>
- <dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
</dependency>
@@ -60,10 +47,6 @@ limitations under the License.
</dependency>
<dependency>
<groupId>org.apache.sentry</groupId>
- <artifactId>sentry-core-common</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.sentry</groupId>
<artifactId>sentry-provider-common</artifactId>
</dependency>
</dependencies>
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
index dec47c2..eb23ff1 100644
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
+++ b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/LocalGroupMappingService.java
@@ -26,8 +26,8 @@ import java.util.Set;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
+import org.apache.sentry.core.common.service.GroupMappingService;
import org.apache.sentry.core.common.utils.SentryConstants;
-import org.apache.sentry.provider.common.GroupMappingService;
import org.apache.sentry.core.common.utils.PolicyFileConstants;
import org.apache.sentry.core.common.exception.SentryGroupNotFoundException;
import org.apache.shiro.config.Ini;
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java b/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java
deleted file mode 100644
index 6a77827..0000000
--- a/sentry-provider/sentry-provider-file/src/main/java/org/apache/sentry/provider/file/PolicyFile.java
+++ /dev/null
@@ -1,202 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.provider.file;
-
-import static org.apache.sentry.core.common.utils.PolicyFileConstants.DATABASES;
-import static org.apache.sentry.core.common.utils.PolicyFileConstants.GROUPS;
-import static org.apache.sentry.core.common.utils.PolicyFileConstants.ROLES;
-import static org.apache.sentry.core.common.utils.PolicyFileConstants.USERS;
-
-import java.io.File;
-import java.util.Collection;
-import java.util.List;
-import java.util.Map;
-import java.util.Map.Entry;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Charsets;
-import com.google.common.base.Joiner;
-import com.google.common.collect.ArrayListMultimap;
-import com.google.common.collect.Lists;
-import com.google.common.collect.Maps;
-import com.google.common.collect.Multimap;
-import com.google.common.io.Files;
-
-/**
- * PolicyFile creator. Written specifically to be used with tests. Specifically
- * due to the fact that methods that would typically return true or false to
- * indicate success or failure these methods throw an unchecked exception.
- * This is because in a test if you mean to remove a user from the policy file,
- * the user should absolutely be there. If not, the test is mis-behaving.
- */
-@VisibleForTesting
-public class PolicyFile {
-
- private static final Logger LOGGER = LoggerFactory
- .getLogger(PolicyFile.class);
-
- private static final String NL = System.getProperty("line.separator", "\n");
-
- private final Map<String, String> databasesToPolicyFiles = Maps.newHashMap();
- private final Multimap<String, String> usersToGroups = ArrayListMultimap.create();
- private final Multimap<String, String> groupsToRoles = ArrayListMultimap
- .create();
- private final Multimap<String, String> rolesToPermissions = ArrayListMultimap
- .create();
-
- public Multimap<String, String> getGroupsToRoles() {
- return groupsToRoles;
- }
- public Multimap<String, String> getRolesToPermissions() {
- return rolesToPermissions;
- }
- public PolicyFile addRolesToGroup(String groupName, String... roleNames)
- throws Exception {
- return addRolesToGroup(groupName, false, roleNames);
- }
- public PolicyFile addRolesToGroup(String groupName, boolean allowDuplicates, String... roleNames) {
- return add(groupsToRoles.get(groupName), allowDuplicates, roleNames);
- }
- public PolicyFile addPermissionsToRole(String roleName, String... permissionNames) {
- return addPermissionsToRole(roleName, false, permissionNames);
- }
- public PolicyFile addPermissionsToRole(String roleName, boolean allowDuplicates, String... permissionNames) {
- return add(rolesToPermissions.get(roleName), allowDuplicates, permissionNames);
- }
- public PolicyFile addGroupsToUser(String userName, String... groupNames) {
- LOGGER.warn("Static user:group mapping is not being used");
- return addGroupsToUser(userName, false, groupNames);
- }
- public PolicyFile addGroupsToUser(String userName, boolean allowDuplicates, String... groupNames) {
- LOGGER.warn("Static user:group mapping is not being used");
- return add(usersToGroups.get(userName), allowDuplicates, groupNames);
- }
- public PolicyFile setUserGroupMapping(Map<String, String> mapping) {
- for (Entry<String, String> entry : mapping.entrySet()) {
- usersToGroups.put(entry.getKey(), entry.getValue());
- }
- return this;
- }
- public PolicyFile addDatabase(String databaseName, String path) {
- String oldPath = databasesToPolicyFiles.put(databaseName, path);
- if (oldPath != null) {
- throw new IllegalStateException("Database " + databaseName + " already existed in " +
- databasesToPolicyFiles + " with value of " + oldPath);
- }
- databasesToPolicyFiles.put(databaseName, path);
- return this;
- }
- public PolicyFile removeRolesFromGroup(String groupName, String... roleNames) {
- return remove(groupsToRoles.get(groupName), roleNames);
- }
- public PolicyFile removePermissionsFromRole(String roleName, String... permissionNames) {
- return remove(rolesToPermissions.get(roleName), permissionNames);
- }
- public PolicyFile removeGroupsFromUser(String userName, String... groupNames) {
- LOGGER.warn("Static user:group mapping is not being used");
- return remove(usersToGroups.get(userName), groupNames);
- }
- public PolicyFile removeDatabase(String databaseName) {
- if(databasesToPolicyFiles.remove(databaseName) == null) {
- throw new IllegalStateException("Database " + databaseName + " did not exist in " +
- databasesToPolicyFiles);
- }
- return this;
- }
- public PolicyFile copy() {
- PolicyFile other = new PolicyFile();
- other.databasesToPolicyFiles.putAll(databasesToPolicyFiles);
- other.usersToGroups.putAll(usersToGroups);
- other.groupsToRoles.putAll(groupsToRoles);
- other.rolesToPermissions.putAll(rolesToPermissions);
- return other;
- }
-
- public void write(File clientFile, File serverFile) throws Exception {
- write(clientFile);
- write(serverFile);
- }
-
- public void write(File file) throws Exception {
- if(file.exists() && !file.delete()) {
- throw new IllegalStateException("Unable to delete " + file);
- }
- String contents = Joiner.on(NL)
- .join(getSection(DATABASES, databasesToPolicyFiles),
- getSection(USERS, usersToGroups),
- getSection(GROUPS, groupsToRoles),
- getSection(ROLES, rolesToPermissions),
- "");
- LOGGER.info("Writing policy file to " + file + ":\n" + contents);
- Files.write(contents, file, Charsets.UTF_8);
- }
-
- private String getSection(String name, Map<String, String> mapping) {
- if(mapping.isEmpty()) {
- return "";
- }
- Joiner kvJoiner = Joiner.on(" = ");
- List<String> lines = Lists.newArrayList();
- lines.add("[" + name + "]");
- for (Entry<String, String> entry : mapping.entrySet()) {
- lines.add(kvJoiner.join(entry.getKey(), entry.getValue()));
- }
- return Joiner.on(NL).join(lines);
- }
- private String getSection(String name, Multimap<String, String> mapping) {
- if(mapping.isEmpty()) {
- return "";
- }
- Joiner kvJoiner = Joiner.on(" = ");
- Joiner itemJoiner = Joiner.on(" , ");
- List<String> lines = Lists.newArrayList();
- lines.add("[" + name + "]");
- for(String key : mapping.keySet()) {
- lines.add(kvJoiner.join(key, itemJoiner.join(mapping.get(key))));
- }
- return Joiner.on(NL).join(lines);
- }
-
- private PolicyFile remove(Collection<String> exitingItems, String[] newItems) {
- for(String newItem : newItems) {
- if(!exitingItems.remove(newItem)) {
- throw new IllegalStateException("Item " + newItem + " did not exist in " + exitingItems);
- }
- }
- return this;
- }
- private PolicyFile add(Collection<String> exitingItems, boolean allowDuplicates, String[] newItems) {
- for(String newItem : newItems) {
- if(exitingItems.contains(newItem) && !allowDuplicates) {
- throw new IllegalStateException("Item " + newItem + " already exists in " + exitingItems);
- }
- exitingItems.add(newItem);
- }
- return this;
- }
-
- //User:Group mapping for the admin user needs to be set separately
- public static PolicyFile setAdminOnServer1(String admin) throws Exception {
- return new PolicyFile()
- .addRolesToGroup(admin, "admin_role")
- .addPermissionsToRole("admin_role", "server=server1");
- }
-}
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-service/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-service/pom.xml b/sentry-service/pom.xml
new file mode 100644
index 0000000..4bcb7f1
--- /dev/null
+++ b/sentry-service/pom.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+ <modelVersion>4.0.0</modelVersion>
+
+ <parent>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry</artifactId>
+ <version>1.8.0-SNAPSHOT</version>
+ </parent>
+
+ <artifactId>sentry-service</artifactId>
+ <name>Sentry Service</name>
+ <packaging>pom</packaging>
+
+ <modules>
+ <module>sentry-service-common</module>
+ <module>sentry-service-server</module>
+ <module>sentry-service-client</module>
+ </modules>
+
+</project>
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-service/sentry-service-client/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/pom.xml b/sentry-service/sentry-service-client/pom.xml
new file mode 100644
index 0000000..fc37c5e
--- /dev/null
+++ b/sentry-service/sentry-service-client/pom.xml
@@ -0,0 +1,57 @@
+<?xml version="1.0"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one or more
+contributor license agreements. See the NOTICE file distributed with
+this work for additional information regarding copyright ownership.
+The ASF licenses this file to You under the Apache License, Version 2.0
+(the "License"); you may not use this file except in compliance with
+the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-service</artifactId>
+ <version>1.8.0-SNAPSHOT</version>
+ </parent>
+
+ <artifactId>sentry-service-client</artifactId>
+ <name>Sentry Service Client</name>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-service-common</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-core-model-kafka</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-core-model-db</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-core-model-search</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.sentry</groupId>
+ <artifactId>sentry-provider-file</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-pool2</artifactId>
+ </dependency>
+ </dependencies>
+
+</project>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/sentry/blob/f1332300/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java
new file mode 100644
index 0000000..11cdee7
--- /dev/null
+++ b/sentry-service/sentry-service-client/src/main/java/org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClient.java
@@ -0,0 +1,196 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.provider.db.generic.service.thrift;
+
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+
+public interface SentryGenericServiceClient {
+
+ /**
+ * Create a sentry role
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @throws SentryUserException
+ */
+ void createRole(String requestorUserName, String roleName,
+ String component) throws SentryUserException;
+
+ void createRoleIfNotExist(String requestorUserName,
+ String roleName, String component) throws SentryUserException;
+
+ /**
+ * Drop a sentry role
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @throws SentryUserException
+ */
+ void dropRole(String requestorUserName, String roleName,
+ String component) throws SentryUserException;
+
+ void dropRoleIfExists(String requestorUserName, String roleName,
+ String component) throws SentryUserException;
+
+ /**
+ * add a sentry role to groups.
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @param groups: The name of groups
+ * @throws SentryUserException
+ */
+ void addRoleToGroups(String requestorUserName, String roleName,
+ String component, Set<String> groups) throws SentryUserException;
+
+ /**
+ * delete a sentry role from groups.
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @param groups: The name of groups
+ * @throws SentryUserException
+ */
+ void deleteRoleToGroups(String requestorUserName, String roleName,
+ String component, Set<String> groups) throws SentryUserException;
+
+ /**
+ * grant privilege
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @param privilege
+ * @throws SentryUserException
+ */
+ void grantPrivilege(String requestorUserName, String roleName,
+ String component, TSentryPrivilege privilege) throws SentryUserException;
+
+ /**
+ * revoke privilege
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName: Name of the role
+ * @param component: The request is issued to which component
+ * @param privilege
+ * @throws SentryUserException
+ */
+ void revokePrivilege(String requestorUserName, String roleName,
+ String component, TSentryPrivilege privilege) throws SentryUserException;
+
+ /**
+ * drop privilege
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param component: The request is issued to which component
+ * @param privilege
+ * @throws SentryUserException
+ */
+ void dropPrivilege(String requestorUserName,String component,
+ TSentryPrivilege privilege) throws SentryUserException;
+
+ /**
+ * rename privilege
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param component: The request is issued to which component
+ * @param serviceName: The Authorizable belongs to which service
+ * @param oldAuthorizables
+ * @param newAuthorizables
+ * @throws SentryUserException
+ */
+ void renamePrivilege(String requestorUserName, String component,
+ String serviceName, List<? extends Authorizable> oldAuthorizables,
+ List<? extends Authorizable> newAuthorizables) throws SentryUserException;
+
+ /**
+ * Gets sentry role objects for a given groupName using the Sentry service
+ * @param requestorUserName : user on whose behalf the request is issued
+ * @param groupName : groupName to look up ( if null returns all roles for groups related to requestorUserName)
+ * @param component: The request is issued to which component
+ * @return Set of thrift sentry role objects
+ * @throws SentryUserException
+ */
+ Set<TSentryRole> listRolesByGroupName(
+ String requestorUserName,
+ String groupName,
+ String component)
+ throws SentryUserException;
+
+ Set<TSentryRole> listUserRoles(String requestorUserName, String component)
+ throws SentryUserException;
+
+ Set<TSentryRole> listAllRoles(String requestorUserName, String component)
+ throws SentryUserException;
+
+ /**
+ * Gets sentry privileges for a given roleName and Authorizable Hierarchy using the Sentry service
+ * @param requestorUserName: user on whose behalf the request is issued
+ * @param roleName:
+ * @param component: The request is issued to which component
+ * @param serviceName
+ * @param authorizables
+ * @return
+ * @throws SentryUserException
+ */
+ Set<TSentryPrivilege> listPrivilegesByRoleName(
+ String requestorUserName, String roleName, String component,
+ String serviceName, List<? extends Authorizable> authorizables)
+ throws SentryUserException;
+
+ Set<TSentryPrivilege> listPrivilegesByRoleName(
+ String requestorUserName, String roleName, String component,
+ String serviceName) throws SentryUserException;
+
+ /**
+ * get sentry permissions from provider as followings:
+ * @param: component: The request is issued to which component
+ * @param: serviceName: The privilege belongs to which service
+ * @param: roleSet
+ * @param: groupNames
+ * @param: the authorizables
+ * @returns the set of permissions
+ * @throws SentryUserException
+ */
+ Set<String> listPrivilegesForProvider(String component,
+ String serviceName, ActiveRoleSet roleSet, Set<String> groups,
+ List<? extends Authorizable> authorizables) throws SentryUserException;
+
+ /**
+ * Get sentry privileges based on valid active roles and the authorize objects. Note that
+ * it is client responsibility to ensure the requestor username, etc. is not impersonated.
+ *
+ * @param component: The request respond to which component.
+ * @param serviceName: The name of service.
+ * @param requestorUserName: The requestor user name.
+ * @param authorizablesSet: The set of authorize objects. One authorize object is represented
+ * as a string. e.g resourceType1=resourceName1->resourceType2=resourceName2->resourceType3=resourceName3.
+ * @param groups: The requested groups.
+ * @param roleSet: The active roles set.
+ *
+ * @returns The mapping of authorize objects and TSentryPrivilegeMap(<role, set<privileges>).
+ * @throws SentryUserException
+ */
+ Map<String, TSentryPrivilegeMap> listPrivilegsbyAuthorizable(String component,
+ String serviceName, String requestorUserName, Set<String> authorizablesSet,
+ Set<String> groups, ActiveRoleSet roleSet) throws SentryUserException;
+
+ void close();
+}