sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cohei...@apache.org
Subject [18/26] sentry git commit: SENTRY-1978: Move the hive-authz2 grant/revoke implementation into the sentry-binding-hive module (Sergio Pena, reviewed by kalyan kumar kalvagadda, Na Li)
Date Thu, 19 Oct 2017 08:59:59 GMT
SENTRY-1978: Move the hive-authz2 grant/revoke implementation into the sentry-binding-hive module (Sergio Pena, reviewed by kalyan kumar kalvagadda, Na Li)


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/e901041d
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/e901041d
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/e901041d

Branch: refs/heads/akolb-cli
Commit: e901041d810635e5f8e36ae0438e43017012e274
Parents: ce04971
Author: Sergio Pena <sergio.pena@cloudera.com>
Authored: Mon Oct 16 15:10:28 2017 -0500
Committer: Sergio Pena <sergio.pena@cloudera.com>
Committed: Mon Oct 16 15:10:28 2017 -0500

----------------------------------------------------------------------
 .../binding/hive/HiveAuthzBindingHook.java      |  16 -
 .../hive/HiveAuthzBindingSessionHook.java       |  21 +-
 .../SentryHiveAuthorizationTaskFactoryImpl.java |  12 +-
 .../binding/hive/SentryHivePrivilegeObject.java |  32 ++
 .../authz/DefaultSentryAccessController.java    | 561 +++++++++++++++++++
 .../hive/authz/SentryHiveAccessController.java  | 199 +++++++
 .../hive/authz/SentryHiveAuthorizerFactory.java |  27 +-
 .../hive/authz/SentryHiveAuthorizerImpl.java    |  86 ++-
 .../binding/util/SentryAuthorizerUtil.java      | 360 ++++++++++++
 .../e2e/dbprovider/TestDatabaseProvider.java    |  12 +-
 .../tests/e2e/hdfs/TestHDFSIntegrationBase.java |   2 +-
 .../e2e/hive/hiveserver/HiveServerFactory.java  |   6 +-
 .../e2e/metastore/TestMetastoreEndToEnd.java    |   2 +-
 13 files changed, 1281 insertions(+), 55 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
index 3454910..f1531ed 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingHook.java
@@ -21,12 +21,10 @@ import java.net.MalformedURLException;
 import java.net.URL;
 import java.security.CodeSource;
 import java.util.List;
-import java.util.Set;
 
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.ql.exec.DDLTask;
 import org.apache.hadoop.hive.ql.exec.SentryFilterDDLTask;
-import org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask;
 import org.apache.hadoop.hive.ql.exec.Task;
 import org.apache.hadoop.hive.ql.exec.Utilities;
 import org.apache.hadoop.hive.ql.lib.Node;
@@ -297,21 +295,7 @@ public class HiveAuthzBindingHook extends HiveAuthzBindingHookBase {
 
     stmtAuthObject = HiveAuthzPrivilegesMap.getHiveAuthzPrivileges(stmtOperation);
 
-    // must occur above the null check on stmtAuthObject
-    // since GRANT/REVOKE/etc are not authorized by binding layer at present
     Subject subject = getCurrentSubject(context);
-    Set<String> subjectGroups = hiveAuthzBinding.getGroups(subject);
-    for (Task<? extends Serializable> task : rootTasks) {
-      if (task instanceof SentryGrantRevokeTask) {
-        SentryGrantRevokeTask sentryTask = (SentryGrantRevokeTask)task;
-        sentryTask.setHiveAuthzBinding(hiveAuthzBinding);
-        sentryTask.setAuthzConf(authzConf);
-        sentryTask.setSubject(subject);
-        sentryTask.setSubjectGroups(subjectGroups);
-        sentryTask.setIpAddress(context.getIpAddress());
-        sentryTask.setOperation(stmtOperation);
-      }
-    }
 
     try {
       if (stmtAuthObject == null) {

http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
index 994ae7a..7250891 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.java
@@ -18,6 +18,7 @@ package org.apache.sentry.binding.hive;
 
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator;
 import org.apache.hadoop.mapreduce.JobContext;
 import org.apache.hive.service.cli.HiveSQLException;
 import org.apache.hive.service.cli.session.HiveSessionHookContext;
@@ -29,10 +30,7 @@ import com.google.common.base.Joiner;
 public class HiveAuthzBindingSessionHook
     implements org.apache.hive.service.cli.session.HiveSessionHook {
 
-  public static final String SEMANTIC_HOOK =
-    "org.apache.sentry.binding.hive.HiveAuthzBindingHook";
-  public static final String FILTER_HOOK =
-    "org.apache.sentry.binding.hive.HiveAuthzBindingHook";
+  public static final String SEMANTIC_HOOK = HiveAuthzBindingHook.class.getName();
   public static final String SCRATCH_DIR_PERMISSIONS = "700";
   public static final String ACCESS_RESTRICT_LIST = Joiner.on(",").join(
     ConfVars.SEMANTIC_ANALYZER_HOOK.varname,
@@ -70,20 +68,26 @@ public class HiveAuthzBindingSessionHook
     // Add sentry hooks to the session configuration
     HiveConf sessionConf = sessionHookContext.getSessionConf();
 
+    // set semantic hooks to request authorization permissions to sentry
     appendConfVar(sessionConf, ConfVars.SEMANTIC_ANALYZER_HOOK.varname,
         SEMANTIC_HOOK);
+
+    // set security command list
     HiveAuthzConf authzConf = HiveAuthzBindingHookBase.loadAuthzConf(sessionConf);
     String commandWhitelist =
         authzConf.get(HiveAuthzConf.HIVE_SENTRY_SECURITY_COMMAND_WHITELIST,
             HiveAuthzConf.HIVE_SENTRY_SECURITY_COMMAND_WHITELIST_DEFAULT);
     sessionConf.setVar(ConfVars.HIVE_SECURITY_COMMAND_WHITELIST, commandWhitelist);
+
+    // set additional configuration properties required for auth
     sessionConf.setVar(ConfVars.SCRATCHDIRPERMISSION, SCRATCH_DIR_PERMISSIONS);
+
+    // Enable compiler to capture transform URI referred in the query
     sessionConf.setBoolVar(ConfVars.HIVE_CAPTURE_TRANSFORM_ENTITY, true);
 
     // set user name
     sessionConf.set(HiveAuthzConf.HIVE_ACCESS_SUBJECT_NAME, sessionHookContext.getSessionUser());
     sessionConf.set(HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME, sessionHookContext.getSessionUser());
-    sessionConf.setVar(ConfVars.HIVE_AUTHORIZATION_MANAGER, SentryHiveAuthorizerFactory.class.getName());
 
     // Set MR ACLs to session user
     appendConfVar(sessionConf, JobContext.JOB_ACL_VIEW_JOB,
@@ -93,6 +97,13 @@ public class HiveAuthzBindingSessionHook
 
     // setup restrict list
     sessionConf.addToRestrictList(ACCESS_RESTRICT_LIST);
+
+    // enable hive authorization V2
+    sessionConf.setBoolean(HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED.varname, true);
+    sessionConf.set(HiveConf.ConfVars.HIVE_AUTHENTICATOR_MANAGER.varname,
+        SessionStateUserAuthenticator.class.getName());
+    sessionConf.set(ConfVars.HIVE_AUTHORIZATION_MANAGER.varname,
+        SentryHiveAuthorizerFactory.class.getName());
   }
 
   // Setup given sentry hooks

http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java
index ceb3b17..1e520c0 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHiveAuthorizationTaskFactoryImpl.java
@@ -25,7 +25,6 @@ import org.apache.hadoop.fs.Path;
 import org.apache.hadoop.hive.SentryHiveConstants;
 import org.apache.hadoop.hive.conf.HiveConf;
 import org.apache.hadoop.hive.metastore.api.PrincipalType;
-import org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask;
 import org.apache.hadoop.hive.ql.exec.SentryHivePrivilegeObjectDesc;
 import org.apache.hadoop.hive.ql.exec.Task;
 import org.apache.hadoop.hive.ql.exec.TaskFactory;
@@ -60,8 +59,10 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization
 
   private static final Logger LOG = LoggerFactory.getLogger(SentryHiveAuthorizationTaskFactoryImpl.class);
 
-  public SentryHiveAuthorizationTaskFactoryImpl(HiveConf conf, Hive db) { //NOPMD
+  private final HiveConf conf;
 
+  public SentryHiveAuthorizationTaskFactoryImpl(HiveConf conf, Hive db) { //NOPMD
+    this.conf = conf;
   }
 
   @Override
@@ -377,11 +378,8 @@ public class SentryHiveAuthorizationTaskFactoryImpl implements HiveAuthorization
     return ret;
   }
 
-  private static Task<? extends Serializable> createTask(DDLWork work) {
-    SentryGrantRevokeTask task = new SentryGrantRevokeTask();
-    task.setId("Stage-" + Integer.toString(TaskFactory.getAndIncrementId()));
-    task.setWork(work);
-    return task;
+  private Task<? extends Serializable> createTask(DDLWork work) {
+    return TaskFactory.get(work, conf);
   }
 
   //TODO temp workaround and copied from HiveAuthorizationTaskFactoryImpl and modified

http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHivePrivilegeObject.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHivePrivilegeObject.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHivePrivilegeObject.java
new file mode 100644
index 0000000..f5402f6
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/SentryHivePrivilegeObject.java
@@ -0,0 +1,32 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+
+package org.apache.sentry.binding.hive;
+
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+
+public class SentryHivePrivilegeObject extends HivePrivilegeObject {
+
+  boolean isServer = false;
+
+  boolean isUri = false;
+
+  String objectName = "";
+
+  public SentryHivePrivilegeObject(HivePrivilegeObjectType type, String objectName) {
+    super(type, null, objectName);
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java
new file mode 100644
index 0000000..0bfa52b
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/DefaultSentryAccessController.java
@@ -0,0 +1,561 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.sentry.binding.hive.authz;
+
+import com.google.common.base.Preconditions;
+import com.google.common.collect.Sets;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import org.apache.hadoop.hive.SentryHiveConstants;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
+import org.apache.hadoop.hive.ql.plan.HiveOperation;
+import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal.HivePrincipalType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
+import org.apache.sentry.binding.hive.SentryOnFailureHookContext;
+import org.apache.sentry.binding.hive.SentryOnFailureHookContextImpl;
+import org.apache.sentry.binding.hive.authz.HiveAuthzBinding.HiveHook;
+import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
+import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars;
+import org.apache.sentry.binding.util.SentryAuthorizerUtil;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.core.model.db.DBModelAuthorizable;
+import org.apache.sentry.core.model.db.Server;
+import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.provider.db.service.thrift.TSentryRole;
+import org.apache.sentry.service.thrift.SentryServiceClientFactory;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class DefaultSentryAccessController extends SentryHiveAccessController {
+
+  public static final Logger LOG = LoggerFactory.getLogger(DefaultSentryAccessController.class);
+
+  public static final String REQUIRED_AUTHZ_SERVER_NAME = "Config "
+      + AuthzConfVars.AUTHZ_SERVER_NAME.getVar() + " is required";
+
+  private HiveAuthenticationProvider authenticator;
+  private String serverName;
+  private HiveConf conf;
+  private HiveAuthzConf authzConf;
+  private HiveAuthzSessionContext ctx;
+
+  private HiveHook hiveHook;
+  private HiveAuthzBinding hiveAuthzBinding;
+  protected SentryPolicyServiceClient sentryClient;
+
+
+  public DefaultSentryAccessController(HiveConf conf, HiveAuthzConf authzConf,
+      HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws Exception {
+    initilize(conf, authzConf, authenticator, ctx);
+    this.hiveHook = HiveHook.HiveServer2;
+  }
+
+  public DefaultSentryAccessController(HiveHook hiveHook, HiveConf conf, HiveAuthzConf authzConf,
+      HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws Exception {
+    initilize(conf, authzConf, authenticator, ctx);
+    this.hiveHook = hiveHook;
+  }
+
+  /**
+   * initialize authenticator and hiveAuthzBinding.
+   */
+  protected void initilize(HiveConf conf, HiveAuthzConf authzConf,
+      HiveAuthenticationProvider authenticator, HiveAuthzSessionContext ctx) throws Exception {
+    Preconditions.checkNotNull(conf, "HiveConf cannot be null");
+    Preconditions.checkNotNull(authzConf, "HiveAuthzConf cannot be null");
+    Preconditions.checkNotNull(authenticator, "Hive authenticator provider cannot be null");
+    Preconditions.checkNotNull(ctx, "HiveAuthzSessionContext cannot be null");
+
+    this.conf = conf;
+    this.authzConf = authzConf;
+    this.authenticator = authenticator;
+    this.ctx = ctx;
+    this.serverName =
+        Preconditions.checkNotNull(authzConf.get(AuthzConfVars.AUTHZ_SERVER_NAME.getVar()),
+            REQUIRED_AUTHZ_SERVER_NAME);
+  }
+
+  @Override
+  public void createRole(String roleName, HivePrincipal adminGrantor)
+      throws HiveAuthzPluginException, HiveAccessControlException {
+    if (AccessConstants.RESERVED_ROLE_NAMES.contains(roleName.toUpperCase())) {
+      String msg =
+          "Roles cannot be one of the reserved roles: " + AccessConstants.RESERVED_ROLE_NAMES;
+      throw new HiveAccessControlException(msg);
+    }
+    try {
+      sentryClient = getSentryClient();
+      sentryClient.createRole(authenticator.getUserName(), roleName);
+    } catch (SentryAccessDeniedException e) {
+      HiveOperation hiveOp = HiveOperation.CREATEROLE;
+      executeOnFailureHooks(hiveOp, e);
+    } catch (SentryUserException e) {
+      String msg = "Error occurred when Sentry client creating role: " + e.getMessage();
+      executeOnErrorHooks(msg, e);
+    } finally {
+      closeClient();
+    }
+  }
+
+  @Override
+  public void dropRole(String roleName) throws HiveAuthzPluginException, HiveAccessControlException {
+    if (AccessConstants.RESERVED_ROLE_NAMES.contains(roleName.toUpperCase())) {
+      String msg =
+          "Roles cannot be one of the reserved roles: " + AccessConstants.RESERVED_ROLE_NAMES;
+      throw new HiveAccessControlException(msg);
+    }
+    try {
+      sentryClient = getSentryClient();
+      sentryClient.dropRole(authenticator.getUserName(), roleName);
+    } catch (SentryAccessDeniedException e) {
+      HiveOperation hiveOp = HiveOperation.DROPROLE;
+      executeOnFailureHooks(hiveOp, e);
+    } catch (SentryUserException e) {
+      String msg = "Error occurred when Sentry client creating role: " + e.getMessage();
+      executeOnErrorHooks(msg, e);
+    } finally {
+      closeClient();
+    }
+  }
+
+  @Override
+  public List<String> getAllRoles() throws HiveAccessControlException, HiveAuthzPluginException {
+    List<String> roles = new ArrayList<String>();
+    try {
+      sentryClient = getSentryClient();
+      roles = convert2RoleList(sentryClient.listRoles(authenticator.getUserName()));
+    } catch (SentryAccessDeniedException e) {
+      HiveOperation hiveOp = HiveOperation.SHOW_ROLES;
+      executeOnFailureHooks(hiveOp, e);
+    } catch (SentryUserException e) {
+      String msg = "Error when sentryClient listRoles: " + e.getMessage();
+      executeOnErrorHooks(msg, e);
+    } finally {
+      closeClient();
+    }
+    return roles;
+  }
+
+  @Override
+  public void grantPrivileges(List<HivePrincipal> hivePrincipals,
+      List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
+      HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
+      HiveAccessControlException {
+    grantOrRevokePrivlegeOnRole(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, true);
+  }
+
+  @Override
+  public void revokePrivileges(List<HivePrincipal> hivePrincipals,
+      List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
+      HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
+      HiveAccessControlException {
+    grantOrRevokePrivlegeOnRole(hivePrincipals, hivePrivileges, hivePrivObject, grantOption, false);
+  }
+
+  @Override
+  public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles,
+      boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
+      HiveAccessControlException {
+    grantOrRevokeRoleOnGroup(hivePrincipals, roles, grantorPrinc, true);
+  }
+
+  @Override
+  public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles,
+      boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
+      HiveAccessControlException {
+    grantOrRevokeRoleOnGroup(hivePrincipals, roles, grantorPrinc, false);
+  }
+
+
+  @Override
+  public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal, HivePrivilegeObject privObj)
+      throws HiveAuthzPluginException, HiveAccessControlException {
+    if (principal.getType() != HivePrincipalType.ROLE) {
+      String msg =
+          SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principal.getType();
+      throw new HiveAuthzPluginException(msg);
+    }
+    List<HivePrivilegeInfo> infoList = new ArrayList<HivePrivilegeInfo>();
+    try {
+      sentryClient = getSentryClient();
+      List<List<DBModelAuthorizable>> authorizables =
+          SentryAuthorizerUtil.getAuthzHierarchy(new Server(serverName), privObj);
+      Set<TSentryPrivilege> tPrivilges = new HashSet<TSentryPrivilege>();
+      if (authorizables != null && !authorizables.isEmpty()) {
+        for (List<? extends Authorizable> authorizable : authorizables) {
+          tPrivilges.addAll(sentryClient.listPrivilegesByRoleName(authenticator.getUserName(),
+              principal.getName(), authorizable));
+        }
+      } else {
+        tPrivilges.addAll(sentryClient.listPrivilegesByRoleName(authenticator.getUserName(),
+            principal.getName(), null));
+      }
+
+      if (tPrivilges != null && !tPrivilges.isEmpty()) {
+        for (TSentryPrivilege privilege : tPrivilges) {
+          infoList.add(SentryAuthorizerUtil.convert2HivePrivilegeInfo(privilege, principal));
+        }
+      }
+    } catch (SentryAccessDeniedException e) {
+      HiveOperation hiveOp = HiveOperation.SHOW_GRANT;
+      executeOnFailureHooks(hiveOp, e);
+    } catch (SentryUserException e) {
+      String msg = "Error when sentryClient listPrivilegesByRoleName: " + e.getMessage();
+      executeOnErrorHooks(msg, e);
+    } finally {
+      closeClient();
+    }
+    return infoList;
+  }
+
+  @Override
+  public void setCurrentRole(String roleName) throws HiveAccessControlException,
+      HiveAuthzPluginException {
+    try {
+      sentryClient = getSentryClient();
+      hiveAuthzBinding = new HiveAuthzBinding(hiveHook, conf, authzConf);
+      hiveAuthzBinding.setActiveRoleSet(roleName,
+          sentryClient.listUserRoles(authenticator.getUserName()));
+    } catch (SentryAccessDeniedException e) {
+      HiveOperation hiveOp = HiveOperation.GRANT_ROLE;
+      executeOnFailureHooks(hiveOp, e);
+    } catch (Exception e) {
+      String msg = "Error when sentryClient setCurrentRole: " + e.getMessage();
+      executeOnErrorHooks(msg, e);
+    } finally {
+      closeClient();
+      if (hiveAuthzBinding != null) {
+        hiveAuthzBinding.close();
+      }
+    }
+  }
+
+  @Override
+  public List<String> getCurrentRoleNames() throws HiveAuthzPluginException {
+    List<String> roles = new ArrayList<String>();
+    try {
+      sentryClient = getSentryClient();
+      hiveAuthzBinding = new HiveAuthzBinding(hiveHook, conf, authzConf);
+      ActiveRoleSet roleSet = hiveAuthzBinding.getActiveRoleSet();
+      if (roleSet.isAll()) {
+        roles = convert2RoleList(sentryClient.listUserRoles(authenticator.getUserName()));
+      } else {
+        roles.addAll(roleSet.getRoles());
+      }
+    } catch (Exception e) {
+      String msg = "Error when sentryClient listUserRoles: " + e.getMessage();
+      executeOnErrorHooks(msg, e);
+    } finally {
+      closeClient();
+      if (hiveAuthzBinding != null) {
+        hiveAuthzBinding.close();
+      }
+    }
+    return roles;
+  }
+
+  @Override
+  public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName)
+      throws HiveAuthzPluginException {
+    // TODO we will support in future
+    throw new HiveAuthzPluginException("Not supported of SHOW_ROLE_PRINCIPALS in Sentry");
+  }
+
+  @Override
+  public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
+      throws HiveAccessControlException, HiveAuthzPluginException {
+    List<HiveRoleGrant> hiveRoleGrants = new ArrayList<HiveRoleGrant>();
+    try {
+      sentryClient = getSentryClient();
+      Set<TSentryRole> roles = null;
+      if (principal.getType() == HivePrincipalType.GROUP) {
+        roles = sentryClient.listRolesByGroupName(authenticator.getUserName(), principal.getName());
+      } else if (principal.getType() == HivePrincipalType.USER) {
+        roles = sentryClient.listRolesByUserName(authenticator.getUserName(), principal.getName());
+      } else {
+        String msg =
+            SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principal.getType();
+        throw new HiveAuthzPluginException(msg);
+      }
+      if (roles != null && !roles.isEmpty()) {
+        for (TSentryRole role : roles) {
+          hiveRoleGrants.add(SentryAuthorizerUtil.convert2HiveRoleGrant(role));
+        }
+      }
+    } catch (SentryAccessDeniedException e) {
+      HiveOperation hiveOp = HiveOperation.SHOW_ROLE_GRANT;
+      executeOnFailureHooks(hiveOp, e);
+    } catch (SentryUserException e) {
+      String msg = "Error when sentryClient listRolesByGroupName: " + e.getMessage();
+      executeOnErrorHooks(msg, e);
+    } finally {
+      closeClient();
+    }
+    return hiveRoleGrants;
+  }
+
+  @Override
+  public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
+    // Apply rest of the configuration only to HiveServer2
+    if (ctx.getClientType() != CLIENT_TYPE.HIVESERVER2
+        || !hiveConf.getBoolVar(ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
+      throw new HiveAuthzPluginException("Sentry only supports hiveserver2");
+    }
+  }
+
+  /**
+   * Grant(isGrant is true) or revoke(isGrant is false) db privileges to/from role via sentryClient,
+   * which is a instance of SentryPolicyServiceClientV2
+   *
+   * @param hivePrincipals
+   * @param hivePrivileges
+   * @param hivePrivObject
+   * @param grantOption
+   * @param isGrant
+   */
+  private void grantOrRevokePrivlegeOnRole(List<HivePrincipal> hivePrincipals,
+      List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject, boolean grantOption,
+      boolean isGrant) throws HiveAuthzPluginException, HiveAccessControlException {
+    try {
+      sentryClient = getSentryClient();
+
+      for (HivePrincipal principal : hivePrincipals) {
+        // Sentry only support grant privilege to ROLE
+        if (principal.getType() != HivePrincipalType.ROLE) {
+          String msg =
+              SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principal.getType();
+          throw new HiveAuthzPluginException(msg);
+        }
+        for (HivePrivilege privilege : hivePrivileges) {
+          String grantorName = authenticator.getUserName();
+          String roleName = principal.getName();
+          String action = SentryAuthorizerUtil.convert2SentryAction(privilege);
+          List<String> columnNames = privilege.getColumns();
+          Boolean grantOp = null;
+          if (isGrant) {
+            grantOp = grantOption;
+          }
+
+          switch (hivePrivObject.getType()) {
+            case GLOBAL:
+              if (isGrant) {
+                sentryClient.grantServerPrivilege(grantorName, roleName,
+                    hivePrivObject.getObjectName(), action, grantOp);
+              } else {
+                sentryClient.revokeServerPrivilege(grantorName, roleName,
+                    hivePrivObject.getObjectName(), action, grantOp);
+              }
+              break;
+            case DATABASE:
+              if (isGrant) {
+                sentryClient.grantDatabasePrivilege(grantorName, roleName, serverName,
+                    hivePrivObject.getDbname(), action, grantOp);
+              } else {
+                sentryClient.revokeDatabasePrivilege(grantorName, roleName, serverName,
+                    hivePrivObject.getDbname(), action, grantOp);
+              }
+              break;
+            case TABLE_OR_VIEW:
+              // For column level security
+              if (columnNames != null && !columnNames.isEmpty()) {
+                if (action.equalsIgnoreCase(AccessConstants.INSERT)
+                    || action.equalsIgnoreCase(AccessConstants.ALL)) {
+                  String msg =
+                      SentryHiveConstants.PRIVILEGE_NOT_SUPPORTED + privilege.getName()
+                          + " on Column";
+                  throw new HiveAuthzPluginException(msg);
+                }
+                if (isGrant) {
+                  sentryClient.grantColumnsPrivileges(grantorName, roleName, serverName,
+                      hivePrivObject.getDbname(), hivePrivObject.getObjectName(), columnNames,
+                      action, grantOp);
+                } else {
+                  sentryClient.revokeColumnsPrivilege(grantorName, roleName, serverName,
+                      hivePrivObject.getDbname(), hivePrivObject.getObjectName(), columnNames,
+                      action, grantOp);
+                }
+              } else {
+                if (isGrant) {
+                  sentryClient.grantTablePrivilege(grantorName, roleName, serverName,
+                      hivePrivObject.getDbname(), hivePrivObject.getObjectName(), action, grantOp);
+                } else {
+                  sentryClient.revokeTablePrivilege(grantorName, roleName, serverName,
+                      hivePrivObject.getDbname(), hivePrivObject.getObjectName(), action, grantOp);
+                }
+              }
+              break;
+            case LOCAL_URI:
+            case DFS_URI:
+              String uRIString = hivePrivObject.getObjectName().replace("'", "").replace("\"", "");
+              if (isGrant) {
+                sentryClient.grantURIPrivilege(grantorName, roleName, serverName,
+                    uRIString, grantOp);
+              } else {
+                sentryClient.revokeURIPrivilege(grantorName, roleName, serverName,
+                    uRIString, grantOp);
+              }
+              break;
+            case FUNCTION:
+            case PARTITION:
+            case COLUMN:
+            case COMMAND_PARAMS:
+              // not support these type
+              throw new HiveAuthzPluginException(hivePrivObject.getType().name()
+                  + " are not supported in sentry");
+            default:
+              break;
+          }
+        }
+      }
+    } catch (SentryAccessDeniedException e) {
+      HiveOperation hiveOp =
+          isGrant ? HiveOperation.GRANT_PRIVILEGE : HiveOperation.REVOKE_PRIVILEGE;
+      executeOnFailureHooks(hiveOp, e);
+    } catch (SentryUserException e) {
+      String msg = "Error when sentryClient grant/revoke privilege:" + e.getMessage();
+      executeOnErrorHooks(msg, e);
+    } finally {
+      closeClient();
+    }
+  }
+  /**
+   * Grant(isGrant is true) or revoke(isGrant is false) role to/from group via sentryClient, which
+   * is a instance of SentryPolicyServiceClientV2
+   *
+   * @param hivePrincipals
+   * @param roles
+   * @param grantorPrinc
+   * @param isGrant
+   */
+  private void grantOrRevokeRoleOnGroup(List<HivePrincipal> hivePrincipals, List<String> roles,
+      HivePrincipal grantorPrinc, boolean isGrant) throws HiveAuthzPluginException,
+      HiveAccessControlException {
+    try {
+      sentryClient = getSentryClient();
+      // get principals
+      Set<String> groups = Sets.newHashSet();
+      Set<String> users = Sets.newHashSet();
+      for (HivePrincipal principal : hivePrincipals) {
+        if (principal.getType() == HivePrincipalType.GROUP) {
+          groups.add(principal.getName());
+        } else if (principal.getType() == HivePrincipalType.USER) {
+          users.add(principal.getName());
+        } else {
+          String msg =
+              SentryHiveConstants.GRANT_REVOKE_NOT_SUPPORTED_FOR_PRINCIPAL + principal.getType();
+          throw new HiveAuthzPluginException(msg);
+
+        }
+      }
+
+      // grant/revoke role to/from principals
+      for (String roleName : roles) {
+        if (isGrant) {
+          if (groups.size() > 0) {
+            sentryClient.grantRoleToGroups(grantorPrinc.getName(), roleName, groups);
+          }
+          if (users.size() > 0) {
+            sentryClient.grantRoleToUsers(grantorPrinc.getName(), roleName, users);
+          }
+        } else {
+          if (groups.size() > 0) {
+            sentryClient.revokeRoleFromGroups(grantorPrinc.getName(), roleName, groups);
+          }
+          if (users.size() > 0) {
+            sentryClient.revokeRoleFromUsers(grantorPrinc.getName(), roleName, users);
+          }
+        }
+      }
+
+    } catch (SentryAccessDeniedException e) {
+      HiveOperation hiveOp = isGrant ? HiveOperation.GRANT_ROLE : HiveOperation.REVOKE_ROLE;
+      executeOnFailureHooks(hiveOp, e);
+    } catch (SentryUserException e) {
+      String msg = "Error when sentryClient grant/revoke role:" + e.getMessage();
+      executeOnErrorHooks(msg, e);
+    } finally {
+      closeClient();
+    }
+  }
+
+  private void executeOnFailureHooks(HiveOperation hiveOp, SentryAccessDeniedException e)
+      throws HiveAccessControlException {
+
+    // With Hive 2.x cmd information is not available from SessionState. More over cmd information
+    // is not used in SentryOnFailureHookContextImpl. If this information is really needed an issue
+    // should be raised with  Hive community to update HiveAccessController interface to pass
+    // HiveSemanticAnalyzerHookContext, which has cmd information. For now, empty string is used for
+    // cmd.
+    SentryOnFailureHookContext hookCtx =
+        new SentryOnFailureHookContextImpl("", null, null, hiveOp, null,
+            null, null, null, authenticator.getUserName(), null, new AuthorizationException(e),
+            authzConf);
+    SentryAuthorizerUtil.executeOnFailureHooks(hookCtx, authzConf);
+    throw new HiveAccessControlException(e.getMessage(), e);
+  }
+
+  private void executeOnErrorHooks(String msg, Exception e) throws HiveAuthzPluginException {
+    LOG.error(msg, e);
+    throw new HiveAuthzPluginException(msg, e);
+  }
+
+  private List<String> convert2RoleList(Set<TSentryRole> roleSet) {
+    List<String> roles = new ArrayList<String>();
+    if (roleSet != null && !roleSet.isEmpty()) {
+      for (TSentryRole tRole : roleSet) {
+        roles.add(tRole.getRoleName());
+      }
+    }
+    return roles;
+  }
+
+  private SentryPolicyServiceClient getSentryClient() throws HiveAuthzPluginException {
+    try {
+      Preconditions.checkNotNull(authzConf, "HiveAuthConf cannot be null");
+      return SentryServiceClientFactory.create(authzConf);
+    } catch (Exception e) {
+      String msg = "Error occurred when creating Sentry client: " + e.getMessage();
+      throw new HiveAuthzPluginException(msg, e);
+    }
+  }
+  private void closeClient() {
+    if (sentryClient != null) {
+      try {
+        sentryClient.close();
+      } catch (Exception e) {
+        LOG.error("Error while closing the connection with sentry server", e);
+      }
+    }
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAccessController.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAccessController.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAccessController.java
new file mode 100644
index 0000000..f206bfe
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAccessController.java
@@ -0,0 +1,199 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.sentry.binding.hive.authz;
+
+import java.util.List;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessController;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
+
+/**
+ * Abstract class to do access control commands, e.g. grant/revoke privileges, grant/revoke role,
+ * create/drop role.
+ */
+public abstract class SentryHiveAccessController implements HiveAccessController {
+
+  /**
+   * Hive statement: Grant privilege GRANT priv_type [, priv_type ] ... ON table_or_view_name TO
+   * principal_specification [, principal_specification] ... [WITH GRANT OPTION];
+   * principal_specification : USER user | ROLE role
+   *
+   * priv_type : INSERT | SELECT | UPDATE | DELETE | ALL
+   *
+   * @param hivePrincipals
+   * @param hivePrivileges
+   * @param hivePrivObject
+   * @param grantorPrincipal
+   * @param grantOption
+   * @throws HiveAuthzPluginException, HiveAccessControlException
+   */
+  @Override
+  public abstract void grantPrivileges(List<HivePrincipal> hivePrincipals,
+      List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
+      HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
+      HiveAccessControlException;
+
+  /**
+   * Hive statement: Revoke privilege REVOKE priv_type [, priv_type ] ... ON table_or_view_name FROM
+   * principal_specification [, principal_specification] ... ;
+   *
+   * principal_specification : USER user | ROLE role
+   *
+   * priv_type : INSERT | SELECT | UPDATE | DELETE | ALL
+   *
+   * @param hivePrincipals
+   * @param hivePrivileges
+   * @param hivePrivObject
+   * @param grantorPrincipal
+   * @param grantOption
+   * @throws HiveAuthzPluginException, HiveAccessControlException
+   */
+  @Override
+  public abstract void revokePrivileges(List<HivePrincipal> hivePrincipals,
+      List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
+      HivePrincipal grantorPrincipal, boolean grantOption) throws HiveAuthzPluginException,
+      HiveAccessControlException;
+
+  /**
+   * Hive statement: Create role CREATE ROLE role_name;
+   *
+   * @param roleName
+   * @param adminGrantor
+   * @throws HiveAuthzPluginException, HiveAccessControlException
+   */
+  @Override
+  public abstract void createRole(String roleName, HivePrincipal adminGrantor)
+      throws HiveAuthzPluginException, HiveAccessControlException;
+
+  /**
+   * Hive statement: Drop role DROP ROLE role_name;
+   *
+   * @param roleName
+   * @throws HiveAuthzPluginException, HiveAccessControlException
+   */
+  @Override
+  public abstract void dropRole(String roleName) throws HiveAuthzPluginException,
+      HiveAccessControlException;
+
+  /**
+   * Hive statement: Grant role GRANT role_name [, role_name] ... TO principal_specification [,
+   * principal_specification] ... [ WITH ADMIN OPTION ];
+   *
+   * principal_specification : USER user | ROLE role
+   *
+   * @param hivePrincipals
+   * @param roles
+   * @param grantOption
+   * @param grantorPrinc
+   * @throws HiveAuthzPluginException, HiveAccessControlException
+   */
+  @Override
+  public abstract void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles,
+      boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
+      HiveAccessControlException;
+
+
+  /**
+   * Hive statement: Revoke role REVOKE [ADMIN OPTION FOR] role_name [, role_name] ... FROM
+   * principal_specification [, principal_specification] ... ;
+   *
+   * principal_specification : USER user | ROLE role
+   *
+   * @param hivePrincipals
+   * @param roles
+   * @param grantOption
+   * @param grantorPrinc
+   * @throws HiveAuthzPluginException, HiveAccessControlException
+   */
+  @Override
+  public abstract void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles,
+      boolean grantOption, HivePrincipal grantorPrinc) throws HiveAuthzPluginException,
+      HiveAccessControlException;
+
+  /**
+   * Hive statement: Show roles SHOW ROLES;
+   *
+   * @throws HiveAuthzPluginException, HiveAccessControlException
+   */
+  @Override
+  public abstract List<String> getAllRoles() throws HiveAuthzPluginException,
+      HiveAccessControlException;
+
+  /**
+   * Hive statement: Show grant SHOW GRANT [principal_name] ON (ALL| ([TABLE] table_or_view_name);
+   *
+   * @param principal
+   * @param privObj
+   * @throws HiveAuthzPluginException, HiveAccessControlException
+   */
+  @Override
+  public abstract List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal,
+      HivePrivilegeObject privObj) throws HiveAuthzPluginException, HiveAccessControlException;
+
+  /**
+   * Hive statement: Set role SET ROLE (role_name|ALL);
+   *
+   * @param roleName
+   * @throws HiveAuthzPluginException, HiveAccessControlException
+   */
+  @Override
+  public abstract void setCurrentRole(String roleName) throws HiveAuthzPluginException,
+      HiveAccessControlException;
+
+  /**
+   * Hive statement: Show current roles SHOW CURRENT ROLES;
+   *
+   * @throws HiveAuthzPluginException
+   */
+  @Override
+  public abstract List<String> getCurrentRoleNames() throws HiveAuthzPluginException;
+
+  /**
+   * Hive statement: Set role privileges SHOW PRINCIPALS role_name;
+   *
+   * @param roleName
+   * @throws HiveAuthzPluginException, HiveAccessControlException
+   */
+  @Override
+  public abstract List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName)
+      throws HiveAuthzPluginException, HiveAccessControlException;
+
+  /**
+   * Hive statement: Set role grant SHOW ROLE GRANT (USER|ROLE) principal_name;
+   *
+   * @param principal
+   * @throws HiveAuthzPluginException, HiveAccessControlException
+   */
+  @Override
+  public abstract List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
+      throws HiveAuthzPluginException, HiveAccessControlException;
+
+  /**
+   * Apply configuration files for authorization V2
+   *
+   * @param hiveConf
+   * @throws HiveAuthzPluginException
+   */
+  @Override
+  public abstract void applyAuthorizationConfigPolicy(HiveConf hiveConf)
+      throws HiveAuthzPluginException;
+
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerFactory.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerFactory.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerFactory.java
index f6297e9..76a757a 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerFactory.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerFactory.java
@@ -17,12 +17,15 @@
 package org.apache.sentry.binding.hive.authz;
 
 import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
 import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext.CLIENT_TYPE;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
+import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
 
 /**
  * Factory class that creates a HiveAuthorizer implementation for the Hive authorization V2
@@ -40,6 +43,28 @@ public class SentryHiveAuthorizerFactory implements HiveAuthorizerFactory {
   public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
       HiveConf conf, HiveAuthenticationProvider hiveAuthenticator, HiveAuthzSessionContext ctx)
       throws HiveAuthzPluginException {
-    return new SentryHiveAuthorizerImpl();
+    HiveAuthzConf authzConf = HiveAuthzBindingHookBase.loadAuthzConf(conf);
+    HiveAuthzSessionContext sessionContext = applyTestSettings(ctx, conf);
+
+    SentryHiveAccessController accessController;
+    try {
+      accessController =
+          new DefaultSentryAccessController(conf, authzConf, hiveAuthenticator, sessionContext);
+    } catch (Exception e) {
+      throw new HiveAuthzPluginException(e);
+    }
+
+    return new SentryHiveAuthorizerImpl(accessController);
+  }
+
+  private HiveAuthzSessionContext applyTestSettings(HiveAuthzSessionContext ctx, HiveConf conf) {
+    if (conf.getBoolVar(ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE)
+        && ctx.getClientType() == CLIENT_TYPE.HIVECLI) {
+      // create new session ctx object with HS2 as client type
+      HiveAuthzSessionContext.Builder ctxBuilder = new HiveAuthzSessionContext.Builder(ctx);
+      ctxBuilder.setClientType(CLIENT_TYPE.HIVESERVER2);
+      return ctxBuilder.build();
+    }
+    return ctx;
   }
 }

http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
index 9c72876..4aff76f 100644
--- a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/hive/authz/SentryHiveAuthorizerImpl.java
@@ -19,8 +19,13 @@ package org.apache.sentry.binding.hive.authz;
 import java.util.ArrayList;
 import java.util.List;
 import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.ql.exec.SentryHivePrivilegeObjectDesc;
+import org.apache.hadoop.hive.ql.metadata.HiveException;
+import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc;
+import org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationTranslator;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.AbstractHiveAuthorizer;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationTranslator;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
@@ -30,6 +35,7 @@ import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
 import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
+import org.apache.sentry.binding.hive.SentryHivePrivilegeObject;
 import org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook;
 
 /**
@@ -37,19 +43,25 @@ import org.apache.sentry.binding.metastore.SentryMetaStoreFilterHook;
  * of an object, execute GRANT/REVOKE DDL statements and filter HMS metadata. This class is
  * part of the Hive authorization V2.
  * <p>
- * NOTE: For this first version of the class, only the HMS metadata filtering is implemented.
+ * NOTE: For this first version of the class, only the HMS metadata filtering
+ * and grant/revoke privileges are implemented.
  * The rest of the authorization is still using Hive authorization V1 API.
  */
 public class SentryHiveAuthorizerImpl extends AbstractHiveAuthorizer {
+  private SentryHiveAccessController accessController;
+  static private HiveAuthorizationTranslator hiveTranslator =
+      new SentryHiveAuthorizationTranslator();
+
   private SentryMetaStoreFilterHook filterHook;
 
-  public SentryHiveAuthorizerImpl() {
-    filterHook = new SentryMetaStoreFilterHook(null);
+  public SentryHiveAuthorizerImpl(SentryHiveAccessController accessController) {
+    this.accessController = accessController;
+    this.filterHook = new SentryMetaStoreFilterHook(null);
   }
 
   @Override
   public VERSION getVersion() {
-    throw new UnsupportedOperationException();
+    return VERSION.V1;
   }
 
   @Override
@@ -57,7 +69,8 @@ public class SentryHiveAuthorizerImpl extends AbstractHiveAuthorizer {
       List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
       HivePrincipal grantorPrincipal, boolean grantOption)
       throws HiveAuthzPluginException, HiveAccessControlException {
-    throw new UnsupportedOperationException();
+    accessController.grantPrivileges(hivePrincipals, hivePrivileges, hivePrivObject,
+        grantorPrincipal, grantOption);
   }
 
   @Override
@@ -65,51 +78,52 @@ public class SentryHiveAuthorizerImpl extends AbstractHiveAuthorizer {
       List<HivePrivilege> hivePrivileges, HivePrivilegeObject hivePrivObject,
       HivePrincipal grantorPrincipal, boolean grantOption)
       throws HiveAuthzPluginException, HiveAccessControlException {
-    throw new UnsupportedOperationException();
+    accessController.revokePrivileges(hivePrincipals, hivePrivileges, hivePrivObject,
+        grantorPrincipal, grantOption);
   }
 
   @Override
   public void createRole(String roleName, HivePrincipal adminGrantor)
       throws HiveAuthzPluginException, HiveAccessControlException {
-    throw new UnsupportedOperationException();
+    accessController.createRole(roleName, adminGrantor);
   }
 
   @Override
   public void dropRole(String roleName)
       throws HiveAuthzPluginException, HiveAccessControlException {
-    throw new UnsupportedOperationException();
+    accessController.dropRole(roleName);
   }
 
   @Override
   public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName)
       throws HiveAuthzPluginException, HiveAccessControlException {
-    throw new UnsupportedOperationException();
+    return accessController.getPrincipalGrantInfoForRole(roleName);
   }
 
   @Override
   public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal principal)
       throws HiveAuthzPluginException, HiveAccessControlException {
-    throw new UnsupportedOperationException();
+    return accessController.getRoleGrantInfoForPrincipal(principal);
   }
 
   @Override
   public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles, boolean grantOption,
       HivePrincipal grantorPrinc) throws HiveAuthzPluginException, HiveAccessControlException {
-    throw new UnsupportedOperationException();
+    accessController.grantRole(hivePrincipals, roles, grantOption, grantorPrinc);
   }
 
   @Override
   public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles,
       boolean grantOption, HivePrincipal grantorPrinc)
       throws HiveAuthzPluginException, HiveAccessControlException {
-    throw new UnsupportedOperationException();
+    accessController.revokeRole(hivePrincipals, roles, grantOption, grantorPrinc);
   }
 
   @Override
   public void checkPrivileges(HiveOperationType hiveOpType, List<HivePrivilegeObject> inputsHObjs,
       List<HivePrivilegeObject> outputHObjs, HiveAuthzContext context)
       throws HiveAuthzPluginException, HiveAccessControlException {
-    throw new UnsupportedOperationException();
+    // Nothing to do there. Privileges are checked on the Semantic hooks
   }
 
   @Override
@@ -131,29 +145,34 @@ public class SentryHiveAuthorizerImpl extends AbstractHiveAuthorizer {
 
   @Override
   public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException {
-    throw new UnsupportedOperationException();
+    return accessController.getAllRoles();
   }
 
   @Override
   public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal,
       HivePrivilegeObject privObj) throws HiveAuthzPluginException, HiveAccessControlException {
-    throw new UnsupportedOperationException();
+    return accessController.showPrivileges(principal, privObj);
   }
 
   @Override
   public void setCurrentRole(String roleName)
       throws HiveAccessControlException, HiveAuthzPluginException {
-    throw new UnsupportedOperationException();
+    accessController.setCurrentRole(roleName);
   }
 
   @Override
   public List<String> getCurrentRoleNames() throws HiveAuthzPluginException {
-    throw new UnsupportedOperationException();
+    return accessController.getCurrentRoleNames();
   }
 
   @Override
   public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
+    accessController.applyAuthorizationConfigPolicy(hiveConf);
+  }
 
+  @Override
+  public HiveAuthorizationTranslator getHiveAuthorizationTranslator() throws HiveAuthzPluginException {
+    return hiveTranslator;
   }
 
   private List<HivePrivilegeObject> filterDbs(List<HivePrivilegeObject> listObjs) {
@@ -193,4 +212,37 @@ public class SentryHiveAuthorizerImpl extends AbstractHiveAuthorizer {
 
     return filterObjs;
   }
+
+  protected static HivePrivilegeObjectType getPrivObjectType(
+      SentryHivePrivilegeObjectDesc privSubjectDesc) {
+    if (privSubjectDesc.getObject() == null) {
+      return null;
+    }
+    if (privSubjectDesc.getServer()) {
+      return HivePrivilegeObjectType.GLOBAL;
+    } else if (privSubjectDesc.getUri()) {
+      return HivePrivilegeObjectType.LOCAL_URI;
+    } else {
+      return privSubjectDesc.getTable() ? HivePrivilegeObjectType.TABLE_OR_VIEW
+          : HivePrivilegeObjectType.DATABASE;
+    }
+  }
+
+  private static class SentryHiveAuthorizationTranslator extends
+      DefaultHiveAuthorizationTranslator {
+
+    @Override
+    public HivePrivilegeObject getHivePrivilegeObject(PrivilegeObjectDesc privSubjectDesc)
+        throws HiveException {
+      if (privSubjectDesc != null && privSubjectDesc instanceof SentryHivePrivilegeObjectDesc) {
+        SentryHivePrivilegeObjectDesc sPrivSubjectDesc =
+            (SentryHivePrivilegeObjectDesc) privSubjectDesc;
+        if (sPrivSubjectDesc.isSentryPrivObjectDesc()) {
+          HivePrivilegeObjectType objectType = getPrivObjectType(sPrivSubjectDesc);
+          return new SentryHivePrivilegeObject(objectType, privSubjectDesc.getObject());
+        }
+      }
+      return super.getHivePrivilegeObject(privSubjectDesc);
+    }
+  }
 }

http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java
new file mode 100644
index 0000000..b536283
--- /dev/null
+++ b/sentry-binding/sentry-binding-hive/src/main/java/org/apache/sentry/binding/util/SentryAuthorizerUtil.java
@@ -0,0 +1,360 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
+ * agreements. See the NOTICE file distributed with this work for additional information regarding
+ * copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License. You may obtain a
+ * copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License
+ * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
+ * or implied. See the License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.sentry.binding.util;
+
+import com.google.common.base.Splitter;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.common.JavaUtils;
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
+import org.apache.hadoop.hive.metastore.api.PrincipalType;
+import org.apache.hadoop.hive.ql.hooks.Hook;
+import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
+import org.apache.hadoop.hive.ql.parse.SemanticException;
+import org.apache.hadoop.hive.ql.plan.HiveOperation;
+import org.apache.hadoop.hive.ql.security.authorization.PrivilegeType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal.HivePrincipalType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
+import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
+import org.apache.hadoop.hive.ql.session.SessionState;
+import org.apache.sentry.binding.hive.SentryOnFailureHook;
+import org.apache.sentry.binding.hive.SentryOnFailureHookContext;
+import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
+import org.apache.sentry.core.common.utils.PathUtils;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.core.model.db.AccessURI;
+import org.apache.sentry.core.model.db.Column;
+import org.apache.sentry.core.model.db.DBModelAuthorizable;
+import org.apache.sentry.core.model.db.Database;
+import org.apache.sentry.core.model.db.Server;
+import org.apache.sentry.core.model.db.Table;
+import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
+import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
+import org.apache.sentry.provider.db.service.thrift.TSentryRole;
+import org.apache.sentry.service.thrift.ServiceConstants.PrivilegeScope;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class SentryAuthorizerUtil {
+  public static final Logger LOG = LoggerFactory.getLogger(SentryAuthorizerUtil.class);
+  public static String UNKONWN_GRANTOR = "--";
+
+  /**
+   * Convert string to URI
+   *
+   * @param uri
+   * @param isLocal
+   * @throws SemanticException
+   * @throws URISyntaxException
+   */
+  public static AccessURI parseURI(String uri, boolean isLocal) throws URISyntaxException {
+    HiveConf conf = SessionState.get().getConf();
+    String warehouseDir = conf.getVar(ConfVars.METASTOREWAREHOUSE);
+    return new AccessURI(PathUtils.parseURI(warehouseDir, uri, isLocal));
+  }
+
+  /**
+   * Convert HivePrivilegeObject to DBModelAuthorizable list Now hive 0.13 don't support column
+   * level
+   *
+   * @param server
+   * @param privilege
+   */
+  public static List<List<DBModelAuthorizable>> getAuthzHierarchy(Server server,
+      HivePrivilegeObject privilege) {
+    List<DBModelAuthorizable> baseHierarchy = new ArrayList<DBModelAuthorizable>();
+    List<List<DBModelAuthorizable>> objectHierarchy = new ArrayList<List<DBModelAuthorizable>>();
+    boolean isLocal = false;
+    if (privilege.getType() != null) {
+      switch (privilege.getType()) {
+        case GLOBAL:
+          baseHierarchy.add(new Server(privilege.getObjectName()));
+          objectHierarchy.add(baseHierarchy);
+          break;
+        case DATABASE:
+          baseHierarchy.add(server);
+          baseHierarchy.add(new Database(privilege.getDbname()));
+          objectHierarchy.add(baseHierarchy);
+          break;
+        case TABLE_OR_VIEW:
+          baseHierarchy.add(server);
+          baseHierarchy.add(new Database(privilege.getDbname()));
+          baseHierarchy.add(new Table(privilege.getObjectName()));
+          if (privilege.getColumns() != null) {
+            for (String columnName : privilege.getColumns()) {
+              List<DBModelAuthorizable> columnHierarchy =
+                  new ArrayList<DBModelAuthorizable>(baseHierarchy);
+              columnHierarchy.add(new Column(columnName));
+              objectHierarchy.add(columnHierarchy);
+            }
+          } else {
+            objectHierarchy.add(baseHierarchy);
+          }
+          break;
+        case LOCAL_URI:
+          isLocal = true;
+        case DFS_URI:
+          if (privilege.getObjectName() == null) {
+            break;
+          }
+          try {
+            baseHierarchy.add(server);
+            baseHierarchy.add(parseURI(privilege.getObjectName(), isLocal));
+            objectHierarchy.add(baseHierarchy);
+          } catch (Exception e) {
+            throw new AuthorizationException("Failed to get File URI", e);
+          }
+          break;
+        case FUNCTION:
+        case PARTITION:
+        case COLUMN:
+        case COMMAND_PARAMS:
+          // not support these type
+          break;
+        default:
+          break;
+      }
+    }
+    return objectHierarchy;
+  }
+
+  /**
+   * Convert HivePrivilegeObject list to List<List<DBModelAuthorizable>>
+   *
+   * @param server
+   * @param privilges
+   */
+  public static List<List<DBModelAuthorizable>> convert2SentryPrivilegeList(Server server,
+      List<HivePrivilegeObject> privilges) {
+    List<List<DBModelAuthorizable>> hierarchyList = new ArrayList<List<DBModelAuthorizable>>();
+    if (privilges != null && !privilges.isEmpty()) {
+      for (HivePrivilegeObject p : privilges) {
+        hierarchyList.addAll(getAuthzHierarchy(server, p));
+      }
+    }
+    return hierarchyList;
+  }
+
+  /**
+   * Convert HiveOperationType to HiveOperation
+   *
+   * @param type
+   */
+  public static HiveOperation convert2HiveOperation(String typeName) {
+    try {
+      return HiveOperation.valueOf(typeName);
+    } catch (Exception e) {
+      return null;
+    }
+  }
+
+  /**
+   * Convert HivePrivilege to Sentry Action
+   *
+   * @param hivePrivilege
+   */
+  public static String convert2SentryAction(HivePrivilege hivePrivilege) {
+    if (PrivilegeType.ALL.name().equals(hivePrivilege.getName())) {
+      return AccessConstants.ALL;
+    } else {
+      return hivePrivilege.getName();
+    }
+  }
+
+  /**
+   * Convert Sentry Action to HivePrivilege
+   *
+   * @param hivePrivilege
+   */
+  public static HivePrivilege convert2HivePrivilege(String action) {
+    return new HivePrivilege(action, null);
+  }
+
+  /**
+   * Convert TSentryRole Set to String List
+   *
+   * @param roleSet
+   */
+  public static List<String> convert2RoleList(Set<TSentryRole> roleSet) {
+    List<String> roles = new ArrayList<String>();
+    if (roleSet != null && !roleSet.isEmpty()) {
+      for (TSentryRole tRole : roleSet) {
+        roles.add(tRole.getRoleName());
+      }
+    }
+    return roles;
+  }
+
+  /**
+   * Convert TSentryPrivilege to HivePrivilegeInfo
+   *
+   * @param tPrivilege
+   * @param principal
+   */
+  public static HivePrivilegeInfo convert2HivePrivilegeInfo(TSentryPrivilege tPrivilege,
+      HivePrincipal principal) {
+    HivePrivilege hivePrivilege = convert2HivePrivilege(tPrivilege.getAction());
+    HivePrivilegeObject hivePrivilegeObject = convert2HivePrivilegeObject(tPrivilege);
+    // now sentry don't show grantor of a privilege
+    HivePrincipal grantor = new HivePrincipal(UNKONWN_GRANTOR, HivePrincipalType.ROLE);
+    boolean grantOption =
+        tPrivilege.getGrantOption().equals(TSentryGrantOption.TRUE) ? true : false;
+    return new HivePrivilegeInfo(principal, hivePrivilege, hivePrivilegeObject, grantor,
+        grantOption, (int) tPrivilege.getCreateTime());
+  }
+
+  /**
+   * Convert TSentryPrivilege to HivePrivilegeObject
+   *
+   * @param tSentryPrivilege
+   */
+  public static HivePrivilegeObject convert2HivePrivilegeObject(TSentryPrivilege tSentryPrivilege) {
+    HivePrivilegeObject privilege = null;
+    switch (PrivilegeScope.valueOf(tSentryPrivilege.getPrivilegeScope())) {
+      case SERVER:
+        privilege = new HivePrivilegeObject(HivePrivilegeObjectType.GLOBAL, "*", null);
+        break;
+      case DATABASE:
+        privilege =
+            new HivePrivilegeObject(HivePrivilegeObjectType.DATABASE, tSentryPrivilege.getDbName(),
+                null);
+        break;
+      case TABLE:
+        privilege =
+            new HivePrivilegeObject(HivePrivilegeObjectType.TABLE_OR_VIEW,
+                tSentryPrivilege.getDbName(), tSentryPrivilege.getTableName());
+        break;
+      case COLUMN:
+        privilege =
+            new HivePrivilegeObject(HivePrivilegeObjectType.COLUMN, tSentryPrivilege.getDbName(),
+                tSentryPrivilege.getTableName(), null, tSentryPrivilege.getColumnName());
+        break;
+      case URI:
+        String uriString = tSentryPrivilege.getURI();
+        try {
+          uriString = uriString.replace("'", "").replace("\"", "");
+          HivePrivilegeObjectType type =
+              isLocalUri(uriString) ? HivePrivilegeObjectType.LOCAL_URI
+                  : HivePrivilegeObjectType.DFS_URI;
+          privilege = new HivePrivilegeObject(type, uriString, null);
+        } catch (URISyntaxException e1) {
+          throw new RuntimeException(uriString + "is not a URI");
+        }
+      default:
+        LOG.warn("Unknown PrivilegeScope: "
+            + PrivilegeScope.valueOf(tSentryPrivilege.getPrivilegeScope()));
+        break;
+    }
+    return privilege;
+  }
+
+  public static boolean isLocalUri(String uriString) throws URISyntaxException {
+    URI uri = new URI(uriString);
+    if (uri.getScheme().equalsIgnoreCase("file")) {
+      return true;
+    }
+
+    return false;
+  }
+
+  /**
+   * Convert TSentryRole to HiveRoleGrant
+   *
+   * @param role
+   */
+  public static HiveRoleGrant convert2HiveRoleGrant(TSentryRole role) {
+    HiveRoleGrant hiveRoleGrant = new HiveRoleGrant();
+    hiveRoleGrant.setRoleName(role.getRoleName());
+    hiveRoleGrant.setPrincipalName(role.getRoleName());
+    hiveRoleGrant.setPrincipalType(PrincipalType.ROLE.name());
+    hiveRoleGrant.setGrantOption(false);
+    hiveRoleGrant.setGrantor(role.getGrantorPrincipal());
+    hiveRoleGrant.setGrantorType(PrincipalType.USER.name());
+    return hiveRoleGrant;
+  }
+
+  /**
+   * Execute on failure hooks for e2e tests
+   *
+   * @param context
+   * @param conf
+   * @param hiveOp
+   */
+  public static void executeOnFailureHooks(SentryOnFailureHookContext hookCtx, Configuration conf) {
+    String csHooks =
+        conf.get(HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar(), "").trim();
+
+    try {
+      for (Hook aofh : SentryAuthorizerUtil.getHooks(csHooks)) {
+        ((SentryOnFailureHook) aofh).run(hookCtx);
+      }
+    } catch (Exception ex) {
+      LOG.error("Error executing hook:", ex);
+    }
+  }
+
+  /**
+   * Returns a set of hooks specified in a configuration variable.
+   *
+   * See getHooks(HiveAuthzConf.AuthzConfVars hookConfVar, Class<T> clazz)
+   *
+   * @param hookConfVar
+   * @return
+   * @throws Exception
+   */
+  public static List<Hook> getHooks(String csHooks) throws Exception {
+    return getHooks(csHooks, Hook.class);
+  }
+
+  /**
+   * Returns the hooks specified in a configuration variable. The hooks are returned in a list in
+   * the order they were specified in the configuration variable.
+   *
+   * @param hookConfVar The configuration variable specifying a comma separated list of the hook
+   *        class names.
+   * @param clazz The super type of the hooks.
+   * @return A list of the hooks cast as the type specified in clazz, in the order they are listed
+   *         in the value of hookConfVar
+   * @throws Exception
+   */
+  public static <T extends Hook> List<T> getHooks(String csHooks, Class<T> clazz) throws Exception {
+
+    List<T> hooks = new ArrayList<T>();
+    if (csHooks.isEmpty()) {
+      return hooks;
+    }
+    for (String hookClass : Splitter.on(",").omitEmptyStrings().trimResults().split(csHooks)) {
+      try {
+        @SuppressWarnings("unchecked")
+        T hook = (T) Class.forName(hookClass, true, JavaUtils.getClassLoader()).newInstance();
+        hooks.add(hook);
+      } catch (ClassNotFoundException e) {
+        LOG.error(hookClass + " Class not found:" + e.getMessage());
+        throw e;
+      }
+    }
+
+    return hooks;
+  }
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
index a62a0a6..ae13164 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/dbprovider/TestDatabaseProvider.java
@@ -1566,7 +1566,7 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration {
       assertThat(resultSet.getString(1), equalToIgnoringCase("default"));
       assertThat(resultSet.getString(2), equalToIgnoringCase("t1"));
       assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition
-      assertThat(resultSet.getString(4), equalToIgnoringCase("c1"));//column
+      assertThat(resultSet.getString(4), equalToIgnoringCase("[c1]"));//column
       assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName
       assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType
       assertThat(resultSet.getString(7), equalToIgnoringCase("select"));
@@ -1583,7 +1583,7 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration {
       assertThat(resultSet.getString(1), equalToIgnoringCase("default"));
       assertThat(resultSet.getString(2), equalToIgnoringCase("t2"));
       assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition
-      assertThat(resultSet.getString(4), equalToIgnoringCase("c2"));//column
+      assertThat(resultSet.getString(4), equalToIgnoringCase("[c2]"));//column
       assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName
       assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType
       assertThat(resultSet.getString(7), equalToIgnoringCase("select"));
@@ -1600,7 +1600,7 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration {
       assertThat(resultSet.getString(1), equalToIgnoringCase("default"));
       assertThat(resultSet.getString(2), equalToIgnoringCase("t3"));
       assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition
-      assertThat(resultSet.getString(4), equalToIgnoringCase("c1"));//column
+      assertThat(resultSet.getString(4), equalToIgnoringCase("[c1]"));//column
       assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName
       assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType
       assertThat(resultSet.getString(7), equalToIgnoringCase("select"));
@@ -1617,7 +1617,7 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration {
       assertThat(resultSet.getString(1), equalToIgnoringCase("default"));
       assertThat(resultSet.getString(2), equalToIgnoringCase("t3"));
       assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition
-      assertThat(resultSet.getString(4), equalToIgnoringCase("c2"));//column
+      assertThat(resultSet.getString(4), equalToIgnoringCase("[c2]"));//column
       assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName
       assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType
       assertThat(resultSet.getString(7), equalToIgnoringCase("select"));
@@ -1634,7 +1634,7 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration {
       assertThat(resultSet.getString(1), equalToIgnoringCase("default"));
       assertThat(resultSet.getString(2), equalToIgnoringCase("t4"));
       assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition
-      assertThat(resultSet.getString(4), equalToIgnoringCase("c1"));//column
+      assertThat(resultSet.getString(4), equalToIgnoringCase("[c1]"));//column
       assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName
       assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType
       assertThat(resultSet.getString(7), equalToIgnoringCase("select"));
@@ -1651,7 +1651,7 @@ public class TestDatabaseProvider extends AbstractTestWithStaticConfiguration {
       assertThat(resultSet.getString(1), equalToIgnoringCase("default"));
       assertThat(resultSet.getString(2), equalToIgnoringCase("t4"));
       assertThat(resultSet.getString(3), equalToIgnoringCase(""));//partition
-      assertThat(resultSet.getString(4), equalToIgnoringCase("c2"));//column
+      assertThat(resultSet.getString(4), equalToIgnoringCase("[c2]"));//column
       assertThat(resultSet.getString(5), equalToIgnoringCase("role1"));//principalName
       assertThat(resultSet.getString(6), equalToIgnoringCase("role"));//principalType
       assertThat(resultSet.getString(7), equalToIgnoringCase("select"));

http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
index 27cfba9..3c96d55 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hdfs/TestHDFSIntegrationBase.java
@@ -564,7 +564,7 @@ public abstract class TestHDFSIntegrationBase {
         hiveConf.set("datanucleus.autoStartMechanism", "SchemaTable");
         hiveConf.set("datanucleus.schema.autoCreateTables", "true");
 
-        hiveConf.set(ConfVars.HIVE_AUTHORIZATION_ENABLED.varname, "false");
+        hiveConf.set(ConfVars.HIVE_AUTHORIZATION_ENABLED.varname, "true");
         hiveConf.set(ConfVars.HIVE_AUTHORIZATION_MANAGER.varname, SentryHiveAuthorizerFactory.class.getName());
         hiveConf.set(ConfVars.HIVE_CBO_ENABLED.varname, "false");
         hiveConf.set(ConfVars.METASTORE_DISALLOW_INCOMPATIBLE_COL_TYPE_CHANGES.varname, "false");

http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java
index 35cb2bb..64c6394 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/hive/hiveserver/HiveServerFactory.java
@@ -182,7 +182,7 @@ public class HiveServerFactory {
       properties.put(ConfVars.METASTORESERVERMINTHREADS.varname, "5");
     }
 
-    properties.put(ConfVars.HIVE_AUTHORIZATION_ENABLED.varname, "false");
+    properties.put(ConfVars.HIVE_AUTHORIZATION_ENABLED.varname, "true");
     properties.put(ConfVars.HIVE_AUTHORIZATION_MANAGER.varname, SentryHiveAuthorizerFactory.class.getName());
 
     // CBO has a bug on Hive 2.0.0 with VIEWS because ReadIdentity objects are sent without
@@ -197,6 +197,10 @@ public class HiveServerFactory {
     // HS2 is configured for concurrency
     properties.put(ConfVars.HIVE_IN_TEST.varname, "true");
 
+    // This configuration is used by SentryHiveAuthorizerFactory to change the client type
+    // to HIVESERVER2 if we're using the authorization V2 in test mode.
+    properties.put(ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE.varname, "true");
+
     if (!properties.containsKey(METASTORE_BYPASS)) {
       properties.put(METASTORE_BYPASS, "hive,impala," + System.getProperty("user.name", ""));
     } else {

http://git-wip-us.apache.org/repos/asf/sentry/blob/e901041d/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java
----------------------------------------------------------------------
diff --git a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java
index 5cd69e1..7f53527 100644
--- a/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java
+++ b/sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/metastore/TestMetastoreEndToEnd.java
@@ -48,7 +48,7 @@ import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
 import com.google.common.io.Resources;
 
-public class TestMetastoreEndToEnd extends
+public class  TestMetastoreEndToEnd extends
     AbstractMetastoreTestWithStaticConfiguration {
 
   private PolicyFile policyFile;


Mime
View raw message