sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sp...@apache.org
Subject [30/86] sentry git commit: Revert "SENTRY-2208: Refactor out Sentry service into own module from sentry-provider-db (Anthony Young-Garner, reviewed by Sergio Pena, Steve Moist, Na Li)"
Date Thu, 31 May 2018 03:32:08 GMT
http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestNotificationHandlerInvoker.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestNotificationHandlerInvoker.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestNotificationHandlerInvoker.java
new file mode 100644
index 0000000..92f3f8b
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestNotificationHandlerInvoker.java
@@ -0,0 +1,102 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.service.thrift;
+
+import org.apache.hadoop.conf.Configuration;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+import com.google.common.collect.Lists;
+
+public class TestNotificationHandlerInvoker {
+
+  private Configuration conf;
+  private NotificationHandler handler;
+  private NotificationHandlerInvoker invoker;
+
+  @Before
+  public void setup() throws Exception {
+    conf = new Configuration(false);
+    handler = Mockito.spy(new NotificationHandler(conf) {});
+    invoker = new NotificationHandlerInvoker(conf,
+        Lists.newArrayList(new ThrowingNotificationHandler(conf), handler));
+  }
+
+  @Test
+  public void testCreateSentryRole() throws Exception {
+    TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
+    TCreateSentryRoleResponse response = new TCreateSentryRoleResponse();
+    invoker.create_sentry_role(request, response);
+    Mockito.verify(handler).create_sentry_role(request, response);
+  }
+
+  @Test
+  public void testDropSentryRole() throws Exception {
+    TDropSentryRoleRequest request = new TDropSentryRoleRequest();
+    TDropSentryRoleResponse response = new TDropSentryRoleResponse();
+    invoker.drop_sentry_role(request, response);
+    Mockito.verify(handler).drop_sentry_role(request, response);
+  }
+
+
+
+  @Test
+  public void testAlterSentryRoleAddGroups() throws Exception {
+    TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest();
+    TAlterSentryRoleAddGroupsResponse response = new TAlterSentryRoleAddGroupsResponse();
+    invoker.alter_sentry_role_add_groups(request, response);
+    Mockito.verify(handler).alter_sentry_role_add_groups(request, response);
+  }
+
+  @Test
+  public void testAlterSentryRoleDeleteGroups() throws Exception {
+    TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest();
+    TAlterSentryRoleDeleteGroupsResponse response = new TAlterSentryRoleDeleteGroupsResponse();
+    invoker.alter_sentry_role_delete_groups(request, response);
+    Mockito.verify(handler).alter_sentry_role_delete_groups(request, response);
+  }
+
+  public static class ThrowingNotificationHandler extends NotificationHandler {
+    public ThrowingNotificationHandler(Configuration config) throws Exception {
+      super(config);
+    }
+    @Override
+    public void create_sentry_role(TCreateSentryRoleRequest request,
+                                   TCreateSentryRoleResponse response) {
+      throw new RuntimeException();
+    }
+    public void drop_sentry_role(TDropSentryRoleRequest request,
+                                 TDropSentryRoleResponse response) {
+      throw new RuntimeException();
+    }
+    @Override
+    public void alter_sentry_role_add_groups(
+            TAlterSentryRoleAddGroupsRequest request,
+            TAlterSentryRoleAddGroupsResponse response) {
+      throw new RuntimeException();
+    }
+    @Override
+    public void alter_sentry_role_delete_groups(
+      TAlterSentryRoleDeleteGroupsRequest request,
+      TAlterSentryRoleDeleteGroupsResponse response) {
+      throw new RuntimeException();
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyServiceClient.java
new file mode 100644
index 0000000..e845936
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyServiceClient.java
@@ -0,0 +1,64 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.service.thrift;
+
+import java.util.Set;
+
+import org.apache.sentry.service.thrift.SentryServiceFactory;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+
+public class TestSentryPolicyServiceClient extends SentryServiceIntegrationBase {
+
+  @BeforeClass
+  public static void setup() throws Exception {
+    beforeSetup();
+    setupConf();
+    startSentryService();
+    afterSetup();
+    kerberos = false;
+  }
+
+  @Test
+  public void testConnectionWhenReconnect() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        String requestorUserName = ADMIN_USER;
+        Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+        String roleName = "admin_r";
+        setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+        writePolicyFile();
+
+        client.dropRoleIfExists(requestorUserName, roleName);
+        client.createRole(requestorUserName, roleName);
+        client.listAllRoles(requestorUserName);
+        stopSentryService();
+        server = SentryServiceFactory.create(conf);
+        startSentryService();
+        client.listAllRoles(requestorUserName);
+        client.dropRole(requestorUserName, roleName);
+      }
+    });
+  }
+
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
new file mode 100644
index 0000000..efacf19
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
@@ -0,0 +1,81 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.api.service.thrift;
+
+import org.apache.sentry.api.common.ThriftConstants;
+import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
+import org.junit.Assert;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.exception.SentryThriftAPIMismatchException;
+import org.apache.sentry.core.common.utils.PolicyStoreConstants.PolicyStoreServerConfig;
+import org.junit.Before;
+import org.junit.Test;
+
+public class TestSentryPolicyStoreProcessor {
+
+  private Configuration conf;
+
+  @Before
+  public void setup() {
+    conf = new Configuration(false);
+  }
+  @Test(expected=SentrySiteConfigurationException.class)
+  public void testConfigNotNotificationHandler() throws Exception {
+    conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS, Object.class.getName());
+    SentryPolicyStoreProcessor.createHandlers(conf);
+  }
+  @Test(expected=SentrySiteConfigurationException.class)
+  public void testConfigCannotCreateNotificationHandler() throws Exception {
+    conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS,
+        ExceptionInConstructorNotificationHandler.class.getName());
+    SentryPolicyStoreProcessor.createHandlers(conf);
+  }
+  @Test(expected=SentrySiteConfigurationException.class)
+  public void testConfigNotAClassNotificationHandler() throws Exception {
+    conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS, "junk");
+    SentryPolicyStoreProcessor.createHandlers(conf);
+  }
+  @Test
+  public void testConfigMultipleNotificationHandlers() throws Exception {
+    conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS,
+        NoopNotificationHandler.class.getName() + "," +
+            NoopNotificationHandler.class.getName() + " " +
+            NoopNotificationHandler.class.getName());
+    Assert.assertEquals(3, SentryPolicyStoreProcessor.createHandlers(conf).size());
+  }
+  public static class ExceptionInConstructorNotificationHandler extends NotificationHandler {
+    public ExceptionInConstructorNotificationHandler(Configuration config) throws Exception {
+      super(config);
+      throw new Exception();
+    }
+  }
+  public static class NoopNotificationHandler extends NotificationHandler {
+    public NoopNotificationHandler(Configuration config) throws Exception {
+      super(config);
+    }
+  }
+  @Test(expected=SentryThriftAPIMismatchException.class)
+  public void testSentryThriftAPIMismatch() throws Exception {
+    SentryPolicyStoreProcessor.validateClientVersion(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT -1);
+  }
+  @Test
+  public void testSentryThriftAPIMatchVersion() throws Exception {
+    SentryPolicyStoreProcessor.validateClientVersion(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
+  }
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerForPoolWithoutKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerForPoolWithoutKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerForPoolWithoutKerberos.java
new file mode 100644
index 0000000..7330204
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerForPoolWithoutKerberos.java
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless createRequired by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.service.thrift;
+
+import org.junit.BeforeClass;
+
+public class TestSentryServerForPoolWithoutKerberos extends TestSentryServerWithoutKerberos {
+
+  @BeforeClass
+  public static void setup() throws Exception {
+    kerberos = false;
+    pooled = true;
+    beforeSetup();
+    setupConf();
+    startSentryService();
+    afterSetup();
+  }
+
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerLogLevel.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerLogLevel.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerLogLevel.java
new file mode 100644
index 0000000..6290fb7
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerLogLevel.java
@@ -0,0 +1,100 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.api.service.thrift;
+
+import org.apache.commons.io.IOUtils;
+import org.apache.log4j.LogManager;
+import org.apache.log4j.Logger;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.*;
+
+import java.net.HttpURLConnection;
+import java.net.URL;
+
+public class TestSentryServerLogLevel extends SentryServiceIntegrationBase {
+  private final String CLASS_NAME = "org.eclipse.jetty.server.handler.ContextHandler";
+
+  @BeforeClass
+  public static void setup() throws Exception {
+    webServerEnabled = true;
+    webSecurity = false;
+    SentryServiceIntegrationBase.setup();
+  }
+
+  @Override
+  @Before
+  public void before() throws Exception {
+  }
+
+  @Override
+  @After
+  public void after() {
+  }
+
+  /**
+   * Get the log level for the specified class
+   * @param className: Name of class
+   * @return
+   *        Log level of the class
+   */
+  private String getLogLevel(String className) {
+    Logger logInstance = LogManager.getLogger(className);
+    return logInstance.getEffectiveLevel().toString();
+  }
+
+  /**
+   * Send log level and class name via the HTTP interface and verify that it is set at the loogger.
+   * @throws Exception
+   */
+  @Test
+  public void testSetLogLevel() throws Exception {
+    final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/admin/logLevel?log="
+            + CLASS_NAME + "&level=INFO");
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+    String response = IOUtils.toString(conn.getInputStream());
+    Assert.assertTrue(response.contains("INFO"));
+    Assert.assertEquals("INFO", getLogLevel(CLASS_NAME));
+  }
+
+  /**
+   * Send class name via the HTTP interface and verify that it is get at the loogger.
+   * @throws Exception
+   */
+  @Test
+  public void testGetLogLevel() throws Exception {
+    final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/admin/logLevel?log=" + CLASS_NAME);
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+    String response = IOUtils.toString(conn.getInputStream());
+    Assert.assertTrue(response.contains("INFO"));
+    Assert.assertEquals("INFO", getLogLevel(CLASS_NAME));
+  }
+
+  /**
+   * Send class name and invalid log level via the HTTP interface and verify that it returns error response.
+   * @throws Exception
+   */
+  @Test
+  public void testInvalidLogLevel() throws Exception {
+    final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/admin/logLevel?log="
+            + CLASS_NAME + "&level=ABCD");
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    Assert.assertEquals(HttpURLConnection.HTTP_BAD_REQUEST, conn.getResponseCode());
+  }
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerPubSub.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerPubSub.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerPubSub.java
new file mode 100644
index 0000000..716109f
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerPubSub.java
@@ -0,0 +1,181 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.api.service.thrift;
+
+import org.apache.sentry.core.common.utils.PubSub;
+import org.apache.sentry.core.common.utils.PubSub.Topic;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+
+import org.junit.*;
+
+import java.net.HttpURLConnection;
+import java.net.URL;
+
+public class TestSentryServerPubSub extends SentryServiceIntegrationBase {
+
+  private static final Topic[] topics = Topic.values();
+  private static final String[] messages = { "message1", "message2", "message3", "" };
+
+  private static volatile String REQUEST_URL;
+
+  private final TestSubscriber testSubscriber = new TestSubscriber();
+
+  private static final class TestSubscriber implements PubSub.Subscriber {
+    private volatile Topic topic;
+    private volatile String message;
+    private volatile int count;
+    @Override
+    public void onMessage(Topic topic, String message) {
+      this.topic = topic;
+      this.message = message;
+      this.count++;
+    }
+  }
+
+  @BeforeClass
+  public static void setup() throws Exception {
+    webServerEnabled = true;
+    webSecurity = false;
+    SentryServiceIntegrationBase.setup();
+    REQUEST_URL= "http://" + SERVER_HOST + ":" + webServerPort + "/admin/publishMessage?topic=%s&message=%s";
+  }
+
+  @Override
+  @Before
+  public void before() throws Exception {
+
+    // Subscribe  to all defined topics.
+    // After each successfull HTTP-GET, testSubscriber.onMessage()
+    // will be called and "topic" and "message" fields will be
+    // set according to HTTP-GET parameters.
+    testSubscriber.count = 0;
+    for (Topic topic : topics) {
+      PubSub.getInstance().subscribe(topic, testSubscriber);
+    }
+    Assert.assertEquals("Unexpected number of registered topics", topics.length, PubSub.getInstance().getTopics().size());
+  }
+
+  @Override
+  @After
+  public void after() {
+    // unsubscribe
+    for (Topic topic : topics) {
+      PubSub.getInstance().unsubscribe(topic, testSubscriber);
+    }
+    testSubscriber.count = 0;
+    Assert.assertTrue("Topics should have been removed after unsubscribe()", PubSub.getInstance().getTopics().isEmpty());
+  }
+
+  /**
+   * Successfully publish notifications
+   * @throws Exception
+   */
+  @Test
+  public void testPubSub() throws Exception {
+    int count = 0;
+    for (Topic topic : topics) {
+      for (String message : messages) {
+        URL url = new URL(String.format(REQUEST_URL, topic.getName(), message));
+        HttpURLConnection conn = null;
+        try {
+          conn = (HttpURLConnection) url.openConnection();
+          Assert.assertEquals("Unexpected response code", HttpURLConnection.HTTP_OK, conn.getResponseCode());
+        } finally {
+          safeClose(conn);
+        }
+        Assert.assertEquals("Unexpected topic", topic, testSubscriber.topic);
+        if (message.isEmpty()) {
+          Assert.assertEquals("Unexpected message", null, testSubscriber.message);
+        } else {
+          Assert.assertEquals("Unexpected message", message, testSubscriber.message);
+        }
+        Assert.assertEquals("Unexpected number of PubSub.onMessage() callbacks", ++count, testSubscriber.count);
+      }
+    }
+  }
+
+  /**
+   * Submit empty topic. It's ok, generates form page.
+   * @throws Exception
+   */
+  @Test
+  public void testPubSubEmptyTopic() throws Exception {
+    URL url = new URL(String.format(REQUEST_URL, "", "message"));
+    HttpURLConnection conn = null;
+    try {
+      conn = (HttpURLConnection) url.openConnection();
+      Assert.assertEquals("Unexpected response code", HttpURLConnection.HTTP_OK,  conn.getResponseCode());
+    } finally {
+      safeClose(conn);
+    }
+    Assert.assertEquals("Unexpected number of PubSub.onMessage() callbacks", 0, testSubscriber.count);
+  }
+
+  /**
+   * Submit invalid topic
+   * @throws Exception
+   */
+  @Test
+  public void testPubSubInvalidTopic() throws Exception {
+    String[] invalid_topics = { "invalid_topic_1", "invalid_topic_2", "invalid_topic_3" };
+    for (String topic : invalid_topics) {
+      URL url = new URL(String.format(REQUEST_URL, topic, "message"));
+      HttpURLConnection conn = null;
+      try {
+        conn = (HttpURLConnection) url.openConnection();
+        Assert.assertEquals("Unexpected response code", HttpURLConnection.HTTP_BAD_REQUEST,  conn.getResponseCode());
+      } finally {
+        safeClose(conn);
+      }
+      Assert.assertEquals("Unexpected number of PubSub.onMessage() callbacks", 0, testSubscriber.count);
+    }
+  }
+
+  /**
+   * Submit topic that has no subscribers.
+   * @throws Exception
+   */
+  @Test
+  public void testPubSubNonSubscribedTopic() throws Exception {
+    // At this point all valid Topic values have been subscribed to
+    // in before() method.
+    // Unsubscribe from one topic and then try publishing to it.
+    PubSub.getInstance().unsubscribe(Topic.HDFS_SYNC_HMS, testSubscriber);
+    Assert.assertEquals("Unexpected number of registered topics", topics.length-1, PubSub.getInstance().getTopics().size());
+
+    URL url = new URL(String.format(REQUEST_URL, Topic.HDFS_SYNC_HMS.getName(), "message"));
+    HttpURLConnection conn = null;
+    try {
+      conn = (HttpURLConnection) url.openConnection();
+      Assert.assertEquals("Unexpected response code", HttpURLConnection.HTTP_BAD_REQUEST,  conn.getResponseCode());
+    } finally {
+      safeClose(conn);
+    }
+    // re-subscribe, not to upset after() method which expects all topics to be subscribed to
+    PubSub.getInstance().subscribe(Topic.HDFS_SYNC_HMS, testSubscriber);
+  }
+
+  private static void safeClose(HttpURLConnection conn) {
+    if (conn != null) {
+      try {
+        conn.disconnect();
+      } catch (Exception ignore) {
+      }
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerWithoutKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerWithoutKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerWithoutKerberos.java
new file mode 100644
index 0000000..3deadab
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerWithoutKerberos.java
@@ -0,0 +1,214 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless createRequired by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.service.thrift;
+import static org.junit.Assert.assertEquals;
+
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.Set;
+
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.model.db.AccessConstants;
+import org.apache.sentry.core.model.db.Database;
+import org.apache.sentry.core.model.db.Server;
+import org.apache.sentry.core.model.db.Table;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
+
+public class TestSentryServerWithoutKerberos extends SentryServiceIntegrationBase {
+
+  @BeforeClass
+  public static void setup() throws Exception {
+    kerberos = false;
+    beforeSetup();
+    setupConf();
+    startSentryService();
+    afterSetup();
+  }
+
+  @Test
+  public void testCreateRole() throws Exception {
+    String requestorUserName = ADMIN_USER;
+    Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+    setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+    writePolicyFile();
+    String roleName = "admin_r";
+    client.dropRoleIfExists(requestorUserName, roleName);
+    client.createRole(requestorUserName, roleName);
+    client.dropRole(requestorUserName, roleName);
+  }
+
+  @Test
+  public void testQueryPushDown() throws Exception {
+    String requestorUserName = ADMIN_USER;
+    Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+    setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+    writePolicyFile();
+
+    String roleName1 = "admin_r1";
+    String roleName2 = "admin_r2";
+
+    String group1 = "g1";
+    String group2 = "g2";
+
+    client.dropRoleIfExists(requestorUserName, roleName1);
+    client.createRole(requestorUserName, roleName1);
+    client.grantRoleToGroup(requestorUserName, group1, roleName1);
+
+    client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table1", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName1, "server", "db1", "table2", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table3", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName1, "server", "db2", "table4", "ALL");
+
+    client.dropRoleIfExists(requestorUserName, roleName2);
+    client.createRole(requestorUserName, roleName2);
+    client.grantRoleToGroup(requestorUserName, group1, roleName2);
+    client.grantRoleToGroup(requestorUserName, group2, roleName2);
+
+    client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table1", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName2, "server", "db1", "table2", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table3", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName2, "server", "db2", "table4", "ALL");
+    client.grantTablePrivilege(requestorUserName, roleName2, "server", "db3", "table5", "ALL");
+
+    Set<TSentryPrivilege> listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, null);
+    assertEquals("Privilege not assigned to role2 !!", 5, listPrivilegesByRoleName.size());
+
+    listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, new ArrayList<Authorizable>());
+    assertEquals("Privilege not assigned to role2 !!", 5, listPrivilegesByRoleName.size());
+
+    listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1")));
+    assertEquals("Privilege not assigned to role2 !!", 2, listPrivilegesByRoleName.size());
+
+    listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db2"), new Table("table1")));
+    assertEquals("Privilege not assigned to role2 !!", 0, listPrivilegesByRoleName.size());
+
+    listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db1"), new Table("table1")));
+    assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size());
+
+    listPrivilegesByRoleName = client.listPrivilegesByRoleName(requestorUserName, roleName2, Lists.newArrayList(new Server("server"), new Database("db3")));
+    assertEquals("Privilege not assigned to role2 !!", 1, listPrivilegesByRoleName.size());
+
+    Set<String> listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, ActiveRoleSet.ALL, new Server("server"), new Database("db2"));
+    assertEquals("Privilege not correctly assigned to roles !!",
+        Sets.newHashSet("server=server->db=db2->table=table4->action=all", "server=server->db=db2->table=table3->action=all"),
+        listPrivilegesForProvider);
+
+    listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, ActiveRoleSet.ALL, new Server("server"), new Database("db3"));
+    assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=server->db=db3->table=table5->action=all"), listPrivilegesForProvider);
+
+    listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server"), new Database("db3"));
+    assertEquals("Privilege not correctly assigned to roles !!", Sets.newHashSet("server=+"), listPrivilegesForProvider);
+
+    listPrivilegesForProvider = client.listPrivilegesForProvider(Sets.newHashSet(group1, group2), null, new ActiveRoleSet(Sets.newHashSet(roleName1)), new Server("server1"));
+    assertEquals("Privilege not correctly assigned to roles !!", new HashSet<String>(), listPrivilegesForProvider);
+  }
+
+
+
+  /**
+   * Create role, add privileges and grant it to a group drop the role and
+   * verify the privileges are no longer visible recreate the role with same
+   * name and verify the privileges again.
+   * @throws Exception
+   */
+  @Test
+  public void testDropRole() throws Exception {
+    String requestorUserName = ADMIN_USER;
+    Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+    setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+    writePolicyFile();
+    String roleName = "admin_r";
+
+    // create role and add privileges
+    client.dropRoleIfExists(requestorUserName, roleName);
+    client.createRole(requestorUserName, roleName);
+    client.grantRoleToGroup(requestorUserName, ADMIN_GROUP, roleName);
+    client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
+    client.grantTablePrivilege(requestorUserName, roleName, "server1", "db3", "tab3", "ALL");
+    assertEquals(2, client.listPrivilegesForProvider(requestorUserGroupNames, null,
+            ActiveRoleSet.ALL).size());
+
+    // drop role and verify privileges
+    client.dropRole(requestorUserName, roleName);
+    assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
+            ActiveRoleSet.ALL).size());
+
+    // recreate the role
+    client.createRole(requestorUserName, roleName);
+    client.grantRoleToGroup(requestorUserName, ADMIN_GROUP, roleName);
+    assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
+            ActiveRoleSet.ALL).size());
+
+    // grant different privileges and verify
+    client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
+    assertEquals(1, client.listPrivilegesForProvider(requestorUserGroupNames, null,
+            ActiveRoleSet.ALL).size());
+    client.dropRole(requestorUserName, roleName);
+    assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
+            ActiveRoleSet.ALL).size());
+    assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, null,
+            ActiveRoleSet.ALL).size());
+  }
+
+  @Test
+  public void testDropRoleOnUser() throws Exception {
+    String requestorUserName = ADMIN_USER;
+    Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+    Set<String> requestorUserNames = Sets.newHashSet(ADMIN_USER);
+    setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+    writePolicyFile();
+    String roleName = "admin_r";
+
+    // create role and add privileges
+    client.dropRoleIfExists(requestorUserName, roleName);
+    client.createRole(requestorUserName, roleName);
+    client.grantRoleToUser(requestorUserName, ADMIN_USER, roleName);
+    client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
+    client.grantTablePrivilege(requestorUserName, roleName, "server1", "db3", "tab3", "ALL");
+    assertEquals(2, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
+            ActiveRoleSet.ALL).size());
+
+    // drop role and verify privileges
+    client.dropRole(requestorUserName, roleName);
+    assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
+            ActiveRoleSet.ALL).size());
+
+    // recreate the role
+    client.createRole(requestorUserName, roleName);
+    client.grantRoleToGroup(requestorUserName, ADMIN_GROUP, roleName);
+    assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
+            ActiveRoleSet.ALL).size());
+
+    // grant different privileges and verify
+    client.grantDatabasePrivilege(requestorUserName, roleName, "server1", "db2", AccessConstants.ALL);
+    assertEquals(1, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
+            ActiveRoleSet.ALL).size());
+    client.dropRole(requestorUserName, roleName);
+    assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
+            ActiveRoleSet.ALL).size());
+    assertEquals(0, client.listPrivilegesForProvider(requestorUserGroupNames, requestorUserNames,
+            ActiveRoleSet.ALL).size());
+  }
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceClientPool.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceClientPool.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceClientPool.java
new file mode 100644
index 0000000..6c88955
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceClientPool.java
@@ -0,0 +1,111 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.service.thrift;
+
+import static org.junit.Assert.assertTrue;
+
+import java.security.PrivilegedExceptionAction;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import java.util.concurrent.Callable;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+import java.util.concurrent.FutureTask;
+
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.service.thrift.SentryServiceFactory;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+
+public class TestSentryServiceClientPool extends SentryServiceIntegrationBase {
+
+  @Test
+  public void testConnectionWhenReconnect() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        String requestorUserName = ADMIN_USER;
+        Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+        String roleName = "admin_r";
+        setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+        writePolicyFile();
+
+        client.dropRoleIfExists(requestorUserName, roleName);
+        client.createRole(requestorUserName, roleName);
+        client.listAllRoles(requestorUserName);
+        stopSentryService();
+        server = SentryServiceFactory.create(conf);
+        startSentryService();
+        client.listAllRoles(requestorUserName);
+        client.dropRole(requestorUserName, roleName);
+      }
+    });
+  }
+
+  @Test
+  public void testConnectionWithMultipleRetries() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        List<Future<Boolean>> tasks = new ArrayList<Future<Boolean>>();
+        String requestorUserName = ADMIN_USER;
+        Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+        String roleName = "admin_r";
+        setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+        writePolicyFile();
+
+        client.dropRoleIfExists(requestorUserName, roleName);
+        client.createRole(requestorUserName, roleName);
+
+        ExecutorService executorService = Executors.newFixedThreadPool(20);
+
+        Callable<Boolean> func = new Callable<Boolean>() {
+          public Boolean call() throws Exception {
+            return clientUgi.doAs(new PrivilegedExceptionAction<Boolean>() {
+              @Override
+              public Boolean run() throws Exception {
+                try {
+                  client.listAllRoles(ADMIN_USER);
+                  return true;
+                } catch (SentryUserException sue) {
+                  return false;
+                }
+              }
+            });
+          }
+        };
+
+        for (int i = 0; i < 30; i++) {
+          FutureTask<Boolean> task = new FutureTask<Boolean>(func);
+          tasks.add(task);
+          executorService.submit(task);
+        }
+
+        for (Future<Boolean> task : tasks) {
+          Boolean result = task.get();
+          assertTrue("Some tasks are failed.", result);
+        }
+      }
+    });
+  }
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceFailureCase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceFailureCase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceFailureCase.java
new file mode 100644
index 0000000..fa67f27
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceFailureCase.java
@@ -0,0 +1,75 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.service.thrift;
+
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.apache.sentry.service.common.ServiceConstants.ServerConfig;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.base.Strings;
+
+public class TestSentryServiceFailureCase extends SentryServiceIntegrationBase {
+  private static final Logger LOGGER = LoggerFactory.getLogger(TestSentryServiceFailureCase.class);
+  private static final String PEER_CALLBACK_FAILURE = "Peer indicated failure: Problem with callback handler";
+
+  @BeforeClass
+  public static void setup() throws Exception {
+    kerberos = true;
+    beforeSetup();
+    setupConf();
+    conf.set(ServerConfig.ALLOW_CONNECT, "");
+    startSentryService();
+    afterSetup();
+  }
+
+  @Override
+  @Before
+  public void before() throws Exception {
+  }
+
+  @Override
+  @After
+  public void after() {
+  }
+
+  @Test
+  public void testClientServerConnectionFailure()  throws Exception {
+    try {
+      connectToSentryService();
+      String requestorUserName = ADMIN_USER;
+      client.listAllRoles(requestorUserName);
+      Assert.fail("Failed to receive Exception");
+    } catch(Exception e) {
+      LOGGER.info("Excepted exception", e);
+      Throwable cause = e.getCause();
+      if (cause == null) {
+        throw e;
+      }
+      String msg = "Exception message: " + cause.getMessage();
+      Assert.assertTrue(msg, Strings.nullToEmpty(cause.getMessage())
+          .contains(PEER_CALLBACK_FAILURE));
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceForPoolWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceForPoolWithKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceForPoolWithKerberos.java
new file mode 100644
index 0000000..aa156f2
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceForPoolWithKerberos.java
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless createRequired by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.service.thrift;
+
+import org.junit.BeforeClass;
+
+public class TestSentryServiceForPoolWithKerberos extends TestSentryServiceWithKerberos {
+
+  @BeforeClass
+  public static void setup() throws Exception {
+    kerberos = true;
+    pooled = true;
+    beforeSetup();
+    setupConf();
+    startSentryService();
+    afterSetup();
+  }
+
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/sentry/blob/9351d19d/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceImportExport.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceImportExport.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceImportExport.java
new file mode 100644
index 0000000..cf1fdab
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServiceImportExport.java
@@ -0,0 +1,751 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.service.thrift;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.sentry.core.common.utils.SentryConstants;
+import org.apache.sentry.core.common.utils.PolicyFileConstants;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
+
+public class TestSentryServiceImportExport extends SentryServiceIntegrationBase {
+
+  // define the privileges
+  public static String PRIVILIEGE1 = "server=server1";
+  public static String PRIVILIEGE2 = "server=server1->action=select->grantoption=false";
+  public static String PRIVILIEGE3 = "server=server1->db=db2->action=insert->grantoption=true";
+  public static String PRIVILIEGE4 = "server=server1->db=db1->table=tbl1->action=insert";
+  public static String PRIVILIEGE5 = "server=server1->db=db1->table=tbl2->column=col1->action=insert";
+  public static String PRIVILIEGE6 = "server=server1->db=db1->table=tbl3->column=col1->action=*->grantoption=true";
+  public static String PRIVILIEGE7 = "server=server1->db=db1->table=tbl4->column=col1->action=all->grantoption=true";
+  public static String PRIVILIEGE8 = "server=server1->uri=hdfs://testserver:9999/path2->action=insert";
+  public static String PRIVILIEGE9 = "server=server1->db=db2->table=tbl1->action=insert";
+
+  @BeforeClass
+  public static void setup() throws Exception {
+    kerberos = false;
+    setupConf();
+    startSentryService();
+  }
+
+  @Before
+  public void preparePolicyFile() throws Exception {
+    super.before();
+    String requestorUserName = ADMIN_USER;
+    Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+    setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+    writePolicyFile();
+  }
+
+  // Befor import, database is empty.
+  // The following information is imported:
+  // group1=role1,role2,role3
+  // group2=role1,role2,role3
+  // group3=role1,role2,role3
+  // role1=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
+  // role2=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
+  // role3=privilege1,privilege2,privilege3,privilege4,privilege5,privilege6,privilege7,privilege8
+  // Both import API importPolicy and export API exportPoicy are tested.
+  @Test
+  public void testImportExportPolicy1() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap();
+        Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
+        Set<String> roles = Sets.newHashSet("role1", "role2", "role3");
+        groupRolesMap.put("group1", roles);
+        groupRolesMap.put("group2", roles);
+        groupRolesMap.put("group3", roles);
+        Map<String, Set<String>> rolePrivilegesMap = Maps.newHashMap();
+        for (String roleName : roles) {
+          rolePrivilegesMap.put(roleName, Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3,
+              PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+        }
+        policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap);
+        policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap);
+        client.importPolicy(policyFileMappingData, ADMIN_USER, false);
+
+        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
+        validateSentryMappingData(sentryMappingData,
+            policyFileMappingData);
+      }
+    });
+  }
+
+  // call import twice, and there has no duplicate data:
+  // The data for 1st import:
+  // group1=role1
+  // role1=privilege1,privilege2,privilege3,privilege4
+  // The data for 2nd import:
+  // group2=role2,role3
+  // group3=role2,role3
+  // role2=privilege5,privilege6,privilege7,privilege8
+  // role3=privilege5,privilege6,privilege7,privilege8
+  // Both import API importPolicy and export API exportPoicy are tested.
+  @Test
+  public void testImportExportPolicy2() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
+        Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
+        groupRolesMap1.put("group1", Sets.newHashSet("role1"));
+        Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+        rolePrivilegesMap1.put("role1",
+            Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4));
+        policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
+        policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+        client.importPolicy(policyFileMappingData1, ADMIN_USER, false);
+
+        Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
+        Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
+        groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
+        groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
+        Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
+        rolePrivilegesMap2.put("role2",
+            Sets.newHashSet(PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+        rolePrivilegesMap2.put("role3",
+            Sets.newHashSet(PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+        policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
+        policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
+        client.importPolicy(policyFileMappingData2, ADMIN_USER, false);
+
+        Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
+        // for exceptedMappingData, combine policyFileMappingData1 and policyFileMappingData2
+        exceptedMappingData.put(PolicyFileConstants.GROUPS,
+            policyFileMappingData1.get(PolicyFileConstants.GROUPS));
+        exceptedMappingData.get(PolicyFileConstants.GROUPS).putAll(
+            policyFileMappingData2.get(PolicyFileConstants.GROUPS));
+        exceptedMappingData.put(PolicyFileConstants.ROLES,
+            policyFileMappingData1.get(PolicyFileConstants.ROLES));
+        exceptedMappingData.get(PolicyFileConstants.ROLES).putAll(
+            policyFileMappingData2.get(PolicyFileConstants.ROLES));
+
+        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
+        validateSentryMappingData(sentryMappingData, exceptedMappingData);
+      }
+    });
+  }
+
+  // Call import twice, and there has overlapping groups
+  // The data for 1st import:
+  // group1=role1, role2
+  // group2=role1, role2
+  // group3=role1, role2
+  // role1=privilege1,privilege2,privilege3,privilege4,privilege5
+  // role2=privilege1,privilege2,privilege3,privilege4,privilege5
+  // The data for 2nd import:
+  // group1=role2,role3
+  // group2=role2,role3
+  // group3=role2,role3
+  // role2=privilege4,privilege5,privilege6,privilege7,privilege8
+  // role3=privilege4,privilege5,privilege6,privilege7,privilege8
+  // Both import API importPolicy and export API exportPoicy are tested.
+  @Test
+  public void testImportExportPolicy3() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
+        Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
+        groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+        groupRolesMap1.put("group2", Sets.newHashSet("role1", "role2"));
+        groupRolesMap1.put("group3", Sets.newHashSet("role1", "role2"));
+        Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+        rolePrivilegesMap1.put("role1",
+            Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
+        rolePrivilegesMap1.put("role2",
+            Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
+        policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
+        policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+        client.importPolicy(policyFileMappingData1, ADMIN_USER, false);
+
+        Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
+        Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
+        groupRolesMap2.put("group1", Sets.newHashSet("role2", "role3"));
+        groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
+        groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
+        Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
+        rolePrivilegesMap2.put("role2",
+            Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+        rolePrivilegesMap2.put("role3",
+            Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+        policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
+        policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
+        client.importPolicy(policyFileMappingData2, ADMIN_USER, false);
+
+        Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
+        Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap();
+        exceptedRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
+        exceptedRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3"));
+        exceptedRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3"));
+        Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap();
+        exceptedPrivilegesMap.put("role1",
+            Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
+        exceptedPrivilegesMap.put("role2", Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3,
+            PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+        exceptedPrivilegesMap.put("role3",
+            Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+        exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
+        exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
+
+        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
+        validateSentryMappingData(sentryMappingData, exceptedMappingData);
+      }
+    });
+  }
+
+  // Only mapping data for [group,role] is imported:
+  // group1=role1,role2
+  @Test
+  public void testImportExportPolicy4() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap();
+        Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
+        Set<String> roles = Sets.newHashSet("role1", "role2");
+        groupRolesMap.put("group1", roles);
+        Map<String, Set<String>> rolePrivilegesMap = Maps.newHashMap();
+        policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap);
+        policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap);
+        client.importPolicy(policyFileMappingData, ADMIN_USER, false);
+
+        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
+        validateSentryMappingData(sentryMappingData,
+            policyFileMappingData);
+      }
+    });
+  }
+
+  // call import twice, and there has no duplicate data, the import will be with the overwrite mode:
+  // The data for 1st import:
+  // group1=role1
+  // role1=privilege1
+  // The data for 2nd import:
+  // group2=role2,role3
+  // group3=role2,role3
+  // role2=privilege2
+  // role3=privilege2
+  // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
+  // getPrivilegesList are tested.
+  @Test
+  public void testImportExportPolicy5() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
+        Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
+        groupRolesMap1.put("group1", Sets.newHashSet("role1"));
+        Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+        rolePrivilegesMap1.put("role1", Sets.newHashSet(PRIVILIEGE1));
+        policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
+        policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+        client.importPolicy(policyFileMappingData1, ADMIN_USER, true);
+
+        Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
+        Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
+        groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
+        groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
+        Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
+        rolePrivilegesMap2.put("role2", Sets.newHashSet(PRIVILIEGE2));
+        rolePrivilegesMap2.put("role3", Sets.newHashSet(PRIVILIEGE2));
+        policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
+        policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
+        client.importPolicy(policyFileMappingData2, ADMIN_USER, true);
+
+        Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
+        Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap();
+        exceptedRolesMap.put("group1", Sets.newHashSet("role1"));
+        exceptedRolesMap.put("group2", Sets.newHashSet("role2", "role3"));
+        exceptedRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+        Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap();
+        exceptedPrivilegesMap.put("role1", Sets.newHashSet(PRIVILIEGE1));
+        exceptedPrivilegesMap.put("role2", Sets.newHashSet(PRIVILIEGE2));
+        exceptedPrivilegesMap.put("role3", Sets.newHashSet(PRIVILIEGE2));
+        exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
+        exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
+
+        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
+        validateSentryMappingData(sentryMappingData, exceptedMappingData);
+      }
+    });
+  }
+
+  // call import twice, and there has data overlap, the import will be with the overwrite mode:
+  // The data for 1st import:
+  // group1=role1, role2
+  // group2=role1, role2
+  // group3=role1, role2
+  // role1=privilege1,privilege2,privilege3,privilege4,privilege5
+  // role2=privilege1,privilege2,privilege3,privilege4,privilege5
+  // The data for 2nd import:
+  // group1=role2,role3
+  // group2=role2,role3
+  // group3=role2,role3
+  // role2=privilege4,privilege5,privilege6,privilege7,privilege8
+  // role3=privilege4,privilege5,privilege6,privilege7,privilege8
+  // Both import API importSentryMetaData and export APIs getRolesMap, getGroupsMap,
+  // getPrivilegesList are tested.
+  @Test
+  public void testImportExportPolicy6() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
+        Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
+        groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+        groupRolesMap1.put("group2", Sets.newHashSet("role1", "role2"));
+        groupRolesMap1.put("group3", Sets.newHashSet("role1", "role2"));
+        Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+        rolePrivilegesMap1.put("role1",
+            Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
+        rolePrivilegesMap1.put("role2",
+            Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
+        policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
+        policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+        client.importPolicy(policyFileMappingData1, ADMIN_USER, true);
+
+        Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
+        Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
+        groupRolesMap2.put("group1", Sets.newHashSet("role2", "role3"));
+        groupRolesMap2.put("group2", Sets.newHashSet("role2", "role3"));
+        groupRolesMap2.put("group3", Sets.newHashSet("role2", "role3"));
+        Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
+        rolePrivilegesMap2.put("role2",
+            Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+        rolePrivilegesMap2.put("role3",
+            Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+        policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
+        policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
+        client.importPolicy(policyFileMappingData2, ADMIN_USER, true);
+
+        Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
+        Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap();
+        exceptedRolesMap.put("group1", Sets.newHashSet("role1", "role2", "role3"));
+        exceptedRolesMap.put("group2", Sets.newHashSet("role1", "role2", "role3"));
+        exceptedRolesMap.put("group3", Sets.newHashSet("role1", "role2", "role3"));
+        Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap();
+        exceptedPrivilegesMap.put("role1",
+            Sets.newHashSet(PRIVILIEGE1, PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5));
+        exceptedPrivilegesMap.put("role2",
+            Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+        exceptedPrivilegesMap.put("role3",
+            Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+        exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
+        exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
+
+        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
+        validateSentryMappingData(sentryMappingData, exceptedMappingData);
+      }
+    });
+  }
+
+  // test the import privileges with the action: All, *, select, insert
+  // All and * should replace the select and insert
+  // The data for import:
+  // group1=role1, role2
+  // role1=testPrivilege1,testPrivilege2,testPrivilege3,testPrivilege4
+  // role2=testPrivilege5, testPrivilege6,testPrivilege7,testPrivilege8
+  @Test
+  public void testImportExportPolicy7() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        String testPrivilege1 = "server=server1->db=db1->table=tbl1->action=select->grantoption=true";
+        String testPrivilege2 = "server=server1->db=db1->table=tbl1->action=insert->grantoption=false";
+        String testPrivilege3 = "server=server1->db=db1->table=tbl1->action=all->grantoption=true";
+        String testPrivilege4 = "server=server1->db=db1->table=tbl1->action=insert->grantoption=true";
+        String testPrivilege5 = "server=server1->db=db1->table=tbl2->action=select->grantoption=true";
+        String testPrivilege6 = "server=server1->db=db1->table=tbl2->action=insert->grantoption=false";
+        String testPrivilege7 = "server=server1->db=db1->table=tbl2->action=*->grantoption=true";
+        String testPrivilege8 = "server=server1->db=db1->table=tbl2->action=insert->grantoption=true";
+
+        Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
+        Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
+        groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+        Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+        rolePrivilegesMap1.put("role1",
+            Sets.newHashSet(testPrivilege1, testPrivilege2, testPrivilege3, testPrivilege4));
+        rolePrivilegesMap1.put("role2",
+            Sets.newHashSet(testPrivilege5, testPrivilege6, testPrivilege7, testPrivilege8));
+        policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
+        policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+        client.importPolicy(policyFileMappingData1, ADMIN_USER, true);
+
+        Map<String, Map<String, Set<String>>> exceptedMappingData = Maps.newHashMap();
+        Map<String, Set<String>> exceptedRolesMap = Maps.newHashMap();
+        exceptedRolesMap.put("group1", Sets.newHashSet("role1", "role2"));
+        Map<String, Set<String>> exceptedPrivilegesMap = Maps.newHashMap();
+        exceptedPrivilegesMap.put("role1", Sets.newHashSet(testPrivilege2, testPrivilege3));
+        exceptedPrivilegesMap.put("role2", Sets.newHashSet(testPrivilege6, testPrivilege7));
+        exceptedMappingData.put(PolicyFileConstants.GROUPS, exceptedRolesMap);
+        exceptedMappingData.put(PolicyFileConstants.ROLES, exceptedPrivilegesMap);
+
+        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
+        validateSentryMappingData(sentryMappingData, exceptedMappingData);
+      }
+    });
+  }
+
+  // Call import twice, and there has overlapping actions, all and * should replace the select and
+  // insert
+  // The data for 1st import:
+  // group1=role1, role2
+  // role1=privilege1(with select action),privilege2(with insert action)
+  // role2=privilege4(with select action),privilege5(with insert action)
+  // The data for 2nd import:
+  // group1=role1, role2
+  // role1=privilege3(with all action)
+  // role2=privilege6(with * action)
+  @Test
+  public void testImportExportPolicy8() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        String testPrivilege1 = "server=server1->db=db1->table=tbl1->action=select->grantoption=true";
+        String testPrivilege2 = "server=server1->db=db1->table=tbl1->action=insert->grantoption=true";
+        String testPrivilege3 = "server=server1->db=db1->table=tbl1->action=all->grantoption=true";
+        String testPrivilege4 = "server=server1->db=db1->table=tbl2->action=select->grantoption=true";
+        String testPrivilege5 = "server=server1->db=db1->table=tbl2->action=insert->grantoption=true";
+        String testPrivilege6 = "server=server1->db=db1->table=tbl2->action=*->grantoption=true";
+
+        Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
+        Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
+        groupRolesMap1.put("group1", Sets.newHashSet("role1", "role2"));
+        Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+        rolePrivilegesMap1.put("role1", Sets.newHashSet(testPrivilege1, testPrivilege2));
+        rolePrivilegesMap1.put("role2", Sets.newHashSet(testPrivilege4, testPrivilege5));
+        policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
+        policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+        client.importPolicy(policyFileMappingData1, ADMIN_USER, false);
+
+        Map<String, Map<String, Set<String>>> policyFileMappingData2 = Maps.newHashMap();
+        Map<String, Set<String>> groupRolesMap2 = Maps.newHashMap();
+        groupRolesMap2.put("group1", Sets.newHashSet("role1", "role2"));
+        Map<String, Set<String>> rolePrivilegesMap2 = Maps.newHashMap();
+        rolePrivilegesMap2.put("role1", Sets.newHashSet(testPrivilege3));
+        rolePrivilegesMap2.put("role2", Sets.newHashSet(testPrivilege6));
+        policyFileMappingData2.put(PolicyFileConstants.GROUPS, groupRolesMap2);
+        policyFileMappingData2.put(PolicyFileConstants.ROLES, rolePrivilegesMap2);
+        client.importPolicy(policyFileMappingData2, ADMIN_USER, false);
+
+        Map<String, Map<String, Set<String>>> exceptedMappingData = policyFileMappingData2;
+        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
+        // all and * should replace the select and insert
+        validateSentryMappingData(sentryMappingData, exceptedMappingData);
+      }
+    });
+  }
+
+  // test the user not in the admin group can't do the import/export
+  @Test
+  public void testImportExportPolicy9() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        Map<String, Map<String, Set<String>>> policyFileMappingData1 = Maps.newHashMap();
+        Map<String, Set<String>> groupRolesMap1 = Maps.newHashMap();
+        Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+        policyFileMappingData1.put(PolicyFileConstants.GROUPS, groupRolesMap1);
+        policyFileMappingData1.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+        try {
+          client.importPolicy(policyFileMappingData1, "no-admin-user", false);
+          fail("non-admin can't do the import.");
+        } catch (Exception e) {
+          // excepted exception
+        }
+
+        try {
+          client.exportPolicy("no-admin-user", null);
+          fail("non-admin can't do the export.");
+        } catch (Exception e) {
+          // excepted exception
+        }
+      }
+    });
+  }
+
+  // The following data is imported:
+  // group1=role1
+  // group2=role1,role2
+  // group3=role2,role3
+  // group4=role1,role2,role3
+  // role1=privilege3,privilege4,privilege9
+  // role2=privilege3,privilege4,privilege5,privilege6,privilege7
+  // role3=privilege4,privilege5,privilege6,privilege7,privilege8
+  // Export APIs getRoleNameTPrivilegesMap, getGroupNameRoleNamesMap are tested.
+  @Test
+  public void testExportPolicyWithSpecificObject() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        // import the test data
+        Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap();
+        Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
+        groupRolesMap.put("group1", Sets.newHashSet("role1"));
+        groupRolesMap.put("group2", Sets.newHashSet("role1", "role2"));
+        groupRolesMap.put("group3", Sets.newHashSet("role2", "role3"));
+        groupRolesMap.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+        Map<String, Set<String>> rolePrivilegesMap1 = Maps.newHashMap();
+        rolePrivilegesMap1.put("role1",
+            Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE9));
+        rolePrivilegesMap1.put("role2",
+            Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE5,
+            PRIVILIEGE6, PRIVILIEGE7));
+        rolePrivilegesMap1.put("role3",
+            Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE5, PRIVILIEGE6,
+            PRIVILIEGE7, PRIVILIEGE8));
+        policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap);
+        policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap1);
+        client.importPolicy(policyFileMappingData, ADMIN_USER, true);
+
+        // verify the rolePrivilegesMap and groupRolesMap with null objectPath
+        Map<String, Map<String, Set<String>>> expectedMappingData = Maps.newHashMap();
+        Map<String, Set<String>> expectedGroupRoles = Maps.newHashMap();
+        expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+        expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+        expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+        expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+        Map<String, Set<String>> expectedRolePrivileges = Maps.newHashMap();
+        expectedRolePrivileges.put("role1", Sets.newHashSet(
+            PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE9));
+        expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4,
+            PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
+        expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4,
+            PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+        expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+        expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+        Map<String, Map<String, Set<String>>> sentryMappingData = client.exportPolicy(ADMIN_USER, null);
+        validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+        // verify the rolePrivilegesMap and groupRolesMap with empty objectPath
+        expectedMappingData = Maps.newHashMap();
+        expectedGroupRoles = Maps.newHashMap();
+        expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+        expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+        expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+        expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+        expectedRolePrivileges = Maps.newHashMap();
+        expectedRolePrivileges.put("role1", Sets.newHashSet(
+            PRIVILIEGE3, PRIVILIEGE4, PRIVILIEGE9));
+        expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE4,
+            PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
+        expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4,
+            PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7, PRIVILIEGE8));
+        expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+        expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+        sentryMappingData = client.exportPolicy(ADMIN_USER, "");
+        validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+        // verify the rolePrivilegesMap and groupRolesMap for db=db1
+        expectedMappingData = Maps.newHashMap();
+        expectedGroupRoles = Maps.newHashMap();
+        expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+        expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+        expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+        expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+        expectedRolePrivileges = Maps.newHashMap();
+        expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE4));
+        expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE4,
+            PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
+        expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4,
+            PRIVILIEGE5, PRIVILIEGE6, PRIVILIEGE7));
+        expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+        expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+        sentryMappingData = client.exportPolicy(ADMIN_USER, "db=db1");
+        validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+        // verify the rolePrivilegesMap and groupRolesMap for db=db2
+        expectedMappingData = Maps.newHashMap();
+        expectedGroupRoles = Maps.newHashMap();
+        expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+        expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+        expectedGroupRoles.put("group3", Sets.newHashSet("role2"));
+        expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2"));
+        expectedRolePrivileges = Maps.newHashMap();
+        expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE3, PRIVILIEGE9));
+        expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE3));
+        expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+        expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+        sentryMappingData = client.exportPolicy(ADMIN_USER, "db=db2");
+        validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+        // verify the rolePrivilegesMap and groupRolesMap for db=db1->table=tbl1
+        expectedMappingData = Maps.newHashMap();
+        expectedGroupRoles = Maps.newHashMap();
+        expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+        expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+        expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+        expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+        expectedRolePrivileges = Maps.newHashMap();
+        expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE4));
+        expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE4));
+        expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4));
+        expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+        expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+        sentryMappingData = client.exportPolicy(ADMIN_USER, "db=db1->table=tbl1");
+        validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+        // verify the rolePrivilegesMap and groupRolesMap for db=db1->table=tbl2
+        expectedMappingData = Maps.newHashMap();
+        expectedGroupRoles = Maps.newHashMap();
+        expectedGroupRoles.put("group2", Sets.newHashSet("role2"));
+        expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+        expectedGroupRoles.put("group4", Sets.newHashSet("role2", "role3"));
+        expectedRolePrivileges = Maps.newHashMap();
+        expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE5));
+        expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE5));
+        expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+        expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+        sentryMappingData = client.exportPolicy(ADMIN_USER, "db=db1->table=tbl2");
+        validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+        // verify the rolePrivilegesMap and groupRolesMap for db=db1->table=tbl1
+        expectedMappingData = Maps.newHashMap();
+        expectedGroupRoles = Maps.newHashMap();
+        expectedGroupRoles.put("group1", Sets.newHashSet("role1"));
+        expectedGroupRoles.put("group2", Sets.newHashSet("role1", "role2"));
+        expectedGroupRoles.put("group3", Sets.newHashSet("role2", "role3"));
+        expectedGroupRoles.put("group4", Sets.newHashSet("role1", "role2", "role3"));
+        expectedRolePrivileges = Maps.newHashMap();
+        expectedRolePrivileges.put("role1", Sets.newHashSet(PRIVILIEGE4, PRIVILIEGE9));
+        expectedRolePrivileges.put("role2", Sets.newHashSet(PRIVILIEGE4));
+        expectedRolePrivileges.put("role3", Sets.newHashSet(PRIVILIEGE4));
+        expectedMappingData.put(PolicyFileConstants.GROUPS, expectedGroupRoles);
+        expectedMappingData.put(PolicyFileConstants.ROLES, expectedRolePrivileges);
+
+        sentryMappingData = client.exportPolicy(ADMIN_USER, "table=tbl1");
+        validateSentryMappingData(sentryMappingData, expectedMappingData);
+
+        // verify the invalid exportObject string
+        try {
+          client.exportPolicy(ADMIN_USER, "invalidString");
+          fail("RuntimeException should be thrown.");
+        } catch (RuntimeException sue) {
+          // excepted exception
+        }
+      }
+    });
+  }
+
+  // Befor import, database is empty.
+  // The following information is imported:
+  // group1=role1,role2,role3
+  // group2=role1,role2,role3
+  // user1=role1,role2,role3
+  // user2=role1,role2,role3
+  // role1=privilege1,privilege2,privilege3,privilege4
+  // role2=privilege1,privilege2,privilege3,privilege4
+  // role3=privilege1,privilege2,privilege3,privilege4
+  @Test
+  public void testImportExportPolicyWithUser() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        Map<String, Map<String, Set<String>>> policyFileMappingData = Maps.newHashMap();
+        Map<String, Set<String>> groupRolesMap = Maps.newHashMap();
+        Map<String, Set<String>> userRolesMap = Maps.newHashMap();
+        Set<String> roles = Sets.newHashSet("role1", "role2", "role3");
+        groupRolesMap.put("group1", roles);
+        groupRolesMap.put("group2", roles);
+        userRolesMap.put("user1", roles);
+        userRolesMap.put("user2", roles);
+        Map<String, Set<String>> rolePrivilegesMap = Maps.newHashMap();
+        for (String roleName : roles) {
+          rolePrivilegesMap.put(roleName, Sets.newHashSet(PRIVILIEGE1,
+              PRIVILIEGE2, PRIVILIEGE3, PRIVILIEGE4));
+        }
+        policyFileMappingData.put(PolicyFileConstants.USER_ROLES, userRolesMap);
+        policyFileMappingData.put(PolicyFileConstants.GROUPS, groupRolesMap);
+        policyFileMappingData.put(PolicyFileConstants.ROLES, rolePrivilegesMap);
+        client.importPolicy(policyFileMappingData, ADMIN_USER, false);
+
+        Map<String, Map<String, Set<String>>> sentryMappingData =
+            client.exportPolicy(ADMIN_USER, null);
+        // validate the [user, role] mapping
+        validateRolesMap(sentryMappingData.get(PolicyFileConstants.USER_ROLES),
+            policyFileMappingData.get(PolicyFileConstants.USER_ROLES));
+        validateSentryMappingData(sentryMappingData,
+            policyFileMappingData);
+      }
+    });
+  }
+
+  // verify the mapping data
+  public void validateSentryMappingData(
+      Map<String, Map<String, Set<String>>> actualMappingData,
+      Map<String, Map<String, Set<String>>> expectedMappingData) {
+    validateRolesMap(actualMappingData.get(PolicyFileConstants.GROUPS),
+        expectedMappingData.get(PolicyFileConstants.GROUPS));
+    validateRolePrivilegesMap(actualMappingData.get(PolicyFileConstants.ROLES),
+        expectedMappingData.get(PolicyFileConstants.ROLES));
+  }
+
+  // verify the mapping data for [group,role] and [user,role]
+  private void validateRolesMap(Map<String, Set<String>> actualMap,
+      Map<String, Set<String>> expectedMap) {
+    assertEquals(expectedMap.keySet().size(), actualMap.keySet().size());
+    for (String name : actualMap.keySet()) {
+      Set<String> actualRoles = actualMap.get(name);
+      Set<String> expectedRoles = expectedMap.get(name);
+      assertEquals(actualRoles.size(), expectedRoles.size());
+      assertTrue(actualRoles.equals(expectedRoles));
+    }
+  }
+
+  // verify the mapping data for [role,privilege]
+  private void validateRolePrivilegesMap(Map<String, Set<String>> actualMap,
+      Map<String, Set<String>> expectedMap) {
+    assertEquals(expectedMap.keySet().size(), actualMap.keySet().size());
+    for (String roleName : actualMap.keySet()) {
+      Set<String> actualPrivileges = actualMap.get(roleName);
+      Set<String> exceptedPrivileges = expectedMap.get(roleName);
+      assertEquals(exceptedPrivileges.size(), actualPrivileges.size());
+      for (String actualPrivilege : actualPrivileges) {
+        boolean isFound = exceptedPrivileges.contains(actualPrivilege);
+        if (!isFound) {
+          String withOptionPrivilege = SentryConstants.AUTHORIZABLE_JOINER.join(actualPrivilege,
+              SentryConstants.KV_JOINER.join(PolicyFileConstants.PRIVILEGE_GRANT_OPTION_NAME,
+                  "false"));
+          isFound = exceptedPrivileges.contains(withOptionPrivilege);
+        }
+        assertTrue(isFound);
+      }
+    }
+  }
+}


Mime
View raw message