sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sp...@apache.org
Subject [19/51] [abbrv] [partial] sentry git commit: SENTRY-2206: Refactor out sentry api from sentry-provider-db to own module (Steve Moist, reviewed by Sergio Pena)
Date Tue, 15 May 2018 21:44:37 GMT
http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/TestSentryGenericPolicyProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/TestSentryGenericPolicyProcessor.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/TestSentryGenericPolicyProcessor.java
new file mode 100644
index 0000000..4c207e9
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/TestSentryGenericPolicyProcessor.java
@@ -0,0 +1,364 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.api.generic.thrift;
+
+import static org.mockito.Matchers.any;
+import static org.mockito.Matchers.anyListOf;
+import static org.mockito.Matchers.anySetOf;
+import static org.mockito.Matchers.anyString;
+
+import java.util.*;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
+import org.apache.sentry.core.model.solr.Collection;
+import org.apache.sentry.core.model.solr.Field;
+import org.apache.sentry.core.model.solr.SolrConstants;
+import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
+import org.apache.sentry.core.common.exception.SentryGrantDeniedException;
+import org.apache.sentry.core.common.exception.SentryInvalidInputException;
+import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
+import org.apache.sentry.provider.common.GroupMappingService;
+import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject;
+import org.apache.sentry.provider.db.generic.service.persistent.SentryStoreLayer;
+import org.apache.sentry.provider.db.generic.service.persistent.PrivilegeObject.Builder;
+import org.apache.sentry.provider.db.service.model.MSentryGMPrivilege;
+import org.apache.sentry.provider.db.service.model.MSentryRole;
+import org.apache.sentry.core.common.utils.PolicyStoreConstants;
+import org.apache.sentry.service.common.ServiceConstants.ServerConfig;
+import org.apache.sentry.api.common.Status;
+import org.apache.sentry.service.thrift.TSentryResponseStatus;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+import com.google.common.collect.Sets;
+
+public class TestSentryGenericPolicyProcessor extends org.junit.Assert {
+  private static final String ADMIN_GROUP = "admin_group";
+  private static final String ADMIN_USER = "admin_user";
+  private static final String NOT_ADMIN_USER = "not_admin_user";
+  private static final String NOT_ADMIN_GROUP = "not_admin_group";
+  private static final String NO_GROUP_USER = "no_group_user";
+
+  private SentryStoreLayer mockStore = Mockito.mock(SentryStoreLayer.class);
+  private SentryGenericPolicyProcessor processor;
+
+  @Before
+  public void setup() throws Exception {
+    Configuration conf = new Configuration();
+    conf.set(ServerConfig.ADMIN_GROUPS, ADMIN_GROUP);
+    conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING, MockGroupMapping.class.getName());
+    processor =  new SentryGenericPolicyProcessor(conf, mockStore);
+  }
+
+  @Test
+  public void testNotAdminOperation() throws Exception {
+    String requestUser = NOT_ADMIN_USER;
+    Status validateStatus = Status.ACCESS_DENIED;
+    testOperation(requestUser, validateStatus);
+  }
+
+  private void testOperation(String requestUser, Status validateStatus) throws Exception {
+    TCreateSentryRoleRequest createrequest = new TCreateSentryRoleRequest();
+    createrequest.setRequestorUserName(requestUser);
+    createrequest.setRoleName("r1");
+    assertEquals(validateStatus, fromTSentryStatus(processor.create_sentry_role(createrequest).getStatus()));
+
+    TDropSentryRoleRequest dropRequest = new TDropSentryRoleRequest();
+    dropRequest.setRequestorUserName(requestUser);
+    dropRequest.setRoleName("r1");
+    assertEquals(validateStatus, fromTSentryStatus(processor.drop_sentry_role(dropRequest).getStatus()));
+
+    TAlterSentryRoleAddGroupsRequest addRequest = new TAlterSentryRoleAddGroupsRequest();
+    addRequest.setRequestorUserName(requestUser);
+    addRequest.setRoleName("r1");
+    addRequest.setGroups(Sets.newHashSet("g1"));
+    assertEquals(validateStatus, fromTSentryStatus(processor.alter_sentry_role_add_groups(addRequest).getStatus()));
+
+    TAlterSentryRoleDeleteGroupsRequest delRequest = new TAlterSentryRoleDeleteGroupsRequest();
+    delRequest.setRequestorUserName(requestUser);
+    delRequest.setRoleName("r1");
+    delRequest.setGroups(Sets.newHashSet("g1"));
+    assertEquals(validateStatus, fromTSentryStatus(processor.alter_sentry_role_delete_groups(delRequest).getStatus()));
+
+    TDropPrivilegesRequest dropPrivRequest = new TDropPrivilegesRequest();
+    dropPrivRequest.setRequestorUserName(requestUser);
+    dropPrivRequest.setPrivilege(new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test"));
+    assertEquals(validateStatus, fromTSentryStatus(processor.drop_sentry_privilege(dropPrivRequest).getStatus()));
+
+    TRenamePrivilegesRequest renameRequest = new TRenamePrivilegesRequest();
+    renameRequest.setRequestorUserName(requestUser);
+    assertEquals(validateStatus, fromTSentryStatus(processor.rename_sentry_privilege(renameRequest).getStatus()));
+  }
+
+  private Status fromTSentryStatus(TSentryResponseStatus status) {
+    return Status.fromCode(status.getValue());
+  }
+
+  @Test
+  public void testAdminOperation() throws Exception {
+    testOperation(ADMIN_USER, Status.OK);
+  }
+
+  @Test
+  public void testGrantAndRevokePrivilege() throws Exception {
+    setup();
+
+    TSentryPrivilege tprivilege = new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test");
+    tprivilege.setGrantOption(TSentryGrantOption.UNSET);
+
+    TAlterSentryRoleGrantPrivilegeRequest grantRequest = new TAlterSentryRoleGrantPrivilegeRequest();
+    grantRequest.setRequestorUserName(ADMIN_USER);
+    grantRequest.setRoleName("r1");
+    grantRequest.setPrivilege(tprivilege);
+    assertEquals(Status.OK, fromTSentryStatus(processor.alter_sentry_role_grant_privilege(grantRequest).getStatus()));
+
+    TAlterSentryRoleRevokePrivilegeRequest revokeRequest = new TAlterSentryRoleRevokePrivilegeRequest();
+    revokeRequest.setRequestorUserName(ADMIN_USER);
+    revokeRequest.setRoleName("r1");
+    revokeRequest.setPrivilege(tprivilege);
+    assertEquals(Status.OK, fromTSentryStatus(processor.alter_sentry_role_revoke_privilege(revokeRequest).getStatus()));
+  }
+
+  @Test
+  public void testOperationWithException() throws Exception {
+    String roleName = anyString();
+    Mockito.when(mockStore.createRole(anyString(), roleName, anyString()))
+      .thenThrow(new SentryAlreadyExistsException("Role: " + roleName));
+
+    roleName = anyString();
+    Mockito.when(mockStore.dropRole(anyString(), roleName, anyString()))
+      .thenThrow(new SentryNoSuchObjectException("Role: " + roleName ));
+
+    roleName = anyString();
+    Mockito.when(mockStore.alterRoleAddGroups(anyString(), roleName, anySetOf(String.class),anyString()))
+      .thenThrow(new SentryNoSuchObjectException("Role: " + roleName));
+
+    roleName = anyString();
+    Mockito.when(mockStore.alterRoleDeleteGroups(anyString(), roleName, anySetOf(String.class), anyString()))
+      .thenThrow(new SentryNoSuchObjectException("Role: " + roleName));
+
+    roleName = anyString();
+    Mockito.when(mockStore.alterRoleGrantPrivilege(anyString(), roleName, any(PrivilegeObject.class), anyString()))
+    .thenThrow(new SentryGrantDeniedException("Role: " + roleName + " is not allowed to do grant"));
+
+    roleName = anyString();
+    Mockito.when(mockStore.alterRoleRevokePrivilege(anyString(), roleName, any(PrivilegeObject.class), anyString()))
+    .thenThrow(new SentryGrantDeniedException("Role: " + roleName + " is not allowed to do grant"));
+
+    Mockito.when(mockStore.dropPrivilege(anyString(), any(PrivilegeObject.class), anyString()))
+    .thenThrow(new SentryInvalidInputException("Invalid input privilege object"));
+
+    Mockito.when(mockStore.renamePrivilege(anyString(), anyString(), anyListOf(Authorizable.class),
+        anyListOf(Authorizable.class), anyString()))
+    .thenThrow(new RuntimeException("Unknown error"));
+
+    setup();
+
+    TCreateSentryRoleRequest createrequest = new TCreateSentryRoleRequest();
+    createrequest.setRequestorUserName(ADMIN_USER);
+    createrequest.setRoleName("r1");
+    assertEquals(Status.ALREADY_EXISTS, fromTSentryStatus(processor.create_sentry_role(createrequest).getStatus()));
+
+    TDropSentryRoleRequest dropRequest = new TDropSentryRoleRequest();
+    dropRequest.setRequestorUserName(ADMIN_USER);
+    dropRequest.setRoleName("r1");
+    assertEquals(Status.NO_SUCH_OBJECT, fromTSentryStatus(processor.drop_sentry_role(dropRequest).getStatus()));
+
+    TAlterSentryRoleAddGroupsRequest addRequest = new TAlterSentryRoleAddGroupsRequest();
+    addRequest.setRequestorUserName(ADMIN_USER);
+    addRequest.setRoleName("r1");
+    addRequest.setGroups(Sets.newHashSet("g1"));
+    assertEquals(Status.NO_SUCH_OBJECT, fromTSentryStatus(processor.alter_sentry_role_add_groups(addRequest).getStatus()));
+
+    TAlterSentryRoleDeleteGroupsRequest delRequest = new TAlterSentryRoleDeleteGroupsRequest();
+    delRequest.setRequestorUserName(ADMIN_USER);
+    delRequest.setRoleName("r1");
+    delRequest.setGroups(Sets.newHashSet("g1"));
+    assertEquals(Status.NO_SUCH_OBJECT, fromTSentryStatus(processor.alter_sentry_role_delete_groups(delRequest).getStatus()));
+
+    TDropPrivilegesRequest dropPrivRequest = new TDropPrivilegesRequest();
+    dropPrivRequest.setRequestorUserName(ADMIN_USER);
+    dropPrivRequest.setPrivilege(new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test"));
+    assertEquals(Status.INVALID_INPUT, fromTSentryStatus(processor.drop_sentry_privilege(dropPrivRequest).getStatus()));
+
+    TRenamePrivilegesRequest renameRequest = new TRenamePrivilegesRequest();
+    renameRequest.setRequestorUserName(ADMIN_USER);
+    assertEquals(Status.RUNTIME_ERROR, fromTSentryStatus(processor.rename_sentry_privilege(renameRequest).getStatus()));
+
+    TSentryPrivilege tprivilege = new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test");
+    tprivilege.setGrantOption(TSentryGrantOption.UNSET);
+
+    TAlterSentryRoleGrantPrivilegeRequest grantRequest = new TAlterSentryRoleGrantPrivilegeRequest();
+    grantRequest.setRequestorUserName(ADMIN_USER);
+    grantRequest.setRoleName("r1");
+    grantRequest.setPrivilege(tprivilege);
+    assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.alter_sentry_role_grant_privilege(grantRequest).getStatus()));
+
+    TAlterSentryRoleRevokePrivilegeRequest revokeRequest = new TAlterSentryRoleRevokePrivilegeRequest();
+    revokeRequest.setRequestorUserName(ADMIN_USER);
+    revokeRequest.setRoleName("r1");
+    revokeRequest.setPrivilege(tprivilege);
+    assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.alter_sentry_role_revoke_privilege(revokeRequest).getStatus()));
+  }
+
+  @Test
+  public void testUserWithNoGroup() throws Exception {
+    setup();
+
+    TCreateSentryRoleRequest createrequest = new TCreateSentryRoleRequest();
+    createrequest.setRequestorUserName(NO_GROUP_USER);
+    createrequest.setRoleName("r1");
+    assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.create_sentry_role(createrequest).getStatus()));
+
+    TDropSentryRoleRequest dropRequest = new TDropSentryRoleRequest();
+    dropRequest.setRequestorUserName(NO_GROUP_USER);
+    dropRequest.setRoleName("r1");
+    assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.drop_sentry_role(dropRequest).getStatus()));
+
+    TAlterSentryRoleAddGroupsRequest addRequest = new TAlterSentryRoleAddGroupsRequest();
+    addRequest.setRequestorUserName(NO_GROUP_USER);
+    addRequest.setRoleName("r1");
+    addRequest.setGroups(Sets.newHashSet("g1"));
+    assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.alter_sentry_role_add_groups(addRequest).getStatus()));
+
+    TAlterSentryRoleDeleteGroupsRequest delRequest = new TAlterSentryRoleDeleteGroupsRequest();
+    delRequest.setRequestorUserName(NO_GROUP_USER);
+    delRequest.setRoleName("r1");
+    delRequest.setGroups(Sets.newHashSet("g1"));
+    assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.alter_sentry_role_delete_groups(delRequest).getStatus()));
+
+    TDropPrivilegesRequest dropPrivRequest = new TDropPrivilegesRequest();
+    dropPrivRequest.setRequestorUserName(NO_GROUP_USER);
+    dropPrivRequest.setPrivilege(new TSentryPrivilege("test", "test", new ArrayList<TAuthorizable>(), "test"));
+    assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.drop_sentry_privilege(dropPrivRequest).getStatus()));
+
+    TRenamePrivilegesRequest renameRequest = new TRenamePrivilegesRequest();
+    renameRequest.setRequestorUserName(NO_GROUP_USER);
+    assertEquals(Status.ACCESS_DENIED, fromTSentryStatus(processor.rename_sentry_privilege(renameRequest).getStatus()));
+
+    // Can't test GrantPrivilege / RevokePrivilege since the authorization happens
+    // in the persistence layer, which isn't setup in this test.
+  }
+
+  @Test
+  public void testGetRolesAndPrivileges() throws Exception {
+    String roleName = "r1";
+    String groupName = "g1";
+    PrivilegeObject queryPrivilege = new Builder()
+                                   .setComponent("SOLR")
+                                   .setAction(SolrConstants.QUERY)
+                                   .setService("service1")
+                                   .setAuthorizables(Arrays.asList(new Collection("c1"), new Field("f1")))
+                                   .build();
+    PrivilegeObject updatePrivilege = new Builder(queryPrivilege)
+                                   .setAction(SolrConstants.UPDATE)
+                                   .build();
+
+    MSentryGMPrivilege mSentryGMPrivilege = new MSentryGMPrivilege("SOLR", "service1",
+    Arrays.asList(new Collection("c1"), new Field("f1")),
+    SolrConstants.QUERY, true);
+
+    MSentryRole role = new MSentryRole("r1", 290);
+    mSentryGMPrivilege.setRoles(Sets.newHashSet(role));
+
+    Mockito.when(mockStore.getRolesByGroups(anyString(), anySetOf(String.class)))
+    .thenReturn(Sets.newHashSet(roleName));
+
+    Mockito.when(mockStore.getPrivilegesByProvider(anyString(), anyString(), anySetOf(String.class),
+        anySetOf(String.class), anyListOf(Authorizable.class)))
+    .thenReturn(Sets.newHashSet(queryPrivilege, updatePrivilege));
+
+    Mockito.when(mockStore.getGroupsByRoles(anyString(), anySetOf(String.class)))
+    .thenReturn(Sets.newHashSet(groupName));
+
+    Mockito.when(mockStore.getPrivilegesByAuthorizable(anyString(), anyString(), anySetOf(String.class), anyListOf(Authorizable.class)))
+    .thenReturn(Sets.newHashSet(mSentryGMPrivilege));
+
+    Mockito.when(mockStore.getAllRoleNames())
+    .thenReturn(Sets.newHashSet(roleName));
+
+    TListSentryPrivilegesRequest request1 = new TListSentryPrivilegesRequest();
+    request1.setRoleName(roleName);
+    request1.setRequestorUserName(ADMIN_USER);
+    TListSentryPrivilegesResponse response1 = processor.list_sentry_privileges_by_role(request1);
+    assertEquals(Status.OK, fromTSentryStatus(response1.getStatus()));
+    assertEquals(2, response1.getPrivileges().size());
+
+    TListSentryRolesRequest request2 = new TListSentryRolesRequest();
+    request2.setRequestorUserName(ADMIN_USER);
+    request2.setGroupName(groupName);
+    TListSentryRolesResponse response2 = processor.list_sentry_roles_by_group(request2);
+    assertEquals(Status.OK, fromTSentryStatus(response2.getStatus()));
+    assertEquals(1, response2.getRoles().size());
+
+    TListSentryPrivilegesForProviderRequest request3 = new TListSentryPrivilegesForProviderRequest();
+    request3.setGroups(Sets.newHashSet(groupName));
+    request3.setRoleSet(new TSentryActiveRoleSet(true, null));
+    TListSentryPrivilegesForProviderResponse response3 = processor.list_sentry_privileges_for_provider(request3);
+    assertEquals(Status.OK, fromTSentryStatus(response3.getStatus()));
+    assertEquals(2, response3.getPrivileges().size());
+
+    // Optional parameters activeRoleSet and requested group name are both provided.
+    TListSentryPrivilegesByAuthRequest request4 = new TListSentryPrivilegesByAuthRequest();
+    request4.setGroups(Sets.newHashSet(groupName));
+    request4.setRoleSet(new TSentryActiveRoleSet(true, null));
+    request4.setRequestorUserName(ADMIN_USER);
+    Set<String> authorizablesSet = Sets.newHashSet("Collection=c1->Field=f1");
+    request4.setAuthorizablesSet(authorizablesSet);
+
+    TListSentryPrivilegesByAuthResponse response4 = processor.list_sentry_privileges_by_authorizable(request4);
+    assertEquals(Status.OK, fromTSentryStatus(response4.getStatus()));
+    assertEquals(1, response4.getPrivilegesMapByAuth().size());
+
+    // Optional parameters activeRoleSet and requested group name are both not provided.
+    TListSentryPrivilegesByAuthRequest request5 = new TListSentryPrivilegesByAuthRequest();
+    request5.setRequestorUserName("not_" + ADMIN_USER);
+    authorizablesSet = Sets.newHashSet("Collection=c1->Field=f2");
+    request5.setAuthorizablesSet(authorizablesSet);
+
+    TListSentryPrivilegesByAuthResponse response5 = processor.list_sentry_privileges_by_authorizable(request5);
+    assertEquals(Status.OK, fromTSentryStatus(response5.getStatus()));
+    assertEquals(1, response5.getPrivilegesMapByAuth().size());
+  }
+
+  @Test(expected=SentrySiteConfigurationException.class)
+  public void testConfigCannotCreateNotificationHandler() throws Exception {
+    Configuration conf = new Configuration();
+    conf.set(PolicyStoreConstants.SENTRY_GENERIC_POLICY_NOTIFICATION,"junk");
+    SentryGenericPolicyProcessor.createHandlers(conf);
+  }
+
+  public static class MockGroupMapping implements GroupMappingService {
+    public MockGroupMapping(Configuration conf, String resource) { //NOPMD
+    }
+    @Override
+    public Set<String> getGroups(String user) {
+      if (user.equalsIgnoreCase(ADMIN_USER)) {
+        return Sets.newHashSet(ADMIN_GROUP);
+      } else if (user.equalsIgnoreCase(NOT_ADMIN_USER)){
+        return Sets.newHashSet(NOT_ADMIN_GROUP);
+      } else {
+        return Collections.emptySet();
+      }
+    }
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/TestSentryGenericServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/TestSentryGenericServiceClient.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/TestSentryGenericServiceClient.java
new file mode 100644
index 0000000..2f72e88
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/TestSentryGenericServiceClient.java
@@ -0,0 +1,61 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.generic.thrift;
+
+import java.util.Set;
+
+import org.apache.sentry.service.thrift.SentryServiceFactory;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+
+public class TestSentryGenericServiceClient extends SentryGenericServiceIntegrationBase {
+
+  @BeforeClass
+  public static void setup() throws Exception {
+    beforeSetup();
+    setupConf();
+    startSentryService();
+    afterSetup();
+    kerberos = false;
+  }
+
+  @Test
+  public void testConnectionWhenReconnect() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        String requestorUserName = ADMIN_USER;
+        Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+        String roleName = "admin_r";
+        setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+        writePolicyFile();
+
+        client.dropRoleIfExists(requestorUserName, roleName, "solr");
+        client.createRole(requestorUserName, roleName, "solr");
+        stopSentryService();
+        server = SentryServiceFactory.create(conf);
+        startSentryService();
+        client.dropRole(requestorUserName, roleName, "solr");
+      }
+    });
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/TestSentryGenericServiceIntegration.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/TestSentryGenericServiceIntegration.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/TestSentryGenericServiceIntegration.java
new file mode 100644
index 0000000..8a3ce02
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/generic/thrift/TestSentryGenericServiceIntegration.java
@@ -0,0 +1,503 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.api.generic.thrift;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.sentry.core.common.exception.SentryUserException;
+import org.apache.sentry.core.common.ActiveRoleSet;
+import org.apache.sentry.core.common.Authorizable;
+import org.apache.sentry.core.model.solr.Collection;
+import org.apache.sentry.core.model.solr.Field;
+import org.apache.sentry.core.model.solr.SolrConstants;
+import org.junit.Test;
+
+import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
+
+public class TestSentryGenericServiceIntegration extends SentryGenericServiceIntegrationBase {
+
+  @Test
+  public void testCreateDropShowRole() throws Exception {
+    runTestAsSubject(new TestOperation(){
+      @Override
+      public void runTestAsSubject() throws Exception {
+        String requestorUserName = ADMIN_USER;
+        Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+        String roleName = "admin_r";
+        setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+        writePolicyFile();
+
+        client.dropRoleIfExists(requestorUserName, roleName, SOLR);
+
+        client.createRole(requestorUserName, roleName, SOLR);
+
+        client.grantRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(requestorUserGroupNames));
+
+        Set<TSentryRole> roles = client.listUserRoles(requestorUserName,SOLR);
+        assertEquals("Incorrect number of roles", 1, roles.size());
+        for (TSentryRole role:roles) {
+          assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
+        }
+        client.dropRole(requestorUserName, roleName, SOLR);
+      }});
+  }
+
+  @Test
+  public void testAddDeleteRoleToGroup() throws Exception {
+    runTestAsSubject(new TestOperation(){
+      @Override
+      public void runTestAsSubject() throws Exception {
+        String requestorUserName = ADMIN_USER;
+        Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+        String testGroupName = "g1";
+        String roleName = "admin_r";
+        setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+        setLocalGroupMapping(requestorUserName, Sets.newHashSet(testGroupName));
+        writePolicyFile();
+
+        client.dropRoleIfExists(requestorUserName, roleName, SOLR);
+
+        client.createRole(requestorUserName, roleName, SOLR);
+
+        client.grantRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(testGroupName));
+
+        Set<TSentryRole> roles = client.listUserRoles(requestorUserName,SOLR);
+        assertEquals("Incorrect number of roles", 1, roles.size());
+        for (TSentryRole role:roles) {
+          assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
+          assertTrue(role.getGroups().size() == 1);
+          for (String group :role.getGroups()) {
+            assertEquals(testGroupName, group);
+          }
+        }
+
+        client.revokeRoleFromGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(testGroupName));
+        roles = client.listUserRoles(requestorUserName,SOLR);
+        assertEquals("Incorrect number of roles", 0, roles.size());
+
+        client.dropRole(requestorUserName, roleName, SOLR);
+      }});
+  }
+
+  @Test
+  public void testGranRevokePrivilege() throws Exception {
+    runTestAsSubject(new TestOperation(){
+      @Override
+      public void runTestAsSubject() throws Exception {
+        String requestorUserName = ADMIN_USER;
+        Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+        setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+        writePolicyFile();
+        String roleName1 = "admin_r1";
+        String roleName2 = "admin_r2";
+
+        client.dropRoleIfExists(requestorUserName,  roleName1, SOLR);
+        client.createRole(requestorUserName,  roleName1, SOLR);
+
+        client.dropRoleIfExists(requestorUserName,  roleName2, SOLR);
+        client.createRole(requestorUserName,  roleName2, SOLR);
+
+        TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
+                                              fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+                                              SolrConstants.QUERY);
+
+        TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1",
+            fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+            SolrConstants.UPDATE);
+
+        client.grantPrivilege(requestorUserName, roleName1, SOLR, queryPrivilege);
+        client.grantPrivilege(requestorUserName, roleName2, SOLR, updatePrivilege);
+
+        client.revokePrivilege(requestorUserName, roleName1, SOLR, queryPrivilege);
+        client.revokePrivilege(requestorUserName, roleName2, SOLR, updatePrivilege);
+      }});
+  }
+
+  @Test
+  public void testMultipleRolesSamePrivilege() throws Exception {
+    runTestAsSubject(new TestOperation(){
+      @Override
+      public void runTestAsSubject() throws Exception {
+        String requestorUserName = ADMIN_USER;
+        Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+        setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+        writePolicyFile();
+        String roleName1 = "admin_r1";
+        String roleName2 = "admin_r2";
+
+        client.dropRoleIfExists(requestorUserName, roleName1, SOLR);
+        client.createRole(requestorUserName,  roleName1, SOLR);
+
+        client.dropRoleIfExists(requestorUserName,  roleName2, SOLR);
+        client.createRole(requestorUserName,  roleName2, SOLR);
+
+        TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
+            fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+            SolrConstants.QUERY);
+
+        client.grantPrivilege(requestorUserName, roleName1, SOLR, queryPrivilege);
+        Set<TSentryPrivilege> listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName1, SOLR, "service1");
+        assertTrue("Privilege not assigned to role1 !!", listPrivilegesByRoleName.size() == 1);
+
+        client.grantPrivilege(requestorUserName, roleName2, SOLR, queryPrivilege);
+        listPrivilegesByRoleName = client.listAllPrivilegesByRoleName(requestorUserName, roleName2, SOLR, "service1");
+        assertTrue("Privilege not assigned to role2 !!", listPrivilegesByRoleName.size() == 1);
+      }});
+  }
+
+  @Test
+  public void testShowRoleGrant() throws Exception {
+    runTestAsSubject(new TestOperation(){
+      @Override
+      public void runTestAsSubject() throws Exception {
+        String requestorUserName = ADMIN_USER;
+        Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+        String roleName = "admin_r1";
+        String groupName = "group1";
+        setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+        setLocalGroupMapping(requestorUserName, Sets.newHashSet(groupName));
+        writePolicyFile();
+
+        client.dropRoleIfExists(requestorUserName, roleName, SOLR);
+        client.createRole(requestorUserName, roleName, SOLR);
+        client.grantRoleToGroups(requestorUserName, roleName, SOLR, Sets.newHashSet(groupName));
+
+        Set<TSentryRole> groupRoles = client.listRolesByGroupName(requestorUserName, groupName,SOLR);
+        assertTrue(groupRoles.size() == 1);
+        for (TSentryRole role:groupRoles) {
+          assertTrue(role.getRoleName(), role.getRoleName().equalsIgnoreCase(roleName));
+          assertTrue(role.getGroups().size() == 1);
+          for (String group :role.getGroups()) {
+            assertEquals(groupName, group);
+          }
+        }
+
+        client.dropRole(requestorUserName, roleName, SOLR);
+      }});
+  }
+
+  @Test
+  public void testShowGrant() throws Exception {
+    runTestAsSubject(new TestOperation(){
+      @Override
+      public void runTestAsSubject() throws Exception {
+        String requestorUserName = ADMIN_USER;
+        Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+        String roleName = "admin_r1";
+        setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+        writePolicyFile();
+
+        client.dropRoleIfExists(requestorUserName, roleName, SOLR);
+        client.createRole(requestorUserName, roleName, SOLR);
+
+        TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
+            fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+            SolrConstants.QUERY);
+
+        TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1",
+            fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+            SolrConstants.UPDATE);
+
+        client.grantPrivilege(requestorUserName, roleName, SOLR, updatePrivilege);
+        client.grantPrivilege(requestorUserName, roleName, SOLR, queryPrivilege);
+        Set<TSentryPrivilege> privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName, SOLR, "service1");
+        assertTrue(privileges.size() == 2);
+
+        client.revokePrivilege(requestorUserName, roleName, SOLR, updatePrivilege);
+        privileges = client.listAllPrivilegesByRoleName(requestorUserName, roleName, SOLR, "service1");
+        assertTrue(privileges.size() == 1);
+      }});
+  }
+
+  @Test
+  public void testSameGrantTwice() throws Exception {
+    runTestAsSubject(new TestOperation(){
+      @Override
+      public void runTestAsSubject() throws Exception {
+        String requestorUserName = ADMIN_USER;
+        Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+        setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+        writePolicyFile();
+        String roleName = "admin_r1";
+
+        client.createRole(requestorUserName, roleName, SOLR);
+
+        TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
+            fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+            SolrConstants.QUERY);
+
+        client.grantPrivilege(requestorUserName, roleName, SOLR, queryPrivilege);
+        assertEquals(1, client.listAllPrivilegesByRoleName(requestorUserName, roleName, SOLR, "service1").size());
+      }});
+  }
+
+  @Test
+  public void testGrantRevokeWithGrantOption() throws Exception {
+    runTestAsSubject(new TestOperation(){
+      @Override
+      public void runTestAsSubject() throws Exception {
+        String adminUser = ADMIN_USER;
+        Set<String> adminGroup = Sets.newHashSet(ADMIN_GROUP);
+        String grantOptionUser = "user1";
+        Set<String> grantOptionGroup = Sets.newHashSet("group1");
+        String noGrantOptionUser = "user2";
+        Set<String> noGrantOptionGroup = Sets.newHashSet("group2");
+
+        setLocalGroupMapping(adminUser, adminGroup);
+        setLocalGroupMapping(grantOptionUser, grantOptionGroup);
+        setLocalGroupMapping(noGrantOptionUser, noGrantOptionGroup);
+        writePolicyFile();
+
+        String grantRole = "grant_r";
+        String noGrantRole = "no_grant_r";
+        String testRole = "test_role";
+
+        client.createRole(adminUser, grantRole, SOLR);
+        client.createRole(adminUser, noGrantRole, SOLR);
+        client.createRole(adminUser, testRole, SOLR);
+
+        TSentryPrivilege grantPrivilege = new TSentryPrivilege(SOLR, "service1",
+            fromAuthorizable(Arrays.asList(new Collection("c1"))),
+            SolrConstants.QUERY);
+        grantPrivilege.setGrantOption(TSentryGrantOption.TRUE);
+
+        TSentryPrivilege noGrantPrivilege = new TSentryPrivilege(SOLR, "service1",
+            fromAuthorizable(Arrays.asList(new Collection("c1"))),
+            SolrConstants.QUERY);
+        noGrantPrivilege.setGrantOption(TSentryGrantOption.FALSE);
+
+        TSentryPrivilege testPrivilege = new TSentryPrivilege(SOLR, "service1",
+            fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+            SolrConstants.QUERY);
+        testPrivilege.setGrantOption(TSentryGrantOption.FALSE);
+
+        client.grantPrivilege(adminUser, grantRole, SOLR, grantPrivilege);
+        client.grantPrivilege(adminUser, noGrantRole, SOLR, noGrantPrivilege);
+
+        client.grantRoleToGroups(adminUser, grantRole, SOLR, grantOptionGroup);
+        client.grantRoleToGroups(adminUser, noGrantRole, SOLR, noGrantOptionGroup);
+
+        try {
+          client.grantPrivilege(grantOptionUser,testRole,SOLR, testPrivilege);
+        } catch (SentryUserException e) {
+          fail("grantOptionUser failed grant privilege to user");
+        }
+
+        try {
+          client.grantPrivilege(noGrantOptionUser, testRole, SOLR, testPrivilege);
+          fail("noGrantOptionUser can't grant privilege to user");
+        } catch (SentryUserException e) {
+        }
+
+        try {
+          client.revokePrivilege(grantOptionUser, testRole, SOLR, testPrivilege);
+        } catch(SentryUserException e) {
+          fail("grantOptionUser failed revoke privilege to user");
+        }
+
+        try {
+          client.revokePrivilege(noGrantOptionUser, testRole, SOLR, testPrivilege);
+          fail("noGrantOptionUser can't revoke privilege to user");
+        } catch (SentryUserException e) {
+        }
+      }});
+  }
+
+  @Test
+  public void testGetPrivilegeByHierarchy() throws Exception {
+    runTestAsSubject(new TestOperation(){
+      @Override
+      public void runTestAsSubject() throws Exception {
+        String adminUser = ADMIN_USER;
+        Set<String> adminGroup = Sets.newHashSet(ADMIN_GROUP);
+        String testRole = "role1";
+        Set<String> testGroup = Sets.newHashSet("group1");
+        String testUser = "user1";
+        setLocalGroupMapping(adminUser, adminGroup);
+        setLocalGroupMapping(testUser, testGroup);
+        writePolicyFile();
+
+
+        client.createRole(adminUser, testRole, SOLR);
+        client.grantRoleToGroups(adminUser, testRole, SOLR, testGroup);
+
+        TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
+            fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+            SolrConstants.QUERY);
+
+        TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1",
+            fromAuthorizable(Arrays.asList(new Collection("c2"), new Field("f2"))),
+            SolrConstants.UPDATE);
+
+        client.grantPrivilege(adminUser, testRole, SOLR, queryPrivilege);
+        client.grantPrivilege(adminUser, testRole, SOLR, updatePrivilege);
+
+        assertEquals(2, client.listAllPrivilegesByRoleName(testUser, testRole, SOLR, "service1").size());
+
+        assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
+            SOLR, "service1", Arrays.asList(new Collection("c1"))).size());
+
+        assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
+            SOLR, "service1", Arrays.asList(new Collection("c2"))).size());
+
+        assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
+            SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1"))).size());
+
+        assertEquals(1, client.listPrivilegesByRoleName(testUser, testRole,
+            SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
+
+       //test listPrivilegesForProvider by group(testGroup)
+        ActiveRoleSet roleSet = ActiveRoleSet.ALL;
+
+        assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
+            testGroup, Arrays.asList(new Collection("c1"))).size());
+
+        assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
+            testGroup, Arrays.asList(new Collection("c2"))).size());
+
+        assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
+            testGroup, Arrays.asList(new Collection("c1"), new Field("f1"))).size());
+
+        assertEquals(1, client.listPrivilegesForProvider(SOLR, "service1", roleSet,
+            testGroup, Arrays.asList(new Collection("c2"), new Field("f2"))).size());
+      }});
+  }
+
+  @Test
+  public void testGetPrivilegeByAuthorizable() throws Exception {
+    runTestAsSubject(new TestOperation(){
+      @Override
+      public void runTestAsSubject() throws Exception {
+        String adminUser = ADMIN_USER;
+        Set<String> adminGroup = Sets.newHashSet(ADMIN_GROUP);
+        String testRole = "role1";
+        Set<String> testGroup = Sets.newHashSet("group1");
+        String testUser = "user1";
+        setLocalGroupMapping(adminUser, adminGroup);
+        setLocalGroupMapping(testUser, testGroup);
+        writePolicyFile();
+
+        client.createRole(adminUser, testRole, SOLR);
+        client.grantRoleToGroups(adminUser, testRole, SOLR, adminGroup);
+
+        TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
+        fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+        SolrConstants.QUERY);
+
+        TSentryPrivilege updatePrivilege = new TSentryPrivilege(SOLR, "service1",
+        fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f2"))),
+        SolrConstants.UPDATE);
+
+        client.grantPrivilege(adminUser, testRole, SOLR, queryPrivilege);
+        client.grantPrivilege(adminUser, testRole, SOLR, updatePrivilege);
+
+        //test listPrivilegesbyAuthorizable without requested group and active role set.
+        assertEquals(1, client.listPrivilegesbyAuthorizable(SOLR, "service1", adminUser,
+            Sets.newHashSet(new String("Collection=c1->Field=f1")), null, null).size());
+
+        //test listPrivilegesbyAuthorizable with requested group (testGroup)
+        Map<String, TSentryPrivilegeMap> privilegeMap = client.listPrivilegesbyAuthorizable(SOLR,
+            "service1", adminUser, Sets.newHashSet(new String("Collection=c1->Field=f1")), testGroup, null);
+        TSentryPrivilegeMap actualMap = privilegeMap.get(new String("Collection=c1->Field=f1"));
+        assertEquals(0, actualMap.getPrivilegeMap().size());
+
+        //test listPrivilegesbyAuthorizable with active role set.
+        ActiveRoleSet roleSet = ActiveRoleSet.ALL;
+        assertEquals(1, client.listPrivilegesbyAuthorizable(SOLR, "service1", adminUser,
+            Sets.newHashSet(new String("Collection=c1->Field=f1")), null, roleSet).size());
+        privilegeMap = client.listPrivilegesbyAuthorizable(SOLR,
+          "service1", adminUser, Sets.newHashSet(new String("Collection=c1->Field=f1")), null, roleSet);
+        actualMap = privilegeMap.get(new String("Collection=c1->Field=f1"));
+        assertEquals(1, actualMap.getPrivilegeMap().size());
+
+        privilegeMap = client.listPrivilegesbyAuthorizable(SOLR,
+            "service1", testUser, Sets.newHashSet(new String("Collection=c1->Field=f1")), null, roleSet);
+        actualMap = privilegeMap.get(new String("Collection=c1->Field=f1"));
+        assertEquals(0, actualMap.getPrivilegeMap().size());
+
+        // grant tesRole to testGroup.
+        client.grantRoleToGroups(adminUser, testRole, SOLR, testGroup);
+
+        privilegeMap = client.listPrivilegesbyAuthorizable(SOLR,
+            "service1", testUser, Sets.newHashSet(new String("Collection=c1")), null, roleSet);
+        actualMap = privilegeMap.get(new String("Collection=c1"));
+        assertEquals(1, actualMap.getPrivilegeMap().size());
+        assertEquals(2, actualMap.getPrivilegeMap().get(testRole).size());
+      }});
+  }
+
+  @Test
+  public void testDropAndRenamePrivilege() throws Exception {
+    runTestAsSubject(new TestOperation(){
+      @Override
+      public void runTestAsSubject() throws Exception {
+        String requestorUserName = ADMIN_USER;
+        Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+        setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+        writePolicyFile();
+        String roleName = "admin_r1";
+
+        client.createRole(requestorUserName, roleName, SOLR);
+
+        TSentryPrivilege queryPrivilege = new TSentryPrivilege(SOLR, "service1",
+            fromAuthorizable(Arrays.asList(new Collection("c1"), new Field("f1"))),
+            SolrConstants.QUERY);
+        client.grantPrivilege(requestorUserName, roleName, SOLR, queryPrivilege);
+
+        assertEquals(1, client.listPrivilegesByRoleName(requestorUserName, roleName,
+            SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1"))).size());
+
+        assertEquals(0, client.listPrivilegesByRoleName(requestorUserName, roleName,
+            SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
+
+        client.renamePrivilege(requestorUserName, SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1")),
+            Arrays.asList(new Collection("c2"), new Field("f2")));
+
+        assertEquals(0, client.listPrivilegesByRoleName(requestorUserName, roleName,
+            SOLR, "service1", Arrays.asList(new Collection("c1"), new Field("f1"))).size());
+
+        assertEquals(1, client.listPrivilegesByRoleName(requestorUserName, roleName,
+            SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
+
+        TSentryPrivilege dropPrivilege = new TSentryPrivilege(SOLR, "service1",
+            fromAuthorizable(Arrays.asList(new Collection("c2"), new Field("f2"))),
+            SolrConstants.QUERY);
+
+        client.dropPrivilege(requestorUserName, SOLR, dropPrivilege);
+
+        assertEquals(0, client.listPrivilegesByRoleName(requestorUserName, roleName,
+            SOLR, "service1", Arrays.asList(new Collection("c2"), new Field("f2"))).size());
+      }});
+  }
+
+  private List<TAuthorizable> fromAuthorizable(List<? extends Authorizable> authorizables) {
+    List<TAuthorizable> tAuthorizables = Lists.newArrayList();
+    for (Authorizable authorizable : authorizables) {
+      tAuthorizables.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName()));
+    }
+    return tAuthorizables;
+  }
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/SentryMiniKdcTestcase.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/SentryMiniKdcTestcase.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/SentryMiniKdcTestcase.java
new file mode 100644
index 0000000..fb5c9a0
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/SentryMiniKdcTestcase.java
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.service.thrift;
+
+import java.io.File;
+import java.util.Properties;
+
+import org.apache.hadoop.minikdc.MiniKdc;
+
+public class SentryMiniKdcTestcase {
+
+  private static File workDir;
+  private static Properties conf;
+  private static MiniKdc kdc;
+
+  public static void startMiniKdc(Properties confOverlay) throws Exception {
+    createTestDir();
+    createMiniKdcConf(confOverlay);
+    kdc = new MiniKdc(conf, workDir);
+    kdc.start();
+  }
+
+  private static void createMiniKdcConf(Properties confOverlay) {
+    conf = MiniKdc.createConf();
+    for ( Object property : confOverlay.keySet()) {
+      conf.put(property, confOverlay.get(property));
+    }
+  }
+
+  private static void createTestDir() {
+    workDir = new File(System.getProperty("test.dir", "target"));
+  }
+
+  public static void stopMiniKdc() {
+    if (kdc != null) {
+      kdc.stop();
+    }
+  }
+
+  public static MiniKdc getKdc() {
+    return kdc;
+  }
+
+  public static File getWorkDir() {
+    return workDir;
+  }
+
+  public Properties getConf() {
+    return conf;
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java
new file mode 100644
index 0000000..fb41241
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.java
@@ -0,0 +1,295 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.service.thrift;
+
+import static org.hamcrest.core.Is.is;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.log4j.Level;
+import org.apache.log4j.Logger;
+import org.apache.sentry.provider.db.log.appender.AuditLoggerTestAppender;
+import org.apache.sentry.provider.db.log.util.CommandUtil;
+import org.apache.sentry.provider.db.log.util.Constants;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.codehaus.jettison.json.JSONObject;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+
+public class TestAuthorizingDDLAuditLogWithKerberos extends SentryServiceIntegrationBase {
+
+  @BeforeClass
+  public static void setupLog4j() throws Exception {
+    Logger logger = Logger.getLogger("sentry.hive.authorization.ddl.logger");
+    AuditLoggerTestAppender testAppender = new AuditLoggerTestAppender();
+    logger.addAppender(testAppender);
+    logger.setLevel(Level.INFO);
+  }
+
+  @Test
+  public void testBasic() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        String requestorUserName = ADMIN_USER;
+        Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+        setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+        writePolicyFile();
+
+        String roleName = "testRole";
+        String errorRoleName = "errorRole";
+        String serverName = "server1";
+        String groupName = "testGroup";
+        String dbName = "dbTest";
+        String tableName = "tableTest";
+        Map<String, String> fieldValueMap = new HashMap<String, String>();
+
+        // for successful audit log
+      client.createRole(requestorUserName, roleName);
+      fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
+      fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
+        fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+        // for ip address, there is another logic to test the result
+      fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+      assertAuditLog(fieldValueMap);
+
+        client.grantRoleToGroup(requestorUserName, groupName, roleName);
+      fieldValueMap.clear();
+      fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE);
+        fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE " + roleName
+            + " TO GROUP " + groupName);
+        fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+      fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+      assertAuditLog(fieldValueMap);
+
+        client.grantDatabasePrivilege(requestorUserName, roleName, serverName, dbName, "ALL");
+      fieldValueMap.clear();
+      fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+      fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ALL ON DATABASE " + dbName
+            + " TO ROLE " + roleName);
+        fieldValueMap.put(Constants.LOG_FIELD_DATABASE_NAME, dbName);
+        fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+      fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+      assertAuditLog(fieldValueMap);
+
+        client.grantTablePrivilege(requestorUserName, roleName, serverName, dbName, tableName,
+            "SELECT", true);
+      fieldValueMap.clear();
+      fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+      fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT SELECT ON TABLE " + tableName
+            + " TO ROLE " + roleName + " WITH GRANT OPTION");
+        fieldValueMap.put(Constants.LOG_FIELD_TABLE_NAME, tableName);
+        fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+      fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+      assertAuditLog(fieldValueMap);
+
+        // for error audit log
+        try {
+          client.createRole(requestorUserName, roleName);
+          fail("Exception should have been thrown");
+        } catch (Exception e) {
+          fieldValueMap.clear();
+          fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_CREATE_ROLE);
+          fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "CREATE ROLE " + roleName);
+          fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+          fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+          assertAuditLog(fieldValueMap);
+        }
+        try {
+          client.grantRoleToGroup(requestorUserName, groupName, errorRoleName);
+          fail("Exception should have been thrown");
+        } catch (Exception e) {
+          fieldValueMap.clear();
+          fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_ADD_ROLE);
+          fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ROLE " + errorRoleName
+              + " TO GROUP " + groupName);
+          fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+          fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+          assertAuditLog(fieldValueMap);
+        }
+        try {
+          client
+              .grantDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName, "ALL");
+          fail("Exception should have been thrown");
+        } catch (Exception e) {
+          fieldValueMap.clear();
+          fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+          fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT ALL ON DATABASE " + dbName
+              + " TO ROLE " + errorRoleName);
+          fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+          fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+          assertAuditLog(fieldValueMap);
+        }
+        try {
+          client.grantDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName,
+              "INSERT");
+          fail("Exception should have been thrown");
+        } catch (Exception e) {
+          fieldValueMap.clear();
+          fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+          fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT INSERT ON DATABASE "
+              + dbName + " TO ROLE " + errorRoleName);
+          fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+          fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+          assertAuditLog(fieldValueMap);
+        }
+        try {
+          client.grantDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName,
+              "SELECT");
+          fail("Exception should have been thrown");
+        } catch (Exception e) {
+          fieldValueMap.clear();
+          fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+          fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT SELECT ON DATABASE "
+              + dbName + " TO ROLE " + errorRoleName);
+          fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+          fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+          assertAuditLog(fieldValueMap);
+        }
+        try {
+          client.grantTablePrivilege(requestorUserName, errorRoleName, serverName, dbName,
+              tableName, "SELECT");
+          fail("Exception should have been thrown");
+        } catch (Exception e) {
+          fieldValueMap.clear();
+          fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_GRANT_PRIVILEGE);
+          fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "GRANT SELECT ON TABLE "
+              + tableName + " TO ROLE " + errorRoleName);
+          fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+          fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+          assertAuditLog(fieldValueMap);
+        }
+
+        client.revokeTablePrivilege(requestorUserName, roleName, serverName, dbName, tableName,
+          "SELECT");
+      fieldValueMap.clear();
+      fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+      fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE SELECT ON TABLE " + tableName
+            + " FROM ROLE " + roleName);
+        fieldValueMap.put(Constants.LOG_FIELD_TABLE_NAME, tableName);
+        fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+      fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+      assertAuditLog(fieldValueMap);
+
+        client.revokeDatabasePrivilege(requestorUserName, roleName, serverName, dbName, "ALL");
+      fieldValueMap.clear();
+      fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+      fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ALL ON DATABASE " + dbName
+            + " FROM ROLE " + roleName);
+        fieldValueMap.put(Constants.LOG_FIELD_DATABASE_NAME, dbName);
+        fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+      fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+      assertAuditLog(fieldValueMap);
+
+        client.revokeRoleFromGroup(requestorUserName, groupName, roleName);
+      fieldValueMap.clear();
+      fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE);
+        fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ROLE " + roleName
+          + " FROM GROUP " + groupName);
+        fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+      fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+      assertAuditLog(fieldValueMap);
+
+        client.dropRole(requestorUserName, roleName);
+      fieldValueMap.clear();
+      fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
+        fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + roleName);
+        fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.TRUE);
+      fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+      assertAuditLog(fieldValueMap);
+
+        // for error audit log
+        try {
+          client.revokeTablePrivilege(requestorUserName, errorRoleName, serverName, dbName,
+              tableName, "SELECT");
+          fail("Exception should have been thrown");
+        } catch (Exception e) {
+          fieldValueMap.clear();
+          fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+          fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE SELECT ON TABLE "
+              + tableName + " FROM ROLE " + errorRoleName);
+          fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+          fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+          assertAuditLog(fieldValueMap);
+        }
+
+        try {
+          client.revokeDatabasePrivilege(requestorUserName, errorRoleName, serverName, dbName,
+              "ALL");
+          fail("Exception should have been thrown");
+        } catch (Exception e) {
+          fieldValueMap.clear();
+          fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_REVOKE_PRIVILEGE);
+          fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ALL ON DATABASE " + dbName
+              + " FROM ROLE " + errorRoleName);
+          fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+          fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+          assertAuditLog(fieldValueMap);
+        }
+
+        try {
+          client.revokeRoleFromGroup(requestorUserName, groupName, errorRoleName);
+          fail("Exception should have been thrown");
+        } catch (Exception e) {
+          fieldValueMap.clear();
+          fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DELETE_ROLE);
+          fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "REVOKE ROLE " + errorRoleName
+              + " FROM GROUP " + groupName);
+          fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+          fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+          assertAuditLog(fieldValueMap);
+        }
+
+        try {
+          client.dropRole(requestorUserName, errorRoleName);
+          fail("Exception should have been thrown");
+        } catch (Exception e) {
+          fieldValueMap.clear();
+          fieldValueMap.put(Constants.LOG_FIELD_OPERATION, Constants.OPERATION_DROP_ROLE);
+          fieldValueMap.put(Constants.LOG_FIELD_OPERATION_TEXT, "DROP ROLE " + errorRoleName);
+          fieldValueMap.put(Constants.LOG_FIELD_ALLOWED, Constants.FALSE);
+          fieldValueMap.put(Constants.LOG_FIELD_IP_ADDRESS, null);
+          assertAuditLog(fieldValueMap);
+        }
+      }
+    });
+  }
+
+  private void assertAuditLog(Map<String, String> fieldValueMap) throws Exception {
+    assertThat(AuditLoggerTestAppender.getLastLogLevel(), is(Level.INFO));
+    JSONObject jsonObject = new JSONObject(AuditLoggerTestAppender.getLastLogEvent());
+    if (fieldValueMap != null) {
+      for (Map.Entry<String, String> entry : fieldValueMap.entrySet()) {
+        String entryKey = entry.getKey();
+        if (Constants.LOG_FIELD_IP_ADDRESS.equals(entryKey)) {
+          assertTrue(CommandUtil.assertIPInAuditLog(jsonObject.get(entryKey).toString()));
+        } else {
+          assertTrue(entry.getValue().equalsIgnoreCase(jsonObject.get(entryKey).toString()));
+        }
+      }
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestConnectionWithTicketTimeout.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestConnectionWithTicketTimeout.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestConnectionWithTicketTimeout.java
new file mode 100644
index 0000000..7d8c58d
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestConnectionWithTicketTimeout.java
@@ -0,0 +1,57 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.service.thrift;
+
+import org.apache.hadoop.minikdc.MiniKdc;
+import org.apache.sentry.service.common.ServiceConstants;
+import org.junit.BeforeClass;
+import org.junit.Ignore;
+import org.junit.Test;
+
+@Ignore("SENTRY-515: Not part of automated unit testing, as it takes too long. Fails until we move to a hadoop 2.6.1. See HADOOP-10786")
+public class TestConnectionWithTicketTimeout extends
+    org.apache.sentry.service.thrift.SentryServiceIntegrationBase {
+
+  @BeforeClass
+  public static void setup() throws Exception {
+    kerberos = true;
+    beforeSetup();
+    setupConf();
+    startSentryService();
+    afterSetup();
+  }
+
+  public static void beforeSetup() throws Exception {
+    kdcConfOverlay.setProperty(MiniKdc.MAX_TICKET_LIFETIME, "360001");
+    //Only UGI based client connections renew their TGT, this is not a problem in the real world
+    // as this is not configurable and always true
+    conf.set(ServiceConstants.ServerConfig.SECURITY_USE_UGI_TRANSPORT, "true");
+  }
+
+  /***
+   * Test is run only when sentry.hive.test.ticket.timeout is set to "true"
+   * @throws Exception
+   */
+  @Test
+  public void testConnectionAfterTicketTimeout() throws Exception {
+    Thread.sleep(400000);
+    connectToSentryService();
+  }
+
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestNotificationHandlerInvoker.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestNotificationHandlerInvoker.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestNotificationHandlerInvoker.java
new file mode 100644
index 0000000..92f3f8b
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestNotificationHandlerInvoker.java
@@ -0,0 +1,102 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.service.thrift;
+
+import org.apache.hadoop.conf.Configuration;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+
+import com.google.common.collect.Lists;
+
+public class TestNotificationHandlerInvoker {
+
+  private Configuration conf;
+  private NotificationHandler handler;
+  private NotificationHandlerInvoker invoker;
+
+  @Before
+  public void setup() throws Exception {
+    conf = new Configuration(false);
+    handler = Mockito.spy(new NotificationHandler(conf) {});
+    invoker = new NotificationHandlerInvoker(conf,
+        Lists.newArrayList(new ThrowingNotificationHandler(conf), handler));
+  }
+
+  @Test
+  public void testCreateSentryRole() throws Exception {
+    TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
+    TCreateSentryRoleResponse response = new TCreateSentryRoleResponse();
+    invoker.create_sentry_role(request, response);
+    Mockito.verify(handler).create_sentry_role(request, response);
+  }
+
+  @Test
+  public void testDropSentryRole() throws Exception {
+    TDropSentryRoleRequest request = new TDropSentryRoleRequest();
+    TDropSentryRoleResponse response = new TDropSentryRoleResponse();
+    invoker.drop_sentry_role(request, response);
+    Mockito.verify(handler).drop_sentry_role(request, response);
+  }
+
+
+
+  @Test
+  public void testAlterSentryRoleAddGroups() throws Exception {
+    TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest();
+    TAlterSentryRoleAddGroupsResponse response = new TAlterSentryRoleAddGroupsResponse();
+    invoker.alter_sentry_role_add_groups(request, response);
+    Mockito.verify(handler).alter_sentry_role_add_groups(request, response);
+  }
+
+  @Test
+  public void testAlterSentryRoleDeleteGroups() throws Exception {
+    TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest();
+    TAlterSentryRoleDeleteGroupsResponse response = new TAlterSentryRoleDeleteGroupsResponse();
+    invoker.alter_sentry_role_delete_groups(request, response);
+    Mockito.verify(handler).alter_sentry_role_delete_groups(request, response);
+  }
+
+  public static class ThrowingNotificationHandler extends NotificationHandler {
+    public ThrowingNotificationHandler(Configuration config) throws Exception {
+      super(config);
+    }
+    @Override
+    public void create_sentry_role(TCreateSentryRoleRequest request,
+                                   TCreateSentryRoleResponse response) {
+      throw new RuntimeException();
+    }
+    public void drop_sentry_role(TDropSentryRoleRequest request,
+                                 TDropSentryRoleResponse response) {
+      throw new RuntimeException();
+    }
+    @Override
+    public void alter_sentry_role_add_groups(
+            TAlterSentryRoleAddGroupsRequest request,
+            TAlterSentryRoleAddGroupsResponse response) {
+      throw new RuntimeException();
+    }
+    @Override
+    public void alter_sentry_role_delete_groups(
+      TAlterSentryRoleDeleteGroupsRequest request,
+      TAlterSentryRoleDeleteGroupsResponse response) {
+      throw new RuntimeException();
+    }
+  }
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyServiceClient.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyServiceClient.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyServiceClient.java
new file mode 100644
index 0000000..e845936
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyServiceClient.java
@@ -0,0 +1,64 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.service.thrift;
+
+import java.util.Set;
+
+import org.apache.sentry.service.thrift.SentryServiceFactory;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import com.google.common.collect.Sets;
+
+public class TestSentryPolicyServiceClient extends SentryServiceIntegrationBase {
+
+  @BeforeClass
+  public static void setup() throws Exception {
+    beforeSetup();
+    setupConf();
+    startSentryService();
+    afterSetup();
+    kerberos = false;
+  }
+
+  @Test
+  public void testConnectionWhenReconnect() throws Exception {
+    runTestAsSubject(new TestOperation() {
+      @Override
+      public void runTestAsSubject() throws Exception {
+        String requestorUserName = ADMIN_USER;
+        Set<String> requestorUserGroupNames = Sets.newHashSet(ADMIN_GROUP);
+        String roleName = "admin_r";
+        setLocalGroupMapping(requestorUserName, requestorUserGroupNames);
+        writePolicyFile();
+
+        client.dropRoleIfExists(requestorUserName, roleName);
+        client.createRole(requestorUserName, roleName);
+        client.listAllRoles(requestorUserName);
+        stopSentryService();
+        server = SentryServiceFactory.create(conf);
+        startSentryService();
+        client.listAllRoles(requestorUserName);
+        client.dropRole(requestorUserName, roleName);
+      }
+    });
+  }
+
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
new file mode 100644
index 0000000..efacf19
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
@@ -0,0 +1,81 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.api.service.thrift;
+
+import org.apache.sentry.api.common.ThriftConstants;
+import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
+import org.junit.Assert;
+
+import org.apache.hadoop.conf.Configuration;
+import org.apache.sentry.core.common.exception.SentryThriftAPIMismatchException;
+import org.apache.sentry.core.common.utils.PolicyStoreConstants.PolicyStoreServerConfig;
+import org.junit.Before;
+import org.junit.Test;
+
+public class TestSentryPolicyStoreProcessor {
+
+  private Configuration conf;
+
+  @Before
+  public void setup() {
+    conf = new Configuration(false);
+  }
+  @Test(expected=SentrySiteConfigurationException.class)
+  public void testConfigNotNotificationHandler() throws Exception {
+    conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS, Object.class.getName());
+    SentryPolicyStoreProcessor.createHandlers(conf);
+  }
+  @Test(expected=SentrySiteConfigurationException.class)
+  public void testConfigCannotCreateNotificationHandler() throws Exception {
+    conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS,
+        ExceptionInConstructorNotificationHandler.class.getName());
+    SentryPolicyStoreProcessor.createHandlers(conf);
+  }
+  @Test(expected=SentrySiteConfigurationException.class)
+  public void testConfigNotAClassNotificationHandler() throws Exception {
+    conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS, "junk");
+    SentryPolicyStoreProcessor.createHandlers(conf);
+  }
+  @Test
+  public void testConfigMultipleNotificationHandlers() throws Exception {
+    conf.set(PolicyStoreServerConfig.NOTIFICATION_HANDLERS,
+        NoopNotificationHandler.class.getName() + "," +
+            NoopNotificationHandler.class.getName() + " " +
+            NoopNotificationHandler.class.getName());
+    Assert.assertEquals(3, SentryPolicyStoreProcessor.createHandlers(conf).size());
+  }
+  public static class ExceptionInConstructorNotificationHandler extends NotificationHandler {
+    public ExceptionInConstructorNotificationHandler(Configuration config) throws Exception {
+      super(config);
+      throw new Exception();
+    }
+  }
+  public static class NoopNotificationHandler extends NotificationHandler {
+    public NoopNotificationHandler(Configuration config) throws Exception {
+      super(config);
+    }
+  }
+  @Test(expected=SentryThriftAPIMismatchException.class)
+  public void testSentryThriftAPIMismatch() throws Exception {
+    SentryPolicyStoreProcessor.validateClientVersion(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT -1);
+  }
+  @Test
+  public void testSentryThriftAPIMatchVersion() throws Exception {
+    SentryPolicyStoreProcessor.validateClientVersion(ThriftConstants.TSENTRY_SERVICE_VERSION_CURRENT);
+  }
+}

http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerForPoolWithoutKerberos.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerForPoolWithoutKerberos.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerForPoolWithoutKerberos.java
new file mode 100644
index 0000000..7330204
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerForPoolWithoutKerberos.java
@@ -0,0 +1,35 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless createRequired by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.sentry.api.service.thrift;
+
+import org.junit.BeforeClass;
+
+public class TestSentryServerForPoolWithoutKerberos extends TestSentryServerWithoutKerberos {
+
+  @BeforeClass
+  public static void setup() throws Exception {
+    kerberos = false;
+    pooled = true;
+    beforeSetup();
+    setupConf();
+    startSentryService();
+    afterSetup();
+  }
+
+}
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/sentry/blob/48422f4c/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerLogLevel.java
----------------------------------------------------------------------
diff --git a/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerLogLevel.java b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerLogLevel.java
new file mode 100644
index 0000000..6290fb7
--- /dev/null
+++ b/sentry-provider/sentry-provider-db/src/test/java/org/apache/sentry/api/service/thrift/TestSentryServerLogLevel.java
@@ -0,0 +1,100 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.sentry.api.service.thrift;
+
+import org.apache.commons.io.IOUtils;
+import org.apache.log4j.LogManager;
+import org.apache.log4j.Logger;
+import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
+import org.junit.*;
+
+import java.net.HttpURLConnection;
+import java.net.URL;
+
+public class TestSentryServerLogLevel extends SentryServiceIntegrationBase {
+  private final String CLASS_NAME = "org.eclipse.jetty.server.handler.ContextHandler";
+
+  @BeforeClass
+  public static void setup() throws Exception {
+    webServerEnabled = true;
+    webSecurity = false;
+    SentryServiceIntegrationBase.setup();
+  }
+
+  @Override
+  @Before
+  public void before() throws Exception {
+  }
+
+  @Override
+  @After
+  public void after() {
+  }
+
+  /**
+   * Get the log level for the specified class
+   * @param className: Name of class
+   * @return
+   *        Log level of the class
+   */
+  private String getLogLevel(String className) {
+    Logger logInstance = LogManager.getLogger(className);
+    return logInstance.getEffectiveLevel().toString();
+  }
+
+  /**
+   * Send log level and class name via the HTTP interface and verify that it is set at the loogger.
+   * @throws Exception
+   */
+  @Test
+  public void testSetLogLevel() throws Exception {
+    final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/admin/logLevel?log="
+            + CLASS_NAME + "&level=INFO");
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+    String response = IOUtils.toString(conn.getInputStream());
+    Assert.assertTrue(response.contains("INFO"));
+    Assert.assertEquals("INFO", getLogLevel(CLASS_NAME));
+  }
+
+  /**
+   * Send class name via the HTTP interface and verify that it is get at the loogger.
+   * @throws Exception
+   */
+  @Test
+  public void testGetLogLevel() throws Exception {
+    final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/admin/logLevel?log=" + CLASS_NAME);
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
+    String response = IOUtils.toString(conn.getInputStream());
+    Assert.assertTrue(response.contains("INFO"));
+    Assert.assertEquals("INFO", getLogLevel(CLASS_NAME));
+  }
+
+  /**
+   * Send class name and invalid log level via the HTTP interface and verify that it returns error response.
+   * @throws Exception
+   */
+  @Test
+  public void testInvalidLogLevel() throws Exception {
+    final URL url = new URL("http://"+ SERVER_HOST + ":" + webServerPort + "/admin/logLevel?log="
+            + CLASS_NAME + "&level=ABCD");
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    Assert.assertEquals(HttpURLConnection.HTTP_BAD_REQUEST, conn.getResponseCode());
+  }
+}


Mime
View raw message