sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sp...@apache.org
Subject [17/17] sentry git commit: SENTRY-2282: Remove hive-authzv2 binding and tests modules completely (Sergio Pena, reviewed by Na Li)
Date Wed, 27 Jun 2018 16:47:44 GMT
SENTRY-2282: Remove hive-authzv2 binding and tests modules completely (Sergio Pena, reviewed by Na Li)


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/e358fde7
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/e358fde7
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/e358fde7

Branch: refs/heads/master
Commit: e358fde7f7a22f6848f464d55644d6eec89b5f88
Parents: 0397fc5
Author: Sergio Pena <sergio.pena@cloudera.com>
Authored: Wed Jun 27 11:44:47 2018 -0500
Committer: Sergio Pena <sergio.pena@cloudera.com>
Committed: Wed Jun 27 11:44:47 2018 -0500

----------------------------------------------------------------------
 sentry-binding/pom.xml                          |   22 +-
 sentry-binding/sentry-binding-hive-v2/pom.xml   |  163 --
 .../hive/ql/exec/SentryFilterDDLTask.java       |  162 --
 .../binding/hive/authz/SentryConfigTool.java    |  643 -----
 .../hive/v2/HiveAuthzBindingHookBaseV2.java     |  880 -------
 .../binding/hive/v2/HiveAuthzBindingHookV2.java |  157 --
 .../hive/v2/HiveAuthzBindingSessionHookV2.java  |  129 -
 .../hive/v2/HiveAuthzPrivilegesMapV2.java       |  327 ---
 .../hive/v2/SentryAuthorizerFactory.java        |  164 --
 ...entryHiveAuthorizationTaskFactoryImplV2.java |   64 -
 .../hive/v2/SentryHivePrivilegeObject.java      |   32 -
 .../DefaultSentryAccessController.java          |  564 -----
 .../v2/authorizer/DefaultSentryValidator.java   |  477 ----
 .../authorizer/SentryHiveAccessController.java  |  200 --
 .../SentryHiveAuthorizationValidator.java       |   58 -
 .../v2/authorizer/SentryHiveAuthorizer.java     |  192 --
 .../metastore/AuthorizingObjectStoreBaseV2.java |  412 ----
 .../v2/metastore/AuthorizingObjectStoreV2.java  |  412 ----
 .../metastore/MetastoreAuthzBindingBaseV2.java  |  459 ----
 .../v2/metastore/MetastoreAuthzBindingV2.java   |   99 -
 .../metastore/SentryHiveMetaStoreClientV2.java  |  161 --
 .../v2/metastore/SentryMetaStoreFilterHook.java |  201 --
 .../SentryMetastorePostEventListenerBaseV2.java |  416 ----
 .../SentryMetastorePostEventListenerV2.java     |   73 -
 .../hive/v2/util/SentryAuthorizerUtil.java      |  362 ---
 .../hive/v2/util/SimpleSemanticAnalyzer.java    |  372 ---
 .../v2/DummyHiveAuthenticationProvider.java     |   63 -
 sentry-tests/sentry-tests-hive-v2/pom.xml       |  530 -----
 .../dbprovider/AbstractTestWithDbProvider.java  |  166 --
 .../e2e/dbprovider/TestColumnEndToEnd.java      |  417 ----
 .../e2e/dbprovider/TestConcurrentClients.java   |  343 ---
 .../e2e/dbprovider/TestDatabaseProvider.java    | 2215 ------------------
 .../TestDbColumnLevelMetaDataOps.java           |  374 ---
 .../tests/e2e/dbprovider/TestDbComplexView.java |  314 ---
 .../tests/e2e/dbprovider/TestDbConnections.java |  150 --
 .../tests/e2e/dbprovider/TestDbCrossDbOps.java  |   40 -
 .../tests/e2e/dbprovider/TestDbDDLAuditLog.java |  293 ---
 .../tests/e2e/dbprovider/TestDbEndToEnd.java    |  251 --
 .../TestDbExportImportPrivileges.java           |   44 -
 .../e2e/dbprovider/TestDbJDBCInterface.java     |   45 -
 .../TestDbMetadataObjectRetrieval.java          |   44 -
 .../dbprovider/TestDbMetadataPermissions.java   |   39 -
 .../dbprovider/TestDbMovingToProduction.java    |   38 -
 .../tests/e2e/dbprovider/TestDbOperations.java  |   37 -
 .../dbprovider/TestDbPrivilegeAtTransform.java  |   38 -
 .../TestDbPrivilegeCleanupOnDrop.java           |  354 ---
 .../TestDbPrivilegesAtColumnScope.java          |   38 -
 .../TestDbPrivilegesAtDatabaseScope.java        |   46 -
 .../TestDbPrivilegesAtFunctionScope.java        |   39 -
 .../TestDbPrivilegesAtTableScope.java           |   39 -
 .../TestDbRuntimeMetadataRetrieval.java         |   46 -
 .../tests/e2e/dbprovider/TestDbSandboxOps.java  |   49 -
 .../TestDbSentryOnFailureHookLoading.java       |  271 ---
 .../e2e/dbprovider/TestDbUriPermissions.java    |   45 -
 .../e2e/dbprovider/TestGrantUserToRole.java     |  261 ---
 .../TestPrivilegeWithGrantOption.java           |  379 ---
 .../TestPrivilegeWithHAGrantOption.java         |  160 --
 .../tests/e2e/hdfs/TestHDFSIntegration.java     | 1932 ---------------
 .../e2e/hdfs/TestHDFSIntegrationWithHA.java     |   28 -
 .../e2e/hive/AbstractTestWithHiveServer.java    |   94 -
 .../AbstractTestWithStaticConfiguration.java    |  723 ------
 .../apache/sentry/tests/e2e/hive/Context.java   |  321 ---
 .../e2e/hive/DummySentryOnFailureHook.java      |   44 -
 .../sentry/tests/e2e/hive/PolicyFileEditor.java |   78 -
 .../tests/e2e/hive/PrivilegeResultSet.java      |  124 -
 .../sentry/tests/e2e/hive/StaticUserGroup.java  |   55 -
 .../sentry/tests/e2e/hive/TestConfigTool.java   |  346 ---
 .../sentry/tests/e2e/hive/TestCrossDbOps.java   |  669 ------
 .../e2e/hive/TestCustomSerdePrivileges.java     |  120 -
 .../sentry/tests/e2e/hive/TestEndToEnd.java     |  128 -
 .../e2e/hive/TestExportImportPrivileges.java    |  162 --
 .../tests/e2e/hive/TestJDBCInterface.java       |  228 --
 .../tests/e2e/hive/TestLockPrivileges.java      |  214 --
 .../e2e/hive/TestMetadataObjectRetrieval.java   |  501 ----
 .../tests/e2e/hive/TestMetadataPermissions.java |  128 -
 .../tests/e2e/hive/TestMovingToProduction.java  |  220 --
 .../sentry/tests/e2e/hive/TestOperations.java   | 1289 ----------
 .../tests/e2e/hive/TestPerDBConfiguration.java  |  408 ----
 .../e2e/hive/TestPerDatabasePolicyFile.java     |  118 -
 .../tests/e2e/hive/TestPolicyImportExport.java  |  196 --
 .../e2e/hive/TestPrivilegeAtTransform.java      |  118 -
 .../e2e/hive/TestPrivilegesAtColumnScope.java   |  518 ----
 .../e2e/hive/TestPrivilegesAtDatabaseScope.java |  399 ----
 .../e2e/hive/TestPrivilegesAtFunctionScope.java |  262 ---
 .../e2e/hive/TestPrivilegesAtTableScope.java    |  662 ------
 .../tests/e2e/hive/TestReloadPrivileges.java    |   54 -
 .../e2e/hive/TestRuntimeMetadataRetrieval.java  |  429 ----
 .../sentry/tests/e2e/hive/TestSandboxOps.java   |  529 -----
 .../hive/TestSentryOnFailureHookLoading.java    |  134 --
 .../tests/e2e/hive/TestServerConfiguration.java |  265 ---
 .../tests/e2e/hive/TestUriPermissions.java      |  262 ---
 .../tests/e2e/hive/TestUserManagement.java      |  383 ---
 .../tests/e2e/hive/TestViewPrivileges.java      |  138 --
 .../sentry/tests/e2e/hive/fs/AbstractDFS.java   |   87 -
 .../sentry/tests/e2e/hive/fs/ClusterDFS.java    |   69 -
 .../apache/sentry/tests/e2e/hive/fs/DFS.java    |   32 -
 .../sentry/tests/e2e/hive/fs/DFSFactory.java    |   49 -
 .../sentry/tests/e2e/hive/fs/MiniDFS.java       |   94 -
 .../e2e/hive/hiveserver/AbstractHiveServer.java |   95 -
 .../e2e/hive/hiveserver/EmbeddedHiveServer.java |   60 -
 .../e2e/hive/hiveserver/ExternalHiveServer.java |  124 -
 .../tests/e2e/hive/hiveserver/HiveServer.java   |   34 -
 .../e2e/hive/hiveserver/HiveServerFactory.java  |  296 ---
 .../e2e/hive/hiveserver/InternalHiveServer.java |   47 -
 .../hiveserver/InternalMetastoreServer.java     |   80 -
 .../hive/hiveserver/UnmanagedHiveServer.java    |  113 -
 ...actMetastoreTestWithStaticConfiguration.java |  218 --
 .../metastore/SentryPolicyProviderForDb.java    |  165 --
 .../metastore/TestAuthorizingObjectStore.java   | 1106 ---------
 .../e2e/metastore/TestMetaStoreWithPigHCat.java |  113 -
 .../e2e/metastore/TestMetastoreEndToEnd.java    |  628 -----
 .../tests/e2e/minisentry/InternalSentrySrv.java |  235 --
 .../sentry/tests/e2e/minisentry/SentrySrv.java  |   86 -
 .../tests/e2e/minisentry/SentrySrvFactory.java  |   45 -
 .../resources/core-site-for-sentry-test.xml     |   34 -
 .../src/test/resources/emp.dat                  |   12 -
 .../src/test/resources/hadoop                   |  107 -
 .../src/test/resources/kv1.dat                  |  500 ----
 .../src/test/resources/log4j.properties         |   35 -
 .../src/test/resources/log4j2.properties        |   53 -
 .../src/test/resources/sentry-provider.ini      |   25 -
 .../src/test/resources/sentry-site.xml          |   33 -
 .../src/test/resources/testPolicyImport.ini     |   25 -
 .../test/resources/testPolicyImportAdmin.ini    |   22 -
 .../test/resources/testPolicyImportError.ini    |   21 -
 .../scale-test/create-many-dbs-tables.sh        |  277 ---
 126 files changed, 1 insertion(+), 31567 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-binding/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-binding/pom.xml b/sentry-binding/pom.xml
index 17b0f1a..fd5e28b 100644
--- a/sentry-binding/pom.xml
+++ b/sentry-binding/pom.xml
@@ -37,26 +37,6 @@ limitations under the License.
     <module>sentry-binding-hbase-indexer</module>
     <module>sentry-binding-hive-conf</module>
     <module>sentry-binding-hive-follower</module>
+    <module>sentry-binding-hive</module>
   </modules>
-
-  <profiles>
-    <profile>
-      <id>hive-authz1</id>
-      <activation>
-        <activeByDefault>true</activeByDefault>
-      </activation>
-      <modules>
-        <module>sentry-binding-hive</module>
-      </modules>
-    </profile>
-    <profile>
-      <id>hive-authz2</id>
-      <activation>
-        <activeByDefault>false</activeByDefault>
-      </activation>
-      <modules>
-        <module>sentry-binding-hive-v2</module>
-      </modules>
-    </profile>
-  </profiles>
 </project>

http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-binding/sentry-binding-hive-v2/pom.xml
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/pom.xml b/sentry-binding/sentry-binding-hive-v2/pom.xml
deleted file mode 100644
index f77e64e..0000000
--- a/sentry-binding/sentry-binding-hive-v2/pom.xml
+++ /dev/null
@@ -1,163 +0,0 @@
-<?xml version="1.0"?>
-<!--
-Licensed to the Apache Software Foundation (ASF) under one or more
-contributor license agreements.  See the NOTICE file distributed with
-this work for additional information regarding copyright ownership.
-The ASF licenses this file to You under the Apache License, Version 2.0
-(the "License"); you may not use this file except in compliance with
-the License.  You may obtain a copy of the License at
-
-     http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
--->
-<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
-  <modelVersion>4.0.0</modelVersion>
-
-  <parent>
-    <groupId>org.apache.sentry</groupId>
-    <artifactId>sentry-binding</artifactId>
-    <version>2.1.0-SNAPSHOT</version>
-  </parent>
-
-  <artifactId>sentry-binding-hive-v2</artifactId>
-  <name>Sentry Binding v2 for Hive</name>
-
-  <dependencies>
-    <dependency>
-      <groupId>org.apache.sentry</groupId>
-      <artifactId>sentry-binding-hive-common</artifactId>
-      <exclusions>
-        <exclusion>
-          <groupId>org.apache.httpcomponents</groupId>
-          <artifactId>httpclient</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.apache.httpcomponents</groupId>
-          <artifactId>httpcore</artifactId>
-        </exclusion>
-      </exclusions>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.thrift</groupId>
-      <artifactId>libthrift</artifactId>
-      <exclusions>
-        <exclusion>
-          <groupId>org.apache.httpcomponents</groupId>
-          <artifactId>httpclient</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.apache.httpcomponents</groupId>
-          <artifactId>httpcore</artifactId>
-        </exclusion>
-      </exclusions>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.derby</groupId>
-      <artifactId>derby</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>junit</groupId>
-      <artifactId>junit</artifactId>
-      <scope>test</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.hive</groupId>
-      <artifactId>hive-exec</artifactId>
-      <version>${hive.version}</version>
-      <scope>provided</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.hive</groupId>
-      <artifactId>hive-service</artifactId>
-      <version>${hive.version}</version>
-      <scope>provided</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.hive</groupId>
-      <artifactId>hive-metastore</artifactId>
-      <version>${hive.version}</version>
-      <scope>provided</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.hive</groupId>
-      <artifactId>hive-shims</artifactId>
-      <version>${hive.version}</version>
-      <scope>provided</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.hive</groupId>
-      <artifactId>hive-serde</artifactId>
-      <version>${hive.version}</version>
-      <scope>provided</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.hive</groupId>
-      <artifactId>hive-common</artifactId>
-      <version>${hive.version}</version>
-      <scope>provided</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.sentry</groupId>
-      <artifactId>sentry-core-common</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.sentry</groupId>
-      <artifactId>sentry-core-model-db</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.sentry</groupId>
-      <artifactId>sentry-provider-common</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.sentry</groupId>
-      <artifactId>sentry-provider-file</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.sentry</groupId>
-      <artifactId>sentry-policy-engine</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.hadoop</groupId>
-      <artifactId>hadoop-common</artifactId>
-      <scope>provided</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.apache.hadoop</groupId>
-      <artifactId>hadoop-client</artifactId>
-      <version>${hadoop.version}</version>
-      <scope>provided</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.mockito</groupId>
-      <artifactId>mockito-all</artifactId>
-      <scope>test</scope>
-    </dependency>
-    <dependency>
-      <groupId>org.datanucleus</groupId>
-      <artifactId>datanucleus-core</artifactId>
-      <version>${datanucleus-core.version}</version>
-    </dependency>
-    <dependency>
-      <groupId>org.datanucleus</groupId>
-      <artifactId>datanucleus-api-jdo</artifactId>
-      <version>${datanucleus-api-jdo.version}</version>
-    </dependency>
-    <dependency>
-      <groupId>org.datanucleus</groupId>
-      <artifactId>datanucleus-rdbms</artifactId>
-      <version>${datanucleus-rdbms.version}</version>
-    </dependency>
-    <dependency>
-      <groupId>org.datanucleus</groupId>
-      <artifactId>javax.jdo</artifactId>
-      <version>${datanucleus-jdo.version}</version>
-    </dependency>
-  </dependencies>
-
-</project>

http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/hadoop/hive/ql/exec/SentryFilterDDLTask.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/hadoop/hive/ql/exec/SentryFilterDDLTask.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/hadoop/hive/ql/exec/SentryFilterDDLTask.java
deleted file mode 100644
index 0b1acf1..0000000
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/hadoop/hive/ql/exec/SentryFilterDDLTask.java
+++ /dev/null
@@ -1,162 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.hadoop.hive.ql.exec;
-
-import static org.apache.hadoop.util.StringUtils.stringifyException;
-
-import java.io.DataOutputStream;
-import java.io.IOException;
-import java.util.List;
-
-import org.apache.commons.logging.Log;
-import org.apache.commons.logging.LogFactory;
-import org.apache.hadoop.fs.FileSystem;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.hive.metastore.api.FieldSchema;
-import org.apache.hadoop.hive.ql.DriverContext;
-import org.apache.hadoop.hive.ql.ErrorMsg;
-import org.apache.hadoop.hive.ql.metadata.Hive;
-import org.apache.hadoop.hive.ql.metadata.HiveException;
-import org.apache.hadoop.hive.ql.metadata.Table;
-import org.apache.hadoop.hive.ql.metadata.formatting.MetaDataFormatUtils;
-import org.apache.hadoop.hive.ql.plan.HiveOperation;
-import org.apache.hadoop.hive.ql.plan.ShowColumnsDesc;
-import org.apache.hadoop.hive.ql.session.SessionState;
-import org.apache.hadoop.io.IOUtils;
-import org.apache.sentry.binding.hive.HiveAuthzBindingHookBaseV2;
-import org.apache.sentry.binding.hive.authz.HiveAuthzBinding;
-import org.apache.sentry.core.common.Subject;
-
-import com.google.common.base.Preconditions;
-
-public class SentryFilterDDLTask extends DDLTask {
-  private static final long serialVersionUID = 1L;
-  private static final Log LOG = LogFactory.getLog(SentryFilterDDLTask.class);
-
-  private HiveAuthzBinding hiveAuthzBinding;
-  private Subject subject;
-  private HiveOperation stmtOperation;
-
-  public SentryFilterDDLTask(HiveAuthzBinding hiveAuthzBinding, Subject subject,
-      HiveOperation stmtOperation) {
-    Preconditions.checkNotNull(hiveAuthzBinding);
-    Preconditions.checkNotNull(subject);
-    Preconditions.checkNotNull(stmtOperation);
-
-    this.hiveAuthzBinding = hiveAuthzBinding;
-    this.subject = subject;
-    this.stmtOperation = stmtOperation;
-  }
-
-  public HiveAuthzBinding getHiveAuthzBinding() {
-    return hiveAuthzBinding;
-  }
-
-  public Subject getSubject() {
-    return subject;
-  }
-
-  public HiveOperation getStmtOperation() {
-    return stmtOperation;
-  }
-
-  @Override
-  public int execute(DriverContext driverContext) {
-    // Currently the SentryFilterDDLTask only supports filter the "show columns in table " command.
-    ShowColumnsDesc showCols = work.getShowColumnsDesc();
-    try {
-      if (showCols != null) {
-        return showFilterColumns(showCols);
-      }
-    } catch (Throwable e) {
-      failed(e);
-      return 1;
-    }
-
-    return super.execute(driverContext);
-  }
-
-  private void failed(Throwable e) {
-    // Get the cause of the exception if available
-    Throwable error = e;
-    while (error.getCause() != null && error.getClass() == RuntimeException.class) {
-      error = error.getCause();
-    }
-    setException(error);
-    LOG.error(stringifyException(error));
-  }
-
-  /**
-   * Filter the command "show columns in table"
-   *
-   */
-  private int showFilterColumns(ShowColumnsDesc showCols) throws HiveException {
-    Table table = Hive.get(conf).getTable(showCols.getTableName());
-
-    // write the results in the file
-    DataOutputStream outStream = null;
-    try {
-      Path resFile = new Path(showCols.getResFile());
-      FileSystem fs = resFile.getFileSystem(conf);
-      outStream = fs.create(resFile);
-
-      List<FieldSchema> cols = table.getCols();
-      cols.addAll(table.getPartCols());
-      // In case the query is served by HiveServer2, don't pad it with spaces,
-      // as HiveServer2 output is consumed by JDBC/ODBC clients.
-      boolean isOutputPadded = !SessionState.get().isHiveServerQuery();
-      outStream.writeBytes(MetaDataFormatUtils.getAllColumnsInformation(
-          fiterColumns(cols, table), false, isOutputPadded, null));
-      outStream.close();
-      outStream = null;
-    } catch (IOException e) {
-      throw new HiveException(e, ErrorMsg.GENERIC_ERROR);
-    } finally {
-      IOUtils.closeStream(outStream);
-    }
-    return 0;
-  }
-
-  private List<FieldSchema> fiterColumns(List<FieldSchema> cols, Table table) throws HiveException {
-    // filter some columns that the subject has privilege on
-    return HiveAuthzBindingHookBaseV2.filterShowColumns(getHiveAuthzBinding(),
-        cols, getStmtOperation(), getSubject().getName(), table.getTableName(), table.getDbName());
-  }
-
-  public void copyDDLTask(DDLTask ddlTask) {
-    work = ddlTask.getWork();
-    rootTask = ddlTask.isRootTask();
-    childTasks = ddlTask.getChildTasks();
-    parentTasks = ddlTask.getParentTasks();
-    backupTask = ddlTask.getBackupTask();
-    backupChildrenTasks = ddlTask.getBackupChildrenTasks();
-    started = ddlTask.started();
-    isdone = ddlTask.done();
-    queued = ddlTask.getQueued();
-    id = ddlTask.getId();
-    taskCounters = ddlTask.getCounters();
-    feedSubscribers = ddlTask.getFeedSubscribers();
-    taskTag = ddlTask.getTaskTag();
-    setLocalMode(ddlTask.isLocalMode());
-    setRetryCmdWhenFail(ddlTask.ifRetryCmdWhenFail());
-    queryPlan = ddlTask.getQueryPlan();
-    jobID = ddlTask.getJobID();
-    setException(ddlTask.getException());
-    console = ddlTask.console;
-    setFetchSource(ddlTask.isFetchSource());
-  }
-}

http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
deleted file mode 100644
index f6b4518..0000000
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/authz/SentryConfigTool.java
+++ /dev/null
@@ -1,643 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.apache.sentry.binding.hive.authz;
-
-import java.security.CodeSource;
-import java.sql.Connection;
-import java.sql.DriverManager;
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.sql.Statement;
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.commons.cli.CommandLine;
-import org.apache.commons.cli.GnuParser;
-import org.apache.commons.cli.HelpFormatter;
-import org.apache.commons.cli.Option;
-import org.apache.commons.cli.OptionGroup;
-import org.apache.commons.cli.Options;
-import org.apache.commons.cli.ParseException;
-import org.apache.commons.cli.Parser;
-import org.apache.commons.lang3.StringUtils;
-import org.apache.hadoop.hive.conf.HiveConf;
-import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
-import org.apache.hadoop.hive.ql.Driver;
-import org.apache.hadoop.hive.ql.parse.SemanticException;
-import org.apache.hadoop.hive.ql.processors.CommandProcessorResponse;
-import org.apache.hadoop.hive.ql.session.SessionState;
-import org.apache.log4j.Level;
-import org.apache.log4j.LogManager;
-import org.apache.sentry.Command;
-import org.apache.sentry.binding.hive.HiveAuthzBindingHookBaseV2;
-import org.apache.sentry.binding.hive.SentryPolicyFileFormatFactory;
-import org.apache.sentry.binding.hive.SentryPolicyFileFormatter;
-import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
-import org.apache.sentry.binding.hive.conf.HiveAuthzConf.AuthzConfVars;
-import org.apache.sentry.core.common.exception.SentryConfigurationException;
-import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.core.model.db.Server;
-import org.apache.sentry.provider.common.AuthorizationProvider;
-import org.apache.sentry.api.service.thrift.SentryPolicyServiceClient;
-import org.apache.sentry.service.thrift.SentryServiceClientFactory;
-
-/**
- * set the required system property to be read by HiveConf and AuthzConf
- *
- * @throws Exception
- */
-// Hack, hiveConf doesn't provide a reliable way check if it found a valid
-// hive-site
-// load auth provider
-// get the configured sentry provider
-// validate policy files
-// import policy files
-public class SentryConfigTool {
-  private String sentrySiteFile = null;
-  private String policyFile = null;
-  private String query = null;
-  private String jdbcURL = null;
-  private String user = null;
-  private String passWord = null;
-  private String importPolicyFilePath = null;
-  private String exportPolicyFilePath = null;
-  private String objectPath = null;
-  private boolean listPrivs = false;
-  private boolean validate = false;
-  private boolean importOverwriteRole = false;
-  private HiveConf hiveConf = null;
-  private HiveAuthzConf authzConf = null;
-  private AuthorizationProvider sentryProvider = null;
-
-  public SentryConfigTool() {
-
-  }
-
-  public AuthorizationProvider getSentryProvider() {
-    return sentryProvider;
-  }
-
-  public void setSentryProvider(AuthorizationProvider sentryProvider) {
-    this.sentryProvider = sentryProvider;
-  }
-
-  public HiveConf getHiveConf() {
-    return hiveConf;
-  }
-
-  public void setHiveConf(HiveConf hiveConf) {
-    this.hiveConf = hiveConf;
-  }
-
-  public HiveAuthzConf getAuthzConf() {
-    return authzConf;
-  }
-
-  public void setAuthzConf(HiveAuthzConf authzConf) {
-    this.authzConf = authzConf;
-  }
-
-  public boolean isValidate() {
-    return validate;
-  }
-
-  public void setValidate(boolean validate) {
-    this.validate = validate;
-  }
-
-  public String getImportPolicyFilePath() {
-    return importPolicyFilePath;
-  }
-
-  public void setImportPolicyFilePath(String importPolicyFilePath) {
-    this.importPolicyFilePath = importPolicyFilePath;
-  }
-
-  public String getObjectPath() {
-    return objectPath;
-  }
-
-  public void setObjectPath(String objectPath) {
-    this.objectPath = objectPath;
-  }
-
-  public String getExportPolicyFilePath() {
-    return exportPolicyFilePath;
-  }
-
-  public void setExportPolicyFilePath(String exportPolicyFilePath) {
-    this.exportPolicyFilePath = exportPolicyFilePath;
-  }
-
-  public String getSentrySiteFile() {
-    return sentrySiteFile;
-  }
-
-  public void setSentrySiteFile(String sentrySiteFile) {
-    this.sentrySiteFile = sentrySiteFile;
-  }
-
-  public String getPolicyFile() {
-    return policyFile;
-  }
-
-  public void setPolicyFile(String policyFile) {
-    this.policyFile = policyFile;
-  }
-
-  public String getQuery() {
-    return query;
-  }
-
-  public void setQuery(String query) {
-    this.query = query;
-  }
-
-  public String getJdbcURL() {
-    return jdbcURL;
-  }
-
-  public void setJdbcURL(String jdbcURL) {
-    this.jdbcURL = jdbcURL;
-  }
-
-  public String getUser() {
-    return user;
-  }
-
-  public void setUser(String user) {
-    this.user = user;
-  }
-
-  public String getPassWord() {
-    return passWord;
-  }
-
-  public void setPassWord(String passWord) {
-    this.passWord = passWord;
-  }
-
-  public boolean isListPrivs() {
-    return listPrivs;
-  }
-
-  public void setListPrivs(boolean listPrivs) {
-    this.listPrivs = listPrivs;
-  }
-
-  public boolean isImportOverwriteRole() {
-    return importOverwriteRole;
-  }
-
-  public void setImportOverwriteRole(boolean importOverwriteRole) {
-    this.importOverwriteRole = importOverwriteRole;
-  }
-
-  /**
-   * set the required system property to be read by HiveConf and AuthzConf
-   * @throws Exception
-   */
-  public void setupConfig() throws Exception {
-    System.out.println("Configuration: ");
-    CodeSource src = SentryConfigTool.class.getProtectionDomain()
-        .getCodeSource();
-    if (src != null) {
-      System.out.println("Sentry package jar: " + src.getLocation());
-    }
-
-    if (getPolicyFile() != null) {
-      System.setProperty(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(),
-          getPolicyFile());
-    }
-    System.setProperty(AuthzConfVars.SENTRY_TESTING_MODE.getVar(), "true");
-    setHiveConf(new HiveConf(SessionState.class));
-    getHiveConf().setVar(ConfVars.SEMANTIC_ANALYZER_HOOK,
-        HiveAuthzBindingHookBaseV2.class.getName());
-    try {
-      System.out.println("Hive config: " + HiveConf.getHiveSiteLocation());
-    } catch (NullPointerException e) {
-      // Hack, hiveConf doesn't provide a reliable way check if it found a valid
-      // hive-site
-      throw new SentryConfigurationException("Didn't find a hive-site.xml");
-
-    }
-
-    if (getSentrySiteFile() != null) {
-      getHiveConf()
-          .set(HiveAuthzConf.HIVE_SENTRY_CONF_URL, getSentrySiteFile());
-    }
-
-    setAuthzConf(HiveAuthzConf.getAuthzConf(getHiveConf()));
-    System.out.println("Sentry config: "
-        + getAuthzConf().getHiveAuthzSiteFile());
-    System.out.println("Sentry Policy: "
-        + getAuthzConf().get(AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar()));
-    System.out.println("Sentry server: "
-        + getAuthzConf().get(AuthzConfVars.AUTHZ_SERVER_NAME.getVar()));
-
-    setSentryProvider(getAuthorizationProvider());
-  }
-
-  // load auth provider
-  private AuthorizationProvider getAuthorizationProvider()
-      throws IllegalStateException, SentryConfigurationException {
-    String serverName = new Server(getAuthzConf().get(
-        AuthzConfVars.AUTHZ_SERVER_NAME.getVar())).getName();
-    // get the configured sentry provider
-    try {
-      return HiveAuthzBinding.getAuthProvider(getHiveConf(),
-          authzConf, serverName);
-    } catch (SentryConfigurationException eC) {
-      printConfigErrors(eC);
-      throw eC;
-    } catch (Exception e) {
-      throw new IllegalStateException("Couldn't load sentry provider ", e);
-    }
-  }
-
-  // validate policy files
-  public void validatePolicy() throws Exception {
-    try {
-      getSentryProvider().validateResource(true);
-    } catch (SentryConfigurationException e) {
-      printConfigErrors(e);
-      throw e;
-    }
-    System.out.println("No errors found in the policy file");
-  }
-
-  // import the sentry mapping data to database
-  public void importPolicy() throws Exception {
-    String requestorUserName = System.getProperty("user.name", "");
-    // get the FileFormatter according to the configuration
-    SentryPolicyFileFormatter sentryPolicyFileFormatter = SentryPolicyFileFormatFactory
-        .createFileFormatter(authzConf);
-    // parse the input file, get the mapping data in map structure
-    Map<String, Map<String, Set<String>>> policyFileMappingData = sentryPolicyFileFormatter.parse(
-        importPolicyFilePath, authzConf);
-    // todo: here should be an validator to check the data's value, format, hierarchy
-    try(SentryPolicyServiceClient client =
-                SentryServiceClientFactory.create(getAuthzConf())) {
-      // import the mapping data to database
-      client.importPolicy(policyFileMappingData, requestorUserName, importOverwriteRole);
-    }
-  }
-
-  // export the sentry mapping data to file
-  public void exportPolicy() throws Exception {
-    String requestorUserName = System.getProperty("user.name", "");
-    try (SentryPolicyServiceClient client =
-                SentryServiceClientFactory.create(getAuthzConf())) {
-      // export the sentry mapping data from database to map structure
-      Map<String, Map<String, Set<String>>> policyFileMappingData = client
-              .exportPolicy(requestorUserName, objectPath);
-      // get the FileFormatter according to the configuration
-      SentryPolicyFileFormatter sentryPolicyFileFormatter = SentryPolicyFileFormatFactory
-              .createFileFormatter(authzConf);
-      // write the sentry mapping data to exportPolicyFilePath with the data in map structure
-      sentryPolicyFileFormatter.write(exportPolicyFilePath, policyFileMappingData);
-    }
-  }
-
-  // list permissions for given user
-  public void listPrivs() throws Exception {
-    getSentryProvider().validateResource(true);
-    System.out.println("Available privileges for user " + getUser() + ":");
-    Set<String> permList = getSentryProvider().listPrivilegesForSubject(
-        new Subject(getUser()));
-    for (String perms : permList) {
-      System.out.println("\t" + perms);
-    }
-    if (permList.isEmpty()) {
-      System.out.println("\t*** No permissions available ***");
-    }
-  }
-
-  // Verify the given query
-  public void verifyLocalQuery(String queryStr) throws Exception {
-    // setup Hive driver
-    SessionState session = new SessionState(getHiveConf());
-    SessionState.start(session);
-    Driver driver = new Driver(session.getConf(), getUser());
-
-    // compile the query
-    CommandProcessorResponse compilerStatus = driver
-        .compileAndRespond(queryStr);
-    if (compilerStatus.getResponseCode() != 0) {
-      String errMsg = compilerStatus.getErrorMessage();
-      if (errMsg.contains(HiveAuthzConf.HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE)) {
-        printMissingPerms(getHiveConf().get(
-            HiveAuthzConf.HIVE_SENTRY_AUTH_ERRORS));
-      }
-      throw new SemanticException("Compilation error: "
-          + compilerStatus.getErrorMessage());
-    }
-    driver.close();
-    System.out
-        .println("User " + getUser() + " has privileges to run the query");
-  }
-
-  // connect to remote HS2 and run mock query
-  public void verifyRemoteQuery(String queryStr) throws Exception {
-    Class.forName("org.apache.hive.jdbc.HiveDriver");
-    Connection conn = DriverManager.getConnection(getJdbcURL(), getUser(),
-        getPassWord());
-    Statement stmt = conn.createStatement();
-    if (!isSentryEnabledOnHiveServer(stmt)) {
-      throw new IllegalStateException("Sentry is not enabled on HiveServer2");
-    }
-    stmt.execute("set " + HiveAuthzConf.HIVE_SENTRY_MOCK_COMPILATION + "=true");
-    try {
-      stmt.execute(queryStr);
-    } catch (SQLException e) {
-      String errMsg = e.getMessage();
-      if (errMsg.contains(HiveAuthzConf.HIVE_SENTRY_MOCK_ERROR)) {
-        System.out.println("User "
-            + readConfig(stmt, HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME)
-            + " has privileges to run the query");
-        return;
-      } else if (errMsg
-          .contains(HiveAuthzConf.HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE)) {
-        printMissingPerms(readConfig(stmt,
-            HiveAuthzConf.HIVE_SENTRY_AUTH_ERRORS));
-        throw e;
-      } else {
-        throw e;
-      }
-    } finally {
-      if (!stmt.isClosed()) {
-        stmt.close();
-      }
-      conn.close();
-    }
-
-  }
-
-  // verify senty session hook is set
-  private boolean isSentryEnabledOnHiveServer(Statement stmt)
-      throws SQLException {
-    String bindingString = readConfig(stmt, HiveConf.ConfVars.HIVE_SERVER2_SESSION_HOOK.varname).toUpperCase();
-    return bindingString.contains("org.apache.sentry.binding.hive".toUpperCase())
-        && bindingString.contains("HiveAuthzBindingSessionHook".toUpperCase());
-  }
-
-  // read a config value using 'set' statement
-  private String readConfig(Statement stmt, String configKey)
-      throws SQLException {
-    try (ResultSet res = stmt.executeQuery("set " + configKey)) {
-      if (!res.next()) {
-        return null;
-      }
-      // parse key=value result format
-      String result = res.getString(1);
-      res.close();
-      return result.substring(result.indexOf("=") + 1);
-    }
-  }
-
-  // print configuration/policy file errors and warnings
-  private void printConfigErrors(SentryConfigurationException configException)
-      throws SentryConfigurationException {
-    System.out.println(" *** Found configuration problems *** ");
-    for (String errMsg : configException.getConfigErrors()) {
-      System.out.println("ERROR: " + errMsg);
-    }
-    for (String warnMsg : configException.getConfigWarnings()) {
-      System.out.println("Warning: " + warnMsg);
-    }
-  }
-
-  // extract the authorization errors from config property and print
-  private void printMissingPerms(String errMsg) {
-    if (errMsg == null || errMsg.isEmpty()) {
-      return;
-    }
-    System.out.println("*** Query compilation failed ***");
-    String perms[] = errMsg.replaceFirst(
-        ".*" + HiveAuthzConf.HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE, "")
-        .split(";");
-    System.out.println("Required privileges for given query:");
-    for (int count = 0; count < perms.length; count++) {
-      System.out.println(" \t " + perms[count]);
-    }
-  }
-
-  // print usage
-  private void usage(Options sentryOptions) {
-    HelpFormatter formatter = new HelpFormatter();
-    formatter.printHelp("sentry --command config-tool", sentryOptions);
-    System.exit(-1);
-  }
-
-  /**
-   * parse arguments
-   *
-   * <pre>
-   *   -d,--debug                  Enable debug output
-   *   -e,--query <arg>            Query privilege verification, requires -u
-   *   -h,--help                   Print usage
-   *   -i,--policyIni <arg>        Policy file path
-   *   -j,--jdbcURL <arg>          JDBC URL
-   *   -l,--listPrivs,--listPerms  List privilges for given user, requires -u
-   *   -p,--password <arg>         Password
-   *   -s,--sentry-site <arg>      sentry-site file path
-   *   -u,--user <arg>             user name
-   *   -v,--validate               Validate policy file
-   *   -I,--import                 Import policy file
-   *   -E,--export                 Export policy file
-   *   -o,--overwrite              Overwrite the exist role data when do the import
-   *   -b,--objectPath             The path of the object whose privileges will be exported
-   * </pre>
-   *
-   * @param args
-   */
-  private void parseArgs(String[] args) {
-    boolean enableDebug = false;
-
-    Options sentryOptions = new Options();
-
-    Option helpOpt = new Option("h", "help", false, "Print usage");
-    helpOpt.setRequired(false);
-
-    Option validateOpt = new Option("v", "validate", false,
-        "Validate policy file");
-    validateOpt.setRequired(false);
-
-    Option queryOpt = new Option("e", "query", true,
-        "Query privilege verification, requires -u");
-    queryOpt.setRequired(false);
-
-    Option listPermsOpt = new Option("l", "listPerms", false,
-        "list permissions for given user, requires -u");
-    listPermsOpt.setRequired(false);
-    Option listPrivsOpt = new Option("listPrivs", false,
-        "list privileges for given user, requires -u");
-    listPrivsOpt.setRequired(false);
-
-    Option importOpt = new Option("I", "import", true,
-        "Import policy file");
-    importOpt.setRequired(false);
-
-    Option exportOpt = new Option("E", "export", true, "Export policy file");
-    exportOpt.setRequired(false);
-    // required args
-    OptionGroup sentryOptGroup = new OptionGroup();
-    sentryOptGroup.addOption(helpOpt);
-    sentryOptGroup.addOption(validateOpt);
-    sentryOptGroup.addOption(queryOpt);
-    sentryOptGroup.addOption(listPermsOpt);
-    sentryOptGroup.addOption(listPrivsOpt);
-    sentryOptGroup.addOption(importOpt);
-    sentryOptGroup.addOption(exportOpt);
-    sentryOptGroup.setRequired(true);
-    sentryOptions.addOptionGroup(sentryOptGroup);
-
-    // optional args
-    Option jdbcArg = new Option("j", "jdbcURL", true, "JDBC URL");
-    jdbcArg.setRequired(false);
-    sentryOptions.addOption(jdbcArg);
-
-    Option sentrySitePath = new Option("s", "sentry-site", true,
-        "sentry-site file path");
-    sentrySitePath.setRequired(false);
-    sentryOptions.addOption(sentrySitePath);
-
-    Option globalPolicyPath = new Option("i", "policyIni", true,
-        "Policy file path");
-    globalPolicyPath.setRequired(false);
-    sentryOptions.addOption(globalPolicyPath);
-
-    Option userOpt = new Option("u", "user", true, "user name");
-    userOpt.setRequired(false);
-    sentryOptions.addOption(userOpt);
-
-    Option passWordOpt = new Option("p", "password", true, "Password");
-    userOpt.setRequired(false);
-    sentryOptions.addOption(passWordOpt);
-
-    Option debugOpt = new Option("d", "debug", false, "enable debug output");
-    debugOpt.setRequired(false);
-    sentryOptions.addOption(debugOpt);
-
-    Option overwriteOpt = new Option("o", "overwrite", false, "enable import overwrite");
-    overwriteOpt.setRequired(false);
-    sentryOptions.addOption(overwriteOpt);
-
-    Option objectPathOpt = new Option("b", "objectPath",
-        false, "The path of the object whose privileges will be exported");
-    objectPathOpt.setRequired(false);
-    sentryOptions.addOption(objectPathOpt);
-
-    try {
-      Parser parser = new GnuParser();
-      CommandLine cmd = parser.parse(sentryOptions, args);
-
-      for (Option opt : cmd.getOptions()) {
-        if (opt.getOpt().equals("s")) {
-          setSentrySiteFile(opt.getValue());
-        } else if (opt.getOpt().equals("i")) {
-          setPolicyFile(opt.getValue());
-        } else if (opt.getOpt().equals("e")) {
-          setQuery(opt.getValue());
-        } else if (opt.getOpt().equals("j")) {
-          setJdbcURL(opt.getValue());
-        } else if (opt.getOpt().equals("u")) {
-          setUser(opt.getValue());
-        } else if (opt.getOpt().equals("p")) {
-          setPassWord(opt.getValue());
-        } else if (opt.getOpt().equals("l") || opt.getOpt().equals("listPrivs")) {
-          setListPrivs(true);
-        } else if (opt.getOpt().equals("v")) {
-          setValidate(true);
-        } else if (opt.getOpt().equals("I")) {
-          setImportPolicyFilePath(opt.getValue());
-        } else if (opt.getOpt().equals("E")) {
-          setExportPolicyFilePath(opt.getValue());
-        } else if (opt.getOpt().equals("h")) {
-          usage(sentryOptions);
-        } else if (opt.getOpt().equals("d")) {
-          enableDebug = true;
-        } else if (opt.getOpt().equals("o")) {
-          setImportOverwriteRole(true);
-        } else if (opt.getOpt().equals("b")) {
-          setObjectPath(opt.getValue());
-        }
-      }
-
-      if (isListPrivs() && getUser() == null) {
-        throw new ParseException("Can't use -l without -u ");
-      }
-      if (getQuery() != null && getUser() == null) {
-        throw new ParseException("Must use -u with -e ");
-      }
-    } catch (ParseException e1) {
-      usage(sentryOptions);
-    }
-
-    if (!enableDebug) {
-      // turn off log
-      LogManager.getRootLogger().setLevel(Level.OFF);
-    }
-  }
-
-  public static class CommandImpl implements Command {
-    @Override
-    public void run(String[] args) throws Exception {
-      SentryConfigTool sentryTool = new SentryConfigTool();
-
-      try {
-        // parse arguments
-        sentryTool.parseArgs(args);
-
-        // load configuration
-        sentryTool.setupConfig();
-
-        // validate configuration
-        if (sentryTool.isValidate()) {
-          sentryTool.validatePolicy();
-        }
-
-        if (!StringUtils.isEmpty(sentryTool.getImportPolicyFilePath())) {
-          sentryTool.importPolicy();
-        }
-
-        if (!StringUtils.isEmpty(sentryTool.getExportPolicyFilePath())) {
-          sentryTool.exportPolicy();
-        }
-
-        // list permissions for give user
-        if (sentryTool.isListPrivs()) {
-          sentryTool.listPrivs();
-        }
-
-        // verify given query
-        if (sentryTool.getQuery() != null) {
-          if (sentryTool.getJdbcURL() != null) {
-            sentryTool.verifyRemoteQuery(sentryTool.getQuery());
-          } else {
-            sentryTool.verifyLocalQuery(sentryTool.getQuery());
-          }
-        }
-      } catch (Exception e) {
-        System.out.println("Sentry tool reported Errors: " + e.getMessage());
-        e.printStackTrace(System.out);
-        System.exit(1);
-      }
-    }
-  }
-}

http://git-wip-us.apache.org/repos/asf/sentry/blob/e358fde7/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingHookBaseV2.java
----------------------------------------------------------------------
diff --git a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingHookBaseV2.java b/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingHookBaseV2.java
deleted file mode 100644
index 5a21dd3..0000000
--- a/sentry-binding/sentry-binding-hive-v2/src/main/java/org/apache/sentry/binding/hive/v2/HiveAuthzBindingHookBaseV2.java
+++ /dev/null
@@ -1,880 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements.  See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License.  You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.apache.sentry.binding.hive;
-
-import static org.apache.hadoop.hive.metastore.MetaStoreUtils.DEFAULT_DATABASE_NAME;
-
-import java.io.Serializable;
-import java.net.MalformedURLException;
-import java.net.URI;
-import java.net.URL;
-import java.security.CodeSource;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.EnumSet;
-import java.util.List;
-import java.util.Set;
-
-import com.google.common.base.Preconditions;
-import org.apache.hadoop.fs.FileSystem;
-import org.apache.hadoop.fs.Path;
-import org.apache.hadoop.hive.common.JavaUtils;
-import org.apache.hadoop.hive.conf.HiveConf;
-import org.apache.hadoop.hive.conf.HiveConf.ConfVars;
-import org.apache.hadoop.hive.metastore.api.FieldSchema;
-import org.apache.hadoop.hive.ql.exec.FunctionRegistry;
-import org.apache.hadoop.hive.ql.exec.Task;
-import org.apache.hadoop.hive.ql.exec.Utilities;
-import org.apache.hadoop.hive.ql.hooks.Entity;
-import org.apache.hadoop.hive.ql.hooks.Entity.Type;
-import org.apache.hadoop.hive.ql.hooks.Hook;
-import org.apache.hadoop.hive.ql.hooks.ReadEntity;
-import org.apache.hadoop.hive.ql.hooks.WriteEntity;
-import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
-import org.apache.hadoop.hive.ql.parse.ASTNode;
-import org.apache.hadoop.hive.ql.parse.AbstractSemanticAnalyzerHook;
-import org.apache.hadoop.hive.ql.parse.BaseSemanticAnalyzer;
-import org.apache.hadoop.hive.ql.parse.HiveParser;
-import org.apache.hadoop.hive.ql.parse.HiveSemanticAnalyzerHookContext;
-import org.apache.hadoop.hive.ql.parse.SemanticException;
-import org.apache.hadoop.hive.ql.plan.HiveOperation;
-import org.apache.hadoop.hive.ql.plan.PlanUtils;
-import org.apache.hadoop.hive.ql.session.SessionState;
-import org.apache.sentry.binding.hive.authz.HiveAuthzBinding;
-import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges;
-import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationScope;
-import org.apache.sentry.binding.hive.authz.HiveAuthzPrivileges.HiveOperationType;
-import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
-import org.apache.sentry.core.common.Subject;
-import org.apache.sentry.core.common.utils.PathUtils;
-import org.apache.sentry.core.model.db.AccessURI;
-import org.apache.sentry.core.model.db.Column;
-import org.apache.sentry.core.model.db.DBModelAction;
-import org.apache.sentry.core.model.db.DBModelAuthorizable;
-import org.apache.sentry.core.model.db.DBModelAuthorizable.AuthorizableType;
-import org.apache.sentry.core.model.db.Database;
-import org.apache.sentry.core.model.db.Table;
-import org.apache.sentry.provider.cache.PrivilegeCache;
-import org.apache.sentry.provider.cache.SimplePrivilegeCache;
-import org.apache.sentry.provider.common.AuthorizationProvider;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.annotations.VisibleForTesting;
-import com.google.common.base.Splitter;
-import com.google.common.collect.ImmutableList;
-import com.google.common.collect.Lists;
-import com.google.common.collect.Sets;
-
-public abstract class HiveAuthzBindingHookBaseV2 extends AbstractSemanticAnalyzerHook {
-  private static final Logger LOG = LoggerFactory
-      .getLogger(HiveAuthzBindingHookBaseV2.class);
-  protected final HiveAuthzBinding hiveAuthzBinding;
-  protected final HiveAuthzConf authzConf;
-  protected Database currDB = Database.ALL;
-  protected Table currTab;
-  protected List<AccessURI> udfURIs;
-  protected AccessURI serdeURI;
-  protected AccessURI partitionURI;
-  protected Table currOutTab = null;
-  protected Database currOutDB = null;
-  protected final List<String> serdeWhiteList;
-  protected boolean serdeURIPrivilegesEnabled;
-
-  protected final static HiveAuthzPrivileges columnMetaDataPrivilege =
-      new HiveAuthzPrivileges.AuthzPrivilegeBuilder()
-          .addInputObjectPriviledge(AuthorizableType.Column,
-              EnumSet.of(DBModelAction.SELECT, DBModelAction.INSERT))
-          .setOperationScope(HiveOperationScope.COLUMN).setOperationType(HiveOperationType.INFO)
-          .build();
-
-  // True if this is a basic DESCRIBE <table> operation. False for other DESCRIBE variants
-  // like DESCRIBE [FORMATTED|EXTENDED]. Required because Hive treats these stmts as the same
-  // HiveOperationType, but we want to enforces different privileges on each statement.
-  // Basic DESCRIBE <table> is allowed with only column-level privs, while the variants
-  // require table-level privileges.
-  protected boolean isDescTableBasic = false;
-
-  public HiveAuthzBindingHookBaseV2() throws Exception {
-    SessionState session = SessionState.get();
-    if(session == null) {
-      throw new IllegalStateException("Session has not been started");
-    }
-    // HACK: set a random classname to force the Auth V2 in Hive
-    SessionState.get().setAuthorizer(null);
-
-    HiveConf hiveConf = session.getConf();
-    if(hiveConf == null) {
-      throw new IllegalStateException("Session HiveConf is null");
-    }
-    authzConf = loadAuthzConf(hiveConf);
-    udfURIs = Lists.newArrayList();
-    hiveAuthzBinding = new HiveAuthzBinding(hiveConf, authzConf);
-    String serdeWhiteLists =
-        authzConf.get(HiveAuthzConf.HIVE_SENTRY_SERDE_WHITELIST,
-            HiveAuthzConf.HIVE_SENTRY_SERDE_WHITELIST_DEFAULT);
-    serdeWhiteList = Arrays.asList(serdeWhiteLists.split(","));
-    serdeURIPrivilegesEnabled =
-        authzConf.getBoolean(HiveAuthzConf.HIVE_SENTRY_SERDE_URI_PRIVILIEGES_ENABLED,
-            HiveAuthzConf.HIVE_SENTRY_SERDE_URI_PRIVILIEGES_ENABLED_DEFAULT);
-
-    FunctionRegistry.setupPermissionsForBuiltinUDFs("", HiveAuthzConf.HIVE_UDF_BLACK_LIST);
-  }
-
-  public static HiveAuthzConf loadAuthzConf(HiveConf hiveConf) {
-    boolean depreicatedConfigFile = false;
-    HiveAuthzConf newAuthzConf = null;
-    String hiveAuthzConf = hiveConf.get(HiveAuthzConf.HIVE_SENTRY_CONF_URL);
-    if(hiveAuthzConf == null || (hiveAuthzConf = hiveAuthzConf.trim()).isEmpty()) {
-      hiveAuthzConf = hiveConf.get(HiveAuthzConf.HIVE_ACCESS_CONF_URL);
-      depreicatedConfigFile = true;
-    }
-
-    if(hiveAuthzConf == null || (hiveAuthzConf = hiveAuthzConf.trim()).isEmpty()) {
-      throw new IllegalArgumentException("Configuration key " + HiveAuthzConf.HIVE_SENTRY_CONF_URL
-          + " value '" + hiveAuthzConf + "' is invalid.");
-    }
-    try {
-      newAuthzConf = new HiveAuthzConf(new URL(hiveAuthzConf));
-    } catch (MalformedURLException e) {
-      if (depreicatedConfigFile) {
-        throw new IllegalArgumentException("Configuration key " + HiveAuthzConf.HIVE_ACCESS_CONF_URL
-            + " specifies a malformed URL '" + hiveAuthzConf + "'", e);
-      } else {
-        throw new IllegalArgumentException("Configuration key " + HiveAuthzConf.HIVE_SENTRY_CONF_URL
-            + " specifies a malformed URL '" + hiveAuthzConf + "'", e);
-      }
-    }
-    return newAuthzConf;
-  }
-
-  @Override
-  public abstract ASTNode preAnalyze(HiveSemanticAnalyzerHookContext context, ASTNode ast)
-      throws SemanticException;
-
-  /**
-   * Post analyze hook that invokes hive auth bindings
-   */
-  @Override
-  public abstract void postAnalyze(HiveSemanticAnalyzerHookContext context,
-      List<Task<? extends Serializable>> rootTasks) throws SemanticException;
-
-  protected void executeOnFailureHooks(HiveSemanticAnalyzerHookContext context,
-      HiveOperation hiveOp, AuthorizationException e) {
-    SentryOnFailureHookContext hookCtx = new SentryOnFailureHookContextImpl(
-        context.getCommand(), context.getInputs(), context.getOutputs(),
-        hiveOp, currDB, currTab, udfURIs, null, context.getUserName(),
-        context.getIpAddress(), e, context.getConf());
-    String csHooks = authzConf.get(
-        HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar(), "").trim();
-
-    try {
-      for (Hook aofh : getHooks(csHooks)) {
-        ((SentryOnFailureHook)aofh).run(hookCtx);
-      }
-    } catch (Exception ex) {
-      LOG.error("Error executing hook:", ex);
-    }
-  }
-
-  /**
-   * The command 'create function ... using jar <jar resources>' can create a function
-   * with the supplied jar resources in the command, which is translated into ASTNode being
-   * [functionName functionClass resourceList] and resourceList being [resourceType resourcePath].
-   * This function collects all the jar paths for the supplied jar resources.
-   *
-   * @param ast the AST node for the command
-   * @return    the jar path list if any or an empty list
-   */
-  protected List<String> getFunctionJars(ASTNode ast) {
-    ASTNode resourcesNode = (ASTNode) ast.getFirstChildWithType(HiveParser.TOK_RESOURCE_LIST);
-
-    List<String> resources = new ArrayList<String>();
-    if (resourcesNode != null) {
-      for (int idx = 0; idx < resourcesNode.getChildCount(); ++idx) {
-        ASTNode resNode = (ASTNode) resourcesNode.getChild(idx);
-        ASTNode resTypeNode = (ASTNode) resNode.getChild(0);
-        ASTNode resUriNode = (ASTNode) resNode.getChild(1);
-        if (resTypeNode.getType() == HiveParser.TOK_JAR) {
-          resources.add(PlanUtils.stripQuotes(resUriNode.getText()));
-        }
-      }
-    }
-
-    return resources;
-  }
-
-  @VisibleForTesting
-  protected static AccessURI extractPartition(ASTNode ast) throws SemanticException {
-    for (int i = 0; i < ast.getChildCount(); i++) {
-      ASTNode child = (ASTNode)ast.getChild(i);
-      if (child.getToken().getType() == HiveParser.TOK_PARTITIONLOCATION &&
-          child.getChildCount() == 1) {
-        return parseURI(BaseSemanticAnalyzer.
-          unescapeSQLString(child.getChild(0).getText()));
-      }
-    }
-    return null;
-  }
-
-  @VisibleForTesting
-  protected static AccessURI parseURI(String uri) throws SemanticException {
-    return parseURI(uri, false);
-  }
-
-  @VisibleForTesting
-  protected static AccessURI parseURI(String uri, boolean isLocal)
-      throws SemanticException {
-    try {
-      HiveConf conf = SessionState.get().getConf();
-      String warehouseDir = conf.getVar(ConfVars.METASTOREWAREHOUSE);
-      Path warehousePath = new Path(warehouseDir);
-
-      // If warehousePath is an absolute path and a scheme is null and authority is null as well,
-      // qualified it with default file system scheme and authority.
-      if (warehousePath.isAbsoluteAndSchemeAuthorityNull()) {
-        URI defaultUri = FileSystem.getDefaultUri(conf);
-        warehousePath = warehousePath.makeQualified(defaultUri, warehousePath);
-        warehouseDir = warehousePath.toUri().toString();
-      }
-      return new AccessURI(PathUtils.parseURI(warehouseDir, uri, isLocal));
-    } catch (Exception e) {
-      throw new SemanticException("Error parsing URI " + uri + ": " +
-        e.getMessage(), e);
-    }
-  }
-
-  // Find the current database for session
-  protected Database getCanonicalDb() {
-    return new Database(SessionState.get().getCurrentDatabase());
-  }
-
-  protected void extractDbTableNameFromTOKTABLE(ASTNode astNode) throws SemanticException{
-    String[] fqTableName = BaseSemanticAnalyzer.getQualifiedTableName(astNode);
-    Preconditions.checkArgument(fqTableName.length == 2, "BaseSemanticAnalyzer.getQualifiedTableName should return " +
-            "an array with dbName and tableName");
-    currOutDB = new Database(fqTableName[0]);
-    currOutTab = new Table(fqTableName[1]);
-  }
-
-  /*TODO: Deprecate */
-  protected Database extractDatabase(ASTNode ast) throws SemanticException {
-    String tableName = BaseSemanticAnalyzer.getUnescapedName(ast);
-    if (tableName.contains(".")) {
-      return new Database(tableName.split("\\.")[0]);
-    } else {
-      return getCanonicalDb();
-    }
-  }
-  /*TODO: Deprecate */
-  protected Table extractTable(ASTNode ast) throws SemanticException {
-    String tableName = BaseSemanticAnalyzer.getUnescapedName(ast);
-    if (tableName.contains(".")) {
-      return new Table(tableName.split("\\.")[1]);
-    } else {
-      return new Table(tableName);
-    }
-  }
-
-  public static void runFailureHook(SentryOnFailureHookContext hookContext,
-      String csHooks) {
-    try {
-      for (Hook aofh : getHooks(csHooks)) {
-        ((SentryOnFailureHook) aofh).run(hookContext);
-      }
-    } catch (Exception ex) {
-      LOG.error("Error executing hook:", ex);
-    }
-  }
-  /**
-   * Convert the input/output entities into authorizables. generate
-   * authorizables for cases like Database and metadata operations where the
-   * compiler doesn't capture entities. invoke the hive binding to validate
-   * permissions
-   *
-   * @param context
-   * @param stmtAuthObject
-   * @param stmtOperation
-   * @throws AuthorizationException
-   */
-  protected void authorizeWithHiveBindings(HiveSemanticAnalyzerHookContext context,
-      HiveAuthzPrivileges stmtAuthObject, HiveOperation stmtOperation) throws  AuthorizationException {
-    Set<ReadEntity> inputs = context.getInputs();
-    Set<WriteEntity> outputs = context.getOutputs();
-    List<List<DBModelAuthorizable>> inputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
-    List<List<DBModelAuthorizable>> outputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
-
-    if(LOG.isDebugEnabled()) {
-      LOG.debug("stmtAuthObject.getOperationScope() = " + stmtAuthObject.getOperationScope());
-      LOG.debug("context.getInputs() = " + context.getInputs());
-      LOG.debug("context.getOutputs() = " + context.getOutputs());
-    }
-
-    // Workaround to allow DESCRIBE <table> to be executed with only column-level privileges, while
-    // still authorizing DESCRIBE [EXTENDED|FORMATTED] as table-level.
-    // This is done by treating DESCRIBE <table> the same as SHOW COLUMNS, which only requires column
-    // level privs.
-    if (isDescTableBasic) {
-      stmtAuthObject = columnMetaDataPrivilege;
-    }
-
-    switch (stmtAuthObject.getOperationScope()) {
-
-    case SERVER :
-      // validate server level privileges if applicable. Eg create UDF,register jar etc ..
-      List<DBModelAuthorizable> serverHierarchy = new ArrayList<DBModelAuthorizable>();
-      serverHierarchy.add(hiveAuthzBinding.getAuthServer());
-      inputHierarchy.add(serverHierarchy);
-      break;
-    case DATABASE:
-      // workaround for database scope statements (create/alter/drop db)
-      List<DBModelAuthorizable> dbHierarchy = new ArrayList<DBModelAuthorizable>();
-      dbHierarchy.add(hiveAuthzBinding.getAuthServer());
-      dbHierarchy.add(currDB);
-      inputHierarchy.add(dbHierarchy);
-
-      if (currOutDB != null) {
-        List<DBModelAuthorizable> outputDbHierarchy = new ArrayList<DBModelAuthorizable>();
-        outputDbHierarchy.add(hiveAuthzBinding.getAuthServer());
-        outputDbHierarchy.add(currOutDB);
-        outputHierarchy.add(outputDbHierarchy);
-      } else {
-        outputHierarchy.add(dbHierarchy);
-      }
-
-      getInputHierarchyFromInputs(inputHierarchy, inputs);
-
-      if (serdeURI != null) {
-        List<DBModelAuthorizable> serdeUriHierarchy = new ArrayList<DBModelAuthorizable>();
-        serdeUriHierarchy.add(hiveAuthzBinding.getAuthServer());
-        serdeUriHierarchy.add(serdeURI);
-        outputHierarchy.add(serdeUriHierarchy);
-      }
-      break;
-    case TABLE:
-      // workaround for add partitions
-      if(partitionURI != null) {
-        inputHierarchy.add(ImmutableList.of(hiveAuthzBinding.getAuthServer(), partitionURI));
-      }
-
-      getInputHierarchyFromInputs(inputHierarchy, inputs);
-      for (WriteEntity writeEntity: outputs) {
-        if (filterWriteEntity(writeEntity)) {
-          continue;
-        }
-        List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>();
-        entityHierarchy.add(hiveAuthzBinding.getAuthServer());
-        entityHierarchy.addAll(getAuthzHierarchyFromEntity(writeEntity));
-        outputHierarchy.add(entityHierarchy);
-      }
-      // workaround for metadata queries.
-      // Capture the table name in pre-analyze and include that in the input entity list
-      if (currTab != null) {
-        List<DBModelAuthorizable> externalAuthorizableHierarchy = new ArrayList<DBModelAuthorizable>();
-        externalAuthorizableHierarchy.add(hiveAuthzBinding.getAuthServer());
-        externalAuthorizableHierarchy.add(currDB);
-        externalAuthorizableHierarchy.add(currTab);
-        inputHierarchy.add(externalAuthorizableHierarchy);
-      }
-
-
-
-      // workaround for DDL statements
-      // Capture the table name in pre-analyze and include that in the output entity list
-      if (currOutTab != null) {
-        List<DBModelAuthorizable> externalAuthorizableHierarchy = new ArrayList<DBModelAuthorizable>();
-        externalAuthorizableHierarchy.add(hiveAuthzBinding.getAuthServer());
-        externalAuthorizableHierarchy.add(currOutDB);
-        externalAuthorizableHierarchy.add(currOutTab);
-        outputHierarchy.add(externalAuthorizableHierarchy);
-      }
-
-      if (serdeURI != null) {
-        List<DBModelAuthorizable> serdeUriHierarchy = new ArrayList<DBModelAuthorizable>();
-        serdeUriHierarchy.add(hiveAuthzBinding.getAuthServer());
-        serdeUriHierarchy.add(serdeURI);
-        outputHierarchy.add(serdeUriHierarchy);
-      }
-
-      break;
-    case FUNCTION:
-      /* The 'FUNCTION' privilege scope currently used for
-       *  - CREATE TEMP FUNCTION
-       *  - DROP TEMP FUNCTION.
-       */
-      if (!udfURIs.isEmpty()) {
-        List<DBModelAuthorizable> udfUriHierarchy = new ArrayList<DBModelAuthorizable>();
-        udfUriHierarchy.add(hiveAuthzBinding.getAuthServer());
-        udfUriHierarchy.addAll(udfURIs);
-        inputHierarchy.add(udfUriHierarchy);
-        for (WriteEntity writeEntity : outputs) {
-          List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>();
-          entityHierarchy.add(hiveAuthzBinding.getAuthServer());
-          entityHierarchy.addAll(getAuthzHierarchyFromEntity(writeEntity));
-          outputHierarchy.add(entityHierarchy);
-        }
-      }
-      break;
-    case CONNECT:
-      /* The 'CONNECT' is an implicit privilege scope currently used for
-       *  - USE <db>
-       *  It's allowed when the user has any privilege on the current database. For application
-       *  backward compatibility, we allow (optional) implicit connect permission on 'default' db.
-       */
-      List<DBModelAuthorizable> connectHierarchy = new ArrayList<DBModelAuthorizable>();
-      connectHierarchy.add(hiveAuthzBinding.getAuthServer());
-      // by default allow connect access to default db
-      Table currTbl = Table.ALL;
-      Column currCol = Column.ALL;
-      if (DEFAULT_DATABASE_NAME.equalsIgnoreCase(currDB.getName()) &&
-          "false".equalsIgnoreCase(authzConf.
-              get(HiveAuthzConf.AuthzConfVars.AUTHZ_RESTRICT_DEFAULT_DB.getVar(), "false"))) {
-        currDB = Database.ALL;
-        currTbl = Table.SOME;
-      }
-
-      connectHierarchy.add(currDB);
-      connectHierarchy.add(currTbl);
-      connectHierarchy.add(currCol);
-
-      inputHierarchy.add(connectHierarchy);
-      outputHierarchy.add(connectHierarchy);
-      break;
-    case COLUMN:
-      for (ReadEntity readEntity: inputs) {
-        if (readEntity.getAccessedColumns() != null && !readEntity.getAccessedColumns().isEmpty()) {
-          addColumnHierarchy(inputHierarchy, readEntity);
-        } else {
-          List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>();
-          entityHierarchy.add(hiveAuthzBinding.getAuthServer());
-          entityHierarchy.addAll(getAuthzHierarchyFromEntity(readEntity));
-          entityHierarchy.add(Column.ALL);
-          inputHierarchy.add(entityHierarchy);
-        }
-      }
-      break;
-    default:
-      throw new AuthorizationException("Unknown operation scope type " +
-          stmtAuthObject.getOperationScope().toString());
-    }
-
-    HiveAuthzBinding binding = null;
-    try {
-      binding = getHiveBindingWithPrivilegeCache(hiveAuthzBinding, context.getUserName());
-    } catch (SemanticException e) {
-      // Will use the original hiveAuthzBinding
-      binding = hiveAuthzBinding;
-    }
-    // validate permission
-    binding.authorize(stmtOperation, stmtAuthObject, getCurrentSubject(context), inputHierarchy,
-        outputHierarchy);
-  }
-
-  // Build the hierarchy of authorizable object for the given entity type.
-  private List<DBModelAuthorizable> getAuthzHierarchyFromEntity(Entity entity) {
-    List<DBModelAuthorizable> objectHierarchy = new ArrayList<DBModelAuthorizable>();
-    switch (entity.getType()) {
-    case TABLE:
-      objectHierarchy.add(new Database(entity.getTable().getDbName()));
-      objectHierarchy.add(new Table(entity.getTable().getTableName()));
-      break;
-    case PARTITION:
-    case DUMMYPARTITION:
-      objectHierarchy.add(new Database(entity.getPartition().getTable().getDbName()));
-      objectHierarchy.add(new Table(entity.getPartition().getTable().getTableName()));
-      break;
-    case DFS_DIR:
-    case LOCAL_DIR:
-      try {
-        objectHierarchy.add(parseURI(entity.toString(),
-            entity.getType().equals(Entity.Type.LOCAL_DIR)));
-      } catch (Exception e) {
-        throw new AuthorizationException("Failed to get File URI", e);
-      }
-      break;
-    case DATABASE:
-    case FUNCTION:
-      // TODO use database entities from compiler instead of capturing from AST
-      break;
-    default:
-      throw new UnsupportedOperationException("Unsupported entity type " +
-          entity.getType().name());
-    }
-    return objectHierarchy;
-  }
-
-  /**
-   * Add column level hierarchy to inputHierarchy
-   *
-   * @param inputHierarchy
-   * @param entity
-   * @param sentryContext
-   */
-  protected void addColumnHierarchy(List<List<DBModelAuthorizable>> inputHierarchy,
-      ReadEntity entity) {
-    List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>();
-    entityHierarchy.add(hiveAuthzBinding.getAuthServer());
-    entityHierarchy.addAll(getAuthzHierarchyFromEntity(entity));
-
-    switch (entity.getType()) {
-    case TABLE:
-    case PARTITION:
-      List<String> cols = entity.getAccessedColumns();
-      for (String col : cols) {
-        List<DBModelAuthorizable> colHierarchy = new ArrayList<DBModelAuthorizable>(entityHierarchy);
-        colHierarchy.add(new Column(col));
-        inputHierarchy.add(colHierarchy);
-      }
-      break;
-    default:
-      inputHierarchy.add(entityHierarchy);
-    }
-  }
-
-  /**
-   * Get Authorizable from inputs and put into inputHierarchy
-   *
-   * @param inputHierarchy
-   * @param entity
-   * @param sentryContext
-   */
-  protected void getInputHierarchyFromInputs(List<List<DBModelAuthorizable>> inputHierarchy,
-      Set<ReadEntity> inputs) {
-    for (ReadEntity readEntity: inputs) {
-      // skip the tables/view that are part of expanded view definition
-      // skip the Hive generated dummy entities created for queries like 'select <expr>'
-      if (isChildTabForView(readEntity) || isDummyEntity(readEntity)) {
-        continue;
-      }
-      if (readEntity.getAccessedColumns() != null && !readEntity.getAccessedColumns().isEmpty()) {
-        addColumnHierarchy(inputHierarchy, readEntity);
-      } else {
-        List<DBModelAuthorizable> entityHierarchy = new ArrayList<DBModelAuthorizable>();
-        entityHierarchy.add(hiveAuthzBinding.getAuthServer());
-        entityHierarchy.addAll(getAuthzHierarchyFromEntity(readEntity));
-        inputHierarchy.add(entityHierarchy);
-      }
-    }
-  }
-
-  // Check if this write entity needs to skipped
-  private boolean filterWriteEntity(WriteEntity writeEntity)
-      throws AuthorizationException {
-    // skip URI validation for session scratch file URIs
-    if (writeEntity.isTempURI()) {
-      return true;
-    }
-    try {
-      if (writeEntity.getTyp().equals(Type.DFS_DIR)
-          || writeEntity.getTyp().equals(Type.LOCAL_DIR)) {
-        HiveConf conf = SessionState.get().getConf();
-        String warehouseDir = conf.getVar(ConfVars.METASTOREWAREHOUSE);
-        URI scratchURI = new URI(PathUtils.parseDFSURI(warehouseDir,
-          conf.getVar(HiveConf.ConfVars.SCRATCHDIR)));
-        URI requestURI = new URI(PathUtils.parseDFSURI(warehouseDir,
-          writeEntity.getLocation().getPath()));
-        LOG.debug("scratchURI = " + scratchURI + ", requestURI = " + requestURI);
-        if (PathUtils.impliesURI(scratchURI, requestURI)) {
-          return true;
-        }
-        URI localScratchURI = new URI(PathUtils.parseLocalURI(conf.getVar(HiveConf.ConfVars.LOCALSCRATCHDIR)));
-        URI localRequestURI = new URI(PathUtils.parseLocalURI(writeEntity.getLocation().getPath()));
-        LOG.debug("localScratchURI = " + localScratchURI + ", localRequestURI = " + localRequestURI);
-        if (PathUtils.impliesURI(localScratchURI, localRequestURI)) {
-          return true;
-        }
-      }
-    } catch (Exception e) {
-      throw new AuthorizationException("Failed to extract uri details", e);
-    }
-    return false;
-  }
-
-  public static List<String> filterShowTables(
-      HiveAuthzBinding hiveAuthzBinding, List<String> queryResult,
-      HiveOperation operation, String userName, String dbName)
-          throws SemanticException {
-    List<String> filteredResult = new ArrayList<String>();
-    Subject subject = new Subject(userName);
-    HiveAuthzPrivileges tableMetaDataPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
-        addInputObjectPriviledge(AuthorizableType.Column, EnumSet.of(DBModelAction.SELECT, DBModelAction.INSERT)).
-        setOperationScope(HiveOperationScope.TABLE).
-        setOperationType(HiveOperationType.INFO).
-        build();
-
-    HiveAuthzBinding hiveBindingWithPrivilegeCache = getHiveBindingWithPrivilegeCache(hiveAuthzBinding, userName);
-
-    for (String tableName : queryResult) {
-      // if user has privileges on table, add to filtered list, else discard
-      Table table = new Table(tableName);
-      Database database;
-      database = new Database(dbName);
-
-      List<List<DBModelAuthorizable>> inputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
-      List<List<DBModelAuthorizable>> outputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
-      List<DBModelAuthorizable> externalAuthorizableHierarchy = new ArrayList<DBModelAuthorizable>();
-      externalAuthorizableHierarchy.add(hiveAuthzBinding.getAuthServer());
-      externalAuthorizableHierarchy.add(database);
-      externalAuthorizableHierarchy.add(table);
-      externalAuthorizableHierarchy.add(Column.ALL);
-      inputHierarchy.add(externalAuthorizableHierarchy);
-
-      try {
-        // do the authorization by new HiveAuthzBinding with PrivilegeCache
-        hiveBindingWithPrivilegeCache.authorize(operation, tableMetaDataPrivilege, subject,
-            inputHierarchy, outputHierarchy);
-        filteredResult.add(table.getName());
-      } catch (AuthorizationException e) {
-        // squash the exception, user doesn't have privileges, so the table is
-        // not added to
-        // filtered list.
-      }
-    }
-    return filteredResult;
-  }
-
-  public static List<FieldSchema> filterShowColumns(
-      HiveAuthzBinding hiveAuthzBinding, List<FieldSchema> cols,
-      HiveOperation operation, String userName, String tableName, String dbName)
-          throws SemanticException {
-    List<FieldSchema> filteredResult = new ArrayList<FieldSchema>();
-    Subject subject = new Subject(userName);
-    HiveAuthzBinding hiveBindingWithPrivilegeCache = getHiveBindingWithPrivilegeCache(hiveAuthzBinding, userName);
-
-    Database database = new Database(dbName);
-    Table table = new Table(tableName);
-    for (FieldSchema col : cols) {
-      // if user has privileges on column, add to filtered list, else discard
-      List<List<DBModelAuthorizable>> inputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
-      List<List<DBModelAuthorizable>> outputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
-      List<DBModelAuthorizable> externalAuthorizableHierarchy = new ArrayList<DBModelAuthorizable>();
-      externalAuthorizableHierarchy.add(hiveAuthzBinding.getAuthServer());
-      externalAuthorizableHierarchy.add(database);
-      externalAuthorizableHierarchy.add(table);
-      externalAuthorizableHierarchy.add(new Column(col.getName()));
-      inputHierarchy.add(externalAuthorizableHierarchy);
-
-      try {
-        // do the authorization by new HiveAuthzBinding with PrivilegeCache
-        hiveBindingWithPrivilegeCache.authorize(operation, columnMetaDataPrivilege, subject,
-            inputHierarchy, outputHierarchy);
-        filteredResult.add(col);
-      } catch (AuthorizationException e) {
-        // squash the exception, user doesn't have privileges, so the column is
-        // not added to
-        // filtered list.
-      }
-    }
-    return filteredResult;
-  }
-
-  public static List<String> filterShowDatabases(
-      HiveAuthzBinding hiveAuthzBinding, List<String> queryResult,
-      HiveOperation operation, String userName) throws SemanticException {
-    List<String> filteredResult = new ArrayList<String>();
-    Subject subject = new Subject(userName);
-    HiveAuthzBinding hiveBindingWithPrivilegeCache = getHiveBindingWithPrivilegeCache(hiveAuthzBinding, userName);
-
-    HiveAuthzPrivileges anyPrivilege = new HiveAuthzPrivileges.AuthzPrivilegeBuilder().
-        addInputObjectPriviledge(AuthorizableType.Column, EnumSet.of(DBModelAction.SELECT, DBModelAction.INSERT)).
-        addInputObjectPriviledge(AuthorizableType.URI, EnumSet.of(DBModelAction.SELECT)).
-        setOperationScope(HiveOperationScope.CONNECT).
-        setOperationType(HiveOperationType.QUERY).
-        build();
-
-    for (String dbName:queryResult) {
-      // if user has privileges on database, add to filtered list, else discard
-      Database database = null;
-
-      // if default is not restricted, continue
-      if (DEFAULT_DATABASE_NAME.equalsIgnoreCase(dbName) && "false".equalsIgnoreCase(
-        hiveAuthzBinding.getAuthzConf().get(
-              HiveAuthzConf.AuthzConfVars.AUTHZ_RESTRICT_DEFAULT_DB.getVar(),
-              "false"))) {
-        filteredResult.add(DEFAULT_DATABASE_NAME);
-        continue;
-      }
-
-      database = new Database(dbName);
-
-      List<List<DBModelAuthorizable>> inputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
-      List<List<DBModelAuthorizable>> outputHierarchy = new ArrayList<List<DBModelAuthorizable>>();
-      List<DBModelAuthorizable> externalAuthorizableHierarchy = new ArrayList<DBModelAuthorizable>();
-      externalAuthorizableHierarchy.add(hiveAuthzBinding.getAuthServer());
-      externalAuthorizableHierarchy.add(database);
-      externalAuthorizableHierarchy.add(Table.ALL);
-      externalAuthorizableHierarchy.add(Column.ALL);
-      inputHierarchy.add(externalAuthorizableHierarchy);
-
-      try {
-        // do the authorization by new HiveAuthzBinding with PrivilegeCache
-        hiveBindingWithPrivilegeCache.authorize(operation, anyPrivilege, subject,
-            inputHierarchy, outputHierarchy);
-        filteredResult.add(database.getName());
-      } catch (AuthorizationException e) {
-        // squash the exception, user doesn't have privileges, so the table is
-        // not added to
-        // filtered list.
-      }
-    }
-
-    return filteredResult;
-  }
-
-  /**
-   * Check if the given read entity is a table that has parents of type Table
-   * Hive compiler performs a query rewrite by replacing view with its definition. In the process, tt captures both
-   * the original view and the tables/view that it selects from .
-   * The access authorization is only interested in the top level views and not the underlying tables.
-   * @param readEntity
-   * @return
-   */
-  private boolean isChildTabForView(ReadEntity readEntity) {
-    // If this is a table added for view, then we need to skip that
-    if (!readEntity.getType().equals(Type.TABLE) && !readEntity.getType().equals(Type.PARTITION)) {
-      return false;
-    }
-    if (readEntity.getParents() != null && readEntity.getParents().size() > 0) {
-      for (ReadEntity parentEntity : readEntity.getParents()) {
-        if (!parentEntity.getType().equals(Type.TABLE)) {
-          return false;
-        }
-      }
-      return true;
-    } else {
-      return false;
-    }
-  }
-
-  /**
-   * Returns the hooks specified in a configuration variable.  The hooks are returned in a list in
-   * the order they were specified in the configuration variable.
-   *
-   * @param hookConfVar The configuration variable specifying a comma separated list of the hook
-   *                    class names.
-   * @return            A list of the hooks, in the order they are listed in the value of hookConfVar
-   * @throws Exception
-   */
-  private static <T extends Hook> List<T> getHooks(String csHooks) throws Exception {
-
-    List<T> hooks = new ArrayList<T>();
-    if (csHooks.isEmpty()) {
-      return hooks;
-    }
-    for (String hookClass : Splitter.on(",").omitEmptyStrings().trimResults().split(csHooks)) {
-      try {
-        @SuppressWarnings("unchecked")
-        T hook =
-            (T) Class.forName(hookClass, true, JavaUtils.getClassLoader()).newInstance();
-        hooks.add(hook);
-      } catch (ClassNotFoundException e) {
-        LOG.error(hookClass + " Class not found:" + e.getMessage());
-        throw e;
-      }
-    }
-
-    return hooks;
-  }
-
-  // Check if the given entity is identified as dummy by Hive compilers.
-  private boolean isDummyEntity(Entity entity) {
-    return entity.isDummy();
-  }
-
-  // create hiveBinding with PrivilegeCache
-  private static HiveAuthzBinding getHiveBindingWithPrivilegeCache(HiveAuthzBinding hiveAuthzBinding,
-      String userName) throws SemanticException {
-    // get the original HiveAuthzBinding, and get the user's privileges by AuthorizationProvider
-    AuthorizationProvider authProvider = hiveAuthzBinding.getCurrentAuthProvider();
-    Set<String> userPrivileges =
-        authProvider.getPolicyEngine().getPrivileges(
-            authProvider.getGroupMapping().getGroups(userName), Sets.newHashSet(userName),
-            hiveAuthzBinding.getActiveRoleSet(), hiveAuthzBinding.getAuthServer());
-
-    // create PrivilegeCache using user's privileges
-    PrivilegeCache privilegeCache = new SimplePrivilegeCache(userPrivileges);
-    try {
-      // create new instance of HiveAuthzBinding whose backend provider should be SimpleCacheProviderBackend
-      return new HiveAuthzBinding(HiveAuthzBinding.HiveHook.HiveServer2, hiveAuthzBinding.getHiveConf(),
-              hiveAuthzBinding.getAuthzConf(), privilegeCache);
-    } catch (Exception e) {
-      LOG.error("Can not create HiveAuthzBinding with privilege cache.");
-      throw new SemanticException(e);
-    }
-  }
-
-  private static boolean hasPrefixMatch(List<String> prefixList, final String str) {
-    for (String prefix : prefixList) {
-      if (str.startsWith(prefix)) {
-        return true;
-      }
-    }
-
-    return false;
-  }
-
-  /**
-   * Set the Serde URI privileges. If the URI privileges are not set, which serdeURI will be null,
-   * the URI authorization checks will be skipped.
-   */
-  protected void setSerdeURI(String serdeClassName) throws SemanticException {
-    if (!serdeURIPrivilegesEnabled) {
-      return;
-    }
-
-    // WhiteList Serde Jar can be used by any users. WhiteList checking is
-    // done by comparing the Java package name. The assumption is cluster
-    // admin will ensure there is no Java namespace collision.
-    // e.g org.apache.hadoop.hive.serde2 is used by hive and cluster admin should
-    // ensure no custom Serde class is introduced under the same namespace.
-    if (!hasPrefixMatch(serdeWhiteList, serdeClassName)) {
-      try {
-        CodeSource serdeSrc =
-            Class.forName(serdeClassName, true, Utilities.getSessionSpecifiedClassLoader())
-                .getProtectionDomain().getCodeSource();
-        if (serdeSrc == null) {
-          throw new SemanticException("Could not resolve the jar for Serde class " + serdeClassName);
-        }
-
-        String serdeJar = serdeSrc.getLocation().getPath();
-        if (serdeJar == null || serdeJar.isEmpty()) {
-          throw new SemanticException("Could not find the jar for Serde class " + serdeClassName
-              + "to validate privileges");
-        }
-
-        serdeURI = parseURI(serdeSrc.getLocation().toString(), true);
-      } catch (ClassNotFoundException e) {
-        throw new SemanticException("Error retrieving Serde class:" + e.getMessage(), e);
-      }
-    }
-  }
-
-  protected HiveOperation getCurrentHiveStmtOp() {
-    SessionState sessState = SessionState.get();
-    if (sessState == null) {
-      // TODO: Warn
-      return null;
-    }
-    return sessState.getHiveOperation();
-  }
-
-  protected Subject getCurrentSubject(HiveSemanticAnalyzerHookContext context) {
-    // Extract the username from the hook context
-    return new Subject(context.getUserName());
-  }
-
-}


Mime
View raw message