sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ha...@apache.org
Subject [2/2] sentry git commit: SENTRY-2371: Add a new thrift API for getting all privileges a user has (Hao Hao, reviewed by Na Li, Sergio Pena)
Date Wed, 26 Sep 2018 18:58:35 GMT
SENTRY-2371: Add a new thrift API for getting all privileges a user has (Hao Hao, reviewed by Na Li, Sergio Pena)


Project: http://git-wip-us.apache.org/repos/asf/sentry/repo
Commit: http://git-wip-us.apache.org/repos/asf/sentry/commit/e90ab35d
Tree: http://git-wip-us.apache.org/repos/asf/sentry/tree/e90ab35d
Diff: http://git-wip-us.apache.org/repos/asf/sentry/diff/e90ab35d

Branch: refs/heads/master
Commit: e90ab35db32e34eb359f39cd94a9ca48b8c7aeda
Parents: c7c5df2
Author: Hao Hao <hao.hao@cloudera.com>
Authored: Tue Sep 25 14:10:41 2018 -0700
Committer: Hao Hao <hao.hao@cloudera.com>
Committed: Wed Sep 26 11:54:08 2018 -0700

----------------------------------------------------------------------
 .../api/service/thrift/SentryPolicyService.java | 858 +++++++++++++++++++
 .../main/resources/sentry_policy_service.thrift |  10 +-
 .../api/service/thrift/SentryMetrics.java       |   2 +
 .../thrift/SentryPolicyStoreProcessor.java      |  73 +-
 .../db/service/persistent/SentryStore.java      |  35 +-
 .../persistent/SentryStoreInterface.java        |  32 +-
 .../db/service/persistent/TestSentryStore.java  |  43 +
 7 files changed, 1032 insertions(+), 21 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/sentry/blob/e90ab35d/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/SentryPolicyService.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/SentryPolicyService.java b/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/SentryPolicyService.java
index 0cbd8ab..7025653 100644
--- a/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/SentryPolicyService.java
+++ b/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/SentryPolicyService.java
@@ -63,6 +63,8 @@ public class SentryPolicyService {
 
     public TListSentryPrivilegesResponse list_sentry_privileges_by_user(TListSentryPrivilegesRequest request) throws org.apache.thrift.TException;
 
+    public TListSentryPrivilegesResponse list_sentry_privileges_by_user_and_itsgroups(TListSentryPrivilegesRequest request) throws org.apache.thrift.TException;
+
     public TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(TListSentryPrivilegesForProviderRequest request) throws org.apache.thrift.TException;
 
     public TDropPrivilegesResponse drop_sentry_privilege(TDropPrivilegesRequest request) throws org.apache.thrift.TException;
@@ -113,6 +115,8 @@ public class SentryPolicyService {
 
     public void list_sentry_privileges_by_user(TListSentryPrivilegesRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException;
 
+    public void list_sentry_privileges_by_user_and_itsgroups(TListSentryPrivilegesRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException;
+
     public void list_sentry_privileges_for_provider(TListSentryPrivilegesForProviderRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException;
 
     public void drop_sentry_privilege(TDropPrivilegesRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException;
@@ -433,6 +437,29 @@ public class SentryPolicyService {
       throw new org.apache.thrift.TApplicationException(org.apache.thrift.TApplicationException.MISSING_RESULT, "list_sentry_privileges_by_user failed: unknown result");
     }
 
+    public TListSentryPrivilegesResponse list_sentry_privileges_by_user_and_itsgroups(TListSentryPrivilegesRequest request) throws org.apache.thrift.TException
+    {
+      send_list_sentry_privileges_by_user_and_itsgroups(request);
+      return recv_list_sentry_privileges_by_user_and_itsgroups();
+    }
+
+    public void send_list_sentry_privileges_by_user_and_itsgroups(TListSentryPrivilegesRequest request) throws org.apache.thrift.TException
+    {
+      list_sentry_privileges_by_user_and_itsgroups_args args = new list_sentry_privileges_by_user_and_itsgroups_args();
+      args.setRequest(request);
+      sendBase("list_sentry_privileges_by_user_and_itsgroups", args);
+    }
+
+    public TListSentryPrivilegesResponse recv_list_sentry_privileges_by_user_and_itsgroups() throws org.apache.thrift.TException
+    {
+      list_sentry_privileges_by_user_and_itsgroups_result result = new list_sentry_privileges_by_user_and_itsgroups_result();
+      receiveBase(result, "list_sentry_privileges_by_user_and_itsgroups");
+      if (result.isSetSuccess()) {
+        return result.success;
+      }
+      throw new org.apache.thrift.TApplicationException(org.apache.thrift.TApplicationException.MISSING_RESULT, "list_sentry_privileges_by_user_and_itsgroups failed: unknown result");
+    }
+
     public TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(TListSentryPrivilegesForProviderRequest request) throws org.apache.thrift.TException
     {
       send_list_sentry_privileges_for_provider(request);
@@ -1088,6 +1115,38 @@ public class SentryPolicyService {
       }
     }
 
+    public void list_sentry_privileges_by_user_and_itsgroups(TListSentryPrivilegesRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException {
+      checkReady();
+      list_sentry_privileges_by_user_and_itsgroups_call method_call = new list_sentry_privileges_by_user_and_itsgroups_call(request, resultHandler, this, ___protocolFactory, ___transport);
+      this.___currentMethod = method_call;
+      ___manager.call(method_call);
+    }
+
+    public static class list_sentry_privileges_by_user_and_itsgroups_call extends org.apache.thrift.async.TAsyncMethodCall {
+      private TListSentryPrivilegesRequest request;
+      public list_sentry_privileges_by_user_and_itsgroups_call(TListSentryPrivilegesRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler, org.apache.thrift.async.TAsyncClient client, org.apache.thrift.protocol.TProtocolFactory protocolFactory, org.apache.thrift.transport.TNonblockingTransport transport) throws org.apache.thrift.TException {
+        super(client, protocolFactory, transport, resultHandler, false);
+        this.request = request;
+      }
+
+      public void write_args(org.apache.thrift.protocol.TProtocol prot) throws org.apache.thrift.TException {
+        prot.writeMessageBegin(new org.apache.thrift.protocol.TMessage("list_sentry_privileges_by_user_and_itsgroups", org.apache.thrift.protocol.TMessageType.CALL, 0));
+        list_sentry_privileges_by_user_and_itsgroups_args args = new list_sentry_privileges_by_user_and_itsgroups_args();
+        args.setRequest(request);
+        args.write(prot);
+        prot.writeMessageEnd();
+      }
+
+      public TListSentryPrivilegesResponse getResult() throws org.apache.thrift.TException {
+        if (getState() != org.apache.thrift.async.TAsyncMethodCall.State.RESPONSE_READ) {
+          throw new IllegalStateException("Method call not finished!");
+        }
+        org.apache.thrift.transport.TMemoryInputTransport memoryTransport = new org.apache.thrift.transport.TMemoryInputTransport(getFrameBuffer().array());
+        org.apache.thrift.protocol.TProtocol prot = client.getProtocolFactory().getProtocol(memoryTransport);
+        return (new Client(prot)).recv_list_sentry_privileges_by_user_and_itsgroups();
+      }
+    }
+
     public void list_sentry_privileges_for_provider(TListSentryPrivilegesForProviderRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException {
       checkReady();
       list_sentry_privileges_for_provider_call method_call = new list_sentry_privileges_for_provider_call(request, resultHandler, this, ___protocolFactory, ___transport);
@@ -1465,6 +1524,7 @@ public class SentryPolicyService {
       processMap.put("list_sentry_roles_by_user", new list_sentry_roles_by_user());
       processMap.put("list_sentry_privileges_by_role", new list_sentry_privileges_by_role());
       processMap.put("list_sentry_privileges_by_user", new list_sentry_privileges_by_user());
+      processMap.put("list_sentry_privileges_by_user_and_itsgroups", new list_sentry_privileges_by_user_and_itsgroups());
       processMap.put("list_sentry_privileges_for_provider", new list_sentry_privileges_for_provider());
       processMap.put("drop_sentry_privilege", new drop_sentry_privilege());
       processMap.put("rename_sentry_privilege", new rename_sentry_privilege());
@@ -1719,6 +1779,26 @@ public class SentryPolicyService {
       }
     }
 
+    public static class list_sentry_privileges_by_user_and_itsgroups<I extends Iface> extends org.apache.thrift.ProcessFunction<I, list_sentry_privileges_by_user_and_itsgroups_args> {
+      public list_sentry_privileges_by_user_and_itsgroups() {
+        super("list_sentry_privileges_by_user_and_itsgroups");
+      }
+
+      public list_sentry_privileges_by_user_and_itsgroups_args getEmptyArgsInstance() {
+        return new list_sentry_privileges_by_user_and_itsgroups_args();
+      }
+
+      protected boolean isOneway() {
+        return false;
+      }
+
+      public list_sentry_privileges_by_user_and_itsgroups_result getResult(I iface, list_sentry_privileges_by_user_and_itsgroups_args args) throws org.apache.thrift.TException {
+        list_sentry_privileges_by_user_and_itsgroups_result result = new list_sentry_privileges_by_user_and_itsgroups_result();
+        result.success = iface.list_sentry_privileges_by_user_and_itsgroups(args.request);
+        return result;
+      }
+    }
+
     public static class list_sentry_privileges_for_provider<I extends Iface> extends org.apache.thrift.ProcessFunction<I, list_sentry_privileges_for_provider_args> {
       public list_sentry_privileges_for_provider() {
         super("list_sentry_privileges_for_provider");
@@ -1964,6 +2044,7 @@ public class SentryPolicyService {
       processMap.put("list_sentry_roles_by_user", new list_sentry_roles_by_user());
       processMap.put("list_sentry_privileges_by_role", new list_sentry_privileges_by_role());
       processMap.put("list_sentry_privileges_by_user", new list_sentry_privileges_by_user());
+      processMap.put("list_sentry_privileges_by_user_and_itsgroups", new list_sentry_privileges_by_user_and_itsgroups());
       processMap.put("list_sentry_privileges_for_provider", new list_sentry_privileges_for_provider());
       processMap.put("drop_sentry_privilege", new drop_sentry_privilege());
       processMap.put("rename_sentry_privilege", new rename_sentry_privilege());
@@ -2590,6 +2671,57 @@ public class SentryPolicyService {
       }
     }
 
+    public static class list_sentry_privileges_by_user_and_itsgroups<I extends AsyncIface> extends org.apache.thrift.AsyncProcessFunction<I, list_sentry_privileges_by_user_and_itsgroups_args, TListSentryPrivilegesResponse> {
+      public list_sentry_privileges_by_user_and_itsgroups() {
+        super("list_sentry_privileges_by_user_and_itsgroups");
+      }
+
+      public list_sentry_privileges_by_user_and_itsgroups_args getEmptyArgsInstance() {
+        return new list_sentry_privileges_by_user_and_itsgroups_args();
+      }
+
+      public AsyncMethodCallback<TListSentryPrivilegesResponse> getResultHandler(final AsyncFrameBuffer fb, final int seqid) {
+        final org.apache.thrift.AsyncProcessFunction fcall = this;
+        return new AsyncMethodCallback<TListSentryPrivilegesResponse>() { 
+          public void onComplete(TListSentryPrivilegesResponse o) {
+            list_sentry_privileges_by_user_and_itsgroups_result result = new list_sentry_privileges_by_user_and_itsgroups_result();
+            result.success = o;
+            try {
+              fcall.sendResponse(fb,result, org.apache.thrift.protocol.TMessageType.REPLY,seqid);
+              return;
+            } catch (Exception e) {
+              LOGGER.error("Exception writing to internal frame buffer", e);
+            }
+            fb.close();
+          }
+          public void onError(Exception e) {
+            byte msgType = org.apache.thrift.protocol.TMessageType.REPLY;
+            org.apache.thrift.TBase msg;
+            list_sentry_privileges_by_user_and_itsgroups_result result = new list_sentry_privileges_by_user_and_itsgroups_result();
+            {
+              msgType = org.apache.thrift.protocol.TMessageType.EXCEPTION;
+              msg = (org.apache.thrift.TBase)new org.apache.thrift.TApplicationException(org.apache.thrift.TApplicationException.INTERNAL_ERROR, e.getMessage());
+            }
+            try {
+              fcall.sendResponse(fb,msg,msgType,seqid);
+              return;
+            } catch (Exception ex) {
+              LOGGER.error("Exception writing to internal frame buffer", ex);
+            }
+            fb.close();
+          }
+        };
+      }
+
+      protected boolean isOneway() {
+        return false;
+      }
+
+      public void start(I iface, list_sentry_privileges_by_user_and_itsgroups_args args, org.apache.thrift.async.AsyncMethodCallback<TListSentryPrivilegesResponse> resultHandler) throws TException {
+        iface.list_sentry_privileges_by_user_and_itsgroups(args.request,resultHandler);
+      }
+    }
+
     public static class list_sentry_privileges_for_provider<I extends AsyncIface> extends org.apache.thrift.AsyncProcessFunction<I, list_sentry_privileges_for_provider_args, TListSentryPrivilegesForProviderResponse> {
       public list_sentry_privileges_for_provider() {
         super("list_sentry_privileges_for_provider");
@@ -11865,6 +11997,732 @@ public class SentryPolicyService {
 
   }
 
+  public static class list_sentry_privileges_by_user_and_itsgroups_args implements org.apache.thrift.TBase<list_sentry_privileges_by_user_and_itsgroups_args, list_sentry_privileges_by_user_and_itsgroups_args._Fields>, java.io.Serializable, Cloneable, Comparable<list_sentry_privileges_by_user_and_itsgroups_args>   {
+    private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("list_sentry_privileges_by_user_and_itsgroups_args");
+
+    private static final org.apache.thrift.protocol.TField REQUEST_FIELD_DESC = new org.apache.thrift.protocol.TField("request", org.apache.thrift.protocol.TType.STRUCT, (short)1);
+
+    private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? extends IScheme>, SchemeFactory>();
+    static {
+      schemes.put(StandardScheme.class, new list_sentry_privileges_by_user_and_itsgroups_argsStandardSchemeFactory());
+      schemes.put(TupleScheme.class, new list_sentry_privileges_by_user_and_itsgroups_argsTupleSchemeFactory());
+    }
+
+    private TListSentryPrivilegesRequest request; // required
+
+    /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */
+    public enum _Fields implements org.apache.thrift.TFieldIdEnum {
+      REQUEST((short)1, "request");
+
+      private static final Map<String, _Fields> byName = new HashMap<String, _Fields>();
+
+      static {
+        for (_Fields field : EnumSet.allOf(_Fields.class)) {
+          byName.put(field.getFieldName(), field);
+        }
+      }
+
+      /**
+       * Find the _Fields constant that matches fieldId, or null if its not found.
+       */
+      public static _Fields findByThriftId(int fieldId) {
+        switch(fieldId) {
+          case 1: // REQUEST
+            return REQUEST;
+          default:
+            return null;
+        }
+      }
+
+      /**
+       * Find the _Fields constant that matches fieldId, throwing an exception
+       * if it is not found.
+       */
+      public static _Fields findByThriftIdOrThrow(int fieldId) {
+        _Fields fields = findByThriftId(fieldId);
+        if (fields == null) throw new IllegalArgumentException("Field " + fieldId + " doesn't exist!");
+        return fields;
+      }
+
+      /**
+       * Find the _Fields constant that matches name, or null if its not found.
+       */
+      public static _Fields findByName(String name) {
+        return byName.get(name);
+      }
+
+      private final short _thriftId;
+      private final String _fieldName;
+
+      _Fields(short thriftId, String fieldName) {
+        _thriftId = thriftId;
+        _fieldName = fieldName;
+      }
+
+      public short getThriftFieldId() {
+        return _thriftId;
+      }
+
+      public String getFieldName() {
+        return _fieldName;
+      }
+    }
+
+    // isset id assignments
+    public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap;
+    static {
+      Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class);
+      tmpMap.put(_Fields.REQUEST, new org.apache.thrift.meta_data.FieldMetaData("request", org.apache.thrift.TFieldRequirementType.DEFAULT, 
+          new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TListSentryPrivilegesRequest.class)));
+      metaDataMap = Collections.unmodifiableMap(tmpMap);
+      org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(list_sentry_privileges_by_user_and_itsgroups_args.class, metaDataMap);
+    }
+
+    public list_sentry_privileges_by_user_and_itsgroups_args() {
+    }
+
+    public list_sentry_privileges_by_user_and_itsgroups_args(
+      TListSentryPrivilegesRequest request)
+    {
+      this();
+      this.request = request;
+    }
+
+    /**
+     * Performs a deep copy on <i>other</i>.
+     */
+    public list_sentry_privileges_by_user_and_itsgroups_args(list_sentry_privileges_by_user_and_itsgroups_args other) {
+      if (other.isSetRequest()) {
+        this.request = new TListSentryPrivilegesRequest(other.request);
+      }
+    }
+
+    public list_sentry_privileges_by_user_and_itsgroups_args deepCopy() {
+      return new list_sentry_privileges_by_user_and_itsgroups_args(this);
+    }
+
+    @Override
+    public void clear() {
+      this.request = null;
+    }
+
+    public TListSentryPrivilegesRequest getRequest() {
+      return this.request;
+    }
+
+    public void setRequest(TListSentryPrivilegesRequest request) {
+      this.request = request;
+    }
+
+    public void unsetRequest() {
+      this.request = null;
+    }
+
+    /** Returns true if field request is set (has been assigned a value) and false otherwise */
+    public boolean isSetRequest() {
+      return this.request != null;
+    }
+
+    public void setRequestIsSet(boolean value) {
+      if (!value) {
+        this.request = null;
+      }
+    }
+
+    public void setFieldValue(_Fields field, Object value) {
+      switch (field) {
+      case REQUEST:
+        if (value == null) {
+          unsetRequest();
+        } else {
+          setRequest((TListSentryPrivilegesRequest)value);
+        }
+        break;
+
+      }
+    }
+
+    public Object getFieldValue(_Fields field) {
+      switch (field) {
+      case REQUEST:
+        return getRequest();
+
+      }
+      throw new IllegalStateException();
+    }
+
+    /** Returns true if field corresponding to fieldID is set (has been assigned a value) and false otherwise */
+    public boolean isSet(_Fields field) {
+      if (field == null) {
+        throw new IllegalArgumentException();
+      }
+
+      switch (field) {
+      case REQUEST:
+        return isSetRequest();
+      }
+      throw new IllegalStateException();
+    }
+
+    @Override
+    public boolean equals(Object that) {
+      if (that == null)
+        return false;
+      if (that instanceof list_sentry_privileges_by_user_and_itsgroups_args)
+        return this.equals((list_sentry_privileges_by_user_and_itsgroups_args)that);
+      return false;
+    }
+
+    public boolean equals(list_sentry_privileges_by_user_and_itsgroups_args that) {
+      if (that == null)
+        return false;
+
+      boolean this_present_request = true && this.isSetRequest();
+      boolean that_present_request = true && that.isSetRequest();
+      if (this_present_request || that_present_request) {
+        if (!(this_present_request && that_present_request))
+          return false;
+        if (!this.request.equals(that.request))
+          return false;
+      }
+
+      return true;
+    }
+
+    @Override
+    public int hashCode() {
+      List<Object> list = new ArrayList<Object>();
+
+      boolean present_request = true && (isSetRequest());
+      list.add(present_request);
+      if (present_request)
+        list.add(request);
+
+      return list.hashCode();
+    }
+
+    @Override
+    public int compareTo(list_sentry_privileges_by_user_and_itsgroups_args other) {
+      if (!getClass().equals(other.getClass())) {
+        return getClass().getName().compareTo(other.getClass().getName());
+      }
+
+      int lastComparison = 0;
+
+      lastComparison = Boolean.valueOf(isSetRequest()).compareTo(other.isSetRequest());
+      if (lastComparison != 0) {
+        return lastComparison;
+      }
+      if (isSetRequest()) {
+        lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.request, other.request);
+        if (lastComparison != 0) {
+          return lastComparison;
+        }
+      }
+      return 0;
+    }
+
+    public _Fields fieldForId(int fieldId) {
+      return _Fields.findByThriftId(fieldId);
+    }
+
+    public void read(org.apache.thrift.protocol.TProtocol iprot) throws org.apache.thrift.TException {
+      schemes.get(iprot.getScheme()).getScheme().read(iprot, this);
+    }
+
+    public void write(org.apache.thrift.protocol.TProtocol oprot) throws org.apache.thrift.TException {
+      schemes.get(oprot.getScheme()).getScheme().write(oprot, this);
+    }
+
+    @Override
+    public String toString() {
+      StringBuilder sb = new StringBuilder("list_sentry_privileges_by_user_and_itsgroups_args(");
+      boolean first = true;
+
+      sb.append("request:");
+      if (this.request == null) {
+        sb.append("null");
+      } else {
+        sb.append(this.request);
+      }
+      first = false;
+      sb.append(")");
+      return sb.toString();
+    }
+
+    public void validate() throws org.apache.thrift.TException {
+      // check for required fields
+      // check for sub-struct validity
+      if (request != null) {
+        request.validate();
+      }
+    }
+
+    private void writeObject(java.io.ObjectOutputStream out) throws java.io.IOException {
+      try {
+        write(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(out)));
+      } catch (org.apache.thrift.TException te) {
+        throw new java.io.IOException(te);
+      }
+    }
+
+    private void readObject(java.io.ObjectInputStream in) throws java.io.IOException, ClassNotFoundException {
+      try {
+        read(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(in)));
+      } catch (org.apache.thrift.TException te) {
+        throw new java.io.IOException(te);
+      }
+    }
+
+    private static class list_sentry_privileges_by_user_and_itsgroups_argsStandardSchemeFactory implements SchemeFactory {
+      public list_sentry_privileges_by_user_and_itsgroups_argsStandardScheme getScheme() {
+        return new list_sentry_privileges_by_user_and_itsgroups_argsStandardScheme();
+      }
+    }
+
+    private static class list_sentry_privileges_by_user_and_itsgroups_argsStandardScheme extends StandardScheme<list_sentry_privileges_by_user_and_itsgroups_args> {
+
+      public void read(org.apache.thrift.protocol.TProtocol iprot, list_sentry_privileges_by_user_and_itsgroups_args struct) throws org.apache.thrift.TException {
+        org.apache.thrift.protocol.TField schemeField;
+        iprot.readStructBegin();
+        while (true)
+        {
+          schemeField = iprot.readFieldBegin();
+          if (schemeField.type == org.apache.thrift.protocol.TType.STOP) { 
+            break;
+          }
+          switch (schemeField.id) {
+            case 1: // REQUEST
+              if (schemeField.type == org.apache.thrift.protocol.TType.STRUCT) {
+                struct.request = new TListSentryPrivilegesRequest();
+                struct.request.read(iprot);
+                struct.setRequestIsSet(true);
+              } else { 
+                org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+              }
+              break;
+            default:
+              org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+          }
+          iprot.readFieldEnd();
+        }
+        iprot.readStructEnd();
+        struct.validate();
+      }
+
+      public void write(org.apache.thrift.protocol.TProtocol oprot, list_sentry_privileges_by_user_and_itsgroups_args struct) throws org.apache.thrift.TException {
+        struct.validate();
+
+        oprot.writeStructBegin(STRUCT_DESC);
+        if (struct.request != null) {
+          oprot.writeFieldBegin(REQUEST_FIELD_DESC);
+          struct.request.write(oprot);
+          oprot.writeFieldEnd();
+        }
+        oprot.writeFieldStop();
+        oprot.writeStructEnd();
+      }
+
+    }
+
+    private static class list_sentry_privileges_by_user_and_itsgroups_argsTupleSchemeFactory implements SchemeFactory {
+      public list_sentry_privileges_by_user_and_itsgroups_argsTupleScheme getScheme() {
+        return new list_sentry_privileges_by_user_and_itsgroups_argsTupleScheme();
+      }
+    }
+
+    private static class list_sentry_privileges_by_user_and_itsgroups_argsTupleScheme extends TupleScheme<list_sentry_privileges_by_user_and_itsgroups_args> {
+
+      @Override
+      public void write(org.apache.thrift.protocol.TProtocol prot, list_sentry_privileges_by_user_and_itsgroups_args struct) throws org.apache.thrift.TException {
+        TTupleProtocol oprot = (TTupleProtocol) prot;
+        BitSet optionals = new BitSet();
+        if (struct.isSetRequest()) {
+          optionals.set(0);
+        }
+        oprot.writeBitSet(optionals, 1);
+        if (struct.isSetRequest()) {
+          struct.request.write(oprot);
+        }
+      }
+
+      @Override
+      public void read(org.apache.thrift.protocol.TProtocol prot, list_sentry_privileges_by_user_and_itsgroups_args struct) throws org.apache.thrift.TException {
+        TTupleProtocol iprot = (TTupleProtocol) prot;
+        BitSet incoming = iprot.readBitSet(1);
+        if (incoming.get(0)) {
+          struct.request = new TListSentryPrivilegesRequest();
+          struct.request.read(iprot);
+          struct.setRequestIsSet(true);
+        }
+      }
+    }
+
+  }
+
+  public static class list_sentry_privileges_by_user_and_itsgroups_result implements org.apache.thrift.TBase<list_sentry_privileges_by_user_and_itsgroups_result, list_sentry_privileges_by_user_and_itsgroups_result._Fields>, java.io.Serializable, Cloneable, Comparable<list_sentry_privileges_by_user_and_itsgroups_result>   {
+    private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("list_sentry_privileges_by_user_and_itsgroups_result");
+
+    private static final org.apache.thrift.protocol.TField SUCCESS_FIELD_DESC = new org.apache.thrift.protocol.TField("success", org.apache.thrift.protocol.TType.STRUCT, (short)0);
+
+    private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? extends IScheme>, SchemeFactory>();
+    static {
+      schemes.put(StandardScheme.class, new list_sentry_privileges_by_user_and_itsgroups_resultStandardSchemeFactory());
+      schemes.put(TupleScheme.class, new list_sentry_privileges_by_user_and_itsgroups_resultTupleSchemeFactory());
+    }
+
+    private TListSentryPrivilegesResponse success; // required
+
+    /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */
+    public enum _Fields implements org.apache.thrift.TFieldIdEnum {
+      SUCCESS((short)0, "success");
+
+      private static final Map<String, _Fields> byName = new HashMap<String, _Fields>();
+
+      static {
+        for (_Fields field : EnumSet.allOf(_Fields.class)) {
+          byName.put(field.getFieldName(), field);
+        }
+      }
+
+      /**
+       * Find the _Fields constant that matches fieldId, or null if its not found.
+       */
+      public static _Fields findByThriftId(int fieldId) {
+        switch(fieldId) {
+          case 0: // SUCCESS
+            return SUCCESS;
+          default:
+            return null;
+        }
+      }
+
+      /**
+       * Find the _Fields constant that matches fieldId, throwing an exception
+       * if it is not found.
+       */
+      public static _Fields findByThriftIdOrThrow(int fieldId) {
+        _Fields fields = findByThriftId(fieldId);
+        if (fields == null) throw new IllegalArgumentException("Field " + fieldId + " doesn't exist!");
+        return fields;
+      }
+
+      /**
+       * Find the _Fields constant that matches name, or null if its not found.
+       */
+      public static _Fields findByName(String name) {
+        return byName.get(name);
+      }
+
+      private final short _thriftId;
+      private final String _fieldName;
+
+      _Fields(short thriftId, String fieldName) {
+        _thriftId = thriftId;
+        _fieldName = fieldName;
+      }
+
+      public short getThriftFieldId() {
+        return _thriftId;
+      }
+
+      public String getFieldName() {
+        return _fieldName;
+      }
+    }
+
+    // isset id assignments
+    public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap;
+    static {
+      Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class);
+      tmpMap.put(_Fields.SUCCESS, new org.apache.thrift.meta_data.FieldMetaData("success", org.apache.thrift.TFieldRequirementType.DEFAULT, 
+          new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TListSentryPrivilegesResponse.class)));
+      metaDataMap = Collections.unmodifiableMap(tmpMap);
+      org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(list_sentry_privileges_by_user_and_itsgroups_result.class, metaDataMap);
+    }
+
+    public list_sentry_privileges_by_user_and_itsgroups_result() {
+    }
+
+    public list_sentry_privileges_by_user_and_itsgroups_result(
+      TListSentryPrivilegesResponse success)
+    {
+      this();
+      this.success = success;
+    }
+
+    /**
+     * Performs a deep copy on <i>other</i>.
+     */
+    public list_sentry_privileges_by_user_and_itsgroups_result(list_sentry_privileges_by_user_and_itsgroups_result other) {
+      if (other.isSetSuccess()) {
+        this.success = new TListSentryPrivilegesResponse(other.success);
+      }
+    }
+
+    public list_sentry_privileges_by_user_and_itsgroups_result deepCopy() {
+      return new list_sentry_privileges_by_user_and_itsgroups_result(this);
+    }
+
+    @Override
+    public void clear() {
+      this.success = null;
+    }
+
+    public TListSentryPrivilegesResponse getSuccess() {
+      return this.success;
+    }
+
+    public void setSuccess(TListSentryPrivilegesResponse success) {
+      this.success = success;
+    }
+
+    public void unsetSuccess() {
+      this.success = null;
+    }
+
+    /** Returns true if field success is set (has been assigned a value) and false otherwise */
+    public boolean isSetSuccess() {
+      return this.success != null;
+    }
+
+    public void setSuccessIsSet(boolean value) {
+      if (!value) {
+        this.success = null;
+      }
+    }
+
+    public void setFieldValue(_Fields field, Object value) {
+      switch (field) {
+      case SUCCESS:
+        if (value == null) {
+          unsetSuccess();
+        } else {
+          setSuccess((TListSentryPrivilegesResponse)value);
+        }
+        break;
+
+      }
+    }
+
+    public Object getFieldValue(_Fields field) {
+      switch (field) {
+      case SUCCESS:
+        return getSuccess();
+
+      }
+      throw new IllegalStateException();
+    }
+
+    /** Returns true if field corresponding to fieldID is set (has been assigned a value) and false otherwise */
+    public boolean isSet(_Fields field) {
+      if (field == null) {
+        throw new IllegalArgumentException();
+      }
+
+      switch (field) {
+      case SUCCESS:
+        return isSetSuccess();
+      }
+      throw new IllegalStateException();
+    }
+
+    @Override
+    public boolean equals(Object that) {
+      if (that == null)
+        return false;
+      if (that instanceof list_sentry_privileges_by_user_and_itsgroups_result)
+        return this.equals((list_sentry_privileges_by_user_and_itsgroups_result)that);
+      return false;
+    }
+
+    public boolean equals(list_sentry_privileges_by_user_and_itsgroups_result that) {
+      if (that == null)
+        return false;
+
+      boolean this_present_success = true && this.isSetSuccess();
+      boolean that_present_success = true && that.isSetSuccess();
+      if (this_present_success || that_present_success) {
+        if (!(this_present_success && that_present_success))
+          return false;
+        if (!this.success.equals(that.success))
+          return false;
+      }
+
+      return true;
+    }
+
+    @Override
+    public int hashCode() {
+      List<Object> list = new ArrayList<Object>();
+
+      boolean present_success = true && (isSetSuccess());
+      list.add(present_success);
+      if (present_success)
+        list.add(success);
+
+      return list.hashCode();
+    }
+
+    @Override
+    public int compareTo(list_sentry_privileges_by_user_and_itsgroups_result other) {
+      if (!getClass().equals(other.getClass())) {
+        return getClass().getName().compareTo(other.getClass().getName());
+      }
+
+      int lastComparison = 0;
+
+      lastComparison = Boolean.valueOf(isSetSuccess()).compareTo(other.isSetSuccess());
+      if (lastComparison != 0) {
+        return lastComparison;
+      }
+      if (isSetSuccess()) {
+        lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.success, other.success);
+        if (lastComparison != 0) {
+          return lastComparison;
+        }
+      }
+      return 0;
+    }
+
+    public _Fields fieldForId(int fieldId) {
+      return _Fields.findByThriftId(fieldId);
+    }
+
+    public void read(org.apache.thrift.protocol.TProtocol iprot) throws org.apache.thrift.TException {
+      schemes.get(iprot.getScheme()).getScheme().read(iprot, this);
+    }
+
+    public void write(org.apache.thrift.protocol.TProtocol oprot) throws org.apache.thrift.TException {
+      schemes.get(oprot.getScheme()).getScheme().write(oprot, this);
+      }
+
+    @Override
+    public String toString() {
+      StringBuilder sb = new StringBuilder("list_sentry_privileges_by_user_and_itsgroups_result(");
+      boolean first = true;
+
+      sb.append("success:");
+      if (this.success == null) {
+        sb.append("null");
+      } else {
+        sb.append(this.success);
+      }
+      first = false;
+      sb.append(")");
+      return sb.toString();
+    }
+
+    public void validate() throws org.apache.thrift.TException {
+      // check for required fields
+      // check for sub-struct validity
+      if (success != null) {
+        success.validate();
+      }
+    }
+
+    private void writeObject(java.io.ObjectOutputStream out) throws java.io.IOException {
+      try {
+        write(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(out)));
+      } catch (org.apache.thrift.TException te) {
+        throw new java.io.IOException(te);
+      }
+    }
+
+    private void readObject(java.io.ObjectInputStream in) throws java.io.IOException, ClassNotFoundException {
+      try {
+        read(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(in)));
+      } catch (org.apache.thrift.TException te) {
+        throw new java.io.IOException(te);
+      }
+    }
+
+    private static class list_sentry_privileges_by_user_and_itsgroups_resultStandardSchemeFactory implements SchemeFactory {
+      public list_sentry_privileges_by_user_and_itsgroups_resultStandardScheme getScheme() {
+        return new list_sentry_privileges_by_user_and_itsgroups_resultStandardScheme();
+      }
+    }
+
+    private static class list_sentry_privileges_by_user_and_itsgroups_resultStandardScheme extends StandardScheme<list_sentry_privileges_by_user_and_itsgroups_result> {
+
+      public void read(org.apache.thrift.protocol.TProtocol iprot, list_sentry_privileges_by_user_and_itsgroups_result struct) throws org.apache.thrift.TException {
+        org.apache.thrift.protocol.TField schemeField;
+        iprot.readStructBegin();
+        while (true)
+        {
+          schemeField = iprot.readFieldBegin();
+          if (schemeField.type == org.apache.thrift.protocol.TType.STOP) { 
+            break;
+          }
+          switch (schemeField.id) {
+            case 0: // SUCCESS
+              if (schemeField.type == org.apache.thrift.protocol.TType.STRUCT) {
+                struct.success = new TListSentryPrivilegesResponse();
+                struct.success.read(iprot);
+                struct.setSuccessIsSet(true);
+              } else { 
+                org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+              }
+              break;
+            default:
+              org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+          }
+          iprot.readFieldEnd();
+        }
+        iprot.readStructEnd();
+        struct.validate();
+      }
+
+      public void write(org.apache.thrift.protocol.TProtocol oprot, list_sentry_privileges_by_user_and_itsgroups_result struct) throws org.apache.thrift.TException {
+        struct.validate();
+
+        oprot.writeStructBegin(STRUCT_DESC);
+        if (struct.success != null) {
+          oprot.writeFieldBegin(SUCCESS_FIELD_DESC);
+          struct.success.write(oprot);
+          oprot.writeFieldEnd();
+        }
+        oprot.writeFieldStop();
+        oprot.writeStructEnd();
+      }
+
+    }
+
+    private static class list_sentry_privileges_by_user_and_itsgroups_resultTupleSchemeFactory implements SchemeFactory {
+      public list_sentry_privileges_by_user_and_itsgroups_resultTupleScheme getScheme() {
+        return new list_sentry_privileges_by_user_and_itsgroups_resultTupleScheme();
+      }
+    }
+
+    private static class list_sentry_privileges_by_user_and_itsgroups_resultTupleScheme extends TupleScheme<list_sentry_privileges_by_user_and_itsgroups_result> {
+
+      @Override
+      public void write(org.apache.thrift.protocol.TProtocol prot, list_sentry_privileges_by_user_and_itsgroups_result struct) throws org.apache.thrift.TException {
+        TTupleProtocol oprot = (TTupleProtocol) prot;
+        BitSet optionals = new BitSet();
+        if (struct.isSetSuccess()) {
+          optionals.set(0);
+        }
+        oprot.writeBitSet(optionals, 1);
+        if (struct.isSetSuccess()) {
+          struct.success.write(oprot);
+        }
+      }
+
+      @Override
+      public void read(org.apache.thrift.protocol.TProtocol prot, list_sentry_privileges_by_user_and_itsgroups_result struct) throws org.apache.thrift.TException {
+        TTupleProtocol iprot = (TTupleProtocol) prot;
+        BitSet incoming = iprot.readBitSet(1);
+        if (incoming.get(0)) {
+          struct.success = new TListSentryPrivilegesResponse();
+          struct.success.read(iprot);
+          struct.setSuccessIsSet(true);
+        }
+      }
+    }
+
+  }
+
   public static class list_sentry_privileges_for_provider_args implements org.apache.thrift.TBase<list_sentry_privileges_for_provider_args, list_sentry_privileges_for_provider_args._Fields>, java.io.Serializable, Cloneable, Comparable<list_sentry_privileges_for_provider_args>   {
     private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("list_sentry_privileges_for_provider_args");
 

http://git-wip-us.apache.org/repos/asf/sentry/blob/e90ab35d/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift b/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift
index 2e79e56..3364648 100644
--- a/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift
+++ b/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift
@@ -196,7 +196,7 @@ struct TListSentryPrivilegesRequest {
 4: required string roleName, # get privileges assigned for this role
 5: optional TSentryAuthorizable authorizableHierarchy, # get privileges assigned for this role
 
-# Get privileges assigned for this principal name. This principalName should be set to a a role name
+# Get privileges assigned for this principal name. This principalName should be set to a role name
 # or user name depending of which function you call, either list_sentry_privileges_by_role or
 # list_sentry_privileges_by_user
 6: optional string principalName
@@ -407,8 +407,16 @@ service SentryPolicyService
   TListSentryRolesResponse list_sentry_roles_by_group(1:TListSentryRolesRequest request)
   TListSentryRolesResponse list_sentry_roles_by_user(1:TListSentryRolesForUserRequest request)
 
+  # List sentry privileges granted to the given role, filterted
+  # based on authorization hierarchy if present.
   TListSentryPrivilegesResponse list_sentry_privileges_by_role(1:TListSentryPrivilegesRequest request)
+  # List sentry privileges granted to the given user, filterted
+  # based on authorization hierarchy if present.
   TListSentryPrivilegesResponse list_sentry_privileges_by_user(1:TListSentryPrivilegesRequest request)
+  # List sentry privileges granted to the given user and the groups
+  # the user associated with, filterted based on authorization
+  # hierarchy if present.
+  TListSentryPrivilegesResponse list_sentry_privileges_by_user_and_itsgroups(1:TListSentryPrivilegesRequest request)
 
   # For use with ProviderBackend.getPrivileges only
   TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(1:TListSentryPrivilegesForProviderRequest request)

http://git-wip-us.apache.org/repos/asf/sentry/blob/e90ab35d/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryMetrics.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryMetrics.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryMetrics.java
index 236a07b..d34340c 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryMetrics.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryMetrics.java
@@ -109,6 +109,8 @@ public final class SentryMetrics {
       name(SentryPolicyStoreProcessor.class, "list-privileges-by-role"));
   final Timer listPrivilegesByUserTimer = METRIC_REGISTRY.timer(
     name(SentryPolicyStoreProcessor.class, "list-privileges-by-user"));
+  final Timer listPrivilegesForUserTimer = METRIC_REGISTRY.timer(
+          name(SentryPolicyStoreProcessor.class, "list-sentry-privileges-by-user-and-itsgroups"));
   final Timer listPrivilegesForProviderTimer = METRIC_REGISTRY.timer(
       name(SentryPolicyStoreProcessor.class, "list-privileges-for-provider"));
   final Timer listPrivilegesByAuthorizableTimer = METRIC_REGISTRY.timer(

http://git-wip-us.apache.org/repos/asf/sentry/blob/e90ab35d/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
index 3087529..709434c 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
@@ -825,10 +825,11 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
     Set<TSentryPrivilege> privilegeSet = new HashSet<TSentryPrivilege>();
     String subject = request.getRequestorUserName();
 
-    // The 'entityName' parameter is made optional in thrift, so we need to check that is not
+    // The 'principalName' parameter is made optional in thrift, so we need to check that is not
     // null before proceed.
     TSentryResponseStatus status =
-      checkRequiredParameter(request.getPrincipalName(), "entityName parameter must not be null");
+      checkRequiredParameter(request.getPrincipalName(),
+                             "principalName parameter must not be null");
     if (status != null) {
       response.setStatus(status);
       return response;
@@ -880,6 +881,74 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
     return response;
   }
 
+  @Override
+  public TListSentryPrivilegesResponse list_sentry_privileges_by_user_and_itsgroups(
+          TListSentryPrivilegesRequest request) throws TException {
+    final Timer.Context timerContext = sentryMetrics.listPrivilegesForUserTimer.time();
+    TListSentryPrivilegesResponse response = new TListSentryPrivilegesResponse();
+
+    // The 'principalName' parameter is made optional in thrift, so we need to
+    // check that is not null before proceed.
+    TSentryResponseStatus status = checkRequiredParameter(request.getPrincipalName(),
+                                                          "principalName parameter must not be null");
+    if (status != null) {
+      response.setStatus(status);
+      return response;
+    }
+
+    String requestor = request.getRequestorUserName();
+    String principalName = request.getPrincipalName().trim();
+    Set<TSentryPrivilege> privilegeSet = new HashSet<>();
+
+    try {
+      validateClientVersion(request.getProtocol_version());
+
+      // To allow listing the privileges, the requestor user must be part of
+      // the admins group, or the requestor user must be the same user requesting
+      // privileges for.
+      Set<String> requestorGroups = getRequestorGroups(requestor);
+      Boolean admin = inAdminGroups(requestorGroups);
+      if(!admin && !principalName.equalsIgnoreCase(requestor)) {
+        throw new SentryAccessDeniedException("Access denied to " + requestor);
+      }
+
+      // Get the groups the user is associated with.
+      Set<String> principalGroups;
+      if (principalName.equals(requestor)) {
+        principalGroups = requestorGroups;
+      } else {
+        principalGroups = getRequestorGroups(principalName);
+      }
+      Set<String> principalUsers = new HashSet<>();
+      principalUsers.add(principalName);
+      privilegeSet.addAll(sentryStore.listSentryPrivilegesByUsersAndGroups(
+              principalGroups, principalUsers,
+              new TSentryActiveRoleSet(true, null),
+              request.getAuthorizableHierarchy()));
+      response.setPrivileges(privilegeSet);
+      response.setStatus(Status.OK());
+    } catch (SentryThriftAPIMismatchException e) {
+      LOGGER.error(e.getMessage(), e);
+      response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
+    } catch (SentryAccessDeniedException e) {
+      LOGGER.error(e.getMessage(), e);
+      response.setStatus(Status.AccessDenied(e.getMessage(), e));
+    } catch (SentryInvalidInputException e) {
+      LOGGER.error(e.getMessage(), e);
+      response.setStatus(Status.InvalidInput(e.getMessage(), e));
+    } catch (SentryUserException e) {
+      LOGGER.error(e.getMessage(), e);
+      response.setStatus(Status.AccessDenied(e.getMessage(), e));
+    } catch (Exception e) {
+      String msg = "Unknown error for request: " + request + ", message: " + e.getMessage();
+      LOGGER.error(msg, e);
+      response.setStatus(Status.RuntimeError(msg, e));
+    } finally {
+      timerContext.stop();
+    }
+    return response;
+  }
+
   /**
    * This method was created specifically for ProviderBackend.getPrivileges() and is not meant
    * to be used for general privilege retrieval. More details in the .thrift file.

http://git-wip-us.apache.org/repos/asf/sentry/blob/e90ab35d/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
index 1eda41b..1722109 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStore.java
@@ -2400,29 +2400,40 @@ public class SentryStore implements SentryStoreInterface {
     return result;
   }
 
-  Set<String> listAllSentryPrivilegesForProvider(Set<String> groups, Set<String> users,
+  public Set<TSentryPrivilege> listSentryPrivilegesByUsersAndGroups(
+      Set<String> groups, Set<String> users, TSentryActiveRoleSet roleSet,
+      TSentryAuthorizable authHierarchy) throws Exception {
+    return convertToTSentryPrivileges(listSentryPrivilegesForProviderCore(
+        groups, users, roleSet, authHierarchy));
+  }
+
+  Set<String> listAllSentryPrivilegesForProvider(
+      Set<String> groups, Set<String> users,
       TSentryActiveRoleSet roleSet) throws Exception {
     return listSentryPrivilegesForProvider(groups, users, roleSet, null);
   }
 
-
-  public Set<String> listSentryPrivilegesForProvider(Set<String> groups, Set<String> users,
-      TSentryActiveRoleSet roleSet, TSentryAuthorizable authHierarchy) throws Exception {
+  public Set<String> listSentryPrivilegesForProvider(
+      Set<String> groups, Set<String> users, TSentryActiveRoleSet roleSet,
+      TSentryAuthorizable authHierarchy) throws Exception {
     Set<String> result = Sets.newHashSet();
-    Set<String> rolesToQuery = getRolesToQuery(groups, users, roleSet);
-    List<MSentryPrivilege> mSentryPrivileges = getMSentryPrivileges(SentryPrincipalType.ROLE, rolesToQuery, authHierarchy);
-    for (MSentryPrivilege priv : mSentryPrivileges) {
-      result.add(toAuthorizable(priv));
-    }
-
-    mSentryPrivileges = getMSentryPrivileges(SentryPrincipalType.USER, users, authHierarchy);
+    Set<MSentryPrivilege> mSentryPrivileges = listSentryPrivilegesForProviderCore(
+        groups, users, roleSet, authHierarchy);
     for (MSentryPrivilege priv : mSentryPrivileges) {
       result.add(toAuthorizable(priv));
     }
-
     return result;
   }
 
+  private Set<MSentryPrivilege> listSentryPrivilegesForProviderCore(Set<String> groups, Set<String> users,
+      TSentryActiveRoleSet roleSet, TSentryAuthorizable authHierarchy) throws Exception {
+    Set<MSentryPrivilege> privilegeSet = Sets.newHashSet();
+    Set<String> rolesToQuery = getRolesToQuery(groups, users, roleSet);
+    privilegeSet.addAll(getMSentryPrivileges(SentryPrincipalType.ROLE, rolesToQuery, authHierarchy));
+    privilegeSet.addAll(getMSentryPrivileges(SentryPrincipalType.USER, users, authHierarchy));
+    return privilegeSet;
+  }
+
   public boolean hasAnyServerPrivileges(Set<String> groups, Set<String> users,
       TSentryActiveRoleSet roleSet, String server) throws Exception {
     Set<String> rolesToQuery = getRolesToQuery(groups, users, roleSet);

http://git-wip-us.apache.org/repos/asf/sentry/blob/e90ab35d/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreInterface.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreInterface.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreInterface.java
index 0b4f4aa..3a68eb6 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreInterface.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/provider/db/service/persistent/SentryStoreInterface.java
@@ -216,12 +216,14 @@ public interface SentryStoreInterface {
   Set<TSentryPrivilege> getAllTSentryPrivilegesByUserName(String userName) throws Exception;
 
   /**
-   * Set of Sentry Privileges for provider.
-   * @param groups
-   * @param users
-   * @param roleSet
-   * @param authHierarchy
-   * @return
+   * Gets sentry privileges granted to the given user and groups from the
+   * persistence layer. This method is only intent to be used for provider.
+   * @param groups the set of group names
+   * @param users the set of user names
+   * @param roleSet the active roleSet
+   * @param authHierarchy filter push down based on auth hierarchy (optional)
+   * @return a set of sentry privilege string belongs to the given users
+   *         and groups.
    * @throws Exception
    */
   Set<String> listSentryPrivilegesForProvider(Set<String> groups,
@@ -231,6 +233,24 @@ public interface SentryStoreInterface {
     throws Exception;
 
   /**
+   * Similar to {@link SentryStoreInterface#listSentryPrivilegesForProvider(Set, Set,
+   * TSentryActiveRoleSet, TSentryAuthorizable)}, but returns a set of thrift sentry
+   * privilege objects instead.
+   * @param groups the set of group names
+   * @param users the set of user names
+   * @param roleSet the active roleSet
+   * @param authHierarchy filter push down based on auth hierarchy (optional)
+   * @return a set of thrift sentry privilege objects belongs to the given
+   *         users and groups.
+   * @throws Exception
+   */
+  Set<TSentryPrivilege> listSentryPrivilegesByUsersAndGroups(Set<String> groups,
+                                                             Set<String> users,
+                                                             TSentryActiveRoleSet roleSet,
+                                                             TSentryAuthorizable authHierarchy)
+    throws Exception;
+
+  /**
    * True if the given set of group
    * @param groups
    * @param users

http://git-wip-us.apache.org/repos/asf/sentry/blob/e90ab35d/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
----------------------------------------------------------------------
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
index d8c0ab4..a299e00 100644
--- a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/provider/db/service/persistent/TestSentryStore.java
@@ -4273,6 +4273,49 @@ public class TestSentryStore extends org.junit.Assert {
   }
 
   @Test
+  public void testListSentryPrivilegesForUsersAndGroups() throws Exception {
+    String roleName = "role1";
+    String groupName = "list-privs-g1";
+    String userName = "u1";
+    String grantor = "g1";
+    sentryStore.createSentryRole(roleName);
+
+    TSentryPrivilege privilege1 = new TSentryPrivilege();
+    privilege1.setPrivilegeScope("TABLE");
+    privilege1.setServerName("server1");
+    privilege1.setDbName("db1");
+    privilege1.setTableName("tbl1");
+    privilege1.setAction("SELECT");
+    privilege1.setCreateTime(System.currentTimeMillis());
+    sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.ROLE, roleName, privilege1, null);
+
+    TSentryPrivilege privilege2 = new TSentryPrivilege();
+    privilege2.setPrivilegeScope("SERVER");
+    privilege2.setServerName("server1");
+    privilege2.setCreateTime(System.currentTimeMillis());
+    sentryStore.alterSentryGrantPrivilege(grantor, SentryPrincipalType.USER, userName, privilege2, null);
+
+    Set<TSentryGroup> groups = Sets.newHashSet();
+    TSentryGroup group = new TSentryGroup();
+    group.setGroupName(groupName);
+    groups.add(group);
+    sentryStore.alterSentryRoleAddGroups(grantor, roleName, groups);
+
+    // list-privs-g1 has privilege1
+    // u1 has privilege2
+    Set<TSentryPrivilege> expectedPrivs = new HashSet<>();
+    expectedPrivs.add(privilege1);
+    expectedPrivs.add(privilege2);
+
+    assertEquals(expectedPrivs,
+                 sentryStore.listSentryPrivilegesByUsersAndGroups(
+                     Sets.newHashSet(groupName),
+                     Sets.newHashSet(userName),
+                     new TSentryActiveRoleSet(true, new HashSet<>()),
+                     null));
+  }
+
+  @Test
   public void testListSentryPrivilegesForProviderForUser() throws Exception {
     String userName1 = "list-privs-user1";
     String userName2 = "list-privs-user2";


Mime
View raw message