sentry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ha...@apache.org
Subject [sentry] branch master updated: SENTRY-2522: Add a new thrift API for getting all privileges a user has for a given set of authorizable (Hao Hao reviewed by Arjun Mishra)
Date Mon, 10 Jun 2019 19:43:18 GMT
This is an automated email from the ASF dual-hosted git repository.

hahao pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/sentry.git


The following commit(s) were added to refs/heads/master by this push:
     new 148ba6c  SENTRY-2522: Add a new thrift API for getting all privileges a user has for a given set of authorizable (Hao Hao reviewed by Arjun Mishra)
148ba6c is described below

commit 148ba6c225ac785844476213f3d70ccbf637e9ba
Author: Hao Hao <hao.hao@cloudera.com>
AuthorDate: Thu Jun 6 23:33:36 2019 -0700

    SENTRY-2522: Add a new thrift API for getting all privileges a user has for a given set of authorizable (Hao Hao reviewed by Arjun Mishra)
    
    Change-Id: Ie49d8ee57b840f21e3e8276914fcb6c950399aee
---
 .../api/service/thrift/SentryPolicyService.java    | 858 +++++++++++++++++++++
 .../TListSentryPrivilegesByAuthUserRequest.java    | 746 ++++++++++++++++++
 .../TListSentryPrivilegesByAuthUserResponse.java   | 598 ++++++++++++++
 .../main/resources/sentry_policy_service.thrift    |  19 +
 .../sentry/api/service/thrift/SentryMetrics.java   |   2 +
 .../service/thrift/SentryPolicyStoreProcessor.java |  94 +++
 .../thrift/TestSentryPolicyStoreProcessor.java     | 127 ++-
 7 files changed, 2442 insertions(+), 2 deletions(-)

diff --git a/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/SentryPolicyService.java b/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/SentryPolicyService.java
index df18706..44e31dd 100644
--- a/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/SentryPolicyService.java
+++ b/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/SentryPolicyService.java
@@ -75,6 +75,8 @@ public class SentryPolicyService {
 
     public TListSentryPrivilegesByAuthResponse list_sentry_privileges_by_authorizable(TListSentryPrivilegesByAuthRequest request) throws org.apache.thrift.TException;
 
+    public TListSentryPrivilegesByAuthUserResponse list_sentry_privileges_by_authorizable_and_user(TListSentryPrivilegesByAuthUserRequest request) throws org.apache.thrift.TException;
+
     public TSentryConfigValueResponse get_sentry_config_value(TSentryConfigValueRequest request) throws org.apache.thrift.TException;
 
     public TSentryExportMappingDataResponse export_sentry_mapping_data(TSentryExportMappingDataRequest request) throws org.apache.thrift.TException;
@@ -129,6 +131,8 @@ public class SentryPolicyService {
 
     public void list_sentry_privileges_by_authorizable(TListSentryPrivilegesByAuthRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException;
 
+    public void list_sentry_privileges_by_authorizable_and_user(TListSentryPrivilegesByAuthUserRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException;
+
     public void get_sentry_config_value(TSentryConfigValueRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException;
 
     public void export_sentry_mapping_data(TSentryExportMappingDataRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException;
@@ -579,6 +583,29 @@ public class SentryPolicyService {
       throw new org.apache.thrift.TApplicationException(org.apache.thrift.TApplicationException.MISSING_RESULT, "list_sentry_privileges_by_authorizable failed: unknown result");
     }
 
+    public TListSentryPrivilegesByAuthUserResponse list_sentry_privileges_by_authorizable_and_user(TListSentryPrivilegesByAuthUserRequest request) throws org.apache.thrift.TException
+    {
+      send_list_sentry_privileges_by_authorizable_and_user(request);
+      return recv_list_sentry_privileges_by_authorizable_and_user();
+    }
+
+    public void send_list_sentry_privileges_by_authorizable_and_user(TListSentryPrivilegesByAuthUserRequest request) throws org.apache.thrift.TException
+    {
+      list_sentry_privileges_by_authorizable_and_user_args args = new list_sentry_privileges_by_authorizable_and_user_args();
+      args.setRequest(request);
+      sendBase("list_sentry_privileges_by_authorizable_and_user", args);
+    }
+
+    public TListSentryPrivilegesByAuthUserResponse recv_list_sentry_privileges_by_authorizable_and_user() throws org.apache.thrift.TException
+    {
+      list_sentry_privileges_by_authorizable_and_user_result result = new list_sentry_privileges_by_authorizable_and_user_result();
+      receiveBase(result, "list_sentry_privileges_by_authorizable_and_user");
+      if (result.isSetSuccess()) {
+        return result.success;
+      }
+      throw new org.apache.thrift.TApplicationException(org.apache.thrift.TApplicationException.MISSING_RESULT, "list_sentry_privileges_by_authorizable_and_user failed: unknown result");
+    }
+
     public TSentryConfigValueResponse get_sentry_config_value(TSentryConfigValueRequest request) throws org.apache.thrift.TException
     {
       send_get_sentry_config_value(request);
@@ -1334,6 +1361,38 @@ public class SentryPolicyService {
       }
     }
 
+    public void list_sentry_privileges_by_authorizable_and_user(TListSentryPrivilegesByAuthUserRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException {
+      checkReady();
+      list_sentry_privileges_by_authorizable_and_user_call method_call = new list_sentry_privileges_by_authorizable_and_user_call(request, resultHandler, this, ___protocolFactory, ___transport);
+      this.___currentMethod = method_call;
+      ___manager.call(method_call);
+    }
+
+    public static class list_sentry_privileges_by_authorizable_and_user_call extends org.apache.thrift.async.TAsyncMethodCall {
+      private TListSentryPrivilegesByAuthUserRequest request;
+      public list_sentry_privileges_by_authorizable_and_user_call(TListSentryPrivilegesByAuthUserRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler, org.apache.thrift.async.TAsyncClient client, org.apache.thrift.protocol.TProtocolFactory protocolFactory, org.apache.thrift.transport.TNonblockingTransport transport) throws org.apache.thrift.TException {
+        super(client, protocolFactory, transport, resultHandler, false);
+        this.request = request;
+      }
+
+      public void write_args(org.apache.thrift.protocol.TProtocol prot) throws org.apache.thrift.TException {
+        prot.writeMessageBegin(new org.apache.thrift.protocol.TMessage("list_sentry_privileges_by_authorizable_and_user", org.apache.thrift.protocol.TMessageType.CALL, 0));
+        list_sentry_privileges_by_authorizable_and_user_args args = new list_sentry_privileges_by_authorizable_and_user_args();
+        args.setRequest(request);
+        args.write(prot);
+        prot.writeMessageEnd();
+      }
+
+      public TListSentryPrivilegesByAuthUserResponse getResult() throws org.apache.thrift.TException {
+        if (getState() != org.apache.thrift.async.TAsyncMethodCall.State.RESPONSE_READ) {
+          throw new IllegalStateException("Method call not finished!");
+        }
+        org.apache.thrift.transport.TMemoryInputTransport memoryTransport = new org.apache.thrift.transport.TMemoryInputTransport(getFrameBuffer().array());
+        org.apache.thrift.protocol.TProtocol prot = client.getProtocolFactory().getProtocol(memoryTransport);
+        return (new Client(prot)).recv_list_sentry_privileges_by_authorizable_and_user();
+      }
+    }
+
     public void get_sentry_config_value(TSentryConfigValueRequest request, org.apache.thrift.async.AsyncMethodCallback resultHandler) throws org.apache.thrift.TException {
       checkReady();
       get_sentry_config_value_call method_call = new get_sentry_config_value_call(request, resultHandler, this, ___protocolFactory, ___transport);
@@ -1589,6 +1648,7 @@ public class SentryPolicyService {
       processMap.put("drop_sentry_privilege", new drop_sentry_privilege());
       processMap.put("rename_sentry_privilege", new rename_sentry_privilege());
       processMap.put("list_sentry_privileges_by_authorizable", new list_sentry_privileges_by_authorizable());
+      processMap.put("list_sentry_privileges_by_authorizable_and_user", new list_sentry_privileges_by_authorizable_and_user());
       processMap.put("get_sentry_config_value", new get_sentry_config_value());
       processMap.put("export_sentry_mapping_data", new export_sentry_mapping_data());
       processMap.put("import_sentry_mapping_data", new import_sentry_mapping_data());
@@ -1959,6 +2019,26 @@ public class SentryPolicyService {
       }
     }
 
+    public static class list_sentry_privileges_by_authorizable_and_user<I extends Iface> extends org.apache.thrift.ProcessFunction<I, list_sentry_privileges_by_authorizable_and_user_args> {
+      public list_sentry_privileges_by_authorizable_and_user() {
+        super("list_sentry_privileges_by_authorizable_and_user");
+      }
+
+      public list_sentry_privileges_by_authorizable_and_user_args getEmptyArgsInstance() {
+        return new list_sentry_privileges_by_authorizable_and_user_args();
+      }
+
+      protected boolean isOneway() {
+        return false;
+      }
+
+      public list_sentry_privileges_by_authorizable_and_user_result getResult(I iface, list_sentry_privileges_by_authorizable_and_user_args args) throws org.apache.thrift.TException {
+        list_sentry_privileges_by_authorizable_and_user_result result = new list_sentry_privileges_by_authorizable_and_user_result();
+        result.success = iface.list_sentry_privileges_by_authorizable_and_user(args.request);
+        return result;
+      }
+    }
+
     public static class get_sentry_config_value<I extends Iface> extends org.apache.thrift.ProcessFunction<I, get_sentry_config_value_args> {
       public get_sentry_config_value() {
         super("get_sentry_config_value");
@@ -2130,6 +2210,7 @@ public class SentryPolicyService {
       processMap.put("drop_sentry_privilege", new drop_sentry_privilege());
       processMap.put("rename_sentry_privilege", new rename_sentry_privilege());
       processMap.put("list_sentry_privileges_by_authorizable", new list_sentry_privileges_by_authorizable());
+      processMap.put("list_sentry_privileges_by_authorizable_and_user", new list_sentry_privileges_by_authorizable_and_user());
       processMap.put("get_sentry_config_value", new get_sentry_config_value());
       processMap.put("export_sentry_mapping_data", new export_sentry_mapping_data());
       processMap.put("import_sentry_mapping_data", new import_sentry_mapping_data());
@@ -3058,6 +3139,57 @@ public class SentryPolicyService {
       }
     }
 
+    public static class list_sentry_privileges_by_authorizable_and_user<I extends AsyncIface> extends org.apache.thrift.AsyncProcessFunction<I, list_sentry_privileges_by_authorizable_and_user_args, TListSentryPrivilegesByAuthUserResponse> {
+      public list_sentry_privileges_by_authorizable_and_user() {
+        super("list_sentry_privileges_by_authorizable_and_user");
+      }
+
+      public list_sentry_privileges_by_authorizable_and_user_args getEmptyArgsInstance() {
+        return new list_sentry_privileges_by_authorizable_and_user_args();
+      }
+
+      public AsyncMethodCallback<TListSentryPrivilegesByAuthUserResponse> getResultHandler(final AsyncFrameBuffer fb, final int seqid) {
+        final org.apache.thrift.AsyncProcessFunction fcall = this;
+        return new AsyncMethodCallback<TListSentryPrivilegesByAuthUserResponse>() { 
+          public void onComplete(TListSentryPrivilegesByAuthUserResponse o) {
+            list_sentry_privileges_by_authorizable_and_user_result result = new list_sentry_privileges_by_authorizable_and_user_result();
+            result.success = o;
+            try {
+              fcall.sendResponse(fb,result, org.apache.thrift.protocol.TMessageType.REPLY,seqid);
+              return;
+            } catch (Exception e) {
+              LOGGER.error("Exception writing to internal frame buffer", e);
+            }
+            fb.close();
+          }
+          public void onError(Exception e) {
+            byte msgType = org.apache.thrift.protocol.TMessageType.REPLY;
+            org.apache.thrift.TBase msg;
+            list_sentry_privileges_by_authorizable_and_user_result result = new list_sentry_privileges_by_authorizable_and_user_result();
+            {
+              msgType = org.apache.thrift.protocol.TMessageType.EXCEPTION;
+              msg = (org.apache.thrift.TBase)new org.apache.thrift.TApplicationException(org.apache.thrift.TApplicationException.INTERNAL_ERROR, e.getMessage());
+            }
+            try {
+              fcall.sendResponse(fb,msg,msgType,seqid);
+              return;
+            } catch (Exception ex) {
+              LOGGER.error("Exception writing to internal frame buffer", ex);
+            }
+            fb.close();
+          }
+        };
+      }
+
+      protected boolean isOneway() {
+        return false;
+      }
+
+      public void start(I iface, list_sentry_privileges_by_authorizable_and_user_args args, org.apache.thrift.async.AsyncMethodCallback<TListSentryPrivilegesByAuthUserResponse> resultHandler) throws TException {
+        iface.list_sentry_privileges_by_authorizable_and_user(args.request,resultHandler);
+      }
+    }
+
     public static class get_sentry_config_value<I extends AsyncIface> extends org.apache.thrift.AsyncProcessFunction<I, get_sentry_config_value_args, TSentryConfigValueResponse> {
       public get_sentry_config_value() {
         super("get_sentry_config_value");
@@ -16485,6 +16617,732 @@ public class SentryPolicyService {
 
   }
 
+  public static class list_sentry_privileges_by_authorizable_and_user_args implements org.apache.thrift.TBase<list_sentry_privileges_by_authorizable_and_user_args, list_sentry_privileges_by_authorizable_and_user_args._Fields>, java.io.Serializable, Cloneable, Comparable<list_sentry_privileges_by_authorizable_and_user_args>   {
+    private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("list_sentry_privileges_by_authorizable_and_user_args");
+
+    private static final org.apache.thrift.protocol.TField REQUEST_FIELD_DESC = new org.apache.thrift.protocol.TField("request", org.apache.thrift.protocol.TType.STRUCT, (short)1);
+
+    private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? extends IScheme>, SchemeFactory>();
+    static {
+      schemes.put(StandardScheme.class, new list_sentry_privileges_by_authorizable_and_user_argsStandardSchemeFactory());
+      schemes.put(TupleScheme.class, new list_sentry_privileges_by_authorizable_and_user_argsTupleSchemeFactory());
+    }
+
+    private TListSentryPrivilegesByAuthUserRequest request; // required
+
+    /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */
+    public enum _Fields implements org.apache.thrift.TFieldIdEnum {
+      REQUEST((short)1, "request");
+
+      private static final Map<String, _Fields> byName = new HashMap<String, _Fields>();
+
+      static {
+        for (_Fields field : EnumSet.allOf(_Fields.class)) {
+          byName.put(field.getFieldName(), field);
+        }
+      }
+
+      /**
+       * Find the _Fields constant that matches fieldId, or null if its not found.
+       */
+      public static _Fields findByThriftId(int fieldId) {
+        switch(fieldId) {
+          case 1: // REQUEST
+            return REQUEST;
+          default:
+            return null;
+        }
+      }
+
+      /**
+       * Find the _Fields constant that matches fieldId, throwing an exception
+       * if it is not found.
+       */
+      public static _Fields findByThriftIdOrThrow(int fieldId) {
+        _Fields fields = findByThriftId(fieldId);
+        if (fields == null) throw new IllegalArgumentException("Field " + fieldId + " doesn't exist!");
+        return fields;
+      }
+
+      /**
+       * Find the _Fields constant that matches name, or null if its not found.
+       */
+      public static _Fields findByName(String name) {
+        return byName.get(name);
+      }
+
+      private final short _thriftId;
+      private final String _fieldName;
+
+      _Fields(short thriftId, String fieldName) {
+        _thriftId = thriftId;
+        _fieldName = fieldName;
+      }
+
+      public short getThriftFieldId() {
+        return _thriftId;
+      }
+
+      public String getFieldName() {
+        return _fieldName;
+      }
+    }
+
+    // isset id assignments
+    public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap;
+    static {
+      Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class);
+      tmpMap.put(_Fields.REQUEST, new org.apache.thrift.meta_data.FieldMetaData("request", org.apache.thrift.TFieldRequirementType.DEFAULT, 
+          new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TListSentryPrivilegesByAuthUserRequest.class)));
+      metaDataMap = Collections.unmodifiableMap(tmpMap);
+      org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(list_sentry_privileges_by_authorizable_and_user_args.class, metaDataMap);
+    }
+
+    public list_sentry_privileges_by_authorizable_and_user_args() {
+    }
+
+    public list_sentry_privileges_by_authorizable_and_user_args(
+      TListSentryPrivilegesByAuthUserRequest request)
+    {
+      this();
+      this.request = request;
+    }
+
+    /**
+     * Performs a deep copy on <i>other</i>.
+     */
+    public list_sentry_privileges_by_authorizable_and_user_args(list_sentry_privileges_by_authorizable_and_user_args other) {
+      if (other.isSetRequest()) {
+        this.request = new TListSentryPrivilegesByAuthUserRequest(other.request);
+      }
+    }
+
+    public list_sentry_privileges_by_authorizable_and_user_args deepCopy() {
+      return new list_sentry_privileges_by_authorizable_and_user_args(this);
+    }
+
+    @Override
+    public void clear() {
+      this.request = null;
+    }
+
+    public TListSentryPrivilegesByAuthUserRequest getRequest() {
+      return this.request;
+    }
+
+    public void setRequest(TListSentryPrivilegesByAuthUserRequest request) {
+      this.request = request;
+    }
+
+    public void unsetRequest() {
+      this.request = null;
+    }
+
+    /** Returns true if field request is set (has been assigned a value) and false otherwise */
+    public boolean isSetRequest() {
+      return this.request != null;
+    }
+
+    public void setRequestIsSet(boolean value) {
+      if (!value) {
+        this.request = null;
+      }
+    }
+
+    public void setFieldValue(_Fields field, Object value) {
+      switch (field) {
+      case REQUEST:
+        if (value == null) {
+          unsetRequest();
+        } else {
+          setRequest((TListSentryPrivilegesByAuthUserRequest)value);
+        }
+        break;
+
+      }
+    }
+
+    public Object getFieldValue(_Fields field) {
+      switch (field) {
+      case REQUEST:
+        return getRequest();
+
+      }
+      throw new IllegalStateException();
+    }
+
+    /** Returns true if field corresponding to fieldID is set (has been assigned a value) and false otherwise */
+    public boolean isSet(_Fields field) {
+      if (field == null) {
+        throw new IllegalArgumentException();
+      }
+
+      switch (field) {
+      case REQUEST:
+        return isSetRequest();
+      }
+      throw new IllegalStateException();
+    }
+
+    @Override
+    public boolean equals(Object that) {
+      if (that == null)
+        return false;
+      if (that instanceof list_sentry_privileges_by_authorizable_and_user_args)
+        return this.equals((list_sentry_privileges_by_authorizable_and_user_args)that);
+      return false;
+    }
+
+    public boolean equals(list_sentry_privileges_by_authorizable_and_user_args that) {
+      if (that == null)
+        return false;
+
+      boolean this_present_request = true && this.isSetRequest();
+      boolean that_present_request = true && that.isSetRequest();
+      if (this_present_request || that_present_request) {
+        if (!(this_present_request && that_present_request))
+          return false;
+        if (!this.request.equals(that.request))
+          return false;
+      }
+
+      return true;
+    }
+
+    @Override
+    public int hashCode() {
+      List<Object> list = new ArrayList<Object>();
+
+      boolean present_request = true && (isSetRequest());
+      list.add(present_request);
+      if (present_request)
+        list.add(request);
+
+      return list.hashCode();
+    }
+
+    @Override
+    public int compareTo(list_sentry_privileges_by_authorizable_and_user_args other) {
+      if (!getClass().equals(other.getClass())) {
+        return getClass().getName().compareTo(other.getClass().getName());
+      }
+
+      int lastComparison = 0;
+
+      lastComparison = Boolean.valueOf(isSetRequest()).compareTo(other.isSetRequest());
+      if (lastComparison != 0) {
+        return lastComparison;
+      }
+      if (isSetRequest()) {
+        lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.request, other.request);
+        if (lastComparison != 0) {
+          return lastComparison;
+        }
+      }
+      return 0;
+    }
+
+    public _Fields fieldForId(int fieldId) {
+      return _Fields.findByThriftId(fieldId);
+    }
+
+    public void read(org.apache.thrift.protocol.TProtocol iprot) throws org.apache.thrift.TException {
+      schemes.get(iprot.getScheme()).getScheme().read(iprot, this);
+    }
+
+    public void write(org.apache.thrift.protocol.TProtocol oprot) throws org.apache.thrift.TException {
+      schemes.get(oprot.getScheme()).getScheme().write(oprot, this);
+    }
+
+    @Override
+    public String toString() {
+      StringBuilder sb = new StringBuilder("list_sentry_privileges_by_authorizable_and_user_args(");
+      boolean first = true;
+
+      sb.append("request:");
+      if (this.request == null) {
+        sb.append("null");
+      } else {
+        sb.append(this.request);
+      }
+      first = false;
+      sb.append(")");
+      return sb.toString();
+    }
+
+    public void validate() throws org.apache.thrift.TException {
+      // check for required fields
+      // check for sub-struct validity
+      if (request != null) {
+        request.validate();
+      }
+    }
+
+    private void writeObject(java.io.ObjectOutputStream out) throws java.io.IOException {
+      try {
+        write(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(out)));
+      } catch (org.apache.thrift.TException te) {
+        throw new java.io.IOException(te);
+      }
+    }
+
+    private void readObject(java.io.ObjectInputStream in) throws java.io.IOException, ClassNotFoundException {
+      try {
+        read(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(in)));
+      } catch (org.apache.thrift.TException te) {
+        throw new java.io.IOException(te);
+      }
+    }
+
+    private static class list_sentry_privileges_by_authorizable_and_user_argsStandardSchemeFactory implements SchemeFactory {
+      public list_sentry_privileges_by_authorizable_and_user_argsStandardScheme getScheme() {
+        return new list_sentry_privileges_by_authorizable_and_user_argsStandardScheme();
+      }
+    }
+
+    private static class list_sentry_privileges_by_authorizable_and_user_argsStandardScheme extends StandardScheme<list_sentry_privileges_by_authorizable_and_user_args> {
+
+      public void read(org.apache.thrift.protocol.TProtocol iprot, list_sentry_privileges_by_authorizable_and_user_args struct) throws org.apache.thrift.TException {
+        org.apache.thrift.protocol.TField schemeField;
+        iprot.readStructBegin();
+        while (true)
+        {
+          schemeField = iprot.readFieldBegin();
+          if (schemeField.type == org.apache.thrift.protocol.TType.STOP) { 
+            break;
+          }
+          switch (schemeField.id) {
+            case 1: // REQUEST
+              if (schemeField.type == org.apache.thrift.protocol.TType.STRUCT) {
+                struct.request = new TListSentryPrivilegesByAuthUserRequest();
+                struct.request.read(iprot);
+                struct.setRequestIsSet(true);
+              } else { 
+                org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+              }
+              break;
+            default:
+              org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+          }
+          iprot.readFieldEnd();
+        }
+        iprot.readStructEnd();
+        struct.validate();
+      }
+
+      public void write(org.apache.thrift.protocol.TProtocol oprot, list_sentry_privileges_by_authorizable_and_user_args struct) throws org.apache.thrift.TException {
+        struct.validate();
+
+        oprot.writeStructBegin(STRUCT_DESC);
+        if (struct.request != null) {
+          oprot.writeFieldBegin(REQUEST_FIELD_DESC);
+          struct.request.write(oprot);
+          oprot.writeFieldEnd();
+        }
+        oprot.writeFieldStop();
+        oprot.writeStructEnd();
+      }
+
+    }
+
+    private static class list_sentry_privileges_by_authorizable_and_user_argsTupleSchemeFactory implements SchemeFactory {
+      public list_sentry_privileges_by_authorizable_and_user_argsTupleScheme getScheme() {
+        return new list_sentry_privileges_by_authorizable_and_user_argsTupleScheme();
+      }
+    }
+
+    private static class list_sentry_privileges_by_authorizable_and_user_argsTupleScheme extends TupleScheme<list_sentry_privileges_by_authorizable_and_user_args> {
+
+      @Override
+      public void write(org.apache.thrift.protocol.TProtocol prot, list_sentry_privileges_by_authorizable_and_user_args struct) throws org.apache.thrift.TException {
+        TTupleProtocol oprot = (TTupleProtocol) prot;
+        BitSet optionals = new BitSet();
+        if (struct.isSetRequest()) {
+          optionals.set(0);
+        }
+        oprot.writeBitSet(optionals, 1);
+        if (struct.isSetRequest()) {
+          struct.request.write(oprot);
+        }
+      }
+
+      @Override
+      public void read(org.apache.thrift.protocol.TProtocol prot, list_sentry_privileges_by_authorizable_and_user_args struct) throws org.apache.thrift.TException {
+        TTupleProtocol iprot = (TTupleProtocol) prot;
+        BitSet incoming = iprot.readBitSet(1);
+        if (incoming.get(0)) {
+          struct.request = new TListSentryPrivilegesByAuthUserRequest();
+          struct.request.read(iprot);
+          struct.setRequestIsSet(true);
+        }
+      }
+    }
+
+  }
+
+  public static class list_sentry_privileges_by_authorizable_and_user_result implements org.apache.thrift.TBase<list_sentry_privileges_by_authorizable_and_user_result, list_sentry_privileges_by_authorizable_and_user_result._Fields>, java.io.Serializable, Cloneable, Comparable<list_sentry_privileges_by_authorizable_and_user_result>   {
+    private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("list_sentry_privileges_by_authorizable_and_user_result");
+
+    private static final org.apache.thrift.protocol.TField SUCCESS_FIELD_DESC = new org.apache.thrift.protocol.TField("success", org.apache.thrift.protocol.TType.STRUCT, (short)0);
+
+    private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? extends IScheme>, SchemeFactory>();
+    static {
+      schemes.put(StandardScheme.class, new list_sentry_privileges_by_authorizable_and_user_resultStandardSchemeFactory());
+      schemes.put(TupleScheme.class, new list_sentry_privileges_by_authorizable_and_user_resultTupleSchemeFactory());
+    }
+
+    private TListSentryPrivilegesByAuthUserResponse success; // required
+
+    /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */
+    public enum _Fields implements org.apache.thrift.TFieldIdEnum {
+      SUCCESS((short)0, "success");
+
+      private static final Map<String, _Fields> byName = new HashMap<String, _Fields>();
+
+      static {
+        for (_Fields field : EnumSet.allOf(_Fields.class)) {
+          byName.put(field.getFieldName(), field);
+        }
+      }
+
+      /**
+       * Find the _Fields constant that matches fieldId, or null if its not found.
+       */
+      public static _Fields findByThriftId(int fieldId) {
+        switch(fieldId) {
+          case 0: // SUCCESS
+            return SUCCESS;
+          default:
+            return null;
+        }
+      }
+
+      /**
+       * Find the _Fields constant that matches fieldId, throwing an exception
+       * if it is not found.
+       */
+      public static _Fields findByThriftIdOrThrow(int fieldId) {
+        _Fields fields = findByThriftId(fieldId);
+        if (fields == null) throw new IllegalArgumentException("Field " + fieldId + " doesn't exist!");
+        return fields;
+      }
+
+      /**
+       * Find the _Fields constant that matches name, or null if its not found.
+       */
+      public static _Fields findByName(String name) {
+        return byName.get(name);
+      }
+
+      private final short _thriftId;
+      private final String _fieldName;
+
+      _Fields(short thriftId, String fieldName) {
+        _thriftId = thriftId;
+        _fieldName = fieldName;
+      }
+
+      public short getThriftFieldId() {
+        return _thriftId;
+      }
+
+      public String getFieldName() {
+        return _fieldName;
+      }
+    }
+
+    // isset id assignments
+    public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap;
+    static {
+      Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class);
+      tmpMap.put(_Fields.SUCCESS, new org.apache.thrift.meta_data.FieldMetaData("success", org.apache.thrift.TFieldRequirementType.DEFAULT, 
+          new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TListSentryPrivilegesByAuthUserResponse.class)));
+      metaDataMap = Collections.unmodifiableMap(tmpMap);
+      org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(list_sentry_privileges_by_authorizable_and_user_result.class, metaDataMap);
+    }
+
+    public list_sentry_privileges_by_authorizable_and_user_result() {
+    }
+
+    public list_sentry_privileges_by_authorizable_and_user_result(
+      TListSentryPrivilegesByAuthUserResponse success)
+    {
+      this();
+      this.success = success;
+    }
+
+    /**
+     * Performs a deep copy on <i>other</i>.
+     */
+    public list_sentry_privileges_by_authorizable_and_user_result(list_sentry_privileges_by_authorizable_and_user_result other) {
+      if (other.isSetSuccess()) {
+        this.success = new TListSentryPrivilegesByAuthUserResponse(other.success);
+      }
+    }
+
+    public list_sentry_privileges_by_authorizable_and_user_result deepCopy() {
+      return new list_sentry_privileges_by_authorizable_and_user_result(this);
+    }
+
+    @Override
+    public void clear() {
+      this.success = null;
+    }
+
+    public TListSentryPrivilegesByAuthUserResponse getSuccess() {
+      return this.success;
+    }
+
+    public void setSuccess(TListSentryPrivilegesByAuthUserResponse success) {
+      this.success = success;
+    }
+
+    public void unsetSuccess() {
+      this.success = null;
+    }
+
+    /** Returns true if field success is set (has been assigned a value) and false otherwise */
+    public boolean isSetSuccess() {
+      return this.success != null;
+    }
+
+    public void setSuccessIsSet(boolean value) {
+      if (!value) {
+        this.success = null;
+      }
+    }
+
+    public void setFieldValue(_Fields field, Object value) {
+      switch (field) {
+      case SUCCESS:
+        if (value == null) {
+          unsetSuccess();
+        } else {
+          setSuccess((TListSentryPrivilegesByAuthUserResponse)value);
+        }
+        break;
+
+      }
+    }
+
+    public Object getFieldValue(_Fields field) {
+      switch (field) {
+      case SUCCESS:
+        return getSuccess();
+
+      }
+      throw new IllegalStateException();
+    }
+
+    /** Returns true if field corresponding to fieldID is set (has been assigned a value) and false otherwise */
+    public boolean isSet(_Fields field) {
+      if (field == null) {
+        throw new IllegalArgumentException();
+      }
+
+      switch (field) {
+      case SUCCESS:
+        return isSetSuccess();
+      }
+      throw new IllegalStateException();
+    }
+
+    @Override
+    public boolean equals(Object that) {
+      if (that == null)
+        return false;
+      if (that instanceof list_sentry_privileges_by_authorizable_and_user_result)
+        return this.equals((list_sentry_privileges_by_authorizable_and_user_result)that);
+      return false;
+    }
+
+    public boolean equals(list_sentry_privileges_by_authorizable_and_user_result that) {
+      if (that == null)
+        return false;
+
+      boolean this_present_success = true && this.isSetSuccess();
+      boolean that_present_success = true && that.isSetSuccess();
+      if (this_present_success || that_present_success) {
+        if (!(this_present_success && that_present_success))
+          return false;
+        if (!this.success.equals(that.success))
+          return false;
+      }
+
+      return true;
+    }
+
+    @Override
+    public int hashCode() {
+      List<Object> list = new ArrayList<Object>();
+
+      boolean present_success = true && (isSetSuccess());
+      list.add(present_success);
+      if (present_success)
+        list.add(success);
+
+      return list.hashCode();
+    }
+
+    @Override
+    public int compareTo(list_sentry_privileges_by_authorizable_and_user_result other) {
+      if (!getClass().equals(other.getClass())) {
+        return getClass().getName().compareTo(other.getClass().getName());
+      }
+
+      int lastComparison = 0;
+
+      lastComparison = Boolean.valueOf(isSetSuccess()).compareTo(other.isSetSuccess());
+      if (lastComparison != 0) {
+        return lastComparison;
+      }
+      if (isSetSuccess()) {
+        lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.success, other.success);
+        if (lastComparison != 0) {
+          return lastComparison;
+        }
+      }
+      return 0;
+    }
+
+    public _Fields fieldForId(int fieldId) {
+      return _Fields.findByThriftId(fieldId);
+    }
+
+    public void read(org.apache.thrift.protocol.TProtocol iprot) throws org.apache.thrift.TException {
+      schemes.get(iprot.getScheme()).getScheme().read(iprot, this);
+    }
+
+    public void write(org.apache.thrift.protocol.TProtocol oprot) throws org.apache.thrift.TException {
+      schemes.get(oprot.getScheme()).getScheme().write(oprot, this);
+      }
+
+    @Override
+    public String toString() {
+      StringBuilder sb = new StringBuilder("list_sentry_privileges_by_authorizable_and_user_result(");
+      boolean first = true;
+
+      sb.append("success:");
+      if (this.success == null) {
+        sb.append("null");
+      } else {
+        sb.append(this.success);
+      }
+      first = false;
+      sb.append(")");
+      return sb.toString();
+    }
+
+    public void validate() throws org.apache.thrift.TException {
+      // check for required fields
+      // check for sub-struct validity
+      if (success != null) {
+        success.validate();
+      }
+    }
+
+    private void writeObject(java.io.ObjectOutputStream out) throws java.io.IOException {
+      try {
+        write(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(out)));
+      } catch (org.apache.thrift.TException te) {
+        throw new java.io.IOException(te);
+      }
+    }
+
+    private void readObject(java.io.ObjectInputStream in) throws java.io.IOException, ClassNotFoundException {
+      try {
+        read(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(in)));
+      } catch (org.apache.thrift.TException te) {
+        throw new java.io.IOException(te);
+      }
+    }
+
+    private static class list_sentry_privileges_by_authorizable_and_user_resultStandardSchemeFactory implements SchemeFactory {
+      public list_sentry_privileges_by_authorizable_and_user_resultStandardScheme getScheme() {
+        return new list_sentry_privileges_by_authorizable_and_user_resultStandardScheme();
+      }
+    }
+
+    private static class list_sentry_privileges_by_authorizable_and_user_resultStandardScheme extends StandardScheme<list_sentry_privileges_by_authorizable_and_user_result> {
+
+      public void read(org.apache.thrift.protocol.TProtocol iprot, list_sentry_privileges_by_authorizable_and_user_result struct) throws org.apache.thrift.TException {
+        org.apache.thrift.protocol.TField schemeField;
+        iprot.readStructBegin();
+        while (true)
+        {
+          schemeField = iprot.readFieldBegin();
+          if (schemeField.type == org.apache.thrift.protocol.TType.STOP) { 
+            break;
+          }
+          switch (schemeField.id) {
+            case 0: // SUCCESS
+              if (schemeField.type == org.apache.thrift.protocol.TType.STRUCT) {
+                struct.success = new TListSentryPrivilegesByAuthUserResponse();
+                struct.success.read(iprot);
+                struct.setSuccessIsSet(true);
+              } else { 
+                org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+              }
+              break;
+            default:
+              org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+          }
+          iprot.readFieldEnd();
+        }
+        iprot.readStructEnd();
+        struct.validate();
+      }
+
+      public void write(org.apache.thrift.protocol.TProtocol oprot, list_sentry_privileges_by_authorizable_and_user_result struct) throws org.apache.thrift.TException {
+        struct.validate();
+
+        oprot.writeStructBegin(STRUCT_DESC);
+        if (struct.success != null) {
+          oprot.writeFieldBegin(SUCCESS_FIELD_DESC);
+          struct.success.write(oprot);
+          oprot.writeFieldEnd();
+        }
+        oprot.writeFieldStop();
+        oprot.writeStructEnd();
+      }
+
+    }
+
+    private static class list_sentry_privileges_by_authorizable_and_user_resultTupleSchemeFactory implements SchemeFactory {
+      public list_sentry_privileges_by_authorizable_and_user_resultTupleScheme getScheme() {
+        return new list_sentry_privileges_by_authorizable_and_user_resultTupleScheme();
+      }
+    }
+
+    private static class list_sentry_privileges_by_authorizable_and_user_resultTupleScheme extends TupleScheme<list_sentry_privileges_by_authorizable_and_user_result> {
+
+      @Override
+      public void write(org.apache.thrift.protocol.TProtocol prot, list_sentry_privileges_by_authorizable_and_user_result struct) throws org.apache.thrift.TException {
+        TTupleProtocol oprot = (TTupleProtocol) prot;
+        BitSet optionals = new BitSet();
+        if (struct.isSetSuccess()) {
+          optionals.set(0);
+        }
+        oprot.writeBitSet(optionals, 1);
+        if (struct.isSetSuccess()) {
+          struct.success.write(oprot);
+        }
+      }
+
+      @Override
+      public void read(org.apache.thrift.protocol.TProtocol prot, list_sentry_privileges_by_authorizable_and_user_result struct) throws org.apache.thrift.TException {
+        TTupleProtocol iprot = (TTupleProtocol) prot;
+        BitSet incoming = iprot.readBitSet(1);
+        if (incoming.get(0)) {
+          struct.success = new TListSentryPrivilegesByAuthUserResponse();
+          struct.success.read(iprot);
+          struct.setSuccessIsSet(true);
+        }
+      }
+    }
+
+  }
+
   public static class get_sentry_config_value_args implements org.apache.thrift.TBase<get_sentry_config_value_args, get_sentry_config_value_args._Fields>, java.io.Serializable, Cloneable, Comparable<get_sentry_config_value_args>   {
     private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("get_sentry_config_value_args");
 
diff --git a/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/TListSentryPrivilegesByAuthUserRequest.java b/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/TListSentryPrivilegesByAuthUserRequest.java
new file mode 100644
index 0000000..62c0210
--- /dev/null
+++ b/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/TListSentryPrivilegesByAuthUserRequest.java
@@ -0,0 +1,746 @@
+/**
+ * Autogenerated by Thrift Compiler (0.9.3)
+ *
+ * DO NOT EDIT UNLESS YOU ARE SURE THAT YOU KNOW WHAT YOU ARE DOING
+ *  @generated
+ */
+package org.apache.sentry.api.service.thrift;
+
+import org.apache.thrift.scheme.IScheme;
+import org.apache.thrift.scheme.SchemeFactory;
+import org.apache.thrift.scheme.StandardScheme;
+
+import org.apache.thrift.scheme.TupleScheme;
+import org.apache.thrift.protocol.TTupleProtocol;
+import org.apache.thrift.protocol.TProtocolException;
+import org.apache.thrift.EncodingUtils;
+import org.apache.thrift.TException;
+import org.apache.thrift.async.AsyncMethodCallback;
+import org.apache.thrift.server.AbstractNonblockingServer.*;
+import java.util.List;
+import java.util.ArrayList;
+import java.util.Map;
+import java.util.HashMap;
+import java.util.EnumMap;
+import java.util.Set;
+import java.util.HashSet;
+import java.util.EnumSet;
+import java.util.Collections;
+import java.util.BitSet;
+import java.nio.ByteBuffer;
+import java.util.Arrays;
+import javax.annotation.Generated;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+@SuppressWarnings({"cast", "rawtypes", "serial", "unchecked"})
+@Generated(value = "Autogenerated by Thrift Compiler (0.9.3)")
+public class TListSentryPrivilegesByAuthUserRequest implements org.apache.thrift.TBase<TListSentryPrivilegesByAuthUserRequest, TListSentryPrivilegesByAuthUserRequest._Fields>, java.io.Serializable, Cloneable, Comparable<TListSentryPrivilegesByAuthUserRequest> {
+  private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("TListSentryPrivilegesByAuthUserRequest");
+
+  private static final org.apache.thrift.protocol.TField PROTOCOL_VERSION_FIELD_DESC = new org.apache.thrift.protocol.TField("protocol_version", org.apache.thrift.protocol.TType.I32, (short)1);
+  private static final org.apache.thrift.protocol.TField REQUESTOR_USER_NAME_FIELD_DESC = new org.apache.thrift.protocol.TField("requestorUserName", org.apache.thrift.protocol.TType.STRING, (short)2);
+  private static final org.apache.thrift.protocol.TField AUTHORIZABLE_SET_FIELD_DESC = new org.apache.thrift.protocol.TField("authorizableSet", org.apache.thrift.protocol.TType.SET, (short)3);
+  private static final org.apache.thrift.protocol.TField USER_FIELD_DESC = new org.apache.thrift.protocol.TField("user", org.apache.thrift.protocol.TType.STRING, (short)4);
+
+  private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? extends IScheme>, SchemeFactory>();
+  static {
+    schemes.put(StandardScheme.class, new TListSentryPrivilegesByAuthUserRequestStandardSchemeFactory());
+    schemes.put(TupleScheme.class, new TListSentryPrivilegesByAuthUserRequestTupleSchemeFactory());
+  }
+
+  private int protocol_version; // required
+  private String requestorUserName; // required
+  private Set<TSentryAuthorizable> authorizableSet; // required
+  private String user; // required
+
+  /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */
+  public enum _Fields implements org.apache.thrift.TFieldIdEnum {
+    PROTOCOL_VERSION((short)1, "protocol_version"),
+    REQUESTOR_USER_NAME((short)2, "requestorUserName"),
+    AUTHORIZABLE_SET((short)3, "authorizableSet"),
+    USER((short)4, "user");
+
+    private static final Map<String, _Fields> byName = new HashMap<String, _Fields>();
+
+    static {
+      for (_Fields field : EnumSet.allOf(_Fields.class)) {
+        byName.put(field.getFieldName(), field);
+      }
+    }
+
+    /**
+     * Find the _Fields constant that matches fieldId, or null if its not found.
+     */
+    public static _Fields findByThriftId(int fieldId) {
+      switch(fieldId) {
+        case 1: // PROTOCOL_VERSION
+          return PROTOCOL_VERSION;
+        case 2: // REQUESTOR_USER_NAME
+          return REQUESTOR_USER_NAME;
+        case 3: // AUTHORIZABLE_SET
+          return AUTHORIZABLE_SET;
+        case 4: // USER
+          return USER;
+        default:
+          return null;
+      }
+    }
+
+    /**
+     * Find the _Fields constant that matches fieldId, throwing an exception
+     * if it is not found.
+     */
+    public static _Fields findByThriftIdOrThrow(int fieldId) {
+      _Fields fields = findByThriftId(fieldId);
+      if (fields == null) throw new IllegalArgumentException("Field " + fieldId + " doesn't exist!");
+      return fields;
+    }
+
+    /**
+     * Find the _Fields constant that matches name, or null if its not found.
+     */
+    public static _Fields findByName(String name) {
+      return byName.get(name);
+    }
+
+    private final short _thriftId;
+    private final String _fieldName;
+
+    _Fields(short thriftId, String fieldName) {
+      _thriftId = thriftId;
+      _fieldName = fieldName;
+    }
+
+    public short getThriftFieldId() {
+      return _thriftId;
+    }
+
+    public String getFieldName() {
+      return _fieldName;
+    }
+  }
+
+  // isset id assignments
+  private static final int __PROTOCOL_VERSION_ISSET_ID = 0;
+  private byte __isset_bitfield = 0;
+  public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap;
+  static {
+    Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class);
+    tmpMap.put(_Fields.PROTOCOL_VERSION, new org.apache.thrift.meta_data.FieldMetaData("protocol_version", org.apache.thrift.TFieldRequirementType.REQUIRED, 
+        new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.I32)));
+    tmpMap.put(_Fields.REQUESTOR_USER_NAME, new org.apache.thrift.meta_data.FieldMetaData("requestorUserName", org.apache.thrift.TFieldRequirementType.REQUIRED, 
+        new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING)));
+    tmpMap.put(_Fields.AUTHORIZABLE_SET, new org.apache.thrift.meta_data.FieldMetaData("authorizableSet", org.apache.thrift.TFieldRequirementType.REQUIRED, 
+        new org.apache.thrift.meta_data.SetMetaData(org.apache.thrift.protocol.TType.SET, 
+            new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TSentryAuthorizable.class))));
+    tmpMap.put(_Fields.USER, new org.apache.thrift.meta_data.FieldMetaData("user", org.apache.thrift.TFieldRequirementType.REQUIRED, 
+        new org.apache.thrift.meta_data.FieldValueMetaData(org.apache.thrift.protocol.TType.STRING)));
+    metaDataMap = Collections.unmodifiableMap(tmpMap);
+    org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(TListSentryPrivilegesByAuthUserRequest.class, metaDataMap);
+  }
+
+  public TListSentryPrivilegesByAuthUserRequest() {
+    this.protocol_version = 2;
+
+  }
+
+  public TListSentryPrivilegesByAuthUserRequest(
+    int protocol_version,
+    String requestorUserName,
+    Set<TSentryAuthorizable> authorizableSet,
+    String user)
+  {
+    this();
+    this.protocol_version = protocol_version;
+    setProtocol_versionIsSet(true);
+    this.requestorUserName = requestorUserName;
+    this.authorizableSet = authorizableSet;
+    this.user = user;
+  }
+
+  /**
+   * Performs a deep copy on <i>other</i>.
+   */
+  public TListSentryPrivilegesByAuthUserRequest(TListSentryPrivilegesByAuthUserRequest other) {
+    __isset_bitfield = other.__isset_bitfield;
+    this.protocol_version = other.protocol_version;
+    if (other.isSetRequestorUserName()) {
+      this.requestorUserName = other.requestorUserName;
+    }
+    if (other.isSetAuthorizableSet()) {
+      Set<TSentryAuthorizable> __this__authorizableSet = new HashSet<TSentryAuthorizable>(other.authorizableSet.size());
+      for (TSentryAuthorizable other_element : other.authorizableSet) {
+        __this__authorizableSet.add(new TSentryAuthorizable(other_element));
+      }
+      this.authorizableSet = __this__authorizableSet;
+    }
+    if (other.isSetUser()) {
+      this.user = other.user;
+    }
+  }
+
+  public TListSentryPrivilegesByAuthUserRequest deepCopy() {
+    return new TListSentryPrivilegesByAuthUserRequest(this);
+  }
+
+  @Override
+  public void clear() {
+    this.protocol_version = 2;
+
+    this.requestorUserName = null;
+    this.authorizableSet = null;
+    this.user = null;
+  }
+
+  public int getProtocol_version() {
+    return this.protocol_version;
+  }
+
+  public void setProtocol_version(int protocol_version) {
+    this.protocol_version = protocol_version;
+    setProtocol_versionIsSet(true);
+  }
+
+  public void unsetProtocol_version() {
+    __isset_bitfield = EncodingUtils.clearBit(__isset_bitfield, __PROTOCOL_VERSION_ISSET_ID);
+  }
+
+  /** Returns true if field protocol_version is set (has been assigned a value) and false otherwise */
+  public boolean isSetProtocol_version() {
+    return EncodingUtils.testBit(__isset_bitfield, __PROTOCOL_VERSION_ISSET_ID);
+  }
+
+  public void setProtocol_versionIsSet(boolean value) {
+    __isset_bitfield = EncodingUtils.setBit(__isset_bitfield, __PROTOCOL_VERSION_ISSET_ID, value);
+  }
+
+  public String getRequestorUserName() {
+    return this.requestorUserName;
+  }
+
+  public void setRequestorUserName(String requestorUserName) {
+    this.requestorUserName = requestorUserName;
+  }
+
+  public void unsetRequestorUserName() {
+    this.requestorUserName = null;
+  }
+
+  /** Returns true if field requestorUserName is set (has been assigned a value) and false otherwise */
+  public boolean isSetRequestorUserName() {
+    return this.requestorUserName != null;
+  }
+
+  public void setRequestorUserNameIsSet(boolean value) {
+    if (!value) {
+      this.requestorUserName = null;
+    }
+  }
+
+  public int getAuthorizableSetSize() {
+    return (this.authorizableSet == null) ? 0 : this.authorizableSet.size();
+  }
+
+  public java.util.Iterator<TSentryAuthorizable> getAuthorizableSetIterator() {
+    return (this.authorizableSet == null) ? null : this.authorizableSet.iterator();
+  }
+
+  public void addToAuthorizableSet(TSentryAuthorizable elem) {
+    if (this.authorizableSet == null) {
+      this.authorizableSet = new HashSet<TSentryAuthorizable>();
+    }
+    this.authorizableSet.add(elem);
+  }
+
+  public Set<TSentryAuthorizable> getAuthorizableSet() {
+    return this.authorizableSet;
+  }
+
+  public void setAuthorizableSet(Set<TSentryAuthorizable> authorizableSet) {
+    this.authorizableSet = authorizableSet;
+  }
+
+  public void unsetAuthorizableSet() {
+    this.authorizableSet = null;
+  }
+
+  /** Returns true if field authorizableSet is set (has been assigned a value) and false otherwise */
+  public boolean isSetAuthorizableSet() {
+    return this.authorizableSet != null;
+  }
+
+  public void setAuthorizableSetIsSet(boolean value) {
+    if (!value) {
+      this.authorizableSet = null;
+    }
+  }
+
+  public String getUser() {
+    return this.user;
+  }
+
+  public void setUser(String user) {
+    this.user = user;
+  }
+
+  public void unsetUser() {
+    this.user = null;
+  }
+
+  /** Returns true if field user is set (has been assigned a value) and false otherwise */
+  public boolean isSetUser() {
+    return this.user != null;
+  }
+
+  public void setUserIsSet(boolean value) {
+    if (!value) {
+      this.user = null;
+    }
+  }
+
+  public void setFieldValue(_Fields field, Object value) {
+    switch (field) {
+    case PROTOCOL_VERSION:
+      if (value == null) {
+        unsetProtocol_version();
+      } else {
+        setProtocol_version((Integer)value);
+      }
+      break;
+
+    case REQUESTOR_USER_NAME:
+      if (value == null) {
+        unsetRequestorUserName();
+      } else {
+        setRequestorUserName((String)value);
+      }
+      break;
+
+    case AUTHORIZABLE_SET:
+      if (value == null) {
+        unsetAuthorizableSet();
+      } else {
+        setAuthorizableSet((Set<TSentryAuthorizable>)value);
+      }
+      break;
+
+    case USER:
+      if (value == null) {
+        unsetUser();
+      } else {
+        setUser((String)value);
+      }
+      break;
+
+    }
+  }
+
+  public Object getFieldValue(_Fields field) {
+    switch (field) {
+    case PROTOCOL_VERSION:
+      return getProtocol_version();
+
+    case REQUESTOR_USER_NAME:
+      return getRequestorUserName();
+
+    case AUTHORIZABLE_SET:
+      return getAuthorizableSet();
+
+    case USER:
+      return getUser();
+
+    }
+    throw new IllegalStateException();
+  }
+
+  /** Returns true if field corresponding to fieldID is set (has been assigned a value) and false otherwise */
+  public boolean isSet(_Fields field) {
+    if (field == null) {
+      throw new IllegalArgumentException();
+    }
+
+    switch (field) {
+    case PROTOCOL_VERSION:
+      return isSetProtocol_version();
+    case REQUESTOR_USER_NAME:
+      return isSetRequestorUserName();
+    case AUTHORIZABLE_SET:
+      return isSetAuthorizableSet();
+    case USER:
+      return isSetUser();
+    }
+    throw new IllegalStateException();
+  }
+
+  @Override
+  public boolean equals(Object that) {
+    if (that == null)
+      return false;
+    if (that instanceof TListSentryPrivilegesByAuthUserRequest)
+      return this.equals((TListSentryPrivilegesByAuthUserRequest)that);
+    return false;
+  }
+
+  public boolean equals(TListSentryPrivilegesByAuthUserRequest that) {
+    if (that == null)
+      return false;
+
+    boolean this_present_protocol_version = true;
+    boolean that_present_protocol_version = true;
+    if (this_present_protocol_version || that_present_protocol_version) {
+      if (!(this_present_protocol_version && that_present_protocol_version))
+        return false;
+      if (this.protocol_version != that.protocol_version)
+        return false;
+    }
+
+    boolean this_present_requestorUserName = true && this.isSetRequestorUserName();
+    boolean that_present_requestorUserName = true && that.isSetRequestorUserName();
+    if (this_present_requestorUserName || that_present_requestorUserName) {
+      if (!(this_present_requestorUserName && that_present_requestorUserName))
+        return false;
+      if (!this.requestorUserName.equals(that.requestorUserName))
+        return false;
+    }
+
+    boolean this_present_authorizableSet = true && this.isSetAuthorizableSet();
+    boolean that_present_authorizableSet = true && that.isSetAuthorizableSet();
+    if (this_present_authorizableSet || that_present_authorizableSet) {
+      if (!(this_present_authorizableSet && that_present_authorizableSet))
+        return false;
+      if (!this.authorizableSet.equals(that.authorizableSet))
+        return false;
+    }
+
+    boolean this_present_user = true && this.isSetUser();
+    boolean that_present_user = true && that.isSetUser();
+    if (this_present_user || that_present_user) {
+      if (!(this_present_user && that_present_user))
+        return false;
+      if (!this.user.equals(that.user))
+        return false;
+    }
+
+    return true;
+  }
+
+  @Override
+  public int hashCode() {
+    List<Object> list = new ArrayList<Object>();
+
+    boolean present_protocol_version = true;
+    list.add(present_protocol_version);
+    if (present_protocol_version)
+      list.add(protocol_version);
+
+    boolean present_requestorUserName = true && (isSetRequestorUserName());
+    list.add(present_requestorUserName);
+    if (present_requestorUserName)
+      list.add(requestorUserName);
+
+    boolean present_authorizableSet = true && (isSetAuthorizableSet());
+    list.add(present_authorizableSet);
+    if (present_authorizableSet)
+      list.add(authorizableSet);
+
+    boolean present_user = true && (isSetUser());
+    list.add(present_user);
+    if (present_user)
+      list.add(user);
+
+    return list.hashCode();
+  }
+
+  @Override
+  public int compareTo(TListSentryPrivilegesByAuthUserRequest other) {
+    if (!getClass().equals(other.getClass())) {
+      return getClass().getName().compareTo(other.getClass().getName());
+    }
+
+    int lastComparison = 0;
+
+    lastComparison = Boolean.valueOf(isSetProtocol_version()).compareTo(other.isSetProtocol_version());
+    if (lastComparison != 0) {
+      return lastComparison;
+    }
+    if (isSetProtocol_version()) {
+      lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.protocol_version, other.protocol_version);
+      if (lastComparison != 0) {
+        return lastComparison;
+      }
+    }
+    lastComparison = Boolean.valueOf(isSetRequestorUserName()).compareTo(other.isSetRequestorUserName());
+    if (lastComparison != 0) {
+      return lastComparison;
+    }
+    if (isSetRequestorUserName()) {
+      lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.requestorUserName, other.requestorUserName);
+      if (lastComparison != 0) {
+        return lastComparison;
+      }
+    }
+    lastComparison = Boolean.valueOf(isSetAuthorizableSet()).compareTo(other.isSetAuthorizableSet());
+    if (lastComparison != 0) {
+      return lastComparison;
+    }
+    if (isSetAuthorizableSet()) {
+      lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.authorizableSet, other.authorizableSet);
+      if (lastComparison != 0) {
+        return lastComparison;
+      }
+    }
+    lastComparison = Boolean.valueOf(isSetUser()).compareTo(other.isSetUser());
+    if (lastComparison != 0) {
+      return lastComparison;
+    }
+    if (isSetUser()) {
+      lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.user, other.user);
+      if (lastComparison != 0) {
+        return lastComparison;
+      }
+    }
+    return 0;
+  }
+
+  public _Fields fieldForId(int fieldId) {
+    return _Fields.findByThriftId(fieldId);
+  }
+
+  public void read(org.apache.thrift.protocol.TProtocol iprot) throws org.apache.thrift.TException {
+    schemes.get(iprot.getScheme()).getScheme().read(iprot, this);
+  }
+
+  public void write(org.apache.thrift.protocol.TProtocol oprot) throws org.apache.thrift.TException {
+    schemes.get(oprot.getScheme()).getScheme().write(oprot, this);
+  }
+
+  @Override
+  public String toString() {
+    StringBuilder sb = new StringBuilder("TListSentryPrivilegesByAuthUserRequest(");
+    boolean first = true;
+
+    sb.append("protocol_version:");
+    sb.append(this.protocol_version);
+    first = false;
+    if (!first) sb.append(", ");
+    sb.append("requestorUserName:");
+    if (this.requestorUserName == null) {
+      sb.append("null");
+    } else {
+      sb.append(this.requestorUserName);
+    }
+    first = false;
+    if (!first) sb.append(", ");
+    sb.append("authorizableSet:");
+    if (this.authorizableSet == null) {
+      sb.append("null");
+    } else {
+      sb.append(this.authorizableSet);
+    }
+    first = false;
+    if (!first) sb.append(", ");
+    sb.append("user:");
+    if (this.user == null) {
+      sb.append("null");
+    } else {
+      sb.append(this.user);
+    }
+    first = false;
+    sb.append(")");
+    return sb.toString();
+  }
+
+  public void validate() throws org.apache.thrift.TException {
+    // check for required fields
+    if (!isSetProtocol_version()) {
+      throw new org.apache.thrift.protocol.TProtocolException("Required field 'protocol_version' is unset! Struct:" + toString());
+    }
+
+    if (!isSetRequestorUserName()) {
+      throw new org.apache.thrift.protocol.TProtocolException("Required field 'requestorUserName' is unset! Struct:" + toString());
+    }
+
+    if (!isSetAuthorizableSet()) {
+      throw new org.apache.thrift.protocol.TProtocolException("Required field 'authorizableSet' is unset! Struct:" + toString());
+    }
+
+    if (!isSetUser()) {
+      throw new org.apache.thrift.protocol.TProtocolException("Required field 'user' is unset! Struct:" + toString());
+    }
+
+    // check for sub-struct validity
+  }
+
+  private void writeObject(java.io.ObjectOutputStream out) throws java.io.IOException {
+    try {
+      write(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(out)));
+    } catch (org.apache.thrift.TException te) {
+      throw new java.io.IOException(te);
+    }
+  }
+
+  private void readObject(java.io.ObjectInputStream in) throws java.io.IOException, ClassNotFoundException {
+    try {
+      // it doesn't seem like you should have to do this, but java serialization is wacky, and doesn't call the default constructor.
+      __isset_bitfield = 0;
+      read(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(in)));
+    } catch (org.apache.thrift.TException te) {
+      throw new java.io.IOException(te);
+    }
+  }
+
+  private static class TListSentryPrivilegesByAuthUserRequestStandardSchemeFactory implements SchemeFactory {
+    public TListSentryPrivilegesByAuthUserRequestStandardScheme getScheme() {
+      return new TListSentryPrivilegesByAuthUserRequestStandardScheme();
+    }
+  }
+
+  private static class TListSentryPrivilegesByAuthUserRequestStandardScheme extends StandardScheme<TListSentryPrivilegesByAuthUserRequest> {
+
+    public void read(org.apache.thrift.protocol.TProtocol iprot, TListSentryPrivilegesByAuthUserRequest struct) throws org.apache.thrift.TException {
+      org.apache.thrift.protocol.TField schemeField;
+      iprot.readStructBegin();
+      while (true)
+      {
+        schemeField = iprot.readFieldBegin();
+        if (schemeField.type == org.apache.thrift.protocol.TType.STOP) { 
+          break;
+        }
+        switch (schemeField.id) {
+          case 1: // PROTOCOL_VERSION
+            if (schemeField.type == org.apache.thrift.protocol.TType.I32) {
+              struct.protocol_version = iprot.readI32();
+              struct.setProtocol_versionIsSet(true);
+            } else { 
+              org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+            }
+            break;
+          case 2: // REQUESTOR_USER_NAME
+            if (schemeField.type == org.apache.thrift.protocol.TType.STRING) {
+              struct.requestorUserName = iprot.readString();
+              struct.setRequestorUserNameIsSet(true);
+            } else { 
+              org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+            }
+            break;
+          case 3: // AUTHORIZABLE_SET
+            if (schemeField.type == org.apache.thrift.protocol.TType.SET) {
+              {
+                org.apache.thrift.protocol.TSet _set174 = iprot.readSetBegin();
+                struct.authorizableSet = new HashSet<TSentryAuthorizable>(2*_set174.size);
+                TSentryAuthorizable _elem175;
+                for (int _i176 = 0; _i176 < _set174.size; ++_i176)
+                {
+                  _elem175 = new TSentryAuthorizable();
+                  _elem175.read(iprot);
+                  struct.authorizableSet.add(_elem175);
+                }
+                iprot.readSetEnd();
+              }
+              struct.setAuthorizableSetIsSet(true);
+            } else { 
+              org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+            }
+            break;
+          case 4: // USER
+            if (schemeField.type == org.apache.thrift.protocol.TType.STRING) {
+              struct.user = iprot.readString();
+              struct.setUserIsSet(true);
+            } else { 
+              org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+            }
+            break;
+          default:
+            org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+        }
+        iprot.readFieldEnd();
+      }
+      iprot.readStructEnd();
+      struct.validate();
+    }
+
+    public void write(org.apache.thrift.protocol.TProtocol oprot, TListSentryPrivilegesByAuthUserRequest struct) throws org.apache.thrift.TException {
+      struct.validate();
+
+      oprot.writeStructBegin(STRUCT_DESC);
+      oprot.writeFieldBegin(PROTOCOL_VERSION_FIELD_DESC);
+      oprot.writeI32(struct.protocol_version);
+      oprot.writeFieldEnd();
+      if (struct.requestorUserName != null) {
+        oprot.writeFieldBegin(REQUESTOR_USER_NAME_FIELD_DESC);
+        oprot.writeString(struct.requestorUserName);
+        oprot.writeFieldEnd();
+      }
+      if (struct.authorizableSet != null) {
+        oprot.writeFieldBegin(AUTHORIZABLE_SET_FIELD_DESC);
+        {
+          oprot.writeSetBegin(new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, struct.authorizableSet.size()));
+          for (TSentryAuthorizable _iter177 : struct.authorizableSet)
+          {
+            _iter177.write(oprot);
+          }
+          oprot.writeSetEnd();
+        }
+        oprot.writeFieldEnd();
+      }
+      if (struct.user != null) {
+        oprot.writeFieldBegin(USER_FIELD_DESC);
+        oprot.writeString(struct.user);
+        oprot.writeFieldEnd();
+      }
+      oprot.writeFieldStop();
+      oprot.writeStructEnd();
+    }
+
+  }
+
+  private static class TListSentryPrivilegesByAuthUserRequestTupleSchemeFactory implements SchemeFactory {
+    public TListSentryPrivilegesByAuthUserRequestTupleScheme getScheme() {
+      return new TListSentryPrivilegesByAuthUserRequestTupleScheme();
+    }
+  }
+
+  private static class TListSentryPrivilegesByAuthUserRequestTupleScheme extends TupleScheme<TListSentryPrivilegesByAuthUserRequest> {
+
+    @Override
+    public void write(org.apache.thrift.protocol.TProtocol prot, TListSentryPrivilegesByAuthUserRequest struct) throws org.apache.thrift.TException {
+      TTupleProtocol oprot = (TTupleProtocol) prot;
+      oprot.writeI32(struct.protocol_version);
+      oprot.writeString(struct.requestorUserName);
+      {
+        oprot.writeI32(struct.authorizableSet.size());
+        for (TSentryAuthorizable _iter178 : struct.authorizableSet)
+        {
+          _iter178.write(oprot);
+        }
+      }
+      oprot.writeString(struct.user);
+    }
+
+    @Override
+    public void read(org.apache.thrift.protocol.TProtocol prot, TListSentryPrivilegesByAuthUserRequest struct) throws org.apache.thrift.TException {
+      TTupleProtocol iprot = (TTupleProtocol) prot;
+      struct.protocol_version = iprot.readI32();
+      struct.setProtocol_versionIsSet(true);
+      struct.requestorUserName = iprot.readString();
+      struct.setRequestorUserNameIsSet(true);
+      {
+        org.apache.thrift.protocol.TSet _set179 = new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, iprot.readI32());
+        struct.authorizableSet = new HashSet<TSentryAuthorizable>(2*_set179.size);
+        TSentryAuthorizable _elem180;
+        for (int _i181 = 0; _i181 < _set179.size; ++_i181)
+        {
+          _elem180 = new TSentryAuthorizable();
+          _elem180.read(iprot);
+          struct.authorizableSet.add(_elem180);
+        }
+      }
+      struct.setAuthorizableSetIsSet(true);
+      struct.user = iprot.readString();
+      struct.setUserIsSet(true);
+    }
+  }
+
+}
+
diff --git a/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/TListSentryPrivilegesByAuthUserResponse.java b/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/TListSentryPrivilegesByAuthUserResponse.java
new file mode 100644
index 0000000..f9f0e64
--- /dev/null
+++ b/sentry-service/sentry-service-api/src/gen/thrift/gen-javabean/org/apache/sentry/api/service/thrift/TListSentryPrivilegesByAuthUserResponse.java
@@ -0,0 +1,598 @@
+/**
+ * Autogenerated by Thrift Compiler (0.9.3)
+ *
+ * DO NOT EDIT UNLESS YOU ARE SURE THAT YOU KNOW WHAT YOU ARE DOING
+ *  @generated
+ */
+package org.apache.sentry.api.service.thrift;
+
+import org.apache.thrift.scheme.IScheme;
+import org.apache.thrift.scheme.SchemeFactory;
+import org.apache.thrift.scheme.StandardScheme;
+
+import org.apache.thrift.scheme.TupleScheme;
+import org.apache.thrift.protocol.TTupleProtocol;
+import org.apache.thrift.protocol.TProtocolException;
+import org.apache.thrift.EncodingUtils;
+import org.apache.thrift.TException;
+import org.apache.thrift.async.AsyncMethodCallback;
+import org.apache.thrift.server.AbstractNonblockingServer.*;
+import java.util.List;
+import java.util.ArrayList;
+import java.util.Map;
+import java.util.HashMap;
+import java.util.EnumMap;
+import java.util.Set;
+import java.util.HashSet;
+import java.util.EnumSet;
+import java.util.Collections;
+import java.util.BitSet;
+import java.nio.ByteBuffer;
+import java.util.Arrays;
+import javax.annotation.Generated;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+@SuppressWarnings({"cast", "rawtypes", "serial", "unchecked"})
+@Generated(value = "Autogenerated by Thrift Compiler (0.9.3)")
+public class TListSentryPrivilegesByAuthUserResponse implements org.apache.thrift.TBase<TListSentryPrivilegesByAuthUserResponse, TListSentryPrivilegesByAuthUserResponse._Fields>, java.io.Serializable, Cloneable, Comparable<TListSentryPrivilegesByAuthUserResponse> {
+  private static final org.apache.thrift.protocol.TStruct STRUCT_DESC = new org.apache.thrift.protocol.TStruct("TListSentryPrivilegesByAuthUserResponse");
+
+  private static final org.apache.thrift.protocol.TField STATUS_FIELD_DESC = new org.apache.thrift.protocol.TField("status", org.apache.thrift.protocol.TType.STRUCT, (short)1);
+  private static final org.apache.thrift.protocol.TField PRIVILEGES_MAP_BY_AUTH_FIELD_DESC = new org.apache.thrift.protocol.TField("privilegesMapByAuth", org.apache.thrift.protocol.TType.MAP, (short)2);
+
+  private static final Map<Class<? extends IScheme>, SchemeFactory> schemes = new HashMap<Class<? extends IScheme>, SchemeFactory>();
+  static {
+    schemes.put(StandardScheme.class, new TListSentryPrivilegesByAuthUserResponseStandardSchemeFactory());
+    schemes.put(TupleScheme.class, new TListSentryPrivilegesByAuthUserResponseTupleSchemeFactory());
+  }
+
+  private org.apache.sentry.service.thrift.TSentryResponseStatus status; // required
+  private Map<TSentryAuthorizable,Set<TSentryPrivilege>> privilegesMapByAuth; // required
+
+  /** The set of fields this struct contains, along with convenience methods for finding and manipulating them. */
+  public enum _Fields implements org.apache.thrift.TFieldIdEnum {
+    STATUS((short)1, "status"),
+    PRIVILEGES_MAP_BY_AUTH((short)2, "privilegesMapByAuth");
+
+    private static final Map<String, _Fields> byName = new HashMap<String, _Fields>();
+
+    static {
+      for (_Fields field : EnumSet.allOf(_Fields.class)) {
+        byName.put(field.getFieldName(), field);
+      }
+    }
+
+    /**
+     * Find the _Fields constant that matches fieldId, or null if its not found.
+     */
+    public static _Fields findByThriftId(int fieldId) {
+      switch(fieldId) {
+        case 1: // STATUS
+          return STATUS;
+        case 2: // PRIVILEGES_MAP_BY_AUTH
+          return PRIVILEGES_MAP_BY_AUTH;
+        default:
+          return null;
+      }
+    }
+
+    /**
+     * Find the _Fields constant that matches fieldId, throwing an exception
+     * if it is not found.
+     */
+    public static _Fields findByThriftIdOrThrow(int fieldId) {
+      _Fields fields = findByThriftId(fieldId);
+      if (fields == null) throw new IllegalArgumentException("Field " + fieldId + " doesn't exist!");
+      return fields;
+    }
+
+    /**
+     * Find the _Fields constant that matches name, or null if its not found.
+     */
+    public static _Fields findByName(String name) {
+      return byName.get(name);
+    }
+
+    private final short _thriftId;
+    private final String _fieldName;
+
+    _Fields(short thriftId, String fieldName) {
+      _thriftId = thriftId;
+      _fieldName = fieldName;
+    }
+
+    public short getThriftFieldId() {
+      return _thriftId;
+    }
+
+    public String getFieldName() {
+      return _fieldName;
+    }
+  }
+
+  // isset id assignments
+  public static final Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> metaDataMap;
+  static {
+    Map<_Fields, org.apache.thrift.meta_data.FieldMetaData> tmpMap = new EnumMap<_Fields, org.apache.thrift.meta_data.FieldMetaData>(_Fields.class);
+    tmpMap.put(_Fields.STATUS, new org.apache.thrift.meta_data.FieldMetaData("status", org.apache.thrift.TFieldRequirementType.REQUIRED, 
+        new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, org.apache.sentry.service.thrift.TSentryResponseStatus.class)));
+    tmpMap.put(_Fields.PRIVILEGES_MAP_BY_AUTH, new org.apache.thrift.meta_data.FieldMetaData("privilegesMapByAuth", org.apache.thrift.TFieldRequirementType.REQUIRED, 
+        new org.apache.thrift.meta_data.MapMetaData(org.apache.thrift.protocol.TType.MAP, 
+            new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TSentryAuthorizable.class), 
+            new org.apache.thrift.meta_data.SetMetaData(org.apache.thrift.protocol.TType.SET, 
+                new org.apache.thrift.meta_data.StructMetaData(org.apache.thrift.protocol.TType.STRUCT, TSentryPrivilege.class)))));
+    metaDataMap = Collections.unmodifiableMap(tmpMap);
+    org.apache.thrift.meta_data.FieldMetaData.addStructMetaDataMap(TListSentryPrivilegesByAuthUserResponse.class, metaDataMap);
+  }
+
+  public TListSentryPrivilegesByAuthUserResponse() {
+  }
+
+  public TListSentryPrivilegesByAuthUserResponse(
+    org.apache.sentry.service.thrift.TSentryResponseStatus status,
+    Map<TSentryAuthorizable,Set<TSentryPrivilege>> privilegesMapByAuth)
+  {
+    this();
+    this.status = status;
+    this.privilegesMapByAuth = privilegesMapByAuth;
+  }
+
+  /**
+   * Performs a deep copy on <i>other</i>.
+   */
+  public TListSentryPrivilegesByAuthUserResponse(TListSentryPrivilegesByAuthUserResponse other) {
+    if (other.isSetStatus()) {
+      this.status = new org.apache.sentry.service.thrift.TSentryResponseStatus(other.status);
+    }
+    if (other.isSetPrivilegesMapByAuth()) {
+      Map<TSentryAuthorizable,Set<TSentryPrivilege>> __this__privilegesMapByAuth = new HashMap<TSentryAuthorizable,Set<TSentryPrivilege>>(other.privilegesMapByAuth.size());
+      for (Map.Entry<TSentryAuthorizable, Set<TSentryPrivilege>> other_element : other.privilegesMapByAuth.entrySet()) {
+
+        TSentryAuthorizable other_element_key = other_element.getKey();
+        Set<TSentryPrivilege> other_element_value = other_element.getValue();
+
+        TSentryAuthorizable __this__privilegesMapByAuth_copy_key = new TSentryAuthorizable(other_element_key);
+
+        Set<TSentryPrivilege> __this__privilegesMapByAuth_copy_value = new HashSet<TSentryPrivilege>(other_element_value.size());
+        for (TSentryPrivilege other_element_value_element : other_element_value) {
+          __this__privilegesMapByAuth_copy_value.add(new TSentryPrivilege(other_element_value_element));
+        }
+
+        __this__privilegesMapByAuth.put(__this__privilegesMapByAuth_copy_key, __this__privilegesMapByAuth_copy_value);
+      }
+      this.privilegesMapByAuth = __this__privilegesMapByAuth;
+    }
+  }
+
+  public TListSentryPrivilegesByAuthUserResponse deepCopy() {
+    return new TListSentryPrivilegesByAuthUserResponse(this);
+  }
+
+  @Override
+  public void clear() {
+    this.status = null;
+    this.privilegesMapByAuth = null;
+  }
+
+  public org.apache.sentry.service.thrift.TSentryResponseStatus getStatus() {
+    return this.status;
+  }
+
+  public void setStatus(org.apache.sentry.service.thrift.TSentryResponseStatus status) {
+    this.status = status;
+  }
+
+  public void unsetStatus() {
+    this.status = null;
+  }
+
+  /** Returns true if field status is set (has been assigned a value) and false otherwise */
+  public boolean isSetStatus() {
+    return this.status != null;
+  }
+
+  public void setStatusIsSet(boolean value) {
+    if (!value) {
+      this.status = null;
+    }
+  }
+
+  public int getPrivilegesMapByAuthSize() {
+    return (this.privilegesMapByAuth == null) ? 0 : this.privilegesMapByAuth.size();
+  }
+
+  public void putToPrivilegesMapByAuth(TSentryAuthorizable key, Set<TSentryPrivilege> val) {
+    if (this.privilegesMapByAuth == null) {
+      this.privilegesMapByAuth = new HashMap<TSentryAuthorizable,Set<TSentryPrivilege>>();
+    }
+    this.privilegesMapByAuth.put(key, val);
+  }
+
+  public Map<TSentryAuthorizable,Set<TSentryPrivilege>> getPrivilegesMapByAuth() {
+    return this.privilegesMapByAuth;
+  }
+
+  public void setPrivilegesMapByAuth(Map<TSentryAuthorizable,Set<TSentryPrivilege>> privilegesMapByAuth) {
+    this.privilegesMapByAuth = privilegesMapByAuth;
+  }
+
+  public void unsetPrivilegesMapByAuth() {
+    this.privilegesMapByAuth = null;
+  }
+
+  /** Returns true if field privilegesMapByAuth is set (has been assigned a value) and false otherwise */
+  public boolean isSetPrivilegesMapByAuth() {
+    return this.privilegesMapByAuth != null;
+  }
+
+  public void setPrivilegesMapByAuthIsSet(boolean value) {
+    if (!value) {
+      this.privilegesMapByAuth = null;
+    }
+  }
+
+  public void setFieldValue(_Fields field, Object value) {
+    switch (field) {
+    case STATUS:
+      if (value == null) {
+        unsetStatus();
+      } else {
+        setStatus((org.apache.sentry.service.thrift.TSentryResponseStatus)value);
+      }
+      break;
+
+    case PRIVILEGES_MAP_BY_AUTH:
+      if (value == null) {
+        unsetPrivilegesMapByAuth();
+      } else {
+        setPrivilegesMapByAuth((Map<TSentryAuthorizable,Set<TSentryPrivilege>>)value);
+      }
+      break;
+
+    }
+  }
+
+  public Object getFieldValue(_Fields field) {
+    switch (field) {
+    case STATUS:
+      return getStatus();
+
+    case PRIVILEGES_MAP_BY_AUTH:
+      return getPrivilegesMapByAuth();
+
+    }
+    throw new IllegalStateException();
+  }
+
+  /** Returns true if field corresponding to fieldID is set (has been assigned a value) and false otherwise */
+  public boolean isSet(_Fields field) {
+    if (field == null) {
+      throw new IllegalArgumentException();
+    }
+
+    switch (field) {
+    case STATUS:
+      return isSetStatus();
+    case PRIVILEGES_MAP_BY_AUTH:
+      return isSetPrivilegesMapByAuth();
+    }
+    throw new IllegalStateException();
+  }
+
+  @Override
+  public boolean equals(Object that) {
+    if (that == null)
+      return false;
+    if (that instanceof TListSentryPrivilegesByAuthUserResponse)
+      return this.equals((TListSentryPrivilegesByAuthUserResponse)that);
+    return false;
+  }
+
+  public boolean equals(TListSentryPrivilegesByAuthUserResponse that) {
+    if (that == null)
+      return false;
+
+    boolean this_present_status = true && this.isSetStatus();
+    boolean that_present_status = true && that.isSetStatus();
+    if (this_present_status || that_present_status) {
+      if (!(this_present_status && that_present_status))
+        return false;
+      if (!this.status.equals(that.status))
+        return false;
+    }
+
+    boolean this_present_privilegesMapByAuth = true && this.isSetPrivilegesMapByAuth();
+    boolean that_present_privilegesMapByAuth = true && that.isSetPrivilegesMapByAuth();
+    if (this_present_privilegesMapByAuth || that_present_privilegesMapByAuth) {
+      if (!(this_present_privilegesMapByAuth && that_present_privilegesMapByAuth))
+        return false;
+      if (!this.privilegesMapByAuth.equals(that.privilegesMapByAuth))
+        return false;
+    }
+
+    return true;
+  }
+
+  @Override
+  public int hashCode() {
+    List<Object> list = new ArrayList<Object>();
+
+    boolean present_status = true && (isSetStatus());
+    list.add(present_status);
+    if (present_status)
+      list.add(status);
+
+    boolean present_privilegesMapByAuth = true && (isSetPrivilegesMapByAuth());
+    list.add(present_privilegesMapByAuth);
+    if (present_privilegesMapByAuth)
+      list.add(privilegesMapByAuth);
+
+    return list.hashCode();
+  }
+
+  @Override
+  public int compareTo(TListSentryPrivilegesByAuthUserResponse other) {
+    if (!getClass().equals(other.getClass())) {
+      return getClass().getName().compareTo(other.getClass().getName());
+    }
+
+    int lastComparison = 0;
+
+    lastComparison = Boolean.valueOf(isSetStatus()).compareTo(other.isSetStatus());
+    if (lastComparison != 0) {
+      return lastComparison;
+    }
+    if (isSetStatus()) {
+      lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.status, other.status);
+      if (lastComparison != 0) {
+        return lastComparison;
+      }
+    }
+    lastComparison = Boolean.valueOf(isSetPrivilegesMapByAuth()).compareTo(other.isSetPrivilegesMapByAuth());
+    if (lastComparison != 0) {
+      return lastComparison;
+    }
+    if (isSetPrivilegesMapByAuth()) {
+      lastComparison = org.apache.thrift.TBaseHelper.compareTo(this.privilegesMapByAuth, other.privilegesMapByAuth);
+      if (lastComparison != 0) {
+        return lastComparison;
+      }
+    }
+    return 0;
+  }
+
+  public _Fields fieldForId(int fieldId) {
+    return _Fields.findByThriftId(fieldId);
+  }
+
+  public void read(org.apache.thrift.protocol.TProtocol iprot) throws org.apache.thrift.TException {
+    schemes.get(iprot.getScheme()).getScheme().read(iprot, this);
+  }
+
+  public void write(org.apache.thrift.protocol.TProtocol oprot) throws org.apache.thrift.TException {
+    schemes.get(oprot.getScheme()).getScheme().write(oprot, this);
+  }
+
+  @Override
+  public String toString() {
+    StringBuilder sb = new StringBuilder("TListSentryPrivilegesByAuthUserResponse(");
+    boolean first = true;
+
+    sb.append("status:");
+    if (this.status == null) {
+      sb.append("null");
+    } else {
+      sb.append(this.status);
+    }
+    first = false;
+    if (!first) sb.append(", ");
+    sb.append("privilegesMapByAuth:");
+    if (this.privilegesMapByAuth == null) {
+      sb.append("null");
+    } else {
+      sb.append(this.privilegesMapByAuth);
+    }
+    first = false;
+    sb.append(")");
+    return sb.toString();
+  }
+
+  public void validate() throws org.apache.thrift.TException {
+    // check for required fields
+    if (!isSetStatus()) {
+      throw new org.apache.thrift.protocol.TProtocolException("Required field 'status' is unset! Struct:" + toString());
+    }
+
+    if (!isSetPrivilegesMapByAuth()) {
+      throw new org.apache.thrift.protocol.TProtocolException("Required field 'privilegesMapByAuth' is unset! Struct:" + toString());
+    }
+
+    // check for sub-struct validity
+    if (status != null) {
+      status.validate();
+    }
+  }
+
+  private void writeObject(java.io.ObjectOutputStream out) throws java.io.IOException {
+    try {
+      write(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(out)));
+    } catch (org.apache.thrift.TException te) {
+      throw new java.io.IOException(te);
+    }
+  }
+
+  private void readObject(java.io.ObjectInputStream in) throws java.io.IOException, ClassNotFoundException {
+    try {
+      read(new org.apache.thrift.protocol.TCompactProtocol(new org.apache.thrift.transport.TIOStreamTransport(in)));
+    } catch (org.apache.thrift.TException te) {
+      throw new java.io.IOException(te);
+    }
+  }
+
+  private static class TListSentryPrivilegesByAuthUserResponseStandardSchemeFactory implements SchemeFactory {
+    public TListSentryPrivilegesByAuthUserResponseStandardScheme getScheme() {
+      return new TListSentryPrivilegesByAuthUserResponseStandardScheme();
+    }
+  }
+
+  private static class TListSentryPrivilegesByAuthUserResponseStandardScheme extends StandardScheme<TListSentryPrivilegesByAuthUserResponse> {
+
+    public void read(org.apache.thrift.protocol.TProtocol iprot, TListSentryPrivilegesByAuthUserResponse struct) throws org.apache.thrift.TException {
+      org.apache.thrift.protocol.TField schemeField;
+      iprot.readStructBegin();
+      while (true)
+      {
+        schemeField = iprot.readFieldBegin();
+        if (schemeField.type == org.apache.thrift.protocol.TType.STOP) { 
+          break;
+        }
+        switch (schemeField.id) {
+          case 1: // STATUS
+            if (schemeField.type == org.apache.thrift.protocol.TType.STRUCT) {
+              struct.status = new org.apache.sentry.service.thrift.TSentryResponseStatus();
+              struct.status.read(iprot);
+              struct.setStatusIsSet(true);
+            } else { 
+              org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+            }
+            break;
+          case 2: // PRIVILEGES_MAP_BY_AUTH
+            if (schemeField.type == org.apache.thrift.protocol.TType.MAP) {
+              {
+                org.apache.thrift.protocol.TMap _map182 = iprot.readMapBegin();
+                struct.privilegesMapByAuth = new HashMap<TSentryAuthorizable,Set<TSentryPrivilege>>(2*_map182.size);
+                TSentryAuthorizable _key183;
+                Set<TSentryPrivilege> _val184;
+                for (int _i185 = 0; _i185 < _map182.size; ++_i185)
+                {
+                  _key183 = new TSentryAuthorizable();
+                  _key183.read(iprot);
+                  {
+                    org.apache.thrift.protocol.TSet _set186 = iprot.readSetBegin();
+                    _val184 = new HashSet<TSentryPrivilege>(2*_set186.size);
+                    TSentryPrivilege _elem187;
+                    for (int _i188 = 0; _i188 < _set186.size; ++_i188)
+                    {
+                      _elem187 = new TSentryPrivilege();
+                      _elem187.read(iprot);
+                      _val184.add(_elem187);
+                    }
+                    iprot.readSetEnd();
+                  }
+                  struct.privilegesMapByAuth.put(_key183, _val184);
+                }
+                iprot.readMapEnd();
+              }
+              struct.setPrivilegesMapByAuthIsSet(true);
+            } else { 
+              org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+            }
+            break;
+          default:
+            org.apache.thrift.protocol.TProtocolUtil.skip(iprot, schemeField.type);
+        }
+        iprot.readFieldEnd();
+      }
+      iprot.readStructEnd();
+      struct.validate();
+    }
+
+    public void write(org.apache.thrift.protocol.TProtocol oprot, TListSentryPrivilegesByAuthUserResponse struct) throws org.apache.thrift.TException {
+      struct.validate();
+
+      oprot.writeStructBegin(STRUCT_DESC);
+      if (struct.status != null) {
+        oprot.writeFieldBegin(STATUS_FIELD_DESC);
+        struct.status.write(oprot);
+        oprot.writeFieldEnd();
+      }
+      if (struct.privilegesMapByAuth != null) {
+        oprot.writeFieldBegin(PRIVILEGES_MAP_BY_AUTH_FIELD_DESC);
+        {
+          oprot.writeMapBegin(new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRUCT, org.apache.thrift.protocol.TType.SET, struct.privilegesMapByAuth.size()));
+          for (Map.Entry<TSentryAuthorizable, Set<TSentryPrivilege>> _iter189 : struct.privilegesMapByAuth.entrySet())
+          {
+            _iter189.getKey().write(oprot);
+            {
+              oprot.writeSetBegin(new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, _iter189.getValue().size()));
+              for (TSentryPrivilege _iter190 : _iter189.getValue())
+              {
+                _iter190.write(oprot);
+              }
+              oprot.writeSetEnd();
+            }
+          }
+          oprot.writeMapEnd();
+        }
+        oprot.writeFieldEnd();
+      }
+      oprot.writeFieldStop();
+      oprot.writeStructEnd();
+    }
+
+  }
+
+  private static class TListSentryPrivilegesByAuthUserResponseTupleSchemeFactory implements SchemeFactory {
+    public TListSentryPrivilegesByAuthUserResponseTupleScheme getScheme() {
+      return new TListSentryPrivilegesByAuthUserResponseTupleScheme();
+    }
+  }
+
+  private static class TListSentryPrivilegesByAuthUserResponseTupleScheme extends TupleScheme<TListSentryPrivilegesByAuthUserResponse> {
+
+    @Override
+    public void write(org.apache.thrift.protocol.TProtocol prot, TListSentryPrivilegesByAuthUserResponse struct) throws org.apache.thrift.TException {
+      TTupleProtocol oprot = (TTupleProtocol) prot;
+      struct.status.write(oprot);
+      {
+        oprot.writeI32(struct.privilegesMapByAuth.size());
+        for (Map.Entry<TSentryAuthorizable, Set<TSentryPrivilege>> _iter191 : struct.privilegesMapByAuth.entrySet())
+        {
+          _iter191.getKey().write(oprot);
+          {
+            oprot.writeI32(_iter191.getValue().size());
+            for (TSentryPrivilege _iter192 : _iter191.getValue())
+            {
+              _iter192.write(oprot);
+            }
+          }
+        }
+      }
+    }
+
+    @Override
+    public void read(org.apache.thrift.protocol.TProtocol prot, TListSentryPrivilegesByAuthUserResponse struct) throws org.apache.thrift.TException {
+      TTupleProtocol iprot = (TTupleProtocol) prot;
+      struct.status = new org.apache.sentry.service.thrift.TSentryResponseStatus();
+      struct.status.read(iprot);
+      struct.setStatusIsSet(true);
+      {
+        org.apache.thrift.protocol.TMap _map193 = new org.apache.thrift.protocol.TMap(org.apache.thrift.protocol.TType.STRUCT, org.apache.thrift.protocol.TType.SET, iprot.readI32());
+        struct.privilegesMapByAuth = new HashMap<TSentryAuthorizable,Set<TSentryPrivilege>>(2*_map193.size);
+        TSentryAuthorizable _key194;
+        Set<TSentryPrivilege> _val195;
+        for (int _i196 = 0; _i196 < _map193.size; ++_i196)
+        {
+          _key194 = new TSentryAuthorizable();
+          _key194.read(iprot);
+          {
+            org.apache.thrift.protocol.TSet _set197 = new org.apache.thrift.protocol.TSet(org.apache.thrift.protocol.TType.STRUCT, iprot.readI32());
+            _val195 = new HashSet<TSentryPrivilege>(2*_set197.size);
+            TSentryPrivilege _elem198;
+            for (int _i199 = 0; _i199 < _set197.size; ++_i199)
+            {
+              _elem198 = new TSentryPrivilege();
+              _elem198.read(iprot);
+              _val195.add(_elem198);
+            }
+          }
+          struct.privilegesMapByAuth.put(_key194, _val195);
+        }
+      }
+      struct.setPrivilegesMapByAuthIsSet(true);
+    }
+  }
+
+}
+
diff --git a/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift b/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift
index 74837a8..953b96b 100644
--- a/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift
+++ b/sentry-service/sentry-service-api/src/main/resources/sentry_policy_service.thrift
@@ -283,6 +283,19 @@ struct TListSentryPrivilegesByAuthResponse {
 3: optional map<TSentryAuthorizable, TSentryPrivilegeMap> privilegesMapByAuthForUsers
 }
 
+struct TListSentryPrivilegesByAuthUserRequest {
+1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
+2: required string requestorUserName, # user on whose behalf the request is issued
+3: required set<TSentryAuthorizable> authorizableSet,
+4: required string user
+}
+
+struct TListSentryPrivilegesByAuthUserResponse {
+1: required sentry_common_service.TSentryResponseStatus status,
+# Authorizable to set of privileges map
+2: required map<TSentryAuthorizable, set<TSentryPrivilege>> privilegesMapByAuth,
+}
+
 # Obtain a config value from the Sentry service
 struct TSentryConfigValueRequest {
 1: required i32 protocol_version = sentry_common_service.TSENTRY_SERVICE_V2,
@@ -437,8 +450,14 @@ service SentryPolicyService
 
   TRenamePrivilegesResponse rename_sentry_privilege(1:TRenamePrivilegesRequest request);
 
+  # List sentry privileges filterted based on a set of authorizables, that
+  # granted to the given user and the given role if present.
   TListSentryPrivilegesByAuthResponse list_sentry_privileges_by_authorizable(1:TListSentryPrivilegesByAuthRequest request);
 
+  # List sentry privileges filterted based on a set of authorizables, that
+  # granted to the given user and the groups the user associated with.
+  TListSentryPrivilegesByAuthUserResponse list_sentry_privileges_by_authorizable_and_user(1:TListSentryPrivilegesByAuthUserRequest request);
+
   TSentryConfigValueResponse get_sentry_config_value(1:TSentryConfigValueRequest request);
 
   # export the mapping data in sentry
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryMetrics.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryMetrics.java
index 7626e2c..01dcaac 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryMetrics.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryMetrics.java
@@ -119,6 +119,8 @@ public final class SentryMetrics {
       name(SentryPolicyStoreProcessor.class, "list-privileges-for-provider"));
   final Timer listPrivilegesByAuthorizableTimer = METRIC_REGISTRY.timer(
       name(SentryPolicyStoreProcessor.class, "list-privileges-by-authorizable"));
+  final Timer listPrivilegesByAuthorizableAndUserTimer = METRIC_REGISTRY.timer(
+          name(SentryPolicyStoreProcessor.class, "list-privileges-by-authorizable-and-user"));
   final Timer listRolesPrivilegesTimer = METRIC_REGISTRY.timer(
       name(SentryPolicyStoreProcessor.class, "list-roles-privileges"));
   final Timer listUsersPrivilegesTimer = METRIC_REGISTRY.timer(
diff --git a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
index b2731b1..b808a55 100644
--- a/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
+++ b/sentry-service/sentry-service-server/src/main/java/org/apache/sentry/api/service/thrift/SentryPolicyStoreProcessor.java
@@ -1295,6 +1295,100 @@ public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
     return response;
   }
 
+  @Override
+  public TListSentryPrivilegesByAuthUserResponse list_sentry_privileges_by_authorizable_and_user(
+      TListSentryPrivilegesByAuthUserRequest request) throws TException {
+    final Timer.Context timerContext =
+        sentryMetrics.listPrivilegesByAuthorizableAndUserTimer.time();
+    TListSentryPrivilegesByAuthUserResponse response =
+        new TListSentryPrivilegesByAuthUserResponse();
+
+    // Sanity validation of the required fields.
+    String requestor = request.getRequestorUserName();
+    String principalName = request.getUser();
+    TSentryResponseStatus status =
+        checkRequiredParameter(requestor, "requestor parameter must not be null");
+    status = status != null ?
+        status : checkRequiredParameter(principalName, "user parameter must not be null");
+    if (status != null) {
+      response.setStatus(status);
+      return response;
+    }
+    principalName = principalName.trim();
+    Map<TSentryAuthorizable, Set<TSentryPrivilege>> authMap = Maps.newHashMap();
+
+    try {
+      validateClientVersion(request.getProtocol_version());
+
+      // To allow listing the privileges, the requestor user must be part of
+      // the admins group, or the requestor user must be the same user requesting
+      // privileges for.
+      Set<String> requestorGroups = getRequestorGroups(requestor);
+      Boolean admin = inAdminGroups(requestorGroups);
+      if(!admin && !principalName.equalsIgnoreCase(requestor)) {
+        throw new SentryAccessDeniedException("Access denied to " + requestor);
+      }
+
+      // Get the groups the user is associated with.
+      Set<String> principalGroups;
+      if (principalName.equals(requestor)) {
+        principalGroups = requestorGroups;
+      } else {
+        principalGroups = getRequestorGroups(principalName);
+      }
+      Set<String> principalUsers = new HashSet<>();
+      principalUsers.add(principalName);
+
+      // Return the privileges found that granted to the given user and the groups the
+      // user associated with per authorizable object.
+      for (TSentryAuthorizable authorizable : request.getAuthorizableSet()) {
+        Set<TSentryPrivilege> privileges = new HashSet();
+
+        // Search for privileges granted to the groups the user associated with.
+        TSentryPrivilegeMap groupMap = sentryStore.listSentryPrivilegesByAuthorizable(
+            principalGroups, null, authorizable, false);
+        if (groupMap.getPrivilegeMap() != null) {
+          for (Set<TSentryPrivilege> groupPrivilege : groupMap.getPrivilegeMap().values()) {
+            privileges.addAll(groupPrivilege);
+          }
+        }
+
+        // Search for privileges granted to the user.
+        TSentryPrivilegeMap userMap = sentryStore.listSentryPrivilegesByAuthorizableForUser(
+            principalUsers, authorizable, false);
+        if (userMap.getPrivilegeMap() != null) {
+          for (Set<TSentryPrivilege> userPrivilege : userMap.getPrivilegeMap().values()) {
+            privileges.addAll(userPrivilege);
+          }
+        }
+
+        authMap.put(authorizable, privileges);
+      }
+      response.setPrivilegesMapByAuth(authMap);
+      response.setStatus(Status.OK());
+    } catch (SentryAccessDeniedException e) {
+      LOGGER.error(e.getMessage(), e);
+      response.setStatus(Status.AccessDenied(e.getMessage(), e));
+    } catch (SentryGroupNotFoundException e) {
+      LOGGER.error(e.getMessage(), e);
+      response.setStatus(Status.AccessDenied(e.getMessage(), e));
+    } catch (SentryThriftAPIMismatchException e) {
+      LOGGER.error(e.getMessage(), e);
+      response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
+    } catch (SentryInvalidInputException e) {
+      LOGGER.error(e.getMessage(), e);
+      response.setStatus(Status.InvalidInput(e.getMessage(), e));
+    } catch (Exception e) {
+      String msg = "Unknown error for request: " + request + ", message: "
+          + e.getMessage();
+      LOGGER.error(msg, e);
+      response.setStatus(Status.RuntimeError(msg, e));
+    } finally {
+      timerContext.stop();
+    }
+    return response;
+  }
+
   /**
    * Respond to a request for a config value in the sentry server.  The client
    * can request any config value that starts with "sentry." and doesn't contain
diff --git a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
index 6f90fb4..e593870 100644
--- a/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
+++ b/sentry-service/sentry-service-server/src/test/java/org/apache/sentry/api/service/thrift/TestSentryPolicyStoreProcessor.java
@@ -25,9 +25,11 @@ import static org.junit.Assert.assertTrue;
 
 import com.codahale.metrics.Gauge;
 import com.google.common.collect.ImmutableMap;
+import com.google.common.collect.Maps;
 import com.google.common.collect.Sets;
-import java.util.Collections;
-import java.util.Set;
+
+import java.util.*;
+
 import org.apache.hadoop.hive.metastore.messaging.EventMessage;
 import org.apache.hadoop.hive.metastore.messaging.EventMessage.EventType;
 import org.apache.sentry.api.common.ApiConstants;
@@ -342,6 +344,127 @@ public class TestSentryPolicyStoreProcessor {
       returnedResp.getPrivileges().contains(newSentryPrivilege("database", "db1", "t1", "*")));
   }
 
+  @Test
+  public void testListPrivilegesByAuthorizableAndUser() throws Exception {
+    MockGroupMappingService.addUserGroupMapping("admin", Sets.newHashSet("admin"));
+    String user1 = "user1";
+    String g1 = "g1";
+    MockGroupMappingService.addUserGroupMapping(user1, Sets.newHashSet(g1));
+
+    Configuration conf = new Configuration();
+    conf.set(ServerConfig.SENTRY_STORE_GROUP_MAPPING,
+        "org.apache.sentry.api.service.thrift.MockGroupMappingService");
+    conf.set(ServerConfig.ADMIN_GROUPS, "admin");
+
+    SentryPolicyStoreProcessor policyStoreProcessor = new SentryPolicyStoreProcessor(
+        ApiConstants.SentryPolicyServiceConstants.SENTRY_POLICY_SERVICE_NAME,
+        conf, sentryStore);
+    TListSentryPrivilegesByAuthUserResponse returnedResp;
+    TListSentryPrivilegesByAuthUserResponse expectedResp;
+
+    // Request privileges when user is null must throw an exception that
+    // user must not be null.
+    returnedResp = policyStoreProcessor.list_sentry_privileges_by_authorizable_and_user(
+        newAuthRequest("admin", null, null));
+    expectedResp = new TListSentryPrivilegesByAuthUserResponse();
+    expectedResp.setStatus(Status.InvalidInput("user parameter must not be null",
+        new SentryInvalidInputException("user parameter must not be null")));
+    Assert.assertEquals(expectedResp.getStatus().getValue(),
+        returnedResp.getStatus().getValue());
+
+    // Prepare request for getting privileges for user1 based on the given authorizables
+    TSentryAuthorizable requestedAuthorizable = new TSentryAuthorizable();
+    requestedAuthorizable.setServer("server1");
+    requestedAuthorizable.setDb("db1");
+    Set<TSentryAuthorizable> requestedAuthorizables = new HashSet<>();
+    requestedAuthorizables.add(requestedAuthorizable);
+
+    Set<String> users = new HashSet<>();
+    users.add(user1);
+    Set<String> groups = new HashSet<>();
+    groups.add(g1);
+
+    Set<TSentryPrivilege> user1Privileges = Sets.newHashSet(
+        newSentryPrivilege("database", "db1", "t1", "*"),
+        newSentryPrivilege("database", "db1", "t2", "*"));
+    Map<String, Set<TSentryPrivilege>> user1PrivilegesMap = Maps.newTreeMap();
+    user1PrivilegesMap.put(user1, user1Privileges);
+
+    Mockito.when(sentryStore.listSentryPrivilegesByAuthorizableForUser(
+        users, requestedAuthorizable, false)).thenReturn(
+            new TSentryPrivilegeMap(user1PrivilegesMap));
+
+    Mockito.when(sentryStore.listSentryPrivilegesByAuthorizable(
+        groups, null, requestedAuthorizable, false)).thenReturn(
+            new TSentryPrivilegeMap());
+
+    // Request privileges of a user as admin
+    returnedResp = policyStoreProcessor.list_sentry_privileges_by_authorizable_and_user(
+        newAuthRequest("admin", requestedAuthorizables, user1));
+    Assert.assertEquals(1, returnedResp.getPrivilegesMapByAuthSize());
+    Assert.assertEquals(2, returnedResp.getPrivilegesMapByAuth().get(requestedAuthorizable).size());
+    Assert.assertEquals(Status.OK(),  returnedResp.getStatus());
+    assertTrue("User1 should have ALL privileges in db1.t1",
+        returnedResp.getPrivilegesMapByAuth().get(requestedAuthorizable).contains(
+            newSentryPrivilege("database", "db1", "t1", "*")));
+    assertTrue("User1 should have ALL privileges in db1.t2",
+        returnedResp.getPrivilegesMapByAuth().get(requestedAuthorizable).contains(
+            newSentryPrivilege("database", "db1", "t2", "*")));
+
+    // Request privileges of a user as the same user
+    returnedResp = policyStoreProcessor.list_sentry_privileges_by_authorizable_and_user(
+        newAuthRequest(user1, requestedAuthorizables, user1));
+    Assert.assertEquals(1, returnedResp.getPrivilegesMapByAuthSize());
+    Assert.assertEquals(2, returnedResp.getPrivilegesMapByAuth().get(requestedAuthorizable).size());
+    Assert.assertEquals(Status.OK(),  returnedResp.getStatus());
+    assertTrue("User1 should have ALL privileges in db1.t1",
+        returnedResp.getPrivilegesMapByAuth().get(requestedAuthorizable).contains(
+            newSentryPrivilege("database", "db1", "t1", "*")));
+    assertTrue("User1 should have ALL privileges in db1.t2",
+        returnedResp.getPrivilegesMapByAuth().get(requestedAuthorizable).contains(
+            newSentryPrivilege("database", "db1", "t2", "*")));
+
+    // Request privileges of a user as an unauthorized user
+    returnedResp = policyStoreProcessor.list_sentry_privileges_by_authorizable_and_user(
+        newAuthRequest("bad_user", requestedAuthorizables, user1));
+    Assert.assertEquals(Status.ACCESS_DENIED.getCode(), returnedResp.getStatus().getValue());
+    assertNull(returnedResp.getPrivilegesMapByAuth());
+
+    // Assign new privileges for g1 based on the given authorizables
+    Set<TSentryPrivilege> g1Privileges = Sets.newHashSet(
+        newSentryPrivilege("database", "db1", "t3", "*"));
+    Map<String, Set<TSentryPrivilege>> g1PrivilegesMap = Maps.newTreeMap();
+    g1PrivilegesMap.put(g1, g1Privileges);
+
+    Mockito.when(sentryStore.listSentryPrivilegesByAuthorizable(
+        groups, null, requestedAuthorizable, false)).thenReturn(
+            new TSentryPrivilegeMap(g1PrivilegesMap));
+    returnedResp = policyStoreProcessor.list_sentry_privileges_by_authorizable_and_user(
+            newAuthRequest(user1, requestedAuthorizables, user1));
+    Assert.assertEquals(1, returnedResp.getPrivilegesMapByAuthSize());
+    Assert.assertEquals(3, returnedResp.getPrivilegesMapByAuth().get(requestedAuthorizable).size());
+    Assert.assertEquals(Status.OK(),  returnedResp.getStatus());
+    assertTrue("User1 should have ALL privileges in db1.t1",
+        returnedResp.getPrivilegesMapByAuth().get(requestedAuthorizable).contains(
+            newSentryPrivilege("database", "db1", "t1", "*")));
+    assertTrue("User1 should have ALL privileges in db1.t2",
+        returnedResp.getPrivilegesMapByAuth().get(requestedAuthorizable).contains(
+            newSentryPrivilege("database", "db1", "t2", "*")));
+    assertTrue("User1 should have ALL privileges in db1.t3",
+        returnedResp.getPrivilegesMapByAuth().get(requestedAuthorizable).contains(
+            newSentryPrivilege("database", "db1", "t3", "*")));
+  }
+
+  private TListSentryPrivilegesByAuthUserRequest newAuthRequest(
+      String requestorUser, Set<TSentryAuthorizable> authorizables, String user) {
+    TListSentryPrivilegesByAuthUserRequest request =
+        new TListSentryPrivilegesByAuthUserRequest();
+    request.setRequestorUserName(requestorUser);
+    request.setAuthorizableSet(authorizables);
+    request.setUser(user);
+    return request;
+  }
+
   private TListSentryPrivilegesRequest newPrivilegesRequest(String requestorUser, String principalName, TSentryAuthorizable authorizable) {
     TListSentryPrivilegesRequest request = new TListSentryPrivilegesRequest();
     request.setRequestorUserName(requestorUser);


Mime
View raw message