java source code of RangerHiveAuthorizer

ranger-master
- plugin-kudu
  - src
    - main
      - java
        org
        apache
        ranger
        services
        kudu
        RangerServiceKudu.java
  - pom.xml
  - .gitignore
- NOTICE.txt
- embeddedwebserver
  - src
    - main
      - java
        org
        apache
        ranger
        server
        tomcat
        ElasticSearchIndexBootStrapper.java
        EmbeddedServer.java
        EmbeddedServerUtil.java
        SolrCollectionBootstrapper.java
        StopEmbeddedServer.java
  - pom.xml
  - scripts
    - ranger-admin-initd
    - ranger-admin-services.sh
    - stop-ranger-admin.sh
    - start-ranger-admin.sh
  - .gitignore
- agents-audit
  - src
    - main
      - resources
        META-INF
        persistence.xml
      - java
        org
        apache
        ranger
        audit
        dao
        DaoManagerBase.java
        BaseDao.java
        DaoManager.java
        AuthzAuditEventDao.java
        utils
        RollingTimeUtil.java
        SolrAppUtil.java
        InMemoryJAASConfiguration.java
        provider
        kafka
        KafkaAuditProvider.java
        BaseAuditHandler.java
        AsyncAuditProvider.java
        LogDestination.java
        MiscUtil.java
        Log4jAuditProvider.java
        AuditProviderFactory.java
        AuditHandler.java
        DummyAuditProvider.java
        LocalFileLogBuffer.java
        hdfs
        HdfsLogDestination.java
        HdfsAuditProvider.java
        Log4jTracer.java
        MultiDestAuditProvider.java
        DbAuditProvider.java
        StandAloneAuditProviderFactory.java
        solr
        SolrAuditProvider.java
        AuditMessageException.java
        LogBuffer.java
        DebugTracer.java
        AuditFileCacheProvider.java
        BufferedAuditProvider.java
        entity
        AuthzAuditEventDbObj.java
        destination
        ElasticSearchAuditDestination.java
        AuditDestination.java
        SolrAuditDestination.java
        FileAuditDestination.java
        Log4JAuditDestination.java
        DBAuditDestination.java
        HDFSAuditDestination.java
        test
        TestEvents.java
        model
        AuditEventBase.java
        EnumRepositoryType.java
        AuthzAuditEvent.java
        queue
        AuditQueue.java
        AuditFileCacheProviderSpool.java
        AuditSummaryQueue.java
        AuditBatchQueue.java
        AuditFileSpool.java
        AuditAsyncQueue.java
  - pom.xml
  - .gitignore
- hbase-agent
  - src
    - main
      - java
        org
        apache
        ranger
        services
        hbase
        client
        HBaseClient.java
        HBaseResourceMgr.java
        HBaseConnectionMgr.java
        RangerServiceHBase.java
        authorization
        hbase
        HbaseUserUtils.java
        HbaseUserUtilsImpl.java
        HbaseAuthUtils.java
        ColumnIterator.java
        HbaseAuditHandler.java
        HbaseAuthUtilsImpl.java
        RangerAuthorizationCoprocessor.java
        HbaseAuditHandlerImpl.java
        AuthorizationSession.java
        RangerAuthorizationFilter.java
        HbaseFactory.java
        RangerHBaseResource.java
    - test
      - resources
        log4j.properties
        ranger-hbase-security.xml
        hbase-policies-tag.json
        hbase-policies.json
        policyengine
        test_policyengine_hbase.json
      - java
        org
        apache
        ranger
        services
        hbase
        TestRangerServiceHBase.java
        authorization
        hbase
        RangerAuthorizationFilterTest.java
        RangerAuthorizationCoprocessorTest.java
        HbaseAuthUtilsImplTest.java
        ColumnIteratorTest.java
        HBaseRangerAuthorizationTest.java
        AuthorizationSessionTest.java
        RangerAdminClientImpl.java
        TestPolicyEngine.java
  - disable-conf
    - hbase-site-changes.cfg
  - pom.xml
  - scripts
    - uninstall.sh
    - install.properties
    - install.sh
  - .gitignore
  - conf
    - hbase-site-changes.cfg
    - ranger-hbase-security.xml
    - ranger-hbase-audit.xml
    - ranger-policymgr-ssl-changes.cfg
    - ranger-hbase-audit-changes.cfg
    - ranger-policymgr-ssl.xml
    - ranger-hbase-security-changes.cfg
- release-build.xml
- unixauthservice
  - src
    - main
      - resources
        log4j.properties
      - java
        org
        apache
        ranger
        authentication
        UnixAuthenticationService.java
        PasswordValidator.java
  - pom.xml
  - scripts
    - initd
    - stop.sh
    - templates
      - installprop2xml.properties
      - ranger-ugsync-template.xml
    - set_globals.sh
    - updatepolicymgrpassword.sh
    - install.properties
    - setup.py
    - ranger-usersync-services.sh
    - start.sh
    - updatepolicymgrpassword.py
    - update_property.py
    - setup.sh
  - conf.dist
    - log4j.properties
    - ranger-ugsync-default.xml
    - jaas.conf
    - log4j.xml
  - .gitignore
- ranger-tools
  - src
    - main
      - java
        org
        apache
        ranger
        policyengine
        RangerResourceDeserializer.java
        PerfTestOptions.java
        PerfTestEngine.java
        RangerPluginPerfTester.java
        RangerAccessRequestDeserializer.java
        PerfTestClient.java
        CommandLineParser.java
        perftest
        v2
        RangerPolicyFactory.java
        RangerPolicyenginePerfTester.java
    - test
      - resources
        log4j.properties
        testdata
        test_servicetags_hive.json
        test_requests_hive.json
        test_servicepolicies_hive.json
        single-request-template.json
        performance-chart.template
        single-policy-template.json
        test_modules.txt
        ranger-config.xml
        commandline
      - java
        org
        apache
        ranger
        policyengine
        PerfTesterTest.java
        RangerPolicyEnginePerformanceTest.java
  - pom.xml
  - testdata
    - test_requests_hive.json
    - test_modules.txt
    - ranger-config.xml
  - scripts
    - summary.awk
    - ranger-plugin-perftester.sh
    - README.txt
    - ranger-perftester.sh
  - .gitignore
  - conf
    - log4j.properties
- unixauthnative
  - src
    - main
      - c
        credValidator.c
  - pom.xml
  - .gitignore
- ranger-examples
  - pom.xml
  - README.txt
  - distro
    - src
      - main
        assembly
        plugin-sampleapp.xml
        sampleapp.xml
    - pom.xml
    - .gitignore
  - plugin-sampleapp
    - src
      - main
        java
        org
        apache
        ranger
        examples
        sampleapp
        IAuthorizer.java
        RangerAuthorizer.java
    - pom.xml
    - .gitignore
    - conf
      - ranger-sampleapp-security.xml
      - ranger-policymgr-ssl.xml
      - ranger-sampleapp-audit.xml
  - sampleapp
    - src
      - main
        java
        org
        apache
        ranger
        examples
        sampleapp
        SampleApp.java
        DefaultAuthorizer.java
        IAuthorizer.java
    - pom.xml
    - scripts
      - run-sampleapp.sh
    - .gitignore
    - conf
      - log4j.xml
  - conditions-enrichers
    - src
      - main
        java
        org
        apache
        ranger
        plugin
        contextenricher
        RangerSampleCountryProvider.java
        RangerSampleProjectProvider.java
        conditionevaluator
        RangerSampleSimpleMatcher.java
        RangerPolicyConditionSampleSimpleMatcher.java
      - test
        java
        org
        apache
        ranger
        plugin
        conditionevaluator
        RangerSampleSimpleMatcherTest.java
    - pom.xml
    - .gitignore
  - dev-support
    - findbugsIncludeFile.xml
    - ranger-pmd-ruleset.xml
  - .gitignore
- kms
  - src
    - main
      - resources
        mini-kms-acls-default.xml
        log4j-kmsaudit.properties
        log4j.properties
        META-INF
        services
        org.apache.hadoop.crypto.key.KeyProviderFactory
        persistence.xml
        kms_jpa_named_queries.xml
        WEB-INF
        web.xml
      - java
        org
        apache
        hadoop
        crypto
        key
        kms
        server
        KMSAuditLogger.java
        KMSWebApp.java
        KMSACLsType.java
        KMSJSONReader.java
        KMS.java
        KMSConfiguration.java
        KMSACLs.java
        KMSMetricUtil.java
        KMSAuthenticationFilter.java
        KMSAudit.java
        KeyAuthorizationKeyProvider.java
        KMSExceptionsProvider.java
        KMSJSONWriter.java
        KMSServerJSONUtils.java
        KMSJMXServlet.java
        EagerKeyGeneratorKeyProviderCryptoExtension.java
        SimpleKMSAuditLogger.java
        KMSMDCFilter.java
        RangerHSM.java
        DB2HSMMKUtil.java
        RangerKeyVaultKeyGenerator.java
        JKS2RangerUtil.java
        HSM2DBMKUtil.java
        RangerSafenetKeySecure.java
        RangerKeyStoreProvider.java
        ConsoleUtil.java
        KeySecureToRangerDBMKUtil.java
        VerifyIsDBMasterkeyCorrect.java
        RangerMasterKey.java
        RangerKeyStore.java
        VerifyIsHSMMasterkeyCorrect.java
        DBToAzureKeyVault.java
        Ranger2JKSUtil.java
        DBToKeySecure.java
        AzureKeyVaultClientAuthenticator.java
        RangerKMSDB.java
        RangerKMSMKI.java
        ranger
        kms
        dao
        DaoManagerBase.java
        RangerKMSDao.java
        BaseDao.java
        DaoManager.java
        RangerMasterKeyDao.java
        biz
        RangerKMSStartUp.java
        entity
        XXDBBase.java
        XXRangerMasterKey.java
        XXRangerKeyStore.java
      - webapp
        WEB-INF
        web.xml
    - test
      - resources
        kms
        dbks-site.xml
        kms-site.xml
      - java
        org
        apache
        hadoop
        crypto
        key
        kms
        TestRangerKeyStore.java
        server
        TestKMSACLs.java
        DerbyTestUtils.java
        RangerKeyStoreProviderTest.java
        TestKMSAudit.java
        RangerMasterKeyTest.java
        TestKeyAuthorizationKeyProvider.java
  - pom.xml
  - config
    - webserver
      - ranger-kms-site.xml
    - kms-webapp
      - dbks-site.xml
      - kms-log4j.properties
      - kms-site.xml
  - scripts
    - ranger-kms-initd
    - VerifyIsDBMasterkeyCorrect.sh
    - dba_script.py
    - db_setup.py
    - db
      - sqlserver
        kms_core_db_sqlserver.sql
      - sqlanywhere
        kms_core_db_sqlanywhere.sql
      - oracle
        kms_core_db_oracle.sql
      - mysql
        kms_core_db.sql
      - postgres
        kms_core_db_postgres.sql
    - KEYSECUREMKTOKMSDB.sh
    - DBMKTOKEYSECURE.sh
    - install.properties
    - importJCEKSKeys.sh
    - HSMMK2DB.sh
    - VerifyIsHSMMasterkeyCorrect.sh
    - DBMKTOAZUREKEYVAULT.sh
    - ranger-kms
    - exportKeysToJCEKS.sh
    - update_property.py
    - DBMK2HSM.sh
    - setup.sh
  - dev-support
    - findbugsExcludeFile.xml
  - .gitignore
- ranger-atlas-plugin-shim
  - src
    - main
      - java
        org
        apache
        ranger
        authorization
        atlas
        authorizer
        RangerAtlasAuthorizer.java
  - pom.xml
  - .gitignore
- plugin-atlas
  - src
    - main
      - java
        org
        apache
        ranger
        services
        atlas
        json
        model
        ResourceTermResponse.java
        ResourceOperationResponse.java
        ResourceTypeResponse.java
        ResourceTaxonomyResponse.java
        ResourceEntityResponse.java
        RangerServiceAtlas.java
        authorization
        atlas
        authorizer
        RangerAtlasAuthorizer.java
    - test
      - resource
        log4j.properties
  - pom.xml
  - template
    - configuration.xml
  - scripts
    - install.properties
  - .gitignore
  - conf
    - ranger-atlas-security.xml
    - ranger-atlas-audit-changes.cfg
    - ranger-policymgr-ssl-changes.cfg
    - ranger-atlas-audit.xml
    - ranger-policymgr-ssl.xml
    - ranger-atlas-security-changes.cfg
- ranger-knox-plugin-shim
  - src
    - main
      - resources
        META-INF
        services
        org.apache.knox.gateway.deploy.ProviderDeploymentContributor
      - java
        com
        xasecure
        pdp
        knox
        filter
        XASecurePDPKnoxFilter.java
        org
        apache
        ranger
        authorization
        knox
        deploy
        RangerPDPKnoxDeploymentContributor.java
        RangerPDPKnoxFilter.java
  - pom.xml
  - .gitignore
- plugin-solr
  - src
    - main
      - java
        org
        apache
        ranger
        services
        solr
        RangerServiceSolr.java
        client
        ServiceSolrConnectionMgr.java
        ServiceSolrClient.java
        authorization
        solr
        authorizer
        SubsetQueryPlugin.java
        RangerSolrAuthorizer.java
        RangerSolrAuditHandler.java
        FieldToAttributeMapping.java
  - pom.xml
  - scripts
    - install.properties
  - .gitignore
  - conf
    - ranger-solr-audit.xml
    - ranger-policymgr-ssl-changes.cfg
    - ranger-solr-security.xml
    - ranger-policymgr-ssl.xml
    - ranger-solr-security-changes.cfg
    - ranger-solr-audit-changes.cfg
- hive-agent
  - src
    - main
      - java
        com
        xasecure
        authorization
        hive
        authorizer
        XaSecureHiveAuthorizerFactory.java
        org
        apache
        ranger
        services
        hive
        client
        HiveConnectionMgr.java
        HiveResourceMgr.java
        HiveClient.java
        RangerServiceHive.java
        authorization
        hive
        constants
        RangerHiveConstants.java
        authorizer
        RangerHiveResourceACLs.java
        RangerHiveAuthorizerBase.java
        RangerHiveAccessRequest.java
        RangerHiveAuditHandler.java
        RangerHiveResource.java
        RangerHiveAuthorizer.java
        RangerHiveAuthorizerFactory.java
        RangerHivePolicyProvider.java
    - test
      - resources
        log4j.properties
        ranger-hive-security.xml
        hive-policies.json
        hive-policies-tag.json
        wordcount.txt
      - java
        org
        apache
        ranger
        services
        hive
        TestAllHiveOperationInRanger.java
        HIVERangerAuthorizerTest.java
        RangerHiveOperationType.java
        RangerAdminClientImpl.java
  - disable-conf
    - hiveserver2-site-changes.cfg
  - pom.xml
  - template
    - configuration.xml
  - scripts
    - uninstall.sh
    - install.properties
    - install.sh
  - .gitignore
  - conf
    - ranger-hive-audit.xml
    - ranger-hive-security.xml
    - hiveserver2-site-changes.cfg
    - ranger-policymgr-ssl-changes.cfg
    - ranger-hive-audit-changes.cfg
    - ranger-policymgr-ssl.xml
    - ranger-hive-security-changes.cfg
- agents-cred
  - src
    - main
      - java
        org
        apache
        ranger
        authorization
        hadoop
        utils
        RangerCredentialProvider.java
    - test
      - resources
        log4j.properties
      - java
        org
        apache
        ranger
        authorization
        hadoop
        utils
        RangerCredentialProviderTest.java
  - pom.xml
  - .gitignore
- plugin-schema-registry
  - src
    - main
      - java
        org
        apache
        ranger
        services
        schema
        registry
        client
        AutocompletionAgent.java
        connection
        DefaultSchemaRegistryClient.java
        ISchemaRegistryClient.java
        util
        SecurityUtils.java
        SchemaRegistryResourceMgr.java
        RangerServiceSchemaRegistry.java
    - test
      - resources
        truststore.jks
        keystore.jks
        ssl-schema-registry.yaml
        schema-text3.avcs
        ssl-schema-registry-client.yaml
      - java
        org
        apache
        ranger
        services
        schema
        registry
        client
        SchemaRegistryResourceMgrTest.java
        util
        AcceptAllHostnameVerifier.java
        TestAutocompletionAgent.java
        DefaultSchemaRegistryClientForTesting.java
        connection
        DefaultSchemaRegistryClientTest.java
        util
        SecurityUtilsTest.java
        AutocompletionAgentTest.java
  - pom.xml
  - .gitignore
- storm-agent
  - src
    - main
      - java
        org
        apache
        ranger
        services
        storm
        client
        StormConnectionMgr.java
        StormClient.java
        StormResourceMgr.java
        json
        model
        Topology.java
        TopologyListResponse.java
        RangerServiceStorm.java
        authorization
        storm
        StormRangerPlugin.java
        authorizer
        RangerStormAuthorizer.java
    - test
      - resources
        storm-policies-tag.json
        ranger-storm-security.xml
        storm.yaml
        storm-policies.json
        words.txt
      - java
        org
        apache
        ranger
        authorization
        storm
        StormRangerAuthorizerTest.java
        WordSpout.java
        RangerAdminClientImpl.java
        WordCounterBolt.java
  - pom.xml
  - scripts
    - uninstall.sh
    - install.properties
    - install.sh
  - .gitignore
  - conf
    - ranger-storm-audit.xml
    - ranger-storm-security.xml
    - ranger-policymgr-ssl-changes.cfg
    - ranger-policymgr-ssl.xml
    - ranger-storm-audit-changes.cfg
    - ranger-storm-security-changes.cfg
- pom.xml
- plugin-kafka
  - src
    - main
      - java
        org
        apache
        ranger
        services
        kafka
        RangerServiceKafka.java
        client
        ServiceKafkaConnectionMgr.java
        ServiceKafkaClient.java
        authorization
        kafka
        authorizer
        RangerKafkaAuthorizer.java
        RangerKafkaAuditHandler.java
    - test
      - resources
        kafka_kerberos.jaas
        log4j.properties
        kafka_plain.jaas
        kafka-policies.json
        kafka-policies-tag.json
        ranger-kafka-security.xml
      - java
        org
        apache
        ranger
        authorization
        kafka
        authorizer
        KafkaRangerTopicCreationTest.java
        KafkaRangerAuthorizerSASLSSLTest.java
        KafkaRangerAuthorizerGSSTest.java
        RangerAdminClientImpl.java
        KafkaRangerAuthorizerTest.java
        KafkaTestUtils.java
  - pom.xml
  - scripts
    - install.properties
  - .gitignore
  - conf
    - ranger-kafka-audit-changes.cfg
    - ranger-kafka-audit.xml
    - ranger-policymgr-ssl-changes.cfg
    - ranger-policymgr-ssl.xml
    - ranger-kafka-security.xml
    - kafka-ranger-env.sh
    - ranger-kafka-security-changes.cfg
- ranger-hbase-plugin-shim
  - src
    - main
      - test
        org
        apache
        hadoop
        hbase
        security
        access
        RangerAccessControlListsTest.java
      - java
        com
        xasecure
        authorization
        hbase
        XaSecureAuthorizationCoprocessor.java
        org
        apache
        hadoop
        hbase
        security
        access
        RangerAccessControlLists.java
        ranger
        authorization
        hbase
        RangerAuthorizationCoprocessor.java
  - pom.xml
  - .gitignore
- unixauthpam
  - src
    - main
      - c
        pamCredValidator.c
  - pom.xml
  - .gitignore
- ranger-storm-plugin-shim
  - src
    - main
      - java
        com
        xasecure
        authorization
        storm
        authorizer
        XaSecureStormAuthorizer.java
        org
        apache
        ranger
        authorization
        storm
        authorizer
        RangerStormAuthorizer.java
  - pom.xml
  - .gitignore
- ranger-kylin-plugin-shim
  - src
    - main
      - java
        org
        apache
        ranger
        authorization
        kylin
        authorizer
        RangerKylinAuthorizer.java
  - pom.xml
  - .gitignore
- migration-util
  - ambari2.1-hdp2.3-ranger0.50
    - bin
      - ranger_admin_install.properties
      - import_ranger_to_ambari.py
    - doc
      - README.TXT
  - ambari2.0-hdp2.2-ranger0.40
    - bin
      - ranger_admin_install.properties
      - import_ranger_to_ambari.py
    - doc
      - README.TXT
- ranger-hive-plugin-shim
  - src
    - main
      - java
        com
        xasecure
        authorization
        hive
        authorizer
        XaSecureHiveAuthorizerFactory.java
        org
        apache
        ranger
        authorization
        hive
        authorizer
        RangerHiveAuthorizerFactory.java
  - pom.xml
  - .gitignore
- ranger-kms-plugin-shim
  - src
    - main
      - java
        org
        apache
        ranger
        authorization
        kms
        authorizer
        RangerKmsAuthorizer.java
  - pom.xml
  - .gitignore
- ranger-plugin-classloader
  - src
    - main
      - java
        org
        apache
        ranger
        plugin
        classloader
        RangerPluginClassLoader.java
        RangerPluginClassLoaderUtil.java
    - test
      - java
        org
        apache
        ranger
        plugin
        classloader
        test
        Impl
        TestPrint.java
        TestChildFistClassLoader.java
        TestPluginImpl.java
        TestPrintParent.java
        TestPlugin.java
  - pom.xml
  - .gitignore
- README.txt
- ranger-util
  - src
    - main
      - java
        org
        apache
        ranger
        common
        RangerVersionInfo.java
        RangerVersionAnnotation.java
    - scripts
      - saveVersion.py
    - .gitignore
  - pom.xml
  - .gitignore
- ranger-sqoop-plugin-shim
  - src
    - main
      - java
        org
        apache
        ranger
        authorization
        sqoop
        authorizer
        RangerSqoopAuthorizer.java
  - pom.xml
  - .gitignore
- plugin-nifi
  - src
    - main
      - java
        org
        apache
        ranger
        services
        nifi
        client
        NiFiAuthType.java
        NiFiConfigs.java
        NiFiClient.java
        NiFiConnectionMgr.java
        RangerServiceNiFi.java
    - test
      - java
        org
        apache
        ranger
        services
        nifi
        client
        TestNiFiConnectionMgr.java
        TestNiFiClient.java
  - pom.xml
  - .gitignore
- .gitattributes
- security-admin
  - src
    - main
      - resources
        internationalization
        messages_zh_CN.properties
        messages_uk_UA.properties
        messages_es_ES.properties
        messages_pt_BR.properties
        messages_pl.properties
        messages_lt.properties
        messages_it.properties
        messages.properties
        messages_de.properties
        messages_pt_PT.properties
        messages_fr.properties
        messages_ko_KR.properties
        messages_cs_CZ.properties
        META-INF
        persistence.xml
        infinispan-cache-config.xml
        jpa_named_queries.xml
        db_message_bundle.properties
        resourcenamemap.properties
        conf.dist
        ranger-admin-default-site.xml
        security-applicationContext.xml
        ranger-admin-site.xml
        log4jdbc.properties
      - java
        org
        apache
        ranger
        security
        web
        authentication
        RangerSessionFixationProtectionStrategy.java
        CustomLogoutSuccessHandler.java
        RangerAuthFailureHandler.java
        RangerAuthSuccessHandler.java
        RangerAuthenticationEntryPoint.java
        filter
        RangerSecurityContextFormationFilter.java
        RangerSSOAuthenticationFilter.java
        RangerKrbFilter.java
        SSOAuthenticationProperties.java
        SSOAuthentication.java
        RangerUsernamePasswordAuthenticationFilter.java
        RangerKRBAuthenticationFilter.java
        MyRememberMeFilter.java
        RangerCSRFPreventionFilter.java
        standalone
        StandaloneSecurityHandler.java
        context
        RangerAdminOpContext.java
        RangerAPIMapping.java
        RangerSecurityContext.java
        RangerAPIList.java
        RangerContextHolder.java
        RangerPreAuthSecurityHandler.java
        handler
        RangerDomainObjectSecurityHandler.java
        RangerAuthenticationProvider.java
        Permission.java
        listener
        SpringEventListener.java
        RangerHttpSessionListener.java
        patch
        PatchTagModulePermission_J10005.java
        PatchForPrestoToSupportPresto333_J10038.java
        PatchForAtlasResourceAndAccessTypeUpdate_J10016.java
        PatchForHiveServiceDefUpdate_J10030.java
        PatchForHiveServiceDefUpdate_J10007.java
        PatchForUpdatingPolicyJson_J10019.java
        PatchGrantAuditPermissionToKeyRoleUser_J10014.java
        PatchForKafkaServiceDefUpdate_J10015.java
        PatchForMigratingRangerServiceResource_J10037.java
        PatchPermissionModel_J10003.java
        PatchForTagServiceDefUpdate_J10008.java
        PatchAssignSecurityZonePersmissionToAdmin_J10026.java
        PatchForHiveServiceDefUpdate_J10006.java
        cliutil
        ChangeUserNameUtil.java
        UpdateUserAndGroupNamesInJson.java
        MetricUtil.java
        ChangePasswordUtil.java
        XXTrxLogUpdateUtil.java
        DbToSolrMigrationUtil.java
        RoleBasedUserSearchUtil.java
        PatchForServiceVersionInfo_J10004.java
        BaseLoader.java
        PatchForKafkaServiceDefUpdate_J10025.java
        PatchMigration_J10002.java
        PatchForUpdatingTagsJson_J10020.java
        PatchForAllServiceDefUpdateForResourceSpecificAccesses_J10012.java
        PatchPasswordEncryption_J10001.java
        PatchForXGlobalState_J10036.java
        PatchForKafkaServiceDefUpdate_J10033.java
        PatchForHiveServiceDefUpdate_J10010.java
        PatchForHBaseServiceDefUpdate_J10035.java
        PatchForAtlasServiceDefUpdate_J10013.java
        PatchForNifiResourceUpdateExclude_J10011.java
        PatchForHiveServiceDefUpdate_J10027.java
        PatchForHiveServiceDefUpdate_J10017.java
        PatchForHiveServiceDefUpdate_J10009.java
        PatchForTagServiceDefUpdate_J10028.java
        PatchForAtlasToAddEntityLabelAndBusinessMetadata_J10034.java
        entity
        XXServiceResourceElement.java
        XXPolicyRefGroup.java
        XXServiceDef.java
        XXSecurityZoneRefResource.java
        XXPolicyRefUser.java
        XXSecurityZoneRefGroup.java
        XXPolicyRefCondition.java
        XXUserPermission.java
        XXPolicyLabelMap.java
        XXPolicyChangeLog.java
        XXPolicyConditionDef.java
        XXTagResourceMap.java
        XXContextEnricherDef.java
        XXPolicyWithAssignedId.java
        XXPolicyResourceMap.java
        XXTagDef.java
        XXAccessAudit.java
        XXDBBase.java
        XXServiceDefWithAssignedId.java
        XXServiceResourceElementValue.java
        XXPolicyRefResource.java
        XXAccessAuditV5.java
        XXRoleRefRole.java
        XXRoleBase.java
        XXServiceBase.java
        XXPolicyItemCondition.java
        XXDataMaskTypeDef.java
        XXSecurityZoneBase.java
        XXPermMap.java
        XXServiceVersionInfo.java
        XXSecurityZone.java
        XXTagChangeLog.java
        XXPolicyRefAccessType.java
        XXPolicyItemGroupPerm.java
        XXSecurityZoneRefTagService.java
        XXServiceConfigMap.java
        XXAccessTypeDefGrants.java
        XXServiceResource.java
        XXPolicyItemAccess.java
        XXPolicyItemRowFilterInfo.java
        XXServiceConfigDef.java
        XXSecurityZoneRefUser.java
        XXAccessTypeDef.java
        XXAccessAuditBase.java
        XXAccessAuditV4.java
        XXResource.java
        XXTag.java
        XXPolicyRefDataMaskType.java
        XXRole.java
        XXServiceWithAssignedId.java
        XXAuthSession.java
        XXSecurityZoneRefService.java
        XXGroupUser.java
        XXServiceDefBase.java
        XXPolicyExportAudit.java
        XXUgsyncAuditInfo.java
        XXPolicy.java
        view
        VXXTrxLog.java
        XXResourceDef.java
        XXGroup.java
        XXCredentialStore.java
        XXAuditMap.java
        XXPolicyResource.java
        XXPluginInfo.java
        XXEnumElementDef.java
        XXTagAttributeDef.java
        XXGlobalStateBase.java
        XXGroupGroup.java
        XXModuleDef.java
        XXRoleRefUser.java
        XXPolicyItemDataMaskInfo.java
        XXGroupPermission.java
        XXTrxLog.java
        XXDataHist.java
        XXPolicyRefRole.java
        XXPolicyItem.java
        XXEnumDef.java
        XXPolicyItemUserPerm.java
        XXRoleRefGroup.java
        XXAsset.java
        XXPortalUserRole.java
        XXPortalUser.java
        XXPolicyBase.java
        XXTagAttribute.java
        XXPolicyLabel.java
        XXGlobalState.java
        XXService.java
        XXUser.java
        db
        XXGlobalStateDao.java
        XXAssetDao.java
        XXPolicyLabelDao.java
        XXAuthSessionDao.java
        XXRoleRefRoleDao.java
        RangerDaoManagerBase.java
        XXGroupGroupDao.java
        XXResourceDefDao.java
        XXAccessTypeDefDao.java
        XXPolicyResourceDao.java
        XXAuditMapDao.java
        XXModuleDefDao.java
        XXContextEnricherDefDao.java
        XXServiceConfigMapDao.java
        XXGroupDao.java
        XXPolicyRefGroupDao.java
        XXPolicyChangeLogDao.java
        XXPolicyExportAuditDao.java
        XXTagAttributeDefDao.java
        XXServiceResourceElementValueDao.java
        XXSecurityZoneRefTagServiceDao.java
        XXPolicyItemUserPermDao.java
        XXRoleRefGroupDao.java
        XXTagAttributeDao.java
        XXGroupPermissionDao.java
        XXServiceWithAssignedIdDao.java
        XXPolicyItemConditionDao.java
        XXPolicyItemDataMaskInfoDao.java
        XXSecurityZoneRefResourceDao.java
        XXPolicyItemRowFilterInfoDao.java
        XXPolicyRefResourceDao.java
        XXUgsyncAuditInfoDao.java
        XXUserDao.java
        XXDBBaseDao.java
        XXPolicyItemAccessDao.java
        XXAccessTypeDefGrantsDao.java
        XXServiceConfigDefDao.java
        XXTagDao.java
        RangerDaoManager.java
        XXPolicyRefAccessTypeDao.java
        XXDataHistDao.java
        XXEnumElementDefDao.java
        XXServiceResourceDao.java
        XXDataMaskTypeDefDao.java
        XXCredentialStoreDao.java
        XXPolicyDao.java
        XXGroupUserDao.java
        XXSecurityZoneDao.java
        XXPluginInfoDao.java
        XXSecurityZoneRefServiceDao.java
        XXServiceDefWithAssignedIdDao.java
        XXRoleRefUserDao.java
        XXTagDefDao.java
        XXPolicyItemGroupPermDao.java
        XXTagResourceMapDao.java
        XXUserPermissionDao.java
        XXServiceResourceElementDao.java
        XXSecurityZoneRefGroupDao.java
        XXServiceDao.java
        XXPolicyRefConditionDao.java
        XXResourceDao.java
        XXServiceDefDao.java
        XXPolicyRefRoleDao.java
        XXTrxLogDao.java
        XXRoleDao.java
        XXTagChangeLogDao.java
        XXPolicyLabelMapDao.java
        XXPolicyItemDao.java
        XXPermMapDao.java
        XXServiceVersionInfoDao.java
        XXPortalUserRoleDao.java
        XXPolicyConditionDefDao.java
        XXSecurityZoneRefUserDao.java
        XXPolicyRefUserDao.java
        XXPortalUserDao.java
        XXEnumDefDao.java
        XXPolicyResourceMapDao.java
        XXAccessAuditDao.java
        XXPolicyWithAssignedIdDao.java
        XXPolicyRefDataMaskTypeDao.java
        authentication
        unix
        jaas
        RoleUserAuthorityGranter.java
        elasticsearch
        ElasticSearchMgr.java
        ElasticSearchAccessAuditsService.java
        ElasticSearchUtil.java
        credentialapi
        CredentialReader.java
        common
        ContextUtil.java
        SearchValue.java
        StringUtil.java
        TimedEventUtil.java
        RangerValidatorFactory.java
        db
        RangerTransactionSynchronizationAdapter.java
        BaseDao.java
        JPABeanCallbacks.java
        MyCallBack.java
        XMLPropertiesUtil.java
        RangerConstants.java
        UserSessionBase.java
        RangerSearchUtil.java
        RangerJAXBContextResolver.java
        SearchUtil.java
        RangerCommonEnums.java
        SearchField.java
        HTTPUtil.java
        ServiceUtil.java
        GUIDUtil.java
        ErrorMessageUtil.java
        SortField.java
        SearchGroup.java
        RangerServicePoliciesCache.java
        JSONUtil.java
        AppConstants.java
        MapUtil.java
        SearchCriteria.java
        TimedExecutor.java
        RequestContext.java
        DateUtil.java
        view
        VList.java
        VTrxLogAttr.java
        ViewBaseBean.java
        VEnum.java
        VEnumElement.java
        RangerFactory.java
        RangerProperties.java
        PropertiesUtil.java
        RESTErrorUtil.java
        TimedExecutorConfigurator.java
        MessageEnums.java
        annotation
        RangerAnnotationRestAPI.java
        RangerAnnotationJSMgrName.java
        RangerAnnotationClassName.java
        RangerServiceTagsCache.java
        RangerAdminTagEnricher.java
        RangerUserStoreCache.java
        RangerRoleCache.java
        RangerConfigUtil.java
        util
        RangerMetricsUtil.java
        RangerEnumUtil.java
        RangerRestUtil.java
        RestUtil.java
        CLIUtil.java
        service
        XModuleDefServiceBase.java
        XAccessAuditServiceBase.java
        XPermMapService.java
        UserService.java
        UserServiceBase.java
        XAssetServiceBase.java
        XPolicyExportAuditServiceBase.java
        RangerPluginInfoService.java
        RangerServiceResourceService.java
        XUgsyncAuditInfoServiceBase.java
        XUgsyncAuditInfoService.java
        RangerServiceServiceBase.java
        XAccessAuditService.java
        PublicAPIServiceBase.java
        XGroupUserService.java
        RangerRoleService.java
        XGroupGroupService.java
        RangerTagDefServiceBase.java
        AbstractBaseResourceService.java
        AuthSessionService.java
        RangerTagDefService.java
        XCredentialStoreService.java
        RangerPolicyWithAssignedIdService.java
        XPolicyExportAuditService.java
        XResourceService.java
        XPortalUserService.java
        RangerPolicyService.java
        RangerTagResourceMapServiceBase.java
        XGroupPermissionServiceBase.java
        XRepositoryService.java
        RangerPluginActivityLogger.java
        XAssetService.java
        XUserService.java
        RangerSecurityZoneServiceBase.java
        XGroupUserServiceBase.java
        XUserServiceBase.java
        XPolicyService.java
        RangerPolicyServiceBase.java
        XPermMapServiceBase.java
        XTrxLogService.java
        XGroupGroupServiceBase.java
        XAuditMapServiceBase.java
        XTrxLogServiceBase.java
        RangerServiceService.java
        XGroupPermissionService.java
        RangerPolicyLabelsService.java
        RangerServiceWithAssignedIdService.java
        XUserPermissionService.java
        RangerServiceResourceServiceBase.java
        RangerTagService.java
        RangerAuditFields.java
        XResourceServiceBase.java
        XUserPermissionServiceBase.java
        RangerDataHistService.java
        XCredentialStoreServiceBase.java
        RangerTagResourceMapService.java
        RangerTagServiceBase.java
        RangerBaseModelService.java
        RangerPolicyLabelHelper.java
        filter
        RangerRESTAPIFilter.java
        XModuleDefService.java
        RangerSecurityZoneServiceService.java
        RangerTransactionService.java
        XGroupServiceBase.java
        XGroupService.java
        XPortalUserServiceBase.java
        RangerServiceDefWithAssignedIdService.java
        RangerRoleServiceBase.java
        RangerServiceDefService.java
        XAuditMapService.java
        RangerServiceDefServiceBase.java
        view
        VXResource.java
        VXLong.java
        VXKmsKeyList.java
        RangerPluginInfoList.java
        RangerSecurityZoneList.java
        RangerServiceList.java
        VXModuleDefList.java
        VXUserGroupInfo.java
        VXString.java
        VXMetricServiceCount.java
        VXUnixSyncSourceInfo.java
        VXKmsKey.java
        VXTrxLogList.java
        RangerRoleList.java
        VXAsset.java
        VXPolicyList.java
        VXMetricPolicyWithServiceNameCount.java
        VXPasswordChange.java
        VXStringList.java
        VXCredentialStore.java
        VXMetricUserGroupCount.java
        VXUserPermission.java
        VXPortalUser.java
        RangerPolicyList.java
        VXPolicyLabel.java
        VXGroupGroupList.java
        VXDataObject.java
        VXPermObjList.java
        VXAuthSession.java
        VXResourceList.java
        VXPermMap.java
        VXMetricAuditDetailsCount.java
        VXUserList.java
        VXAuditMapList.java
        VXMetricPolicyCount.java
        VXPermMapList.java
        VXAssetList.java
        VXFileSyncSourceInfo.java
        VXRepositoryList.java
        VXPolicyExportAuditList.java
        VXUgsyncAuditInfoList.java
        VXPolicyLabelList.java
        VXPolicyExportAudit.java
        VXUserPermissionList.java
        VXPortalUserList.java
        VXResponse.java
        VXUgsyncAuditInfo.java
        RangerServiceDefList.java
        VXAccessAudit.java
        VXPermObj.java
        VXGroupPermissionList.java
        VXGroupUserInfo.java
        VXAuditRecord.java
        VXLdapSyncSourceInfo.java
        VXUser.java
        VXAuditMap.java
        VXMessage.java
        VXModuleDef.java
        VXGroupUser.java
        VXAccessAuditList.java
        VXTrxLog.java
        VXGroupGroup.java
        VXMetricServiceNameCount.java
        VXGroup.java
        VXMetricContextEnricher.java
        VXCredentialStoreList.java
        VXGroupList.java
        VXAuditRecordList.java
        VXPolicy.java
        VXGroupUserList.java
        RangerExportPolicyList.java
        VXGroupPermission.java
        VXAuthSessionList.java
        VXRepository.java
        AccessAuditsService.java
        biz
        RangerBizUtil.java
        ServiceMgr.java
        AssetMgr.java
        RangerPolicyRetriever.java
        RoleRefUpdater.java
        RangerPolicyAdminCacheForEngineOptions.java
        XAuditMgr.java
        AssetMgrBase.java
        RangerPolicyAdmin.java
        TagDBStore.java
        RangerPolicyAdminCache.java
        SessionMgr.java
        RoleDBStore.java
        KmsKeyMgr.java
        SecurityZoneRefUpdater.java
        XUserMgrBase.java
        BaseMgr.java
        RangerPolicyAdminImpl.java
        XUserMgr.java
        RangerTagDBRetriever.java
        UserMgr.java
        SecurityZoneDBStore.java
        UserMgrBase.java
        XAuditMgrBase.java
        PolicyRefUpdater.java
        solr
        SolrAccessAuditsService.java
        SolrMgr.java
        SolrUtil.java
        json
        JsonDateSerializer.java
        Folder.java
        rest
        SecurityZoneREST.java
        RoleREST.java
        MetricsREST.java
        XAuditREST.java
        TagREST.java
        XUserREST.java
        ServiceRESTUtil.java
        ServiceTagsProcessor.java
        AssetREST.java
        PublicAPIs.java
        ServiceREST.java
        TagRESTConstants.java
        PublicAPIsv2.java
        XKeyREST.java
        UserREST.java
      - webapp
        robots.txt
        libs
        fsOverrides
        BBFOverrides.js
        bower
        bootstrap
        js
        bootstrap.min.js
        bootstrap.js
        underscore-amd
        js
        underscore-min.js
        underscore.js
        backbone.babysitter
        js
        backbone.babysitter.min.js
        backbone.babysitter.js
        backbone-pageable
        js
        backbone-pageable.min.js
        backbone-pageable.js
        bootbox
        js
        bootbox.js
        backgrid-filter
        js
        backgrid-filter.js
        css
        backgrid-filter.css
        require-handlebars-plugin
        js
        Handlebars.js
        hbs.js
        i18nprecompile.js
        backgrid-paginator
        js
        backgrid-paginator.js
        css
        backgrid-paginator.css
        backbone.wreqr
        js
        backbone.wreqr.js
        backbone.wreqr.min.js
        tag-it
        js
        tag-it.min.js
        tag-it.js
        css
        jquery.tagit.css
        backbone
        js
        backbone.js
        backbone-min.js
        bootstrap-notify
        js
        bootstrap-notify.js
        css
        bootstrap-notify.css
        backbone.localstorage
        backbone.localStorage.js
        backbone-amd
        js
        backbone.js
        backbone-min.js
        esprima
        esprima.js
        jquery
        js
        jquery-3.4.1.min.js
        jquery-toggles
        js
        toggles.min.js
        css
        toggles.css
        backbone.marionette
        js
        backbone.marionette.min.js
        backbone.marionette.js
        x-editable
        img
        js
        css
        bootstrap-editable.css
        backbone.bootstrap-modal
        js
        backbone.bootstrap-modal.js
        backbone-forms
        js
        backbone-forms.min.js
        old.js
        list.min.js
        list.js
        backbone-forms.js
        bootstrap.js
        css
        bootstrap.css
        select2
        select2.js
        select2-spinner.gif
        select2.css
        globalize
        .npmignore
        lib
        globalize.js
        .bower.json
        .gitignore
        underscore
        js
        underscore-min.js
        underscore.js
        moment
        js
        moment-timezone-with-data.min.js
        requirejs
        js
        require.js
        other
        backgrid
        backgrid.js
        backgrid.css
        jquery-ui
        js
        css
        jquery-ui.min.css
        images
        animated-overlay.gif
        jquery-ui.css
        datepicker
        less
        datepicker.less
        js
        bootstrap-datepicker.js
        css
        datepicker.css
        jquery-cookie
        js
        bower.json
        cookie.jquery.json
        package.json
        jquery.cookie.js
        bootstrap-datetimepicker
        js
        bootstrap-datetimepicker.min.js
        css
        bootstrap-datetimepicker.min.css
        visualsearch
        images
        embed
        icons
        .bower.json
        js
        visualsearch.js
        css
        icons.css
        workspace.css
        backbone.fetch-cache.js
        images
        blank.gif
        loading.gif
        favicon.ico
        blockLoading.gif
        templates
        kms
        KmsTableLayout_tmpl.html
        KmsKeyCreate_tmpl.html
        KmsKeyForm_tmpl.html
        reports
        AuditLayout_tmpl.html
        UserSyncInfo_tmpl.html
        UserUpdateOperationDiff_tmpl.html
        PlugableServicePolicyDeleteDiff_tmpl.html
        RoleOperationDiff_tmpl.html
        GroupOperationDiff_tmpl.html
        AssetOperationDiff_tmpl.html
        RoleUpdateOperationDiff_tmpl.html
        AuditAccessLogDetail_tmpl.html
        UserAccessLayout_tmpl.html
        AssetUpdateOperationDiff_tmpl.html
        UserOperationDiff_tmpl.html
        ZoneOperationDiff_tmpl.html
        LoginSessionDetail_tmpl.html
        ZoneUpdateOperationDiff_tmpl.html
        PlugableServicePolicyUpdateDiff_tmpl.html
        GroupUpdateOperationDiff_tmpl.html
        PlugableServicePolicyDiff_tmpl.html
        policies
        RangerPolicyTableLayout_tmpl.html
        RangerPolicyCreate_tmpl.html
        PolicyTimeItem_tmpl.html
        RangerPolicyForm_tmpl.html
        RangerPolicyRO_tmpl.html
        PolicyConditionsItem_tmpl.html
        PermissionItem.html
        PolicyTimeList_tmpl.html
        PermissionList.html
        user
        UserProfileForm_tmpl.html
        UserProfile_tmpl.html
        security_zone
        ZoneAdministration_tmpl.html
        SecurityZone_tmpl.html
        ZoneResourceForm_tmpl.html
        ZoneResourceItem_tmpl.html
        ZoneResourceList_tmpl.html
        ZoneResources_tmpl.html
        ZoneCreateForm_tmpl.html
        ZoneCreate_tmpl.html
        ZoneResourcesForm_tmpl.html
        helpers
        XAHelpers.js
        common
        loading_tmpl.html
        ProfileBar_tmpl.html
        breadcrumbs.html
        ErrorView_tmpl.html
        uploadservicepolicy_tmpl.html
        UserPermissionItem.html
        Footer_tmpl.html
        AddGroup_tmpl.html
        TopNav_tmpl.html
        XATableLayout_tmpl.html
        ServiceManagerLayout_tmpl.html
        ServiceManagerSidebarLayout_tmpl.html
        downloadservicepolicy_tmpl.html
        UserPermissionList.html
        ServiceMappingItem.html
        service
        ConfigurationItem_tmpl.html
        ConfigurationList_tmpl.html
        ServiceForm_tmpl.html
        RangerServiceViewDetail_tmpl.html
        ServiceTableLayout_tmpl.html
        ServiceCreate_tmpl.html
        users
        RoleCreate_tmpl.html
        RoleForm_tmpl.html
        UserTableLayout_tmpl.html
        UserInfo_tmpl.html
        GroupCreate_tmpl.html
        GroupForm_tmpl.html
        UserForm_tmpl.html
        UserCreate_tmpl.html
        AddUserOrGroupsItem_tmpl.html
        AddUserOrGroupsList_tmpl.html
        permissions
        ModulePermsTableLayout_tmpl.html
        ModulePermissionForm_tmpl.html
        ModulePermissionCreate_tmpl.html
        dashboard
        DashboardLayout_tmpl.html
        package-lock.json
        .htaccess
        404.html
        META-INF
        scheduler-applicationContext.xml
        context.xml
        asynctask-applicationContext.xml
        applicationContext.xml
        contextXML
        unix_security_settings.xml
        ldap_security_settings.xml
        ad_bean_settings.xml
        ldap_bean_settings.xml
        ad_security_settings.xml
        unix_bean_settings.xml
        MANIFEST.MF
        fonts
        fontawesome
        fontawesome-webfont.woff
        fontawesome-webfont.eot
        FontAwesome.otf
        fontawesome-webfont.ttf
        fontawesome-webfont.svg
        fontopensans
        open-sans-600.woff
        open-sans-300.woff
        open-sans-600i.woff
        open-sans-400.woff
        README.txt
        open-sans-300i.woff
        open-sans-700i.woff
        open-sans-700.woff
        open-sans-400i.woff
        fontapachecomponent
        apache_component_font.ttf
        apache_component_font.woff
        apache_component_font.eot
        apache_component_font.svg
        WEB-INF
        log4j.properties
        db_patch.log4j.xml
        log4j.xml
        log4j.dev.xml
        web.xml
        package.json
        scripts
        utils
        XAGlobals.js
        XAEnums.js
        XALangSupport.js
        XAUtils.js
        XAViewUtils.js
        views
        UploadServicePolicy.js
        DownloadServicePolicy.js
        kms
        KMSTableLayout.js
        KmsKeyForm.js
        KmsKeyCreate.js
        reports
        LoginSessionDetail.js
        OperationDiffDetail.js
        AuditLayout.js
        UserAccessLayout.js
        AuditAccessLogDetailView.js
        PlugableServiceDiffDetail.js
        policies
        PolicyTimeList.js
        RangerPolicyRO.js
        PermissionList.js
        RangerPolicyForm.js
        RangerPolicyConditions.js
        RangerPolicyCreate.js
        NRangerPolicyTableLayout.js
        RangerPolicyTableLayout.js
        user
        UserProfileForm.js
        UserProfile.js
        security_zone
        ZoneResourceForm.js
        ZoneAdministration.js
        ZoneCreate.js
        zoneResource.js
        ZoneCreateForm.js
        SecurityZone.js
        policymanager
        NServiceLayout.js
        ServiceLayout.js
        ServiceLayoutSidebar.js
        common
        Footer.js
        ErrorView.js
        UserPermissionList.js
        XABackgrid.js
        XATableLayout.js
        TopNav.js
        CustomSubgrid.js
        Spinner.js
        AddGroup.js
        ProfileBar.js
        DashboardLayout.js
        BreadCrumbs.js
        service
        RangerServiceViewDetail.js
        ServiceForm.js
        ServiceCreate.js
        ConfigurationList.js
        users
        AddUsersOrGroupsList.js
        GroupForm.js
        UserInfo.js
        GroupCreate.js
        UserCreate.js
        UserForm.js
        RoleForm.js
        RoleCreate.js
        UserTableLayout.js
        permissions
        ModulePermissionCreate.js
        ModulePermsTableLayout.js
        ModulePermissionForm.js
        Main.js
        models
        VXPasswordChange.js
        UserPermission.js
        VXPortalUser.js
        VXUser.js
        RangerService.js
        RangerPolicy.js
        XABaseModel.js
        VXPolicyExportAudit.js
        VAppState.js
        VXResource.js
        VXPermMap.js
        VXAccessAudit.js
        VXAsset.js
        VXModuleDef.js
        BackboneFormDataType.js
        VXAuditMap.js
        RangerServiceDef.js
        VXKmsKey.js
        VXAuthSession.js
        VXGroup.js
        RangerZone.js
        VXTrxLog.js
        RangerPolicyResource.js
        VXRole.js
        collection_bases
        RangerPolicyListBase.js
        UserPermissionListBase.js
        VXUserListBase.js
        VXRoleListBase.js
        VXAuditMapListBase.js
        RangerZoneListBase.js
        VXPolicyExportAuditListBase.js
        VXAccessAuditListBase.js
        VXGroupListBase.js
        RangerServiceListBase.js
        VXPermMapListBase.js
        VXModuleDefListBase.js
        VXTrxLogListBase.js
        VXAssetListBase.js
        VXPortalUserListBase.js
        VXKmsKeyListBase.js
        VXResourceListBase.js
        RangerServiceDefListBase.js
        RangerPolicyResourceListBase.js
        VXAuthSessionListBase.js
        prelogin
        XAPrelogin.js
        communicator.js
        controllers
        Controller.js
        NController.js
        RegionManager.js
        App.js
        collections
        XABaseCollection.js
        VXModuleDefList.js
        VXAuditMapList.js
        UserPermissionList.js
        VXResourceList.js
        VXAccessAuditList.js
        VXGroupList.js
        RangerPolicyList.js
        VXKmsKeyList.js
        VXAssetList.js
        RangerServiceDefList.js
        VXPortalUserList.js
        VXPermMapList.js
        VXUserList.js
        RangerPolicyResourceList.js
        VXRoleList.js
        RangerServiceList.js
        VXTrxLogList.js
        VXAuthSessionList.js
        RangerZoneList.js
        VXPolicyExportAuditList.js
        routers
        Router.js
        mgrs
        SessionMgr.js
        modules
        RestCsrf.js
        XALinks.js
        Vent.js
        XAOverrides.js
        globalize
        message
        en.js
        model_bases
        RangerServiceBase.js
        RangerServiceDefBase.js
        VXModuleDefBase.js
        VXRoleBase.js
        RangerPolicyBase.js
        VXTrxLogBase.js
        VXPortalUserBase.js
        RangerZoneBase.js
        VXAuditMapBase.js
        VXPermMapBase.js
        VXUserBase.js
        VXPolicyExportAuditBase.js
        VXAuthSessionBase.js
        VXPasswordChangeBase.js
        VXAssetBase.js
        VXGroupBase.js
        VXKmsKeyBase.js
        VXResourceBase.js
        VXAccessAuditBase.js
        UserPermissionBase.js
        RangerPolicyResourceBase.js
        Init.js
        styles
        app-font.css
        bootstrap.min.css
        bootstrap.css
        xa.css
        login.jsp
        index.html
        minify.build.js
    - test
      - resources
        admin
        service-defs
        test-hdfs-servicedef.json
        test-hbase-servicedef.json
        test-tag-servicedef.json
        test-hive-servicedef.json
        log4j.xml
        biz
        test_policydb_hdfs.json
        test_policydb_hive.json
      - javascript
        karma-common.conf.js
        package-lock.json
        test-main.js
        karma-dev.conf.js
        karma-prd.conf.js
        package.json
        tests
        main-test.js
      - java
        org
        apache
        ranger
        security
        web
        filter
        TestRangerCSRFPreventionFilter.java
        patch
        cliutil
        TestRoleBasedUserSearchUtil.java
        audit
        TestAuditQueue.java
        TestConsumer.java
        elasticsearch
        ElasticSearchAccessAuditsServiceTest.java
        common
        TestStringUtil.java
        TestDateUtil.java
        TestTimedExecutor.java
        TestServiceUtil.java
        TestContextUtil.java
        TestRangerConfigUtil.java
        TestPropertiesUtil.java
        TestJSONUtil.java
        util
        BaseTest.java
        TestRangerEnumUtil.java
        service
        TestRangerPluginActivityLogger.java
        TestRangerServiceDefServiceBase.java
        TestXAccessAuditService.java
        TestRangerTagService.java
        TestAuthSessionService.java
        TestRangerPolicyService.java
        TestRangerServiceDefService.java
        TestRangerTagResourceMapService.java
        TestRangerServiceWithAssignedIdService.java
        PasswordComparisonAuthenticator.java
        TestRangerServiceService.java
        TestXGroupService.java
        TestXAuditMapService.java
        TestXAssetService.java
        TestRangerServiceServiceBase.java
        TestXPermMapService.java
        TestRangerTagDefService.java
        TestUserService.java
        TestRangerAuditFields.java
        TestRangerTagDefServiceBase.java
        TestRangerTransactionService.java
        TestXGroupPermissionService.java
        filter
        TestRangerRESTAPIFilter.java
        TestRangerDataHistService.java
        TestXGroupUserService.java
        TestRangerPolicyServiceBase.java
        biz
        TestServiceDBStore.java
        TestRangerBizUtil.java
        TestSecurityZoneDBStore.java
        TestXUserMgr.java
        TestUserMgr.java
        TestPolicyDb.java
        rest
        importPolicy
        import_policy_test_file.json
        TestServiceTagProcessor.java
        TestSecurityZoneREST.java
        TestPublicAPIs.java
        TestTagREST.java
        TestServiceREST.java
        TestPublicAPIsv2.java
        TestXAuditREST.java
        TestXUserREST.java
        TestXKeyREST.java
        TestUserREST.java
        TestAssetREST.java
    - bin
      - service_start.py
      - ranger_usersync.py
      - install.properties
      - ranger_install.py
  - db
    - sqlserver
      - create_dbversion_catalog.sql
      - optimized
        current
        ranger_core_db_sqlserver.sql
      - xa_audit_db_sqlserver.sql
      - patches
        046-insert-statename-in-x-ranger-global-state.sql
        035-update-schema-for-x-policy.sql
        027-sortorder-column-size.sql
        026-add-column-in-x_policy_export_audit.sql
        047-sortorder-column-size.sql
        043-add-tag-change-log-table.sql
        audit
        017-add-new-column-to-store-tags.sql
        016-updated-schema-for-tag-based-policy.sql
        029-add-unique-constraint-on-table-x_group.sql
        040-modify-unique-constraint-on-policy-table.sql
        031-create-schema-for-usersync-audit-info.sql
        037-create-security-zone-schema.sql
        024-sortorder-column-size.sql
        030-policy-labels-schema.sql
        018-createtagsyncuser.sql
        042-add-index-on-xdatahist-table.sql
        036-denormalize-tag-tables.sql
        041-create-role-schema.sql
        033-add-unique-constraint-on-table-x_policy.sql
        020-datamask-policy.sql
        038-add-policy-change-log-table.sql
        025-create-schema-for-plugin-info.sql
        028-delete-xgroup-duplicate-references.sql
        023-add-unique-constraint-on-table-x_user.sql
        044-add-role-version-in-serviceVersionInfo.sql
        045-add-displayName-col-in-x_service_def_and_x_service.sql
        022-split-service-table.sql
        019-create-indexes.sql
        021-update-tag-for-owner.sql
        039-add-column-version-in-x_policy_export_audit.sql
        032-add-options-to-policy-and-tag-for-time-based-processing.sql
      - xa_core_db_sqlserver.sql
    - sqlanywhere
      - create_dbversion_catalog.sql
      - xa_core_db_sqlanywhere.sql
      - xa_audit_db_sqlanywhere.sql
      - optimized
        current
        ranger_core_db_sqlanywhere.sql
      - patches
        046-insert-statename-in-x-ranger-global-state.sql
        035-update-schema-for-x-policy.sql
        027-sortorder-column-size.sql
        026-add-column-in-x_policy_export_audit.sql
        047-sortorder-column-size.sql
        043-add-tag-change-log-table.sql
        audit
        017-add-new-column-to-store-tags.sql
        016-updated-schema-for-tag-based-policy.sql
        029-add-unique-constraint-on-table-x_group.sql
        040-modify-unique-constraint-on-policy-table.sql
        031-create-schema-for-usersync-audit-info.sql
        037-create-security-zone-schema.sql
        024-sortorder-column-size.sql
        030-policy-labels-schema.sql
        018-createtagsyncuser.sql
        042-add-index-on-xdatahist-table.sql
        036-denormalize-tag-tables.sql
        041-create-role-schema.sql
        033-add-unique-constraint-on-table-x_policy.sql
        020-datamask-policy.sql
        038-add-policy-change-log-table.sql
        025-create-schema-for-plugin-info.sql
        028-delete-xgroup-duplicate-references.sql
        023-add-unique-constraint-on-table-x_user.sql
        044-add-role-version-in-serviceVersionInfo.sql
        045-add-displayName-col-in-x_service_def_and_x_service.sql
        022-split-service-table.sql
        019-create-indexes.sql
        021-update-tag-for-owner.sql
        039-add-column-version-in-x_policy_export_audit.sql
        032-add-options-to-policy-and-tag-for-time-based-processing.sql
    - oracle
      - xa_audit_db_oracle.sql
      - create_dbversion_catalog.sql
      - reset_audit_db_oracle.sql
      - xa_core_db_oracle.sql
      - optimized
        current
        ranger_core_db_oracle.sql
      - patches
        046-insert-statename-in-x-ranger-global-state.sql
        035-update-schema-for-x-policy.sql
        027-sortorder-column-size.sql
        026-add-column-in-x_policy_export_audit.sql
        009-updated_schema.sql
        010-users-and-groups-visibility.sql
        047-sortorder-column-size.sql
        043-add-tag-change-log-table.sql
        001-groupsource.sql
        audit
        011-auditcolumnssize.sql
        017-add-new-column-to-store-tags.sql
        015-auditlogaggregation.sql
        006-createdefaultpublicgroup.sql
        016-updated-schema-for-tag-based-policy.sql
        029-add-unique-constraint-on-table-x_group.sql
        040-modify-unique-constraint-on-policy-table.sql
        031-create-schema-for-usersync-audit-info.sql
        037-create-security-zone-schema.sql
        024-sortorder-column-size.sql
        013-permissionmodel.sql
        030-policy-labels-schema.sql
        014-createkeyadmin.sql
        018-createtagsyncuser.sql
        012-createusersyncuser.sql
        042-add-index-on-xdatahist-table.sql
        036-denormalize-tag-tables.sql
        041-create-role-schema.sql
        033-add-unique-constraint-on-table-x_policy.sql
        020-datamask-policy.sql
        038-add-policy-change-log-table.sql
        025-create-schema-for-plugin-info.sql
        028-delete-xgroup-duplicate-references.sql
        023-add-unique-constraint-on-table-x_user.sql
        003-knoxrepo.sql
        044-add-role-version-in-serviceVersionInfo.sql
        045-add-displayName-col-in-x_service_def_and_x_service.sql
        022-split-service-table.sql
        019-create-indexes.sql
        021-update-tag-for-owner.sql
        002-policyname.sql
        039-add-column-version-in-x_policy_export_audit.sql
        032-add-options-to-policy-and-tag-for-time-based-processing.sql
      - reset_core_db_oracle.sql
    - mysql
      - xa_audit_db.sql
      - reset_audit_mysql.sh
      - create_dbversion_catalog.sql
      - init
        reset_db_with_seed.sh
        create_dev_backup_mysql.sh
        create_xa_core_db.sh
        mysql_seed_data.sql
        backup_mysql_db.sh
        create_dev_backup_mysql_loaded.sh
        schema_mysql.sql
        reset_db.sh
      - xa_db.sql
      - reset_core_mysql.sh
      - reset_asset.sql
      - xa_core_db.sql
      - create_dev_user.sh
      - optimized
        current
        ranger_core_db_mysql.sql
      - create_dev_user.sql
      - patches
        046-insert-statename-in-x-ranger-global-state.sql
        007-updateBlankPolicyName.sql
        035-update-schema-for-x-policy.sql
        027-sortorder-column-size.sql
        026-add-column-in-x_policy_export_audit.sql
        008-removeTrailingSlash.sql
        004-assetconfigsize.sql
        009-updated_schema.sql
        010-users-and-groups-visibility.sql
        047-sortorder-column-size.sql
        043-add-tag-change-log-table.sql
        001-groupsource.sql
        audit
        011-auditcolumnssize.sql
        017-add-new-column-to-store-tags.sql
        015-auditlogaggregation.sql
        006-createdefaultpublicgroup.sql
        016-updated-schema-for-tag-based-policy.sql
        029-add-unique-constraint-on-table-x_group.sql
        040-modify-unique-constraint-on-policy-table.sql
        031-create-schema-for-usersync-audit-info.sql
        037-create-security-zone-schema.sql
        024-sortorder-column-size.sql
        013-permissionmodel.sql
        030-policy-labels-schema.sql
        014-createkeyadmin.sql
        018-createtagsyncuser.sql
        012-createusersyncuser.sql
        042-add-index-on-xdatahist-table.sql
        005-xtrxlogcolumnsize.sql
        034-x_data_histContentSize.sql
        036-denormalize-tag-tables.sql
        041-create-role-schema.sql
        033-add-unique-constraint-on-table-x_policy.sql
        020-datamask-policy.sql
        038-add-policy-change-log-table.sql
        025-create-schema-for-plugin-info.sql
        028-delete-xgroup-duplicate-references.sql
        023-add-unique-constraint-on-table-x_user.sql
        003-knoxrepo.sql
        044-add-role-version-in-serviceVersionInfo.sql
        045-add-displayName-col-in-x_service_def_and_x_service.sql
        022-split-service-table.sql
        019-create-indexes.sql
        021-update-tag-for-owner.sql
        002-policyname.sql
        039-add-column-version-in-x_policy_export_audit.sql
        032-add-options-to-policy-and-tag-for-time-based-processing.sql
      - resetdb_dev_mysql.sh
      - xa_db_bare.sql
    - postgres
      - xa_audit_db_postgres.sql
      - create_dbversion_catalog.sql
      - xa_core_db_postgres.sql
      - optimized
        current
        ranger_core_db_postgres.sql
      - patches
        046-insert-statename-in-x-ranger-global-state.sql
        035-update-schema-for-x-policy.sql
        027-sortorder-column-size.sql
        026-add-column-in-x_policy_export_audit.sql
        047-sortorder-column-size.sql
        043-add-tag-change-log-table.sql
        audit
        017-add-new-column-to-store-tags.sql
        016-updated-schema-for-tag-based-policy.sql
        029-add-unique-constraint-on-table-x_group.sql
        040-modify-unique-constraint-on-policy-table.sql
        031-create-schema-for-usersync-audit-info.sql
        037-create-security-zone-schema.sql
        024-sortorder-column-size.sql
        030-policy-labels-schema.sql
        018-createtagsyncuser.sql
        042-add-index-on-xdatahist-table.sql
        036-denormalize-tag-tables.sql
        041-create-role-schema.sql
        033-add-unique-constraint-on-table-x_policy.sql
        020-datamask-policy.sql
        038-add-policy-change-log-table.sql
        025-create-schema-for-plugin-info.sql
        028-delete-xgroup-duplicate-references.sql
        023-add-unique-constraint-on-table-x_user.sql
        044-add-role-version-in-serviceVersionInfo.sql
        045-add-displayName-col-in-x_service_def_and_x_service.sql
        022-split-service-table.sql
        019-create-indexes.sql
        021-update-tag-for-owner.sql
        039-add-column-version-in-x_policy_export_audit.sql
        032-add-options-to-policy-and-tag-for-time-based-processing.sql
  - pom.xml
  - scripts
    - upgrade.sh
    - rolebasedusersearchutil.py
    - deleteUserGroupUtil.py
    - dba_script.py
    - db_setup.py
    - ranger_credential_helper.py
    - changepasswordutil.py
    - restrict_permissions.py
    - updateUserAndGroupNamesInJson.py
    - set_globals.sh
    - install.properties
    - changeusernameutil.py
    - setup_authentication.sh
    - ranger-admin-site-template.xml
    - update_property.py
    - upgrade_admin.py
    - setup.sh
  - .gitignore
  - contrib
    - elasticsearch_for_audit_setup
      - create_index.sh
      - install_es.sh
      - README.txt
      - enable_auth.sh
      - conf
        ranger_es_schema.json
    - audit_hdfs_folders
      - create_hdfs_folders_for_audit_secure.sh
      - create_hdfs_folders_for_audit_non_secure.sh
    - solr_for_audit_setup
      - resources
        log4j.properties.j2
      - solr_standalone
        solr.xml
        ranger_audits
        core.properties.j2
        scripts
        start_solr.sh.j2
        solr.sh.j2
        solr.in.sh.j2
        stop_solr.sh.j2
      - README.txt
      - install.properties
      - solr_cloud
        solr.xml.j2
        scripts
        add_ranger_audits_conf_to_zk.sh.j2
        create_ranger_audits_collection.sh.j2
        start_solr.sh.j2
        solr.sh.j2
        solr.in.sh.j2
        stop_solr.sh.j2
      - conf
        solrconfig.xml.j2
        admin-extra.html
        admin-extra.menu-top.html
        managed-schema
        solrconfig.xml
        admin-extra.menu-bottom.html
        elevate.xml
      - setup.sh
- enunciate.xml
- plugin-presto
  - src
    - main
      - java
        org
        apache
        ranger
        services
        presto
        client
        PrestoClient.java
        PrestoResourceManager.java
        PrestoConnectionManager.java
        RangerServicePresto.java
        authorization
        presto
        authorizer
        RangerSystemAccessControl.java
    - test
      - resources
        ranger-presto-security.xml
        log4j.properties
        presto-policies.json
      - java
        org
        apache
        ranger
        authorization
        presto
        authorizer
        RangerSystemAccessControlTest.java
        RangerAdminClientImpl.java
  - pom.xml
  - scripts
    - install.properties
  - .gitignore
  - conf
    - ranger-presto-audit-changes.cfg
    - ranger-presto-security.xml
    - ranger-presto-security-changes.cfg
    - ranger-policymgr-ssl-changes.cfg
    - ranger-presto-audit.xml
    - ranger-policymgr-ssl.xml
- jisql
  - src
    - main
      - java
        org
        apache
        util
        sql
        Jisql.java
        MaskingThread.java
        MySQLPLRunner.java
        outputformatter
        CSVFormatter.java
        DefaultFormatter.java
        JisqlFormatter.java
        XMLFormatter.java
  - pom.xml
  - .gitignore
- ranger-hdfs-plugin-shim
  - src
    - main
      - java
        org
        apache
        ranger
        authorization
        hadoop
        RangerHdfsAuthorizer.java
  - pom.xml
  - .gitignore
- knox-agent
  - src
    - main
      - java
        org
        apache
        ranger
        services
        knox
        client
        KnoxConnectionMgr.java
        KnoxClient.java
        KnoxResourceMgr.java
        RangerServiceKnox.java
        admin
        client
        RangerAdminJersey2RESTClient.java
        authorization
        knox
        KnoxRangerPlugin.java
        RangerPDPKnoxFilter.java
    - test
      - resources
        webhbase-table-list.xml
        knox-policies.json
        ranger-knox-security.xml
        log4j.properties
        query_response.xml
        cluster-configuration.json
        webhdfs-liststatus-test.json
        users.ldif
      - java
        org
        apache
        ranger
        services
        knox
        KnoxRangerTest.java
        RangerAdminClientImpl.java
  - pom.xml
  - scripts
    - uninstall.sh
    - install.properties
    - install.sh
  - .gitignore
  - conf
    - ranger-knox-security.xml
    - ranger-knox-audit.xml
    - ranger-policymgr-ssl-changes.cfg
    - ranger-knox-security-changes.cfg
    - ranger-policymgr-ssl.xml
    - ranger-knox-audit-changes.cfg
- plugin-kms
  - src
    - main
      - java
        org
        apache
        ranger
        services
        kms
        client
        KMSResourceMgr.java
        KMSClient.java
        json
        model
        KMSSchedulerResponse.java
        KMSConnectionMgr.java
        RangerServiceKMS.java
        authorization
        kms
        authorizer
        RangerKmsAuthorizer.java
    - test
      - resources
        kms
        dbks-site.xml
        kms-log4j.properties
        kms-site.xml
        kms-policies.json
        ranger-kms-security.xml
      - java
        org
        apache
        ranger
        authorization
        kms
        authorizer
        DerbyTestUtils.java
        RangerAdminClientImpl.java
        RangerKmsAuthorizerTest.java
  - pom.xml
  - scripts
    - enable-kms-plugin.sh
  - bin
    - .gitignore
  - .gitignore
  - conf
    - ranger-kms-audit-changes.cfg
    - ranger-policymgr-ssl-changes.cfg
    - ranger-kms-audit.xml
    - ranger-kms-security.xml
    - ranger-policymgr-ssl.xml
    - ranger-kms-security-changes.cfg
- ranger-ozone-plugin-shim
  - src
    - main
      - java
        org
        apache
        ranger
        authorization
        ozone
        authorizer
        RangerOzoneAuthorizer.java
  - pom.xml
  - .gitignore
- ranger-kafka-plugin-shim
  - src
    - main
      - java
        org
        apache
        ranger
        authorization
        kafka
        authorizer
        RangerKafkaAuthorizer.java
  - pom.xml
  - .gitignore
- ranger-elasticsearch-plugin-shim
  - src
    - main
      - java
        org
        apache
        ranger
        authorization
        elasticsearch
        plugin
        utils
        RequestUtils.java
        RangerElasticsearchPlugin.java
        authc
        user
        UsernamePasswordToken.java
        action
        filter
        RangerSecurityActionFilter.java
        rest
        filter
        RangerSecurityRestFilter.java
        authorizer
        RangerElasticsearchAuthorizer.java
        RangerElasticsearchAccessControl.java
  - pom.xml
  - .gitignore
  - conf
    - plugin-descriptor.properties
    - plugin-security.policy
- ugsync
  - src
    - main
      - java
        org
        apache
        ranger
        ldapusersync
        process
        PolicyMgrUserGroupBuilder.java
        LdapDeltaUserGroupBuilder.java
        LdapPolicyMgrUserGroupBuilder.java
        CustomSSLSocketFactory.java
        LdapUserGroupBuilder.java
        usergroupsync
        RegEx.java
        Mapper.java
        UserGroupSync.java
        AbstractMapper.java
        UserGroupSource.java
        AbstractUserGroupSource.java
        UserSyncMetricsProducer.java
        UserGroupSink.java
        unixusersync
        config
        UserGroupSyncConfig.java
        process
        PolicyMgrUserGroupBuilder.java
        FileSourceUserGroupBuilder.java
        RangerUgSyncRESTClient.java
        UnixUserGroupBuilder.java
        poc
        RangerJSONParser.java
        RangerClientUserGroupMapping.java
        RangerUserGroupMapping.java
        InvalidUserException.java
        ListUserTest.java
        RestClientPost.java
        InvalidGroupException.java
        ListRangerUserGroup.java
        ListRangerUser.java
        ListUserGroupTest.java
        model
        FileSyncSourceInfo.java
        XGroupInfo.java
        XUserGroupInfo.java
        LdapSyncSourceInfo.java
        UgsyncAuditInfo.java
        MUserInfo.java
        UnixSyncSourceInfo.java
        GroupUserInfo.java
        XUserInfo.java
        UserGroupList.java
        UserGroupInfo.java
        GetXUserGroupListResponse.java
        GetXGroupListResponse.java
        GetXUserListResponse.java
    - test
      - resources
        usergroups.csv
        usergroups-other-delim.csv
        groupFile.txt
        ranger-ugsync-site.xml
        passwordFile.txt
        usergroups.json
        ADSchema.ldif
        usergroups-dns.csv
      - java
        org
        apache
        ranger
        usergroupsync
        PolicyMgrUserGroupBuilderTest.java
        TestRegEx.java
        TestLdapUserGroup.java
        LdapPolicyMgrUserGroupBuilderTest.java
        unixusersync
        process
        TestFileSourceUserGroupBuilder.java
        TestUnixUserGroupBuilder.java
  - pom.xml
  - ldapconfigchecktool
    - ldapconfigcheck
      - src
        main
        java
        org
        apache
        ranger
        ldapconfigcheck
        AuthenticationCheck.java
        LdapConfigCheckMain.java
        LdapConfig.java
        UserSync.java
        CommandLineOptions.java
      - pom.xml
      - scripts
        run.sh
      - .gitignore
      - conf
        input.properties
  - .gitignore
  - filesourceusersynctool
    - run-filesource-usersync.sh
- ranger-yarn-plugin-shim
  - src
    - main
      - java
        org
        apache
        ranger
        authorization
        yarn
        authorizer
        RangerYarnAuthorizer.java
  - pom.xml
  - .gitignore
- distro
  - src
    - main
      - assembly
        plugin-presto.xml
        plugin-kms.xml
        admin-web.xml
        plugin-schema-registry.xml
        plugin-atlas.xml
        ranger-tools.xml
        kms.xml
        plugin-kafka.xml
        plugin-sqoop.xml
        hbase-agent.xml
        hdfs-agent.xml
        knox-agent.xml
        plugin-elasticsearch.xml
        usersync.xml
        solr_audit_conf.xml
        hive-agent.xml
        tagsync.xml
        plugin-solr.xml
        storm-agent.xml
        ranger-src.xml
        migration-util.xml
        plugin-ozone.xml
        plugin-kylin.xml
        plugin-yarn.xml
  - pom.xml
  - .gitignore
- tagsync
  - src
    - main
      - resources
        ranger-tagsync-default.xml
        ranger-tagsync-site.xml
        etc
        ranger
        data
        tags.json
      - java
        org
        apache
        ranger
        tagsync
        source
        atlas
        AtlasResourceMapper.java
        AtlasNotificationMapper.java
        AtlasResourceMapperUtil.java
        AtlasAdlsResourceMapper.java
        AtlasKafkaResourceMapper.java
        AtlasStormResourceMapper.java
        AtlasHiveResourceMapper.java
        EntityNotificationWrapper.java
        AtlasHbaseResourceMapper.java
        AtlasHdfsResourceMapper.java
        AtlasTagSource.java
        file
        FileTagSource.java
        atlasrest
        AtlasRESTTagSource.java
        RangerAtlasEntity.java
        RangerAtlasEntityWithTags.java
        sink
        tagadmin
        TagAdminRESTSink.java
        process
        TagSyncConfig.java
        TagSyncMetricsProducer.java
        TagSynchronizer.java
        model
        TagSource.java
        AbstractTagSource.java
        TagSink.java
    - test
      - resources
        log4j.properties
      - java
        org
        apache
        ranger
        tagsync
        process
        TestTagSynchronizer.java
        TestAdlsResourceMapper.java
        TestHiveResourceMapper.java
        TestKafkaResourceMapper.java
        TestHdfsResourceMapper.java
        TestHbaseResourceMapper.java
  - samples
    - tags.json
  - pom.xml
  - scripts
    - ranger-tagsync-upload.sh
    - install.properties
    - ranger-tagsync-services.sh
    - setup.py
    - updatetagadminpassword.py
    - ranger-tagsync.sh
    - update_property.py
    - setup.sh
  - conf.dist
    - log4j.properties
    - ranger-tagsync-env-setup-hadoop-home.sh
    - log4j.xml
  - .gitignore
  - conf
    - templates
      - installprop2xml.properties
      - ranger-tagsync-template.xml
- agents-installer
  - src
    - main
      - java
        org
        apache
        ranger
        utils
        install
        XmlConfigChanger.java
  - pom.xml
  - .gitignore
- plugin-nifi-registry
  - src
    - main
      - java
        org
        apache
        ranger
        services
        nifi
        registry
        client
        NiFiRegistryConnectionMgr.java
        NiFiRegistryAuthType.java
        NiFiRegistryConfigs.java
        NiFiRegistryClient.java
        RangerServiceNiFiRegistry.java
    - test
      - resources
        resources-response.json
      - java
        org
        apache
        ranger
        services
        nifi
        registry
        client
        TestNiFiRegistryClient.java
        TestNiFiRegistryConnectionMgr.java
  - pom.xml
  - .gitignore
- plugin-ozone
  - src
    - main
      - java
        org
        apache
        ranger
        services
        ozone
        client
        OzoneConnectionMgr.java
        OzoneResourceMgr.java
        OzoneClient.java
        RangerServiceOzone.java
        authorization
        ozone
        authorizer
        RangerOzoneAuthorizer.java
  - pom.xml
  - scripts
    - install.properties
  - .gitignore
  - conf
    - ranger-ozone-security.xml
    - ranger-policymgr-ssl-changes.cfg
    - ranger-ozone-audit-changes.cfg
    - ranger-policymgr-ssl.xml
    - ozone-ranger-env.sh
    - ranger-ozone-audit.xml
    - ranger-ozone-security-changes.cfg
- agents-common
  - src
    - main
      - resources
        service-defs
        ranger-servicedef-nifi-registry.json
        ranger-servicedef-hive.json
        ranger-servicedef-nifi.json
        ranger-servicedef-presto.json
        ranger-servicedef-yarn.json
        ranger-servicedef-elasticsearch.json
        ranger-servicedef-kudu.json
        ranger-servicedef-abfs.json
        ranger-servicedef-tag.json
        ranger-servicedef-solr.json
        ranger-servicedef-hdfs.json
        ranger-servicedef-storm.json
        ranger-servicedef-atlas.json
        ranger-servicedef-kms.json
        ranger-servicedef-knox.json
        ranger-servicedef-kylin.json
        ranger-servicedef-hbase.json
        ranger-servicedef-wasb.json
        ranger-servicedef-schema-registry.json
        ranger-servicedef-kafka.json
        ranger-servicedef-sqoop.json
        ranger-servicedef-ozone.json
        resourcenamemap.properties
        etc
        ranger
        geo
        geo_long.txt
        geo.txt
      - java
        org
        apache
        hadoop
        security
        KrbPasswordSaverLoginModule.java
        SecureClientLogin.java
        ranger
        services
        tag
        RangerServiceTag.java
        plugin
        policyresourcematcher
        RangerPolicyResourceEvaluator.java
        RangerPolicyResourceMatcher.java
        RangerDefaultPolicyResourceMatcher.java
        client
        BaseClient.java
        HadoopConfigHolder.java
        HadoopException.java
        contextenricher
        RangerAdminTagRetriever.java
        RangerFileBasedGeolocationProvider.java
        RangerContextEnricher.java
        RangerUserStoreRetriever.java
        RangerTagRetriever.java
        RangerAbstractGeolocationProvider.java
        RangerTagForEval.java
        RangerServiceResourceMatcher.java
        RangerAbstractContextEnricher.java
        RangerTagEnricher.java
        RangerUserStoreEnricher.java
        RangerUserStoreRefresher.java
        RangerFileBasedTagRetriever.java
        RangerAdminUserStoreRetriever.java
        audit
        RangerMultiResourceAuditHandler.java
        RangerDefaultAuditHandler.java
        geo
        BinarySearchTree.java
        RangerGeolocationData.java
        RangerGeolocationDatabase.java
        RangeChecker.java
        ValueProcessor.java
        GeolocationMetadata.java
        ValuePrinter.java
        util
        SearchFilter.java
        ServiceTags.java
        RangerPerfCollectorTracer.java
        RangerMetricsUtil.java
        RangerRolesProvider.java
        RangerRoles.java
        RangerPerfTracerFactory.java
        RangerUserStoreUtil.java
        RangerRequestedResources.java
        TimedEventUtil.java
        RangerUserStore.java
        DownloadTrigger.java
        GrantRevokeRequest.java
        PolicyRefresher.java
        RangerRESTUtils.java
        StringTokenReplacer.java
        XMLUtils.java
        KeySearchFilter.java
        RangerObjectFactory.java
        RangerPerfTracer.java
        RangerServiceNotFoundException.java
        RangerAccessRequestUtil.java
        GrantRevokeRoleRequest.java
        RangerCommonConstants.java
        RangerRESTClient.java
        RangerPluginCapability.java
        PasswordUtils.java
        RangerPolicyDeltaUtil.java
        DownloaderTask.java
        PerfDataRecorder.java
        URLEncoderUtil.java
        RangerServiceTagsDeltaUtil.java
        ServicePolicies.java
        ServiceDefUtil.java
        JsonUtilsV2.java
        RangerSslHelper.java
        RangerRolesUtil.java
        store
        EmbeddedServiceDefsUtil.java
        SecurityZoneStore.java
        ServicePredicateUtil.java
        PList.java
        ServiceStore.java
        TagPredicateUtil.java
        GeolocationStore.java
        TagValidator.java
        RolePredicateUtil.java
        AbstractPredicateUtil.java
        AbstractTagStore.java
        AbstractServiceStore.java
        file
        GeolocationFileStore.java
        RoleStore.java
        TagStore.java
        RangerServiceResourceSignature.java
        SecurityZonePredicateUtil.java
        service
        RangerDefaultService.java
        RangerBaseService.java
        RangerAuthContext.java
        RangerBasePlugin.java
        RangerAuthContextListener.java
        RangerDefaultRequestProcessor.java
        ResourceLookupContext.java
        resourcematcher
        RangerAbstractResourceMatcher.java
        RangerResourceMatcher.java
        ScheduledTimeExactMatcher.java
        RangerDefaultResourceMatcher.java
        ScheduledTimeRangeMatcher.java
        RangerURLResourceMatcher.java
        ScheduledTimeAlwaysMatcher.java
        RangerPathResourceMatcher.java
        ScheduledTimeMatcher.java
        ResourceMatcher.java
        policyevaluator
        RangerDefaultPolicyEvaluator.java
        RangerOptimizedPolicyEvaluator.java
        RangerDefaultRowFilterPolicyItemEvaluator.java
        RangerDefaultDataMaskPolicyItemEvaluator.java
        RangerCachedPolicyEvaluator.java
        RangerDefaultPolicyItemEvaluator.java
        RangerRowFilterPolicyItemEvaluator.java
        RangerPolicyItemEvaluator.java
        RangerAbstractPolicyItemEvaluator.java
        RangerDataMaskPolicyItemEvaluator.java
        RangerAbstractPolicyEvaluator.java
        RangerPolicyEvaluator.java
        RangerValidityScheduleEvaluator.java
        RangerCustomConditionEvaluator.java
        model
        RangerTagDef.java
        RangerServiceResource.java
        RangerTagResourceMap.java
        RangerValiditySchedule.java
        RangerPolicyDelta.java
        RangerValidityRecurrence.java
        RangerPluginInfo.java
        RangerBaseModelObject.java
        RangerPolicy.java
        RangerPolicyResourceSignature.java
        RangerServiceDef.java
        RangerSecurityZone.java
        RangerTag.java
        validation
        RangerSecurityZoneValidator.java
        RangerServiceDefValidator.java
        ValidationFailureDetails.java
        RangerRoleValidator.java
        RangerServiceValidator.java
        RangerValidator.java
        RangerZoneResourceMatcher.java
        ValidationFailureDetailsBuilder.java
        RangerPolicyValidator.java
        RangerValidityScheduleValidator.java
        RangerServiceDefHelper.java
        UserInfo.java
        RangerService.java
        GroupInfo.java
        RangerRole.java
        RangerMetrics.java
        conditionevaluator
        RangerHiveResourcesNotAccessedTogetherCondition.java
        RangerAnyOfExpectedTagsPresentConditionEvaluator.java
        RangerContextAttributeValueInCondition.java
        RangerScriptTemplateConditionEvaluator.java
        RangerAbstractConditionEvaluator.java
        RangerTagsAllPresentConditionEvaluator.java
        RangerScriptConditionEvaluator.java
        RangerConditionEvaluator.java
        RangerAccessedNotFromClusterCondition.java
        RangerScriptExecutionContext.java
        RangerNoneOfExpectedTagsPresentConditionEvaluator.java
        RangerContextAttributeValueNotInCondition.java
        RangerHiveResourcesAccessedTogetherCondition.java
        RangerAccessedNotFromClusterTypeCondition.java
        RangerIpMatcher.java
        RangerAccessedFromClusterTypeCondition.java
        RangerAccessedFromClusterCondition.java
        RangerTimeOfDayMatcher.java
        errors
        ValidationErrorCode.java
        policyengine
        RangerAccessRequestReadOnly.java
        RangerResourceACLs.java
        RangerAccessResult.java
        RangerTagAccessRequest.java
        RangerResourceTrie.java
        RangerMutableResource.java
        RangerAccessResourceReadOnly.java
        RangerTagResource.java
        RangerAccessResultProcessor.java
        RangerAccessRequestImpl.java
        RangerPolicyEngineImpl.java
        PolicyEngine.java
        RangerPluginContext.java
        RangerAccessRequestProcessor.java
        CacheMap.java
        RangerAccessRequest.java
        RangerResourceAccessInfo.java
        RangerPolicyEngineOptions.java
        RangerAccessResourceImpl.java
        RangerAccessResource.java
        RangerPolicyRepository.java
        RangerPolicyEngine.java
        PolicyEvaluatorForTag.java
        admin
        client
        AbstractRangerAdminClient.java
        RangerAdminClient.java
        datatype
        GrantRevokeData.java
        RESTResponse.java
        RangerAdminRESTClient.java
        authorization
        utils
        StringUtil.java
        JsonUtils.java
        hadoop
        config
        RangerConfiguration.java
        RangerPluginConfig.java
        RangerAuditConfig.java
        RangerLegacyConfigBuilder.java
        RangerConfigConstants.java
        RangerAdminConfig.java
        constants
        RangerHadoopConstants.java
    - test
      - resources
        policycondition
        test_multitag_policycondition-hive.json
        admin
        service-defs
        test-hdfs-servicedef.json
        test-hbase-servicedef.json
        test-tag-servicedef.json
        test-hive-servicedef.json
        contextenricher
        test_tagenricher_hive.json
        log4j.xml
        resourcematcher
        test_resourcematcher_dynamic.json
        test_defaultpolicyresourcematcher_for_hdfs_policy.json
        test_resourcematcher_wildcards_as_delimiters.json
        test_defaultpolicyresourcematcher.json
        test_defaultpolicyresourcematcher_for_hive_policy.json
        test_resourcematcher_default.json
        test_resourcematcher_path.json
        policyengine
        test_policyengine_with_roles.json
        test_policyengine_hbase_namespace.json
        test_policyengine_temporary.json
        test_policyengine_hive_with_partial_resource_policies.json
        test_policyengine_resource_access_info.json
        comparison
        fail
        otherServicePolicies.json
        otherServiceTags.json
        myServicePolicies.json
        myServiceTags.json
        success
        otherServicePolicies.json
        myServicePolicies.json
        test_compare_policyengines.json
        plugin
        test_auth_context.json
        test_plugin_capability.json
        resourceTags.json
        userText.txt
        test_policyengine_atlas.json
        test_policyengine_hdfs_resourcespec.json
        test_policyengine_hdfs_noaudit.json
        validityscheduler
        test-validity-schedules-invalid.json
        test-validity-schedules-valid-and-applicable.json
        test-validity-schedules-valid.json
        test_policyengine_hive.json
        test_policyengine_descendant_tags.json
        test_policyengine_owner.json
        test_policyengine_hdfs.json
        ACLResourceTags.json
        test_policyengine_policylevel_conditions.json
        test_policyengine_hive_default_policies.json
        test_policyengine_hbase.json
        test_policyengine_hbase_multiple_matching_policies.json
        test_policyengine_geo.json
        resourceTags.json
        test_policyengine_tag_hdfs.json
        test_policyengine_hive_mask_filter.json
        test_policyengine_hive_incremental_add.json
        test_policyengine_tag_hive_for_show_databases.json
        test_policyengine_tag_hive.json
        descendant_tags.json
        test_policyengine_hdfs_allaudit.json
        test_policyengine_super_user_groups.json
        test_policyengine_hive_incremental_delete.json
        test_policyengine_hive_mutex_conditions.json
        test_policyengine_tag_hive_filebased.json
        test_policyengine_tag_hive_mask.json
        test_policyengine_hdfs_zones.json
        test_policyengine_conditions.json
        test_policyengine_hive_incremental_update.json
        resourceTags_for_show_databases.json
        test_policyengine_audit_exclude_users_groups_roles.json
        test_aclprovider_default.json
        test_policyengine_priority.json
      - java
        org
        apache
        ranger
        plugin
        contextenricher
        TestTagEnricher.java
        util
        PasswordUtilsTest.java
        resourcematcher
        TestResourceMatcher.java
        RangerPathResourceMatcherTest.java
        RangerDefaultResourceMatcherTest.java
        RangerAbstractResourceMatcherTest.java
        TestDefaultPolicyResourceMatcher.java
        RangerURLResourceMatcherTest.java
        TestDefaultPolicyResourceMatcherForPolicy.java
        policyevaluator
        RangerDefaultPolicyEvaluatorTest.java
        model
        validation
        RangerSecurityZoneValidatorTest.java
        ValidationTestUtils.java
        TestDirectedGraph.java
        TestRangerServiceDefHelper.java
        TestRangerServiceDefValidator.java
        TestRangerValidator.java
        TestRangerPolicyValidator.java
        TestRangerServiceValidator.java
        TestRangerPolicy.java
        TestRangerPolicyResourceSignature.java
        conditionevaluator
        RangerCustomConditionMatcherTest.java
        RangerSimpleMatcher.java
        RangerTimeOfDayMatcherTest.java
        RangerIpMatcherTest.java
        errors
        TestValidationErrorCode.java
        policyengine
        TestCacheMap.java
        TestProjectProvider.java
        TestRangerPluginCapability.java
        TestPolicyACLs.java
        TestPolicyEngineComparison.java
        TestRangerAuthContext.java
        TestPolicyEngine.java
  - pom.xml
  - scripts
    - enable-agent.sh
    - upgrade-plugin.sh
    - upgrade-plugin.py
  - .gitignore
  - conf
    - log4j.properties
- ranger-presto-plugin-shim
  - src
    - main
      - resources
        META-INF
        services
        io.prestosql.spi.Plugin
      - java
        org
        apache
        ranger
        authorization
        presto
        authorizer
        RangerSystemAccessControl.java
        RangerSystemAccessControlFactory.java
        RangerConfig.java
        PrestoRangerPlugin.java
  - pom.xml
  - .gitignore
- plugin-sqoop
  - src
    - main
      - java
        org
        apache
        ranger
        services
        sqoop
        client
        SqoopClient.java
        json
        model
        SqoopLinksResponse.java
        SqoopConnectorsResponse.java
        SqoopJobsResponse.java
        SqoopJobResponse.java
        SqoopLinkResponse.java
        SqoopConnectorResponse.java
        SqoopResourceMgr.java
        RangerServiceSqoop.java
        authorization
        sqoop
        authorizer
        RangerSqoopAuthorizer.java
    - test
      - resources
        sqoop.properties
        ranger-sqoop-security.xml
        log4j.properties
        sqoop-policies.json
        sqoop_bootstrap.properties
      - java
        org
        apache
        ranger
        authorization
        sqoop
        authorizer
        RangerSqoopAuthorizerTest.java
        RangerAdminClientImpl.java
  - pom.xml
  - scripts
    - install.properties
  - .gitignore
  - conf
    - ranger-sqoop-audit.xml
    - ranger-sqoop-security.xml
    - ranger-sqoop-audit-changes.cfg
    - ranger-policymgr-ssl-changes.cfg
    - ranger-sqoop-security-changes.cfg
    - ranger-policymgr-ssl.xml
- .travis.yml
- ranger-solr-plugin-shim
  - src
    - main
      - java
        org
        apache
        ranger
        authorization
        solr
        authorizer
        RangerSolrAuthorizer.java
  - pom.xml
  - .gitignore
- DISCLAIMER.txt
- plugin-kylin
  - src
    - main
      - java
        org
        apache
        ranger
        services
        kylin
        RangerServiceKylin.java
        client
        KylinResourceMgr.java
        KylinClient.java
        json
        model
        KylinProjectResponse.java
        authorization
        kylin
        authorizer
        RangerKylinAuthorizer.java
    - test
      - resources
        log4j.properties
        kylin-policies.json
        ranger-kylin-security.xml
        applicationContext.xml
        kylinSecurity.xml
        kylin.properties
      - java
        org
        apache
        ranger
        authorization
        kylin
        authorizer
        RangerKylinAuthorizerTest.java
        RangerAdminClientImpl.java
  - pom.xml
  - scripts
    - install.properties
  - .gitignore
  - conf
    - ranger-policymgr-ssl-changes.cfg
    - ranger-kylin-security.xml
    - ranger-kylin-audit.xml
    - ranger-policymgr-ssl.xml
    - ranger-kylin-audit-changes.cfg
    - ranger-kylin-security-changes.cfg
- hdfs-agent
  - src
    - main
      - resources
        META-INF
        MANIFEST.MF
      - java
        org
        apache
        ranger
        services
        hdfs
        RangerServiceHdfs.java
        client
        HdfsResourceMgr.java
        HdfsClient.java
        HdfsConnectionMgr.java
        authorization
        hadoop
        HDFSAccessVerifier.java
        exceptions
        RangerAccessControlException.java
        RangerHdfsAuthorizer.java
    - test
      - resources
        log4j.properties
        hdfs-policies-tag.json
        hdfs-policies.json
        ranger-hdfs-security.xml
        hdfs_version_3.0
        hdfs-policies-tag.json
        hdfs-policies.json
      - java
        org
        apache
        ranger
        services
        hdfs
        RangerHdfsAuthorizerTest.java
        HDFSRangerTest.java
        client
        HdfsClientTest.java
        RangerAdminClientImpl.java
  - disable-conf
    - hdfs-site-changes.cfg
  - pom.xml
  - scripts
    - uninstall.sh
    - install.properties
    - install.sh
  - .gitignore
  - conf
    - ranger-hdfs-audit-changes.cfg
    - hdfs-site-changes.cfg
    - ranger-policymgr-ssl-changes.cfg
    - ranger-policymgr-ssl.xml
    - ranger-hdfs-security.xml
    - ranger-hdfs-audit.xml
    - ranger-hdfs-security-changes.cfg
- build_ranger_using_docker.sh
- dev-support
  - test-patch.sh
  - checkstyle.xml
  - checkstyle-suppressions.xml
  - findbugsIncludeFile.xml
  - ranger-pmd-ruleset.xml
  - smart-apply-patch.sh
- credentialbuilder
  - src
    - main
      - java
        org
        apache
        ranger
        credentialapi
        buildks.java
        CredentialReader.java
    - test
      - java
        org
        apache
        ranger
        credentialapi
        Testbuildks.java
        TestCredentialReader.java
  - pom.xml
  - .gitignore
- plugin-elasticsearch
  - src
    - main
      - java
        org
        apache
        ranger
        services
        elasticsearch
        client
        ElasticsearchResourceMgr.java
        ElasticsearchClient.java
        privilege
        IndexPrivilegeUtils.java
        IndexPrivilege.java
        RangerServiceElasticsearch.java
        authorization
        elasticsearch
        authorizer
        RangerElasticsearchAuthorizer.java
  - pom.xml
  - scripts
    - install.properties
  - .gitignore
  - conf
    - ranger-policymgr-ssl-changes.cfg
    - ranger-elasticsearch-audit.xml
    - ranger-elasticsearch-security.xml
    - ranger-policymgr-ssl.xml
    - ranger-elasticsearch-security-changes.cfg
    - ranger-elasticsearch-audit-changes.cfg
- .gitignore
- docs
  - src
    - site
      - resources
        logo
        ranger.jpg
      - xdoc
        download.xml
        quick_start_guide.xml
      - site.xml
      - apt
        index.apt.vm
      - fml
        faq.fml
  - DEPENDENCIES
  - pom.xml
  - LICENSE
  - README.txt
  - NOTICE
  - .gitignore
- LICENSE.txt
- unixauthclient
  - src
    - main
      - java
        org
        apache
        ranger
        authentication
        unix
        jaas
        RemoteUnixLoginModule.java
        UnixUserPrincipal.java
        UnixGroupPrincipal.java
        PamPrincipal.java
        PamLoginModule.java
        ConsolePromptCallbackHandler.java
        UsernamePasswordCallbackHandler.java
    - test
      - com
        xasecure
        test
        authentication
        UnixAuthenticationTester.java
  - pom.xml
  - .gitignore
- plugin-yarn
  - src
    - main
      - java
        org
        apache
        ranger
        services
        yarn
        client
        YarnConnectionMgr.java
        YarnClient.java
        YarnResourceMgr.java
        json
        model
        YarnSchedulerResponse.java
        RangerServiceYarn.java
        authorization
        yarn
        authorizer
        RangerYarnAuthorizer.java
  - disable-conf
    - yarn-site-changes.cfg
  - pom.xml
  - scripts
    - install.properties
  - .gitignore
  - conf
    - ranger-yarn-security.xml
    - ranger-yarn-audit-changes.cfg
    - ranger-policymgr-ssl-changes.cfg
    - yarn-site-changes.cfg
    - ranger-yarn-audit.xml
    - ranger-policymgr-ssl.xml
    - ranger-yarn-security-changes.cfg
- .project

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

package org.apache.ranger.authorization.hive.authorizer;

import java.net.InetAddress;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.hive.common.FileUtils;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
import org.apache.hadoop.hive.ql.metadata.HiveException;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePolicyProvider;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivObjectActionType;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject.HivePrivilegeObjectType;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveResourceACLs;
import org.apache.hadoop.hive.ql.session.SessionState;
import org.apache.hadoop.ipc.Server;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.authorization.hadoop.constants.RangerHadoopConstants;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerRole;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.model.RangerServiceDef.RangerDataMaskTypeDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerPolicyEngine;
import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
import org.apache.ranger.plugin.util.GrantRevokeRoleRequest;

import com.google.common.collect.Sets;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.plugin.util.RangerRequestedResources;

public class RangerHiveAuthorizer extends RangerHiveAuthorizerBase {
	private static final Log LOG = LogFactory.getLog(RangerHiveAuthorizer.class);

	private static final Log PERF_HIVEAUTH_REQUEST_LOG = RangerPerfTracer.getPerfLogger("hiveauth.request");

	private static final char COLUMN_SEP = ',';

	private static final String HIVE_CONF_VAR_QUERY_STRING = "hive.query.string";

	private static final String DEFAULT_RANGER_POLICY_GRANTOR = "ranger";

	private static volatile RangerHivePlugin hivePlugin = null;

	private static final String ROLE_ALL = "ALL", ROLE_DEFAULT = "DEFAULT", ROLE_NONE = "NONE";
	private static final String ROLE_ADMIN = "admin";

	private static final String CMD_CREATE_ROLE        = "create role %s";
	private static final String CMD_DROP_ROLE          = "drop role %s";
	private static final String CMD_SHOW_ROLES         = "show roles";
	private static final String CMD_SHOW_ROLE_GRANT    = "show role grant %s %s";
	private static final String CMD_SHOW_PRINCIPALS    = "show principals %s";
	private static final String CMD_GRANT_ROLE         = "grant role %s to %s ";
	private static final String CMD_REVOKE_ROLE        = "revoke role %s from %s";

	private static final Set<String> RESERVED_ROLE_NAMES;

	static {
		Set<String> roleNames = new HashSet<>();

		roleNames.add(ROLE_ALL);
		roleNames.add(ROLE_DEFAULT);
		roleNames.add(ROLE_NONE);

		RESERVED_ROLE_NAMES = Collections.unmodifiableSet(roleNames);
	}

	private String currentUserName;
	private Set<String> currentRoles;
	private String adminRole;

	public RangerHiveAuthorizer(HiveMetastoreClientFactory metastoreClientFactory,
								  HiveConf                   hiveConf,
								  HiveAuthenticationProvider hiveAuthenticator,
								  HiveAuthzSessionContext    sessionContext) {
		super(metastoreClientFactory, hiveConf, hiveAuthenticator, sessionContext);

		LOG.debug("RangerHiveAuthorizer.RangerHiveAuthorizer()");

		RangerHivePlugin plugin = hivePlugin;
		
		if(plugin == null) {
			synchronized(RangerHiveAuthorizer.class) {
				plugin = hivePlugin;

				if(plugin == null) {
					String appType = "unknown";

					if(sessionContext != null) {
						switch(sessionContext.getClientType()) {
							case HIVECLI:
								appType = "hiveCLI";
							break;

							case HIVESERVER2:
								appType = "hiveServer2";
							break;

							/*
							case HIVEMETASTORE:
								appType = "hiveMetastore";
								break;

							case OTHER:
								appType = "other";
								break;

							 */
						}
					}

					plugin = new RangerHivePlugin(appType);
					plugin.init();

					hivePlugin = plugin;
				}
			}
		}
	}

	@Override
	public HivePolicyProvider getHivePolicyProvider() throws HiveAuthzPluginException {
		if (hivePlugin == null) {
			throw new HiveAuthzPluginException();
		}
		RangerHivePolicyProvider policyProvider = new RangerHivePolicyProvider(hivePlugin);

		return policyProvider;
	}

	@Override
	public void createRole(String roleName, HivePrincipal adminGrantor)
			throws HiveAuthzPluginException, HiveAccessControlException {
		if(LOG.isDebugEnabled()) {
			LOG.debug(" ==> RangerHiveAuthorizer.createRole()");
		}
		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
		String currentUserName = getGrantorUsername(adminGrantor);
		List<String> roleNames     = Arrays.asList(roleName);
		List<String> userNames     = Arrays.asList(currentUserName);
		boolean		 result		   = false;

		if (RESERVED_ROLE_NAMES.contains(roleName.trim().toUpperCase())) {
			throw new HiveAuthzPluginException("Role name cannot be one of the reserved roles: " +
					RESERVED_ROLE_NAMES);
		}

		try {
			RangerRole role  = new RangerRole();
			role.setName(roleName);
			role.setCreatedByUser(currentUserName);
			role.setCreatedBy(currentUserName);
			role.setUpdatedBy(currentUserName);
			//Add grantor as the member to this role with grant option.
			RangerRole.RoleMember userMember = new RangerRole.RoleMember(currentUserName, true);
			List<RangerRole.RoleMember> userMemberList = new ArrayList<>();
			userMemberList.add(userMember);
			role.setUsers(userMemberList);
			RangerRole ret = hivePlugin.createRole(role, auditHandler);
			if(LOG.isDebugEnabled()) {
				LOG.debug("<== createRole(): " + ret);
			}
			result = true;
		} catch(Exception excp) {
			throw new HiveAccessControlException(excp);
		} finally {
			RangerAccessResult accessResult = createAuditEvent(hivePlugin, currentUserName, userNames, HiveOperationType.CREATEROLE, HiveAccessType.CREATE, roleNames, result);
			auditHandler.processResult(accessResult);
			auditHandler.flushAudit();
		}
	}

	@Override
	public void dropRole(String roleName)
			throws HiveAuthzPluginException, HiveAccessControlException {
		if(LOG.isDebugEnabled()) {
			LOG.debug("RangerHiveAuthorizer.dropRole()");
		}

		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

		UserGroupInformation ugi       = getCurrentUserGroupInfo();
		boolean	             result    = false;
		List<String>	     roleNames = Arrays.asList(roleName);

		if(ugi == null) {
			throw new HiveAccessControlException("Permission denied: user information not available");
		}

		if (RESERVED_ROLE_NAMES.contains(roleName.trim().toUpperCase())) {
			throw new HiveAuthzPluginException("Role name cannot be one of the reserved roles: " +
					RESERVED_ROLE_NAMES);
		}

		String currentUserName = ugi.getShortUserName();
		List<String> userNames = Arrays.asList(currentUserName);

		try {
			if(LOG.isDebugEnabled()) {
				LOG.debug("<== dropRole(): " + roleName);
			}
			hivePlugin.dropRole(currentUserName, roleName, auditHandler);
			result = true;
		} catch(Exception excp) {
			throw new HiveAccessControlException(excp);
		} finally {
			RangerAccessResult accessResult = createAuditEvent(hivePlugin, currentUserName, userNames, HiveOperationType.DROPROLE, HiveAccessType.DROP, roleNames, result);
			auditHandler.processResult(accessResult);
			auditHandler.flushAudit();
		}

	}

	@Override
	public List<String> getCurrentRoleNames() throws HiveAuthzPluginException {
		if (LOG.isDebugEnabled()) {
			LOG.debug("RangerHiveAuthorizer.getCurrentRoleNames()");
		}
		UserGroupInformation ugi = getCurrentUserGroupInfo();
		boolean result = false;
		if (ugi == null) {
			throw new HiveAuthzPluginException("User information not available");
		}
		List<String> ret = new ArrayList<String>();
		String user = ugi.getShortUserName();
		List<String> userNames = Arrays.asList(user);
		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
		try {
			if (LOG.isDebugEnabled()) {
				LOG.debug("<== getCurrentRoleNames() for user " + user);
			}
			for (String role : getCurrentRoles()) {
				ret.add(role);
			}
			result = true;
		} catch (Exception excp) {
			throw new HiveAuthzPluginException(excp);
		} finally {
			RangerAccessResult accessResult = createAuditEvent(hivePlugin, user, userNames,
					HiveOperationType.SHOW_ROLES, HiveAccessType.SELECT, ret, result);
			auditHandler.processResult(accessResult);
			auditHandler.flushAudit();
		}
		return ret;
	}

	private void initUserRoles() {
		if (LOG.isDebugEnabled()) {
			LOG.debug(" ==> RangerHiveAuthorizer.initUserRoles()");
		}
		// from SQLStdHiveAccessController.initUserRoles()
		// to aid in testing through .q files, authenticator is passed as argument to
		// the interface. this helps in being able to switch the user within a session.
		// so we need to check if the user has changed
		String newUserName = getHiveAuthenticator().getUserName();
		if (Objects.equals(currentUserName, newUserName)) {
			// no need to (re-)initialize the currentUserName, currentRoles fields
			return;
		}
		this.currentUserName = newUserName;
		try {
			currentRoles = getCurrentRoleNamesFromRanger();
		} catch (HiveAuthzPluginException e) {
			LOG.error("Error while fetching roles from ranger for user : " + currentUserName, e);
		}
		LOG.info("Current user : " + currentUserName + ", Current Roles : " + currentRoles);
	}

	private Set<String> getCurrentRoles() {
		// from SQLStdHiveAccessController.getCurrentRoles()
		initUserRoles();
		return currentRoles;
	}

	private Set<String> getCurrentRoleNamesFromRanger() throws HiveAuthzPluginException {
		if (LOG.isDebugEnabled()) {
			LOG.debug("RangerHiveAuthorizer.getCurrentRoleNamesFromRanger()");
		}
		UserGroupInformation ugi = getCurrentUserGroupInfo();

		if (ugi == null) {
			throw new HiveAuthzPluginException("User information not available");
		}
		Set<String> ret = new HashSet<String>();
		String user = ugi.getShortUserName();

		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
		try {
			if (LOG.isDebugEnabled()) {
				LOG.debug("<== getCurrentRoleNamesFromRanger() for user " + user);
			}
			Set<String> userRoles = new HashSet<String>(hivePlugin.getUserRoles(user, auditHandler));
			for (String role : userRoles) {
				if (!ROLE_ADMIN.equalsIgnoreCase(role)) {
					ret.add(role);
				} else {
					this.adminRole = role;
				}
			}
		} catch (Exception excp) {
			throw new HiveAuthzPluginException(excp);
		} finally {
			auditHandler.flushAudit();
		}
		if (LOG.isDebugEnabled()) {
			LOG.debug("<== RangerHiveAuthorizer.getCurrentRoleNamesFromRanger() for user " + user);
		}
		return ret;
	}

	@Override
	public void setCurrentRole(String roleName) throws HiveAccessControlException, HiveAuthzPluginException {
		// from SQLStdHiveAccessController.setCurrentRole()
		initUserRoles();
		if (ROLE_NONE.equalsIgnoreCase(roleName)) {
			// for set role NONE, clear all roles for current session.
			currentRoles.clear();
			return;
		}
		if (ROLE_ALL.equalsIgnoreCase(roleName)) {
			// for set role ALL, reset roles to default roles.
			currentRoles.clear();
			currentRoles.addAll(getCurrentRoleNamesFromRanger());
			return;
		}
		for (String role : getCurrentRoleNamesFromRanger()) {
			// set to one of the roles user belongs to.
			if (role.equalsIgnoreCase(roleName)) {
				currentRoles.clear();
				currentRoles.add(role);
				return;
			}
		}
		// set to ADMIN role, if user belongs there.
		if (ROLE_ADMIN.equalsIgnoreCase(roleName) && null != this.adminRole) {
			currentRoles.clear();
			currentRoles.add(adminRole);
			return;
		}
		LOG.info("Current user : " + currentUserName + ", Current Roles : " + currentRoles);
		// If we are here it means, user is requesting a role he doesn't belong to.
		throw new HiveAccessControlException(currentUserName + " doesn't belong to role " + roleName);
	}

	@Override
	public List<String> getAllRoles()
			throws HiveAuthzPluginException, HiveAccessControlException {
		LOG.debug("RangerHiveAuthorizer.getAllRoles()");
		boolean	               result       = false;
		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
		UserGroupInformation ugi = getCurrentUserGroupInfo();

		if(ugi == null) {
			throw new HiveAccessControlException("Permission denied: user information not available");
		}
		List<String> ret = null;

		String currentUserName = ugi.getShortUserName();
		List<String> userNames = Arrays.asList(currentUserName);

		try {
			if(LOG.isDebugEnabled()) {
				LOG.debug("<== getAllRoles()");
			}

			ret = hivePlugin.getAllRoles(ugi.getShortUserName(), auditHandler);
			result = true;

		} catch(Exception excp) {
			throw new HiveAuthzPluginException(excp);
		} finally {
			RangerAccessResult accessResult = createAuditEvent(hivePlugin, currentUserName, userNames, HiveOperationType.SHOW_ROLES, HiveAccessType.SELECT, null, result);
			auditHandler.processResult(accessResult);
			auditHandler.flushAudit();
		}

		return ret;
	}

	@Override
	public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String roleName)
			throws HiveAuthzPluginException, HiveAccessControlException {
		LOG.debug("RangerHiveAuthorizer.getPrincipalGrantInfoForRole()");
		boolean	               result       = false;
		List<String>	       roleNames    = Arrays.asList(roleName);
		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
		UserGroupInformation ugi = getCurrentUserGroupInfo();

		if(ugi == null) {
			throw new HiveAccessControlException("Permission denied: user information not available");
		}
		List<HiveRoleGrant> ret = new ArrayList<>();

		String currentUserName = ugi.getShortUserName();
		List<String> userNames = Arrays.asList(currentUserName);

		try {
			RangerRole role = hivePlugin.getRole(ugi.getShortUserName(), roleName, auditHandler);

			for (RangerRole.RoleMember roleMember : role.getRoles()) {
				HiveRoleGrant hiveRoleGrant = new HiveRoleGrant();
				hiveRoleGrant.setGrantOption(roleMember.getIsAdmin());
				hiveRoleGrant.setGrantor(role.getCreatedByUser());
				hiveRoleGrant.setGrantorType(HivePrincipal.HivePrincipalType.USER.name());
				hiveRoleGrant.setPrincipalName(roleMember.getName());
				hiveRoleGrant.setPrincipalType(HivePrincipal.HivePrincipalType.ROLE.toString());
				hiveRoleGrant.setGrantTime((int) (role.getUpdateTime().getTime()/1000));
				ret.add(hiveRoleGrant);
			}

			for (RangerRole.RoleMember group : role.getGroups()) {
				HiveRoleGrant hiveRoleGrant = new HiveRoleGrant();
				hiveRoleGrant.setGrantOption(group.getIsAdmin());
				hiveRoleGrant.setGrantor(role.getCreatedByUser());
				hiveRoleGrant.setGrantorType(HivePrincipal.HivePrincipalType.USER.name());
				hiveRoleGrant.setPrincipalName(group.getName());
				hiveRoleGrant.setPrincipalType(HivePrincipal.HivePrincipalType.GROUP.toString());
				hiveRoleGrant.setGrantTime((int) (role.getUpdateTime().getTime()/1000));
				ret.add(hiveRoleGrant);
			}

			for (RangerRole.RoleMember user : role.getUsers()) {
				HiveRoleGrant hiveRoleGrant = new HiveRoleGrant();
				hiveRoleGrant.setGrantOption(user.getIsAdmin());
				hiveRoleGrant.setGrantor(role.getCreatedByUser());
				hiveRoleGrant.setGrantorType(HivePrincipal.HivePrincipalType.USER.name());
				hiveRoleGrant.setPrincipalName(user.getName());
				hiveRoleGrant.setPrincipalType(HivePrincipal.HivePrincipalType.USER.toString());
				hiveRoleGrant.setGrantTime((int) (role.getUpdateTime().getTime()/1000));
				ret.add(hiveRoleGrant);
			}
			result = true;
			if(LOG.isDebugEnabled()) {
				LOG.debug("<== getPrincipalGrantInfoForRole() for role " + role);
			}

		} catch(Exception excp) {
			throw new HiveAuthzPluginException(excp);
		} finally {
			RangerAccessResult accessResult = createAuditEvent(hivePlugin, currentUserName, userNames, HiveOperationType.SHOW_ROLE_PRINCIPALS, HiveAccessType.SELECT, roleNames, result);
			auditHandler.processResult(accessResult);
			auditHandler.flushAudit();
		}

		return ret;
	}

	@Override
	public void grantRole(List<HivePrincipal> hivePrincipals, List<String> roles,
						  boolean grantOption, HivePrincipal grantorPrinc)
			throws HiveAuthzPluginException, HiveAccessControlException {
		LOG.debug("RangerHiveAuthorizerBase.grantRole()");

		boolean	               result       = false;
		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();
		String 				   username     = getGrantorUsername(grantorPrinc);
		List<String> 		   principals   = new ArrayList<>();
		try {
			GrantRevokeRoleRequest request  = new GrantRevokeRoleRequest();
			request.setGrantor(username);
			request.setGrantorGroups(getGrantorGroupNames(grantorPrinc));
			Set<String> userList = new HashSet<>();
			Set<String> roleList = new HashSet<>();
			Set<String> groupList = new HashSet<>();
			for(HivePrincipal principal : hivePrincipals) {
				String  name = null;
				switch(principal.getType()) {
					case USER:
						name = principal.getName();
						userList.add(name);
						principals.add("USER " + name);
						break;

					case GROUP:
						name = principal.getName();
						groupList.add(name);
						principals.add("GROUP " + name);
						break;

					case ROLE:
						name = principal.getName();
						roleList.add(name);
						principals.add("ROLE "+ name);
						break;

					case UNKNOWN:
						break;
				}
			}
			request.setUsers(userList);
			request.setGroups(groupList);
			request.setRoles(roleList);
			request.setGrantOption(grantOption);
			request.setTargetRoles(new HashSet<>(roles));
			SessionState ss = SessionState.get();
			if(ss != null) {
				request.setClientIPAddress(ss.getUserIpAddress());
				request.setSessionId(ss.getSessionId());

				HiveConf hiveConf = ss.getConf();

				if(hiveConf != null) {
					request.setRequestData(hiveConf.get(HIVE_CONF_VAR_QUERY_STRING));
				}
			}

			HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
			if(sessionContext != null) {
				request.setClientType(sessionContext.getClientType() == null ? null : sessionContext.getClientType().toString());
			}


			hivePlugin.grantRole(request, auditHandler);
			result = true;
		} catch(Exception excp) {
			throw new HiveAccessControlException(excp);
		} finally {
			RangerAccessResult accessResult = createAuditEvent(hivePlugin, username, principals, HiveOperationType.GRANT_ROLE, HiveAccessType.ALTER, roles, result);
			auditHandler.processResult(accessResult);
			auditHandler.flushAudit();
		}
	}

	@Override
	public void revokeRole(List<HivePrincipal> hivePrincipals, List<String> roles,
						   boolean grantOption, HivePrincipal grantorPrinc)
			throws HiveAuthzPluginException, HiveAccessControlException {
		LOG.debug("RangerHiveAuthorizerBase.revokeRole()");

		boolean result = false;

		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

		String 		  grantorUserName = getGrantorUsername(grantorPrinc);
		List<String>  principals      = new ArrayList<>();

		try {
			GrantRevokeRoleRequest request  = new GrantRevokeRoleRequest();
			request.setGrantor(grantorUserName);
			request.setGrantorGroups(getGrantorGroupNames(grantorPrinc));
			Set<String> userList = new HashSet<>();
			Set<String> roleList = new HashSet<>();
			Set<String> groupList = new HashSet<>();
			for(HivePrincipal principal : hivePrincipals) {
				String principalName = null;
				switch(principal.getType()) {
					case USER:
						principalName = principal.getName();
						userList.add(principalName);
						principals.add("USER " + principalName);
						break;

					case GROUP:
						principalName = principal.getName();
						groupList.add(principalName);
						principals.add("GROUP " + principalName);
						break;
					case ROLE:
						principalName = principal.getName();
						roleList.add(principalName);
						principals.add("ROLE " + principalName);
						break;

					case UNKNOWN:
						break;
				}
			}

			request.setUsers(userList);
			request.setGroups(groupList);
			request.setRoles(roleList);
			request.setGrantOption(grantOption);
			request.setTargetRoles(new HashSet<>(roles));
			SessionState ss = SessionState.get();
			if(ss != null) {
				request.setClientIPAddress(ss.getUserIpAddress());
				request.setSessionId(ss.getSessionId());

				HiveConf hiveConf = ss.getConf();

				if(hiveConf != null) {
					request.setRequestData(hiveConf.get(HIVE_CONF_VAR_QUERY_STRING));
				}
			}

			HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
			if(sessionContext != null) {
				request.setClientType(sessionContext.getClientType() == null ? null : sessionContext.getClientType().toString());
			}

			LOG.info("revokeRole(): " + request);
			if(LOG.isDebugEnabled()) {
				LOG.debug("revokeRole(): " + request);
			}
			hivePlugin.revokeRole(request, auditHandler);
			result = true;
		} catch(Exception excp) {
			throw new HiveAccessControlException(excp);
		} finally {
			RangerAccessResult accessResult = createAuditEvent(hivePlugin, grantorUserName, principals, HiveOperationType.REVOKE_ROLE, HiveAccessType.ALTER, roles, result);
			auditHandler.processResult(accessResult);
			auditHandler.flushAudit();
		}
	}

	/**
	 * Grant privileges for principals on the object
	 * @param hivePrincipals
	 * @param hivePrivileges
	 * @param hivePrivObject
	 * @param grantorPrincipal
	 * @param grantOption
	 * @throws HiveAuthzPluginException
	 * @throws HiveAccessControlException
	 */
	@Override
	public void grantPrivileges(List<HivePrincipal> hivePrincipals,
								List<HivePrivilege> hivePrivileges,
								HivePrivilegeObject hivePrivObject,
								HivePrincipal       grantorPrincipal,
								boolean             grantOption)
										throws HiveAuthzPluginException, HiveAccessControlException {
		if (LOG.isDebugEnabled()) {
				LOG.debug("grantPrivileges() => HivePrivilegeObject:" + toString(hivePrivObject, new StringBuilder()) + "grantorPrincipal: " + grantorPrincipal + "hivePrincipals" + hivePrincipals + "hivePrivileges" + hivePrivileges);
		}

		if(! RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke) {
			throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Ranger HiveAuthorizer. Please use Ranger Security Admin to setup access control.");
		}

		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

		try {
			List<HivePrivilegeObject> outputs = new ArrayList<>(Arrays.asList(hivePrivObject));
			RangerHiveResource resource = getHiveResource(HiveOperationType.GRANT_PRIVILEGE, hivePrivObject, null, outputs);
			GrantRevokeRequest request  = createGrantRevokeData(resource, hivePrincipals, hivePrivileges, grantorPrincipal, grantOption);

			LOG.info("grantPrivileges(): " + request);
			if(LOG.isDebugEnabled()) {
				LOG.debug("grantPrivileges(): " + request);
			}

			hivePlugin.grantAccess(request, auditHandler);
		} catch(Exception excp) {
			throw new HiveAccessControlException(excp);
		} finally {
			auditHandler.flushAudit();
		}
	}

	/**
	 * Revoke privileges for principals on the object
	 * @param hivePrincipals
	 * @param hivePrivileges
	 * @param hivePrivObject
	 * @param grantorPrincipal
	 * @param grantOption
	 * @throws HiveAuthzPluginException
	 * @throws HiveAccessControlException
	 */
	@Override
	public void revokePrivileges(List<HivePrincipal> hivePrincipals,
								 List<HivePrivilege> hivePrivileges,
								 HivePrivilegeObject hivePrivObject,
								 HivePrincipal       grantorPrincipal,
								 boolean             grantOption)
										 throws HiveAuthzPluginException, HiveAccessControlException {
		if(! RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke) {
			throw new HiveAuthzPluginException("GRANT/REVOKE not supported in Ranger HiveAuthorizer. Please use Ranger Security Admin to setup access control.");
		}

		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

		try {
			List<HivePrivilegeObject> outputs = new ArrayList<>(Arrays.asList(hivePrivObject));
			RangerHiveResource resource = getHiveResource(HiveOperationType.REVOKE_PRIVILEGE, hivePrivObject, null, outputs);
			GrantRevokeRequest request  = createGrantRevokeData(resource, hivePrincipals, hivePrivileges, grantorPrincipal, grantOption);

			LOG.info("revokePrivileges(): " + request);
			if(LOG.isDebugEnabled()) {
				LOG.debug("revokePrivileges(): " + request);
			}

			hivePlugin.revokeAccess(request, auditHandler);
		} catch(Exception excp) {
			throw new HiveAccessControlException(excp);
		} finally {
			auditHandler.flushAudit();
		}
	}

	/**
	 * Check if user has privileges to do this action on these objects
	 * @param hiveOpType
	 * @param inputHObjs
	 * @param outputHObjs
	 * @param context
	 * @throws HiveAuthzPluginException
	 * @throws HiveAccessControlException
	 */
	@Override
	public void checkPrivileges(HiveOperationType         hiveOpType,
								List<HivePrivilegeObject> inputHObjs,
							    List<HivePrivilegeObject> outputHObjs,
							    HiveAuthzContext          context)
		      throws HiveAuthzPluginException, HiveAccessControlException {
		UserGroupInformation ugi = getCurrentUserGroupInfo();

		if(ugi == null) {
			throw new HiveAccessControlException("Permission denied: user information not available");
		}

		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

		RangerPerfTracer perf = null;

		try {
			HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
			String                  user           = ugi.getShortUserName();
			Set<String>             groups         = Sets.newHashSet(ugi.getGroupNames());
			Set<String>             roles          = getCurrentRoles();

			if(LOG.isDebugEnabled()) {
				LOG.debug(toString(hiveOpType, inputHObjs, outputHObjs, context, sessionContext));
			}

			if(hiveOpType == HiveOperationType.DFS) {
				handleDfsCommand(hiveOpType, inputHObjs, user, auditHandler);

				return;
			}

			if(RangerPerfTracer.isPerfTraceEnabled(PERF_HIVEAUTH_REQUEST_LOG)) {
				perf = RangerPerfTracer.getPerfTracer(PERF_HIVEAUTH_REQUEST_LOG, "RangerHiveAuthorizer.checkPrivileges(hiveOpType=" + hiveOpType + ")");
			}

			List<RangerHiveAccessRequest> requests = new ArrayList<RangerHiveAccessRequest>();

			if(!CollectionUtils.isEmpty(inputHObjs)) {
				for(HivePrivilegeObject hiveObj : inputHObjs) {
					RangerHiveResource resource = getHiveResource(hiveOpType, hiveObj, inputHObjs, outputHObjs);

					if (resource == null) { // possible if input object/object is of a kind that we don't currently authorize
						continue;
					}

					String 	path         		= hiveObj.getObjectName();
					HiveObjectType hiveObjType  = resource.getObjectType();

					if(hiveObjType == HiveObjectType.URI && isPathInFSScheme(path)) {
						FsAction permission = getURIAccessType(hiveOpType);

						if(!isURIAccessAllowed(user, permission, path, getHiveConf())) {
							throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", user, permission.name(), path));
						}

						continue;
					}

					HiveAccessType accessType = getAccessType(hiveObj, hiveOpType, hiveObjType, true);

					if(accessType == HiveAccessType.NONE) {
						continue;
					}

					if(!existsByResourceAndAccessType(requests, resource, accessType)) {
						RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, hiveOpType, accessType, context, sessionContext);
						requests.add(request);
					}
				}
			} else {
				// this should happen only for SHOWDATABASES
				if (hiveOpType == HiveOperationType.SHOWDATABASES) {
					RangerHiveResource resource = new RangerHiveResource(HiveObjectType.DATABASE, null);
					RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, hiveOpType.name(), HiveAccessType.USE, context, sessionContext);
					requests.add(request);
				} else if ( hiveOpType ==  HiveOperationType.REPLDUMP) {
					// This happens when REPL DUMP command with null inputHObjs is sent in checkPrivileges()
					// following parsing is done for Audit info
					RangerHiveResource resource  = null;
					HiveObj hiveObj  = new HiveObj(context);
					String dbName    = hiveObj.getDatabaseName();
					String tableName = hiveObj.getTableName();
					LOG.debug("Database: " + dbName + " Table: " + tableName);
					if (!StringUtil.isEmpty(tableName)) {
						resource = new RangerHiveResource(HiveObjectType.TABLE, dbName, tableName);
					} else {
						resource = new RangerHiveResource(HiveObjectType.DATABASE, dbName, null);
					}
					//
					RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, hiveOpType.name(), HiveAccessType.REPLADMIN, context, sessionContext);
					requests.add(request);
				} else {
					if (LOG.isDebugEnabled()) {
						LOG.debug("RangerHiveAuthorizer.checkPrivileges: Unexpected operation type[" + hiveOpType + "] received with empty input objects list!");
					}
				}
			}

			if(!CollectionUtils.isEmpty(outputHObjs)) {
				for(HivePrivilegeObject hiveObj : outputHObjs) {
					RangerHiveResource resource = getHiveResource(hiveOpType, hiveObj, inputHObjs, outputHObjs);

					if (resource == null) { // possible if input object/object is of a kind that we don't currently authorize
						continue;
					}

					String   path       = hiveObj.getObjectName();
					HiveObjectType hiveObjType  = resource.getObjectType();

					if(hiveObjType == HiveObjectType.URI  && isPathInFSScheme(path)) {
						FsAction permission = getURIAccessType(hiveOpType);

		                if(!isURIAccessAllowed(user, permission, path, getHiveConf())) {
		    				throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]", user, permission.name(), path));
		                }

						continue;
					}

					HiveAccessType accessType = getAccessType(hiveObj, hiveOpType, hiveObjType, false);

					if(accessType == HiveAccessType.NONE) {
						continue;
					}

					if(!existsByResourceAndAccessType(requests, resource, accessType)) {
						RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, hiveOpType, accessType, context, sessionContext);

						requests.add(request);
					}
				}
			} else {
				if (hiveOpType == HiveOperationType.REPLLOAD) {
					// This happens when REPL LOAD command with null inputHObjs is sent in checkPrivileges()
					// following parsing is done for Audit info
					RangerHiveResource resource = null;
					HiveObj hiveObj = new HiveObj(context);
					String dbName = hiveObj.getDatabaseName();
					String tableName = hiveObj.getTableName();
					LOG.debug("Database: " + dbName + " Table: " + tableName);
					if (!StringUtil.isEmpty(tableName)) {
						resource = new RangerHiveResource(HiveObjectType.TABLE, dbName, tableName);
					} else {
						resource = new RangerHiveResource(HiveObjectType.DATABASE, dbName, null);
					}
					RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, hiveOpType.name(), HiveAccessType.REPLADMIN, context, sessionContext);
					requests.add(request);
				}
			}

			buildRequestContextWithAllAccessedResources(requests);

			for(RangerHiveAccessRequest request : requests) {
				if (LOG.isDebugEnabled()) {
					LOG.debug("request: " + request);
				}
				RangerHiveResource resource = (RangerHiveResource)request.getResource();
				RangerAccessResult result   = null;

				if(resource.getObjectType() == HiveObjectType.COLUMN && StringUtils.contains(resource.getColumn(), COLUMN_SEP)) {
					List<RangerAccessRequest> colRequests = new ArrayList<RangerAccessRequest>();

					String[] columns = StringUtils.split(resource.getColumn(), COLUMN_SEP);

					// in case of multiple columns, original request is not sent to the plugin; hence service-def will not be set
					resource.setServiceDef(hivePlugin.getServiceDef());

					for(String column : columns) {
						if (column != null) {
							column = column.trim();
						}
						if(StringUtils.isBlank(column)) {
							continue;
						}

						RangerHiveResource colResource = new RangerHiveResource(HiveObjectType.COLUMN, resource.getDatabase(), resource.getTable(), column);
						colResource.setOwnerUser(resource.getOwnerUser());

						RangerHiveAccessRequest colRequest = request.copy();
						colRequest.setResource(colResource);

						colRequests.add(colRequest);
					}

					Collection<RangerAccessResult> colResults = hivePlugin.isAccessAllowed(colRequests, auditHandler);

					if(colResults != null) {
						for(RangerAccessResult colResult : colResults) {
							result = colResult;

							if(result != null && !result.getIsAllowed()) {
								break;
							}
						}
					}
				} else {
					result = hivePlugin.isAccessAllowed(request, auditHandler);
				}

				if((result == null || result.getIsAllowed()) && isBlockAccessIfRowfilterColumnMaskSpecified(hiveOpType, request)) {
					// check if row-filtering is applicable for the table/view being accessed
					HiveAccessType     savedAccessType = request.getHiveAccessType();
					RangerHiveResource tblResource     = new RangerHiveResource(HiveObjectType.TABLE, resource.getDatabase(), resource.getTable());

					request.setHiveAccessType(HiveAccessType.SELECT); // filtering/masking policies are defined only for SELECT
					request.setResource(tblResource);

					RangerAccessResult rowFilterResult = getRowFilterResult(request);

					if (isRowFilterEnabled(rowFilterResult)) {
						if(result == null) {
							result = new RangerAccessResult(RangerPolicy.POLICY_TYPE_ACCESS, rowFilterResult.getServiceName(), rowFilterResult.getServiceDef(), request);
						}

						result.setIsAllowed(false);
						result.setPolicyId(rowFilterResult.getPolicyId());
						result.setReason("User does not have access to all rows of the table");
					} else {
						// check if masking is enabled for any column in the table/view
						request.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS);

						RangerAccessResult dataMaskResult = getDataMaskResult(request);

						if (isDataMaskEnabled(dataMaskResult)) {
							if(result == null) {
								result = new RangerAccessResult(RangerPolicy.POLICY_TYPE_ACCESS, dataMaskResult.getServiceName(), dataMaskResult.getServiceDef(), request);
							}

							result.setIsAllowed(false);
							result.setPolicyId(dataMaskResult.getPolicyId());
							result.setReason("User does not have access to unmasked column values");
						}
					}

					request.setHiveAccessType(savedAccessType);
					request.setResource(resource);

					if(result != null && !result.getIsAllowed()) {
						auditHandler.processResult(result);
					}
				}

				if(result == null || !result.getIsAllowed()) {
					String path = resource.getAsString();
					path = (path == null) ? "Unknown resource!!" : buildPathForException(path, hiveOpType);
					throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have [%s] privilege on [%s]",
														 user, request.getHiveAccessType().name(), path));
				}
			}
		} finally {
			auditHandler.flushAudit();
			RangerPerfTracer.log(perf);
		}
	}

	/**
	 * Check if user has privileges to do this action on these objects
	 * @param objs
	 * @param context
	 * @throws HiveAuthzPluginException
	 * @throws HiveAccessControlException
	 */
    // Commented out to avoid build errors until this interface is stable in Hive Branch
	// @Override
	public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> objs,
														  HiveAuthzContext          context)
		      throws HiveAuthzPluginException, HiveAccessControlException {
		
		if (LOG.isDebugEnabled()) {
			LOG.debug(String.format("==> filterListCmdObjects(%s, %s)", objs, context));
		}

		RangerPerfTracer perf = null;

		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

		if(RangerPerfTracer.isPerfTraceEnabled(PERF_HIVEAUTH_REQUEST_LOG)) {
			perf = RangerPerfTracer.getPerfTracer(PERF_HIVEAUTH_REQUEST_LOG, "RangerHiveAuthorizer.filterListCmdObjects()");
		}

		List<HivePrivilegeObject> ret = null;

		// bail out early if nothing is there to validate!
		if (objs == null) {
			LOG.debug("filterListCmdObjects: meta objects list was null!");
		} else if (objs.isEmpty()) {
			LOG.debug("filterListCmdObjects: meta objects list was empty!");
			ret = objs;
		} else if (getCurrentUserGroupInfo() == null) {
			/*
			 * This is null for metastore and there doesn't seem to be a way to tell if one is running as metastore or hiveserver2!
			 */
			LOG.warn("filterListCmdObjects: user information not available");
			ret = objs;
		} else {
			if (LOG.isDebugEnabled()) {
				LOG.debug("filterListCmdObjects: number of input objects[" + objs.size() + "]");
			}
			// get user/group info
			UserGroupInformation ugi = getCurrentUserGroupInfo(); // we know this can't be null since we checked it above!
			HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
			String user = ugi.getShortUserName();
			Set<String> groups = Sets.newHashSet(ugi.getGroupNames());
			Set<String> roles  = getCurrentRoles();
			if (LOG.isDebugEnabled()) {
				LOG.debug(String.format("filterListCmdObjects: user[%s], groups%s", user, groups));
			}
			
			if (ret == null) { // if we got any items to filter then we can't return back a null.  We must return back a list even if its empty.
				ret = new ArrayList<HivePrivilegeObject>(objs.size());
			}
			for (HivePrivilegeObject privilegeObject : objs) {
				if (LOG.isDebugEnabled()) {
					HivePrivObjectActionType actionType = privilegeObject.getActionType();
					HivePrivilegeObjectType objectType = privilegeObject.getType();
					String objectName = privilegeObject.getObjectName();
					String dbName = privilegeObject.getDbname();
					List<String> columns = privilegeObject.getColumns();
					List<String> partitionKeys = privilegeObject.getPartKeys();
					String commandString = context == null ? null : context.getCommandString();
					String ipAddress = context == null ? null : context.getIpAddress();

					final String format = "filterListCmdObjects: actionType[%s], objectType[%s], objectName[%s], dbName[%s], columns[%s], partitionKeys[%s]; context: commandString[%s], ipAddress[%s]";
					LOG.debug(String.format(format, actionType, objectType, objectName, dbName, columns, partitionKeys, commandString, ipAddress));
				}
				
				RangerHiveResource resource = createHiveResourceForFiltering(privilegeObject);
				if (resource == null) {
					LOG.error("filterListCmdObjects: RangerHiveResource returned by createHiveResource is null");
				} else {
					RangerHiveAccessRequest request = new RangerHiveAccessRequest(resource, user, groups, roles, context, sessionContext);
					RangerAccessResult result = hivePlugin.isAccessAllowed(request, auditHandler);
					if (result == null) {
						LOG.error("filterListCmdObjects: Internal error: null RangerAccessResult object received back from isAccessAllowed()!");
					} else if (!result.getIsAllowed()) {
						if (!LOG.isDebugEnabled()) {
							String path = resource.getAsString();
							LOG.debug(String.format("filterListCmdObjects: Permission denied: user [%s] does not have [%s] privilege on [%s]. resource[%s], request[%s], result[%s]",
									user, request.getHiveAccessType().name(), path, resource, request, result));
						}
					} else {
						if (LOG.isDebugEnabled()) {
							LOG.debug(String.format("filterListCmdObjects: access allowed. resource[%s], request[%s], result[%s]", resource, request, result));
						}
						ret.add(privilegeObject);
					}
				}
			}
		}

		auditHandler.flushAudit();

		RangerPerfTracer.log(perf);

		if (LOG.isDebugEnabled()) {
			int count = ret == null ? 0 : ret.size();
			LOG.debug(String.format("<== filterListCmdObjects: count[%d], ret[%s]", count, ret));
		}
		return ret;
	}

	@Override
	public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext queryContext, List<HivePrivilegeObject> hiveObjs) throws SemanticException {
		List<HivePrivilegeObject> ret = new ArrayList<HivePrivilegeObject>();

		if(LOG.isDebugEnabled()) {
			LOG.debug("==> applyRowFilterAndColumnMasking(" + queryContext + ", objCount=" + hiveObjs.size() + ")");
		}

		RangerPerfTracer perf = null;

		if(RangerPerfTracer.isPerfTraceEnabled(PERF_HIVEAUTH_REQUEST_LOG)) {
			perf = RangerPerfTracer.getPerfTracer(PERF_HIVEAUTH_REQUEST_LOG, "RangerHiveAuthorizer.applyRowFilterAndColumnMasking()");
		}

		if(CollectionUtils.isNotEmpty(hiveObjs)) {
			for (HivePrivilegeObject hiveObj : hiveObjs) {
				HivePrivilegeObjectType hiveObjType = hiveObj.getType();

				if(hiveObjType == null) {
					hiveObjType = HivePrivilegeObjectType.TABLE_OR_VIEW;
				}

				if(LOG.isDebugEnabled()) {
					LOG.debug("applyRowFilterAndColumnMasking(hiveObjType=" + hiveObjType + ")");
				}

				boolean needToTransform = false;

				if (hiveObjType == HivePrivilegeObjectType.TABLE_OR_VIEW) {
					String database = hiveObj.getDbname();
					String table    = hiveObj.getObjectName();

					String rowFilterExpr = getRowFilterExpression(queryContext, database, table);

					if (StringUtils.isNotBlank(rowFilterExpr)) {
						if(LOG.isDebugEnabled()) {
							LOG.debug("rowFilter(database=" + database + ", table=" + table + "): " + rowFilterExpr);
						}

						hiveObj.setRowFilterExpression(rowFilterExpr);
						needToTransform = true;
					}

					if (CollectionUtils.isNotEmpty(hiveObj.getColumns())) {
						List<String> columnTransformers = new ArrayList<String>();

						for (String column : hiveObj.getColumns()) {
							boolean isColumnTransformed = addCellValueTransformerAndCheckIfTransformed(queryContext, database, table, column, columnTransformers);

							if(LOG.isDebugEnabled()) {
								LOG.debug("addCellValueTransformerAndCheckIfTransformed(database=" + database + ", table=" + table + ", column=" + column + "): " + isColumnTransformed);
							}

							needToTransform = needToTransform || isColumnTransformed;
						}

						hiveObj.setCellValueTransformers(columnTransformers);
					}
				}

				if (needToTransform) {
					ret.add(hiveObj);
				}
			}
		}

		RangerPerfTracer.log(perf);

		if(LOG.isDebugEnabled()) {
			LOG.debug("<== applyRowFilterAndColumnMasking(" + queryContext + ", objCount=" + hiveObjs.size() + "): retCount=" + ret.size());
		}

		return ret;
	}

	@Override
	public boolean needTransform() {
		return true; // TODO: derive from the policies
	}

	private RangerAccessResult getDataMaskResult(RangerHiveAccessRequest request) {
		if(LOG.isDebugEnabled()) {
			LOG.debug("==> getDataMaskResult(request=" + request + ")");
		}

		RangerAccessResult ret = hivePlugin.evalDataMaskPolicies(request, null);

		if(LOG.isDebugEnabled()) {
			LOG.debug("<== getDataMaskResult(request=" + request + "): ret=" + ret);
		}

		return ret;
	}

	private RangerAccessResult getRowFilterResult(RangerHiveAccessRequest request) {
		if(LOG.isDebugEnabled()) {
			LOG.debug("==> getRowFilterResult(request=" + request + ")");
		}

		RangerAccessResult ret = hivePlugin.evalRowFilterPolicies(request, null);

		if(LOG.isDebugEnabled()) {
			LOG.debug("<== getRowFilterResult(request=" + request + "): ret=" + ret);
		}

		return ret;
	}

	private boolean isDataMaskEnabled(RangerAccessResult result) {
		return result != null && result.isMaskEnabled();
	}

	private boolean isRowFilterEnabled(RangerAccessResult result) {
		return result != null && result.isRowFilterEnabled() && StringUtils.isNotEmpty(result.getFilterExpr());
	}

	private String getRowFilterExpression(HiveAuthzContext context, String databaseName, String tableOrViewName) throws SemanticException {
		UserGroupInformation ugi = getCurrentUserGroupInfo();

		if(ugi == null) {
			throw new SemanticException("user information not available");
		}

		if(LOG.isDebugEnabled()) {
			LOG.debug("==> getRowFilterExpression(" + databaseName + ", " + tableOrViewName + ")");
		}

		String ret = null;

		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

		try {
			HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
			String                  user           = ugi.getShortUserName();
			Set<String>             groups         = Sets.newHashSet(ugi.getGroupNames());
			Set<String>             roles          = getCurrentRoles();
			HiveObjectType          objectType     = HiveObjectType.TABLE;
			RangerHiveResource      resource       = new RangerHiveResource(objectType, databaseName, tableOrViewName);
			RangerHiveAccessRequest request        = new RangerHiveAccessRequest(resource, user, groups, roles, objectType.name(), HiveAccessType.SELECT, context, sessionContext);

			RangerAccessResult result = hivePlugin.evalRowFilterPolicies(request, auditHandler);

			if(isRowFilterEnabled(result)) {
				ret = result.getFilterExpr();
			}
		} finally {
			auditHandler.flushAudit();
		}

		if(LOG.isDebugEnabled()) {
			LOG.debug("<== getRowFilterExpression(" + databaseName + ", " + tableOrViewName + "): " + ret);
		}

		return ret;
	}

	private boolean addCellValueTransformerAndCheckIfTransformed(HiveAuthzContext context, String databaseName, String tableOrViewName, String columnName, List<String> columnTransformers) throws SemanticException {
		UserGroupInformation ugi = getCurrentUserGroupInfo();

		if(ugi == null) {
			throw new SemanticException("user information not available");
		}

		if(LOG.isDebugEnabled()) {
			LOG.debug("==> addCellValueTransformerAndCheckIfTransformed(" + databaseName + ", " + tableOrViewName + ", " + columnName + ")");
		}

		boolean ret = false;
		String columnTransformer = columnName;

		RangerHiveAuditHandler auditHandler = new RangerHiveAuditHandler();

		try {
			HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
			String                  user           = ugi.getShortUserName();
			Set<String>             groups         = Sets.newHashSet(ugi.getGroupNames());
			Set<String>             roles          = getCurrentRoles();
			HiveObjectType          objectType     = HiveObjectType.COLUMN;
			RangerHiveResource      resource       = new RangerHiveResource(objectType, databaseName, tableOrViewName, columnName);
			RangerHiveAccessRequest request        = new RangerHiveAccessRequest(resource, user, groups, roles, objectType.name(), HiveAccessType.SELECT, context, sessionContext);

			RangerAccessResult result = hivePlugin.evalDataMaskPolicies(request, auditHandler);

			ret = isDataMaskEnabled(result);

			if(ret) {
				String                maskType    = result.getMaskType();
				RangerDataMaskTypeDef maskTypeDef = result.getMaskTypeDef();
				String transformer	= null;
				if (maskTypeDef != null) {
					transformer = maskTypeDef.getTransformer();
				}

				if(StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_NULL)) {
					columnTransformer = "NULL";
				} else if(StringUtils.equalsIgnoreCase(maskType, RangerPolicy.MASK_TYPE_CUSTOM)) {
					String maskedValue = result.getMaskedValue();

					if(maskedValue == null) {
						columnTransformer = "NULL";
					} else {
						columnTransformer = maskedValue.replace("{col}", columnName);
					}

				} else if(StringUtils.isNotEmpty(transformer)) {
					columnTransformer = transformer.replace("{col}", columnName);
				}

				/*
				String maskCondition = result.getMaskCondition();

				if(StringUtils.isNotEmpty(maskCondition)) {
					ret = "if(" + maskCondition + ", " + ret + ", " + columnName + ")";
				}
				*/
			}
		} finally {
			auditHandler.flushAudit();
		}

		columnTransformers.add(columnTransformer);

		if(LOG.isDebugEnabled()) {
			LOG.debug("<== addCellValueTransformerAndCheckIfTransformed(" + databaseName + ", " + tableOrViewName + ", " + columnName + "): " + ret);
		}

		return ret;
	}

	static RangerHiveResource createHiveResourceForFiltering(HivePrivilegeObject privilegeObject) {
		RangerHiveResource resource = null;

		HivePrivilegeObjectType objectType = privilegeObject.getType();

		switch(objectType) {
			case DATABASE:
			case TABLE_OR_VIEW:
				resource = createHiveResource(privilegeObject);
				break;
			default:
				LOG.warn("RangerHiveAuthorizer.getHiveResourceForFiltering: unexpected objectType:" + objectType);
		}

		return resource;
	}

	static RangerHiveResource createHiveResource(HivePrivilegeObject privilegeObject) {
		RangerHiveResource resource = null;

		HivePrivilegeObjectType objectType = privilegeObject.getType();
		String objectName = privilegeObject.getObjectName();
		String dbName = privilegeObject.getDbname();

		switch(objectType) {
			case DATABASE:
				resource = new RangerHiveResource(HiveObjectType.DATABASE, dbName);
				break;
			case TABLE_OR_VIEW:
				resource = new RangerHiveResource(HiveObjectType.TABLE, dbName, objectName);
				//resource.setOwnerUser(privilegeObject.getOwnerName());
				break;
			case COLUMN:
				List<String> columns = privilegeObject.getColumns();
				int numOfColumns = columns == null ? 0 : columns.size();
				if (numOfColumns == 1) {
					resource = new RangerHiveResource(HiveObjectType.COLUMN, dbName, objectName, columns.get(0));
					//resource.setOwnerUser(privilegeObject.getOwnerName());
				} else {
					LOG.warn("RangerHiveAuthorizer.getHiveResource: unexpected number of columns requested:" + numOfColumns + ", objectType:" + objectType);
				}
				break;
			default:
				LOG.warn("RangerHiveAuthorizer.getHiveResource: unexpected objectType:" + objectType);
		}

		if (resource != null) {
			resource.setServiceDef(hivePlugin == null ? null : hivePlugin.getServiceDef());
		}

		return resource;
	}


	private RangerHiveResource getHiveResource(HiveOperationType   hiveOpType,
											   HivePrivilegeObject hiveObj,
											   List<HivePrivilegeObject> inputs,
											   List<HivePrivilegeObject> outputs) {
		RangerHiveResource ret = null;

		HiveObjectType objectType = getObjectType(hiveObj, hiveOpType);

		switch(objectType) {
			case DATABASE:
				ret = new RangerHiveResource(objectType, hiveObj.getDbname());
				/*
				if (!isCreateOperation(hiveOpType)) {
					ret.setOwnerUser(hiveObj.getOwnerName());
				}

				 */
			break;
	
			case TABLE:
			case VIEW:
			case FUNCTION:
				ret = new RangerHiveResource(objectType, hiveObj.getDbname(), hiveObj.getObjectName());
				// To suppress PMD violations
				if (LOG.isDebugEnabled()) {
					LOG.debug("Size of inputs = [" + (CollectionUtils.isNotEmpty(inputs) ? inputs.size() : 0) +
							", Size of outputs = [" + (CollectionUtils.isNotEmpty(outputs) ? outputs.size() : 0) + "]");
				}

				/*
				String ownerName = hiveObj.getOwnerName();

				if (isCreateOperation(hiveOpType)) {
					HivePrivilegeObject dbObject = getDatabaseObject(hiveObj.getDbname(), inputs, outputs);
					if (dbObject != null) {
						ownerName = dbObject.getOwnerName();
					}
				}

				ret.setOwnerUser(ownerName);

				 */

			break;

			case PARTITION:
			case INDEX:
				ret = new RangerHiveResource(objectType, hiveObj.getDbname(), hiveObj.getObjectName());
			break;
	
			case COLUMN:
				ret = new RangerHiveResource(objectType, hiveObj.getDbname(), hiveObj.getObjectName(), StringUtils.join(hiveObj.getColumns(), COLUMN_SEP));
				//ret.setOwnerUser(hiveObj.getOwnerName());
			break;

            case URI:
			case SERVICE_NAME:
				ret = new RangerHiveResource(objectType, hiveObj.getObjectName());
            break;

			case GLOBAL:
				ret = new RangerHiveResource(objectType,hiveObj.getObjectName());
			break;

			case NONE:
			break;
		}

		if (ret != null) {
			ret.setServiceDef(hivePlugin == null ? null : hivePlugin.getServiceDef());
		}

		return ret;
	}

	/*
	private boolean isCreateOperation(HiveOperationType hiveOpType){
		boolean ret = false;
		switch (hiveOpType) {
			case CREATETABLE:
			case CREATEVIEW:
			case CREATETABLE_AS_SELECT:
			case CREATE_MATERIALIZED_VIEW:
			case CREATEFUNCTION:
				ret = true;
			break;
		}
		return ret;
	}

	private HivePrivilegeObject getDatabaseObject(String dbName, List<HivePrivilegeObject> inputs, List<HivePrivilegeObject> outputs) {
		HivePrivilegeObject ret = null;

		if (CollectionUtils.isNotEmpty(outputs)) {
			for (HivePrivilegeObject hiveOutPrivObj : outputs) {
				if (hiveOutPrivObj.getType() == HivePrivilegeObjectType.DATABASE
						&& dbName.equalsIgnoreCase(hiveOutPrivObj.getDbname())) {
					ret = hiveOutPrivObj;
				}
			}
		}

		if (ret == null && CollectionUtils.isNotEmpty(inputs)) {
			for (HivePrivilegeObject hiveInPrivObj : inputs) {
				if (hiveInPrivObj.getType() == HivePrivilegeObjectType.DATABASE
						&& dbName.equalsIgnoreCase(hiveInPrivObj.getDbname())) {
					ret = hiveInPrivObj;
				}
			}
		}

		return ret;
	}
	
	 */

	private HiveObjectType getObjectType(HivePrivilegeObject hiveObj, HiveOperationType hiveOpType) {
		HiveObjectType objType = HiveObjectType.NONE;
		String hiveOpTypeName  = hiveOpType.name().toLowerCase();

		if (hiveObj.getType() == null) {
			return HiveObjectType.DATABASE;
		}

		switch(hiveObj.getType()) {
			case DATABASE:
				objType = HiveObjectType.DATABASE;
			break;

			case PARTITION:
				objType = HiveObjectType.PARTITION;
			break;

			case TABLE_OR_VIEW:
				if(hiveOpTypeName.contains("index")) {
					objType = HiveObjectType.INDEX;
				} else if(! StringUtil.isEmpty(hiveObj.getColumns())) {
					objType = HiveObjectType.COLUMN;
				} else if(hiveOpTypeName.contains("view")) {
					objType = HiveObjectType.VIEW;
				} else {
					objType = HiveObjectType.TABLE;
				}
			break;

			case FUNCTION:
				objType = HiveObjectType.FUNCTION;
				if (isTempUDFOperation(hiveOpTypeName, hiveObj)) {
					objType = HiveObjectType.GLOBAL;
				}
			break;

			case DFS_URI:
			case LOCAL_URI:
                objType = HiveObjectType.URI;
            break;

			case COMMAND_PARAMS:
			case GLOBAL:
				if ( "add".equals(hiveOpTypeName) || "compile".equals(hiveOpTypeName)) {
					objType = HiveObjectType.GLOBAL;
				}
			break;

			case SERVICE_NAME:
				objType = HiveObjectType.SERVICE_NAME;
			break;

			case COLUMN:
				// Thejas: this value is unused in Hive; the case should not be hit.
			break;
		}

		return objType;
	}

	private HiveAccessType getAccessType(HivePrivilegeObject hiveObj, HiveOperationType hiveOpType, HiveObjectType hiveObjectType, boolean isInput) {
		HiveAccessType           accessType       = HiveAccessType.NONE;
		HivePrivObjectActionType objectActionType = hiveObj.getActionType();

		// This is for S3 read operation
		if (hiveObjectType == HiveObjectType.URI && isInput ) {
			accessType = HiveAccessType.READ;
			return accessType;
		}
		// This is for S3 write
		if (hiveObjectType == HiveObjectType.URI && !isInput ) {
			accessType = HiveAccessType.WRITE;
			return accessType;
		}

		switch(objectActionType) {
			case INSERT:
			case INSERT_OVERWRITE:
			case UPDATE:
			case DELETE:
				accessType = HiveAccessType.UPDATE;
			break;
			case OTHER:
			switch(hiveOpType) {
				case CREATEDATABASE:
					if(hiveObj.getType() == HivePrivilegeObjectType.DATABASE) {
						accessType = HiveAccessType.CREATE;
					}
				break;

				case CREATEFUNCTION:
					if(hiveObj.getType() == HivePrivilegeObjectType.FUNCTION) {
						accessType = HiveAccessType.CREATE;
					}
					if(hiveObjectType == HiveObjectType.GLOBAL ) {
						accessType = HiveAccessType.TEMPUDFADMIN;
					}
				break;

				case CREATETABLE:
				case CREATEVIEW:
				case CREATETABLE_AS_SELECT:
				case CREATE_MATERIALIZED_VIEW:
					if(hiveObj.getType() == HivePrivilegeObjectType.TABLE_OR_VIEW) {
						accessType = isInput ? HiveAccessType.SELECT : HiveAccessType.CREATE;
					}
				break;

				case ALTERDATABASE:
				case ALTERDATABASE_LOCATION:
				case ALTERDATABASE_OWNER:
				case ALTERINDEX_PROPS:
				case ALTERINDEX_REBUILD:
				case ALTERPARTITION_BUCKETNUM:
				case ALTERPARTITION_FILEFORMAT:
				case ALTERPARTITION_LOCATION:
				case ALTERPARTITION_MERGEFILES:
				case ALTERPARTITION_PROTECTMODE:
				case ALTERPARTITION_SERDEPROPERTIES:
				case ALTERPARTITION_SERIALIZER:
				case ALTERTABLE_ADDCOLS:
				case ALTERTABLE_ADDPARTS:
				case ALTERTABLE_ARCHIVE:
				case ALTERTABLE_BUCKETNUM:
				case ALTERTABLE_CLUSTER_SORT:
				case ALTERTABLE_COMPACT:
				case ALTERTABLE_DROPPARTS:
				case ALTERTABLE_DROPCONSTRAINT:
				case ALTERTABLE_ADDCONSTRAINT:
				case ALTERTABLE_FILEFORMAT:
				case ALTERTABLE_LOCATION:
				case ALTERTABLE_MERGEFILES:
				case ALTERTABLE_PARTCOLTYPE:
				case ALTERTABLE_PROPERTIES:
				case ALTERTABLE_PROTECTMODE:
				case ALTERTABLE_RENAME:
				case ALTERTABLE_RENAMECOL:
				case ALTERTABLE_RENAMEPART:
				case ALTERTABLE_REPLACECOLS:
				case ALTERTABLE_SERDEPROPERTIES:
				case ALTERTABLE_SERIALIZER:
				case ALTERTABLE_SKEWED:
				case ALTERTABLE_TOUCH:
				case ALTERTABLE_UNARCHIVE:
				case ALTERTABLE_UPDATEPARTSTATS:
				case ALTERTABLE_UPDATETABLESTATS:
				case ALTERTABLE_UPDATECOLUMNS:
				case ALTERTBLPART_SKEWED_LOCATION:
				case ALTERVIEW_AS:
				case ALTERVIEW_PROPERTIES:
				case ALTERVIEW_RENAME:
				case DROPVIEW_PROPERTIES:
				case MSCK:
					accessType = HiveAccessType.ALTER;
				break;

				case DROPFUNCTION:
				case DROPINDEX:
				case DROPTABLE:
				case DROPVIEW:
				case DROP_MATERIALIZED_VIEW:
				case DROPDATABASE:
					accessType = HiveAccessType.DROP;
				break;

				case CREATEINDEX:
					accessType = HiveAccessType.INDEX;
				break;

				case IMPORT:
					/*
					This can happen during hive IMPORT command IFF a table is also being created as part of IMPORT.
					If so then
					- this would appear in the outputHObjs, i.e. accessType == false
					- user then must have CREATE permission on the database

					During IMPORT command it is not possible for a database to be in inputHObj list. Thus returning SELECT
					when accessType==true is never expected to be hit in practice.
					 */
					accessType = isInput ? HiveAccessType.SELECT : HiveAccessType.CREATE;
					break;

				case EXPORT:
				case LOAD:
					accessType = isInput ? HiveAccessType.SELECT : HiveAccessType.UPDATE;
				break;

				case LOCKDB:
				case LOCKTABLE:
				case UNLOCKDB:
				case UNLOCKTABLE:
					accessType = HiveAccessType.LOCK;
				break;

				/*
				 * SELECT access is done for many of these metadata operations since hive does not call back for filtering.
				 * Overtime these should move to _any/USE access (as hive adds support for filtering).
				 */
				case QUERY:
				case SHOW_TABLESTATUS:
				case SHOW_CREATETABLE:
				case SHOWINDEXES:
				case SHOWPARTITIONS:
				case SHOW_TBLPROPERTIES:
				case ANALYZE_TABLE:
					accessType = HiveAccessType.SELECT;
				break;

				case SHOWCOLUMNS:
				case DESCTABLE:
					switch (StringUtil.toLower(hivePlugin.DescribeShowTableAuth)){
						case "show-allowed":
							// This is not implemented so defaulting to current behaviour of blocking describe/show columns not to show any columns.
							// This has to be implemented when hive provides the necessary filterListCmdObjects for
							// SELECT/SHOWCOLUMS/DESCTABLE to filter the columns based on access provided in ranger.
						case "none":
						case "":
							accessType = HiveAccessType.SELECT;
							break;
						case "show-all":
							accessType = HiveAccessType.USE;
							break;
					}
				break;

				// any access done for metadata access of actions that have support from hive for filtering
				case SHOWDATABASES:
				case SWITCHDATABASE:
				case DESCDATABASE:
				case SHOWTABLES:
				case SHOWVIEWS:
					accessType = HiveAccessType.USE;
				break;

				case TRUNCATETABLE:
					accessType = HiveAccessType.UPDATE;
				break;

				case GRANT_PRIVILEGE:
				case REVOKE_PRIVILEGE:
					accessType = HiveAccessType.NONE; // access check will be performed at the ranger-admin side
				break;

				case REPLDUMP:
				case REPLLOAD:
				case REPLSTATUS:
					accessType = HiveAccessType.REPLADMIN;
				break;

				case KILL_QUERY:
				case CREATE_RESOURCEPLAN:
				case SHOW_RESOURCEPLAN:
				case ALTER_RESOURCEPLAN:
				case DROP_RESOURCEPLAN:
				case CREATE_TRIGGER:
				case ALTER_TRIGGER:
				case DROP_TRIGGER:
				case CREATE_POOL:
				case ALTER_POOL:
				case DROP_POOL:
				case CREATE_MAPPING:
				case ALTER_MAPPING:
				case DROP_MAPPING:
				case LLAP_CACHE_PURGE:
				case LLAP_CLUSTER_INFO:
					accessType = HiveAccessType.SERVICEADMIN;
				break;

				case ADD:
				case COMPILE:
					accessType = HiveAccessType.TEMPUDFADMIN;
				break;

				case DELETE:
				case CREATEMACRO:
				case CREATEROLE:
				case DESCFUNCTION:
				case DFS:
				case DROPMACRO:
				case DROPROLE:
				case EXPLAIN:
				case GRANT_ROLE:
				case REVOKE_ROLE:
				case RESET:
				case SET:
				case SHOWCONF:
				case SHOWFUNCTIONS:
				case SHOWLOCKS:
				case SHOW_COMPACTIONS:
				case SHOW_GRANT:
				case SHOW_ROLES:
				case SHOW_ROLE_GRANT:
				case SHOW_ROLE_PRINCIPALS:
				case SHOW_TRANSACTIONS:
				break;
			}
			break;
		}
		
		return accessType;
	}

	private FsAction getURIAccessType(HiveOperationType hiveOpType) {
		FsAction ret = FsAction.NONE;

		switch(hiveOpType) {
			case LOAD:
			case IMPORT:
				ret = FsAction.READ;
			break;

			case EXPORT:
				ret = FsAction.WRITE;
			break;

			case CREATEDATABASE:
			case CREATETABLE:
			case CREATETABLE_AS_SELECT:
			case ALTERDATABASE:
			case ALTERDATABASE_LOCATION:
			case ALTERDATABASE_OWNER:
			case ALTERTABLE_ADDCOLS:
			case ALTERTABLE_REPLACECOLS:
			case ALTERTABLE_RENAMECOL:
			case ALTERTABLE_RENAMEPART:
			case ALTERTABLE_RENAME:
			case ALTERTABLE_DROPPARTS:
			case ALTERTABLE_ADDPARTS:
			case ALTERTABLE_TOUCH:
			case ALTERTABLE_ARCHIVE:
			case ALTERTABLE_UNARCHIVE:
			case ALTERTABLE_PROPERTIES:
			case ALTERTABLE_SERIALIZER:
			case ALTERTABLE_PARTCOLTYPE:
			case ALTERTABLE_DROPCONSTRAINT:
			case ALTERTABLE_ADDCONSTRAINT:
			case ALTERTABLE_SERDEPROPERTIES:
			case ALTERTABLE_CLUSTER_SORT:
			case ALTERTABLE_BUCKETNUM:
			case ALTERTABLE_UPDATETABLESTATS:
			case ALTERTABLE_UPDATEPARTSTATS:
			case ALTERTABLE_UPDATECOLUMNS:
			case ALTERTABLE_PROTECTMODE:
			case ALTERTABLE_FILEFORMAT:
			case ALTERTABLE_LOCATION:
			case ALTERINDEX_PROPS:
			case ALTERTABLE_MERGEFILES:
			case ALTERTABLE_SKEWED:
			case ALTERTABLE_COMPACT:
			case ALTERTABLE_EXCHANGEPARTITION:
			case ALTERPARTITION_SERIALIZER:
			case ALTERPARTITION_SERDEPROPERTIES:
			case ALTERPARTITION_BUCKETNUM:
			case ALTERPARTITION_PROTECTMODE:
			case ALTERPARTITION_FILEFORMAT:
			case ALTERPARTITION_LOCATION:
			case ALTERPARTITION_MERGEFILES:
			case ALTERTBLPART_SKEWED_LOCATION:
			case ALTERTABLE_OWNER:
			case QUERY:
				ret = FsAction.ALL;
				break;

			case EXPLAIN:
			case DROPDATABASE:
			case SWITCHDATABASE:
			case LOCKDB:
			case UNLOCKDB:
			case DROPTABLE:
			case DESCTABLE:
			case DESCFUNCTION:
			case MSCK:
			case ANALYZE_TABLE:
			case CACHE_METADATA:
			case SHOWDATABASES:
			case SHOWTABLES:
			case SHOWCOLUMNS:
			case SHOW_TABLESTATUS:
			case SHOW_TBLPROPERTIES:
			case SHOW_CREATEDATABASE:
			case SHOW_CREATETABLE:
			case SHOWFUNCTIONS:
			case SHOWVIEWS:
			case SHOWINDEXES:
			case SHOWPARTITIONS:
			case SHOWLOCKS:
			case SHOWCONF:
			case CREATEFUNCTION:
			case DROPFUNCTION:
			case RELOADFUNCTION:
			case CREATEMACRO:
			case DROPMACRO:
			case CREATEVIEW:
			case DROPVIEW:
			case CREATE_MATERIALIZED_VIEW:
			case CREATEINDEX:
			case DROPINDEX:
			case ALTERINDEX_REBUILD:
			case ALTERVIEW_PROPERTIES:
			case DROPVIEW_PROPERTIES:
			case DROP_MATERIALIZED_VIEW:
			case LOCKTABLE:
			case UNLOCKTABLE:
			case CREATEROLE:
			case DROPROLE:
			case GRANT_PRIVILEGE:
			case REVOKE_PRIVILEGE:
			case SHOW_GRANT:
			case GRANT_ROLE:
			case REVOKE_ROLE:
			case SHOW_ROLES:
			case SHOW_ROLE_GRANT:
			case SHOW_ROLE_PRINCIPALS:
			case TRUNCATETABLE:
			case DESCDATABASE:
			case ALTERVIEW_RENAME:
			case ALTERVIEW_AS:
			case SHOW_COMPACTIONS:
			case SHOW_TRANSACTIONS:
			case ABORT_TRANSACTIONS:
			case SET:
			case RESET:
			case DFS:
			case ADD:
			case DELETE:
			case COMPILE:
			case START_TRANSACTION:
			case COMMIT:
			case ROLLBACK:
			case SET_AUTOCOMMIT:
			case GET_CATALOGS:
			case GET_COLUMNS:
			case GET_FUNCTIONS:
			case GET_SCHEMAS:
			case GET_TABLES:
			case GET_TABLETYPES:
			case GET_TYPEINFO:
			case REPLDUMP:
			case REPLLOAD:
			case REPLSTATUS:
			case KILL_QUERY:
			case LLAP_CACHE_PURGE:
			case LLAP_CLUSTER_INFO:
			case CREATE_RESOURCEPLAN:
			case SHOW_RESOURCEPLAN:
			case ALTER_RESOURCEPLAN:
			case DROP_RESOURCEPLAN:
			case CREATE_TRIGGER:
			case ALTER_TRIGGER:
			case DROP_TRIGGER:
			case CREATE_POOL:
			case ALTER_POOL:
			case DROP_POOL:
			case CREATE_MAPPING:
			case ALTER_MAPPING:
			case DROP_MAPPING:
				break;
		}

		return ret;
	}

	private String buildPathForException(String path, HiveOperationType hiveOpType) {
		String ret  	= path;
		int endIndex 	= 0;
		switch(hiveOpType) {
			case DESCTABLE:
				ret = path + "/*";
				break;
			case QUERY:
				try {
					endIndex = StringUtils.ordinalIndexOf(path, "/", 2);
					ret = path.substring(0,endIndex) + "/*";
				} catch( Exception e) {
					//omit and return the path.Log error only in debug.
					if(LOG.isDebugEnabled()) {
						LOG.debug("RangerHiveAuthorizer.buildPathForException(): Error while creating exception message ", e);
					}
				}
				break;
		}
		return ret;
	}

    private boolean isURIAccessAllowed(String userName, FsAction action, String uri, HiveConf conf) {
        boolean ret = false;

        if(action == FsAction.NONE) {
            ret = true;
        } else {
            try {
                Path       filePath   = new Path(uri);
                FileSystem fs         = FileSystem.get(filePath.toUri(), conf);
                FileStatus[] filestat = fs.globStatus(filePath);

                if(filestat != null && filestat.length > 0) {
                    boolean isDenied = false;

                    for(FileStatus file : filestat) {
                        if (FileUtils.isOwnerOfFileHierarchy(fs, file, userName) ||
							FileUtils.isActionPermittedForFileHierarchy(fs, file, userName, action)) {
								continue;
						} else {
							isDenied = true;
							break;
						}
                     }
                     ret = !isDenied;
                } else { // if given path does not exist then check for parent
                    FileStatus file = FileUtils.getPathOrParentThatExists(fs, filePath);

                    FileUtils.checkFileAccessWithImpersonation(fs, file, action, userName);
                    ret = true;
                }
            } catch(Exception excp) {
				ret = false;
                LOG.error("Error getting permissions for " + uri, excp);
            }
        }

        return ret;
    }

	private boolean isPathInFSScheme(String uri) {
		// This is to find if HIVE URI operation done is for hdfs,file scheme
		// else it may be for s3 which needs another set of authorization calls.
		boolean ret = false;
		String[] fsScheme = hivePlugin.getFSScheme();
		if (fsScheme != null) {
			for (String scheme : fsScheme) {
				if (!uri.isEmpty() && uri.startsWith(scheme)) {
					ret = true;
					break;
				}
			}
		}
		return ret;
	}


	private void handleDfsCommand(HiveOperationType         hiveOpType,
								  List<HivePrivilegeObject> inputHObjs,
								  String                    user,
								  RangerHiveAuditHandler    auditHandler)
	      throws HiveAuthzPluginException, HiveAccessControlException {

		String dfsCommandParams = null;

		if(inputHObjs != null) {
			for(HivePrivilegeObject hiveObj : inputHObjs) {
				if(hiveObj.getType() == HivePrivilegeObjectType.COMMAND_PARAMS) {
					dfsCommandParams = StringUtil.toString(hiveObj.getCommandParams());

					if(! StringUtil.isEmpty(dfsCommandParams)) {
						break;
					}
				}
			}
		}

		int    serviceType = -1;
		String serviceName = null;

		if(hivePlugin != null) {
			serviceType = hivePlugin.getServiceDefId();
			serviceName = hivePlugin.getServiceName();
		}

		auditHandler.logAuditEventForDfs(user, dfsCommandParams, false, serviceType, serviceName);

		throw new HiveAccessControlException(String.format("Permission denied: user [%s] does not have privilege for [%s] command",
											 user, hiveOpType.name()));
	}

	private boolean existsByResourceAndAccessType(Collection<RangerHiveAccessRequest> requests, RangerHiveResource resource, HiveAccessType accessType) {
		boolean ret = false;

		if(requests != null && resource != null) {
			for(RangerHiveAccessRequest request : requests) {
				if(request.getHiveAccessType() == accessType && request.getResource().equals(resource)) {
					ret = true;

					break;
				}
			}
		}

		return ret;
	}

	private String getGrantorUsername(HivePrincipal grantorPrincipal) {
		String grantor = grantorPrincipal != null ? grantorPrincipal.getName() : null;

		if(StringUtil.isEmpty(grantor)) {
			UserGroupInformation ugi = this.getCurrentUserGroupInfo();

			grantor = ugi != null ? ugi.getShortUserName() : null;
		}

		return grantor;
	}

	private Set<String> getGrantorGroupNames(HivePrincipal grantorPrincipal) {
		Set<String> ret = null;

		String grantor = grantorPrincipal != null ? grantorPrincipal.getName() : null;

		UserGroupInformation ugi = StringUtil.isEmpty(grantor) ? this.getCurrentUserGroupInfo() : UserGroupInformation.createRemoteUser(grantor);

		String[] groups = ugi != null ? ugi.getGroupNames() : null;

		if (groups != null && groups.length > 0) {
			ret = new HashSet<>(Arrays.asList(groups));
		}

		return ret;
	}

	private GrantRevokeRequest createGrantRevokeData(RangerHiveResource  resource,
													 List<HivePrincipal> hivePrincipals,
													 List<HivePrivilege> hivePrivileges,
													 HivePrincipal       grantorPrincipal,
													 boolean             grantOption)
														  throws HiveAccessControlException {
		if(resource == null ||
		  ! (   resource.getObjectType() == HiveObjectType.DATABASE
		     || resource.getObjectType() == HiveObjectType.TABLE
		     || resource.getObjectType() == HiveObjectType.VIEW
		     || resource.getObjectType() == HiveObjectType.COLUMN
		   )
		  ) {
			throw new HiveAccessControlException("grant/revoke: unexpected object type '" + (resource == null ? null : resource.getObjectType().name()));
		}

		GrantRevokeRequest ret = new GrantRevokeRequest();

		ret.setGrantor(getGrantorUsername(grantorPrincipal));
		ret.setGrantorGroups(getGrantorGroupNames(grantorPrincipal));
		ret.setDelegateAdmin(grantOption ? Boolean.TRUE : Boolean.FALSE);
		ret.setEnableAudit(Boolean.TRUE);
		ret.setReplaceExistingPermissions(Boolean.FALSE);

		String database = StringUtils.isEmpty(resource.getDatabase()) ? "*" : resource.getDatabase();
		String table    = StringUtils.isEmpty(resource.getTable()) ? "*" : resource.getTable();
		String column   = StringUtils.isEmpty(resource.getColumn()) ? "*" : resource.getColumn();

		Map<String, String> mapResource = new HashMap<String, String>();
		mapResource.put(RangerHiveResource.KEY_DATABASE, database);
		mapResource.put(RangerHiveResource.KEY_TABLE, table);
		mapResource.put(RangerHiveResource.KEY_COLUMN, column);
		ret.setOwnerUser(resource.getOwnerUser());
		ret.setResource(mapResource);

		SessionState ss = SessionState.get();
		if(ss != null) {
			ret.setClientIPAddress(ss.getUserIpAddress());
			ret.setSessionId(ss.getSessionId());

			HiveConf hiveConf = ss.getConf();

			if(hiveConf != null) {
				ret.setRequestData(hiveConf.get(HIVE_CONF_VAR_QUERY_STRING));
			}
		}

		HiveAuthzSessionContext sessionContext = getHiveAuthzSessionContext();
		if(sessionContext != null) {
			ret.setClientType(sessionContext.getClientType() == null ? null : sessionContext.getClientType().toString());
		}

		for(HivePrincipal principal : hivePrincipals) {
			switch(principal.getType()) {
				case USER:
					ret.getUsers().add(principal.getName());
				break;

				case GROUP:
					ret.getGroups().add(principal.getName());
					break;

				case ROLE:
					ret.getRoles().add(principal.getName());
					break;

				case UNKNOWN:
				break;
			}
		}

		for(HivePrivilege privilege : hivePrivileges) {
			String privName = privilege.getName();
			
			if(StringUtils.equalsIgnoreCase(privName, HiveAccessType.ALL.name()) ||
			   StringUtils.equalsIgnoreCase(privName, HiveAccessType.ALTER.name()) ||
			   StringUtils.equalsIgnoreCase(privName, HiveAccessType.CREATE.name()) ||
			   StringUtils.equalsIgnoreCase(privName, HiveAccessType.DROP.name()) ||
			   StringUtils.equalsIgnoreCase(privName, HiveAccessType.INDEX.name()) ||
			   StringUtils.equalsIgnoreCase(privName, HiveAccessType.LOCK.name()) ||
			   StringUtils.equalsIgnoreCase(privName, HiveAccessType.SELECT.name()) ||
			   StringUtils.equalsIgnoreCase(privName, HiveAccessType.UPDATE.name())) {
				ret.getAccessTypes().add(privName.toLowerCase());
			} else if (StringUtils.equalsIgnoreCase(privName, "Insert") ||
							StringUtils.equalsIgnoreCase(privName, "Delete")) {
				// Mapping Insert/Delete to Update
				ret.getAccessTypes().add(HiveAccessType.UPDATE.name().toLowerCase());
			} else {
				LOG.warn("grant/revoke: unexpected privilege type '" + privName + "'. Ignored");
			}
		}

		return ret;
	}

	@Override
	public List<HivePrivilegeInfo> showPrivileges(HivePrincipal principal,
												  HivePrivilegeObject privObj) throws HiveAuthzPluginException {
		List<HivePrivilegeInfo> ret;

		if (LOG.isDebugEnabled()) {
			LOG.debug("==> RangerHiveAuthorizer.showPrivileges ==>  principal: " +  principal+ "HivePrivilegeObject : " + privObj.getObjectName());
		}

		if ( hivePlugin == null) {
			new HiveAuthzPluginException("RangerHiveAuthorizer.showPrivileges error: hivePlugin is null");
		}

		try {
			HiveObjectRef msObjRef = AuthorizationUtils.getThriftHiveObjectRef(privObj);

			if (msObjRef.getObjectName() == null) {
				throw new HiveAuthzPluginException("RangerHiveAuthorizer.showPrivileges() only supports SHOW PRIVILEGES for Hive resources and not user level");
			}

			ret = getHivePrivilegeInfos(principal, privObj);

		} catch (Exception e) {
			LOG.error("RangerHiveAuthorizer.showPrivileges() error", e);
			throw new HiveAuthzPluginException("RangerHiveAuthorizer.showPrivileges() error: " + e.getMessage(), e);
		}

		if (LOG.isDebugEnabled()) {
			LOG.debug("<== RangerHiveAuthorizer.showPrivileges() Result: " + ret);
		}

		return ret;
	}

	private HivePrivilegeObjectType getPluginPrivilegeObjType(
			org.apache.hadoop.hive.metastore.api.HiveObjectType objectType) {
		switch (objectType) {
		case DATABASE:
			return HivePrivilegeObjectType.DATABASE;
		case TABLE:
			return HivePrivilegeObjectType.TABLE_OR_VIEW;
		default:
			throw new AssertionError("Unexpected object type " + objectType);
		}
	}

	static HiveObjectRef getThriftHiveObjectRef(HivePrivilegeObject privObj)
			throws HiveAuthzPluginException {
		try {
			return AuthorizationUtils.getThriftHiveObjectRef(privObj);
		} catch (HiveException e) {
			throw new HiveAuthzPluginException(e);
		}
	}

	private RangerRequestedResources buildRequestContextWithAllAccessedResources(List<RangerHiveAccessRequest> requests) {

		RangerRequestedResources requestedResources = new RangerRequestedResources();

		for (RangerHiveAccessRequest request : requests) {
			// Build list of all things requested and put it in the context of each request
			RangerAccessRequestUtil.setRequestedResourcesInContext(request.getContext(), requestedResources);

			RangerHiveResource resource = (RangerHiveResource) request.getResource();

			if (resource.getObjectType() == HiveObjectType.COLUMN && StringUtils.contains(resource.getColumn(), COLUMN_SEP)) {

				String[] columns = StringUtils.split(resource.getColumn(), COLUMN_SEP);

				// in case of multiple columns, original request is not sent to the plugin; hence service-def will not be set
				resource.setServiceDef(hivePlugin.getServiceDef());

				for (String column : columns) {
					if (column != null) {
						column = column.trim();
					}
					if (StringUtils.isBlank(column)) {
						continue;
					}

					RangerHiveResource colResource = new RangerHiveResource(HiveObjectType.COLUMN, resource.getDatabase(), resource.getTable(), column);
					colResource.setOwnerUser(resource.getOwnerUser());
					colResource.setServiceDef(hivePlugin.getServiceDef());

					requestedResources.addRequestedResource(colResource);

				}
			} else {
				resource.setServiceDef(hivePlugin.getServiceDef());
				requestedResources.addRequestedResource(resource);
			}
		}

		if (LOG.isDebugEnabled()) {
			LOG.debug("RangerHiveAuthorizer.buildRequestContextWithAllAccessedResources() - " + requestedResources);
		}

		return requestedResources;
	}

	private boolean isBlockAccessIfRowfilterColumnMaskSpecified(HiveOperationType hiveOpType, RangerHiveAccessRequest request) {
		boolean            ret      = false;
		RangerHiveResource resource = (RangerHiveResource)request.getResource();
		HiveObjectType     objType  = resource.getObjectType();

		if(objType == HiveObjectType.TABLE || objType == HiveObjectType.VIEW || objType == HiveObjectType.COLUMN) {
			ret = hiveOpType == HiveOperationType.EXPORT;

			if(!ret) {
				if (request.getHiveAccessType() == HiveAccessType.UPDATE && hivePlugin.BlockUpdateIfRowfilterColumnMaskSpecified) {
					ret = true;
				}
			}
		}

		if(LOG.isDebugEnabled()) {
			LOG.debug("isBlockAccessIfRowfilterColumnMaskSpecified(" + hiveOpType + ", " + request + "): " + ret);
		}

		return ret;
	}

	private boolean isTempUDFOperation(String hiveOpTypeName, HivePrivilegeObject hiveObj) {
		boolean ret = false;
		if ((hiveOpTypeName.contains("createfunction") || hiveOpTypeName.contains("dropfunction")) &&
				StringUtils.isEmpty(hiveObj.getDbname())) {
			// This happens for temp udf function and will use
			// global resource policy in ranger for auth
			ret = true;
		}
		return ret;
	}

	private List<HivePrivilegeInfo> getHivePrivilegeInfos(HivePrincipal principal, HivePrivilegeObject privObj) throws HiveAuthzPluginException {
		List<HivePrivilegeInfo> ret = new ArrayList<>();
		HivePrivilegeObject.HivePrivilegeObjectType objectType = null;
		Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> userPermissions  = null;
		Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> groupPermissions = null;
		Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> rolePermissions = null;

		String 		 		dbName	= null;
		String		 	 objectName = null;
		String		 	 columnName	= null;
		List<String> 	 partValues = null;

		try {
			HiveObjectRef msObjRef = AuthorizationUtils.getThriftHiveObjectRef(privObj);

			if (msObjRef != null) {
				HivePrivilegeObject hivePrivilegeObject = null;

				if (msObjRef.getObjectName() != null) {
					// when resource is specified in the show grants, acl will be for that resource / user / groups
					objectType = getPluginPrivilegeObjType(msObjRef.getObjectType());
					dbName = msObjRef.getDbName();
					objectName = msObjRef.getObjectName();
					columnName = (msObjRef.getColumnName() == null) ? new String() : msObjRef.getColumnName();
					partValues = (msObjRef.getPartValues() == null) ? new ArrayList<>() : msObjRef.getPartValues();
					hivePrivilegeObject = new HivePrivilegeObject(objectType, dbName, objectName);

					RangerResourceACLs rangerResourceACLs = getRangerResourceACLs(hivePrivilegeObject);

					if (rangerResourceACLs != null) {
						Map<String, Map<String, RangerResourceACLs.AccessResult>>  userRangerACLs = rangerResourceACLs.getUserACLs();
						Map<String, Map<String, RangerResourceACLs.AccessResult>> groupRangerACLs = rangerResourceACLs.getGroupACLs();
						Map<String, Map<String, RangerResourceACLs.AccessResult>> roleRangerACLs = rangerResourceACLs.getRoleACLs();
						userPermissions  = convertRangerACLsToHiveACLs(userRangerACLs);
						groupPermissions = convertRangerACLsToHiveACLs(groupRangerACLs);
						rolePermissions = convertRangerACLsToHiveACLs(roleRangerACLs);

						if (principal != null) {
							if (principal.getType() == HivePrincipal.HivePrincipalType.USER) {
								String user = principal.getName();
								Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> userACLs = userPermissions.get(user);
								if (userACLs != null) {
									Map<String, RangerResourceACLs.AccessResult> userAccessResult = userRangerACLs.get(user);
									for (HiveResourceACLs.Privilege userACL : userACLs.keySet()) {
										RangerPolicy policy = getRangerPolicy(userAccessResult, userACL.name());
										if (policy != null) {
											String aclname = getPermission(userACL, userAccessResult, policy);
											HivePrivilegeInfo privilegeInfo = createHivePrivilegeInfo(principal, objectType, dbName, objectName, columnName, partValues, aclname, policy);
											ret.add(privilegeInfo);
										}
									}
								}

								Set<String> groups = getPrincipalGroup(user);
								for(String group : groups) {
									Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> groupACLs = groupPermissions.get(group);
									if (groupACLs != null) {
										Map<String, RangerResourceACLs.AccessResult> groupAccessResult = groupRangerACLs.get(group);
										for (HiveResourceACLs.Privilege groupACL : groupACLs.keySet()) {
											RangerPolicy policy = getRangerPolicy(groupAccessResult, groupACL.name());
											if (policy != null) {
												String aclname = getPermission(groupACL, groupAccessResult, policy);
												HivePrivilegeInfo privilegeInfo = createHivePrivilegeInfo(principal, objectType, dbName, objectName, columnName, partValues, aclname, policy);
												ret.add(privilegeInfo);
											}
										}
									}
								}
							} else if (principal.getType() == HivePrincipal.HivePrincipalType.ROLE){
								String role = principal.getName();
								Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> roleACLs = rolePermissions.get(role);
								if (roleACLs != null) {
									Map<String, RangerResourceACLs.AccessResult> roleAccessResult = roleRangerACLs.get(role);
									for (HiveResourceACLs.Privilege roleACL : roleACLs.keySet()) {
										RangerPolicy policy = getRangerPolicy(roleAccessResult, roleACL.name());
										if (policy != null) {
											String aclname = getPermission(roleACL, roleAccessResult, policy);
											HivePrivilegeInfo privilegeInfo = createHivePrivilegeInfo(principal, objectType, dbName, objectName, columnName, partValues, aclname, policy);
											ret.add(privilegeInfo);
										}
									}
								}

							}
						} else {
							// Request is for all the ACLs on a resource
							for (String user : userRangerACLs.keySet()) {
								HivePrincipal hivePrincipal = new HivePrincipal(user, HivePrincipal.HivePrincipalType.USER);
								Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> userACLs = userPermissions.get(user);

								if (userACLs != null) {
									Map<String, RangerResourceACLs.AccessResult> userAccessResult = userRangerACLs.get(user);
									for (HiveResourceACLs.Privilege userACL : userACLs.keySet()) {
										RangerPolicy policy = getRangerPolicy(userAccessResult, userACL.name());
										if (policy != null) {
											String aclname = getPermission(userACL, userAccessResult, policy);
											HivePrivilegeInfo privilegeInfo = createHivePrivilegeInfo(hivePrincipal, objectType, dbName, objectName, columnName, partValues, aclname, policy);
											ret.add(privilegeInfo);
										}
									}
								}
							}

							for (String group : groupRangerACLs.keySet()) {
								HivePrincipal hivePrincipal = new HivePrincipal(group, HivePrincipal.HivePrincipalType.GROUP);
								Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> groupACLs = groupPermissions.get(group);
								if (groupACLs != null) {
									Map<String, RangerResourceACLs.AccessResult> groupAccessResult = groupRangerACLs.get(group);
									for (HiveResourceACLs.Privilege groupACL : groupACLs.keySet()) {
										RangerPolicy policy = getRangerPolicy(groupAccessResult, groupACL.name());
										if (policy != null) {
											String aclname = getPermission(groupACL, groupAccessResult, policy);
											HivePrivilegeInfo privilegeInfo = createHivePrivilegeInfo(hivePrincipal, objectType, dbName, objectName, columnName, partValues, aclname, policy);
											ret.add(privilegeInfo);
										}
									}
								}
							}

							for (String role : roleRangerACLs.keySet()) {
								HivePrincipal hivePrincipal = new HivePrincipal(role, HivePrincipal.HivePrincipalType.ROLE);
								Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> roleACLs = rolePermissions.get(role);
								if (roleACLs != null) {
									Map<String, RangerResourceACLs.AccessResult> roleAccessResult = roleRangerACLs.get(role);
									for (HiveResourceACLs.Privilege roleACL : roleACLs.keySet()) {
										RangerPolicy policy = getRangerPolicy(roleAccessResult, roleACL.name());
										if (policy != null) {
											String aclname = getPermission(roleACL, roleAccessResult, policy);
											HivePrivilegeInfo privilegeInfo = createHivePrivilegeInfo(hivePrincipal, objectType, dbName, objectName, columnName, partValues, aclname, policy);
											ret.add(privilegeInfo);
										}
									}
								}
							}
						}
					}
				}
			}
		} catch (Exception e) {
			throw new HiveAuthzPluginException("hive showPrivileges" + ": " + e.getMessage(), e);
		}
		return ret;
	}

	private RangerPolicy getRangerPolicy(Map<String, RangerResourceACLs.AccessResult> accessResults, String rangerACL){
		RangerPolicy ret = null;
		if (MapUtils.isNotEmpty(accessResults)) {
			RangerResourceACLs.AccessResult accessResult = accessResults.get(rangerACL.toLowerCase());
			if (accessResult != null) {
				ret = accessResult.getPolicy();
			}
		}
		return ret;
	}

	private HivePrivilegeInfo createHivePrivilegeInfo(HivePrincipal hivePrincipal,
													  HivePrivilegeObject.HivePrivilegeObjectType objectType,
													  String dbName,
													  String objectName,
													  String columnName,
													  List<String> partValues,
													  String aclName,
													  RangerPolicy policy) {
		HivePrivilegeInfo ret = null;
		int     creationDate  = 0;
		boolean delegateAdmin = false;

		for (RangerPolicy.RangerPolicyItem policyItem : policy.getPolicyItems()) {
			List<RangerPolicy.RangerPolicyItemAccess> policyItemAccesses = policyItem.getAccesses();
			List<String> users = policyItem.getUsers();
			List<String> groups = policyItem.getGroups();
			List<String> accessTypes = new ArrayList<>();

			for (RangerPolicy.RangerPolicyItemAccess policyItemAccess : policyItemAccesses) {
				accessTypes.add(policyItemAccess.getType());
			}

			if (accessTypes.contains(aclName.toLowerCase()) && (users.contains(hivePrincipal.getName())
					|| groups.contains(hivePrincipal.getName()))) {
				creationDate = (policy.getCreateTime() == null) ? creationDate : (int) (policy.getCreateTime().getTime()/1000);
				delegateAdmin = (policyItem.getDelegateAdmin() == null) ? delegateAdmin : policyItem.getDelegateAdmin().booleanValue();
			}
		}

		HivePrincipal grantorPrincipal = new HivePrincipal(DEFAULT_RANGER_POLICY_GRANTOR, HivePrincipal.HivePrincipalType.USER);
		HivePrivilegeObject privilegeObject = new HivePrivilegeObject(objectType, dbName, objectName, partValues, columnName);
		HivePrivilege privilege = new HivePrivilege(aclName, null);
		ret = new HivePrivilegeInfo(hivePrincipal, privilege, privilegeObject, grantorPrincipal, delegateAdmin, creationDate);

		return ret;
	}

	private Set<String> getPrincipalGroup(String user) {
		Set<String> 		 groups = null;
		UserGroupInformation    ugi = UserGroupInformation.createRemoteUser(user);
		groups = Sets.newHashSet(ugi.getGroupNames());
		return groups;
	}

	private RangerResourceACLs getRangerResourceACLs(HivePrivilegeObject hiveObject) {

		RangerResourceACLs ret = null;

		if (LOG.isDebugEnabled()) {
			LOG.debug("==> RangerHivePolicyProvider.getRangerResourceACLs:[" + hiveObject + "]");
		}

		RangerHiveResource hiveResource = RangerHiveAuthorizer.createHiveResource(hiveObject);
		RangerAccessRequestImpl request = new RangerAccessRequestImpl(hiveResource, RangerPolicyEngine.ANY_ACCESS, null, null, null);

		ret = hivePlugin.getResourceACLs(request);

		if (LOG.isDebugEnabled()) {
			LOG.debug("<== RangerHivePolicyProvider.getRangerResourceACLs:[" + hiveObject + "], Computed ACLS:[" + ret + "]");
		}

		return ret;
	}

	private Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> convertRangerACLsToHiveACLs(Map<String, Map<String, RangerResourceACLs.AccessResult>> rangerACLs) {

		Map<String, Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult>> ret = new HashMap<>();

		if (MapUtils.isNotEmpty(rangerACLs)) {
			Set<String> hivePrivileges = new HashSet<>();
			for (HiveResourceACLs.Privilege privilege : HiveResourceACLs.Privilege.values()) {
				hivePrivileges.add(privilege.name().toLowerCase());
			}

			for (Map.Entry<String, Map<String, RangerResourceACLs.AccessResult>> entry : rangerACLs.entrySet()) {

				Map<HiveResourceACLs.Privilege, HiveResourceACLs.AccessResult> permissions = new HashMap<>();
				ret.put(entry.getKey(), permissions);

				for (Map.Entry<String, RangerResourceACLs.AccessResult> permission : entry.getValue().entrySet()) {

					if (hivePrivileges.contains(permission.getKey())) {
						HiveResourceACLs.Privilege privilege = HiveResourceACLs.Privilege.valueOf(StringUtils.upperCase(permission.getKey()));
						HiveResourceACLs.AccessResult accessResult;
						int rangerResultValue = permission.getValue().getResult();

						if (rangerResultValue == RangerPolicyEvaluator.ACCESS_ALLOWED) {
							accessResult = HiveResourceACLs.AccessResult.ALLOWED;
						} else if (rangerResultValue == RangerPolicyEvaluator.ACCESS_DENIED) {
							accessResult = HiveResourceACLs.AccessResult.NOT_ALLOWED;
						} else if (rangerResultValue == RangerPolicyEvaluator.ACCESS_CONDITIONAL) {
							accessResult = HiveResourceACLs.AccessResult.CONDITIONAL_ALLOWED;
						} else {
							// Should not get here
							accessResult = HiveResourceACLs.AccessResult.NOT_ALLOWED;
						}
						permissions.put(privilege, accessResult);
					}
				}
			}
		}
		return ret;
	}

	private String getPermission(HiveResourceACLs.Privilege acl, Map<String, RangerResourceACLs.AccessResult> accessResultMap, RangerPolicy policy ) {
		String aclname = acl.name();
		int aclResult = checkACLIsAllowed(acl, accessResultMap);
		if (aclResult > RangerPolicyEvaluator.ACCESS_DENIED) {
			// Other than denied ACLs are considered
			if (policy != null) {
				if (aclResult == RangerPolicyEvaluator.ACCESS_UNDETERMINED)  {
					aclname = aclname + " " + "(ACCESS_UNDETERMINED)";
				} else if (aclResult == RangerPolicyEvaluator.ACCESS_CONDITIONAL) {
					aclname = aclname + " " + "(ACCESS_CONDITIONAL)";
				}
			}
		}
		return aclname;
	}

	private int checkACLIsAllowed(HiveResourceACLs.Privilege acl, Map<String, RangerResourceACLs.AccessResult> accessResultMap ) {
		int result = -1;
		String  aclName = acl.name().toLowerCase();
		RangerResourceACLs.AccessResult accessResult = accessResultMap.get(aclName);
		if (accessResult != null) {
			result = accessResult.getResult();
		}
		return result;
	}

	private String toString(HiveOperationType         hiveOpType,
							List<HivePrivilegeObject> inputHObjs,
							List<HivePrivilegeObject> outputHObjs,
							HiveAuthzContext          context,
							HiveAuthzSessionContext   sessionContext) {
		StringBuilder sb = new StringBuilder();
		
		sb.append("'checkPrivileges':{");
		sb.append("'hiveOpType':").append(hiveOpType);

		sb.append(", 'inputHObjs':[");
		toString(inputHObjs, sb);
		sb.append("]");

		sb.append(", 'outputHObjs':[");
		toString(outputHObjs, sb);
		sb.append("]");

		sb.append(", 'context':{");
		sb.append("'clientType':").append(sessionContext == null ? null : sessionContext.getClientType());
		sb.append(", 'commandString':").append(context == null ? "null" : context.getCommandString());
		sb.append(", 'ipAddress':").append(context == null ? "null" : context.getIpAddress());
		sb.append(", 'forwardedAddresses':").append(context == null ? "null" : StringUtils.join(context.getForwardedAddresses(), ", "));
		sb.append(", 'sessionString':").append(sessionContext == null ? "null" : sessionContext.getSessionString());
		sb.append("}");

		sb.append(", 'user':").append(this.getCurrentUserGroupInfo().getUserName());
		sb.append(", 'groups':[").append(StringUtil.toString(this.getCurrentUserGroupInfo().getGroupNames())).append("]");
		sb.append("}");

		return sb.toString();
	}

	private StringBuilder toString(List<HivePrivilegeObject> privObjs, StringBuilder sb) {
		if(privObjs != null && privObjs.size() > 0) {
			toString(privObjs.get(0), sb);
			for(int i = 1; i < privObjs.size(); i++) {
				sb.append(",");
				toString(privObjs.get(i), sb);
			}
		}
		
		return sb;
	}

	private StringBuilder toString(HivePrivilegeObject privObj, StringBuilder sb) {
		sb.append("'HivePrivilegeObject':{");
		sb.append("'type':").append(privObj.getType().toString());
		sb.append(", 'dbName':").append(privObj.getDbname());
		sb.append(", 'objectType':").append(privObj.getType());
		sb.append(", 'objectName':").append(privObj.getObjectName());
		sb.append(", 'columns':[").append(StringUtil.toString(privObj.getColumns())).append("]");
		sb.append(", 'partKeys':[").append(StringUtil.toString(privObj.getPartKeys())).append("]");
		sb.append(", 'commandParams':[").append(StringUtil.toString(privObj.getCommandParams())).append("]");
		sb.append(", 'actionType':").append(privObj.getActionType().toString());
		//sb.append(", 'owner':").append(privObj.getOwnerName());
		sb.append("}");

		return sb;
	}

	private RangerAccessResult createAuditEvent(RangerHivePlugin hivePlugin, String userOrGrantor, List<String> roleUsers, HiveOperationType hiveOperationType, HiveAccessType accessType, List<String> roleNames, boolean result) {
		RangerHiveAccessRequest	rangerHiveAccessRequest	= createRangerHiveAccessRequest(userOrGrantor, roleUsers, hiveOperationType, accessType, roleNames);
		RangerAccessResult		accessResult 			= createRangerHiveAccessResult(hivePlugin, userOrGrantor, rangerHiveAccessRequest, result);
		return accessResult;
	}

	private RangerHiveAccessRequest createRangerHiveAccessRequest(String userOrGrantor, List<String> roleUsers, HiveOperationType hiveOperationType, HiveAccessType accessType, List<String> roleNames) {
		RangerHiveAccessRequest ret = null;

		HiveAuthzContext.Builder builder	   = new HiveAuthzContext.Builder();
		String					 roleNameStr   = createRoleString(roleNames);
		String 					 userNameStr   = createUserString(roleUsers);
		String					 commandString = getCommandString(hiveOperationType, userNameStr, roleNameStr);
		String 					 cmdStr		   = (commandString != null) ? commandString : StringUtils.EMPTY;
		builder.setCommandString(cmdStr);
		HiveAuthzContext 		hiveAuthzContext = builder.build();

		RangerHiveResource rangerHiveResource	= new RangerHiveResource(HiveObjectType.GLOBAL,"*");
		ret = new RangerHiveAccessRequest(rangerHiveResource, userOrGrantor, null, null, hiveOperationType, accessType, hiveAuthzContext, null);
		ret.setClusterName(hivePlugin.getClusterName());
		ret.setAction(hiveOperationType.name());
		ret.setClientIPAddress(getRemoteIp());
		ret.setRemoteIPAddress(getRemoteIp());

		return ret;
	}

	private RangerAccessResult createRangerHiveAccessResult(RangerHivePlugin hivePlugin, String userOrGrantor, RangerHiveAccessRequest rangerHiveAccessRequest, boolean result) {
		RangerAccessResult ret = null;

		String				serviceName	= hivePlugin.getServiceName();
		RangerServiceDef    serviceDef	= hivePlugin.getServiceDef();
		String				reason		= String.format("%s is not an Admin", userOrGrantor);
		if (result) {
			reason = String.format("%s is Admin", userOrGrantor);
		}
		ret = new RangerAccessResult(RangerPolicy.POLICY_TYPE_ACCESS, serviceName, serviceDef, rangerHiveAccessRequest);
		ret.setIsAccessDetermined(true);
		ret.setIsAudited(true);
		ret.setIsAllowed(result);
		ret.setAuditPolicyId(-1);
		ret.setPolicyId(-1);
		ret.setPolicyPriority(RangerPolicy.POLICY_PRIORITY_NORMAL);
		ret.setZoneName(null);
		ret.setPolicyVersion(null);
		ret.setReason(reason);
		ret.setAdditionalInfo(MapUtils.EMPTY_MAP);

		return ret;
	}

	private String getCommandString(HiveOperationType hiveOperationType, String user, String roleName) {
		String ret = StringUtils.EMPTY;

		switch (hiveOperationType) {
			case CREATEROLE:
				ret = String.format(CMD_CREATE_ROLE, roleName);
				break;
			case DROPROLE:
				ret = String.format(CMD_DROP_ROLE, roleName);
				break;
			case SHOW_ROLES:
				ret = CMD_SHOW_ROLES;
				break;
			case SHOW_ROLE_GRANT:
				ret = String.format(CMD_SHOW_ROLE_GRANT, user);
				break;
			case SHOW_ROLE_PRINCIPALS:
				ret = String.format(CMD_SHOW_PRINCIPALS, roleName);
				break;
			case GRANT_ROLE:
				ret = String.format(CMD_GRANT_ROLE, roleName, user);
				break;
			case REVOKE_ROLE:
				ret = String.format(CMD_REVOKE_ROLE, user, roleName);
				break;
		}

		return ret;
	}

	private String createRoleString(List<String> roleNames) {
		String ret = null;

		if (CollectionUtils.isEmpty(roleNames)) {
			ret = StringUtils.EMPTY;
		} else {
			if (roleNames.size() > 1) {
				ret = StringUtils.join(roleNames,",");
			} else {
				ret = roleNames.get(0);
			}
		}

		return ret;
	}

	private String createUserString (List<String> userNames) {
		String ret = null;

		if (CollectionUtils.isEmpty(userNames)) {
			ret = StringUtils.EMPTY;
		} else {
			if (userNames.size() > 1) {
				ret = StringUtils.join(userNames,",");
			} else {
				ret = userNames.get(0);
			}
		}

		return ret;
	}


	private static String getRemoteIp() {
		String ret = null;
		InetAddress ip = Server.getRemoteIp();
		if (ip != null) {
			ret = ip.getHostAddress();
		}
		return ret;
	}
}

enum HiveObjectType { NONE, DATABASE, TABLE, VIEW, PARTITION, INDEX, COLUMN, FUNCTION, URI, SERVICE_NAME, GLOBAL };
enum HiveAccessType { NONE, CREATE, ALTER, DROP, INDEX, LOCK, SELECT, UPDATE, USE, READ, WRITE, ALL, REPLADMIN, SERVICEADMIN, TEMPUDFADMIN };

class HiveObj {
	String databaseName;
	String tableName;

	HiveObj(HiveAuthzContext context) {
	 fetchHiveObj(context);
	}

	public String getDatabaseName() {
		return databaseName;
	}

	public String getTableName() {
		return tableName;
	}

	private void fetchHiveObj(HiveAuthzContext context) {
		if (context != null) {
			String cmdString = context.getCommandString();
			if (cmdString != null) {
				String[] cmd = cmdString.trim().split("\\s+");
				if (!ArrayUtils.isEmpty(cmd) && cmd.length > 2) {
					String dbName = cmd[2];
					if (dbName.contains(".")) {
						String[] result = splitDBName(dbName);
						databaseName = result[0];
						tableName = result[1];
					} else {
						databaseName = dbName;
						tableName = null;
					}
				}
			}
		}
	}

	private String[] splitDBName(String dbName) {
		String[] ret = null;
		ret = dbName.split("\\.");
		return ret;
	}
}

class RangerHivePlugin extends RangerBasePlugin {
	public static boolean UpdateXaPoliciesOnGrantRevoke = RangerHadoopConstants.HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE;
	public static boolean BlockUpdateIfRowfilterColumnMaskSpecified = RangerHadoopConstants.HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_DEFAULT_VALUE;
	public static String DescribeShowTableAuth = RangerHadoopConstants.HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP_DEFAULT_VALUE;

	private static String RANGER_PLUGIN_HIVE_ULRAUTH_FILESYSTEM_SCHEMES = "ranger.plugin.hive.urlauth.filesystem.schemes";
	private static String RANGER_PLUGIN_HIVE_ULRAUTH_FILESYSTEM_SCHEMES_DEFAULT = "hdfs:,file:";
	private static String FILESYSTEM_SCHEMES_SEPARATOR_CHAR = ",";
	private String[] fsScheme = null;

	public RangerHivePlugin(String appType) {
		super("hive", appType);
	}

	@Override
	public void init() {
		super.init();

		RangerHivePlugin.UpdateXaPoliciesOnGrantRevoke = getConfig().getBoolean(RangerHadoopConstants.HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_PROP, RangerHadoopConstants.HIVE_UPDATE_RANGER_POLICIES_ON_GRANT_REVOKE_DEFAULT_VALUE);
		RangerHivePlugin.BlockUpdateIfRowfilterColumnMaskSpecified = getConfig().getBoolean(RangerHadoopConstants.HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_PROP, RangerHadoopConstants.HIVE_BLOCK_UPDATE_IF_ROWFILTER_COLUMNMASK_SPECIFIED_DEFAULT_VALUE);
		RangerHivePlugin.DescribeShowTableAuth = getConfig().get(RangerHadoopConstants.HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP, RangerHadoopConstants.HIVE_DESCRIBE_TABLE_SHOW_COLUMNS_AUTH_OPTION_PROP_DEFAULT_VALUE);

		String fsSchemesString = getConfig().get(RANGER_PLUGIN_HIVE_ULRAUTH_FILESYSTEM_SCHEMES, RANGER_PLUGIN_HIVE_ULRAUTH_FILESYSTEM_SCHEMES_DEFAULT);
		fsScheme = StringUtils.split(fsSchemesString, FILESYSTEM_SCHEMES_SEPARATOR_CHAR);

		if (fsScheme != null) {
			for (int i = 0; i < fsScheme.length; i++) {
				fsScheme[i] = fsScheme[i].trim();
			}
		}
	}

	public String[] getFSScheme() {
		return fsScheme;
	}
}