sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/service/model/MSentryGMPrivilege.java - incubator-sentry - Git at Google

 /**
 vim  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.apache.sentry.provider.db.service.model;

 import static org.apache.sentry.provider.common.ProviderConstants.AUTHORIZABLE_JOINER;
 import static org.apache.sentry.provider.common.ProviderConstants.KV_JOINER;

 import java.lang.reflect.Field;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Set;

 import javax.jdo.annotations.PersistenceCapable;
 import org.apache.sentry.core.common.Authorizable;
 import org.apache.sentry.core.model.db.AccessConstants;

 import com.google.common.base.Strings;
 import com.google.common.collect.Lists;

 /**
  * Database backed Sentry Generic Privilege for new authorization Model
  * Any changes to this object
  * require re-running the maven build so DN an re-enhance.
  */
 @PersistenceCapable
 public class MSentryGMPrivilege {
   private static final String PREFIX_RESOURCE_NAME = "resourceName";
   private static final String PREFIX_RESOURCE_TYPE = "resourceType";
   private static final String NULL_COL = "__NULL__";
   private static final String SERVICE_SCOPE = "Server";
   private static final int AUTHORIZABLE_LEVEL = 4;
   /**
    * The authorizable List has been stored into resourceName and resourceField columns
    * We assume that the generic model privilege for any component(hive/impala or solr) doesn't exceed four level.
    * This generic model privilege currently can support maximum 4 level.
    **/
   private String resourceName0 = NULL_COL;
   private String resourceType0 = NULL_COL;
   private String resourceName1 = NULL_COL;
   private String resourceType1 = NULL_COL;
   private String resourceName2 = NULL_COL;
   private String resourceType2 = NULL_COL;
   private String resourceName3 = NULL_COL;
   private String resourceType3 = NULL_COL;

   private String serviceName;
   private String componentName;
   private String action;
   private String scope;

   private Boolean grantOption = false;
   // roles this privilege is a part of
   private Set<MSentryRole> roles;
   private long createTime;

   public MSentryGMPrivilege() {
     this.roles = new HashSet<MSentryRole>();
   }

   public MSentryGMPrivilege(String componentName, String serviceName,
                                  List<? extends Authorizable> authorizables,
                                  String action, Boolean grantOption) {
     this.componentName = componentName;
     this.serviceName = serviceName;
     this.action = action;
     this.grantOption = grantOption;
     this.roles = new HashSet<MSentryRole>();
     this.createTime = System.currentTimeMillis();
     setAuthorizables(authorizables);
   }

   public MSentryGMPrivilege(MSentryGMPrivilege copy) {
     this.action = copy.action;
     this.componentName = copy.componentName;
     this.serviceName = copy.serviceName;
     this.grantOption = copy.grantOption;
     this.scope = copy.scope;
     this.createTime = copy.createTime;
     setAuthorizables(copy.getAuthorizables());
     this.roles = new HashSet<MSentryRole>();
     for (MSentryRole role : copy.roles) {
       roles.add(role);
     }
   }

   public String getServiceName() {
     return serviceName;
   }

   public void setServiceName(String serviceName) {
     this.serviceName = serviceName;
   }

   public String getComponentName() {
     return componentName;
   }

   public void setComponentName(String componentName) {
     this.componentName = componentName;
   }

   public String getAction() {
     return action;
   }

   public void setAction(String action) {
     this.action = action;
   }

   public Boolean getGrantOption() {
     return grantOption;
   }

   public void setGrantOption(Boolean grantOption) {
     this.grantOption = grantOption;
   }

   public Set<MSentryRole> getRoles() {
     return roles;
   }

   public void setRoles(Set<MSentryRole> roles) {
     this.roles = roles;
   }

   public long getCreateTime() {
     return createTime;
   }

   public void setCreateTime(long createTime) {
     this.createTime = createTime;
   }

   public String getScope() {
     return scope;
   }

   public List<? extends Authorizable> getAuthorizables() {
     List<Authorizable> authorizables = Lists.newArrayList();
     //construct atuhorizable lists
     for (int i = 0; i < AUTHORIZABLE_LEVEL; i++) {
       final String resourceName = (String) getField(this, PREFIX_RESOURCE_NAME + String.valueOf(i));
       final String resourceTYpe = (String) getField(this, PREFIX_RESOURCE_TYPE + String.valueOf(i));

       if (notNULL(resourceName) && notNULL(resourceTYpe)) {
         authorizables.add(new Authorizable() {
           @Override
           public String getTypeName() {
             return resourceTYpe;
           }
           @Override
           public String getName() {
             return resourceName;
           }
         });
       }
     }
     return authorizables;
   }

   /**
    * Only allow strict hierarchies. That is, can level =1 be not null when level = 0 is null
    * @param authorizables
    */
   public void setAuthorizables(List<? extends Authorizable> authorizables) {
     if ((authorizables == null) || (authorizables.isEmpty())) {
       //service scope
       scope = SERVICE_SCOPE;
       return;
     }
     if (authorizables.size() > AUTHORIZABLE_LEVEL) {
       throw new IllegalStateException("This generic privilege model only supports maximum 4 level.");
     }

     for (int i = 0; i < authorizables.size(); i++) {
       Authorizable authorizable = authorizables.get(i);
       if (authorizable == null) {
         String msg = String.format("The authorizable can't be null. Please check authorizables[%d]:", i);
         throw new IllegalStateException(msg);
       }
       String resourceName = authorizable.getName();
       String resourceTYpe = authorizable.getTypeName();
       if (isNULL(resourceName) || isNULL(resourceTYpe)) {
         String msg = String.format("The name and type of authorizable can't be empty or null.Please check authorizables[%d]", i);
         throw new IllegalStateException(msg);
       }
       setField(this, PREFIX_RESOURCE_NAME + String.valueOf(i), toNULLCol(resourceName));
       setField(this, PREFIX_RESOURCE_TYPE + String.valueOf(i), toNULLCol(resourceTYpe));
       scope = resourceTYpe;
     }
   }

   public void appendRole(MSentryRole role) {
     if (roles.add(role)) {
       role.appendGMPrivilege(this);
     }
   }

   public void removeRole(MSentryRole role) {
     if(roles.remove(role)) {
       role.removeGMPrivilege(this);
     }
   }

   @Override
   public int hashCode() {
     final int prime = 31;
     int result = 1;
     result = prime * result + ((action == null) ? 0 : action.hashCode());
     result = prime * result + ((componentName == null) ? 0 : componentName.hashCode());
     result = prime * result + ((serviceName == null) ? 0 : serviceName.hashCode());
     result = prime * result + ((grantOption == null) ? 0 : grantOption.hashCode());
     result = prime * result + ((scope == null) ? 0 : scope.hashCode());

     for (Authorizable authorizable : getAuthorizables()) {
       result = prime * result + authorizable.getName().hashCode();
       result = prime * result + authorizable.getTypeName().hashCode();
     }

     return result;
   }

   @Override
   public String toString() {
     List<String> unifiedNames = Lists.newArrayList();
     for (Authorizable auth : getAuthorizables()) {
       unifiedNames.add(KV_JOINER.join(auth.getTypeName(),auth.getName()));
     }

     return "MSentryGMPrivilege ["
         + "serverName=" + serviceName + ", componentName=" + componentName
         + ", authorizables=" + AUTHORIZABLE_JOINER.join(unifiedNames)+ ", scope=" + scope
         + ", action=" + action + ", roles=[...]"  + ", createTime="
         + createTime + ", grantOption=" + grantOption +"]";
   }

   @Override
   public boolean equals(Object obj) {
       if (this == obj)
           return true;
       if (obj == null)
           return false;
       if (getClass() != obj.getClass())
           return false;
       MSentryGMPrivilege other = (MSentryGMPrivilege) obj;
       if (action == null) {
           if (other.action != null)
               return false;
       } else if (!action.equalsIgnoreCase(other.action))
           return false;
       if (scope == null) {
         if (other.scope != null)
             return false;
       } else if (!scope.equals(other.scope))
         return false;
       if (serviceName == null) {
           if (other.serviceName != null)
               return false;
       } else if (!serviceName.equals(other.serviceName))
           return false;
       if (componentName == null) {
           if (other.componentName != null)
               return false;
       } else if (!componentName.equals(other.componentName))
           return false;
       if (grantOption == null) {
         if (other.grantOption != null)
           return false;
       } else if (!grantOption.equals(other.grantOption))
         return false;

       List<? extends Authorizable> authorizables = getAuthorizables();
       List<? extends Authorizable> other_authorizables = other.getAuthorizables();

       if (authorizables.size() != other_authorizables.size()) {
         return false;
       }
       for (int i = 0; i < authorizables.size(); i++) {
         String o1 = KV_JOINER.join(authorizables.get(i).getTypeName(),
                                          authorizables.get(i).getName());
         String o2 = KV_JOINER.join(other_authorizables.get(i).getTypeName(),
             other_authorizables.get(i).getName());
         if (!o1.equals(o2)) {
           return false;
         }
       }
       return true;
   }

   /**
    * Return true if this privilege implies request privilege
    * Otherwise, return false
    * @param other, other privilege
    */
   public boolean implies(MSentryGMPrivilege request) {
     //component check
     if (!componentName.equals(request.getComponentName())) {
       return false;
     }
     //service check
     if (!serviceName.equals(request.getServiceName())) {
       return false;
     }
     // check action implies
     if (!action.equalsIgnoreCase(AccessConstants.ALL)
         && !action.equalsIgnoreCase(request.getAction())
         && !action.equalsIgnoreCase(AccessConstants.ACTION_ALL)) {
       return false;
     }
     //check authorizable list implies
     Iterator<? extends Authorizable> existIterator = getAuthorizables().iterator();
     Iterator<? extends Authorizable> requestIterator = request.getAuthorizables().iterator();
     while (existIterator.hasNext() && requestIterator.hasNext()) {
       Authorizable existAuth = existIterator.next();
       Authorizable requestAuth = requestIterator.next();
       //check authorizable type
       if (!existAuth.getTypeName().equals(requestAuth.getTypeName())) {
         return false;
       }
       //check authorizable name
       if (!existAuth.getName().equals(requestAuth.getName())) {
         /**The persistent authorizable isn't equal the request authorizable
         * but the following situations are pass check
         * The name of persistent authorizable is ALL or "*"
         */
         if (existAuth.getName().equalsIgnoreCase(AccessConstants.ACTION_ALL)
             || existAuth.getName().equalsIgnoreCase(AccessConstants.ALL)) {
           continue;
         } else {
           return false;
         }
       }
     }

     if ( (!existIterator.hasNext()) && (!requestIterator.hasNext()) ){
       /**
        * The persistent privilege has the same authorizables size as the requested privilege
        * The check is pass
        */
       return true;

     } else if (existIterator.hasNext()) {
       /**
        * The persistent privilege has much more authorizables than request privilege,so its scope is less
        * than the requested privilege.
        * There is a situation that the check is pass, the name of the exceeding authorizables is ALL or "*".
        * Take the Solr for example,the exist privilege is collection=c1->field=*->action=query
        * the request privilege is collection=c1->action=query, the check is pass
        */
       while (existIterator.hasNext()) {
         Authorizable existAuthorizable = existIterator.next();
         if (existAuthorizable.getName().equalsIgnoreCase(AccessConstants.ALL)
             || existAuthorizable.getName().equalsIgnoreCase(AccessConstants.ACTION_ALL)) {
           continue;
         } else {
           return false;
         }
       }
     } else {
       /**
        * The requested privilege has much more authorizables than persistent privilege, so its scope is less
        * than the persistent privilege
        * The check is pass
        */
       return true;
     }

     return true;
   }

   public static String toNULLCol(String col) {
     return Strings.isNullOrEmpty(col) ? NULL_COL : col;
   }

   public static boolean notNULL(String s) {
     return !(Strings.isNullOrEmpty(s) || NULL_COL.equals(s));
   }

   public static boolean isNULL(String s) {
     return !notNULL(s);
   }

   public static <T> void setField(Object obj, String fieldName, T fieldValue) {
     try {
       Class<?> clazz = obj.getClass();
       Field field=clazz.getDeclaredField(fieldName);
       field.setAccessible(true);
       field.set(obj, fieldValue);
     } catch (Exception e) {
       throw new RuntimeException("setField error: " + e.getMessage(), e);
     }
   }

   @SuppressWarnings("unchecked")
   public static <T> T getField(Object obj, String fieldName) {
     try {
       Class<?> clazz = obj.getClass();
       Field field=clazz.getDeclaredField(fieldName);
       field.setAccessible(true);
       return (T)field.get(obj);
     } catch (Exception e) {
       throw new RuntimeException("getField error: " + e.getMessage(), e);
     }
   }

   /**
    * return the query to execute in JDO for search the given privilege
    * @param privilege
    * @return query
    */
   public static String toQuery(MSentryGMPrivilege privilege) {
     StringBuilder query = new StringBuilder();
     query.append("serviceName == \"" + toNULLCol(privilege.getServiceName()) + "\" ");
     query.append("&& componentName == \"" + toNULLCol(privilege.getComponentName()) + "\" ");
     query.append("&& scope == \"" + toNULLCol(privilege.getScope()) + "\" ");
     query.append("&& action == \"" + toNULLCol(privilege.getAction()) + "\"");
     if (privilege.getGrantOption() == null) {
       query.append("&& this.grantOption == null ");
     } else if (privilege.getGrantOption()) {
       query.append("&& grantOption ");
     } else {
       query.append("&& !grantOption ");
     }
     List<? extends Authorizable> authorizables = privilege.getAuthorizables();
     for (int i = 0; i < AUTHORIZABLE_LEVEL; i++) {
       String resourceName = PREFIX_RESOURCE_NAME + String.valueOf(i);
       String resourceType = PREFIX_RESOURCE_TYPE + String.valueOf(i);

       if (i >= authorizables.size()) {
         query.append("&& " + resourceName + " == \"" + NULL_COL + "\" ");
         query.append("&& " + resourceType + " == \"" + NULL_COL + "\" ");
       } else {
         query.append("&& " + resourceName + " == \"" + authorizables.get(i).getName() + "\" ");
         query.append("&& " + resourceType + " == \"" + authorizables.get(i).getTypeName() + "\" ");
       }
     }
     return query.toString();
   }

   /**
    * Get the query to execute in the JDO deducing privileges include the scope of according to the given privilege
    * The query was used in three privilege operations:
    * 1.revoking privilege
    * 2.renaming privilege
    * 3.dropping privilege
    * Take the Solr for example, if there exists three privileges such as p1:Collection=c1->action=query,
    * p2:Collection=c1->Field=f1->action=query and p3:Collection=c1->Field=f2->action=query.
    * When the revoking operation happens, the request privilege is p4:Collection=c1->action=query.
    * The result is that not only p1 should be revoked, but also p2 and p3 should be revoked together.
    * So the populateIncludePrivilegesQuery should be Collection=c1
    * @param privilege
    * @return query
    */
   public static String populateIncludePrivilegesQuery(MSentryGMPrivilege privilege) {
     StringBuilder query = new StringBuilder();
     query.append("serviceName == \"" + toNULLCol(privilege.getServiceName()) + "\" ");
     query.append("&& componentName == \"" + toNULLCol(privilege.getComponentName()) + "\" ");
     List<? extends Authorizable> authorizables = privilege.getAuthorizables();
     for (int i= 0 ; i < authorizables.size(); i++) {
       String resourceName = PREFIX_RESOURCE_NAME + String.valueOf(i);
       String resourceType = PREFIX_RESOURCE_TYPE + String.valueOf(i);
       query.append("&& " + resourceName + " == \"" + authorizables.get(i).getName() + "\" ");
       query.append("&& " + resourceType + " == \"" + authorizables.get(i).getTypeName() + "\" ");
     }
     return query.toString();
   }
 }
	/**
	vim * Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/
	package org.apache.sentry.provider.db.service.model;

	import static org.apache.sentry.provider.common.ProviderConstants.AUTHORIZABLE_JOINER;
	import static org.apache.sentry.provider.common.ProviderConstants.KV_JOINER;

	import java.lang.reflect.Field;
	import java.util.Arrays;
	import java.util.HashSet;
	import java.util.Iterator;
	import java.util.List;
	import java.util.Set;

	import javax.jdo.annotations.PersistenceCapable;
	import org.apache.sentry.core.common.Authorizable;
	import org.apache.sentry.core.model.db.AccessConstants;

	import com.google.common.base.Strings;
	import com.google.common.collect.Lists;

	/**
	* Database backed Sentry Generic Privilege for new authorization Model
	* Any changes to this object
	* require re-running the maven build so DN an re-enhance.
	*/
	@PersistenceCapable
	public class MSentryGMPrivilege {
	private static final String PREFIX_RESOURCE_NAME = "resourceName";
	private static final String PREFIX_RESOURCE_TYPE = "resourceType";
	private static final String NULL_COL = "__NULL__";
	private static final String SERVICE_SCOPE = "Server";
	private static final int AUTHORIZABLE_LEVEL = 4;
	/**
	* The authorizable List has been stored into resourceName and resourceField columns
	* We assume that the generic model privilege for any component(hive/impala or solr) doesn't exceed four level.
	* This generic model privilege currently can support maximum 4 level.
	**/
	private String resourceName0 = NULL_COL;
	private String resourceType0 = NULL_COL;
	private String resourceName1 = NULL_COL;
	private String resourceType1 = NULL_COL;
	private String resourceName2 = NULL_COL;
	private String resourceType2 = NULL_COL;
	private String resourceName3 = NULL_COL;
	private String resourceType3 = NULL_COL;

	private String serviceName;
	private String componentName;
	private String action;
	private String scope;

	private Boolean grantOption = false;
	// roles this privilege is a part of
	private Set<MSentryRole> roles;
	private long createTime;

	public MSentryGMPrivilege() {
	this.roles = new HashSet<MSentryRole>();
	}

	public MSentryGMPrivilege(String componentName, String serviceName,
	List<? extends Authorizable> authorizables,
	String action, Boolean grantOption) {
	this.componentName = componentName;
	this.serviceName = serviceName;
	this.action = action;
	this.grantOption = grantOption;
	this.roles = new HashSet<MSentryRole>();
	this.createTime = System.currentTimeMillis();
	setAuthorizables(authorizables);
	}

	public MSentryGMPrivilege(MSentryGMPrivilege copy) {
	this.action = copy.action;
	this.componentName = copy.componentName;
	this.serviceName = copy.serviceName;
	this.grantOption = copy.grantOption;
	this.scope = copy.scope;
	this.createTime = copy.createTime;
	setAuthorizables(copy.getAuthorizables());
	this.roles = new HashSet<MSentryRole>();
	for (MSentryRole role : copy.roles) {
	roles.add(role);
	}
	}

	public String getServiceName() {
	return serviceName;
	}

	public void setServiceName(String serviceName) {
	this.serviceName = serviceName;
	}

	public String getComponentName() {
	return componentName;
	}

	public void setComponentName(String componentName) {
	this.componentName = componentName;
	}

	public String getAction() {
	return action;
	}

	public void setAction(String action) {
	this.action = action;
	}

	public Boolean getGrantOption() {
	return grantOption;
	}

	public void setGrantOption(Boolean grantOption) {
	this.grantOption = grantOption;
	}

	public Set<MSentryRole> getRoles() {
	return roles;
	}

	public void setRoles(Set<MSentryRole> roles) {
	this.roles = roles;
	}

	public long getCreateTime() {
	return createTime;
	}

	public void setCreateTime(long createTime) {
	this.createTime = createTime;
	}

	public String getScope() {
	return scope;
	}

	public List<? extends Authorizable> getAuthorizables() {
	List<Authorizable> authorizables = Lists.newArrayList();
	//construct atuhorizable lists
	for (int i = 0; i < AUTHORIZABLE_LEVEL; i++) {
	final String resourceName = (String) getField(this, PREFIX_RESOURCE_NAME + String.valueOf(i));
	final String resourceTYpe = (String) getField(this, PREFIX_RESOURCE_TYPE + String.valueOf(i));

	if (notNULL(resourceName) && notNULL(resourceTYpe)) {
	authorizables.add(new Authorizable() {
	@Override
	public String getTypeName() {
	return resourceTYpe;
	}
	@Override
	public String getName() {
	return resourceName;
	}
	});
	}
	}
	return authorizables;
	}

	/**
	* Only allow strict hierarchies. That is, can level =1 be not null when level = 0 is null
	* @param authorizables
	*/
	public void setAuthorizables(List<? extends Authorizable> authorizables) {
	if ((authorizables == null) \|\| (authorizables.isEmpty())) {
	//service scope
	scope = SERVICE_SCOPE;
	return;
	}
	if (authorizables.size() > AUTHORIZABLE_LEVEL) {
	throw new IllegalStateException("This generic privilege model only supports maximum 4 level.");
	}

	for (int i = 0; i < authorizables.size(); i++) {
	Authorizable authorizable = authorizables.get(i);
	if (authorizable == null) {
	String msg = String.format("The authorizable can't be null. Please check authorizables[%d]:", i);
	throw new IllegalStateException(msg);
	}
	String resourceName = authorizable.getName();
	String resourceTYpe = authorizable.getTypeName();
	if (isNULL(resourceName) \|\| isNULL(resourceTYpe)) {
	String msg = String.format("The name and type of authorizable can't be empty or null.Please check authorizables[%d]", i);
	throw new IllegalStateException(msg);
	}
	setField(this, PREFIX_RESOURCE_NAME + String.valueOf(i), toNULLCol(resourceName));
	setField(this, PREFIX_RESOURCE_TYPE + String.valueOf(i), toNULLCol(resourceTYpe));
	scope = resourceTYpe;
	}
	}

	public void appendRole(MSentryRole role) {
	if (roles.add(role)) {
	role.appendGMPrivilege(this);
	}
	}

	public void removeRole(MSentryRole role) {
	if(roles.remove(role)) {
	role.removeGMPrivilege(this);
	}
	}

	@Override
	public int hashCode() {
	final int prime = 31;
	int result = 1;
	result = prime * result + ((action == null) ? 0 : action.hashCode());
	result = prime * result + ((componentName == null) ? 0 : componentName.hashCode());
	result = prime * result + ((serviceName == null) ? 0 : serviceName.hashCode());
	result = prime * result + ((grantOption == null) ? 0 : grantOption.hashCode());
	result = prime * result + ((scope == null) ? 0 : scope.hashCode());

	for (Authorizable authorizable : getAuthorizables()) {
	result = prime * result + authorizable.getName().hashCode();
	result = prime * result + authorizable.getTypeName().hashCode();
	}

	return result;
	}

	@Override
	public String toString() {
	List<String> unifiedNames = Lists.newArrayList();
	for (Authorizable auth : getAuthorizables()) {
	unifiedNames.add(KV_JOINER.join(auth.getTypeName(),auth.getName()));
	}

	return "MSentryGMPrivilege ["
	+ "serverName=" + serviceName + ", componentName=" + componentName
	+ ", authorizables=" + AUTHORIZABLE_JOINER.join(unifiedNames)+ ", scope=" + scope
	+ ", action=" + action + ", roles=[...]" + ", createTime="
	+ createTime + ", grantOption=" + grantOption +"]";
	}

	@Override
	public boolean equals(Object obj) {
	if (this == obj)
	return true;
	if (obj == null)
	return false;
	if (getClass() != obj.getClass())
	return false;
	MSentryGMPrivilege other = (MSentryGMPrivilege) obj;
	if (action == null) {
	if (other.action != null)
	return false;
	} else if (!action.equalsIgnoreCase(other.action))
	return false;
	if (scope == null) {
	if (other.scope != null)
	return false;
	} else if (!scope.equals(other.scope))
	return false;
	if (serviceName == null) {
	if (other.serviceName != null)
	return false;
	} else if (!serviceName.equals(other.serviceName))
	return false;
	if (componentName == null) {
	if (other.componentName != null)
	return false;
	} else if (!componentName.equals(other.componentName))
	return false;
	if (grantOption == null) {
	if (other.grantOption != null)
	return false;
	} else if (!grantOption.equals(other.grantOption))
	return false;

	List<? extends Authorizable> authorizables = getAuthorizables();
	List<? extends Authorizable> other_authorizables = other.getAuthorizables();

	if (authorizables.size() != other_authorizables.size()) {
	return false;
	}
	for (int i = 0; i < authorizables.size(); i++) {
	String o1 = KV_JOINER.join(authorizables.get(i).getTypeName(),
	authorizables.get(i).getName());
	String o2 = KV_JOINER.join(other_authorizables.get(i).getTypeName(),
	other_authorizables.get(i).getName());
	if (!o1.equals(o2)) {
	return false;
	}
	}
	return true;
	}

	/**
	* Return true if this privilege implies request privilege
	* Otherwise, return false
	* @param other, other privilege
	*/
	public boolean implies(MSentryGMPrivilege request) {
	//component check
	if (!componentName.equals(request.getComponentName())) {
	return false;
	}
	//service check
	if (!serviceName.equals(request.getServiceName())) {
	return false;
	}
	// check action implies
	if (!action.equalsIgnoreCase(AccessConstants.ALL)
	&& !action.equalsIgnoreCase(request.getAction())
	&& !action.equalsIgnoreCase(AccessConstants.ACTION_ALL)) {
	return false;
	}
	//check authorizable list implies
	Iterator<? extends Authorizable> existIterator = getAuthorizables().iterator();
	Iterator<? extends Authorizable> requestIterator = request.getAuthorizables().iterator();
	while (existIterator.hasNext() && requestIterator.hasNext()) {
	Authorizable existAuth = existIterator.next();
	Authorizable requestAuth = requestIterator.next();
	//check authorizable type
	if (!existAuth.getTypeName().equals(requestAuth.getTypeName())) {
	return false;
	}
	//check authorizable name
	if (!existAuth.getName().equals(requestAuth.getName())) {
	/**The persistent authorizable isn't equal the request authorizable
	* but the following situations are pass check
	* The name of persistent authorizable is ALL or "*"
	*/
	if (existAuth.getName().equalsIgnoreCase(AccessConstants.ACTION_ALL)
	\|\| existAuth.getName().equalsIgnoreCase(AccessConstants.ALL)) {
	continue;
	} else {
	return false;
	}
	}
	}

	if ( (!existIterator.hasNext()) && (!requestIterator.hasNext()) ){
	/**
	* The persistent privilege has the same authorizables size as the requested privilege
	* The check is pass
	*/
	return true;

	} else if (existIterator.hasNext()) {
	/**
	* The persistent privilege has much more authorizables than request privilege,so its scope is less
	* than the requested privilege.
	* There is a situation that the check is pass, the name of the exceeding authorizables is ALL or "*".
	* Take the Solr for example,the exist privilege is collection=c1->field=*->action=query
	* the request privilege is collection=c1->action=query, the check is pass
	*/
	while (existIterator.hasNext()) {
	Authorizable existAuthorizable = existIterator.next();
	if (existAuthorizable.getName().equalsIgnoreCase(AccessConstants.ALL)
	\|\| existAuthorizable.getName().equalsIgnoreCase(AccessConstants.ACTION_ALL)) {
	continue;
	} else {
	return false;
	}
	}
	} else {
	/**
	* The requested privilege has much more authorizables than persistent privilege, so its scope is less
	* than the persistent privilege
	* The check is pass
	*/
	return true;
	}

	return true;
	}

	public static String toNULLCol(String col) {
	return Strings.isNullOrEmpty(col) ? NULL_COL : col;
	}

	public static boolean notNULL(String s) {
	return !(Strings.isNullOrEmpty(s) \|\| NULL_COL.equals(s));
	}

	public static boolean isNULL(String s) {
	return !notNULL(s);
	}

	public static <T> void setField(Object obj, String fieldName, T fieldValue) {
	try {
	Class<?> clazz = obj.getClass();
	Field field=clazz.getDeclaredField(fieldName);
	field.setAccessible(true);
	field.set(obj, fieldValue);
	} catch (Exception e) {
	throw new RuntimeException("setField error: " + e.getMessage(), e);
	}
	}

	@SuppressWarnings("unchecked")
	public static <T> T getField(Object obj, String fieldName) {
	try {
	Class<?> clazz = obj.getClass();
	Field field=clazz.getDeclaredField(fieldName);
	field.setAccessible(true);
	return (T)field.get(obj);
	} catch (Exception e) {
	throw new RuntimeException("getField error: " + e.getMessage(), e);
	}
	}

	/**
	* return the query to execute in JDO for search the given privilege
	* @param privilege
	* @return query
	*/
	public static String toQuery(MSentryGMPrivilege privilege) {
	StringBuilder query = new StringBuilder();
	query.append("serviceName == \"" + toNULLCol(privilege.getServiceName()) + "\" ");
	query.append("&& componentName == \"" + toNULLCol(privilege.getComponentName()) + "\" ");
	query.append("&& scope == \"" + toNULLCol(privilege.getScope()) + "\" ");
	query.append("&& action == \"" + toNULLCol(privilege.getAction()) + "\"");
	if (privilege.getGrantOption() == null) {
	query.append("&& this.grantOption == null ");
	} else if (privilege.getGrantOption()) {
	query.append("&& grantOption ");
	} else {
	query.append("&& !grantOption ");
	}
	List<? extends Authorizable> authorizables = privilege.getAuthorizables();
	for (int i = 0; i < AUTHORIZABLE_LEVEL; i++) {
	String resourceName = PREFIX_RESOURCE_NAME + String.valueOf(i);
	String resourceType = PREFIX_RESOURCE_TYPE + String.valueOf(i);

	if (i >= authorizables.size()) {
	query.append("&& " + resourceName + " == \"" + NULL_COL + "\" ");
	query.append("&& " + resourceType + " == \"" + NULL_COL + "\" ");
	} else {
	query.append("&& " + resourceName + " == \"" + authorizables.get(i).getName() + "\" ");
	query.append("&& " + resourceType + " == \"" + authorizables.get(i).getTypeName() + "\" ");
	}
	}
	return query.toString();
	}

	/**
	* Get the query to execute in the JDO deducing privileges include the scope of according to the given privilege
	* The query was used in three privilege operations:
	* 1.revoking privilege
	* 2.renaming privilege
	* 3.dropping privilege
	* Take the Solr for example, if there exists three privileges such as p1:Collection=c1->action=query,
	* p2:Collection=c1->Field=f1->action=query and p3:Collection=c1->Field=f2->action=query.
	* When the revoking operation happens, the request privilege is p4:Collection=c1->action=query.
	* The result is that not only p1 should be revoked, but also p2 and p3 should be revoked together.
	* So the populateIncludePrivilegesQuery should be Collection=c1
	* @param privilege
	* @return query
	*/
	public static String populateIncludePrivilegesQuery(MSentryGMPrivilege privilege) {
	StringBuilder query = new StringBuilder();
	query.append("serviceName == \"" + toNULLCol(privilege.getServiceName()) + "\" ");
	query.append("&& componentName == \"" + toNULLCol(privilege.getComponentName()) + "\" ");
	List<? extends Authorizable> authorizables = privilege.getAuthorizables();
	for (int i= 0 ; i < authorizables.size(); i++) {
	String resourceName = PREFIX_RESOURCE_NAME + String.valueOf(i);
	String resourceType = PREFIX_RESOURCE_TYPE + String.valueOf(i);
	query.append("&& " + resourceName + " == \"" + authorizables.get(i).getName() + "\" ");
	query.append("&& " + resourceType + " == \"" + authorizables.get(i).getTypeName() + "\" ");
	}
	return query.toString();
	}
	}