You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hbase.apache.org by gi...@apache.org on 2018/12/08 14:51:22 UTC
[08/29] hbase-site git commit: Published site at
79d90c87b5bc6d4aa50e6edc52a3f20da708ee29.
http://git-wip-us.apache.org/repos/asf/hbase-site/blob/3defc75b/devapidocs/src-html/org/apache/hadoop/hbase/security/visibility/VisibilityController.html
----------------------------------------------------------------------
diff --git a/devapidocs/src-html/org/apache/hadoop/hbase/security/visibility/VisibilityController.html b/devapidocs/src-html/org/apache/hadoop/hbase/security/visibility/VisibilityController.html
index 2fd8fae..536220f 100644
--- a/devapidocs/src-html/org/apache/hadoop/hbase/security/visibility/VisibilityController.html
+++ b/devapidocs/src-html/org/apache/hadoop/hbase/security/visibility/VisibilityController.html
@@ -234,851 +234,852 @@
<span class="sourceLineNo">226</span> }<a name="line.226"></a>
<span class="sourceLineNo">227</span><a name="line.227"></a>
<span class="sourceLineNo">228</span> @Override<a name="line.228"></a>
-<span class="sourceLineNo">229</span> public void preModifyTable(ObserverContext<MasterCoprocessorEnvironment> ctx, TableName tableName,<a name="line.229"></a>
-<span class="sourceLineNo">230</span> TableDescriptor currentDescriptor, TableDescriptor newDescriptor) throws IOException {<a name="line.230"></a>
-<span class="sourceLineNo">231</span> if (!authorizationEnabled) {<a name="line.231"></a>
-<span class="sourceLineNo">232</span> return;<a name="line.232"></a>
-<span class="sourceLineNo">233</span> }<a name="line.233"></a>
-<span class="sourceLineNo">234</span> if (LABELS_TABLE_NAME.equals(tableName)) {<a name="line.234"></a>
-<span class="sourceLineNo">235</span> throw new ConstraintException("Cannot alter " + LABELS_TABLE_NAME);<a name="line.235"></a>
+<span class="sourceLineNo">229</span> public TableDescriptor preModifyTable(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.229"></a>
+<span class="sourceLineNo">230</span> TableName tableName, TableDescriptor currentDescriptor, TableDescriptor newDescriptor)<a name="line.230"></a>
+<span class="sourceLineNo">231</span> throws IOException {<a name="line.231"></a>
+<span class="sourceLineNo">232</span> if (authorizationEnabled) {<a name="line.232"></a>
+<span class="sourceLineNo">233</span> if (LABELS_TABLE_NAME.equals(tableName)) {<a name="line.233"></a>
+<span class="sourceLineNo">234</span> throw new ConstraintException("Cannot alter " + LABELS_TABLE_NAME);<a name="line.234"></a>
+<span class="sourceLineNo">235</span> }<a name="line.235"></a>
<span class="sourceLineNo">236</span> }<a name="line.236"></a>
-<span class="sourceLineNo">237</span> }<a name="line.237"></a>
-<span class="sourceLineNo">238</span><a name="line.238"></a>
-<span class="sourceLineNo">239</span> @Override<a name="line.239"></a>
-<span class="sourceLineNo">240</span> public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> ctx, TableName tableName)<a name="line.240"></a>
-<span class="sourceLineNo">241</span> throws IOException {<a name="line.241"></a>
-<span class="sourceLineNo">242</span> if (!authorizationEnabled) {<a name="line.242"></a>
-<span class="sourceLineNo">243</span> return;<a name="line.243"></a>
-<span class="sourceLineNo">244</span> }<a name="line.244"></a>
-<span class="sourceLineNo">245</span> if (LABELS_TABLE_NAME.equals(tableName)) {<a name="line.245"></a>
-<span class="sourceLineNo">246</span> throw new ConstraintException("Cannot disable " + LABELS_TABLE_NAME);<a name="line.246"></a>
-<span class="sourceLineNo">247</span> }<a name="line.247"></a>
-<span class="sourceLineNo">248</span> }<a name="line.248"></a>
-<span class="sourceLineNo">249</span><a name="line.249"></a>
-<span class="sourceLineNo">250</span> /****************************** Region related hooks ******************************/<a name="line.250"></a>
-<span class="sourceLineNo">251</span><a name="line.251"></a>
-<span class="sourceLineNo">252</span> @Override<a name="line.252"></a>
-<span class="sourceLineNo">253</span> public void postOpen(ObserverContext<RegionCoprocessorEnvironment> e) {<a name="line.253"></a>
-<span class="sourceLineNo">254</span> // Read the entire labels table and populate the zk<a name="line.254"></a>
-<span class="sourceLineNo">255</span> if (e.getEnvironment().getRegion().getRegionInfo().getTable().equals(LABELS_TABLE_NAME)) {<a name="line.255"></a>
-<span class="sourceLineNo">256</span> this.labelsRegion = true;<a name="line.256"></a>
-<span class="sourceLineNo">257</span> synchronized (this) {<a name="line.257"></a>
-<span class="sourceLineNo">258</span> this.accessControllerAvailable = CoprocessorHost.getLoadedCoprocessors()<a name="line.258"></a>
-<span class="sourceLineNo">259</span> .contains(AccessController.class.getName());<a name="line.259"></a>
-<span class="sourceLineNo">260</span> }<a name="line.260"></a>
-<span class="sourceLineNo">261</span> initVisibilityLabelService(e.getEnvironment());<a name="line.261"></a>
-<span class="sourceLineNo">262</span> } else {<a name="line.262"></a>
-<span class="sourceLineNo">263</span> checkAuths = e.getEnvironment().getConfiguration()<a name="line.263"></a>
-<span class="sourceLineNo">264</span> .getBoolean(VisibilityConstants.CHECK_AUTHS_FOR_MUTATION, false);<a name="line.264"></a>
-<span class="sourceLineNo">265</span> initVisibilityLabelService(e.getEnvironment());<a name="line.265"></a>
-<span class="sourceLineNo">266</span> }<a name="line.266"></a>
-<span class="sourceLineNo">267</span> }<a name="line.267"></a>
-<span class="sourceLineNo">268</span><a name="line.268"></a>
-<span class="sourceLineNo">269</span> private void initVisibilityLabelService(RegionCoprocessorEnvironment env) {<a name="line.269"></a>
-<span class="sourceLineNo">270</span> try {<a name="line.270"></a>
-<span class="sourceLineNo">271</span> this.visibilityLabelService.init(env);<a name="line.271"></a>
-<span class="sourceLineNo">272</span> this.initialized = true;<a name="line.272"></a>
-<span class="sourceLineNo">273</span> } catch (IOException ioe) {<a name="line.273"></a>
-<span class="sourceLineNo">274</span> LOG.error("Error while initializing VisibilityLabelService..", ioe);<a name="line.274"></a>
-<span class="sourceLineNo">275</span> throw new RuntimeException(ioe);<a name="line.275"></a>
-<span class="sourceLineNo">276</span> }<a name="line.276"></a>
-<span class="sourceLineNo">277</span> }<a name="line.277"></a>
-<span class="sourceLineNo">278</span><a name="line.278"></a>
-<span class="sourceLineNo">279</span> @Override<a name="line.279"></a>
-<span class="sourceLineNo">280</span> public void postSetSplitOrMergeEnabled(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.280"></a>
-<span class="sourceLineNo">281</span> final boolean newValue, final MasterSwitchType switchType) throws IOException {<a name="line.281"></a>
-<span class="sourceLineNo">282</span> }<a name="line.282"></a>
-<span class="sourceLineNo">283</span><a name="line.283"></a>
-<span class="sourceLineNo">284</span> @Override<a name="line.284"></a>
-<span class="sourceLineNo">285</span> public void preBatchMutate(ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.285"></a>
-<span class="sourceLineNo">286</span> MiniBatchOperationInProgress<Mutation> miniBatchOp) throws IOException {<a name="line.286"></a>
-<span class="sourceLineNo">287</span> if (c.getEnvironment().getRegion().getRegionInfo().getTable().isSystemTable()) {<a name="line.287"></a>
-<span class="sourceLineNo">288</span> return;<a name="line.288"></a>
-<span class="sourceLineNo">289</span> }<a name="line.289"></a>
-<span class="sourceLineNo">290</span> // TODO this can be made as a global LRU cache at HRS level?<a name="line.290"></a>
-<span class="sourceLineNo">291</span> Map<String, List<Tag>> labelCache = new HashMap<>();<a name="line.291"></a>
-<span class="sourceLineNo">292</span> for (int i = 0; i < miniBatchOp.size(); i++) {<a name="line.292"></a>
-<span class="sourceLineNo">293</span> Mutation m = miniBatchOp.getOperation(i);<a name="line.293"></a>
-<span class="sourceLineNo">294</span> CellVisibility cellVisibility = null;<a name="line.294"></a>
-<span class="sourceLineNo">295</span> try {<a name="line.295"></a>
-<span class="sourceLineNo">296</span> cellVisibility = m.getCellVisibility();<a name="line.296"></a>
-<span class="sourceLineNo">297</span> } catch (DeserializationException de) {<a name="line.297"></a>
-<span class="sourceLineNo">298</span> miniBatchOp.setOperationStatus(i,<a name="line.298"></a>
-<span class="sourceLineNo">299</span> new OperationStatus(SANITY_CHECK_FAILURE, de.getMessage()));<a name="line.299"></a>
-<span class="sourceLineNo">300</span> continue;<a name="line.300"></a>
-<span class="sourceLineNo">301</span> }<a name="line.301"></a>
-<span class="sourceLineNo">302</span> boolean sanityFailure = false;<a name="line.302"></a>
-<span class="sourceLineNo">303</span> boolean modifiedTagFound = false;<a name="line.303"></a>
-<span class="sourceLineNo">304</span> Pair<Boolean, Tag> pair = new Pair<>(false, null);<a name="line.304"></a>
-<span class="sourceLineNo">305</span> for (CellScanner cellScanner = m.cellScanner(); cellScanner.advance();) {<a name="line.305"></a>
-<span class="sourceLineNo">306</span> pair = checkForReservedVisibilityTagPresence(cellScanner.current(), pair);<a name="line.306"></a>
-<span class="sourceLineNo">307</span> if (!pair.getFirst()) {<a name="line.307"></a>
-<span class="sourceLineNo">308</span> // Don't disallow reserved tags if authorization is disabled<a name="line.308"></a>
-<span class="sourceLineNo">309</span> if (authorizationEnabled) {<a name="line.309"></a>
-<span class="sourceLineNo">310</span> miniBatchOp.setOperationStatus(i, new OperationStatus(SANITY_CHECK_FAILURE,<a name="line.310"></a>
-<span class="sourceLineNo">311</span> "Mutation contains cell with reserved type tag"));<a name="line.311"></a>
-<span class="sourceLineNo">312</span> sanityFailure = true;<a name="line.312"></a>
-<span class="sourceLineNo">313</span> }<a name="line.313"></a>
-<span class="sourceLineNo">314</span> break;<a name="line.314"></a>
-<span class="sourceLineNo">315</span> } else {<a name="line.315"></a>
-<span class="sourceLineNo">316</span> // Indicates that the cell has a the tag which was modified in the src replication cluster<a name="line.316"></a>
-<span class="sourceLineNo">317</span> Tag tag = pair.getSecond();<a name="line.317"></a>
-<span class="sourceLineNo">318</span> if (cellVisibility == null && tag != null) {<a name="line.318"></a>
-<span class="sourceLineNo">319</span> // May need to store only the first one<a name="line.319"></a>
-<span class="sourceLineNo">320</span> cellVisibility = new CellVisibility(Tag.getValueAsString(tag));<a name="line.320"></a>
-<span class="sourceLineNo">321</span> modifiedTagFound = true;<a name="line.321"></a>
-<span class="sourceLineNo">322</span> }<a name="line.322"></a>
-<span class="sourceLineNo">323</span> }<a name="line.323"></a>
-<span class="sourceLineNo">324</span> }<a name="line.324"></a>
-<span class="sourceLineNo">325</span> if (!sanityFailure) {<a name="line.325"></a>
-<span class="sourceLineNo">326</span> if (cellVisibility != null) {<a name="line.326"></a>
-<span class="sourceLineNo">327</span> String labelsExp = cellVisibility.getExpression();<a name="line.327"></a>
-<span class="sourceLineNo">328</span> List<Tag> visibilityTags = labelCache.get(labelsExp);<a name="line.328"></a>
-<span class="sourceLineNo">329</span> if (visibilityTags == null) {<a name="line.329"></a>
-<span class="sourceLineNo">330</span> // Don't check user auths for labels with Mutations when the user is super user<a name="line.330"></a>
-<span class="sourceLineNo">331</span> boolean authCheck = authorizationEnabled && checkAuths && !(isSystemOrSuperUser());<a name="line.331"></a>
-<span class="sourceLineNo">332</span> try {<a name="line.332"></a>
-<span class="sourceLineNo">333</span> visibilityTags = this.visibilityLabelService.createVisibilityExpTags(labelsExp, true,<a name="line.333"></a>
-<span class="sourceLineNo">334</span> authCheck);<a name="line.334"></a>
-<span class="sourceLineNo">335</span> } catch (InvalidLabelException e) {<a name="line.335"></a>
-<span class="sourceLineNo">336</span> miniBatchOp.setOperationStatus(i,<a name="line.336"></a>
-<span class="sourceLineNo">337</span> new OperationStatus(SANITY_CHECK_FAILURE, e.getMessage()));<a name="line.337"></a>
-<span class="sourceLineNo">338</span> }<a name="line.338"></a>
-<span class="sourceLineNo">339</span> if (visibilityTags != null) {<a name="line.339"></a>
-<span class="sourceLineNo">340</span> labelCache.put(labelsExp, visibilityTags);<a name="line.340"></a>
-<span class="sourceLineNo">341</span> }<a name="line.341"></a>
-<span class="sourceLineNo">342</span> }<a name="line.342"></a>
-<span class="sourceLineNo">343</span> if (visibilityTags != null) {<a name="line.343"></a>
-<span class="sourceLineNo">344</span> List<Cell> updatedCells = new ArrayList<>();<a name="line.344"></a>
-<span class="sourceLineNo">345</span> for (CellScanner cellScanner = m.cellScanner(); cellScanner.advance();) {<a name="line.345"></a>
-<span class="sourceLineNo">346</span> Cell cell = cellScanner.current();<a name="line.346"></a>
-<span class="sourceLineNo">347</span> List<Tag> tags = PrivateCellUtil.getTags(cell);<a name="line.347"></a>
-<span class="sourceLineNo">348</span> if (modifiedTagFound) {<a name="line.348"></a>
-<span class="sourceLineNo">349</span> // Rewrite the tags by removing the modified tags.<a name="line.349"></a>
-<span class="sourceLineNo">350</span> removeReplicationVisibilityTag(tags);<a name="line.350"></a>
-<span class="sourceLineNo">351</span> }<a name="line.351"></a>
-<span class="sourceLineNo">352</span> tags.addAll(visibilityTags);<a name="line.352"></a>
-<span class="sourceLineNo">353</span> Cell updatedCell = PrivateCellUtil.createCell(cell, tags);<a name="line.353"></a>
-<span class="sourceLineNo">354</span> updatedCells.add(updatedCell);<a name="line.354"></a>
-<span class="sourceLineNo">355</span> }<a name="line.355"></a>
-<span class="sourceLineNo">356</span> m.getFamilyCellMap().clear();<a name="line.356"></a>
-<span class="sourceLineNo">357</span> // Clear and add new Cells to the Mutation.<a name="line.357"></a>
-<span class="sourceLineNo">358</span> for (Cell cell : updatedCells) {<a name="line.358"></a>
-<span class="sourceLineNo">359</span> if (m instanceof Put) {<a name="line.359"></a>
-<span class="sourceLineNo">360</span> Put p = (Put) m;<a name="line.360"></a>
-<span class="sourceLineNo">361</span> p.add(cell);<a name="line.361"></a>
-<span class="sourceLineNo">362</span> } else if (m instanceof Delete) {<a name="line.362"></a>
-<span class="sourceLineNo">363</span> Delete d = (Delete) m;<a name="line.363"></a>
-<span class="sourceLineNo">364</span> d.add(cell);<a name="line.364"></a>
-<span class="sourceLineNo">365</span> }<a name="line.365"></a>
-<span class="sourceLineNo">366</span> }<a name="line.366"></a>
-<span class="sourceLineNo">367</span> }<a name="line.367"></a>
-<span class="sourceLineNo">368</span> }<a name="line.368"></a>
-<span class="sourceLineNo">369</span> }<a name="line.369"></a>
-<span class="sourceLineNo">370</span> }<a name="line.370"></a>
-<span class="sourceLineNo">371</span> }<a name="line.371"></a>
-<span class="sourceLineNo">372</span><a name="line.372"></a>
-<span class="sourceLineNo">373</span> @Override<a name="line.373"></a>
-<span class="sourceLineNo">374</span> public void prePrepareTimeStampForDeleteVersion(<a name="line.374"></a>
-<span class="sourceLineNo">375</span> ObserverContext<RegionCoprocessorEnvironment> ctx, Mutation delete, Cell cell,<a name="line.375"></a>
-<span class="sourceLineNo">376</span> byte[] byteNow, Get get) throws IOException {<a name="line.376"></a>
-<span class="sourceLineNo">377</span> // Nothing to do if we are not filtering by visibility<a name="line.377"></a>
-<span class="sourceLineNo">378</span> if (!authorizationEnabled) {<a name="line.378"></a>
-<span class="sourceLineNo">379</span> return;<a name="line.379"></a>
-<span class="sourceLineNo">380</span> }<a name="line.380"></a>
-<span class="sourceLineNo">381</span><a name="line.381"></a>
-<span class="sourceLineNo">382</span> CellVisibility cellVisibility = null;<a name="line.382"></a>
-<span class="sourceLineNo">383</span> try {<a name="line.383"></a>
-<span class="sourceLineNo">384</span> cellVisibility = delete.getCellVisibility();<a name="line.384"></a>
-<span class="sourceLineNo">385</span> } catch (DeserializationException de) {<a name="line.385"></a>
-<span class="sourceLineNo">386</span> throw new IOException("Invalid cell visibility specified " + delete, de);<a name="line.386"></a>
-<span class="sourceLineNo">387</span> }<a name="line.387"></a>
-<span class="sourceLineNo">388</span> // The check for checkForReservedVisibilityTagPresence happens in preBatchMutate happens.<a name="line.388"></a>
-<span class="sourceLineNo">389</span> // It happens for every mutation and that would be enough.<a name="line.389"></a>
-<span class="sourceLineNo">390</span> List<Tag> visibilityTags = new ArrayList<>();<a name="line.390"></a>
-<span class="sourceLineNo">391</span> if (cellVisibility != null) {<a name="line.391"></a>
-<span class="sourceLineNo">392</span> String labelsExp = cellVisibility.getExpression();<a name="line.392"></a>
-<span class="sourceLineNo">393</span> try {<a name="line.393"></a>
-<span class="sourceLineNo">394</span> visibilityTags = this.visibilityLabelService.createVisibilityExpTags(labelsExp, false,<a name="line.394"></a>
-<span class="sourceLineNo">395</span> false);<a name="line.395"></a>
-<span class="sourceLineNo">396</span> } catch (InvalidLabelException e) {<a name="line.396"></a>
-<span class="sourceLineNo">397</span> throw new IOException("Invalid cell visibility specified " + labelsExp, e);<a name="line.397"></a>
-<span class="sourceLineNo">398</span> }<a name="line.398"></a>
-<span class="sourceLineNo">399</span> }<a name="line.399"></a>
-<span class="sourceLineNo">400</span> get.setFilter(new DeleteVersionVisibilityExpressionFilter(visibilityTags,<a name="line.400"></a>
-<span class="sourceLineNo">401</span> VisibilityConstants.SORTED_ORDINAL_SERIALIZATION_FORMAT));<a name="line.401"></a>
-<span class="sourceLineNo">402</span> List<Cell> result = ctx.getEnvironment().getRegion().get(get, false);<a name="line.402"></a>
-<span class="sourceLineNo">403</span><a name="line.403"></a>
-<span class="sourceLineNo">404</span> if (result.size() < get.getMaxVersions()) {<a name="line.404"></a>
-<span class="sourceLineNo">405</span> // Nothing to delete<a name="line.405"></a>
-<span class="sourceLineNo">406</span> PrivateCellUtil.updateLatestStamp(cell, byteNow);<a name="line.406"></a>
-<span class="sourceLineNo">407</span> return;<a name="line.407"></a>
-<span class="sourceLineNo">408</span> }<a name="line.408"></a>
-<span class="sourceLineNo">409</span> if (result.size() > get.getMaxVersions()) {<a name="line.409"></a>
-<span class="sourceLineNo">410</span> throw new RuntimeException("Unexpected size: " + result.size()<a name="line.410"></a>
-<span class="sourceLineNo">411</span> + ". Results more than the max versions obtained.");<a name="line.411"></a>
-<span class="sourceLineNo">412</span> }<a name="line.412"></a>
-<span class="sourceLineNo">413</span> Cell getCell = result.get(get.getMaxVersions() - 1);<a name="line.413"></a>
-<span class="sourceLineNo">414</span> PrivateCellUtil.setTimestamp(cell, getCell.getTimestamp());<a name="line.414"></a>
-<span class="sourceLineNo">415</span><a name="line.415"></a>
-<span class="sourceLineNo">416</span> // We are bypassing here because in the HRegion.updateDeleteLatestVersionTimeStamp we would<a name="line.416"></a>
-<span class="sourceLineNo">417</span> // update with the current timestamp after again doing a get. As the hook as already determined<a name="line.417"></a>
-<span class="sourceLineNo">418</span> // the needed timestamp we need to bypass here.<a name="line.418"></a>
-<span class="sourceLineNo">419</span> // TODO : See if HRegion.updateDeleteLatestVersionTimeStamp() could be<a name="line.419"></a>
-<span class="sourceLineNo">420</span> // called only if the hook is not called.<a name="line.420"></a>
-<span class="sourceLineNo">421</span> ctx.bypass();<a name="line.421"></a>
-<span class="sourceLineNo">422</span> }<a name="line.422"></a>
-<span class="sourceLineNo">423</span><a name="line.423"></a>
-<span class="sourceLineNo">424</span> /**<a name="line.424"></a>
-<span class="sourceLineNo">425</span> * Checks whether cell contains any tag with type as VISIBILITY_TAG_TYPE. This<a name="line.425"></a>
-<span class="sourceLineNo">426</span> * tag type is reserved and should not be explicitly set by user.<a name="line.426"></a>
-<span class="sourceLineNo">427</span> *<a name="line.427"></a>
-<span class="sourceLineNo">428</span> * @param cell The cell under consideration<a name="line.428"></a>
-<span class="sourceLineNo">429</span> * @param pair An optional pair of type {@code <Boolean, Tag>} which would be reused if already<a name="line.429"></a>
-<span class="sourceLineNo">430</span> * set and new one will be created if NULL is passed<a name="line.430"></a>
-<span class="sourceLineNo">431</span> * @return If the boolean is false then it indicates that the cell has a RESERVERD_VIS_TAG and<a name="line.431"></a>
-<span class="sourceLineNo">432</span> * with boolean as true, not null tag indicates that a string modified tag was found.<a name="line.432"></a>
-<span class="sourceLineNo">433</span> */<a name="line.433"></a>
-<span class="sourceLineNo">434</span> private Pair<Boolean, Tag> checkForReservedVisibilityTagPresence(Cell cell,<a name="line.434"></a>
-<span class="sourceLineNo">435</span> Pair<Boolean, Tag> pair) throws IOException {<a name="line.435"></a>
-<span class="sourceLineNo">436</span> if (pair == null) {<a name="line.436"></a>
-<span class="sourceLineNo">437</span> pair = new Pair<>(false, null);<a name="line.437"></a>
-<span class="sourceLineNo">438</span> } else {<a name="line.438"></a>
-<span class="sourceLineNo">439</span> pair.setFirst(false);<a name="line.439"></a>
-<span class="sourceLineNo">440</span> pair.setSecond(null);<a name="line.440"></a>
-<span class="sourceLineNo">441</span> }<a name="line.441"></a>
-<span class="sourceLineNo">442</span> // Bypass this check when the operation is done by a system/super user.<a name="line.442"></a>
-<span class="sourceLineNo">443</span> // This is done because, while Replication, the Cells coming to the peer cluster with reserved<a name="line.443"></a>
-<span class="sourceLineNo">444</span> // typed tags and this is fine and should get added to the peer cluster table<a name="line.444"></a>
-<span class="sourceLineNo">445</span> if (isSystemOrSuperUser()) {<a name="line.445"></a>
-<span class="sourceLineNo">446</span> // Does the cell contain special tag which indicates that the replicated<a name="line.446"></a>
-<span class="sourceLineNo">447</span> // cell visiblilty tags<a name="line.447"></a>
-<span class="sourceLineNo">448</span> // have been modified<a name="line.448"></a>
-<span class="sourceLineNo">449</span> Tag modifiedTag = null;<a name="line.449"></a>
-<span class="sourceLineNo">450</span> Iterator<Tag> tagsIterator = PrivateCellUtil.tagsIterator(cell);<a name="line.450"></a>
-<span class="sourceLineNo">451</span> while (tagsIterator.hasNext()) {<a name="line.451"></a>
-<span class="sourceLineNo">452</span> Tag tag = tagsIterator.next();<a name="line.452"></a>
-<span class="sourceLineNo">453</span> if (tag.getType() == TagType.STRING_VIS_TAG_TYPE) {<a name="line.453"></a>
-<span class="sourceLineNo">454</span> modifiedTag = tag;<a name="line.454"></a>
-<span class="sourceLineNo">455</span> break;<a name="line.455"></a>
-<span class="sourceLineNo">456</span> }<a name="line.456"></a>
-<span class="sourceLineNo">457</span> }<a name="line.457"></a>
-<span class="sourceLineNo">458</span> pair.setFirst(true);<a name="line.458"></a>
-<span class="sourceLineNo">459</span> pair.setSecond(modifiedTag);<a name="line.459"></a>
-<span class="sourceLineNo">460</span> return pair;<a name="line.460"></a>
-<span class="sourceLineNo">461</span> }<a name="line.461"></a>
-<span class="sourceLineNo">462</span> Iterator<Tag> tagsItr = PrivateCellUtil.tagsIterator(cell);<a name="line.462"></a>
-<span class="sourceLineNo">463</span> while (tagsItr.hasNext()) {<a name="line.463"></a>
-<span class="sourceLineNo">464</span> if (RESERVED_VIS_TAG_TYPES.contains(tagsItr.next().getType())) {<a name="line.464"></a>
-<span class="sourceLineNo">465</span> return pair;<a name="line.465"></a>
-<span class="sourceLineNo">466</span> }<a name="line.466"></a>
-<span class="sourceLineNo">467</span> }<a name="line.467"></a>
-<span class="sourceLineNo">468</span> pair.setFirst(true);<a name="line.468"></a>
-<span class="sourceLineNo">469</span> return pair;<a name="line.469"></a>
-<span class="sourceLineNo">470</span> }<a name="line.470"></a>
-<span class="sourceLineNo">471</span><a name="line.471"></a>
-<span class="sourceLineNo">472</span> /**<a name="line.472"></a>
-<span class="sourceLineNo">473</span> * Checks whether cell contains any tag with type as VISIBILITY_TAG_TYPE. This<a name="line.473"></a>
-<span class="sourceLineNo">474</span> * tag type is reserved and should not be explicitly set by user. There are<a name="line.474"></a>
-<span class="sourceLineNo">475</span> * two versions of this method one that accepts pair and other without pair.<a name="line.475"></a>
-<span class="sourceLineNo">476</span> * In case of preAppend and preIncrement the additional operations are not<a name="line.476"></a>
-<span class="sourceLineNo">477</span> * needed like checking for STRING_VIS_TAG_TYPE and hence the API without pair<a name="line.477"></a>
-<span class="sourceLineNo">478</span> * could be used.<a name="line.478"></a>
-<span class="sourceLineNo">479</span> *<a name="line.479"></a>
-<span class="sourceLineNo">480</span> * @param cell<a name="line.480"></a>
-<span class="sourceLineNo">481</span> * @throws IOException<a name="line.481"></a>
-<span class="sourceLineNo">482</span> */<a name="line.482"></a>
-<span class="sourceLineNo">483</span> private boolean checkForReservedVisibilityTagPresence(Cell cell) throws IOException {<a name="line.483"></a>
-<span class="sourceLineNo">484</span> // Bypass this check when the operation is done by a system/super user.<a name="line.484"></a>
-<span class="sourceLineNo">485</span> // This is done because, while Replication, the Cells coming to the peer<a name="line.485"></a>
-<span class="sourceLineNo">486</span> // cluster with reserved<a name="line.486"></a>
-<span class="sourceLineNo">487</span> // typed tags and this is fine and should get added to the peer cluster<a name="line.487"></a>
-<span class="sourceLineNo">488</span> // table<a name="line.488"></a>
-<span class="sourceLineNo">489</span> if (isSystemOrSuperUser()) {<a name="line.489"></a>
-<span class="sourceLineNo">490</span> return true;<a name="line.490"></a>
-<span class="sourceLineNo">491</span> }<a name="line.491"></a>
-<span class="sourceLineNo">492</span> Iterator<Tag> tagsItr = PrivateCellUtil.tagsIterator(cell);<a name="line.492"></a>
-<span class="sourceLineNo">493</span> while (tagsItr.hasNext()) {<a name="line.493"></a>
-<span class="sourceLineNo">494</span> if (RESERVED_VIS_TAG_TYPES.contains(tagsItr.next().getType())) {<a name="line.494"></a>
-<span class="sourceLineNo">495</span> return false;<a name="line.495"></a>
-<span class="sourceLineNo">496</span> }<a name="line.496"></a>
-<span class="sourceLineNo">497</span> }<a name="line.497"></a>
-<span class="sourceLineNo">498</span> return true;<a name="line.498"></a>
-<span class="sourceLineNo">499</span> }<a name="line.499"></a>
-<span class="sourceLineNo">500</span><a name="line.500"></a>
-<span class="sourceLineNo">501</span> private void removeReplicationVisibilityTag(List<Tag> tags) throws IOException {<a name="line.501"></a>
-<span class="sourceLineNo">502</span> Iterator<Tag> iterator = tags.iterator();<a name="line.502"></a>
-<span class="sourceLineNo">503</span> while (iterator.hasNext()) {<a name="line.503"></a>
-<span class="sourceLineNo">504</span> Tag tag = iterator.next();<a name="line.504"></a>
-<span class="sourceLineNo">505</span> if (tag.getType() == TagType.STRING_VIS_TAG_TYPE) {<a name="line.505"></a>
-<span class="sourceLineNo">506</span> iterator.remove();<a name="line.506"></a>
-<span class="sourceLineNo">507</span> break;<a name="line.507"></a>
-<span class="sourceLineNo">508</span> }<a name="line.508"></a>
-<span class="sourceLineNo">509</span> }<a name="line.509"></a>
-<span class="sourceLineNo">510</span> }<a name="line.510"></a>
-<span class="sourceLineNo">511</span><a name="line.511"></a>
-<span class="sourceLineNo">512</span> @Override<a name="line.512"></a>
-<span class="sourceLineNo">513</span> public void preScannerOpen(ObserverContext<RegionCoprocessorEnvironment> e, Scan scan)<a name="line.513"></a>
-<span class="sourceLineNo">514</span> throws IOException {<a name="line.514"></a>
-<span class="sourceLineNo">515</span> if (!initialized) {<a name="line.515"></a>
-<span class="sourceLineNo">516</span> throw new VisibilityControllerNotReadyException("VisibilityController not yet initialized!");<a name="line.516"></a>
-<span class="sourceLineNo">517</span> }<a name="line.517"></a>
-<span class="sourceLineNo">518</span> // Nothing to do if authorization is not enabled<a name="line.518"></a>
-<span class="sourceLineNo">519</span> if (!authorizationEnabled) {<a name="line.519"></a>
-<span class="sourceLineNo">520</span> return;<a name="line.520"></a>
-<span class="sourceLineNo">521</span> }<a name="line.521"></a>
-<span class="sourceLineNo">522</span> Region region = e.getEnvironment().getRegion();<a name="line.522"></a>
-<span class="sourceLineNo">523</span> Authorizations authorizations = null;<a name="line.523"></a>
-<span class="sourceLineNo">524</span> try {<a name="line.524"></a>
-<span class="sourceLineNo">525</span> authorizations = scan.getAuthorizations();<a name="line.525"></a>
-<span class="sourceLineNo">526</span> } catch (DeserializationException de) {<a name="line.526"></a>
-<span class="sourceLineNo">527</span> throw new IOException(de);<a name="line.527"></a>
-<span class="sourceLineNo">528</span> }<a name="line.528"></a>
-<span class="sourceLineNo">529</span> if (authorizations == null) {<a name="line.529"></a>
-<span class="sourceLineNo">530</span> // No Authorizations present for this scan/Get!<a name="line.530"></a>
-<span class="sourceLineNo">531</span> // In case of system tables other than "labels" just scan with out visibility check and<a name="line.531"></a>
-<span class="sourceLineNo">532</span> // filtering. Checking visibility labels for META and NAMESPACE table is not needed.<a name="line.532"></a>
-<span class="sourceLineNo">533</span> TableName table = region.getRegionInfo().getTable();<a name="line.533"></a>
-<span class="sourceLineNo">534</span> if (table.isSystemTable() && !table.equals(LABELS_TABLE_NAME)) {<a name="line.534"></a>
-<span class="sourceLineNo">535</span> return;<a name="line.535"></a>
-<span class="sourceLineNo">536</span> }<a name="line.536"></a>
-<span class="sourceLineNo">537</span> }<a name="line.537"></a>
-<span class="sourceLineNo">538</span><a name="line.538"></a>
-<span class="sourceLineNo">539</span> Filter visibilityLabelFilter = VisibilityUtils.createVisibilityLabelFilter(region,<a name="line.539"></a>
-<span class="sourceLineNo">540</span> authorizations);<a name="line.540"></a>
-<span class="sourceLineNo">541</span> if (visibilityLabelFilter != null) {<a name="line.541"></a>
-<span class="sourceLineNo">542</span> Filter filter = scan.getFilter();<a name="line.542"></a>
-<span class="sourceLineNo">543</span> if (filter != null) {<a name="line.543"></a>
-<span class="sourceLineNo">544</span> scan.setFilter(new FilterList(filter, visibilityLabelFilter));<a name="line.544"></a>
-<span class="sourceLineNo">545</span> } else {<a name="line.545"></a>
-<span class="sourceLineNo">546</span> scan.setFilter(visibilityLabelFilter);<a name="line.546"></a>
-<span class="sourceLineNo">547</span> }<a name="line.547"></a>
-<span class="sourceLineNo">548</span> }<a name="line.548"></a>
-<span class="sourceLineNo">549</span> }<a name="line.549"></a>
-<span class="sourceLineNo">550</span><a name="line.550"></a>
-<span class="sourceLineNo">551</span> @Override<a name="line.551"></a>
-<span class="sourceLineNo">552</span> public DeleteTracker postInstantiateDeleteTracker(<a name="line.552"></a>
-<span class="sourceLineNo">553</span> ObserverContext<RegionCoprocessorEnvironment> ctx, DeleteTracker delTracker)<a name="line.553"></a>
-<span class="sourceLineNo">554</span> throws IOException {<a name="line.554"></a>
-<span class="sourceLineNo">555</span> // Nothing to do if we are not filtering by visibility<a name="line.555"></a>
-<span class="sourceLineNo">556</span> if (!authorizationEnabled) {<a name="line.556"></a>
-<span class="sourceLineNo">557</span> return delTracker;<a name="line.557"></a>
-<span class="sourceLineNo">558</span> }<a name="line.558"></a>
-<span class="sourceLineNo">559</span> Region region = ctx.getEnvironment().getRegion();<a name="line.559"></a>
-<span class="sourceLineNo">560</span> TableName table = region.getRegionInfo().getTable();<a name="line.560"></a>
-<span class="sourceLineNo">561</span> if (table.isSystemTable()) {<a name="line.561"></a>
-<span class="sourceLineNo">562</span> return delTracker;<a name="line.562"></a>
-<span class="sourceLineNo">563</span> }<a name="line.563"></a>
-<span class="sourceLineNo">564</span> // We are creating a new type of delete tracker here which is able to track<a name="line.564"></a>
-<span class="sourceLineNo">565</span> // the timestamps and also the<a name="line.565"></a>
-<span class="sourceLineNo">566</span> // visibility tags per cell. The covering cells are determined not only<a name="line.566"></a>
-<span class="sourceLineNo">567</span> // based on the delete type and ts<a name="line.567"></a>
-<span class="sourceLineNo">568</span> // but also on the visibility expression matching.<a name="line.568"></a>
-<span class="sourceLineNo">569</span> return new VisibilityScanDeleteTracker(delTracker.getCellComparator());<a name="line.569"></a>
-<span class="sourceLineNo">570</span> }<a name="line.570"></a>
-<span class="sourceLineNo">571</span><a name="line.571"></a>
-<span class="sourceLineNo">572</span> @Override<a name="line.572"></a>
-<span class="sourceLineNo">573</span> public RegionScanner postScannerOpen(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.573"></a>
-<span class="sourceLineNo">574</span> final Scan scan, final RegionScanner s) throws IOException {<a name="line.574"></a>
-<span class="sourceLineNo">575</span> User user = VisibilityUtils.getActiveUser();<a name="line.575"></a>
-<span class="sourceLineNo">576</span> if (user != null && user.getShortName() != null) {<a name="line.576"></a>
-<span class="sourceLineNo">577</span> scannerOwners.put(s, user.getShortName());<a name="line.577"></a>
-<span class="sourceLineNo">578</span> }<a name="line.578"></a>
-<span class="sourceLineNo">579</span> return s;<a name="line.579"></a>
-<span class="sourceLineNo">580</span> }<a name="line.580"></a>
-<span class="sourceLineNo">581</span><a name="line.581"></a>
-<span class="sourceLineNo">582</span> @Override<a name="line.582"></a>
-<span class="sourceLineNo">583</span> public boolean preScannerNext(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.583"></a>
-<span class="sourceLineNo">584</span> final InternalScanner s, final List<Result> result, final int limit, final boolean hasNext)<a name="line.584"></a>
-<span class="sourceLineNo">585</span> throws IOException {<a name="line.585"></a>
-<span class="sourceLineNo">586</span> requireScannerOwner(s);<a name="line.586"></a>
-<span class="sourceLineNo">587</span> return hasNext;<a name="line.587"></a>
-<span class="sourceLineNo">588</span> }<a name="line.588"></a>
-<span class="sourceLineNo">589</span><a name="line.589"></a>
-<span class="sourceLineNo">590</span> @Override<a name="line.590"></a>
-<span class="sourceLineNo">591</span> public void preScannerClose(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.591"></a>
-<span class="sourceLineNo">592</span> final InternalScanner s) throws IOException {<a name="line.592"></a>
-<span class="sourceLineNo">593</span> requireScannerOwner(s);<a name="line.593"></a>
-<span class="sourceLineNo">594</span> }<a name="line.594"></a>
-<span class="sourceLineNo">595</span><a name="line.595"></a>
-<span class="sourceLineNo">596</span> @Override<a name="line.596"></a>
-<span class="sourceLineNo">597</span> public void postScannerClose(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.597"></a>
-<span class="sourceLineNo">598</span> final InternalScanner s) throws IOException {<a name="line.598"></a>
-<span class="sourceLineNo">599</span> // clean up any associated owner mapping<a name="line.599"></a>
-<span class="sourceLineNo">600</span> scannerOwners.remove(s);<a name="line.600"></a>
-<span class="sourceLineNo">601</span> }<a name="line.601"></a>
-<span class="sourceLineNo">602</span><a name="line.602"></a>
-<span class="sourceLineNo">603</span> /**<a name="line.603"></a>
-<span class="sourceLineNo">604</span> * Verify, when servicing an RPC, that the caller is the scanner owner. If so, we assume that<a name="line.604"></a>
-<span class="sourceLineNo">605</span> * access control is correctly enforced based on the checks performed in preScannerOpen()<a name="line.605"></a>
-<span class="sourceLineNo">606</span> */<a name="line.606"></a>
-<span class="sourceLineNo">607</span> private void requireScannerOwner(InternalScanner s) throws AccessDeniedException {<a name="line.607"></a>
-<span class="sourceLineNo">608</span> if (!RpcServer.isInRpcCallContext())<a name="line.608"></a>
-<span class="sourceLineNo">609</span> return;<a name="line.609"></a>
-<span class="sourceLineNo">610</span> String requestUName = RpcServer.getRequestUserName().orElse(null);<a name="line.610"></a>
-<span class="sourceLineNo">611</span> String owner = scannerOwners.get(s);<a name="line.611"></a>
-<span class="sourceLineNo">612</span> if (authorizationEnabled && owner != null && !owner.equals(requestUName)) {<a name="line.612"></a>
-<span class="sourceLineNo">613</span> throw new AccessDeniedException("User '" + requestUName + "' is not the scanner owner!");<a name="line.613"></a>
-<span class="sourceLineNo">614</span> }<a name="line.614"></a>
-<span class="sourceLineNo">615</span> }<a name="line.615"></a>
-<span class="sourceLineNo">616</span><a name="line.616"></a>
-<span class="sourceLineNo">617</span> @Override<a name="line.617"></a>
-<span class="sourceLineNo">618</span> public void preGetOp(ObserverContext<RegionCoprocessorEnvironment> e, Get get,<a name="line.618"></a>
-<span class="sourceLineNo">619</span> List<Cell> results) throws IOException {<a name="line.619"></a>
-<span class="sourceLineNo">620</span> if (!initialized) {<a name="line.620"></a>
-<span class="sourceLineNo">621</span> throw new VisibilityControllerNotReadyException("VisibilityController not yet initialized");<a name="line.621"></a>
-<span class="sourceLineNo">622</span> }<a name="line.622"></a>
-<span class="sourceLineNo">623</span> // Nothing useful to do if authorization is not enabled<a name="line.623"></a>
-<span class="sourceLineNo">624</span> if (!authorizationEnabled) {<a name="line.624"></a>
-<span class="sourceLineNo">625</span> return;<a name="line.625"></a>
-<span class="sourceLineNo">626</span> }<a name="line.626"></a>
-<span class="sourceLineNo">627</span> Region region = e.getEnvironment().getRegion();<a name="line.627"></a>
-<span class="sourceLineNo">628</span> Authorizations authorizations = null;<a name="line.628"></a>
-<span class="sourceLineNo">629</span> try {<a name="line.629"></a>
-<span class="sourceLineNo">630</span> authorizations = get.getAuthorizations();<a name="line.630"></a>
-<span class="sourceLineNo">631</span> } catch (DeserializationException de) {<a name="line.631"></a>
-<span class="sourceLineNo">632</span> throw new IOException(de);<a name="line.632"></a>
-<span class="sourceLineNo">633</span> }<a name="line.633"></a>
-<span class="sourceLineNo">634</span> if (authorizations == null) {<a name="line.634"></a>
-<span class="sourceLineNo">635</span> // No Authorizations present for this scan/Get!<a name="line.635"></a>
-<span class="sourceLineNo">636</span> // In case of system tables other than "labels" just scan with out visibility check and<a name="line.636"></a>
-<span class="sourceLineNo">637</span> // filtering. Checking visibility labels for META and NAMESPACE table is not needed.<a name="line.637"></a>
-<span class="sourceLineNo">638</span> TableName table = region.getRegionInfo().getTable();<a name="line.638"></a>
-<span class="sourceLineNo">639</span> if (table.isSystemTable() && !table.equals(LABELS_TABLE_NAME)) {<a name="line.639"></a>
-<span class="sourceLineNo">640</span> return;<a name="line.640"></a>
-<span class="sourceLineNo">641</span> }<a name="line.641"></a>
-<span class="sourceLineNo">642</span> }<a name="line.642"></a>
-<span class="sourceLineNo">643</span> Filter visibilityLabelFilter = VisibilityUtils.createVisibilityLabelFilter(e.getEnvironment()<a name="line.643"></a>
-<span class="sourceLineNo">644</span> .getRegion(), authorizations);<a name="line.644"></a>
-<span class="sourceLineNo">645</span> if (visibilityLabelFilter != null) {<a name="line.645"></a>
-<span class="sourceLineNo">646</span> Filter filter = get.getFilter();<a name="line.646"></a>
-<span class="sourceLineNo">647</span> if (filter != null) {<a name="line.647"></a>
-<span class="sourceLineNo">648</span> get.setFilter(new FilterList(filter, visibilityLabelFilter));<a name="line.648"></a>
-<span class="sourceLineNo">649</span> } else {<a name="line.649"></a>
-<span class="sourceLineNo">650</span> get.setFilter(visibilityLabelFilter);<a name="line.650"></a>
-<span class="sourceLineNo">651</span> }<a name="line.651"></a>
-<span class="sourceLineNo">652</span> }<a name="line.652"></a>
-<span class="sourceLineNo">653</span> }<a name="line.653"></a>
-<span class="sourceLineNo">654</span><a name="line.654"></a>
-<span class="sourceLineNo">655</span> private boolean isSystemOrSuperUser() throws IOException {<a name="line.655"></a>
-<span class="sourceLineNo">656</span> return Superusers.isSuperUser(VisibilityUtils.getActiveUser());<a name="line.656"></a>
-<span class="sourceLineNo">657</span> }<a name="line.657"></a>
-<span class="sourceLineNo">658</span><a name="line.658"></a>
-<span class="sourceLineNo">659</span> @Override<a name="line.659"></a>
-<span class="sourceLineNo">660</span> public Result preAppend(ObserverContext<RegionCoprocessorEnvironment> e, Append append)<a name="line.660"></a>
-<span class="sourceLineNo">661</span> throws IOException {<a name="line.661"></a>
-<span class="sourceLineNo">662</span> // If authorization is not enabled, we don't care about reserved tags<a name="line.662"></a>
-<span class="sourceLineNo">663</span> if (!authorizationEnabled) {<a name="line.663"></a>
-<span class="sourceLineNo">664</span> return null;<a name="line.664"></a>
-<span class="sourceLineNo">665</span> }<a name="line.665"></a>
-<span class="sourceLineNo">666</span> for (CellScanner cellScanner = append.cellScanner(); cellScanner.advance();) {<a name="line.666"></a>
-<span class="sourceLineNo">667</span> if (!checkForReservedVisibilityTagPresence(cellScanner.current())) {<a name="line.667"></a>
-<span class="sourceLineNo">668</span> throw new FailedSanityCheckException("Append contains cell with reserved type tag");<a name="line.668"></a>
-<span class="sourceLineNo">669</span> }<a name="line.669"></a>
-<span class="sourceLineNo">670</span> }<a name="line.670"></a>
-<span class="sourceLineNo">671</span> return null;<a name="line.671"></a>
-<span class="sourceLineNo">672</span> }<a name="line.672"></a>
-<span class="sourceLineNo">673</span><a name="line.673"></a>
-<span class="sourceLineNo">674</span> @Override<a name="line.674"></a>
-<span class="sourceLineNo">675</span> public Result preIncrement(ObserverContext<RegionCoprocessorEnvironment> e, Increment increment)<a name="line.675"></a>
-<span class="sourceLineNo">676</span> throws IOException {<a name="line.676"></a>
-<span class="sourceLineNo">677</span> // If authorization is not enabled, we don't care about reserved tags<a name="line.677"></a>
-<span class="sourceLineNo">678</span> if (!authorizationEnabled) {<a name="line.678"></a>
-<span class="sourceLineNo">679</span> return null;<a name="line.679"></a>
-<span class="sourceLineNo">680</span> }<a name="line.680"></a>
-<span class="sourceLineNo">681</span> for (CellScanner cellScanner = increment.cellScanner(); cellScanner.advance();) {<a name="line.681"></a>
-<span class="sourceLineNo">682</span> if (!checkForReservedVisibilityTagPresence(cellScanner.current())) {<a name="line.682"></a>
-<span class="sourceLineNo">683</span> throw new FailedSanityCheckException("Increment contains cell with reserved type tag");<a name="line.683"></a>
-<span class="sourceLineNo">684</span> }<a name="line.684"></a>
-<span class="sourceLineNo">685</span> }<a name="line.685"></a>
-<span class="sourceLineNo">686</span> return null;<a name="line.686"></a>
-<span class="sourceLineNo">687</span> }<a name="line.687"></a>
-<span class="sourceLineNo">688</span><a name="line.688"></a>
-<span class="sourceLineNo">689</span> @Override<a name="line.689"></a>
-<span class="sourceLineNo">690</span> public Cell postMutationBeforeWAL(ObserverContext<RegionCoprocessorEnvironment> ctx,<a name="line.690"></a>
-<span class="sourceLineNo">691</span> MutationType opType, Mutation mutation, Cell oldCell, Cell newCell) throws IOException {<a name="line.691"></a>
-<span class="sourceLineNo">692</span> List<Tag> tags = Lists.newArrayList();<a name="line.692"></a>
-<span class="sourceLineNo">693</span> CellVisibility cellVisibility = null;<a name="line.693"></a>
-<span class="sourceLineNo">694</span> try {<a name="line.694"></a>
-<span class="sourceLineNo">695</span> cellVisibility = mutation.getCellVisibility();<a name="line.695"></a>
-<span class="sourceLineNo">696</span> } catch (DeserializationException e) {<a name="line.696"></a>
-<span class="sourceLineNo">697</span> throw new IOException(e);<a name="line.697"></a>
-<span class="sourceLineNo">698</span> }<a name="line.698"></a>
-<span class="sourceLineNo">699</span> if (cellVisibility == null) {<a name="line.699"></a>
-<span class="sourceLineNo">700</span> return newCell;<a name="line.700"></a>
-<span class="sourceLineNo">701</span> }<a name="line.701"></a>
-<span class="sourceLineNo">702</span> // Prepend new visibility tags to a new list of tags for the cell<a name="line.702"></a>
-<span class="sourceLineNo">703</span> // Don't check user auths for labels with Mutations when the user is super user<a name="line.703"></a>
-<span class="sourceLineNo">704</span> boolean authCheck = authorizationEnabled && checkAuths && !(isSystemOrSuperUser());<a name="line.704"></a>
-<span class="sourceLineNo">705</span> tags.addAll(this.visibilityLabelService.createVisibilityExpTags(cellVisibility.getExpression(),<a name="line.705"></a>
-<span class="sourceLineNo">706</span> true, authCheck));<a name="line.706"></a>
-<span class="sourceLineNo">707</span> // Carry forward all other tags<a name="line.707"></a>
-<span class="sourceLineNo">708</span> Iterator<Tag> tagsItr = PrivateCellUtil.tagsIterator(newCell);<a name="line.708"></a>
-<span class="sourceLineNo">709</span> while (tagsItr.hasNext()) {<a name="line.709"></a>
-<span class="sourceLineNo">710</span> Tag tag = tagsItr.next();<a name="line.710"></a>
-<span class="sourceLineNo">711</span> if (tag.getType() != TagType.VISIBILITY_TAG_TYPE<a name="line.711"></a>
-<span class="sourceLineNo">712</span> && tag.getType() != TagType.VISIBILITY_EXP_SERIALIZATION_FORMAT_TAG_TYPE) {<a name="line.712"></a>
-<span class="sourceLineNo">713</span> tags.add(tag);<a name="line.713"></a>
-<span class="sourceLineNo">714</span> }<a name="line.714"></a>
-<span class="sourceLineNo">715</span> }<a name="line.715"></a>
-<span class="sourceLineNo">716</span><a name="line.716"></a>
-<span class="sourceLineNo">717</span> Cell rewriteCell = PrivateCellUtil.createCell(newCell, tags);<a name="line.717"></a>
-<span class="sourceLineNo">718</span> return rewriteCell;<a name="line.718"></a>
-<span class="sourceLineNo">719</span> }<a name="line.719"></a>
-<span class="sourceLineNo">720</span><a name="line.720"></a>
-<span class="sourceLineNo">721</span> @Override<a name="line.721"></a>
-<span class="sourceLineNo">722</span> public boolean postScannerFilterRow(final ObserverContext<RegionCoprocessorEnvironment> e,<a name="line.722"></a>
-<span class="sourceLineNo">723</span> final InternalScanner s, final Cell curRowCell, final boolean hasMore) throws IOException {<a name="line.723"></a>
-<span class="sourceLineNo">724</span> // 'default' in RegionObserver might do unnecessary copy for Off heap backed Cells.<a name="line.724"></a>
-<span class="sourceLineNo">725</span> return hasMore;<a name="line.725"></a>
-<span class="sourceLineNo">726</span> }<a name="line.726"></a>
-<span class="sourceLineNo">727</span><a name="line.727"></a>
-<span class="sourceLineNo">728</span> /****************************** VisibilityEndpoint service related methods ******************************/<a name="line.728"></a>
-<span class="sourceLineNo">729</span> @Override<a name="line.729"></a>
-<span class="sourceLineNo">730</span> public synchronized void addLabels(RpcController controller, VisibilityLabelsRequest request,<a name="line.730"></a>
-<span class="sourceLineNo">731</span> RpcCallback<VisibilityLabelsResponse> done) {<a name="line.731"></a>
-<span class="sourceLineNo">732</span> VisibilityLabelsResponse.Builder response = VisibilityLabelsResponse.newBuilder();<a name="line.732"></a>
-<span class="sourceLineNo">733</span> List<VisibilityLabel> visLabels = request.getVisLabelList();<a name="line.733"></a>
-<span class="sourceLineNo">734</span> if (!initialized) {<a name="line.734"></a>
-<span class="sourceLineNo">735</span> setExceptionResults(visLabels.size(),<a name="line.735"></a>
-<span class="sourceLineNo">736</span> new VisibilityControllerNotReadyException("VisibilityController not yet initialized!"),<a name="line.736"></a>
-<span class="sourceLineNo">737</span> response);<a name="line.737"></a>
-<span class="sourceLineNo">738</span> } else {<a name="line.738"></a>
-<span class="sourceLineNo">739</span> List<byte[]> labels = new ArrayList<>(visLabels.size());<a name="line.739"></a>
-<span class="sourceLineNo">740</span> try {<a name="line.740"></a>
-<span class="sourceLineNo">741</span> if (authorizationEnabled) {<a name="line.741"></a>
-<span class="sourceLineNo">742</span> checkCallingUserAuth();<a name="line.742"></a>
-<span class="sourceLineNo">743</span> }<a name="line.743"></a>
-<span class="sourceLineNo">744</span> RegionActionResult successResult = RegionActionResult.newBuilder().build();<a name="line.744"></a>
-<span class="sourceLineNo">745</span> for (VisibilityLabel visLabel : visLabels) {<a name="line.745"></a>
-<span class="sourceLineNo">746</span> byte[] label = visLabel.getLabel().toByteArray();<a name="line.746"></a>
-<span class="sourceLineNo">747</span> labels.add(label);<a name="line.747"></a>
-<span class="sourceLineNo">748</span> response.addResult(successResult); // Just mark as success. Later it will get reset<a name="line.748"></a>
-<span class="sourceLineNo">749</span> // based on the result from<a name="line.749"></a>
-<span class="sourceLineNo">750</span> // visibilityLabelService.addLabels ()<a name="line.750"></a>
-<span class="sourceLineNo">751</span> }<a name="line.751"></a>
-<span class="sourceLineNo">752</span> if (!labels.isEmpty()) {<a name="line.752"></a>
-<span class="sourceLineNo">753</span> OperationStatus[] opStatus = this.visibilityLabelService.addLabels(labels);<a name="line.753"></a>
-<span class="sourceLineNo">754</span> logResult(true, "addLabels", "Adding labels allowed", null, labels, null);<a name="line.754"></a>
-<span class="sourceLineNo">755</span> int i = 0;<a name="line.755"></a>
-<span class="sourceLineNo">756</span> for (OperationStatus status : opStatus) {<a name="line.756"></a>
-<span class="sourceLineNo">757</span> while (!Objects.equals(response.getResult(i), successResult)) {<a name="line.757"></a>
-<span class="sourceLineNo">758</span> i++;<a name="line.758"></a>
-<span class="sourceLineNo">759</span> }<a name="line.759"></a>
-<span class="sourceLineNo">760</span> if (status.getOperationStatusCode() != SUCCESS) {<a name="line.760"></a>
-<span class="sourceLineNo">761</span> RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();<a name="line.761"></a>
-<span class="sourceLineNo">762</span> failureResultBuilder.setException(buildException(new DoNotRetryIOException(<a name="line.762"></a>
-<span class="sourceLineNo">763</span> status.getExceptionMsg())));<a name="line.763"></a>
-<span class="sourceLineNo">764</span> response.setResult(i, failureResultBuilder.build());<a name="line.764"></a>
-<span class="sourceLineNo">765</span> }<a name="line.765"></a>
-<span class="sourceLineNo">766</span> i++;<a name="line.766"></a>
-<span class="sourceLineNo">767</span> }<a name="line.767"></a>
-<span class="sourceLineNo">768</span> }<a name="line.768"></a>
-<span class="sourceLineNo">769</span> } catch (AccessDeniedException e) {<a name="line.769"></a>
-<span class="sourceLineNo">770</span> logResult(false, "addLabels", e.getMessage(), null, labels, null);<a name="line.770"></a>
-<span class="sourceLineNo">771</span> LOG.error("User is not having required permissions to add labels", e);<a name="line.771"></a>
-<span class="sourceLineNo">772</span> setExceptionResults(visLabels.size(), e, response);<a name="line.772"></a>
-<span class="sourceLineNo">773</span> } catch (IOException e) {<a name="line.773"></a>
-<span class="sourceLineNo">774</span> LOG.error(e.toString(), e);<a name="line.774"></a>
-<span class="sourceLineNo">775</span> setExceptionResults(visLabels.size(), e, response);<a name="line.775"></a>
-<span class="sourceLineNo">776</span> }<a name="line.776"></a>
-<span class="sourceLineNo">777</span> }<a name="line.777"></a>
-<span class="sourceLineNo">778</span> done.run(response.build());<a name="line.778"></a>
-<span class="sourceLineNo">779</span> }<a name="line.779"></a>
-<span class="sourceLineNo">780</span><a name="line.780"></a>
-<span class="sourceLineNo">781</span> private void setExceptionResults(int size, IOException e,<a name="line.781"></a>
-<span class="sourceLineNo">782</span> VisibilityLabelsResponse.Builder response) {<a name="line.782"></a>
-<span class="sourceLineNo">783</span> RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();<a name="line.783"></a>
-<span class="sourceLineNo">784</span> failureResultBuilder.setException(buildException(e));<a name="line.784"></a>
-<span class="sourceLineNo">785</span> RegionActionResult failureResult = failureResultBuilder.build();<a name="line.785"></a>
-<span class="sourceLineNo">786</span> for (int i = 0; i < size; i++) {<a name="line.786"></a>
-<span class="sourceLineNo">787</span> response.addResult(i, failureResult);<a name="line.787"></a>
-<span class="sourceLineNo">788</span> }<a name="line.788"></a>
-<span class="sourceLineNo">789</span> }<a name="line.789"></a>
-<span class="sourceLineNo">790</span><a name="line.790"></a>
-<span class="sourceLineNo">791</span> @Override<a name="line.791"></a>
-<span class="sourceLineNo">792</span> public synchronized void setAuths(RpcController controller, SetAuthsRequest request,<a name="line.792"></a>
-<span class="sourceLineNo">793</span> RpcCallback<VisibilityLabelsResponse> done) {<a name="line.793"></a>
-<span class="sourceLineNo">794</span> VisibilityLabelsResponse.Builder response = VisibilityLabelsResponse.newBuilder();<a name="line.794"></a>
-<span class="sourceLineNo">795</span> List<ByteString> auths = request.getAuthList();<a name="line.795"></a>
-<span class="sourceLineNo">796</span> if (!initialized) {<a name="line.796"></a>
-<span class="sourceLineNo">797</span> setExceptionResults(auths.size(),<a name="line.797"></a>
-<span class="sourceLineNo">798</span> new VisibilityControllerNotReadyException("VisibilityController not yet initialized!"),<a name="line.798"></a>
-<span class="sourceLineNo">799</span> response);<a name="line.799"></a>
-<span class="sourceLineNo">800</span> } else {<a name="line.800"></a>
-<span class="sourceLineNo">801</span> byte[] user = request.getUser().toByteArray();<a name="line.801"></a>
-<span class="sourceLineNo">802</span> List<byte[]> labelAuths = new ArrayList<>(auths.size());<a name="line.802"></a>
-<span class="sourceLineNo">803</span> try {<a name="line.803"></a>
-<span class="sourceLineNo">804</span> if (authorizationEnabled) {<a name="line.804"></a>
-<span class="sourceLineNo">805</span> checkCallingUserAuth();<a name="line.805"></a>
-<span class="sourceLineNo">806</span> }<a name="line.806"></a>
-<span class="sourceLineNo">807</span> for (ByteString authBS : auths) {<a name="line.807"></a>
-<span class="sourceLineNo">808</span> labelAuths.add(authBS.toByteArray());<a name="line.808"></a>
-<span class="sourceLineNo">809</span> }<a name="line.809"></a>
-<span class="sourceLineNo">810</span> OperationStatus[] opStatus = this.visibilityLabelService.setAuths(user, labelAuths);<a name="line.810"></a>
-<span class="sourceLineNo">811</span> logResult(true, "setAuths", "Setting authorization for labels allowed", user, labelAuths,<a name="line.811"></a>
-<span class="sourceLineNo">812</span> null);<a name="line.812"></a>
-<span class="sourceLineNo">813</span> RegionActionResult successResult = RegionActionResult.newBuilder().build();<a name="line.813"></a>
-<span class="sourceLineNo">814</span> for (OperationStatus status : opStatus) {<a name="line.814"></a>
-<span class="sourceLineNo">815</span> if (status.getOperationStatusCode() == SUCCESS) {<a name="line.815"></a>
-<span class="sourceLineNo">816</span> response.addResult(successResult);<a name="line.816"></a>
-<span class="sourceLineNo">817</span> } else {<a name="line.817"></a>
-<span class="sourceLineNo">818</span> RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();<a name="line.818"></a>
-<span class="sourceLineNo">819</span> failureResultBuilder.setException(buildException(new DoNotRetryIOException(<a name="line.819"></a>
-<span class="sourceLineNo">820</span> status.getExceptionMsg())));<a name="line.820"></a>
-<span class="sourceLineNo">821</span> response.addResult(failureResultBuilder.build());<a name="line.821"></a>
-<span class="sourceLineNo">822</span> }<a name="line.822"></a>
-<span class="sourceLineNo">823</span> }<a name="line.823"></a>
-<span class="sourceLineNo">824</span> } catch (AccessDeniedException e) {<a name="line.824"></a>
-<span class="sourceLineNo">825</span> logResult(false, "setAuths", e.getMessage(), user, labelAuths, null);<a name="line.825"></a>
-<span class="sourceLineNo">826</span> LOG.error("User is not having required permissions to set authorization", e);<a name="line.826"></a>
-<span class="sourceLineNo">827</span> setExceptionResults(auths.size(), e, response);<a name="line.827"></a>
-<span class="sourceLineNo">828</span> } catch (IOException e) {<a name="line.828"></a>
-<span class="sourceLineNo">829</span> LOG.error(e.toString(), e);<a name="line.829"></a>
-<span class="sourceLineNo">830</span> setExceptionResults(auths.size(), e, response);<a name="line.830"></a>
-<span class="sourceLineNo">831</span> }<a name="line.831"></a>
-<span class="sourceLineNo">832</span> }<a name="line.832"></a>
-<span class="sourceLineNo">833</span> done.run(response.build());<a name="line.833"></a>
-<span class="sourceLineNo">834</span> }<a name="line.834"></a>
-<span class="sourceLineNo">835</span><a name="line.835"></a>
-<span class="sourceLineNo">836</span> private void logResult(boolean isAllowed, String request, String reason, byte[] user,<a name="line.836"></a>
-<span class="sourceLineNo">837</span> List<byte[]> labelAuths, String regex) {<a name="line.837"></a>
-<span class="sourceLineNo">838</span> if (AUDITLOG.isTraceEnabled()) {<a name="line.838"></a>
-<span class="sourceLineNo">839</span> // This is more duplicated code!<a name="line.839"></a>
-<span class="sourceLineNo">840</span> List<String> labelAuthsStr = new ArrayList<>();<a name="line.840"></a>
-<span class="sourceLineNo">841</span> if (labelAuths != null) {<a name="line.841"></a>
-<span class="sourceLineNo">842</span> int labelAuthsSize = labelAuths.size();<a name="line.842"></a>
-<span class="sourceLineNo">843</span> labelAuthsStr = new ArrayList<>(labelAuthsSize);<a name="line.843"></a>
-<span class="sourceLineNo">844</span> for (int i = 0; i < labelAuthsSize; i++) {<a name="line.844"></a>
-<span class="sourceLineNo">845</span> labelAuthsStr.add(Bytes.toString(labelAuths.get(i)));<a name="line.845"></a>
-<span class="sourceLineNo">846</span> }<a name="line.846"></a>
-<span class="sourceLineNo">847</span> }<a name="line.847"></a>
-<span class="sourceLineNo">848</span><a name="line.848"></a>
-<span class="sourceLineNo">849</span> User requestingUser = null;<a name="line.849"></a>
-<span class="sourceLineNo">850</span> try {<a name="line.850"></a>
-<span class="sourceLineNo">851</span> requestingUser = VisibilityUtils.getActiveUser();<a name="line.851"></a>
-<span class="sourceLineNo">852</span> } catch (IOException e) {<a name="line.852"></a>
-<span class="sourceLineNo">853</span> LOG.warn("Failed to get active system user.");<a name="line.853"></a>
-<span class="sourceLineNo">854</span> LOG.debug("Details on failure to get active system user.", e);<a name="line.854"></a>
-<span class="sourceLineNo">855</span> }<a name="line.855"></a>
-<span class="sourceLineNo">856</span> AUDITLOG.trace("Access " + (isAllowed ? "allowed" : "denied") + " for user " +<a name="line.856"></a>
-<span class="sourceLineNo">857</span> (requestingUser != null ? requestingUser.getShortName() : "UNKNOWN") + "; reason: " +<a name="line.857"></a>
-<span class="sourceLineNo">858</span> reason + "; remote address: " +<a name="line.858"></a>
-<span class="sourceLineNo">859</span> RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("") + "; request: " +<a name="line.859"></a>
-<span class="sourceLineNo">860</span> request + "; user: " + (user != null ? Bytes.toShort(user) : "null") + "; labels: " +<a name="line.860"></a>
-<span class="sourceLineNo">861</span> labelAuthsStr + "; regex: " + regex);<a name="line.861"></a>
-<span class="sourceLineNo">862</span> }<a name="line.862"></a>
-<span class="sourceLineNo">863</span> }<a name="line.863"></a>
-<span class="sourceLineNo">864</span><a name="line.864"></a>
-<span class="sourceLineNo">865</span> @Override<a name="line.865"></a>
-<span class="sourceLineNo">866</span> public synchronized void getAuths(RpcController controller, GetAuthsRequest request,<a name="line.866"></a>
-<span class="sourceLineNo">867</span> RpcCallback<GetAuthsResponse> done) {<a name="line.867"></a>
-<span class="sourceLineNo">868</span> GetAuthsResponse.Builder response = GetAuthsResponse.newBuilder();<a name="line.868"></a>
-<span class="sourceLineNo">869</span> if (!initialized) {<a name="line.869"></a>
-<span class="sourceLineNo">870</span> controller.setFailed("VisibilityController not yet initialized");<a name="line.870"></a>
-<span class="sourceLineNo">871</span> } else {<a name="line.871"></a>
-<span class="sourceLineNo">872</span> byte[] user = request.getUser().toByteArray();<a name="line.872"></a>
-<span class="sourceLineNo">873</span> List<String> labels = null;<a name="line.873"></a>
-<span class="sourceLineNo">874</span> try {<a name="line.874"></a>
-<span class="sourceLineNo">875</span> // We do ACL check here as we create scanner directly on region. It will not make calls to<a name="line.875"></a>
-<span class="sourceLineNo">876</span> // AccessController CP methods.<a name="line.876"></a>
-<span class="sourceLineNo">877</span> if (authorizationEnabled && accessControllerAvailable && !isSystemOrSuperUser()) {<a name="line.877"></a>
-<span class="sourceLineNo">878</span> User requestingUser = VisibilityUtils.getActiveUser();<a name="line.878"></a>
-<span class="sourceLineNo">879</span> throw new AccessDeniedException("User '"<a name="line.879"></a>
-<span class="sourceLineNo">880</span> + (requestingUser != null ? requestingUser.getShortName() : "null")<a name="line.880"></a>
-<span class="sourceLineNo">881</span> + "' is not authorized to perform this action.");<a name="line.881"></a>
-<span class="sourceLineNo">882</span> }<a name="line.882"></a>
-<span class="sourceLineNo">883</span> if (AuthUtil.isGroupPrincipal(Bytes.toString(user))) {<a name="line.883"></a>
-<span class="sourceLineNo">884</span> String group = AuthUtil.getGroupName(Bytes.toString(user));<a name="line.884"></a>
-<span class="sourceLineNo">885</span> labels = this.visibilityLabelService.getGroupAuths(new String[]{group}, false);<a name="line.885"></a>
-<span class="sourceLineNo">886</span> }<a name="line.886"></a>
-<span class="sourceLineNo">887</span> else {<a name="line.887"></a>
-<span class="sourceLineNo">888</span> labels = this.visibilityLabelService.getUserAuths(user, false);<a name="line.888"></a>
-<span class="sourceLineNo">889</span> }<a name="line.889"></a>
-<span class="sourceLineNo">890</span> logResult(true, "getAuths", "Get authorizations for user allowed", user, null, null);<a name="line.890"></a>
-<span class="sourceLineNo">891</span> } catch (AccessDeniedException e) {<a name="line.891"></a>
-<span class="sourceLineNo">892</span> logResult(false, "getAuths", e.getMessage(), user, null, null);<a name="line.892"></a>
-<span class="sourceLineNo">893</span> CoprocessorRpcUtils.setControllerException(controller, e);<a name="line.893"></a>
-<span class="sourceLineNo">894</span> } catch (IOException e) {<a name="line.894"></a>
-<span class="sourceLineNo">895</span> CoprocessorRpcUtils.setControllerException(controller, e);<a name="line.895"></a>
-<span class="sourceLineNo">896</span> }<a name="line.896"></a>
-<span class="sourceLineNo">897</span> response.setUser(request.getUser());<a name="line.897"></a>
-<span class="sourceLineNo">898</span> if (labels != null) {<a name="line.898"></a>
-<span class="sourceLineNo">899</span> for (String label : labels) {<a name="line.899"></a>
-<span class="sourceLineNo">900</span> response.addAuth(ByteString.copyFrom(Bytes.toBytes(label)));<a name="line.900"></a>
-<span class="sourceLineNo">901</span> }<a name="line.901"></a>
-<span class="sourceLineNo">902</span> }<a name="line.902"></a>
-<span class="sourceLineNo">903</span> }<a name="line.903"></a>
-<span class="sourceLineNo">904</span> done.run(response.build());<a name="line.904"></a>
-<span class="sourceLineNo">905</span> }<a name="line.905"></a>
-<span class="sourceLineNo">906</span><a name="line.906"></a>
-<span class="sourceLineNo">907</span> @Override<a name="line.907"></a>
-<span class="sourceLineNo">908</span> public synchronized void clearAuths(RpcController controller, SetAuthsRequest request,<a name="line.908"></a>
-<span class="sourceLineNo">909</span> RpcCallback<VisibilityLabelsResponse> done) {<a name="line.909"></a>
-<span class="sourceLineNo">910</span> VisibilityLabelsResponse.Builder response = VisibilityLabelsResponse.newBuilder();<a name="line.910"></a>
-<span class="sourceLineNo">911</span> List<ByteString> auths = request.getAuthList();<a name="line.911"></a>
-<span class="sourceLineNo">912</span> if (!initialized) {<a name="line.912"></a>
-<span class="sourceLineNo">913</span> setExceptionResults(auths.size(), new CoprocessorException(<a name="line.913"></a>
-<span class="sourceLineNo">914</span> "VisibilityController not yet initialized"), response);<a name="line.914"></a>
-<span class="sourceLineNo">915</span> } else {<a name="line.915"></a>
-<span class="sourceLineNo">916</span> byte[] requestUser = request.getUser().toByteArray();<a name="line.916"></a>
-<span class="sourceLineNo">917</span> List<byte[]> labelAuths = new ArrayList<>(auths.size());<a name="line.917"></a>
-<span class="sourceLineNo">918</span> try {<a name="line.918"></a>
-<span class="sourceLineNo">919</span> // When AC is ON, do AC based user auth check<a name="line.919"></a>
-<span class="sourceLineNo">920</span> if (authorizationEnabled && accessControllerAvailable && !isSystemOrSuperUser()) {<a name="line.920"></a>
-<span class="sourceLineNo">921</span> User user = VisibilityUtils.getActiveUser();<a name="line.921"></a>
-<span class="sourceLineNo">922</span> throw new AccessDeniedException("User '" + (user != null ? user.getShortName() : "null")<a name="line.922"></a>
-<span class="sourceLineNo">923</span> + " is not authorized to perform this action.");<a name="line.923"></a>
-<span class="sourceLineNo">924</span> }<a name="line.924"></a>
-<span class="sourceLineNo">925</span> if (authorizationEnabled) {<a name="line.925"></a>
-<span class="sourceLineNo">926</span> checkCallingUserAuth(); // When AC is not in place the calling user should have<a name="line.926"></a>
-<span class="sourceLineNo">927</span> // SYSTEM_LABEL auth to do this action.<a name="line.927"></a>
-<span class="sourceLineNo">928</span> }<a name="line.928"></a>
-<span class="sourceLineNo">929</span> for (ByteString authBS : auths) {<a name="line.929"></a>
-<span class="sourceLineNo">930</span> labelAuths.add(authBS.toByteArray());<a name="line.930"></a>
-<span class="sourceLineNo">931</span> }<a name="line.931"></a>
-<span class="sourceLineNo">932</span><a name="line.932"></a>
-<span class="sourceLineNo">933</span> OperationStatus[] opStatus =<a name="line.933"></a>
-<span class="sourceLineNo">934</span> this.visibilityLabelService.clearAuths(requestUser, labelAuths);<a name="line.934"></a>
-<span class="sourceLineNo">935</span> logResult(true, "clearAuths", "Removing authorization for labels allowed", requestUser,<a name="line.935"></a>
-<span class="sourceLineNo">936</span> labelAuths, null);<a name="line.936"></a>
-<span class="sourceLineNo">937</span> RegionActionResult successResult = RegionActionResult.newBuilder().build();<a name="line.937"></a>
-<span class="sourceLineNo">938</span> for (OperationStatus status : opStatus) {<a name="line.938"></a>
-<span class="sourceLineNo">939</span> if (status.getOperationStatusCode() == SUCCESS) {<a name="line.939"></a>
-<span class="sourceLineNo">940</span> response.addResult(successResult);<a name="line.940"></a>
-<span class="sourceLineNo">941</span> } else {<a name="line.941"></a>
-<span class="sourceLineNo">942</span> RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();<a name="line.942"></a>
-<span class="sourceLineNo">943</span> failureResultBuilder.setException(buildException(new DoNotRetryIOException(<a name="line.943"></a>
-<span class="sourceLineNo">944</span> status.getExceptionMsg())));<a name="line.944"></a>
-<span class="sourceLineNo">945</span> response.addResult(failureResultBuilder.build());<a name="line.945"></a>
-<span class="sourceLineNo">946</span> }<a name="line.946"></a>
-<span class="sourceLineNo">947</span> }<a name="line.947"></a>
-<span class="sourceLineNo">948</span> } catch (AccessDeniedException e) {<a name="line.948"></a>
-<span class="sourceLineNo">949</span> logResult(false, "clearAuths", e.getMessage(), requestUser, labelAuths, null);<a name="line.949"></a>
-<span class="sourceLineNo">950</span> LOG.error("User is not having required permissions to clear authorization", e);<a name="line.950"></a>
-<span class="sourceLineNo">951</span> setExceptionResults(auths.size(), e, response);<a name="line.951"></a>
-<span class="sourceLineNo">952</span> } catch (IOException e) {<a name="line.952"></a>
-<span class="sourceLineNo">953</span> LOG.error(e.toString(), e);<a name="line.953"></a>
-<span class="sourceLineNo">954</span> setExceptionResults(auths.size(), e, response);<a name="line.954"></a>
-<span class="sourceLineNo">955</span> }<a name="line.955"></a>
-<span class="sourceLineNo">956</span> }<a name="line.956"></a>
-<span class="sourceLineNo">957</span> done.run(response.build());<a name="line.957"></a>
-<span class="sourceLineNo">958</span> }<a name="line.958"></a>
-<span class="sourceLineNo">959</span><a name="line.959"></a>
-<span class="sourceLineNo">960</span> @Override<a name="line.960"></a>
-<span class="sourceLineNo">961</span> public synchronized void listLabels(RpcController controller, ListLabelsRequest request,<a name="line.961"></a>
-<span class="sourceLineNo">962</span> RpcCallback<ListLabelsResponse> done) {<a name="line.962"></a>
-<span class="sourceLineNo">963</span> ListLabelsResponse.Builder response = ListLabelsResponse.newBuilder();<a name="line.963"></a>
-<span class="sourceLineNo">964</span> if (!initialized) {<a name="line.964"></a>
-<span class="sourceLineNo">965</span> controller.setFailed("VisibilityController not yet initialized");<a name="line.965"></a>
-<span class="sourceLineNo">966</span> } else {<a name="line.966"></a>
-<span class="sourceLineNo">967</span> List<String> labels = null;<a name="line.967"></a>
-<span class="sourceLineNo">968</span> String regex = request.hasRegex() ? request.getRegex() : null;<a name="line.968"></a>
-<span class="sourceLineNo">969</span> try {<a name="line.969"></a>
-<span class="sourceLineNo">970</span> // We do ACL check here as we create scanner directly on region. It will not make calls to<a name="line.970"></a>
-<span class="sourceLineNo">971</span> // AccessController CP methods.<a name="line.971"></a>
-<span class="sourceLineNo">972</span> if (authorizationEnabled && accessControllerAvailable && !isSystemOrSuperUser()) {<a name="line.972"></a>
-<span class="sourceLineNo">973</span> User requestingUser = VisibilityUtils.getActiveUser();<a name="line.973"></a>
-<span class="sourceLineNo">974</span> throw new AccessDeniedException("User '"<a name="line.974"></a>
-<span class="sourceLineNo">975</span> + (requestingUser != null ? requestingUser.getShortName() : "null")<a name="line.975"></a>
-<span class="sourceLineNo">976</span> + "' is not authorized to perform this action.");<a name="line.976"></a>
-<span class="sourceLineNo">977</span> }<a name="line.977"></a>
-<span class="sourceLineNo">978</span> labels = this.visibilityLabelService.listLabels(regex);<a name="line.978"></a>
-<span class="sourceLineNo">979</span> logResult(false, "listLabels", "Listing labels allowed", null, null, regex);<a name="line.979"></a>
-<span class="sourceLineNo">980</span> } catch (AccessDeniedException e) {<a name="line.980"></a>
-<span class="sourceLineNo">981</span> logResult(false, "listLabels", e.getMessage(), null, null, regex);<a name="line.981"></a>
-<span class="sourceLineNo">982</span> CoprocessorRpcUtils.setControllerException(controller, e);<a name="line.982"></a>
-<span class="sourceLineNo">983</span> } catch (IOException e) {<a name="line.983"></a>
-<span class="sourceLineNo">984</span> CoprocessorRpcUtils.setControllerException(controller, e);<a name="line.984"></a>
-<span class="sourceLineNo">985</span> }<a name="line.985"></a>
-<span class="sourceLineNo">986</span> if (labels != null && !labels.isEmpty()) {<a name="line.986"></a>
-<span class="sourceLineNo">987</span> for (String label : labels) {<a name="line.987"></a>
-<span class="sourceLineNo">988</span> response.addLabel(ByteString.copyFrom(Bytes.toBytes(label)));<a name="line.988"></a>
-<span class="sourceLineNo">989</span> }<a name="line.989"></a>
-<span class="sourceLineNo">990</span> }<a name="line.990"></a>
-<span class="sourceLineNo">991</span> }<a name="line.991"></a>
-<span class="sourceLineNo">992</span> done.run(response.build());<a name="line.992"></a>
-<span class="sourceLineNo">993</span> }<a name="line.993"></a>
-<span class="sourceLineNo">994</span><a name="line.994"></a>
-<span class="sourceLineNo">995</span> private void checkCallingUserAuth() throws IOException {<a name="line.995"></a>
-<span class="sourceLineNo">996</span> if (!authorizationEnabled) { // Redundant, but just in case<a name="line.996"></a>
-<span class="sourceLineNo">997</span> return;<a name="line.997"></a>
-<span class="sourceLineNo">998</span> }<a name="line.998"></a>
-<span class="sourceLineNo">999</span> if (!accessControllerAvailable) {<a name="line.999"></a>
-<span class="sourceLineNo">1000</span> User user = VisibilityUtils.getActiveUser();<a name="line.1000"></a>
-<span class="sourceLineNo">1001</span> if (user == null) {<a name="line.1001"></a>
-<span class="sourceLineNo">1002</span> throw new IOException("Unable to retrieve calling user");<a name="line.1002"></a>
-<span class="sourceLineNo">1003</span> }<a name="line.1003"></a>
-<span class="sourceLineNo">1004</span> if (!(this.visibilityLabelService.havingSystemAuth(user))) {<a name="line.1004"></a>
-<span class="sourceLineNo">1005</span> throw new AccessDeniedException("User '" + user.getShortName()<a name="line.1005"></a>
-<span class="sourceLineNo">1006</span> + "' is not authorized to perform this action.");<a name="line.1006"></a>
-<span class="sourceLineNo">1007</span> }<a name="line.1007"></a>
-<span class="sourceLineNo">1008</span> }<a name="line.1008"></a>
-<span class="sourceLineNo">1009</span> }<a name="line.1009"></a>
-<span class="sourceLineNo">1010</span><a name="line.1010"></a>
-<span class="sourceLineNo">1011</span> private static class DeleteVersionVisibilityExpressionFilter extends FilterBase {<a name="line.1011"></a>
-<span class="sourceLineNo">1012</span> private List<Tag> deleteCellVisTags;<a name="line.1012"></a>
-<span class="sourceLineNo">1013</span> private Byte deleteCellVisTagsFormat;<a name="line.1013"></a>
-<span class="sourceLineNo">1014</span><a name="line.1014"></a>
-<span class="sourceLineNo">1015</span> public DeleteVersionVisibilityExpressionFilter(List<Tag> deleteCellVisTags,<a name="line.1015"></a>
-<span class="sourceLineNo">1016</span> Byte deleteCellVisTagsFormat) {<a name="line.1016"></a>
-<span class="sourceLineNo">1017</span> this.deleteCellVisTags = deleteCellVisTags;<a name="line.1017"></a>
-<span class="sourceLineNo">1018</span> this.deleteCellVisTagsFormat = deleteCellVisTagsFormat;<a name="line.1018"></a>
-<span class="sourceLineNo">1019</span> }<a name="line.1019"></a>
-<span class="sourceLineNo">1020</span><a name="line.1020"></a>
-<span class="sourceLineNo">1021</span> @Override<a name="line.1021"></a>
-<span class="sourceLineNo">1022</span> public boolean filterRowKey(Cell cell) throws IOException {<a name="line.1022"></a>
-<span class="sourceLineNo">1023</span> // Impl in FilterBase might do unnecessary copy for Off heap backed Cells.<a name="line.1023"></a>
-<span class="sourceLineNo">1024</span> return false;<a name="line.1024"></a>
-<span class="sourceLineNo">1025</span> }<a name="line.1025"></a>
-<span class="sourceLineNo">1026</span><a name="line.1026"></a>
-<span class="sourceLineNo">1027</span> @Override<a name="line.1027"></a>
-<span class="sourceLineNo">1028</span> public ReturnCode filterCell(final Cell cell) throws IOException {<a name="line.1028"></a>
-<span class="sourceLineNo">1029</span> List<Tag> putVisTags = new ArrayList<>();<a name="line.1029"></a>
-<span class="sourceLineNo">1030</span> Byte putCellVisTagsFormat = VisibilityUtils.extractVisibilityTags(cell, putVisTags);<a name="line.1030"></a>
-<span class="sourceLineNo">1031</span> if (putVisTags.isEmpty() && deleteCellVisTags.isEmpty()) {<a name="line.1031"></a>
-<span class="sourceLineNo">1032</span> // Early out if there are no tags in the cell<a name="line.1032"></a>
-<span class="sourceLineNo">1033</span> return ReturnCode.INCLUDE;<a name="line.1033"></a>
-<span class="sourceLineNo">1034</span> }<a name="line.1034"></a>
-<span class="sourceLineNo">1035</span> boolean matchFound = VisibilityLabelServiceManager<a name="line.1035"></a>
-<span class="sourceLineNo">1036</span> .getInstance().getVisibilityLabelService()<a name="line.1036"></a>
-<span class="sourceLineNo">1037</span> .matchVisibility(putVisTags, putCellVisTagsFormat, deleteCellVisTags,<a name="line.1037"></a>
-<span class="sourceLineNo">1038</span> deleteCellVisTagsFormat);<a name="line.1038"></a>
-<span class="sourceLineNo">1039</span> return matchFound ? ReturnCode.INCLUDE : ReturnCode.SKIP;<a name="line.1039"></a>
-<span class="sourceLineNo">1040</span> }<a name="line.1040"></a>
-<span class="sourceLineNo">1041</span><a name="line.1041"></a>
-<span class="sourceLineNo">1042</span> @Override<a name="line.1042"></a>
-<span class="sourceLineNo">1043</span> public boolean equals(Object obj) {<a name="line.1043"></a>
-<span class="sourceLineNo">1044</span> if (!(obj instanceof DeleteVersionVisibilityExpressionFilter)) {<a name="line.1044"></a>
-<span class="sourceLineNo">1045</span> return false;<a name="line.1045"></a>
-<span class="sourceLineNo">1046</span> }<a name="line.1046"></a>
-<span class="sourceLineNo">1047</span> if (this == obj){<a name="line.1047"></a>
-<span class="sourceLineNo">1048</span> return true;<a name="line.1048"></a>
-<span class="sourceLineNo">1049</span> }<a name="line.1049"></a>
-<span class="sourceLineNo">1050</span> DeleteVersionVisibilityExpressionFilter f = (DeleteVersionVisibilityExpressionFilter)obj;<a name="line.1050"></a>
-<span class="sourceLineNo">1051</span> return this.deleteCellVisTags.equals(f.deleteCellVisTags) &&<a name="line.1051"></a>
-<span class="sourceLineNo">1052</span> this.deleteCellVisTagsFormat.equals(f.deleteCellVisTagsFormat);<a name="line.1052"></a>
-<span class="sourceLineNo">1053</span> }<a name="line.1053"></a>
-<span class="sourceLineNo">1054</span><a name="line.1054"></a>
-<span class="sourceLineNo">1055</span> @Override<a name="line.1055"></a>
-<span class="sourceLineNo">1056</span> public int hashCode() {<a name="line.1056"></a>
-<span class="sourceLineNo">1057</span> return Objects.hash(this.deleteCellVisTags, this.deleteCellVisTagsFormat);<a name="line.1057"></a>
-<span class="sourceLineNo">1058</span> }<a name="line.1058"></a>
-<span class="sourceLineNo">1059</span> }<a name="line.1059"></a>
-<span class="sourceLineNo">1060</span><a name="line.1060"></a>
-<span class="sourceLineNo">1061</span> /**<a name="line.1061"></a>
-<span class="sourceLineNo">1062</span> * @param t<a name="line.1062"></a>
-<span class="sourceLineNo">1063</span> * @return NameValuePair of the exception name to stringified version os exception.<a name="line.1063"></a>
-<span class="sourceLineNo">1064</span> */<a name="line.1064"></a>
-<span class="sourceLineNo">1065</span> // Copied from ResponseConverter and made private. Only used in here.<a name="line.1065"></a>
-<span class="sourceLineNo">1066</span> private static NameBytesPair buildException(final Throwable t) {<a name="line.1066"></a>
-<span class="sourceLineNo">1067</span> NameBytesPair.Builder parameterBuilder = NameBytesPair.newBuilder();<a name="line.1067"></a>
-<span class="sourceLineNo">1068</span> parameterBuilder.setName(t.getClass().getName());<a name="line.1068"></a>
-<span class="sourceLineNo">1069</span> parameterBuilder.setValue(<a name="line.1069"></a>
-<span class="sourceLineNo">1070</span> ByteString.copyFromUtf8(StringUtils.stringifyException(t)));<a name="line.1070"></a>
-<span class="sourceLineNo">1071</span> return parameterBuilder.build();<a name="line.1071"></a>
-<span class="sourceLineNo">1072</span> }<a name="line.1072"></a>
-<span class="sourceLineNo">1073</span>}<a name="line.1073"></a>
+<span class="sourceLineNo">237</span> return newDescriptor;<a name="line.237"></a>
+<span class="sourceLineNo">238</span> }<a name="line.238"></a>
+<span class="sourceLineNo">239</span><a name="line.239"></a>
+<span class="sourceLineNo">240</span> @Override<a name="line.240"></a>
+<span class="sourceLineNo">241</span> public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> ctx, TableName tableName)<a name="line.241"></a>
+<span class="sourceLineNo">242</span> throws IOException {<a name="line.242"></a>
+<span class="sourceLineNo">243</span> if (!authorizationEnabled) {<a name="line.243"></a>
+<span class="sourceLineNo">244</span> return;<a name="line.244"></a>
+<span class="sourceLineNo">245</span> }<a name="line.245"></a>
+<span class="sourceLineNo">246</span> if (LABEL
<TRUNCATED>