You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hbase.apache.org by gi...@apache.org on 2018/05/29 14:48:22 UTC
[16/28] hbase-site git commit: Published site at
42be553433775c5985f6c68f8178e51afb0a402e.
http://git-wip-us.apache.org/repos/asf/hbase-site/blob/b1ff7c99/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessController.OpType.html
----------------------------------------------------------------------
diff --git a/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessController.OpType.html b/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessController.OpType.html
index 7149b2e..d7e2bf4 100644
--- a/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessController.OpType.html
+++ b/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessController.OpType.html
@@ -977,24 +977,24 @@
<span class="sourceLineNo">969</span><a name="line.969"></a>
<span class="sourceLineNo">970</span> @Override<a name="line.970"></a>
<span class="sourceLineNo">971</span> public void preModifyTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName,<a name="line.971"></a>
-<span class="sourceLineNo">972</span> TableDescriptor htd) throws IOException {<a name="line.972"></a>
+<span class="sourceLineNo">972</span> TableDescriptor currentDesc, TableDescriptor newDesc) throws IOException {<a name="line.972"></a>
<span class="sourceLineNo">973</span> // TODO: potentially check if this is a add/modify/delete column operation<a name="line.973"></a>
<span class="sourceLineNo">974</span> requirePermission(c, "modifyTable",<a name="line.974"></a>
<span class="sourceLineNo">975</span> tableName, null, null, Action.ADMIN, Action.CREATE);<a name="line.975"></a>
<span class="sourceLineNo">976</span> }<a name="line.976"></a>
<span class="sourceLineNo">977</span><a name="line.977"></a>
<span class="sourceLineNo">978</span> @Override<a name="line.978"></a>
-<span class="sourceLineNo">979</span> public void postModifyTable(ObserverContext<MasterCoprocessorEnvironment> c,<a name="line.979"></a>
-<span class="sourceLineNo">980</span> TableName tableName, final TableDescriptor htd) throws IOException {<a name="line.980"></a>
+<span class="sourceLineNo">979</span> public void postModifyTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName,<a name="line.979"></a>
+<span class="sourceLineNo">980</span> TableDescriptor oldDesc, TableDescriptor currentDesc) throws IOException {<a name="line.980"></a>
<span class="sourceLineNo">981</span> final Configuration conf = c.getEnvironment().getConfiguration();<a name="line.981"></a>
<span class="sourceLineNo">982</span> // default the table owner to current user, if not specified.<a name="line.982"></a>
-<span class="sourceLineNo">983</span> final String owner = (htd.getOwnerString() != null) ? htd.getOwnerString() :<a name="line.983"></a>
+<span class="sourceLineNo">983</span> final String owner = (currentDesc.getOwnerString() != null) ? currentDesc.getOwnerString() :<a name="line.983"></a>
<span class="sourceLineNo">984</span> getActiveUser(c).getShortName();<a name="line.984"></a>
<span class="sourceLineNo">985</span> User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {<a name="line.985"></a>
<span class="sourceLineNo">986</span> @Override<a name="line.986"></a>
<span class="sourceLineNo">987</span> public Void run() throws Exception {<a name="line.987"></a>
<span class="sourceLineNo">988</span> UserPermission userperm = new UserPermission(Bytes.toBytes(owner),<a name="line.988"></a>
-<span class="sourceLineNo">989</span> htd.getTableName(), null, Action.values());<a name="line.989"></a>
+<span class="sourceLineNo">989</span> currentDesc.getTableName(), null, Action.values());<a name="line.989"></a>
<span class="sourceLineNo">990</span> try (Table table = c.getEnvironment().getConnection().<a name="line.990"></a>
<span class="sourceLineNo">991</span> getTable(AccessControlLists.ACL_TABLE_NAME)) {<a name="line.991"></a>
<span class="sourceLineNo">992</span> AccessControlLists.addUserPermission(conf, userperm, table);<a name="line.992"></a>
@@ -1241,1361 +1241,1359 @@
<span class="sourceLineNo">1233</span><a name="line.1233"></a>
<span class="sourceLineNo">1234</span> @Override<a name="line.1234"></a>
<span class="sourceLineNo">1235</span> public void preModifyNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1235"></a>
-<span class="sourceLineNo">1236</span> NamespaceDescriptor ns) throws IOException {<a name="line.1236"></a>
+<span class="sourceLineNo">1236</span> NamespaceDescriptor currentNsDesc, NamespaceDescriptor newNsDesc) throws IOException {<a name="line.1236"></a>
<span class="sourceLineNo">1237</span> // We require only global permission so that<a name="line.1237"></a>
<span class="sourceLineNo">1238</span> // a user with NS admin cannot altering namespace configurations. i.e. namespace quota<a name="line.1238"></a>
-<span class="sourceLineNo">1239</span> requireGlobalPermission(ctx, "modifyNamespace",<a name="line.1239"></a>
-<span class="sourceLineNo">1240</span> Action.ADMIN, ns.getName());<a name="line.1240"></a>
-<span class="sourceLineNo">1241</span> }<a name="line.1241"></a>
-<span class="sourceLineNo">1242</span><a name="line.1242"></a>
-<span class="sourceLineNo">1243</span> @Override<a name="line.1243"></a>
-<span class="sourceLineNo">1244</span> public void preGetNamespaceDescriptor(ObserverContext<MasterCoprocessorEnvironment> ctx, String namespace)<a name="line.1244"></a>
-<span class="sourceLineNo">1245</span> throws IOException {<a name="line.1245"></a>
-<span class="sourceLineNo">1246</span> requireNamespacePermission(ctx, "getNamespaceDescriptor",<a name="line.1246"></a>
-<span class="sourceLineNo">1247</span> namespace, Action.ADMIN);<a name="line.1247"></a>
-<span class="sourceLineNo">1248</span> }<a name="line.1248"></a>
-<span class="sourceLineNo">1249</span><a name="line.1249"></a>
-<span class="sourceLineNo">1250</span> @Override<a name="line.1250"></a>
-<span class="sourceLineNo">1251</span> public void postListNamespaceDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1251"></a>
-<span class="sourceLineNo">1252</span> List<NamespaceDescriptor> descriptors) throws IOException {<a name="line.1252"></a>
-<span class="sourceLineNo">1253</span> // Retains only those which passes authorization checks, as the checks weren't done as part<a name="line.1253"></a>
-<span class="sourceLineNo">1254</span> // of preGetTableDescriptors.<a name="line.1254"></a>
-<span class="sourceLineNo">1255</span> Iterator<NamespaceDescriptor> itr = descriptors.iterator();<a name="line.1255"></a>
-<span class="sourceLineNo">1256</span> User user = getActiveUser(ctx);<a name="line.1256"></a>
-<span class="sourceLineNo">1257</span> while (itr.hasNext()) {<a name="line.1257"></a>
-<span class="sourceLineNo">1258</span> NamespaceDescriptor desc = itr.next();<a name="line.1258"></a>
-<span class="sourceLineNo">1259</span> try {<a name="line.1259"></a>
-<span class="sourceLineNo">1260</span> accessChecker.requireNamespacePermission(user, "listNamespaces",<a name="line.1260"></a>
-<span class="sourceLineNo">1261</span> desc.getName(), Action.ADMIN);<a name="line.1261"></a>
-<span class="sourceLineNo">1262</span> } catch (AccessDeniedException e) {<a name="line.1262"></a>
-<span class="sourceLineNo">1263</span> itr.remove();<a name="line.1263"></a>
-<span class="sourceLineNo">1264</span> }<a name="line.1264"></a>
-<span class="sourceLineNo">1265</span> }<a name="line.1265"></a>
-<span class="sourceLineNo">1266</span> }<a name="line.1266"></a>
-<span class="sourceLineNo">1267</span><a name="line.1267"></a>
-<span class="sourceLineNo">1268</span> @Override<a name="line.1268"></a>
-<span class="sourceLineNo">1269</span> public void preTableFlush(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1269"></a>
-<span class="sourceLineNo">1270</span> final TableName tableName) throws IOException {<a name="line.1270"></a>
-<span class="sourceLineNo">1271</span> // Move this ACL check to MasterFlushTableProcedureManager#checkPermissions as part of AC<a name="line.1271"></a>
-<span class="sourceLineNo">1272</span> // deprecation.<a name="line.1272"></a>
-<span class="sourceLineNo">1273</span> requirePermission(ctx, "flushTable", tableName,<a name="line.1273"></a>
-<span class="sourceLineNo">1274</span> null, null, Action.ADMIN, Action.CREATE);<a name="line.1274"></a>
-<span class="sourceLineNo">1275</span> }<a name="line.1275"></a>
-<span class="sourceLineNo">1276</span><a name="line.1276"></a>
-<span class="sourceLineNo">1277</span> @Override<a name="line.1277"></a>
-<span class="sourceLineNo">1278</span> public void preSplitRegion(<a name="line.1278"></a>
-<span class="sourceLineNo">1279</span> final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1279"></a>
-<span class="sourceLineNo">1280</span> final TableName tableName,<a name="line.1280"></a>
-<span class="sourceLineNo">1281</span> final byte[] splitRow) throws IOException {<a name="line.1281"></a>
-<span class="sourceLineNo">1282</span> requirePermission(ctx, "split", tableName,<a name="line.1282"></a>
-<span class="sourceLineNo">1283</span> null, null, Action.ADMIN);<a name="line.1283"></a>
-<span class="sourceLineNo">1284</span> }<a name="line.1284"></a>
-<span class="sourceLineNo">1285</span><a name="line.1285"></a>
-<span class="sourceLineNo">1286</span> @Override<a name="line.1286"></a>
-<span class="sourceLineNo">1287</span> public void preClearDeadServers(ObserverContext<MasterCoprocessorEnvironment> ctx)<a name="line.1287"></a>
-<span class="sourceLineNo">1288</span> throws IOException {<a name="line.1288"></a>
-<span class="sourceLineNo">1289</span> requirePermission(ctx, "clearDeadServers", Action.ADMIN);<a name="line.1289"></a>
-<span class="sourceLineNo">1290</span> }<a name="line.1290"></a>
-<span class="sourceLineNo">1291</span><a name="line.1291"></a>
-<span class="sourceLineNo">1292</span> @Override<a name="line.1292"></a>
-<span class="sourceLineNo">1293</span> public void preDecommissionRegionServers(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1293"></a>
-<span class="sourceLineNo">1294</span> List<ServerName> servers, boolean offload) throws IOException {<a name="line.1294"></a>
-<span class="sourceLineNo">1295</span> requirePermission(ctx, "decommissionRegionServers", Action.ADMIN);<a name="line.1295"></a>
-<span class="sourceLineNo">1296</span> }<a name="line.1296"></a>
-<span class="sourceLineNo">1297</span><a name="line.1297"></a>
-<span class="sourceLineNo">1298</span> @Override<a name="line.1298"></a>
-<span class="sourceLineNo">1299</span> public void preListDecommissionedRegionServers(ObserverContext<MasterCoprocessorEnvironment> ctx)<a name="line.1299"></a>
-<span class="sourceLineNo">1300</span> throws IOException {<a name="line.1300"></a>
-<span class="sourceLineNo">1301</span> requirePermission(ctx, "listDecommissionedRegionServers",<a name="line.1301"></a>
-<span class="sourceLineNo">1302</span> Action.ADMIN);<a name="line.1302"></a>
-<span class="sourceLineNo">1303</span> }<a name="line.1303"></a>
-<span class="sourceLineNo">1304</span><a name="line.1304"></a>
-<span class="sourceLineNo">1305</span> @Override<a name="line.1305"></a>
-<span class="sourceLineNo">1306</span> public void preRecommissionRegionServer(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1306"></a>
-<span class="sourceLineNo">1307</span> ServerName server, List<byte[]> encodedRegionNames) throws IOException {<a name="line.1307"></a>
-<span class="sourceLineNo">1308</span> requirePermission(ctx, "recommissionRegionServers", Action.ADMIN);<a name="line.1308"></a>
-<span class="sourceLineNo">1309</span> }<a name="line.1309"></a>
-<span class="sourceLineNo">1310</span><a name="line.1310"></a>
-<span class="sourceLineNo">1311</span> @Override<a name="line.1311"></a>
-<span class="sourceLineNo">1312</span> public void preMoveServersAndTables(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1312"></a>
-<span class="sourceLineNo">1313</span> Set<Address> servers, Set<TableName> tables, String targetGroup) throws IOException {<a name="line.1313"></a>
-<span class="sourceLineNo">1314</span> requirePermission(ctx, "moveServersAndTables", Action.ADMIN);<a name="line.1314"></a>
-<span class="sourceLineNo">1315</span> }<a name="line.1315"></a>
-<span class="sourceLineNo">1316</span><a name="line.1316"></a>
-<span class="sourceLineNo">1317</span> @Override<a name="line.1317"></a>
-<span class="sourceLineNo">1318</span> public void preMoveServers(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1318"></a>
-<span class="sourceLineNo">1319</span> Set<Address> servers, String targetGroup) throws IOException {<a name="line.1319"></a>
-<span class="sourceLineNo">1320</span> requirePermission(ctx, "moveServers", Action.ADMIN);<a name="line.1320"></a>
-<span class="sourceLineNo">1321</span> }<a name="line.1321"></a>
-<span class="sourceLineNo">1322</span><a name="line.1322"></a>
-<span class="sourceLineNo">1323</span> @Override<a name="line.1323"></a>
-<span class="sourceLineNo">1324</span> public void preMoveTables(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1324"></a>
-<span class="sourceLineNo">1325</span> Set<TableName> tables, String targetGroup) throws IOException {<a name="line.1325"></a>
-<span class="sourceLineNo">1326</span> requirePermission(ctx, "moveTables", Action.ADMIN);<a name="line.1326"></a>
-<span class="sourceLineNo">1327</span> }<a name="line.1327"></a>
-<span class="sourceLineNo">1328</span><a name="line.1328"></a>
-<span class="sourceLineNo">1329</span> @Override<a name="line.1329"></a>
-<span class="sourceLineNo">1330</span> public void preAddRSGroup(final ObserverContext<MasterCoprocessorEnvironment> ctx, String name)<a name="line.1330"></a>
-<span class="sourceLineNo">1331</span> throws IOException {<a name="line.1331"></a>
-<span class="sourceLineNo">1332</span> requirePermission(ctx, "addRSGroup", Action.ADMIN);<a name="line.1332"></a>
-<span class="sourceLineNo">1333</span> }<a name="line.1333"></a>
-<span class="sourceLineNo">1334</span><a name="line.1334"></a>
-<span class="sourceLineNo">1335</span> @Override<a name="line.1335"></a>
-<span class="sourceLineNo">1336</span> public void preRemoveRSGroup(final ObserverContext<MasterCoprocessorEnvironment> ctx, String name)<a name="line.1336"></a>
-<span class="sourceLineNo">1337</span> throws IOException {<a name="line.1337"></a>
-<span class="sourceLineNo">1338</span> requirePermission(ctx, "removeRSGroup", Action.ADMIN);<a name="line.1338"></a>
-<span class="sourceLineNo">1339</span> }<a name="line.1339"></a>
-<span class="sourceLineNo">1340</span><a name="line.1340"></a>
-<span class="sourceLineNo">1341</span> @Override<a name="line.1341"></a>
-<span class="sourceLineNo">1342</span> public void preBalanceRSGroup(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1342"></a>
-<span class="sourceLineNo">1343</span> String groupName) throws IOException {<a name="line.1343"></a>
-<span class="sourceLineNo">1344</span> requirePermission(ctx, "balanceRSGroup", Action.ADMIN);<a name="line.1344"></a>
-<span class="sourceLineNo">1345</span> }<a name="line.1345"></a>
-<span class="sourceLineNo">1346</span><a name="line.1346"></a>
-<span class="sourceLineNo">1347</span> @Override<a name="line.1347"></a>
-<span class="sourceLineNo">1348</span> public void preRemoveServers(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1348"></a>
-<span class="sourceLineNo">1349</span> Set<Address> servers) throws IOException {<a name="line.1349"></a>
-<span class="sourceLineNo">1350</span> requirePermission(ctx, "removeServers", Action.ADMIN);<a name="line.1350"></a>
-<span class="sourceLineNo">1351</span> }<a name="line.1351"></a>
+<span class="sourceLineNo">1239</span> requireGlobalPermission(ctx, "modifyNamespace", Action.ADMIN, newNsDesc.getName());<a name="line.1239"></a>
+<span class="sourceLineNo">1240</span> }<a name="line.1240"></a>
+<span class="sourceLineNo">1241</span><a name="line.1241"></a>
+<span class="sourceLineNo">1242</span> @Override<a name="line.1242"></a>
+<span class="sourceLineNo">1243</span> public void preGetNamespaceDescriptor(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1243"></a>
+<span class="sourceLineNo">1244</span> String namespace) throws IOException {<a name="line.1244"></a>
+<span class="sourceLineNo">1245</span> requireNamespacePermission(ctx, "getNamespaceDescriptor", namespace, Action.ADMIN);<a name="line.1245"></a>
+<span class="sourceLineNo">1246</span> }<a name="line.1246"></a>
+<span class="sourceLineNo">1247</span><a name="line.1247"></a>
+<span class="sourceLineNo">1248</span> @Override<a name="line.1248"></a>
+<span class="sourceLineNo">1249</span> public void postListNamespaceDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1249"></a>
+<span class="sourceLineNo">1250</span> List<NamespaceDescriptor> descriptors) throws IOException {<a name="line.1250"></a>
+<span class="sourceLineNo">1251</span> // Retains only those which passes authorization checks, as the checks weren't done as part<a name="line.1251"></a>
+<span class="sourceLineNo">1252</span> // of preGetTableDescriptors.<a name="line.1252"></a>
+<span class="sourceLineNo">1253</span> Iterator<NamespaceDescriptor> itr = descriptors.iterator();<a name="line.1253"></a>
+<span class="sourceLineNo">1254</span> User user = getActiveUser(ctx);<a name="line.1254"></a>
+<span class="sourceLineNo">1255</span> while (itr.hasNext()) {<a name="line.1255"></a>
+<span class="sourceLineNo">1256</span> NamespaceDescriptor desc = itr.next();<a name="line.1256"></a>
+<span class="sourceLineNo">1257</span> try {<a name="line.1257"></a>
+<span class="sourceLineNo">1258</span> accessChecker.requireNamespacePermission(user, "listNamespaces",<a name="line.1258"></a>
+<span class="sourceLineNo">1259</span> desc.getName(), Action.ADMIN);<a name="line.1259"></a>
+<span class="sourceLineNo">1260</span> } catch (AccessDeniedException e) {<a name="line.1260"></a>
+<span class="sourceLineNo">1261</span> itr.remove();<a name="line.1261"></a>
+<span class="sourceLineNo">1262</span> }<a name="line.1262"></a>
+<span class="sourceLineNo">1263</span> }<a name="line.1263"></a>
+<span class="sourceLineNo">1264</span> }<a name="line.1264"></a>
+<span class="sourceLineNo">1265</span><a name="line.1265"></a>
+<span class="sourceLineNo">1266</span> @Override<a name="line.1266"></a>
+<span class="sourceLineNo">1267</span> public void preTableFlush(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1267"></a>
+<span class="sourceLineNo">1268</span> final TableName tableName) throws IOException {<a name="line.1268"></a>
+<span class="sourceLineNo">1269</span> // Move this ACL check to MasterFlushTableProcedureManager#checkPermissions as part of AC<a name="line.1269"></a>
+<span class="sourceLineNo">1270</span> // deprecation.<a name="line.1270"></a>
+<span class="sourceLineNo">1271</span> requirePermission(ctx, "flushTable", tableName,<a name="line.1271"></a>
+<span class="sourceLineNo">1272</span> null, null, Action.ADMIN, Action.CREATE);<a name="line.1272"></a>
+<span class="sourceLineNo">1273</span> }<a name="line.1273"></a>
+<span class="sourceLineNo">1274</span><a name="line.1274"></a>
+<span class="sourceLineNo">1275</span> @Override<a name="line.1275"></a>
+<span class="sourceLineNo">1276</span> public void preSplitRegion(<a name="line.1276"></a>
+<span class="sourceLineNo">1277</span> final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1277"></a>
+<span class="sourceLineNo">1278</span> final TableName tableName,<a name="line.1278"></a>
+<span class="sourceLineNo">1279</span> final byte[] splitRow) throws IOException {<a name="line.1279"></a>
+<span class="sourceLineNo">1280</span> requirePermission(ctx, "split", tableName,<a name="line.1280"></a>
+<span class="sourceLineNo">1281</span> null, null, Action.ADMIN);<a name="line.1281"></a>
+<span class="sourceLineNo">1282</span> }<a name="line.1282"></a>
+<span class="sourceLineNo">1283</span><a name="line.1283"></a>
+<span class="sourceLineNo">1284</span> @Override<a name="line.1284"></a>
+<span class="sourceLineNo">1285</span> public void preClearDeadServers(ObserverContext<MasterCoprocessorEnvironment> ctx)<a name="line.1285"></a>
+<span class="sourceLineNo">1286</span> throws IOException {<a name="line.1286"></a>
+<span class="sourceLineNo">1287</span> requirePermission(ctx, "clearDeadServers", Action.ADMIN);<a name="line.1287"></a>
+<span class="sourceLineNo">1288</span> }<a name="line.1288"></a>
+<span class="sourceLineNo">1289</span><a name="line.1289"></a>
+<span class="sourceLineNo">1290</span> @Override<a name="line.1290"></a>
+<span class="sourceLineNo">1291</span> public void preDecommissionRegionServers(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1291"></a>
+<span class="sourceLineNo">1292</span> List<ServerName> servers, boolean offload) throws IOException {<a name="line.1292"></a>
+<span class="sourceLineNo">1293</span> requirePermission(ctx, "decommissionRegionServers", Action.ADMIN);<a name="line.1293"></a>
+<span class="sourceLineNo">1294</span> }<a name="line.1294"></a>
+<span class="sourceLineNo">1295</span><a name="line.1295"></a>
+<span class="sourceLineNo">1296</span> @Override<a name="line.1296"></a>
+<span class="sourceLineNo">1297</span> public void preListDecommissionedRegionServers(ObserverContext<MasterCoprocessorEnvironment> ctx)<a name="line.1297"></a>
+<span class="sourceLineNo">1298</span> throws IOException {<a name="line.1298"></a>
+<span class="sourceLineNo">1299</span> requirePermission(ctx, "listDecommissionedRegionServers",<a name="line.1299"></a>
+<span class="sourceLineNo">1300</span> Action.ADMIN);<a name="line.1300"></a>
+<span class="sourceLineNo">1301</span> }<a name="line.1301"></a>
+<span class="sourceLineNo">1302</span><a name="line.1302"></a>
+<span class="sourceLineNo">1303</span> @Override<a name="line.1303"></a>
+<span class="sourceLineNo">1304</span> public void preRecommissionRegionServer(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1304"></a>
+<span class="sourceLineNo">1305</span> ServerName server, List<byte[]> encodedRegionNames) throws IOException {<a name="line.1305"></a>
+<span class="sourceLineNo">1306</span> requirePermission(ctx, "recommissionRegionServers", Action.ADMIN);<a name="line.1306"></a>
+<span class="sourceLineNo">1307</span> }<a name="line.1307"></a>
+<span class="sourceLineNo">1308</span><a name="line.1308"></a>
+<span class="sourceLineNo">1309</span> @Override<a name="line.1309"></a>
+<span class="sourceLineNo">1310</span> public void preMoveServersAndTables(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1310"></a>
+<span class="sourceLineNo">1311</span> Set<Address> servers, Set<TableName> tables, String targetGroup) throws IOException {<a name="line.1311"></a>
+<span class="sourceLineNo">1312</span> requirePermission(ctx, "moveServersAndTables", Action.ADMIN);<a name="line.1312"></a>
+<span class="sourceLineNo">1313</span> }<a name="line.1313"></a>
+<span class="sourceLineNo">1314</span><a name="line.1314"></a>
+<span class="sourceLineNo">1315</span> @Override<a name="line.1315"></a>
+<span class="sourceLineNo">1316</span> public void preMoveServers(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1316"></a>
+<span class="sourceLineNo">1317</span> Set<Address> servers, String targetGroup) throws IOException {<a name="line.1317"></a>
+<span class="sourceLineNo">1318</span> requirePermission(ctx, "moveServers", Action.ADMIN);<a name="line.1318"></a>
+<span class="sourceLineNo">1319</span> }<a name="line.1319"></a>
+<span class="sourceLineNo">1320</span><a name="line.1320"></a>
+<span class="sourceLineNo">1321</span> @Override<a name="line.1321"></a>
+<span class="sourceLineNo">1322</span> public void preMoveTables(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1322"></a>
+<span class="sourceLineNo">1323</span> Set<TableName> tables, String targetGroup) throws IOException {<a name="line.1323"></a>
+<span class="sourceLineNo">1324</span> requirePermission(ctx, "moveTables", Action.ADMIN);<a name="line.1324"></a>
+<span class="sourceLineNo">1325</span> }<a name="line.1325"></a>
+<span class="sourceLineNo">1326</span><a name="line.1326"></a>
+<span class="sourceLineNo">1327</span> @Override<a name="line.1327"></a>
+<span class="sourceLineNo">1328</span> public void preAddRSGroup(final ObserverContext<MasterCoprocessorEnvironment> ctx, String name)<a name="line.1328"></a>
+<span class="sourceLineNo">1329</span> throws IOException {<a name="line.1329"></a>
+<span class="sourceLineNo">1330</span> requirePermission(ctx, "addRSGroup", Action.ADMIN);<a name="line.1330"></a>
+<span class="sourceLineNo">1331</span> }<a name="line.1331"></a>
+<span class="sourceLineNo">1332</span><a name="line.1332"></a>
+<span class="sourceLineNo">1333</span> @Override<a name="line.1333"></a>
+<span class="sourceLineNo">1334</span> public void preRemoveRSGroup(final ObserverContext<MasterCoprocessorEnvironment> ctx, String name)<a name="line.1334"></a>
+<span class="sourceLineNo">1335</span> throws IOException {<a name="line.1335"></a>
+<span class="sourceLineNo">1336</span> requirePermission(ctx, "removeRSGroup", Action.ADMIN);<a name="line.1336"></a>
+<span class="sourceLineNo">1337</span> }<a name="line.1337"></a>
+<span class="sourceLineNo">1338</span><a name="line.1338"></a>
+<span class="sourceLineNo">1339</span> @Override<a name="line.1339"></a>
+<span class="sourceLineNo">1340</span> public void preBalanceRSGroup(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1340"></a>
+<span class="sourceLineNo">1341</span> String groupName) throws IOException {<a name="line.1341"></a>
+<span class="sourceLineNo">1342</span> requirePermission(ctx, "balanceRSGroup", Action.ADMIN);<a name="line.1342"></a>
+<span class="sourceLineNo">1343</span> }<a name="line.1343"></a>
+<span class="sourceLineNo">1344</span><a name="line.1344"></a>
+<span class="sourceLineNo">1345</span> @Override<a name="line.1345"></a>
+<span class="sourceLineNo">1346</span> public void preRemoveServers(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1346"></a>
+<span class="sourceLineNo">1347</span> Set<Address> servers) throws IOException {<a name="line.1347"></a>
+<span class="sourceLineNo">1348</span> requirePermission(ctx, "removeServers", Action.ADMIN);<a name="line.1348"></a>
+<span class="sourceLineNo">1349</span> }<a name="line.1349"></a>
+<span class="sourceLineNo">1350</span><a name="line.1350"></a>
+<span class="sourceLineNo">1351</span> /* ---- RegionObserver implementation ---- */<a name="line.1351"></a>
<span class="sourceLineNo">1352</span><a name="line.1352"></a>
-<span class="sourceLineNo">1353</span> /* ---- RegionObserver implementation ---- */<a name="line.1353"></a>
-<span class="sourceLineNo">1354</span><a name="line.1354"></a>
-<span class="sourceLineNo">1355</span> @Override<a name="line.1355"></a>
-<span class="sourceLineNo">1356</span> public void preOpen(ObserverContext<RegionCoprocessorEnvironment> c)<a name="line.1356"></a>
-<span class="sourceLineNo">1357</span> throws IOException {<a name="line.1357"></a>
-<span class="sourceLineNo">1358</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1358"></a>
-<span class="sourceLineNo">1359</span> final Region region = env.getRegion();<a name="line.1359"></a>
-<span class="sourceLineNo">1360</span> if (region == null) {<a name="line.1360"></a>
-<span class="sourceLineNo">1361</span> LOG.error("NULL region from RegionCoprocessorEnvironment in preOpen()");<a name="line.1361"></a>
-<span class="sourceLineNo">1362</span> } else {<a name="line.1362"></a>
-<span class="sourceLineNo">1363</span> RegionInfo regionInfo = region.getRegionInfo();<a name="line.1363"></a>
-<span class="sourceLineNo">1364</span> if (regionInfo.getTable().isSystemTable()) {<a name="line.1364"></a>
-<span class="sourceLineNo">1365</span> checkSystemOrSuperUser(getActiveUser(c));<a name="line.1365"></a>
-<span class="sourceLineNo">1366</span> } else {<a name="line.1366"></a>
-<span class="sourceLineNo">1367</span> requirePermission(c, "preOpen", Action.ADMIN);<a name="line.1367"></a>
-<span class="sourceLineNo">1368</span> }<a name="line.1368"></a>
-<span class="sourceLineNo">1369</span> }<a name="line.1369"></a>
-<span class="sourceLineNo">1370</span> }<a name="line.1370"></a>
-<span class="sourceLineNo">1371</span><a name="line.1371"></a>
-<span class="sourceLineNo">1372</span> @Override<a name="line.1372"></a>
-<span class="sourceLineNo">1373</span> public void postOpen(ObserverContext<RegionCoprocessorEnvironment> c) {<a name="line.1373"></a>
-<span class="sourceLineNo">1374</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1374"></a>
-<span class="sourceLineNo">1375</span> final Region region = env.getRegion();<a name="line.1375"></a>
-<span class="sourceLineNo">1376</span> if (region == null) {<a name="line.1376"></a>
-<span class="sourceLineNo">1377</span> LOG.error("NULL region from RegionCoprocessorEnvironment in postOpen()");<a name="line.1377"></a>
-<span class="sourceLineNo">1378</span> return;<a name="line.1378"></a>
-<span class="sourceLineNo">1379</span> }<a name="line.1379"></a>
-<span class="sourceLineNo">1380</span> if (AccessControlLists.isAclRegion(region)) {<a name="line.1380"></a>
-<span class="sourceLineNo">1381</span> aclRegion = true;<a name="line.1381"></a>
-<span class="sourceLineNo">1382</span> try {<a name="line.1382"></a>
-<span class="sourceLineNo">1383</span> initialize(env);<a name="line.1383"></a>
-<span class="sourceLineNo">1384</span> } catch (IOException ex) {<a name="line.1384"></a>
-<span class="sourceLineNo">1385</span> // if we can't obtain permissions, it's better to fail<a name="line.1385"></a>
-<span class="sourceLineNo">1386</span> // than perform checks incorrectly<a name="line.1386"></a>
-<span class="sourceLineNo">1387</span> throw new RuntimeException("Failed to initialize permissions cache", ex);<a name="line.1387"></a>
-<span class="sourceLineNo">1388</span> }<a name="line.1388"></a>
-<span class="sourceLineNo">1389</span> } else {<a name="line.1389"></a>
-<span class="sourceLineNo">1390</span> initialized = true;<a name="line.1390"></a>
-<span class="sourceLineNo">1391</span> }<a name="line.1391"></a>
-<span class="sourceLineNo">1392</span> }<a name="line.1392"></a>
-<span class="sourceLineNo">1393</span><a name="line.1393"></a>
-<span class="sourceLineNo">1394</span> @Override<a name="line.1394"></a>
-<span class="sourceLineNo">1395</span> public void preFlush(ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1395"></a>
-<span class="sourceLineNo">1396</span> FlushLifeCycleTracker tracker) throws IOException {<a name="line.1396"></a>
-<span class="sourceLineNo">1397</span> requirePermission(c, "flush", getTableName(c.getEnvironment()),<a name="line.1397"></a>
-<span class="sourceLineNo">1398</span> null, null, Action.ADMIN, Action.CREATE);<a name="line.1398"></a>
-<span class="sourceLineNo">1399</span> }<a name="line.1399"></a>
-<span class="sourceLineNo">1400</span><a name="line.1400"></a>
-<span class="sourceLineNo">1401</span> @Override<a name="line.1401"></a>
-<span class="sourceLineNo">1402</span> public InternalScanner preCompact(ObserverContext<RegionCoprocessorEnvironment> c, Store store,<a name="line.1402"></a>
-<span class="sourceLineNo">1403</span> InternalScanner scanner, ScanType scanType, CompactionLifeCycleTracker tracker,<a name="line.1403"></a>
-<span class="sourceLineNo">1404</span> CompactionRequest request) throws IOException {<a name="line.1404"></a>
-<span class="sourceLineNo">1405</span> requirePermission(c, "compact", getTableName(c.getEnvironment()),<a name="line.1405"></a>
-<span class="sourceLineNo">1406</span> null, null, Action.ADMIN, Action.CREATE);<a name="line.1406"></a>
-<span class="sourceLineNo">1407</span> return scanner;<a name="line.1407"></a>
-<span class="sourceLineNo">1408</span> }<a name="line.1408"></a>
-<span class="sourceLineNo">1409</span><a name="line.1409"></a>
-<span class="sourceLineNo">1410</span> private void internalPreRead(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1410"></a>
-<span class="sourceLineNo">1411</span> final Query query, OpType opType) throws IOException {<a name="line.1411"></a>
-<span class="sourceLineNo">1412</span> Filter filter = query.getFilter();<a name="line.1412"></a>
-<span class="sourceLineNo">1413</span> // Don't wrap an AccessControlFilter<a name="line.1413"></a>
-<span class="sourceLineNo">1414</span> if (filter != null && filter instanceof AccessControlFilter) {<a name="line.1414"></a>
-<span class="sourceLineNo">1415</span> return;<a name="line.1415"></a>
-<span class="sourceLineNo">1416</span> }<a name="line.1416"></a>
-<span class="sourceLineNo">1417</span> User user = getActiveUser(c);<a name="line.1417"></a>
-<span class="sourceLineNo">1418</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1418"></a>
-<span class="sourceLineNo">1419</span> Map<byte[],? extends Collection<byte[]>> families = null;<a name="line.1419"></a>
-<span class="sourceLineNo">1420</span> switch (opType) {<a name="line.1420"></a>
-<span class="sourceLineNo">1421</span> case GET:<a name="line.1421"></a>
-<span class="sourceLineNo">1422</span> case EXISTS:<a name="line.1422"></a>
-<span class="sourceLineNo">1423</span> families = ((Get)query).getFamilyMap();<a name="line.1423"></a>
-<span class="sourceLineNo">1424</span> break;<a name="line.1424"></a>
-<span class="sourceLineNo">1425</span> case SCAN:<a name="line.1425"></a>
-<span class="sourceLineNo">1426</span> families = ((Scan)query).getFamilyMap();<a name="line.1426"></a>
-<span class="sourceLineNo">1427</span> break;<a name="line.1427"></a>
-<span class="sourceLineNo">1428</span> default:<a name="line.1428"></a>
-<span class="sourceLineNo">1429</span> throw new RuntimeException("Unhandled operation " + opType);<a name="line.1429"></a>
-<span class="sourceLineNo">1430</span> }<a name="line.1430"></a>
-<span class="sourceLineNo">1431</span> AuthResult authResult = permissionGranted(opType, user, env, families, Action.READ);<a name="line.1431"></a>
-<span class="sourceLineNo">1432</span> Region region = getRegion(env);<a name="line.1432"></a>
-<span class="sourceLineNo">1433</span> TableName table = getTableName(region);<a name="line.1433"></a>
-<span class="sourceLineNo">1434</span> Map<ByteRange, Integer> cfVsMaxVersions = Maps.newHashMap();<a name="line.1434"></a>
-<span class="sourceLineNo">1435</span> for (ColumnFamilyDescriptor hcd : region.getTableDescriptor().getColumnFamilies()) {<a name="line.1435"></a>
-<span class="sourceLineNo">1436</span> cfVsMaxVersions.put(new SimpleMutableByteRange(hcd.getName()), hcd.getMaxVersions());<a name="line.1436"></a>
-<span class="sourceLineNo">1437</span> }<a name="line.1437"></a>
-<span class="sourceLineNo">1438</span> if (!authResult.isAllowed()) {<a name="line.1438"></a>
-<span class="sourceLineNo">1439</span> if (!cellFeaturesEnabled || compatibleEarlyTermination) {<a name="line.1439"></a>
-<span class="sourceLineNo">1440</span> // Old behavior: Scan with only qualifier checks if we have partial<a name="line.1440"></a>
-<span class="sourceLineNo">1441</span> // permission. Backwards compatible behavior is to throw an<a name="line.1441"></a>
-<span class="sourceLineNo">1442</span> // AccessDeniedException immediately if there are no grants for table<a name="line.1442"></a>
-<span class="sourceLineNo">1443</span> // or CF or CF+qual. Only proceed with an injected filter if there are<a name="line.1443"></a>
-<span class="sourceLineNo">1444</span> // grants for qualifiers. Otherwise we will fall through below and log<a name="line.1444"></a>
-<span class="sourceLineNo">1445</span> // the result and throw an ADE. We may end up checking qualifier<a name="line.1445"></a>
-<span class="sourceLineNo">1446</span> // grants three times (permissionGranted above, here, and in the<a name="line.1446"></a>
-<span class="sourceLineNo">1447</span> // filter) but that's the price of backwards compatibility.<a name="line.1447"></a>
-<span class="sourceLineNo">1448</span> if (hasFamilyQualifierPermission(user, Action.READ, env, families)) {<a name="line.1448"></a>
-<span class="sourceLineNo">1449</span> authResult.setAllowed(true);<a name="line.1449"></a>
-<span class="sourceLineNo">1450</span> authResult.setReason("Access allowed with filter");<a name="line.1450"></a>
-<span class="sourceLineNo">1451</span> // Only wrap the filter if we are enforcing authorizations<a name="line.1451"></a>
-<span class="sourceLineNo">1452</span> if (authorizationEnabled) {<a name="line.1452"></a>
-<span class="sourceLineNo">1453</span> Filter ourFilter = new AccessControlFilter(getAuthManager(), user, table,<a name="line.1453"></a>
-<span class="sourceLineNo">1454</span> AccessControlFilter.Strategy.CHECK_TABLE_AND_CF_ONLY,<a name="line.1454"></a>
-<span class="sourceLineNo">1455</span> cfVsMaxVersions);<a name="line.1455"></a>
-<span class="sourceLineNo">1456</span> // wrap any existing filter<a name="line.1456"></a>
-<span class="sourceLineNo">1457</span> if (filter != null) {<a name="line.1457"></a>
-<span class="sourceLineNo">1458</span> ourFilter = new FilterList(FilterList.Operator.MUST_PASS_ALL,<a name="line.1458"></a>
-<span class="sourceLineNo">1459</span> Lists.newArrayList(ourFilter, filter));<a name="line.1459"></a>
-<span class="sourceLineNo">1460</span> }<a name="line.1460"></a>
-<span class="sourceLineNo">1461</span> switch (opType) {<a name="line.1461"></a>
-<span class="sourceLineNo">1462</span> case GET:<a name="line.1462"></a>
-<span class="sourceLineNo">1463</span> case EXISTS:<a name="line.1463"></a>
-<span class="sourceLineNo">1464</span> ((Get)query).setFilter(ourFilter);<a name="line.1464"></a>
-<span class="sourceLineNo">1465</span> break;<a name="line.1465"></a>
-<span class="sourceLineNo">1466</span> case SCAN:<a name="line.1466"></a>
-<span class="sourceLineNo">1467</span> ((Scan)query).setFilter(ourFilter);<a name="line.1467"></a>
-<span class="sourceLineNo">1468</span> break;<a name="line.1468"></a>
-<span class="sourceLineNo">1469</span> default:<a name="line.1469"></a>
-<span class="sourceLineNo">1470</span> throw new RuntimeException("Unhandled operation " + opType);<a name="line.1470"></a>
-<span class="sourceLineNo">1471</span> }<a name="line.1471"></a>
-<span class="sourceLineNo">1472</span> }<a name="line.1472"></a>
-<span class="sourceLineNo">1473</span> }<a name="line.1473"></a>
-<span class="sourceLineNo">1474</span> } else {<a name="line.1474"></a>
-<span class="sourceLineNo">1475</span> // New behavior: Any access we might be granted is more fine-grained<a name="line.1475"></a>
-<span class="sourceLineNo">1476</span> // than whole table or CF. Simply inject a filter and return what is<a name="line.1476"></a>
-<span class="sourceLineNo">1477</span> // allowed. We will not throw an AccessDeniedException. This is a<a name="line.1477"></a>
-<span class="sourceLineNo">1478</span> // behavioral change since 0.96.<a name="line.1478"></a>
-<span class="sourceLineNo">1479</span> authResult.setAllowed(true);<a name="line.1479"></a>
-<span class="sourceLineNo">1480</span> authResult.setReason("Access allowed with filter");<a name="line.1480"></a>
-<span class="sourceLineNo">1481</span> // Only wrap the filter if we are enforcing authorizations<a name="line.1481"></a>
-<span class="sourceLineNo">1482</span> if (authorizationEnabled) {<a name="line.1482"></a>
-<span class="sourceLineNo">1483</span> Filter ourFilter = new AccessControlFilter(getAuthManager(), user, table,<a name="line.1483"></a>
-<span class="sourceLineNo">1484</span> AccessControlFilter.Strategy.CHECK_CELL_DEFAULT, cfVsMaxVersions);<a name="line.1484"></a>
-<span class="sourceLineNo">1485</span> // wrap any existing filter<a name="line.1485"></a>
-<span class="sourceLineNo">1486</span> if (filter != null) {<a name="line.1486"></a>
-<span class="sourceLineNo">1487</span> ourFilter = new FilterList(FilterList.Operator.MUST_PASS_ALL,<a name="line.1487"></a>
-<span class="sourceLineNo">1488</span> Lists.newArrayList(ourFilter, filter));<a name="line.1488"></a>
-<span class="sourceLineNo">1489</span> }<a name="line.1489"></a>
-<span class="sourceLineNo">1490</span> switch (opType) {<a name="line.1490"></a>
-<span class="sourceLineNo">1491</span> case GET:<a name="line.1491"></a>
-<span class="sourceLineNo">1492</span> case EXISTS:<a name="line.1492"></a>
-<span class="sourceLineNo">1493</span> ((Get)query).setFilter(ourFilter);<a name="line.1493"></a>
-<span class="sourceLineNo">1494</span> break;<a name="line.1494"></a>
-<span class="sourceLineNo">1495</span> case SCAN:<a name="line.1495"></a>
-<span class="sourceLineNo">1496</span> ((Scan)query).setFilter(ourFilter);<a name="line.1496"></a>
-<span class="sourceLineNo">1497</span> break;<a name="line.1497"></a>
-<span class="sourceLineNo">1498</span> default:<a name="line.1498"></a>
-<span class="sourceLineNo">1499</span> throw new RuntimeException("Unhandled operation " + opType);<a name="line.1499"></a>
-<span class="sourceLineNo">1500</span> }<a name="line.1500"></a>
-<span class="sourceLineNo">1501</span> }<a name="line.1501"></a>
-<span class="sourceLineNo">1502</span> }<a name="line.1502"></a>
-<span class="sourceLineNo">1503</span> }<a name="line.1503"></a>
-<span class="sourceLineNo">1504</span><a name="line.1504"></a>
-<span class="sourceLineNo">1505</span> AccessChecker.logResult(authResult);<a name="line.1505"></a>
-<span class="sourceLineNo">1506</span> if (authorizationEnabled && !authResult.isAllowed()) {<a name="line.1506"></a>
-<span class="sourceLineNo">1507</span> throw new AccessDeniedException("Insufficient permissions for user '"<a name="line.1507"></a>
-<span class="sourceLineNo">1508</span> + (user != null ? user.getShortName() : "null")<a name="line.1508"></a>
-<span class="sourceLineNo">1509</span> + "' (table=" + table + ", action=READ)");<a name="line.1509"></a>
-<span class="sourceLineNo">1510</span> }<a name="line.1510"></a>
-<span class="sourceLineNo">1511</span> }<a name="line.1511"></a>
-<span class="sourceLineNo">1512</span><a name="line.1512"></a>
-<span class="sourceLineNo">1513</span> @Override<a name="line.1513"></a>
-<span class="sourceLineNo">1514</span> public void preGetOp(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1514"></a>
-<span class="sourceLineNo">1515</span> final Get get, final List<Cell> result) throws IOException {<a name="line.1515"></a>
-<span class="sourceLineNo">1516</span> internalPreRead(c, get, OpType.GET);<a name="line.1516"></a>
-<span class="sourceLineNo">1517</span> }<a name="line.1517"></a>
-<span class="sourceLineNo">1518</span><a name="line.1518"></a>
-<span class="sourceLineNo">1519</span> @Override<a name="line.1519"></a>
-<span class="sourceLineNo">1520</span> public boolean preExists(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1520"></a>
-<span class="sourceLineNo">1521</span> final Get get, final boolean exists) throws IOException {<a name="line.1521"></a>
-<span class="sourceLineNo">1522</span> internalPreRead(c, get, OpType.EXISTS);<a name="line.1522"></a>
-<span class="sourceLineNo">1523</span> return exists;<a name="line.1523"></a>
-<span class="sourceLineNo">1524</span> }<a name="line.1524"></a>
-<span class="sourceLineNo">1525</span><a name="line.1525"></a>
-<span class="sourceLineNo">1526</span> @Override<a name="line.1526"></a>
-<span class="sourceLineNo">1527</span> public void prePut(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1527"></a>
-<span class="sourceLineNo">1528</span> final Put put, final WALEdit edit, final Durability durability)<a name="line.1528"></a>
-<span class="sourceLineNo">1529</span> throws IOException {<a name="line.1529"></a>
-<span class="sourceLineNo">1530</span> User user = getActiveUser(c);<a name="line.1530"></a>
-<span class="sourceLineNo">1531</span> checkForReservedTagPresence(user, put);<a name="line.1531"></a>
-<span class="sourceLineNo">1532</span><a name="line.1532"></a>
-<span class="sourceLineNo">1533</span> // Require WRITE permission to the table, CF, or top visible value, if any.<a name="line.1533"></a>
-<span class="sourceLineNo">1534</span> // NOTE: We don't need to check the permissions for any earlier Puts<a name="line.1534"></a>
-<span class="sourceLineNo">1535</span> // because we treat the ACLs in each Put as timestamped like any other<a name="line.1535"></a>
-<span class="sourceLineNo">1536</span> // HBase value. A new ACL in a new Put applies to that Put. It doesn't<a name="line.1536"></a>
-<span class="sourceLineNo">1537</span> // change the ACL of any previous Put. This allows simple evolution of<a name="line.1537"></a>
-<span class="sourceLineNo">1538</span> // security policy over time without requiring expensive updates.<a name="line.1538"></a>
-<span class="sourceLineNo">1539</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1539"></a>
-<span class="sourceLineNo">1540</span> Map<byte[],? extends Collection<Cell>> families = put.getFamilyCellMap();<a name="line.1540"></a>
-<span class="sourceLineNo">1541</span> AuthResult authResult = permissionGranted(OpType.PUT,<a name="line.1541"></a>
-<span class="sourceLineNo">1542</span> user, env, families, Action.WRITE);<a name="line.1542"></a>
-<span class="sourceLineNo">1543</span> AccessChecker.logResult(authResult);<a name="line.1543"></a>
-<span class="sourceLineNo">1544</span> if (!authResult.isAllowed()) {<a name="line.1544"></a>
-<span class="sourceLineNo">1545</span> if (cellFeaturesEnabled && !compatibleEarlyTermination) {<a name="line.1545"></a>
-<span class="sourceLineNo">1546</span> put.setAttribute(CHECK_COVERING_PERM, TRUE);<a name="line.1546"></a>
-<span class="sourceLineNo">1547</span> } else if (authorizationEnabled) {<a name="line.1547"></a>
-<span class="sourceLineNo">1548</span> throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());<a name="line.1548"></a>
-<span class="sourceLineNo">1549</span> }<a name="line.1549"></a>
-<span class="sourceLineNo">1550</span> }<a name="line.1550"></a>
-<span class="sourceLineNo">1551</span><a name="line.1551"></a>
-<span class="sourceLineNo">1552</span> // Add cell ACLs from the operation to the cells themselves<a name="line.1552"></a>
-<span class="sourceLineNo">1553</span> byte[] bytes = put.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);<a name="line.1553"></a>
-<span class="sourceLineNo">1554</span> if (bytes != null) {<a name="line.1554"></a>
-<span class="sourceLineNo">1555</span> if (cellFeaturesEnabled) {<a name="line.1555"></a>
-<span class="sourceLineNo">1556</span> addCellPermissions(bytes, put.getFamilyCellMap());<a name="line.1556"></a>
-<span class="sourceLineNo">1557</span> } else {<a name="line.1557"></a>
-<span class="sourceLineNo">1558</span> throw new DoNotRetryIOException("Cell ACLs cannot be persisted");<a name="line.1558"></a>
-<span class="sourceLineNo">1559</span> }<a name="line.1559"></a>
-<span class="sourceLineNo">1560</span> }<a name="line.1560"></a>
-<span class="sourceLineNo">1561</span> }<a name="line.1561"></a>
-<span class="sourceLineNo">1562</span><a name="line.1562"></a>
-<span class="sourceLineNo">1563</span> @Override<a name="line.1563"></a>
-<span class="sourceLineNo">1564</span> public void postPut(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1564"></a>
-<span class="sourceLineNo">1565</span> final Put put, final WALEdit edit, final Durability durability) {<a name="line.1565"></a>
-<span class="sourceLineNo">1566</span> if (aclRegion) {<a name="line.1566"></a>
-<span class="sourceLineNo">1567</span> updateACL(c.getEnvironment(), put.getFamilyCellMap());<a name="line.1567"></a>
-<span class="sourceLineNo">1568</span> }<a name="line.1568"></a>
-<span class="sourceLineNo">1569</span> }<a name="line.1569"></a>
-<span class="sourceLineNo">1570</span><a name="line.1570"></a>
-<span class="sourceLineNo">1571</span> @Override<a name="line.1571"></a>
-<span class="sourceLineNo">1572</span> public void preDelete(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1572"></a>
-<span class="sourceLineNo">1573</span> final Delete delete, final WALEdit edit, final Durability durability)<a name="line.1573"></a>
-<span class="sourceLineNo">1574</span> throws IOException {<a name="line.1574"></a>
-<span class="sourceLineNo">1575</span> // An ACL on a delete is useless, we shouldn't allow it<a name="line.1575"></a>
-<span class="sourceLineNo">1576</span> if (delete.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL) != null) {<a name="line.1576"></a>
-<span class="sourceLineNo">1577</span> throw new DoNotRetryIOException("ACL on delete has no effect: " + delete.toString());<a name="line.1577"></a>
-<span class="sourceLineNo">1578</span> }<a name="line.1578"></a>
-<span class="sourceLineNo">1579</span> // Require WRITE permissions on all cells covered by the delete. Unlike<a name="line.1579"></a>
-<span class="sourceLineNo">1580</span> // for Puts we need to check all visible prior versions, because a major<a name="line.1580"></a>
-<span class="sourceLineNo">1581</span> // compaction could remove them. If the user doesn't have permission to<a name="line.1581"></a>
-<span class="sourceLineNo">1582</span> // overwrite any of the visible versions ('visible' defined as not covered<a name="line.1582"></a>
-<span class="sourceLineNo">1583</span> // by a tombstone already) then we have to disallow this operation.<a name="line.1583"></a>
-<span class="sourceLineNo">1584</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1584"></a>
-<span class="sourceLineNo">1585</span> Map<byte[],? extends Collection<Cell>> families = delete.getFamilyCellMap();<a name="line.1585"></a>
-<span class="sourceLineNo">1586</span> User user = getActiveUser(c);<a name="line.1586"></a>
-<span class="sourceLineNo">1587</span> AuthResult authResult = permissionGranted(OpType.DELETE,<a name="line.1587"></a>
-<span class="sourceLineNo">1588</span> user, env, families, Action.WRITE);<a name="line.1588"></a>
-<span class="sourceLineNo">1589</span> AccessChecker.logResult(authResult);<a name="line.1589"></a>
-<span class="sourceLineNo">1590</span> if (!authResult.isAllowed()) {<a name="line.1590"></a>
-<span class="sourceLineNo">1591</span> if (cellFeaturesEnabled && !compatibleEarlyTermination) {<a name="line.1591"></a>
-<span class="sourceLineNo">1592</span> delete.setAttribute(CHECK_COVERING_PERM, TRUE);<a name="line.1592"></a>
-<span class="sourceLineNo">1593</span> } else if (authorizationEnabled) {<a name="line.1593"></a>
-<span class="sourceLineNo">1594</span> throw new AccessDeniedException("Insufficient permissions " +<a name="line.1594"></a>
-<span class="sourceLineNo">1595</span> authResult.toContextString());<a name="line.1595"></a>
-<span class="sourceLineNo">1596</span> }<a name="line.1596"></a>
-<span class="sourceLineNo">1597</span> }<a name="line.1597"></a>
-<span class="sourceLineNo">1598</span> }<a name="line.1598"></a>
-<span class="sourceLineNo">1599</span><a name="line.1599"></a>
-<span class="sourceLineNo">1600</span> @Override<a name="line.1600"></a>
-<span class="sourceLineNo">1601</span> public void preBatchMutate(ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1601"></a>
-<span class="sourceLineNo">1602</span> MiniBatchOperationInProgress<Mutation> miniBatchOp) throws IOException {<a name="line.1602"></a>
-<span class="sourceLineNo">1603</span> if (cellFeaturesEnabled && !compatibleEarlyTermination) {<a name="line.1603"></a>
-<span class="sourceLineNo">1604</span> TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();<a name="line.1604"></a>
-<span class="sourceLineNo">1605</span> User user = getActiveUser(c);<a name="line.1605"></a>
-<span class="sourceLineNo">1606</span> for (int i = 0; i < miniBatchOp.size(); i++) {<a name="line.1606"></a>
-<span class="sourceLineNo">1607</span> Mutation m = miniBatchOp.getOperation(i);<a name="line.1607"></a>
-<span class="sourceLineNo">1608</span> if (m.getAttribute(CHECK_COVERING_PERM) != null) {<a name="line.1608"></a>
-<span class="sourceLineNo">1609</span> // We have a failure with table, cf and q perm checks and now giving a chance for cell<a name="line.1609"></a>
-<span class="sourceLineNo">1610</span> // perm check<a name="line.1610"></a>
-<span class="sourceLineNo">1611</span> OpType opType;<a name="line.1611"></a>
-<span class="sourceLineNo">1612</span> if (m instanceof Put) {<a name="line.1612"></a>
-<span class="sourceLineNo">1613</span> checkForReservedTagPresence(user, m);<a name="line.1613"></a>
-<span class="sourceLineNo">1614</span> opType = OpType.PUT;<a name="line.1614"></a>
-<span class="sourceLineNo">1615</span> } else {<a name="line.1615"></a>
-<span class="sourceLineNo">1616</span> opType = OpType.DELETE;<a name="line.1616"></a>
-<span class="sourceLineNo">1617</span> }<a name="line.1617"></a>
-<span class="sourceLineNo">1618</span> AuthResult authResult = null;<a name="line.1618"></a>
-<span class="sourceLineNo">1619</span> if (checkCoveringPermission(user, opType, c.getEnvironment(), m.getRow(),<a name="line.1619"></a>
-<span class="sourceLineNo">1620</span> m.getFamilyCellMap(), m.getTimestamp(), Action.WRITE)) {<a name="line.1620"></a>
-<span class="sourceLineNo">1621</span> authResult = AuthResult.allow(opType.toString(), "Covering cell set",<a name="line.1621"></a>
-<span class="sourceLineNo">1622</span> user, Action.WRITE, table, m.getFamilyCellMap());<a name="line.1622"></a>
-<span class="sourceLineNo">1623</span> } else {<a name="line.1623"></a>
-<span class="sourceLineNo">1624</span> authResult = AuthResult.deny(opType.toString(), "Covering cell set",<a name="line.1624"></a>
-<span class="sourceLineNo">1625</span> user, Action.WRITE, table, m.getFamilyCellMap());<a name="line.1625"></a>
-<span class="sourceLineNo">1626</span> }<a name="line.1626"></a>
-<span class="sourceLineNo">1627</span> AccessChecker.logResult(authResult);<a name="line.1627"></a>
-<span class="sourceLineNo">1628</span> if (authorizationEnabled && !authResult.isAllowed()) {<a name="line.1628"></a>
-<span class="sourceLineNo">1629</span> throw new AccessDeniedException("Insufficient permissions "<a name="line.1629"></a>
-<span class="sourceLineNo">1630</span> + authResult.toContextString());<a name="line.1630"></a>
-<span class="sourceLineNo">1631</span> }<a name="line.1631"></a>
-<span class="sourceLineNo">1632</span> }<a name="line.1632"></a>
-<span class="sourceLineNo">1633</span> }<a name="line.1633"></a>
-<span class="sourceLineNo">1634</span> }<a name="line.1634"></a>
-<span class="sourceLineNo">1635</span> }<a name="line.1635"></a>
-<span class="sourceLineNo">1636</span><a name="line.1636"></a>
-<span class="sourceLineNo">1637</span> @Override<a name="line.1637"></a>
-<span class="sourceLineNo">1638</span> public void postDelete(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1638"></a>
-<span class="sourceLineNo">1639</span> final Delete delete, final WALEdit edit, final Durability durability)<a name="line.1639"></a>
-<span class="sourceLineNo">1640</span> throws IOException {<a name="line.1640"></a>
-<span class="sourceLineNo">1641</span> if (aclRegion) {<a name="line.1641"></a>
-<span class="sourceLineNo">1642</span> updateACL(c.getEnvironment(), delete.getFamilyCellMap());<a name="line.1642"></a>
-<span class="sourceLineNo">1643</span> }<a name="line.1643"></a>
-<span class="sourceLineNo">1644</span> }<a name="line.1644"></a>
-<span class="sourceLineNo">1645</span><a name="line.1645"></a>
-<span class="sourceLineNo">1646</span> @Override<a name="line.1646"></a>
-<span class="sourceLineNo">1647</span> public boolean preCheckAndPut(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1647"></a>
-<span class="sourceLineNo">1648</span> final byte [] row, final byte [] family, final byte [] qualifier,<a name="line.1648"></a>
-<span class="sourceLineNo">1649</span> final CompareOperator op,<a name="line.1649"></a>
-<span class="sourceLineNo">1650</span> final ByteArrayComparable comparator, final Put put,<a name="line.1650"></a>
-<span class="sourceLineNo">1651</span> final boolean result) throws IOException {<a name="line.1651"></a>
-<span class="sourceLineNo">1652</span> User user = getActiveUser(c);<a name="line.1652"></a>
-<span class="sourceLineNo">1653</span> checkForReservedTagPresence(user, put);<a name="line.1653"></a>
-<span class="sourceLineNo">1654</span><a name="line.1654"></a>
-<span class="sourceLineNo">1655</span> // Require READ and WRITE permissions on the table, CF, and KV to update<a name="line.1655"></a>
-<span class="sourceLineNo">1656</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1656"></a>
-<span class="sourceLineNo">1657</span> Map<byte[],? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);<a name="line.1657"></a>
-<span class="sourceLineNo">1658</span> AuthResult authResult = permissionGranted(OpType.CHECK_AND_PUT,<a name="line.1658"></a>
-<span class="sourceLineNo">1659</span> user, env, families, Action.READ, Action.WRITE);<a name="line.1659"></a>
-<span class="sourceLineNo">1660</span> AccessChecker.logResult(authResult);<a name="line.1660"></a>
-<span class="sourceLineNo">1661</span> if (!authResult.isAllowed()) {<a name="line.1661"></a>
-<span class="sourceLineNo">1662</span> if (cellFeaturesEnabled && !compatibleEarlyTermination) {<a name="line.1662"></a>
-<span class="sourceLineNo">1663</span> put.setAttribute(CHECK_COVERING_PERM, TRUE);<a name="line.1663"></a>
-<span class="sourceLineNo">1664</span> } else if (authorizationEnabled) {<a name="line.1664"></a>
-<span class="sourceLineNo">1665</span> throw new AccessDeniedException("Insufficient permissions " +<a name="line.1665"></a>
-<span class="sourceLineNo">1666</span> authResult.toContextString());<a name="line.1666"></a>
-<span class="sourceLineNo">1667</span> }<a name="line.1667"></a>
-<span class="sourceLineNo">1668</span> }<a name="line.1668"></a>
-<span class="sourceLineNo">1669</span><a name="line.1669"></a>
-<span class="sourceLineNo">1670</span> byte[] bytes = put.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);<a name="line.1670"></a>
-<span class="sourceLineNo">1671</span> if (bytes != null) {<a name="line.1671"></a>
-<span class="sourceLineNo">1672</span> if (cellFeaturesEnabled) {<a name="line.1672"></a>
-<span class="sourceLineNo">1673</span> addCellPermissions(bytes, put.getFamilyCellMap());<a name="line.1673"></a>
-<span class="sourceLineNo">1674</span> } else {<a name="line.1674"></a>
-<span class="sourceLineNo">1675</span> throw new DoNotRetryIOException("Cell ACLs cannot be persisted");<a name="line.1675"></a>
-<span class="sourceLineNo">1676</span> }<a name="line.1676"></a>
-<span class="sourceLineNo">1677</span> }<a name="line.1677"></a>
-<span class="sourceLineNo">1678</span> return result;<a name="line.1678"></a>
-<span class="sourceLineNo">1679</span> }<a name="line.1679"></a>
-<span class="sourceLineNo">1680</span><a name="line.1680"></a>
-<span class="sourceLineNo">1681</span> @Override<a name="line.1681"></a>
-<span class="sourceLineNo">1682</span> public boolean preCheckAndPutAfterRowLock(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1682"></a>
-<span class="sourceLineNo">1683</span> final byte[] row, final byte[] family, final byte[] qualifier,<a name="line.1683"></a>
-<span class="sourceLineNo">1684</span> final CompareOperator opp, final ByteArrayComparable comparator, final Put put,<a name="line.1684"></a>
-<span class="sourceLineNo">1685</span> final boolean result) throws IOException {<a name="line.1685"></a>
-<span class="sourceLineNo">1686</span> if (put.getAttribute(CHECK_COVERING_PERM) != null) {<a name="line.1686"></a>
-<span class="sourceLineNo">1687</span> // We had failure with table, cf and q perm checks and now giving a chance for cell<a name="line.1687"></a>
-<span class="sourceLineNo">1688</span> // perm check<a name="line.1688"></a>
-<span class="sourceLineNo">1689</span> TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();<a name="line.1689"></a>
-<span class="sourceLineNo">1690</span> Map<byte[], ? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);<a name="line.1690"></a>
-<span class="sourceLineNo">1691</span> AuthResult authResult = null;<a name="line.1691"></a>
-<span class="sourceLineNo">1692</span> User user = getActiveUser(c);<a name="line.1692"></a>
-<span class="sourceLineNo">1693</span> if (checkCoveringPermission(user, OpType.CHECK_AND_PUT, c.getEnvironment(), row, families,<a name="line.1693"></a>
-<span class="sourceLineNo">1694</span> HConstants.LATEST_TIMESTAMP, Action.READ)) {<a name="line.1694"></a>
-<span class="sourceLineNo">1695</span> authResult = AuthResult.allow(OpType.CHECK_AND_PUT.toString(),<a name="line.1695"></a>
-<span class="sourceLineNo">1696</span> "Covering cell set", user, Action.READ, table, families);<a name="line.1696"></a>
-<span class="sourceLineNo">1697</span> } else {<a name="line.1697"></a>
-<span class="sourceLineNo">1698</span> authResult = AuthResult.deny(OpType.CHECK_AND_PUT.toString(),<a name="line.1698"></a>
-<span class="sourceLineNo">1699</span> "Covering cell set", user, Action.READ, table, families);<a name="line.1699"></a>
-<span class="sourceLineNo">1700</span> }<a name="line.1700"></a>
-<span class="sourceLineNo">1701</span> AccessChecker.logResult(authResult);<a name="line.1701"></a>
-<span class="sourceLineNo">1702</span> if (authorizationEnabled && !authResult.isAllowed()) {<a name="line.1702"></a>
-<span class="sourceLineNo">1703</span> throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());<a name="line.1703"></a>
-<span class="sourceLineNo">1704</span> }<a name="line.1704"></a>
-<span class="sourceLineNo">1705</span> }<a name="line.1705"></a>
-<span class="sourceLineNo">1706</span> return result;<a name="line.1706"></a>
-<span class="sourceLineNo">1707</span> }<a name="line.1707"></a>
-<span class="sourceLineNo">1708</span><a name="line.1708"></a>
-<span class="sourceLineNo">1709</span> @Override<a name="line.1709"></a>
-<span class="sourceLineNo">1710</span> public boolean preCheckAndDelete(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1710"></a>
-<span class="sourceLineNo">1711</span> final byte [] row, final byte [] family, final byte [] qualifier,<a name="line.1711"></a>
-<span class="sourceLineNo">1712</span> final CompareOperator op,<a name="line.1712"></a>
-<span class="sourceLineNo">1713</span> final ByteArrayComparable comparator, final Delete delete,<a name="line.1713"></a>
-<span class="sourceLineNo">1714</span> final boolean result) throws IOException {<a name="line.1714"></a>
-<span class="sourceLineNo">1715</span> // An ACL on a delete is useless, we shouldn't allow it<a name="line.1715"></a>
-<span class="sourceLineNo">1716</span> if (delete.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL) != null) {<a name="line.1716"></a>
-<span class="sourceLineNo">1717</span> throw new DoNotRetryIOException("ACL on checkAndDelete has no effect: " +<a name="line.1717"></a>
-<span class="sourceLineNo">1718</span> delete.toString());<a name="line.1718"></a>
-<span class="sourceLineNo">1719</span> }<a name="line.1719"></a>
-<span class="sourceLineNo">1720</span> // Require READ and WRITE permissions on the table, CF, and the KV covered<a name="line.1720"></a>
-<span class="sourceLineNo">1721</span> // by the delete<a name="line.1721"></a>
-<span class="sourceLineNo">1722</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1722"></a>
-<span class="sourceLineNo">1723</span> Map<byte[],? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);<a name="line.1723"></a>
-<span class="sourceLineNo">1724</span> User user = getActiveUser(c);<a name="line.1724"></a>
-<span class="sourceLineNo">1725</span> AuthResult authResult = permissionGranted(<a name="line.1725"></a>
-<span class="sourceLineNo">1726</span> OpType.CHECK_AND_DELETE, user, env, families, Action.READ, Action.WRITE);<a name="line.1726"></a>
-<span class="sourceLineNo">1727</span> AccessChecker.logResult(authResult);<a name="line.1727"></a>
-<span class="sourceLineNo">1728</span> if (!authResult.isAllowed()) {<a name="line.1728"></a>
-<span class="sourceLineNo">1729</span> if (cellFeaturesEnabled && !compatibleEarlyTermination) {<a name="line.1729"></a>
-<span class="sourceLineNo">1730</span> delete.setAttribute(CHECK_COVERING_PERM, TRUE);<a name="line.1730"></a>
-<span class="sourceLineNo">1731</span> } else if (authorizationEnabled) {<a name="line.1731"></a>
-<span class="sourceLineNo">1732</span> throw new AccessDeniedException("Insufficient permissions " +<a name="line.1732"></a>
-<span class="sourceLineNo">1733</span> authResult.toContextString());<a name="line.1733"></a>
-<span class="sourceLineNo">1734</span> }<a name="line.1734"></a>
-<span class="sourceLineNo">1735</span> }<a name="line.1735"></a>
-<span class="sourceLineNo">1736</span> return result;<a name="line.1736"></a>
-<span class="sourceLineNo">1737</span> }<a name="line.1737"></a>
-<span class="sourceLineNo">1738</span><a name="line.1738"></a>
-<span class="sourceLineNo">1739</span> @Override<a name="line.1739"></a>
-<span class="sourceLineNo">1740</span> public boolean preCheckAndDeleteAfterRowLock(<a name="line.1740"></a>
-<span class="sourceLineNo">1741</span> final ObserverContext<RegionCoprocessorEnvironment> c, final byte[] row,<a name="line.1741"></a>
-<span class="sourceLineNo">1742</span> final byte[] family, final byte[] qualifier, final CompareOperator op,<a name="line.1742"></a>
-<span class="sourceLineNo">1743</span> final ByteArrayComparable comparator, final Delete delete, final boolean result)<a name="line.1743"></a>
-<span class="sourceLineNo">1744</span> throws IOException {<a name="line.1744"></a>
-<span class="sourceLineNo">1745</span> if (delete.getAttribute(CHECK_COVERING_PERM) != null) {<a name="line.1745"></a>
-<span class="sourceLineNo">1746</span> // We had failure with table, cf and q perm checks and now giving a chance for cell<a name="line.1746"></a>
-<span class="sourceLineNo">1747</span> // perm check<a name="line.1747"></a>
-<span class="sourceLineNo">1748</span> TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();<a name="line.1748"></a>
-<span class="sourceLineNo">1749</span> Map<byte[], ? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);<a name="line.1749"></a>
-<span class="sourceLineNo">1750</span> AuthResult authResult = null;<a name="line.1750"></a>
-<span class="sourceLineNo">1751</span> User user = getActiveUser(c);<a name="line.1751"></a>
-<span class="sourceLineNo">1752</span> if (checkCoveringPermission(user, OpType.CHECK_AND_DELETE, c.getEnvironment(),<a name="line.1752"></a>
-<span class="sourceLineNo">1753</span> row, families, HConstants.LATEST_TIMESTAMP, Action.READ)) {<a name="line.1753"></a>
-<span class="sourceLineNo">1754</span> authResult = AuthResult.allow(OpType.CHECK_AND_DELETE.toString(),<a name="line.1754"></a>
-<span class="sourceLineNo">1755</span> "Covering cell set", user, Action.READ, table, families);<a name="line.1755"></a>
-<span class="sourceLineNo">1756</span> } else {<a name="line.1756"></a>
-<span class="sourceLineNo">1757</span> authResult = AuthResult.deny(OpType.CHECK_AND_DELETE.toString(),<a name="line.1757"></a>
-<span class="sourceLineNo">1758</span> "Covering cell set", user, Action.READ, table, families);<a name="line.1758"></a>
-<span class="sourceLineNo">1759</span> }<a name="line.1759"></a>
-<span class="sourceLineNo">1760</span> AccessChecker.logResult(authResult);<a name="line.1760"></a>
-<span class="sourceLineNo">1761</span> if (authorizationEnabled && !authResult.isAllowed()) {<a name="line.1761"></a>
-<span class="sourceLineNo">1762</span> throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());<a name="line.1762"></a>
-<span class="sourceLineNo">1763</span> }<a name="line.1763"></a>
-<span class="sourceLineNo">1764</span> }<a name="line.1764"></a>
-<span class="sourceLineNo">1765</span> return result;<a name="line.1765"></a>
-<span class="sourceLineNo">1766</span> }<a name="line.1766"></a>
-<span class="sourceLineNo">1767</span><a name="line.1767"></a>
-<span class="sourceLineNo">1768</span> @Override<a name="line.1768"></a>
-<span class="sourceLineNo">1769</span> public Result preAppend(ObserverContext<RegionCoprocessorEnvironment> c, Append append)<a name="line.1769"></a>
-<span class="sourceLineNo">1770</span> throws IOException {<a name="line.1770"></a>
-<span class="sourceLineNo">1771</span> User user = getActiveUser(c);<a name="line.1771"></a>
-<span class="sourceLineNo">1772</span> checkForReservedTagPresence(user, append);<a name="line.1772"></a>
-<span class="sourceLineNo">1773</span><a name="line.1773"></a>
-<span class="sourceLineNo">1774</span> // Require WRITE permission to the table, CF, and the KV to be appended<a name="line.1774"></a>
-<span class="sourceLineNo">1775</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1775"></a>
-<span class="sourceLineNo">1776</span> Map<byte[],? extends Collection<Cell>> families = append.getFamilyCellMap();<a name="line.1776"></a>
-<span class="sourceLineNo">1777</span> AuthResult authResult = permissionGranted(OpType.APPEND, user,<a name="line.1777"></a>
-<span class="sourceLineNo">1778</span> env, families, Action.WRITE);<a name="line.1778"></a>
-<span class="sourceLineNo">1779</span> AccessChecker.logResult(authResult);<a name="line.1779"></a>
-<span class="sourceLineNo">1780</span> if (!authResult.isAllowed()) {<a name="line.1780"></a>
-<span class="sourceLineNo">1781</span> if (cellFeaturesEnabled && !compatibleEarlyTermination) {<a name="line.1781"></a>
-<span class="sourceLineNo">1782</span> append.setAttribute(CHECK_COVERING_PERM, TRUE);<a name="line.1782"></a>
-<span class="sourceLineNo">1783</span> } else if (authorizationEnabled) {<a name="line.1783"></a>
-<span class="sourceLineNo">1784</span> throw new AccessDeniedException("Insufficient permissions " +<a name="line.1784"></a>
-<span class="sourceLineNo">1785</span> authResult.toContextString());<a name="line.1785"></a>
-<span class="sourceLineNo">1786</span> }<a name="line.1786"></a>
-<span class="sourceLineNo">1787</span> }<a name="line.1787"></a>
-<span class="sourceLineNo">1788</span><a name="line.1788"></a>
-<span class="sourceLineNo">1789</span> byte[] bytes = append.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);<a name="line.1789"></a>
-<span class="sourceLineNo">1790</span> if (bytes != null) {<a name="line.1790"></a>
-<span class="sourceLineNo">1791</span> if (cellFeaturesEnabled) {<a name="line.1791"></a>
-<span class="sourceLineNo">1792</span> addCellPermissions(bytes, append.getFamilyCellMap());<a name="line.1792"></a>
-<span class="sourceLineNo">1793</span> } else {<a name="line.1793"></a>
-<span class="sourceLineNo">1794</span> throw new DoNotRetryIOException("Cell ACLs cannot be persisted");<a name="line.1794"></a>
-<span class="sourceLineNo">1795</span> }<a name="line.1795"></a>
-<span class="sourceLineNo">1796</span> }<a name="line.1796"></a>
-<span class="sourceLineNo">1797</span><a name="line.1797"></a>
-<span class="sourceLineNo">1798</span> return null;<a name="line.1798"></a>
-<span class="sourceLineNo">1799</span> }<a name="line.1799"></a>
-<span class="sourceLineNo">1800</span><a name="line.1800"></a>
-<span class="sourceLineNo">1801</span> @Override<a name="line.1801"></a>
-<span class="sourceLineNo">1802</span> public Result preAppendAfterRowLock(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1802"></a>
-<span class="sourceLineNo">1803</span> final Append append) throws IOException {<a name="line.1803"></a>
-<span class="sourceLineNo">1804</span> if (append.getAttribute(CHECK_COVERING_PERM) != null) {<a name="line.1804"></a>
-<span class="sourceLineNo">1805</span> // We had failure with table, cf and q perm checks and now giving a chance for cell<a name="line.1805"></a>
-<span class="sourceLineNo">1806</span> // perm check<a name="line.1806"></a>
-<span class="sourceLineNo">1807</span> TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();<a name="line.1807"></a>
-<span class="sourceLineNo">1808</span> AuthResult authResult = null;<a name="line.1808"></a>
-<span class="sourceLineNo">1809</span> User user = getActiveUser(c);<a name="line.1809"></a>
-<span class="sourceLineNo">1810</span> if (checkCoveringPermission(user, OpType.APPEND, c.getEnvironment(), append.getRow(),<a name="line.1810"></a>
-<span class="sourceLineNo">1811</span> append.getFamilyCellMap(), append.getTimeRange().getMax(), Action.WRITE)) {<a name="line.1811"></a>
-<span class="sourceLineNo">1812</span> authResult = AuthResult.allow(OpType.APPEND.toString(),<a name="line.1812"></a>
-<span class="sourceLineNo">1813</span> "Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap());<a name="line.1813"></a>
-<span class="sourceLineNo">1814</span> } else {<a name="line.1814"></a>
-<span class="sourceLineNo">1815</span> authResult = AuthResult.deny(OpType.APPEND.toString(),<a name="line.1815"></a>
-<span class="sourceLineNo">1816</span> "Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap());<a name="line.1816"></a>
-<span class="sourceLineNo">1817</span> }<a name="line.1817"></a>
-<span class="sourceLineNo">1818</span> AccessChecker.logResult(authResult);<a name="line.1818"></a>
-<span class="sourceLineNo">1819</span> if (authorizationEnabled && !authResult.isAllowed()) {<a name="line.1819"></a>
-<span class="sourceLineNo">1820</span> throw new AccessDeniedException("Insufficient permissions " +<a name="line.1820"></a>
-<span class="sourceLineNo">1821</span> authResult.toContextString());<a name="line.1821"></a>
-<span class="sourceLineNo">1822</span> }<a name="line.1822"></a>
-<span class="sourceLineNo">1823</span> }<a name="line.1823"></a>
-<span class="sourceLineNo">1824</span> return null;<a name="line.1824"></a>
-<span class="sourceLineNo">1825</span> }<a name="line.1825"></a>
-<span class="sourceLineNo">1826</span><a name="line.1826"></a>
-<span class="sourceLineNo">1827</span> @Override<a name="line.1827"></a>
-<span class="sourceLineNo">1828</span> public Result preIncrement(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1828"></a>
-<span class="sourceLineNo">1829</span> final Increment increment)<a name="line.1829"></a>
-<span class="sourceLineNo">1830</span> throws IOException {<a name="line.1830"></a>
-<span class="sourceLineNo">1831</span> User user = getActiveUser(c);<a name="line.1831"></a>
-<span class="sourceLineNo">1832</span> checkForReservedTagPresence(user, increment);<a name="line.1832"></a>
-<span class="sourceLineNo">1833</span><a name="line.1833"></a>
-<span class="sourceLineNo">1834</span> // Require WRITE permission to the table, CF, and the KV to be replaced by<a name="line.1834"></a>
-<span class="sourceLineNo">1835</span> // the incremented value<a name="line.1835"></a>
-<span class="sourceLineNo">1836</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1836"></a>
-<span class="sourceLineNo">1837</span> Map<byte[],? extends Collection<Cell>> families = increment.getFamilyCellMap();<a name="line.1837"></a>
-<span class="sourceLineNo">1838</span> AuthResult authResult = permissionGranted(OpType.INCREMENT,<a name="line.1838"></a>
-<span class="sourceLineNo">1839</span> user, env, families, Action.WRITE);<a name="line.1839"></a>
-<span class="sourceLineNo">1840</span> AccessChecker.logResult(authResult);<a name="line.1840"></a>
-<span class="sourceLineNo">1841</span> if (!authResult.isAllowed()) {<a name="line.1841"></a>
-<span class="sourceLineNo">1842</span> if (cellFeaturesEnabled && !compatibleEarlyTermination) {<a name="line.1842"></a>
-<span class="sourceLineNo">1843</span> increment.setAttribute(CHECK_COVERING_PERM, TRUE);<a name="line.1843"></a>
-<span class="sourceLineNo">1844</span> } else if (authorizationEnabled) {<a name="line.1844"></a>
-<span class="sourceLineNo">1845</span> throw new AccessDeniedException("Insufficient permissions " +<a name="line.1845"></a>
-<span class="sourceLineNo">1846</span> authResult.toContextString());<a name="line.1846"></a>
-<span class="sourceLineNo">1847</span> }<a name="line.1847"></a>
-<span class="sourceLineNo">1848</span> }<a name="line.1848"></a>
-<span class="sourceLineNo">1849</span><a name="line.1849"></a>
-<span class="sourceLineNo">1850</span> byte[] bytes = increment.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);<a name="line.1850"></a>
-<span class="sourceLineNo">1851</span> if (bytes != null) {<a name="line.1851"></a>
-<span class="sourceLineNo">1852</span> if (cellFeaturesEnabled) {<a name="line.1852"></a>
-<span class="sourceLineNo">1853</span> addCellPermissions(bytes, increment.getFamilyCellMap());<a name="line.1853"></a>
-<span class="sourceLineNo">1854</span> } else {<a name="line.1854"></a>
-<span class="sourceLineNo">1855</span> throw new DoNotRetryIOException("Cell ACLs cannot be persisted");<a name="line.1855"></a>
-<span class="sourceLineNo">1856</span> }<a name="line.1856"></a>
-<span class="sourceLineNo">1857</span> }<a name="line.1857"></a>
-<span class="sourceLineNo">1858</span><a name="line.1858"></a>
-<span class="sourceLineNo">1859</span> return null;<a name="line.1859"></a>
-<span class="sourceLineNo">1860</span> }<a name="line.1860"></a>
-<span class="sourceLineNo">1861</span><a name="line.1861"></a>
-<span class="sourceLineNo">1862</span> @Override<a name="line.1862"></a>
-<span class="sourceLineNo">1863</span> public Result preIncrementAfterRowLock(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1863"></a>
-<span class="sourceLineNo">1864</span> final Increment increment) throws IOException {<a name="line.1864"></a>
-<span class="sourceLineNo">1865</span> if (increment.getAttribute(CHECK_COVERING_PERM) != null) {<a name="line.1865"></a>
-<span class="sourceLineNo">1866</span> // We had failure with table, cf and q perm checks and now giving a chance for cell<a name="line.1866"></a>
-<span class="sourceLineNo">1867</span> // perm check<a name="line.1867"></a>
-<span class="sourceLineNo">1868</span> TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();<a name="line.1868"></a>
-<span class="sourceLineNo">1869</span> AuthResult authResult = null;<a name="line.1869"></a>
-<span class="sourceLineNo">1870</span> User user = getActiveUser(c);<a name="line.1870"></a>
-<span class="sourceLineNo">1871</span> if (checkCoveringPermission(user, OpType.INCREMENT, c.getEnvironment(), increment.getRow(),<a name="line.1871"></a>
-<span class="sourceLineNo">1872</span> increment.getFamilyCellMap(), increment.getTimeRange().getMax(), Action.WRITE)) {<a name="line.1872"></a>
-<span class="sourceLineNo">1873</span> authResult = AuthResult.allow(OpType.INCREMENT.toString(), "Covering cell set",<a name="line.1873"></a>
-<span class="sourceLineNo">1874</span> user, Action.WRITE, table, increment.getFamilyCellMap());<a name="line.1874"></a>
-<span class="sourceLineNo">1875</span> } else {<a name="line.1875"></a>
-<span class="sourceLineNo">1876</span> authResult = AuthResult.deny(OpType.INCREMENT.toString(), "Covering cell set",<a name="line.1876"></a>
-<span class="sourceLineNo">1877</span> user, Action.WRITE, table, increment.getFamilyCellMap());<a name="line.1877"></a>
-<span class="sourceLineNo">1878</span> }<a name="line.1878"></a>
-<span class="sourceLineNo">1879</span> AccessChecker.logResult(authResult);<a name="line.1879"></a>
-<span class="sourceLineNo">1880</span> if (authorizationEnabled && !authResult.isAllowed()) {<a name="line.1880"></a>
-<span class="sourceLineNo">1881</span> throw new AccessDeniedException("Insufficient permissions " +<a name="line.1881"></a>
-<span class="sourceLineNo">1882</span> authResult.toContextString());<a name="line.1882"></a>
-<span class="sourceLineNo">1883</span> }<a name="line.1883"></a>
-<span class="sourceLineNo">1884</span> }<a name="line.1884"></a>
-<span class="sourceLineNo">1885</span> return null;<a name="line.1885"></a>
-<span class="sourceLineNo">1886</span> }<a name="line.1886"></a>
-<span class="sourceLineNo">1887</span><a name="line.1887"></a>
-<span class="sourceLineNo">1888</span> @Override<a name="line.1888"></a>
-<span class="sourceLineNo">1889</span> public Cell postMutationBeforeWAL(ObserverContext<RegionCoprocessorEnvironment> ctx,<a name="line.1889"></a>
-<span class="sourceLineNo">1890</span> MutationType opType, Mutation mutation, Cell oldCell, Cell newCell) throws IOException {<a name="line.1890"></a>
-<span class="sourceLineNo">1891</span> // If the HFile version is insufficient to persist tags, we won't have any<a name="line.1891"></a>
-<span class="sourceLineNo">1892</span> // work to do here<a name="line.1892"></a>
-<span class="sourceLineNo">1893</span> if (!cellFeaturesEnabled) {<a name="line.1893"></a>
-<span class="sourceLineNo">1894</span> return newCell;<a name="line.1894"></a>
-<span class="sourceLineNo">1895</span> }<a name="line.1895"></a>
-<span class="sourceLineNo">1896</span><a name="line.1896"></a>
-<span class="sourceLineNo">1897</span> // Collect any ACLs from the old cell<a name="line.1897"></a>
-<span class="sourceLineNo">1898</span> List<Tag> tags = Lists.newArrayList();<a name="line.1898"></a>
-<span class="sourceLineNo">1899</span> List<Tag> aclTags = Lists.newArrayList();<a name="line.1899"></a>
-<span class="sourceLineNo">1900</span> ListMultimap<String,Permission> perms = ArrayListMultimap.create();<a name="line.1900"></a>
-<span class="sourceLineNo">1901</span> if (oldCell != null) {<a name="line.1901"></a>
-<span class="sourceLineNo">1902</span> Iterator<Tag> tagIterator = PrivateCellUtil.tagsIterator(oldCell);<a name="line.1902"></a>
-<span class="sourceLineNo">1903</span> while (tagIterator.hasNext()) {<a name="line.1903"></a>
-<span class="sourceLineNo">1904</span> Tag tag = tagIterator.next();<a name="line.1904"></a>
-<span class="sourceLineNo">1905</span> if (tag.getType() != AccessControlLists.ACL_TAG_TYPE) {<a name="line.1905"></a>
-<span class="sourceLineNo">1906</span> // Not an ACL tag, just carry it through<a name="line.1906"></a>
-<span class="sourceLineNo">1907</span> if (LOG.isTraceEnabled()) {<a name="line.1907"></a>
-<span class="sourceLineNo">1908</span> LOG.trace("Carrying forward tag from " + oldCell + ": type " + tag.getType()<a name="line.1908"></a>
-<span class="sourceLineNo">1909</span> + " length " + tag.getValueLength());<a name="line.1909"></a>
-<span class="sourceLineNo">1910</span> }<a name="line.1910"></a>
-<span class="sourceLineNo">1911</span> tags.add(tag);<a name="line.1911"></a>
-<span class="sourceLineNo">1912</span> } else {<a name="line.1912"></a>
-<span class="sourceLineNo">1913</span> aclTags.add(tag);<a name="line.1913"></a>
-<span class="sourceLineNo">1914</span> }<a name="line.1914"></a>
-<span class="sourceLineNo">1915</span> }<a name="line.1915"></a>
-<span class="sourceLineNo">1916</span> }<a name="line.1916"></a>
-<span class="sourceLineNo">1917</span><a name="line.1917"></a>
-<span class="sourceLineNo">1918</span> // Do we have an ACL on the operation?<a name="line.1918"></a>
-<span class="sourceLineNo">1919</span> byte[] aclBytes = mutation.getACL();<a name="line.1919"></a>
-<span class="sourceLineNo">1920</span> if (aclBytes != null) {<a name="line.1920"></a>
-<span class="sourceLineNo">1921</span> // Yes, use it<a name="line.1921"></a>
-<span class="sourceLineNo">1922</span> tags.add(new ArrayBackedTag(AccessControlLists.ACL_TAG_TYPE, aclBytes));<a name="line.1922"></a>
-<span class="sourceLineNo">1923</span> } else {<a name="line.1923"></a>
-<span class="sourceLineNo">1924</span> // No, use what we carried forward<a name="line.1924"></a>
-<span class="sourceLineNo">1925</span> if (perms != null) {<a name="line.1925"></a>
-<span class="sourceLineNo">1926</span> // TODO: If we collected ACLs from more than one tag we may have a<a name="line.1926"></a>
-<span class="sourceLineNo">1927</span> // List<Permission> of size > 1, this can be collapsed into a single<a name="line.1927"></a>
-<span class="sourceLineNo">1928</span> // Permission<a name="line.1928"></a>
-<span class="sourceLineNo">1929</span> if (LOG.isTraceEnabled()) {<a name="line.1929"></a>
-<span class="sourceLineNo">1930</span> LOG.trace("Carrying forward ACLs from " + oldCell + ": " + perms);<a name="line.1930"></a>
-<span class="sourceLineNo">1931</span> }<a name="line.1931"></a>
-<span class="sourceLineNo">1932</span> tags.addAll(aclTags);<a name="line.1932"></a>
-<span cla
<TRUNCATED>