You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hbase.apache.org by gi...@apache.org on 2018/12/08 14:51:26 UTC
[12/29] hbase-site git commit: Published site at
79d90c87b5bc6d4aa50e6edc52a3f20da708ee29.
http://git-wip-us.apache.org/repos/asf/hbase-site/blob/3defc75b/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessController.OpType.html
----------------------------------------------------------------------
diff --git a/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessController.OpType.html b/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessController.OpType.html
index 16eebff..70b9ecb 100644
--- a/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessController.OpType.html
+++ b/devapidocs/src-html/org/apache/hadoop/hbase/security/access/AccessController.OpType.html
@@ -978,1678 +978,1679 @@
<span class="sourceLineNo">970</span> }<a name="line.970"></a>
<span class="sourceLineNo">971</span><a name="line.971"></a>
<span class="sourceLineNo">972</span> @Override<a name="line.972"></a>
-<span class="sourceLineNo">973</span> public void preModifyTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName,<a name="line.973"></a>
-<span class="sourceLineNo">974</span> TableDescriptor currentDesc, TableDescriptor newDesc) throws IOException {<a name="line.974"></a>
-<span class="sourceLineNo">975</span> // TODO: potentially check if this is a add/modify/delete column operation<a name="line.975"></a>
-<span class="sourceLineNo">976</span> requirePermission(c, "modifyTable",<a name="line.976"></a>
-<span class="sourceLineNo">977</span> tableName, null, null, Action.ADMIN, Action.CREATE);<a name="line.977"></a>
-<span class="sourceLineNo">978</span> }<a name="line.978"></a>
-<span class="sourceLineNo">979</span><a name="line.979"></a>
-<span class="sourceLineNo">980</span> @Override<a name="line.980"></a>
-<span class="sourceLineNo">981</span> public void postModifyTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName,<a name="line.981"></a>
-<span class="sourceLineNo">982</span> TableDescriptor oldDesc, TableDescriptor currentDesc) throws IOException {<a name="line.982"></a>
-<span class="sourceLineNo">983</span> final Configuration conf = c.getEnvironment().getConfiguration();<a name="line.983"></a>
-<span class="sourceLineNo">984</span> // default the table owner to current user, if not specified.<a name="line.984"></a>
-<span class="sourceLineNo">985</span> final String owner = (currentDesc.getOwnerString() != null) ? currentDesc.getOwnerString() :<a name="line.985"></a>
-<span class="sourceLineNo">986</span> getActiveUser(c).getShortName();<a name="line.986"></a>
-<span class="sourceLineNo">987</span> User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {<a name="line.987"></a>
-<span class="sourceLineNo">988</span> @Override<a name="line.988"></a>
-<span class="sourceLineNo">989</span> public Void run() throws Exception {<a name="line.989"></a>
-<span class="sourceLineNo">990</span> UserPermission userperm = new UserPermission(owner,<a name="line.990"></a>
-<span class="sourceLineNo">991</span> currentDesc.getTableName(), Action.values());<a name="line.991"></a>
-<span class="sourceLineNo">992</span> try (Table table = c.getEnvironment().getConnection().<a name="line.992"></a>
-<span class="sourceLineNo">993</span> getTable(AccessControlLists.ACL_TABLE_NAME)) {<a name="line.993"></a>
-<span class="sourceLineNo">994</span> AccessControlLists.addUserPermission(conf, userperm, table);<a name="line.994"></a>
-<span class="sourceLineNo">995</span> }<a name="line.995"></a>
-<span class="sourceLineNo">996</span> return null;<a name="line.996"></a>
-<span class="sourceLineNo">997</span> }<a name="line.997"></a>
-<span class="sourceLineNo">998</span> });<a name="line.998"></a>
-<span class="sourceLineNo">999</span> }<a name="line.999"></a>
-<span class="sourceLineNo">1000</span><a name="line.1000"></a>
-<span class="sourceLineNo">1001</span> @Override<a name="line.1001"></a>
-<span class="sourceLineNo">1002</span> public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName)<a name="line.1002"></a>
-<span class="sourceLineNo">1003</span> throws IOException {<a name="line.1003"></a>
-<span class="sourceLineNo">1004</span> requirePermission(c, "enableTable",<a name="line.1004"></a>
-<span class="sourceLineNo">1005</span> tableName, null, null, Action.ADMIN, Action.CREATE);<a name="line.1005"></a>
-<span class="sourceLineNo">1006</span> }<a name="line.1006"></a>
-<span class="sourceLineNo">1007</span><a name="line.1007"></a>
-<span class="sourceLineNo">1008</span> @Override<a name="line.1008"></a>
-<span class="sourceLineNo">1009</span> public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName)<a name="line.1009"></a>
-<span class="sourceLineNo">1010</span> throws IOException {<a name="line.1010"></a>
-<span class="sourceLineNo">1011</span> if (Bytes.equals(tableName.getName(), AccessControlLists.ACL_GLOBAL_NAME)) {<a name="line.1011"></a>
-<span class="sourceLineNo">1012</span> // We have to unconditionally disallow disable of the ACL table when we are installed,<a name="line.1012"></a>
-<span class="sourceLineNo">1013</span> // even if not enforcing authorizations. We are still allowing grants and revocations,<a name="line.1013"></a>
-<span class="sourceLineNo">1014</span> // checking permissions and logging audit messages, etc. If the ACL table is not<a name="line.1014"></a>
-<span class="sourceLineNo">1015</span> // available we will fail random actions all over the place.<a name="line.1015"></a>
-<span class="sourceLineNo">1016</span> throw new AccessDeniedException("Not allowed to disable "<a name="line.1016"></a>
-<span class="sourceLineNo">1017</span> + AccessControlLists.ACL_TABLE_NAME + " table with AccessController installed");<a name="line.1017"></a>
-<span class="sourceLineNo">1018</span> }<a name="line.1018"></a>
-<span class="sourceLineNo">1019</span> requirePermission(c, "disableTable",<a name="line.1019"></a>
-<span class="sourceLineNo">1020</span> tableName, null, null, Action.ADMIN, Action.CREATE);<a name="line.1020"></a>
-<span class="sourceLineNo">1021</span> }<a name="line.1021"></a>
-<span class="sourceLineNo">1022</span><a name="line.1022"></a>
-<span class="sourceLineNo">1023</span> @Override<a name="line.1023"></a>
-<span class="sourceLineNo">1024</span> public void preAbortProcedure(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1024"></a>
-<span class="sourceLineNo">1025</span> final long procId) throws IOException {<a name="line.1025"></a>
-<span class="sourceLineNo">1026</span> requirePermission(ctx, "abortProcedure", Action.ADMIN);<a name="line.1026"></a>
-<span class="sourceLineNo">1027</span> }<a name="line.1027"></a>
-<span class="sourceLineNo">1028</span><a name="line.1028"></a>
-<span class="sourceLineNo">1029</span> @Override<a name="line.1029"></a>
-<span class="sourceLineNo">1030</span> public void postAbortProcedure(ObserverContext<MasterCoprocessorEnvironment> ctx)<a name="line.1030"></a>
-<span class="sourceLineNo">1031</span> throws IOException {<a name="line.1031"></a>
-<span class="sourceLineNo">1032</span> // There is nothing to do at this time after the procedure abort request was sent.<a name="line.1032"></a>
-<span class="sourceLineNo">1033</span> }<a name="line.1033"></a>
-<span class="sourceLineNo">1034</span><a name="line.1034"></a>
-<span class="sourceLineNo">1035</span> @Override<a name="line.1035"></a>
-<span class="sourceLineNo">1036</span> public void preGetProcedures(ObserverContext<MasterCoprocessorEnvironment> ctx)<a name="line.1036"></a>
-<span class="sourceLineNo">1037</span> throws IOException {<a name="line.1037"></a>
-<span class="sourceLineNo">1038</span> requirePermission(ctx, "getProcedure", Action.ADMIN);<a name="line.1038"></a>
-<span class="sourceLineNo">1039</span> }<a name="line.1039"></a>
-<span class="sourceLineNo">1040</span><a name="line.1040"></a>
-<span class="sourceLineNo">1041</span> @Override<a name="line.1041"></a>
-<span class="sourceLineNo">1042</span> public void preGetLocks(ObserverContext<MasterCoprocessorEnvironment> ctx)<a name="line.1042"></a>
-<span class="sourceLineNo">1043</span> throws IOException {<a name="line.1043"></a>
-<span class="sourceLineNo">1044</span> User user = getActiveUser(ctx);<a name="line.1044"></a>
-<span class="sourceLineNo">1045</span> accessChecker.requirePermission(user, "getLocks", null, Action.ADMIN);<a name="line.1045"></a>
-<span class="sourceLineNo">1046</span> }<a name="line.1046"></a>
-<span class="sourceLineNo">1047</span><a name="line.1047"></a>
-<span class="sourceLineNo">1048</span> @Override<a name="line.1048"></a>
-<span class="sourceLineNo">1049</span> public void preMove(ObserverContext<MasterCoprocessorEnvironment> c, RegionInfo region,<a name="line.1049"></a>
-<span class="sourceLineNo">1050</span> ServerName srcServer, ServerName destServer) throws IOException {<a name="line.1050"></a>
-<span class="sourceLineNo">1051</span> requirePermission(c, "move",<a name="line.1051"></a>
-<span class="sourceLineNo">1052</span> region.getTable(), null, null, Action.ADMIN);<a name="line.1052"></a>
-<span class="sourceLineNo">1053</span> }<a name="line.1053"></a>
-<span class="sourceLineNo">1054</span><a name="line.1054"></a>
-<span class="sourceLineNo">1055</span> @Override<a name="line.1055"></a>
-<span class="sourceLineNo">1056</span> public void preAssign(ObserverContext<MasterCoprocessorEnvironment> c, RegionInfo regionInfo)<a name="line.1056"></a>
-<span class="sourceLineNo">1057</span> throws IOException {<a name="line.1057"></a>
-<span class="sourceLineNo">1058</span> requirePermission(c, "assign",<a name="line.1058"></a>
-<span class="sourceLineNo">1059</span> regionInfo.getTable(), null, null, Action.ADMIN);<a name="line.1059"></a>
-<span class="sourceLineNo">1060</span> }<a name="line.1060"></a>
-<span class="sourceLineNo">1061</span><a name="line.1061"></a>
-<span class="sourceLineNo">1062</span> @Override<a name="line.1062"></a>
-<span class="sourceLineNo">1063</span> public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> c, RegionInfo regionInfo,<a name="line.1063"></a>
-<span class="sourceLineNo">1064</span> boolean force) throws IOException {<a name="line.1064"></a>
-<span class="sourceLineNo">1065</span> requirePermission(c, "unassign",<a name="line.1065"></a>
-<span class="sourceLineNo">1066</span> regionInfo.getTable(), null, null, Action.ADMIN);<a name="line.1066"></a>
-<span class="sourceLineNo">1067</span> }<a name="line.1067"></a>
-<span class="sourceLineNo">1068</span><a name="line.1068"></a>
-<span class="sourceLineNo">1069</span> @Override<a name="line.1069"></a>
-<span class="sourceLineNo">1070</span> public void preRegionOffline(ObserverContext<MasterCoprocessorEnvironment> c,<a name="line.1070"></a>
-<span class="sourceLineNo">1071</span> RegionInfo regionInfo) throws IOException {<a name="line.1071"></a>
-<span class="sourceLineNo">1072</span> requirePermission(c, "regionOffline",<a name="line.1072"></a>
-<span class="sourceLineNo">1073</span> regionInfo.getTable(), null, null, Action.ADMIN);<a name="line.1073"></a>
-<span class="sourceLineNo">1074</span> }<a name="line.1074"></a>
-<span class="sourceLineNo">1075</span><a name="line.1075"></a>
-<span class="sourceLineNo">1076</span> @Override<a name="line.1076"></a>
-<span class="sourceLineNo">1077</span> public void preSetSplitOrMergeEnabled(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1077"></a>
-<span class="sourceLineNo">1078</span> final boolean newValue, final MasterSwitchType switchType) throws IOException {<a name="line.1078"></a>
-<span class="sourceLineNo">1079</span> requirePermission(ctx, "setSplitOrMergeEnabled",<a name="line.1079"></a>
-<span class="sourceLineNo">1080</span> Action.ADMIN);<a name="line.1080"></a>
-<span class="sourceLineNo">1081</span> }<a name="line.1081"></a>
-<span class="sourceLineNo">1082</span><a name="line.1082"></a>
-<span class="sourceLineNo">1083</span> @Override<a name="line.1083"></a>
-<span class="sourceLineNo">1084</span> public void preBalance(ObserverContext<MasterCoprocessorEnvironment> c)<a name="line.1084"></a>
-<span class="sourceLineNo">1085</span> throws IOException {<a name="line.1085"></a>
-<span class="sourceLineNo">1086</span> requirePermission(c, "balance", Action.ADMIN);<a name="line.1086"></a>
-<span class="sourceLineNo">1087</span> }<a name="line.1087"></a>
-<span class="sourceLineNo">1088</span><a name="line.1088"></a>
-<span class="sourceLineNo">1089</span> @Override<a name="line.1089"></a>
-<span class="sourceLineNo">1090</span> public void preBalanceSwitch(ObserverContext<MasterCoprocessorEnvironment> c,<a name="line.1090"></a>
-<span class="sourceLineNo">1091</span> boolean newValue) throws IOException {<a name="line.1091"></a>
-<span class="sourceLineNo">1092</span> requirePermission(c, "balanceSwitch", Action.ADMIN);<a name="line.1092"></a>
-<span class="sourceLineNo">1093</span> }<a name="line.1093"></a>
-<span class="sourceLineNo">1094</span><a name="line.1094"></a>
-<span class="sourceLineNo">1095</span> @Override<a name="line.1095"></a>
-<span class="sourceLineNo">1096</span> public void preShutdown(ObserverContext<MasterCoprocessorEnvironment> c)<a name="line.1096"></a>
-<span class="sourceLineNo">1097</span> throws IOException {<a name="line.1097"></a>
-<span class="sourceLineNo">1098</span> requirePermission(c, "shutdown", Action.ADMIN);<a name="line.1098"></a>
-<span class="sourceLineNo">1099</span> }<a name="line.1099"></a>
-<span class="sourceLineNo">1100</span><a name="line.1100"></a>
-<span class="sourceLineNo">1101</span> @Override<a name="line.1101"></a>
-<span class="sourceLineNo">1102</span> public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> c)<a name="line.1102"></a>
-<span class="sourceLineNo">1103</span> throws IOException {<a name="line.1103"></a>
-<span class="sourceLineNo">1104</span> requirePermission(c, "stopMaster", Action.ADMIN);<a name="line.1104"></a>
-<span class="sourceLineNo">1105</span> }<a name="line.1105"></a>
-<span class="sourceLineNo">1106</span><a name="line.1106"></a>
-<span class="sourceLineNo">1107</span> @Override<a name="line.1107"></a>
-<span class="sourceLineNo">1108</span> public void postStartMaster(ObserverContext<MasterCoprocessorEnvironment> ctx)<a name="line.1108"></a>
-<span class="sourceLineNo">1109</span> throws IOException {<a name="line.1109"></a>
-<span class="sourceLineNo">1110</span> try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) {<a name="line.1110"></a>
-<span class="sourceLineNo">1111</span> if (!admin.tableExists(AccessControlLists.ACL_TABLE_NAME)) {<a name="line.1111"></a>
-<span class="sourceLineNo">1112</span> createACLTable(admin);<a name="line.1112"></a>
-<span class="sourceLineNo">1113</span> } else {<a name="line.1113"></a>
-<span class="sourceLineNo">1114</span> this.aclTabAvailable = true;<a name="line.1114"></a>
-<span class="sourceLineNo">1115</span> }<a name="line.1115"></a>
-<span class="sourceLineNo">1116</span> }<a name="line.1116"></a>
-<span class="sourceLineNo">1117</span> }<a name="line.1117"></a>
-<span class="sourceLineNo">1118</span> /**<a name="line.1118"></a>
-<span class="sourceLineNo">1119</span> * Create the ACL table<a name="line.1119"></a>
-<span class="sourceLineNo">1120</span> * @throws IOException<a name="line.1120"></a>
-<span class="sourceLineNo">1121</span> */<a name="line.1121"></a>
-<span class="sourceLineNo">1122</span> private static void createACLTable(Admin admin) throws IOException {<a name="line.1122"></a>
-<span class="sourceLineNo">1123</span> /** Table descriptor for ACL table */<a name="line.1123"></a>
-<span class="sourceLineNo">1124</span> ColumnFamilyDescriptor cfd =<a name="line.1124"></a>
-<span class="sourceLineNo">1125</span> ColumnFamilyDescriptorBuilder.newBuilder(AccessControlLists.ACL_LIST_FAMILY).<a name="line.1125"></a>
-<span class="sourceLineNo">1126</span> setMaxVersions(1).<a name="line.1126"></a>
-<span class="sourceLineNo">1127</span> setInMemory(true).<a name="line.1127"></a>
-<span class="sourceLineNo">1128</span> setBlockCacheEnabled(true).<a name="line.1128"></a>
-<span class="sourceLineNo">1129</span> setBlocksize(8 * 1024).<a name="line.1129"></a>
-<span class="sourceLineNo">1130</span> setBloomFilterType(BloomType.NONE).<a name="line.1130"></a>
-<span class="sourceLineNo">1131</span> setScope(HConstants.REPLICATION_SCOPE_LOCAL).build();<a name="line.1131"></a>
-<span class="sourceLineNo">1132</span> TableDescriptor td =<a name="line.1132"></a>
-<span class="sourceLineNo">1133</span> TableDescriptorBuilder.newBuilder(AccessControlLists.ACL_TABLE_NAME).<a name="line.1133"></a>
-<span class="sourceLineNo">1134</span> setColumnFamily(cfd).build();<a name="line.1134"></a>
-<span class="sourceLineNo">1135</span> admin.createTable(td);<a name="line.1135"></a>
-<span class="sourceLineNo">1136</span> }<a name="line.1136"></a>
-<span class="sourceLineNo">1137</span><a name="line.1137"></a>
-<span class="sourceLineNo">1138</span> @Override<a name="line.1138"></a>
-<span class="sourceLineNo">1139</span> public void preSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1139"></a>
-<span class="sourceLineNo">1140</span> final SnapshotDescription snapshot, final TableDescriptor hTableDescriptor)<a name="line.1140"></a>
-<span class="sourceLineNo">1141</span> throws IOException {<a name="line.1141"></a>
-<span class="sourceLineNo">1142</span> // Move this ACL check to SnapshotManager#checkPermissions as part of AC deprecation.<a name="line.1142"></a>
-<span class="sourceLineNo">1143</span> requirePermission(ctx, "snapshot " + snapshot.getName(),<a name="line.1143"></a>
-<span class="sourceLineNo">1144</span> hTableDescriptor.getTableName(), null, null, Permission.Action.ADMIN);<a name="line.1144"></a>
-<span class="sourceLineNo">1145</span> }<a name="line.1145"></a>
-<span class="sourceLineNo">1146</span><a name="line.1146"></a>
-<span class="sourceLineNo">1147</span> @Override<a name="line.1147"></a>
-<span class="sourceLineNo">1148</span> public void preListSnapshot(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1148"></a>
-<span class="sourceLineNo">1149</span> final SnapshotDescription snapshot) throws IOException {<a name="line.1149"></a>
-<span class="sourceLineNo">1150</span> User user = getActiveUser(ctx);<a name="line.1150"></a>
-<span class="sourceLineNo">1151</span> if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {<a name="line.1151"></a>
-<span class="sourceLineNo">1152</span> // list it, if user is the owner of snapshot<a name="line.1152"></a>
-<span class="sourceLineNo">1153</span> AuthResult result = AuthResult.allow("listSnapshot " + snapshot.getName(),<a name="line.1153"></a>
-<span class="sourceLineNo">1154</span> "Snapshot owner check allowed", user, null, null, null);<a name="line.1154"></a>
-<span class="sourceLineNo">1155</span> AccessChecker.logResult(result);<a name="line.1155"></a>
-<span class="sourceLineNo">1156</span> } else {<a name="line.1156"></a>
-<span class="sourceLineNo">1157</span> accessChecker.requirePermission(user, "listSnapshot " + snapshot.getName(), null,<a name="line.1157"></a>
-<span class="sourceLineNo">1158</span> Action.ADMIN);<a name="line.1158"></a>
-<span class="sourceLineNo">1159</span> }<a name="line.1159"></a>
-<span class="sourceLineNo">1160</span> }<a name="line.1160"></a>
-<span class="sourceLineNo">1161</span><a name="line.1161"></a>
-<span class="sourceLineNo">1162</span> @Override<a name="line.1162"></a>
-<span class="sourceLineNo">1163</span> public void preCloneSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1163"></a>
-<span class="sourceLineNo">1164</span> final SnapshotDescription snapshot, final TableDescriptor hTableDescriptor)<a name="line.1164"></a>
-<span class="sourceLineNo">1165</span> throws IOException {<a name="line.1165"></a>
-<span class="sourceLineNo">1166</span> User user = getActiveUser(ctx);<a name="line.1166"></a>
-<span class="sourceLineNo">1167</span> if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)<a name="line.1167"></a>
-<span class="sourceLineNo">1168</span> && hTableDescriptor.getTableName().getNameAsString().equals(snapshot.getTable())) {<a name="line.1168"></a>
-<span class="sourceLineNo">1169</span> // Snapshot owner is allowed to create a table with the same name as the snapshot he took<a name="line.1169"></a>
-<span class="sourceLineNo">1170</span> AuthResult result = AuthResult.allow("cloneSnapshot " + snapshot.getName(),<a name="line.1170"></a>
-<span class="sourceLineNo">1171</span> "Snapshot owner check allowed", user, null, hTableDescriptor.getTableName(), null);<a name="line.1171"></a>
-<span class="sourceLineNo">1172</span> AccessChecker.logResult(result);<a name="line.1172"></a>
-<span class="sourceLineNo">1173</span> } else {<a name="line.1173"></a>
-<span class="sourceLineNo">1174</span> accessChecker.requirePermission(user, "cloneSnapshot " + snapshot.getName(), null,<a name="line.1174"></a>
-<span class="sourceLineNo">1175</span> Action.ADMIN);<a name="line.1175"></a>
-<span class="sourceLineNo">1176</span> }<a name="line.1176"></a>
-<span class="sourceLineNo">1177</span> }<a name="line.1177"></a>
-<span class="sourceLineNo">1178</span><a name="line.1178"></a>
-<span class="sourceLineNo">1179</span> @Override<a name="line.1179"></a>
-<span class="sourceLineNo">1180</span> public void preRestoreSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1180"></a>
-<span class="sourceLineNo">1181</span> final SnapshotDescription snapshot, final TableDescriptor hTableDescriptor)<a name="line.1181"></a>
-<span class="sourceLineNo">1182</span> throws IOException {<a name="line.1182"></a>
-<span class="sourceLineNo">1183</span> User user = getActiveUser(ctx);<a name="line.1183"></a>
-<span class="sourceLineNo">1184</span> if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {<a name="line.1184"></a>
-<span class="sourceLineNo">1185</span> accessChecker.requirePermission(user, "restoreSnapshot " + snapshot.getName(),<a name="line.1185"></a>
-<span class="sourceLineNo">1186</span> hTableDescriptor.getTableName(), null, null, null, Permission.Action.ADMIN);<a name="line.1186"></a>
-<span class="sourceLineNo">1187</span> } else {<a name="line.1187"></a>
-<span class="sourceLineNo">1188</span> accessChecker.requirePermission(user, "restoreSnapshot " + snapshot.getName(), null,<a name="line.1188"></a>
-<span class="sourceLineNo">1189</span> Action.ADMIN);<a name="line.1189"></a>
-<span class="sourceLineNo">1190</span> }<a name="line.1190"></a>
-<span class="sourceLineNo">1191</span> }<a name="line.1191"></a>
-<span class="sourceLineNo">1192</span><a name="line.1192"></a>
-<span class="sourceLineNo">1193</span> @Override<a name="line.1193"></a>
-<span class="sourceLineNo">1194</span> public void preDeleteSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1194"></a>
-<span class="sourceLineNo">1195</span> final SnapshotDescription snapshot) throws IOException {<a name="line.1195"></a>
-<span class="sourceLineNo">1196</span> User user = getActiveUser(ctx);<a name="line.1196"></a>
-<span class="sourceLineNo">1197</span> if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {<a name="line.1197"></a>
-<span class="sourceLineNo">1198</span> // Snapshot owner is allowed to delete the snapshot<a name="line.1198"></a>
-<span class="sourceLineNo">1199</span> AuthResult result = AuthResult.allow("deleteSnapshot " + snapshot.getName(),<a name="line.1199"></a>
-<span class="sourceLineNo">1200</span> "Snapshot owner check allowed", user, null, null, null);<a name="line.1200"></a>
-<span class="sourceLineNo">1201</span> AccessChecker.logResult(result);<a name="line.1201"></a>
-<span class="sourceLineNo">1202</span> } else {<a name="line.1202"></a>
-<span class="sourceLineNo">1203</span> accessChecker.requirePermission(user, "deleteSnapshot " + snapshot.getName(), null,<a name="line.1203"></a>
-<span class="sourceLineNo">1204</span> Action.ADMIN);<a name="line.1204"></a>
-<span class="sourceLineNo">1205</span> }<a name="line.1205"></a>
-<span class="sourceLineNo">1206</span> }<a name="line.1206"></a>
-<span class="sourceLineNo">1207</span><a name="line.1207"></a>
-<span class="sourceLineNo">1208</span> @Override<a name="line.1208"></a>
-<span class="sourceLineNo">1209</span> public void preCreateNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1209"></a>
-<span class="sourceLineNo">1210</span> NamespaceDescriptor ns) throws IOException {<a name="line.1210"></a>
-<span class="sourceLineNo">1211</span> requireGlobalPermission(ctx, "createNamespace",<a name="line.1211"></a>
-<span class="sourceLineNo">1212</span> Action.ADMIN, ns.getName());<a name="line.1212"></a>
-<span class="sourceLineNo">1213</span> }<a name="line.1213"></a>
-<span class="sourceLineNo">1214</span><a name="line.1214"></a>
-<span class="sourceLineNo">1215</span> @Override<a name="line.1215"></a>
-<span class="sourceLineNo">1216</span> public void preDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx, String namespace)<a name="line.1216"></a>
-<span class="sourceLineNo">1217</span> throws IOException {<a name="line.1217"></a>
-<span class="sourceLineNo">1218</span> requireGlobalPermission(ctx, "deleteNamespace",<a name="line.1218"></a>
-<span class="sourceLineNo">1219</span> Action.ADMIN, namespace);<a name="line.1219"></a>
-<span class="sourceLineNo">1220</span> }<a name="line.1220"></a>
-<span class="sourceLineNo">1221</span><a name="line.1221"></a>
-<span class="sourceLineNo">1222</span> @Override<a name="line.1222"></a>
-<span class="sourceLineNo">1223</span> public void postDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1223"></a>
-<span class="sourceLineNo">1224</span> final String namespace) throws IOException {<a name="line.1224"></a>
-<span class="sourceLineNo">1225</span> final Configuration conf = ctx.getEnvironment().getConfiguration();<a name="line.1225"></a>
-<span class="sourceLineNo">1226</span> User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {<a name="line.1226"></a>
-<span class="sourceLineNo">1227</span> @Override<a name="line.1227"></a>
-<span class="sourceLineNo">1228</span> public Void run() throws Exception {<a name="line.1228"></a>
-<span class="sourceLineNo">1229</span> try (Table table = ctx.getEnvironment().getConnection().<a name="line.1229"></a>
-<span class="sourceLineNo">1230</span> getTable(AccessControlLists.ACL_TABLE_NAME)) {<a name="line.1230"></a>
-<span class="sourceLineNo">1231</span> AccessControlLists.removeNamespacePermissions(conf, namespace, table);<a name="line.1231"></a>
-<span class="sourceLineNo">1232</span> }<a name="line.1232"></a>
-<span class="sourceLineNo">1233</span> return null;<a name="line.1233"></a>
-<span class="sourceLineNo">1234</span> }<a name="line.1234"></a>
-<span class="sourceLineNo">1235</span> });<a name="line.1235"></a>
-<span class="sourceLineNo">1236</span> getAuthManager().getZKPermissionWatcher().deleteNamespaceACLNode(namespace);<a name="line.1236"></a>
-<span class="sourceLineNo">1237</span> LOG.info(namespace + " entry deleted in " + AccessControlLists.ACL_TABLE_NAME + " table.");<a name="line.1237"></a>
-<span class="sourceLineNo">1238</span> }<a name="line.1238"></a>
-<span class="sourceLineNo">1239</span><a name="line.1239"></a>
-<span class="sourceLineNo">1240</span> @Override<a name="line.1240"></a>
-<span class="sourceLineNo">1241</span> public void preModifyNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1241"></a>
-<span class="sourceLineNo">1242</span> NamespaceDescriptor currentNsDesc, NamespaceDescriptor newNsDesc) throws IOException {<a name="line.1242"></a>
-<span class="sourceLineNo">1243</span> // We require only global permission so that<a name="line.1243"></a>
-<span class="sourceLineNo">1244</span> // a user with NS admin cannot altering namespace configurations. i.e. namespace quota<a name="line.1244"></a>
-<span class="sourceLineNo">1245</span> requireGlobalPermission(ctx, "modifyNamespace", Action.ADMIN, newNsDesc.getName());<a name="line.1245"></a>
-<span class="sourceLineNo">1246</span> }<a name="line.1246"></a>
-<span class="sourceLineNo">1247</span><a name="line.1247"></a>
-<span class="sourceLineNo">1248</span> @Override<a name="line.1248"></a>
-<span class="sourceLineNo">1249</span> public void preGetNamespaceDescriptor(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1249"></a>
-<span class="sourceLineNo">1250</span> String namespace) throws IOException {<a name="line.1250"></a>
-<span class="sourceLineNo">1251</span> requireNamespacePermission(ctx, "getNamespaceDescriptor", namespace, Action.ADMIN);<a name="line.1251"></a>
-<span class="sourceLineNo">1252</span> }<a name="line.1252"></a>
-<span class="sourceLineNo">1253</span><a name="line.1253"></a>
-<span class="sourceLineNo">1254</span> @Override<a name="line.1254"></a>
-<span class="sourceLineNo">1255</span> public void postListNamespaceDescriptors(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1255"></a>
-<span class="sourceLineNo">1256</span> List<NamespaceDescriptor> descriptors) throws IOException {<a name="line.1256"></a>
-<span class="sourceLineNo">1257</span> // Retains only those which passes authorization checks, as the checks weren't done as part<a name="line.1257"></a>
-<span class="sourceLineNo">1258</span> // of preGetTableDescriptors.<a name="line.1258"></a>
-<span class="sourceLineNo">1259</span> Iterator<NamespaceDescriptor> itr = descriptors.iterator();<a name="line.1259"></a>
-<span class="sourceLineNo">1260</span> User user = getActiveUser(ctx);<a name="line.1260"></a>
-<span class="sourceLineNo">1261</span> while (itr.hasNext()) {<a name="line.1261"></a>
-<span class="sourceLineNo">1262</span> NamespaceDescriptor desc = itr.next();<a name="line.1262"></a>
-<span class="sourceLineNo">1263</span> try {<a name="line.1263"></a>
-<span class="sourceLineNo">1264</span> accessChecker.requireNamespacePermission(user, "listNamespaces", desc.getName(), null,<a name="line.1264"></a>
-<span class="sourceLineNo">1265</span> Action.ADMIN);<a name="line.1265"></a>
-<span class="sourceLineNo">1266</span> } catch (AccessDeniedException e) {<a name="line.1266"></a>
-<span class="sourceLineNo">1267</span> itr.remove();<a name="line.1267"></a>
-<span class="sourceLineNo">1268</span> }<a name="line.1268"></a>
-<span class="sourceLineNo">1269</span> }<a name="line.1269"></a>
-<span class="sourceLineNo">1270</span> }<a name="line.1270"></a>
-<span class="sourceLineNo">1271</span><a name="line.1271"></a>
-<span class="sourceLineNo">1272</span> @Override<a name="line.1272"></a>
-<span class="sourceLineNo">1273</span> public void preTableFlush(final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1273"></a>
-<span class="sourceLineNo">1274</span> final TableName tableName) throws IOException {<a name="line.1274"></a>
-<span class="sourceLineNo">1275</span> // Move this ACL check to MasterFlushTableProcedureManager#checkPermissions as part of AC<a name="line.1275"></a>
-<span class="sourceLineNo">1276</span> // deprecation.<a name="line.1276"></a>
-<span class="sourceLineNo">1277</span> requirePermission(ctx, "flushTable", tableName,<a name="line.1277"></a>
-<span class="sourceLineNo">1278</span> null, null, Action.ADMIN, Action.CREATE);<a name="line.1278"></a>
-<span class="sourceLineNo">1279</span> }<a name="line.1279"></a>
-<span class="sourceLineNo">1280</span><a name="line.1280"></a>
-<span class="sourceLineNo">1281</span> @Override<a name="line.1281"></a>
-<span class="sourceLineNo">1282</span> public void preSplitRegion(<a name="line.1282"></a>
-<span class="sourceLineNo">1283</span> final ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1283"></a>
-<span class="sourceLineNo">1284</span> final TableName tableName,<a name="line.1284"></a>
-<span class="sourceLineNo">1285</span> final byte[] splitRow) throws IOException {<a name="line.1285"></a>
-<span class="sourceLineNo">1286</span> requirePermission(ctx, "split", tableName,<a name="line.1286"></a>
-<span class="sourceLineNo">1287</span> null, null, Action.ADMIN);<a name="line.1287"></a>
-<span class="sourceLineNo">1288</span> }<a name="line.1288"></a>
-<span class="sourceLineNo">1289</span><a name="line.1289"></a>
-<span class="sourceLineNo">1290</span> @Override<a name="line.1290"></a>
-<span class="sourceLineNo">1291</span> public void preClearDeadServers(ObserverContext<MasterCoprocessorEnvironment> ctx)<a name="line.1291"></a>
-<span class="sourceLineNo">1292</span> throws IOException {<a name="line.1292"></a>
-<span class="sourceLineNo">1293</span> requirePermission(ctx, "clearDeadServers", Action.ADMIN);<a name="line.1293"></a>
-<span class="sourceLineNo">1294</span> }<a name="line.1294"></a>
-<span class="sourceLineNo">1295</span><a name="line.1295"></a>
-<span class="sourceLineNo">1296</span> @Override<a name="line.1296"></a>
-<span class="sourceLineNo">1297</span> public void preDecommissionRegionServers(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1297"></a>
-<span class="sourceLineNo">1298</span> List<ServerName> servers, boolean offload) throws IOException {<a name="line.1298"></a>
-<span class="sourceLineNo">1299</span> requirePermission(ctx, "decommissionRegionServers", Action.ADMIN);<a name="line.1299"></a>
-<span class="sourceLineNo">1300</span> }<a name="line.1300"></a>
-<span class="sourceLineNo">1301</span><a name="line.1301"></a>
-<span class="sourceLineNo">1302</span> @Override<a name="line.1302"></a>
-<span class="sourceLineNo">1303</span> public void preListDecommissionedRegionServers(ObserverContext<MasterCoprocessorEnvironment> ctx)<a name="line.1303"></a>
-<span class="sourceLineNo">1304</span> throws IOException {<a name="line.1304"></a>
-<span class="sourceLineNo">1305</span> requirePermission(ctx, "listDecommissionedRegionServers",<a name="line.1305"></a>
-<span class="sourceLineNo">1306</span> Action.ADMIN);<a name="line.1306"></a>
-<span class="sourceLineNo">1307</span> }<a name="line.1307"></a>
-<span class="sourceLineNo">1308</span><a name="line.1308"></a>
-<span class="sourceLineNo">1309</span> @Override<a name="line.1309"></a>
-<span class="sourceLineNo">1310</span> public void preRecommissionRegionServer(ObserverContext<MasterCoprocessorEnvironment> ctx,<a name="line.1310"></a>
-<span class="sourceLineNo">1311</span> ServerName server, List<byte[]> encodedRegionNames) throws IOException {<a name="line.1311"></a>
-<span class="sourceLineNo">1312</span> requirePermission(ctx, "recommissionRegionServers", Action.ADMIN);<a name="line.1312"></a>
-<span class="sourceLineNo">1313</span> }<a name="line.1313"></a>
-<span class="sourceLineNo">1314</span><a name="line.1314"></a>
-<span class="sourceLineNo">1315</span> /* ---- RegionObserver implementation ---- */<a name="line.1315"></a>
-<span class="sourceLineNo">1316</span><a name="line.1316"></a>
-<span class="sourceLineNo">1317</span> @Override<a name="line.1317"></a>
-<span class="sourceLineNo">1318</span> public void preOpen(ObserverContext<RegionCoprocessorEnvironment> c)<a name="line.1318"></a>
-<span class="sourceLineNo">1319</span> throws IOException {<a name="line.1319"></a>
-<span class="sourceLineNo">1320</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1320"></a>
-<span class="sourceLineNo">1321</span> final Region region = env.getRegion();<a name="line.1321"></a>
-<span class="sourceLineNo">1322</span> if (region == null) {<a name="line.1322"></a>
-<span class="sourceLineNo">1323</span> LOG.error("NULL region from RegionCoprocessorEnvironment in preOpen()");<a name="line.1323"></a>
-<span class="sourceLineNo">1324</span> } else {<a name="line.1324"></a>
-<span class="sourceLineNo">1325</span> RegionInfo regionInfo = region.getRegionInfo();<a name="line.1325"></a>
-<span class="sourceLineNo">1326</span> if (regionInfo.getTable().isSystemTable()) {<a name="line.1326"></a>
-<span class="sourceLineNo">1327</span> checkSystemOrSuperUser(getActiveUser(c));<a name="line.1327"></a>
-<span class="sourceLineNo">1328</span> } else {<a name="line.1328"></a>
-<span class="sourceLineNo">1329</span> requirePermission(c, "preOpen", Action.ADMIN);<a name="line.1329"></a>
-<span class="sourceLineNo">1330</span> }<a name="line.1330"></a>
-<span class="sourceLineNo">1331</span> }<a name="line.1331"></a>
-<span class="sourceLineNo">1332</span> }<a name="line.1332"></a>
-<span class="sourceLineNo">1333</span><a name="line.1333"></a>
-<span class="sourceLineNo">1334</span> @Override<a name="line.1334"></a>
-<span class="sourceLineNo">1335</span> public void postOpen(ObserverContext<RegionCoprocessorEnvironment> c) {<a name="line.1335"></a>
-<span class="sourceLineNo">1336</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1336"></a>
-<span class="sourceLineNo">1337</span> final Region region = env.getRegion();<a name="line.1337"></a>
-<span class="sourceLineNo">1338</span> if (region == null) {<a name="line.1338"></a>
-<span class="sourceLineNo">1339</span> LOG.error("NULL region from RegionCoprocessorEnvironment in postOpen()");<a name="line.1339"></a>
-<span class="sourceLineNo">1340</span> return;<a name="line.1340"></a>
-<span class="sourceLineNo">1341</span> }<a name="line.1341"></a>
-<span class="sourceLineNo">1342</span> if (AccessControlLists.isAclRegion(region)) {<a name="line.1342"></a>
-<span class="sourceLineNo">1343</span> aclRegion = true;<a name="line.1343"></a>
-<span class="sourceLineNo">1344</span> try {<a name="line.1344"></a>
-<span class="sourceLineNo">1345</span> initialize(env);<a name="line.1345"></a>
-<span class="sourceLineNo">1346</span> } catch (IOException ex) {<a name="line.1346"></a>
-<span class="sourceLineNo">1347</span> // if we can't obtain permissions, it's better to fail<a name="line.1347"></a>
-<span class="sourceLineNo">1348</span> // than perform checks incorrectly<a name="line.1348"></a>
-<span class="sourceLineNo">1349</span> throw new RuntimeException("Failed to initialize permissions cache", ex);<a name="line.1349"></a>
-<span class="sourceLineNo">1350</span> }<a name="line.1350"></a>
-<span class="sourceLineNo">1351</span> } else {<a name="line.1351"></a>
-<span class="sourceLineNo">1352</span> initialized = true;<a name="line.1352"></a>
-<span class="sourceLineNo">1353</span> }<a name="line.1353"></a>
-<span class="sourceLineNo">1354</span> }<a name="line.1354"></a>
-<span class="sourceLineNo">1355</span><a name="line.1355"></a>
-<span class="sourceLineNo">1356</span> @Override<a name="line.1356"></a>
-<span class="sourceLineNo">1357</span> public void preFlush(ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1357"></a>
-<span class="sourceLineNo">1358</span> FlushLifeCycleTracker tracker) throws IOException {<a name="line.1358"></a>
-<span class="sourceLineNo">1359</span> requirePermission(c, "flush", getTableName(c.getEnvironment()),<a name="line.1359"></a>
-<span class="sourceLineNo">1360</span> null, null, Action.ADMIN, Action.CREATE);<a name="line.1360"></a>
-<span class="sourceLineNo">1361</span> }<a name="line.1361"></a>
-<span class="sourceLineNo">1362</span><a name="line.1362"></a>
-<span class="sourceLineNo">1363</span> @Override<a name="line.1363"></a>
-<span class="sourceLineNo">1364</span> public InternalScanner preCompact(ObserverContext<RegionCoprocessorEnvironment> c, Store store,<a name="line.1364"></a>
-<span class="sourceLineNo">1365</span> InternalScanner scanner, ScanType scanType, CompactionLifeCycleTracker tracker,<a name="line.1365"></a>
-<span class="sourceLineNo">1366</span> CompactionRequest request) throws IOException {<a name="line.1366"></a>
-<span class="sourceLineNo">1367</span> requirePermission(c, "compact", getTableName(c.getEnvironment()),<a name="line.1367"></a>
-<span class="sourceLineNo">1368</span> null, null, Action.ADMIN, Action.CREATE);<a name="line.1368"></a>
-<span class="sourceLineNo">1369</span> return scanner;<a name="line.1369"></a>
-<span class="sourceLineNo">1370</span> }<a name="line.1370"></a>
-<span class="sourceLineNo">1371</span><a name="line.1371"></a>
-<span class="sourceLineNo">1372</span> private void internalPreRead(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1372"></a>
-<span class="sourceLineNo">1373</span> final Query query, OpType opType) throws IOException {<a name="line.1373"></a>
-<span class="sourceLineNo">1374</span> Filter filter = query.getFilter();<a name="line.1374"></a>
-<span class="sourceLineNo">1375</span> // Don't wrap an AccessControlFilter<a name="line.1375"></a>
-<span class="sourceLineNo">1376</span> if (filter != null && filter instanceof AccessControlFilter) {<a name="line.1376"></a>
-<span class="sourceLineNo">1377</span> return;<a name="line.1377"></a>
-<span class="sourceLineNo">1378</span> }<a name="line.1378"></a>
-<span class="sourceLineNo">1379</span> User user = getActiveUser(c);<a name="line.1379"></a>
-<span class="sourceLineNo">1380</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1380"></a>
-<span class="sourceLineNo">1381</span> Map<byte[],? extends Collection<byte[]>> families = null;<a name="line.1381"></a>
-<span class="sourceLineNo">1382</span> switch (opType) {<a name="line.1382"></a>
-<span class="sourceLineNo">1383</span> case GET:<a name="line.1383"></a>
-<span class="sourceLineNo">1384</span> case EXISTS:<a name="line.1384"></a>
-<span class="sourceLineNo">1385</span> families = ((Get)query).getFamilyMap();<a name="line.1385"></a>
-<span class="sourceLineNo">1386</span> break;<a name="line.1386"></a>
-<span class="sourceLineNo">1387</span> case SCAN:<a name="line.1387"></a>
-<span class="sourceLineNo">1388</span> families = ((Scan)query).getFamilyMap();<a name="line.1388"></a>
-<span class="sourceLineNo">1389</span> break;<a name="line.1389"></a>
-<span class="sourceLineNo">1390</span> default:<a name="line.1390"></a>
-<span class="sourceLineNo">1391</span> throw new RuntimeException("Unhandled operation " + opType);<a name="line.1391"></a>
-<span class="sourceLineNo">1392</span> }<a name="line.1392"></a>
-<span class="sourceLineNo">1393</span> AuthResult authResult = permissionGranted(opType, user, env, families, Action.READ);<a name="line.1393"></a>
-<span class="sourceLineNo">1394</span> Region region = getRegion(env);<a name="line.1394"></a>
-<span class="sourceLineNo">1395</span> TableName table = getTableName(region);<a name="line.1395"></a>
-<span class="sourceLineNo">1396</span> Map<ByteRange, Integer> cfVsMaxVersions = Maps.newHashMap();<a name="line.1396"></a>
-<span class="sourceLineNo">1397</span> for (ColumnFamilyDescriptor hcd : region.getTableDescriptor().getColumnFamilies()) {<a name="line.1397"></a>
-<span class="sourceLineNo">1398</span> cfVsMaxVersions.put(new SimpleMutableByteRange(hcd.getName()), hcd.getMaxVersions());<a name="line.1398"></a>
-<span class="sourceLineNo">1399</span> }<a name="line.1399"></a>
-<span class="sourceLineNo">1400</span> if (!authResult.isAllowed()) {<a name="line.1400"></a>
-<span class="sourceLineNo">1401</span> if (!cellFeaturesEnabled || compatibleEarlyTermination) {<a name="line.1401"></a>
-<span class="sourceLineNo">1402</span> // Old behavior: Scan with only qualifier checks if we have partial<a name="line.1402"></a>
-<span class="sourceLineNo">1403</span> // permission. Backwards compatible behavior is to throw an<a name="line.1403"></a>
-<span class="sourceLineNo">1404</span> // AccessDeniedException immediately if there are no grants for table<a name="line.1404"></a>
-<span class="sourceLineNo">1405</span> // or CF or CF+qual. Only proceed with an injected filter if there are<a name="line.1405"></a>
-<span class="sourceLineNo">1406</span> // grants for qualifiers. Otherwise we will fall through below and log<a name="line.1406"></a>
-<span class="sourceLineNo">1407</span> // the result and throw an ADE. We may end up checking qualifier<a name="line.1407"></a>
-<span class="sourceLineNo">1408</span> // grants three times (permissionGranted above, here, and in the<a name="line.1408"></a>
-<span class="sourceLineNo">1409</span> // filter) but that's the price of backwards compatibility.<a name="line.1409"></a>
-<span class="sourceLineNo">1410</span> if (hasFamilyQualifierPermission(user, Action.READ, env, families)) {<a name="line.1410"></a>
-<span class="sourceLineNo">1411</span> authResult.setAllowed(true);<a name="line.1411"></a>
-<span class="sourceLineNo">1412</span> authResult.setReason("Access allowed with filter");<a name="line.1412"></a>
-<span class="sourceLineNo">1413</span> // Only wrap the filter if we are enforcing authorizations<a name="line.1413"></a>
-<span class="sourceLineNo">1414</span> if (authorizationEnabled) {<a name="line.1414"></a>
-<span class="sourceLineNo">1415</span> Filter ourFilter = new AccessControlFilter(getAuthManager(), user, table,<a name="line.1415"></a>
-<span class="sourceLineNo">1416</span> AccessControlFilter.Strategy.CHECK_TABLE_AND_CF_ONLY,<a name="line.1416"></a>
-<span class="sourceLineNo">1417</span> cfVsMaxVersions);<a name="line.1417"></a>
-<span class="sourceLineNo">1418</span> // wrap any existing filter<a name="line.1418"></a>
-<span class="sourceLineNo">1419</span> if (filter != null) {<a name="line.1419"></a>
-<span class="sourceLineNo">1420</span> ourFilter = new FilterList(FilterList.Operator.MUST_PASS_ALL,<a name="line.1420"></a>
-<span class="sourceLineNo">1421</span> Lists.newArrayList(ourFilter, filter));<a name="line.1421"></a>
-<span class="sourceLineNo">1422</span> }<a name="line.1422"></a>
-<span class="sourceLineNo">1423</span> switch (opType) {<a name="line.1423"></a>
-<span class="sourceLineNo">1424</span> case GET:<a name="line.1424"></a>
-<span class="sourceLineNo">1425</span> case EXISTS:<a name="line.1425"></a>
-<span class="sourceLineNo">1426</span> ((Get)query).setFilter(ourFilter);<a name="line.1426"></a>
-<span class="sourceLineNo">1427</span> break;<a name="line.1427"></a>
-<span class="sourceLineNo">1428</span> case SCAN:<a name="line.1428"></a>
-<span class="sourceLineNo">1429</span> ((Scan)query).setFilter(ourFilter);<a name="line.1429"></a>
-<span class="sourceLineNo">1430</span> break;<a name="line.1430"></a>
-<span class="sourceLineNo">1431</span> default:<a name="line.1431"></a>
-<span class="sourceLineNo">1432</span> throw new RuntimeException("Unhandled operation " + opType);<a name="line.1432"></a>
-<span class="sourceLineNo">1433</span> }<a name="line.1433"></a>
-<span class="sourceLineNo">1434</span> }<a name="line.1434"></a>
-<span class="sourceLineNo">1435</span> }<a name="line.1435"></a>
-<span class="sourceLineNo">1436</span> } else {<a name="line.1436"></a>
-<span class="sourceLineNo">1437</span> // New behavior: Any access we might be granted is more fine-grained<a name="line.1437"></a>
-<span class="sourceLineNo">1438</span> // than whole table or CF. Simply inject a filter and return what is<a name="line.1438"></a>
-<span class="sourceLineNo">1439</span> // allowed. We will not throw an AccessDeniedException. This is a<a name="line.1439"></a>
-<span class="sourceLineNo">1440</span> // behavioral change since 0.96.<a name="line.1440"></a>
-<span class="sourceLineNo">1441</span> authResult.setAllowed(true);<a name="line.1441"></a>
-<span class="sourceLineNo">1442</span> authResult.setReason("Access allowed with filter");<a name="line.1442"></a>
-<span class="sourceLineNo">1443</span> // Only wrap the filter if we are enforcing authorizations<a name="line.1443"></a>
-<span class="sourceLineNo">1444</span> if (authorizationEnabled) {<a name="line.1444"></a>
-<span class="sourceLineNo">1445</span> Filter ourFilter = new AccessControlFilter(getAuthManager(), user, table,<a name="line.1445"></a>
-<span class="sourceLineNo">1446</span> AccessControlFilter.Strategy.CHECK_CELL_DEFAULT, cfVsMaxVersions);<a name="line.1446"></a>
-<span class="sourceLineNo">1447</span> // wrap any existing filter<a name="line.1447"></a>
-<span class="sourceLineNo">1448</span> if (filter != null) {<a name="line.1448"></a>
-<span class="sourceLineNo">1449</span> ourFilter = new FilterList(FilterList.Operator.MUST_PASS_ALL,<a name="line.1449"></a>
-<span class="sourceLineNo">1450</span> Lists.newArrayList(ourFilter, filter));<a name="line.1450"></a>
-<span class="sourceLineNo">1451</span> }<a name="line.1451"></a>
-<span class="sourceLineNo">1452</span> switch (opType) {<a name="line.1452"></a>
-<span class="sourceLineNo">1453</span> case GET:<a name="line.1453"></a>
-<span class="sourceLineNo">1454</span> case EXISTS:<a name="line.1454"></a>
-<span class="sourceLineNo">1455</span> ((Get)query).setFilter(ourFilter);<a name="line.1455"></a>
-<span class="sourceLineNo">1456</span> break;<a name="line.1456"></a>
-<span class="sourceLineNo">1457</span> case SCAN:<a name="line.1457"></a>
-<span class="sourceLineNo">1458</span> ((Scan)query).setFilter(ourFilter);<a name="line.1458"></a>
-<span class="sourceLineNo">1459</span> break;<a name="line.1459"></a>
-<span class="sourceLineNo">1460</span> default:<a name="line.1460"></a>
-<span class="sourceLineNo">1461</span> throw new RuntimeException("Unhandled operation " + opType);<a name="line.1461"></a>
-<span class="sourceLineNo">1462</span> }<a name="line.1462"></a>
-<span class="sourceLineNo">1463</span> }<a name="line.1463"></a>
-<span class="sourceLineNo">1464</span> }<a name="line.1464"></a>
-<span class="sourceLineNo">1465</span> }<a name="line.1465"></a>
-<span class="sourceLineNo">1466</span><a name="line.1466"></a>
-<span class="sourceLineNo">1467</span> AccessChecker.logResult(authResult);<a name="line.1467"></a>
-<span class="sourceLineNo">1468</span> if (authorizationEnabled && !authResult.isAllowed()) {<a name="line.1468"></a>
-<span class="sourceLineNo">1469</span> throw new AccessDeniedException("Insufficient permissions for user '"<a name="line.1469"></a>
-<span class="sourceLineNo">1470</span> + (user != null ? user.getShortName() : "null")<a name="line.1470"></a>
-<span class="sourceLineNo">1471</span> + "' (table=" + table + ", action=READ)");<a name="line.1471"></a>
-<span class="sourceLineNo">1472</span> }<a name="line.1472"></a>
-<span class="sourceLineNo">1473</span> }<a name="line.1473"></a>
-<span class="sourceLineNo">1474</span><a name="line.1474"></a>
-<span class="sourceLineNo">1475</span> @Override<a name="line.1475"></a>
-<span class="sourceLineNo">1476</span> public void preGetOp(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1476"></a>
-<span class="sourceLineNo">1477</span> final Get get, final List<Cell> result) throws IOException {<a name="line.1477"></a>
-<span class="sourceLineNo">1478</span> internalPreRead(c, get, OpType.GET);<a name="line.1478"></a>
-<span class="sourceLineNo">1479</span> }<a name="line.1479"></a>
-<span class="sourceLineNo">1480</span><a name="line.1480"></a>
-<span class="sourceLineNo">1481</span> @Override<a name="line.1481"></a>
-<span class="sourceLineNo">1482</span> public boolean preExists(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1482"></a>
-<span class="sourceLineNo">1483</span> final Get get, final boolean exists) throws IOException {<a name="line.1483"></a>
-<span class="sourceLineNo">1484</span> internalPreRead(c, get, OpType.EXISTS);<a name="line.1484"></a>
-<span class="sourceLineNo">1485</span> return exists;<a name="line.1485"></a>
-<span class="sourceLineNo">1486</span> }<a name="line.1486"></a>
-<span class="sourceLineNo">1487</span><a name="line.1487"></a>
-<span class="sourceLineNo">1488</span> @Override<a name="line.1488"></a>
-<span class="sourceLineNo">1489</span> public void prePut(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1489"></a>
-<span class="sourceLineNo">1490</span> final Put put, final WALEdit edit, final Durability durability)<a name="line.1490"></a>
-<span class="sourceLineNo">1491</span> throws IOException {<a name="line.1491"></a>
-<span class="sourceLineNo">1492</span> User user = getActiveUser(c);<a name="line.1492"></a>
-<span class="sourceLineNo">1493</span> checkForReservedTagPresence(user, put);<a name="line.1493"></a>
-<span class="sourceLineNo">1494</span><a name="line.1494"></a>
-<span class="sourceLineNo">1495</span> // Require WRITE permission to the table, CF, or top visible value, if any.<a name="line.1495"></a>
-<span class="sourceLineNo">1496</span> // NOTE: We don't need to check the permissions for any earlier Puts<a name="line.1496"></a>
-<span class="sourceLineNo">1497</span> // because we treat the ACLs in each Put as timestamped like any other<a name="line.1497"></a>
-<span class="sourceLineNo">1498</span> // HBase value. A new ACL in a new Put applies to that Put. It doesn't<a name="line.1498"></a>
-<span class="sourceLineNo">1499</span> // change the ACL of any previous Put. This allows simple evolution of<a name="line.1499"></a>
-<span class="sourceLineNo">1500</span> // security policy over time without requiring expensive updates.<a name="line.1500"></a>
-<span class="sourceLineNo">1501</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1501"></a>
-<span class="sourceLineNo">1502</span> Map<byte[],? extends Collection<Cell>> families = put.getFamilyCellMap();<a name="line.1502"></a>
-<span class="sourceLineNo">1503</span> AuthResult authResult = permissionGranted(OpType.PUT,<a name="line.1503"></a>
-<span class="sourceLineNo">1504</span> user, env, families, Action.WRITE);<a name="line.1504"></a>
-<span class="sourceLineNo">1505</span> AccessChecker.logResult(authResult);<a name="line.1505"></a>
-<span class="sourceLineNo">1506</span> if (!authResult.isAllowed()) {<a name="line.1506"></a>
-<span class="sourceLineNo">1507</span> if (cellFeaturesEnabled && !compatibleEarlyTermination) {<a name="line.1507"></a>
-<span class="sourceLineNo">1508</span> put.setAttribute(CHECK_COVERING_PERM, TRUE);<a name="line.1508"></a>
-<span class="sourceLineNo">1509</span> } else if (authorizationEnabled) {<a name="line.1509"></a>
-<span class="sourceLineNo">1510</span> throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());<a name="line.1510"></a>
-<span class="sourceLineNo">1511</span> }<a name="line.1511"></a>
-<span class="sourceLineNo">1512</span> }<a name="line.1512"></a>
-<span class="sourceLineNo">1513</span><a name="line.1513"></a>
-<span class="sourceLineNo">1514</span> // Add cell ACLs from the operation to the cells themselves<a name="line.1514"></a>
-<span class="sourceLineNo">1515</span> byte[] bytes = put.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);<a name="line.1515"></a>
-<span class="sourceLineNo">1516</span> if (bytes != null) {<a name="line.1516"></a>
-<span class="sourceLineNo">1517</span> if (cellFeaturesEnabled) {<a name="line.1517"></a>
-<span class="sourceLineNo">1518</span> addCellPermissions(bytes, put.getFamilyCellMap());<a name="line.1518"></a>
-<span class="sourceLineNo">1519</span> } else {<a name="line.1519"></a>
-<span class="sourceLineNo">1520</span> throw new DoNotRetryIOException("Cell ACLs cannot be persisted");<a name="line.1520"></a>
-<span class="sourceLineNo">1521</span> }<a name="line.1521"></a>
-<span class="sourceLineNo">1522</span> }<a name="line.1522"></a>
-<span class="sourceLineNo">1523</span> }<a name="line.1523"></a>
-<span class="sourceLineNo">1524</span><a name="line.1524"></a>
-<span class="sourceLineNo">1525</span> @Override<a name="line.1525"></a>
-<span class="sourceLineNo">1526</span> public void postPut(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1526"></a>
-<span class="sourceLineNo">1527</span> final Put put, final WALEdit edit, final Durability durability) {<a name="line.1527"></a>
-<span class="sourceLineNo">1528</span> if (aclRegion) {<a name="line.1528"></a>
-<span class="sourceLineNo">1529</span> updateACL(c.getEnvironment(), put.getFamilyCellMap());<a name="line.1529"></a>
-<span class="sourceLineNo">1530</span> }<a name="line.1530"></a>
-<span class="sourceLineNo">1531</span> }<a name="line.1531"></a>
-<span class="sourceLineNo">1532</span><a name="line.1532"></a>
-<span class="sourceLineNo">1533</span> @Override<a name="line.1533"></a>
-<span class="sourceLineNo">1534</span> public void preDelete(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1534"></a>
-<span class="sourceLineNo">1535</span> final Delete delete, final WALEdit edit, final Durability durability)<a name="line.1535"></a>
-<span class="sourceLineNo">1536</span> throws IOException {<a name="line.1536"></a>
-<span class="sourceLineNo">1537</span> // An ACL on a delete is useless, we shouldn't allow it<a name="line.1537"></a>
-<span class="sourceLineNo">1538</span> if (delete.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL) != null) {<a name="line.1538"></a>
-<span class="sourceLineNo">1539</span> throw new DoNotRetryIOException("ACL on delete has no effect: " + delete.toString());<a name="line.1539"></a>
-<span class="sourceLineNo">1540</span> }<a name="line.1540"></a>
-<span class="sourceLineNo">1541</span> // Require WRITE permissions on all cells covered by the delete. Unlike<a name="line.1541"></a>
-<span class="sourceLineNo">1542</span> // for Puts we need to check all visible prior versions, because a major<a name="line.1542"></a>
-<span class="sourceLineNo">1543</span> // compaction could remove them. If the user doesn't have permission to<a name="line.1543"></a>
-<span class="sourceLineNo">1544</span> // overwrite any of the visible versions ('visible' defined as not covered<a name="line.1544"></a>
-<span class="sourceLineNo">1545</span> // by a tombstone already) then we have to disallow this operation.<a name="line.1545"></a>
-<span class="sourceLineNo">1546</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1546"></a>
-<span class="sourceLineNo">1547</span> Map<byte[],? extends Collection<Cell>> families = delete.getFamilyCellMap();<a name="line.1547"></a>
-<span class="sourceLineNo">1548</span> User user = getActiveUser(c);<a name="line.1548"></a>
-<span class="sourceLineNo">1549</span> AuthResult authResult = permissionGranted(OpType.DELETE,<a name="line.1549"></a>
-<span class="sourceLineNo">1550</span> user, env, families, Action.WRITE);<a name="line.1550"></a>
-<span class="sourceLineNo">1551</span> AccessChecker.logResult(authResult);<a name="line.1551"></a>
-<span class="sourceLineNo">1552</span> if (!authResult.isAllowed()) {<a name="line.1552"></a>
-<span class="sourceLineNo">1553</span> if (cellFeaturesEnabled && !compatibleEarlyTermination) {<a name="line.1553"></a>
-<span class="sourceLineNo">1554</span> delete.setAttribute(CHECK_COVERING_PERM, TRUE);<a name="line.1554"></a>
-<span class="sourceLineNo">1555</span> } else if (authorizationEnabled) {<a name="line.1555"></a>
-<span class="sourceLineNo">1556</span> throw new AccessDeniedException("Insufficient permissions " +<a name="line.1556"></a>
-<span class="sourceLineNo">1557</span> authResult.toContextString());<a name="line.1557"></a>
-<span class="sourceLineNo">1558</span> }<a name="line.1558"></a>
-<span class="sourceLineNo">1559</span> }<a name="line.1559"></a>
-<span class="sourceLineNo">1560</span> }<a name="line.1560"></a>
-<span class="sourceLineNo">1561</span><a name="line.1561"></a>
-<span class="sourceLineNo">1562</span> @Override<a name="line.1562"></a>
-<span class="sourceLineNo">1563</span> public void preBatchMutate(ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1563"></a>
-<span class="sourceLineNo">1564</span> MiniBatchOperationInProgress<Mutation> miniBatchOp) throws IOException {<a name="line.1564"></a>
-<span class="sourceLineNo">1565</span> if (cellFeaturesEnabled && !compatibleEarlyTermination) {<a name="line.1565"></a>
-<span class="sourceLineNo">1566</span> TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();<a name="line.1566"></a>
-<span class="sourceLineNo">1567</span> User user = getActiveUser(c);<a name="line.1567"></a>
-<span class="sourceLineNo">1568</span> for (int i = 0; i < miniBatchOp.size(); i++) {<a name="line.1568"></a>
-<span class="sourceLineNo">1569</span> Mutation m = miniBatchOp.getOperation(i);<a name="line.1569"></a>
-<span class="sourceLineNo">1570</span> if (m.getAttribute(CHECK_COVERING_PERM) != null) {<a name="line.1570"></a>
-<span class="sourceLineNo">1571</span> // We have a failure with table, cf and q perm checks and now giving a chance for cell<a name="line.1571"></a>
-<span class="sourceLineNo">1572</span> // perm check<a name="line.1572"></a>
-<span class="sourceLineNo">1573</span> OpType opType;<a name="line.1573"></a>
-<span class="sourceLineNo">1574</span> if (m instanceof Put) {<a name="line.1574"></a>
-<span class="sourceLineNo">1575</span> checkForReservedTagPresence(user, m);<a name="line.1575"></a>
-<span class="sourceLineNo">1576</span> opType = OpType.PUT;<a name="line.1576"></a>
-<span class="sourceLineNo">1577</span> } else {<a name="line.1577"></a>
-<span class="sourceLineNo">1578</span> opType = OpType.DELETE;<a name="line.1578"></a>
-<span class="sourceLineNo">1579</span> }<a name="line.1579"></a>
-<span class="sourceLineNo">1580</span> AuthResult authResult = null;<a name="line.1580"></a>
-<span class="sourceLineNo">1581</span> if (checkCoveringPermission(user, opType, c.getEnvironment(), m.getRow(),<a name="line.1581"></a>
-<span class="sourceLineNo">1582</span> m.getFamilyCellMap(), m.getTimestamp(), Action.WRITE)) {<a name="line.1582"></a>
-<span class="sourceLineNo">1583</span> authResult = AuthResult.allow(opType.toString(), "Covering cell set",<a name="line.1583"></a>
-<span class="sourceLineNo">1584</span> user, Action.WRITE, table, m.getFamilyCellMap());<a name="line.1584"></a>
-<span class="sourceLineNo">1585</span> } else {<a name="line.1585"></a>
-<span class="sourceLineNo">1586</span> authResult = AuthResult.deny(opType.toString(), "Covering cell set",<a name="line.1586"></a>
-<span class="sourceLineNo">1587</span> user, Action.WRITE, table, m.getFamilyCellMap());<a name="line.1587"></a>
-<span class="sourceLineNo">1588</span> }<a name="line.1588"></a>
-<span class="sourceLineNo">1589</span> AccessChecker.logResult(authResult);<a name="line.1589"></a>
-<span class="sourceLineNo">1590</span> if (authorizationEnabled && !authResult.isAllowed()) {<a name="line.1590"></a>
-<span class="sourceLineNo">1591</span> throw new AccessDeniedException("Insufficient permissions "<a name="line.1591"></a>
-<span class="sourceLineNo">1592</span> + authResult.toContextString());<a name="line.1592"></a>
-<span class="sourceLineNo">1593</span> }<a name="line.1593"></a>
-<span class="sourceLineNo">1594</span> }<a name="line.1594"></a>
-<span class="sourceLineNo">1595</span> }<a name="line.1595"></a>
-<span class="sourceLineNo">1596</span> }<a name="line.1596"></a>
-<span class="sourceLineNo">1597</span> }<a name="line.1597"></a>
-<span class="sourceLineNo">1598</span><a name="line.1598"></a>
-<span class="sourceLineNo">1599</span> @Override<a name="line.1599"></a>
-<span class="sourceLineNo">1600</span> public void postDelete(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1600"></a>
-<span class="sourceLineNo">1601</span> final Delete delete, final WALEdit edit, final Durability durability)<a name="line.1601"></a>
-<span class="sourceLineNo">1602</span> throws IOException {<a name="line.1602"></a>
-<span class="sourceLineNo">1603</span> if (aclRegion) {<a name="line.1603"></a>
-<span class="sourceLineNo">1604</span> updateACL(c.getEnvironment(), delete.getFamilyCellMap());<a name="line.1604"></a>
-<span class="sourceLineNo">1605</span> }<a name="line.1605"></a>
-<span class="sourceLineNo">1606</span> }<a name="line.1606"></a>
-<span class="sourceLineNo">1607</span><a name="line.1607"></a>
-<span class="sourceLineNo">1608</span> @Override<a name="line.1608"></a>
-<span class="sourceLineNo">1609</span> public boolean preCheckAndPut(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1609"></a>
-<span class="sourceLineNo">1610</span> final byte [] row, final byte [] family, final byte [] qualifier,<a name="line.1610"></a>
-<span class="sourceLineNo">1611</span> final CompareOperator op,<a name="line.1611"></a>
-<span class="sourceLineNo">1612</span> final ByteArrayComparable comparator, final Put put,<a name="line.1612"></a>
-<span class="sourceLineNo">1613</span> final boolean result) throws IOException {<a name="line.1613"></a>
-<span class="sourceLineNo">1614</span> User user = getActiveUser(c);<a name="line.1614"></a>
-<span class="sourceLineNo">1615</span> checkForReservedTagPresence(user, put);<a name="line.1615"></a>
-<span class="sourceLineNo">1616</span><a name="line.1616"></a>
-<span class="sourceLineNo">1617</span> // Require READ and WRITE permissions on the table, CF, and KV to update<a name="line.1617"></a>
-<span class="sourceLineNo">1618</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1618"></a>
-<span class="sourceLineNo">1619</span> Map<byte[],? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);<a name="line.1619"></a>
-<span class="sourceLineNo">1620</span> AuthResult authResult = permissionGranted(OpType.CHECK_AND_PUT,<a name="line.1620"></a>
-<span class="sourceLineNo">1621</span> user, env, families, Action.READ, Action.WRITE);<a name="line.1621"></a>
-<span class="sourceLineNo">1622</span> AccessChecker.logResult(authResult);<a name="line.1622"></a>
-<span class="sourceLineNo">1623</span> if (!authResult.isAllowed()) {<a name="line.1623"></a>
-<span class="sourceLineNo">1624</span> if (cellFeaturesEnabled && !compatibleEarlyTermination) {<a name="line.1624"></a>
-<span class="sourceLineNo">1625</span> put.setAttribute(CHECK_COVERING_PERM, TRUE);<a name="line.1625"></a>
-<span class="sourceLineNo">1626</span> } else if (authorizationEnabled) {<a name="line.1626"></a>
-<span class="sourceLineNo">1627</span> throw new AccessDeniedException("Insufficient permissions " +<a name="line.1627"></a>
-<span class="sourceLineNo">1628</span> authResult.toContextString());<a name="line.1628"></a>
-<span class="sourceLineNo">1629</span> }<a name="line.1629"></a>
-<span class="sourceLineNo">1630</span> }<a name="line.1630"></a>
-<span class="sourceLineNo">1631</span><a name="line.1631"></a>
-<span class="sourceLineNo">1632</span> byte[] bytes = put.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);<a name="line.1632"></a>
-<span class="sourceLineNo">1633</span> if (bytes != null) {<a name="line.1633"></a>
-<span class="sourceLineNo">1634</span> if (cellFeaturesEnabled) {<a name="line.1634"></a>
-<span class="sourceLineNo">1635</span> addCellPermissions(bytes, put.getFamilyCellMap());<a name="line.1635"></a>
-<span class="sourceLineNo">1636</span> } else {<a name="line.1636"></a>
-<span class="sourceLineNo">1637</span> throw new DoNotRetryIOException("Cell ACLs cannot be persisted");<a name="line.1637"></a>
-<span class="sourceLineNo">1638</span> }<a name="line.1638"></a>
-<span class="sourceLineNo">1639</span> }<a name="line.1639"></a>
-<span class="sourceLineNo">1640</span> return result;<a name="line.1640"></a>
-<span class="sourceLineNo">1641</span> }<a name="line.1641"></a>
-<span class="sourceLineNo">1642</span><a name="line.1642"></a>
-<span class="sourceLineNo">1643</span> @Override<a name="line.1643"></a>
-<span class="sourceLineNo">1644</span> public boolean preCheckAndPutAfterRowLock(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1644"></a>
-<span class="sourceLineNo">1645</span> final byte[] row, final byte[] family, final byte[] qualifier,<a name="line.1645"></a>
-<span class="sourceLineNo">1646</span> final CompareOperator opp, final ByteArrayComparable comparator, final Put put,<a name="line.1646"></a>
-<span class="sourceLineNo">1647</span> final boolean result) throws IOException {<a name="line.1647"></a>
-<span class="sourceLineNo">1648</span> if (put.getAttribute(CHECK_COVERING_PERM) != null) {<a name="line.1648"></a>
-<span class="sourceLineNo">1649</span> // We had failure with table, cf and q perm checks and now giving a chance for cell<a name="line.1649"></a>
-<span class="sourceLineNo">1650</span> // perm check<a name="line.1650"></a>
-<span class="sourceLineNo">1651</span> TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();<a name="line.1651"></a>
-<span class="sourceLineNo">1652</span> Map<byte[], ? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);<a name="line.1652"></a>
-<span class="sourceLineNo">1653</span> AuthResult authResult = null;<a name="line.1653"></a>
-<span class="sourceLineNo">1654</span> User user = getActiveUser(c);<a name="line.1654"></a>
-<span class="sourceLineNo">1655</span> if (checkCoveringPermission(user, OpType.CHECK_AND_PUT, c.getEnvironment(), row, families,<a name="line.1655"></a>
-<span class="sourceLineNo">1656</span> HConstants.LATEST_TIMESTAMP, Action.READ)) {<a name="line.1656"></a>
-<span class="sourceLineNo">1657</span> authResult = AuthResult.allow(OpType.CHECK_AND_PUT.toString(),<a name="line.1657"></a>
-<span class="sourceLineNo">1658</span> "Covering cell set", user, Action.READ, table, families);<a name="line.1658"></a>
-<span class="sourceLineNo">1659</span> } else {<a name="line.1659"></a>
-<span class="sourceLineNo">1660</span> authResult = AuthResult.deny(OpType.CHECK_AND_PUT.toString(),<a name="line.1660"></a>
-<span class="sourceLineNo">1661</span> "Covering cell set", user, Action.READ, table, families);<a name="line.1661"></a>
-<span class="sourceLineNo">1662</span> }<a name="line.1662"></a>
-<span class="sourceLineNo">1663</span> AccessChecker.logResult(authResult);<a name="line.1663"></a>
-<span class="sourceLineNo">1664</span> if (authorizationEnabled && !authResult.isAllowed()) {<a name="line.1664"></a>
-<span class="sourceLineNo">1665</span> throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());<a name="line.1665"></a>
-<span class="sourceLineNo">1666</span> }<a name="line.1666"></a>
-<span class="sourceLineNo">1667</span> }<a name="line.1667"></a>
-<span class="sourceLineNo">1668</span> return result;<a name="line.1668"></a>
-<span class="sourceLineNo">1669</span> }<a name="line.1669"></a>
-<span class="sourceLineNo">1670</span><a name="line.1670"></a>
-<span class="sourceLineNo">1671</span> @Override<a name="line.1671"></a>
-<span class="sourceLineNo">1672</span> public boolean preCheckAndDelete(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1672"></a>
-<span class="sourceLineNo">1673</span> final byte [] row, final byte [] family, final byte [] qualifier,<a name="line.1673"></a>
-<span class="sourceLineNo">1674</span> final CompareOperator op,<a name="line.1674"></a>
-<span class="sourceLineNo">1675</span> final ByteArrayComparable comparator, final Delete delete,<a name="line.1675"></a>
-<span class="sourceLineNo">1676</span> final boolean result) throws IOException {<a name="line.1676"></a>
-<span class="sourceLineNo">1677</span> // An ACL on a delete is useless, we shouldn't allow it<a name="line.1677"></a>
-<span class="sourceLineNo">1678</span> if (delete.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL) != null) {<a name="line.1678"></a>
-<span class="sourceLineNo">1679</span> throw new DoNotRetryIOException("ACL on checkAndDelete has no effect: " +<a name="line.1679"></a>
-<span class="sourceLineNo">1680</span> delete.toString());<a name="line.1680"></a>
-<span class="sourceLineNo">1681</span> }<a name="line.1681"></a>
-<span class="sourceLineNo">1682</span> // Require READ and WRITE permissions on the table, CF, and the KV covered<a name="line.1682"></a>
-<span class="sourceLineNo">1683</span> // by the delete<a name="line.1683"></a>
-<span class="sourceLineNo">1684</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1684"></a>
-<span class="sourceLineNo">1685</span> Map<byte[],? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);<a name="line.1685"></a>
-<span class="sourceLineNo">1686</span> User user = getActiveUser(c);<a name="line.1686"></a>
-<span class="sourceLineNo">1687</span> AuthResult authResult = permissionGranted(<a name="line.1687"></a>
-<span class="sourceLineNo">1688</span> OpType.CHECK_AND_DELETE, user, env, families, Action.READ, Action.WRITE);<a name="line.1688"></a>
-<span class="sourceLineNo">1689</span> AccessChecker.logResult(authResult);<a name="line.1689"></a>
-<span class="sourceLineNo">1690</span> if (!authResult.isAllowed()) {<a name="line.1690"></a>
-<span class="sourceLineNo">1691</span> if (cellFeaturesEnabled && !compatibleEarlyTermination) {<a name="line.1691"></a>
-<span class="sourceLineNo">1692</span> delete.setAttribute(CHECK_COVERING_PERM, TRUE);<a name="line.1692"></a>
-<span class="sourceLineNo">1693</span> } else if (authorizationEnabled) {<a name="line.1693"></a>
-<span class="sourceLineNo">1694</span> throw new AccessDeniedException("Insufficient permissions " +<a name="line.1694"></a>
-<span class="sourceLineNo">1695</span> authResult.toContextString());<a name="line.1695"></a>
-<span class="sourceLineNo">1696</span> }<a name="line.1696"></a>
-<span class="sourceLineNo">1697</span> }<a name="line.1697"></a>
-<span class="sourceLineNo">1698</span> return result;<a name="line.1698"></a>
-<span class="sourceLineNo">1699</span> }<a name="line.1699"></a>
-<span class="sourceLineNo">1700</span><a name="line.1700"></a>
-<span class="sourceLineNo">1701</span> @Override<a name="line.1701"></a>
-<span class="sourceLineNo">1702</span> public boolean preCheckAndDeleteAfterRowLock(<a name="line.1702"></a>
-<span class="sourceLineNo">1703</span> final ObserverContext<RegionCoprocessorEnvironment> c, final byte[] row,<a name="line.1703"></a>
-<span class="sourceLineNo">1704</span> final byte[] family, final byte[] qualifier, final CompareOperator op,<a name="line.1704"></a>
-<span class="sourceLineNo">1705</span> final ByteArrayComparable comparator, final Delete delete, final boolean result)<a name="line.1705"></a>
-<span class="sourceLineNo">1706</span> throws IOException {<a name="line.1706"></a>
-<span class="sourceLineNo">1707</span> if (delete.getAttribute(CHECK_COVERING_PERM) != null) {<a name="line.1707"></a>
-<span class="sourceLineNo">1708</span> // We had failure with table, cf and q perm checks and now giving a chance for cell<a name="line.1708"></a>
-<span class="sourceLineNo">1709</span> // perm check<a name="line.1709"></a>
-<span class="sourceLineNo">1710</span> TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();<a name="line.1710"></a>
-<span class="sourceLineNo">1711</span> Map<byte[], ? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);<a name="line.1711"></a>
-<span class="sourceLineNo">1712</span> AuthResult authResult = null;<a name="line.1712"></a>
-<span class="sourceLineNo">1713</span> User user = getActiveUser(c);<a name="line.1713"></a>
-<span class="sourceLineNo">1714</span> if (checkCoveringPermission(user, OpType.CHECK_AND_DELETE, c.getEnvironment(),<a name="line.1714"></a>
-<span class="sourceLineNo">1715</span> row, families, HConstants.LATEST_TIMESTAMP, Action.READ)) {<a name="line.1715"></a>
-<span class="sourceLineNo">1716</span> authResult = AuthResult.allow(OpType.CHECK_AND_DELETE.toString(),<a name="line.1716"></a>
-<span class="sourceLineNo">1717</span> "Covering cell set", user, Action.READ, table, families);<a name="line.1717"></a>
-<span class="sourceLineNo">1718</span> } else {<a name="line.1718"></a>
-<span class="sourceLineNo">1719</span> authResult = AuthResult.deny(OpType.CHECK_AND_DELETE.toString(),<a name="line.1719"></a>
-<span class="sourceLineNo">1720</span> "Covering cell set", user, Action.READ, table, families);<a name="line.1720"></a>
-<span class="sourceLineNo">1721</span> }<a name="line.1721"></a>
-<span class="sourceLineNo">1722</span> AccessChecker.logResult(authResult);<a name="line.1722"></a>
-<span class="sourceLineNo">1723</span> if (authorizationEnabled && !authResult.isAllowed()) {<a name="line.1723"></a>
-<span class="sourceLineNo">1724</span> throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());<a name="line.1724"></a>
-<span class="sourceLineNo">1725</span> }<a name="line.1725"></a>
-<span class="sourceLineNo">1726</span> }<a name="line.1726"></a>
-<span class="sourceLineNo">1727</span> return result;<a name="line.1727"></a>
-<span class="sourceLineNo">1728</span> }<a name="line.1728"></a>
-<span class="sourceLineNo">1729</span><a name="line.1729"></a>
-<span class="sourceLineNo">1730</span> @Override<a name="line.1730"></a>
-<span class="sourceLineNo">1731</span> public Result preAppend(ObserverContext<RegionCoprocessorEnvironment> c, Append append)<a name="line.1731"></a>
-<span class="sourceLineNo">1732</span> throws IOException {<a name="line.1732"></a>
-<span class="sourceLineNo">1733</span> User user = getActiveUser(c);<a name="line.1733"></a>
-<span class="sourceLineNo">1734</span> checkForReservedTagPresence(user, append);<a name="line.1734"></a>
-<span class="sourceLineNo">1735</span><a name="line.1735"></a>
-<span class="sourceLineNo">1736</span> // Require WRITE permission to the table, CF, and the KV to be appended<a name="line.1736"></a>
-<span class="sourceLineNo">1737</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1737"></a>
-<span class="sourceLineNo">1738</span> Map<byte[],? extends Collection<Cell>> families = append.getFamilyCellMap();<a name="line.1738"></a>
-<span class="sourceLineNo">1739</span> AuthResult authResult = permissionGranted(OpType.APPEND, user,<a name="line.1739"></a>
-<span class="sourceLineNo">1740</span> env, families, Action.WRITE);<a name="line.1740"></a>
-<span class="sourceLineNo">1741</span> AccessChecker.logResult(authResult);<a name="line.1741"></a>
-<span class="sourceLineNo">1742</span> if (!authResult.isAllowed()) {<a name="line.1742"></a>
-<span class="sourceLineNo">1743</span> if (cellFeaturesEnabled && !compatibleEarlyTermination) {<a name="line.1743"></a>
-<span class="sourceLineNo">1744</span> append.setAttribute(CHECK_COVERING_PERM, TRUE);<a name="line.1744"></a>
-<span class="sourceLineNo">1745</span> } else if (authorizationEnabled) {<a name="line.1745"></a>
-<span class="sourceLineNo">1746</span> throw new AccessDeniedException("Insufficient permissions " +<a name="line.1746"></a>
-<span class="sourceLineNo">1747</span> authResult.toContextString());<a name="line.1747"></a>
-<span class="sourceLineNo">1748</span> }<a name="line.1748"></a>
-<span class="sourceLineNo">1749</span> }<a name="line.1749"></a>
-<span class="sourceLineNo">1750</span><a name="line.1750"></a>
-<span class="sourceLineNo">1751</span> byte[] bytes = append.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);<a name="line.1751"></a>
-<span class="sourceLineNo">1752</span> if (bytes != null) {<a name="line.1752"></a>
-<span class="sourceLineNo">1753</span> if (cellFeaturesEnabled) {<a name="line.1753"></a>
-<span class="sourceLineNo">1754</span> addCellPermissions(bytes, append.getFamilyCellMap());<a name="line.1754"></a>
-<span class="sourceLineNo">1755</span> } else {<a name="line.1755"></a>
-<span class="sourceLineNo">1756</span> throw new DoNotRetryIOException("Cell ACLs cannot be persisted");<a name="line.1756"></a>
-<span class="sourceLineNo">1757</span> }<a name="line.1757"></a>
-<span class="sourceLineNo">1758</span> }<a name="line.1758"></a>
-<span class="sourceLineNo">1759</span><a name="line.1759"></a>
-<span class="sourceLineNo">1760</span> return null;<a name="line.1760"></a>
-<span class="sourceLineNo">1761</span> }<a name="line.1761"></a>
-<span class="sourceLineNo">1762</span><a name="line.1762"></a>
-<span class="sourceLineNo">1763</span> @Override<a name="line.1763"></a>
-<span class="sourceLineNo">1764</span> public Result preAppendAfterRowLock(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1764"></a>
-<span class="sourceLineNo">1765</span> final Append append) throws IOException {<a name="line.1765"></a>
-<span class="sourceLineNo">1766</span> if (append.getAttribute(CHECK_COVERING_PERM) != null) {<a name="line.1766"></a>
-<span class="sourceLineNo">1767</span> // We had failure with table, cf and q perm checks and now giving a chance for cell<a name="line.1767"></a>
-<span class="sourceLineNo">1768</span> // perm check<a name="line.1768"></a>
-<span class="sourceLineNo">1769</span> TableName table = c.getEnvironment().getRegion().getRegionInfo().getTable();<a name="line.1769"></a>
-<span class="sourceLineNo">1770</span> AuthResult authResult = null;<a name="line.1770"></a>
-<span class="sourceLineNo">1771</span> User user = getActiveUser(c);<a name="line.1771"></a>
-<span class="sourceLineNo">1772</span> if (checkCoveringPermission(user, OpType.APPEND, c.getEnvironment(), append.getRow(),<a name="line.1772"></a>
-<span class="sourceLineNo">1773</span> append.getFamilyCellMap(), append.getTimeRange().getMax(), Action.WRITE)) {<a name="line.1773"></a>
-<span class="sourceLineNo">1774</span> authResult = AuthResult.allow(OpType.APPEND.toString(),<a name="line.1774"></a>
-<span class="sourceLineNo">1775</span> "Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap());<a name="line.1775"></a>
-<span class="sourceLineNo">1776</span> } else {<a name="line.1776"></a>
-<span class="sourceLineNo">1777</span> authResult = AuthResult.deny(OpType.APPEND.toString(),<a name="line.1777"></a>
-<span class="sourceLineNo">1778</span> "Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap());<a name="line.1778"></a>
-<span class="sourceLineNo">1779</span> }<a name="line.1779"></a>
-<span class="sourceLineNo">1780</span> AccessChecker.logResult(authResult);<a name="line.1780"></a>
-<span class="sourceLineNo">1781</span> if (authorizationEnabled && !authResult.isAllowed()) {<a name="line.1781"></a>
-<span class="sourceLineNo">1782</span> throw new AccessDeniedException("Insufficient permissions " +<a name="line.1782"></a>
-<span class="sourceLineNo">1783</span> authResult.toContextString());<a name="line.1783"></a>
-<span class="sourceLineNo">1784</span> }<a name="line.1784"></a>
-<span class="sourceLineNo">1785</span> }<a name="line.1785"></a>
-<span class="sourceLineNo">1786</span> return null;<a name="line.1786"></a>
-<span class="sourceLineNo">1787</span> }<a name="line.1787"></a>
-<span class="sourceLineNo">1788</span><a name="line.1788"></a>
-<span class="sourceLineNo">1789</span> @Override<a name="line.1789"></a>
-<span class="sourceLineNo">1790</span> public Result preIncrement(final ObserverContext<RegionCoprocessorEnvironment> c,<a name="line.1790"></a>
-<span class="sourceLineNo">1791</span> final Increment increment)<a name="line.1791"></a>
-<span class="sourceLineNo">1792</span> throws IOException {<a name="line.1792"></a>
-<span class="sourceLineNo">1793</span> User user = getActiveUser(c);<a name="line.1793"></a>
-<span class="sourceLineNo">1794</span> checkForReservedTagPresence(user, increment);<a name="line.1794"></a>
-<span class="sourceLineNo">1795</span><a name="line.1795"></a>
-<span class="sourceLineNo">1796</span> // Require WRITE permission to the table, CF, and the KV to be replaced by<a name="line.1796"></a>
-<span class="sourceLineNo">1797</span> // the incremented value<a name="line.1797"></a>
-<span class="sourceLineNo">1798</span> RegionCoprocessorEnvironment env = c.getEnvironment();<a name="line.1798"></a>
-<span class="sourceLineNo">1799</span> Map<byte[],? extends Collection<Cell>> families = increment.getFamilyCellMap();<a name="line.1799"></a>
-<span class="sourceLineNo">1800</span> AuthResult authResult = permissionGranted(OpType.INCREMENT,<a name="line.1800"></a>
-<span class="sourceLineNo">1801</span> user, env, families, Action.WRITE);<a name="line.1801"></a>
-<span class="sourceLineNo">1802</span> AccessChecker.logResult(authResult);<a name="line.1802"></a>
-<span class="sourceLineNo">1803</span> if (!authResult.isAllowed()) {<a name="line.1803"></a>
-<span class="sourceLineNo">1804</span> if (cellFeaturesEnabled && !compatibleEarlyTermination) {<a name="line.1804"></a>
-<span class="sourceLineNo">1805</span> increment.setAttribute(CHECK_COVERING_PERM, TRUE);<a name="line.1805"></a>
-<span class="sourceLineNo">1806</span> } else if (authorizationEnabled) {<a name="line.1806"></a>
-<span class="sourceLineNo">1807</span> throw new AccessDeniedException("Insufficient permissions " +<a name="line.1807"></a>
-<span class="sourceLineNo">1808</span> authResult.toContextString());<a name="line.1808"></a>
-<span class="sourceLineNo">1809</span> }<a name="line.1809"></a>
-<span class="sourceLineNo">1810</span> }<a name="line.1810"></a>
-<span class="sourceLineNo">1811</span><a name="line.1811"></a>
-<span class="sourceLineNo">1812</span> byte[] bytes = increment.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);<a name="line.1812"></a>
-<span class="sourceLineNo">1813</span> if (bytes != null) {<a name="line.1813"></a>
-<span class="sourceLineNo">1814</span> if (cellFeat
<TRUNCATED>