Google Git
Sign in
apache / hbase-site / 0082cda45f48d1755543336c908ec6d80d4ec0a9 / . / devapidocs / src-html / org / apache / hadoop / hbase / security / visibility / VisibilityController.html
blob: 21739f3e7f255c09f430a1736681392874138731 [file] [log] [blame]
<!DOCTYPE HTML>
<html lang="en">
<head>
<!-- Generated by javadoc (17) -->
<title>Source code</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="source: package: org.apache.hadoop.hbase.security.visibility, class: VisibilityController">
<meta name="generator" content="javadoc/SourceToHTMLConverter">
<link rel="stylesheet" type="text/css" href="../../../../../../../stylesheet.css" title="Style">
</head>
<body class="source-page">
<main role="main">
<div class="source-container">
<pre><span class="source-line-no">001</span><span id="line-1">/*</span>
<span class="source-line-no">002</span><span id="line-2"> * Licensed to the Apache Software Foundation (ASF) under one</span>
<span class="source-line-no">003</span><span id="line-3"> * or more contributor license agreements. See the NOTICE file</span>
<span class="source-line-no">004</span><span id="line-4"> * distributed with this work for additional information</span>
<span class="source-line-no">005</span><span id="line-5"> * regarding copyright ownership. The ASF licenses this file</span>
<span class="source-line-no">006</span><span id="line-6"> * to you under the Apache License, Version 2.0 (the</span>
<span class="source-line-no">007</span><span id="line-7"> * "License"); you may not use this file except in compliance</span>
<span class="source-line-no">008</span><span id="line-8"> * with the License. You may obtain a copy of the License at</span>
<span class="source-line-no">009</span><span id="line-9"> *</span>
<span class="source-line-no">010</span><span id="line-10"> * http://www.apache.org/licenses/LICENSE-2.0</span>
<span class="source-line-no">011</span><span id="line-11"> *</span>
<span class="source-line-no">012</span><span id="line-12"> * Unless required by applicable law or agreed to in writing, software</span>
<span class="source-line-no">013</span><span id="line-13"> * distributed under the License is distributed on an "AS IS" BASIS,</span>
<span class="source-line-no">014</span><span id="line-14"> * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.</span>
<span class="source-line-no">015</span><span id="line-15"> * See the License for the specific language governing permissions and</span>
<span class="source-line-no">016</span><span id="line-16"> * limitations under the License.</span>
<span class="source-line-no">017</span><span id="line-17"> */</span>
<span class="source-line-no">018</span><span id="line-18">package org.apache.hadoop.hbase.security.visibility;</span>
<span class="source-line-no">019</span><span id="line-19"></span>
<span class="source-line-no">020</span><span id="line-20">import static org.apache.hadoop.hbase.HConstants.OperationStatusCode.SANITY_CHECK_FAILURE;</span>
<span class="source-line-no">021</span><span id="line-21">import static org.apache.hadoop.hbase.HConstants.OperationStatusCode.SUCCESS;</span>
<span class="source-line-no">022</span><span id="line-22">import static org.apache.hadoop.hbase.security.visibility.VisibilityConstants.LABELS_TABLE_FAMILY;</span>
<span class="source-line-no">023</span><span id="line-23">import static org.apache.hadoop.hbase.security.visibility.VisibilityConstants.LABELS_TABLE_NAME;</span>
<span class="source-line-no">024</span><span id="line-24"></span>
<span class="source-line-no">025</span><span id="line-25">import java.io.IOException;</span>
<span class="source-line-no">026</span><span id="line-26">import java.net.InetAddress;</span>
<span class="source-line-no">027</span><span id="line-27">import java.util.ArrayList;</span>
<span class="source-line-no">028</span><span id="line-28">import java.util.Collections;</span>
<span class="source-line-no">029</span><span id="line-29">import java.util.HashMap;</span>
<span class="source-line-no">030</span><span id="line-30">import java.util.Iterator;</span>
<span class="source-line-no">031</span><span id="line-31">import java.util.List;</span>
<span class="source-line-no">032</span><span id="line-32">import java.util.Map;</span>
<span class="source-line-no">033</span><span id="line-33">import java.util.Objects;</span>
<span class="source-line-no">034</span><span id="line-34">import java.util.Optional;</span>
<span class="source-line-no">035</span><span id="line-35">import org.apache.hadoop.conf.Configuration;</span>
<span class="source-line-no">036</span><span id="line-36">import org.apache.hadoop.hbase.AuthUtil;</span>
<span class="source-line-no">037</span><span id="line-37">import org.apache.hadoop.hbase.Cell;</span>
<span class="source-line-no">038</span><span id="line-38">import org.apache.hadoop.hbase.CoprocessorEnvironment;</span>
<span class="source-line-no">039</span><span id="line-39">import org.apache.hadoop.hbase.DoNotRetryIOException;</span>
<span class="source-line-no">040</span><span id="line-40">import org.apache.hadoop.hbase.ExtendedCell;</span>
<span class="source-line-no">041</span><span id="line-41">import org.apache.hadoop.hbase.ExtendedCellScanner;</span>
<span class="source-line-no">042</span><span id="line-42">import org.apache.hadoop.hbase.HBaseInterfaceAudience;</span>
<span class="source-line-no">043</span><span id="line-43">import org.apache.hadoop.hbase.PrivateCellUtil;</span>
<span class="source-line-no">044</span><span id="line-44">import org.apache.hadoop.hbase.TableName;</span>
<span class="source-line-no">045</span><span id="line-45">import org.apache.hadoop.hbase.Tag;</span>
<span class="source-line-no">046</span><span id="line-46">import org.apache.hadoop.hbase.TagType;</span>
<span class="source-line-no">047</span><span id="line-47">import org.apache.hadoop.hbase.client.Admin;</span>
<span class="source-line-no">048</span><span id="line-48">import org.apache.hadoop.hbase.client.ColumnFamilyDescriptorBuilder;</span>
<span class="source-line-no">049</span><span id="line-49">import org.apache.hadoop.hbase.client.Delete;</span>
<span class="source-line-no">050</span><span id="line-50">import org.apache.hadoop.hbase.client.Get;</span>
<span class="source-line-no">051</span><span id="line-51">import org.apache.hadoop.hbase.client.MasterSwitchType;</span>
<span class="source-line-no">052</span><span id="line-52">import org.apache.hadoop.hbase.client.Mutation;</span>
<span class="source-line-no">053</span><span id="line-53">import org.apache.hadoop.hbase.client.Put;</span>
<span class="source-line-no">054</span><span id="line-54">import org.apache.hadoop.hbase.client.Result;</span>
<span class="source-line-no">055</span><span id="line-55">import org.apache.hadoop.hbase.client.Scan;</span>
<span class="source-line-no">056</span><span id="line-56">import org.apache.hadoop.hbase.client.TableDescriptor;</span>
<span class="source-line-no">057</span><span id="line-57">import org.apache.hadoop.hbase.client.TableDescriptorBuilder;</span>
<span class="source-line-no">058</span><span id="line-58">import org.apache.hadoop.hbase.constraint.ConstraintException;</span>
<span class="source-line-no">059</span><span id="line-59">import org.apache.hadoop.hbase.coprocessor.CoprocessorException;</span>
<span class="source-line-no">060</span><span id="line-60">import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;</span>
<span class="source-line-no">061</span><span id="line-61">import org.apache.hadoop.hbase.coprocessor.CoreCoprocessor;</span>
<span class="source-line-no">062</span><span id="line-62">import org.apache.hadoop.hbase.coprocessor.MasterCoprocessor;</span>
<span class="source-line-no">063</span><span id="line-63">import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;</span>
<span class="source-line-no">064</span><span id="line-64">import org.apache.hadoop.hbase.coprocessor.MasterObserver;</span>
<span class="source-line-no">065</span><span id="line-65">import org.apache.hadoop.hbase.coprocessor.ObserverContext;</span>
<span class="source-line-no">066</span><span id="line-66">import org.apache.hadoop.hbase.coprocessor.RegionCoprocessor;</span>
<span class="source-line-no">067</span><span id="line-67">import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;</span>
<span class="source-line-no">068</span><span id="line-68">import org.apache.hadoop.hbase.coprocessor.RegionObserver;</span>
<span class="source-line-no">069</span><span id="line-69">import org.apache.hadoop.hbase.exceptions.DeserializationException;</span>
<span class="source-line-no">070</span><span id="line-70">import org.apache.hadoop.hbase.filter.Filter;</span>
<span class="source-line-no">071</span><span id="line-71">import org.apache.hadoop.hbase.filter.FilterBase;</span>
<span class="source-line-no">072</span><span id="line-72">import org.apache.hadoop.hbase.filter.FilterList;</span>
<span class="source-line-no">073</span><span id="line-73">import org.apache.hadoop.hbase.io.hfile.HFile;</span>
<span class="source-line-no">074</span><span id="line-74">import org.apache.hadoop.hbase.ipc.CoprocessorRpcUtils;</span>
<span class="source-line-no">075</span><span id="line-75">import org.apache.hadoop.hbase.ipc.RpcServer;</span>
<span class="source-line-no">076</span><span id="line-76">import org.apache.hadoop.hbase.regionserver.BloomType;</span>
<span class="source-line-no">077</span><span id="line-77">import org.apache.hadoop.hbase.regionserver.DisabledRegionSplitPolicy;</span>
<span class="source-line-no">078</span><span id="line-78">import org.apache.hadoop.hbase.regionserver.InternalScanner;</span>
<span class="source-line-no">079</span><span id="line-79">import org.apache.hadoop.hbase.regionserver.MiniBatchOperationInProgress;</span>
<span class="source-line-no">080</span><span id="line-80">import org.apache.hadoop.hbase.regionserver.OperationStatus;</span>
<span class="source-line-no">081</span><span id="line-81">import org.apache.hadoop.hbase.regionserver.Region;</span>
<span class="source-line-no">082</span><span id="line-82">import org.apache.hadoop.hbase.regionserver.RegionScanner;</span>
<span class="source-line-no">083</span><span id="line-83">import org.apache.hadoop.hbase.regionserver.querymatcher.DeleteTracker;</span>
<span class="source-line-no">084</span><span id="line-84">import org.apache.hadoop.hbase.security.AccessDeniedException;</span>
<span class="source-line-no">085</span><span id="line-85">import org.apache.hadoop.hbase.security.Superusers;</span>
<span class="source-line-no">086</span><span id="line-86">import org.apache.hadoop.hbase.security.User;</span>
<span class="source-line-no">087</span><span id="line-87">import org.apache.hadoop.hbase.security.access.AccessChecker;</span>
<span class="source-line-no">088</span><span id="line-88">import org.apache.hadoop.hbase.security.access.AccessController;</span>
<span class="source-line-no">089</span><span id="line-89">import org.apache.hadoop.hbase.util.Bytes;</span>
<span class="source-line-no">090</span><span id="line-90">import org.apache.hadoop.hbase.util.Pair;</span>
<span class="source-line-no">091</span><span id="line-91">import org.apache.hadoop.util.StringUtils;</span>
<span class="source-line-no">092</span><span id="line-92">import org.apache.yetus.audience.InterfaceAudience;</span>
<span class="source-line-no">093</span><span id="line-93">import org.slf4j.Logger;</span>
<span class="source-line-no">094</span><span id="line-94">import org.slf4j.LoggerFactory;</span>
<span class="source-line-no">095</span><span id="line-95"></span>
<span class="source-line-no">096</span><span id="line-96">import org.apache.hbase.thirdparty.com.google.common.collect.Lists;</span>
<span class="source-line-no">097</span><span id="line-97">import org.apache.hbase.thirdparty.com.google.common.collect.MapMaker;</span>
<span class="source-line-no">098</span><span id="line-98">import org.apache.hbase.thirdparty.com.google.protobuf.ByteString;</span>
<span class="source-line-no">099</span><span id="line-99">import org.apache.hbase.thirdparty.com.google.protobuf.RpcCallback;</span>
<span class="source-line-no">100</span><span id="line-100">import org.apache.hbase.thirdparty.com.google.protobuf.RpcController;</span>
<span class="source-line-no">101</span><span id="line-101">import org.apache.hbase.thirdparty.com.google.protobuf.Service;</span>
<span class="source-line-no">102</span><span id="line-102"></span>
<span class="source-line-no">103</span><span id="line-103">import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos.RegionActionResult;</span>
<span class="source-line-no">104</span><span id="line-104">import org.apache.hadoop.hbase.shaded.protobuf.generated.HBaseProtos.NameBytesPair;</span>
<span class="source-line-no">105</span><span id="line-105">import org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos;</span>
<span class="source-line-no">106</span><span id="line-106">import org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.GetAuthsRequest;</span>
<span class="source-line-no">107</span><span id="line-107">import org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.GetAuthsResponse;</span>
<span class="source-line-no">108</span><span id="line-108">import org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.ListLabelsRequest;</span>
<span class="source-line-no">109</span><span id="line-109">import org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.ListLabelsResponse;</span>
<span class="source-line-no">110</span><span id="line-110">import org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.SetAuthsRequest;</span>
<span class="source-line-no">111</span><span id="line-111">import org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.VisibilityLabel;</span>
<span class="source-line-no">112</span><span id="line-112">import org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsRequest;</span>
<span class="source-line-no">113</span><span id="line-113">import org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsResponse;</span>
<span class="source-line-no">114</span><span id="line-114">import org.apache.hadoop.hbase.shaded.protobuf.generated.VisibilityLabelsProtos.VisibilityLabelsService;</span>
<span class="source-line-no">115</span><span id="line-115"></span>
<span class="source-line-no">116</span><span id="line-116">/**</span>
<span class="source-line-no">117</span><span id="line-117"> * Coprocessor that has both the MasterObserver and RegionObserver implemented that supports in</span>
<span class="source-line-no">118</span><span id="line-118"> * visibility labels</span>
<span class="source-line-no">119</span><span id="line-119"> */</span>
<span class="source-line-no">120</span><span id="line-120">@CoreCoprocessor</span>
<span class="source-line-no">121</span><span id="line-121">@InterfaceAudience.LimitedPrivate(HBaseInterfaceAudience.CONFIG)</span>
<span class="source-line-no">122</span><span id="line-122">// TODO: break out Observer functions into separate class/sub-class.</span>
<span class="source-line-no">123</span><span id="line-123">public class VisibilityController implements MasterCoprocessor, RegionCoprocessor,</span>
<span class="source-line-no">124</span><span id="line-124"> VisibilityLabelsService.Interface, MasterObserver, RegionObserver {</span>
<span class="source-line-no">125</span><span id="line-125"></span>
<span class="source-line-no">126</span><span id="line-126"> private static final Logger LOG = LoggerFactory.getLogger(VisibilityController.class);</span>
<span class="source-line-no">127</span><span id="line-127"> private static final Logger AUDITLOG =</span>
<span class="source-line-no">128</span><span id="line-128"> LoggerFactory.getLogger("SecurityLogger." + VisibilityController.class.getName());</span>
<span class="source-line-no">129</span><span id="line-129"> // flags if we are running on a region of the 'labels' table</span>
<span class="source-line-no">130</span><span id="line-130"> private boolean labelsRegion = false;</span>
<span class="source-line-no">131</span><span id="line-131"> // Flag denoting whether AcessController is available or not.</span>
<span class="source-line-no">132</span><span id="line-132"> private boolean accessControllerAvailable = false;</span>
<span class="source-line-no">133</span><span id="line-133"> private Configuration conf;</span>
<span class="source-line-no">134</span><span id="line-134"> private volatile boolean initialized = false;</span>
<span class="source-line-no">135</span><span id="line-135"> private boolean checkAuths = false;</span>
<span class="source-line-no">136</span><span id="line-136"> /** Mapping of scanner instances to the user who created them */</span>
<span class="source-line-no">137</span><span id="line-137"> private Map&lt;InternalScanner, String&gt; scannerOwners = new MapMaker().weakKeys().makeMap();</span>
<span class="source-line-no">138</span><span id="line-138"></span>
<span class="source-line-no">139</span><span id="line-139"> private VisibilityLabelService visibilityLabelService;</span>
<span class="source-line-no">140</span><span id="line-140"></span>
<span class="source-line-no">141</span><span id="line-141"> /**</span>
<span class="source-line-no">142</span><span id="line-142"> * if we are active, usually false, only true if "hbase.security.authorization" has been set to</span>
<span class="source-line-no">143</span><span id="line-143"> * true in site configuration</span>
<span class="source-line-no">144</span><span id="line-144"> */</span>
<span class="source-line-no">145</span><span id="line-145"> boolean authorizationEnabled;</span>
<span class="source-line-no">146</span><span id="line-146"></span>
<span class="source-line-no">147</span><span id="line-147"> // Add to this list if there are any reserved tag types</span>
<span class="source-line-no">148</span><span id="line-148"> private static ArrayList&lt;Byte&gt; RESERVED_VIS_TAG_TYPES = new ArrayList&lt;&gt;();</span>
<span class="source-line-no">149</span><span id="line-149"> static {</span>
<span class="source-line-no">150</span><span id="line-150"> RESERVED_VIS_TAG_TYPES.add(TagType.VISIBILITY_TAG_TYPE);</span>
<span class="source-line-no">151</span><span id="line-151"> RESERVED_VIS_TAG_TYPES.add(TagType.VISIBILITY_EXP_SERIALIZATION_FORMAT_TAG_TYPE);</span>
<span class="source-line-no">152</span><span id="line-152"> RESERVED_VIS_TAG_TYPES.add(TagType.STRING_VIS_TAG_TYPE);</span>
<span class="source-line-no">153</span><span id="line-153"> }</span>
<span class="source-line-no">154</span><span id="line-154"></span>
<span class="source-line-no">155</span><span id="line-155"> public static boolean isCellAuthorizationSupported(Configuration conf) {</span>
<span class="source-line-no">156</span><span id="line-156"> return AccessChecker.isAuthorizationSupported(conf);</span>
<span class="source-line-no">157</span><span id="line-157"> }</span>
<span class="source-line-no">158</span><span id="line-158"></span>
<span class="source-line-no">159</span><span id="line-159"> @Override</span>
<span class="source-line-no">160</span><span id="line-160"> public void start(CoprocessorEnvironment env) throws IOException {</span>
<span class="source-line-no">161</span><span id="line-161"> this.conf = env.getConfiguration();</span>
<span class="source-line-no">162</span><span id="line-162"></span>
<span class="source-line-no">163</span><span id="line-163"> authorizationEnabled = AccessChecker.isAuthorizationSupported(conf);</span>
<span class="source-line-no">164</span><span id="line-164"> if (!authorizationEnabled) {</span>
<span class="source-line-no">165</span><span id="line-165"> LOG.warn("The VisibilityController has been loaded with authorization checks disabled.");</span>
<span class="source-line-no">166</span><span id="line-166"> }</span>
<span class="source-line-no">167</span><span id="line-167"></span>
<span class="source-line-no">168</span><span id="line-168"> if (HFile.getFormatVersion(conf) &lt; HFile.MIN_FORMAT_VERSION_WITH_TAGS) {</span>
<span class="source-line-no">169</span><span id="line-169"> throw new RuntimeException("A minimum HFile version of " + HFile.MIN_FORMAT_VERSION_WITH_TAGS</span>
<span class="source-line-no">170</span><span id="line-170"> + " is required to persist visibility labels. Consider setting " + HFile.FORMAT_VERSION_KEY</span>
<span class="source-line-no">171</span><span id="line-171"> + " accordingly.");</span>
<span class="source-line-no">172</span><span id="line-172"> }</span>
<span class="source-line-no">173</span><span id="line-173"></span>
<span class="source-line-no">174</span><span id="line-174"> // Do not create for master CPs</span>
<span class="source-line-no">175</span><span id="line-175"> if (!(env instanceof MasterCoprocessorEnvironment)) {</span>
<span class="source-line-no">176</span><span id="line-176"> visibilityLabelService =</span>
<span class="source-line-no">177</span><span id="line-177"> VisibilityLabelServiceManager.getInstance().getVisibilityLabelService(this.conf);</span>
<span class="source-line-no">178</span><span id="line-178"> }</span>
<span class="source-line-no">179</span><span id="line-179"> }</span>
<span class="source-line-no">180</span><span id="line-180"></span>
<span class="source-line-no">181</span><span id="line-181"> @Override</span>
<span class="source-line-no">182</span><span id="line-182"> public void stop(CoprocessorEnvironment env) throws IOException {</span>
<span class="source-line-no">183</span><span id="line-183"></span>
<span class="source-line-no">184</span><span id="line-184"> }</span>
<span class="source-line-no">185</span><span id="line-185"></span>
<span class="source-line-no">186</span><span id="line-186"> /**************************** Observer/Service Getters ************************************/</span>
<span class="source-line-no">187</span><span id="line-187"> @Override</span>
<span class="source-line-no">188</span><span id="line-188"> public Optional&lt;RegionObserver&gt; getRegionObserver() {</span>
<span class="source-line-no">189</span><span id="line-189"> return Optional.of(this);</span>
<span class="source-line-no">190</span><span id="line-190"> }</span>
<span class="source-line-no">191</span><span id="line-191"></span>
<span class="source-line-no">192</span><span id="line-192"> @Override</span>
<span class="source-line-no">193</span><span id="line-193"> public Optional&lt;MasterObserver&gt; getMasterObserver() {</span>
<span class="source-line-no">194</span><span id="line-194"> return Optional.of(this);</span>
<span class="source-line-no">195</span><span id="line-195"> }</span>
<span class="source-line-no">196</span><span id="line-196"></span>
<span class="source-line-no">197</span><span id="line-197"> @Override</span>
<span class="source-line-no">198</span><span id="line-198"> public Iterable&lt;Service&gt; getServices() {</span>
<span class="source-line-no">199</span><span id="line-199"> return Collections</span>
<span class="source-line-no">200</span><span id="line-200"> .singleton(VisibilityLabelsProtos.VisibilityLabelsService.newReflectiveService(this));</span>
<span class="source-line-no">201</span><span id="line-201"> }</span>
<span class="source-line-no">202</span><span id="line-202"></span>
<span class="source-line-no">203</span><span id="line-203"> /********************************* Master related hooks **********************************/</span>
<span class="source-line-no">204</span><span id="line-204"></span>
<span class="source-line-no">205</span><span id="line-205"> @Override</span>
<span class="source-line-no">206</span><span id="line-206"> public void postStartMaster(ObserverContext&lt;MasterCoprocessorEnvironment&gt; ctx)</span>
<span class="source-line-no">207</span><span id="line-207"> throws IOException {</span>
<span class="source-line-no">208</span><span id="line-208"> // Need to create the new system table for labels here</span>
<span class="source-line-no">209</span><span id="line-209"> try (Admin admin = ctx.getEnvironment().getConnection().getAdmin()) {</span>
<span class="source-line-no">210</span><span id="line-210"> if (!admin.tableExists(LABELS_TABLE_NAME)) {</span>
<span class="source-line-no">211</span><span id="line-211"> // We will cache all the labels. No need of normal table block cache.</span>
<span class="source-line-no">212</span><span id="line-212"> // Let the "labels" table having only one region always. We are not expecting too many</span>
<span class="source-line-no">213</span><span id="line-213"> // labels in the system.</span>
<span class="source-line-no">214</span><span id="line-214"> TableDescriptor tableDescriptor = TableDescriptorBuilder.newBuilder(LABELS_TABLE_NAME)</span>
<span class="source-line-no">215</span><span id="line-215"> .setColumnFamily(ColumnFamilyDescriptorBuilder.newBuilder(LABELS_TABLE_FAMILY)</span>
<span class="source-line-no">216</span><span id="line-216"> .setBloomFilterType(BloomType.NONE).setBlockCacheEnabled(false).build())</span>
<span class="source-line-no">217</span><span id="line-217"> .setValue(TableDescriptorBuilder.SPLIT_POLICY, DisabledRegionSplitPolicy.class.getName())</span>
<span class="source-line-no">218</span><span id="line-218"> .build();</span>
<span class="source-line-no">219</span><span id="line-219"></span>
<span class="source-line-no">220</span><span id="line-220"> admin.createTable(tableDescriptor);</span>
<span class="source-line-no">221</span><span id="line-221"> }</span>
<span class="source-line-no">222</span><span id="line-222"> }</span>
<span class="source-line-no">223</span><span id="line-223"> }</span>
<span class="source-line-no">224</span><span id="line-224"></span>
<span class="source-line-no">225</span><span id="line-225"> @Override</span>
<span class="source-line-no">226</span><span id="line-226"> public TableDescriptor preModifyTable(ObserverContext&lt;MasterCoprocessorEnvironment&gt; ctx,</span>
<span class="source-line-no">227</span><span id="line-227"> TableName tableName, TableDescriptor currentDescriptor, TableDescriptor newDescriptor)</span>
<span class="source-line-no">228</span><span id="line-228"> throws IOException {</span>
<span class="source-line-no">229</span><span id="line-229"> if (authorizationEnabled) {</span>
<span class="source-line-no">230</span><span id="line-230"> if (LABELS_TABLE_NAME.equals(tableName)) {</span>
<span class="source-line-no">231</span><span id="line-231"> throw new ConstraintException("Cannot alter " + LABELS_TABLE_NAME);</span>
<span class="source-line-no">232</span><span id="line-232"> }</span>
<span class="source-line-no">233</span><span id="line-233"> }</span>
<span class="source-line-no">234</span><span id="line-234"> return newDescriptor;</span>
<span class="source-line-no">235</span><span id="line-235"> }</span>
<span class="source-line-no">236</span><span id="line-236"></span>
<span class="source-line-no">237</span><span id="line-237"> @Override</span>
<span class="source-line-no">238</span><span id="line-238"> public void preDisableTable(ObserverContext&lt;MasterCoprocessorEnvironment&gt; ctx,</span>
<span class="source-line-no">239</span><span id="line-239"> TableName tableName) throws IOException {</span>
<span class="source-line-no">240</span><span id="line-240"> if (!authorizationEnabled) {</span>
<span class="source-line-no">241</span><span id="line-241"> return;</span>
<span class="source-line-no">242</span><span id="line-242"> }</span>
<span class="source-line-no">243</span><span id="line-243"> if (LABELS_TABLE_NAME.equals(tableName)) {</span>
<span class="source-line-no">244</span><span id="line-244"> throw new ConstraintException("Cannot disable " + LABELS_TABLE_NAME);</span>
<span class="source-line-no">245</span><span id="line-245"> }</span>
<span class="source-line-no">246</span><span id="line-246"> }</span>
<span class="source-line-no">247</span><span id="line-247"></span>
<span class="source-line-no">248</span><span id="line-248"> /****************************** Region related hooks ******************************/</span>
<span class="source-line-no">249</span><span id="line-249"></span>
<span class="source-line-no">250</span><span id="line-250"> @Override</span>
<span class="source-line-no">251</span><span id="line-251"> public void postOpen(ObserverContext&lt;RegionCoprocessorEnvironment&gt; e) {</span>
<span class="source-line-no">252</span><span id="line-252"> // Read the entire labels table and populate the zk</span>
<span class="source-line-no">253</span><span id="line-253"> if (e.getEnvironment().getRegion().getRegionInfo().getTable().equals(LABELS_TABLE_NAME)) {</span>
<span class="source-line-no">254</span><span id="line-254"> this.labelsRegion = true;</span>
<span class="source-line-no">255</span><span id="line-255"> synchronized (this) {</span>
<span class="source-line-no">256</span><span id="line-256"> this.accessControllerAvailable =</span>
<span class="source-line-no">257</span><span id="line-257"> CoprocessorHost.getLoadedCoprocessors().contains(AccessController.class.getName());</span>
<span class="source-line-no">258</span><span id="line-258"> }</span>
<span class="source-line-no">259</span><span id="line-259"> initVisibilityLabelService(e.getEnvironment());</span>
<span class="source-line-no">260</span><span id="line-260"> } else {</span>
<span class="source-line-no">261</span><span id="line-261"> checkAuths = e.getEnvironment().getConfiguration()</span>
<span class="source-line-no">262</span><span id="line-262"> .getBoolean(VisibilityConstants.CHECK_AUTHS_FOR_MUTATION, false);</span>
<span class="source-line-no">263</span><span id="line-263"> initVisibilityLabelService(e.getEnvironment());</span>
<span class="source-line-no">264</span><span id="line-264"> }</span>
<span class="source-line-no">265</span><span id="line-265"> }</span>
<span class="source-line-no">266</span><span id="line-266"></span>
<span class="source-line-no">267</span><span id="line-267"> private void initVisibilityLabelService(RegionCoprocessorEnvironment env) {</span>
<span class="source-line-no">268</span><span id="line-268"> try {</span>
<span class="source-line-no">269</span><span id="line-269"> this.visibilityLabelService.init(env);</span>
<span class="source-line-no">270</span><span id="line-270"> this.initialized = true;</span>
<span class="source-line-no">271</span><span id="line-271"> } catch (IOException ioe) {</span>
<span class="source-line-no">272</span><span id="line-272"> LOG.error("Error while initializing VisibilityLabelService..", ioe);</span>
<span class="source-line-no">273</span><span id="line-273"> throw new RuntimeException(ioe);</span>
<span class="source-line-no">274</span><span id="line-274"> }</span>
<span class="source-line-no">275</span><span id="line-275"> }</span>
<span class="source-line-no">276</span><span id="line-276"></span>
<span class="source-line-no">277</span><span id="line-277"> @Override</span>
<span class="source-line-no">278</span><span id="line-278"> public void postSetSplitOrMergeEnabled(final ObserverContext&lt;MasterCoprocessorEnvironment&gt; ctx,</span>
<span class="source-line-no">279</span><span id="line-279"> final boolean newValue, final MasterSwitchType switchType) throws IOException {</span>
<span class="source-line-no">280</span><span id="line-280"> }</span>
<span class="source-line-no">281</span><span id="line-281"></span>
<span class="source-line-no">282</span><span id="line-282"> @Override</span>
<span class="source-line-no">283</span><span id="line-283"> public void preBatchMutate(ObserverContext&lt;RegionCoprocessorEnvironment&gt; c,</span>
<span class="source-line-no">284</span><span id="line-284"> MiniBatchOperationInProgress&lt;Mutation&gt; miniBatchOp) throws IOException {</span>
<span class="source-line-no">285</span><span id="line-285"> if (c.getEnvironment().getRegion().getRegionInfo().getTable().isSystemTable()) {</span>
<span class="source-line-no">286</span><span id="line-286"> return;</span>
<span class="source-line-no">287</span><span id="line-287"> }</span>
<span class="source-line-no">288</span><span id="line-288"> // TODO this can be made as a global LRU cache at HRS level?</span>
<span class="source-line-no">289</span><span id="line-289"> Map&lt;String, List&lt;Tag&gt;&gt; labelCache = new HashMap&lt;&gt;();</span>
<span class="source-line-no">290</span><span id="line-290"> for (int i = 0; i &lt; miniBatchOp.size(); i++) {</span>
<span class="source-line-no">291</span><span id="line-291"> Mutation m = miniBatchOp.getOperation(i);</span>
<span class="source-line-no">292</span><span id="line-292"> CellVisibility cellVisibility = null;</span>
<span class="source-line-no">293</span><span id="line-293"> try {</span>
<span class="source-line-no">294</span><span id="line-294"> cellVisibility = m.getCellVisibility();</span>
<span class="source-line-no">295</span><span id="line-295"> } catch (DeserializationException de) {</span>
<span class="source-line-no">296</span><span id="line-296"> miniBatchOp.setOperationStatus(i,</span>
<span class="source-line-no">297</span><span id="line-297"> new OperationStatus(SANITY_CHECK_FAILURE, de.getMessage()));</span>
<span class="source-line-no">298</span><span id="line-298"> continue;</span>
<span class="source-line-no">299</span><span id="line-299"> }</span>
<span class="source-line-no">300</span><span id="line-300"> boolean sanityFailure = false;</span>
<span class="source-line-no">301</span><span id="line-301"> boolean modifiedTagFound = false;</span>
<span class="source-line-no">302</span><span id="line-302"> Pair&lt;Boolean, Tag&gt; pair = new Pair&lt;&gt;(false, null);</span>
<span class="source-line-no">303</span><span id="line-303"> for (ExtendedCellScanner cellScanner = m.cellScanner(); cellScanner.advance();) {</span>
<span class="source-line-no">304</span><span id="line-304"> ExtendedCell cell = cellScanner.current();</span>
<span class="source-line-no">305</span><span id="line-305"> pair = checkForReservedVisibilityTagPresence(cell, pair);</span>
<span class="source-line-no">306</span><span id="line-306"> if (!pair.getFirst()) {</span>
<span class="source-line-no">307</span><span id="line-307"> // Don't disallow reserved tags if authorization is disabled</span>
<span class="source-line-no">308</span><span id="line-308"> if (authorizationEnabled) {</span>
<span class="source-line-no">309</span><span id="line-309"> miniBatchOp.setOperationStatus(i, new OperationStatus(SANITY_CHECK_FAILURE,</span>
<span class="source-line-no">310</span><span id="line-310"> "Mutation contains cell with reserved type tag"));</span>
<span class="source-line-no">311</span><span id="line-311"> sanityFailure = true;</span>
<span class="source-line-no">312</span><span id="line-312"> }</span>
<span class="source-line-no">313</span><span id="line-313"> break;</span>
<span class="source-line-no">314</span><span id="line-314"> } else {</span>
<span class="source-line-no">315</span><span id="line-315"> // Indicates that the cell has a the tag which was modified in the src replication cluster</span>
<span class="source-line-no">316</span><span id="line-316"> Tag tag = pair.getSecond();</span>
<span class="source-line-no">317</span><span id="line-317"> if (cellVisibility == null &amp;&amp; tag != null) {</span>
<span class="source-line-no">318</span><span id="line-318"> // May need to store only the first one</span>
<span class="source-line-no">319</span><span id="line-319"> cellVisibility = new CellVisibility(Tag.getValueAsString(tag));</span>
<span class="source-line-no">320</span><span id="line-320"> modifiedTagFound = true;</span>
<span class="source-line-no">321</span><span id="line-321"> }</span>
<span class="source-line-no">322</span><span id="line-322"> }</span>
<span class="source-line-no">323</span><span id="line-323"> }</span>
<span class="source-line-no">324</span><span id="line-324"> if (!sanityFailure &amp;&amp; (m instanceof Put || m instanceof Delete)) {</span>
<span class="source-line-no">325</span><span id="line-325"> if (cellVisibility != null) {</span>
<span class="source-line-no">326</span><span id="line-326"> String labelsExp = cellVisibility.getExpression();</span>
<span class="source-line-no">327</span><span id="line-327"> List&lt;Tag&gt; visibilityTags = labelCache.get(labelsExp);</span>
<span class="source-line-no">328</span><span id="line-328"> if (visibilityTags == null) {</span>
<span class="source-line-no">329</span><span id="line-329"> // Don't check user auths for labels with Mutations when the user is super user</span>
<span class="source-line-no">330</span><span id="line-330"> boolean authCheck = authorizationEnabled &amp;&amp; checkAuths &amp;&amp; !(isSystemOrSuperUser());</span>
<span class="source-line-no">331</span><span id="line-331"> try {</span>
<span class="source-line-no">332</span><span id="line-332"> visibilityTags =</span>
<span class="source-line-no">333</span><span id="line-333"> this.visibilityLabelService.createVisibilityExpTags(labelsExp, true, authCheck);</span>
<span class="source-line-no">334</span><span id="line-334"> } catch (InvalidLabelException e) {</span>
<span class="source-line-no">335</span><span id="line-335"> miniBatchOp.setOperationStatus(i,</span>
<span class="source-line-no">336</span><span id="line-336"> new OperationStatus(SANITY_CHECK_FAILURE, e.getMessage()));</span>
<span class="source-line-no">337</span><span id="line-337"> }</span>
<span class="source-line-no">338</span><span id="line-338"> if (visibilityTags != null) {</span>
<span class="source-line-no">339</span><span id="line-339"> labelCache.put(labelsExp, visibilityTags);</span>
<span class="source-line-no">340</span><span id="line-340"> }</span>
<span class="source-line-no">341</span><span id="line-341"> }</span>
<span class="source-line-no">342</span><span id="line-342"> if (visibilityTags != null) {</span>
<span class="source-line-no">343</span><span id="line-343"> List&lt;ExtendedCell&gt; updatedCells = new ArrayList&lt;&gt;();</span>
<span class="source-line-no">344</span><span id="line-344"> for (ExtendedCellScanner cellScanner = m.cellScanner(); cellScanner.advance();) {</span>
<span class="source-line-no">345</span><span id="line-345"> ExtendedCell cell = cellScanner.current();</span>
<span class="source-line-no">346</span><span id="line-346"> List&lt;Tag&gt; tags = PrivateCellUtil.getTags(cell);</span>
<span class="source-line-no">347</span><span id="line-347"> if (modifiedTagFound) {</span>
<span class="source-line-no">348</span><span id="line-348"> // Rewrite the tags by removing the modified tags.</span>
<span class="source-line-no">349</span><span id="line-349"> removeReplicationVisibilityTag(tags);</span>
<span class="source-line-no">350</span><span id="line-350"> }</span>
<span class="source-line-no">351</span><span id="line-351"> tags.addAll(visibilityTags);</span>
<span class="source-line-no">352</span><span id="line-352"> ExtendedCell updatedCell = PrivateCellUtil.createCell(cell, tags);</span>
<span class="source-line-no">353</span><span id="line-353"> updatedCells.add(updatedCell);</span>
<span class="source-line-no">354</span><span id="line-354"> }</span>
<span class="source-line-no">355</span><span id="line-355"> m.getFamilyCellMap().clear();</span>
<span class="source-line-no">356</span><span id="line-356"> // Clear and add new Cells to the Mutation.</span>
<span class="source-line-no">357</span><span id="line-357"> for (ExtendedCell cell : updatedCells) {</span>
<span class="source-line-no">358</span><span id="line-358"> if (m instanceof Put) {</span>
<span class="source-line-no">359</span><span id="line-359"> Put p = (Put) m;</span>
<span class="source-line-no">360</span><span id="line-360"> p.add(cell);</span>
<span class="source-line-no">361</span><span id="line-361"> } else {</span>
<span class="source-line-no">362</span><span id="line-362"> Delete d = (Delete) m;</span>
<span class="source-line-no">363</span><span id="line-363"> d.add(cell);</span>
<span class="source-line-no">364</span><span id="line-364"> }</span>
<span class="source-line-no">365</span><span id="line-365"> }</span>
<span class="source-line-no">366</span><span id="line-366"> }</span>
<span class="source-line-no">367</span><span id="line-367"> }</span>
<span class="source-line-no">368</span><span id="line-368"> }</span>
<span class="source-line-no">369</span><span id="line-369"> }</span>
<span class="source-line-no">370</span><span id="line-370"> }</span>
<span class="source-line-no">371</span><span id="line-371"></span>
<span class="source-line-no">372</span><span id="line-372"> @Override</span>
<span class="source-line-no">373</span><span id="line-373"> public void prePrepareTimeStampForDeleteVersion(ObserverContext&lt;RegionCoprocessorEnvironment&gt; ctx,</span>
<span class="source-line-no">374</span><span id="line-374"> Mutation delete, Cell cell, byte[] byteNow, Get get) throws IOException {</span>
<span class="source-line-no">375</span><span id="line-375"> // Nothing to do if we are not filtering by visibility</span>
<span class="source-line-no">376</span><span id="line-376"> if (!authorizationEnabled) {</span>
<span class="source-line-no">377</span><span id="line-377"> return;</span>
<span class="source-line-no">378</span><span id="line-378"> }</span>
<span class="source-line-no">379</span><span id="line-379"></span>
<span class="source-line-no">380</span><span id="line-380"> CellVisibility cellVisibility = null;</span>
<span class="source-line-no">381</span><span id="line-381"> try {</span>
<span class="source-line-no">382</span><span id="line-382"> cellVisibility = delete.getCellVisibility();</span>
<span class="source-line-no">383</span><span id="line-383"> } catch (DeserializationException de) {</span>
<span class="source-line-no">384</span><span id="line-384"> throw new IOException("Invalid cell visibility specified " + delete, de);</span>
<span class="source-line-no">385</span><span id="line-385"> }</span>
<span class="source-line-no">386</span><span id="line-386"> // The check for checkForReservedVisibilityTagPresence happens in preBatchMutate happens.</span>
<span class="source-line-no">387</span><span id="line-387"> // It happens for every mutation and that would be enough.</span>
<span class="source-line-no">388</span><span id="line-388"> List&lt;Tag&gt; visibilityTags = new ArrayList&lt;&gt;();</span>
<span class="source-line-no">389</span><span id="line-389"> if (cellVisibility != null) {</span>
<span class="source-line-no">390</span><span id="line-390"> String labelsExp = cellVisibility.getExpression();</span>
<span class="source-line-no">391</span><span id="line-391"> try {</span>
<span class="source-line-no">392</span><span id="line-392"> visibilityTags =</span>
<span class="source-line-no">393</span><span id="line-393"> this.visibilityLabelService.createVisibilityExpTags(labelsExp, false, false);</span>
<span class="source-line-no">394</span><span id="line-394"> } catch (InvalidLabelException e) {</span>
<span class="source-line-no">395</span><span id="line-395"> throw new IOException("Invalid cell visibility specified " + labelsExp, e);</span>
<span class="source-line-no">396</span><span id="line-396"> }</span>
<span class="source-line-no">397</span><span id="line-397"> }</span>
<span class="source-line-no">398</span><span id="line-398"> get.setFilter(new DeleteVersionVisibilityExpressionFilter(visibilityTags,</span>
<span class="source-line-no">399</span><span id="line-399"> VisibilityConstants.SORTED_ORDINAL_SERIALIZATION_FORMAT));</span>
<span class="source-line-no">400</span><span id="line-400"> try (RegionScanner scanner = ctx.getEnvironment().getRegion().getScanner(new Scan(get))) {</span>
<span class="source-line-no">401</span><span id="line-401"> // NOTE: Please don't use HRegion.get() instead,</span>
<span class="source-line-no">402</span><span id="line-402"> // because it will copy cells to heap. See HBASE-26036</span>
<span class="source-line-no">403</span><span id="line-403"> List&lt;Cell&gt; result = new ArrayList&lt;&gt;();</span>
<span class="source-line-no">404</span><span id="line-404"> scanner.next(result);</span>
<span class="source-line-no">405</span><span id="line-405"></span>
<span class="source-line-no">406</span><span id="line-406"> if (result.size() &lt; get.getMaxVersions()) {</span>
<span class="source-line-no">407</span><span id="line-407"> // Nothing to delete</span>
<span class="source-line-no">408</span><span id="line-408"> PrivateCellUtil.updateLatestStamp(cell, byteNow);</span>
<span class="source-line-no">409</span><span id="line-409"> return;</span>
<span class="source-line-no">410</span><span id="line-410"> }</span>
<span class="source-line-no">411</span><span id="line-411"> if (result.size() &gt; get.getMaxVersions()) {</span>
<span class="source-line-no">412</span><span id="line-412"> throw new RuntimeException(</span>
<span class="source-line-no">413</span><span id="line-413"> "Unexpected size: " + result.size() + ". Results more than the max versions obtained.");</span>
<span class="source-line-no">414</span><span id="line-414"> }</span>
<span class="source-line-no">415</span><span id="line-415"> Cell getCell = result.get(get.getMaxVersions() - 1);</span>
<span class="source-line-no">416</span><span id="line-416"> PrivateCellUtil.setTimestamp(cell, getCell.getTimestamp());</span>
<span class="source-line-no">417</span><span id="line-417"> }</span>
<span class="source-line-no">418</span><span id="line-418"> // We are bypassing here because in the HRegion.updateDeleteLatestVersionTimeStamp we would</span>
<span class="source-line-no">419</span><span id="line-419"> // update with the current timestamp after again doing a get. As the hook as already determined</span>
<span class="source-line-no">420</span><span id="line-420"> // the needed timestamp we need to bypass here.</span>
<span class="source-line-no">421</span><span id="line-421"> // TODO : See if HRegion.updateDeleteLatestVersionTimeStamp() could be</span>
<span class="source-line-no">422</span><span id="line-422"> // called only if the hook is not called.</span>
<span class="source-line-no">423</span><span id="line-423"> ctx.bypass();</span>
<span class="source-line-no">424</span><span id="line-424"> }</span>
<span class="source-line-no">425</span><span id="line-425"></span>
<span class="source-line-no">426</span><span id="line-426"> /**</span>
<span class="source-line-no">427</span><span id="line-427"> * Checks whether cell contains any tag with type as VISIBILITY_TAG_TYPE. This tag type is</span>
<span class="source-line-no">428</span><span id="line-428"> * reserved and should not be explicitly set by user.</span>
<span class="source-line-no">429</span><span id="line-429"> * @param cell The cell under consideration</span>
<span class="source-line-no">430</span><span id="line-430"> * @param pair An optional pair of type {@code &lt;Boolean, Tag&gt;} which would be reused if already</span>
<span class="source-line-no">431</span><span id="line-431"> * set and new one will be created if NULL is passed</span>
<span class="source-line-no">432</span><span id="line-432"> * @return If the boolean is false then it indicates that the cell has a RESERVERD_VIS_TAG and</span>
<span class="source-line-no">433</span><span id="line-433"> * with boolean as true, not null tag indicates that a string modified tag was found.</span>
<span class="source-line-no">434</span><span id="line-434"> */</span>
<span class="source-line-no">435</span><span id="line-435"> private Pair&lt;Boolean, Tag&gt; checkForReservedVisibilityTagPresence(ExtendedCell cell,</span>
<span class="source-line-no">436</span><span id="line-436"> Pair&lt;Boolean, Tag&gt; pair) throws IOException {</span>
<span class="source-line-no">437</span><span id="line-437"> if (pair == null) {</span>
<span class="source-line-no">438</span><span id="line-438"> pair = new Pair&lt;&gt;(false, null);</span>
<span class="source-line-no">439</span><span id="line-439"> } else {</span>
<span class="source-line-no">440</span><span id="line-440"> pair.setFirst(false);</span>
<span class="source-line-no">441</span><span id="line-441"> pair.setSecond(null);</span>
<span class="source-line-no">442</span><span id="line-442"> }</span>
<span class="source-line-no">443</span><span id="line-443"> // Bypass this check when the operation is done by a system/super user.</span>
<span class="source-line-no">444</span><span id="line-444"> // This is done because, while Replication, the Cells coming to the peer cluster with reserved</span>
<span class="source-line-no">445</span><span id="line-445"> // typed tags and this is fine and should get added to the peer cluster table</span>
<span class="source-line-no">446</span><span id="line-446"> if (isSystemOrSuperUser()) {</span>
<span class="source-line-no">447</span><span id="line-447"> // Does the cell contain special tag which indicates that the replicated</span>
<span class="source-line-no">448</span><span id="line-448"> // cell visiblilty tags</span>
<span class="source-line-no">449</span><span id="line-449"> // have been modified</span>
<span class="source-line-no">450</span><span id="line-450"> Tag modifiedTag = null;</span>
<span class="source-line-no">451</span><span id="line-451"> Iterator&lt;Tag&gt; tagsIterator = PrivateCellUtil.tagsIterator(cell);</span>
<span class="source-line-no">452</span><span id="line-452"> while (tagsIterator.hasNext()) {</span>
<span class="source-line-no">453</span><span id="line-453"> Tag tag = tagsIterator.next();</span>
<span class="source-line-no">454</span><span id="line-454"> if (tag.getType() == TagType.STRING_VIS_TAG_TYPE) {</span>
<span class="source-line-no">455</span><span id="line-455"> modifiedTag = tag;</span>
<span class="source-line-no">456</span><span id="line-456"> break;</span>
<span class="source-line-no">457</span><span id="line-457"> }</span>
<span class="source-line-no">458</span><span id="line-458"> }</span>
<span class="source-line-no">459</span><span id="line-459"> pair.setFirst(true);</span>
<span class="source-line-no">460</span><span id="line-460"> pair.setSecond(modifiedTag);</span>
<span class="source-line-no">461</span><span id="line-461"> return pair;</span>
<span class="source-line-no">462</span><span id="line-462"> }</span>
<span class="source-line-no">463</span><span id="line-463"> Iterator&lt;Tag&gt; tagsItr = PrivateCellUtil.tagsIterator(cell);</span>
<span class="source-line-no">464</span><span id="line-464"> while (tagsItr.hasNext()) {</span>
<span class="source-line-no">465</span><span id="line-465"> if (RESERVED_VIS_TAG_TYPES.contains(tagsItr.next().getType())) {</span>
<span class="source-line-no">466</span><span id="line-466"> return pair;</span>
<span class="source-line-no">467</span><span id="line-467"> }</span>
<span class="source-line-no">468</span><span id="line-468"> }</span>
<span class="source-line-no">469</span><span id="line-469"> pair.setFirst(true);</span>
<span class="source-line-no">470</span><span id="line-470"> return pair;</span>
<span class="source-line-no">471</span><span id="line-471"> }</span>
<span class="source-line-no">472</span><span id="line-472"></span>
<span class="source-line-no">473</span><span id="line-473"> private void removeReplicationVisibilityTag(List&lt;Tag&gt; tags) throws IOException {</span>
<span class="source-line-no">474</span><span id="line-474"> Iterator&lt;Tag&gt; iterator = tags.iterator();</span>
<span class="source-line-no">475</span><span id="line-475"> while (iterator.hasNext()) {</span>
<span class="source-line-no">476</span><span id="line-476"> Tag tag = iterator.next();</span>
<span class="source-line-no">477</span><span id="line-477"> if (tag.getType() == TagType.STRING_VIS_TAG_TYPE) {</span>
<span class="source-line-no">478</span><span id="line-478"> iterator.remove();</span>
<span class="source-line-no">479</span><span id="line-479"> break;</span>
<span class="source-line-no">480</span><span id="line-480"> }</span>
<span class="source-line-no">481</span><span id="line-481"> }</span>
<span class="source-line-no">482</span><span id="line-482"> }</span>
<span class="source-line-no">483</span><span id="line-483"></span>
<span class="source-line-no">484</span><span id="line-484"> @Override</span>
<span class="source-line-no">485</span><span id="line-485"> public void preScannerOpen(ObserverContext&lt;RegionCoprocessorEnvironment&gt; e, Scan scan)</span>
<span class="source-line-no">486</span><span id="line-486"> throws IOException {</span>
<span class="source-line-no">487</span><span id="line-487"> if (!initialized) {</span>
<span class="source-line-no">488</span><span id="line-488"> throw new VisibilityControllerNotReadyException("VisibilityController not yet initialized!");</span>
<span class="source-line-no">489</span><span id="line-489"> }</span>
<span class="source-line-no">490</span><span id="line-490"> // Nothing to do if authorization is not enabled</span>
<span class="source-line-no">491</span><span id="line-491"> if (!authorizationEnabled) {</span>
<span class="source-line-no">492</span><span id="line-492"> return;</span>
<span class="source-line-no">493</span><span id="line-493"> }</span>
<span class="source-line-no">494</span><span id="line-494"> Region region = e.getEnvironment().getRegion();</span>
<span class="source-line-no">495</span><span id="line-495"> Authorizations authorizations = null;</span>
<span class="source-line-no">496</span><span id="line-496"> try {</span>
<span class="source-line-no">497</span><span id="line-497"> authorizations = scan.getAuthorizations();</span>
<span class="source-line-no">498</span><span id="line-498"> } catch (DeserializationException de) {</span>
<span class="source-line-no">499</span><span id="line-499"> throw new IOException(de);</span>
<span class="source-line-no">500</span><span id="line-500"> }</span>
<span class="source-line-no">501</span><span id="line-501"> if (authorizations == null) {</span>
<span class="source-line-no">502</span><span id="line-502"> // No Authorizations present for this scan/Get!</span>
<span class="source-line-no">503</span><span id="line-503"> // In case of system tables other than "labels" just scan with out visibility check and</span>
<span class="source-line-no">504</span><span id="line-504"> // filtering. Checking visibility labels for META and NAMESPACE table is not needed.</span>
<span class="source-line-no">505</span><span id="line-505"> TableName table = region.getRegionInfo().getTable();</span>
<span class="source-line-no">506</span><span id="line-506"> if (table.isSystemTable() &amp;&amp; !table.equals(LABELS_TABLE_NAME)) {</span>
<span class="source-line-no">507</span><span id="line-507"> return;</span>
<span class="source-line-no">508</span><span id="line-508"> }</span>
<span class="source-line-no">509</span><span id="line-509"> }</span>
<span class="source-line-no">510</span><span id="line-510"></span>
<span class="source-line-no">511</span><span id="line-511"> Filter visibilityLabelFilter =</span>
<span class="source-line-no">512</span><span id="line-512"> VisibilityUtils.createVisibilityLabelFilter(region, authorizations);</span>
<span class="source-line-no">513</span><span id="line-513"> if (visibilityLabelFilter != null) {</span>
<span class="source-line-no">514</span><span id="line-514"> Filter filter = scan.getFilter();</span>
<span class="source-line-no">515</span><span id="line-515"> if (filter != null) {</span>
<span class="source-line-no">516</span><span id="line-516"> scan.setFilter(new FilterList(filter, visibilityLabelFilter));</span>
<span class="source-line-no">517</span><span id="line-517"> } else {</span>
<span class="source-line-no">518</span><span id="line-518"> scan.setFilter(visibilityLabelFilter);</span>
<span class="source-line-no">519</span><span id="line-519"> }</span>
<span class="source-line-no">520</span><span id="line-520"> }</span>
<span class="source-line-no">521</span><span id="line-521"> }</span>
<span class="source-line-no">522</span><span id="line-522"></span>
<span class="source-line-no">523</span><span id="line-523"> @Override</span>
<span class="source-line-no">524</span><span id="line-524"> public DeleteTracker postInstantiateDeleteTracker(</span>
<span class="source-line-no">525</span><span id="line-525"> ObserverContext&lt;RegionCoprocessorEnvironment&gt; ctx, DeleteTracker delTracker)</span>
<span class="source-line-no">526</span><span id="line-526"> throws IOException {</span>
<span class="source-line-no">527</span><span id="line-527"> // Nothing to do if we are not filtering by visibility</span>
<span class="source-line-no">528</span><span id="line-528"> if (!authorizationEnabled) {</span>
<span class="source-line-no">529</span><span id="line-529"> return delTracker;</span>
<span class="source-line-no">530</span><span id="line-530"> }</span>
<span class="source-line-no">531</span><span id="line-531"> Region region = ctx.getEnvironment().getRegion();</span>
<span class="source-line-no">532</span><span id="line-532"> TableName table = region.getRegionInfo().getTable();</span>
<span class="source-line-no">533</span><span id="line-533"> if (table.isSystemTable()) {</span>
<span class="source-line-no">534</span><span id="line-534"> return delTracker;</span>
<span class="source-line-no">535</span><span id="line-535"> }</span>
<span class="source-line-no">536</span><span id="line-536"> // We are creating a new type of delete tracker here which is able to track</span>
<span class="source-line-no">537</span><span id="line-537"> // the timestamps and also the</span>
<span class="source-line-no">538</span><span id="line-538"> // visibility tags per cell. The covering cells are determined not only</span>
<span class="source-line-no">539</span><span id="line-539"> // based on the delete type and ts</span>
<span class="source-line-no">540</span><span id="line-540"> // but also on the visibility expression matching.</span>
<span class="source-line-no">541</span><span id="line-541"> return new VisibilityScanDeleteTracker(delTracker.getCellComparator());</span>
<span class="source-line-no">542</span><span id="line-542"> }</span>
<span class="source-line-no">543</span><span id="line-543"></span>
<span class="source-line-no">544</span><span id="line-544"> @Override</span>
<span class="source-line-no">545</span><span id="line-545"> public RegionScanner postScannerOpen(final ObserverContext&lt;RegionCoprocessorEnvironment&gt; c,</span>
<span class="source-line-no">546</span><span id="line-546"> final Scan scan, final RegionScanner s) throws IOException {</span>
<span class="source-line-no">547</span><span id="line-547"> User user = VisibilityUtils.getActiveUser();</span>
<span class="source-line-no">548</span><span id="line-548"> if (user != null &amp;&amp; user.getShortName() != null) {</span>
<span class="source-line-no">549</span><span id="line-549"> scannerOwners.put(s, user.getShortName());</span>
<span class="source-line-no">550</span><span id="line-550"> }</span>
<span class="source-line-no">551</span><span id="line-551"> return s;</span>
<span class="source-line-no">552</span><span id="line-552"> }</span>
<span class="source-line-no">553</span><span id="line-553"></span>
<span class="source-line-no">554</span><span id="line-554"> @Override</span>
<span class="source-line-no">555</span><span id="line-555"> public boolean preScannerNext(final ObserverContext&lt;RegionCoprocessorEnvironment&gt; c,</span>
<span class="source-line-no">556</span><span id="line-556"> final InternalScanner s, final List&lt;Result&gt; result, final int limit, final boolean hasNext)</span>
<span class="source-line-no">557</span><span id="line-557"> throws IOException {</span>
<span class="source-line-no">558</span><span id="line-558"> requireScannerOwner(s);</span>
<span class="source-line-no">559</span><span id="line-559"> return hasNext;</span>
<span class="source-line-no">560</span><span id="line-560"> }</span>
<span class="source-line-no">561</span><span id="line-561"></span>
<span class="source-line-no">562</span><span id="line-562"> @Override</span>
<span class="source-line-no">563</span><span id="line-563"> public void preScannerClose(final ObserverContext&lt;RegionCoprocessorEnvironment&gt; c,</span>
<span class="source-line-no">564</span><span id="line-564"> final InternalScanner s) throws IOException {</span>
<span class="source-line-no">565</span><span id="line-565"> requireScannerOwner(s);</span>
<span class="source-line-no">566</span><span id="line-566"> }</span>
<span class="source-line-no">567</span><span id="line-567"></span>
<span class="source-line-no">568</span><span id="line-568"> @Override</span>
<span class="source-line-no">569</span><span id="line-569"> public void postScannerClose(final ObserverContext&lt;RegionCoprocessorEnvironment&gt; c,</span>
<span class="source-line-no">570</span><span id="line-570"> final InternalScanner s) throws IOException {</span>
<span class="source-line-no">571</span><span id="line-571"> // clean up any associated owner mapping</span>
<span class="source-line-no">572</span><span id="line-572"> scannerOwners.remove(s);</span>
<span class="source-line-no">573</span><span id="line-573"> }</span>
<span class="source-line-no">574</span><span id="line-574"></span>
<span class="source-line-no">575</span><span id="line-575"> /**</span>
<span class="source-line-no">576</span><span id="line-576"> * Verify, when servicing an RPC, that the caller is the scanner owner. If so, we assume that</span>
<span class="source-line-no">577</span><span id="line-577"> * access control is correctly enforced based on the checks performed in preScannerOpen()</span>
<span class="source-line-no">578</span><span id="line-578"> */</span>
<span class="source-line-no">579</span><span id="line-579"> private void requireScannerOwner(InternalScanner s) throws AccessDeniedException {</span>
<span class="source-line-no">580</span><span id="line-580"> if (!RpcServer.isInRpcCallContext()) return;</span>
<span class="source-line-no">581</span><span id="line-581"> String requestUName = RpcServer.getRequestUserName().orElse(null);</span>
<span class="source-line-no">582</span><span id="line-582"> String owner = scannerOwners.get(s);</span>
<span class="source-line-no">583</span><span id="line-583"> if (authorizationEnabled &amp;&amp; owner != null &amp;&amp; !owner.equals(requestUName)) {</span>
<span class="source-line-no">584</span><span id="line-584"> throw new AccessDeniedException("User '" + requestUName + "' is not the scanner owner!");</span>
<span class="source-line-no">585</span><span id="line-585"> }</span>
<span class="source-line-no">586</span><span id="line-586"> }</span>
<span class="source-line-no">587</span><span id="line-587"></span>
<span class="source-line-no">588</span><span id="line-588"> @Override</span>
<span class="source-line-no">589</span><span id="line-589"> public void preGetOp(ObserverContext&lt;RegionCoprocessorEnvironment&gt; e, Get get, List&lt;Cell&gt; results)</span>
<span class="source-line-no">590</span><span id="line-590"> throws IOException {</span>
<span class="source-line-no">591</span><span id="line-591"> if (!initialized) {</span>
<span class="source-line-no">592</span><span id="line-592"> throw new VisibilityControllerNotReadyException("VisibilityController not yet initialized");</span>
<span class="source-line-no">593</span><span id="line-593"> }</span>
<span class="source-line-no">594</span><span id="line-594"> // Nothing useful to do if authorization is not enabled</span>
<span class="source-line-no">595</span><span id="line-595"> if (!authorizationEnabled) {</span>
<span class="source-line-no">596</span><span id="line-596"> return;</span>
<span class="source-line-no">597</span><span id="line-597"> }</span>
<span class="source-line-no">598</span><span id="line-598"> Region region = e.getEnvironment().getRegion();</span>
<span class="source-line-no">599</span><span id="line-599"> Authorizations authorizations = null;</span>
<span class="source-line-no">600</span><span id="line-600"> try {</span>
<span class="source-line-no">601</span><span id="line-601"> authorizations = get.getAuthorizations();</span>
<span class="source-line-no">602</span><span id="line-602"> } catch (DeserializationException de) {</span>
<span class="source-line-no">603</span><span id="line-603"> throw new IOException(de);</span>
<span class="source-line-no">604</span><span id="line-604"> }</span>
<span class="source-line-no">605</span><span id="line-605"> if (authorizations == null) {</span>
<span class="source-line-no">606</span><span id="line-606"> // No Authorizations present for this scan/Get!</span>
<span class="source-line-no">607</span><span id="line-607"> // In case of system tables other than "labels" just scan with out visibility check and</span>
<span class="source-line-no">608</span><span id="line-608"> // filtering. Checking visibility labels for META and NAMESPACE table is not needed.</span>
<span class="source-line-no">609</span><span id="line-609"> TableName table = region.getRegionInfo().getTable();</span>
<span class="source-line-no">610</span><span id="line-610"> if (table.isSystemTable() &amp;&amp; !table.equals(LABELS_TABLE_NAME)) {</span>
<span class="source-line-no">611</span><span id="line-611"> return;</span>
<span class="source-line-no">612</span><span id="line-612"> }</span>
<span class="source-line-no">613</span><span id="line-613"> }</span>
<span class="source-line-no">614</span><span id="line-614"> Filter visibilityLabelFilter =</span>
<span class="source-line-no">615</span><span id="line-615"> VisibilityUtils.createVisibilityLabelFilter(e.getEnvironment().getRegion(), authorizations);</span>
<span class="source-line-no">616</span><span id="line-616"> if (visibilityLabelFilter != null) {</span>
<span class="source-line-no">617</span><span id="line-617"> Filter filter = get.getFilter();</span>
<span class="source-line-no">618</span><span id="line-618"> if (filter != null) {</span>
<span class="source-line-no">619</span><span id="line-619"> get.setFilter(new FilterList(filter, visibilityLabelFilter));</span>
<span class="source-line-no">620</span><span id="line-620"> } else {</span>
<span class="source-line-no">621</span><span id="line-621"> get.setFilter(visibilityLabelFilter);</span>
<span class="source-line-no">622</span><span id="line-622"> }</span>
<span class="source-line-no">623</span><span id="line-623"> }</span>
<span class="source-line-no">624</span><span id="line-624"> }</span>
<span class="source-line-no">625</span><span id="line-625"></span>
<span class="source-line-no">626</span><span id="line-626"> private boolean isSystemOrSuperUser() throws IOException {</span>
<span class="source-line-no">627</span><span id="line-627"> return Superusers.isSuperUser(VisibilityUtils.getActiveUser());</span>
<span class="source-line-no">628</span><span id="line-628"> }</span>
<span class="source-line-no">629</span><span id="line-629"></span>
<span class="source-line-no">630</span><span id="line-630"> @Override</span>
<span class="source-line-no">631</span><span id="line-631"> public List&lt;Pair&lt;Cell, Cell&gt;&gt; postIncrementBeforeWAL(</span>
<span class="source-line-no">632</span><span id="line-632"> ObserverContext&lt;RegionCoprocessorEnvironment&gt; ctx, Mutation mutation,</span>
<span class="source-line-no">633</span><span id="line-633"> List&lt;Pair&lt;Cell, Cell&gt;&gt; cellPairs) throws IOException {</span>
<span class="source-line-no">634</span><span id="line-634"> List&lt;Pair&lt;Cell, Cell&gt;&gt; resultPairs = new ArrayList&lt;&gt;(cellPairs.size());</span>
<span class="source-line-no">635</span><span id="line-635"> for (Pair&lt;Cell, Cell&gt; pair : cellPairs) {</span>
<span class="source-line-no">636</span><span id="line-636"> resultPairs.add(new Pair&lt;&gt;(pair.getFirst(),</span>
<span class="source-line-no">637</span><span id="line-637"> createNewCellWithTags(mutation, (ExtendedCell) pair.getSecond())));</span>
<span class="source-line-no">638</span><span id="line-638"> }</span>
<span class="source-line-no">639</span><span id="line-639"> return resultPairs;</span>
<span class="source-line-no">640</span><span id="line-640"> }</span>
<span class="source-line-no">641</span><span id="line-641"></span>
<span class="source-line-no">642</span><span id="line-642"> @Override</span>
<span class="source-line-no">643</span><span id="line-643"> public List&lt;Pair&lt;Cell, Cell&gt;&gt; postAppendBeforeWAL(</span>
<span class="source-line-no">644</span><span id="line-644"> ObserverContext&lt;RegionCoprocessorEnvironment&gt; ctx, Mutation mutation,</span>
<span class="source-line-no">645</span><span id="line-645"> List&lt;Pair&lt;Cell, Cell&gt;&gt; cellPairs) throws IOException {</span>
<span class="source-line-no">646</span><span id="line-646"> List&lt;Pair&lt;Cell, Cell&gt;&gt; resultPairs = new ArrayList&lt;&gt;(cellPairs.size());</span>
<span class="source-line-no">647</span><span id="line-647"> for (Pair&lt;Cell, Cell&gt; pair : cellPairs) {</span>
<span class="source-line-no">648</span><span id="line-648"> resultPairs.add(new Pair&lt;&gt;(pair.getFirst(),</span>
<span class="source-line-no">649</span><span id="line-649"> createNewCellWithTags(mutation, (ExtendedCell) pair.getSecond())));</span>
<span class="source-line-no">650</span><span id="line-650"> }</span>
<span class="source-line-no">651</span><span id="line-651"> return resultPairs;</span>
<span class="source-line-no">652</span><span id="line-652"> }</span>
<span class="source-line-no">653</span><span id="line-653"></span>
<span class="source-line-no">654</span><span id="line-654"> private Cell createNewCellWithTags(Mutation mutation, ExtendedCell newCell) throws IOException {</span>
<span class="source-line-no">655</span><span id="line-655"> List&lt;Tag&gt; tags = Lists.newArrayList();</span>
<span class="source-line-no">656</span><span id="line-656"> CellVisibility cellVisibility = null;</span>
<span class="source-line-no">657</span><span id="line-657"> try {</span>
<span class="source-line-no">658</span><span id="line-658"> cellVisibility = mutation.getCellVisibility();</span>
<span class="source-line-no">659</span><span id="line-659"> } catch (DeserializationException e) {</span>
<span class="source-line-no">660</span><span id="line-660"> throw new IOException(e);</span>
<span class="source-line-no">661</span><span id="line-661"> }</span>
<span class="source-line-no">662</span><span id="line-662"> if (cellVisibility == null) {</span>
<span class="source-line-no">663</span><span id="line-663"> return newCell;</span>
<span class="source-line-no">664</span><span id="line-664"> }</span>
<span class="source-line-no">665</span><span id="line-665"> // Prepend new visibility tags to a new list of tags for the cell</span>
<span class="source-line-no">666</span><span id="line-666"> // Don't check user auths for labels with Mutations when the user is super user</span>
<span class="source-line-no">667</span><span id="line-667"> boolean authCheck = authorizationEnabled &amp;&amp; checkAuths &amp;&amp; !(isSystemOrSuperUser());</span>
<span class="source-line-no">668</span><span id="line-668"> tags.addAll(this.visibilityLabelService.createVisibilityExpTags(cellVisibility.getExpression(),</span>
<span class="source-line-no">669</span><span id="line-669"> true, authCheck));</span>
<span class="source-line-no">670</span><span id="line-670"> // Carry forward all other tags</span>
<span class="source-line-no">671</span><span id="line-671"> Iterator&lt;Tag&gt; tagsItr = PrivateCellUtil.tagsIterator(newCell);</span>
<span class="source-line-no">672</span><span id="line-672"> while (tagsItr.hasNext()) {</span>
<span class="source-line-no">673</span><span id="line-673"> Tag tag = tagsItr.next();</span>
<span class="source-line-no">674</span><span id="line-674"> if (</span>
<span class="source-line-no">675</span><span id="line-675"> tag.getType() != TagType.VISIBILITY_TAG_TYPE</span>
<span class="source-line-no">676</span><span id="line-676"> &amp;&amp; tag.getType() != TagType.VISIBILITY_EXP_SERIALIZATION_FORMAT_TAG_TYPE</span>
<span class="source-line-no">677</span><span id="line-677"> ) {</span>
<span class="source-line-no">678</span><span id="line-678"> tags.add(tag);</span>
<span class="source-line-no">679</span><span id="line-679"> }</span>
<span class="source-line-no">680</span><span id="line-680"> }</span>
<span class="source-line-no">681</span><span id="line-681"></span>
<span class="source-line-no">682</span><span id="line-682"> return PrivateCellUtil.createCell(newCell, tags);</span>
<span class="source-line-no">683</span><span id="line-683"> }</span>
<span class="source-line-no">684</span><span id="line-684"></span>
<span class="source-line-no">685</span><span id="line-685"> /******************************</span>
<span class="source-line-no">686</span><span id="line-686"> * VisibilityEndpoint service related methods</span>
<span class="source-line-no">687</span><span id="line-687"> ******************************/</span>
<span class="source-line-no">688</span><span id="line-688"> @Override</span>
<span class="source-line-no">689</span><span id="line-689"> public synchronized void addLabels(RpcController controller, VisibilityLabelsRequest request,</span>
<span class="source-line-no">690</span><span id="line-690"> RpcCallback&lt;VisibilityLabelsResponse&gt; done) {</span>
<span class="source-line-no">691</span><span id="line-691"> VisibilityLabelsResponse.Builder response = VisibilityLabelsResponse.newBuilder();</span>
<span class="source-line-no">692</span><span id="line-692"> List&lt;VisibilityLabel&gt; visLabels = request.getVisLabelList();</span>
<span class="source-line-no">693</span><span id="line-693"> if (!initialized) {</span>
<span class="source-line-no">694</span><span id="line-694"> setExceptionResults(visLabels.size(),</span>
<span class="source-line-no">695</span><span id="line-695"> new VisibilityControllerNotReadyException("VisibilityController not yet initialized!"),</span>
<span class="source-line-no">696</span><span id="line-696"> response);</span>
<span class="source-line-no">697</span><span id="line-697"> } else {</span>
<span class="source-line-no">698</span><span id="line-698"> List&lt;byte[]&gt; labels = new ArrayList&lt;&gt;(visLabels.size());</span>
<span class="source-line-no">699</span><span id="line-699"> try {</span>
<span class="source-line-no">700</span><span id="line-700"> if (authorizationEnabled) {</span>
<span class="source-line-no">701</span><span id="line-701"> checkCallingUserAuth();</span>
<span class="source-line-no">702</span><span id="line-702"> }</span>
<span class="source-line-no">703</span><span id="line-703"> RegionActionResult successResult = RegionActionResult.newBuilder().build();</span>
<span class="source-line-no">704</span><span id="line-704"> for (VisibilityLabel visLabel : visLabels) {</span>
<span class="source-line-no">705</span><span id="line-705"> byte[] label = visLabel.getLabel().toByteArray();</span>
<span class="source-line-no">706</span><span id="line-706"> labels.add(label);</span>
<span class="source-line-no">707</span><span id="line-707"> response.addResult(successResult); // Just mark as success. Later it will get reset</span>
<span class="source-line-no">708</span><span id="line-708"> // based on the result from</span>
<span class="source-line-no">709</span><span id="line-709"> // visibilityLabelService.addLabels ()</span>
<span class="source-line-no">710</span><span id="line-710"> }</span>
<span class="source-line-no">711</span><span id="line-711"> if (!labels.isEmpty()) {</span>
<span class="source-line-no">712</span><span id="line-712"> OperationStatus[] opStatus = this.visibilityLabelService.addLabels(labels);</span>
<span class="source-line-no">713</span><span id="line-713"> logResult(true, "addLabels", "Adding labels allowed", null, labels, null);</span>
<span class="source-line-no">714</span><span id="line-714"> int i = 0;</span>
<span class="source-line-no">715</span><span id="line-715"> for (OperationStatus status : opStatus) {</span>
<span class="source-line-no">716</span><span id="line-716"> while (!Objects.equals(response.getResult(i), successResult)) {</span>
<span class="source-line-no">717</span><span id="line-717"> i++;</span>
<span class="source-line-no">718</span><span id="line-718"> }</span>
<span class="source-line-no">719</span><span id="line-719"> if (status.getOperationStatusCode() != SUCCESS) {</span>
<span class="source-line-no">720</span><span id="line-720"> RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();</span>
<span class="source-line-no">721</span><span id="line-721"> failureResultBuilder</span>
<span class="source-line-no">722</span><span id="line-722"> .setException(buildException(new DoNotRetryIOException(status.getExceptionMsg())));</span>
<span class="source-line-no">723</span><span id="line-723"> response.setResult(i, failureResultBuilder.build());</span>
<span class="source-line-no">724</span><span id="line-724"> }</span>
<span class="source-line-no">725</span><span id="line-725"> i++;</span>
<span class="source-line-no">726</span><span id="line-726"> }</span>
<span class="source-line-no">727</span><span id="line-727"> }</span>
<span class="source-line-no">728</span><span id="line-728"> } catch (AccessDeniedException e) {</span>
<span class="source-line-no">729</span><span id="line-729"> logResult(false, "addLabels", e.getMessage(), null, labels, null);</span>
<span class="source-line-no">730</span><span id="line-730"> LOG.error("User is not having required permissions to add labels", e);</span>
<span class="source-line-no">731</span><span id="line-731"> setExceptionResults(visLabels.size(), e, response);</span>
<span class="source-line-no">732</span><span id="line-732"> } catch (IOException e) {</span>
<span class="source-line-no">733</span><span id="line-733"> LOG.error(e.toString(), e);</span>
<span class="source-line-no">734</span><span id="line-734"> setExceptionResults(visLabels.size(), e, response);</span>
<span class="source-line-no">735</span><span id="line-735"> }</span>
<span class="source-line-no">736</span><span id="line-736"> }</span>
<span class="source-line-no">737</span><span id="line-737"> done.run(response.build());</span>
<span class="source-line-no">738</span><span id="line-738"> }</span>
<span class="source-line-no">739</span><span id="line-739"></span>
<span class="source-line-no">740</span><span id="line-740"> private void setExceptionResults(int size, IOException e,</span>
<span class="source-line-no">741</span><span id="line-741"> VisibilityLabelsResponse.Builder response) {</span>
<span class="source-line-no">742</span><span id="line-742"> RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();</span>
<span class="source-line-no">743</span><span id="line-743"> failureResultBuilder.setException(buildException(e));</span>
<span class="source-line-no">744</span><span id="line-744"> RegionActionResult failureResult = failureResultBuilder.build();</span>
<span class="source-line-no">745</span><span id="line-745"> for (int i = 0; i &lt; size; i++) {</span>
<span class="source-line-no">746</span><span id="line-746"> response.addResult(i, failureResult);</span>
<span class="source-line-no">747</span><span id="line-747"> }</span>
<span class="source-line-no">748</span><span id="line-748"> }</span>
<span class="source-line-no">749</span><span id="line-749"></span>
<span class="source-line-no">750</span><span id="line-750"> @Override</span>
<span class="source-line-no">751</span><span id="line-751"> public synchronized void setAuths(RpcController controller, SetAuthsRequest request,</span>
<span class="source-line-no">752</span><span id="line-752"> RpcCallback&lt;VisibilityLabelsResponse&gt; done) {</span>
<span class="source-line-no">753</span><span id="line-753"> VisibilityLabelsResponse.Builder response = VisibilityLabelsResponse.newBuilder();</span>
<span class="source-line-no">754</span><span id="line-754"> List&lt;ByteString&gt; auths = request.getAuthList();</span>
<span class="source-line-no">755</span><span id="line-755"> if (!initialized) {</span>
<span class="source-line-no">756</span><span id="line-756"> setExceptionResults(auths.size(),</span>
<span class="source-line-no">757</span><span id="line-757"> new VisibilityControllerNotReadyException("VisibilityController not yet initialized!"),</span>
<span class="source-line-no">758</span><span id="line-758"> response);</span>
<span class="source-line-no">759</span><span id="line-759"> } else {</span>
<span class="source-line-no">760</span><span id="line-760"> byte[] user = request.getUser().toByteArray();</span>
<span class="source-line-no">761</span><span id="line-761"> List&lt;byte[]&gt; labelAuths = new ArrayList&lt;&gt;(auths.size());</span>
<span class="source-line-no">762</span><span id="line-762"> try {</span>
<span class="source-line-no">763</span><span id="line-763"> if (authorizationEnabled) {</span>
<span class="source-line-no">764</span><span id="line-764"> checkCallingUserAuth();</span>
<span class="source-line-no">765</span><span id="line-765"> }</span>
<span class="source-line-no">766</span><span id="line-766"> for (ByteString authBS : auths) {</span>
<span class="source-line-no">767</span><span id="line-767"> labelAuths.add(authBS.toByteArray());</span>
<span class="source-line-no">768</span><span id="line-768"> }</span>
<span class="source-line-no">769</span><span id="line-769"> OperationStatus[] opStatus = this.visibilityLabelService.setAuths(user, labelAuths);</span>
<span class="source-line-no">770</span><span id="line-770"> logResult(true, "setAuths", "Setting authorization for labels allowed", user, labelAuths,</span>
<span class="source-line-no">771</span><span id="line-771"> null);</span>
<span class="source-line-no">772</span><span id="line-772"> RegionActionResult successResult = RegionActionResult.newBuilder().build();</span>
<span class="source-line-no">773</span><span id="line-773"> for (OperationStatus status : opStatus) {</span>
<span class="source-line-no">774</span><span id="line-774"> if (status.getOperationStatusCode() == SUCCESS) {</span>
<span class="source-line-no">775</span><span id="line-775"> response.addResult(successResult);</span>
<span class="source-line-no">776</span><span id="line-776"> } else {</span>
<span class="source-line-no">777</span><span id="line-777"> RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();</span>
<span class="source-line-no">778</span><span id="line-778"> failureResultBuilder</span>
<span class="source-line-no">779</span><span id="line-779"> .setException(buildException(new DoNotRetryIOException(status.getExceptionMsg())));</span>
<span class="source-line-no">780</span><span id="line-780"> response.addResult(failureResultBuilder.build());</span>
<span class="source-line-no">781</span><span id="line-781"> }</span>
<span class="source-line-no">782</span><span id="line-782"> }</span>
<span class="source-line-no">783</span><span id="line-783"> } catch (AccessDeniedException e) {</span>
<span class="source-line-no">784</span><span id="line-784"> logResult(false, "setAuths", e.getMessage(), user, labelAuths, null);</span>
<span class="source-line-no">785</span><span id="line-785"> LOG.error("User is not having required permissions to set authorization", e);</span>
<span class="source-line-no">786</span><span id="line-786"> setExceptionResults(auths.size(), e, response);</span>
<span class="source-line-no">787</span><span id="line-787"> } catch (IOException e) {</span>
<span class="source-line-no">788</span><span id="line-788"> LOG.error(e.toString(), e);</span>
<span class="source-line-no">789</span><span id="line-789"> setExceptionResults(auths.size(), e, response);</span>
<span class="source-line-no">790</span><span id="line-790"> }</span>
<span class="source-line-no">791</span><span id="line-791"> }</span>
<span class="source-line-no">792</span><span id="line-792"> done.run(response.build());</span>
<span class="source-line-no">793</span><span id="line-793"> }</span>
<span class="source-line-no">794</span><span id="line-794"></span>
<span class="source-line-no">795</span><span id="line-795"> private void logResult(boolean isAllowed, String request, String reason, byte[] user,</span>
<span class="source-line-no">796</span><span id="line-796"> List&lt;byte[]&gt; labelAuths, String regex) {</span>
<span class="source-line-no">797</span><span id="line-797"> if (AUDITLOG.isTraceEnabled()) {</span>
<span class="source-line-no">798</span><span id="line-798"> // This is more duplicated code!</span>
<span class="source-line-no">799</span><span id="line-799"> List&lt;String&gt; labelAuthsStr = new ArrayList&lt;&gt;();</span>
<span class="source-line-no">800</span><span id="line-800"> if (labelAuths != null) {</span>
<span class="source-line-no">801</span><span id="line-801"> int labelAuthsSize = labelAuths.size();</span>
<span class="source-line-no">802</span><span id="line-802"> labelAuthsStr = new ArrayList&lt;&gt;(labelAuthsSize);</span>
<span class="source-line-no">803</span><span id="line-803"> for (int i = 0; i &lt; labelAuthsSize; i++) {</span>
<span class="source-line-no">804</span><span id="line-804"> labelAuthsStr.add(Bytes.toString(labelAuths.get(i)));</span>
<span class="source-line-no">805</span><span id="line-805"> }</span>
<span class="source-line-no">806</span><span id="line-806"> }</span>
<span class="source-line-no">807</span><span id="line-807"></span>
<span class="source-line-no">808</span><span id="line-808"> User requestingUser = null;</span>
<span class="source-line-no">809</span><span id="line-809"> try {</span>
<span class="source-line-no">810</span><span id="line-810"> requestingUser = VisibilityUtils.getActiveUser();</span>
<span class="source-line-no">811</span><span id="line-811"> } catch (IOException e) {</span>
<span class="source-line-no">812</span><span id="line-812"> LOG.warn("Failed to get active system user.");</span>
<span class="source-line-no">813</span><span id="line-813"> LOG.debug("Details on failure to get active system user.", e);</span>
<span class="source-line-no">814</span><span id="line-814"> }</span>
<span class="source-line-no">815</span><span id="line-815"> AUDITLOG.trace("Access " + (isAllowed ? "allowed" : "denied") + " for user "</span>
<span class="source-line-no">816</span><span id="line-816"> + (requestingUser != null ? requestingUser.getShortName() : "UNKNOWN") + "; reason: "</span>
<span class="source-line-no">817</span><span id="line-817"> + reason + "; remote address: "</span>
<span class="source-line-no">818</span><span id="line-818"> + RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("") + "; request: "</span>
<span class="source-line-no">819</span><span id="line-819"> + request + "; user: " + (user != null ? Bytes.toShort(user) : "null") + "; labels: "</span>
<span class="source-line-no">820</span><span id="line-820"> + labelAuthsStr + "; regex: " + regex);</span>
<span class="source-line-no">821</span><span id="line-821"> }</span>
<span class="source-line-no">822</span><span id="line-822"> }</span>
<span class="source-line-no">823</span><span id="line-823"></span>
<span class="source-line-no">824</span><span id="line-824"> @Override</span>
<span class="source-line-no">825</span><span id="line-825"> public synchronized void getAuths(RpcController controller, GetAuthsRequest request,</span>
<span class="source-line-no">826</span><span id="line-826"> RpcCallback&lt;GetAuthsResponse&gt; done) {</span>
<span class="source-line-no">827</span><span id="line-827"> GetAuthsResponse.Builder response = GetAuthsResponse.newBuilder();</span>
<span class="source-line-no">828</span><span id="line-828"> if (!initialized) {</span>
<span class="source-line-no">829</span><span id="line-829"> controller.setFailed("VisibilityController not yet initialized");</span>
<span class="source-line-no">830</span><span id="line-830"> } else {</span>
<span class="source-line-no">831</span><span id="line-831"> byte[] user = request.getUser().toByteArray();</span>
<span class="source-line-no">832</span><span id="line-832"> List&lt;String&gt; labels = null;</span>
<span class="source-line-no">833</span><span id="line-833"> try {</span>
<span class="source-line-no">834</span><span id="line-834"> // We do ACL check here as we create scanner directly on region. It will not make calls to</span>
<span class="source-line-no">835</span><span id="line-835"> // AccessController CP methods.</span>
<span class="source-line-no">836</span><span id="line-836"> if (authorizationEnabled &amp;&amp; accessControllerAvailable &amp;&amp; !isSystemOrSuperUser()) {</span>
<span class="source-line-no">837</span><span id="line-837"> User requestingUser = VisibilityUtils.getActiveUser();</span>
<span class="source-line-no">838</span><span id="line-838"> throw new AccessDeniedException(</span>
<span class="source-line-no">839</span><span id="line-839"> "User '" + (requestingUser != null ? requestingUser.getShortName() : "null")</span>
<span class="source-line-no">840</span><span id="line-840"> + "' is not authorized to perform this action.");</span>
<span class="source-line-no">841</span><span id="line-841"> }</span>
<span class="source-line-no">842</span><span id="line-842"> if (AuthUtil.isGroupPrincipal(Bytes.toString(user))) {</span>
<span class="source-line-no">843</span><span id="line-843"> String group = AuthUtil.getGroupName(Bytes.toString(user));</span>
<span class="source-line-no">844</span><span id="line-844"> labels = this.visibilityLabelService.getGroupAuths(new String[] { group }, false);</span>
<span class="source-line-no">845</span><span id="line-845"> } else {</span>
<span class="source-line-no">846</span><span id="line-846"> labels = this.visibilityLabelService.getUserAuths(user, false);</span>
<span class="source-line-no">847</span><span id="line-847"> }</span>
<span class="source-line-no">848</span><span id="line-848"> logResult(true, "getAuths", "Get authorizations for user allowed", user, null, null);</span>
<span class="source-line-no">849</span><span id="line-849"> } catch (AccessDeniedException e) {</span>
<span class="source-line-no">850</span><span id="line-850"> logResult(false, "getAuths", e.getMessage(), user, null, null);</span>
<span class="source-line-no">851</span><span id="line-851"> CoprocessorRpcUtils.setControllerException(controller, e);</span>
<span class="source-line-no">852</span><span id="line-852"> } catch (IOException e) {</span>
<span class="source-line-no">853</span><span id="line-853"> CoprocessorRpcUtils.setControllerException(controller, e);</span>
<span class="source-line-no">854</span><span id="line-854"> }</span>
<span class="source-line-no">855</span><span id="line-855"> response.setUser(request.getUser());</span>
<span class="source-line-no">856</span><span id="line-856"> if (labels != null) {</span>
<span class="source-line-no">857</span><span id="line-857"> for (String label : labels) {</span>
<span class="source-line-no">858</span><span id="line-858"> response.addAuth(ByteString.copyFrom(Bytes.toBytes(label)));</span>
<span class="source-line-no">859</span><span id="line-859"> }</span>
<span class="source-line-no">860</span><span id="line-860"> }</span>
<span class="source-line-no">861</span><span id="line-861"> }</span>
<span class="source-line-no">862</span><span id="line-862"> done.run(response.build());</span>
<span class="source-line-no">863</span><span id="line-863"> }</span>
<span class="source-line-no">864</span><span id="line-864"></span>
<span class="source-line-no">865</span><span id="line-865"> @Override</span>
<span class="source-line-no">866</span><span id="line-866"> public synchronized void clearAuths(RpcController controller, SetAuthsRequest request,</span>
<span class="source-line-no">867</span><span id="line-867"> RpcCallback&lt;VisibilityLabelsResponse&gt; done) {</span>
<span class="source-line-no">868</span><span id="line-868"> VisibilityLabelsResponse.Builder response = VisibilityLabelsResponse.newBuilder();</span>
<span class="source-line-no">869</span><span id="line-869"> List&lt;ByteString&gt; auths = request.getAuthList();</span>
<span class="source-line-no">870</span><span id="line-870"> if (!initialized) {</span>
<span class="source-line-no">871</span><span id="line-871"> setExceptionResults(auths.size(),</span>
<span class="source-line-no">872</span><span id="line-872"> new CoprocessorException("VisibilityController not yet initialized"), response);</span>
<span class="source-line-no">873</span><span id="line-873"> } else {</span>
<span class="source-line-no">874</span><span id="line-874"> byte[] requestUser = request.getUser().toByteArray();</span>
<span class="source-line-no">875</span><span id="line-875"> List&lt;byte[]&gt; labelAuths = new ArrayList&lt;&gt;(auths.size());</span>
<span class="source-line-no">876</span><span id="line-876"> try {</span>
<span class="source-line-no">877</span><span id="line-877"> // When AC is ON, do AC based user auth check</span>
<span class="source-line-no">878</span><span id="line-878"> if (authorizationEnabled &amp;&amp; accessControllerAvailable &amp;&amp; !isSystemOrSuperUser()) {</span>
<span class="source-line-no">879</span><span id="line-879"> User user = VisibilityUtils.getActiveUser();</span>
<span class="source-line-no">880</span><span id="line-880"> throw new AccessDeniedException("User '" + (user != null ? user.getShortName() : "null")</span>
<span class="source-line-no">881</span><span id="line-881"> + " is not authorized to perform this action.");</span>
<span class="source-line-no">882</span><span id="line-882"> }</span>
<span class="source-line-no">883</span><span id="line-883"> if (authorizationEnabled) {</span>
<span class="source-line-no">884</span><span id="line-884"> checkCallingUserAuth(); // When AC is not in place the calling user should have</span>
<span class="source-line-no">885</span><span id="line-885"> // SYSTEM_LABEL auth to do this action.</span>
<span class="source-line-no">886</span><span id="line-886"> }</span>
<span class="source-line-no">887</span><span id="line-887"> for (ByteString authBS : auths) {</span>
<span class="source-line-no">888</span><span id="line-888"> labelAuths.add(authBS.toByteArray());</span>
<span class="source-line-no">889</span><span id="line-889"> }</span>
<span class="source-line-no">890</span><span id="line-890"></span>
<span class="source-line-no">891</span><span id="line-891"> OperationStatus[] opStatus =</span>
<span class="source-line-no">892</span><span id="line-892"> this.visibilityLabelService.clearAuths(requestUser, labelAuths);</span>
<span class="source-line-no">893</span><span id="line-893"> logResult(true, "clearAuths", "Removing authorization for labels allowed", requestUser,</span>
<span class="source-line-no">894</span><span id="line-894"> labelAuths, null);</span>
<span class="source-line-no">895</span><span id="line-895"> RegionActionResult successResult = RegionActionResult.newBuilder().build();</span>
<span class="source-line-no">896</span><span id="line-896"> for (OperationStatus status : opStatus) {</span>
<span class="source-line-no">897</span><span id="line-897"> if (status.getOperationStatusCode() == SUCCESS) {</span>
<span class="source-line-no">898</span><span id="line-898"> response.addResult(successResult);</span>
<span class="source-line-no">899</span><span id="line-899"> } else {</span>
<span class="source-line-no">900</span><span id="line-900"> RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();</span>
<span class="source-line-no">901</span><span id="line-901"> failureResultBuilder</span>
<span class="source-line-no">902</span><span id="line-902"> .setException(buildException(new DoNotRetryIOException(status.getExceptionMsg())));</span>
<span class="source-line-no">903</span><span id="line-903"> response.addResult(failureResultBuilder.build());</span>
<span class="source-line-no">904</span><span id="line-904"> }</span>
<span class="source-line-no">905</span><span id="line-905"> }</span>
<span class="source-line-no">906</span><span id="line-906"> } catch (AccessDeniedException e) {</span>
<span class="source-line-no">907</span><span id="line-907"> logResult(false, "clearAuths", e.getMessage(), requestUser, labelAuths, null);</span>
<span class="source-line-no">908</span><span id="line-908"> LOG.error("User is not having required permissions to clear authorization", e);</span>
<span class="source-line-no">909</span><span id="line-909"> setExceptionResults(auths.size(), e, response);</span>
<span class="source-line-no">910</span><span id="line-910"> } catch (IOException e) {</span>
<span class="source-line-no">911</span><span id="line-911"> LOG.error(e.toString(), e);</span>
<span class="source-line-no">912</span><span id="line-912"> setExceptionResults(auths.size(), e, response);</span>
<span class="source-line-no">913</span><span id="line-913"> }</span>
<span class="source-line-no">914</span><span id="line-914"> }</span>
<span class="source-line-no">915</span><span id="line-915"> done.run(response.build());</span>
<span class="source-line-no">916</span><span id="line-916"> }</span>
<span class="source-line-no">917</span><span id="line-917"></span>
<span class="source-line-no">918</span><span id="line-918"> @Override</span>
<span class="source-line-no">919</span><span id="line-919"> public synchronized void listLabels(RpcController controller, ListLabelsRequest request,</span>
<span class="source-line-no">920</span><span id="line-920"> RpcCallback&lt;ListLabelsResponse&gt; done) {</span>
<span class="source-line-no">921</span><span id="line-921"> ListLabelsResponse.Builder response = ListLabelsResponse.newBuilder();</span>
<span class="source-line-no">922</span><span id="line-922"> if (!initialized) {</span>
<span class="source-line-no">923</span><span id="line-923"> controller.setFailed("VisibilityController not yet initialized");</span>
<span class="source-line-no">924</span><span id="line-924"> } else {</span>
<span class="source-line-no">925</span><span id="line-925"> List&lt;String&gt; labels = null;</span>
<span class="source-line-no">926</span><span id="line-926"> String regex = request.hasRegex() ? request.getRegex() : null;</span>
<span class="source-line-no">927</span><span id="line-927"> try {</span>
<span class="source-line-no">928</span><span id="line-928"> // We do ACL check here as we create scanner directly on region. It will not make calls to</span>
<span class="source-line-no">929</span><span id="line-929"> // AccessController CP methods.</span>
<span class="source-line-no">930</span><span id="line-930"> if (authorizationEnabled &amp;&amp; accessControllerAvailable &amp;&amp; !isSystemOrSuperUser()) {</span>
<span class="source-line-no">931</span><span id="line-931"> User requestingUser = VisibilityUtils.getActiveUser();</span>
<span class="source-line-no">932</span><span id="line-932"> throw new AccessDeniedException(</span>
<span class="source-line-no">933</span><span id="line-933"> "User '" + (requestingUser != null ? requestingUser.getShortName() : "null")</span>
<span class="source-line-no">934</span><span id="line-934"> + "' is not authorized to perform this action.");</span>
<span class="source-line-no">935</span><span id="line-935"> }</span>
<span class="source-line-no">936</span><span id="line-936"> labels = this.visibilityLabelService.listLabels(regex);</span>
<span class="source-line-no">937</span><span id="line-937"> logResult(true, "listLabels", "Listing labels allowed", null, null, regex);</span>
<span class="source-line-no">938</span><span id="line-938"> } catch (AccessDeniedException e) {</span>
<span class="source-line-no">939</span><span id="line-939"> logResult(false, "listLabels", e.getMessage(), null, null, regex);</span>
<span class="source-line-no">940</span><span id="line-940"> CoprocessorRpcUtils.setControllerException(controller, e);</span>
<span class="source-line-no">941</span><span id="line-941"> } catch (IOException e) {</span>
<span class="source-line-no">942</span><span id="line-942"> CoprocessorRpcUtils.setControllerException(controller, e);</span>
<span class="source-line-no">943</span><span id="line-943"> }</span>
<span class="source-line-no">944</span><span id="line-944"> if (labels != null &amp;&amp; !labels.isEmpty()) {</span>
<span class="source-line-no">945</span><span id="line-945"> for (String label : labels) {</span>
<span class="source-line-no">946</span><span id="line-946"> response.addLabel(ByteString.copyFrom(Bytes.toBytes(label)));</span>
<span class="source-line-no">947</span><span id="line-947"> }</span>
<span class="source-line-no">948</span><span id="line-948"> }</span>
<span class="source-line-no">949</span><span id="line-949"> }</span>
<span class="source-line-no">950</span><span id="line-950"> done.run(response.build());</span>
<span class="source-line-no">951</span><span id="line-951"> }</span>
<span class="source-line-no">952</span><span id="line-952"></span>
<span class="source-line-no">953</span><span id="line-953"> private void checkCallingUserAuth() throws IOException {</span>
<span class="source-line-no">954</span><span id="line-954"> if (!authorizationEnabled) { // Redundant, but just in case</span>
<span class="source-line-no">955</span><span id="line-955"> return;</span>
<span class="source-line-no">956</span><span id="line-956"> }</span>
<span class="source-line-no">957</span><span id="line-957"> if (!accessControllerAvailable) {</span>
<span class="source-line-no">958</span><span id="line-958"> User user = VisibilityUtils.getActiveUser();</span>
<span class="source-line-no">959</span><span id="line-959"> if (user == null) {</span>
<span class="source-line-no">960</span><span id="line-960"> throw new IOException("Unable to retrieve calling user");</span>
<span class="source-line-no">961</span><span id="line-961"> }</span>
<span class="source-line-no">962</span><span id="line-962"> if (!(this.visibilityLabelService.havingSystemAuth(user))) {</span>
<span class="source-line-no">963</span><span id="line-963"> throw new AccessDeniedException(</span>
<span class="source-line-no">964</span><span id="line-964"> "User '" + user.getShortName() + "' is not authorized to perform this action.");</span>
<span class="source-line-no">965</span><span id="line-965"> }</span>
<span class="source-line-no">966</span><span id="line-966"> }</span>
<span class="source-line-no">967</span><span id="line-967"> }</span>
<span class="source-line-no">968</span><span id="line-968"></span>
<span class="source-line-no">969</span><span id="line-969"> private static class DeleteVersionVisibilityExpressionFilter extends FilterBase {</span>
<span class="source-line-no">970</span><span id="line-970"> private List&lt;Tag&gt; deleteCellVisTags;</span>
<span class="source-line-no">971</span><span id="line-971"> private Byte deleteCellVisTagsFormat;</span>
<span class="source-line-no">972</span><span id="line-972"></span>
<span class="source-line-no">973</span><span id="line-973"> public DeleteVersionVisibilityExpressionFilter(List&lt;Tag&gt; deleteCellVisTags,</span>
<span class="source-line-no">974</span><span id="line-974"> Byte deleteCellVisTagsFormat) {</span>
<span class="source-line-no">975</span><span id="line-975"> this.deleteCellVisTags = deleteCellVisTags;</span>
<span class="source-line-no">976</span><span id="line-976"> this.deleteCellVisTagsFormat = deleteCellVisTagsFormat;</span>
<span class="source-line-no">977</span><span id="line-977"> }</span>
<span class="source-line-no">978</span><span id="line-978"></span>
<span class="source-line-no">979</span><span id="line-979"> @Override</span>
<span class="source-line-no">980</span><span id="line-980"> public boolean filterRowKey(Cell cell) throws IOException {</span>
<span class="source-line-no">981</span><span id="line-981"> // Impl in FilterBase might do unnecessary copy for Off heap backed Cells.</span>
<span class="source-line-no">982</span><span id="line-982"> return false;</span>
<span class="source-line-no">983</span><span id="line-983"> }</span>
<span class="source-line-no">984</span><span id="line-984"></span>
<span class="source-line-no">985</span><span id="line-985"> @Override</span>
<span class="source-line-no">986</span><span id="line-986"> public ReturnCode filterCell(final Cell cell) throws IOException {</span>
<span class="source-line-no">987</span><span id="line-987"> List&lt;Tag&gt; putVisTags = new ArrayList&lt;&gt;();</span>
<span class="source-line-no">988</span><span id="line-988"> Byte putCellVisTagsFormat = null;</span>
<span class="source-line-no">989</span><span id="line-989"> if (cell instanceof ExtendedCell) {</span>
<span class="source-line-no">990</span><span id="line-990"> putCellVisTagsFormat =</span>
<span class="source-line-no">991</span><span id="line-991"> VisibilityUtils.extractVisibilityTags((ExtendedCell) cell, putVisTags);</span>
<span class="source-line-no">992</span><span id="line-992"> }</span>
<span class="source-line-no">993</span><span id="line-993"></span>
<span class="source-line-no">994</span><span id="line-994"> if (putVisTags.isEmpty() &amp;&amp; deleteCellVisTags.isEmpty()) {</span>
<span class="source-line-no">995</span><span id="line-995"> // Early out if there are no tags in the cell</span>
<span class="source-line-no">996</span><span id="line-996"> return ReturnCode.INCLUDE;</span>
<span class="source-line-no">997</span><span id="line-997"> }</span>
<span class="source-line-no">998</span><span id="line-998"> boolean matchFound =</span>
<span class="source-line-no">999</span><span id="line-999"> VisibilityLabelServiceManager.getInstance().getVisibilityLabelService().matchVisibility(</span>
<span class="source-line-no">1000</span><span id="line-1000"> putVisTags, putCellVisTagsFormat, deleteCellVisTags, deleteCellVisTagsFormat);</span>
<span class="source-line-no">1001</span><span id="line-1001"> return matchFound ? ReturnCode.INCLUDE : ReturnCode.SKIP;</span>
<span class="source-line-no">1002</span><span id="line-1002"> }</span>
<span class="source-line-no">1003</span><span id="line-1003"></span>
<span class="source-line-no">1004</span><span id="line-1004"> @Override</span>
<span class="source-line-no">1005</span><span id="line-1005"> public boolean equals(Object obj) {</span>
<span class="source-line-no">1006</span><span id="line-1006"> if (!(obj instanceof DeleteVersionVisibilityExpressionFilter)) {</span>
<span class="source-line-no">1007</span><span id="line-1007"> return false;</span>
<span class="source-line-no">1008</span><span id="line-1008"> }</span>
<span class="source-line-no">1009</span><span id="line-1009"> if (this == obj) {</span>
<span class="source-line-no">1010</span><span id="line-1010"> return true;</span>
<span class="source-line-no">1011</span><span id="line-1011"> }</span>
<span class="source-line-no">1012</span><span id="line-1012"> DeleteVersionVisibilityExpressionFilter f = (DeleteVersionVisibilityExpressionFilter) obj;</span>
<span class="source-line-no">1013</span><span id="line-1013"> return this.deleteCellVisTags.equals(f.deleteCellVisTags)</span>
<span class="source-line-no">1014</span><span id="line-1014"> &amp;&amp; this.deleteCellVisTagsFormat.equals(f.deleteCellVisTagsFormat);</span>
<span class="source-line-no">1015</span><span id="line-1015"> }</span>
<span class="source-line-no">1016</span><span id="line-1016"></span>
<span class="source-line-no">1017</span><span id="line-1017"> @Override</span>
<span class="source-line-no">1018</span><span id="line-1018"> public int hashCode() {</span>
<span class="source-line-no">1019</span><span id="line-1019"> return Objects.hash(this.deleteCellVisTags, this.deleteCellVisTagsFormat);</span>
<span class="source-line-no">1020</span><span id="line-1020"> }</span>
<span class="source-line-no">1021</span><span id="line-1021"> }</span>
<span class="source-line-no">1022</span><span id="line-1022"></span>
<span class="source-line-no">1023</span><span id="line-1023"> /** Returns NameValuePair of the exception name to stringified version os exception. */</span>
<span class="source-line-no">1024</span><span id="line-1024"> // Copied from ResponseConverter and made private. Only used in here.</span>
<span class="source-line-no">1025</span><span id="line-1025"> private static NameBytesPair buildException(final Throwable t) {</span>
<span class="source-line-no">1026</span><span id="line-1026"> NameBytesPair.Builder parameterBuilder = NameBytesPair.newBuilder();</span>
<span class="source-line-no">1027</span><span id="line-1027"> parameterBuilder.setName(t.getClass().getName());</span>
<span class="source-line-no">1028</span><span id="line-1028"> parameterBuilder.setValue(ByteString.copyFromUtf8(StringUtils.stringifyException(t)));</span>
<span class="source-line-no">1029</span><span id="line-1029"> return parameterBuilder.build();</span>
<span class="source-line-no">1030</span><span id="line-1030"> }</span>
<span class="source-line-no">1031</span><span id="line-1031">}</span>
</pre>
</div>
</main>
</body>
</html>