hbase-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From mi...@apache.org
Subject [11/51] [partial] hbase git commit: Published site at 3bac31b2a49bca153df3b47a198667828b61f36e.
Date Sun, 29 Nov 2015 21:17:24 GMT
http://git-wip-us.apache.org/repos/asf/hbase/blob/ef7355e1/devapidocs/src-html/org/apache/hadoop/hbase/security/visibility/VisibilityController.DeleteVersionVisibilityExpressionFilter.html
----------------------------------------------------------------------
diff --git a/devapidocs/src-html/org/apache/hadoop/hbase/security/visibility/VisibilityController.DeleteVersionVisibilityExpressionFilter.html b/devapidocs/src-html/org/apache/hadoop/hbase/security/visibility/VisibilityController.DeleteVersionVisibilityExpressionFilter.html
index 24b3b3b..b62ac0c 100644
--- a/devapidocs/src-html/org/apache/hadoop/hbase/security/visibility/VisibilityController.DeleteVersionVisibilityExpressionFilter.html
+++ b/devapidocs/src-html/org/apache/hadoop/hbase/security/visibility/VisibilityController.DeleteVersionVisibilityExpressionFilter.html
@@ -458,666 +458,664 @@
 <span class="sourceLineNo">450</span>   * Checks whether cell contains any tag with type as VISIBILITY_TAG_TYPE. This<a name="line.450"></a>
 <span class="sourceLineNo">451</span>   * tag type is reserved and should not be explicitly set by user.<a name="line.451"></a>
 <span class="sourceLineNo">452</span>   *<a name="line.452"></a>
-<span class="sourceLineNo">453</span>   * @param cell<a name="line.453"></a>
-<span class="sourceLineNo">454</span>   *          - the cell under consideration<a name="line.454"></a>
-<span class="sourceLineNo">455</span>   * @param pair - an optional pair of type &lt;Boolean, Tag&gt; which would be reused<a name="line.455"></a>
-<span class="sourceLineNo">456</span>   *               if already set and new one will be created if null is passed<a name="line.456"></a>
-<span class="sourceLineNo">457</span>   * @return a pair&lt;Boolean, Tag&gt; - if the boolean is false then it indicates<a name="line.457"></a>
-<span class="sourceLineNo">458</span>   *         that the cell has a RESERVERD_VIS_TAG and with boolean as true, not<a name="line.458"></a>
-<span class="sourceLineNo">459</span>   *         null tag indicates that a string modified tag was found.<a name="line.459"></a>
-<span class="sourceLineNo">460</span>   */<a name="line.460"></a>
-<span class="sourceLineNo">461</span>  private Pair&lt;Boolean, Tag&gt; checkForReservedVisibilityTagPresence(Cell cell,<a name="line.461"></a>
-<span class="sourceLineNo">462</span>      Pair&lt;Boolean, Tag&gt; pair) throws IOException {<a name="line.462"></a>
-<span class="sourceLineNo">463</span>    if (pair == null) {<a name="line.463"></a>
-<span class="sourceLineNo">464</span>      pair = new Pair&lt;Boolean, Tag&gt;(false, null);<a name="line.464"></a>
-<span class="sourceLineNo">465</span>    } else {<a name="line.465"></a>
-<span class="sourceLineNo">466</span>      pair.setFirst(false);<a name="line.466"></a>
-<span class="sourceLineNo">467</span>      pair.setSecond(null);<a name="line.467"></a>
-<span class="sourceLineNo">468</span>    }<a name="line.468"></a>
-<span class="sourceLineNo">469</span>    // Bypass this check when the operation is done by a system/super user.<a name="line.469"></a>
-<span class="sourceLineNo">470</span>    // This is done because, while Replication, the Cells coming to the peer cluster with reserved<a name="line.470"></a>
-<span class="sourceLineNo">471</span>    // typed tags and this is fine and should get added to the peer cluster table<a name="line.471"></a>
-<span class="sourceLineNo">472</span>    if (isSystemOrSuperUser()) {<a name="line.472"></a>
-<span class="sourceLineNo">473</span>      // Does the cell contain special tag which indicates that the replicated<a name="line.473"></a>
-<span class="sourceLineNo">474</span>      // cell visiblilty tags<a name="line.474"></a>
-<span class="sourceLineNo">475</span>      // have been modified<a name="line.475"></a>
-<span class="sourceLineNo">476</span>      Tag modifiedTag = null;<a name="line.476"></a>
-<span class="sourceLineNo">477</span>      if (cell.getTagsLength() &gt; 0) {<a name="line.477"></a>
-<span class="sourceLineNo">478</span>        Iterator&lt;Tag&gt; tagsIterator = CellUtil.tagsIterator(cell.getTagsArray(),<a name="line.478"></a>
-<span class="sourceLineNo">479</span>            cell.getTagsOffset(), cell.getTagsLength());<a name="line.479"></a>
-<span class="sourceLineNo">480</span>        while (tagsIterator.hasNext()) {<a name="line.480"></a>
-<span class="sourceLineNo">481</span>          Tag tag = tagsIterator.next();<a name="line.481"></a>
-<span class="sourceLineNo">482</span>          if (tag.getType() == TagType.STRING_VIS_TAG_TYPE) {<a name="line.482"></a>
-<span class="sourceLineNo">483</span>            modifiedTag = tag;<a name="line.483"></a>
-<span class="sourceLineNo">484</span>            break;<a name="line.484"></a>
-<span class="sourceLineNo">485</span>          }<a name="line.485"></a>
-<span class="sourceLineNo">486</span>        }<a name="line.486"></a>
-<span class="sourceLineNo">487</span>      }<a name="line.487"></a>
-<span class="sourceLineNo">488</span>      pair.setFirst(true);<a name="line.488"></a>
-<span class="sourceLineNo">489</span>      pair.setSecond(modifiedTag);<a name="line.489"></a>
-<span class="sourceLineNo">490</span>      return pair;<a name="line.490"></a>
-<span class="sourceLineNo">491</span>    }<a name="line.491"></a>
-<span class="sourceLineNo">492</span>    if (cell.getTagsLength() &gt; 0) {<a name="line.492"></a>
-<span class="sourceLineNo">493</span>      Iterator&lt;Tag&gt; tagsItr = CellUtil.tagsIterator(cell.getTagsArray(), cell.getTagsOffset(),<a name="line.493"></a>
-<span class="sourceLineNo">494</span>          cell.getTagsLength());<a name="line.494"></a>
-<span class="sourceLineNo">495</span>      while (tagsItr.hasNext()) {<a name="line.495"></a>
-<span class="sourceLineNo">496</span>        if (RESERVED_VIS_TAG_TYPES.contains(tagsItr.next().getType())) {<a name="line.496"></a>
-<span class="sourceLineNo">497</span>          return pair;<a name="line.497"></a>
-<span class="sourceLineNo">498</span>        }<a name="line.498"></a>
-<span class="sourceLineNo">499</span>      }<a name="line.499"></a>
-<span class="sourceLineNo">500</span>    }<a name="line.500"></a>
-<span class="sourceLineNo">501</span>    pair.setFirst(true);<a name="line.501"></a>
-<span class="sourceLineNo">502</span>    return pair;<a name="line.502"></a>
-<span class="sourceLineNo">503</span>  }<a name="line.503"></a>
-<span class="sourceLineNo">504</span><a name="line.504"></a>
-<span class="sourceLineNo">505</span>  /**<a name="line.505"></a>
-<span class="sourceLineNo">506</span>   * Checks whether cell contains any tag with type as VISIBILITY_TAG_TYPE. This<a name="line.506"></a>
-<span class="sourceLineNo">507</span>   * tag type is reserved and should not be explicitly set by user. There are<a name="line.507"></a>
-<span class="sourceLineNo">508</span>   * two versions of this method one that accepts pair and other without pair.<a name="line.508"></a>
-<span class="sourceLineNo">509</span>   * In case of preAppend and preIncrement the additional operations are not<a name="line.509"></a>
-<span class="sourceLineNo">510</span>   * needed like checking for STRING_VIS_TAG_TYPE and hence the API without pair<a name="line.510"></a>
-<span class="sourceLineNo">511</span>   * could be used.<a name="line.511"></a>
-<span class="sourceLineNo">512</span>   *<a name="line.512"></a>
-<span class="sourceLineNo">513</span>   * @param cell<a name="line.513"></a>
-<span class="sourceLineNo">514</span>   * @throws IOException<a name="line.514"></a>
-<span class="sourceLineNo">515</span>   */<a name="line.515"></a>
-<span class="sourceLineNo">516</span>  private boolean checkForReservedVisibilityTagPresence(Cell cell) throws IOException {<a name="line.516"></a>
-<span class="sourceLineNo">517</span>    // Bypass this check when the operation is done by a system/super user.<a name="line.517"></a>
-<span class="sourceLineNo">518</span>    // This is done because, while Replication, the Cells coming to the peer<a name="line.518"></a>
-<span class="sourceLineNo">519</span>    // cluster with reserved<a name="line.519"></a>
-<span class="sourceLineNo">520</span>    // typed tags and this is fine and should get added to the peer cluster<a name="line.520"></a>
-<span class="sourceLineNo">521</span>    // table<a name="line.521"></a>
-<span class="sourceLineNo">522</span>    if (isSystemOrSuperUser()) {<a name="line.522"></a>
-<span class="sourceLineNo">523</span>      return true;<a name="line.523"></a>
-<span class="sourceLineNo">524</span>    }<a name="line.524"></a>
-<span class="sourceLineNo">525</span>    if (cell.getTagsLength() &gt; 0) {<a name="line.525"></a>
-<span class="sourceLineNo">526</span>      Iterator&lt;Tag&gt; tagsItr = CellUtil.tagsIterator(cell.getTagsArray(), cell.getTagsOffset(),<a name="line.526"></a>
-<span class="sourceLineNo">527</span>          cell.getTagsLength());<a name="line.527"></a>
-<span class="sourceLineNo">528</span>      while (tagsItr.hasNext()) {<a name="line.528"></a>
-<span class="sourceLineNo">529</span>        if (RESERVED_VIS_TAG_TYPES.contains(tagsItr.next().getType())) {<a name="line.529"></a>
-<span class="sourceLineNo">530</span>          return false;<a name="line.530"></a>
-<span class="sourceLineNo">531</span>        }<a name="line.531"></a>
-<span class="sourceLineNo">532</span>      }<a name="line.532"></a>
-<span class="sourceLineNo">533</span>    }<a name="line.533"></a>
-<span class="sourceLineNo">534</span>    return true;<a name="line.534"></a>
-<span class="sourceLineNo">535</span>  }<a name="line.535"></a>
-<span class="sourceLineNo">536</span><a name="line.536"></a>
-<span class="sourceLineNo">537</span>  private void removeReplicationVisibilityTag(List&lt;Tag&gt; tags) throws IOException {<a name="line.537"></a>
-<span class="sourceLineNo">538</span>    Iterator&lt;Tag&gt; iterator = tags.iterator();<a name="line.538"></a>
-<span class="sourceLineNo">539</span>    while (iterator.hasNext()) {<a name="line.539"></a>
-<span class="sourceLineNo">540</span>      Tag tag = iterator.next();<a name="line.540"></a>
-<span class="sourceLineNo">541</span>      if (tag.getType() == TagType.STRING_VIS_TAG_TYPE) {<a name="line.541"></a>
-<span class="sourceLineNo">542</span>        iterator.remove();<a name="line.542"></a>
-<span class="sourceLineNo">543</span>        break;<a name="line.543"></a>
-<span class="sourceLineNo">544</span>      }<a name="line.544"></a>
-<span class="sourceLineNo">545</span>    }<a name="line.545"></a>
-<span class="sourceLineNo">546</span>  }<a name="line.546"></a>
-<span class="sourceLineNo">547</span><a name="line.547"></a>
-<span class="sourceLineNo">548</span>  @Override<a name="line.548"></a>
-<span class="sourceLineNo">549</span>  public RegionScanner preScannerOpen(ObserverContext&lt;RegionCoprocessorEnvironment&gt; e, Scan scan,<a name="line.549"></a>
-<span class="sourceLineNo">550</span>      RegionScanner s) throws IOException {<a name="line.550"></a>
-<span class="sourceLineNo">551</span>    if (!initialized) {<a name="line.551"></a>
-<span class="sourceLineNo">552</span>      throw new VisibilityControllerNotReadyException("VisibilityController not yet initialized!");<a name="line.552"></a>
-<span class="sourceLineNo">553</span>    }<a name="line.553"></a>
-<span class="sourceLineNo">554</span>    // Nothing to do if authorization is not enabled<a name="line.554"></a>
-<span class="sourceLineNo">555</span>    if (!authorizationEnabled) {<a name="line.555"></a>
-<span class="sourceLineNo">556</span>      return s;<a name="line.556"></a>
-<span class="sourceLineNo">557</span>    }<a name="line.557"></a>
-<span class="sourceLineNo">558</span>    Region region = e.getEnvironment().getRegion();<a name="line.558"></a>
-<span class="sourceLineNo">559</span>    Authorizations authorizations = null;<a name="line.559"></a>
-<span class="sourceLineNo">560</span>    try {<a name="line.560"></a>
-<span class="sourceLineNo">561</span>      authorizations = scan.getAuthorizations();<a name="line.561"></a>
-<span class="sourceLineNo">562</span>    } catch (DeserializationException de) {<a name="line.562"></a>
-<span class="sourceLineNo">563</span>      throw new IOException(de);<a name="line.563"></a>
-<span class="sourceLineNo">564</span>    }<a name="line.564"></a>
-<span class="sourceLineNo">565</span>    if (authorizations == null) {<a name="line.565"></a>
-<span class="sourceLineNo">566</span>      // No Authorizations present for this scan/Get!<a name="line.566"></a>
-<span class="sourceLineNo">567</span>      // In case of system tables other than "labels" just scan with out visibility check and<a name="line.567"></a>
-<span class="sourceLineNo">568</span>      // filtering. Checking visibility labels for META and NAMESPACE table is not needed.<a name="line.568"></a>
-<span class="sourceLineNo">569</span>      TableName table = region.getRegionInfo().getTable();<a name="line.569"></a>
-<span class="sourceLineNo">570</span>      if (table.isSystemTable() &amp;&amp; !table.equals(LABELS_TABLE_NAME)) {<a name="line.570"></a>
-<span class="sourceLineNo">571</span>        return s;<a name="line.571"></a>
-<span class="sourceLineNo">572</span>      }<a name="line.572"></a>
-<span class="sourceLineNo">573</span>    }<a name="line.573"></a>
-<span class="sourceLineNo">574</span><a name="line.574"></a>
-<span class="sourceLineNo">575</span>    Filter visibilityLabelFilter = VisibilityUtils.createVisibilityLabelFilter(region,<a name="line.575"></a>
-<span class="sourceLineNo">576</span>        authorizations);<a name="line.576"></a>
-<span class="sourceLineNo">577</span>    if (visibilityLabelFilter != null) {<a name="line.577"></a>
-<span class="sourceLineNo">578</span>      Filter filter = scan.getFilter();<a name="line.578"></a>
-<span class="sourceLineNo">579</span>      if (filter != null) {<a name="line.579"></a>
-<span class="sourceLineNo">580</span>        scan.setFilter(new FilterList(filter, visibilityLabelFilter));<a name="line.580"></a>
-<span class="sourceLineNo">581</span>      } else {<a name="line.581"></a>
-<span class="sourceLineNo">582</span>        scan.setFilter(visibilityLabelFilter);<a name="line.582"></a>
-<span class="sourceLineNo">583</span>      }<a name="line.583"></a>
-<span class="sourceLineNo">584</span>    }<a name="line.584"></a>
-<span class="sourceLineNo">585</span>    return s;<a name="line.585"></a>
-<span class="sourceLineNo">586</span>  }<a name="line.586"></a>
-<span class="sourceLineNo">587</span><a name="line.587"></a>
-<span class="sourceLineNo">588</span>  @Override<a name="line.588"></a>
-<span class="sourceLineNo">589</span>  public DeleteTracker postInstantiateDeleteTracker(<a name="line.589"></a>
-<span class="sourceLineNo">590</span>      ObserverContext&lt;RegionCoprocessorEnvironment&gt; ctx, DeleteTracker delTracker)<a name="line.590"></a>
-<span class="sourceLineNo">591</span>      throws IOException {<a name="line.591"></a>
-<span class="sourceLineNo">592</span>    // Nothing to do if we are not filtering by visibility<a name="line.592"></a>
-<span class="sourceLineNo">593</span>    if (!authorizationEnabled) {<a name="line.593"></a>
-<span class="sourceLineNo">594</span>      return delTracker;<a name="line.594"></a>
-<span class="sourceLineNo">595</span>    }<a name="line.595"></a>
-<span class="sourceLineNo">596</span>    Region region = ctx.getEnvironment().getRegion();<a name="line.596"></a>
-<span class="sourceLineNo">597</span>    TableName table = region.getRegionInfo().getTable();<a name="line.597"></a>
-<span class="sourceLineNo">598</span>    if (table.isSystemTable()) {<a name="line.598"></a>
-<span class="sourceLineNo">599</span>      return delTracker;<a name="line.599"></a>
-<span class="sourceLineNo">600</span>    }<a name="line.600"></a>
-<span class="sourceLineNo">601</span>    // We are creating a new type of delete tracker here which is able to track<a name="line.601"></a>
-<span class="sourceLineNo">602</span>    // the timestamps and also the<a name="line.602"></a>
-<span class="sourceLineNo">603</span>    // visibility tags per cell. The covering cells are determined not only<a name="line.603"></a>
-<span class="sourceLineNo">604</span>    // based on the delete type and ts<a name="line.604"></a>
-<span class="sourceLineNo">605</span>    // but also on the visibility expression matching.<a name="line.605"></a>
-<span class="sourceLineNo">606</span>    return new VisibilityScanDeleteTracker();<a name="line.606"></a>
-<span class="sourceLineNo">607</span>  }<a name="line.607"></a>
-<span class="sourceLineNo">608</span><a name="line.608"></a>
-<span class="sourceLineNo">609</span>  @Override<a name="line.609"></a>
-<span class="sourceLineNo">610</span>  public RegionScanner postScannerOpen(final ObserverContext&lt;RegionCoprocessorEnvironment&gt; c,<a name="line.610"></a>
-<span class="sourceLineNo">611</span>      final Scan scan, final RegionScanner s) throws IOException {<a name="line.611"></a>
-<span class="sourceLineNo">612</span>    User user = VisibilityUtils.getActiveUser();<a name="line.612"></a>
-<span class="sourceLineNo">613</span>    if (user != null &amp;&amp; user.getShortName() != null) {<a name="line.613"></a>
-<span class="sourceLineNo">614</span>      scannerOwners.put(s, user.getShortName());<a name="line.614"></a>
-<span class="sourceLineNo">615</span>    }<a name="line.615"></a>
-<span class="sourceLineNo">616</span>    return s;<a name="line.616"></a>
-<span class="sourceLineNo">617</span>  }<a name="line.617"></a>
-<span class="sourceLineNo">618</span><a name="line.618"></a>
-<span class="sourceLineNo">619</span>  @Override<a name="line.619"></a>
-<span class="sourceLineNo">620</span>  public boolean preScannerNext(final ObserverContext&lt;RegionCoprocessorEnvironment&gt; c,<a name="line.620"></a>
-<span class="sourceLineNo">621</span>      final InternalScanner s, final List&lt;Result&gt; result, final int limit, final boolean hasNext)<a name="line.621"></a>
-<span class="sourceLineNo">622</span>      throws IOException {<a name="line.622"></a>
-<span class="sourceLineNo">623</span>    requireScannerOwner(s);<a name="line.623"></a>
-<span class="sourceLineNo">624</span>    return hasNext;<a name="line.624"></a>
-<span class="sourceLineNo">625</span>  }<a name="line.625"></a>
-<span class="sourceLineNo">626</span><a name="line.626"></a>
-<span class="sourceLineNo">627</span>  @Override<a name="line.627"></a>
-<span class="sourceLineNo">628</span>  public void preScannerClose(final ObserverContext&lt;RegionCoprocessorEnvironment&gt; c,<a name="line.628"></a>
-<span class="sourceLineNo">629</span>      final InternalScanner s) throws IOException {<a name="line.629"></a>
-<span class="sourceLineNo">630</span>    requireScannerOwner(s);<a name="line.630"></a>
-<span class="sourceLineNo">631</span>  }<a name="line.631"></a>
-<span class="sourceLineNo">632</span><a name="line.632"></a>
-<span class="sourceLineNo">633</span>  @Override<a name="line.633"></a>
-<span class="sourceLineNo">634</span>  public void postScannerClose(final ObserverContext&lt;RegionCoprocessorEnvironment&gt; c,<a name="line.634"></a>
-<span class="sourceLineNo">635</span>      final InternalScanner s) throws IOException {<a name="line.635"></a>
-<span class="sourceLineNo">636</span>    // clean up any associated owner mapping<a name="line.636"></a>
-<span class="sourceLineNo">637</span>    scannerOwners.remove(s);<a name="line.637"></a>
-<span class="sourceLineNo">638</span>  }<a name="line.638"></a>
-<span class="sourceLineNo">639</span><a name="line.639"></a>
-<span class="sourceLineNo">640</span>  /**<a name="line.640"></a>
-<span class="sourceLineNo">641</span>   * Verify, when servicing an RPC, that the caller is the scanner owner. If so, we assume that<a name="line.641"></a>
-<span class="sourceLineNo">642</span>   * access control is correctly enforced based on the checks performed in preScannerOpen()<a name="line.642"></a>
-<span class="sourceLineNo">643</span>   */<a name="line.643"></a>
-<span class="sourceLineNo">644</span>  private void requireScannerOwner(InternalScanner s) throws AccessDeniedException {<a name="line.644"></a>
-<span class="sourceLineNo">645</span>    if (!RpcServer.isInRpcCallContext())<a name="line.645"></a>
-<span class="sourceLineNo">646</span>      return;<a name="line.646"></a>
-<span class="sourceLineNo">647</span>    String requestUName = RpcServer.getRequestUserName();<a name="line.647"></a>
-<span class="sourceLineNo">648</span>    String owner = scannerOwners.get(s);<a name="line.648"></a>
-<span class="sourceLineNo">649</span>    if (authorizationEnabled &amp;&amp; owner != null &amp;&amp; !owner.equals(requestUName)) {<a name="line.649"></a>
-<span class="sourceLineNo">650</span>      throw new AccessDeniedException("User '" + requestUName + "' is not the scanner owner!");<a name="line.650"></a>
-<span class="sourceLineNo">651</span>    }<a name="line.651"></a>
-<span class="sourceLineNo">652</span>  }<a name="line.652"></a>
-<span class="sourceLineNo">653</span><a name="line.653"></a>
-<span class="sourceLineNo">654</span>  @Override<a name="line.654"></a>
-<span class="sourceLineNo">655</span>  public void preGetOp(ObserverContext&lt;RegionCoprocessorEnvironment&gt; e, Get get,<a name="line.655"></a>
-<span class="sourceLineNo">656</span>      List&lt;Cell&gt; results) throws IOException {<a name="line.656"></a>
-<span class="sourceLineNo">657</span>    if (!initialized) {<a name="line.657"></a>
-<span class="sourceLineNo">658</span>      throw new VisibilityControllerNotReadyException("VisibilityController not yet initialized");<a name="line.658"></a>
-<span class="sourceLineNo">659</span>    }<a name="line.659"></a>
-<span class="sourceLineNo">660</span>    // Nothing useful to do if authorization is not enabled<a name="line.660"></a>
-<span class="sourceLineNo">661</span>    if (!authorizationEnabled) {<a name="line.661"></a>
-<span class="sourceLineNo">662</span>      return;<a name="line.662"></a>
-<span class="sourceLineNo">663</span>    }<a name="line.663"></a>
-<span class="sourceLineNo">664</span>    Region region = e.getEnvironment().getRegion();<a name="line.664"></a>
-<span class="sourceLineNo">665</span>    Authorizations authorizations = null;<a name="line.665"></a>
-<span class="sourceLineNo">666</span>    try {<a name="line.666"></a>
-<span class="sourceLineNo">667</span>      authorizations = get.getAuthorizations();<a name="line.667"></a>
-<span class="sourceLineNo">668</span>    } catch (DeserializationException de) {<a name="line.668"></a>
-<span class="sourceLineNo">669</span>      throw new IOException(de);<a name="line.669"></a>
-<span class="sourceLineNo">670</span>    }<a name="line.670"></a>
-<span class="sourceLineNo">671</span>    if (authorizations == null) {<a name="line.671"></a>
-<span class="sourceLineNo">672</span>      // No Authorizations present for this scan/Get!<a name="line.672"></a>
-<span class="sourceLineNo">673</span>      // In case of system tables other than "labels" just scan with out visibility check and<a name="line.673"></a>
-<span class="sourceLineNo">674</span>      // filtering. Checking visibility labels for META and NAMESPACE table is not needed.<a name="line.674"></a>
-<span class="sourceLineNo">675</span>      TableName table = region.getRegionInfo().getTable();<a name="line.675"></a>
-<span class="sourceLineNo">676</span>      if (table.isSystemTable() &amp;&amp; !table.equals(LABELS_TABLE_NAME)) {<a name="line.676"></a>
-<span class="sourceLineNo">677</span>        return;<a name="line.677"></a>
-<span class="sourceLineNo">678</span>      }<a name="line.678"></a>
-<span class="sourceLineNo">679</span>    }<a name="line.679"></a>
-<span class="sourceLineNo">680</span>    Filter visibilityLabelFilter = VisibilityUtils.createVisibilityLabelFilter(e.getEnvironment()<a name="line.680"></a>
-<span class="sourceLineNo">681</span>        .getRegion(), authorizations);<a name="line.681"></a>
-<span class="sourceLineNo">682</span>    if (visibilityLabelFilter != null) {<a name="line.682"></a>
-<span class="sourceLineNo">683</span>      Filter filter = get.getFilter();<a name="line.683"></a>
-<span class="sourceLineNo">684</span>      if (filter != null) {<a name="line.684"></a>
-<span class="sourceLineNo">685</span>        get.setFilter(new FilterList(filter, visibilityLabelFilter));<a name="line.685"></a>
-<span class="sourceLineNo">686</span>      } else {<a name="line.686"></a>
-<span class="sourceLineNo">687</span>        get.setFilter(visibilityLabelFilter);<a name="line.687"></a>
-<span class="sourceLineNo">688</span>      }<a name="line.688"></a>
-<span class="sourceLineNo">689</span>    }<a name="line.689"></a>
-<span class="sourceLineNo">690</span>  }<a name="line.690"></a>
-<span class="sourceLineNo">691</span><a name="line.691"></a>
-<span class="sourceLineNo">692</span>  private boolean isSystemOrSuperUser() throws IOException {<a name="line.692"></a>
-<span class="sourceLineNo">693</span>    return Superusers.isSuperUser(VisibilityUtils.getActiveUser());<a name="line.693"></a>
-<span class="sourceLineNo">694</span>  }<a name="line.694"></a>
-<span class="sourceLineNo">695</span><a name="line.695"></a>
-<span class="sourceLineNo">696</span>  @Override<a name="line.696"></a>
-<span class="sourceLineNo">697</span>  public Result preAppend(ObserverContext&lt;RegionCoprocessorEnvironment&gt; e, Append append)<a name="line.697"></a>
-<span class="sourceLineNo">698</span>      throws IOException {<a name="line.698"></a>
-<span class="sourceLineNo">699</span>    // If authorization is not enabled, we don't care about reserved tags<a name="line.699"></a>
-<span class="sourceLineNo">700</span>    if (!authorizationEnabled) {<a name="line.700"></a>
-<span class="sourceLineNo">701</span>      return null;<a name="line.701"></a>
-<span class="sourceLineNo">702</span>    }<a name="line.702"></a>
-<span class="sourceLineNo">703</span>    for (CellScanner cellScanner = append.cellScanner(); cellScanner.advance();) {<a name="line.703"></a>
-<span class="sourceLineNo">704</span>      if (!checkForReservedVisibilityTagPresence(cellScanner.current())) {<a name="line.704"></a>
-<span class="sourceLineNo">705</span>        throw new FailedSanityCheckException("Append contains cell with reserved type tag");<a name="line.705"></a>
-<span class="sourceLineNo">706</span>      }<a name="line.706"></a>
-<span class="sourceLineNo">707</span>    }<a name="line.707"></a>
-<span class="sourceLineNo">708</span>    return null;<a name="line.708"></a>
-<span class="sourceLineNo">709</span>  }<a name="line.709"></a>
-<span class="sourceLineNo">710</span><a name="line.710"></a>
-<span class="sourceLineNo">711</span>  @Override<a name="line.711"></a>
-<span class="sourceLineNo">712</span>  public Result preIncrement(ObserverContext&lt;RegionCoprocessorEnvironment&gt; e, Increment increment)<a name="line.712"></a>
-<span class="sourceLineNo">713</span>      throws IOException {<a name="line.713"></a>
-<span class="sourceLineNo">714</span>    // If authorization is not enabled, we don't care about reserved tags<a name="line.714"></a>
-<span class="sourceLineNo">715</span>    if (!authorizationEnabled) {<a name="line.715"></a>
-<span class="sourceLineNo">716</span>      return null;<a name="line.716"></a>
-<span class="sourceLineNo">717</span>    }<a name="line.717"></a>
-<span class="sourceLineNo">718</span>    for (CellScanner cellScanner = increment.cellScanner(); cellScanner.advance();) {<a name="line.718"></a>
-<span class="sourceLineNo">719</span>      if (!checkForReservedVisibilityTagPresence(cellScanner.current())) {<a name="line.719"></a>
-<span class="sourceLineNo">720</span>        throw new FailedSanityCheckException("Increment contains cell with reserved type tag");<a name="line.720"></a>
-<span class="sourceLineNo">721</span>      }<a name="line.721"></a>
-<span class="sourceLineNo">722</span>    }<a name="line.722"></a>
-<span class="sourceLineNo">723</span>    return null;<a name="line.723"></a>
-<span class="sourceLineNo">724</span>  }<a name="line.724"></a>
-<span class="sourceLineNo">725</span><a name="line.725"></a>
-<span class="sourceLineNo">726</span>  @Override<a name="line.726"></a>
-<span class="sourceLineNo">727</span>  public Cell postMutationBeforeWAL(ObserverContext&lt;RegionCoprocessorEnvironment&gt; ctx,<a name="line.727"></a>
-<span class="sourceLineNo">728</span>      MutationType opType, Mutation mutation, Cell oldCell, Cell newCell) throws IOException {<a name="line.728"></a>
-<span class="sourceLineNo">729</span>    List&lt;Tag&gt; tags = Lists.newArrayList();<a name="line.729"></a>
-<span class="sourceLineNo">730</span>    CellVisibility cellVisibility = null;<a name="line.730"></a>
-<span class="sourceLineNo">731</span>    try {<a name="line.731"></a>
-<span class="sourceLineNo">732</span>      cellVisibility = mutation.getCellVisibility();<a name="line.732"></a>
-<span class="sourceLineNo">733</span>    } catch (DeserializationException e) {<a name="line.733"></a>
-<span class="sourceLineNo">734</span>      throw new IOException(e);<a name="line.734"></a>
-<span class="sourceLineNo">735</span>    }<a name="line.735"></a>
-<span class="sourceLineNo">736</span>    if (cellVisibility == null) {<a name="line.736"></a>
-<span class="sourceLineNo">737</span>      return newCell;<a name="line.737"></a>
-<span class="sourceLineNo">738</span>    }<a name="line.738"></a>
-<span class="sourceLineNo">739</span>    // Prepend new visibility tags to a new list of tags for the cell<a name="line.739"></a>
-<span class="sourceLineNo">740</span>    // Don't check user auths for labels with Mutations when the user is super user<a name="line.740"></a>
-<span class="sourceLineNo">741</span>    boolean authCheck = authorizationEnabled &amp;&amp; checkAuths &amp;&amp; !(isSystemOrSuperUser());<a name="line.741"></a>
-<span class="sourceLineNo">742</span>    tags.addAll(this.visibilityLabelService.createVisibilityExpTags(cellVisibility.getExpression(),<a name="line.742"></a>
-<span class="sourceLineNo">743</span>        true, authCheck));<a name="line.743"></a>
-<span class="sourceLineNo">744</span>    // Save an object allocation where we can<a name="line.744"></a>
-<span class="sourceLineNo">745</span>    if (newCell.getTagsLength() &gt; 0) {<a name="line.745"></a>
-<span class="sourceLineNo">746</span>      // Carry forward all other tags<a name="line.746"></a>
-<span class="sourceLineNo">747</span>      Iterator&lt;Tag&gt; tagsItr = CellUtil.tagsIterator(newCell.getTagsArray(),<a name="line.747"></a>
-<span class="sourceLineNo">748</span>          newCell.getTagsOffset(), newCell.getTagsLength());<a name="line.748"></a>
-<span class="sourceLineNo">749</span>      while (tagsItr.hasNext()) {<a name="line.749"></a>
-<span class="sourceLineNo">750</span>        Tag tag = tagsItr.next();<a name="line.750"></a>
-<span class="sourceLineNo">751</span>        if (tag.getType() != TagType.VISIBILITY_TAG_TYPE<a name="line.751"></a>
-<span class="sourceLineNo">752</span>            &amp;&amp; tag.getType() != TagType.VISIBILITY_EXP_SERIALIZATION_FORMAT_TAG_TYPE) {<a name="line.752"></a>
-<span class="sourceLineNo">753</span>          tags.add(tag);<a name="line.753"></a>
-<span class="sourceLineNo">754</span>        }<a name="line.754"></a>
-<span class="sourceLineNo">755</span>      }<a name="line.755"></a>
-<span class="sourceLineNo">756</span>    }<a name="line.756"></a>
-<span class="sourceLineNo">757</span><a name="line.757"></a>
-<span class="sourceLineNo">758</span>    Cell rewriteCell = new TagRewriteCell(newCell, Tag.fromList(tags));<a name="line.758"></a>
-<span class="sourceLineNo">759</span>    return rewriteCell;<a name="line.759"></a>
-<span class="sourceLineNo">760</span>  }<a name="line.760"></a>
-<span class="sourceLineNo">761</span><a name="line.761"></a>
-<span class="sourceLineNo">762</span>  @Override<a name="line.762"></a>
-<span class="sourceLineNo">763</span>  public Service getService() {<a name="line.763"></a>
-<span class="sourceLineNo">764</span>    return VisibilityLabelsProtos.VisibilityLabelsService.newReflectiveService(this);<a name="line.764"></a>
-<span class="sourceLineNo">765</span>  }<a name="line.765"></a>
-<span class="sourceLineNo">766</span><a name="line.766"></a>
-<span class="sourceLineNo">767</span>  @Override<a name="line.767"></a>
-<span class="sourceLineNo">768</span>  public boolean postScannerFilterRow(final ObserverContext&lt;RegionCoprocessorEnvironment&gt; e,<a name="line.768"></a>
-<span class="sourceLineNo">769</span>      final InternalScanner s, final Cell curRowCell, final boolean hasMore) throws IOException {<a name="line.769"></a>
-<span class="sourceLineNo">770</span>    // Impl in BaseRegionObserver might do unnecessary copy for Off heap backed Cells.<a name="line.770"></a>
-<span class="sourceLineNo">771</span>    return hasMore;<a name="line.771"></a>
-<span class="sourceLineNo">772</span>  }<a name="line.772"></a>
-<span class="sourceLineNo">773</span><a name="line.773"></a>
-<span class="sourceLineNo">774</span>  /****************************** VisibilityEndpoint service related methods ******************************/<a name="line.774"></a>
-<span class="sourceLineNo">775</span>  @Override<a name="line.775"></a>
-<span class="sourceLineNo">776</span>  public synchronized void addLabels(RpcController controller, VisibilityLabelsRequest request,<a name="line.776"></a>
-<span class="sourceLineNo">777</span>      RpcCallback&lt;VisibilityLabelsResponse&gt; done) {<a name="line.777"></a>
-<span class="sourceLineNo">778</span>    VisibilityLabelsResponse.Builder response = VisibilityLabelsResponse.newBuilder();<a name="line.778"></a>
-<span class="sourceLineNo">779</span>    List&lt;VisibilityLabel&gt; visLabels = request.getVisLabelList();<a name="line.779"></a>
-<span class="sourceLineNo">780</span>    if (!initialized) {<a name="line.780"></a>
-<span class="sourceLineNo">781</span>      setExceptionResults(visLabels.size(),<a name="line.781"></a>
-<span class="sourceLineNo">782</span>        new VisibilityControllerNotReadyException("VisibilityController not yet initialized!"),<a name="line.782"></a>
-<span class="sourceLineNo">783</span>        response);<a name="line.783"></a>
-<span class="sourceLineNo">784</span>    } else {<a name="line.784"></a>
-<span class="sourceLineNo">785</span>      List&lt;byte[]&gt; labels = new ArrayList&lt;byte[]&gt;(visLabels.size());<a name="line.785"></a>
-<span class="sourceLineNo">786</span>      try {<a name="line.786"></a>
-<span class="sourceLineNo">787</span>        if (authorizationEnabled) {<a name="line.787"></a>
-<span class="sourceLineNo">788</span>          checkCallingUserAuth();<a name="line.788"></a>
-<span class="sourceLineNo">789</span>        }<a name="line.789"></a>
-<span class="sourceLineNo">790</span>        RegionActionResult successResult = RegionActionResult.newBuilder().build();<a name="line.790"></a>
-<span class="sourceLineNo">791</span>        for (VisibilityLabel visLabel : visLabels) {<a name="line.791"></a>
-<span class="sourceLineNo">792</span>          byte[] label = visLabel.getLabel().toByteArray();<a name="line.792"></a>
-<span class="sourceLineNo">793</span>          labels.add(label);<a name="line.793"></a>
-<span class="sourceLineNo">794</span>          response.addResult(successResult); // Just mark as success. Later it will get reset<a name="line.794"></a>
-<span class="sourceLineNo">795</span>                                             // based on the result from<a name="line.795"></a>
-<span class="sourceLineNo">796</span>                                             // visibilityLabelService.addLabels ()<a name="line.796"></a>
-<span class="sourceLineNo">797</span>        }<a name="line.797"></a>
-<span class="sourceLineNo">798</span>        if (!labels.isEmpty()) {<a name="line.798"></a>
-<span class="sourceLineNo">799</span>          OperationStatus[] opStatus = this.visibilityLabelService.addLabels(labels);<a name="line.799"></a>
-<span class="sourceLineNo">800</span>          logResult(true, "addLabels", "Adding labels allowed", null, labels, null);<a name="line.800"></a>
-<span class="sourceLineNo">801</span>          int i = 0;<a name="line.801"></a>
-<span class="sourceLineNo">802</span>          for (OperationStatus status : opStatus) {<a name="line.802"></a>
-<span class="sourceLineNo">803</span>            while (response.getResult(i) != successResult)<a name="line.803"></a>
-<span class="sourceLineNo">804</span>              i++;<a name="line.804"></a>
-<span class="sourceLineNo">805</span>            if (status.getOperationStatusCode() != SUCCESS) {<a name="line.805"></a>
-<span class="sourceLineNo">806</span>              RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();<a name="line.806"></a>
-<span class="sourceLineNo">807</span>              failureResultBuilder.setException(ResponseConverter<a name="line.807"></a>
-<span class="sourceLineNo">808</span>                  .buildException(new DoNotRetryIOException(status.getExceptionMsg())));<a name="line.808"></a>
-<span class="sourceLineNo">809</span>              response.setResult(i, failureResultBuilder.build());<a name="line.809"></a>
-<span class="sourceLineNo">810</span>            }<a name="line.810"></a>
-<span class="sourceLineNo">811</span>            i++;<a name="line.811"></a>
-<span class="sourceLineNo">812</span>          }<a name="line.812"></a>
-<span class="sourceLineNo">813</span>        }<a name="line.813"></a>
-<span class="sourceLineNo">814</span>      } catch (AccessDeniedException e) {<a name="line.814"></a>
-<span class="sourceLineNo">815</span>        logResult(false, "addLabels", e.getMessage(), null, labels, null);<a name="line.815"></a>
-<span class="sourceLineNo">816</span>        LOG.error("User is not having required permissions to add labels", e);<a name="line.816"></a>
-<span class="sourceLineNo">817</span>        setExceptionResults(visLabels.size(), e, response);<a name="line.817"></a>
-<span class="sourceLineNo">818</span>      } catch (IOException e) {<a name="line.818"></a>
-<span class="sourceLineNo">819</span>        LOG.error(e);<a name="line.819"></a>
-<span class="sourceLineNo">820</span>        setExceptionResults(visLabels.size(), e, response);<a name="line.820"></a>
-<span class="sourceLineNo">821</span>      }<a name="line.821"></a>
-<span class="sourceLineNo">822</span>    }<a name="line.822"></a>
-<span class="sourceLineNo">823</span>    done.run(response.build());<a name="line.823"></a>
-<span class="sourceLineNo">824</span>  }<a name="line.824"></a>
-<span class="sourceLineNo">825</span><a name="line.825"></a>
-<span class="sourceLineNo">826</span>  private void setExceptionResults(int size, IOException e,<a name="line.826"></a>
-<span class="sourceLineNo">827</span>      VisibilityLabelsResponse.Builder response) {<a name="line.827"></a>
-<span class="sourceLineNo">828</span>    RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();<a name="line.828"></a>
-<span class="sourceLineNo">829</span>    failureResultBuilder.setException(ResponseConverter.buildException(e));<a name="line.829"></a>
-<span class="sourceLineNo">830</span>    RegionActionResult failureResult = failureResultBuilder.build();<a name="line.830"></a>
-<span class="sourceLineNo">831</span>    for (int i = 0; i &lt; size; i++) {<a name="line.831"></a>
-<span class="sourceLineNo">832</span>      response.addResult(i, failureResult);<a name="line.832"></a>
-<span class="sourceLineNo">833</span>    }<a name="line.833"></a>
-<span class="sourceLineNo">834</span>  }<a name="line.834"></a>
-<span class="sourceLineNo">835</span><a name="line.835"></a>
-<span class="sourceLineNo">836</span>  @Override<a name="line.836"></a>
-<span class="sourceLineNo">837</span>  public synchronized void setAuths(RpcController controller, SetAuthsRequest request,<a name="line.837"></a>
-<span class="sourceLineNo">838</span>      RpcCallback&lt;VisibilityLabelsResponse&gt; done) {<a name="line.838"></a>
-<span class="sourceLineNo">839</span>    VisibilityLabelsResponse.Builder response = VisibilityLabelsResponse.newBuilder();<a name="line.839"></a>
-<span class="sourceLineNo">840</span>    List&lt;ByteString&gt; auths = request.getAuthList();<a name="line.840"></a>
-<span class="sourceLineNo">841</span>    if (!initialized) {<a name="line.841"></a>
-<span class="sourceLineNo">842</span>      setExceptionResults(auths.size(),<a name="line.842"></a>
-<span class="sourceLineNo">843</span>        new VisibilityControllerNotReadyException("VisibilityController not yet initialized!"),<a name="line.843"></a>
-<span class="sourceLineNo">844</span>        response);<a name="line.844"></a>
-<span class="sourceLineNo">845</span>    } else {<a name="line.845"></a>
-<span class="sourceLineNo">846</span>      byte[] user = request.getUser().toByteArray();<a name="line.846"></a>
-<span class="sourceLineNo">847</span>      List&lt;byte[]&gt; labelAuths = new ArrayList&lt;byte[]&gt;(auths.size());<a name="line.847"></a>
-<span class="sourceLineNo">848</span>      try {<a name="line.848"></a>
-<span class="sourceLineNo">849</span>        if (authorizationEnabled) {<a name="line.849"></a>
-<span class="sourceLineNo">850</span>          checkCallingUserAuth();<a name="line.850"></a>
-<span class="sourceLineNo">851</span>        }<a name="line.851"></a>
-<span class="sourceLineNo">852</span>        for (ByteString authBS : auths) {<a name="line.852"></a>
-<span class="sourceLineNo">853</span>          labelAuths.add(authBS.toByteArray());<a name="line.853"></a>
-<span class="sourceLineNo">854</span>        }<a name="line.854"></a>
-<span class="sourceLineNo">855</span>        OperationStatus[] opStatus = this.visibilityLabelService.setAuths(user, labelAuths);<a name="line.855"></a>
-<span class="sourceLineNo">856</span>        logResult(true, "setAuths", "Setting authorization for labels allowed", user, labelAuths,<a name="line.856"></a>
-<span class="sourceLineNo">857</span>          null);<a name="line.857"></a>
-<span class="sourceLineNo">858</span>        RegionActionResult successResult = RegionActionResult.newBuilder().build();<a name="line.858"></a>
-<span class="sourceLineNo">859</span>        for (OperationStatus status : opStatus) {<a name="line.859"></a>
-<span class="sourceLineNo">860</span>          if (status.getOperationStatusCode() == SUCCESS) {<a name="line.860"></a>
-<span class="sourceLineNo">861</span>            response.addResult(successResult);<a name="line.861"></a>
-<span class="sourceLineNo">862</span>          } else {<a name="line.862"></a>
-<span class="sourceLineNo">863</span>            RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();<a name="line.863"></a>
-<span class="sourceLineNo">864</span>            failureResultBuilder.setException(ResponseConverter<a name="line.864"></a>
-<span class="sourceLineNo">865</span>                .buildException(new DoNotRetryIOException(status.getExceptionMsg())));<a name="line.865"></a>
-<span class="sourceLineNo">866</span>            response.addResult(failureResultBuilder.build());<a name="line.866"></a>
-<span class="sourceLineNo">867</span>          }<a name="line.867"></a>
-<span class="sourceLineNo">868</span>        }<a name="line.868"></a>
-<span class="sourceLineNo">869</span>      } catch (AccessDeniedException e) {<a name="line.869"></a>
-<span class="sourceLineNo">870</span>        logResult(false, "setAuths", e.getMessage(), user, labelAuths, null);<a name="line.870"></a>
-<span class="sourceLineNo">871</span>        LOG.error("User is not having required permissions to set authorization", e);<a name="line.871"></a>
-<span class="sourceLineNo">872</span>        setExceptionResults(auths.size(), e, response);<a name="line.872"></a>
-<span class="sourceLineNo">873</span>      } catch (IOException e) {<a name="line.873"></a>
-<span class="sourceLineNo">874</span>        LOG.error(e);<a name="line.874"></a>
-<span class="sourceLineNo">875</span>        setExceptionResults(auths.size(), e, response);<a name="line.875"></a>
-<span class="sourceLineNo">876</span>      }<a name="line.876"></a>
-<span class="sourceLineNo">877</span>    }<a name="line.877"></a>
-<span class="sourceLineNo">878</span>    done.run(response.build());<a name="line.878"></a>
-<span class="sourceLineNo">879</span>  }<a name="line.879"></a>
-<span class="sourceLineNo">880</span><a name="line.880"></a>
-<span class="sourceLineNo">881</span>  private void logResult(boolean isAllowed, String request, String reason, byte[] user,<a name="line.881"></a>
-<span class="sourceLineNo">882</span>      List&lt;byte[]&gt; labelAuths, String regex) {<a name="line.882"></a>
-<span class="sourceLineNo">883</span>    if (AUDITLOG.isTraceEnabled()) {<a name="line.883"></a>
-<span class="sourceLineNo">884</span>      // This is more duplicated code!<a name="line.884"></a>
-<span class="sourceLineNo">885</span>      InetAddress remoteAddr = RpcServer.getRemoteAddress();<a name="line.885"></a>
-<span class="sourceLineNo">886</span>      List&lt;String&gt; labelAuthsStr = new ArrayList&lt;&gt;();<a name="line.886"></a>
-<span class="sourceLineNo">887</span>      if (labelAuths != null) {<a name="line.887"></a>
-<span class="sourceLineNo">888</span>        int labelAuthsSize = labelAuths.size();<a name="line.888"></a>
-<span class="sourceLineNo">889</span>        labelAuthsStr = new ArrayList&lt;&gt;(labelAuthsSize);<a name="line.889"></a>
-<span class="sourceLineNo">890</span>        for (int i = 0; i &lt; labelAuthsSize; i++) {<a name="line.890"></a>
-<span class="sourceLineNo">891</span>          labelAuthsStr.add(Bytes.toString(labelAuths.get(i)));<a name="line.891"></a>
-<span class="sourceLineNo">892</span>        }<a name="line.892"></a>
-<span class="sourceLineNo">893</span>      }<a name="line.893"></a>
-<span class="sourceLineNo">894</span><a name="line.894"></a>
-<span class="sourceLineNo">895</span>      User requestingUser = null;<a name="line.895"></a>
-<span class="sourceLineNo">896</span>      try {<a name="line.896"></a>
-<span class="sourceLineNo">897</span>        requestingUser = VisibilityUtils.getActiveUser();<a name="line.897"></a>
-<span class="sourceLineNo">898</span>      } catch (IOException e) {<a name="line.898"></a>
-<span class="sourceLineNo">899</span>        LOG.warn("Failed to get active system user.");<a name="line.899"></a>
-<span class="sourceLineNo">900</span>        LOG.debug("Details on failure to get active system user.", e);<a name="line.900"></a>
-<span class="sourceLineNo">901</span>      }<a name="line.901"></a>
-<span class="sourceLineNo">902</span>      AUDITLOG.trace("Access " + (isAllowed ? "allowed" : "denied") + " for user "<a name="line.902"></a>
-<span class="sourceLineNo">903</span>          + (requestingUser != null ? requestingUser.getShortName() : "UNKNOWN") + "; reason: "<a name="line.903"></a>
-<span class="sourceLineNo">904</span>          + reason + "; remote address: " + (remoteAddr != null ? remoteAddr : "") + "; request: "<a name="line.904"></a>
-<span class="sourceLineNo">905</span>          + request + "; user: " + (user != null ? Bytes.toShort(user) : "null") + "; labels: "<a name="line.905"></a>
-<span class="sourceLineNo">906</span>          + labelAuthsStr + "; regex: " + regex);<a name="line.906"></a>
-<span class="sourceLineNo">907</span>    }<a name="line.907"></a>
-<span class="sourceLineNo">908</span>  }<a name="line.908"></a>
-<span class="sourceLineNo">909</span><a name="line.909"></a>
-<span class="sourceLineNo">910</span>  @Override<a name="line.910"></a>
-<span class="sourceLineNo">911</span>  public synchronized void getAuths(RpcController controller, GetAuthsRequest request,<a name="line.911"></a>
-<span class="sourceLineNo">912</span>      RpcCallback&lt;GetAuthsResponse&gt; done) {<a name="line.912"></a>
-<span class="sourceLineNo">913</span>    GetAuthsResponse.Builder response = GetAuthsResponse.newBuilder();<a name="line.913"></a>
-<span class="sourceLineNo">914</span>    if (!initialized) {<a name="line.914"></a>
-<span class="sourceLineNo">915</span>      controller.setFailed("VisibilityController not yet initialized");<a name="line.915"></a>
-<span class="sourceLineNo">916</span>    } else {<a name="line.916"></a>
-<span class="sourceLineNo">917</span>      byte[] user = request.getUser().toByteArray();<a name="line.917"></a>
-<span class="sourceLineNo">918</span>      List&lt;String&gt; labels = null;<a name="line.918"></a>
-<span class="sourceLineNo">919</span>      try {<a name="line.919"></a>
-<span class="sourceLineNo">920</span>        // We do ACL check here as we create scanner directly on region. It will not make calls to<a name="line.920"></a>
-<span class="sourceLineNo">921</span>        // AccessController CP methods.<a name="line.921"></a>
-<span class="sourceLineNo">922</span>        if (authorizationEnabled &amp;&amp; accessControllerAvailable &amp;&amp; !isSystemOrSuperUser()) {<a name="line.922"></a>
-<span class="sourceLineNo">923</span>          User requestingUser = VisibilityUtils.getActiveUser();<a name="line.923"></a>
-<span class="sourceLineNo">924</span>          throw new AccessDeniedException("User '"<a name="line.924"></a>
-<span class="sourceLineNo">925</span>              + (requestingUser != null ? requestingUser.getShortName() : "null")<a name="line.925"></a>
-<span class="sourceLineNo">926</span>              + "' is not authorized to perform this action.");<a name="line.926"></a>
-<span class="sourceLineNo">927</span>        }<a name="line.927"></a>
-<span class="sourceLineNo">928</span>        if (AuthUtil.isGroupPrincipal(Bytes.toString(user))) {<a name="line.928"></a>
-<span class="sourceLineNo">929</span>          String group = AuthUtil.getGroupName(Bytes.toString(user));<a name="line.929"></a>
-<span class="sourceLineNo">930</span>          labels = this.visibilityLabelService.getGroupAuths(new String[]{group}, false);<a name="line.930"></a>
-<span class="sourceLineNo">931</span>        }<a name="line.931"></a>
-<span class="sourceLineNo">932</span>        else {<a name="line.932"></a>
-<span class="sourceLineNo">933</span>          labels = this.visibilityLabelService.getUserAuths(user, false);<a name="line.933"></a>
-<span class="sourceLineNo">934</span>        }<a name="line.934"></a>
-<span class="sourceLineNo">935</span>        logResult(true, "getAuths", "Get authorizations for user allowed", user, null, null);<a name="line.935"></a>
-<span class="sourceLineNo">936</span>      } catch (AccessDeniedException e) {<a name="line.936"></a>
-<span class="sourceLineNo">937</span>        logResult(false, "getAuths", e.getMessage(), user, null, null);<a name="line.937"></a>
+<span class="sourceLineNo">453</span>   * @param cell The cell under consideration<a name="line.453"></a>
+<span class="sourceLineNo">454</span>   * @param pair An optional pair of type {@code &lt;Boolean, Tag&gt;} which would be reused if already<a name="line.454"></a>
+<span class="sourceLineNo">455</span>   *     set and new one will be created if NULL is passed<a name="line.455"></a>
+<span class="sourceLineNo">456</span>   * @return If the boolean is false then it indicates that the cell has a RESERVERD_VIS_TAG and<a name="line.456"></a>
+<span class="sourceLineNo">457</span>   *     with boolean as true, not null tag indicates that a string modified tag was found.<a name="line.457"></a>
+<span class="sourceLineNo">458</span>   */<a name="line.458"></a>
+<span class="sourceLineNo">459</span>  private Pair&lt;Boolean, Tag&gt; checkForReservedVisibilityTagPresence(Cell cell,<a name="line.459"></a>
+<span class="sourceLineNo">460</span>      Pair&lt;Boolean, Tag&gt; pair) throws IOException {<a name="line.460"></a>
+<span class="sourceLineNo">461</span>    if (pair == null) {<a name="line.461"></a>
+<span class="sourceLineNo">462</span>      pair = new Pair&lt;Boolean, Tag&gt;(false, null);<a name="line.462"></a>
+<span class="sourceLineNo">463</span>    } else {<a name="line.463"></a>
+<span class="sourceLineNo">464</span>      pair.setFirst(false);<a name="line.464"></a>
+<span class="sourceLineNo">465</span>      pair.setSecond(null);<a name="line.465"></a>
+<span class="sourceLineNo">466</span>    }<a name="line.466"></a>
+<span class="sourceLineNo">467</span>    // Bypass this check when the operation is done by a system/super user.<a name="line.467"></a>
+<span class="sourceLineNo">468</span>    // This is done because, while Replication, the Cells coming to the peer cluster with reserved<a name="line.468"></a>
+<span class="sourceLineNo">469</span>    // typed tags and this is fine and should get added to the peer cluster table<a name="line.469"></a>
+<span class="sourceLineNo">470</span>    if (isSystemOrSuperUser()) {<a name="line.470"></a>
+<span class="sourceLineNo">471</span>      // Does the cell contain special tag which indicates that the replicated<a name="line.471"></a>
+<span class="sourceLineNo">472</span>      // cell visiblilty tags<a name="line.472"></a>
+<span class="sourceLineNo">473</span>      // have been modified<a name="line.473"></a>
+<span class="sourceLineNo">474</span>      Tag modifiedTag = null;<a name="line.474"></a>
+<span class="sourceLineNo">475</span>      if (cell.getTagsLength() &gt; 0) {<a name="line.475"></a>
+<span class="sourceLineNo">476</span>        Iterator&lt;Tag&gt; tagsIterator = CellUtil.tagsIterator(cell.getTagsArray(),<a name="line.476"></a>
+<span class="sourceLineNo">477</span>            cell.getTagsOffset(), cell.getTagsLength());<a name="line.477"></a>
+<span class="sourceLineNo">478</span>        while (tagsIterator.hasNext()) {<a name="line.478"></a>
+<span class="sourceLineNo">479</span>          Tag tag = tagsIterator.next();<a name="line.479"></a>
+<span class="sourceLineNo">480</span>          if (tag.getType() == TagType.STRING_VIS_TAG_TYPE) {<a name="line.480"></a>
+<span class="sourceLineNo">481</span>            modifiedTag = tag;<a name="line.481"></a>
+<span class="sourceLineNo">482</span>            break;<a name="line.482"></a>
+<span class="sourceLineNo">483</span>          }<a name="line.483"></a>
+<span class="sourceLineNo">484</span>        }<a name="line.484"></a>
+<span class="sourceLineNo">485</span>      }<a name="line.485"></a>
+<span class="sourceLineNo">486</span>      pair.setFirst(true);<a name="line.486"></a>
+<span class="sourceLineNo">487</span>      pair.setSecond(modifiedTag);<a name="line.487"></a>
+<span class="sourceLineNo">488</span>      return pair;<a name="line.488"></a>
+<span class="sourceLineNo">489</span>    }<a name="line.489"></a>
+<span class="sourceLineNo">490</span>    if (cell.getTagsLength() &gt; 0) {<a name="line.490"></a>
+<span class="sourceLineNo">491</span>      Iterator&lt;Tag&gt; tagsItr = CellUtil.tagsIterator(cell.getTagsArray(), cell.getTagsOffset(),<a name="line.491"></a>
+<span class="sourceLineNo">492</span>          cell.getTagsLength());<a name="line.492"></a>
+<span class="sourceLineNo">493</span>      while (tagsItr.hasNext()) {<a name="line.493"></a>
+<span class="sourceLineNo">494</span>        if (RESERVED_VIS_TAG_TYPES.contains(tagsItr.next().getType())) {<a name="line.494"></a>
+<span class="sourceLineNo">495</span>          return pair;<a name="line.495"></a>
+<span class="sourceLineNo">496</span>        }<a name="line.496"></a>
+<span class="sourceLineNo">497</span>      }<a name="line.497"></a>
+<span class="sourceLineNo">498</span>    }<a name="line.498"></a>
+<span class="sourceLineNo">499</span>    pair.setFirst(true);<a name="line.499"></a>
+<span class="sourceLineNo">500</span>    return pair;<a name="line.500"></a>
+<span class="sourceLineNo">501</span>  }<a name="line.501"></a>
+<span class="sourceLineNo">502</span><a name="line.502"></a>
+<span class="sourceLineNo">503</span>  /**<a name="line.503"></a>
+<span class="sourceLineNo">504</span>   * Checks whether cell contains any tag with type as VISIBILITY_TAG_TYPE. This<a name="line.504"></a>
+<span class="sourceLineNo">505</span>   * tag type is reserved and should not be explicitly set by user. There are<a name="line.505"></a>
+<span class="sourceLineNo">506</span>   * two versions of this method one that accepts pair and other without pair.<a name="line.506"></a>
+<span class="sourceLineNo">507</span>   * In case of preAppend and preIncrement the additional operations are not<a name="line.507"></a>
+<span class="sourceLineNo">508</span>   * needed like checking for STRING_VIS_TAG_TYPE and hence the API without pair<a name="line.508"></a>
+<span class="sourceLineNo">509</span>   * could be used.<a name="line.509"></a>
+<span class="sourceLineNo">510</span>   *<a name="line.510"></a>
+<span class="sourceLineNo">511</span>   * @param cell<a name="line.511"></a>
+<span class="sourceLineNo">512</span>   * @throws IOException<a name="line.512"></a>
+<span class="sourceLineNo">513</span>   */<a name="line.513"></a>
+<span class="sourceLineNo">514</span>  private boolean checkForReservedVisibilityTagPresence(Cell cell) throws IOException {<a name="line.514"></a>
+<span class="sourceLineNo">515</span>    // Bypass this check when the operation is done by a system/super user.<a name="line.515"></a>
+<span class="sourceLineNo">516</span>    // This is done because, while Replication, the Cells coming to the peer<a name="line.516"></a>
+<span class="sourceLineNo">517</span>    // cluster with reserved<a name="line.517"></a>
+<span class="sourceLineNo">518</span>    // typed tags and this is fine and should get added to the peer cluster<a name="line.518"></a>
+<span class="sourceLineNo">519</span>    // table<a name="line.519"></a>
+<span class="sourceLineNo">520</span>    if (isSystemOrSuperUser()) {<a name="line.520"></a>
+<span class="sourceLineNo">521</span>      return true;<a name="line.521"></a>
+<span class="sourceLineNo">522</span>    }<a name="line.522"></a>
+<span class="sourceLineNo">523</span>    if (cell.getTagsLength() &gt; 0) {<a name="line.523"></a>
+<span class="sourceLineNo">524</span>      Iterator&lt;Tag&gt; tagsItr = CellUtil.tagsIterator(cell.getTagsArray(), cell.getTagsOffset(),<a name="line.524"></a>
+<span class="sourceLineNo">525</span>          cell.getTagsLength());<a name="line.525"></a>
+<span class="sourceLineNo">526</span>      while (tagsItr.hasNext()) {<a name="line.526"></a>
+<span class="sourceLineNo">527</span>        if (RESERVED_VIS_TAG_TYPES.contains(tagsItr.next().getType())) {<a name="line.527"></a>
+<span class="sourceLineNo">528</span>          return false;<a name="line.528"></a>
+<span class="sourceLineNo">529</span>        }<a name="line.529"></a>
+<span class="sourceLineNo">530</span>      }<a name="line.530"></a>
+<span class="sourceLineNo">531</span>    }<a name="line.531"></a>
+<span class="sourceLineNo">532</span>    return true;<a name="line.532"></a>
+<span class="sourceLineNo">533</span>  }<a name="line.533"></a>
+<span class="sourceLineNo">534</span><a name="line.534"></a>
+<span class="sourceLineNo">535</span>  private void removeReplicationVisibilityTag(List&lt;Tag&gt; tags) throws IOException {<a name="line.535"></a>
+<span class="sourceLineNo">536</span>    Iterator&lt;Tag&gt; iterator = tags.iterator();<a name="line.536"></a>
+<span class="sourceLineNo">537</span>    while (iterator.hasNext()) {<a name="line.537"></a>
+<span class="sourceLineNo">538</span>      Tag tag = iterator.next();<a name="line.538"></a>
+<span class="sourceLineNo">539</span>      if (tag.getType() == TagType.STRING_VIS_TAG_TYPE) {<a name="line.539"></a>
+<span class="sourceLineNo">540</span>        iterator.remove();<a name="line.540"></a>
+<span class="sourceLineNo">541</span>        break;<a name="line.541"></a>
+<span class="sourceLineNo">542</span>      }<a name="line.542"></a>
+<span class="sourceLineNo">543</span>    }<a name="line.543"></a>
+<span class="sourceLineNo">544</span>  }<a name="line.544"></a>
+<span class="sourceLineNo">545</span><a name="line.545"></a>
+<span class="sourceLineNo">546</span>  @Override<a name="line.546"></a>
+<span class="sourceLineNo">547</span>  public RegionScanner preScannerOpen(ObserverContext&lt;RegionCoprocessorEnvironment&gt; e, Scan scan,<a name="line.547"></a>
+<span class="sourceLineNo">548</span>      RegionScanner s) throws IOException {<a name="line.548"></a>
+<span class="sourceLineNo">549</span>    if (!initialized) {<a name="line.549"></a>
+<span class="sourceLineNo">550</span>      throw new VisibilityControllerNotReadyException("VisibilityController not yet initialized!");<a name="line.550"></a>
+<span class="sourceLineNo">551</span>    }<a name="line.551"></a>
+<span class="sourceLineNo">552</span>    // Nothing to do if authorization is not enabled<a name="line.552"></a>
+<span class="sourceLineNo">553</span>    if (!authorizationEnabled) {<a name="line.553"></a>
+<span class="sourceLineNo">554</span>      return s;<a name="line.554"></a>
+<span class="sourceLineNo">555</span>    }<a name="line.555"></a>
+<span class="sourceLineNo">556</span>    Region region = e.getEnvironment().getRegion();<a name="line.556"></a>
+<span class="sourceLineNo">557</span>    Authorizations authorizations = null;<a name="line.557"></a>
+<span class="sourceLineNo">558</span>    try {<a name="line.558"></a>
+<span class="sourceLineNo">559</span>      authorizations = scan.getAuthorizations();<a name="line.559"></a>
+<span class="sourceLineNo">560</span>    } catch (DeserializationException de) {<a name="line.560"></a>
+<span class="sourceLineNo">561</span>      throw new IOException(de);<a name="line.561"></a>
+<span class="sourceLineNo">562</span>    }<a name="line.562"></a>
+<span class="sourceLineNo">563</span>    if (authorizations == null) {<a name="line.563"></a>
+<span class="sourceLineNo">564</span>      // No Authorizations present for this scan/Get!<a name="line.564"></a>
+<span class="sourceLineNo">565</span>      // In case of system tables other than "labels" just scan with out visibility check and<a name="line.565"></a>
+<span class="sourceLineNo">566</span>      // filtering. Checking visibility labels for META and NAMESPACE table is not needed.<a name="line.566"></a>
+<span class="sourceLineNo">567</span>      TableName table = region.getRegionInfo().getTable();<a name="line.567"></a>
+<span class="sourceLineNo">568</span>      if (table.isSystemTable() &amp;&amp; !table.equals(LABELS_TABLE_NAME)) {<a name="line.568"></a>
+<span class="sourceLineNo">569</span>        return s;<a name="line.569"></a>
+<span class="sourceLineNo">570</span>      }<a name="line.570"></a>
+<span class="sourceLineNo">571</span>    }<a name="line.571"></a>
+<span class="sourceLineNo">572</span><a name="line.572"></a>
+<span class="sourceLineNo">573</span>    Filter visibilityLabelFilter = VisibilityUtils.createVisibilityLabelFilter(region,<a name="line.573"></a>
+<span class="sourceLineNo">574</span>        authorizations);<a name="line.574"></a>
+<span class="sourceLineNo">575</span>    if (visibilityLabelFilter != null) {<a name="line.575"></a>
+<span class="sourceLineNo">576</span>      Filter filter = scan.getFilter();<a name="line.576"></a>
+<span class="sourceLineNo">577</span>      if (filter != null) {<a name="line.577"></a>
+<span class="sourceLineNo">578</span>        scan.setFilter(new FilterList(filter, visibilityLabelFilter));<a name="line.578"></a>
+<span class="sourceLineNo">579</span>      } else {<a name="line.579"></a>
+<span class="sourceLineNo">580</span>        scan.setFilter(visibilityLabelFilter);<a name="line.580"></a>
+<span class="sourceLineNo">581</span>      }<a name="line.581"></a>
+<span class="sourceLineNo">582</span>    }<a name="line.582"></a>
+<span class="sourceLineNo">583</span>    return s;<a name="line.583"></a>
+<span class="sourceLineNo">584</span>  }<a name="line.584"></a>
+<span class="sourceLineNo">585</span><a name="line.585"></a>
+<span class="sourceLineNo">586</span>  @Override<a name="line.586"></a>
+<span class="sourceLineNo">587</span>  public DeleteTracker postInstantiateDeleteTracker(<a name="line.587"></a>
+<span class="sourceLineNo">588</span>      ObserverContext&lt;RegionCoprocessorEnvironment&gt; ctx, DeleteTracker delTracker)<a name="line.588"></a>
+<span class="sourceLineNo">589</span>      throws IOException {<a name="line.589"></a>
+<span class="sourceLineNo">590</span>    // Nothing to do if we are not filtering by visibility<a name="line.590"></a>
+<span class="sourceLineNo">591</span>    if (!authorizationEnabled) {<a name="line.591"></a>
+<span class="sourceLineNo">592</span>      return delTracker;<a name="line.592"></a>
+<span class="sourceLineNo">593</span>    }<a name="line.593"></a>
+<span class="sourceLineNo">594</span>    Region region = ctx.getEnvironment().getRegion();<a name="line.594"></a>
+<span class="sourceLineNo">595</span>    TableName table = region.getRegionInfo().getTable();<a name="line.595"></a>
+<span class="sourceLineNo">596</span>    if (table.isSystemTable()) {<a name="line.596"></a>
+<span class="sourceLineNo">597</span>      return delTracker;<a name="line.597"></a>
+<span class="sourceLineNo">598</span>    }<a name="line.598"></a>
+<span class="sourceLineNo">599</span>    // We are creating a new type of delete tracker here which is able to track<a name="line.599"></a>
+<span class="sourceLineNo">600</span>    // the timestamps and also the<a name="line.600"></a>
+<span class="sourceLineNo">601</span>    // visibility tags per cell. The covering cells are determined not only<a name="line.601"></a>
+<span class="sourceLineNo">602</span>    // based on the delete type and ts<a name="line.602"></a>
+<span class="sourceLineNo">603</span>    // but also on the visibility expression matching.<a name="line.603"></a>
+<span class="sourceLineNo">604</span>    return new VisibilityScanDeleteTracker();<a name="line.604"></a>
+<span class="sourceLineNo">605</span>  }<a name="line.605"></a>
+<span class="sourceLineNo">606</span><a name="line.606"></a>
+<span class="sourceLineNo">607</span>  @Override<a name="line.607"></a>
+<span class="sourceLineNo">608</span>  public RegionScanner postScannerOpen(final ObserverContext&lt;RegionCoprocessorEnvironment&gt; c,<a name="line.608"></a>
+<span class="sourceLineNo">609</span>      final Scan scan, final RegionScanner s) throws IOException {<a name="line.609"></a>
+<span class="sourceLineNo">610</span>    User user = VisibilityUtils.getActiveUser();<a name="line.610"></a>
+<span class="sourceLineNo">611</span>    if (user != null &amp;&amp; user.getShortName() != null) {<a name="line.611"></a>
+<span class="sourceLineNo">612</span>      scannerOwners.put(s, user.getShortName());<a name="line.612"></a>
+<span class="sourceLineNo">613</span>    }<a name="line.613"></a>
+<span class="sourceLineNo">614</span>    return s;<a name="line.614"></a>
+<span class="sourceLineNo">615</span>  }<a name="line.615"></a>
+<span class="sourceLineNo">616</span><a name="line.616"></a>
+<span class="sourceLineNo">617</span>  @Override<a name="line.617"></a>
+<span class="sourceLineNo">618</span>  public boolean preScannerNext(final ObserverContext&lt;RegionCoprocessorEnvironment&gt; c,<a name="line.618"></a>
+<span class="sourceLineNo">619</span>      final InternalScanner s, final List&lt;Result&gt; result, final int limit, final boolean hasNext)<a name="line.619"></a>
+<span class="sourceLineNo">620</span>      throws IOException {<a name="line.620"></a>
+<span class="sourceLineNo">621</span>    requireScannerOwner(s);<a name="line.621"></a>
+<span class="sourceLineNo">622</span>    return hasNext;<a name="line.622"></a>
+<span class="sourceLineNo">623</span>  }<a name="line.623"></a>
+<span class="sourceLineNo">624</span><a name="line.624"></a>
+<span class="sourceLineNo">625</span>  @Override<a name="line.625"></a>
+<span class="sourceLineNo">626</span>  public void preScannerClose(final ObserverContext&lt;RegionCoprocessorEnvironment&gt; c,<a name="line.626"></a>
+<span class="sourceLineNo">627</span>      final InternalScanner s) throws IOException {<a name="line.627"></a>
+<span class="sourceLineNo">628</span>    requireScannerOwner(s);<a name="line.628"></a>
+<span class="sourceLineNo">629</span>  }<a name="line.629"></a>
+<span class="sourceLineNo">630</span><a name="line.630"></a>
+<span class="sourceLineNo">631</span>  @Override<a name="line.631"></a>
+<span class="sourceLineNo">632</span>  public void postScannerClose(final ObserverContext&lt;RegionCoprocessorEnvironment&gt; c,<a name="line.632"></a>
+<span class="sourceLineNo">633</span>      final InternalScanner s) throws IOException {<a name="line.633"></a>
+<span class="sourceLineNo">634</span>    // clean up any associated owner mapping<a name="line.634"></a>
+<span class="sourceLineNo">635</span>    scannerOwners.remove(s);<a name="line.635"></a>
+<span class="sourceLineNo">636</span>  }<a name="line.636"></a>
+<span class="sourceLineNo">637</span><a name="line.637"></a>
+<span class="sourceLineNo">638</span>  /**<a name="line.638"></a>
+<span class="sourceLineNo">639</span>   * Verify, when servicing an RPC, that the caller is the scanner owner. If so, we assume that<a name="line.639"></a>
+<span class="sourceLineNo">640</span>   * access control is correctly enforced based on the checks performed in preScannerOpen()<a name="line.640"></a>
+<span class="sourceLineNo">641</span>   */<a name="line.641"></a>
+<span class="sourceLineNo">642</span>  private void requireScannerOwner(InternalScanner s) throws AccessDeniedException {<a name="line.642"></a>
+<span class="sourceLineNo">643</span>    if (!RpcServer.isInRpcCallContext())<a name="line.643"></a>
+<span class="sourceLineNo">644</span>      return;<a name="line.644"></a>
+<span class="sourceLineNo">645</span>    String requestUName = RpcServer.getRequestUserName();<a name="line.645"></a>
+<span class="sourceLineNo">646</span>    String owner = scannerOwners.get(s);<a name="line.646"></a>
+<span class="sourceLineNo">647</span>    if (authorizationEnabled &amp;&amp; owner != null &amp;&amp; !owner.equals(requestUName)) {<a name="line.647"></a>
+<span class="sourceLineNo">648</span>      throw new AccessDeniedException("User '" + requestUName + "' is not the scanner owner!");<a name="line.648"></a>
+<span class="sourceLineNo">649</span>    }<a name="line.649"></a>
+<span class="sourceLineNo">650</span>  }<a name="line.650"></a>
+<span class="sourceLineNo">651</span><a name="line.651"></a>
+<span class="sourceLineNo">652</span>  @Override<a name="line.652"></a>
+<span class="sourceLineNo">653</span>  public void preGetOp(ObserverContext&lt;RegionCoprocessorEnvironment&gt; e, Get get,<a name="line.653"></a>
+<span class="sourceLineNo">654</span>      List&lt;Cell&gt; results) throws IOException {<a name="line.654"></a>
+<span class="sourceLineNo">655</span>    if (!initialized) {<a name="line.655"></a>
+<span class="sourceLineNo">656</span>      throw new VisibilityControllerNotReadyException("VisibilityController not yet initialized");<a name="line.656"></a>
+<span class="sourceLineNo">657</span>    }<a name="line.657"></a>
+<span class="sourceLineNo">658</span>    // Nothing useful to do if authorization is not enabled<a name="line.658"></a>
+<span class="sourceLineNo">659</span>    if (!authorizationEnabled) {<a name="line.659"></a>
+<span class="sourceLineNo">660</span>      return;<a name="line.660"></a>
+<span class="sourceLineNo">661</span>    }<a name="line.661"></a>
+<span class="sourceLineNo">662</span>    Region region = e.getEnvironment().getRegion();<a name="line.662"></a>
+<span class="sourceLineNo">663</span>    Authorizations authorizations = null;<a name="line.663"></a>
+<span class="sourceLineNo">664</span>    try {<a name="line.664"></a>
+<span class="sourceLineNo">665</span>      authorizations = get.getAuthorizations();<a name="line.665"></a>
+<span class="sourceLineNo">666</span>    } catch (DeserializationException de) {<a name="line.666"></a>
+<span class="sourceLineNo">667</span>      throw new IOException(de);<a name="line.667"></a>
+<span class="sourceLineNo">668</span>    }<a name="line.668"></a>
+<span class="sourceLineNo">669</span>    if (authorizations == null) {<a name="line.669"></a>
+<span class="sourceLineNo">670</span>      // No Authorizations present for this scan/Get!<a name="line.670"></a>
+<span class="sourceLineNo">671</span>      // In case of system tables other than "labels" just scan with out visibility check and<a name="line.671"></a>
+<span class="sourceLineNo">672</span>      // filtering. Checking visibility labels for META and NAMESPACE table is not needed.<a name="line.672"></a>
+<span class="sourceLineNo">673</span>      TableName table = region.getRegionInfo().getTable();<a name="line.673"></a>
+<span class="sourceLineNo">674</span>      if (table.isSystemTable() &amp;&amp; !table.equals(LABELS_TABLE_NAME)) {<a name="line.674"></a>
+<span class="sourceLineNo">675</span>        return;<a name="line.675"></a>
+<span class="sourceLineNo">676</span>      }<a name="line.676"></a>
+<span class="sourceLineNo">677</span>    }<a name="line.677"></a>
+<span class="sourceLineNo">678</span>    Filter visibilityLabelFilter = VisibilityUtils.createVisibilityLabelFilter(e.getEnvironment()<a name="line.678"></a>
+<span class="sourceLineNo">679</span>        .getRegion(), authorizations);<a name="line.679"></a>
+<span class="sourceLineNo">680</span>    if (visibilityLabelFilter != null) {<a name="line.680"></a>
+<span class="sourceLineNo">681</span>      Filter filter = get.getFilter();<a name="line.681"></a>
+<span class="sourceLineNo">682</span>      if (filter != null) {<a name="line.682"></a>
+<span class="sourceLineNo">683</span>        get.setFilter(new FilterList(filter, visibilityLabelFilter));<a name="line.683"></a>
+<span class="sourceLineNo">684</span>      } else {<a name="line.684"></a>
+<span class="sourceLineNo">685</span>        get.setFilter(visibilityLabelFilter);<a name="line.685"></a>
+<span class="sourceLineNo">686</span>      }<a name="line.686"></a>
+<span class="sourceLineNo">687</span>    }<a name="line.687"></a>
+<span class="sourceLineNo">688</span>  }<a name="line.688"></a>
+<span class="sourceLineNo">689</span><a name="line.689"></a>
+<span class="sourceLineNo">690</span>  private boolean isSystemOrSuperUser() throws IOException {<a name="line.690"></a>
+<span class="sourceLineNo">691</span>    return Superusers.isSuperUser(VisibilityUtils.getActiveUser());<a name="line.691"></a>
+<span class="sourceLineNo">692</span>  }<a name="line.692"></a>
+<span class="sourceLineNo">693</span><a name="line.693"></a>
+<span class="sourceLineNo">694</span>  @Override<a name="line.694"></a>
+<span class="sourceLineNo">695</span>  public Result preAppend(ObserverContext&lt;RegionCoprocessorEnvironment&gt; e, Append append)<a name="line.695"></a>
+<span class="sourceLineNo">696</span>      throws IOException {<a name="line.696"></a>
+<span class="sourceLineNo">697</span>    // If authorization is not enabled, we don't care about reserved tags<a name="line.697"></a>
+<span class="sourceLineNo">698</span>    if (!authorizationEnabled) {<a name="line.698"></a>
+<span class="sourceLineNo">699</span>      return null;<a name="line.699"></a>
+<span class="sourceLineNo">700</span>    }<a name="line.700"></a>
+<span class="sourceLineNo">701</span>    for (CellScanner cellScanner = append.cellScanner(); cellScanner.advance();) {<a name="line.701"></a>
+<span class="sourceLineNo">702</span>      if (!checkForReservedVisibilityTagPresence(cellScanner.current())) {<a name="line.702"></a>
+<span class="sourceLineNo">703</span>        throw new FailedSanityCheckException("Append contains cell with reserved type tag");<a name="line.703"></a>
+<span class="sourceLineNo">704</span>      }<a name="line.704"></a>
+<span class="sourceLineNo">705</span>    }<a name="line.705"></a>
+<span class="sourceLineNo">706</span>    return null;<a name="line.706"></a>
+<span class="sourceLineNo">707</span>  }<a name="line.707"></a>
+<span class="sourceLineNo">708</span><a name="line.708"></a>
+<span class="sourceLineNo">709</span>  @Override<a name="line.709"></a>
+<span class="sourceLineNo">710</span>  public Result preIncrement(ObserverContext&lt;RegionCoprocessorEnvironment&gt; e, Increment increment)<a name="line.710"></a>
+<span class="sourceLineNo">711</span>      throws IOException {<a name="line.711"></a>
+<span class="sourceLineNo">712</span>    // If authorization is not enabled, we don't care about reserved tags<a name="line.712"></a>
+<span class="sourceLineNo">713</span>    if (!authorizationEnabled) {<a name="line.713"></a>
+<span class="sourceLineNo">714</span>      return null;<a name="line.714"></a>
+<span class="sourceLineNo">715</span>    }<a name="line.715"></a>
+<span class="sourceLineNo">716</span>    for (CellScanner cellScanner = increment.cellScanner(); cellScanner.advance();) {<a name="line.716"></a>
+<span class="sourceLineNo">717</span>      if (!checkForReservedVisibilityTagPresence(cellScanner.current())) {<a name="line.717"></a>
+<span class="sourceLineNo">718</span>        throw new FailedSanityCheckException("Increment contains cell with reserved type tag");<a name="line.718"></a>
+<span class="sourceLineNo">719</span>      }<a name="line.719"></a>
+<span class="sourceLineNo">720</span>    }<a name="line.720"></a>
+<span class="sourceLineNo">721</span>    return null;<a name="line.721"></a>
+<span class="sourceLineNo">722</span>  }<a name="line.722"></a>
+<span class="sourceLineNo">723</span><a name="line.723"></a>
+<span class="sourceLineNo">724</span>  @Override<a name="line.724"></a>
+<span class="sourceLineNo">725</span>  public Cell postMutationBeforeWAL(ObserverContext&lt;RegionCoprocessorEnvironment&gt; ctx,<a name="line.725"></a>
+<span class="sourceLineNo">726</span>      MutationType opType, Mutation mutation, Cell oldCell, Cell newCell) throws IOException {<a name="line.726"></a>
+<span class="sourceLineNo">727</span>    List&lt;Tag&gt; tags = Lists.newArrayList();<a name="line.727"></a>
+<span class="sourceLineNo">728</span>    CellVisibility cellVisibility = null;<a name="line.728"></a>
+<span class="sourceLineNo">729</span>    try {<a name="line.729"></a>
+<span class="sourceLineNo">730</span>      cellVisibility = mutation.getCellVisibility();<a name="line.730"></a>
+<span class="sourceLineNo">731</span>    } catch (DeserializationException e) {<a name="line.731"></a>
+<span class="sourceLineNo">732</span>      throw new IOException(e);<a name="line.732"></a>
+<span class="sourceLineNo">733</span>    }<a name="line.733"></a>
+<span class="sourceLineNo">734</span>    if (cellVisibility == null) {<a name="line.734"></a>
+<span class="sourceLineNo">735</span>      return newCell;<a name="line.735"></a>
+<span class="sourceLineNo">736</span>    }<a name="line.736"></a>
+<span class="sourceLineNo">737</span>    // Prepend new visibility tags to a new list of tags for the cell<a name="line.737"></a>
+<span class="sourceLineNo">738</span>    // Don't check user auths for labels with Mutations when the user is super user<a name="line.738"></a>
+<span class="sourceLineNo">739</span>    boolean authCheck = authorizationEnabled &amp;&amp; checkAuths &amp;&amp; !(isSystemOrSuperUser());<a name="line.739"></a>
+<span class="sourceLineNo">740</span>    tags.addAll(this.visibilityLabelService.createVisibilityExpTags(cellVisibility.getExpression(),<a name="line.740"></a>
+<span class="sourceLineNo">741</span>        true, authCheck));<a name="line.741"></a>
+<span class="sourceLineNo">742</span>    // Save an object allocation where we can<a name="line.742"></a>
+<span class="sourceLineNo">743</span>    if (newCell.getTagsLength() &gt; 0) {<a name="line.743"></a>
+<span class="sourceLineNo">744</span>      // Carry forward all other tags<a name="line.744"></a>
+<span class="sourceLineNo">745</span>      Iterator&lt;Tag&gt; tagsItr = CellUtil.tagsIterator(newCell.getTagsArray(),<a name="line.745"></a>
+<span class="sourceLineNo">746</span>          newCell.getTagsOffset(), newCell.getTagsLength());<a name="line.746"></a>
+<span class="sourceLineNo">747</span>      while (tagsItr.hasNext()) {<a name="line.747"></a>
+<span class="sourceLineNo">748</span>        Tag tag = tagsItr.next();<a name="line.748"></a>
+<span class="sourceLineNo">749</span>        if (tag.getType() != TagType.VISIBILITY_TAG_TYPE<a name="line.749"></a>
+<span class="sourceLineNo">750</span>            &amp;&amp; tag.getType() != TagType.VISIBILITY_EXP_SERIALIZATION_FORMAT_TAG_TYPE) {<a name="line.750"></a>
+<span class="sourceLineNo">751</span>          tags.add(tag);<a name="line.751"></a>
+<span class="sourceLineNo">752</span>        }<a name="line.752"></a>
+<span class="sourceLineNo">753</span>      }<a name="line.753"></a>
+<span class="sourceLineNo">754</span>    }<a name="line.754"></a>
+<span class="sourceLineNo">755</span><a name="line.755"></a>
+<span class="sourceLineNo">756</span>    Cell rewriteCell = new TagRewriteCell(newCell, Tag.fromList(tags));<a name="line.756"></a>
+<span class="sourceLineNo">757</span>    return rewriteCell;<a name="line.757"></a>
+<span class="sourceLineNo">758</span>  }<a name="line.758"></a>
+<span class="sourceLineNo">759</span><a name="line.759"></a>
+<span class="sourceLineNo">760</span>  @Override<a name="line.760"></a>
+<span class="sourceLineNo">761</span>  public Service getService() {<a name="line.761"></a>
+<span class="sourceLineNo">762</span>    return VisibilityLabelsProtos.VisibilityLabelsService.newReflectiveService(this);<a name="line.762"></a>
+<span class="sourceLineNo">763</span>  }<a name="line.763"></a>
+<span class="sourceLineNo">764</span><a name="line.764"></a>
+<span class="sourceLineNo">765</span>  @Override<a name="line.765"></a>
+<span class="sourceLineNo">766</span>  public boolean postScannerFilterRow(final ObserverContext&lt;RegionCoprocessorEnvironment&gt; e,<a name="line.766"></a>
+<span class="sourceLineNo">767</span>      final InternalScanner s, final Cell curRowCell, final boolean hasMore) throws IOException {<a name="line.767"></a>
+<span class="sourceLineNo">768</span>    // Impl in BaseRegionObserver might do unnecessary copy for Off heap backed Cells.<a name="line.768"></a>
+<span class="sourceLineNo">769</span>    return hasMore;<a name="line.769"></a>
+<span class="sourceLineNo">770</span>  }<a name="line.770"></a>
+<span class="sourceLineNo">771</span><a name="line.771"></a>
+<span class="sourceLineNo">772</span>  /****************************** VisibilityEndpoint service related methods ******************************/<a name="line.772"></a>
+<span class="sourceLineNo">773</span>  @Override<a name="line.773"></a>
+<span class="sourceLineNo">774</span>  public synchronized void addLabels(RpcController controller, VisibilityLabelsRequest request,<a name="line.774"></a>
+<span class="sourceLineNo">775</span>      RpcCallback&lt;VisibilityLabelsResponse&gt; done) {<a name="line.775"></a>
+<span class="sourceLineNo">776</span>    VisibilityLabelsResponse.Builder response = VisibilityLabelsResponse.newBuilder();<a name="line.776"></a>
+<span class="sourceLineNo">777</span>    List&lt;VisibilityLabel&gt; visLabels = request.getVisLabelList();<a name="line.777"></a>
+<span class="sourceLineNo">778</span>    if (!initialized) {<a name="line.778"></a>
+<span class="sourceLineNo">779</span>      setExceptionResults(visLabels.size(),<a name="line.779"></a>
+<span class="sourceLineNo">780</span>        new VisibilityControllerNotReadyException("VisibilityController not yet initialized!"),<a name="line.780"></a>
+<span class="sourceLineNo">781</span>        response);<a name="line.781"></a>
+<span class="sourceLineNo">782</span>    } else {<a name="line.782"></a>
+<span class="sourceLineNo">783</span>      List&lt;byte[]&gt; labels = new ArrayList&lt;byte[]&gt;(visLabels.size());<a name="line.783"></a>
+<span class="sourceLineNo">784</span>      try {<a name="line.784"></a>
+<span class="sourceLineNo">785</span>        if (authorizationEnabled) {<a name="line.785"></a>
+<span class="sourceLineNo">786</span>          checkCallingUserAuth();<a name="line.786"></a>
+<span class="sourceLineNo">787</span>        }<a name="line.787"></a>
+<span class="sourceLineNo">788</span>        RegionActionResult successResult = RegionActionResult.newBuilder().build();<a name="line.788"></a>
+<span class="sourceLineNo">789</span>        for (VisibilityLabel visLabel : visLabels) {<a name="line.789"></a>
+<span class="sourceLineNo">790</span>          byte[] label = visLabel.getLabel().toByteArray();<a name="line.790"></a>
+<span class="sourceLineNo">791</span>          labels.add(label);<a name="line.791"></a>
+<span class="sourceLineNo">792</span>          response.addResult(successResult); // Just mark as success. Later it will get reset<a name="line.792"></a>
+<span class="sourceLineNo">793</span>                                             // based on the result from<a name="line.793"></a>
+<span class="sourceLineNo">794</span>                                             // visibilityLabelService.addLabels ()<a name="line.794"></a>
+<span class="sourceLineNo">795</span>        }<a name="line.795"></a>
+<span class="sourceLineNo">796</span>        if (!labels.isEmpty()) {<a name="line.796"></a>
+<span class="sourceLineNo">797</span>          OperationStatus[] opStatus = this.visibilityLabelService.addLabels(labels);<a name="line.797"></a>
+<span class="sourceLineNo">798</span>          logResult(true, "addLabels", "Adding labels allowed", null, labels, null);<a name="line.798"></a>
+<span class="sourceLineNo">799</span>          int i = 0;<a name="line.799"></a>
+<span class="sourceLineNo">800</span>          for (OperationStatus status : opStatus) {<a name="line.800"></a>
+<span class="sourceLineNo">801</span>            while (response.getResult(i) != successResult)<a name="line.801"></a>
+<span class="sourceLineNo">802</span>              i++;<a name="line.802"></a>
+<span class="sourceLineNo">803</span>            if (status.getOperationStatusCode() != SUCCESS) {<a name="line.803"></a>
+<span class="sourceLineNo">804</span>              RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();<a name="line.804"></a>
+<span class="sourceLineNo">805</span>              failureResultBuilder.setException(ResponseConverter<a name="line.805"></a>
+<span class="sourceLineNo">806</span>                  .buildException(new DoNotRetryIOException(status.getExceptionMsg())));<a name="line.806"></a>
+<span class="sourceLineNo">807</span>              response.setResult(i, failureResultBuilder.build());<a name="line.807"></a>
+<span class="sourceLineNo">808</span>            }<a name="line.808"></a>
+<span class="sourceLineNo">809</span>            i++;<a name="line.809"></a>
+<span class="sourceLineNo">810</span>          }<a name="line.810"></a>
+<span class="sourceLineNo">811</span>        }<a name="line.811"></a>
+<span class="sourceLineNo">812</span>      } catch (AccessDeniedException e) {<a name="line.812"></a>
+<span class="sourceLineNo">813</span>        logResult(false, "addLabels", e.getMessage(), null, labels, null);<a name="line.813"></a>
+<span class="sourceLineNo">814</span>        LOG.error("User is not having required permissions to add labels", e);<a name="line.814"></a>
+<span class="sourceLineNo">815</span>        setExceptionResults(visLabels.size(), e, response);<a name="line.815"></a>
+<span class="sourceLineNo">816</span>      } catch (IOException e) {<a name="line.816"></a>
+<span class="sourceLineNo">817</span>        LOG.error(e);<a name="line.817"></a>
+<span class="sourceLineNo">818</span>        setExceptionResults(visLabels.size(), e, response);<a name="line.818"></a>
+<span class="sourceLineNo">819</span>      }<a name="line.819"></a>
+<span class="sourceLineNo">820</span>    }<a name="line.820"></a>
+<span class="sourceLineNo">821</span>    done.run(response.build());<a name="line.821"></a>
+<span class="sourceLineNo">822</span>  }<a name="line.822"></a>
+<span class="sourceLineNo">823</span><a name="line.823"></a>
+<span class="sourceLineNo">824</span>  private void setExceptionResults(int size, IOException e,<a name="line.824"></a>
+<span class="sourceLineNo">825</span>      VisibilityLabelsResponse.Builder response) {<a name="line.825"></a>
+<span class="sourceLineNo">826</span>    RegionActionResult.Builder failureResultBuilder = RegionActionResult.newBuilder();<a name="line.826"></a>
+<span class="sourceLineNo">827</span>    failureResultBuilder.setException(ResponseConverter.buildException(e));<a name="line.827"></a>
+<span class="sourceLineNo">828</span>    RegionActionResult failureResult = failureResultBuilder.build();<a name="line.828"></a>
+<span class="sourceLineNo">829</span>    for (int i = 0; i &lt; size; i++) {<a name="line.829"></a>
+<span class="sourceLineNo">830</span>      response.addResult(i, failureResult);<a name="line.830"></a>
+<span class="sourceLineNo">831</span>    }<a name="line.831"></a>
+<span class="sourceLineNo">832</span>  }<a name="line.832"></a>
+<span class="sourceLineNo">833</span><a name="line.833"></a>
+<span class="sourceLineNo">834</span>  @Override<a name="line.834"></a>

<TRUNCATED>

Mime
View raw message