hbase-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From te...@apache.org
Subject [2/3] hbase git commit: HBASE-19483 Add proper privilege check for rsgroup commands
Date Tue, 09 Jan 2018 16:11:23 GMT
http://git-wip-us.apache.org/repos/asf/hbase/blob/3fa3dcd9/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
index 602af91..5a3c883 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/AccessController.java
@@ -23,7 +23,6 @@ import com.google.protobuf.RpcCallback;
 import com.google.protobuf.RpcController;
 import com.google.protobuf.Service;
 import java.io.IOException;
-import java.net.InetAddress;
 import java.security.PrivilegedExceptionAction;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -96,7 +95,6 @@ import org.apache.hadoop.hbase.filter.FilterList;
 import org.apache.hadoop.hbase.io.hfile.HFile;
 import org.apache.hadoop.hbase.ipc.CoprocessorRpcUtils;
 import org.apache.hadoop.hbase.ipc.RpcServer;
-import org.apache.hadoop.hbase.net.Address;
 import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
 import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService;
@@ -186,10 +184,10 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
   private static final String TAG_CHECK_PASSED = "tag_check_passed";
   private static final byte[] TRUE = Bytes.toBytes(true);
 
-  TableAuthManager authManager = null;
+  private AccessChecker accessChecker;
 
   /** flags if we are running on a region of the _acl_ table */
-  boolean aclRegion = false;
+  private boolean aclRegion = false;
 
   /** defined only for Endpoint implementation, so it can have way to
    access region services */
@@ -204,19 +202,19 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
   /** Provider for mapping principal names to Users */
   private UserProvider userProvider;
 
-  /** if we are active, usually true, only not true if "hbase.security.authorization"
-   has been set to false in site configuration */
-  boolean authorizationEnabled;
+  /** if we are active, usually false, only true if "hbase.security.authorization"
+   has been set to true in site configuration */
+  private boolean authorizationEnabled;
 
   /** if we are able to support cell ACLs */
-  boolean cellFeaturesEnabled;
+  private boolean cellFeaturesEnabled;
 
   /** if we should check EXEC permissions */
-  boolean shouldCheckExecPermission;
+  private boolean shouldCheckExecPermission;
 
   /** if we should terminate access checks early as soon as table or CF grants
     allow access; pre-0.98 compatible behavior */
-  boolean compatibleEarlyTermination;
+  private boolean compatibleEarlyTermination;
 
   /** if we have been successfully initialized */
   private volatile boolean initialized = false;
@@ -224,12 +222,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
   /** if the ACL table is available, only relevant in the master */
   private volatile boolean aclTabAvailable = false;
 
-  public static boolean isAuthorizationSupported(Configuration conf) {
-    return conf.getBoolean(User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY, true);
-  }
-
   public static boolean isCellAuthorizationSupported(Configuration conf) {
-    return isAuthorizationSupported(conf) &&
+    return AccessChecker.isAuthorizationSupported(conf) &&
         (HFile.getFormatVersion(conf) >= HFile.MIN_FORMAT_VERSION_WITH_TAGS);
   }
 
@@ -238,10 +232,10 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
   }
 
   public TableAuthManager getAuthManager() {
-    return authManager;
+    return accessChecker.getAuthManager();
   }
 
-  void initialize(RegionCoprocessorEnvironment e) throws IOException {
+  private void initialize(RegionCoprocessorEnvironment e) throws IOException {
     final Region region = e.getRegion();
     Configuration conf = e.getConfiguration();
     Map<byte[], ListMultimap<String,TablePermission>> tables =
@@ -253,7 +247,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
       byte[] entry = t.getKey();
       ListMultimap<String,TablePermission> perms = t.getValue();
       byte[] serialized = AccessControlLists.writePermissionsAsBytes(perms, conf);
-      this.authManager.getZKPermissionWatcher().writeToZookeeper(entry, serialized);
+      getAuthManager().getZKPermissionWatcher().writeToZookeeper(entry, serialized);
     }
     initialized = true;
   }
@@ -263,7 +257,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
    * znodes.  This is called to synchronize ACL changes following {@code _acl_}
    * table updates.
    */
-  void updateACL(RegionCoprocessorEnvironment e,
+  private void updateACL(RegionCoprocessorEnvironment e,
       final Map<byte[], List<Cell>> familyMap) {
     Set<byte[]> entries = new TreeSet<>(Bytes.BYTES_RAWCOMPARATOR);
     for (Map.Entry<byte[], List<Cell>> f : familyMap.entrySet()) {
@@ -274,7 +268,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
         }
       }
     }
-    ZKPermissionWatcher zkw = this.authManager.getZKPermissionWatcher();
+    ZKPermissionWatcher zkw = getAuthManager().getZKPermissionWatcher();
     Configuration conf = regionEnv.getConfiguration();
     byte [] currentEntry = null;
     // TODO: Here we are already on the ACL region. (And it is single
@@ -312,7 +306,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
    * the request
    * @return an authorization result
    */
-  AuthResult permissionGranted(String request, User user, Action permRequest,
+  private AuthResult permissionGranted(String request, User user, Action permRequest,
       RegionCoprocessorEnvironment e,
       Map<byte [], ? extends Collection<?>> families) {
     RegionInfo hri = e.getRegion().getRegionInfo();
@@ -333,7 +327,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
     }
 
     // 2. check for the table-level, if successful we can short-circuit
-    if (authManager.authorize(user, tableName, (byte[])null, permRequest)) {
+    if (getAuthManager().authorize(user, tableName, (byte[])null, permRequest)) {
       return AuthResult.allow(request, "Table permission granted", user,
         permRequest, tableName, families);
     }
@@ -343,7 +337,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
       // all families must pass
       for (Map.Entry<byte [], ? extends Collection<?>> family : families.entrySet()) {
         // a) check for family level access
-        if (authManager.authorize(user, tableName, family.getKey(),
+        if (getAuthManager().authorize(user, tableName, family.getKey(),
             permRequest)) {
           continue;  // family-level permission overrides per-qualifier
         }
@@ -354,7 +348,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
             // for each qualifier of the family
             Set<byte[]> familySet = (Set<byte[]>)family.getValue();
             for (byte[] qualifier : familySet) {
-              if (!authManager.authorize(user, tableName, family.getKey(),
+              if (!getAuthManager().authorize(user, tableName, family.getKey(),
                                          qualifier, permRequest)) {
                 return AuthResult.deny(request, "Failed qualifier check", user,
                     permRequest, tableName, makeFamilyMap(family.getKey(), qualifier));
@@ -363,7 +357,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
           } else if (family.getValue() instanceof List) { // List<Cell>
             List<Cell> cellList = (List<Cell>)family.getValue();
             for (Cell cell : cellList) {
-              if (!authManager.authorize(user, tableName, family.getKey(),
+              if (!getAuthManager().authorize(user, tableName, family.getKey(),
                 CellUtil.cloneQualifier(cell), permRequest)) {
                 return AuthResult.deny(request, "Failed qualifier check", user, permRequest,
                   tableName, makeFamilyMap(family.getKey(), CellUtil.cloneQualifier(cell)));
@@ -398,7 +392,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
    * @param actions the desired actions
    * @return an authorization result
    */
-  AuthResult permissionGranted(OpType opType, User user, RegionCoprocessorEnvironment e,
+  private AuthResult permissionGranted(OpType opType, User user, RegionCoprocessorEnvironment e,
       Map<byte [], ? extends Collection<?>> families, Action... actions) {
     AuthResult result = null;
     for (Action action: actions) {
@@ -410,241 +404,61 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
     return result;
   }
 
-  private void logResult(AuthResult result) {
-    if (AUDITLOG.isTraceEnabled()) {
-      AUDITLOG.trace("Access " + (result.isAllowed() ? "allowed" : "denied") + " for user " +
-          (result.getUser() != null ? result.getUser().getShortName() : "UNKNOWN") + "; reason: " +
-          result.getReason() + "; remote address: " +
-          RpcServer.getRemoteAddress().map(InetAddress::toString).orElse("") + "; request: " +
-          result.getRequest() + "; context: " + result.toContextString());
-    }
+  public void requireAccess(ObserverContext<?> ctx, String request, TableName tableName,
+      Action... permissions) throws IOException {
+    accessChecker.requireAccess(getActiveUser(ctx), request, tableName, permissions);
   }
 
-  /**
-   * Returns the active user to which authorization checks should be applied.
-   * If we are in the context of an RPC call, the remote user is used,
-   * otherwise the currently logged in user is used.
-   */
-  private User getActiveUser(ObserverContext<?> ctx) throws IOException {
-    // for non-rpc handling, fallback to system user
-    Optional<User> optionalUser = ctx.getCaller();
-    User user;
-    if (optionalUser.isPresent()) {
-      return optionalUser.get();
-    }
-    return userProvider.getCurrent();
+  public void requirePermission(ObserverContext<?> ctx, String request,
+      Action perm) throws IOException {
+    accessChecker.requirePermission(getActiveUser(ctx), request, perm);
   }
 
-  /**
-   * Authorizes that the current user has any of the given permissions for the
-   * given table, column family and column qualifier.
-   * @param tableName Table requested
-   * @param family Column family requested
-   * @param qualifier Column qualifier requested
-   * @throws IOException if obtaining the current user fails
-   * @throws AccessDeniedException if user has no authorization
-   */
-  private void requirePermission(User user, String request, TableName tableName, byte[] family,
-      byte[] qualifier, Action... permissions) throws IOException {
-    AuthResult result = null;
-
-    for (Action permission : permissions) {
-      if (authManager.authorize(user, tableName, family, qualifier, permission)) {
-        result = AuthResult.allow(request, "Table permission granted", user,
-                                  permission, tableName, family, qualifier);
-        break;
-      } else {
-        // rest of the world
-        result = AuthResult.deny(request, "Insufficient permissions", user,
-                                 permission, tableName, family, qualifier);
-      }
-    }
-    logResult(result);
-    if (authorizationEnabled && !result.isAllowed()) {
-      throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
-    }
+  public void requireGlobalPermission(ObserverContext<?> ctx, String request,
+      Action perm, TableName tableName,
+      Map<byte[], ? extends Collection<byte[]>> familyMap) throws IOException {
+    accessChecker.requireGlobalPermission(getActiveUser(ctx),
+        request, perm,tableName, familyMap);
   }
 
-  /**
-   * Authorizes that the current user has any of the given permissions for the
-   * given table, column family and column qualifier.
-   * @param tableName Table requested
-   * @param family Column family param
-   * @param qualifier Column qualifier param
-   * @throws IOException if obtaining the current user fails
-   * @throws AccessDeniedException if user has no authorization
-   */
-  private void requireTablePermission(User user, String request, TableName tableName, byte[] family,
-      byte[] qualifier, Action... permissions) throws IOException {
-    AuthResult result = null;
-
-    for (Action permission : permissions) {
-      if (authManager.authorize(user, tableName, null, null, permission)) {
-        result = AuthResult.allow(request, "Table permission granted", user,
-            permission, tableName, null, null);
-        result.getParams().setFamily(family).setQualifier(qualifier);
-        break;
-      } else {
-        // rest of the world
-        result = AuthResult.deny(request, "Insufficient permissions", user,
-            permission, tableName, family, qualifier);
-        result.getParams().setFamily(family).setQualifier(qualifier);
-      }
-    }
-    logResult(result);
-    if (authorizationEnabled && !result.isAllowed()) {
-      throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
-    }
+  public void requireGlobalPermission(ObserverContext<?> ctx, String request,
+      Action perm, String namespace) throws IOException {
+    accessChecker.requireGlobalPermission(getActiveUser(ctx),
+        request, perm, namespace);
   }
 
-  /**
-   * Authorizes that the current user has any of the given permissions to access the table.
-   *
-   * @param tableName Table requested
-   * @param permissions Actions being requested
-   * @throws IOException if obtaining the current user fails
-   * @throws AccessDeniedException if user has no authorization
-   */
-  private void requireAccess(User user, String request, TableName tableName,
+  public void requireNamespacePermission(ObserverContext<?> ctx, String request, String namespace,
       Action... permissions) throws IOException {
-    AuthResult result = null;
-
-    for (Action permission : permissions) {
-      if (authManager.hasAccess(user, tableName, permission)) {
-        result = AuthResult.allow(request, "Table permission granted", user,
-                                  permission, tableName, null, null);
-        break;
-      } else {
-        // rest of the world
-        result = AuthResult.deny(request, "Insufficient permissions", user,
-                                 permission, tableName, null, null);
-      }
-    }
-    logResult(result);
-    if (authorizationEnabled && !result.isAllowed()) {
-      throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
-    }
+    accessChecker.requireNamespacePermission(getActiveUser(ctx),
+        request, namespace, permissions);
   }
 
-  /**
-   * Authorizes that the current user has global privileges for the given action.
-   * @param perm The action being requested
-   * @throws IOException if obtaining the current user fails
-   * @throws AccessDeniedException if authorization is denied
-   */
-  private void requirePermission(User user, String request, Action perm) throws IOException {
-    requireGlobalPermission(user, request, perm, null, null);
-  }
-
-  /**
-   * Checks that the user has the given global permission. The generated
-   * audit log message will contain context information for the operation
-   * being authorized, based on the given parameters.
-   * @param perm Action being requested
-   * @param tableName Affected table name.
-   * @param familyMap Affected column families.
-   */
-  private void requireGlobalPermission(User user, String request, Action perm, TableName tableName,
-      Map<byte[], ? extends Collection<byte[]>> familyMap) throws IOException {
-    AuthResult result = null;
-    if (authManager.authorize(user, perm)) {
-      result = AuthResult.allow(request, "Global check allowed", user, perm, tableName, familyMap);
-      result.getParams().setTableName(tableName).setFamilies(familyMap);
-      logResult(result);
-    } else {
-      result = AuthResult.deny(request, "Global check failed", user, perm, tableName, familyMap);
-      result.getParams().setTableName(tableName).setFamilies(familyMap);
-      logResult(result);
-      if (authorizationEnabled) {
-        throw new AccessDeniedException("Insufficient permissions for user '" +
-          (user != null ? user.getShortName() : "null") +"' (global, action=" +
-          perm.toString() + ")");
-      }
-    }
+  public void requireNamespacePermission(ObserverContext<?> ctx, String request, String namespace,
+      TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap,
+      Action... permissions) throws IOException {
+    accessChecker.requireNamespacePermission(getActiveUser(ctx),
+        request, namespace, tableName, familyMap,
+        permissions);
   }
 
-  /**
-   * Checks that the user has the given global permission. The generated
-   * audit log message will contain context information for the operation
-   * being authorized, based on the given parameters.
-   * @param perm Action being requested
-   * @param namespace
-   */
-  private void requireGlobalPermission(User user, String request, Action perm,
-                                       String namespace) throws IOException {
-    AuthResult authResult = null;
-    if (authManager.authorize(user, perm)) {
-      authResult = AuthResult.allow(request, "Global check allowed", user, perm, null);
-      authResult.getParams().setNamespace(namespace);
-      logResult(authResult);
-    } else {
-      authResult = AuthResult.deny(request, "Global check failed", user, perm, null);
-      authResult.getParams().setNamespace(namespace);
-      logResult(authResult);
-      if (authorizationEnabled) {
-        throw new AccessDeniedException("Insufficient permissions for user '" +
-          (user != null ? user.getShortName() : "null") +"' (global, action=" +
-          perm.toString() + ")");
-      }
-    }
+  public void requirePermission(ObserverContext<?> ctx, String request, TableName tableName,
+      byte[] family, byte[] qualifier, Action... permissions) throws IOException {
+    accessChecker.requirePermission(getActiveUser(ctx), request,
+        tableName, family, qualifier, permissions);
   }
 
-  /**
-   * Checks that the user has the given global or namespace permission.
-   * @param namespace
-   * @param permissions Actions being requested
-   */
-  public void requireNamespacePermission(User user, String request, String namespace,
+  public void requireTablePermission(ObserverContext<?> ctx, String request,
+      TableName tableName,byte[] family, byte[] qualifier,
       Action... permissions) throws IOException {
-    AuthResult result = null;
-
-    for (Action permission : permissions) {
-      if (authManager.authorize(user, namespace, permission)) {
-        result = AuthResult.allow(request, "Namespace permission granted",
-            user, permission, namespace);
-        break;
-      } else {
-        // rest of the world
-        result = AuthResult.deny(request, "Insufficient permissions", user,
-            permission, namespace);
-      }
-    }
-    logResult(result);
-    if (authorizationEnabled && !result.isAllowed()) {
-      throw new AccessDeniedException("Insufficient permissions "
-          + result.toContextString());
-    }
+    accessChecker.requireTablePermission(getActiveUser(ctx),
+        request, tableName, family, qualifier, permissions);
   }
 
-  /**
-   * Checks that the user has the given global or namespace permission.
-   * @param namespace
-   * @param permissions Actions being requested
-   */
-  public void requireNamespacePermission(User user, String request, String namespace,
-      TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap,
-      Action... permissions)
+  public void checkLockPermissions(ObserverContext<?> ctx, String namespace,
+      TableName tableName, RegionInfo[] regionInfos, String reason)
       throws IOException {
-    AuthResult result = null;
-
-    for (Action permission : permissions) {
-      if (authManager.authorize(user, namespace, permission)) {
-        result = AuthResult.allow(request, "Namespace permission granted",
-            user, permission, namespace);
-        result.getParams().setTableName(tableName).setFamilies(familyMap);
-        break;
-      } else {
-        // rest of the world
-        result = AuthResult.deny(request, "Insufficient permissions", user,
-            permission, namespace);
-        result.getParams().setTableName(tableName).setFamilies(familyMap);
-      }
-    }
-    logResult(result);
-    if (authorizationEnabled && !result.isAllowed()) {
-      throw new AccessDeniedException("Insufficient permissions "
-          + result.toContextString());
-    }
+    accessChecker.checkLockPermissions(getActiveUser(ctx),
+        namespace, tableName, regionInfos, reason);
   }
 
   /**
@@ -669,13 +483,13 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
           familyMap.entrySet()) {
         if (family.getValue() != null && !family.getValue().isEmpty()) {
           for (byte[] qualifier : family.getValue()) {
-            if (authManager.matchPermission(user, tableName,
+            if (getAuthManager().matchPermission(user, tableName,
                 family.getKey(), qualifier, perm)) {
               return true;
             }
           }
         } else {
-          if (authManager.matchPermission(user, tableName, family.getKey(),
+          if (getAuthManager().matchPermission(user, tableName, family.getKey(),
               perm)) {
             return true;
           }
@@ -865,7 +679,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
           foundColumn = true;
           for (Action action: actions) {
             // Are there permissions for this user for the cell?
-            if (!authManager.authorize(user, getTableName(e), cell, action)) {
+            if (!getAuthManager().authorize(user, getTableName(e), cell, action)) {
               // We can stop if the cell ACL denies access
               return false;
             }
@@ -940,7 +754,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
     CompoundConfiguration conf = new CompoundConfiguration();
     conf.add(env.getConfiguration());
 
-    authorizationEnabled = isAuthorizationSupported(conf);
+    authorizationEnabled = AccessChecker.isAuthorizationSupported(conf);
     if (!authorizationEnabled) {
       LOG.warn("The AccessController has been loaded with authorization checks disabled.");
     }
@@ -980,27 +794,13 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 
     // set the user-provider.
     this.userProvider = UserProvider.instantiate(env.getConfiguration());
-
-    // If zk is null or IOException while obtaining auth manager,
-    // throw RuntimeException so that the coprocessor is unloaded.
-    if (zk != null) {
-      try {
-        this.authManager = TableAuthManager.getOrCreate(zk, env.getConfiguration());
-      } catch (IOException ioe) {
-        throw new RuntimeException("Error obtaining TableAuthManager", ioe);
-      }
-    } else {
-      throw new RuntimeException("Error obtaining TableAuthManager, zk found null.");
-    }
-
+    accessChecker = new AccessChecker(env.getConfiguration(), zk);
     tableAcls = new MapMaker().weakValues().makeMap();
   }
 
   @Override
   public void stop(CoprocessorEnvironment env) {
-    if (this.authManager != null) {
-      TableAuthManager.release(authManager);
-    }
+    TableAuthManager.release(getAuthManager());
   }
 
   /*********************************** Observer/Service Getters ***********************************/
@@ -1045,7 +845,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
     for (byte[] family: families) {
       familyMap.put(family, null);
     }
-    requireNamespacePermission(getActiveUser(c), "createTable",
+    requireNamespacePermission(c, "createTable",
         desc.getTableName().getNamespaceAsString(), desc.getTableName(), familyMap, Action.CREATE);
   }
 
@@ -1102,8 +902,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
   @Override
   public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName)
       throws IOException {
-    requirePermission(getActiveUser(c), "deleteTable", tableName, null, null,
-        Action.ADMIN, Action.CREATE);
+    requirePermission(c, "deleteTable",
+        tableName, null, null, Action.ADMIN, Action.CREATE);
   }
 
   @Override
@@ -1120,14 +920,14 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
         return null;
       }
     });
-    this.authManager.getZKPermissionWatcher().deleteTableACLNode(tableName);
+    getAuthManager().getZKPermissionWatcher().deleteTableACLNode(tableName);
   }
 
   @Override
   public void preTruncateTable(ObserverContext<MasterCoprocessorEnvironment> c,
       final TableName tableName) throws IOException {
-    requirePermission(getActiveUser(c), "truncateTable", tableName, null, null,
-        Action.ADMIN, Action.CREATE);
+    requirePermission(c, "truncateTable",
+        tableName, null, null, Action.ADMIN, Action.CREATE);
 
     final Configuration conf = c.getEnvironment().getConfiguration();
     User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
@@ -1168,8 +968,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
   public void preModifyTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName,
       TableDescriptor htd) throws IOException {
     // TODO: potentially check if this is a add/modify/delete column operation
-    requirePermission(getActiveUser(c), "modifyTable", tableName, null, null,
-        Action.ADMIN, Action.CREATE);
+    requirePermission(c, "modifyTable",
+        tableName, null, null, Action.ADMIN, Action.CREATE);
   }
 
   @Override
@@ -1196,8 +996,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
   @Override
   public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> c, TableName tableName)
       throws IOException {
-    requirePermission(getActiveUser(c), "enableTable", tableName, null, null,
-        Action.ADMIN, Action.CREATE);
+    requirePermission(c, "enableTable",
+        tableName, null, null, Action.ADMIN, Action.CREATE);
   }
 
   @Override
@@ -1211,14 +1011,14 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
       throw new AccessDeniedException("Not allowed to disable "
           + AccessControlLists.ACL_TABLE_NAME + " table with AccessController installed");
     }
-    requirePermission(getActiveUser(c), "disableTable", tableName, null, null,
-        Action.ADMIN, Action.CREATE);
+    requirePermission(c, "disableTable",
+        tableName, null, null, Action.ADMIN, Action.CREATE);
   }
 
   @Override
   public void preAbortProcedure(ObserverContext<MasterCoprocessorEnvironment> ctx,
       final long procId) throws IOException {
-    requirePermission(getActiveUser(ctx), "abortProcedure", Action.ADMIN);
+    requirePermission(ctx, "abortProcedure", Action.ADMIN);
   }
 
   @Override
@@ -1230,74 +1030,73 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
   @Override
   public void preGetProcedures(ObserverContext<MasterCoprocessorEnvironment> ctx)
       throws IOException {
-    requirePermission(getActiveUser(ctx), "getProcedure", Action.ADMIN);
+    requirePermission(ctx, "getProcedure", Action.ADMIN);
   }
 
   @Override
   public void preGetLocks(ObserverContext<MasterCoprocessorEnvironment> ctx)
       throws IOException {
     User user = getActiveUser(ctx);
-    requirePermission(user, "getLocks", Action.ADMIN);
+    accessChecker.requirePermission(user, "getLocks", Action.ADMIN);
   }
 
   @Override
   public void preMove(ObserverContext<MasterCoprocessorEnvironment> c, RegionInfo region,
       ServerName srcServer, ServerName destServer) throws IOException {
-    requirePermission(getActiveUser(c), "move", region.getTable(), null, null, Action.ADMIN);
+    requirePermission(c, "move",
+        region.getTable(), null, null, Action.ADMIN);
   }
 
   @Override
   public void preAssign(ObserverContext<MasterCoprocessorEnvironment> c, RegionInfo regionInfo)
       throws IOException {
-    requirePermission(getActiveUser(c), "assign", regionInfo.getTable(), null, null, Action.ADMIN);
+    requirePermission(c, "assign",
+        regionInfo.getTable(), null, null, Action.ADMIN);
   }
 
   @Override
   public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> c, RegionInfo regionInfo,
       boolean force) throws IOException {
-    requirePermission(getActiveUser(c), "unassign", regionInfo.getTable(), null, null, Action.ADMIN);
+    requirePermission(c, "unassign",
+        regionInfo.getTable(), null, null, Action.ADMIN);
   }
 
   @Override
   public void preRegionOffline(ObserverContext<MasterCoprocessorEnvironment> c,
       RegionInfo regionInfo) throws IOException {
-    requirePermission(getActiveUser(c), "regionOffline", regionInfo.getTable(), null, null,
-        Action.ADMIN);
+    requirePermission(c, "regionOffline",
+        regionInfo.getTable(), null, null, Action.ADMIN);
   }
 
   @Override
   public void preSetSplitOrMergeEnabled(final ObserverContext<MasterCoprocessorEnvironment> ctx,
       final boolean newValue, final MasterSwitchType switchType) throws IOException {
-    requirePermission(getActiveUser(ctx), "setSplitOrMergeEnabled", Action.ADMIN);
-  }
-
-  @Override
-  public void postSetSplitOrMergeEnabled(final ObserverContext<MasterCoprocessorEnvironment> ctx,
-      final boolean newValue, final MasterSwitchType switchType) throws IOException {
+    requirePermission(ctx, "setSplitOrMergeEnabled",
+        Action.ADMIN);
   }
 
   @Override
   public void preBalance(ObserverContext<MasterCoprocessorEnvironment> c)
       throws IOException {
-    requirePermission(getActiveUser(c), "balance", Action.ADMIN);
+    requirePermission(c, "balance", Action.ADMIN);
   }
 
   @Override
   public void preBalanceSwitch(ObserverContext<MasterCoprocessorEnvironment> c,
       boolean newValue) throws IOException {
-    requirePermission(getActiveUser(c), "balanceSwitch", Action.ADMIN);
+    requirePermission(c, "balanceSwitch", Action.ADMIN);
   }
 
   @Override
   public void preShutdown(ObserverContext<MasterCoprocessorEnvironment> c)
       throws IOException {
-    requirePermission(getActiveUser(c), "shutdown", Action.ADMIN);
+    requirePermission(c, "shutdown", Action.ADMIN);
   }
 
   @Override
   public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> c)
       throws IOException {
-    requirePermission(getActiveUser(c), "stopMaster", Action.ADMIN);
+    requirePermission(c, "stopMaster", Action.ADMIN);
   }
 
   @Override
@@ -1335,8 +1134,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
   public void preSnapshot(final ObserverContext<MasterCoprocessorEnvironment> ctx,
       final SnapshotDescription snapshot, final TableDescriptor hTableDescriptor)
       throws IOException {
-    requirePermission(getActiveUser(ctx), "snapshot " + snapshot.getName(), hTableDescriptor.getTableName(), null, null,
-      Permission.Action.ADMIN);
+    requirePermission(ctx, "snapshot " + snapshot.getName(),
+        hTableDescriptor.getTableName(), null, null, Permission.Action.ADMIN);
   }
 
   @Override
@@ -1347,9 +1146,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
       // list it, if user is the owner of snapshot
       AuthResult result = AuthResult.allow("listSnapshot " + snapshot.getName(),
           "Snapshot owner check allowed", user, null, null, null);
-      logResult(result);
+      AccessChecker.logResult(result);
     } else {
-      requirePermission(user, "listSnapshot " + snapshot.getName(), Action.ADMIN);
+      accessChecker.requirePermission(user, "listSnapshot " + snapshot.getName(), Action.ADMIN);
     }
   }
 
@@ -1363,9 +1162,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
       // Snapshot owner is allowed to create a table with the same name as the snapshot he took
       AuthResult result = AuthResult.allow("cloneSnapshot " + snapshot.getName(),
         "Snapshot owner check allowed", user, null, hTableDescriptor.getTableName(), null);
-      logResult(result);
+      AccessChecker.logResult(result);
     } else {
-      requirePermission(user, "cloneSnapshot " + snapshot.getName(), Action.ADMIN);
+      accessChecker.requirePermission(user, "cloneSnapshot " + snapshot.getName(), Action.ADMIN);
     }
   }
 
@@ -1375,10 +1174,10 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
       throws IOException {
     User user = getActiveUser(ctx);
     if (SnapshotDescriptionUtils.isSnapshotOwner(snapshot, user)) {
-      requirePermission(user, "restoreSnapshot " + snapshot.getName(), hTableDescriptor.getTableName(), null, null,
-        Permission.Action.ADMIN);
+      accessChecker.requirePermission(user, "restoreSnapshot " + snapshot.getName(),
+          hTableDescriptor.getTableName(), null, null, Permission.Action.ADMIN);
     } else {
-      requirePermission(user, "restoreSnapshot " + snapshot.getName(), Action.ADMIN);
+      accessChecker.requirePermission(user, "restoreSnapshot " + snapshot.getName(), Action.ADMIN);
     }
   }
 
@@ -1390,22 +1189,24 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
       // Snapshot owner is allowed to delete the snapshot
       AuthResult result = AuthResult.allow("deleteSnapshot " + snapshot.getName(),
           "Snapshot owner check allowed", user, null, null, null);
-      logResult(result);
+      AccessChecker.logResult(result);
     } else {
-      requirePermission(user, "deleteSnapshot " + snapshot.getName(), Action.ADMIN);
+      accessChecker.requirePermission(user, "deleteSnapshot " + snapshot.getName(), Action.ADMIN);
     }
   }
 
   @Override
   public void preCreateNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx,
       NamespaceDescriptor ns) throws IOException {
-    requireGlobalPermission(getActiveUser(ctx), "createNamespace", Action.ADMIN, ns.getName());
+    requireGlobalPermission(ctx, "createNamespace",
+        Action.ADMIN, ns.getName());
   }
 
   @Override
   public void preDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx, String namespace)
       throws IOException {
-    requireGlobalPermission(getActiveUser(ctx), "deleteNamespace", Action.ADMIN, namespace);
+    requireGlobalPermission(ctx, "deleteNamespace",
+        Action.ADMIN, namespace);
   }
 
   @Override
@@ -1422,7 +1223,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
         return null;
       }
     });
-    this.authManager.getZKPermissionWatcher().deleteNamespaceACLNode(namespace);
+    getAuthManager().getZKPermissionWatcher().deleteNamespaceACLNode(namespace);
     LOG.info(namespace + " entry deleted in " + AccessControlLists.ACL_TABLE_NAME + " table.");
   }
 
@@ -1431,13 +1232,15 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
       NamespaceDescriptor ns) throws IOException {
     // We require only global permission so that
     // a user with NS admin cannot altering namespace configurations. i.e. namespace quota
-    requireGlobalPermission(getActiveUser(ctx), "modifyNamespace", Action.ADMIN, ns.getName());
+    requireGlobalPermission(ctx, "modifyNamespace",
+        Action.ADMIN, ns.getName());
   }
 
   @Override
   public void preGetNamespaceDescriptor(ObserverContext<MasterCoprocessorEnvironment> ctx, String namespace)
       throws IOException {
-    requireNamespacePermission(getActiveUser(ctx), "getNamespaceDescriptor", namespace, Action.ADMIN);
+    requireNamespacePermission(ctx, "getNamespaceDescriptor",
+        namespace, Action.ADMIN);
   }
 
   @Override
@@ -1450,7 +1253,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
     while (itr.hasNext()) {
       NamespaceDescriptor desc = itr.next();
       try {
-        requireNamespacePermission(user, "listNamespaces", desc.getName(), Action.ADMIN);
+        accessChecker.requireNamespacePermission(user, "listNamespaces",
+            desc.getName(), Action.ADMIN);
       } catch (AccessDeniedException e) {
         itr.remove();
       }
@@ -1460,8 +1264,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
   @Override
   public void preTableFlush(final ObserverContext<MasterCoprocessorEnvironment> ctx,
       final TableName tableName) throws IOException {
-    requirePermission(getActiveUser(ctx), "flushTable", tableName, null, null,
-        Action.ADMIN, Action.CREATE);
+    requirePermission(ctx, "flushTable", tableName,
+        null, null, Action.ADMIN, Action.CREATE);
   }
 
   @Override
@@ -1469,29 +1273,33 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
       final ObserverContext<MasterCoprocessorEnvironment> ctx,
       final TableName tableName,
       final byte[] splitRow) throws IOException {
-    requirePermission(getActiveUser(ctx), "split", tableName, null, null, Action.ADMIN);
+    requirePermission(ctx, "split", tableName,
+        null, null, Action.ADMIN);
   }
 
   @Override
-  public void preClearDeadServers(ObserverContext<MasterCoprocessorEnvironment> ctx) throws IOException {
-    requirePermission(getActiveUser(ctx), "clearDeadServers", Action.ADMIN);
+  public void preClearDeadServers(ObserverContext<MasterCoprocessorEnvironment> ctx)
+      throws IOException {
+    requirePermission(ctx, "clearDeadServers", Action.ADMIN);
   }
 
   @Override
   public void preDecommissionRegionServers(ObserverContext<MasterCoprocessorEnvironment> ctx,
       List<ServerName> servers, boolean offload) throws IOException {
-    requirePermission(getActiveUser(ctx), "decommissionRegionServers", Action.ADMIN);
+    requirePermission(ctx, "decommissionRegionServers", Action.ADMIN);
   }
 
   @Override
-  public void preListDecommissionedRegionServers(ObserverContext<MasterCoprocessorEnvironment> ctx) throws IOException {
-    requirePermission(getActiveUser(ctx), "listDecommissionedRegionServers", Action.ADMIN);
+  public void preListDecommissionedRegionServers(ObserverContext<MasterCoprocessorEnvironment> ctx)
+      throws IOException {
+    requirePermission(ctx, "listDecommissionedRegionServers",
+        Action.ADMIN);
   }
 
   @Override
   public void preRecommissionRegionServer(ObserverContext<MasterCoprocessorEnvironment> ctx,
       ServerName server, List<byte[]> encodedRegionNames) throws IOException {
-    requirePermission(getActiveUser(ctx), "recommissionRegionServers", Action.ADMIN);
+    requirePermission(ctx, "recommissionRegionServers", Action.ADMIN);
   }
 
   /* ---- RegionObserver implementation ---- */
@@ -1508,7 +1316,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
       if (regionInfo.getTable().isSystemTable()) {
         checkSystemOrSuperUser(getActiveUser(c));
       } else {
-        requirePermission(getActiveUser(c), "preOpen", Action.ADMIN);
+        requirePermission(c, "preOpen", Action.ADMIN);
       }
     }
   }
@@ -1538,16 +1346,16 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
   @Override
   public void preFlush(ObserverContext<RegionCoprocessorEnvironment> c,
       FlushLifeCycleTracker tracker) throws IOException {
-    requirePermission(getActiveUser(c), "flush", getTableName(c.getEnvironment()), null, null,
-      Action.ADMIN, Action.CREATE);
+    requirePermission(c, "flush", getTableName(c.getEnvironment()),
+        null, null, Action.ADMIN, Action.CREATE);
   }
 
   @Override
   public InternalScanner preCompact(ObserverContext<RegionCoprocessorEnvironment> c, Store store,
       InternalScanner scanner, ScanType scanType, CompactionLifeCycleTracker tracker,
       CompactionRequest request) throws IOException {
-    requirePermission(getActiveUser(c), "compact", getTableName(c.getEnvironment()), null, null,
-      Action.ADMIN, Action.CREATE);
+    requirePermission(c, "compact", getTableName(c.getEnvironment()),
+        null, null, Action.ADMIN, Action.CREATE);
     return scanner;
   }
 
@@ -1594,7 +1402,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
           authResult.setReason("Access allowed with filter");
           // Only wrap the filter if we are enforcing authorizations
           if (authorizationEnabled) {
-            Filter ourFilter = new AccessControlFilter(authManager, user, table,
+            Filter ourFilter = new AccessControlFilter(getAuthManager(), user, table,
               AccessControlFilter.Strategy.CHECK_TABLE_AND_CF_ONLY,
               cfVsMaxVersions);
             // wrap any existing filter
@@ -1624,7 +1432,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
         authResult.setReason("Access allowed with filter");
         // Only wrap the filter if we are enforcing authorizations
         if (authorizationEnabled) {
-          Filter ourFilter = new AccessControlFilter(authManager, user, table,
+          Filter ourFilter = new AccessControlFilter(getAuthManager(), user, table,
             AccessControlFilter.Strategy.CHECK_CELL_DEFAULT, cfVsMaxVersions);
           // wrap any existing filter
           if (filter != null) {
@@ -1646,7 +1454,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
       }
     }
 
-    logResult(authResult);
+    AccessChecker.logResult(authResult);
     if (authorizationEnabled && !authResult.isAllowed()) {
       throw new AccessDeniedException("Insufficient permissions for user '"
           + (user != null ? user.getShortName() : "null")
@@ -1682,8 +1490,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
     // security policy over time without requiring expensive updates.
     RegionCoprocessorEnvironment env = c.getEnvironment();
     Map<byte[],? extends Collection<Cell>> families = put.getFamilyCellMap();
-    AuthResult authResult = permissionGranted(OpType.PUT, user, env, families, Action.WRITE);
-    logResult(authResult);
+    AuthResult authResult = permissionGranted(OpType.PUT,
+        user, env, families, Action.WRITE);
+    AccessChecker.logResult(authResult);
     if (!authResult.isAllowed()) {
       if (cellFeaturesEnabled && !compatibleEarlyTermination) {
         put.setAttribute(CHECK_COVERING_PERM, TRUE);
@@ -1727,8 +1536,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
     RegionCoprocessorEnvironment env = c.getEnvironment();
     Map<byte[],? extends Collection<Cell>> families = delete.getFamilyCellMap();
     User user = getActiveUser(c);
-    AuthResult authResult = permissionGranted(OpType.DELETE, user, env, families, Action.WRITE);
-    logResult(authResult);
+    AuthResult authResult = permissionGranted(OpType.DELETE,
+        user, env, families, Action.WRITE);
+    AccessChecker.logResult(authResult);
     if (!authResult.isAllowed()) {
       if (cellFeaturesEnabled && !compatibleEarlyTermination) {
         delete.setAttribute(CHECK_COVERING_PERM, TRUE);
@@ -1766,7 +1576,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
             authResult = AuthResult.deny(opType.toString(), "Covering cell set",
               user, Action.WRITE, table, m.getFamilyCellMap());
           }
-          logResult(authResult);
+          AccessChecker.logResult(authResult);
           if (authorizationEnabled && !authResult.isAllowed()) {
             throw new AccessDeniedException("Insufficient permissions "
               + authResult.toContextString());
@@ -1797,9 +1607,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
     // Require READ and WRITE permissions on the table, CF, and KV to update
     RegionCoprocessorEnvironment env = c.getEnvironment();
     Map<byte[],? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);
-    AuthResult authResult = permissionGranted(OpType.CHECK_AND_PUT, user, env, families,
-      Action.READ, Action.WRITE);
-    logResult(authResult);
+    AuthResult authResult = permissionGranted(OpType.CHECK_AND_PUT,
+        user, env, families, Action.READ, Action.WRITE);
+    AccessChecker.logResult(authResult);
     if (!authResult.isAllowed()) {
       if (cellFeaturesEnabled && !compatibleEarlyTermination) {
         put.setAttribute(CHECK_COVERING_PERM, TRUE);
@@ -1822,10 +1632,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 
   @Override
   public boolean preCheckAndPutAfterRowLock(final ObserverContext<RegionCoprocessorEnvironment> c,
-                                            final byte[] row, final byte[] family, final byte[] qualifier,
-                                            final CompareOperator opp, final ByteArrayComparable comparator, final Put put,
-                                            final boolean result)
-  throws IOException {
+      final byte[] row, final byte[] family, final byte[] qualifier,
+      final CompareOperator opp, final ByteArrayComparable comparator, final Put put,
+      final boolean result) throws IOException {
     if (put.getAttribute(CHECK_COVERING_PERM) != null) {
       // We had failure with table, cf and q perm checks and now giving a chance for cell
       // perm check
@@ -1835,13 +1644,13 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
       User user = getActiveUser(c);
       if (checkCoveringPermission(user, OpType.CHECK_AND_PUT, c.getEnvironment(), row, families,
           HConstants.LATEST_TIMESTAMP, Action.READ)) {
-        authResult = AuthResult.allow(OpType.CHECK_AND_PUT.toString(), "Covering cell set",
-            user, Action.READ, table, families);
+        authResult = AuthResult.allow(OpType.CHECK_AND_PUT.toString(),
+            "Covering cell set", user, Action.READ, table, families);
       } else {
-        authResult = AuthResult.deny(OpType.CHECK_AND_PUT.toString(), "Covering cell set",
-            user, Action.READ, table, families);
+        authResult = AuthResult.deny(OpType.CHECK_AND_PUT.toString(),
+            "Covering cell set", user, Action.READ, table, families);
       }
-      logResult(authResult);
+      AccessChecker.logResult(authResult);
       if (authorizationEnabled && !authResult.isAllowed()) {
         throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());
       }
@@ -1865,9 +1674,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
     RegionCoprocessorEnvironment env = c.getEnvironment();
     Map<byte[],? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);
     User user = getActiveUser(c);
-    AuthResult authResult = permissionGranted(OpType.CHECK_AND_DELETE, user, env, families,
-        Action.READ, Action.WRITE);
-    logResult(authResult);
+    AuthResult authResult = permissionGranted(
+        OpType.CHECK_AND_DELETE, user, env, families, Action.READ, Action.WRITE);
+    AccessChecker.logResult(authResult);
     if (!authResult.isAllowed()) {
       if (cellFeaturesEnabled && !compatibleEarlyTermination) {
         delete.setAttribute(CHECK_COVERING_PERM, TRUE);
@@ -1881,8 +1690,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 
   @Override
   public boolean preCheckAndDeleteAfterRowLock(
-      final ObserverContext<RegionCoprocessorEnvironment> c, final byte[] row, final byte[] family,
-      final byte[] qualifier, final CompareOperator op,
+      final ObserverContext<RegionCoprocessorEnvironment> c, final byte[] row,
+      final byte[] family, final byte[] qualifier, final CompareOperator op,
       final ByteArrayComparable comparator, final Delete delete, final boolean result)
       throws IOException {
     if (delete.getAttribute(CHECK_COVERING_PERM) != null) {
@@ -1892,15 +1701,15 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
       Map<byte[], ? extends Collection<byte[]>> families = makeFamilyMap(family, qualifier);
       AuthResult authResult = null;
       User user = getActiveUser(c);
-      if (checkCoveringPermission(user, OpType.CHECK_AND_DELETE, c.getEnvironment(), row, families,
-          HConstants.LATEST_TIMESTAMP, Action.READ)) {
-        authResult = AuthResult.allow(OpType.CHECK_AND_DELETE.toString(), "Covering cell set",
-            user, Action.READ, table, families);
+      if (checkCoveringPermission(user, OpType.CHECK_AND_DELETE, c.getEnvironment(),
+          row, families, HConstants.LATEST_TIMESTAMP, Action.READ)) {
+        authResult = AuthResult.allow(OpType.CHECK_AND_DELETE.toString(),
+            "Covering cell set", user, Action.READ, table, families);
       } else {
-        authResult = AuthResult.deny(OpType.CHECK_AND_DELETE.toString(), "Covering cell set",
-            user, Action.READ, table, families);
+        authResult = AuthResult.deny(OpType.CHECK_AND_DELETE.toString(),
+            "Covering cell set", user, Action.READ, table, families);
       }
-      logResult(authResult);
+      AccessChecker.logResult(authResult);
       if (authorizationEnabled && !authResult.isAllowed()) {
         throw new AccessDeniedException("Insufficient permissions " + authResult.toContextString());
       }
@@ -1917,8 +1726,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
     // Require WRITE permission to the table, CF, and the KV to be appended
     RegionCoprocessorEnvironment env = c.getEnvironment();
     Map<byte[],? extends Collection<Cell>> families = append.getFamilyCellMap();
-    AuthResult authResult = permissionGranted(OpType.APPEND, user, env, families, Action.WRITE);
-    logResult(authResult);
+    AuthResult authResult = permissionGranted(OpType.APPEND, user,
+        env, families, Action.WRITE);
+    AccessChecker.logResult(authResult);
     if (!authResult.isAllowed()) {
       if (cellFeaturesEnabled && !compatibleEarlyTermination) {
         append.setAttribute(CHECK_COVERING_PERM, TRUE);
@@ -1951,13 +1761,13 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
       User user = getActiveUser(c);
       if (checkCoveringPermission(user, OpType.APPEND, c.getEnvironment(), append.getRow(),
           append.getFamilyCellMap(), append.getTimeRange().getMax(), Action.WRITE)) {
-        authResult = AuthResult.allow(OpType.APPEND.toString(), "Covering cell set",
-            user, Action.WRITE, table, append.getFamilyCellMap());
+        authResult = AuthResult.allow(OpType.APPEND.toString(),
+            "Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap());
       } else {
-        authResult = AuthResult.deny(OpType.APPEND.toString(), "Covering cell set",
-            user, Action.WRITE, table, append.getFamilyCellMap());
+        authResult = AuthResult.deny(OpType.APPEND.toString(),
+            "Covering cell set", user, Action.WRITE, table, append.getFamilyCellMap());
       }
-      logResult(authResult);
+      AccessChecker.logResult(authResult);
       if (authorizationEnabled && !authResult.isAllowed()) {
         throw new AccessDeniedException("Insufficient permissions " +
           authResult.toContextString());
@@ -1977,9 +1787,9 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
     // the incremented value
     RegionCoprocessorEnvironment env = c.getEnvironment();
     Map<byte[],? extends Collection<Cell>> families = increment.getFamilyCellMap();
-    AuthResult authResult = permissionGranted(OpType.INCREMENT, user, env, families,
-      Action.WRITE);
-    logResult(authResult);
+    AuthResult authResult = permissionGranted(OpType.INCREMENT,
+        user, env, families, Action.WRITE);
+    AccessChecker.logResult(authResult);
     if (!authResult.isAllowed()) {
       if (cellFeaturesEnabled && !compatibleEarlyTermination) {
         increment.setAttribute(CHECK_COVERING_PERM, TRUE);
@@ -2018,7 +1828,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
         authResult = AuthResult.deny(OpType.INCREMENT.toString(), "Covering cell set",
             user, Action.WRITE, table, increment.getFamilyCellMap());
       }
-      logResult(authResult);
+      AccessChecker.logResult(authResult);
       if (authorizationEnabled && !authResult.isAllowed()) {
         throw new AccessDeniedException("Insufficient permissions " +
           authResult.toContextString());
@@ -2156,7 +1966,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
       List<Pair<byte[], String>> familyPaths) throws IOException {
     User user = getActiveUser(ctx);
     for(Pair<byte[],String> el : familyPaths) {
-      requirePermission(user, "preBulkLoadHFile",
+      accessChecker.requirePermission(user, "preBulkLoadHFile",
           ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(),
           el.getFirst(),
           null,
@@ -2173,7 +1983,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
   @Override
   public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx)
   throws IOException {
-    requireAccess(getActiveUser(ctx), "prePrepareBulkLoad",
+    requireAccess(ctx, "prePrepareBulkLoad",
         ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.CREATE);
   }
 
@@ -2186,7 +1996,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
   @Override
   public void preCleanupBulkLoad(ObserverContext<RegionCoprocessorEnvironment> ctx)
   throws IOException {
-    requireAccess(getActiveUser(ctx), "preCleanupBulkLoad",
+    requireAccess(ctx, "preCleanupBulkLoad",
         ctx.getEnvironment().getRegion().getTableDescriptor().getTableName(), Action.CREATE);
   }
 
@@ -2198,7 +2008,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
     // Don't intercept calls to our own AccessControlService, we check for
     // appropriate permissions in the service handlers
     if (shouldCheckExecPermission && !(service instanceof AccessControlService)) {
-      requirePermission(getActiveUser(ctx),
+      requirePermission(ctx,
           "invoke(" + service.getDescriptorForType().getName() + "." + methodName + ")",
           getTableName(ctx.getEnvironment()), null, null,
           Action.EXEC);
@@ -2215,8 +2025,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 
   @Override
   public void grant(RpcController controller,
-                    AccessControlProtos.GrantRequest request,
-                    RpcCallback<AccessControlProtos.GrantResponse> done) {
+      AccessControlProtos.GrantRequest request,
+      RpcCallback<AccessControlProtos.GrantResponse> done) {
     final UserPermission perm = AccessControlUtil.toUserPermission(request.getUserPermission());
     AccessControlProtos.GrantResponse response = null;
     try {
@@ -2233,11 +2043,12 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
         switch(request.getUserPermission().getPermission().getType()) {
           case Global :
           case Table :
-            requirePermission(caller, "grant", perm.getTableName(),
+            accessChecker.requirePermission(caller, "grant", perm.getTableName(),
                 perm.getFamily(), perm.getQualifier(), Action.ADMIN);
             break;
           case Namespace :
-            requireNamespacePermission(caller, "grant", perm.getNamespace(), Action.ADMIN);
+            accessChecker.requireNamespacePermission(caller, "grant", perm.getNamespace(),
+                Action.ADMIN);
            break;
         }
 
@@ -2272,8 +2083,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 
   @Override
   public void revoke(RpcController controller,
-                     AccessControlProtos.RevokeRequest request,
-                     RpcCallback<AccessControlProtos.RevokeResponse> done) {
+      AccessControlProtos.RevokeRequest request,
+      RpcCallback<AccessControlProtos.RevokeResponse> done) {
     final UserPermission perm = AccessControlUtil.toUserPermission(request.getUserPermission());
     AccessControlProtos.RevokeResponse response = null;
     try {
@@ -2290,11 +2101,12 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
         switch(request.getUserPermission().getPermission().getType()) {
           case Global :
           case Table :
-            requirePermission(caller, "revoke", perm.getTableName(), perm.getFamily(),
+            accessChecker.requirePermission(caller, "revoke", perm.getTableName(), perm.getFamily(),
               perm.getQualifier(), Action.ADMIN);
             break;
           case Namespace :
-            requireNamespacePermission(caller, "revoke", perm.getNamespace(), Action.ADMIN);
+            accessChecker.requireNamespacePermission(caller, "revoke", perm.getNamespace(),
+                Action.ADMIN);
             break;
         }
 
@@ -2328,8 +2140,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 
   @Override
   public void getUserPermissions(RpcController controller,
-                                 AccessControlProtos.GetUserPermissionsRequest request,
-                                 RpcCallback<AccessControlProtos.GetUserPermissionsResponse> done) {
+      AccessControlProtos.GetUserPermissionsRequest request,
+      RpcCallback<AccessControlProtos.GetUserPermissionsResponse> done) {
     AccessControlProtos.GetUserPermissionsResponse response = null;
     try {
       // only allowed to be called on _acl_ region
@@ -2343,7 +2155,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
         if (request.getType() == AccessControlProtos.Permission.Type.Table) {
           final TableName table = request.hasTableName() ?
             ProtobufUtil.toTableName(request.getTableName()) : null;
-          requirePermission(caller, "userPermissions", table, null, null, Action.ADMIN);
+          accessChecker.requirePermission(caller, "userPermissions",
+              table, null, null, Action.ADMIN);
           perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
             @Override
             public List<UserPermission> run() throws Exception {
@@ -2352,7 +2165,8 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
           });
         } else if (request.getType() == AccessControlProtos.Permission.Type.Namespace) {
           final String namespace = request.getNamespaceName().toStringUtf8();
-          requireNamespacePermission(caller, "userPermissions", namespace, Action.ADMIN);
+          accessChecker.requireNamespacePermission(caller, "userPermissions",
+              namespace, Action.ADMIN);
           perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
             @Override
             public List<UserPermission> run() throws Exception {
@@ -2361,7 +2175,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
             }
           });
         } else {
-          requirePermission(caller, "userPermissions", Action.ADMIN);
+          accessChecker.requirePermission(caller, "userPermissions", Action.ADMIN);
           perms = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
             @Override
             public List<UserPermission> run() throws Exception {
@@ -2426,7 +2240,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 
             AuthResult result = permissionGranted("checkPermissions", user, action, regionEnv,
               familyMap);
-            logResult(result);
+            AccessChecker.logResult(result);
             if (!result.isAllowed()) {
               // Even if passive we need to throw an exception here, we support checking
               // effective permissions, so throw unconditionally
@@ -2441,14 +2255,14 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
 
           for (Action action : permission.getActions()) {
             AuthResult result;
-            if (authManager.authorize(user, action)) {
+            if (getAuthManager().authorize(user, action)) {
               result = AuthResult.allow("checkPermissions", "Global action allowed", user,
                 action, null, null);
             } else {
               result = AuthResult.deny("checkPermissions", "Global action denied", user, action,
                 null, null);
             }
-            logResult(result);
+            AccessChecker.logResult(result);
             if (!result.isAllowed()) {
               // Even if passive we need to throw an exception here, we support checking
               // effective permissions, so throw unconditionally
@@ -2488,7 +2302,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
   @Override
   public void preClose(ObserverContext<RegionCoprocessorEnvironment> c, boolean abortRequested)
       throws IOException {
-    requirePermission(getActiveUser(c), "preClose", Action.ADMIN);
+    requirePermission(c, "preClose", Action.ADMIN);
   }
 
   private void checkSystemOrSuperUser(User activeUser) throws IOException {
@@ -2506,7 +2320,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
   public void preStopRegionServer(
       ObserverContext<RegionServerCoprocessorEnvironment> ctx)
       throws IOException {
-    requirePermission(getActiveUser(ctx), "preStopRegionServer", Action.ADMIN);
+    requirePermission(ctx, "preStopRegionServer", Action.ADMIN);
   }
 
   private Map<byte[], ? extends Collection<byte[]>> makeFamilyMap(byte[] family,
@@ -2536,7 +2350,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
         for (TableName tableName: tableNamesList) {
           // Skip checks for a table that does not exist
           if (!admin.tableExists(tableName)) continue;
-          requirePermission(getActiveUser(ctx), "getTableDescriptors", tableName, null, null,
+          requirePermission(ctx, "getTableDescriptors", tableName, null, null,
             Action.ADMIN, Action.CREATE);
         }
       }
@@ -2558,7 +2372,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
     while (itr.hasNext()) {
       TableDescriptor htd = itr.next();
       try {
-        requirePermission(getActiveUser(ctx), "getTableDescriptors", htd.getTableName(), null, null,
+        requirePermission(ctx, "getTableDescriptors", htd.getTableName(), null, null,
             Action.ADMIN, Action.CREATE);
       } catch (AccessDeniedException e) {
         itr.remove();
@@ -2574,7 +2388,7 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
     while (itr.hasNext()) {
       TableDescriptor htd = itr.next();
       try {
-        requireAccess(getActiveUser(ctx), "getTableNames", htd.getTableName(), Action.values());
+        requireAccess(ctx, "getTableNames", htd.getTableName(), Action.values());
       } catch (AccessDeniedException e) {
         itr.remove();
       }
@@ -2584,14 +2398,14 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
   @Override
   public void preMergeRegions(final ObserverContext<MasterCoprocessorEnvironment> ctx,
                               final RegionInfo[] regionsToMerge) throws IOException {
-    requirePermission(getActiveUser(ctx), "mergeRegions", regionsToMerge[0].getTable(), null, null,
+    requirePermission(ctx, "mergeRegions", regionsToMerge[0].getTable(), null, null,
       Action.ADMIN);
   }
 
   @Override
   public void preRollWALWriterRequest(ObserverContext<RegionServerCoprocessorEnvironment> ctx)
       throws IOException {
-    requirePermission(getActiveUser(ctx), "preRollLogWriterRequest", Permission.Action.ADMIN);
+    requirePermission(ctx, "preRollLogWriterRequest", Permission.Action.ADMIN);
   }
 
   @Override
@@ -2601,33 +2415,33 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
   @Override
   public void preSetUserQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,
       final String userName, final GlobalQuotaSettings quotas) throws IOException {
-    requirePermission(getActiveUser(ctx), "setUserQuota", Action.ADMIN);
+    requirePermission(ctx, "setUserQuota", Action.ADMIN);
   }
 
   @Override
   public void preSetUserQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,
       final String userName, final TableName tableName, final GlobalQuotaSettings quotas)
           throws IOException {
-    requirePermission(getActiveUser(ctx), "setUserTableQuota", tableName, null, null, Action.ADMIN);
+    requirePermission(ctx, "setUserTableQuota", tableName, null, null, Action.ADMIN);
   }
 
   @Override
   public void preSetUserQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,
       final String userName, final String namespace, final GlobalQuotaSettings quotas)
           throws IOException {
-    requirePermission(getActiveUser(ctx), "setUserNamespaceQuota", Action.ADMIN);
+    requirePermission(ctx, "setUserNamespaceQuota", Action.ADMIN);
   }
 
   @Override
   public void preSetTableQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,
       final TableName tableName, final GlobalQuotaSettings quotas) throws IOException {
-    requirePermission(getActiveUser(ctx), "setTableQuota", tableName, null, null, Action.ADMIN);
+    requirePermission(ctx, "setTableQuota", tableName, null, null, Action.ADMIN);
   }
 
   @Override
   public void preSetNamespaceQuota(final ObserverContext<MasterCoprocessorEnvironment> ctx,
       final String namespace, final GlobalQuotaSettings quotas) throws IOException {
-    requirePermission(getActiveUser(ctx), "setNamespaceQuota", Action.ADMIN);
+    requirePermission(ctx, "setNamespaceQuota", Action.ADMIN);
   }
 
   @Override
@@ -2639,98 +2453,56 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
   @Override
   public void preReplicateLogEntries(ObserverContext<RegionServerCoprocessorEnvironment> ctx)
       throws IOException {
-    requirePermission(getActiveUser(ctx), "replicateLogEntries", Action.WRITE);
+    requirePermission(ctx, "replicateLogEntries", Action.WRITE);
   }
 
   @Override
   public void  preClearCompactionQueues(ObserverContext<RegionServerCoprocessorEnvironment> ctx)
           throws IOException {
-    requirePermission(getActiveUser(ctx), "preClearCompactionQueues", Permission.Action.ADMIN);
-  }
-
-  @Override
-  public void preMoveServersAndTables(ObserverContext<MasterCoprocessorEnvironment> ctx,
-      Set<Address> servers, Set<TableName> tables, String targetGroup) throws IOException {
-    requirePermission(getActiveUser(ctx), "moveServersAndTables", Action.ADMIN);
-  }
-
-  @Override
-  public void preMoveServers(ObserverContext<MasterCoprocessorEnvironment> ctx,
-                             Set<Address> servers, String targetGroup) throws IOException {
-    requirePermission(getActiveUser(ctx), "moveServers", Action.ADMIN);
-  }
-
-  @Override
-  public void preMoveTables(ObserverContext<MasterCoprocessorEnvironment> ctx,
-                            Set<TableName> tables, String targetGroup) throws IOException {
-    requirePermission(getActiveUser(ctx), "moveTables", Action.ADMIN);
-  }
-
-  @Override
-  public void preAddRSGroup(ObserverContext<MasterCoprocessorEnvironment> ctx,
-                            String name) throws IOException {
-    requirePermission(getActiveUser(ctx), "addRSGroup", Action.ADMIN);
-  }
-
-  @Override
-  public void preRemoveRSGroup(ObserverContext<MasterCoprocessorEnvironment> ctx,
-                               String name) throws IOException {
-    requirePermission(getActiveUser(ctx), "removeRSGroup", Action.ADMIN);
-  }
-
-  @Override
-  public void preBalanceRSGroup(ObserverContext<MasterCoprocessorEnvironment> ctx,
-                                String groupName) throws IOException {
-    requirePermission(getActiveUser(ctx), "balanceRSGroup", Action.ADMIN);
-  }
-
-  @Override
-  public void preRemoveServers(ObserverContext<MasterCoprocessorEnvironment> ctx,
-      Set<Address> servers) throws IOException {
-    requirePermission(getActiveUser(ctx), "removeServers", Action.ADMIN);
+    requirePermission(ctx, "preClearCompactionQueues", Permission.Action.ADMIN);
   }
 
   @Override
   public void preAddReplicationPeer(final ObserverContext<MasterCoprocessorEnvironment> ctx,
       String peerId, ReplicationPeerConfig peerConfig) throws IOException {
-    requirePermission(getActiveUser(ctx), "addReplicationPeer", Action.ADMIN);
+    requirePermission(ctx, "addReplicationPeer", Action.ADMIN);
   }
 
   @Override
   public void preRemoveReplicationPeer(final ObserverContext<MasterCoprocessorEnvironment> ctx,
       String peerId) throws IOException {
-    requirePermission(getActiveUser(ctx), "removeReplicationPeer", Action.ADMIN);
+    requirePermission(ctx, "removeReplicationPeer", Action.ADMIN);
   }
 
   @Override
   public void preEnableReplicationPeer(final ObserverContext<MasterCoprocessorEnvironment> ctx,
       String peerId) throws IOException {
-    requirePermission(getActiveUser(ctx), "enableReplicationPeer", Action.ADMIN);
+    requirePermission(ctx, "enableReplicationPeer", Action.ADMIN);
   }
 
   @Override
   public void preDisableReplicationPeer(final ObserverContext<MasterCoprocessorEnvironment> ctx,
       String peerId) throws IOException {
-    requirePermission(getActiveUser(ctx), "disableReplicationPeer", Action.ADMIN);
+    requirePermission(ctx, "disableReplicationPeer", Action.ADMIN);
   }
 
   @Override
   public void preGetReplicationPeerConfig(final ObserverContext<MasterCoprocessorEnvironment> ctx,
       String peerId) throws IOException {
-    requirePermission(getActiveUser(ctx), "getReplicationPeerConfig", Action.ADMIN);
+    requirePermission(ctx, "getReplicationPeerConfig", Action.ADMIN);
   }
 
   @Override
   public void preUpdateReplicationPeerConfig(
       final ObserverContext<MasterCoprocessorEnvironment> ctx, String peerId,
       ReplicationPeerConfig peerConfig) throws IOException {
-    requirePermission(getActiveUser(ctx), "updateReplicationPeerConfig", Action.ADMIN);
+    requirePermission(ctx, "updateReplicationPeerConfig", Action.ADMIN);
   }
 
   @Override
   public void preListReplicationPeers(final ObserverContext<MasterCoprocessorEnvironment> ctx,
       String regex) throws IOException {
-    requirePermission(getActiveUser(ctx), "listReplicationPeers", Action.ADMIN);
+    requirePermission(ctx, "listReplicationPeers", Action.ADMIN);
   }
 
   @Override
@@ -2740,27 +2512,26 @@ public class AccessController implements MasterCoprocessor, RegionCoprocessor,
     // There are operations in the CREATE and ADMIN domain which may require lock, READ
     // or WRITE. So for any lock request, we check for these two perms irrespective of lock type.
     String reason = String.format("Description=%s", description);
-    checkLockPermissions(getActiveUser(ctx), namespace, tableName, regionInfos, reason);
+    checkLockPermissions(ctx, namespace, tableName, regionInfos, reason);
   }
 
   @Override
   public void preLockHeartbeat(ObserverContext<MasterCoprocessorEnvironment> ctx,
       TableName tableName, String description) throws IOException {
-    checkLockPermissions(getActiveUser(ctx), null, tableName, null, description);
+    checkLockPermissions(ctx, null, tableName, null, description);
   }
 
-  private void checkLockPermissions(User user, String namespace,
-      TableName tableName, RegionInfo[] regionInfos, String reason)
-  throws IOException {
-    if (namespace != null && !namespace.isEmpty()) {
-      requireNamespacePermission(user, reason, namespace, Action.ADMIN, Action.CREATE);
-    } else if (tableName != null || (regionInfos != null && regionInfos.length > 0)) {
-      // So, either a table or regions op. If latter, check perms ons table.
-      TableName tn = tableName != null? tableName: regionInfos[0].getTable();
-      requireTablePermission(user, reason, tn, null, null,
-          Action.ADMIN, Action.CREATE);
-    } else {
-      throw new DoNotRetryIOException("Invalid lock level when requesting permissions.");
+  /**
+   * Returns the active user to which authorization checks should be applied.
+   * If we are in the context of an RPC call, the remote user is used,
+   * otherwise the currently logged in user is used.
+   */
+  public User getActiveUser(ObserverContext<?> ctx) throws IOException {
+    // for non-rpc handling, fallback to system user
+    Optional<User> optionalUser = ctx.getCaller();
+    if (optionalUser.isPresent()) {
+      return optionalUser.get();
     }
+    return userProvider.getCurrent();
   }
 }

http://git-wip-us.apache.org/repos/asf/hbase/blob/3fa3dcd9/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java
index 41a4dd3..76feff4 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/TableAuthManager.java
@@ -754,7 +754,7 @@ public class TableAuthManager implements Closeable {
   }
 
   @VisibleForTesting
-  static int getTotalRefCount() {
+  public static int getTotalRefCount() {
     int total = 0;
     for (int count : refCount.values()) {
       total += count;

http://git-wip-us.apache.org/repos/asf/hbase/blob/3fa3dcd9/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java
index d4b8e58..1ba6029 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java
@@ -105,6 +105,7 @@ import org.apache.hadoop.hbase.regionserver.querymatcher.DeleteTracker;
 import org.apache.hadoop.hbase.security.AccessDeniedException;
 import org.apache.hadoop.hbase.security.Superusers;
 import org.apache.hadoop.hbase.security.User;
+import org.apache.hadoop.hbase.security.access.AccessChecker;
 import org.apache.hadoop.hbase.security.access.AccessController;
 import org.apache.hbase.thirdparty.com.google.common.collect.Lists;
 import org.apache.hbase.thirdparty.com.google.common.collect.MapMaker;
@@ -141,8 +142,8 @@ public class VisibilityController implements MasterCoprocessor, RegionCoprocesso
 
   private VisibilityLabelService visibilityLabelService;
 
-  /** if we are active, usually true, only not true if "hbase.security.authorization"
-    has been set to false in site configuration */
+  /** if we are active, usually false, only true if "hbase.security.authorization"
+    has been set to true in site configuration */
   boolean authorizationEnabled;
 
   // Add to this list if there are any reserved tag types
@@ -153,19 +154,15 @@ public class VisibilityController implements MasterCoprocessor, RegionCoprocesso
     RESERVED_VIS_TAG_TYPES.add(TagType.STRING_VIS_TAG_TYPE);
   }
 
-  public static boolean isAuthorizationSupported(Configuration conf) {
-    return conf.getBoolean(User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY, true);
-  }
-
   public static boolean isCellAuthorizationSupported(Configuration conf) {
-    return isAuthorizationSupported(conf);
+    return AccessChecker.isAuthorizationSupported(conf);
   }
 
   @Override
   public void start(CoprocessorEnvironment env) throws IOException {
     this.conf = env.getConfiguration();
 
-    authorizationEnabled = isAuthorizationSupported(conf);
+    authorizationEnabled = AccessChecker.isAuthorizationSupported(conf);
     if (!authorizationEnabled) {
       LOG.warn("The VisibilityController has been loaded with authorization checks disabled.");
     }

http://git-wip-us.apache.org/repos/asf/hbase/blob/3fa3dcd9/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
index 8bf792b..407ebf9 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/SecureTestUtil.java
@@ -106,6 +106,7 @@ public class SecureTestUtil {
     conf.set(CoprocessorHost.REGIONSERVER_COPROCESSOR_CONF_KEY, AccessController.class.getName());
     // Need HFile V3 for tags for security features
     conf.setInt(HFile.FORMAT_VERSION_KEY, 3);
+    conf.set(User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY, "true");
     configureSuperuser(conf);
   }
 
@@ -129,6 +130,11 @@ public class SecureTestUtil {
     if (conf.getInt(HFile.FORMAT_VERSION_KEY, 2) < HFile.MIN_FORMAT_VERSION_WITH_TAGS) {
       throw new RuntimeException("Post 0.96 security features require HFile version >= 3");
     }
+
+    if (!conf.getBoolean(User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY, false)) {
+      throw new RuntimeException("Post 2.0.0 security features require set "
+          + User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY + " to true");
+    }
   }
 
   public static void checkTablePerms(Configuration conf, TableName table, byte[] family, byte[] column,

http://git-wip-us.apache.org/repos/asf/hbase/blob/3fa3dcd9/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
index 2435532..be1b0e4 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/access/TestAccessController.java
@@ -2839,81 +2839,6 @@ public class TestAccessController extends SecureTestUtil {
   }
 
   @Test
-  public void testMoveServers() throws Exception {
-    AccessTestAction action1 = new AccessTestAction() {
-      @Override
-      public Object run() throws Exception {
-        ACCESS_CONTROLLER.preMoveServers(ObserverContextImpl.createAndPrepare(CP_ENV),
-            null, null);
-        return null;
-      }
-    };
-
-    verifyAllowed(action1, SUPERUSER, USER_ADMIN);
-    verifyDenied(action1, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
-  }
-
-  @Test
-  public void testMoveTables() throws Exception {
-    AccessTestAction action1 = new AccessTestAction() {
-      @Override
-      public Object run() throws Exception {
-        ACCESS_CONTROLLER.preMoveTables(ObserverContextImpl.createAndPrepare(CP_ENV),
-            null, null);
-        return null;
-      }
-    };
-
-    verifyAllowed(action1, SUPERUSER, USER_ADMIN);
-    verifyDenied(action1, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
-  }
-
-  @Test
-  public void testAddGroup() throws Exception {
-    AccessTestAction action1 = new AccessTestAction() {
-      @Override
-      public Object run() throws Exception {
-        ACCESS_CONTROLLER.preAddRSGroup(ObserverContextImpl.createAndPrepare(CP_ENV),
-            null);
-        return null;
-      }
-    };
-
-    verifyAllowed(action1, SUPERUSER, USER_ADMIN);
-    verifyDenied(action1, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
-  }
-
-  @Test
-  public void testRemoveGroup() throws Exception {
-    AccessTestAction action1 = new AccessTestAction() {
-      @Override
-      public Object run() throws Exception {
-        ACCESS_CONTROLLER.preRemoveRSGroup(ObserverContextImpl.createAndPrepare(CP_ENV),
-            null);
-        return null;
-      }
-    };
-
-    verifyAllowed(action1, SUPERUSER, USER_ADMIN);
-    verifyDenied(action1, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
-  }
-
-  @Test
-  public void testBalanceGroup() throws Exception {
-    AccessTestAction action1 = new AccessTestAction() {
-      @Override
-      public Object run() throws Exception {
-        ACCESS_CONTROLLER.preBalanceRSGroup(ObserverContextImpl.createAndPrepare(CP_ENV),
-            null);
-        return null;
-      }
-    };
-
-    verifyAllowed(action1, SUPERUSER, USER_ADMIN);
-    verifyDenied(action1, USER_CREATE, USER_RW, USER_RO, USER_NONE, USER_OWNER);
-  }
-
-  @Test
   public void testAddReplicationPeer() throws Exception {
     AccessTestAction action = new AccessTestAction() {
       @Override

http://git-wip-us.apache.org/repos/asf/hbase/blob/3fa3dcd9/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/VisibilityTestUtil.java
----------------------------------------------------------------------
diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/VisibilityTestUtil.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/VisibilityTestUtil.java
index 7dbe256..4e2c4b7 100644
--- a/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/VisibilityTestUtil.java
+++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/security/visibility/VisibilityTestUtil.java
@@ -14,7 +14,7 @@ import java.io.IOException;
 
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;
-
+import org.apache.hadoop.hbase.security.User;
 
 /**
  * Utility methods for testing visibility labels.
@@ -23,6 +23,7 @@ public class VisibilityTestUtil {
 
   public static void enableVisiblityLabels(Configuration conf) throws IOException {
     conf.setInt("hfile.format.version", 3);
+    conf.setBoolean(User.HBASE_SECURITY_AUTHORIZATION_CONF_KEY, true);
     appendCoprocessor(conf, CoprocessorHost.MASTER_COPROCESSOR_CONF_KEY,
       VisibilityController.class.getName());
     appendCoprocessor(conf, CoprocessorHost.REGION_COPROCESSOR_CONF_KEY,


Mime
View raw message