package org.apache.hudi.org.apache.hadoop.hbase.security.access;

import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.NavigableSet;
import java.util.Optional;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import java.util.stream.Collectors;
import org.apache.hadoop.conf.Configuration;
import org.apache.hudi.com.google.protobuf.Message;
import org.apache.hudi.com.google.protobuf.RpcCallback;
import org.apache.hudi.com.google.protobuf.RpcController;
import org.apache.hudi.com.google.protobuf.Service;
import org.apache.hudi.common.model.HoodieWriteStat;
import org.apache.hudi.org.apache.hadoop.hbase.ArrayBackedTag;
import org.apache.hudi.org.apache.hadoop.hbase.Cell;
import org.apache.hudi.org.apache.hadoop.hbase.CellScanner;
import org.apache.hudi.org.apache.hadoop.hbase.CellUtil;
import org.apache.hudi.org.apache.hadoop.hbase.CompareOperator;
import org.apache.hudi.org.apache.hadoop.hbase.CompoundConfiguration;
import org.apache.hudi.org.apache.hadoop.hbase.CoprocessorEnvironment;
import org.apache.hudi.org.apache.hadoop.hbase.DoNotRetryIOException;
import org.apache.hudi.org.apache.hadoop.hbase.HBaseInterfaceAudience;
import org.apache.hudi.org.apache.hadoop.hbase.KeyValue;
import org.apache.hudi.org.apache.hadoop.hbase.NamespaceDescriptor;
import org.apache.hudi.org.apache.hadoop.hbase.PrivateCellUtil;
import org.apache.hudi.org.apache.hadoop.hbase.ServerName;
import org.apache.hudi.org.apache.hadoop.hbase.TableName;
import org.apache.hudi.org.apache.hadoop.hbase.Tag;
import org.apache.hudi.org.apache.hadoop.hbase.client.Admin;
import org.apache.hudi.org.apache.hadoop.hbase.client.Append;
import org.apache.hudi.org.apache.hadoop.hbase.client.ColumnFamilyDescriptor;
import org.apache.hudi.org.apache.hadoop.hbase.client.ColumnFamilyDescriptorBuilder;
import org.apache.hudi.org.apache.hadoop.hbase.client.Delete;
import org.apache.hudi.org.apache.hadoop.hbase.client.Durability;
import org.apache.hudi.org.apache.hadoop.hbase.client.Get;
import org.apache.hudi.org.apache.hadoop.hbase.client.Increment;
import org.apache.hudi.org.apache.hadoop.hbase.client.MasterSwitchType;
import org.apache.hudi.org.apache.hadoop.hbase.client.Mutation;
import org.apache.hudi.org.apache.hadoop.hbase.client.Put;
import org.apache.hudi.org.apache.hadoop.hbase.client.Query;
import org.apache.hudi.org.apache.hadoop.hbase.client.RegionInfo;
import org.apache.hudi.org.apache.hadoop.hbase.client.Result;
import org.apache.hudi.org.apache.hadoop.hbase.client.Scan;
import org.apache.hudi.org.apache.hadoop.hbase.client.SnapshotDescription;
import org.apache.hudi.org.apache.hadoop.hbase.client.Table;
import org.apache.hudi.org.apache.hadoop.hbase.client.TableDescriptor;
import org.apache.hudi.org.apache.hadoop.hbase.client.TableDescriptorBuilder;
import org.apache.hudi.org.apache.hadoop.hbase.coprocessor.BulkLoadObserver;
import org.apache.hudi.org.apache.hadoop.hbase.coprocessor.CoprocessorException;
import org.apache.hudi.org.apache.hadoop.hbase.coprocessor.CoreCoprocessor;
import org.apache.hudi.org.apache.hadoop.hbase.coprocessor.EndpointObserver;
import org.apache.hudi.org.apache.hadoop.hbase.coprocessor.HasMasterServices;
import org.apache.hudi.org.apache.hadoop.hbase.coprocessor.HasRegionServerServices;
import org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterCoprocessor;
import org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
import org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver;
import org.apache.hudi.org.apache.hadoop.hbase.coprocessor.ObserverContext;
import org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionCoprocessor;
import org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
import org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver;
import org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionServerCoprocessor;
import org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionServerCoprocessorEnvironment;
import org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionServerObserver;
import org.apache.hudi.org.apache.hadoop.hbase.filter.ByteArrayComparable;
import org.apache.hudi.org.apache.hadoop.hbase.filter.Filter;
import org.apache.hudi.org.apache.hadoop.hbase.filter.FilterList;
import org.apache.hudi.org.apache.hadoop.hbase.io.hfile.HFile;
import org.apache.hudi.org.apache.hadoop.hbase.ipc.CoprocessorRpcUtils;
import org.apache.hudi.org.apache.hadoop.hbase.ipc.RpcServer;
import org.apache.hudi.org.apache.hadoop.hbase.master.MasterServices;
import org.apache.hudi.org.apache.hadoop.hbase.master.MetricsAssignmentManagerSource;
import org.apache.hudi.org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hudi.org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
import org.apache.hudi.org.apache.hadoop.hbase.quotas.GlobalQuotaSettings;
import org.apache.hudi.org.apache.hadoop.hbase.regionserver.BloomType;
import org.apache.hudi.org.apache.hadoop.hbase.regionserver.FlushLifeCycleTracker;
import org.apache.hudi.org.apache.hadoop.hbase.regionserver.InternalScanner;
import org.apache.hudi.org.apache.hadoop.hbase.regionserver.MetricsRegionServerSource;
import org.apache.hudi.org.apache.hadoop.hbase.regionserver.MiniBatchOperationInProgress;
import org.apache.hudi.org.apache.hadoop.hbase.regionserver.Region;
import org.apache.hudi.org.apache.hadoop.hbase.regionserver.RegionScanner;
import org.apache.hudi.org.apache.hadoop.hbase.regionserver.RegionServerServices;
import org.apache.hudi.org.apache.hadoop.hbase.regionserver.ScanType;
import org.apache.hudi.org.apache.hadoop.hbase.regionserver.ScannerContext;
import org.apache.hudi.org.apache.hadoop.hbase.regionserver.Store;
import org.apache.hudi.org.apache.hadoop.hbase.regionserver.compactions.CompactionLifeCycleTracker;
import org.apache.hudi.org.apache.hadoop.hbase.regionserver.compactions.CompactionRequest;
import org.apache.hudi.org.apache.hadoop.hbase.replication.ReplicationEndpoint;
import org.apache.hudi.org.apache.hadoop.hbase.replication.ReplicationPeerConfig;
import org.apache.hudi.org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hudi.org.apache.hadoop.hbase.security.Superusers;
import org.apache.hudi.org.apache.hadoop.hbase.security.User;
import org.apache.hudi.org.apache.hadoop.hbase.security.UserProvider;
import org.apache.hudi.org.apache.hadoop.hbase.security.access.AccessControlFilter;
import org.apache.hudi.org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hudi.org.apache.hadoop.hbase.security.visibility.VisibilityConstants;
import org.apache.hudi.org.apache.hadoop.hbase.shaded.protobuf.ResponseConverter;
import org.apache.hudi.org.apache.hadoop.hbase.snapshot.SnapshotDescriptionUtils;
import org.apache.hudi.org.apache.hadoop.hbase.util.Bytes;
import org.apache.hudi.org.apache.hadoop.hbase.util.EnvironmentEdgeManager;
import org.apache.hudi.org.apache.hadoop.hbase.util.Pair;
import org.apache.hudi.org.apache.hadoop.hbase.util.SimpleMutableByteRange;
import org.apache.hudi.org.apache.hadoop.hbase.wal.WALEdit;
import org.apache.hudi.org.apache.hbase.thirdparty.com.google.common.collect.ImmutableSet;
import org.apache.hudi.org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap;
import org.apache.hudi.org.apache.hbase.thirdparty.com.google.common.collect.Lists;
import org.apache.hudi.org.apache.hbase.thirdparty.com.google.common.collect.MapMaker;
import org.apache.hudi.org.apache.hbase.thirdparty.com.google.common.collect.Maps;
import org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.LimitedPrivate({HBaseInterfaceAudience.CONFIG})
@CoreCoprocessor
/* loaded from: input_file:org/apache/hudi/org/apache/hadoop/hbase/security/access/AccessController.class */
public class AccessController implements MasterCoprocessor, RegionCoprocessor, RegionServerCoprocessor, AccessControlProtos.AccessControlService.Interface, MasterObserver, RegionObserver, RegionServerObserver, EndpointObserver, BulkLoadObserver {
    private static final String CHECK_COVERING_PERM = "check_covering_perm";
    private static final String TAG_CHECK_PASSED = "tag_check_passed";
    private AccessChecker accessChecker;
    private ZKPermissionWatcher zkPermissionWatcher;
    private RegionCoprocessorEnvironment regionEnv;
    private Map<TableName, List<UserPermission>> tableAcls;
    private UserProvider userProvider;
    private boolean authorizationEnabled;
    private boolean cellFeaturesEnabled;
    private boolean shouldCheckExecPermission;
    private boolean compatibleEarlyTermination;
    private static final Logger LOG = LoggerFactory.getLogger(AccessController.class);
    private static final Logger AUDITLOG = LoggerFactory.getLogger("SecurityLogger." + AccessController.class.getName());
    private static final byte[] TRUE = Bytes.toBytes(true);
    private boolean aclRegion = false;
    private Map<InternalScanner, String> scannerOwners = new MapMaker().weakKeys().makeMap();
    private volatile boolean initialized = false;
    private volatile boolean aclTabAvailable = false;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hudi/org/apache/hadoop/hbase/security/access/AccessController$OpType.class */
    public enum OpType {
        GET(MetricsRegionServerSource.GET_KEY),
        EXISTS("exists"),
        SCAN("scan"),
        PUT(MetricsRegionServerSource.PUT_KEY),
        DELETE(MetricsRegionServerSource.DELETE_KEY),
        CHECK_AND_PUT(MetricsRegionServerSource.CHECK_AND_PUT_KEY),
        CHECK_AND_DELETE(MetricsRegionServerSource.CHECK_AND_DELETE_KEY),
        APPEND("append"),
        INCREMENT(MetricsRegionServerSource.INCREMENT_KEY);

        private String type;

        OpType(String str) {
            this.type = str;
        }

        @Override // java.lang.Enum
        public String toString() {
            return this.type;
        }
    }

    public static boolean isCellAuthorizationSupported(Configuration configuration) {
        return AccessChecker.isAuthorizationSupported(configuration) && HFile.getFormatVersion(configuration) >= 3;
    }

    public Region getRegion() {
        if (this.regionEnv != null) {
            return this.regionEnv.getRegion();
        }
        return null;
    }

    public AuthManager getAuthManager() {
        return this.accessChecker.getAuthManager();
    }

    private void initialize(RegionCoprocessorEnvironment regionCoprocessorEnvironment) throws IOException {
        Region region = regionCoprocessorEnvironment.getRegion();
        Configuration configuration = regionCoprocessorEnvironment.getConfiguration();
        for (Map.Entry<byte[], ListMultimap<String, UserPermission>> entry : PermissionStorage.loadAll(region).entrySet()) {
            this.zkPermissionWatcher.writeToZookeeper(entry.getKey(), PermissionStorage.writePermissionsAsBytes(entry.getValue(), configuration));
        }
        this.initialized = true;
    }

    /* JADX WARN: Finally extract failed */
    private void updateACL(RegionCoprocessorEnvironment regionCoprocessorEnvironment, Map<byte[], List<Cell>> map) {
        TreeSet<byte[]> treeSet = new TreeSet((Comparator) Bytes.BYTES_RAWCOMPARATOR);
        Iterator<Map.Entry<byte[], List<Cell>>> it = map.entrySet().iterator();
        while (it.hasNext()) {
            for (Cell cell : it.next().getValue()) {
                if (CellUtil.matchingFamily(cell, PermissionStorage.ACL_LIST_FAMILY)) {
                    treeSet.add(CellUtil.cloneRow(cell));
                }
            }
        }
        Configuration configuration = this.regionEnv.getConfiguration();
        byte[] bArr = null;
        try {
            Table table = regionCoprocessorEnvironment.getConnection().getTable(PermissionStorage.ACL_TABLE_NAME);
            Throwable th = null;
            try {
                for (byte[] bArr2 : treeSet) {
                    bArr = bArr2;
                    this.zkPermissionWatcher.writeToZookeeper(bArr2, PermissionStorage.writePermissionsAsBytes(PermissionStorage.getPermissions(configuration, bArr2, table, null, null, null, false), configuration));
                }
                if (table != null) {
                    if (0 != 0) {
                        try {
                            table.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        table.close();
                    }
                }
            } catch (Throwable th3) {
                if (table != null) {
                    if (0 != 0) {
                        try {
                            table.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    } else {
                        table.close();
                    }
                }
                throw th3;
            }
        } catch (IOException e) {
            LOG.error("Failed updating permissions mirror for '" + (bArr == null ? HoodieWriteStat.NULL_COMMIT : Bytes.toString(bArr)) + "'", e);
        }
    }

    private AuthResult permissionGranted(OpType opType, User user, RegionCoprocessorEnvironment regionCoprocessorEnvironment, Map<byte[], ? extends Collection<?>> map, Permission.Action... actionArr) {
        AuthResult authResult = null;
        for (Permission.Action action : actionArr) {
            authResult = this.accessChecker.permissionGranted(opType.toString(), user, action, regionCoprocessorEnvironment.getRegion().getRegionInfo().getTable(), map);
            if (!authResult.isAllowed()) {
                return authResult;
            }
        }
        return authResult;
    }

    public void requireAccess(ObserverContext<?> observerContext, String str, TableName tableName, Permission.Action... actionArr) throws IOException {
        this.accessChecker.requireAccess(getActiveUser(observerContext), str, tableName, actionArr);
    }

    public void requirePermission(ObserverContext<?> observerContext, String str, Permission.Action action) throws IOException {
        this.accessChecker.requirePermission(getActiveUser(observerContext), str, null, action);
    }

    public void requireGlobalPermission(ObserverContext<?> observerContext, String str, Permission.Action action, TableName tableName, Map<byte[], ? extends Collection<byte[]>> map) throws IOException {
        this.accessChecker.requireGlobalPermission(getActiveUser(observerContext), str, action, tableName, map, null);
    }

    public void requireGlobalPermission(ObserverContext<?> observerContext, String str, Permission.Action action, String str2) throws IOException {
        this.accessChecker.requireGlobalPermission(getActiveUser(observerContext), str, action, str2);
    }

    public void requireNamespacePermission(ObserverContext<?> observerContext, String str, String str2, Permission.Action... actionArr) throws IOException {
        this.accessChecker.requireNamespacePermission(getActiveUser(observerContext), str, str2, null, actionArr);
    }

    public void requireNamespacePermission(ObserverContext<?> observerContext, String str, String str2, TableName tableName, Map<byte[], ? extends Collection<byte[]>> map, Permission.Action... actionArr) throws IOException {
        this.accessChecker.requireNamespacePermission(getActiveUser(observerContext), str, str2, tableName, map, actionArr);
    }

    public void requirePermission(ObserverContext<?> observerContext, String str, TableName tableName, byte[] bArr, byte[] bArr2, Permission.Action... actionArr) throws IOException {
        this.accessChecker.requirePermission(getActiveUser(observerContext), str, tableName, bArr, bArr2, null, actionArr);
    }

    public void requireTablePermission(ObserverContext<?> observerContext, String str, TableName tableName, byte[] bArr, byte[] bArr2, Permission.Action... actionArr) throws IOException {
        this.accessChecker.requireTablePermission(getActiveUser(observerContext), str, tableName, bArr, bArr2, actionArr);
    }

    public void checkLockPermissions(ObserverContext<?> observerContext, String str, TableName tableName, RegionInfo[] regionInfoArr, String str2) throws IOException {
        this.accessChecker.checkLockPermissions(getActiveUser(observerContext), str, tableName, regionInfoArr, str2);
    }

    private boolean hasFamilyQualifierPermission(User user, Permission.Action action, RegionCoprocessorEnvironment regionCoprocessorEnvironment, Map<byte[], ? extends Collection<byte[]>> map) throws IOException {
        TableName table = regionCoprocessorEnvironment.getRegion().getRegionInfo().getTable();
        if (user == null) {
            return false;
        }
        if (map == null || map.size() <= 0) {
            if (!LOG.isDebugEnabled()) {
                return false;
            }
            LOG.debug("Empty family map passed for permission check");
            return false;
        }
        for (Map.Entry<byte[], ? extends Collection<byte[]>> entry : map.entrySet()) {
            if (entry.getValue() == null || entry.getValue().isEmpty()) {
                if (getAuthManager().authorizeUserFamily(user, table, entry.getKey(), action)) {
                    return true;
                }
            } else {
                Iterator<byte[]> it = entry.getValue().iterator();
                while (it.hasNext()) {
                    if (getAuthManager().authorizeUserTable(user, table, entry.getKey(), it.next(), action)) {
                        return true;
                    }
                }
            }
        }
        return false;
    }

    private boolean checkCoveringPermission(User user, OpType opType, RegionCoprocessorEnvironment regionCoprocessorEnvironment, byte[] bArr, Map<byte[], ? extends Collection<?>> map, long j, Permission.Action... actionArr) throws IOException {
        boolean next;
        if (!this.cellFeaturesEnabled) {
            return false;
        }
        long j2 = 0;
        long j3 = 0;
        Get get = new Get(bArr);
        boolean z = opType == OpType.PUT || opType == OpType.DELETE;
        if (z) {
            get.setMaxVersions();
        } else {
            get.setMaxVersions(1);
        }
        boolean z2 = false;
        for (Map.Entry<byte[], ? extends Collection<?>> entry : map.entrySet()) {
            byte[] key = entry.getKey();
            if (entry.getValue() instanceof Set) {
                Set set = (Set) entry.getValue();
                if (set == null || set.isEmpty()) {
                    get.addFamily(key);
                } else {
                    Iterator it = set.iterator();
                    while (it.hasNext()) {
                        get.addColumn(key, (byte[]) it.next());
                    }
                }
            } else if (entry.getValue() instanceof List) {
                List<Cell> list = (List) entry.getValue();
                if (list == null || list.isEmpty()) {
                    get.addFamily(key);
                } else {
                    for (Cell cell : list) {
                        if (cell.getQualifierLength() == 0 && (cell.getTypeByte() == KeyValue.Type.DeleteFamily.getCode() || cell.getTypeByte() == KeyValue.Type.DeleteFamilyVersion.getCode())) {
                            get.addFamily(key);
                        } else {
                            get.addColumn(key, CellUtil.cloneQualifier(cell));
                        }
                        if (z) {
                            long timestamp = cell.getTimestamp();
                            j3 = Math.max(j3, timestamp);
                            z2 = z2 || j != timestamp;
                        }
                    }
                }
            } else {
                if (entry.getValue() != null) {
                    throw new RuntimeException("Unhandled collection type " + entry.getValue().getClass().getName());
                }
                get.addFamily(key);
            }
        }
        long max = Math.max(j, j3);
        if (max == 0 || max == Long.MAX_VALUE) {
            max = EnvironmentEdgeManager.currentTime();
        }
        get.setTimeRange(0L, max + 1);
        if (!z2 && opType == OpType.PUT) {
            get.setMaxVersions(1);
        }
        if (LOG.isTraceEnabled()) {
            LOG.trace("Scanning for cells with " + get);
        }
        HashMap hashMap = new HashMap();
        for (Map.Entry<byte[], ? extends Collection<?>> entry2 : map.entrySet()) {
            if (entry2.getValue() instanceof List) {
                hashMap.put(new SimpleMutableByteRange(entry2.getKey()), (List) entry2.getValue());
            }
        }
        RegionScanner scanner = getRegion(regionCoprocessorEnvironment).getScanner(new Scan(get));
        ArrayList newArrayList = Lists.newArrayList();
        Cell cell2 = null;
        SimpleMutableByteRange simpleMutableByteRange = new SimpleMutableByteRange();
        boolean z3 = opType == OpType.DELETE;
        long j4 = j;
        boolean z4 = false;
        try {
            try {
                ScannerContext build = ScannerContext.newBuilder().setBatchLimit(1).build();
                do {
                    newArrayList.clear();
                    next = scanner.next(newArrayList, build);
                    for (Cell cell3 : newArrayList) {
                        if (LOG.isTraceEnabled()) {
                            LOG.trace("Found cell " + cell3);
                        }
                        boolean z5 = cell2 == null || !CellUtil.matchingColumn(cell2, cell3);
                        if (z5) {
                            z4 = false;
                        }
                        cell2 = cell3;
                        if (z3 || !z4) {
                            if (z5 && z) {
                                simpleMutableByteRange.set(cell3.getFamilyArray(), cell3.getFamilyOffset(), cell3.getFamilyLength());
                                for (Cell cell4 : (List) hashMap.get(simpleMutableByteRange)) {
                                    if ((cell4.getQualifierLength() == 0 && opType == OpType.DELETE) || CellUtil.matchingQualifier(cell3, cell4)) {
                                        byte typeByte = cell4.getTypeByte();
                                        if (z) {
                                            j4 = cell4.getTimestamp();
                                        }
                                        z3 = KeyValue.Type.DeleteColumn.getCode() == typeByte || KeyValue.Type.DeleteFamily.getCode() == typeByte;
                                    }
                                }
                            }
                            if (cell3.getTimestamp() <= j4) {
                                z4 = true;
                                for (Permission.Action action : actionArr) {
                                    if (!getAuthManager().authorizeCell(user, getTableName(regionCoprocessorEnvironment), cell3, action)) {
                                        scanner.close();
                                        return false;
                                    }
                                }
                                j2++;
                            }
                        }
                    }
                } while (next);
                scanner.close();
            } catch (AccessDeniedException e) {
                throw e;
            } catch (IOException e2) {
                LOG.error("Exception while getting cells to calculate covering permission", e2);
                scanner.close();
            }
            return j2 > 0;
        } catch (Throwable th) {
            scanner.close();
            throw th;
        }
    }

    private static void addCellPermissions(byte[] bArr, Map<byte[], List<Cell>> map) {
        for (Map.Entry<byte[], List<Cell>> entry : map.entrySet()) {
            ArrayList newArrayList = Lists.newArrayList();
            for (Cell cell : entry.getValue()) {
                ArrayList arrayList = new ArrayList();
                arrayList.add(new ArrayBackedTag((byte) 1, bArr));
                Iterator<Tag> tagsIterator = PrivateCellUtil.tagsIterator(cell);
                while (tagsIterator.hasNext()) {
                    arrayList.add(tagsIterator.next());
                }
                newArrayList.add(PrivateCellUtil.createCell(cell, arrayList));
            }
            entry.setValue(newArrayList);
        }
    }

    private void checkForReservedTagPresence(User user, Mutation mutation) throws IOException {
        if (!this.authorizationEnabled) {
            mutation.setAttribute(TAG_CHECK_PASSED, TRUE);
            return;
        }
        if (Superusers.isSuperUser(user)) {
            mutation.setAttribute(TAG_CHECK_PASSED, TRUE);
            return;
        }
        if (mutation.getAttribute(TAG_CHECK_PASSED) != null) {
            return;
        }
        CellScanner cellScanner = mutation.cellScanner();
        while (cellScanner.advance()) {
            Iterator<Tag> tagsIterator = PrivateCellUtil.tagsIterator(cellScanner.current());
            while (tagsIterator.hasNext()) {
                if (tagsIterator.next().getType() == 1) {
                    throw new AccessDeniedException("Mutation contains cell with reserved type tag");
                }
            }
        }
        mutation.setAttribute(TAG_CHECK_PASSED, TRUE);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.Coprocessor
    public void start(CoprocessorEnvironment coprocessorEnvironment) throws IOException {
        CompoundConfiguration compoundConfiguration = new CompoundConfiguration();
        compoundConfiguration.add(coprocessorEnvironment.getConfiguration());
        this.authorizationEnabled = AccessChecker.isAuthorizationSupported(compoundConfiguration);
        if (!this.authorizationEnabled) {
            LOG.warn("AccessController has been loaded with authorization checks DISABLED!");
        }
        this.shouldCheckExecPermission = compoundConfiguration.getBoolean(AccessControlConstants.EXEC_PERMISSION_CHECKS_KEY, false);
        this.cellFeaturesEnabled = HFile.getFormatVersion(compoundConfiguration) >= 3;
        if (!this.cellFeaturesEnabled) {
            LOG.info("A minimum HFile version of 3 is required to persist cell ACLs. Consider setting hfile.format.version accordingly.");
        }
        if (coprocessorEnvironment instanceof MasterCoprocessorEnvironment) {
            MasterCoprocessorEnvironment masterCoprocessorEnvironment = (MasterCoprocessorEnvironment) coprocessorEnvironment;
            if (masterCoprocessorEnvironment instanceof HasMasterServices) {
                MasterServices masterServices = ((HasMasterServices) masterCoprocessorEnvironment).getMasterServices();
                this.zkPermissionWatcher = masterServices.getZKPermissionWatcher();
                this.accessChecker = masterServices.getAccessChecker();
            }
        } else if (coprocessorEnvironment instanceof RegionServerCoprocessorEnvironment) {
            RegionServerCoprocessorEnvironment regionServerCoprocessorEnvironment = (RegionServerCoprocessorEnvironment) coprocessorEnvironment;
            if (regionServerCoprocessorEnvironment instanceof HasRegionServerServices) {
                RegionServerServices regionServerServices = ((HasRegionServerServices) regionServerCoprocessorEnvironment).getRegionServerServices();
                this.zkPermissionWatcher = regionServerServices.getZKPermissionWatcher();
                this.accessChecker = regionServerServices.getAccessChecker();
            }
        } else if (coprocessorEnvironment instanceof RegionCoprocessorEnvironment) {
            this.regionEnv = (RegionCoprocessorEnvironment) coprocessorEnvironment;
            compoundConfiguration.addBytesMap(this.regionEnv.getRegion().getTableDescriptor().getValues());
            this.compatibleEarlyTermination = compoundConfiguration.getBoolean(AccessControlConstants.CF_ATTRIBUTE_EARLY_OUT, true);
            if (this.regionEnv instanceof HasRegionServerServices) {
                RegionServerServices regionServerServices2 = ((HasRegionServerServices) this.regionEnv).getRegionServerServices();
                this.zkPermissionWatcher = regionServerServices2.getZKPermissionWatcher();
                this.accessChecker = regionServerServices2.getAccessChecker();
            }
        }
        if (this.zkPermissionWatcher == null) {
            throw new NullPointerException("ZKPermissionWatcher is null");
        }
        if (this.accessChecker == null) {
            throw new NullPointerException("AccessChecker is null");
        }
        this.userProvider = UserProvider.instantiate(coprocessorEnvironment.getConfiguration());
        this.tableAcls = new MapMaker().weakValues().makeMap();
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.Coprocessor
    public void stop(CoprocessorEnvironment coprocessorEnvironment) {
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionCoprocessor
    public Optional<RegionObserver> getRegionObserver() {
        return Optional.of(this);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterCoprocessor
    public Optional<MasterObserver> getMasterObserver() {
        return Optional.of(this);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionCoprocessor
    public Optional<EndpointObserver> getEndpointObserver() {
        return Optional.of(this);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionCoprocessor
    public Optional<BulkLoadObserver> getBulkLoadObserver() {
        return Optional.of(this);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionServerCoprocessor
    public Optional<RegionServerObserver> getRegionServerObserver() {
        return Optional.of(this);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.Coprocessor
    public Iterable<Service> getServices() {
        return Collections.singleton(AccessControlProtos.AccessControlService.newReflectiveService(this));
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preCreateTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableDescriptor tableDescriptor, RegionInfo[] regionInfoArr) throws IOException {
        Set<byte[]> columnFamilyNames = tableDescriptor.getColumnFamilyNames();
        TreeMap treeMap = new TreeMap(Bytes.BYTES_COMPARATOR);
        Iterator<byte[]> it = columnFamilyNames.iterator();
        while (it.hasNext()) {
            treeMap.put(it.next(), null);
        }
        requireNamespacePermission(observerContext, "createTable", tableDescriptor.getTableName().getNamespaceAsString(), tableDescriptor.getTableName(), treeMap, Permission.Action.ADMIN, Permission.Action.CREATE);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postCompletedCreateTableAction(final ObserverContext<MasterCoprocessorEnvironment> observerContext, TableDescriptor tableDescriptor, RegionInfo[] regionInfoArr) throws IOException {
        if (PermissionStorage.isAclTable(tableDescriptor)) {
            this.aclTabAvailable = true;
            return;
        }
        if (TableName.NAMESPACE_TABLE_NAME.equals(tableDescriptor.getTableName())) {
            return;
        }
        if (!this.aclTabAvailable) {
            LOG.warn("Not adding owner permission for table " + tableDescriptor.getTableName() + ". " + PermissionStorage.ACL_TABLE_NAME + " is not yet created. " + getClass().getSimpleName() + " should be configured as the first Coprocessor");
            return;
        }
        String ownerString = tableDescriptor.getOwnerString();
        if (ownerString == null) {
            ownerString = getActiveUser(observerContext).getShortName();
        }
        final UserPermission userPermission = new UserPermission(ownerString, Permission.newBuilder(tableDescriptor.getTableName()).withActions(Permission.Action.values()).build());
        User.runAsLoginUser(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hudi.org.apache.hadoop.hbase.security.access.AccessController.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                Table table = ((MasterCoprocessorEnvironment) observerContext.getEnvironment()).getConnection().getTable(PermissionStorage.ACL_TABLE_NAME);
                Throwable th = null;
                try {
                    PermissionStorage.addUserPermission(((MasterCoprocessorEnvironment) observerContext.getEnvironment()).getConfiguration(), userPermission, table);
                    if (table == null) {
                        return null;
                    }
                    if (0 == 0) {
                        table.close();
                        return null;
                    }
                    try {
                        table.close();
                        return null;
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                        return null;
                    }
                } catch (Throwable th3) {
                    if (table != null) {
                        if (0 != 0) {
                            try {
                                table.close();
                            } catch (Throwable th4) {
                                th.addSuppressed(th4);
                            }
                        } else {
                            table.close();
                        }
                    }
                    throw th3;
                }
            }
        });
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
        requirePermission(observerContext, "deleteTable", tableName, null, null, Permission.Action.ADMIN, Permission.Action.CREATE);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postDeleteTable(final ObserverContext<MasterCoprocessorEnvironment> observerContext, final TableName tableName) throws IOException {
        final Configuration configuration = observerContext.getEnvironment().getConfiguration();
        User.runAsLoginUser(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hudi.org.apache.hadoop.hbase.security.access.AccessController.2
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                Table table = ((MasterCoprocessorEnvironment) observerContext.getEnvironment()).getConnection().getTable(PermissionStorage.ACL_TABLE_NAME);
                Throwable th = null;
                try {
                    PermissionStorage.removeTablePermissions(configuration, tableName, table);
                    if (table == null) {
                        return null;
                    }
                    if (0 == 0) {
                        table.close();
                        return null;
                    }
                    try {
                        table.close();
                        return null;
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                        return null;
                    }
                } catch (Throwable th3) {
                    if (table != null) {
                        if (0 != 0) {
                            try {
                                table.close();
                            } catch (Throwable th4) {
                                th.addSuppressed(th4);
                            }
                        } else {
                            table.close();
                        }
                    }
                    throw th3;
                }
            }
        });
        this.zkPermissionWatcher.deleteTableACLNode(tableName);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preTruncateTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, final TableName tableName) throws IOException {
        requirePermission(observerContext, "truncateTable", tableName, null, null, Permission.Action.ADMIN, Permission.Action.CREATE);
        final Configuration configuration = observerContext.getEnvironment().getConfiguration();
        User.runAsLoginUser(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hudi.org.apache.hadoop.hbase.security.access.AccessController.3
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                List<UserPermission> userTablePermissions = PermissionStorage.getUserTablePermissions(configuration, tableName, null, null, null, false);
                if (userTablePermissions == null) {
                    return null;
                }
                AccessController.this.tableAcls.put(tableName, userTablePermissions);
                return null;
            }
        });
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postTruncateTable(final ObserverContext<MasterCoprocessorEnvironment> observerContext, final TableName tableName) throws IOException {
        final Configuration configuration = observerContext.getEnvironment().getConfiguration();
        User.runAsLoginUser(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hudi.org.apache.hadoop.hbase.security.access.AccessController.4
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                List<UserPermission> list = (List) AccessController.this.tableAcls.get(tableName);
                if (list != null) {
                    for (UserPermission userPermission : list) {
                        Table table = ((MasterCoprocessorEnvironment) observerContext.getEnvironment()).getConnection().getTable(PermissionStorage.ACL_TABLE_NAME);
                        Throwable th = null;
                        try {
                            try {
                                PermissionStorage.addUserPermission(configuration, userPermission, table);
                                if (table != null) {
                                    if (0 != 0) {
                                        try {
                                            table.close();
                                        } catch (Throwable th2) {
                                            th.addSuppressed(th2);
                                        }
                                    } else {
                                        table.close();
                                    }
                                }
                            } finally {
                            }
                        } catch (Throwable th3) {
                            if (table != null) {
                                if (th != null) {
                                    try {
                                        table.close();
                                    } catch (Throwable th4) {
                                        th.addSuppressed(th4);
                                    }
                                } else {
                                    table.close();
                                }
                            }
                            throw th3;
                        }
                    }
                }
                AccessController.this.tableAcls.remove(tableName);
                return null;
            }
        });
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public TableDescriptor preModifyTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, TableDescriptor tableDescriptor, TableDescriptor tableDescriptor2) throws IOException {
        requirePermission(observerContext, "modifyTable", tableName, null, null, Permission.Action.ADMIN, Permission.Action.CREATE);
        return tableDescriptor2;
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postModifyTable(final ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, final TableDescriptor tableDescriptor) throws IOException {
        final Configuration configuration = observerContext.getEnvironment().getConfiguration();
        final String ownerString = tableDescriptor.getOwnerString() != null ? tableDescriptor.getOwnerString() : getActiveUser(observerContext).getShortName();
        User.runAsLoginUser(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hudi.org.apache.hadoop.hbase.security.access.AccessController.5
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                UserPermission userPermission = new UserPermission(ownerString, Permission.newBuilder(tableDescriptor.getTableName()).withActions(Permission.Action.values()).build());
                Table table = ((MasterCoprocessorEnvironment) observerContext.getEnvironment()).getConnection().getTable(PermissionStorage.ACL_TABLE_NAME);
                Throwable th = null;
                try {
                    try {
                        PermissionStorage.addUserPermission(configuration, userPermission, table);
                        if (table == null) {
                            return null;
                        }
                        if (0 == 0) {
                            table.close();
                            return null;
                        }
                        try {
                            table.close();
                            return null;
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                            return null;
                        }
                    } catch (Throwable th3) {
                        th = th3;
                        throw th3;
                    }
                } catch (Throwable th4) {
                    if (table != null) {
                        if (th != null) {
                            try {
                                table.close();
                            } catch (Throwable th5) {
                                th.addSuppressed(th5);
                            }
                        } else {
                            table.close();
                        }
                    }
                    throw th4;
                }
            }
        });
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
        requirePermission(observerContext, "enableTable", tableName, null, null, Permission.Action.ADMIN, Permission.Action.CREATE);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
        if (Bytes.equals(tableName.getName(), PermissionStorage.ACL_GLOBAL_NAME)) {
            throw new AccessDeniedException("Not allowed to disable " + PermissionStorage.ACL_TABLE_NAME + " table with AccessController installed");
        }
        requirePermission(observerContext, "disableTable", tableName, null, null, Permission.Action.ADMIN, Permission.Action.CREATE);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preAbortProcedure(ObserverContext<MasterCoprocessorEnvironment> observerContext, long j) throws IOException {
        requirePermission(observerContext, "abortProcedure", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postAbortProcedure(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preGetProcedures(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        requirePermission(observerContext, "getProcedure", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preGetLocks(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        this.accessChecker.requirePermission(getActiveUser(observerContext), "getLocks", null, Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preMove(ObserverContext<MasterCoprocessorEnvironment> observerContext, RegionInfo regionInfo, ServerName serverName, ServerName serverName2) throws IOException {
        requirePermission(observerContext, MetricsAssignmentManagerSource.MOVE_METRIC_PREFIX, regionInfo.getTable(), null, null, Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preAssign(ObserverContext<MasterCoprocessorEnvironment> observerContext, RegionInfo regionInfo) throws IOException {
        requirePermission(observerContext, MetricsAssignmentManagerSource.ASSIGN_METRIC_PREFIX, regionInfo.getTable(), null, null, Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> observerContext, RegionInfo regionInfo) throws IOException {
        requirePermission(observerContext, MetricsAssignmentManagerSource.UNASSIGN_METRIC_PREFIX, regionInfo.getTable(), null, null, Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preRegionOffline(ObserverContext<MasterCoprocessorEnvironment> observerContext, RegionInfo regionInfo) throws IOException {
        requirePermission(observerContext, "regionOffline", regionInfo.getTable(), null, null, Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preSetSplitOrMergeEnabled(ObserverContext<MasterCoprocessorEnvironment> observerContext, boolean z, MasterSwitchType masterSwitchType) throws IOException {
        requirePermission(observerContext, "setSplitOrMergeEnabled", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preBalance(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        requirePermission(observerContext, "balance", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preBalanceSwitch(ObserverContext<MasterCoprocessorEnvironment> observerContext, boolean z) throws IOException {
        requirePermission(observerContext, "balanceSwitch", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preShutdown(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        requirePermission(observerContext, "shutdown", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        requirePermission(observerContext, "stopMaster", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postStartMaster(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        Admin admin = observerContext.getEnvironment().getConnection().getAdmin();
        Throwable th = null;
        try {
            if (admin.tableExists(PermissionStorage.ACL_TABLE_NAME)) {
                this.aclTabAvailable = true;
            } else {
                createACLTable(admin);
            }
            if (admin != null) {
                if (0 == 0) {
                    admin.close();
                    return;
                }
                try {
                    admin.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
        } catch (Throwable th3) {
            if (admin != null) {
                if (0 != 0) {
                    try {
                        admin.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    admin.close();
                }
            }
            throw th3;
        }
    }

    private static void createACLTable(Admin admin) throws IOException {
        admin.createTable(TableDescriptorBuilder.newBuilder(PermissionStorage.ACL_TABLE_NAME).setColumnFamily(ColumnFamilyDescriptorBuilder.newBuilder(PermissionStorage.ACL_LIST_FAMILY).setMaxVersions(1).setInMemory(true).setBlockCacheEnabled(true).setBlocksize(8192).setBloomFilterType(BloomType.NONE).setScope(0).build()).build());
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext, SnapshotDescription snapshotDescription, TableDescriptor tableDescriptor) throws IOException {
        requirePermission(observerContext, "snapshot " + snapshotDescription.getName(), tableDescriptor.getTableName(), null, null, Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preListSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext, SnapshotDescription snapshotDescription) throws IOException {
        User activeUser = getActiveUser(observerContext);
        if (SnapshotDescriptionUtils.isSnapshotOwner(snapshotDescription, activeUser)) {
            AccessChecker.logResult(AuthResult.allow("listSnapshot " + snapshotDescription.getName(), "Snapshot owner check allowed", activeUser, null, null, null));
        } else {
            this.accessChecker.requirePermission(activeUser, "listSnapshot " + snapshotDescription.getName(), null, Permission.Action.ADMIN);
        }
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preCloneSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext, SnapshotDescription snapshotDescription, TableDescriptor tableDescriptor) throws IOException {
        User activeUser = getActiveUser(observerContext);
        if (SnapshotDescriptionUtils.isSnapshotOwner(snapshotDescription, activeUser) && tableDescriptor.getTableName().getNameAsString().equals(snapshotDescription.getTable())) {
            AccessChecker.logResult(AuthResult.allow("cloneSnapshot " + snapshotDescription.getName(), "Snapshot owner check allowed", activeUser, null, tableDescriptor.getTableName(), null));
        } else {
            this.accessChecker.requirePermission(activeUser, "cloneSnapshot " + snapshotDescription.getName(), null, Permission.Action.ADMIN);
        }
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preRestoreSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext, SnapshotDescription snapshotDescription, TableDescriptor tableDescriptor) throws IOException {
        User activeUser = getActiveUser(observerContext);
        if (SnapshotDescriptionUtils.isSnapshotOwner(snapshotDescription, activeUser)) {
            this.accessChecker.requirePermission(activeUser, "restoreSnapshot " + snapshotDescription.getName(), tableDescriptor.getTableName(), null, null, null, Permission.Action.ADMIN);
        } else {
            this.accessChecker.requirePermission(activeUser, "restoreSnapshot " + snapshotDescription.getName(), null, Permission.Action.ADMIN);
        }
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preDeleteSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext, SnapshotDescription snapshotDescription) throws IOException {
        User activeUser = getActiveUser(observerContext);
        if (SnapshotDescriptionUtils.isSnapshotOwner(snapshotDescription, activeUser)) {
            AccessChecker.logResult(AuthResult.allow("deleteSnapshot " + snapshotDescription.getName(), "Snapshot owner check allowed", activeUser, null, null, null));
        } else {
            this.accessChecker.requirePermission(activeUser, "deleteSnapshot " + snapshotDescription.getName(), null, Permission.Action.ADMIN);
        }
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preCreateNamespace(ObserverContext<MasterCoprocessorEnvironment> observerContext, NamespaceDescriptor namespaceDescriptor) throws IOException {
        requireGlobalPermission(observerContext, "createNamespace", Permission.Action.ADMIN, namespaceDescriptor.getName());
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str) throws IOException {
        requireGlobalPermission(observerContext, "deleteNamespace", Permission.Action.ADMIN, str);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postDeleteNamespace(final ObserverContext<MasterCoprocessorEnvironment> observerContext, final String str) throws IOException {
        final Configuration configuration = observerContext.getEnvironment().getConfiguration();
        User.runAsLoginUser(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hudi.org.apache.hadoop.hbase.security.access.AccessController.6
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                Table table = ((MasterCoprocessorEnvironment) observerContext.getEnvironment()).getConnection().getTable(PermissionStorage.ACL_TABLE_NAME);
                Throwable th = null;
                try {
                    PermissionStorage.removeNamespacePermissions(configuration, str, table);
                    if (table == null) {
                        return null;
                    }
                    if (0 == 0) {
                        table.close();
                        return null;
                    }
                    try {
                        table.close();
                        return null;
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                        return null;
                    }
                } catch (Throwable th3) {
                    if (table != null) {
                        if (0 != 0) {
                            try {
                                table.close();
                            } catch (Throwable th4) {
                                th.addSuppressed(th4);
                            }
                        } else {
                            table.close();
                        }
                    }
                    throw th3;
                }
            }
        });
        this.zkPermissionWatcher.deleteNamespaceACLNode(str);
        LOG.info(str + " entry deleted in " + PermissionStorage.ACL_TABLE_NAME + " table.");
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preModifyNamespace(ObserverContext<MasterCoprocessorEnvironment> observerContext, NamespaceDescriptor namespaceDescriptor) throws IOException {
        requireGlobalPermission(observerContext, "modifyNamespace", Permission.Action.ADMIN, namespaceDescriptor.getName());
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preGetNamespaceDescriptor(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str) throws IOException {
        requireNamespacePermission(observerContext, "getNamespaceDescriptor", str, Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postListNamespaces(ObserverContext<MasterCoprocessorEnvironment> observerContext, List<String> list) throws IOException {
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postListNamespaceDescriptors(ObserverContext<MasterCoprocessorEnvironment> observerContext, List<NamespaceDescriptor> list) throws IOException {
        Iterator<NamespaceDescriptor> it = list.iterator();
        User activeUser = getActiveUser(observerContext);
        while (it.hasNext()) {
            try {
                this.accessChecker.requireNamespacePermission(activeUser, "listNamespaces", it.next().getName(), null, Permission.Action.ADMIN);
            } catch (AccessDeniedException e) {
                it.remove();
            }
        }
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preTableFlush(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
        requirePermission(observerContext, "flushTable", tableName, null, null, Permission.Action.ADMIN, Permission.Action.CREATE);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preSplitRegion(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, byte[] bArr) throws IOException {
        requirePermission(observerContext, "split", tableName, null, null, Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preClearDeadServers(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        requirePermission(observerContext, "clearDeadServers", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preDecommissionRegionServers(ObserverContext<MasterCoprocessorEnvironment> observerContext, List<ServerName> list, boolean z) throws IOException {
        requirePermission(observerContext, "decommissionRegionServers", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preListDecommissionedRegionServers(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        requirePermission(observerContext, "listDecommissionedRegionServers", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preRecommissionRegionServer(ObserverContext<MasterCoprocessorEnvironment> observerContext, ServerName serverName, List<byte[]> list) throws IOException {
        requirePermission(observerContext, "recommissionRegionServers", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void preOpen(ObserverContext<RegionCoprocessorEnvironment> observerContext) throws IOException {
        Region region = observerContext.getEnvironment().getRegion();
        if (region == null) {
            LOG.error("NULL region from RegionCoprocessorEnvironment in preOpen()");
        } else if (region.getRegionInfo().getTable().isSystemTable()) {
            checkSystemOrSuperUser(getActiveUser(observerContext));
        } else {
            requirePermission(observerContext, "preOpen", Permission.Action.ADMIN);
        }
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void postOpen(ObserverContext<RegionCoprocessorEnvironment> observerContext) {
        RegionCoprocessorEnvironment environment = observerContext.getEnvironment();
        Region region = environment.getRegion();
        if (region == null) {
            LOG.error("NULL region from RegionCoprocessorEnvironment in postOpen()");
            return;
        }
        if (!PermissionStorage.isAclRegion(region)) {
            this.initialized = true;
            return;
        }
        this.aclRegion = true;
        try {
            initialize(environment);
        } catch (IOException e) {
            throw new RuntimeException("Failed to initialize permissions cache", e);
        }
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void preFlush(ObserverContext<RegionCoprocessorEnvironment> observerContext, FlushLifeCycleTracker flushLifeCycleTracker) throws IOException {
        requirePermission(observerContext, "flush", getTableName(observerContext.getEnvironment()), null, null, Permission.Action.ADMIN, Permission.Action.CREATE);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public InternalScanner preCompact(ObserverContext<RegionCoprocessorEnvironment> observerContext, Store store, InternalScanner internalScanner, ScanType scanType, CompactionLifeCycleTracker compactionLifeCycleTracker, CompactionRequest compactionRequest) throws IOException {
        requirePermission(observerContext, "compact", getTableName(observerContext.getEnvironment()), null, null, Permission.Action.ADMIN, Permission.Action.CREATE);
        return internalScanner;
    }

    private void internalPreRead(ObserverContext<RegionCoprocessorEnvironment> observerContext, Query query, OpType opType) throws IOException {
        Map<byte[], NavigableSet<byte[]>> familyMap;
        Filter filter = query.getFilter();
        if (filter == null || !(filter instanceof AccessControlFilter)) {
            User activeUser = getActiveUser(observerContext);
            RegionCoprocessorEnvironment environment = observerContext.getEnvironment();
            switch (opType) {
                case GET:
                case EXISTS:
                    familyMap = ((Get) query).getFamilyMap();
                    break;
                case SCAN:
                    familyMap = ((Scan) query).getFamilyMap();
                    break;
                default:
                    throw new RuntimeException("Unhandled operation " + opType);
            }
            AuthResult permissionGranted = permissionGranted(opType, activeUser, environment, familyMap, Permission.Action.READ);
            Region region = getRegion(environment);
            TableName tableName = getTableName(region);
            HashMap newHashMap = Maps.newHashMap();
            for (ColumnFamilyDescriptor columnFamilyDescriptor : region.getTableDescriptor().getColumnFamilies()) {
                newHashMap.put(new SimpleMutableByteRange(columnFamilyDescriptor.getName()), Integer.valueOf(columnFamilyDescriptor.getMaxVersions()));
            }
            if (!permissionGranted.isAllowed()) {
                if (this.cellFeaturesEnabled && !this.compatibleEarlyTermination) {
                    permissionGranted.setAllowed(true);
                    permissionGranted.setReason("Access allowed with filter");
                    if (this.authorizationEnabled) {
                        Filter accessControlFilter = new AccessControlFilter(getAuthManager(), activeUser, tableName, AccessControlFilter.Strategy.CHECK_CELL_DEFAULT, newHashMap);
                        if (filter != null) {
                            accessControlFilter = new FilterList(FilterList.Operator.MUST_PASS_ALL, Lists.newArrayList(accessControlFilter, filter));
                        }
                        switch (opType) {
                            case GET:
                            case EXISTS:
                                ((Get) query).setFilter(accessControlFilter);
                                break;
                            case SCAN:
                                ((Scan) query).setFilter(accessControlFilter);
                                break;
                            default:
                                throw new RuntimeException("Unhandled operation " + opType);
                        }
                    }
                } else if (hasFamilyQualifierPermission(activeUser, Permission.Action.READ, environment, familyMap)) {
                    permissionGranted.setAllowed(true);
                    permissionGranted.setReason("Access allowed with filter");
                    if (this.authorizationEnabled) {
                        Filter accessControlFilter2 = new AccessControlFilter(getAuthManager(), activeUser, tableName, AccessControlFilter.Strategy.CHECK_TABLE_AND_CF_ONLY, newHashMap);
                        if (filter != null) {
                            accessControlFilter2 = new FilterList(FilterList.Operator.MUST_PASS_ALL, Lists.newArrayList(accessControlFilter2, filter));
                        }
                        switch (opType) {
                            case GET:
                            case EXISTS:
                                ((Get) query).setFilter(accessControlFilter2);
                                break;
                            case SCAN:
                                ((Scan) query).setFilter(accessControlFilter2);
                                break;
                            default:
                                throw new RuntimeException("Unhandled operation " + opType);
                        }
                    }
                }
            }
            AccessChecker.logResult(permissionGranted);
            if (this.authorizationEnabled && !permissionGranted.isAllowed()) {
                throw new AccessDeniedException("Insufficient permissions for user '" + (activeUser != null ? activeUser.getShortName() : HoodieWriteStat.NULL_COMMIT) + "' (table=" + tableName + ", action=READ)");
            }
        }
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void preGetOp(ObserverContext<RegionCoprocessorEnvironment> observerContext, Get get, List<Cell> list) throws IOException {
        internalPreRead(observerContext, get, OpType.GET);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public boolean preExists(ObserverContext<RegionCoprocessorEnvironment> observerContext, Get get, boolean z) throws IOException {
        internalPreRead(observerContext, get, OpType.EXISTS);
        return z;
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void prePut(ObserverContext<RegionCoprocessorEnvironment> observerContext, Put put, WALEdit wALEdit, Durability durability) throws IOException {
        User activeUser = getActiveUser(observerContext);
        checkForReservedTagPresence(activeUser, put);
        AuthResult permissionGranted = permissionGranted(OpType.PUT, activeUser, observerContext.getEnvironment(), put.getFamilyCellMap(), Permission.Action.WRITE);
        AccessChecker.logResult(permissionGranted);
        if (!permissionGranted.isAllowed()) {
            if (this.cellFeaturesEnabled && !this.compatibleEarlyTermination) {
                put.setAttribute(CHECK_COVERING_PERM, TRUE);
            } else if (this.authorizationEnabled) {
                throw new AccessDeniedException("Insufficient permissions " + permissionGranted.toContextString());
            }
        }
        byte[] attribute = put.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);
        if (attribute != null) {
            if (!this.cellFeaturesEnabled) {
                throw new DoNotRetryIOException("Cell ACLs cannot be persisted");
            }
            addCellPermissions(attribute, put.getFamilyCellMap());
        }
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void postPut(ObserverContext<RegionCoprocessorEnvironment> observerContext, Put put, WALEdit wALEdit, Durability durability) {
        if (this.aclRegion) {
            updateACL(observerContext.getEnvironment(), put.getFamilyCellMap());
        }
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void preDelete(ObserverContext<RegionCoprocessorEnvironment> observerContext, Delete delete, WALEdit wALEdit, Durability durability) throws IOException {
        if (delete.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL) != null) {
            throw new DoNotRetryIOException("ACL on delete has no effect: " + delete.toString());
        }
        AuthResult permissionGranted = permissionGranted(OpType.DELETE, getActiveUser(observerContext), observerContext.getEnvironment(), delete.getFamilyCellMap(), Permission.Action.WRITE);
        AccessChecker.logResult(permissionGranted);
        if (permissionGranted.isAllowed()) {
            return;
        }
        if (this.cellFeaturesEnabled && !this.compatibleEarlyTermination) {
            delete.setAttribute(CHECK_COVERING_PERM, TRUE);
        } else if (this.authorizationEnabled) {
            throw new AccessDeniedException("Insufficient permissions " + permissionGranted.toContextString());
        }
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void preBatchMutate(ObserverContext<RegionCoprocessorEnvironment> observerContext, MiniBatchOperationInProgress<Mutation> miniBatchOperationInProgress) throws IOException {
        OpType opType;
        long max;
        if (!this.cellFeaturesEnabled || this.compatibleEarlyTermination) {
            return;
        }
        TableName table = observerContext.getEnvironment().getRegion().getRegionInfo().getTable();
        User activeUser = getActiveUser(observerContext);
        for (int i = 0; i < miniBatchOperationInProgress.size(); i++) {
            Mutation operation = miniBatchOperationInProgress.getOperation(i);
            if (operation.getAttribute(CHECK_COVERING_PERM) != null) {
                if (operation instanceof Put) {
                    checkForReservedTagPresence(activeUser, operation);
                    opType = OpType.PUT;
                    max = operation.getTimestamp();
                } else if (operation instanceof Delete) {
                    opType = OpType.DELETE;
                    max = operation.getTimestamp();
                } else if (operation instanceof Increment) {
                    opType = OpType.INCREMENT;
                    max = ((Increment) operation).getTimeRange().getMax();
                } else if (operation instanceof Append) {
                    opType = OpType.APPEND;
                    max = ((Append) operation).getTimeRange().getMax();
                } else {
                    continue;
                }
                AuthResult allow = checkCoveringPermission(activeUser, opType, observerContext.getEnvironment(), operation.getRow(), operation.getFamilyCellMap(), max, Permission.Action.WRITE) ? AuthResult.allow(opType.toString(), "Covering cell set", activeUser, Permission.Action.WRITE, table, operation.getFamilyCellMap()) : AuthResult.deny(opType.toString(), "Covering cell set", activeUser, Permission.Action.WRITE, table, operation.getFamilyCellMap());
                AccessChecker.logResult(allow);
                if (this.authorizationEnabled && !allow.isAllowed()) {
                    throw new AccessDeniedException("Insufficient permissions " + allow.toContextString());
                }
            }
        }
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void postDelete(ObserverContext<RegionCoprocessorEnvironment> observerContext, Delete delete, WALEdit wALEdit, Durability durability) throws IOException {
        if (this.aclRegion) {
            updateACL(observerContext.getEnvironment(), delete.getFamilyCellMap());
        }
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public boolean preCheckAndPut(ObserverContext<RegionCoprocessorEnvironment> observerContext, byte[] bArr, byte[] bArr2, byte[] bArr3, CompareOperator compareOperator, ByteArrayComparable byteArrayComparable, Put put, boolean z) throws IOException {
        User activeUser = getActiveUser(observerContext);
        checkForReservedTagPresence(activeUser, put);
        AuthResult permissionGranted = permissionGranted(OpType.CHECK_AND_PUT, activeUser, observerContext.getEnvironment(), makeFamilyMap(bArr2, bArr3), Permission.Action.READ, Permission.Action.WRITE);
        AccessChecker.logResult(permissionGranted);
        if (!permissionGranted.isAllowed()) {
            if (this.cellFeaturesEnabled && !this.compatibleEarlyTermination) {
                put.setAttribute(CHECK_COVERING_PERM, TRUE);
            } else if (this.authorizationEnabled) {
                throw new AccessDeniedException("Insufficient permissions " + permissionGranted.toContextString());
            }
        }
        byte[] attribute = put.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);
        if (attribute != null) {
            if (!this.cellFeaturesEnabled) {
                throw new DoNotRetryIOException("Cell ACLs cannot be persisted");
            }
            addCellPermissions(attribute, put.getFamilyCellMap());
        }
        return z;
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public boolean preCheckAndPutAfterRowLock(ObserverContext<RegionCoprocessorEnvironment> observerContext, byte[] bArr, byte[] bArr2, byte[] bArr3, CompareOperator compareOperator, ByteArrayComparable byteArrayComparable, Put put, boolean z) throws IOException {
        if (put.getAttribute(CHECK_COVERING_PERM) != null) {
            TableName table = observerContext.getEnvironment().getRegion().getRegionInfo().getTable();
            Map<byte[], ? extends Collection<byte[]>> makeFamilyMap = makeFamilyMap(bArr2, bArr3);
            User activeUser = getActiveUser(observerContext);
            AuthResult allow = checkCoveringPermission(activeUser, OpType.CHECK_AND_PUT, observerContext.getEnvironment(), bArr, makeFamilyMap, Long.MAX_VALUE, Permission.Action.READ) ? AuthResult.allow(OpType.CHECK_AND_PUT.toString(), "Covering cell set", activeUser, Permission.Action.READ, table, makeFamilyMap) : AuthResult.deny(OpType.CHECK_AND_PUT.toString(), "Covering cell set", activeUser, Permission.Action.READ, table, makeFamilyMap);
            AccessChecker.logResult(allow);
            if (this.authorizationEnabled && !allow.isAllowed()) {
                throw new AccessDeniedException("Insufficient permissions " + allow.toContextString());
            }
        }
        return z;
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public boolean preCheckAndDelete(ObserverContext<RegionCoprocessorEnvironment> observerContext, byte[] bArr, byte[] bArr2, byte[] bArr3, CompareOperator compareOperator, ByteArrayComparable byteArrayComparable, Delete delete, boolean z) throws IOException {
        if (delete.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL) != null) {
            throw new DoNotRetryIOException("ACL on checkAndDelete has no effect: " + delete.toString());
        }
        AuthResult permissionGranted = permissionGranted(OpType.CHECK_AND_DELETE, getActiveUser(observerContext), observerContext.getEnvironment(), makeFamilyMap(bArr2, bArr3), Permission.Action.READ, Permission.Action.WRITE);
        AccessChecker.logResult(permissionGranted);
        if (!permissionGranted.isAllowed()) {
            if (this.cellFeaturesEnabled && !this.compatibleEarlyTermination) {
                delete.setAttribute(CHECK_COVERING_PERM, TRUE);
            } else if (this.authorizationEnabled) {
                throw new AccessDeniedException("Insufficient permissions " + permissionGranted.toContextString());
            }
        }
        return z;
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public boolean preCheckAndDeleteAfterRowLock(ObserverContext<RegionCoprocessorEnvironment> observerContext, byte[] bArr, byte[] bArr2, byte[] bArr3, CompareOperator compareOperator, ByteArrayComparable byteArrayComparable, Delete delete, boolean z) throws IOException {
        if (delete.getAttribute(CHECK_COVERING_PERM) != null) {
            TableName table = observerContext.getEnvironment().getRegion().getRegionInfo().getTable();
            Map<byte[], ? extends Collection<byte[]>> makeFamilyMap = makeFamilyMap(bArr2, bArr3);
            User activeUser = getActiveUser(observerContext);
            AuthResult allow = checkCoveringPermission(activeUser, OpType.CHECK_AND_DELETE, observerContext.getEnvironment(), bArr, makeFamilyMap, Long.MAX_VALUE, Permission.Action.READ) ? AuthResult.allow(OpType.CHECK_AND_DELETE.toString(), "Covering cell set", activeUser, Permission.Action.READ, table, makeFamilyMap) : AuthResult.deny(OpType.CHECK_AND_DELETE.toString(), "Covering cell set", activeUser, Permission.Action.READ, table, makeFamilyMap);
            AccessChecker.logResult(allow);
            if (this.authorizationEnabled && !allow.isAllowed()) {
                throw new AccessDeniedException("Insufficient permissions " + allow.toContextString());
            }
        }
        return z;
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public Result preAppend(ObserverContext<RegionCoprocessorEnvironment> observerContext, Append append) throws IOException {
        User activeUser = getActiveUser(observerContext);
        checkForReservedTagPresence(activeUser, append);
        AuthResult permissionGranted = permissionGranted(OpType.APPEND, activeUser, observerContext.getEnvironment(), append.getFamilyCellMap(), Permission.Action.WRITE);
        AccessChecker.logResult(permissionGranted);
        if (!permissionGranted.isAllowed()) {
            if (this.cellFeaturesEnabled && !this.compatibleEarlyTermination) {
                append.setAttribute(CHECK_COVERING_PERM, TRUE);
            } else if (this.authorizationEnabled) {
                throw new AccessDeniedException("Insufficient permissions " + permissionGranted.toContextString());
            }
        }
        byte[] attribute = append.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);
        if (attribute == null) {
            return null;
        }
        if (!this.cellFeaturesEnabled) {
            throw new DoNotRetryIOException("Cell ACLs cannot be persisted");
        }
        addCellPermissions(attribute, append.getFamilyCellMap());
        return null;
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public Result preIncrement(ObserverContext<RegionCoprocessorEnvironment> observerContext, Increment increment) throws IOException {
        User activeUser = getActiveUser(observerContext);
        checkForReservedTagPresence(activeUser, increment);
        AuthResult permissionGranted = permissionGranted(OpType.INCREMENT, activeUser, observerContext.getEnvironment(), increment.getFamilyCellMap(), Permission.Action.WRITE);
        AccessChecker.logResult(permissionGranted);
        if (!permissionGranted.isAllowed()) {
            if (this.cellFeaturesEnabled && !this.compatibleEarlyTermination) {
                increment.setAttribute(CHECK_COVERING_PERM, TRUE);
            } else if (this.authorizationEnabled) {
                throw new AccessDeniedException("Insufficient permissions " + permissionGranted.toContextString());
            }
        }
        byte[] attribute = increment.getAttribute(AccessControlConstants.OP_ATTRIBUTE_ACL);
        if (attribute == null) {
            return null;
        }
        if (!this.cellFeaturesEnabled) {
            throw new DoNotRetryIOException("Cell ACLs cannot be persisted");
        }
        addCellPermissions(attribute, increment.getFamilyCellMap());
        return null;
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public List<Pair<Cell, Cell>> postIncrementBeforeWAL(ObserverContext<RegionCoprocessorEnvironment> observerContext, Mutation mutation, List<Pair<Cell, Cell>> list) throws IOException {
        return (!this.cellFeaturesEnabled || mutation.getACL() == null) ? list : (List) list.stream().map(pair -> {
            return new Pair(pair.getFirst(), createNewCellWithTags(mutation, (Cell) pair.getFirst(), (Cell) pair.getSecond()));
        }).collect(Collectors.toList());
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public List<Pair<Cell, Cell>> postAppendBeforeWAL(ObserverContext<RegionCoprocessorEnvironment> observerContext, Mutation mutation, List<Pair<Cell, Cell>> list) throws IOException {
        return (!this.cellFeaturesEnabled || mutation.getACL() == null) ? list : (List) list.stream().map(pair -> {
            return new Pair(pair.getFirst(), createNewCellWithTags(mutation, (Cell) pair.getFirst(), (Cell) pair.getSecond()));
        }).collect(Collectors.toList());
    }

    private Cell createNewCellWithTags(Mutation mutation, Cell cell, Cell cell2) {
        ArrayList newArrayList = Lists.newArrayList();
        if (cell2 != null) {
            Iterator<Tag> tagsIterator = PrivateCellUtil.tagsIterator(cell2);
            while (tagsIterator.hasNext()) {
                Tag next = tagsIterator.next();
                if (next.getType() != 1) {
                    if (LOG.isTraceEnabled()) {
                        LOG.trace("Carrying forward tag from " + cell2 + ": type " + ((int) next.getType()) + " length " + next.getValueLength());
                    }
                    newArrayList.add(next);
                }
            }
        }
        newArrayList.add(new ArrayBackedTag((byte) 1, mutation.getACL()));
        return PrivateCellUtil.createCell(cell2, newArrayList);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void preScannerOpen(ObserverContext<RegionCoprocessorEnvironment> observerContext, Scan scan) throws IOException {
        internalPreRead(observerContext, scan, OpType.SCAN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public RegionScanner postScannerOpen(ObserverContext<RegionCoprocessorEnvironment> observerContext, Scan scan, RegionScanner regionScanner) throws IOException {
        User activeUser = getActiveUser(observerContext);
        if (activeUser != null && activeUser.getShortName() != null) {
            this.scannerOwners.put(regionScanner, activeUser.getShortName());
        }
        return regionScanner;
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public boolean preScannerNext(ObserverContext<RegionCoprocessorEnvironment> observerContext, InternalScanner internalScanner, List<Result> list, int i, boolean z) throws IOException {
        requireScannerOwner(internalScanner);
        return z;
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void preScannerClose(ObserverContext<RegionCoprocessorEnvironment> observerContext, InternalScanner internalScanner) throws IOException {
        requireScannerOwner(internalScanner);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void postScannerClose(ObserverContext<RegionCoprocessorEnvironment> observerContext, InternalScanner internalScanner) throws IOException {
        this.scannerOwners.remove(internalScanner);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    @Deprecated
    public boolean postScannerFilterRow(ObserverContext<RegionCoprocessorEnvironment> observerContext, InternalScanner internalScanner, Cell cell, boolean z) throws IOException {
        return z;
    }

    private void requireScannerOwner(InternalScanner internalScanner) throws AccessDeniedException {
        if (RpcServer.isInRpcCallContext()) {
            String orElse = RpcServer.getRequestUserName().orElse(null);
            String str = this.scannerOwners.get(internalScanner);
            if (this.authorizationEnabled && str != null && !str.equals(orElse)) {
                throw new AccessDeniedException("User '" + orElse + "' is not the scanner owner!");
            }
        }
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void preBulkLoadHFile(ObserverContext<RegionCoprocessorEnvironment> observerContext, List<Pair<byte[], String>> list) throws IOException {
        User activeUser = getActiveUser(observerContext);
        Iterator<Pair<byte[], String>> it = list.iterator();
        while (it.hasNext()) {
            this.accessChecker.requirePermission(activeUser, "preBulkLoadHFile", observerContext.getEnvironment().getRegion().getTableDescriptor().getTableName(), it.next().getFirst(), null, null, Permission.Action.ADMIN, Permission.Action.CREATE);
        }
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.BulkLoadObserver
    public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> observerContext) throws IOException {
        requireAccess(observerContext, "prePrepareBulkLoad", observerContext.getEnvironment().getRegion().getTableDescriptor().getTableName(), Permission.Action.ADMIN, Permission.Action.CREATE);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.BulkLoadObserver
    public void preCleanupBulkLoad(ObserverContext<RegionCoprocessorEnvironment> observerContext) throws IOException {
        requireAccess(observerContext, "preCleanupBulkLoad", observerContext.getEnvironment().getRegion().getTableDescriptor().getTableName(), Permission.Action.ADMIN, Permission.Action.CREATE);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.EndpointObserver
    public Message preEndpointInvocation(ObserverContext<RegionCoprocessorEnvironment> observerContext, Service service, String str, Message message) throws IOException {
        if (this.shouldCheckExecPermission && !(service instanceof AccessControlProtos.AccessControlService)) {
            requirePermission(observerContext, "invoke(" + service.getDescriptorForType().getName() + "." + str + VisibilityConstants.CLOSED_PARAN, getTableName(observerContext.getEnvironment()), null, null, Permission.Action.EXEC);
        }
        return message;
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.EndpointObserver
    public void postEndpointInvocation(ObserverContext<RegionCoprocessorEnvironment> observerContext, Service service, String str, Message message, Message.Builder builder) throws IOException {
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService.Interface
    @Deprecated
    public void grant(RpcController rpcController, AccessControlProtos.GrantRequest grantRequest, RpcCallback<AccessControlProtos.GrantResponse> rpcCallback) {
        UserPermission userPermission = AccessControlUtil.toUserPermission(grantRequest.getUserPermission());
        AccessControlProtos.GrantResponse grantResponse = null;
        try {
        } catch (IOException e) {
            CoprocessorRpcUtils.setControllerException(rpcController, e);
        }
        if (!this.aclRegion) {
            throw new CoprocessorException(AccessController.class, "This method can only execute at " + PermissionStorage.ACL_TABLE_NAME + " table.");
        }
        if (!this.initialized) {
            throw new CoprocessorException("AccessController not yet initialized");
        }
        User orElse = RpcServer.getRequestUser().orElse(null);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Received request from {} to grant access permission {}", orElse.getName(), userPermission.toString());
        }
        preGrantOrRevoke(orElse, "grant", userPermission);
        this.regionEnv.getConnection().getAdmin().grant(new UserPermission(userPermission.getUser(), userPermission.getPermission()), grantRequest.getMergeExistingPermissions());
        if (AUDITLOG.isTraceEnabled()) {
            AUDITLOG.trace("Granted permission " + userPermission.toString());
        }
        grantResponse = AccessControlProtos.GrantResponse.getDefaultInstance();
        rpcCallback.run(grantResponse);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService.Interface
    @Deprecated
    public void revoke(RpcController rpcController, AccessControlProtos.RevokeRequest revokeRequest, RpcCallback<AccessControlProtos.RevokeResponse> rpcCallback) {
        UserPermission userPermission = AccessControlUtil.toUserPermission(revokeRequest.getUserPermission());
        AccessControlProtos.RevokeResponse revokeResponse = null;
        try {
        } catch (IOException e) {
            CoprocessorRpcUtils.setControllerException(rpcController, e);
        }
        if (!this.aclRegion) {
            throw new CoprocessorException(AccessController.class, "This method can only execute at " + PermissionStorage.ACL_TABLE_NAME + " table.");
        }
        if (!this.initialized) {
            throw new CoprocessorException("AccessController not yet initialized");
        }
        User orElse = RpcServer.getRequestUser().orElse(null);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Received request from {} to revoke access permission {}", orElse.getShortName(), userPermission.toString());
        }
        preGrantOrRevoke(orElse, "revoke", userPermission);
        this.regionEnv.getConnection().getAdmin().revoke(new UserPermission(userPermission.getUser(), userPermission.getPermission()));
        if (AUDITLOG.isTraceEnabled()) {
            AUDITLOG.trace("Revoked permission " + userPermission.toString());
        }
        revokeResponse = AccessControlProtos.RevokeResponse.getDefaultInstance();
        rpcCallback.run(revokeResponse);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService.Interface
    @Deprecated
    public void getUserPermissions(RpcController rpcController, AccessControlProtos.GetUserPermissionsRequest getUserPermissionsRequest, RpcCallback<AccessControlProtos.GetUserPermissionsResponse> rpcCallback) {
        AccessControlProtos.GetUserPermissionsResponse getUserPermissionsResponse = null;
        try {
        } catch (IOException e) {
            CoprocessorRpcUtils.setControllerException(rpcController, e);
        }
        if (!this.aclRegion) {
            throw new CoprocessorException(AccessController.class, "This method can only execute at " + PermissionStorage.ACL_TABLE_NAME + " table.");
        }
        if (!this.initialized) {
            throw new CoprocessorException("AccessController not yet initialized");
        }
        User orElse = RpcServer.getRequestUser().orElse(null);
        String stringUtf8 = getUserPermissionsRequest.hasUserName() ? getUserPermissionsRequest.getUserName().toStringUtf8() : null;
        String stringUtf82 = getUserPermissionsRequest.hasNamespaceName() ? getUserPermissionsRequest.getNamespaceName().toStringUtf8() : null;
        TableName tableName = getUserPermissionsRequest.hasTableName() ? ProtobufUtil.toTableName(getUserPermissionsRequest.getTableName()) : null;
        byte[] byteArray = getUserPermissionsRequest.hasColumnFamily() ? getUserPermissionsRequest.getColumnFamily().toByteArray() : null;
        byte[] byteArray2 = getUserPermissionsRequest.hasColumnQualifier() ? getUserPermissionsRequest.getColumnQualifier().toByteArray() : null;
        preGetUserPermissions(orElse, stringUtf8, stringUtf82, tableName, byteArray, byteArray2);
        getUserPermissionsResponse = AccessControlUtil.buildGetUserPermissionsResponse(this.regionEnv.getConnection().getAdmin().getUserPermissions(getUserPermissionsRequest.getType() == AccessControlProtos.Permission.Type.Table ? GetUserPermissionsRequest.newBuilder(tableName).withFamily(byteArray).withQualifier(byteArray2).withUserName(stringUtf8).build() : getUserPermissionsRequest.getType() == AccessControlProtos.Permission.Type.Namespace ? GetUserPermissionsRequest.newBuilder(stringUtf82).withUserName(stringUtf8).build() : GetUserPermissionsRequest.newBuilder().withUserName(stringUtf8).build()));
        rpcCallback.run(getUserPermissionsResponse);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService.Interface
    @Deprecated
    public void checkPermissions(RpcController rpcController, AccessControlProtos.CheckPermissionsRequest checkPermissionsRequest, RpcCallback<AccessControlProtos.CheckPermissionsResponse> rpcCallback) {
        AccessControlProtos.CheckPermissionsResponse checkPermissionsResponse = null;
        try {
            User orElse = RpcServer.getRequestUser().orElse(null);
            TableName tableName = this.regionEnv.getRegion().getTableDescriptor().getTableName();
            ArrayList<Permission> arrayList = new ArrayList();
            for (int i = 0; i < checkPermissionsRequest.getPermissionCount(); i++) {
                Permission permission = AccessControlUtil.toPermission(checkPermissionsRequest.getPermission(i));
                arrayList.add(permission);
                if (permission instanceof TablePermission) {
                    TablePermission tablePermission = (TablePermission) permission;
                    if (!tablePermission.getTableName().equals(tableName)) {
                        throw new CoprocessorException(AccessController.class, String.format("This method can only execute at the table specified in TablePermission. Table of the region:%s , requested table:%s", tableName, tablePermission.getTableName()));
                    }
                }
            }
            for (Permission permission2 : arrayList) {
                if (!this.accessChecker.hasUserPermission(orElse, "checkPermissions", permission2)) {
                    throw new AccessDeniedException("Insufficient permissions " + permission2.toString());
                }
            }
            checkPermissionsResponse = AccessControlProtos.CheckPermissionsResponse.getDefaultInstance();
        } catch (IOException e) {
            CoprocessorRpcUtils.setControllerException(rpcController, e);
        }
        rpcCallback.run(checkPermissionsResponse);
    }

    private Region getRegion(RegionCoprocessorEnvironment regionCoprocessorEnvironment) {
        return regionCoprocessorEnvironment.getRegion();
    }

    private TableName getTableName(RegionCoprocessorEnvironment regionCoprocessorEnvironment) {
        Region region = regionCoprocessorEnvironment.getRegion();
        if (region != null) {
            return getTableName(region);
        }
        return null;
    }

    private TableName getTableName(Region region) {
        RegionInfo regionInfo = region.getRegionInfo();
        if (regionInfo != null) {
            return regionInfo.getTable();
        }
        return null;
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void preClose(ObserverContext<RegionCoprocessorEnvironment> observerContext, boolean z) throws IOException {
        requirePermission(observerContext, "preClose", Permission.Action.ADMIN);
    }

    private void checkSystemOrSuperUser(User user) throws IOException {
        if (this.authorizationEnabled && !Superusers.isSuperUser(user)) {
            throw new AccessDeniedException("User '" + (user != null ? user.getShortName() : HoodieWriteStat.NULL_COMMIT) + "' is not system or super user.");
        }
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionServerObserver
    public void preStopRegionServer(ObserverContext<RegionServerCoprocessorEnvironment> observerContext) throws IOException {
        requirePermission(observerContext, "preStopRegionServer", Permission.Action.ADMIN);
    }

    private Map<byte[], ? extends Collection<byte[]>> makeFamilyMap(byte[] bArr, byte[] bArr2) {
        if (bArr == null) {
            return null;
        }
        TreeMap treeMap = new TreeMap(Bytes.BYTES_COMPARATOR);
        treeMap.put(bArr, bArr2 != null ? ImmutableSet.of(bArr2) : null);
        return treeMap;
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> observerContext, List<TableName> list, List<TableDescriptor> list2, String str) throws IOException {
        if (str != null || list == null || list.isEmpty()) {
            return;
        }
        Admin admin = observerContext.getEnvironment().getConnection().getAdmin();
        Throwable th = null;
        try {
            if (admin.listTableNames() == null) {
                if (admin != null) {
                    if (0 == 0) {
                        admin.close();
                        return;
                    }
                    try {
                        admin.close();
                        return;
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                        return;
                    }
                }
                return;
            }
            for (TableName tableName : list) {
                if (admin.tableExists(tableName)) {
                    requirePermission(observerContext, "getTableDescriptors", tableName, null, null, Permission.Action.ADMIN, Permission.Action.CREATE);
                }
            }
            if (admin != null) {
                if (0 == 0) {
                    admin.close();
                    return;
                }
                try {
                    admin.close();
                } catch (Throwable th3) {
                    th.addSuppressed(th3);
                }
            }
        } catch (Throwable th4) {
            if (admin != null) {
                if (0 != 0) {
                    try {
                        admin.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    admin.close();
                }
            }
            throw th4;
        }
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> observerContext, List<TableName> list, List<TableDescriptor> list2, String str) throws IOException {
        if (str != null || list == null || list.isEmpty()) {
            Iterator<TableDescriptor> it = list2.iterator();
            while (it.hasNext()) {
                try {
                    requirePermission(observerContext, "getTableDescriptors", it.next().getTableName(), null, null, Permission.Action.ADMIN, Permission.Action.CREATE);
                } catch (AccessDeniedException e) {
                    it.remove();
                }
            }
        }
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postGetTableNames(ObserverContext<MasterCoprocessorEnvironment> observerContext, List<TableDescriptor> list, String str) throws IOException {
        Iterator<TableDescriptor> it = list.iterator();
        while (it.hasNext()) {
            try {
                requireAccess(observerContext, "getTableNames", it.next().getTableName(), Permission.Action.values());
            } catch (AccessDeniedException e) {
                it.remove();
            }
        }
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preMergeRegions(ObserverContext<MasterCoprocessorEnvironment> observerContext, RegionInfo[] regionInfoArr) throws IOException {
        requirePermission(observerContext, "mergeRegions", regionInfoArr[0].getTable(), null, null, Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionServerObserver
    public void preRollWALWriterRequest(ObserverContext<RegionServerCoprocessorEnvironment> observerContext) throws IOException {
        requirePermission(observerContext, "preRollLogWriterRequest", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionServerObserver
    public void postRollWALWriterRequest(ObserverContext<RegionServerCoprocessorEnvironment> observerContext) throws IOException {
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preSetUserQuota(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str, GlobalQuotaSettings globalQuotaSettings) throws IOException {
        requirePermission(observerContext, "setUserQuota", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preSetUserQuota(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str, TableName tableName, GlobalQuotaSettings globalQuotaSettings) throws IOException {
        requirePermission(observerContext, "setUserTableQuota", tableName, null, null, Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preSetUserQuota(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str, String str2, GlobalQuotaSettings globalQuotaSettings) throws IOException {
        requirePermission(observerContext, "setUserNamespaceQuota", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preSetTableQuota(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, GlobalQuotaSettings globalQuotaSettings) throws IOException {
        requirePermission(observerContext, "setTableQuota", tableName, null, null, Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preSetNamespaceQuota(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str, GlobalQuotaSettings globalQuotaSettings) throws IOException {
        requirePermission(observerContext, "setNamespaceQuota", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preSetRegionServerQuota(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str, GlobalQuotaSettings globalQuotaSettings) throws IOException {
        requirePermission(observerContext, "setRegionServerQuota", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionServerObserver
    public ReplicationEndpoint postCreateReplicationEndPoint(ObserverContext<RegionServerCoprocessorEnvironment> observerContext, ReplicationEndpoint replicationEndpoint) {
        return replicationEndpoint;
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionServerObserver
    public void preReplicateLogEntries(ObserverContext<RegionServerCoprocessorEnvironment> observerContext) throws IOException {
        requirePermission(observerContext, "replicateLogEntries", Permission.Action.WRITE);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionServerObserver
    public void preClearCompactionQueues(ObserverContext<RegionServerCoprocessorEnvironment> observerContext) throws IOException {
        requirePermission(observerContext, "preClearCompactionQueues", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preAddReplicationPeer(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str, ReplicationPeerConfig replicationPeerConfig) throws IOException {
        requirePermission(observerContext, "addReplicationPeer", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preRemoveReplicationPeer(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str) throws IOException {
        requirePermission(observerContext, "removeReplicationPeer", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preEnableReplicationPeer(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str) throws IOException {
        requirePermission(observerContext, "enableReplicationPeer", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preDisableReplicationPeer(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str) throws IOException {
        requirePermission(observerContext, "disableReplicationPeer", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preGetReplicationPeerConfig(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str) throws IOException {
        requirePermission(observerContext, "getReplicationPeerConfig", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preUpdateReplicationPeerConfig(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str, ReplicationPeerConfig replicationPeerConfig) throws IOException {
        requirePermission(observerContext, "updateReplicationPeerConfig", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preListReplicationPeers(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str) throws IOException {
        requirePermission(observerContext, "listReplicationPeers", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preRequestLock(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str, TableName tableName, RegionInfo[] regionInfoArr, String str2) throws IOException {
        checkLockPermissions(observerContext, str, tableName, regionInfoArr, String.format("Description=%s", str2));
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preLockHeartbeat(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, String str) throws IOException {
        checkLockPermissions(observerContext, null, tableName, null, str);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.RegionServerObserver
    public void preExecuteProcedures(ObserverContext<RegionServerCoprocessorEnvironment> observerContext) throws IOException {
        checkSystemOrSuperUser(getActiveUser(observerContext));
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preSwitchRpcThrottle(ObserverContext<MasterCoprocessorEnvironment> observerContext, boolean z) throws IOException {
        requirePermission(observerContext, "switchRpcThrottle", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preIsRpcThrottleEnabled(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        requirePermission(observerContext, "isRpcThrottleEnabled", Permission.Action.ADMIN);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preSwitchExceedThrottleQuota(ObserverContext<MasterCoprocessorEnvironment> observerContext, boolean z) throws IOException {
        requirePermission(observerContext, "switchExceedThrottleQuota", Permission.Action.ADMIN);
    }

    private User getActiveUser(ObserverContext<?> observerContext) throws IOException {
        Optional<User> caller = observerContext.getCaller();
        return caller.isPresent() ? caller.get() : this.userProvider.getCurrent();
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos.AccessControlService.Interface
    @Deprecated
    public void hasPermission(RpcController rpcController, AccessControlProtos.HasPermissionRequest hasPermissionRequest, RpcCallback<AccessControlProtos.HasPermissionResponse> rpcCallback) {
        TablePermission tablePermission = AccessControlUtil.toTablePermission(hasPermissionRequest.getTablePermission());
        if (!hasPermissionRequest.hasUserName()) {
            throw new IllegalStateException("Input username cannot be empty");
        }
        String stringUtf8 = hasPermissionRequest.getUserName().toStringUtf8();
        AccessControlProtos.HasPermissionResponse hasPermissionResponse = null;
        try {
            User orElse = RpcServer.getRequestUser().orElse(null);
            ArrayList newArrayList = Lists.newArrayList(tablePermission);
            preHasUserPermissions(orElse, stringUtf8, newArrayList);
            hasPermissionResponse = ResponseConverter.buildHasPermissionResponse(this.regionEnv.getConnection().getAdmin().hasUserPermissions(stringUtf8, newArrayList).get(0).booleanValue());
        } catch (IOException e) {
            ResponseConverter.setControllerException(rpcController, e);
        }
        rpcCallback.run(hasPermissionResponse);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preGrant(ObserverContext<MasterCoprocessorEnvironment> observerContext, UserPermission userPermission, boolean z) throws IOException {
        preGrantOrRevoke(getActiveUser(observerContext), "grant", userPermission);
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preRevoke(ObserverContext<MasterCoprocessorEnvironment> observerContext, UserPermission userPermission) throws IOException {
        preGrantOrRevoke(getActiveUser(observerContext), "revoke", userPermission);
    }

    private void preGrantOrRevoke(User user, String str, UserPermission userPermission) throws IOException {
        switch (userPermission.getPermission().scope) {
            case GLOBAL:
                this.accessChecker.requireGlobalPermission(user, str, Permission.Action.ADMIN, "");
                break;
            case NAMESPACE:
                this.accessChecker.requireNamespacePermission(user, str, ((NamespacePermission) userPermission.getPermission()).getNamespace(), null, Permission.Action.ADMIN);
                break;
            case TABLE:
                TablePermission tablePermission = (TablePermission) userPermission.getPermission();
                this.accessChecker.requirePermission(user, str, tablePermission.getTableName(), tablePermission.getFamily(), tablePermission.getQualifier(), null, Permission.Action.ADMIN);
                break;
        }
        if (Superusers.isSuperUser(user)) {
            return;
        }
        this.accessChecker.performOnSuperuser(str, user, userPermission.getUser());
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preGetUserPermissions(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str, String str2, TableName tableName, byte[] bArr, byte[] bArr2) throws IOException {
        preGetUserPermissions(getActiveUser(observerContext), str, str2, tableName, bArr, bArr2);
    }

    private void preGetUserPermissions(User user, String str, String str2, TableName tableName, byte[] bArr, byte[] bArr2) throws IOException {
        if (tableName != null) {
            this.accessChecker.requirePermission(user, "getUserPermissions", tableName, bArr, bArr2, str, Permission.Action.ADMIN);
        } else if (str2 != null) {
            this.accessChecker.requireNamespacePermission(user, "getUserPermissions", str2, str, Permission.Action.ADMIN);
        } else {
            this.accessChecker.requirePermission(user, "getUserPermissions", str, Permission.Action.ADMIN);
        }
    }

    @Override // org.apache.hudi.org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preHasUserPermissions(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str, List<Permission> list) throws IOException {
        preHasUserPermissions(getActiveUser(observerContext), str, list);
    }

    private void preHasUserPermissions(User user, String str, List<Permission> list) throws IOException {
        AuthResult allow;
        for (Permission permission : list) {
            if (user.getShortName().equals(str)) {
                if (permission instanceof TablePermission) {
                    TablePermission tablePermission = (TablePermission) permission;
                    allow = AuthResult.allow("hasUserPermissions", "Self user validation allowed", user, null, tablePermission.getTableName(), tablePermission.getFamily(), tablePermission.getQualifier());
                } else {
                    allow = permission instanceof NamespacePermission ? AuthResult.allow("hasUserPermissions", "Self user validation allowed", user, null, ((NamespacePermission) permission).getNamespace()) : AuthResult.allow("hasUserPermissions", "Self user validation allowed", user, null, null, null, null);
                }
                AccessChecker.logResult(allow);
            } else if (permission instanceof TablePermission) {
                TablePermission tablePermission2 = (TablePermission) permission;
                this.accessChecker.requirePermission(user, "hasUserPermissions", tablePermission2.getTableName(), tablePermission2.getFamily(), tablePermission2.getQualifier(), str, Permission.Action.ADMIN);
            } else if (permission instanceof NamespacePermission) {
                this.accessChecker.requireNamespacePermission(user, "hasUserPermissions", ((NamespacePermission) permission).getNamespace(), str, Permission.Action.ADMIN);
            } else {
                this.accessChecker.requirePermission(user, "hasUserPermissions", str, Permission.Action.ADMIN);
            }
        }
    }
}
