package org.apache.hadoop.hbase.security.visibility;

import com.google.common.collect.Lists;
import com.google.common.collect.MapMaker;
import com.google.protobuf.ByteString;
import com.google.protobuf.RpcCallback;
import com.google.protobuf.RpcController;
import com.google.protobuf.Service;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.BitSet;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.Cell;
import org.apache.hadoop.hbase.CellScanner;
import org.apache.hadoop.hbase.CellUtil;
import org.apache.hadoop.hbase.CoprocessorEnvironment;
import org.apache.hadoop.hbase.DoNotRetryIOException;
import org.apache.hadoop.hbase.HColumnDescriptor;
import org.apache.hadoop.hbase.HConstants;
import org.apache.hadoop.hbase.HRegionInfo;
import org.apache.hadoop.hbase.HTableDescriptor;
import org.apache.hadoop.hbase.KeyValue;
import org.apache.hadoop.hbase.KeyValueUtil;
import org.apache.hadoop.hbase.NamespaceDescriptor;
import org.apache.hadoop.hbase.ServerName;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.Tag;
import org.apache.hadoop.hbase.catalog.MetaReader;
import org.apache.hadoop.hbase.client.Append;
import org.apache.hadoop.hbase.client.Delete;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.Increment;
import org.apache.hadoop.hbase.client.Mutation;
import org.apache.hadoop.hbase.client.Put;
import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.client.Scan;
import org.apache.hadoop.hbase.constraint.ConstraintException;
import org.apache.hadoop.hbase.coprocessor.BaseRegionObserver;
import org.apache.hadoop.hbase.coprocessor.CoprocessorException;
import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;
import org.apache.hadoop.hbase.coprocessor.CoprocessorService;
import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.MasterObserver;
import org.apache.hadoop.hbase.coprocessor.ObserverContext;
import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.RegionObserver;
import org.apache.hadoop.hbase.coprocessor.RegionServerCoprocessorEnvironment;
import org.apache.hadoop.hbase.exceptions.DeserializationException;
import org.apache.hadoop.hbase.exceptions.FailedSanityCheckException;
import org.apache.hadoop.hbase.filter.Filter;
import org.apache.hadoop.hbase.filter.FilterBase;
import org.apache.hadoop.hbase.filter.FilterList;
import org.apache.hadoop.hbase.io.hfile.HFile;
import org.apache.hadoop.hbase.io.util.StreamUtils;
import org.apache.hadoop.hbase.ipc.RequestContext;
import org.apache.hadoop.hbase.master.MasterServices;
import org.apache.hadoop.hbase.master.RegionPlan;
import org.apache.hadoop.hbase.protobuf.ResponseConverter;
import org.apache.hadoop.hbase.protobuf.generated.ClientProtos;
import org.apache.hadoop.hbase.protobuf.generated.HBaseProtos;
import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos;
import org.apache.hadoop.hbase.regionserver.BloomType;
import org.apache.hadoop.hbase.regionserver.DeleteTracker;
import org.apache.hadoop.hbase.regionserver.DisabledRegionSplitPolicy;
import org.apache.hadoop.hbase.regionserver.HRegion;
import org.apache.hadoop.hbase.regionserver.InternalScanner;
import org.apache.hadoop.hbase.regionserver.MiniBatchOperationInProgress;
import org.apache.hadoop.hbase.regionserver.OperationStatus;
import org.apache.hadoop.hbase.regionserver.RegionScanner;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.AccessController;
import org.apache.hadoop.hbase.security.visibility.expression.ExpressionNode;
import org.apache.hadoop.hbase.security.visibility.expression.LeafExpressionNode;
import org.apache.hadoop.hbase.security.visibility.expression.NonLeafExpressionNode;
import org.apache.hadoop.hbase.security.visibility.expression.Operator;
import org.apache.hadoop.hbase.util.ByteStringer;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.hbase.util.Pair;
import org.apache.hadoop.hbase.util.SimpleByteRange;
import org.apache.hadoop.hbase.zookeeper.ZooKeeperWatcher;

@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/hbase/security/visibility/VisibilityController.class */
public class VisibilityController extends BaseRegionObserver implements MasterObserver, RegionObserver, VisibilityLabelsProtos.VisibilityLabelsService.Interface, CoprocessorService {
    private static final Log LOG;
    private static final byte[] DUMMY_VALUE;
    private static final int SYSTEM_LABEL_ORDINAL = 1;
    private static final Tag[] LABELS_TABLE_TAGS;
    private VisibilityLabelsManager visibilityManager;
    private RegionCoprocessorEnvironment regionEnv;
    private List<ScanLabelGenerator> scanLabelGenerators;
    private Configuration conf;
    List<String> superUsers;
    private static ArrayList<Byte> reservedVisTagTypes;
    static final /* synthetic */ boolean $assertionsDisabled;
    private final ExpressionParser expressionParser = new ExpressionParser();
    private final ExpressionExpander expressionExpander = new ExpressionExpander();
    private volatile int ordinalCounter = -1;
    private boolean labelsRegion = false;
    private boolean acOn = false;
    private volatile boolean initialized = false;
    private Map<InternalScanner, String> scannerOwners = new MapMaker().weakKeys().makeMap();

    /* loaded from: input_file:org/apache/hadoop/hbase/security/visibility/VisibilityController$DeleteVersionVisibilityExpressionFilter.class */
    static class DeleteVersionVisibilityExpressionFilter extends FilterBase {
        private List<Tag> visibilityTags;

        public DeleteVersionVisibilityExpressionFilter(List<Tag> list) {
            this.visibilityTags = list;
        }

        public Filter.ReturnCode filterKeyValue(Cell cell) throws IOException {
            return VisibilityUtils.checkForMatchingVisibilityTags(cell, this.visibilityTags) ? Filter.ReturnCode.INCLUDE : Filter.ReturnCode.SKIP;
        }
    }

    @Override // org.apache.hadoop.hbase.coprocessor.BaseRegionObserver
    public void start(CoprocessorEnvironment coprocessorEnvironment) throws IOException {
        this.conf = coprocessorEnvironment.getConfiguration();
        if (HFile.getFormatVersion(this.conf) < 3) {
            throw new RuntimeException("A minimum HFile version of 3 is required to persist visibility labels. Consider setting hfile.format.version accordingly.");
        }
        ZooKeeperWatcher zooKeeperWatcher = null;
        if (coprocessorEnvironment instanceof MasterCoprocessorEnvironment) {
            zooKeeperWatcher = ((MasterCoprocessorEnvironment) coprocessorEnvironment).getMasterServices().getZooKeeper();
        } else if (coprocessorEnvironment instanceof RegionCoprocessorEnvironment) {
            this.regionEnv = (RegionCoprocessorEnvironment) coprocessorEnvironment;
            zooKeeperWatcher = this.regionEnv.getRegionServerServices().getZooKeeper();
        } else if (coprocessorEnvironment instanceof RegionServerCoprocessorEnvironment) {
            throw new RuntimeException("Visibility controller should not be configured as 'hbase.coprocessor.regionserver.classes'.");
        }
        if (zooKeeperWatcher == null) {
            throw new RuntimeException("Error obtaining VisibilityLabelsManager, zk found null.");
        }
        try {
            this.visibilityManager = VisibilityLabelsManager.get(zooKeeperWatcher, this.conf);
            if (coprocessorEnvironment instanceof RegionCoprocessorEnvironment) {
                this.scanLabelGenerators = VisibilityUtils.getScanLabelGenerators(this.conf);
            }
            this.superUsers = getSystemAndSuperUsers();
        } catch (IOException e) {
            throw new RuntimeException("Error obtaining VisibilityLabelsManager", e);
        }
    }

    @Override // org.apache.hadoop.hbase.coprocessor.BaseRegionObserver
    public void stop(CoprocessorEnvironment coprocessorEnvironment) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postStartMaster(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        MasterServices masterServices = observerContext.getEnvironment().getMasterServices();
        if (MetaReader.tableExists(masterServices.getCatalogTracker(), VisibilityConstants.LABELS_TABLE_NAME)) {
            return;
        }
        HTableDescriptor hTableDescriptor = new HTableDescriptor(VisibilityConstants.LABELS_TABLE_NAME);
        HColumnDescriptor hColumnDescriptor = new HColumnDescriptor(VisibilityConstants.LABELS_TABLE_FAMILY);
        hColumnDescriptor.setBloomFilterType(BloomType.NONE);
        hColumnDescriptor.setBlockCacheEnabled(false);
        hTableDescriptor.addFamily(hColumnDescriptor);
        hTableDescriptor.setValue("SPLIT_POLICY", DisabledRegionSplitPolicy.class.getName());
        hTableDescriptor.setValue(Bytes.toBytes("hbase.regionserver.disallow.writes.when.recovering"), Bytes.toBytes(true));
        masterServices.createTable(hTableDescriptor, (byte[][]) null);
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preCreateTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, HTableDescriptor hTableDescriptor, HRegionInfo[] hRegionInfoArr) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postCreateTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, HTableDescriptor hTableDescriptor, HRegionInfo[] hRegionInfoArr) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preCreateTableHandler(ObserverContext<MasterCoprocessorEnvironment> observerContext, HTableDescriptor hTableDescriptor, HRegionInfo[] hRegionInfoArr) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postCreateTableHandler(ObserverContext<MasterCoprocessorEnvironment> observerContext, HTableDescriptor hTableDescriptor, HRegionInfo[] hRegionInfoArr) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postDeleteTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preDeleteTableHandler(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postDeleteTableHandler(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preModifyTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, HTableDescriptor hTableDescriptor) throws IOException {
        if (VisibilityConstants.LABELS_TABLE_NAME.equals(tableName)) {
            throw new ConstraintException("Cannot alter " + VisibilityConstants.LABELS_TABLE_NAME);
        }
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postModifyTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, HTableDescriptor hTableDescriptor) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preModifyTableHandler(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, HTableDescriptor hTableDescriptor) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postModifyTableHandler(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, HTableDescriptor hTableDescriptor) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preAddColumn(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, HColumnDescriptor hColumnDescriptor) throws IOException {
        if (VisibilityConstants.LABELS_TABLE_NAME.equals(tableName)) {
            throw new ConstraintException("Cannot alter " + VisibilityConstants.LABELS_TABLE_NAME);
        }
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postAddColumn(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, HColumnDescriptor hColumnDescriptor) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preAddColumnHandler(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, HColumnDescriptor hColumnDescriptor) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postAddColumnHandler(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, HColumnDescriptor hColumnDescriptor) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preModifyColumn(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, HColumnDescriptor hColumnDescriptor) throws IOException {
        if (VisibilityConstants.LABELS_TABLE_NAME.equals(tableName)) {
            throw new ConstraintException("Cannot alter " + VisibilityConstants.LABELS_TABLE_NAME);
        }
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postModifyColumn(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, HColumnDescriptor hColumnDescriptor) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preModifyColumnHandler(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, HColumnDescriptor hColumnDescriptor) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postModifyColumnHandler(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, HColumnDescriptor hColumnDescriptor) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preDeleteColumn(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, byte[] bArr) throws IOException {
        if (VisibilityConstants.LABELS_TABLE_NAME.equals(tableName)) {
            throw new ConstraintException("Cannot alter " + VisibilityConstants.LABELS_TABLE_NAME);
        }
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postDeleteColumn(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, byte[] bArr) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preDeleteColumnHandler(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, byte[] bArr) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postDeleteColumnHandler(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, byte[] bArr) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postEnableTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preEnableTableHandler(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postEnableTableHandler(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
        if (VisibilityConstants.LABELS_TABLE_NAME.equals(tableName)) {
            throw new ConstraintException("Cannot disable " + VisibilityConstants.LABELS_TABLE_NAME);
        }
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postDisableTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preDisableTableHandler(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postDisableTableHandler(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preMove(ObserverContext<MasterCoprocessorEnvironment> observerContext, HRegionInfo hRegionInfo, ServerName serverName, ServerName serverName2) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postMove(ObserverContext<MasterCoprocessorEnvironment> observerContext, HRegionInfo hRegionInfo, ServerName serverName, ServerName serverName2) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preAssign(ObserverContext<MasterCoprocessorEnvironment> observerContext, HRegionInfo hRegionInfo) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postAssign(ObserverContext<MasterCoprocessorEnvironment> observerContext, HRegionInfo hRegionInfo) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> observerContext, HRegionInfo hRegionInfo, boolean z) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postUnassign(ObserverContext<MasterCoprocessorEnvironment> observerContext, HRegionInfo hRegionInfo, boolean z) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preRegionOffline(ObserverContext<MasterCoprocessorEnvironment> observerContext, HRegionInfo hRegionInfo) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postRegionOffline(ObserverContext<MasterCoprocessorEnvironment> observerContext, HRegionInfo hRegionInfo) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preBalance(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postBalance(ObserverContext<MasterCoprocessorEnvironment> observerContext, List<RegionPlan> list) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public boolean preBalanceSwitch(ObserverContext<MasterCoprocessorEnvironment> observerContext, boolean z) throws IOException {
        return false;
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postBalanceSwitch(ObserverContext<MasterCoprocessorEnvironment> observerContext, boolean z, boolean z2) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preShutdown(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext, HBaseProtos.SnapshotDescription snapshotDescription, HTableDescriptor hTableDescriptor) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext, HBaseProtos.SnapshotDescription snapshotDescription, HTableDescriptor hTableDescriptor) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preCloneSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext, HBaseProtos.SnapshotDescription snapshotDescription, HTableDescriptor hTableDescriptor) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postCloneSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext, HBaseProtos.SnapshotDescription snapshotDescription, HTableDescriptor hTableDescriptor) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preRestoreSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext, HBaseProtos.SnapshotDescription snapshotDescription, HTableDescriptor hTableDescriptor) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postRestoreSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext, HBaseProtos.SnapshotDescription snapshotDescription, HTableDescriptor hTableDescriptor) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preDeleteSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext, HBaseProtos.SnapshotDescription snapshotDescription) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postDeleteSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext, HBaseProtos.SnapshotDescription snapshotDescription) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> observerContext, List<TableName> list, List<HTableDescriptor> list2) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> observerContext, List<HTableDescriptor> list) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preCreateNamespace(ObserverContext<MasterCoprocessorEnvironment> observerContext, NamespaceDescriptor namespaceDescriptor) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postCreateNamespace(ObserverContext<MasterCoprocessorEnvironment> observerContext, NamespaceDescriptor namespaceDescriptor) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preModifyNamespace(ObserverContext<MasterCoprocessorEnvironment> observerContext, NamespaceDescriptor namespaceDescriptor) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postModifyNamespace(ObserverContext<MasterCoprocessorEnvironment> observerContext, NamespaceDescriptor namespaceDescriptor) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preMasterInitialization(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
    }

    @Override // org.apache.hadoop.hbase.coprocessor.BaseRegionObserver, org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void postOpen(ObserverContext<RegionCoprocessorEnvironment> observerContext) {
        if (!observerContext.getEnvironment().getRegion().getRegionInfo().getTable().equals(VisibilityConstants.LABELS_TABLE_NAME)) {
            this.initialized = true;
            return;
        }
        this.labelsRegion = true;
        this.acOn = CoprocessorHost.getLoadedCoprocessors().contains(AccessController.class.getName());
        if (observerContext.getEnvironment().getRegion().isRecovering()) {
            return;
        }
        initialize(observerContext);
    }

    @Override // org.apache.hadoop.hbase.coprocessor.BaseRegionObserver, org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void postLogReplay(ObserverContext<RegionCoprocessorEnvironment> observerContext) {
        if (this.labelsRegion) {
            initialize(observerContext);
        }
    }

    private void initialize(ObserverContext<RegionCoprocessorEnvironment> observerContext) {
        try {
            Pair<Map<String, Integer>, Map<String, List<Integer>>> extractLabelsAndAuths = extractLabelsAndAuths(getExistingLabelsWithAuths());
            Map<String, Integer> map = (Map) extractLabelsAndAuths.getFirst();
            Map<String, List<Integer>> map2 = (Map) extractLabelsAndAuths.getSecond();
            addSystemLabel(observerContext.getEnvironment().getRegion(), map, map2);
            int i = 1;
            for (Integer num : map.values()) {
                if (num.intValue() > i) {
                    i = num.intValue();
                }
            }
            this.ordinalCounter = i + 1;
            if (map.size() > 0) {
                this.visibilityManager.writeToZookeeper(VisibilityUtils.getDataToWriteToZooKeeper(map), true);
            }
            if (map2.size() > 0) {
                this.visibilityManager.writeToZookeeper(VisibilityUtils.getUserAuthsDataToWriteToZooKeeper(map2), false);
            }
            this.initialized = true;
        } catch (IOException e) {
            LOG.error("Error while updating the zk with the exisiting labels data", e);
        }
    }

    private void addSystemLabel(HRegion hRegion, Map<String, Integer> map, Map<String, List<Integer>> map2) throws IOException {
        if (map.containsKey(VisibilityUtils.SYSTEM_LABEL)) {
            return;
        }
        Put put = new Put(Bytes.toBytes(1));
        put.addImmutable(VisibilityConstants.LABELS_TABLE_FAMILY, VisibilityConstants.LABEL_QUALIFIER, Bytes.toBytes(VisibilityUtils.SYSTEM_LABEL));
        Iterator<String> it = this.superUsers.iterator();
        while (it.hasNext()) {
            put.addImmutable(VisibilityConstants.LABELS_TABLE_FAMILY, Bytes.toBytes(it.next()), DUMMY_VALUE, LABELS_TABLE_TAGS);
        }
        hRegion.put(put);
        map.put(VisibilityUtils.SYSTEM_LABEL, 1);
        for (String str : this.superUsers) {
            List<Integer> list = map2.get(str);
            if (list == null) {
                list = new ArrayList(1);
                map2.put(str, list);
            }
            list.add(1);
        }
    }

    @Override // org.apache.hadoop.hbase.coprocessor.BaseRegionObserver, org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void preBatchMutate(ObserverContext<RegionCoprocessorEnvironment> observerContext, MiniBatchOperationInProgress<Mutation> miniBatchOperationInProgress) throws IOException {
        if (observerContext.getEnvironment().getRegion().getRegionInfo().getTable().isSystemTable()) {
            return;
        }
        HashMap hashMap = new HashMap();
        for (int i = 0; i < miniBatchOperationInProgress.size(); i++) {
            Delete delete = (Mutation) miniBatchOperationInProgress.getOperation(i);
            try {
                CellVisibility cellVisibility = delete.getCellVisibility();
                boolean z = false;
                CellScanner cellScanner = delete.cellScanner();
                while (true) {
                    if (!cellScanner.advance()) {
                        break;
                    }
                    if (!checkForReservedVisibilityTagPresence(cellScanner.current())) {
                        miniBatchOperationInProgress.setOperationStatus(i, new OperationStatus(HConstants.OperationStatusCode.SANITY_CHECK_FAILURE, "Mutation contains cell with reserved type tag"));
                        z = true;
                        break;
                    }
                }
                if (!z && cellVisibility != null) {
                    String expression = cellVisibility.getExpression();
                    List<Tag> list = (List) hashMap.get(expression);
                    if (list == null) {
                        try {
                            list = createVisibilityTags(expression, true);
                        } catch (ParseException e) {
                            miniBatchOperationInProgress.setOperationStatus(i, new OperationStatus(HConstants.OperationStatusCode.SANITY_CHECK_FAILURE, e.getMessage()));
                        } catch (InvalidLabelException e2) {
                            miniBatchOperationInProgress.setOperationStatus(i, new OperationStatus(HConstants.OperationStatusCode.SANITY_CHECK_FAILURE, e2.getMessage()));
                        }
                    }
                    if (list != null) {
                        hashMap.put(expression, list);
                        ArrayList<Cell> arrayList = new ArrayList();
                        CellScanner cellScanner2 = delete.cellScanner();
                        while (cellScanner2.advance()) {
                            Cell current = cellScanner2.current();
                            List asList = Tag.asList(current.getTagsArray(), current.getTagsOffset(), current.getTagsLengthUnsigned());
                            asList.addAll(list);
                            arrayList.add(new KeyValue(current.getRowArray(), current.getRowOffset(), current.getRowLength(), current.getFamilyArray(), current.getFamilyOffset(), current.getFamilyLength(), current.getQualifierArray(), current.getQualifierOffset(), current.getQualifierLength(), current.getTimestamp(), KeyValue.Type.codeToType(current.getTypeByte()), current.getValueArray(), current.getValueOffset(), current.getValueLength(), asList));
                        }
                        delete.getFamilyCellMap().clear();
                        for (Cell cell : arrayList) {
                            if (delete instanceof Put) {
                                ((Put) delete).add(cell);
                            } else if (delete instanceof Delete) {
                                delete.addDeleteMarker(cell);
                            }
                        }
                    }
                }
            } catch (DeserializationException e3) {
                miniBatchOperationInProgress.setOperationStatus(i, new OperationStatus(HConstants.OperationStatusCode.SANITY_CHECK_FAILURE, e3.getMessage()));
            }
        }
    }

    @Override // org.apache.hadoop.hbase.coprocessor.BaseRegionObserver, org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void prePrepareTimeStampForDeleteVersion(ObserverContext<RegionCoprocessorEnvironment> observerContext, Mutation mutation, Cell cell, byte[] bArr, Get get) throws IOException {
        KeyValue ensureKeyValue = KeyValueUtil.ensureKeyValue(cell);
        try {
            CellVisibility cellVisibility = mutation.getCellVisibility();
            List<Tag> arrayList = new ArrayList();
            if (cellVisibility != null) {
                String expression = cellVisibility.getExpression();
                try {
                    arrayList = createVisibilityTags(expression, false);
                } catch (ParseException e) {
                    throw new IOException("Invalid cell visibility expression " + expression, e);
                } catch (InvalidLabelException e2) {
                    throw new IOException("Invalid cell visibility specified " + expression, e2);
                }
            }
            get.setFilter(new DeleteVersionVisibilityExpressionFilter(arrayList));
            List<Cell> list = observerContext.getEnvironment().getRegion().get(get, false);
            if (list.size() < get.getMaxVersions()) {
                ensureKeyValue.updateLatestStamp(Bytes.toBytes(Long.MIN_VALUE));
            } else {
                if (list.size() > get.getMaxVersions()) {
                    throw new RuntimeException("Unexpected size: " + list.size() + ". Results more than the max versions obtained.");
                }
                KeyValue ensureKeyValue2 = KeyValueUtil.ensureKeyValue(list.get(get.getMaxVersions() - 1));
                Bytes.putBytes(ensureKeyValue.getBuffer(), ensureKeyValue.getTimestampOffset(), ensureKeyValue2.getBuffer(), ensureKeyValue2.getTimestampOffset(), 8);
                observerContext.bypass();
            }
        } catch (DeserializationException e3) {
            throw new IOException("Invalid cell visibility specified " + mutation, e3);
        }
    }

    @Override // org.apache.hadoop.hbase.coprocessor.BaseRegionObserver, org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void postBatchMutate(ObserverContext<RegionCoprocessorEnvironment> observerContext, MiniBatchOperationInProgress<Mutation> miniBatchOperationInProgress) throws IOException {
        if (this.labelsRegion) {
            Pair<Map<String, Integer>, Map<String, List<Integer>>> extractLabelsAndAuths = extractLabelsAndAuths(getExistingLabelsWithAuths());
            Map map = (Map) extractLabelsAndAuths.getFirst();
            Map map2 = (Map) extractLabelsAndAuths.getSecond();
            boolean z = false;
            boolean z2 = false;
            for (int i = 0; i < miniBatchOperationInProgress.size(); i++) {
                Mutation operation = miniBatchOperationInProgress.getOperation(i);
                if (miniBatchOperationInProgress.getOperationStatus(i).getOperationStatusCode() == HConstants.OperationStatusCode.SUCCESS) {
                    Iterator it = operation.getFamilyCellMap().values().iterator();
                    while (it.hasNext()) {
                        for (Cell cell : (List) it.next()) {
                            int i2 = Bytes.toInt(cell.getRowArray(), cell.getRowOffset());
                            if (!Bytes.equals(cell.getQualifierArray(), cell.getQualifierOffset(), cell.getQualifierLength(), VisibilityConstants.LABEL_QUALIFIER, 0, VisibilityConstants.LABEL_QUALIFIER.length)) {
                                String bytes = Bytes.toString(cell.getQualifierArray(), cell.getQualifierOffset(), cell.getQualifierLength());
                                List list = (List) map2.get(bytes);
                                if (list == null) {
                                    list = new ArrayList();
                                    map2.put(bytes, list);
                                }
                                if (operation instanceof Delete) {
                                    list.remove(Integer.valueOf(i2));
                                } else {
                                    list.add(Integer.valueOf(i2));
                                }
                                z2 = true;
                            } else if (operation instanceof Put) {
                                map.put(Bytes.toString(cell.getValueArray(), cell.getValueOffset(), cell.getValueLength()), Integer.valueOf(i2));
                                z = true;
                            }
                        }
                    }
                }
            }
            if (z) {
                this.visibilityManager.writeToZookeeper(VisibilityUtils.getDataToWriteToZooKeeper(map), true);
            }
            if (z2) {
                this.visibilityManager.writeToZookeeper(VisibilityUtils.getUserAuthsDataToWriteToZooKeeper(map2), false);
            }
        }
    }

    private Pair<Map<String, Integer>, Map<String, List<Integer>>> extractLabelsAndAuths(List<List<Cell>> list) {
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        Iterator<List<Cell>> it = list.iterator();
        while (it.hasNext()) {
            for (Cell cell : it.next()) {
                if (Bytes.equals(cell.getQualifierArray(), cell.getQualifierOffset(), cell.getQualifierLength(), VisibilityConstants.LABEL_QUALIFIER, 0, VisibilityConstants.LABEL_QUALIFIER.length)) {
                    hashMap.put(Bytes.toString(cell.getValueArray(), cell.getValueOffset(), cell.getValueLength()), Integer.valueOf(Bytes.toInt(cell.getRowArray(), cell.getRowOffset())));
                } else {
                    String bytes = Bytes.toString(cell.getQualifierArray(), cell.getQualifierOffset(), cell.getQualifierLength());
                    List list2 = (List) hashMap2.get(bytes);
                    if (list2 == null) {
                        list2 = new ArrayList();
                        hashMap2.put(bytes, list2);
                    }
                    list2.add(Integer.valueOf(Bytes.toInt(cell.getRowArray(), cell.getRowOffset())));
                }
            }
        }
        return new Pair<>(hashMap, hashMap2);
    }

    private boolean checkForReservedVisibilityTagPresence(Cell cell) throws IOException {
        if (isSystemOrSuperUser() || cell.getTagsLengthUnsigned() <= 0) {
            return true;
        }
        Iterator tagsIterator = CellUtil.tagsIterator(cell.getTagsArray(), cell.getTagsOffset(), cell.getTagsLengthUnsigned());
        while (tagsIterator.hasNext()) {
            if (reservedVisTagTypes.contains(Byte.valueOf(((Tag) tagsIterator.next()).getType()))) {
                return false;
            }
        }
        return true;
    }

    private List<Tag> createVisibilityTags(String str, boolean z) throws IOException, ParseException, InvalidLabelException {
        ExpressionNode expand = this.expressionExpander.expand(this.expressionParser.parse(str));
        ArrayList arrayList = new ArrayList();
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        DataOutputStream dataOutputStream = new DataOutputStream(byteArrayOutputStream);
        List<Integer> arrayList2 = new ArrayList<>();
        if (z) {
            arrayList.add(VisibilityUtils.VIS_SERIALIZATION_TAG);
        }
        if (expand.isSingleNode()) {
            getLabelOrdinals(expand, arrayList2);
            writeLabelOrdinalsToStream(arrayList2, dataOutputStream);
            arrayList.add(new Tag((byte) 2, byteArrayOutputStream.toByteArray()));
            byteArrayOutputStream.reset();
        } else {
            NonLeafExpressionNode nonLeafExpressionNode = (NonLeafExpressionNode) expand;
            if (nonLeafExpressionNode.getOperator() == Operator.OR) {
                Iterator<ExpressionNode> it = nonLeafExpressionNode.getChildExps().iterator();
                while (it.hasNext()) {
                    getLabelOrdinals(it.next(), arrayList2);
                    writeLabelOrdinalsToStream(arrayList2, dataOutputStream);
                    arrayList.add(new Tag((byte) 2, byteArrayOutputStream.toByteArray()));
                    byteArrayOutputStream.reset();
                    arrayList2.clear();
                }
            } else {
                getLabelOrdinals(nonLeafExpressionNode, arrayList2);
                writeLabelOrdinalsToStream(arrayList2, dataOutputStream);
                arrayList.add(new Tag((byte) 2, byteArrayOutputStream.toByteArray()));
                byteArrayOutputStream.reset();
            }
        }
        return arrayList;
    }

    private void writeLabelOrdinalsToStream(List<Integer> list, DataOutputStream dataOutputStream) throws IOException {
        Collections.sort(list);
        Iterator<Integer> it = list.iterator();
        while (it.hasNext()) {
            StreamUtils.writeRawVInt32(dataOutputStream, it.next().intValue());
        }
    }

    private void getLabelOrdinals(ExpressionNode expressionNode, List<Integer> list) throws IOException, InvalidLabelException {
        String identifier;
        int labelOrdinal;
        if (!expressionNode.isSingleNode()) {
            Iterator<ExpressionNode> it = ((NonLeafExpressionNode) expressionNode).getChildExps().iterator();
            while (it.hasNext()) {
                getLabelOrdinals(it.next(), list);
            }
            return;
        }
        if (expressionNode instanceof LeafExpressionNode) {
            identifier = ((LeafExpressionNode) expressionNode).getIdentifier();
            if (LOG.isTraceEnabled()) {
                LOG.trace("The identifier is " + identifier);
            }
            labelOrdinal = this.visibilityManager.getLabelOrdinal(identifier);
        } else {
            identifier = ((LeafExpressionNode) ((NonLeafExpressionNode) expressionNode).getChildExps().get(0)).getIdentifier();
            labelOrdinal = (-1) * this.visibilityManager.getLabelOrdinal(identifier);
        }
        if (labelOrdinal == 0) {
            throw new InvalidLabelException("Invalid visibility label " + identifier);
        }
        list.add(Integer.valueOf(labelOrdinal));
    }

    @Override // org.apache.hadoop.hbase.coprocessor.BaseRegionObserver, org.apache.hadoop.hbase.coprocessor.RegionObserver
    public RegionScanner preScannerOpen(ObserverContext<RegionCoprocessorEnvironment> observerContext, Scan scan, RegionScanner regionScanner) throws IOException {
        HRegion region = observerContext.getEnvironment().getRegion();
        if (checkIfScanOrGetFromSuperUser()) {
            return regionScanner;
        }
        try {
            Filter createVisibilityLabelFilter = createVisibilityLabelFilter(region, scan.getAuthorizations());
            if (createVisibilityLabelFilter != null) {
                Filter filter = scan.getFilter();
                if (filter != null) {
                    scan.setFilter(new FilterList(new Filter[]{filter, createVisibilityLabelFilter}));
                } else {
                    scan.setFilter(createVisibilityLabelFilter);
                }
            }
            return regionScanner;
        } catch (DeserializationException e) {
            throw new IOException((Throwable) e);
        }
    }

    private boolean checkIfScanOrGetFromSuperUser() throws IOException {
        User activeUser = getActiveUser();
        if (activeUser == null || activeUser.getShortName() == null) {
            return false;
        }
        return this.visibilityManager.getAuths(activeUser.getShortName()).contains(VisibilityUtils.SYSTEM_LABEL);
    }

    @Override // org.apache.hadoop.hbase.coprocessor.BaseRegionObserver, org.apache.hadoop.hbase.coprocessor.RegionObserver
    public DeleteTracker postInstantiateDeleteTracker(ObserverContext<RegionCoprocessorEnvironment> observerContext, DeleteTracker deleteTracker) throws IOException {
        return observerContext.getEnvironment().getRegion().getRegionInfo().getTable().isSystemTable() ? deleteTracker : new VisibilityScanDeleteTracker();
    }

    @Override // org.apache.hadoop.hbase.coprocessor.BaseRegionObserver, org.apache.hadoop.hbase.coprocessor.RegionObserver
    public RegionScanner postScannerOpen(ObserverContext<RegionCoprocessorEnvironment> observerContext, Scan scan, RegionScanner regionScanner) throws IOException {
        User activeUser = getActiveUser();
        if (activeUser != null && activeUser.getShortName() != null) {
            this.scannerOwners.put(regionScanner, activeUser.getShortName());
        }
        return regionScanner;
    }

    @Override // org.apache.hadoop.hbase.coprocessor.BaseRegionObserver, org.apache.hadoop.hbase.coprocessor.RegionObserver
    public boolean preScannerNext(ObserverContext<RegionCoprocessorEnvironment> observerContext, InternalScanner internalScanner, List<Result> list, int i, boolean z) throws IOException {
        requireScannerOwner(internalScanner);
        return z;
    }

    @Override // org.apache.hadoop.hbase.coprocessor.BaseRegionObserver, org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void preScannerClose(ObserverContext<RegionCoprocessorEnvironment> observerContext, InternalScanner internalScanner) throws IOException {
        requireScannerOwner(internalScanner);
    }

    @Override // org.apache.hadoop.hbase.coprocessor.BaseRegionObserver, org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void postScannerClose(ObserverContext<RegionCoprocessorEnvironment> observerContext, InternalScanner internalScanner) throws IOException {
        this.scannerOwners.remove(internalScanner);
    }

    private void requireScannerOwner(InternalScanner internalScanner) throws AccessDeniedException {
        if (RequestContext.isInRequestContext()) {
            String requestUserName = RequestContext.getRequestUserName();
            String str = this.scannerOwners.get(internalScanner);
            if (str != null && !str.equals(requestUserName)) {
                throw new AccessDeniedException("User '" + requestUserName + "' is not the scanner owner!");
            }
        }
    }

    @Override // org.apache.hadoop.hbase.coprocessor.BaseRegionObserver, org.apache.hadoop.hbase.coprocessor.RegionObserver
    public void preGetOp(ObserverContext<RegionCoprocessorEnvironment> observerContext, Get get, List<Cell> list) throws IOException {
        if (checkIfScanOrGetFromSuperUser()) {
            return;
        }
        try {
            Filter createVisibilityLabelFilter = createVisibilityLabelFilter(observerContext.getEnvironment().getRegion(), get.getAuthorizations());
            if (createVisibilityLabelFilter != null) {
                Filter filter = get.getFilter();
                if (filter != null) {
                    get.setFilter(new FilterList(new Filter[]{filter, createVisibilityLabelFilter}));
                } else {
                    get.setFilter(createVisibilityLabelFilter);
                }
            }
        } catch (DeserializationException e) {
            throw new IOException((Throwable) e);
        }
    }

    private Filter createVisibilityLabelFilter(HRegion hRegion, Authorizations authorizations) throws IOException {
        HashMap hashMap = new HashMap();
        for (HColumnDescriptor hColumnDescriptor : hRegion.getTableDesc().getFamilies()) {
            hashMap.put(new SimpleByteRange(hColumnDescriptor.getName()), Integer.valueOf(hColumnDescriptor.getMaxVersions()));
        }
        if (authorizations == null) {
            TableName table = hRegion.getRegionInfo().getTable();
            if (table.isSystemTable() && !table.equals(VisibilityConstants.LABELS_TABLE_NAME)) {
                return null;
            }
        } else {
            for (String str : authorizations.getLabels()) {
                if (!VisibilityLabelsValidator.isValidLabel(str)) {
                    throw new IllegalArgumentException("Invalid authorization label : " + str + ". Authorizations cannot contain '(', ')' ,'&' ,'|', '!' and cannot be empty");
                }
            }
        }
        VisibilityLabelFilter visibilityLabelFilter = null;
        if (this.scanLabelGenerators != null) {
            List<String> list = null;
            Iterator<ScanLabelGenerator> it = this.scanLabelGenerators.iterator();
            while (it.hasNext()) {
                try {
                    List<String> labels = it.next().getLabels(getActiveUser(), authorizations);
                    list = labels == null ? new ArrayList<>() : labels;
                    authorizations = new Authorizations(list);
                } catch (Throwable th) {
                    LOG.error(th);
                    throw new IOException(th);
                }
            }
            BitSet bitSet = new BitSet(this.visibilityManager.getLabelsCount() + 1);
            if (list != null) {
                Iterator<String> it2 = list.iterator();
                while (it2.hasNext()) {
                    int labelOrdinal = this.visibilityManager.getLabelOrdinal(it2.next());
                    if (labelOrdinal != 0) {
                        bitSet.set(labelOrdinal);
                    }
                }
            }
            visibilityLabelFilter = new VisibilityLabelFilter(bitSet, hashMap);
        }
        return visibilityLabelFilter;
    }

    private User getActiveUser() throws IOException {
        User requestUser = RequestContext.getRequestUser();
        if (!RequestContext.isInRequestContext()) {
            requestUser = User.getCurrent();
        }
        if (LOG.isTraceEnabled()) {
            LOG.trace("Current active user name is " + requestUser.getShortName());
        }
        return requestUser;
    }

    private List<String> getSystemAndSuperUsers() throws IOException {
        User current = User.getCurrent();
        if (current == null) {
            throw new IOException("Unable to obtain the current user, authorization checks for internal operations will not work correctly!");
        }
        if (LOG.isTraceEnabled()) {
            LOG.trace("Current user name is " + current.getShortName());
        }
        return Lists.asList(current.getShortName(), this.conf.getStrings(AccessControlLists.SUPERUSER_CONF_KEY, new String[0]));
    }

    private boolean isSystemOrSuperUser() throws IOException {
        return this.superUsers.contains(getActiveUser().getShortName());
    }

    @Override // org.apache.hadoop.hbase.coprocessor.BaseRegionObserver, org.apache.hadoop.hbase.coprocessor.RegionObserver
    public Result preAppend(ObserverContext<RegionCoprocessorEnvironment> observerContext, Append append) throws IOException {
        CellScanner cellScanner = append.cellScanner();
        while (cellScanner.advance()) {
            if (!checkForReservedVisibilityTagPresence(cellScanner.current())) {
                throw new FailedSanityCheckException("Append contains cell with reserved type tag");
            }
        }
        return null;
    }

    @Override // org.apache.hadoop.hbase.coprocessor.BaseRegionObserver, org.apache.hadoop.hbase.coprocessor.RegionObserver
    public Result preIncrement(ObserverContext<RegionCoprocessorEnvironment> observerContext, Increment increment) throws IOException {
        CellScanner cellScanner = increment.cellScanner();
        while (cellScanner.advance()) {
            if (!checkForReservedVisibilityTagPresence(cellScanner.current())) {
                throw new FailedSanityCheckException("Increment contains cell with reserved type tag");
            }
        }
        return null;
    }

    @Override // org.apache.hadoop.hbase.coprocessor.BaseRegionObserver, org.apache.hadoop.hbase.coprocessor.RegionObserver
    public Cell postMutationBeforeWAL(ObserverContext<RegionCoprocessorEnvironment> observerContext, RegionObserver.MutationType mutationType, Mutation mutation, Cell cell, Cell cell2) throws IOException {
        ArrayList newArrayList = Lists.newArrayList();
        try {
            CellVisibility cellVisibility = mutation.getCellVisibility();
            if (cellVisibility == null) {
                return cell2;
            }
            Iterator tagsIterator = CellUtil.tagsIterator(cell2.getTagsArray(), cell2.getTagsOffset(), cell2.getTagsLengthUnsigned());
            while (tagsIterator.hasNext()) {
                Tag tag = (Tag) tagsIterator.next();
                if (tag.getType() != 2 && tag.getType() != 4) {
                    newArrayList.add(tag);
                }
            }
            try {
                newArrayList.addAll(createVisibilityTags(cellVisibility.getExpression(), true));
                KeyValue ensureKeyValue = KeyValueUtil.ensureKeyValue(cell2);
                byte[] buffer = ensureKeyValue.getBuffer();
                KeyValue keyValue = new KeyValue(buffer, ensureKeyValue.getRowOffset(), ensureKeyValue.getRowLength(), buffer, ensureKeyValue.getFamilyOffset(), ensureKeyValue.getFamilyLength(), buffer, ensureKeyValue.getQualifierOffset(), ensureKeyValue.getQualifierLength(), ensureKeyValue.getTimestamp(), KeyValue.Type.codeToType(ensureKeyValue.getTypeByte()), buffer, ensureKeyValue.getValueOffset(), ensureKeyValue.getValueLength(), newArrayList);
                keyValue.setMvccVersion(ensureKeyValue.getMvccVersion());
                return keyValue;
            } catch (ParseException e) {
                throw new IOException(e);
            }
        } catch (DeserializationException e2) {
            throw new IOException((Throwable) e2);
        }
    }

    @Override // org.apache.hadoop.hbase.coprocessor.CoprocessorService
    public Service getService() {
        return VisibilityLabelsProtos.VisibilityLabelsService.newReflectiveService(this);
    }

    public synchronized void addLabels(RpcController rpcController, VisibilityLabelsProtos.VisibilityLabelsRequest visibilityLabelsRequest, RpcCallback<VisibilityLabelsProtos.VisibilityLabelsResponse> rpcCallback) {
        VisibilityLabelsProtos.VisibilityLabelsResponse.Builder newBuilder = VisibilityLabelsProtos.VisibilityLabelsResponse.newBuilder();
        List visLabelList = visibilityLabelsRequest.getVisLabelList();
        if (!this.initialized) {
            setExceptionResults(visLabelList.size(), new CoprocessorException("VisibilityController not yet initialized"), newBuilder);
        }
        try {
            checkCallingUserAuth();
            ArrayList arrayList = new ArrayList(visLabelList.size());
            ClientProtos.RegionActionResult build = ClientProtos.RegionActionResult.newBuilder().build();
            Iterator it = visLabelList.iterator();
            while (it.hasNext()) {
                byte[] byteArray = ((VisibilityLabelsProtos.VisibilityLabel) it.next()).getLabel().toByteArray();
                String bytes = Bytes.toString(byteArray);
                if (!VisibilityLabelsValidator.isValidLabel(byteArray)) {
                    ClientProtos.RegionActionResult.Builder newBuilder2 = ClientProtos.RegionActionResult.newBuilder();
                    newBuilder2.setException(ResponseConverter.buildException(new InvalidLabelException("Invalid visibility label '" + bytes + "'")));
                    newBuilder.addResult(newBuilder2.build());
                } else if (this.visibilityManager.getLabelOrdinal(bytes) > 0) {
                    ClientProtos.RegionActionResult.Builder newBuilder3 = ClientProtos.RegionActionResult.newBuilder();
                    newBuilder3.setException(ResponseConverter.buildException(new LabelAlreadyExistsException("Label '" + bytes + "' already exists")));
                    newBuilder.addResult(newBuilder3.build());
                } else {
                    Put put = new Put(Bytes.toBytes(this.ordinalCounter));
                    put.addImmutable(VisibilityConstants.LABELS_TABLE_FAMILY, VisibilityConstants.LABEL_QUALIFIER, byteArray, LABELS_TABLE_TAGS);
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Adding the label " + bytes);
                    }
                    arrayList.add(put);
                    this.ordinalCounter++;
                    newBuilder.addResult(build);
                }
            }
            int i = 0;
            for (OperationStatus operationStatus : this.regionEnv.getRegion().batchMutate((Mutation[]) arrayList.toArray(new Mutation[arrayList.size()]))) {
                if (operationStatus.getOperationStatusCode() != HConstants.OperationStatusCode.SUCCESS) {
                    while (newBuilder.getResult(i) != build) {
                        i++;
                    }
                    ClientProtos.RegionActionResult.Builder newBuilder4 = ClientProtos.RegionActionResult.newBuilder();
                    newBuilder4.setException(ResponseConverter.buildException(new DoNotRetryIOException(operationStatus.getExceptionMsg())));
                    newBuilder.setResult(i, newBuilder4.build());
                }
                i++;
            }
        } catch (IOException e) {
            LOG.error(e);
            setExceptionResults(visLabelList.size(), e, newBuilder);
        }
        rpcCallback.run(newBuilder.build());
    }

    private void setExceptionResults(int i, IOException iOException, VisibilityLabelsProtos.VisibilityLabelsResponse.Builder builder) {
        ClientProtos.RegionActionResult.Builder newBuilder = ClientProtos.RegionActionResult.newBuilder();
        newBuilder.setException(ResponseConverter.buildException(iOException));
        ClientProtos.RegionActionResult build = newBuilder.build();
        for (int i2 = 0; i2 < i; i2++) {
            builder.addResult(i2, build);
        }
    }

    private void performACLCheck() throws IOException {
        if (!this.acOn || isSystemOrSuperUser()) {
            return;
        }
        User activeUser = getActiveUser();
        throw new AccessDeniedException("User '" + (activeUser != null ? activeUser.getShortName() : "null") + " is not authorized to perform this action.");
    }

    private List<List<Cell>> getExistingLabelsWithAuths() throws IOException {
        RegionScanner scanner = this.regionEnv.getRegion().getScanner(new Scan());
        ArrayList arrayList = new ArrayList();
        while (true) {
            try {
                ArrayList arrayList2 = new ArrayList();
                scanner.next(arrayList2);
                if (arrayList2.isEmpty()) {
                    return arrayList;
                }
                arrayList.add(arrayList2);
            } finally {
                scanner.close();
            }
        }
    }

    public synchronized void setAuths(RpcController rpcController, VisibilityLabelsProtos.SetAuthsRequest setAuthsRequest, RpcCallback<VisibilityLabelsProtos.VisibilityLabelsResponse> rpcCallback) {
        VisibilityLabelsProtos.VisibilityLabelsResponse.Builder newBuilder = VisibilityLabelsProtos.VisibilityLabelsResponse.newBuilder();
        List authList = setAuthsRequest.getAuthList();
        if (!this.initialized) {
            setExceptionResults(authList.size(), new CoprocessorException("VisibilityController not yet initialized"), newBuilder);
        }
        byte[] byteArray = setAuthsRequest.getUser().toByteArray();
        try {
            checkCallingUserAuth();
            ArrayList arrayList = new ArrayList(authList.size());
            ClientProtos.RegionActionResult build = ClientProtos.RegionActionResult.newBuilder().build();
            Iterator it = authList.iterator();
            while (it.hasNext()) {
                String bytes = Bytes.toString(((ByteString) it.next()).toByteArray());
                int labelOrdinal = this.visibilityManager.getLabelOrdinal(bytes);
                if (labelOrdinal == 0) {
                    ClientProtos.RegionActionResult.Builder newBuilder2 = ClientProtos.RegionActionResult.newBuilder();
                    newBuilder2.setException(ResponseConverter.buildException(new InvalidLabelException("Label '" + bytes + "' doesn't exist")));
                    newBuilder.addResult(newBuilder2.build());
                } else {
                    Put put = new Put(Bytes.toBytes(labelOrdinal));
                    put.addImmutable(VisibilityConstants.LABELS_TABLE_FAMILY, byteArray, DUMMY_VALUE, LABELS_TABLE_TAGS);
                    arrayList.add(put);
                    newBuilder.addResult(build);
                }
            }
            int i = 0;
            for (OperationStatus operationStatus : this.regionEnv.getRegion().batchMutate((Mutation[]) arrayList.toArray(new Mutation[arrayList.size()]))) {
                if (operationStatus.getOperationStatusCode() != HConstants.OperationStatusCode.SUCCESS) {
                    while (newBuilder.getResult(i) != build) {
                        i++;
                    }
                    ClientProtos.RegionActionResult.Builder newBuilder3 = ClientProtos.RegionActionResult.newBuilder();
                    newBuilder3.setException(ResponseConverter.buildException(new DoNotRetryIOException(operationStatus.getExceptionMsg())));
                    newBuilder.setResult(i, newBuilder3.build());
                }
                i++;
            }
        } catch (IOException e) {
            LOG.error(e);
            setExceptionResults(authList.size(), e, newBuilder);
        }
        rpcCallback.run(newBuilder.build());
    }

    public synchronized void getAuths(RpcController rpcController, VisibilityLabelsProtos.GetAuthsRequest getAuthsRequest, RpcCallback<VisibilityLabelsProtos.GetAuthsResponse> rpcCallback) {
        byte[] byteArray = getAuthsRequest.getUser().toByteArray();
        VisibilityLabelsProtos.GetAuthsResponse.Builder newBuilder = VisibilityLabelsProtos.GetAuthsResponse.newBuilder();
        newBuilder.setUser(getAuthsRequest.getUser());
        try {
            Iterator<String> it = getUserAuthsFromLabelsTable(byteArray).iterator();
            while (it.hasNext()) {
                newBuilder.addAuth(ByteStringer.wrap(Bytes.toBytes(it.next())));
            }
        } catch (IOException e) {
            ResponseConverter.setControllerException(rpcController, e);
        }
        rpcCallback.run(newBuilder.build());
    }

    private List<String> getUserAuthsFromLabelsTable(byte[] bArr) throws IOException {
        Scan scan = new Scan();
        scan.addColumn(VisibilityConstants.LABELS_TABLE_FAMILY, bArr);
        scan.setFilter(createVisibilityLabelFilter(this.regionEnv.getRegion(), new Authorizations(new String[]{VisibilityUtils.SYSTEM_LABEL})));
        ArrayList arrayList = new ArrayList();
        performACLCheck();
        RegionScanner scanner = this.regionEnv.getRegion().getScanner(scan);
        ArrayList arrayList2 = new ArrayList(1);
        while (true) {
            scanner.next(arrayList2);
            if (arrayList2.isEmpty()) {
                return arrayList;
            }
            Cell cell = arrayList2.get(0);
            String label = this.visibilityManager.getLabel(Bytes.toInt(cell.getRowArray(), cell.getRowOffset(), cell.getRowLength()));
            if (label != null) {
                arrayList.add(label);
            }
            arrayList2.clear();
        }
    }

    public synchronized void clearAuths(RpcController rpcController, VisibilityLabelsProtos.SetAuthsRequest setAuthsRequest, RpcCallback<VisibilityLabelsProtos.VisibilityLabelsResponse> rpcCallback) {
        VisibilityLabelsProtos.VisibilityLabelsResponse.Builder newBuilder = VisibilityLabelsProtos.VisibilityLabelsResponse.newBuilder();
        List authList = setAuthsRequest.getAuthList();
        if (!this.initialized) {
            setExceptionResults(authList.size(), new CoprocessorException("VisibilityController not yet initialized"), newBuilder);
        }
        byte[] byteArray = setAuthsRequest.getUser().toByteArray();
        try {
            checkCallingUserAuth();
            List<String> userAuthsFromLabelsTable = getUserAuthsFromLabelsTable(byteArray);
            ArrayList arrayList = new ArrayList(authList.size());
            ClientProtos.RegionActionResult build = ClientProtos.RegionActionResult.newBuilder().build();
            Iterator it = authList.iterator();
            while (it.hasNext()) {
                String bytes = Bytes.toString(((ByteString) it.next()).toByteArray());
                if (userAuthsFromLabelsTable.contains(bytes)) {
                    int labelOrdinal = this.visibilityManager.getLabelOrdinal(bytes);
                    if (!$assertionsDisabled && labelOrdinal <= 0) {
                        throw new AssertionError();
                    }
                    Delete delete = new Delete(Bytes.toBytes(labelOrdinal));
                    delete.deleteColumns(VisibilityConstants.LABELS_TABLE_FAMILY, byteArray);
                    arrayList.add(delete);
                    newBuilder.addResult(build);
                } else {
                    ClientProtos.RegionActionResult.Builder newBuilder2 = ClientProtos.RegionActionResult.newBuilder();
                    newBuilder2.setException(ResponseConverter.buildException(new InvalidLabelException("Label '" + bytes + "' is not set for the user " + Bytes.toString(byteArray))));
                    newBuilder.addResult(newBuilder2.build());
                }
            }
            int i = 0;
            for (OperationStatus operationStatus : this.regionEnv.getRegion().batchMutate((Mutation[]) arrayList.toArray(new Mutation[arrayList.size()]))) {
                if (operationStatus.getOperationStatusCode() != HConstants.OperationStatusCode.SUCCESS) {
                    while (newBuilder.getResult(i) != build) {
                        i++;
                    }
                    ClientProtos.RegionActionResult.Builder newBuilder3 = ClientProtos.RegionActionResult.newBuilder();
                    newBuilder3.setException(ResponseConverter.buildException(new DoNotRetryIOException(operationStatus.getExceptionMsg())));
                    newBuilder.setResult(i, newBuilder3.build());
                }
                i++;
            }
        } catch (IOException e) {
            LOG.error(e);
            setExceptionResults(authList.size(), e, newBuilder);
        }
        rpcCallback.run(newBuilder.build());
    }

    private void checkCallingUserAuth() throws IOException {
        if (this.acOn) {
            return;
        }
        User activeUser = getActiveUser();
        if (activeUser == null) {
            throw new IOException("Unable to retrieve calling user");
        }
        List<String> auths = this.visibilityManager.getAuths(activeUser.getShortName());
        if (LOG.isTraceEnabled()) {
            LOG.trace("The list of auths are " + auths);
        }
        if (!auths.contains(VisibilityUtils.SYSTEM_LABEL)) {
            throw new AccessDeniedException("User '" + activeUser.getShortName() + "' is not authorized to perform this action.");
        }
    }

    static {
        $assertionsDisabled = !VisibilityController.class.desiredAssertionStatus();
        LOG = LogFactory.getLog(VisibilityController.class);
        DUMMY_VALUE = new byte[0];
        LABELS_TABLE_TAGS = new Tag[1];
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        try {
            StreamUtils.writeRawVInt32(new DataOutputStream(byteArrayOutputStream), 1);
        } catch (IOException e) {
        }
        LABELS_TABLE_TAGS[0] = new Tag((byte) 2, byteArrayOutputStream.toByteArray());
        reservedVisTagTypes = new ArrayList<>();
        reservedVisTagTypes.add((byte) 2);
        reservedVisTagTypes.add((byte) 4);
    }
}
