apache
diff --git a/‎hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/PermissionStorage.java‎
Lines changed: 5 additions & 0 deletions b/‎hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/PermissionStorage.java‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SnapshotScannerHDFSAclController.java‎
Lines changed: 104 additions & 70 deletions b/‎hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SnapshotScannerHDFSAclController.java‎
Lines changed: 104 additions & 70 deletions
@@ -508,6 +508,11 @@ public static ListMultimap<String, UserPermission> getNamespacePermissions(Confi
       false);
   }
 
+  public static ListMultimap<String, UserPermission> getGlobalPermissions(Configuration conf)
+      throws IOException {
+    return getPermissions(conf, null, null, null, null, null, false);
+  }
+
   /**
    * Reads user permission assignments stored in the <code>l:</code> column family of the first
    * table row in <code>_acl_</code>.
 
@@ -25,6 +25,7 @@
 import java.util.List;
 import java.util.Optional;
 import java.util.Set;
+import java.util.function.Supplier;
 import java.util.stream.Collectors;
 
 import org.apache.hadoop.conf.Configuration;
@@ -58,20 +59,22 @@
 import org.apache.hadoop.hbase.master.MasterServices;
 import org.apache.hadoop.hbase.security.User;
 import org.apache.hadoop.hbase.security.UserProvider;
-import org.apache.hadoop.hbase.security.access.Permission.Action;
 import org.apache.hadoop.hbase.security.access.SnapshotScannerHDFSAclHelper.PathHelper;
 import org.apache.hadoop.hbase.util.Bytes;
 import org.apache.hadoop.hbase.util.Pair;
 import org.apache.yetus.audience.InterfaceAudience;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import org.apache.hbase.thirdparty.com.google.common.annotations.VisibleForTesting;
+import org.apache.hbase.thirdparty.com.google.common.collect.Sets;
+
 /**
  * Set HDFS ACLs to hFiles to make HBase granted users have permission to scan snapshot
  * <p>
  * To use this feature, please mask sure HDFS config:
  * <ul>
- * <li>dfs.permissions.enabled = true</li>
+ * <li>dfs.namenode.acls.enabled = true</li>
  * <li>fs.permissions.umask-mode = 027 (or smaller umask than 027)</li>
  * </ul>
  * </p>
@@ -103,7 +106,9 @@ public class SnapshotScannerHDFSAclController implements MasterCoprocessor, Mast
   private SnapshotScannerHDFSAclHelper hdfsAclHelper = null;
   private PathHelper pathHelper = null;
   private FileSystem fs = null;
+  private MasterServices masterServices = null;
   private volatile boolean initialized = false;
+  private volatile boolean aclTableInitialized = false;
   /** Provider for mapping principal names to Users */
   private UserProvider userProvider;
 
@@ -121,7 +126,7 @@ public void preMasterInitialization(ObserverContext<MasterCoprocessorEnvironment
       if (!(mEnv instanceof HasMasterServices)) {
         throw new IOException("Does not implement HMasterServices");
       }
-      MasterServices masterServices = ((HasMasterServices) mEnv).getMasterServices();
+      masterServices = ((HasMasterServices) mEnv).getMasterServices();
       hdfsAclHelper = new SnapshotScannerHDFSAclHelper(masterServices.getConfiguration(),
           masterServices.getConnection());
       pathHelper = hdfsAclHelper.getPathHelper();
@@ -138,7 +143,7 @@ public void preMasterInitialization(ObserverContext<MasterCoprocessorEnvironment
 
   @Override
   public void postStartMaster(ObserverContext<MasterCoprocessorEnvironment> c) throws IOException {
-    if (checkInitialized()) {
+    if (initialized) {
       try (Admin admin = c.getEnvironment().getConnection().getAdmin()) {
         if (admin.tableExists(PermissionStorage.ACL_TABLE_NAME)) {
           // Check if hbase acl table has 'm' CF, if not, add 'm' CF
@@ -151,6 +156,8 @@ public void postStartMaster(ObserverContext<MasterCoprocessorEnvironment> c) thr
                 .setColumnFamily(ColumnFamilyDescriptorBuilder
                     .newBuilder(SnapshotScannerHDFSAclStorage.HDFS_ACL_FAMILY).build());
             admin.modifyTable(builder.build());
+          } else {
+            aclTableInitialized = true;
           }
         } else {
           throw new TableNotFoundException("Table " + PermissionStorage.ACL_TABLE_NAME
@@ -163,26 +170,21 @@ public void postStartMaster(ObserverContext<MasterCoprocessorEnvironment> c) thr
 
   @Override
   public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> c) {
-    if (checkInitialized()) {
+    if (initialized) {
       hdfsAclHelper.close();
     }
   }
 
   @Override
   public void postCompletedCreateTableAction(ObserverContext<MasterCoprocessorEnvironment> c,
       TableDescriptor desc, RegionInfo[] regions) throws IOException {
-    if (!desc.getTableName().isSystemTable() && checkInitialized()) {
+    if (checkTable(desc, () -> "createTable " + desc.getTableName())) {
       TableName tableName = desc.getTableName();
-      List<Path> paths = hdfsAclHelper.getTableRootPaths(tableName, false);
-      for (Path path : paths) {
-        if (!fs.exists(path)) {
-          fs.mkdirs(path);
-        }
-      }
+      hdfsAclHelper.createTableDirectories(tableName);
       // Add table owner HDFS acls
       String owner =
           desc.getOwnerString() == null ? getActiveUser(c).getShortName() : desc.getOwnerString();
-      hdfsAclHelper.addTableAcl(tableName, owner);
+      hdfsAclHelper.addTableAcl(tableName, Sets.newHashSet(owner));
       try (Table aclTable =
           c.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
         SnapshotScannerHDFSAclStorage.addUserTableHdfsAcl(aclTable, owner, tableName);
@@ -193,7 +195,7 @@ public void postCompletedCreateTableAction(ObserverContext<MasterCoprocessorEnvi
   @Override
   public void postCreateNamespace(ObserverContext<MasterCoprocessorEnvironment> c,
       NamespaceDescriptor ns) throws IOException {
-    if (checkInitialized()) {
+    if (checkInitialized(() -> "createNamespace " + ns.getName())) {
       List<Path> paths = hdfsAclHelper.getNamespaceRootPaths(ns.getName());
       for (Path path : paths) {
         if (!fs.exists(path)) {
@@ -206,23 +208,23 @@ public void postCreateNamespace(ObserverContext<MasterCoprocessorEnvironment> c,
   @Override
   public void postCompletedSnapshotAction(ObserverContext<MasterCoprocessorEnvironment> c,
       SnapshotDescription snapshot, TableDescriptor tableDescriptor) throws IOException {
-    if (!tableDescriptor.getTableName().isSystemTable() && checkInitialized()) {
+    if (checkTable(tableDescriptor, () -> "snapshot " + snapshot.getName())) {
       hdfsAclHelper.snapshotAcl(snapshot);
     }
   }
 
   @Override
   public void postCompletedTruncateTableAction(ObserverContext<MasterCoprocessorEnvironment> c,
       TableName tableName) throws IOException {
-    if (!tableName.isSystemTable() && checkInitialized()) {
+    if (checkTable(tableName, () -> "truncateTable " + tableName)) {
       hdfsAclHelper.resetTableAcl(tableName);
     }
   }
 
   @Override
   public void postDeleteTable(ObserverContext<MasterCoprocessorEnvironment> ctx,
       TableName tableName) throws IOException {
-    if (!tableName.isSystemTable() && checkInitialized()) {
+    if (checkTable(tableName, () -> "deleteTable " + tableName)) {
       /*
        * remove table user access HDFS acl from namespace directory if the user has no permissions
        * of global, ns of the table or other tables of the ns, eg: Bob has 'ns1:t1' read permission,
@@ -263,10 +265,36 @@ public void postDeleteTable(ObserverContext<MasterCoprocessorEnvironment> ctx,
     }
   }
 
+  @Override
+  public void postModifyTable(ObserverContext<MasterCoprocessorEnvironment> ctx,
+      TableName tableName, TableDescriptor oldDescriptor, TableDescriptor currentDescriptor)
+      throws IOException {
+    if (checkTable(currentDescriptor, () -> "modifyTable " + tableName)
+        && !hdfsAclHelper.isTableUserScanSnapshotEnabled(oldDescriptor)) {
+      hdfsAclHelper.createTableDirectories(tableName);
+      Set<String> users = new HashSet<>();
+      users.addAll(hdfsAclHelper.getUsersWithGlobalReadAction());
+      users.addAll(hdfsAclHelper.getUsersWithNamespaceReadAction(tableName.getNamespaceAsString()));
+      Set<String> userWithTableReadPermission =
+          hdfsAclHelper.getUsersWithTableReadAction(tableName);
+      users.addAll(userWithTableReadPermission);
+      hdfsAclHelper.addTableAcl(tableName, users);
+      try (Table aclTable =
+          ctx.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
+        for (String user : userWithTableReadPermission) {
+          SnapshotScannerHDFSAclStorage.addUserTableHdfsAcl(aclTable, user, tableName);
+        }
+      }
+    } else if (!aclTableInitialized
+        && Bytes.equals(PermissionStorage.ACL_GLOBAL_NAME, tableName.getName())) {
+      aclTableInitialized = true;
+    }
+  }
+
   @Override
   public void postDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> ctx,
       String namespace) throws IOException {
-    if (checkInitialized()) {
+    if (checkInitialized(() -> "deleteNamespace " + namespace)) {
       try (Table aclTable =
           ctx.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
         SnapshotScannerHDFSAclStorage.deleteNamespaceHdfsAcl(aclTable, namespace);
@@ -292,7 +320,8 @@ public void postDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> ct
   @Override
   public void postGrant(ObserverContext<MasterCoprocessorEnvironment> c,
       UserPermission userPermission, boolean mergeExistingPermissions) throws IOException {
-    if (!checkInitialized()) {
+    if (!checkInitialized(() -> "grant " + userPermission + ", merge existing permissions "
+        + mergeExistingPermissions)) {
       return;
     }
     try (Table aclTable =
@@ -302,7 +331,7 @@ public void postGrant(ObserverContext<MasterCoprocessorEnvironment> c,
       switch (userPermission.getAccessScope()) {
         case GLOBAL:
           UserPermission perm = getUserGlobalPermission(conf, userName);
-          if (perm != null && containReadPermission(perm)) {
+          if (perm != null && hdfsAclHelper.containReadAction(perm)) {
             if (!isHdfsAclSet(aclTable, userName)) {
               Pair<Set<String>, Set<TableName>> namespaceAndTable =
                       SnapshotScannerHDFSAclStorage.getUserNamespaceAndTable(aclTable, userName);
@@ -322,7 +351,7 @@ public void postGrant(ObserverContext<MasterCoprocessorEnvironment> c,
         case NAMESPACE:
           String namespace = ((NamespacePermission) userPermission.getPermission()).getNamespace();
           UserPermission nsPerm = getUserNamespacePermission(conf, userName, namespace);
-          if (nsPerm != null && containReadPermission(nsPerm)) {
+          if (nsPerm != null && hdfsAclHelper.containReadAction(nsPerm)) {
             if (!isHdfsAclSet(aclTable, userName, namespace)) {
               Set<TableName> skipTables = SnapshotScannerHDFSAclStorage
                       .getUserNamespaceAndTable(aclTable, userName).getSecond();
@@ -336,23 +365,20 @@ public void postGrant(ObserverContext<MasterCoprocessorEnvironment> c,
           }
           break;
         case TABLE:
-          TableName tableName = ((TablePermission) userPermission.getPermission()).getTableName();
-          UserPermission tPerm = getUserTablePermission(conf, userName, tableName);
-          if (tPerm != null) {
-            TablePermission tablePermission = (TablePermission) tPerm.getPermission();
-            if (tablePermission.hasFamily() || tablePermission.hasQualifier()) {
-              break;
-            }
-          }
-          if (tPerm != null && containReadPermission(tPerm)) {
-            if (!isHdfsAclSet(aclTable, userName, tableName)) {
-              hdfsAclHelper.grantAcl(userPermission, new HashSet<>(0), new HashSet<>(0));
+          TablePermission tablePerm = (TablePermission) userPermission.getPermission();
+          if (checkTableAndPermission(tablePerm)) {
+            TableName tableName = tablePerm.getTableName();
+            UserPermission tPerm = getUserTablePermission(conf, userName, tableName);
+            if (tPerm != null && hdfsAclHelper.containReadAction(tPerm)) {
+              if (!isHdfsAclSet(aclTable, userName, tableName)) {
+                hdfsAclHelper.grantAcl(userPermission, new HashSet<>(0), new HashSet<>(0));
+              }
+              SnapshotScannerHDFSAclStorage.addUserTableHdfsAcl(aclTable, userName, tableName);
+            } else {
+              // The merged user permission doesn't contain READ, so remove user table HDFS acls if
+              // it's set
+              removeUserTableHdfsAcl(aclTable, userName, tableName, userPermission);
             }
-            SnapshotScannerHDFSAclStorage.addUserTableHdfsAcl(aclTable, userName, tableName);
-          } else {
-            // The merged user permission doesn't contain READ, so remove user table HDFS acls if
-            // it's set
-            removeUserTableHdfsAcl(aclTable, userName, tableName, userPermission);
           }
           break;
         default:
@@ -365,32 +391,34 @@ public void postGrant(ObserverContext<MasterCoprocessorEnvironment> c,
   @Override
   public void postRevoke(ObserverContext<MasterCoprocessorEnvironment> c,
       UserPermission userPermission) throws IOException {
-    if (checkInitialized()) {
+    if (checkInitialized(() -> "revoke " + userPermission)) {
       try (Table aclTable =
           c.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
         String userName = userPermission.getUser();
         Configuration conf = c.getEnvironment().getConfiguration();
         switch (userPermission.getAccessScope()) {
           case GLOBAL:
             UserPermission userGlobalPerm = getUserGlobalPermission(conf, userName);
-            if (userGlobalPerm == null || !containReadPermission(userGlobalPerm)) {
+            if (userGlobalPerm == null || !hdfsAclHelper.containReadAction(userGlobalPerm)) {
               removeUserGlobalHdfsAcl(aclTable, userName, userPermission);
             }
             break;
           case NAMESPACE:
             NamespacePermission nsPerm = (NamespacePermission) userPermission.getPermission();
             UserPermission userNsPerm =
                 getUserNamespacePermission(conf, userName, nsPerm.getNamespace());
-            if (userNsPerm == null || !containReadPermission(userNsPerm)) {
+            if (userNsPerm == null || !hdfsAclHelper.containReadAction(userNsPerm)) {
               removeUserNamespaceHdfsAcl(aclTable, userName, nsPerm.getNamespace(), userPermission);
             }
             break;
           case TABLE:
             TablePermission tPerm = (TablePermission) userPermission.getPermission();
-            UserPermission userTablePerm =
-                getUserTablePermission(conf, userName, tPerm.getTableName());
-            if (userTablePerm == null || !containReadPermission(userTablePerm)) {
-              removeUserTableHdfsAcl(aclTable, userName, tPerm.getTableName(), userPermission);
+            if (checkTableAndPermission(tPerm)) {
+              TableName tableName = tPerm.getTableName();
+              UserPermission userTablePerm = getUserTablePermission(conf, userName, tableName);
+              if (userTablePerm == null || !hdfsAclHelper.containReadAction(userTablePerm)) {
+                removeUserTableHdfsAcl(aclTable, userName, tableName, userPermission);
+              }
             }
             break;
           default:
@@ -442,42 +470,28 @@ private void removeUserTableHdfsAcl(Table aclTable, String userName, TableName t
     }
   }
 
-  private boolean containReadPermission(UserPermission userPermission) {
-    if (userPermission != null) {
-      return Arrays.stream(userPermission.getPermission().getActions())
-          .anyMatch(action -> action == Action.READ);
-    }
-    return false;
-  }
-
   private UserPermission getUserGlobalPermission(Configuration conf, String userName)
       throws IOException {
     List<UserPermission> permissions = PermissionStorage.getUserPermissions(conf,
       PermissionStorage.ACL_GLOBAL_NAME, null, null, userName, true);
-    if (permissions != null && permissions.size() > 0) {
-      return permissions.get(0);
-    }
-    return null;
+    return permissions.size() > 0 ? permissions.get(0) : null;
   }
 
   private UserPermission getUserNamespacePermission(Configuration conf, String userName,
       String namespace) throws IOException {
     List<UserPermission> permissions =
         PermissionStorage.getUserNamespacePermissions(conf, namespace, userName, true);
-    if (permissions != null && permissions.size() > 0) {
-      return permissions.get(0);
-    }
-    return null;
+    return permissions.size() > 0 ? permissions.get(0) : null;
   }
 
   private UserPermission getUserTablePermission(Configuration conf, String userName,
       TableName tableName) throws IOException {
-    List<UserPermission> permissions =
-        PermissionStorage.getUserTablePermissions(conf, tableName, null, null, userName, true);
-    if (permissions != null && permissions.size() > 0) {
-      return permissions.get(0);
-    }
-    return null;
+    List<UserPermission> permissions = PermissionStorage
+        .getUserTablePermissions(conf, tableName, null, null, userName, true).stream()
+        .filter(userPermission -> hdfsAclHelper
+            .checkTablePermission((TablePermission) userPermission.getPermission()))
+        .collect(Collectors.toList());
+    return permissions.size() > 0 ? permissions.get(0) : null;
   }
 
   private boolean isHdfsAclSet(Table aclTable, String userName) throws IOException {
@@ -513,12 +527,32 @@ private boolean isHdfsAclSet(Table aclTable, String userName, String namespace,
     return isSet;
   }
 
-  private boolean checkInitialized() {
+  @VisibleForTesting
+  boolean checkInitialized(Supplier<String> operation) {
     if (initialized) {
-      return true;
-    } else {
-      return false;
+      if (aclTableInitialized) {
+        return true;
+      } else {
+        LOG.warn("Skip set HDFS acls because acl table is not initialized when " + operation.get());
+      }
     }
+    return false;
+  }
+
+  private boolean checkTableAndPermission(TablePermission tablePermission) throws IOException {
+    return checkTable(tablePermission.getTableName(), () -> "")
+        && hdfsAclHelper.checkTablePermission(tablePermission);
+  }
+
+  private boolean checkTable(TableName tableName, Supplier<String> operation) throws IOException {
+    return !tableName.isSystemTable() && checkInitialized(operation) && hdfsAclHelper
+        .isTableUserScanSnapshotEnabled(masterServices.getTableDescriptors().get(tableName));
+  }
+
+  private boolean checkTable(TableDescriptor tableDescriptor, Supplier<String> operation) {
+    TableName tableName = tableDescriptor.getTableName();
+    return !tableName.isSystemTable() && checkInitialized(operation)
+        && hdfsAclHelper.isTableUserScanSnapshotEnabled(tableDescriptor);
   }
 
   private User getActiveUser(ObserverContext<?> ctx) throws IOException {