Java 类org.apache.hadoop.hbase.coprocessor.CoprocessorException 实例源码

@Override
public void grant(UserPermission perm) throws IOException {
  // verify it's only running at .acl.
  if (aclRegion) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Received request to grant access permission " + perm.toString());
    }

    requirePermission("grant", perm.getTable(), perm.getFamily(), perm.getQualifier(), Action.ADMIN);

    AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm);
    if (AUDITLOG.isTraceEnabled()) {
      // audit log should store permission changes in addition to auth results
      AUDITLOG.trace("Granted permission " + perm.toString());
    }
  } else {
    throw new CoprocessorException(AccessController.class, "This method "
        + "can only execute at " + Bytes.toString(AccessControlLists.ACL_TABLE_NAME) + " table.");
  }
}

@Override
public void revoke(UserPermission perm) throws IOException {
  // only allowed to be called on _acl_ region
  if (aclRegion) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Received request to revoke access permission " + perm.toString());
    }

    requirePermission("revoke", perm.getTable(), perm.getFamily(),
                      perm.getQualifier(), Action.ADMIN);

    AccessControlLists.removeUserPermission(regionEnv.getConfiguration(), perm);
    if (AUDITLOG.isTraceEnabled()) {
      // audit log should record all permission changes
      AUDITLOG.trace("Revoked permission " + perm.toString());
    }
  } else {
    throw new CoprocessorException(AccessController.class, "This method "
        + "can only execute at " + Bytes.toString(AccessControlLists.ACL_TABLE_NAME) + " table.");
  }
}

@Override
public void grant(UserPermission perm) throws IOException {
  // verify it's only running at .acl.
  if (aclRegion) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Received request to grant access permission " + perm.toString());
    }

    requirePermission("grant", perm.getTable(), perm.getFamily(), perm.getQualifier(), Action.ADMIN);

    AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm);
    if (AUDITLOG.isTraceEnabled()) {
      // audit log should store permission changes in addition to auth results
      AUDITLOG.trace("Granted permission " + perm.toString());
    }
  } else {
    throw new CoprocessorException(AccessController.class, "This method "
        + "can only execute at " + Bytes.toString(AccessControlLists.ACL_TABLE_NAME) + " table.");
  }
}

@Override
public void revoke(UserPermission perm) throws IOException {
  // only allowed to be called on _acl_ region
  if (aclRegion) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Received request to revoke access permission " + perm.toString());
    }

    requirePermission("revoke", perm.getTable(), perm.getFamily(),
                      perm.getQualifier(), Action.ADMIN);

    AccessControlLists.removeUserPermission(regionEnv.getConfiguration(), perm);
    if (AUDITLOG.isTraceEnabled()) {
      // audit log should record all permission changes
      AUDITLOG.trace("Revoked permission " + perm.toString());
    }
  } else {
    throw new CoprocessorException(AccessController.class, "This method "
        + "can only execute at " + Bytes.toString(AccessControlLists.ACL_TABLE_NAME) + " table.");
  }
}

@Override
public void grant(UserPermission perm) throws IOException {
  // verify it's only running at .acl.
  if (aclRegion) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Received request to grant access permission " + perm.toString());
    }

    requirePermission("grant", perm.getTable(), perm.getFamily(), perm.getQualifier(), Action.ADMIN);

    AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm);
    if (AUDITLOG.isTraceEnabled()) {
      // audit log should store permission changes in addition to auth results
      AUDITLOG.trace("Granted permission " + perm.toString());
    }
  } else {
    throw new CoprocessorException(AccessController.class, "This method "
        + "can only execute at " + Bytes.toString(AccessControlLists.ACL_TABLE_NAME) + " table.");
  }
}

@Override
public void revoke(UserPermission perm) throws IOException {
  // only allowed to be called on _acl_ region
  if (aclRegion) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Received request to revoke access permission " + perm.toString());
    }

    requirePermission("revoke", perm.getTable(), perm.getFamily(),
                      perm.getQualifier(), Action.ADMIN);

    AccessControlLists.removeUserPermission(regionEnv.getConfiguration(), perm);
    if (AUDITLOG.isTraceEnabled()) {
      // audit log should record all permission changes
      AUDITLOG.trace("Revoked permission " + perm.toString());
    }
  } else {
    throw new CoprocessorException(AccessController.class, "This method "
        + "can only execute at " + Bytes.toString(AccessControlLists.ACL_TABLE_NAME) + " table.");
  }
}

@Override
public void grant(UserPermission perm) throws IOException {
  // verify it's only running at .acl.
  if (aclRegion) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Received request to grant access permission " + perm.toString());
    }

    requirePermission("grant", perm.getTable(), perm.getFamily(), perm.getQualifier(), Action.ADMIN);

    AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm);
    if (AUDITLOG.isTraceEnabled()) {
      // audit log should store permission changes in addition to auth results
      AUDITLOG.trace("Granted permission " + perm.toString());
    }
  } else {
    throw new CoprocessorException(AccessController.class, "This method "
        + "can only execute at " + Bytes.toString(AccessControlLists.ACL_TABLE_NAME) + " table.");
  }
}

@Override
public void revoke(UserPermission perm) throws IOException {
  // only allowed to be called on _acl_ region
  if (aclRegion) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Received request to revoke access permission " + perm.toString());
    }

    requirePermission("revoke", perm.getTable(), perm.getFamily(),
                      perm.getQualifier(), Action.ADMIN);

    AccessControlLists.removeUserPermission(regionEnv.getConfiguration(), perm);
    if (AUDITLOG.isTraceEnabled()) {
      // audit log should record all permission changes
      AUDITLOG.trace("Revoked permission " + perm.toString());
    }
  } else {
    throw new CoprocessorException(AccessController.class, "This method "
        + "can only execute at " + Bytes.toString(AccessControlLists.ACL_TABLE_NAME) + " table.");
  }
}

@Override
public void grant(UserPermission perm) throws IOException {
  // verify it's only running at .acl.
  if (aclRegion) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Received request to grant access permission " + perm.toString());
    }

    requirePermission("grant", perm.getTable(), perm.getFamily(), perm.getQualifier(), Action.ADMIN);

    AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm);
    if (AUDITLOG.isTraceEnabled()) {
      // audit log should store permission changes in addition to auth results
      AUDITLOG.trace("Granted permission " + perm.toString());
    }
  } else {
    throw new CoprocessorException(AccessController.class, "This method "
        + "can only execute at " + Bytes.toString(AccessControlLists.ACL_TABLE_NAME) + " table.");
  }
}

@Override
public void revoke(UserPermission perm) throws IOException {
  // only allowed to be called on _acl_ region
  if (aclRegion) {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Received request to revoke access permission " + perm.toString());
    }

    requirePermission("revoke", perm.getTable(), perm.getFamily(),
                      perm.getQualifier(), Action.ADMIN);

    AccessControlLists.removeUserPermission(regionEnv.getConfiguration(), perm);
    if (AUDITLOG.isTraceEnabled()) {
      // audit log should record all permission changes
      AUDITLOG.trace("Revoked permission " + perm.toString());
    }
  } else {
    throw new CoprocessorException(AccessController.class, "This method "
        + "can only execute at " + Bytes.toString(AccessControlLists.ACL_TABLE_NAME) + " table.");
  }
}

@Override
public void start(CoprocessorEnvironment env) throws IOException {
  if (env instanceof RegionCoprocessorEnvironment) {
    this.env = (RegionCoprocessorEnvironment) env;
  } else {
    throw new CoprocessorException("Must be loaded on a table region!");
  }
}

@Override
public void start(CoprocessorEnvironment env) throws IOException {
    if (env instanceof RegionCoprocessorEnvironment) {
        this.env = (RegionCoprocessorEnvironment) env;
    } else {
        throw new CoprocessorException("Must be loaded on a table region!");
    }
}

@Override
public void start(CoprocessorEnvironment env) throws IOException {
  if (env instanceof RegionCoprocessorEnvironment) {
    this.env = (RegionCoprocessorEnvironment) env;
  } else {
    throw new CoprocessorException("Must be loaded on a table region!");
  }
}

@Override
public void getUserPermissions(RpcController controller,
                               AccessControlProtos.GetUserPermissionsRequest request,
                               RpcCallback<AccessControlProtos.GetUserPermissionsResponse> done) {
  AccessControlProtos.GetUserPermissionsResponse response = null;
  try {
    // only allowed to be called on _acl_ region
    if (aclRegion) {
      if (!initialized) {
        throw new CoprocessorException("AccessController not yet initialized");
      }
      List<UserPermission> perms = null;
      if(request.getType() == AccessControlProtos.Permission.Type.Table) {
        TableName table = null;
        if (request.hasTableName()) {
          table = ProtobufUtil.toTableName(request.getTableName());
        }
        requirePermission("userPermissions", table, null, null, Action.ADMIN);

        perms = AccessControlLists.getUserTablePermissions(
            regionEnv.getConfiguration(), table);
      } else if (request.getType() == AccessControlProtos.Permission.Type.Namespace) {
        perms = AccessControlLists.getUserNamespacePermissions(
            regionEnv.getConfiguration(), request.getNamespaceName().toStringUtf8());
      } else {
        perms = AccessControlLists.getUserPermissions(
            regionEnv.getConfiguration(), null);
      }
      response = ResponseConverter.buildGetUserPermissionsResponse(perms);
    } else {
      throw new CoprocessorException(AccessController.class, "This method "
          + "can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
    }
  } catch (IOException ioe) {
    // pass exception back up
    ResponseConverter.setControllerException(controller, ioe);
  }
  done.run(response);
}

@Override
public void start(CoprocessorEnvironment env) throws IOException {
  if (env instanceof RegionCoprocessorEnvironment) {
    this.env = (RegionCoprocessorEnvironment) env;
  } else {
    throw new CoprocessorException("Must be loaded on a table region!");
  }
}

@Override
public void start(CoprocessorEnvironment env) throws IOException {
  if (env instanceof RegionCoprocessorEnvironment) {
    this.env = (RegionCoprocessorEnvironment) env;
    Configuration conf = env.getConfiguration();
    String rows = conf.get("com.larsgeorge.copro.stoprows", "5");
    for (String row : rows.split(",")) {
      stopRows.set(Integer.parseInt(row));
    }
  } else {
    throw new CoprocessorException("Must be loaded on a table region!");
  }
}

@Override
public void start(CoprocessorEnvironment env) throws IOException {
    if (env instanceof RegionCoprocessorEnvironment) {
        this.env = (RegionCoprocessorEnvironment) env;
    } else {
        throw new CoprocessorException("Must be loaded on a table region!");
    }
}

@Override
public void start(CoprocessorEnvironment env) throws IOException {
    if (env instanceof RegionCoprocessorEnvironment) {
        this.env = (RegionCoprocessorEnvironment) env;
    } else {
        throw new CoprocessorException("Must be loaded on a table region!");
    }
}

@Override
public List<UserPermission> getUserPermissions(final byte[] tableName) throws IOException {
  // only allowed to be called on _acl_ region
  if (aclRegion) {
    requirePermission("userPermissions", tableName, null, null, Action.ADMIN);

    List<UserPermission> perms = AccessControlLists.getUserPermissions(
      regionEnv.getConfiguration(), tableName);
    return perms;
  } else {
    throw new CoprocessorException(AccessController.class, "This method "
        + "can only execute at " + Bytes.toString(AccessControlLists.ACL_TABLE_NAME) + " table.");
  }
}

@Override
public void start(CoprocessorEnvironment env) throws IOException {
  if (env instanceof RegionCoprocessorEnvironment) {
    this.env = (RegionCoprocessorEnvironment) env;
  } else {
    throw new CoprocessorException("Must be loaded on a table region!");
  }
}

/**
 * Creates the scanner for compacting the pipeline.
 * @return the scanner
 */
private InternalScanner createScanner(HStore store, List<KeyValueScanner> scanners)
    throws IOException {
  InternalScanner scanner = null;
  boolean success = false;
  try {
    RegionCoprocessorHost cpHost = store.getCoprocessorHost();
    ScanInfo scanInfo;
    if (cpHost != null) {
      scanInfo = cpHost.preMemStoreCompactionCompactScannerOpen(store);
    } else {
      scanInfo = store.getScanInfo();
    }
    scanner = new StoreScanner(store, scanInfo, scanners, ScanType.COMPACT_RETAIN_DELETES,
        store.getSmallestReadPoint(), HConstants.OLDEST_TIMESTAMP);
    if (cpHost != null) {
      InternalScanner scannerFromCp = cpHost.preMemStoreCompactionCompact(store, scanner);
      if (scannerFromCp == null) {
        throw new CoprocessorException("Got a null InternalScanner when calling" +
            " preMemStoreCompactionCompact which is not acceptable");
      }
      success = true;
      return scannerFromCp;
    } else {
      success = true;
      return scanner;
    }
  } finally {
    if (!success) {
      Closeables.close(scanner, true);
      scanners.forEach(KeyValueScanner::close);
    }
  }
}

@Override
public void start(CoprocessorEnvironment env) throws IOException {
  if (env instanceof RegionCoprocessorEnvironment) {
    this.env = (RegionCoprocessorEnvironment) env;
  } else {
    throw new CoprocessorException("Must be loaded on a table region!");
  }
}

@Override
public void start(CoprocessorEnvironment env) throws IOException {
  if (env instanceof RegionCoprocessorEnvironment) {
    this.env = (RegionCoprocessorEnvironment) env;
  } else {
    throw new CoprocessorException("Must be loaded on a table region!");
  }
}

@Override
public void start(CoprocessorEnvironment env) throws IOException {
    if (env instanceof RegionCoprocessorEnvironment) {
        this.env = (RegionCoprocessorEnvironment) env;
    } else {
        throw new CoprocessorException("Must be loaded on a table region!");
    }
}

@Override
public void getUserPermissions(RpcController controller,
                               AccessControlProtos.GetUserPermissionsRequest request,
                               RpcCallback<AccessControlProtos.GetUserPermissionsResponse> done) {
  AccessControlProtos.GetUserPermissionsResponse response = null;
  try {
    // only allowed to be called on _acl_ region
    if (aclRegion) {
      if (!initialized) {
        throw new CoprocessorException("AccessController not yet initialized");
      }
      List<UserPermission> perms = null;
      if(request.getType() == AccessControlProtos.Permission.Type.Table) {
        TableName table = null;
        if (request.hasTableName()) {
          table = ProtobufUtil.toTableName(request.getTableName());
        }
        requirePermission("userPermissions", table, null, null, Action.ADMIN);

        perms = AccessControlLists.getUserTablePermissions(
            regionEnv.getConfiguration(), table);
      } else if (request.getType() == AccessControlProtos.Permission.Type.Namespace) {
        perms = AccessControlLists.getUserNamespacePermissions(
            regionEnv.getConfiguration(), request.getNamespaceName().toStringUtf8());
      } else {
        perms = AccessControlLists.getUserPermissions(
            regionEnv.getConfiguration(), null);
      }
      response = ResponseConverter.buildGetUserPermissionsResponse(perms);
    } else {
      throw new CoprocessorException(AccessController.class, "This method "
          + "can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
    }
  } catch (IOException ioe) {
    // pass exception back up
    ResponseConverter.setControllerException(controller, ioe);
  }
  done.run(response);
}

@Override
public void start(CoprocessorEnvironment env) throws IOException {
  if (env instanceof RegionCoprocessorEnvironment) {
    this.env = (RegionCoprocessorEnvironment) env;
  } else {
    throw new CoprocessorException("Must be loaded on a table region!");
  }
}

@Override
public void start(
        final CoprocessorEnvironment env )
        throws IOException {
    if (env instanceof RegionCoprocessorEnvironment) {
        this.env = (RegionCoprocessorEnvironment) env;
    }
    else {
        throw new CoprocessorException(
                "Must be loaded on a table region!");
    }
}

@Override
public List<UserPermission> getUserPermissions(final byte[] tableName) throws IOException {
  // only allowed to be called on _acl_ region
  if (aclRegion) {
    requirePermission("userPermissions", tableName, null, null, Action.ADMIN);

    List<UserPermission> perms = AccessControlLists.getUserPermissions(
      regionEnv.getConfiguration(), tableName);
    return perms;
  } else {
    throw new CoprocessorException(AccessController.class, "This method "
        + "can only execute at " + Bytes.toString(AccessControlLists.ACL_TABLE_NAME) + " table.");
  }
}

@Override
public List<UserPermission> getUserPermissions(final byte[] tableName) throws IOException {
  // only allowed to be called on _acl_ region
  if (aclRegion) {
    requirePermission("userPermissions", tableName, null, null, Action.ADMIN);

    List<UserPermission> perms = AccessControlLists.getUserPermissions(
      regionEnv.getConfiguration(), tableName);
    return perms;
  } else {
    throw new CoprocessorException(AccessController.class, "This method "
        + "can only execute at " + Bytes.toString(AccessControlLists.ACL_TABLE_NAME) + " table.");
  }
}

@Override
public List<UserPermission> getUserPermissions(final byte[] tableName) throws IOException {
  // only allowed to be called on _acl_ region
  if (aclRegion) {
    requirePermission("userPermissions", tableName, null, null, Action.ADMIN);

    List<UserPermission> perms = AccessControlLists.getUserPermissions(
      regionEnv.getConfiguration(), tableName);
    return perms;
  } else {
    throw new CoprocessorException(AccessController.class, "This method "
        + "can only execute at " + Bytes.toString(AccessControlLists.ACL_TABLE_NAME) + " table.");
  }
}

@Override
public void start(CoprocessorEnvironment env) throws IOException {
  if (env instanceof RegionCoprocessorEnvironment) {
    this.env = (RegionCoprocessorEnvironment) env;
  } else {
    throw new CoprocessorException("Must be loaded on a table region!");
  }
}

@Override
public List<UserPermission> getUserPermissions(final byte[] tableName) throws IOException {
  // only allowed to be called on _acl_ region
  if (aclRegion) {
    requirePermission("userPermissions", tableName, null, null, Action.ADMIN);

    List<UserPermission> perms = AccessControlLists.getUserPermissions(
      regionEnv.getConfiguration(), tableName);
    return perms;
  } else {
    throw new CoprocessorException(AccessController.class, "This method "
        + "can only execute at " + Bytes.toString(AccessControlLists.ACL_TABLE_NAME) + " table.");
  }
}

@Override
public void grant(RpcController controller,
                  AccessControlProtos.GrantRequest request,
                  RpcCallback<AccessControlProtos.GrantResponse> done) {
  final UserPermission perm = ProtobufUtil.toUserPermission(request.getUserPermission());
  AccessControlProtos.GrantResponse response = null;
  try {
    // verify it's only running at .acl.
    if (aclRegion) {
      if (!initialized) {
        throw new CoprocessorException("AccessController not yet initialized");
      }
      if (LOG.isDebugEnabled()) {
        LOG.debug("Received request to grant access permission " + perm.toString());
      }

      switch(request.getUserPermission().getPermission().getType()) {
        case Global :
        case Table :
          requirePermission("grant", perm.getTableName(), perm.getFamily(),
            perm.getQualifier(), Action.ADMIN);
          break;
        case Namespace :
          requireNamespacePermission("grant", perm.getNamespace(), Action.ADMIN);
         break;
      }

      User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
          AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm);
          return null;
        }
      });

      if (AUDITLOG.isTraceEnabled()) {
        // audit log should store permission changes in addition to auth results
        AUDITLOG.trace("Granted permission " + perm.toString());
      }
    } else {
      throw new CoprocessorException(AccessController.class, "This method "
          + "can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
    }
    response = AccessControlProtos.GrantResponse.getDefaultInstance();
  } catch (IOException ioe) {
    // pass exception back up
    ResponseConverter.setControllerException(controller, ioe);
  }
  done.run(response);
}

@Override
public void revoke(RpcController controller,
                   AccessControlProtos.RevokeRequest request,
                   RpcCallback<AccessControlProtos.RevokeResponse> done) {
  final UserPermission perm = ProtobufUtil.toUserPermission(request.getUserPermission());
  AccessControlProtos.RevokeResponse response = null;
  try {
    // only allowed to be called on _acl_ region
    if (aclRegion) {
      if (!initialized) {
        throw new CoprocessorException("AccessController not yet initialized");
      }
      if (LOG.isDebugEnabled()) {
        LOG.debug("Received request to revoke access permission " + perm.toString());
      }

      switch(request.getUserPermission().getPermission().getType()) {
        case Global :
        case Table :
          requirePermission("revoke", perm.getTableName(), perm.getFamily(),
            perm.getQualifier(), Action.ADMIN);
          break;
        case Namespace :
          requireNamespacePermission("revoke", perm.getNamespace(), Action.ADMIN);
          break;
      }

      User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
          AccessControlLists.removeUserPermission(regionEnv.getConfiguration(), perm);
          return null;
        }
      });

      if (AUDITLOG.isTraceEnabled()) {
        // audit log should record all permission changes
        AUDITLOG.trace("Revoked permission " + perm.toString());
      }
    } else {
      throw new CoprocessorException(AccessController.class, "This method "
          + "can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
    }
    response = AccessControlProtos.RevokeResponse.getDefaultInstance();
  } catch (IOException ioe) {
    // pass exception back up
    ResponseConverter.setControllerException(controller, ioe);
  }
  done.run(response);
}

@Override
public void start(CoprocessorEnvironment env) throws IOException {
  if (env instanceof RegionCoprocessorEnvironment) return;
  throw new CoprocessorException("Must be loaded on a table region!");
}

@Override
public void grant(RpcController controller,
                  AccessControlProtos.GrantRequest request,
                  RpcCallback<AccessControlProtos.GrantResponse> done) {
  final UserPermission perm = ProtobufUtil.toUserPermission(request.getUserPermission());
  AccessControlProtos.GrantResponse response = null;
  try {
    // verify it's only running at .acl.
    if (aclRegion) {
      if (!initialized) {
        throw new CoprocessorException("AccessController not yet initialized");
      }
      if (LOG.isDebugEnabled()) {
        LOG.debug("Received request to grant access permission " + perm.toString());
      }

      switch(request.getUserPermission().getPermission().getType()) {
        case Global :
        case Table :
          requirePermission("grant", perm.getTableName(), perm.getFamily(),
              perm.getQualifier(), Action.ADMIN);
          break;
        case Namespace :
          requireGlobalPermission("grant", Action.ADMIN, perm.getNamespace());
          break;
      }

      User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
          AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm);
          return null;
        }
      });

      if (AUDITLOG.isTraceEnabled()) {
        // audit log should store permission changes in addition to auth results
        AUDITLOG.trace("Granted permission " + perm.toString());
      }
    } else {
      throw new CoprocessorException(AccessController.class, "This method "
          + "can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
    }
    response = AccessControlProtos.GrantResponse.getDefaultInstance();
  } catch (IOException ioe) {
    // pass exception back up
    ResponseConverter.setControllerException(controller, ioe);
  }
  done.run(response);
}

@Override
public void revoke(RpcController controller,
                   AccessControlProtos.RevokeRequest request,
                   RpcCallback<AccessControlProtos.RevokeResponse> done) {
  final UserPermission perm = ProtobufUtil.toUserPermission(request.getUserPermission());
  AccessControlProtos.RevokeResponse response = null;
  try {
    // only allowed to be called on _acl_ region
    if (aclRegion) {
      if (!initialized) {
        throw new CoprocessorException("AccessController not yet initialized");
      }
      if (LOG.isDebugEnabled()) {
        LOG.debug("Received request to revoke access permission " + perm.toString());
      }

      switch(request.getUserPermission().getPermission().getType()) {
        case Global :
        case Table :
          requirePermission("revoke", perm.getTableName(), perm.getFamily(),
                            perm.getQualifier(), Action.ADMIN);
          break;
        case Namespace :
          requireGlobalPermission("revoke", Action.ADMIN, perm.getNamespace());
          break;
      }

      User.runAsLoginUser(new PrivilegedExceptionAction<Void>() {
        @Override
        public Void run() throws Exception {
          AccessControlLists.removeUserPermission(regionEnv.getConfiguration(), perm);
          return null;
        }
      });

      if (AUDITLOG.isTraceEnabled()) {
        // audit log should record all permission changes
        AUDITLOG.trace("Revoked permission " + perm.toString());
      }
    } else {
      throw new CoprocessorException(AccessController.class, "This method "
          + "can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
    }
    response = AccessControlProtos.RevokeResponse.getDefaultInstance();
  } catch (IOException ioe) {
    // pass exception back up
    ResponseConverter.setControllerException(controller, ioe);
  }
  done.run(response);
}

@Override
public void start(CoprocessorEnvironment env) throws IOException {
  if (env instanceof RegionCoprocessorEnvironment) return;
  throw new CoprocessorException("Must be loaded on a table region!");
}

@Override
public void grant(RpcController controller,
                  AccessControlProtos.GrantRequest request,
                  RpcCallback<AccessControlProtos.GrantResponse> done) {
  UserPermission perm = ProtobufUtil.toUserPermission(request.getUserPermission());
  AccessControlProtos.GrantResponse response = null;
  try {
    // verify it's only running at .acl.
    if (aclRegion) {
      if (!initialized) {
        throw new CoprocessorException("AccessController not yet initialized");
      }
      if (LOG.isDebugEnabled()) {
        LOG.debug("Received request to grant access permission " + perm.toString());
      }

      switch(request.getUserPermission().getPermission().getType()) {
        case Global :
        case Table :
          requirePermission("grant", perm.getTableName(), perm.getFamily(),
              perm.getQualifier(), Action.ADMIN);
          break;
        case Namespace :
          requireGlobalPermission("grant", Action.ADMIN, perm.getNamespace());
      }

      AccessControlLists.addUserPermission(regionEnv.getConfiguration(), perm);
      if (AUDITLOG.isTraceEnabled()) {
        // audit log should store permission changes in addition to auth results
        AUDITLOG.trace("Granted permission " + perm.toString());
      }
    } else {
      throw new CoprocessorException(AccessController.class, "This method "
          + "can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
    }
    response = AccessControlProtos.GrantResponse.getDefaultInstance();
  } catch (IOException ioe) {
    // pass exception back up
    ResponseConverter.setControllerException(controller, ioe);
  }
  done.run(response);
}

@Override
public void revoke(RpcController controller,
                   AccessControlProtos.RevokeRequest request,
                   RpcCallback<AccessControlProtos.RevokeResponse> done) {
  UserPermission perm = ProtobufUtil.toUserPermission(request.getUserPermission());
  AccessControlProtos.RevokeResponse response = null;
  try {
    // only allowed to be called on _acl_ region
    if (aclRegion) {
      if (!initialized) {
        throw new CoprocessorException("AccessController not yet initialized");
      }
      if (LOG.isDebugEnabled()) {
        LOG.debug("Received request to revoke access permission " + perm.toString());
      }

      switch(request.getUserPermission().getPermission().getType()) {
        case Global :
        case Table :
          requirePermission("revoke", perm.getTableName(), perm.getFamily(),
                            perm.getQualifier(), Action.ADMIN);
          break;
        case Namespace :
          requireGlobalPermission("revoke", Action.ADMIN, perm.getNamespace());
      }

      AccessControlLists.removeUserPermission(regionEnv.getConfiguration(), perm);
      if (AUDITLOG.isTraceEnabled()) {
        // audit log should record all permission changes
        AUDITLOG.trace("Revoked permission " + perm.toString());
      }
    } else {
      throw new CoprocessorException(AccessController.class, "This method "
          + "can only execute at " + AccessControlLists.ACL_TABLE_NAME + " table.");
    }
    response = AccessControlProtos.RevokeResponse.getDefaultInstance();
  } catch (IOException ioe) {
    // pass exception back up
    ResponseConverter.setControllerException(controller, ioe);
  }
  done.run(response);
}