/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.hadoop.hbase.security.access;

import java.io.ByteArrayInputStream;
import java.io.DataInput;
import java.io.DataInputStream;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.AuthUtil;
import org.apache.hadoop.hbase.Cell;
import org.apache.hadoop.hbase.Cell.Type;
import org.apache.hadoop.hbase.CellBuilderFactory;
import org.apache.hadoop.hbase.CellBuilderType;
import org.apache.hadoop.hbase.CellUtil;
import org.apache.hadoop.hbase.CompareOperator;
import org.apache.hadoop.hbase.NamespaceDescriptor;
import org.apache.hadoop.hbase.PrivateCellUtil;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.Tag;
import org.apache.hadoop.hbase.TagType;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Delete;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.Put;
import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.client.ResultScanner;
import org.apache.hadoop.hbase.client.Scan;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.client.TableDescriptor;
import org.apache.hadoop.hbase.exceptions.DeserializationException;
import org.apache.hadoop.hbase.filter.QualifierFilter;
import org.apache.hadoop.hbase.filter.RegexStringComparator;
import org.apache.hadoop.hbase.regionserver.InternalScanner;
import org.apache.hadoop.hbase.regionserver.Region;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.hbase.util.Pair;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.io.Writable;
import org.apache.hadoop.io.WritableFactories;
import org.apache.hadoop.io.WritableUtils;
import org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import org.apache.hbase.thirdparty.com.google.common.collect.ArrayListMultimap;
import org.apache.hbase.thirdparty.com.google.common.collect.ListMultimap;
import org.apache.hbase.thirdparty.com.google.common.collect.Lists;

import org.apache.hadoop.hbase.shaded.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AccessControlProtos;

/**
 * Maintains lists of permission grants to users and groups to allow for authorization checks by
 * {@link AccessController}.
 * <p>
 * Access control lists are stored in an "internal" metadata table named {@code _acl_}. Each table's
 * permission grants are stored as a separate row, keyed by the table name. KeyValues for
 * permissions assignments are stored in one of the formats:
 *
 * <pre>
 * Key                      Desc
 * --------                 --------
 * user                     table level permissions for a user [R=read, W=write]
 * group                    table level permissions for a group
 * user,family              column family level permissions for a user
 * group,family             column family level permissions for a group
 * user,family,qualifier    column qualifier level permissions for a user
 * group,family,qualifier   column qualifier level permissions for a group
 * </pre>
 * <p>
 * All values are encoded as byte arrays containing the codes from the
 * org.apache.hadoop.hbase.security.access.TablePermission.Action enum.
 * </p>
 */
@InterfaceAudience.Private
public final class PermissionStorage {
  /** Internal storage table for access control lists */
  public static final TableName ACL_TABLE_NAME =
    TableName.valueOf(NamespaceDescriptor.SYSTEM_NAMESPACE_NAME_STR, "acl");
  public static final byte[] ACL_GLOBAL_NAME = ACL_TABLE_NAME.getName();
  /** Column family used to store ACL grants */
  public static final String ACL_LIST_FAMILY_STR = "l";
  public static final byte[] ACL_LIST_FAMILY = Bytes.toBytes(ACL_LIST_FAMILY_STR);
  /** KV tag to store per cell access control lists */
  public static final byte ACL_TAG_TYPE = TagType.ACL_TAG_TYPE;

  public static final char NAMESPACE_PREFIX = '@';

  /**
   * Delimiter to separate user, column family, and qualifier in _acl_ table info: column keys
   */
  public static final char ACL_KEY_DELIMITER = ',';

  private static final Logger LOG = LoggerFactory.getLogger(PermissionStorage.class);

  private PermissionStorage() {
  }

  /**
   * Stores a new user permission grant in the access control lists table.
   * @param conf     the configuration
   * @param userPerm the details of the permission to be granted
   * @param t        acl table instance. It is closed upon method return.
   * @throws IOException in the case of an error accessing the metadata table
   */
  public static void addUserPermission(Configuration conf, UserPermission userPerm, Table t,
    boolean mergeExistingPermissions) throws IOException {
    Permission permission = userPerm.getPermission();
    Permission.Action[] actions = permission.getActions();
    byte[] rowKey = userPermissionRowKey(permission);
    Put p = new Put(rowKey);
    byte[] key = userPermissionKey(userPerm);

    if ((actions == null) || (actions.length == 0)) {
      String msg = "No actions associated with user '" + userPerm.getUser() + "'";
      LOG.warn(msg);
      throw new IOException(msg);
    }

    Set<Permission.Action> actionSet = new TreeSet<Permission.Action>();
    if (mergeExistingPermissions) {
      List<UserPermission> perms = getUserPermissions(conf, rowKey, null, null, null, false);
      UserPermission currentPerm = null;
      for (UserPermission perm : perms) {
        if (userPerm.equalsExceptActions(perm)) {
          currentPerm = perm;
          break;
        }
      }

      if (currentPerm != null && currentPerm.getPermission().getActions() != null) {
        actionSet.addAll(Arrays.asList(currentPerm.getPermission().getActions()));
      }
    }

    // merge current action with new action.
    actionSet.addAll(Arrays.asList(actions));

    // serialize to byte array.
    byte[] value = new byte[actionSet.size()];
    int index = 0;
    for (Permission.Action action : actionSet) {
      value[index++] = action.code();
    }
    p.add(CellBuilderFactory.create(CellBuilderType.SHALLOW_COPY).setRow(p.getRow())
      .setFamily(ACL_LIST_FAMILY).setQualifier(key).setTimestamp(p.getTimestamp()).setType(Type.Put)
      .setValue(value).build());
    if (LOG.isDebugEnabled()) {
      LOG.debug("Writing permission with rowKey " + Bytes.toString(rowKey) + " "
        + Bytes.toString(key) + ": " + Bytes.toStringBinary(value));
    }
    try {
      t.put(p);
    } finally {
      t.close();
    }
  }

  static void addUserPermission(Configuration conf, UserPermission userPerm, Table t)
    throws IOException {
    addUserPermission(conf, userPerm, t, false);
  }

  /**
   * Removes a previously granted permission from the stored access control lists. The
   * {@link TablePermission} being removed must exactly match what is stored -- no wildcard matching
   * is attempted. Ie, if user "bob" has been granted "READ" access to the "data" table, but only to
   * column family plus qualifier "info:colA", then trying to call this method with only user "bob"
   * and the table name "data" (but without specifying the column qualifier "info:colA") will have
   * no effect.
   * @param conf     the configuration
   * @param userPerm the details of the permission to be revoked
   * @param t        acl table
   * @throws IOException if there is an error accessing the metadata table
   */
  public static void removeUserPermission(Configuration conf, UserPermission userPerm, Table t)
    throws IOException {
    if (
      null == userPerm.getPermission().getActions()
        || userPerm.getPermission().getActions().length == 0
    ) {
      removePermissionRecord(conf, userPerm, t);
    } else {
      // Get all the global user permissions from the acl table
      List<UserPermission> permsList = getUserPermissions(conf,
        userPermissionRowKey(userPerm.getPermission()), null, null, null, false);
      List<Permission.Action> remainingActions = new ArrayList<>();
      List<Permission.Action> dropActions = Arrays.asList(userPerm.getPermission().getActions());
      for (UserPermission perm : permsList) {
        // Find the user and remove only the requested permissions
        if (perm.getUser().equals(userPerm.getUser())) {
          for (Permission.Action oldAction : perm.getPermission().getActions()) {
            if (!dropActions.contains(oldAction)) {
              remainingActions.add(oldAction);
            }
          }
          if (!remainingActions.isEmpty()) {
            perm.getPermission()
              .setActions(remainingActions.toArray(new Permission.Action[remainingActions.size()]));
            addUserPermission(conf, perm, t);
          } else {
            removePermissionRecord(conf, userPerm, t);
          }
          break;
        }
      }
    }
    if (LOG.isDebugEnabled()) {
      LOG.debug("Removed permission " + userPerm.toString());
    }
  }

  private static void removePermissionRecord(Configuration conf, UserPermission userPerm, Table t)
    throws IOException {
    Delete d = new Delete(userPermissionRowKey(userPerm.getPermission()));
    d.addColumns(ACL_LIST_FAMILY, userPermissionKey(userPerm));
    try {
      t.delete(d);
    } finally {
      t.close();
    }
  }

  /**
   * Remove specified table from the _acl_ table.
   */
  static void removeTablePermissions(Configuration conf, TableName tableName, Table t)
    throws IOException {
    Delete d = new Delete(tableName.getName());
    d.addFamily(ACL_LIST_FAMILY);

    if (LOG.isDebugEnabled()) {
      LOG.debug("Removing permissions of removed table " + tableName);
    }
    try {
      t.delete(d);
    } finally {
      t.close();
    }
  }

  /**
   * Remove specified namespace from the acl table.
   */
  static void removeNamespacePermissions(Configuration conf, String namespace, Table t)
    throws IOException {
    Delete d = new Delete(Bytes.toBytes(toNamespaceEntry(namespace)));
    d.addFamily(ACL_LIST_FAMILY);
    if (LOG.isDebugEnabled()) {
      LOG.debug("Removing permissions of removed namespace " + namespace);
    }

    try {
      t.delete(d);
    } finally {
      t.close();
    }
  }

  static private void removeTablePermissions(TableName tableName, byte[] column, Table table,
    boolean closeTable) throws IOException {
    Scan scan = new Scan();
    scan.addFamily(ACL_LIST_FAMILY);

    String columnName = Bytes.toString(column);
    scan.setFilter(new QualifierFilter(CompareOperator.EQUAL,
      new RegexStringComparator(String.format("(%s%s%s)|(%s%s)$", ACL_KEY_DELIMITER, columnName,
        ACL_KEY_DELIMITER, ACL_KEY_DELIMITER, columnName))));

    Set<byte[]> qualifierSet = new TreeSet<>(Bytes.BYTES_COMPARATOR);
    ResultScanner scanner = null;
    try {
      scanner = table.getScanner(scan);
      for (Result res : scanner) {
        for (byte[] q : res.getFamilyMap(ACL_LIST_FAMILY).navigableKeySet()) {
          qualifierSet.add(q);
        }
      }

      if (qualifierSet.size() > 0) {
        Delete d = new Delete(tableName.getName());
        for (byte[] qualifier : qualifierSet) {
          d.addColumns(ACL_LIST_FAMILY, qualifier);
        }
        table.delete(d);
      }
    } finally {
      if (scanner != null) {
        scanner.close();
      }
      if (closeTable) {
        table.close();
      }
    }
  }

  /**
   * Remove specified table column from the acl table.
   */
  static void removeTablePermissions(Configuration conf, TableName tableName, byte[] column,
    Table t) throws IOException {
    if (LOG.isDebugEnabled()) {
      LOG.debug("Removing permissions of removed column " + Bytes.toString(column) + " from table "
        + tableName);
    }
    removeTablePermissions(tableName, column, t, true);
  }

  static byte[] userPermissionRowKey(Permission permission) {
    byte[] row;
    if (permission instanceof TablePermission) {
      TablePermission tablePerm = (TablePermission) permission;
      row = tablePerm.getTableName().getName();
    } else if (permission instanceof NamespacePermission) {
      NamespacePermission nsPerm = (NamespacePermission) permission;
      row = Bytes.toBytes(toNamespaceEntry(nsPerm.getNamespace()));
    } else {
      // permission instanceof TablePermission
      row = ACL_GLOBAL_NAME;
    }
    return row;
  }

  /**
   * Build qualifier key from user permission: username username,family username,family,qualifier
   */
  static byte[] userPermissionKey(UserPermission permission) {
    byte[] key = Bytes.toBytes(permission.getUser());
    byte[] qualifier = null;
    byte[] family = null;
    if (permission.getPermission().getAccessScope() == Permission.Scope.TABLE) {
      TablePermission tablePermission = (TablePermission) permission.getPermission();
      family = tablePermission.getFamily();
      qualifier = tablePermission.getQualifier();
    }

    if (family != null && family.length > 0) {
      key = Bytes.add(key, Bytes.add(new byte[] { ACL_KEY_DELIMITER }, family));
      if (qualifier != null && qualifier.length > 0) {
        key = Bytes.add(key, Bytes.add(new byte[] { ACL_KEY_DELIMITER }, qualifier));
      }
    }

    return key;
  }

  /**
   * Returns {@code true} if the given region is part of the {@code _acl_} metadata table.
   */
  static boolean isAclRegion(Region region) {
    return ACL_TABLE_NAME.equals(region.getTableDescriptor().getTableName());
  }

  /**
   * Returns {@code true} if the given table is {@code _acl_} metadata table.
   */
  static boolean isAclTable(TableDescriptor desc) {
    return ACL_TABLE_NAME.equals(desc.getTableName());
  }

  /**
   * Loads all of the permission grants stored in a region of the {@code _acl_} table.
   * @param aclRegion the acl region
   * @return a map of the permissions for this table.
   * @throws IOException if an error occurs
   */
  static Map<byte[], ListMultimap<String, UserPermission>> loadAll(Region aclRegion)
    throws IOException {
    if (!isAclRegion(aclRegion)) {
      throw new IOException("Can only load permissions from " + ACL_TABLE_NAME);
    }

    Map<byte[], ListMultimap<String, UserPermission>> allPerms =
      new TreeMap<>(Bytes.BYTES_RAWCOMPARATOR);

    // do a full scan of _acl_ table

    Scan scan = new Scan();
    scan.addFamily(ACL_LIST_FAMILY);

    InternalScanner iScanner = null;
    try {
      iScanner = aclRegion.getScanner(scan);

      while (true) {
        List<Cell> row = new ArrayList<>();

        boolean hasNext = iScanner.next(row);
        ListMultimap<String, UserPermission> perms = ArrayListMultimap.create();
        byte[] entry = null;
        for (Cell kv : row) {
          if (entry == null) {
            entry = CellUtil.cloneRow(kv);
          }
          Pair<String, Permission> permissionsOfUserOnTable =
            parsePermissionRecord(entry, kv, null, null, false, null);
          if (permissionsOfUserOnTable != null) {
            String username = permissionsOfUserOnTable.getFirst();
            Permission permission = permissionsOfUserOnTable.getSecond();
            perms.put(username, new UserPermission(username, permission));
          }
        }
        if (entry != null) {
          allPerms.put(entry, perms);
        }
        if (!hasNext) {
          break;
        }
      }
    } finally {
      if (iScanner != null) {
        iScanner.close();
      }
    }

    return allPerms;
  }

  /**
   * Load all permissions from the region server holding {@code _acl_}, primarily intended for
   * testing purposes.
   */
  static Map<byte[], ListMultimap<String, UserPermission>> loadAll(Configuration conf)
    throws IOException {
    Map<byte[], ListMultimap<String, UserPermission>> allPerms =
      new TreeMap<>(Bytes.BYTES_RAWCOMPARATOR);

    // do a full scan of _acl_, filtering on only first table region rows

    Scan scan = new Scan();
    scan.addFamily(ACL_LIST_FAMILY);

    ResultScanner scanner = null;
    // TODO: Pass in a Connection rather than create one each time.
    try (Connection connection = ConnectionFactory.createConnection(conf)) {
      try (Table table = connection.getTable(ACL_TABLE_NAME)) {
        scanner = table.getScanner(scan);
        try {
          for (Result row : scanner) {
            ListMultimap<String, UserPermission> resultPerms =
              parsePermissions(row.getRow(), row, null, null, null, false);
            allPerms.put(row.getRow(), resultPerms);
          }
        } finally {
          if (scanner != null) {
            scanner.close();
          }
        }
      }
    }

    return allPerms;
  }

  public static ListMultimap<String, UserPermission> getTablePermissions(Configuration conf,
    TableName tableName) throws IOException {
    return getPermissions(conf, tableName != null ? tableName.getName() : null, null, null, null,
      null, false);
  }

  public static ListMultimap<String, UserPermission> getNamespacePermissions(Configuration conf,
    String namespace) throws IOException {
    return getPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)), null, null, null, null,
      false);
  }

  public static ListMultimap<String, UserPermission> getGlobalPermissions(Configuration conf)
    throws IOException {
    return getPermissions(conf, null, null, null, null, null, false);
  }

  /**
   * Reads user permission assignments stored in the <code>l:</code> column family of the first
   * table row in <code>_acl_</code>.
   * <p>
   * See {@link PermissionStorage class documentation} for the key structure used for storage.
   * </p>
   */
  static ListMultimap<String, UserPermission> getPermissions(Configuration conf, byte[] entryName,
    Table t, byte[] cf, byte[] cq, String user, boolean hasFilterUser) throws IOException {
    if (entryName == null) {
      entryName = ACL_GLOBAL_NAME;
    }
    // for normal user tables, we just read the table row from _acl_
    ListMultimap<String, UserPermission> perms = ArrayListMultimap.create();
    Get get = new Get(entryName);
    get.addFamily(ACL_LIST_FAMILY);
    Result row = null;
    if (t == null) {
      try (Connection connection = ConnectionFactory.createConnection(conf)) {
        try (Table table = connection.getTable(ACL_TABLE_NAME)) {
          row = table.get(get);
        }
      }
    } else {
      row = t.get(get);
    }
    if (!row.isEmpty()) {
      perms = parsePermissions(entryName, row, cf, cq, user, hasFilterUser);
    } else {
      LOG.info("No permissions found in " + ACL_TABLE_NAME + " for acl entry "
        + Bytes.toString(entryName));
    }

    return perms;
  }

  /**
   * Returns the currently granted permissions for a given table as the specified user plus
   * associated permissions.
   */
  public static List<UserPermission> getUserTablePermissions(Configuration conf,
    TableName tableName, byte[] cf, byte[] cq, String userName, boolean hasFilterUser)
    throws IOException {
    return getUserPermissions(conf, tableName == null ? null : tableName.getName(), cf, cq,
      userName, hasFilterUser);
  }

  /**
   * Returns the currently granted permissions for a given namespace as the specified user plus
   * associated permissions.
   */
  public static List<UserPermission> getUserNamespacePermissions(Configuration conf,
    String namespace, String user, boolean hasFilterUser) throws IOException {
    return getUserPermissions(conf, Bytes.toBytes(toNamespaceEntry(namespace)), null, null, user,
      hasFilterUser);
  }

  /**
   * Returns the currently granted permissions for a given table/namespace with associated
   * permissions based on the specified column family, column qualifier and user name.
   * @param conf          the configuration
   * @param entryName     Table name or the namespace
   * @param cf            Column family
   * @param cq            Column qualifier
   * @param user          User name to be filtered from permission as requested
   * @param hasFilterUser true if filter user is provided, otherwise false.
   * @return List of UserPermissions
   * @throws IOException on failure
   */
  public static List<UserPermission> getUserPermissions(Configuration conf, byte[] entryName,
    byte[] cf, byte[] cq, String user, boolean hasFilterUser) throws IOException {
    ListMultimap<String, UserPermission> allPerms =
      getPermissions(conf, entryName, null, cf, cq, user, hasFilterUser);
    List<UserPermission> perms = new ArrayList<>();
    for (Map.Entry<String, UserPermission> entry : allPerms.entries()) {
      perms.add(entry.getValue());
    }
    return perms;
  }

  /**
   * Parse and filter permission based on the specified column family, column qualifier and user
   * name.
   */
  private static ListMultimap<String, UserPermission> parsePermissions(byte[] entryName,
    Result result, byte[] cf, byte[] cq, String user, boolean hasFilterUser) {
    ListMultimap<String, UserPermission> perms = ArrayListMultimap.create();
    if (result != null && result.size() > 0) {
      for (Cell kv : result.rawCells()) {
        Pair<String, Permission> permissionsOfUserOnTable =
          parsePermissionRecord(entryName, kv, cf, cq, hasFilterUser, user);

        if (permissionsOfUserOnTable != null) {
          String username = permissionsOfUserOnTable.getFirst();
          Permission permission = permissionsOfUserOnTable.getSecond();
          perms.put(username, new UserPermission(username, permission));
        }
      }
    }
    return perms;
  }

  private static Pair<String, Permission> parsePermissionRecord(byte[] entryName, Cell kv,
    byte[] cf, byte[] cq, boolean filterPerms, String filterUser) {
    // return X given a set of permissions encoded in the permissionRecord kv.
    byte[] family = CellUtil.cloneFamily(kv);
    if (!Bytes.equals(family, ACL_LIST_FAMILY)) {
      return null;
    }

    byte[] key = CellUtil.cloneQualifier(kv);
    byte[] value = CellUtil.cloneValue(kv);
    if (LOG.isDebugEnabled()) {
      LOG.debug("Read acl: entry[" + Bytes.toStringBinary(entryName) + "], kv ["
        + Bytes.toStringBinary(key) + ": " + Bytes.toStringBinary(value) + "]");
    }

    // check for a column family appended to the key
    // TODO: avoid the string conversion to make this more efficient
    String username = Bytes.toString(key);

    // Retrieve group list for the filterUser if cell key is a group.
    // Group list is not required when filterUser itself a group
    List<String> filterUserGroups = null;
    if (filterPerms) {
      if (
        username.charAt(0) == '@' && !StringUtils.isEmpty(filterUser) && filterUser.charAt(0) != '@'
      ) {
        filterUserGroups = AccessChecker.getUserGroups(filterUser);
      }
    }

    // Handle namespace entry
    if (isNamespaceEntry(entryName)) {
      // Filter the permissions cell record if client query
      if (filterPerms && !validateFilterUser(username, filterUser, filterUserGroups)) {
        return null;
      }

      return new Pair<>(username, Permission
        .newBuilder(Bytes.toString(fromNamespaceEntry(entryName))).withActionCodes(value).build());
    }

    // Handle global entry
    if (isGlobalEntry(entryName)) {
      // Filter the permissions cell record if client query
      if (filterPerms && !validateFilterUser(username, filterUser, filterUserGroups)) {
        return null;
      }

      return new Pair<>(username, Permission.newBuilder().withActionCodes(value).build());
    }

    // Handle table entry
    int idx = username.indexOf(ACL_KEY_DELIMITER);
    byte[] permFamily = null;
    byte[] permQualifier = null;
    if (idx > 0 && idx < username.length() - 1) {
      String remainder = username.substring(idx + 1);
      username = username.substring(0, idx);
      idx = remainder.indexOf(ACL_KEY_DELIMITER);
      if (idx > 0 && idx < remainder.length() - 1) {
        permFamily = Bytes.toBytes(remainder.substring(0, idx));
        permQualifier = Bytes.toBytes(remainder.substring(idx + 1));
      } else {
        permFamily = Bytes.toBytes(remainder);
      }
    }

    // Filter the permissions cell record if client query
    if (filterPerms) {
      // ACL table contain 3 types of cell key entries; hbase:Acl, namespace and table. So to filter
      // the permission cell records additional validations are required at CF, CQ and username.
      // Here we can proceed based on client input whether it contain filterUser.
      // Validate the filterUser when specified
      if (filterUser != null && !validateFilterUser(username, filterUser, filterUserGroups)) {
        return null;
      }
      if (!validateCFAndCQ(permFamily, cf, permQualifier, cq)) {
        return null;
      }
    }

    return new Pair<>(username, Permission.newBuilder(TableName.valueOf(entryName))
      .withFamily(permFamily).withQualifier(permQualifier).withActionCodes(value).build());
  }

  /*
   * Validate the cell key with the client filterUser if specified in the query input. 1. If cell
   * key (username) is not a group then check whether client filterUser is equal to username 2. If
   * cell key (username) is a group then check whether client filterUser belongs to the cell key
   * group (username) 3. In case when both filterUser and username are group names then cell will be
   * filtered if not equal.
   */
  private static boolean validateFilterUser(String username, String filterUser,
    List<String> filterUserGroups) {
    if (filterUserGroups == null) {
      // Validate user name or group names whether equal
      if (filterUser.equals(username)) {
        return true;
      }
    } else {
      // Check whether filter user belongs to the cell key group.
      return filterUserGroups.contains(username.substring(1));
    }
    return false;
  }

  /*
   * Validate the cell with client CF and CQ if specified in the query input. 1. If CF is NULL, then
   * no need of further validation, result should include all CF and CQ. 2. IF CF specified and
   * equal then validation required at CQ level if CF specified in client input, otherwise return
   * all CQ records.
   */
  private static boolean validateCFAndCQ(byte[] permFamily, byte[] cf, byte[] permQualifier,
    byte[] cq) {
    boolean include = true;
    if (cf != null) {
      if (Bytes.equals(cf, permFamily)) {
        if (cq != null && !Bytes.equals(cq, permQualifier)) {
          // if CQ specified and didn't match then ignore this cell
          include = false;
        }
      } else {
        // if CF specified and didn't match then ignore this cell
        include = false;
      }
    }
    return include;
  }

  /**
   * Writes a set of permissions as {@link org.apache.hadoop.io.Writable} instances and returns the
   * resulting byte array. Writes a set of permission [user: table permission]
   */
  public static byte[] writePermissionsAsBytes(ListMultimap<String, UserPermission> perms,
    Configuration conf) {
    return ProtobufUtil
      .prependPBMagic(AccessControlUtil.toUserTablePermissions(perms).toByteArray());
  }

  // This is part of the old HbaseObjectWritableFor96Migration.
  private static final int LIST_CODE = 61;

  private static final int WRITABLE_CODE = 14;

  private static final int WRITABLE_NOT_ENCODED = 0;

  private static List<Permission> readWritableUserPermission(DataInput in, Configuration conf)
    throws IOException, ClassNotFoundException {
    assert WritableUtils.readVInt(in) == LIST_CODE;
    int length = in.readInt();
    List<Permission> list = new ArrayList<>(length);
    for (int i = 0; i < length; i++) {
      assert WritableUtils.readVInt(in) == WRITABLE_CODE;
      assert WritableUtils.readVInt(in) == WRITABLE_NOT_ENCODED;
      String className = Text.readString(in);
      Class<? extends Writable> clazz = conf.getClassByName(className).asSubclass(Writable.class);
      Writable instance = WritableFactories.newInstance(clazz, conf);
      instance.readFields(in);
      list.add((Permission) instance);
    }
    return list;
  }

  public static ListMultimap<String, UserPermission> readUserPermission(byte[] data,
    Configuration conf) throws DeserializationException {
    if (ProtobufUtil.isPBMagicPrefix(data)) {
      int pblen = ProtobufUtil.lengthOfPBMagic();
      try {
        AccessControlProtos.UsersAndPermissions.Builder builder =
          AccessControlProtos.UsersAndPermissions.newBuilder();
        ProtobufUtil.mergeFrom(builder, data, pblen, data.length - pblen);
        return AccessControlUtil.toUserPermission(builder.build());
      } catch (IOException e) {
        throw new DeserializationException(e);
      }
    } else {
      // TODO: We have to re-write non-PB data as PB encoded. Otherwise we will carry old Writables
      // forever (here and a couple of other places).
      ListMultimap<String, UserPermission> userPermission = ArrayListMultimap.create();
      try {
        DataInput in = new DataInputStream(new ByteArrayInputStream(data));
        int length = in.readInt();
        for (int i = 0; i < length; i++) {
          String user = Text.readString(in);
          List<Permission> perms = readWritableUserPermission(in, conf);
          for (Permission p : perms) {
            userPermission.put(user, new UserPermission(user, p));
          }
        }
      } catch (IOException | ClassNotFoundException e) {
        throw new DeserializationException(e);
      }
      return userPermission;
    }
  }

  public static ListMultimap<String, Permission> readPermissions(byte[] data, Configuration conf)
    throws DeserializationException {
    if (ProtobufUtil.isPBMagicPrefix(data)) {
      int pblen = ProtobufUtil.lengthOfPBMagic();
      try {
        AccessControlProtos.UsersAndPermissions.Builder builder =
          AccessControlProtos.UsersAndPermissions.newBuilder();
        ProtobufUtil.mergeFrom(builder, data, pblen, data.length - pblen);
        return AccessControlUtil.toPermission(builder.build());
      } catch (IOException e) {
        throw new DeserializationException(e);
      }
    } else {
      // TODO: We have to re-write non-PB data as PB encoded. Otherwise we will carry old Writables
      // forever (here and a couple of other places).
      ListMultimap<String, Permission> perms = ArrayListMultimap.create();
      try {
        DataInput in = new DataInputStream(new ByteArrayInputStream(data));
        int length = in.readInt();
        for (int i = 0; i < length; i++) {
          String user = Text.readString(in);
          perms.putAll(user, readWritableUserPermission(in, conf));
        }
      } catch (IOException | ClassNotFoundException e) {
        throw new DeserializationException(e);
      }
      return perms;
    }
  }

  public static boolean isGlobalEntry(byte[] entryName) {
    return Bytes.equals(entryName, ACL_GLOBAL_NAME);
  }

  public static boolean isNamespaceEntry(String entryName) {
    return isNamespaceEntry(Bytes.toBytes(entryName));
  }

  public static boolean isNamespaceEntry(byte[] entryName) {
    return entryName != null && entryName.length != 0 && entryName[0] == NAMESPACE_PREFIX;
  }

  public static boolean isTableEntry(byte[] entryName) {
    return !isNamespaceEntry(entryName) && !isGlobalEntry(entryName) && entryName != null;
  }

  public static String toNamespaceEntry(String namespace) {
    return NAMESPACE_PREFIX + namespace;
  }

  public static String fromNamespaceEntry(String namespace) {
    if (namespace.charAt(0) != NAMESPACE_PREFIX) {
      throw new IllegalArgumentException("Argument is not a valid namespace entry");
    }
    return namespace.substring(1);
  }

  public static byte[] toNamespaceEntry(byte[] namespace) {
    byte[] ret = new byte[namespace.length + 1];
    ret[0] = NAMESPACE_PREFIX;
    System.arraycopy(namespace, 0, ret, 1, namespace.length);
    return ret;
  }

  public static byte[] fromNamespaceEntry(byte[] namespace) {
    if (namespace[0] != NAMESPACE_PREFIX) {
      throw new IllegalArgumentException(
        "Argument is not a valid namespace entry: " + Bytes.toString(namespace));
    }
    return Arrays.copyOfRange(namespace, 1, namespace.length);
  }

  public static List<Permission> getCellPermissionsForUser(User user, Cell cell)
    throws IOException {
    // Save an object allocation where we can
    if (cell.getTagsLength() == 0) {
      return null;
    }
    List<Permission> results = Lists.newArrayList();
    Iterator<Tag> tagsIterator = PrivateCellUtil.tagsIterator(cell);
    while (tagsIterator.hasNext()) {
      Tag tag = tagsIterator.next();
      if (tag.getType() == ACL_TAG_TYPE) {
        // Deserialize the table permissions from the KV
        // TODO: This can be improved. Don't build UsersAndPermissions just to unpack it again,
        // use the builder
        AccessControlProtos.UsersAndPermissions.Builder builder =
          AccessControlProtos.UsersAndPermissions.newBuilder();
        if (tag.hasArray()) {
          ProtobufUtil.mergeFrom(builder, tag.getValueArray(), tag.getValueOffset(),
            tag.getValueLength());
        } else {
          ProtobufUtil.mergeFrom(builder, Tag.cloneValue(tag));
        }
        ListMultimap<String, Permission> kvPerms =
          AccessControlUtil.toUsersAndPermissions(builder.build());
        // Are there permissions for this user?
        List<Permission> userPerms = kvPerms.get(user.getShortName());
        if (userPerms != null) {
          results.addAll(userPerms);
        }
        // Are there permissions for any of the groups this user belongs to?
        String[] groupNames = user.getGroupNames();
        if (groupNames != null) {
          for (String group : groupNames) {
            List<Permission> groupPerms = kvPerms.get(AuthUtil.toGroupEntry(group));
            if (results != null) {
              results.addAll(groupPerms);
            }
          }
        }
      }
    }
    return results;
  }
}