I was reading some of the security related code and noticed that many of the security related classes lack @InterfaceAudience markings.
WIth the current api I believe all but Permission should be Private. With the introduction of cell level ACL's Permission must be public because it is now exposed in the Mutation setACL calls.
There is an inconsistency with the Mutation ACL – the acl setters take Permission instances but the getter returns byte's. As a follow on issue we could change the signature of Mutation.setACL so we don't have to expose the Permission class and convert it to be byte, or change the getter to return an exposed Permission instance.