package org.apache.hadoop.yarn.server.resourcemanager;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.service.Service;
import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
import org.apache.hadoop.yarn.api.protocolrecords.GetApplicationReportRequest;
import org.apache.hadoop.yarn.api.protocolrecords.GetApplicationsRequest;
import org.apache.hadoop.yarn.api.protocolrecords.GetNewApplicationRequest;
import org.apache.hadoop.yarn.api.protocolrecords.KillApplicationRequest;
import org.apache.hadoop.yarn.api.protocolrecords.SubmitApplicationRequest;
import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.api.records.ApplicationReport;
import org.apache.hadoop.yarn.api.records.ApplicationResourceUsageReport;
import org.apache.hadoop.yarn.api.records.ApplicationSubmissionContext;
import org.apache.hadoop.yarn.api.records.ContainerLaunchContext;
import org.apache.hadoop.yarn.api.records.QueueACL;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.exceptions.YarnException;
import org.apache.hadoop.yarn.factories.RecordFactory;
import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider;
import org.apache.hadoop.yarn.ipc.YarnRPC;
import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStoreFactory;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppState;
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler;
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairSchedulerConfiguration;
import org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager;
import org.apache.hadoop.yarn.server.utils.BuilderUtils;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.mockito.Matchers;
import org.mockito.Mockito;
import org.mockito.invocation.InvocationOnMock;
import org.mockito.stubbing.Answer;

/* JADX WARN: Classes with same name are omitted:
  input_file:test-classes/org/apache/hadoop/yarn/server/resourcemanager/TestApplicationACLs.class
 */
/* loaded from: input_file:hadoop-yarn-server-resourcemanager-2.7.0-mapr-1803-r1-tests.jar:org/apache/hadoop/yarn/server/resourcemanager/TestApplicationACLs.class */
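/**
 * End-to-end check of application-level ACL enforcement in the ResourceManager's client
 * service, exercised over RPC against a {@link MockRM} started with {@code yarn.acl.enable}.
 *
 * <p>Every scenario submits one application owned by {@link #APP_OWNER} whose VIEW_APP ACL
 * names {@link #FRIENDLY_GROUP} and whose MODIFY_APP ACL names {@link #FRIEND}, then acts on
 * it as a different caller:
 * <ul>
 *   <li>owner, admin-ACL member, friend, and queue administrator: report, list and kill all
 *       succeed;</li>
 *   <li>enemy: the application still appears in listings, but the sensitive report fields must
 *       be redacted and the kill must be rejected.</li>
 * </ul>
 *
 * <p>The scenarios share one RM and are order dependent: the expected application counts
 * (1 through 5) rely on the applications of earlier scenarios still being listed after they
 * were killed.
 */
public class TestApplicationACLs {
    private static final String APP_OWNER = "owner";
    private static final String FRIEND = "friend";
    private static final String ENEMY = "enemy";
    private static final String QUEUE_ADMIN_USER = "queue-admin-user";
    private static final String SUPER_USER = "superUser";
    private static final String FRIENDLY_GROUP = "friendly-group";
    private static final String SUPER_GROUP = "superGroup";
    // Value the enemy's report is expected to carry in place of redacted string fields.
    private static final String UNAVAILABLE = "N/A";
    // Upper bound on start-up polling: 60 polls of 1.5 s each.
    private static final int RM_START_MAX_POLLS = 60;
    private static final long RM_START_POLL_INTERVAL_MS = 1500L;
    static MockRM resourceManager;
    private static ApplicationClientProtocol rmClient;
    private static final Log LOG = LogFactory.getLog(TestApplicationACLs.class);
    static Configuration conf = new YarnConfiguration();
    static final YarnRPC rpc = YarnRPC.create(conf);
    static final InetSocketAddress rmAddress = conf.getSocketAddr(
            YarnConfiguration.RM_ADDRESS,
            YarnConfiguration.DEFAULT_RM_ADDRESS,
            YarnConfiguration.DEFAULT_RM_PORT);
    private static RecordFactory recordFactory = RecordFactoryProvider.getRecordFactory(conf);
    // Answer returned by the mocked queue-ACL check for EVERY caller. Written by the test
    // thread and read from whichever thread serves the RPC, hence volatile.
    private static volatile boolean isQueueUser = false;

    /**
     * Starts a {@link MockRM} with ACLs enabled and {@link #SUPER_GROUP} as the only admin-ACL
     * entry, registers the test users' group memberships, and opens the owner's RPC client.
     *
     * @throws IOException if the RM has not reached {@code STARTED} once polling ends
     * @throws InterruptedException if interrupted while waiting for the RM
     */
    @BeforeClass
    public static void setup() throws InterruptedException, IOException {
        RMStateStoreFactory.getStore(conf);
        conf.setBoolean(YarnConfiguration.YARN_ACL_ENABLE, true);
        AccessControlList adminAcl = new AccessControlList("");
        adminAcl.addGroup(SUPER_GROUP);
        conf.set(YarnConfiguration.YARN_ADMIN_ACL, adminAcl.getAclString());
        resourceManager = new MockRM(conf) {
            /**
             * Replaces the real queue-ACL manager with a mock whose checkAccess ignores its
             * arguments and returns the current value of {@code isQueueUser}.
             */
            @Override
            protected QueueACLsManager createQueueACLsManager(ResourceScheduler resourceScheduler, Configuration configuration) {
                QueueACLsManager mockedManager = Mockito.mock(QueueACLsManager.class);
                Mockito.when(mockedManager.checkAccess(
                        Matchers.any(UserGroupInformation.class),
                        Matchers.any(QueueACL.class),
                        Matchers.anyString())).thenAnswer(new Answer<Boolean>() {
                    @Override
                    public Boolean answer(InvocationOnMock invocationOnMock) {
                        // Evaluated per call so a scenario can flip the flag after start-up.
                        return isQueueUser;
                    }
                });
                return mockedManager;
            }

            @Override
            protected ClientRMService createClientRMService() {
                // NOTE(review): the last constructor argument is passed as null; presumably
                // the delegation-token secret manager - confirm against ClientRMService.
                return new ClientRMService(getRMContext(), this.scheduler, this.rmAppManager, this.applicationACLsManager, this.queueACLsManager, null);
            }
        };
        // The RM is started on a helper thread; this thread polls its state below.
        new Thread() {
            @Override
            public void run() {
                UserGroupInformation.createUserForTesting(ENEMY, new String[0]);
                UserGroupInformation.createUserForTesting(FRIEND, new String[]{FRIENDLY_GROUP});
                UserGroupInformation.createUserForTesting(SUPER_USER, new String[]{SUPER_GROUP});
                resourceManager.start();
            }
        }.start();
        for (int polls = 0;
                resourceManager.getServiceState() == Service.STATE.INITED && polls < RM_START_MAX_POLLS;
                polls++) {
            LOG.info("Waiting for RM to start...");
            Thread.sleep(RM_START_POLL_INTERVAL_MS);
        }
        if (resourceManager.getServiceState() != Service.STATE.STARTED) {
            throw new IOException("ResourceManager failed to start. Final state is " + resourceManager.getServiceState());
        }
        rmClient = getRMClientForUser(APP_OWNER);
    }

    /** Stops the shared RM if {@link #setup()} got far enough to create it. */
    @AfterClass
    public static void tearDown() {
        if (resourceManager != null) {
            resourceManager.stop();
        }
    }

    /**
     * Runs all scenarios in a fixed order; see the class comment for why the order matters.
     */
    @Test
    public void testApplicationACLs() throws Exception {
        verifyOwnerAccess();
        verifySuperUserAccess();
        verifyFriendAccess();
        verifyEnemyAccess();
        verifyAdministerQueueUserAccess();
    }

    /**
     * Submits an application as the owner with the given ACLs and waits until it is ACCEPTED.
     *
     * @param accessControlList ACL stored under {@code VIEW_APP}
     * @param accessControlList2 ACL stored under {@code MODIFY_APP}
     * @return the id of the submitted application
     */
    private ApplicationId submitAppAndGetAppId(AccessControlList accessControlList, AccessControlList accessControlList2) throws Exception {
        ApplicationId appId = rmClient.getNewApplication(
                recordFactory.newRecordInstance(GetNewApplicationRequest.class)).getApplicationId();

        HashMap<ApplicationAccessType, String> appAcls = new HashMap<ApplicationAccessType, String>();
        appAcls.put(ApplicationAccessType.VIEW_APP, accessControlList.getAclString());
        appAcls.put(ApplicationAccessType.MODIFY_APP, accessControlList2.getAclString());

        // The ACLs travel with the AM container spec, not with the submission context itself.
        ContainerLaunchContext amContainer = recordFactory.newRecordInstance(ContainerLaunchContext.class);
        amContainer.setApplicationACLs(appAcls);

        ApplicationSubmissionContext context = recordFactory.newRecordInstance(ApplicationSubmissionContext.class);
        context.setApplicationId(appId);
        context.setResource(BuilderUtils.newResource(FairSchedulerConfiguration.DEFAULT_RM_SCHEDULER_INCREMENT_ALLOCATION_MB, 1));
        context.setAMContainerSpec(amContainer);

        SubmitApplicationRequest submitRequest = recordFactory.newRecordInstance(SubmitApplicationRequest.class);
        submitRequest.setApplicationSubmissionContext(context);
        rmClient.submitApplication(submitRequest);
        resourceManager.waitForState(appId, RMAppState.ACCEPTED);
        return appId;
    }

    /**
     * Opens an RPC proxy to the RM whose calls are made as the given remote user.
     *
     * @param str short name of the user to act as
     */
    private static ApplicationClientProtocol getRMClientForUser(String str) throws IOException, InterruptedException {
        return UserGroupInformation.createRemoteUser(str).doAs(new PrivilegedExceptionAction<ApplicationClientProtocol>() {
            @Override
            public ApplicationClientProtocol run() throws Exception {
                return (ApplicationClientProtocol) rpc.getProxy(ApplicationClientProtocol.class, rmAddress, conf);
            }
        });
    }

    /** Submits the standard fixture: view ACL = friendly group, modify ACL = friend. */
    private ApplicationId submitAppWithFriendlyAcls() throws Exception {
        AccessControlList viewAcl = new AccessControlList("");
        viewAcl.addGroup(FRIENDLY_GROUP);
        AccessControlList modifyAcl = new AccessControlList("");
        modifyAcl.addUser(FRIEND);
        return submitAppAndGetAppId(viewAcl, modifyAcl);
    }

    /** Builds a report request for the given application. */
    private static GetApplicationReportRequest newReportRequest(ApplicationId appId) {
        GetApplicationReportRequest request = recordFactory.newRecordInstance(GetApplicationReportRequest.class);
        request.setApplicationId(appId);
        return request;
    }

    /** Builds a kill request for the given application. */
    private static KillApplicationRequest newKillRequest(ApplicationId appId) {
        KillApplicationRequest request = recordFactory.newRecordInstance(KillApplicationRequest.class);
        request.setApplicationId(appId);
        return request;
    }

    /** Returns the applications the RM lists for the caller behind {@code client}. */
    private static List<ApplicationReport> listApplications(ApplicationClientProtocol client) throws YarnException, IOException {
        return client.getApplications(recordFactory.newRecordInstance(GetApplicationsRequest.class)).getApplicationList();
    }

    /**
     * Shared body of the "allowed" scenarios: submits the fixture application, then fetches
     * its report, lists applications and kills it through {@code client}, and finally waits
     * for the KILLED state so the kill is known to have taken effect.
     *
     * @param client proxy acting as the caller under test
     * @param listMessage assertion message for the listing check
     * @param expectedAppCount number of applications the caller must see
     */
    private void verifyViewAndKillAllowed(ApplicationClientProtocol client, String listMessage, long expectedAppCount) throws Exception {
        ApplicationId appId = submitAppWithFriendlyAcls();
        client.getApplicationReport(newReportRequest(appId));
        Assert.assertEquals(listMessage, expectedAppCount, listApplications(client).size());
        client.forceKillApplication(newKillRequest(appId));
        resourceManager.waitForState(appId, RMAppState.KILLED);
    }

    /** The submitting user can view and kill the application. */
    private void verifyOwnerAccess() throws Exception {
        verifyViewAndKillAllowed(rmClient, "App view by owner should list the apps!!", 1L);
    }

    /** A member of the group named in the admin ACL can view and kill the application. */
    private void verifySuperUserAccess() throws Exception {
        verifyViewAndKillAllowed(getRMClientForUser(SUPER_USER), "App view by super-user should list the apps!!", 2L);
    }

    /** The friend (in the view group and named in the modify ACL) can view and kill. */
    private void verifyFriendAccess() throws Exception {
        verifyViewAndKillAllowed(getRMClientForUser(FRIEND), "App view by a friend should list the apps!!", 3L);
    }

    /**
     * A caller with no ACL entry: the application is still listed, but every report obtained
     * for it must be redacted, and the kill must be rejected with the MODIFY_APP denial.
     */
    private void verifyEnemyAccess() throws Exception {
        ApplicationId appId = submitAppWithFriendlyAcls();
        KillApplicationRequest killRequest = newKillRequest(appId);
        ApplicationClientProtocol enemyClient = getRMClientForUser(ENEMY);

        verifyEnemyAppReport(enemyClient.getApplicationReport(newReportRequest(appId)).getApplicationReport());

        // Redaction must hold for the bulk listing as well as for the single-report call.
        List<ApplicationReport> visibleApps = listApplications(enemyClient);
        Assert.assertEquals("App view by enemy should list the apps!!", 4L, visibleApps.size());
        for (ApplicationReport report : visibleApps) {
            verifyEnemyAppReport(report);
        }

        try {
            enemyClient.forceKillApplication(killRequest);
            Assert.fail("App killing by the enemy should fail!!");
        } catch (YarnException e) {
            LOG.info("Got exception while killing app as the enemy", e);
            String denial = "User enemy cannot perform operation MODIFY_APP on " + appId;
            String actual = e.getMessage();
            Assert.assertTrue("Expected denial \"" + denial + "\" but got: " + actual,
                    actual != null && actual.contains(denial));
        }

        // Clean up as the owner, and wait like the other scenarios do so the kill is confirmed
        // before the next scenario (or tearDown) runs.
        rmClient.forceKillApplication(killRequest);
        resourceManager.waitForState(appId, RMAppState.KILLED);
    }

    /**
     * Asserts that a report handed to an unauthorized caller exposes none of the fields that
     * describe where the application runs or what it consumes.
     */
    private void verifyEnemyAppReport(ApplicationReport applicationReport) {
        Assert.assertEquals("Enemy should not see app host!", UNAVAILABLE, applicationReport.getHost());
        Assert.assertEquals("Enemy should not see app rpc port!", -1L, applicationReport.getRpcPort());
        Assert.assertNull("Enemy should not see app client token!", applicationReport.getClientToAMToken());
        Assert.assertEquals("Enemy should not see app diagnostics!", UNAVAILABLE, applicationReport.getDiagnostics());
        Assert.assertEquals("Enemy should not see app tracking url!", UNAVAILABLE, applicationReport.getTrackingUrl());
        Assert.assertEquals("Enemy should not see app original tracking url!", UNAVAILABLE, applicationReport.getOriginalTrackingUrl());
        ApplicationResourceUsageReport usage = applicationReport.getApplicationResourceUsageReport();
        Assert.assertEquals("Enemy should not see app used containers", -1L, usage.getNumUsedContainers());
        Assert.assertEquals("Enemy should not see app reserved containers", -1L, usage.getNumReservedContainers());
        Assert.assertEquals("Enemy should not see app used resources", -1L, usage.getUsedResources().getMemory());
        Assert.assertEquals("Enemy should not see app reserved resources", -1L, usage.getReservedResources().getMemory());
        Assert.assertEquals("Enemy should not see app needed resources", -1L, usage.getNeededResources().getMemory());
    }

    /**
     * A caller that appears in no application ACL can view and kill once the (mocked)
     * queue-ACL check answers true.
     *
     * <p>While the flag is set the mock grants queue access to every caller, not only to
     * {@link #QUEUE_ADMIN_USER}; it is therefore cleared again in {@code finally} so the
     * permissive answer cannot leak into anything that runs later against the same RM.
     */
    private void verifyAdministerQueueUserAccess() throws Exception {
        isQueueUser = true;
        try {
            verifyViewAndKillAllowed(getRMClientForUser(QUEUE_ADMIN_USER), "App view by queue-admin-user should list the apps!!", 5L);
        } finally {
            isQueueUser = false;
        }
    }
}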
