package org.apache.hadoop.hive.llap.security;

import com.google.protobuf.ByteString;
import com.google.protobuf.RpcController;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.PrivilegedExceptionAction;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.net.SocketFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.llap.daemon.rpc.LlapDaemonProtocolProtos;
import org.apache.hadoop.hive.llap.impl.LlapManagementProtocolClientImpl;
import org.apache.hadoop.hive.llap.registry.ServiceInstance;
import org.apache.hadoop.hive.llap.registry.ServiceInstanceSet;
import org.apache.hadoop.hive.llap.registry.impl.LlapRegistryService;
import org.apache.hadoop.io.DataInputByteBuffer;
import org.apache.hadoop.io.retry.RetryPolicies;
import org.apache.hadoop.io.retry.RetryPolicy;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hive/llap/security/LlapSecurityHelper.class */
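/**
 * Obtains LLAP delegation tokens by asking an LLAP daemon found through the
 * registry, and offers a helper for keytab-based Kerberos login.
 *
 * <p>Thread-safety: {@code llapUgi}, {@code activeInstances} and {@code client}
 * are mutated without any synchronization, so an instance must not be shared
 * between threads unless the caller serializes access.
 *
 * <p>Security notes: the object returned by {@link #getDelegationToken()} is a
 * credential and must not be logged or persisted in clear text by callers.
 * Nothing in this class logs token bytes.
 */
public class LlapSecurityHelper implements LlapTokenProvider {
    private static final Logger LOG = LoggerFactory.getLogger(LlapSecurityHelper.class);

    /** Upper bound on the total time the RPC client keeps retrying one daemon. */
    private static final long RETRY_MAX_TIME_MS = 16000L;
    /** Fixed pause between two retries against the same daemon. */
    private static final long RETRY_SLEEP_MS = 2000L;

    // Identity under which the token RPC is issued; captured lazily on first use.
    private UserGroupInformation llapUgi;
    private final LlapRegistryService registry = new LlapRegistryService(false);
    // Registry view of the running daemons; populated on first lookup.
    private ServiceInstanceSet activeInstances;
    private final Configuration conf;
    // Cached management client; reset to null whenever a token request fails.
    private LlapManagementProtocolClientImpl client;
    private final SocketFactory socketFactory;
    private final RetryPolicy retryPolicy;

    /**
     * Creates a helper bound to the given configuration. The registry is only
     * initialized here; it is started on the first instance lookup.
     *
     * @param configuration configuration used for the registry, the socket
     *                      factory and the management client
     */
    public LlapSecurityHelper(Configuration configuration) {
        this.conf = configuration;
        this.registry.init(configuration);
        this.socketFactory = NetUtils.getDefaultSocketFactory(configuration);
        this.retryPolicy = RetryPolicies.retryUpToMaximumTimeWithFixedSleep(
                RETRY_MAX_TIME_MS, RETRY_SLEEP_MS, TimeUnit.MILLISECONDS);
    }

    /**
     * Logs the process in from a keytab when Hadoop security is enabled.
     *
     * <p>This goes through the static {@code UserGroupInformation} login, so it
     * affects the login user of the whole process, not just this helper.
     *
     * @param principal  Kerberos principal to log in as
     * @param keytabFile path of the keytab holding the principal's key
     * @return the login user, or {@code null} when security is disabled
     * @throws RuntimeException if security is enabled and either argument is
     *                          null or empty
     * @throws IOException      if the keytab login fails
     */
    public static UserGroupInformation loginWithKerberos(String principal, String keytabFile)
            throws IOException {
        if (!UserGroupInformation.isSecurityEnabled()) {
            return null;
        }
        // Reject null as well as empty, so that a missing setting fails with the
        // descriptive message instead of a bare NullPointerException.
        if (principal == null || principal.isEmpty() || keytabFile == null || keytabFile.isEmpty()) {
            throw new RuntimeException("Kerberos principal and/or keytab are empty");
        }
        // Only the principal name and the keytab path are logged, never key material.
        LOG.info("Logging in as " + principal + " via " + keytabFile);
        // NOTE(review): presumably the wildcard address makes SecurityUtil expand a
        // host placeholder in the principal to the local host name - confirm.
        UserGroupInformation.loginUserFromKeytab(
                SecurityUtil.getServerPrincipal(principal, "0.0.0.0"), keytabFile);
        return UserGroupInformation.getLoginUser();
    }

    /**
     * Requests a delegation token from an LLAP daemon.
     *
     * <p>A cached client is reused when present. On an {@link IOException} the
     * client is dropped and the next registry instance is tried; once the known
     * instances are exhausted the registry is refreshed exactly once before
     * giving up.
     *
     * @return the token, or {@code null} when security is disabled
     * @throws IOException      if the current user or the registry cannot be read
     * @throws RuntimeException if no daemon could supply a token, if the registry
     *                          is empty, or if the calling thread was interrupted
     */
    public Token<LlapTokenIdentifier> getDelegationToken() throws IOException {
        if (!UserGroupInformation.isSecurityEnabled()) {
            return null;
        }
        if (this.llapUgi == null) {
            this.llapUgi = UserGroupInformation.getCurrentUser();
        }
        Iterator<ServiceInstance> candidates = null;
        ServiceInstance target = null;
        if (this.client == null) {
            candidates = getLlapServices(false);
            target = candidates.next();
        }
        boolean hasRefreshed = false;
        while (true) {
            try {
                return readToken(getTokenBytes(target));
            } catch (InterruptedException e) {
                // Keep the interrupt visible to callers further up the stack.
                Thread.currentThread().interrupt();
                throw new RuntimeException(e);
            } catch (IOException e) {
                LOG.error("Cannot get a token, trying a different instance", e);
                this.client = null;
                if (candidates == null || !candidates.hasNext()) {
                    if (hasRefreshed) {
                        // Only refresh once; keep the last failure as the cause.
                        throw new RuntimeException("Cannot find any LLAPs to get the token from", e);
                    }
                    candidates = getLlapServices(true);
                    hasRefreshed = true;
                }
                // Always advance. Retrying without moving on would hit the same
                // failing daemon forever while other instances remain untried.
                target = candidates.next();
            }
        }
    }

    /**
     * Deserializes the token bytes returned by the daemon.
     *
     * @param tokenBytes serialized token taken from the RPC response
     * @return the decoded token
     * @throws IOException if the bytes cannot be read as a token
     */
    private static Token<LlapTokenIdentifier> readToken(ByteString tokenBytes) throws IOException {
        Token<LlapTokenIdentifier> token = new Token<>();
        DataInputByteBuffer in = new DataInputByteBuffer();
        in.reset(new ByteBuffer[] {tokenBytes.asReadOnlyByteBuffer()});
        token.readFields(in);
        return token;
    }

    /**
     * Issues the token RPC as {@code llapUgi}, creating the management client
     * for {@code serviceInstance} when none is cached.
     *
     * @param serviceInstance daemon to connect to; only read when no client is
     *                        cached, so it may be {@code null} otherwise
     * @return the serialized token from the daemon's response
     * @throws InterruptedException if the privileged action is interrupted
     * @throws IOException          if the privileged action fails
     */
    private ByteString getTokenBytes(final ServiceInstance serviceInstance)
            throws InterruptedException, IOException {
        return this.llapUgi.doAs(new PrivilegedExceptionAction<ByteString>() {
            @Override
            public ByteString run() throws Exception {
                if (LlapSecurityHelper.this.client == null) {
                    // NOTE(review): host and port come straight from the registry, so the
                    // registry decides which endpoint is asked for a credential. Confirm
                    // that the management RPC authenticates the daemon.
                    LlapSecurityHelper.this.client = new LlapManagementProtocolClientImpl(
                            LlapSecurityHelper.this.conf,
                            serviceInstance.getHost(),
                            serviceInstance.getManagementPort(),
                            LlapSecurityHelper.this.retryPolicy,
                            LlapSecurityHelper.this.socketFactory);
                }
                return LlapSecurityHelper.this.client
                        .getDelegationToken(
                                (RpcController) null,
                                LlapDaemonProtocolProtos.GetTokenRequestProto.newBuilder().build())
                        .getToken();
            }
        });
    }

    /**
     * Returns an iterator over the LLAP daemons known to the registry, starting
     * the registry on first use.
     *
     * @param forceRefresh when {@code true}, refresh the instance set before
     *                     reading it; an empty set is refreshed regardless
     * @return an iterator with at least one instance
     * @throws IOException      if the registry cannot be started or refreshed
     * @throws RuntimeException if no instance is registered after a refresh
     */
    private Iterator<ServiceInstance> getLlapServices(boolean forceRefresh) throws IOException {
        if (this.activeInstances == null) {
            this.registry.start();
            this.activeInstances = this.registry.getInstances();
        }
        Map<String, ServiceInstance> instances = this.activeInstances.getAll();
        if (forceRefresh || instances == null || instances.isEmpty()) {
            this.activeInstances.refresh();
            instances = this.activeInstances.getAll();
            if (instances == null || instances.isEmpty()) {
                throw new RuntimeException("No LLAPs found");
            }
        }
        return instances.values().iterator();
    }
}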
