package org.apache.ranger.authorization.hbase;

import com.google.common.base.MoreObjects;
import com.google.common.collect.Lists;
import com.google.common.collect.MapMaker;
import com.google.common.collect.Sets;
import com.google.protobuf.Message;
import com.google.protobuf.RpcCallback;
import com.google.protobuf.RpcController;
import com.google.protobuf.Service;
import java.io.IOException;
import java.net.InetAddress;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.NavigableSet;
import java.util.NoSuchElementException;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.AuthUtil;
import org.apache.hadoop.hbase.Cell;
import org.apache.hadoop.hbase.CompareOperator;
import org.apache.hadoop.hbase.Coprocessor;
import org.apache.hadoop.hbase.CoprocessorEnvironment;
import org.apache.hadoop.hbase.NamespaceDescriptor;
import org.apache.hadoop.hbase.ServerName;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Admin;
import org.apache.hadoop.hbase.client.Append;
import org.apache.hadoop.hbase.client.ColumnFamilyDescriptorBuilder;
import org.apache.hadoop.hbase.client.Delete;
import org.apache.hadoop.hbase.client.Durability;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.Increment;
import org.apache.hadoop.hbase.client.Put;
import org.apache.hadoop.hbase.client.RegionInfo;
import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.client.Scan;
import org.apache.hadoop.hbase.client.SnapshotDescription;
import org.apache.hadoop.hbase.client.TableDescriptor;
import org.apache.hadoop.hbase.client.TableDescriptorBuilder;
import org.apache.hadoop.hbase.coprocessor.BulkLoadObserver;
import org.apache.hadoop.hbase.coprocessor.CoprocessorException;
import org.apache.hadoop.hbase.coprocessor.EndpointObserver;
import org.apache.hadoop.hbase.coprocessor.MasterCoprocessor;
import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.MasterObserver;
import org.apache.hadoop.hbase.coprocessor.ObserverContext;
import org.apache.hadoop.hbase.coprocessor.RegionCoprocessor;
import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.RegionObserver;
import org.apache.hadoop.hbase.coprocessor.RegionServerCoprocessor;
import org.apache.hadoop.hbase.coprocessor.RegionServerCoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.RegionServerObserver;
import org.apache.hadoop.hbase.filter.ByteArrayComparable;
import org.apache.hadoop.hbase.filter.Filter;
import org.apache.hadoop.hbase.filter.FilterList;
import org.apache.hadoop.hbase.ipc.RpcServer;
import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
import org.apache.hadoop.hbase.quotas.GlobalQuotaSettings;
import org.apache.hadoop.hbase.regionserver.BloomType;
import org.apache.hadoop.hbase.regionserver.FlushLifeCycleTracker;
import org.apache.hadoop.hbase.regionserver.InternalScanner;
import org.apache.hadoop.hbase.regionserver.Region;
import org.apache.hadoop.hbase.regionserver.RegionScanner;
import org.apache.hadoop.hbase.regionserver.ScanType;
import org.apache.hadoop.hbase.regionserver.Store;
import org.apache.hadoop.hbase.regionserver.StoreFile;
import org.apache.hadoop.hbase.regionserver.compactions.CompactionLifeCycleTracker;
import org.apache.hadoop.hbase.regionserver.compactions.CompactionRequest;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.UserProvider;
import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.AccessControlUtil;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.security.access.TablePermission;
import org.apache.hadoop.hbase.security.access.UserPermission;
import org.apache.hadoop.hbase.shaded.protobuf.ResponseConverter;
import org.apache.hadoop.hbase.shaded.protobuf.generated.ClientProtos;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.hbase.util.Pair;
import org.apache.hadoop.hbase.wal.WALEdit;
import org.apache.hadoop.security.AccessControlException;
import org.apache.ranger.audit.model.AuthzAuditEvent;
import org.apache.ranger.audit.provider.AuditProviderFactory;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.class */
public class RangerAuthorizationCoprocessor implements AccessControlProtos.AccessControlService.Interface, RegionCoprocessor, MasterCoprocessor, RegionServerCoprocessor, MasterObserver, RegionObserver, RegionServerObserver, EndpointObserver, BulkLoadObserver, Coprocessor {
    // Presumably the marker that distinguishes group principals from user names; its use sites
    // are outside this part of the file — confirm there.
    private static final String GROUP_PREFIX = "@";
    // Fallback source of the current user in getActiveUser() when the observer context carries no
    // caller. Where it is assigned is not visible here.
    private UserProvider userProvider;
    private RegionCoprocessorEnvironment regionEnv;
    private boolean shouldCheckExecPermission;
    // Labels for the role this coprocessor instance runs in; coprocessorType below starts as "unknown".
    private static final String MASTER_COPROCESSOR_TYPE = "master";
    private static final String REGIONAL_COPROCESSOR_TYPE = "regional";
    private static final String REGIONAL_SERVER_COPROCESSOR_TYPE = "regionalServer";
    private static final Logger LOG = LoggerFactory.getLogger(RangerAuthorizationCoprocessor.class.getName());
    // Dedicated logger handed to RangerPerfTracer by authorizeAccess() and requirePermission().
    private static final Logger PERF_HBASEAUTH_REQUEST_LOG = RangerPerfTracer.getPerfLogger("hbaseauth.request");
    // NOTE(review): mutable static that is neither final nor volatile; its writers are not visible
    // here — confirm how and when it is set.
    private static boolean UpdateRangerPoliciesOnGrantRevoke = true;
    // Static, so shared by every coprocessor instance in the JVM, and null until assigned elsewhere.
    // Every AuthorizationSession and RangerDefaultAuditHandler below is built from it, so a call that
    // arrives before initialisation fails on a null dereference rather than being authorized.
    private static volatile RangerHBasePlugin hbasePlugin = null;
    // Scanner -> owner string, compared against the caller's short name in requireScannerOwner().
    // Weak keys: an entry does not keep its scanner reachable.
    private Map<InternalScanner, String> scannerOwners = new MapMaker().weakKeys().makeMap();
    final HbaseFactory _factory = HbaseFactory.getInstance();
    final HbaseUserUtils _userUtils = this._factory.getUserUtils();
    final HbaseAuthUtils _authUtils = this._factory.getAuthUtils();
    private String coprocessorType = "unknown";

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor$4, reason: invalid class name */
    /* loaded from: input_file:org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor$4.class */
    // Decompiler-surfaced switch lookup tables: each int[] maps an enum constant's ordinal() to the
    // case index (1, 2, 3, ...) assigned in the static block below.
    // NOTE(review): the PredicateType table written below has no field declaration and no array
    // allocation in this listing, so the class does not compile as shown — presumably dropped by
    // the decompiler. Only the Permission.Type table is declared and allocated here.
    public static /* synthetic */ class AnonymousClass4 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$hadoop$hbase$protobuf$generated$AccessControlProtos$Permission$Type;

        static {
            // PredicateType ordinals -> case indices 1..5.
            try {
                $SwitchMap$org$apache$ranger$authorization$hbase$RangerAuthorizationCoprocessor$PredicateType[PredicateType.STARTROW.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
                // Deliberately empty: a constant that is missing at run time leaves its slot unset.
            }
            try {
                $SwitchMap$org$apache$ranger$authorization$hbase$RangerAuthorizationCoprocessor$PredicateType[PredicateType.STOPROW.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$apache$ranger$authorization$hbase$RangerAuthorizationCoprocessor$PredicateType[PredicateType.FILTER.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$apache$ranger$authorization$hbase$RangerAuthorizationCoprocessor$PredicateType[PredicateType.COLUMNS.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$apache$ranger$authorization$hbase$RangerAuthorizationCoprocessor$PredicateType[PredicateType.ROW.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            // Permission.Type ordinals -> case indices 1..3 (Global, Table, Namespace). Slots for any
            // other constant keep the int default of 0.
            $SwitchMap$org$apache$hadoop$hbase$protobuf$generated$AccessControlProtos$Permission$Type = new int[AccessControlProtos.Permission.Type.values().length];
            try {
                $SwitchMap$org$apache$hadoop$hbase$protobuf$generated$AccessControlProtos$Permission$Type[AccessControlProtos.Permission.Type.Global.ordinal()] = 1;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$org$apache$hadoop$hbase$protobuf$generated$AccessControlProtos$Permission$Type[AccessControlProtos.Permission.Type.Table.ordinal()] = 2;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$org$apache$hadoop$hbase$protobuf$generated$AccessControlProtos$Permission$Type[AccessControlProtos.Permission.Type.Namespace.ordinal()] = 3;
            } catch (NoSuchFieldError e8) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor$ColumnFamilyAccessResult.class */
    /**
     * Verdict returned by evaluateAccess(): two summary flags, the audit events collected while
     * deciding, the denial message, and the filter built on the fine-grained path.
     * <p>
     * All fields are final, but the lists are stored as passed in (no defensive copy). The lists,
     * the denied event, the reason and the filter may each be null; evaluateAccess() passes null
     * for all five when the access check is skipped.
     */
    public static class ColumnFamilyAccessResult {
        // True when nothing that was asked for was denied.
        final boolean _everythingIsAccessible;
        // True when at least part of what was asked for was allowed.
        final boolean _somethingIsAccessible;
        // Audit events of allowed decisions (column-level, or the single table-level event).
        final List<AuthzAuditEvent> _accessAllowedEvents;
        // Audit events of allowed family-level decisions.
        final List<AuthzAuditEvent> _familyLevelAccessEvents;
        // One denial event for the caller to audit, or null.
        final AuthzAuditEvent _accessDeniedEvent;
        // Message used by callers as the AccessDeniedException text.
        final String _denialReason;
        // Filter returned to callers when access is only partial.
        final RangerAuthorizationFilter _filter;

        ColumnFamilyAccessResult(boolean everythingIsAccessible, boolean somethingIsAccessible, List<AuthzAuditEvent> accessAllowedEvents, List<AuthzAuditEvent> familyLevelAccessEvents, AuthzAuditEvent accessDeniedEvent, String denialReason, RangerAuthorizationFilter filter) {
            this._filter = filter;
            this._denialReason = denialReason;
            this._accessDeniedEvent = accessDeniedEvent;
            this._familyLevelAccessEvents = familyLevelAccessEvents;
            this._accessAllowedEvents = accessAllowedEvents;
            this._somethingIsAccessible = somethingIsAccessible;
            this._everythingIsAccessible = everythingIsAccessible;
        }

        /** Renders every field; used by evaluateAccess() in its debug-level exit messages. */
        @Override
        public String toString() {
            return MoreObjects.toStringHelper(getClass())
                    .add("everythingIsAccessible", this._everythingIsAccessible)
                    .add("somethingIsAccessible", this._somethingIsAccessible)
                    .add("accessAllowedEvents", this._accessAllowedEvents)
                    .add("familyLevelAccessEvents", this._familyLevelAccessEvents)
                    .add("accessDeniedEvent", this._accessDeniedEvent)
                    .add("denialReason", this._denialReason)
                    .add(HbaseConstants.FILTER, this._filter)
                    .toString();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor$PredicateType.class */
    /**
     * Kinds of predicate the coprocessor switches on; the switch itself is outside this part of
     * the file.
     * <p>
     * Declaration order matters: the decompiled switch lookup table is indexed by ordinal(), so
     * reordering or inserting constants changes which case a value selects.
     */
    public enum PredicateType {
        STARTROW, // ordinal 0
        STOPROW,  // ordinal 1
        FILTER,   // ordinal 2
        COLUMNS,  // ordinal 3
        ROW;      // ordinal 4
    }

    /**
     * Reads the name of the table that the environment's region belongs to.
     *
     * @param regionCoprocessorEnvironment region environment to inspect
     * @return the table name bytes, or null when the environment has no region or the region has
     *         no region info; evaluateAccess() treats null as a reason to deny
     */
    protected byte[] getTableName(RegionCoprocessorEnvironment regionCoprocessorEnvironment) {
        Region hostRegion = regionCoprocessorEnvironment.getRegion();
        if (hostRegion == null) {
            return null;
        }
        RegionInfo info = hostRegion.getRegionInfo();
        if (info == null) {
            return null;
        }
        return info.getTable().getName();
    }

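    /**
     * Allows the call only when the requesting user is the user this process runs as, or a
     * super user.
     *
     * @param configuration not used by this method
     * @param observerContext coprocessor context used to resolve the requesting user
     * @throws IOException if the process user cannot be obtained
     * @throws AccessDeniedException if the requesting user cannot be determined, or is neither
     *         the process user nor a super user
     */
    protected void requireSystemOrSuperUser(Configuration configuration, ObserverContext<?> observerContext) throws IOException {
        User systemUser = User.getCurrent();
        if (systemUser == null) {
            throw new IOException("Unable to obtain the current user, authorization checks for internal operations will not work correctly!");
        }
        User activeUser = getActiveUser(observerContext);
        if (activeUser == null) {
            // getActiveUser() returns null when every lookup fails. Deny explicitly instead of
            // failing on a null dereference, so the refusal is reported as an authorization error.
            throw new AccessDeniedException("Unable to determine the requesting user; operation requires the system user or a super user.");
        }
        String activeShortName = activeUser.getShortName();
        boolean isSystemUser = Objects.equals(systemUser.getShortName(), activeShortName);
        if (!isSystemUser && !this._userUtils.isSuperUser(activeUser)) {
            // Name the user that was refused (the requester), and close the quote around it.
            throw new AccessDeniedException("User '" + activeShortName + "' is not system or super user.");
        }
    }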

    /**
     * Tells whether the region belongs to one of the tables listed in isSpecialTable(String).
     *
     * @param regionInfo region whose table name is tested; must not be null
     * @return true when the table name is in that list
     */
    protected boolean isSpecialTable(RegionInfo regionInfo) {
        byte[] rawTableName = regionInfo.getTable().getName();
        return isSpecialTable(rawTableName);
    }

    /**
     * Byte-array variant: converts the name with Bytes.toString and delegates to
     * isSpecialTable(String).
     *
     * @param bArr table name bytes
     * @return true when the decoded name is in the special-table list
     */
    protected boolean isSpecialTable(byte[] bArr) {
        String decodedName = Bytes.toString(bArr);
        return isSpecialTable(decodedName);
    }

    /**
     * Tells whether the name is exactly one of the five listed table names. The comparison is
     * case-sensitive and a null argument yields false.
     *
     * @param str table name to test
     * @return true on an exact match with a listed name
     */
    protected boolean isSpecialTable(String str) {
        String[] specialNames = {HbaseConstants.HBASE_META_TABLE, "-ROOT-", ".META.", "hbase:acl", "hbase:namespace"};
        for (int i = 0; i < specialNames.length; i++) {
            if (specialNames[i].equals(str)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reports whether the environment's region is a meta region.
     *
     * @param regionCoprocessorEnvironment region environment; its region and region info are
     *        dereferenced without null checks
     * @return the region info's isMetaRegion() value
     */
    protected boolean isAccessForMetaTables(RegionCoprocessorEnvironment regionCoprocessorEnvironment) {
        RegionInfo hostedRegionInfo = regionCoprocessorEnvironment.getRegion().getRegionInfo();
        return hostedRegionInfo.isMetaRegion();
    }

    /**
     * Resolves the user on whose behalf the current call runs, trying three sources in order:
     * the observer context's caller (falling back to userProvider when the context has none),
     * the RPC server's request user, and finally the process user.
     * <p>
     * Lookup failures are logged without the exception and the next source is tried.
     *
     * @param observerContext coprocessor context; may be null, in which case the first source is skipped
     * @return the resolved user, or null when every source fails. Callers in this class
     *         dereference the result without a null check.
     */
    private User getActiveUser(ObserverContext<?> observerContext) {
        User resolved = null;

        // Source 1: the caller recorded on the observer context.
        if (observerContext != null) {
            try {
                Optional contextCaller = observerContext.getCaller();
                if (contextCaller.isPresent()) {
                    resolved = (User) contextCaller.get();
                } else {
                    resolved = this.userProvider.getCurrent();
                }
            } catch (Exception ignored) {
                LOG.info("Unable to get request user using context" + observerContext);
            }
        }
        if (resolved != null) {
            return resolved;
        }

        // Source 2: the user attached to the RPC being served.
        try {
            resolved = (User) RpcServer.getRequestUser().get();
        } catch (NoSuchElementException ignored) {
            LOG.info("Unable to get request user via RPCServer");
        }
        if (resolved != null) {
            return resolved;
        }

        // Source 3: the user this process runs as.
        try {
            return User.getCurrent();
        } catch (IOException ignored) {
            LOG.error("Unable to find the current user");
            return null;
        }
    }

    /**
     * Returns the textual address of the RPC peer, which the authorization sessions in this class
     * record through remoteAddress().
     *
     * @return the peer's host address, or null when neither RpcServer.getRemoteAddress() nor
     *         RpcServer.getRemoteIp() yields one
     */
    private String getRemoteAddress() {
        InetAddress peer;
        try {
            peer = (InetAddress) RpcServer.getRemoteAddress().get();
        } catch (NoSuchElementException ignored) {
            LOG.info("Unable to get remote Address");
            peer = null;
        }
        if (peer == null) {
            peer = RpcServer.getRemoteIp();
        }
        if (peer == null) {
            return null;
        }
        return peer.getHostAddress();
    }

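    /**
     * Within an RPC call, rejects use of a scanner by anyone other than the user recorded as its
     * owner in scannerOwners. Outside an RPC call context nothing is checked.
     *
     * @param observerContext coprocessor context used to resolve the requesting user
     * @param internalScanner scanner being used
     * @throws AccessDeniedException if the requesting user cannot be determined, or differs from
     *         the recorded owner
     */
    private void requireScannerOwner(ObserverContext<?> observerContext, InternalScanner internalScanner) throws AccessDeniedException {
        if (!RpcServer.isInRpcCallContext()) {
            return;
        }
        User activeUser = getActiveUser(observerContext);
        if (activeUser == null) {
            // getActiveUser() returns null when every lookup fails. Deny explicitly rather than
            // fail on a null dereference, so the refusal surfaces as an authorization error.
            throw new AccessDeniedException("Unable to determine the requesting user; cannot verify scanner ownership.");
        }
        String requester = activeUser.getShortName();
        String owner = this.scannerOwners.get(internalScanner);
        // NOTE(review): a scanner with no recorded owner passes this check. Confirm that every
        // scanner opened through an RPC is registered in scannerOwners before it can be used.
        if (owner != null && !owner.equals(requester)) {
            throw new AccessDeniedException("User '" + requester + "' is not the scanner owner!");
        }
    }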

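    /**
     * Converts an HBase family map into column-family name -> set of column names.
     * <p>
     * Entries whose family name decodes to null or empty are logged and dropped. A family with no
     * columns maps to an empty set, which evaluateAccess() reads as "check the whole family".
     *
     * @param map family bytes -> collection of columns; may be null
     * @return the converted map; empty (never null) when {@code map} is null
     */
    Map<String, Set<String>> getColumnFamilies(Map<byte[], ? extends Collection<?>> map) {
        if (map == null) {
            return Collections.emptyMap();
        }
        Map<String, Set<String>> familiesToColumns = new HashMap<>();
        for (Map.Entry<byte[], ? extends Collection<?>> entry : map.entrySet()) {
            String family = Bytes.toString(entry.getKey());
            if (family == null || family.isEmpty()) {
                LOG.error("Unexpected Input: got null or empty column family (key) in families map! Ignoring...");
                continue;
            }
            Collection<?> rawColumns = entry.getValue();
            if (CollectionUtils.isEmpty(rawColumns)) {
                familiesToColumns.put(family, Collections.emptySet());
                continue;
            }
            ColumnIterator columnIterator = new ColumnIterator(rawColumns);
            Set<String> columns = new HashSet<>();
            while (columnIterator.hasNext()) {
                try {
                    columns.add(columnIterator.next());
                } catch (Throwable th) {
                    LOG.error("Exception encountered when converting family-map to set of columns. Ignoring and returning empty set of columns for family[" + family + "]", th);
                    LOG.error("Ignoring exception and returning empty set of columns for family[" + family + "]");
                    columns.clear();
                    // Stop here so the set really is empty, as the messages above say. Continuing
                    // would return only the columns after the failure, so the earlier ones would
                    // never be checked at column level; an empty set makes evaluateAccess() check
                    // the whole family instead. It also avoids spinning if next() keeps throwing.
                    break;
                }
            }
            familiesToColumns.put(family, columns);
        }
        return familiesToColumns;
    }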

    /**
     * Evaluates whether the active user may perform {@code action} on the region's table, at
     * table, column-family or column granularity depending on what {@code map} contains.
     * <p>
     * Nothing is written to the audit log here: after each decision the audit event is taken from
     * the audit handler with getAndDiscardMostRecentEvent() and returned inside the result, so the
     * caller decides which events to log.
     *
     * @param observerContext coprocessor context used to resolve the active user
     * @param str operation name; used in log and denial messages and passed to the session
     * @param action requested HBase permission action, translated to an access string by _authUtils
     * @param regionCoprocessorEnvironment region environment the table name is read from
     * @param map column family bytes -> columns; null or empty requests a table-level check
     * @param str2 passed to the session as otherInformation
     * @return the verdict with collected audit events and, on the fine-grained path, a
     *         RangerAuthorizationFilter
     * @throws AccessDeniedException if the table name cannot be determined
     */
    ColumnFamilyAccessResult evaluateAccess(ObserverContext<?> observerContext, String str, Permission.Action action, RegionCoprocessorEnvironment regionCoprocessorEnvironment, Map<byte[], ? extends Collection<?>> map, String str2) throws AccessDeniedException {
        String access = this._authUtils.getAccess(action);
        // NOTE(review): getActiveUser() can return null; activeUser.getName() is dereferenced
        // below when a denial message is built.
        User activeUser = getActiveUser(observerContext);
        String userAsString = this._userUtils.getUserAsString(activeUser);
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("evaluateAccess: entered: user[%s], Operation[%s], access[%s], families[%s]", userAsString, str, access, getColumnFamilies(map).toString()));
        }
        // Without a table name no policy can be evaluated: deny. This denial produces no audit event.
        byte[] tableName = getTableName(regionCoprocessorEnvironment);
        if (tableName == null || tableName.length == 0) {
            LOG.debug("evaluateAccess: Unexpected: Couldn't get table from RegionCoprocessorEnvironment. Access denied, not audited");
            throw new AccessDeniedException("Insufficient permissions for operation '" + str + "',action: " + action);
        }
        String bytes = Bytes.toString(tableName);
        // Bypass: when either canSkipAccessCheck overload says so, everything is allowed without
        // consulting the plugin and without any audit event (all event fields are null).
        if (canSkipAccessCheck(activeUser, str, access, bytes) || canSkipAccessCheck(activeUser, str, access, regionCoprocessorEnvironment)) {
            LOG.debug("evaluateAccess: exiting: isKnownAccessPattern returned true: access allowed, not audited");
            ColumnFamilyAccessResult columnFamilyAccessResult = new ColumnFamilyAccessResult(true, true, null, null, null, null, null);
            if (LOG.isDebugEnabled()) {
                LOG.debug(String.format("evaluateAccess: exiting: user[%s], Operation[%s], access[%s], families[%s], verdict[%s]", userAsString, str, access, getColumnFamilies(map).toString(), columnFamilyAccessResult.toString()));
            }
            return columnFamilyAccessResult;
        }
        // One session is reused for every check below; only family, column and matching scope change.
        HbaseAuditHandler auditHandler = this._factory.getAuditHandler();
        AuthorizationSession table = new AuthorizationSession(hbasePlugin).operation(str).otherInformation(str2).remoteAddress(getRemoteAddress()).auditHandler(auditHandler).user(activeUser).access(access).table(bytes);
        Map<String, Set<String>> columnFamilies = getColumnFamilies(map);
        if (LOG.isDebugEnabled()) {
            LOG.debug("evaluateAccess: families to process: " + columnFamilies.toString());
        }
        // Table-level path. The null test is redundant: getColumnFamilies() does not return null in
        // the code shown, and the toString() call above would already have failed.
        if (columnFamilies == null || columnFamilies.isEmpty()) {
            LOG.debug("evaluateAccess: Null or empty families collection, ok.  Table level access is desired");
            table.buildRequest().authorize();
            boolean isAuthorized = table.isAuthorized();
            String str3 = "";
            if (!isAuthorized) {
                // NOTE(review): the format string opens the user name with a typographic quote and
                // closes it with an ASCII apostrophe; the same mismatch appears in the two denial
                // messages further down.
                str3 = String.format("Insufficient permissions for user ‘%s',action: %s, tableName:%s, no column families found.", activeUser.getName(), str, bytes);
            } else if (LOG.isDebugEnabled()) {
                LOG.debug("evaluateAccess: table level access granted [" + bytes + "]");
            }
            // The single event is filed as allowed or as denied according to the decision.
            AuthzAuditEvent andDiscardMostRecentEvent = auditHandler.getAndDiscardMostRecentEvent();
            ColumnFamilyAccessResult columnFamilyAccessResult2 = new ColumnFamilyAccessResult(isAuthorized, isAuthorized, isAuthorized ? Collections.singletonList(andDiscardMostRecentEvent) : null, null, isAuthorized ? null : andDiscardMostRecentEvent, str3, null);
            if (LOG.isDebugEnabled()) {
                LOG.debug(String.format("evaluateAccess: exiting: user[%s], Operation[%s], access[%s], families[%s], verdict[%s]", userAsString, str, access, columnFamilies.toString(), columnFamilyAccessResult2.toString()));
            }
            return columnFamilyAccessResult2;
        }
        LOG.debug("evaluateAccess: Families collection not null.  Skipping table-level check, will do finer level check");
        // Accumulators for the fine-grained path:
        //   z          - everything requested so far was allowed
        //   z2         - something was allowed
        //   arrayList  - audit events of allowed column-level decisions
        //   arrayList2 - audit events of allowed family-level decisions
        //   authzAuditEvent / str4 - first captured denial event / most recent denial message
        //   hashMap    - family -> columns that were allowed
        //   hashSet    - families allowed both for the family itself and for its descendants
        //   hashSet2   - families with no access at all
        //   hashSet3   - families with partial access
        boolean z = true;
        boolean z2 = false;
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        AuthzAuditEvent authzAuditEvent = null;
        String str4 = null;
        HashMap hashMap = new HashMap();
        HashSet hashSet = new HashSet();
        HashSet hashSet2 = new HashSet();
        HashSet hashSet3 = new HashSet();
        for (Map.Entry<String, Set<String>> entry : columnFamilies.entrySet()) {
            String key = entry.getKey();
            table.columnFamily(key);
            if (LOG.isDebugEnabled()) {
                LOG.debug("evaluateAccess: Processing family: " + key);
            }
            Set<String> value = entry.getValue();
            if (value == null || value.isEmpty()) {
                LOG.debug("evaluateAccess: columns collection null or empty, ok.  Family level access is desired.");
                // First check: the family itself. column(null) clears any column left on the
                // session by an earlier family.
                table.column(null).buildRequest().authorize();
                AuthzAuditEvent andDiscardMostRecentEvent2 = auditHandler.getAndDiscardMostRecentEvent();
                boolean isAuthorized2 = table.isAuthorized();
                if (andDiscardMostRecentEvent2 != null) {
                    if (isAuthorized2) {
                        arrayList2.add(andDiscardMostRecentEvent2);
                    } else if (authzAuditEvent == null) {
                        LOG.debug("evaluateAccess: Setting denied access audit event with last auth failure audit event.");
                        authzAuditEvent = andDiscardMostRecentEvent2;
                    }
                }
                if (LOG.isDebugEnabled()) {
                    LOG.debug("evaluateAccess: family level access for [" + key + "] is evaluated to " + isAuthorized2 + ". Checking if [" + key + "] descendants have access.");
                }
                // Second check: same family with the matching scope widened to SELF_OR_DESCENDANTS.
                // The scope is reset to SELF at the end of this branch.
                table.resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS).buildRequest().authorize();
                AuthzAuditEvent andDiscardMostRecentEvent3 = auditHandler.getAndDiscardMostRecentEvent();
                if (table.isAuthorized()) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("evaluateAccess: [" + key + "] descendants have access");
                    }
                    z2 = true;
                    if (isAuthorized2) {
                        // Both checks passed: the family is fully accessible.
                        hashSet.add(key);
                        if (andDiscardMostRecentEvent3 != null) {
                            LOG.debug("evaluateAccess: adding to family-level-access-granted-event-set");
                            arrayList2.add(andDiscardMostRecentEvent3);
                        }
                    } else {
                        // Descendants pass but the family itself does not: partial access.
                        hashSet3.add(key);
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("evaluateAccess: has partial access (of some type) in family [" + key + "]");
                        }
                        z = false;
                        if (andDiscardMostRecentEvent3 != null && authzAuditEvent == null) {
                            LOG.debug("evaluateAccess: Setting denied access audit event with last auth failure audit event.");
                            authzAuditEvent = andDiscardMostRecentEvent3;
                        }
                    }
                } else {
                    z = false;
                    if (isAuthorized2) {
                        // Family passes but the descendants check does not: also partial access.
                        z2 = true;
                        hashSet3.add(key);
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("evaluateAccess: has partial access (of some type) in family [" + key + "]");
                        }
                        if (andDiscardMostRecentEvent3 != null && authzAuditEvent == null) {
                            LOG.debug("evaluateAccess: Setting denied access audit event with last auth failure audit event.");
                            authzAuditEvent = andDiscardMostRecentEvent3;
                        }
                    } else {
                        // Neither check passed: the family is denied outright.
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("evaluateAccess: has no access of [" + access + "] type in family [" + key + "]");
                        }
                        hashSet2.add(key);
                        str4 = String.format("Insufficient permissions for user ‘%s',action: %s, tableName:%s, family:%s.", activeUser.getName(), str, bytes, key);
                    }
                }
                table.resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF);
            } else {
                LOG.debug("evaluateAccess: columns collection not empty.  Skipping Family level check, will do finer level access check.");
                HashSet hashSet4 = new HashSet();
                for (String str5 : value) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("evaluateAccess: Processing column: " + str5);
                    }
                    table.column(str5).buildRequest().authorize();
                    AuthzAuditEvent andDiscardMostRecentEvent4 = auditHandler.getAndDiscardMostRecentEvent();
                    if (table.isAuthorized()) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("evaluateAccess: has column level access [" + key + ", " + str5 + "]");
                        }
                        z2 = true;
                        hashSet4.add(str5);
                        if (andDiscardMostRecentEvent4 != null) {
                            LOG.debug("evaluateAccess: adding to access-granted-audit-event-set");
                            arrayList.add(andDiscardMostRecentEvent4);
                        }
                    } else {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("evaluateAccess: no column level access [" + key + ", " + str5 + "]");
                        }
                        // NOTE(review): a denied column resets "something is accessible" to false,
                        // discarding any earlier success. A later allowed column or family sets it
                        // back to true, so the final flag depends on the iteration order of the
                        // hash-based collections built by getColumnFamilies(). When false is the
                        // last value written, authorizeAccess() throws instead of returning the
                        // filter. Confirm this is intended.
                        z2 = false;
                        z = false;
                        str4 = String.format("Insufficient permissions for user ‘%s',action: %s, tableName:%s, family:%s, column: %s", activeUser.getName(), str, bytes, key, str5);
                        if (andDiscardMostRecentEvent4 != null && authzAuditEvent == null) {
                            LOG.debug("evaluateAccess: Setting denied access audit event with last auth failure audit event.");
                            authzAuditEvent = andDiscardMostRecentEvent4;
                        }
                    }
                    // Runs on every iteration; once a column is allowed the family's set is (re)registered.
                    if (!hashSet4.isEmpty()) {
                        hashMap.put(key, hashSet4);
                    }
                }
            }
        }
        // The filter receives the session plus the fully-allowed, denied and partial family sets
        // and the per-family allowed columns, in that order.
        ColumnFamilyAccessResult columnFamilyAccessResult3 = new ColumnFamilyAccessResult(z, z2, arrayList, arrayList2, authzAuditEvent, str4, new RangerAuthorizationFilter(table, hashSet, hashSet2, hashSet3, hashMap));
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("evaluateAccess: exiting: user[%s], Operation[%s], access[%s], families[%s], verdict[%s]", userAsString, str, access, columnFamilies.toString(), columnFamilyAccessResult3.toString()));
        }
        return columnFamilyAccessResult3;
    }

    /**
     * Authorizes a read-style operation and turns the verdict from evaluateAccess() into one of
     * three outcomes: no filter (everything allowed), a filter (partial access), or an exception
     * (nothing allowed). The audit events chosen for each outcome are written here.
     *
     * @param observerContext coprocessor context used to resolve the active user
     * @param str operation name
     * @param action requested HBase permission action
     * @param regionCoprocessorEnvironment region environment of the call
     * @param map column family bytes -> columns requested
     * @param str2 additional information forwarded to evaluateAccess()
     * @return null when everything is accessible, otherwise the verdict's filter
     * @throws AccessDeniedException when nothing is accessible, or evaluateAccess() denies
     */
    Filter authorizeAccess(ObserverContext<?> observerContext, String str, Permission.Action action, RegionCoprocessorEnvironment regionCoprocessorEnvironment, Map<byte[], NavigableSet<byte[]>> map, String str2) throws AccessDeniedException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> authorizeAccess");
        }
        try {
            RangerPerfTracer tracer = RangerPerfTracer.getPerfTracer(PERF_HBASEAUTH_REQUEST_LOG, "RangerAuthorizationCoprocessor.authorizeAccess(request=Operation[" + str + "]");
            ColumnFamilyAccessResult verdict = evaluateAccess(observerContext, str, action, regionCoprocessorEnvironment, map, str2);
            RangerDefaultAuditHandler auditSink = new RangerDefaultAuditHandler(hbasePlugin.getConfig());
            Filter outcome;
            if (verdict._everythingIsAccessible) {
                // Full access: log both the column-level and the family-level allowed events.
                auditSink.logAuthzAudits(verdict._accessAllowedEvents);
                auditSink.logAuthzAudits(verdict._familyLevelAccessEvents);
                LOG.debug("authorizeAccess: exiting: No filter returned since all access was allowed");
                outcome = null;
            } else if (verdict._somethingIsAccessible) {
                // Partial access: only the allowed events are logged here.
                // NOTE(review): the verdict's denied event and family-level events are not logged
                // on this path — confirm whether the returned filter audits what it hides.
                auditSink.logAuthzAudits(verdict._accessAllowedEvents);
                LOG.debug("authorizeAccess: exiting: Filter returned since some access was allowed");
                outcome = verdict._filter;
            } else {
                // No access: log the single denial event and refuse.
                auditSink.logAuthzAudit(verdict._accessDeniedEvent);
                LOG.debug("authorizeAccess: exiting: Throwing exception since nothing was accessible");
                throw new AccessDeniedException(verdict._denialReason);
            }
            RangerPerfTracer.log(tracer);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== authorizeAccess");
            }
            return outcome;
        } catch (Throwable failure) {
            // On any failure, including the denial above, the tracer is not reported: null is passed.
            RangerPerfTracer.log((RangerPerfTracer) null);
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== authorizeAccess");
            }
            throw failure;
        }
    }

    /**
     * Combines two filters so that a row must pass both.
     *
     * @param filter first filter; returned unchanged when {@code filter2} is null
     * @param filter2 second filter, or null
     * @return {@code filter} alone, or a MUST_PASS_ALL FilterList holding both
     */
    Filter combineFilters(Filter filter, Filter filter2) {
        if (filter2 == null) {
            return filter;
        }
        // NOTE(review): a null first filter is placed into the list as-is; confirm callers only
        // reach this with a non-null first filter.
        return new FilterList(FilterList.Operator.MUST_PASS_ALL, Lists.newArrayList(filter, filter2));
    }

    /**
     * All-or-nothing authorization: succeeds only when evaluateAccess() reports that everything
     * requested is accessible. Partial access is treated as a denial.
     *
     * @param observerContext coprocessor context used to resolve the active user
     * @param str operation name
     * @param action requested HBase permission action
     * @param regionCoprocessorEnvironment region environment of the call
     * @param map column family bytes -> columns requested
     * @throws AccessDeniedException when anything requested is not accessible
     */
    void requirePermission(ObserverContext<?> observerContext, String str, Permission.Action action, RegionCoprocessorEnvironment regionCoprocessorEnvironment, Map<byte[], ? extends Collection<?>> map) throws AccessDeniedException {
        RangerPerfTracer tracer = null;
        try {
            if (RangerPerfTracer.isPerfTraceEnabled(PERF_HBASEAUTH_REQUEST_LOG)) {
                tracer = RangerPerfTracer.getPerfTracer(PERF_HBASEAUTH_REQUEST_LOG, "RangerAuthorizationCoprocessor.requirePermission(request=Operation[" + str + "]");
            }
            ColumnFamilyAccessResult verdict = evaluateAccess(observerContext, str, action, regionCoprocessorEnvironment, map, null);
            RangerDefaultAuditHandler auditSink = new RangerDefaultAuditHandler(hbasePlugin.getConfig());
            if (verdict._everythingIsAccessible) {
                auditSink.logAuthzAudits(verdict._accessAllowedEvents);
                auditSink.logAuthzAudits(verdict._familyLevelAccessEvents);
                LOG.debug("requirePermission: exiting: all access was allowed");
                RangerPerfTracer.log(tracer);
                return;
            }
            // Denied: only the denial event is logged, even if some parts were allowed.
            auditSink.logAuthzAudit(verdict._accessDeniedEvent);
            LOG.debug("requirePermission: exiting: throwing exception as everything wasn't accessible");
            throw new AccessDeniedException(verdict._denialReason);
        } catch (Throwable failure) {
            // On any failure, including the denial above, the tracer is not reported: null is passed.
            RangerPerfTracer.log((RangerPerfTracer) null);
            throw failure;
        }
    }

    /**
     * Authorizes a single table / column family / column request for the active user.
     *
     * @param observerContext coprocessor context used to resolve the active user
     * @param str operation name
     * @param str2 additional information attached to the request, may be {@code null}
     * @param action HBase permission action, mapped to a Ranger access type via {@code _authUtils}
     * @param str3 table name, may be {@code null}
     * @param str4 column family, may be {@code null}
     * @param str5 column, may be {@code null}
     * @throws AccessDeniedException declared by {@code canSkipAccessCheck} (no user on the request)
     *     and by this method
     */
    void authorizeAccess(ObserverContext<?> observerContext, String str, String str2, Permission.Action action, String str3, String str4, String str5) throws AccessDeniedException {
        final String exitFormat = "authorizeAccess: %s: Operation[%s], Info[%s], access[%s], table[%s], columnFamily[%s], column[%s], allowed[%s], reason[%s]";
        User activeUser = getActiveUser(observerContext);
        String access = this._authUtils.getAccess(action);
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("authorizeAccess: %s: Operation[%s], Info[%s], access[%s], table[%s], columnFamily[%s], column[%s]", "Entering", str, str2, access, str3, str4, str5));
        }
        if (canSkipAccessCheck(activeUser, str, access, str3)) {
            // Skipped requests bypass the policy engine and the audit handler entirely.
            if (LOG.isDebugEnabled()) {
                LOG.debug(String.format(exitFormat, "Exiting", str, str2, access, str3, str4, str5, true, "can skip auth check"));
            }
            return;
        }
        AuthorizationSession session = new AuthorizationSession(hbasePlugin)
                .operation(str)
                .otherInformation(str2)
                .remoteAddress(getRemoteAddress())
                .auditHandler(this._factory.getAuditHandler())
                .user(activeUser)
                .access(access)
                .table(str3)
                .columnFamily(str4)
                .column(str5)
                .buildRequest()
                .authorize();
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format(exitFormat, "Exiting", str, str2, access, str3, str4, str5, Boolean.valueOf(session.isAuthorized()), session.getDenialReason()));
        }
        // NOTE(review): nothing in this method inspects isAuthorized() outside the debug log, so
        // enforcement presumably happens inside publishResults() - confirm it throws on denial.
        session.publishResults();
    }

    /**
     * Decides whether the policy check can be skipped for a table-level request.
     *
     * @param user active user; a {@code null} user is rejected outright
     * @param str operation name, used in the denial message
     * @param str2 access type
     * @param str3 table name
     * @return {@code true} only when {@code isAccessForMetadataRead} accepts the access/table pair
     * @throws AccessDeniedException when {@code user} is {@code null}; per the log message this
     *     denial is not audited
     */
    boolean canSkipAccessCheck(User user, String str, String str2, String str3) throws AccessDeniedException {
        if (user == null) {
            LOG.warn("canSkipAccessCheck: exitingUnexpeceted: User is null: access denied, not audited!");
            // NOTE(review): the message has no space between the action and "on table:".
            throw new AccessDeniedException("No user associated with request (" + str + ") for action: " + str2 + "on table:" + str3);
        }
        if (!isAccessForMetadataRead(str2, str3)) {
            LOG.debug("Can't skip access checks");
            return false;
        }
        LOG.debug("canSkipAccessCheck: true: metadata read access always allowed, not audited");
        return true;
    }

    /**
     * Decides whether the per-family policy check can be skipped for a region-level request.
     *
     * <p>Reads on meta tables are always skipped. Writes on meta tables are skipped only when a
     * separate authorization for the access type mapped from {@code Permission.Action.CREATE},
     * built without a table, succeeds.
     *
     * @param user active user
     * @param str operation name
     * @param str2 access type
     * @param regionCoprocessorEnvironment region environment used to detect meta tables
     * @return {@code true} when the caller may skip the regular check
     * @throws AccessDeniedException declared for callers; not thrown directly by the visible code
     */
    boolean canSkipAccessCheck(User user, String str, String str2, RegionCoprocessorEnvironment regionCoprocessorEnvironment) throws AccessDeniedException {
        if (isAccessForMetaTables(regionCoprocessorEnvironment) && this._authUtils.isReadAccess(str2)) {
            LOG.debug("isKnownAccessPattern: exiting: Read access for metadata tables allowed, not audited!");
            return true;
        }
        boolean metaTableWrite = this._authUtils.isWriteAccess(str2) && isAccessForMetaTables(regionCoprocessorEnvironment);
        if (!metaTableWrite) {
            return false;
        }
        // This probe sets no auditHandler on the session, so it is presumably not audited.
        boolean hasGlobalCreate = new AuthorizationSession(hbasePlugin)
                .operation(str)
                .remoteAddress(getRemoteAddress())
                .user(user)
                .access(this._authUtils.getAccess(Permission.Action.CREATE))
                .buildRequest()
                .authorize()
                .isAuthorized();
        if (hasGlobalCreate) {
            LOG.debug("isKnownAccessPattern: exiting: User has global create access, allowed!");
            return true;
        }
        return false;
    }

    /**
     * Tells whether a request is a read against a special (metadata) table.
     *
     * @param str access type
     * @param str2 table name
     * @return {@code true} when {@code str} is a read access and {@code str2} is a special table
     */
    boolean isAccessForMetadataRead(String str, String str2) {
        boolean metadataRead = this._authUtils.isReadAccess(str) && isSpecialTable(str2);
        if (metadataRead) {
            LOG.debug("isAccessForMetadataRead: Metadata tables read: access allowed!");
        }
        return metadataRead;
    }

    /**
     * Authorizes an operation with no table, column family or column attached.
     *
     * @param observerContext coprocessor context of the request
     * @param str operation name
     * @param str2 extra information recorded with the request (e.g. a namespace), may be {@code null}
     * @param action permission action required
     * @throws AccessDeniedException propagated from {@code authorizeAccess}
     */
    protected void requireGlobalPermission(ObserverContext<?> observerContext, String str, String str2, Permission.Action action) throws AccessDeniedException {
        // All three resource coordinates are null: the request carries no table scope.
        final String table = null;
        final String columnFamily = null;
        final String column = null;
        authorizeAccess(observerContext, str, str2, action, table, columnFamily, column);
    }

    /**
     * Authorizes an operation that is not tied to a table.
     *
     * @param observerContext coprocessor context of the request
     * @param str operation name
     * @param action permission action required
     * @throws AccessDeniedException propagated from the table-level overload
     */
    protected void requirePermission(ObserverContext<?> observerContext, String str, Permission.Action action) throws AccessDeniedException {
        final byte[] noTable = null;
        requirePermission(observerContext, str, noTable, action);
    }

    /**
     * Authorizes an operation on a whole table.
     *
     * @param observerContext coprocessor context of the request
     * @param str operation name
     * @param bArr table name bytes, converted with {@code Bytes.toString}
     * @param action permission action required
     * @throws AccessDeniedException propagated from {@code authorizeAccess}
     */
    protected void requirePermission(ObserverContext<?> observerContext, String str, byte[] bArr, Permission.Action action) throws AccessDeniedException {
        String table = Bytes.toString(bArr);
        authorizeAccess(observerContext, str, null, action, table, null, null);
    }

    /**
     * Authorizes an operation on a table, column family and column.
     *
     * @param observerContext coprocessor context of the request
     * @param str operation name
     * @param bArr table name bytes
     * @param bArr2 column family bytes
     * @param bArr3 column qualifier bytes
     * @param action permission action required
     * @throws AccessDeniedException propagated from {@code authorizeAccess}
     */
    protected void requirePermission(ObserverContext<?> observerContext, String str, byte[] bArr, byte[] bArr2, byte[] bArr3, Permission.Action action) throws AccessDeniedException {
        String table = Bytes.toString(bArr);
        String columnFamily = Bytes.toString(bArr2);
        String column = Bytes.toString(bArr3);
        authorizeAccess(observerContext, str, null, action, table, columnFamily, column);
    }

    /**
     * Authorizes an operation on a set of column families given only their names.
     *
     * <p>Builds a family map whose values are all {@code null} and delegates to the map-based
     * overload. A {@code null} collection yields an empty map.
     *
     * @param observerContext coprocessor context of the request
     * @param str operation name
     * @param action permission action required
     * @param regionCoprocessorEnvironment region environment of the request
     * @param collection column family names, may be {@code null}
     * @throws IOException declared for callers; the delegate declares {@code AccessDeniedException}
     */
    protected void requirePermission(ObserverContext<?> observerContext, String str, Permission.Action action, RegionCoprocessorEnvironment regionCoprocessorEnvironment, Collection<byte[]> collection) throws IOException {
        Map<byte[], Collection<?>> familyMap = new HashMap<>();
        if (collection != null) {
            for (byte[] family : collection) {
                familyMap.put(family, null);
            }
        }
        requirePermission(observerContext, str, action, regionCoprocessorEnvironment, familyMap);
    }

    /**
     * Exposes this coprocessor as the region observer.
     *
     * @return a non-empty {@code Optional} holding this instance
     */
    public Optional<RegionObserver> getRegionObserver() {
        final Optional<RegionObserver> self = Optional.of(this);
        return self;
    }

    /**
     * Exposes this coprocessor as the master observer.
     *
     * @return a non-empty {@code Optional} holding this instance
     */
    public Optional<MasterObserver> getMasterObserver() {
        final Optional<MasterObserver> self = Optional.of(this);
        return self;
    }

    /**
     * Exposes this coprocessor as the endpoint observer.
     *
     * @return a non-empty {@code Optional} holding this instance
     */
    public Optional<EndpointObserver> getEndpointObserver() {
        final Optional<EndpointObserver> self = Optional.of(this);
        return self;
    }

    /**
     * Exposes this coprocessor as the bulk-load observer.
     *
     * @return a non-empty {@code Optional} holding this instance
     */
    public Optional<BulkLoadObserver> getBulkLoadObserver() {
        final Optional<BulkLoadObserver> self = Optional.of(this);
        return self;
    }

    /**
     * Exposes this coprocessor as the region-server observer.
     *
     * @return a non-empty {@code Optional} holding this instance
     */
    public Optional<RegionServerObserver> getRegionServerObserver() {
        final Optional<RegionServerObserver> self = Optional.of(this);
        return self;
    }

    /**
     * Drops the owner record of a scanner once it has been closed.
     *
     * @param observerContext coprocessor context (unused)
     * @param internalScanner scanner whose entry is removed from {@code scannerOwners}
     * @throws IOException declared by the observer contract
     */
    public void postScannerClose(ObserverContext<RegionCoprocessorEnvironment> observerContext, InternalScanner internalScanner) throws IOException {
        // Removing the entry keeps the owner map from retaining closed scanners.
        scannerOwners.remove(internalScanner);
    }

    /**
     * Records the short name of the user who opened a scanner.
     *
     * @param observerContext coprocessor context used to resolve the active user
     * @param scan scan definition (unused)
     * @param regionScanner scanner that was opened; used as the key in {@code scannerOwners}
     * @return {@code regionScanner}, unchanged
     * @throws IOException declared by the observer contract
     */
    public RegionScanner postScannerOpen(ObserverContext<RegionCoprocessorEnvironment> observerContext, Scan scan, RegionScanner regionScanner) throws IOException {
        User activeUser = getActiveUser(observerContext);
        // NOTE(review): without a user or short name no owner is recorded; how
        // requireScannerOwner treats such a scanner is not visible here.
        if (activeUser == null || activeUser.getShortName() == null) {
            return regionScanner;
        }
        this.scannerOwners.put(regionScanner, activeUser.getShortName());
        return regionScanner;
    }

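    /**
     * Creates the HBase ACL table after master start-up when it does not exist yet.
     *
     * <p>Does nothing unless {@code UpdateRangerPoliciesOnGrantRevoke} is set.
     *
     * @param observerContext master coprocessor context; supplies the connection for {@code Admin}
     * @throws IOException if obtaining the {@code Admin}, the existence check, the table creation
     *     or closing the {@code Admin} fails
     */
    public void postStartMaster(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        if (!UpdateRangerPoliciesOnGrantRevoke) {
            return;
        }
        LOG.debug("Calling create ACL table ...");
        // try-with-resources replaces the hand-expanded close logic, which carried unreachable
        // branches (a constant 0 == 0 test and addSuppressed on a null reference).
        try (Admin admin = observerContext.getEnvironment().getConnection().getAdmin()) {
            if (!admin.tableExists(AccessControlLists.ACL_TABLE_NAME)) {
                createACLTable(admin);
            }
        }
    }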

    /**
     * Creates the ACL table with a single column family, {@code AccessControlLists.ACL_LIST_FAMILY}.
     *
     * <p>The family keeps one version, is held in memory with block cache enabled, uses a block
     * size of 8192, has no bloom filter and uses scope 0.
     *
     * @param admin admin handle used to create the table
     * @throws IOException if table creation fails
     */
    private static void createACLTable(Admin admin) throws IOException {
        TableDescriptor aclTable = TableDescriptorBuilder.newBuilder(AccessControlLists.ACL_TABLE_NAME)
                .addColumnFamily(
                        ColumnFamilyDescriptorBuilder.newBuilder(AccessControlLists.ACL_LIST_FAMILY)
                                .setMaxVersions(1)
                                .setInMemory(true)
                                .setBlockCacheEnabled(true)
                                .setBlocksize(8192)
                                .setBloomFilterType(BloomType.NONE)
                                .setScope(0) // presumably the local (non-replicated) scope - confirm
                                .build())
                .build();
        admin.createTable(aclTable);
    }

    /**
     * Publishes this coprocessor as the access-control RPC service.
     *
     * @return a single-element collection holding the reflective {@code AccessControlService}
     *     backed by this instance
     */
    public Iterable<Service> getServices() {
        Service accessControlService = AccessControlProtos.AccessControlService.newReflectiveService(this);
        return Collections.singleton(accessControlService);
    }

    /**
     * Requires WRITE on every column family touched by an append.
     *
     * @param observerContext region coprocessor context
     * @param append append whose family/cell map is authorized
     * @return always {@code null}
     * @throws IOException when access is denied or authorization fails
     */
    public Result preAppend(ObserverContext<RegionCoprocessorEnvironment> observerContext, Append append) throws IOException {
        RegionCoprocessorEnvironment env = observerContext.getEnvironment();
        Map<byte[], ? extends Collection<?>> families = append.getFamilyCellMap();
        requirePermission(observerContext, "append", Permission.Action.WRITE, env, families);
        return null;
    }

    /**
     * Requires ADMIN on the region's table before a region is assigned.
     *
     * @param observerContext master coprocessor context
     * @param regionInfo region being assigned; its table name is the resource
     * @throws IOException when access is denied
     */
    public void preAssign(ObserverContext<MasterCoprocessorEnvironment> observerContext, RegionInfo regionInfo) throws IOException {
        byte[] table = regionInfo.getTable().getName();
        requirePermission(observerContext, "assign", table, null, null, Permission.Action.ADMIN);
    }

    /**
     * Requires ADMIN, with no table scope, before the balancer runs.
     *
     * @param observerContext master coprocessor context
     * @throws IOException when access is denied
     */
    public void preBalance(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        final Permission.Action required = Permission.Action.ADMIN;
        requirePermission(observerContext, "balance", required);
    }

    /**
     * Requires ADMIN, with no table scope, before the balancer switch is changed.
     *
     * @param observerContext master coprocessor context
     * @param z requested switch state; not consulted by the check
     * @throws IOException when access is denied
     */
    public void preBalanceSwitch(ObserverContext<MasterCoprocessorEnvironment> observerContext, boolean z) throws IOException {
        final Permission.Action required = Permission.Action.ADMIN;
        requirePermission(observerContext, "balanceSwitch", required);
    }

    /**
     * Requires WRITE on every column family named in a bulk load.
     *
     * @param observerContext region coprocessor context
     * @param list (family, path) pairs; only the family of each pair is authorized here
     * @throws IOException when access is denied
     */
    public void preBulkLoadHFile(ObserverContext<RegionCoprocessorEnvironment> observerContext, List<Pair<byte[], String>> list) throws IOException {
        Collection<byte[]> families = new LinkedList<>();
        for (Pair<byte[], String> familyAndPath : list) {
            families.add(familyAndPath.getFirst());
        }
        RegionCoprocessorEnvironment env = observerContext.getEnvironment();
        requirePermission(observerContext, "bulkLoadHFile", Permission.Action.WRITE, env, families);
    }

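    /**
     * Requires both READ and WRITE on the checked column family before a check-and-delete.
     *
     * <p>READ is checked first because the operation reveals whether the stored value matches.
     *
     * @param observerContext region coprocessor context
     * @param bArr row key (not part of the check)
     * @param bArr2 column family that is authorized
     * @param bArr3 column qualifier (not part of the check)
     * @param compareOperator comparison operator (not part of the check)
     * @param byteArrayComparable comparator (not part of the check)
     * @param delete delete to apply (not part of the check)
     * @param z result passed in by the framework, returned unchanged
     * @return {@code z}
     * @throws IOException when either permission is denied
     */
    public boolean preCheckAndDelete(ObserverContext<RegionCoprocessorEnvironment> observerContext, byte[] bArr, byte[] bArr2, byte[] bArr3, CompareOperator compareOperator, ByteArrayComparable byteArrayComparable, Delete delete, boolean z) throws IOException {
        RegionCoprocessorEnvironment env = observerContext.getEnvironment();
        // A one-element family list; the earlier "new byte[]{bArr2}" was not a valid expression
        // because bArr2 is itself a byte[].
        Collection<byte[]> families = Collections.singletonList(bArr2);
        requirePermission(observerContext, "checkAndDelete", Permission.Action.READ, env, families);
        requirePermission(observerContext, "checkAndDelete", Permission.Action.WRITE, env, families);
        return z;
    }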

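    /**
     * Requires both READ and WRITE on the checked column family before a check-and-put.
     *
     * <p>READ is checked first because the operation reveals whether the stored value matches.
     *
     * @param observerContext region coprocessor context
     * @param bArr row key (not part of the check)
     * @param bArr2 column family that is authorized
     * @param bArr3 column qualifier (not part of the check)
     * @param compareOperator comparison operator (not part of the check)
     * @param byteArrayComparable comparator (not part of the check)
     * @param put put to apply (not part of the check)
     * @param z result passed in by the framework, returned unchanged
     * @return {@code z}
     * @throws IOException when either permission is denied
     */
    public boolean preCheckAndPut(ObserverContext<RegionCoprocessorEnvironment> observerContext, byte[] bArr, byte[] bArr2, byte[] bArr3, CompareOperator compareOperator, ByteArrayComparable byteArrayComparable, Put put, boolean z) throws IOException {
        RegionCoprocessorEnvironment env = observerContext.getEnvironment();
        // A one-element family list; the earlier "new byte[]{bArr2}" was not a valid expression
        // because bArr2 is itself a byte[].
        Collection<byte[]> families = Collections.singletonList(bArr2);
        requirePermission(observerContext, "checkAndPut", Permission.Action.READ, env, families);
        requirePermission(observerContext, "checkAndPut", Permission.Action.WRITE, env, families);
        return z;
    }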

    /**
     * Requires ADMIN on the target table before a snapshot is cloned.
     *
     * @param observerContext master coprocessor context
     * @param snapshotDescription snapshot being cloned (not part of the check)
     * @param tableDescriptor descriptor of the table the clone creates; its name is the resource
     * @throws IOException when access is denied
     */
    public void preCloneSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext, SnapshotDescription snapshotDescription, TableDescriptor tableDescriptor) throws IOException {
        byte[] table = tableDescriptor.getTableName().getName();
        requirePermission(observerContext, "cloneSnapshot", table, Permission.Action.ADMIN);
    }

    /**
     * Requires ADMIN on the region's table before a region is closed.
     *
     * @param observerContext region coprocessor context
     * @param z abort flag from the framework; not consulted by the check
     * @throws IOException when access is denied
     */
    public void preClose(ObserverContext<RegionCoprocessorEnvironment> observerContext, boolean z) throws IOException {
        RegionCoprocessorEnvironment env = observerContext.getEnvironment();
        byte[] table = getTableName(env);
        requirePermission(observerContext, "close", table, Permission.Action.ADMIN);
    }

    /**
     * Requires CREATE on the region's table before a compaction runs.
     *
     * @param observerContext region coprocessor context
     * @param store store being compacted (not part of the check)
     * @param internalScanner scanner supplied by the framework, returned unchanged
     * @param scanType scan type (not part of the check)
     * @param compactionLifeCycleTracker tracker (not part of the check)
     * @param compactionRequest request (not part of the check)
     * @return {@code internalScanner}
     * @throws IOException when access is denied
     */
    public InternalScanner preCompact(ObserverContext<RegionCoprocessorEnvironment> observerContext, Store store, InternalScanner internalScanner, ScanType scanType, CompactionLifeCycleTracker compactionLifeCycleTracker, CompactionRequest compactionRequest) throws IOException {
        RegionCoprocessorEnvironment env = observerContext.getEnvironment();
        byte[] table = getTableName(env);
        requirePermission(observerContext, "compact", table, null, null, Permission.Action.CREATE);
        return internalScanner;
    }

    /**
     * Requires CREATE on the region's table before store files are selected for compaction.
     *
     * @param observerContext region coprocessor context
     * @param store store being compacted (not part of the check)
     * @param list candidate store files (not part of the check)
     * @param compactionLifeCycleTracker tracker (not part of the check)
     * @throws IOException when access is denied
     */
    public void preCompactSelection(ObserverContext<RegionCoprocessorEnvironment> observerContext, Store store, List<? extends StoreFile> list, CompactionLifeCycleTracker compactionLifeCycleTracker) throws IOException {
        RegionCoprocessorEnvironment env = observerContext.getEnvironment();
        byte[] table = getTableName(env);
        requirePermission(observerContext, "compactSelection", table, null, null, Permission.Action.CREATE);
    }

    /**
     * Requires CREATE on the table name before a table is created.
     *
     * @param observerContext master coprocessor context
     * @param tableDescriptor descriptor of the new table; its name is the resource
     * @param regionInfoArr initial regions (not part of the check)
     * @throws IOException when access is denied
     */
    public void preCreateTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableDescriptor tableDescriptor, RegionInfo[] regionInfoArr) throws IOException {
        byte[] table = tableDescriptor.getTableName().getName();
        requirePermission(observerContext, "createTable", table, Permission.Action.CREATE);
    }

    /**
     * Requires WRITE on every column family touched by a delete.
     *
     * @param observerContext region coprocessor context
     * @param delete delete whose family/cell map is authorized
     * @param wALEdit WAL edit (not part of the check)
     * @param durability durability setting (not part of the check)
     * @throws IOException when access is denied
     */
    public void preDelete(ObserverContext<RegionCoprocessorEnvironment> observerContext, Delete delete, WALEdit wALEdit, Durability durability) throws IOException {
        RegionCoprocessorEnvironment env = observerContext.getEnvironment();
        Map<byte[], ? extends Collection<?>> families = delete.getFamilyCellMap();
        requirePermission(observerContext, "delete", Permission.Action.WRITE, env, families);
    }

    /**
     * Requires ADMIN on the snapshot's table before a snapshot is deleted.
     *
     * @param observerContext master coprocessor context
     * @param snapshotDescription snapshot being deleted; its table name is the resource
     * @throws IOException when access is denied
     */
    public void preDeleteSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext, SnapshotDescription snapshotDescription) throws IOException {
        byte[] table = snapshotDescription.getTableName().getName();
        requirePermission(observerContext, "deleteSnapshot", table, Permission.Action.ADMIN);
    }

    /**
     * Requires CREATE on the table before it is deleted.
     *
     * @param observerContext master coprocessor context
     * @param tableName table being deleted
     * @throws IOException when access is denied
     */
    public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
        byte[] table = tableName.getName();
        requirePermission(observerContext, "deleteTable", table, null, null, Permission.Action.CREATE);
    }

    /**
     * Requires CREATE on the table before it is disabled.
     *
     * @param observerContext master coprocessor context
     * @param tableName table being disabled
     * @throws IOException when access is denied
     */
    public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
        byte[] table = tableName.getName();
        requirePermission(observerContext, "disableTable", table, null, null, Permission.Action.CREATE);
    }

    /**
     * Requires CREATE on the table before it is enabled.
     *
     * @param observerContext master coprocessor context
     * @param tableName table being enabled
     * @throws IOException when access is denied
     */
    public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
        byte[] table = tableName.getName();
        requirePermission(observerContext, "enableTable", table, null, null, Permission.Action.CREATE);
    }

    /**
     * Requires READ on the column families named by an exists check.
     *
     * @param observerContext region coprocessor context
     * @param get get whose family set is authorized
     * @param z result passed in by the framework, returned unchanged
     * @return {@code z}
     * @throws IOException when access is denied
     */
    public boolean preExists(ObserverContext<RegionCoprocessorEnvironment> observerContext, Get get, boolean z) throws IOException {
        RegionCoprocessorEnvironment env = observerContext.getEnvironment();
        Collection<byte[]> families = get.familySet();
        requirePermission(observerContext, "exists", Permission.Action.READ, env, families);
        return z;
    }

    /**
     * Requires CREATE on the region's table before a flush.
     *
     * @param observerContext region coprocessor context
     * @param flushLifeCycleTracker tracker (not part of the check)
     * @throws IOException when access is denied
     */
    public void preFlush(ObserverContext<RegionCoprocessorEnvironment> observerContext, FlushLifeCycleTracker flushLifeCycleTracker) throws IOException {
        RegionCoprocessorEnvironment env = observerContext.getEnvironment();
        byte[] table = getTableName(env);
        requirePermission(observerContext, "flush", table, null, null, Permission.Action.CREATE);
    }

    /**
     * Requires WRITE on the column families touched by an increment.
     *
     * <p>Only the family names (the key set of the family/cell map) are passed to the check.
     *
     * @param observerContext region coprocessor context
     * @param increment increment being applied
     * @return always {@code null}
     * @throws IOException when access is denied
     */
    public Result preIncrement(ObserverContext<RegionCoprocessorEnvironment> observerContext, Increment increment) throws IOException {
        RegionCoprocessorEnvironment env = observerContext.getEnvironment();
        Collection<byte[]> families = increment.getFamilyCellMap().keySet();
        requirePermission(observerContext, "increment", Permission.Action.WRITE, env, families);
        return null;
    }

    /**
     * Requires CREATE on the table before its descriptor is modified.
     *
     * @param observerContext master coprocessor context
     * @param tableName table being modified
     * @param tableDescriptor new descriptor (not part of the check)
     * @throws IOException when access is denied
     */
    public void preModifyTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, TableDescriptor tableDescriptor) throws IOException {
        byte[] table = tableName.getName();
        requirePermission(observerContext, "modifyTable", table, null, null, Permission.Action.CREATE);
    }

    /**
     * Requires ADMIN on the region's table before a region is moved.
     *
     * @param observerContext master coprocessor context
     * @param regionInfo region being moved; its table name is the resource
     * @param serverName source server (not part of the check)
     * @param serverName2 destination server (not part of the check)
     * @throws IOException when access is denied
     */
    public void preMove(ObserverContext<MasterCoprocessorEnvironment> observerContext, RegionInfo regionInfo, ServerName serverName, ServerName serverName2) throws IOException {
        byte[] table = regionInfo.getTable().getName();
        requirePermission(observerContext, "move", table, null, null, Permission.Action.ADMIN);
    }

    /**
     * Requires ADMIN, with no table scope, before a procedure is aborted.
     *
     * @param observerContext master coprocessor context
     * @param j procedure id; not consulted by the check
     * @throws IOException when access is denied
     */
    public void preAbortProcedure(ObserverContext<MasterCoprocessorEnvironment> observerContext, long j) throws IOException {
        final Permission.Action required = Permission.Action.ADMIN;
        requirePermission(observerContext, "abortProcedure", required);
    }

    /**
     * Requires ADMIN, with no table scope, for listing procedures.
     *
     * @param observerContext master coprocessor context
     * @throws IOException when access is denied
     */
    public void postGetProcedures(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        // NOTE(review): this is a post hook, so the check runs after the procedures were
        // gathered; presumably the thrown exception keeps them from reaching the caller - confirm.
        final Permission.Action required = Permission.Action.ADMIN;
        requirePermission(observerContext, "getProcedures", required);
    }

    /**
     * Authorizes opening a region.
     *
     * <p>Regions of special tables require the system user or a superuser; all other regions
     * require ADMIN on the region's table.
     *
     * @param observerContext region coprocessor context
     * @throws IOException when access is denied
     */
    public void preOpen(ObserverContext<RegionCoprocessorEnvironment> observerContext) throws IOException {
        Region region = observerContext.getEnvironment().getRegion();
        if (region == null) {
            // NOTE(review): this path only logs and returns, so no authorization check is
            // performed when the environment reports no region (fails open).
            LOG.error("NULL region from RegionCoprocessorEnvironment in preOpen()");
            return;
        }
        if (isSpecialTable(region.getRegionInfo())) {
            // The configuration comes from the environment captured in start(), not from
            // observerContext.
            requireSystemOrSuperUser(this.regionEnv.getConfiguration(), observerContext);
            return;
        }
        RegionCoprocessorEnvironment env = observerContext.getEnvironment();
        requirePermission(observerContext, "open", getTableName(env), Permission.Action.ADMIN);
    }

    /**
     * Requires ADMIN on the target table before a snapshot is restored.
     *
     * @param observerContext master coprocessor context
     * @param snapshotDescription snapshot being restored (not part of the check)
     * @param tableDescriptor descriptor of the table being restored; its name is the resource
     * @throws IOException when access is denied
     */
    public void preRestoreSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext, SnapshotDescription snapshotDescription, TableDescriptor tableDescriptor) throws IOException {
        byte[] table = tableDescriptor.getTableName().getName();
        requirePermission(observerContext, "restoreSnapshot", table, Permission.Action.ADMIN);
    }

    /**
     * Allows a scanner to be closed only after {@code requireScannerOwner} accepts the caller.
     *
     * @param observerContext region coprocessor context
     * @param internalScanner scanner being closed
     * @throws IOException when the ownership check fails
     */
    public void preScannerClose(ObserverContext<RegionCoprocessorEnvironment> observerContext, InternalScanner internalScanner) throws IOException {
        // Ownership is the only check here; no policy evaluation happens on close.
        this.requireScannerOwner(observerContext, internalScanner);
    }

    /**
     * Allows a scanner to advance only after {@code requireScannerOwner} accepts the caller.
     *
     * @param observerContext region coprocessor context
     * @param internalScanner scanner being advanced
     * @param list result buffer (not part of the check)
     * @param i row limit (not part of the check)
     * @param z value passed in by the framework, returned unchanged
     * @return {@code z}
     * @throws IOException when the ownership check fails
     */
    public boolean preScannerNext(ObserverContext<RegionCoprocessorEnvironment> observerContext, InternalScanner internalScanner, List<Result> list, int i, boolean z) throws IOException {
        // Ownership is the only check here; read access was evaluated when the scanner opened.
        this.requireScannerOwner(observerContext, internalScanner);
        return z;
    }

    /**
     * Authorizes READ for a scan and, on partial access, restricts the scan with a filter.
     *
     * <p>When {@code authorizeAccess} returns a filter, it is combined with the scan's own filter
     * through {@code combineFilters} and installed on the scan. A {@code null} filter means no
     * restriction is added.
     *
     * @param observerContext region coprocessor context
     * @param scan scan being opened; its filter may be replaced
     * @throws IOException when access is denied or authorization fails
     */
    public void preScannerOpen(ObserverContext<RegionCoprocessorEnvironment> observerContext, Scan scan) throws IOException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> preScannerOpen");
        }
        String commandStr = null;
        try {
            RegionCoprocessorEnvironment env = observerContext.getEnvironment();
            Map<byte[], NavigableSet<byte[]>> familyMap = scan.getFamilyMap();
            byte[] tableName = getTableName(env);
            // NOTE(review): new String(byte[]) decodes with the platform default charset.
            String tableText = tableName != null ? new String(tableName) : HbaseConstants.SPACE;
            commandStr = getCommandString(HbaseConstants.SCAN, tableText, scan.toMap());
            Filter authFilter = authorizeAccess(observerContext, "scannerOpen", Permission.Action.READ, env, familyMap, commandStr);
            if (authFilter == null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("preScannerOpen: Access allowed for all families/column.  No filter added");
                }
            } else {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("preScannerOpen: Access allowed for some of the families/column. New filter added.");
                }
                scan.setFilter(combineFilters(authFilter, scan.getFilter()));
            }
        } finally {
            // Exit trace is written on both the normal and the exceptional path.
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== preScannerOpen: commandStr: " + commandStr);
            }
        }
    }

    /**
     * Requires ADMIN, with no table scope, before cluster shutdown, then cleans up the plugin.
     *
     * @param observerContext master coprocessor context
     * @throws IOException when access is denied; the cleanup is then not reached
     */
    public void preShutdown(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        final Permission.Action required = Permission.Action.ADMIN;
        requirePermission(observerContext, "shutdown", required);
        // Reached only when the check passed: a denied caller cannot trigger the cleanup.
        cleanUp_HBaseRangerPlugin();
    }

    /**
     * Requires ADMIN on the table before a snapshot is taken.
     *
     * @param observerContext master coprocessor context
     * @param snapshotDescription snapshot being taken (not part of the check)
     * @param tableDescriptor descriptor of the snapshotted table; its name is the resource
     * @throws IOException when access is denied
     */
    public void preSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext, SnapshotDescription snapshotDescription, TableDescriptor tableDescriptor) throws IOException {
        byte[] table = tableDescriptor.getTableName().getName();
        requirePermission(observerContext, "snapshot", table, Permission.Action.ADMIN);
    }

    /**
     * Requires ADMIN, with no table scope, before the master stops, then cleans up the plugin.
     *
     * @param observerContext master coprocessor context
     * @throws IOException when access is denied; the cleanup is then not reached
     */
    public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        final Permission.Action required = Permission.Action.ADMIN;
        requirePermission(observerContext, "stopMaster", required);
        // Reached only when the check passed: a denied caller cannot trigger the cleanup.
        cleanUp_HBaseRangerPlugin();
    }

    /**
     * Requires ADMIN, with no table scope, before a region server stops, then cleans up the plugin.
     *
     * @param observerContext region-server coprocessor context
     * @throws IOException when access is denied; the cleanup is then not reached
     */
    public void preStopRegionServer(ObserverContext<RegionServerCoprocessorEnvironment> observerContext) throws IOException {
        final Permission.Action required = Permission.Action.ADMIN;
        requirePermission(observerContext, "stop", required);
        // Reached only when the check passed: a denied caller cannot trigger the cleanup.
        cleanUp_HBaseRangerPlugin();
    }

    /**
     * Requires ADMIN on the region's table before a region is unassigned.
     *
     * @param observerContext master coprocessor context
     * @param regionInfo region being unassigned; its table name is the resource
     * @param z force flag; not consulted by the check
     * @throws IOException when access is denied
     */
    public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> observerContext, RegionInfo regionInfo, boolean z) throws IOException {
        byte[] table = regionInfo.getTable().getName();
        requirePermission(observerContext, "unassign", table, null, null, Permission.Action.ADMIN);
    }

    /**
     * Requires global ADMIN before a user quota is set.
     *
     * @param observerContext master coprocessor context
     * @param str user the quota applies to; not part of the authorization request
     * @param globalQuotaSettings quota settings (not part of the check)
     * @throws IOException when access is denied
     */
    public void preSetUserQuota(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str, GlobalQuotaSettings globalQuotaSettings) throws IOException {
        final String noExtraInfo = null;
        requireGlobalPermission(observerContext, "setUserQuota", noExtraInfo, Permission.Action.ADMIN);
    }

    /**
     * Requires ADMIN on the table before a per-table user quota is set.
     *
     * @param observerContext master coprocessor context
     * @param str user the quota applies to; not part of the authorization request
     * @param tableName table the quota applies to; the authorized resource
     * @param globalQuotaSettings quota settings (not part of the check)
     * @throws IOException when access is denied
     */
    public void preSetUserQuota(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str, TableName tableName, GlobalQuotaSettings globalQuotaSettings) throws IOException {
        byte[] table = tableName.getName();
        requirePermission(observerContext, "setUserTableQuota", table, null, null, Permission.Action.ADMIN);
    }

    /**
     * Requires global ADMIN before a per-namespace user quota is set.
     *
     * <p>The namespace is passed only as extra information; the request itself has no table scope.
     *
     * @param observerContext master coprocessor context
     * @param str user the quota applies to; not part of the authorization request
     * @param str2 namespace the quota applies to
     * @param globalQuotaSettings quota settings (not part of the check)
     * @throws IOException when access is denied
     */
    public void preSetUserQuota(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str, String str2, GlobalQuotaSettings globalQuotaSettings) throws IOException {
        final String namespace = str2;
        requireGlobalPermission(observerContext, "setUserNamespaceQuota", namespace, Permission.Action.ADMIN);
    }

    /**
     * Requires ADMIN on the table before a table quota is set.
     *
     * @param observerContext master coprocessor context
     * @param tableName table the quota applies to; the authorized resource
     * @param globalQuotaSettings quota settings (not part of the check)
     * @throws IOException when access is denied
     */
    public void preSetTableQuota(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, GlobalQuotaSettings globalQuotaSettings) throws IOException {
        byte[] table = tableName.getName();
        requirePermission(observerContext, "setTableQuota", table, null, null, Permission.Action.ADMIN);
    }

    /**
     * Requires global ADMIN before a namespace quota is set.
     *
     * <p>The namespace is passed only as extra information; the request itself has no table scope.
     *
     * @param observerContext master coprocessor context
     * @param str namespace the quota applies to
     * @param globalQuotaSettings quota settings (not part of the check)
     * @throws IOException when access is denied
     */
    public void preSetNamespaceQuota(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str, GlobalQuotaSettings globalQuotaSettings) throws IOException {
        final String namespace = str;
        requireGlobalPermission(observerContext, "setNamespaceQuota", namespace, Permission.Action.ADMIN);
    }

    /**
     * Initializes the coprocessor for the environment it is loaded into.
     *
     * <p>Reads {@code hbase.security.exec.permission.checks} (default {@code false}), records the
     * coprocessor type, creates the user provider, initializes {@code HbaseFactory} and, once per
     * class, creates and initializes the shared {@code RangerHBasePlugin}.
     *
     * @param coprocessorEnvironment environment supplied by HBase
     * @throws IOException declared by the coprocessor contract
     */
    public void start(CoprocessorEnvironment coprocessorEnvironment) throws IOException {
        // Endpoint EXEC checks stay off unless this flag is set explicitly.
        this.shouldCheckExecPermission = coprocessorEnvironment.getConfiguration().getBoolean("hbase.security.exec.permission.checks", false);
        String appType;
        if (coprocessorEnvironment instanceof MasterCoprocessorEnvironment) {
            this.coprocessorType = MASTER_COPROCESSOR_TYPE;
            appType = "hbaseMaster";
        } else if (coprocessorEnvironment instanceof RegionServerCoprocessorEnvironment) {
            this.coprocessorType = REGIONAL_SERVER_COPROCESSOR_TYPE;
            appType = "hbaseRegional";
        } else if (coprocessorEnvironment instanceof RegionCoprocessorEnvironment) {
            this.regionEnv = (RegionCoprocessorEnvironment) coprocessorEnvironment;
            this.coprocessorType = REGIONAL_COPROCESSOR_TYPE;
            appType = "hbaseRegional";
        } else {
            appType = "unknown";
        }
        this.userProvider = UserProvider.instantiate(coprocessorEnvironment.getConfiguration());
        HbaseFactory.initialize(coprocessorEnvironment.getConfiguration());
        // NOTE(review): check-lock-check initialisation of the shared plugin; safe publication
        // depends on how the hbasePlugin field is declared, which is not visible here.
        if (hbasePlugin == null) {
            synchronized (RangerAuthorizationCoprocessor.class) {
                if (hbasePlugin == null) {
                    RangerHBasePlugin plugin = new RangerHBasePlugin(appType);
                    plugin.init();
                    UpdateRangerPoliciesOnGrantRevoke = plugin.getConfig().getBoolean("xasecure.hbase.update.xapolicies.on.grant.revoke", true);
                    // Published last, after init() and the flag are in place.
                    hbasePlugin = plugin;
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Start of Coprocessor: [" + this.coprocessorType + "]");
        }
    }

    /**
     * Requires WRITE on every column family touched by a put.
     *
     * @param observerContext region coprocessor context
     * @param put put whose family/cell map is authorized
     * @param wALEdit WAL edit (not part of the check)
     * @param durability durability setting (not part of the check)
     * @throws IOException when access is denied
     */
    public void prePut(ObserverContext<RegionCoprocessorEnvironment> observerContext, Put put, WALEdit wALEdit, Durability durability) throws IOException {
        RegionCoprocessorEnvironment env = observerContext.getEnvironment();
        Map<byte[], ? extends Collection<?>> families = put.getFamilyCellMap();
        requirePermission(observerContext, "put", Permission.Action.WRITE, env, families);
    }

    /**
     * Authorizes READ for a get and, on partial access, restricts the get with a filter.
     *
     * <p>When {@code authorizeAccess} returns a filter, it is combined with the get's own filter
     * through {@code combineFilters} and installed on the get. A {@code null} filter means no
     * restriction is added.
     *
     * @param observerContext region coprocessor context
     * @param get get being executed; its filter may be replaced
     * @param list result cells (not used here)
     * @throws IOException when access is denied or authorization fails
     */
    public void preGetOp(ObserverContext<RegionCoprocessorEnvironment> observerContext, Get get, List<Cell> list) throws IOException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> preGetOp");
        }
        String commandStr = null;
        try {
            RegionCoprocessorEnvironment env = observerContext.getEnvironment();
            Map<byte[], NavigableSet<byte[]>> familyMap = get.getFamilyMap();
            byte[] tableName = getTableName(env);
            // NOTE(review): new String(byte[]) decodes with the platform default charset.
            String tableText = tableName != null ? new String(tableName) : HbaseConstants.SPACE;
            commandStr = getCommandString(HbaseConstants.GET, tableText, get.toMap());
            Filter authFilter = authorizeAccess(observerContext, HbaseConstants.GET, Permission.Action.READ, env, familyMap, commandStr);
            if (authFilter == null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("preGetOp: all access allowed, no filter returned");
                }
            } else {
                get.setFilter(combineFilters(authFilter, get.getFilter()));
                if (LOG.isDebugEnabled()) {
                    LOG.debug("preGetOp: partial access, new filter added");
                }
            }
        } finally {
            // Exit trace is written on both the normal and the exceptional path.
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== preGetOp: commandStr: " + commandStr);
            }
        }
    }

    /**
     * Requires ADMIN on the region's table before a region is taken offline.
     *
     * @param observerContext master coprocessor context
     * @param regionInfo region being taken offline; its table name is the resource
     * @throws IOException when access is denied
     */
    public void preRegionOffline(ObserverContext<MasterCoprocessorEnvironment> observerContext, RegionInfo regionInfo) throws IOException {
        byte[] table = regionInfo.getTable().getName();
        requirePermission(observerContext, "regionOffline", table, null, null, Permission.Action.ADMIN);
    }

    /**
     * Requires global ADMIN before a namespace is created.
     *
     * @param observerContext master coprocessor context
     * @param namespaceDescriptor namespace being created; its name is passed as extra information
     * @throws IOException when access is denied
     */
    public void preCreateNamespace(ObserverContext<MasterCoprocessorEnvironment> observerContext, NamespaceDescriptor namespaceDescriptor) throws IOException {
        String namespace = namespaceDescriptor.getName();
        requireGlobalPermission(observerContext, "createNamespace", namespace, Permission.Action.ADMIN);
    }

    /**
     * Requires global ADMIN before a namespace is deleted.
     *
     * @param observerContext master coprocessor context
     * @param str namespace being deleted; passed as extra information
     * @throws IOException when access is denied
     */
    public void preDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str) throws IOException {
        final String namespace = str;
        requireGlobalPermission(observerContext, "deleteNamespace", namespace, Permission.Action.ADMIN);
    }

    /**
     * Requires global ADMIN before a namespace is modified.
     *
     * @param observerContext master coprocessor context
     * @param namespaceDescriptor namespace being modified; its name is passed as extra information
     * @throws IOException when access is denied
     */
    public void preModifyNamespace(ObserverContext<MasterCoprocessorEnvironment> observerContext, NamespaceDescriptor namespaceDescriptor) throws IOException {
        String namespace = namespaceDescriptor.getName();
        requireGlobalPermission(observerContext, "modifyNamespace", namespace, Permission.Action.ADMIN);
    }

    /**
     * Applies access checks to the table list returned by a table-names request.
     *
     * <p>Delegates to {@code checkGetTableInfoAccess} with the access type {@code "_any"}.
     *
     * @param observerContext master coprocessor context
     * @param list descriptors about to be returned, may be {@code null}
     * @param str regular expression of the request
     * @throws IOException propagated from {@code checkGetTableInfoAccess}
     */
    public void postGetTableNames(ObserverContext<MasterCoprocessorEnvironment> observerContext, List<TableDescriptor> list, String str) throws IOException {
        if (LOG.isDebugEnabled()) {
            int countBefore = list == null ? 0 : list.size();
            LOG.debug(String.format("==> postGetTableNames(count(descriptors)=%s, regex=%s)", countBefore, str));
        }
        checkGetTableInfoAccess(observerContext, "getTableNames", list, str, "_any");
        if (LOG.isDebugEnabled()) {
            // Size is read again because the check receives the same list instance.
            int countAfter = list == null ? 0 : list.size();
            LOG.debug(String.format("<== postGetTableNames(count(descriptors)=%s, regex=%s)", countAfter, str));
        }
    }

    /**
     * Applies access checks to the descriptors returned by a table-descriptors request.
     *
     * <p>Delegates to {@code checkGetTableInfoAccess} with the access type mapped from
     * {@code Permission.Action.CREATE}.
     *
     * @param observerContext master coprocessor context
     * @param list requested table names, may be {@code null}; only counted for the debug log
     * @param list2 descriptors about to be returned, may be {@code null}
     * @param str regular expression of the request
     * @throws IOException propagated from {@code checkGetTableInfoAccess}
     */
    public void postGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> observerContext, List<TableName> list, List<TableDescriptor> list2, String str) throws IOException {
        if (LOG.isDebugEnabled()) {
            int nameCount = list == null ? 0 : list.size();
            int descriptorCount = list2 == null ? 0 : list2.size();
            LOG.debug(String.format("==> postGetTableDescriptors(count(tableNamesList)=%s, count(descriptors)=%s, regex=%s)", nameCount, descriptorCount, str));
        }
        String createAccess = this._authUtils.getAccess(Permission.Action.CREATE);
        checkGetTableInfoAccess(observerContext, "getTableDescriptors", list2, str, createAccess);
        if (LOG.isDebugEnabled()) {
            // Sizes are read again because the check receives the same descriptor list instance.
            int nameCount = list == null ? 0 : list.size();
            int descriptorCount = list2 == null ? 0 : list2.size();
            LOG.debug(String.format("<== postGetTableDescriptors(count(tableNamesList)=%s, count(descriptors)=%s, regex=%s)", nameCount, descriptorCount, str));
        }
    }

    /**
     * Applies access checks to the namespace descriptors returned by a list request.
     *
     * @param observerContext master coprocessor context
     * @param list namespace descriptors about to be returned
     * @throws IOException propagated from {@code checkAccessForNamespaceDescriptor}
     */
    public void postListNamespaceDescriptors(ObserverContext<MasterCoprocessorEnvironment> observerContext, List<NamespaceDescriptor> list) throws IOException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerAuthorizationCoprocessor.postListNamespaceDescriptors()");
        }
        final String operation = "getNameSpaceDescriptors";
        checkAccessForNamespaceDescriptor(observerContext, operation, list);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerAuthorizationCoprocessor.postListNamespaceDescriptors()");
        }
    }

    /**
     * Requires WRITE before a bulk load is prepared.
     *
     * <p>No column families are named: a {@code null} family collection is passed to the check.
     *
     * @param observerContext region coprocessor context
     * @param prepareBulkLoadRequest request (not part of the check)
     * @throws IOException when access is denied
     */
    public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> observerContext, ClientProtos.PrepareBulkLoadRequest prepareBulkLoadRequest) throws IOException {
        RegionCoprocessorEnvironment env = observerContext.getEnvironment();
        final Collection<byte[]> noFamilies = null;
        requirePermission(observerContext, "prePrepareBulkLoad", Permission.Action.WRITE, env, noFamilies);
    }

    /**
     * Requires WRITE before a bulk load is cleaned up.
     *
     * <p>No column families are named: a {@code null} family collection is passed to the check.
     *
     * @param observerContext region coprocessor context
     * @param cleanupBulkLoadRequest request (not part of the check)
     * @throws IOException when access is denied
     */
    public void preCleanupBulkLoad(ObserverContext<RegionCoprocessorEnvironment> observerContext, ClientProtos.CleanupBulkLoadRequest cleanupBulkLoadRequest) throws IOException {
        RegionCoprocessorEnvironment env = observerContext.getEnvironment();
        final Collection<byte[]> noFamilies = null;
        requirePermission(observerContext, "preCleanupBulkLoad", Permission.Action.WRITE, env, noFamilies);
    }

    /**
     * Requires EXEC on the region's table before a coprocessor endpoint is invoked.
     *
     * <p>The check runs only when {@code shouldCheckExecPermission} is set and the target is not
     * the {@code AccessControlService}; otherwise the invocation passes through unchecked here.
     *
     * @param observerContext region coprocessor context
     * @param service endpoint service being invoked
     * @param str method name, used in the operation label
     * @param message request message, returned unchanged
     * @return {@code message}
     * @throws IOException when access is denied
     */
    public Message preEndpointInvocation(ObserverContext<RegionCoprocessorEnvironment> observerContext, Service service, String str, Message message) throws IOException {
        boolean unchecked = !this.shouldCheckExecPermission || service instanceof AccessControlProtos.AccessControlService;
        if (unchecked) {
            return message;
        }
        String operation = "invoke(" + service.getDescriptorForType().getName() + "." + str + ")";
        RegionCoprocessorEnvironment env = observerContext.getEnvironment();
        byte[] table = getTableName(env);
        requirePermission(observerContext, operation, table, null, null, Permission.Action.EXEC);
        return message;
    }

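    /**
     * AccessControlService endpoint: turns an HBase {@code grant} into a Ranger grant request and
     * submits it through the plugin.
     *
     * <p>The callback receives the default {@code GrantResponse} only when the plugin call
     * completed; in every other case it receives {@code null}. That includes the two silent
     * cases where no controller exception is set: {@code UpdateRangerPoliciesOnGrantRevoke} is
     * off, or the plugin reference is {@code null}.
     *
     * <p>NOTE(review): no check of the caller's right to grant is visible in this method; the
     * request only carries the active user as grantor. Presumably the Ranger side enforces
     * delegated-admin rights for that grantor — confirm.
     *
     * @param rpcController controller on which failures are reported
     * @param grantRequest the HBase grant request
     * @param rpcCallback callback that receives the response (or {@code null})
     */
    public void grant(RpcController rpcController, AccessControlProtos.GrantRequest grantRequest, RpcCallback<AccessControlProtos.GrantResponse> rpcCallback) {
        boolean granted = false;
        if (UpdateRangerPoliciesOnGrantRevoke) {
            try {
                GrantRevokeRequest grantData = createGrantData(grantRequest);
                // Read the shared plugin reference once so the null check and both uses see the same instance.
                RangerHBasePlugin plugin = hbasePlugin;
                if (plugin != null) {
                    plugin.grantAccess(grantData, new RangerDefaultAuditHandler(plugin.getConfig()));
                    granted = true;
                }
            } catch (AccessControlException e) {
                // Must precede the broader handlers: placed after catch (Exception) it can never run,
                // and a denial would not be reported to the client as AccessDeniedException.
                LOG.warn("grant() failed", e);
                ResponseConverter.setControllerException(rpcController, new AccessDeniedException(e));
            } catch (IOException e) {
                LOG.warn("grant() failed", e);
                ResponseConverter.setControllerException(rpcController, e);
            } catch (Exception e) {
                LOG.warn("grant() failed", e);
                // Only the message is forwarded to the client; the full exception stays in the server log.
                ResponseConverter.setControllerException(rpcController, new CoprocessorException(e.getMessage()));
            }
        }
        rpcCallback.run(granted ? AccessControlProtos.GrantResponse.getDefaultInstance() : null);
    }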

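    /**
     * AccessControlService endpoint: turns an HBase {@code revoke} into a Ranger revoke request
     * and submits it through the plugin.
     *
     * <p>The callback receives the default {@code RevokeResponse} only when the plugin call
     * completed; in every other case it receives {@code null}. That includes the two silent
     * cases where no controller exception is set: {@code UpdateRangerPoliciesOnGrantRevoke} is
     * off, or the plugin reference is {@code null}.
     *
     * <p>NOTE(review): no check of the caller's right to revoke is visible in this method; the
     * request only carries the active user as grantor. Presumably the Ranger side enforces
     * delegated-admin rights for that grantor — confirm.
     *
     * @param rpcController controller on which failures are reported
     * @param revokeRequest the HBase revoke request
     * @param rpcCallback callback that receives the response (or {@code null})
     */
    public void revoke(RpcController rpcController, AccessControlProtos.RevokeRequest revokeRequest, RpcCallback<AccessControlProtos.RevokeResponse> rpcCallback) {
        boolean revoked = false;
        if (UpdateRangerPoliciesOnGrantRevoke) {
            try {
                GrantRevokeRequest revokeData = createRevokeData(revokeRequest);
                // Read the shared plugin reference once so the null check and both uses see the same instance.
                RangerHBasePlugin plugin = hbasePlugin;
                if (plugin != null) {
                    plugin.revokeAccess(revokeData, new RangerDefaultAuditHandler(plugin.getConfig()));
                    revoked = true;
                }
            } catch (AccessControlException e) {
                // Must precede the broader handlers: placed after catch (Exception) it can never run,
                // and a denial would not be reported to the client as AccessDeniedException.
                LOG.warn("revoke() failed", e);
                ResponseConverter.setControllerException(rpcController, new AccessDeniedException(e));
            } catch (IOException e) {
                LOG.warn("revoke() failed", e);
                ResponseConverter.setControllerException(rpcController, e);
            } catch (Exception e) {
                LOG.warn("revoke() failed", e);
                // Only the message is forwarded to the client; the full exception stays in the server log.
                ResponseConverter.setControllerException(rpcController, new CoprocessorException(e.getMessage()));
            }
        }
        rpcCallback.run(revoked ? AccessControlProtos.RevokeResponse.getDefaultInstance() : null);
    }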

    /**
     * AccessControlService endpoint stub: writes a debug line and does nothing else.
     *
     * <p>NOTE(review): no permission is evaluated, {@code rpcCallback} is never run and no
     * controller exception is set, so this endpoint produces no answer for the caller.
     *
     * @param rpcController unused
     * @param hasPermissionRequest unused
     * @param rpcCallback unused; never invoked
     */
    public void hasPermission(RpcController rpcController, AccessControlProtos.HasPermissionRequest hasPermissionRequest, RpcCallback<AccessControlProtos.HasPermissionResponse> rpcCallback) {
        // Intentionally the only statement: see the note above.
        LOG.debug("hasPermission(): ");
    }

    /**
     * AccessControlService endpoint stub: writes a debug line and does nothing else.
     *
     * <p>NOTE(review): no permission is evaluated, {@code rpcCallback} is never run and no
     * controller exception is set, so this endpoint produces no answer for the caller.
     *
     * @param rpcController unused
     * @param checkPermissionsRequest unused
     * @param rpcCallback unused; never invoked
     */
    public void checkPermissions(RpcController rpcController, AccessControlProtos.CheckPermissionsRequest checkPermissionsRequest, RpcCallback<AccessControlProtos.CheckPermissionsResponse> rpcCallback) {
        // Intentionally the only statement: see the note above.
        LOG.debug("checkPermissions(): ");
    }

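    /**
     * AccessControlService endpoint: returns the user and group permissions Ranger holds for a
     * table, a namespace, or globally, depending on the request type.
     *
     * <p>Each branch first requires ADMIN for the caller and only then reads the ACLs. The ACL
     * read runs through {@code User.runAsLoginUser}, i.e. with the service's own identity, so the
     * preceding ADMIN check is the only gate on what the caller gets to see.
     *
     * <p>A table-scoped request without a table name is rejected with an {@code IOException}
     * reported on the controller, instead of failing with a {@code NullPointerException} that
     * would skip the callback.
     *
     * @param rpcController controller on which failures are reported
     * @param getUserPermissionsRequest the request; its type selects table/namespace/global scope
     * @param rpcCallback callback that receives the response, or {@code null} after a failure
     */
    public void getUserPermissions(RpcController rpcController, AccessControlProtos.GetUserPermissionsRequest getUserPermissionsRequest, RpcCallback<AccessControlProtos.GetUserPermissionsResponse> rpcCallback) {
        AccessControlProtos.GetUserPermissionsResponse getUserPermissionsResponse = null;
        try {
            List<UserPermission> list;
            RangerAccessResourceImpl rangerAccessResourceImpl = new RangerAccessResourceImpl();
            User activeUser = getActiveUser(null);
            Set<String> userGroups = this._userUtils.getUserGroups(activeUser);
            // Fall back to the groups carried by the UGI when the user utility returns none.
            if (userGroups.isEmpty() && activeUser.getUGI() != null) {
                String[] groupNames = activeUser.getUGI().getGroupNames();
                if (groupNames != null) {
                    userGroups = Sets.newHashSet(groupNames);
                }
            }
            final RangerAccessRequestImpl rangerAccessRequestImpl = new RangerAccessRequestImpl(rangerAccessResourceImpl, (String) null, this._userUtils.getUserAsString(activeUser), userGroups, (Set) null);
            rangerAccessRequestImpl.setAction("userPermissions");
            rangerAccessRequestImpl.setClientIPAddress(getRemoteAddress());
            rangerAccessRequestImpl.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF);
            if (getUserPermissionsRequest.getType() == AccessControlProtos.Permission.Type.Table) {
                // Fail closed on a malformed request rather than dereferencing a null table name below.
                if (!getUserPermissionsRequest.hasTableName()) {
                    throw new IOException("getUserPermissions(): invalid data - table name not specified");
                }
                final TableName tableName = ProtobufUtil.toTableName(getUserPermissionsRequest.getTableName());
                // Authorization gate for the table scope: ADMIN on the table.
                requirePermission(null, "userPermissions", tableName.getName(), Permission.Action.ADMIN);
                rangerAccessResourceImpl.setValue(RangerHBaseResource.KEY_TABLE, tableName.getNameAsString());
                list = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
                    @Override
                    public List<UserPermission> run() throws Exception {
                        return RangerAuthorizationCoprocessor.this.getUserPermissions(RangerAuthorizationCoprocessor.hbasePlugin.getResourceACLs(rangerAccessRequestImpl), tableName.getNameAsString(), false);
                    }
                });
            } else if (getUserPermissionsRequest.getType() == AccessControlProtos.Permission.Type.Namespace) {
                final String stringUtf8 = getUserPermissionsRequest.getNamespaceName().toStringUtf8();
                // Authorization gate for the namespace scope: global ADMIN.
                requireGlobalPermission(null, "getUserPermissionForNamespace", stringUtf8, Permission.Action.ADMIN);
                // The namespace is expressed as a table resource: "<namespace>" + NAMESPACE_SEPARATOR.
                rangerAccessResourceImpl.setValue(RangerHBaseResource.KEY_TABLE, stringUtf8 + RangerHBaseResource.NAMESPACE_SEPARATOR);
                rangerAccessRequestImpl.setRequestData(stringUtf8);
                list = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
                    @Override
                    public List<UserPermission> run() throws Exception {
                        return RangerAuthorizationCoprocessor.this.getUserPermissions(RangerAuthorizationCoprocessor.hbasePlugin.getResourceACLs(rangerAccessRequestImpl), stringUtf8, true);
                    }
                });
            } else {
                // Authorization gate for the global scope: ADMIN.
                requirePermission(null, "userPermissions", Permission.Action.ADMIN);
                list = User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() {
                    @Override
                    public List<UserPermission> run() throws Exception {
                        return RangerAuthorizationCoprocessor.this.getUserPermissions(RangerAuthorizationCoprocessor.hbasePlugin.getResourceACLs(rangerAccessRequestImpl), (String) null, false);
                    }
                });
                // A superuser is additionally reported with every action on the ACL table.
                if (this._userUtils.isSuperUser(activeUser)) {
                    list.add(new UserPermission(this._userUtils.getUserAsString(activeUser), Permission.newBuilder(AccessControlLists.ACL_TABLE_NAME).withActions(Permission.Action.values()).build()));
                }
            }
            getUserPermissionsResponse = AccessControlUtil.buildGetUserPermissionsResponse(list);
        } catch (IOException e) {
            ResponseConverter.setControllerException(rpcController, e);
        }
        rpcCallback.run(getUserPermissionsResponse);
    }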

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Converts the ACLs Ranger reports for a resource into HBase {@code UserPermission} entries.
     *
     * <p>User ACLs are added first, then group ACLs; only access types whose name matches an
     * HBase {@code Permission.Action} are considered.
     *
     * @param rangerResourceACLs ACLs returned by the plugin for the resource
     * @param str resource name handed to {@code addPermission} (table or namespace name)
     * @param z {@code true} when {@code str} names a namespace
     * @return the permissions built from the user and group ACLs
     */
    public List<UserPermission> getUserPermissions(RangerResourceACLs rangerResourceACLs, String str, boolean z) {
        // Names of every HBase action, used as the allow-list of access types to translate.
        List<String> hbaseActionNames = new ArrayList<>();
        for (Permission.Action hbaseAction : Permission.Action.values()) {
            hbaseActionNames.add(hbaseAction.name());
        }

        List<UserPermission> permissions = new ArrayList<>();
        addPermission(rangerResourceACLs.getUserACLs(), z, hbaseActionNames, permissions, str, false);
        addPermission(rangerResourceACLs.getGroupACLs(), z, hbaseActionNames, permissions, str, true);
        return permissions;
    }

    /**
     * Appends one {@code UserPermission} per principal that has at least one allowed HBase action.
     *
     * <p>NOTE(review): when {@code z} is false the resource goes through
     * {@code TableName.valueOf(str)}; the global branch of the RPC endpoint passes a {@code null}
     * resource name here — confirm how that case is meant to behave.
     *
     * @param map principal name to (access type to result) as reported by Ranger
     * @param z {@code true} to build namespace permissions, {@code false} for table permissions
     * @param list names of the HBase actions that may be reported
     * @param list2 output list the permissions are appended to
     * @param str namespace or table name the permissions apply to
     * @param z2 {@code true} when the principals are groups; names are then passed through
     *     {@code AuthUtil.toGroupEntry}
     */
    private void addPermission(Map<String, Map<String, RangerResourceACLs.AccessResult>> map, boolean z, List<String> list, List<UserPermission> list2, String str, boolean z2) {
        for (Map.Entry<String, Map<String, RangerResourceACLs.AccessResult>> principalEntry : map.entrySet()) {
            String principal;
            if (z2) {
                principal = AuthUtil.toGroupEntry(principalEntry.getKey());
            } else {
                principal = principalEntry.getKey();
            }

            List<Permission.Action> allowedActions = new ArrayList<>();
            for (Map.Entry<String, RangerResourceACLs.AccessResult> accessEntry : principalEntry.getValue().entrySet()) {
                String actionName = this._authUtils.getActionName(accessEntry.getKey());
                if (!list.contains(actionName)) {
                    continue;
                }
                // Only explicit allows are reported; any other result is dropped.
                if (accessEntry.getValue().getResult() == RangerPolicyEvaluator.ACCESS_ALLOWED.intValue()) {
                    allowedActions.add(Permission.Action.valueOf(actionName));
                }
            }
            if (allowedActions.isEmpty()) {
                continue;
            }

            Permission.Action[] actions = allowedActions.toArray(new Permission.Action[allowedActions.size()]);
            if (z) {
                list2.add(new UserPermission(principal, Permission.newBuilder(str).withActions(actions).build()));
            } else {
                list2.add(new UserPermission(principal, Permission.newBuilder(TableName.valueOf(str)).withActions(actions).build()));
            }
        }
    }

    /**
     * Builds the Ranger {@code GrantRevokeRequest} for an HBase grant request.
     *
     * <p>The resource is expressed as table / column family / column, with the wildcard filled in
     * for any part that is empty and a namespace prepended to the table part when one is given.
     * The grantor is the active user; the grantee is a group when its name starts with
     * {@code GROUP_PREFIX}, otherwise a user.
     *
     * @param grantRequest the HBase grant request
     * @return the request to submit to the Ranger plugin
     * @throws Exception if the permission, grantee or actions are missing, or no resource part
     *     could be derived from the request
     */
    private GrantRevokeRequest createGrantData(AccessControlProtos.GrantRequest grantRequest) throws Exception {
        AccessControlProtos.UserPermission userPermission = grantRequest.getUserPermission();
        AccessControlProtos.Permission permission = userPermission == null ? null : userPermission.getPermission();
        UserPermission userPermission2 = userPermission == null ? null : AccessControlUtil.toUserPermission(userPermission);
        Permission.Action[] actions = userPermission2 == null ? null : userPermission2.getPermission().getActions();
        String user = userPermission2 == null ? null : userPermission2.getUser();
        // str = namespace, str2 = table, str3 = column family, str4 = column qualifier.
        String str = null;
        String str2 = null;
        String str3 = null;
        String str4 = null;
        // Reject incomplete requests before any resource is derived from them.
        if (permission == null) {
            throw new Exception("grant(): invalid data - permission is null");
        }
        if (StringUtil.isEmpty(user)) {
            throw new Exception("grant(): invalid data - username empty");
        }
        if (actions == null || actions.length == 0) {
            throw new Exception("grant(): invalid data - no action specified");
        }
        // Decompiler-generated switch map over the permission type. The index-to-type mapping is
        // not visible here; from the bodies, 1 looks like Global, 2 Table, 3 Namespace — TODO confirm.
        switch (AnonymousClass4.$SwitchMap$org$apache$hadoop$hbase$protobuf$generated$AccessControlProtos$Permission$Type[permission.getType().ordinal()]) {
            case 1:
                // Every resource part becomes the wildcard.
                str4 = RangerHBaseResource.WILDCARD;
                str3 = RangerHBaseResource.WILDCARD;
                str2 = RangerHBaseResource.WILDCARD;
                break;
            case 2:
                // Table, family and qualifier are taken from the table permission.
                TablePermission permission2 = userPermission2.getPermission();
                str2 = Bytes.toString(permission2.getTableName().getName());
                str3 = Bytes.toString(permission2.getFamily());
                str4 = Bytes.toString(permission2.getQualifier());
                break;
            case 3:
                // Only the namespace is set; table/family/qualifier fall back to the wildcard below.
                str = userPermission2.getPermission().getNamespace();
                break;
        }
        if (StringUtil.isEmpty(str) && StringUtil.isEmpty(str2) && StringUtil.isEmpty(str3) && StringUtil.isEmpty(str4)) {
            throw new Exception("grant(): namespace/table/columnFamily/columnQualifier not specified");
        }
        // Any part left empty widens to the wildcard, e.g. a table-only grant covers all families and columns.
        String str5 = StringUtil.isEmpty(str2) ? RangerHBaseResource.WILDCARD : str2;
        String str6 = StringUtil.isEmpty(str3) ? RangerHBaseResource.WILDCARD : str3;
        String str7 = StringUtil.isEmpty(str4) ? RangerHBaseResource.WILDCARD : str4;
        if (!StringUtil.isEmpty(str)) {
            str5 = str + RangerHBaseResource.NAMESPACE_SEPARATOR + str5;
        }
        // The grantor identity comes from the active user of the call, not from the request payload.
        User activeUser = getActiveUser(null);
        String shortName = activeUser != null ? activeUser.getShortName() : null;
        String[] groupNames = activeUser != null ? activeUser.getGroupNames() : null;
        HashSet hashSet = null;
        if (groupNames != null && groupNames.length > 0) {
            hashSet = new HashSet(Arrays.asList(groupNames));
        }
        HashMap hashMap = new HashMap();
        hashMap.put(RangerHBaseResource.KEY_TABLE, str5);
        hashMap.put(RangerHBaseResource.KEY_COLUMN_FAMILY, str6);
        hashMap.put(RangerHBaseResource.KEY_COLUMN, str7);
        GrantRevokeRequest grantRevokeRequest = new GrantRevokeRequest();
        grantRevokeRequest.setGrantor(shortName);
        grantRevokeRequest.setGrantorGroups(hashSet);
        // Delegate-admin starts off and is switched on below only when the ADMIN action is granted.
        grantRevokeRequest.setDelegateAdmin(Boolean.FALSE);
        grantRevokeRequest.setEnableAudit(Boolean.TRUE);
        // NOTE(review): presumably replaces the grantee's existing permissions on this resource
        // instead of adding to them — confirm against the Ranger grant handling.
        grantRevokeRequest.setReplaceExistingPermissions(Boolean.TRUE);
        grantRevokeRequest.setResource(hashMap);
        grantRevokeRequest.setClientIPAddress(getRemoteAddress());
        grantRevokeRequest.setForwardedAddresses((List) null);
        grantRevokeRequest.setRemoteIPAddress(getRemoteAddress());
        grantRevokeRequest.setRequestData(userPermission.toString());
        // A grantee name carrying GROUP_PREFIX is a group; the prefix is stripped before it is stored.
        if (user.startsWith(GROUP_PREFIX)) {
            grantRevokeRequest.getGroups().add(user.substring(GROUP_PREFIX.length()));
        } else {
            grantRevokeRequest.getUsers().add(user);
        }
        // Map each HBase action code (an ASCII letter) to the Ranger access type.
        for (Permission.Action action : actions) {
            switch (action.code()) {
                case 65:
                    // 65 == 'A': admin, which also turns on delegate-admin for the grantee.
                    grantRevokeRequest.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_ADMIN);
                    grantRevokeRequest.setDelegateAdmin(Boolean.TRUE);
                    break;
                case 67:
                    // 67 == 'C'
                    grantRevokeRequest.getAccessTypes().add("create");
                    break;
                case 82:
                    // 82 == 'R'
                    grantRevokeRequest.getAccessTypes().add("read");
                    break;
                case 87:
                    // 87 == 'W'
                    grantRevokeRequest.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_WRITE);
                    break;
                case 88:
                    // 88 == 'X'
                    grantRevokeRequest.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_EXECUTE);
                    break;
                default:
                    // Unknown actions are skipped with a warning rather than failing the grant.
                    LOG.warn("grant(): ignoring action '" + action.name() + "' for user '" + user + HbaseConstants.SINGLE_QUOTES);
                    break;
            }
        }
        return grantRevokeRequest;
    }

    /**
     * Builds the Ranger {@code GrantRevokeRequest} for an HBase revoke request.
     *
     * <p>The resource is derived the same way as for a grant. The actions named in the request
     * are not read: the revoke always lists read, write, create, admin and execute, and always
     * sets delegate-admin, so it removes every access type for the grantee on that resource.
     *
     * @param revokeRequest the HBase revoke request
     * @return the request to submit to the Ranger plugin
     * @throws Exception if the permission or grantee is missing, or no resource part could be
     *     derived from the request
     */
    private GrantRevokeRequest createRevokeData(AccessControlProtos.RevokeRequest revokeRequest) throws Exception {
        AccessControlProtos.UserPermission userPermission = revokeRequest.getUserPermission();
        AccessControlProtos.Permission permission = userPermission == null ? null : userPermission.getPermission();
        UserPermission userPermission2 = userPermission == null ? null : AccessControlUtil.toUserPermission(userPermission);
        String user = userPermission2 == null ? null : userPermission2.getUser();
        // str = namespace, str2 = table, str3 = column family, str4 = column qualifier.
        String str = null;
        String str2 = null;
        String str3 = null;
        String str4 = null;
        // Reject incomplete requests before any resource is derived from them.
        if (permission == null) {
            throw new Exception("revoke(): invalid data - permission is null");
        }
        if (StringUtil.isEmpty(user)) {
            throw new Exception("revoke(): invalid data - username empty");
        }
        // Decompiler-generated switch map over the permission type. The index-to-type mapping is
        // not visible here; from the bodies, 1 looks like Global, 2 Table, 3 Namespace — TODO confirm.
        switch (AnonymousClass4.$SwitchMap$org$apache$hadoop$hbase$protobuf$generated$AccessControlProtos$Permission$Type[permission.getType().ordinal()]) {
            case 1:
                // Every resource part becomes the wildcard.
                str4 = RangerHBaseResource.WILDCARD;
                str3 = RangerHBaseResource.WILDCARD;
                str2 = RangerHBaseResource.WILDCARD;
                break;
            case 2:
                // Table, family and qualifier are taken from the table permission.
                TablePermission permission2 = userPermission2.getPermission();
                str2 = Bytes.toString(permission2.getTableName().getName());
                str3 = Bytes.toString(permission2.getFamily());
                str4 = Bytes.toString(permission2.getQualifier());
                break;
            case 3:
                // Only the namespace is set; table/family/qualifier fall back to the wildcard below.
                str = userPermission2.getPermission().getNamespace();
                break;
        }
        // The namespace is part of this check even though the message below does not mention it.
        if (StringUtil.isEmpty(str) && StringUtil.isEmpty(str2) && StringUtil.isEmpty(str3) && StringUtil.isEmpty(str4)) {
            throw new Exception("revoke(): table/columnFamily/columnQualifier not specified");
        }
        // Any part left empty widens to the wildcard.
        String str5 = StringUtil.isEmpty(str2) ? RangerHBaseResource.WILDCARD : str2;
        String str6 = StringUtil.isEmpty(str3) ? RangerHBaseResource.WILDCARD : str3;
        String str7 = StringUtil.isEmpty(str4) ? RangerHBaseResource.WILDCARD : str4;
        if (!StringUtil.isEmpty(str)) {
            str5 = str + RangerHBaseResource.NAMESPACE_SEPARATOR + str5;
        }
        // The grantor identity comes from the active user of the call, not from the request payload.
        User activeUser = getActiveUser(null);
        String shortName = activeUser != null ? activeUser.getShortName() : null;
        String[] groupNames = activeUser != null ? activeUser.getGroupNames() : null;
        HashSet hashSet = null;
        if (groupNames != null && groupNames.length > 0) {
            hashSet = new HashSet(Arrays.asList(groupNames));
        }
        HashMap hashMap = new HashMap();
        hashMap.put(RangerHBaseResource.KEY_TABLE, str5);
        hashMap.put(RangerHBaseResource.KEY_COLUMN_FAMILY, str6);
        hashMap.put(RangerHBaseResource.KEY_COLUMN, str7);
        GrantRevokeRequest grantRevokeRequest = new GrantRevokeRequest();
        grantRevokeRequest.setGrantor(shortName);
        grantRevokeRequest.setGrantorGroups(hashSet);
        // Unlike the grant path, delegate-admin is always set on a revoke.
        grantRevokeRequest.setDelegateAdmin(Boolean.TRUE);
        grantRevokeRequest.setEnableAudit(Boolean.TRUE);
        grantRevokeRequest.setReplaceExistingPermissions(Boolean.TRUE);
        grantRevokeRequest.setResource(hashMap);
        grantRevokeRequest.setClientIPAddress(getRemoteAddress());
        grantRevokeRequest.setForwardedAddresses((List) null);
        grantRevokeRequest.setRemoteIPAddress(getRemoteAddress());
        grantRevokeRequest.setRequestData(userPermission.toString());
        // A grantee name carrying GROUP_PREFIX is a group; the prefix is stripped before it is stored.
        if (user.startsWith(GROUP_PREFIX)) {
            grantRevokeRequest.getGroups().add(user.substring(GROUP_PREFIX.length()));
        } else {
            grantRevokeRequest.getUsers().add(user);
        }
        // All five access types are listed unconditionally; the requested actions are not consulted.
        grantRevokeRequest.getAccessTypes().add("read");
        grantRevokeRequest.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_WRITE);
        grantRevokeRequest.getAccessTypes().add("create");
        grantRevokeRequest.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_ADMIN);
        grantRevokeRequest.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_EXECUTE);
        return grantRevokeRequest;
    }

    /**
     * Shuts the Ranger plugin down: marks HBase as shutting down, runs the plugin cleanup and
     * then shuts down the audit provider factory if the plugin has one.
     *
     * <p>Does nothing besides debug logging when no plugin is set.
     */
    private void cleanUp_HBaseRangerPlugin() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerAuthorizationCoprocessor.cleanUp_HBaseRangerPlugin()");
        }

        if (hbasePlugin != null) {
            // Flag the shutdown first so the plugin sees it while cleaning up.
            hbasePlugin.setHBaseShuttingDown(true);
            hbasePlugin.cleanup();

            // The audit factory is stopped last, after the plugin cleanup has run.
            final AuditProviderFactory auditFactory = hbasePlugin.getAuditProviderFactory();
            if (auditFactory != null) {
                auditFactory.shutdown();
            }
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerAuthorizationCoprocessor.cleanUp_HBaseRangerPlugin() completed!");
        }
    }

    /**
     * Builds a one-line description of an operation: operation name, table name and predicates.
     *
     * @param str operation name
     * @param str2 table name
     * @param map operation metadata the predicates are read from
     * @return the description, or an empty string when the table is the HBase meta table
     */
    private String getCommandString(String str, String str2, Map<String, Object> map) {
        // Nothing is rendered for operations on the meta table.
        if (HbaseConstants.HBASE_META_TABLE.equals(str2)) {
            return new StringBuilder().toString();
        }

        StringBuilder command = new StringBuilder();
        command.append(str).append(HbaseConstants.SPACE);
        command.append(str2).append(HbaseConstants.COMMA).append(HbaseConstants.SPACE);
        command.append(getPredicates(str, map));
        return command.toString();
    }

    /**
     * Renders the row, filter and column predicates of an operation as a brace-delimited list.
     *
     * <p>For a scan the start and stop rows are rendered; for any other operation the single row
     * is. Filter and column families follow when present. Nothing is rendered when the metadata
     * is empty or when {@code isQueryforInfo} reports true for the families.
     *
     * @param str operation name; compared against {@code HbaseConstants.SCAN}
     * @param map operation metadata
     * @return the rendered predicates, possibly empty
     */
    private String getPredicates(String str, Map<String, Object> map) {
        StringBuilder predicates = new StringBuilder();
        if (!MapUtils.isNotEmpty(map)) {
            return predicates.toString();
        }

        HashMap<String, ArrayList<?>> families = (HashMap) map.get(HbaseConstants.FAMILIES);
        String startRow = (String) map.get(HbaseConstants.STARTROW);
        String stopRow = (String) map.get(HbaseConstants.STOPROW);
        String filter = (String) map.get(HbaseConstants.FILTER);
        String row = (String) map.get(HbaseConstants.ROW);
        if (isQueryforInfo(families)) {
            return predicates.toString();
        }

        // formatPredicate looks at what has been appended so far to choose the separator,
        // so the order of the appends below matters.
        predicates.append(HbaseConstants.OPEN_BRACES);
        final boolean isScan = HbaseConstants.SCAN.equals(str);
        if (isScan) {
            if (StringUtils.isNotEmpty(startRow)) {
                predicates.append(formatPredicate(predicates, PredicateType.STARTROW, startRow));
            }
            if (StringUtils.isNotEmpty(stopRow)) {
                predicates.append(formatPredicate(predicates, PredicateType.STOPROW, stopRow));
            }
        } else if (StringUtils.isNotEmpty(row)) {
            predicates.append(formatPredicate(predicates, PredicateType.ROW, row));
        }
        if (StringUtils.isNotEmpty(filter)) {
            predicates.append(formatPredicate(predicates, PredicateType.FILTER, filter));
        }
        if (MapUtils.isNotEmpty(families)) {
            predicates.append(formatPredicate(predicates, PredicateType.COLUMNS, families.toString()));
        }
        predicates.append(HbaseConstants.SPACE).append(HbaseConstants.CLOSED_BRACES);
        return predicates.toString();
    }

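    /**
     * Tells whether the requested column families include the {@code HbaseConstants.INFO} family.
     *
     * <p>A {@code null} map is treated as "no families" and yields {@code false}; previously it
     * raised a {@code NullPointerException} while the description string was being built.
     *
     * @param hashMap column families of the operation, keyed by family name; may be {@code null}
     * @return {@code true} if one of the keys equals {@code HbaseConstants.INFO}
     */
    private boolean isQueryforInfo(HashMap<String, ArrayList<?>> hashMap) {
        // containsKey performs the same INFO.equals(key) comparison the manual key loop did.
        return hashMap != null && hashMap.containsKey(HbaseConstants.INFO);
    }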

    /**
     * Renders one predicate with the separator that fits its position in the list.
     *
     * <p>The first predicate (the buffer holds only the opening brace) is preceded by a space;
     * every later one by a comma and a space.
     *
     * @param sb the predicate list built so far; only read, not modified
     * @param predicateType kind of predicate to render
     * @param str predicate value
     * @return separator followed by the rendered predicate
     */
    private String formatPredicate(StringBuilder sb, PredicateType predicateType, String str) {
        final boolean isFirstPredicate = HbaseConstants.OPEN_BRACES.equals(sb.toString());

        StringBuilder formatted = new StringBuilder();
        if (!isFirstPredicate) {
            formatted.append(HbaseConstants.COMMA);
        }
        formatted.append(HbaseConstants.SPACE);
        formatted.append(buildPredicate(predicateType, str));
        return formatted.toString();
    }

    /**
     * Renders a single predicate: {@code NAME<arrow>'value'} for start row, stop row, filter and
     * columns, and the bare value for a row.
     *
     * <p>NOTE(review): the value is embedded verbatim between the quotes. A row key or filter
     * that itself contains a quote or a line break ends up unescaped in the result, so whatever
     * consumes this text (presumably audit or log output — confirm) should treat it as free text
     * and not parse it back into fields.
     *
     * @param predicateType kind of predicate
     * @param str predicate value
     * @return the rendered predicate
     */
    private String buildPredicate(PredicateType predicateType, String str) {
        StringBuilder rendered = new StringBuilder();
        switch (predicateType) {
            case STARTROW:
            case STOPROW:
            case FILTER:
            case COLUMNS:
                // All four named predicates share one layout; only the label differs.
                rendered.append(predicateType.name().toUpperCase());
                rendered.append(HbaseConstants.ARROW);
                rendered.append(HbaseConstants.SINGLE_QUOTES).append(str).append(HbaseConstants.SINGLE_QUOTES);
                break;
            case ROW:
                rendered.append(str);
                break;
            default:
                break;
        }
        return rendered.toString();
    }

    /**
     * Filters a list of table descriptors down to the tables the active user may access.
     *
     * <p>Each table is authorized individually with one shared session. A denied table is removed
     * from {@code list} and its most recent audit event is logged straight away; the events
     * captured for the remaining tables are logged once at the end, if any table remains.
     * Denials therefore shrink the result instead of failing the call.
     *
     * @param observerContext coprocessor context of the master call
     * @param str operation name recorded on the session
     * @param list table descriptors to filter; modified in place
     * @param str2 regex of the original request, recorded as {@code regex=<value>}
     * @param str3 access type to authorize
     */
    private void checkGetTableInfoAccess(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str, List<TableDescriptor> list, String str2, String str3) {
        if (!CollectionUtils.isNotEmpty(list)) {
            return;
        }

        User requester = getActiveUser(observerContext);
        HbaseAuditHandler auditHandler = this._factory.getAuditHandler();
        AuthorizationSession session = new AuthorizationSession(hbasePlugin).operation(str).otherInformation("regex=" + str2).remoteAddress(getRemoteAddress()).auditHandler(auditHandler).user(requester).access(str3);

        for (Iterator<TableDescriptor> descriptors = list.iterator(); descriptors.hasNext(); ) {
            TableDescriptor descriptor = descriptors.next();
            session.table(descriptor.getTableName().getNameAsString()).buildRequest().authorize();
            if (session.isAuthorized()) {
                continue;
            }
            // Denied: hide the table from the caller and audit the denial on its own.
            descriptors.remove();
            AuthzAuditEvent deniedEvent = auditHandler.getAndDiscardMostRecentEvent();
            List<AuthzAuditEvent> deniedEvents = null;
            if (deniedEvent != null) {
                deniedEvents = Lists.newArrayList(new AuthzAuditEvent[]{deniedEvent});
            }
            auditHandler.logAuthzAudits(deniedEvents);
        }

        if (!list.isEmpty()) {
            session.logCapturedEvents();
        }
    }

    /**
     * Filters a list of namespace descriptors down to those the active user has ADMIN access to.
     *
     * <p>Each namespace is authorized individually with one shared session. A denied namespace is
     * removed from {@code list} and its most recent audit event is logged straight away; the
     * events captured for the remaining ones are logged once at the end, if any remain.
     *
     * <p>NOTE(review): the namespace name is passed to {@code table()} as-is, whereas the
     * namespace branch of {@code getUserPermissions} in this class appends
     * {@code NAMESPACE_SEPARATOR} when it builds its resource — confirm that policies match the
     * bare name used here.
     *
     * @param observerContext coprocessor context of the master call
     * @param str operation name recorded on the session
     * @param list namespace descriptors to filter; modified in place
     */
    private void checkAccessForNamespaceDescriptor(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str, List<NamespaceDescriptor> list) {
        if (!CollectionUtils.isNotEmpty(list)) {
            return;
        }

        User requester = getActiveUser(observerContext);
        String adminAccess = this._authUtils.getAccess(Permission.Action.ADMIN);
        HbaseAuditHandler auditHandler = this._factory.getAuditHandler();
        AuthorizationSession session = new AuthorizationSession(hbasePlugin).operation(str).remoteAddress(getRemoteAddress()).auditHandler(auditHandler).user(requester).access(adminAccess);

        for (Iterator<NamespaceDescriptor> descriptors = list.iterator(); descriptors.hasNext(); ) {
            NamespaceDescriptor descriptor = descriptors.next();
            session.table(descriptor.getName()).buildRequest().authorize();
            if (session.isAuthorized()) {
                continue;
            }
            // Denied: hide the namespace from the caller and audit the denial on its own.
            descriptors.remove();
            AuthzAuditEvent deniedEvent = auditHandler.getAndDiscardMostRecentEvent();
            List<AuthzAuditEvent> deniedEvents = null;
            if (deniedEvent != null) {
                deniedEvents = Lists.newArrayList(new AuthzAuditEvent[]{deniedEvent});
            }
            auditHandler.logAuthzAudits(deniedEvents);
        }

        if (!list.isEmpty()) {
            session.logCapturedEvents();
        }
    }
}
