package org.apache.sentry.binding.hive.v2;

import com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
import org.apache.sentry.binding.hive.HiveAuthzBindingHookBase;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
import org.apache.sentry.binding.hive.v2.authorizer.DefaultSentryAccessController;
import org.apache.sentry.binding.hive.v2.authorizer.DefaultSentryValidator;
import org.apache.sentry.binding.hive.v2.authorizer.SentryHiveAccessController;
import org.apache.sentry.binding.hive.v2.authorizer.SentryHiveAuthorizationValidator;
import org.apache.sentry.binding.hive.v2.authorizer.SentryHiveAuthorizer;

/* loaded from: input_file:org/apache/sentry/binding/hive/v2/SentryAuthorizerFactory.class */
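/**
 * {@link HiveAuthorizerFactory} that assembles a {@link SentryHiveAuthorizer} from a Sentry
 * access controller and a Sentry authorization validator.
 *
 * <p>NOTE(review): the two configuration keys below are read and null-checked, but the
 * configured classes are never instantiated; the default implementations are always used
 * (see {@link #getAccessController} and {@link #getAuthzValidator}). Anyone relying on a
 * custom controller or validator for enforcement should confirm which class is actually
 * in effect.
 */
public class SentryAuthorizerFactory implements HiveAuthorizerFactory {
    /** Configuration key naming the {@link SentryHiveAccessController} implementation. */
    public static final String HIVE_SENTRY_ACCESS_CONTROLLER = "hive.security.sentry.access.controller";
    /** Configuration key naming the {@link SentryHiveAuthorizationValidator} implementation. */
    public static final String HIVE_SENTRY_AUTHORIZATION_CONTROLLER = "hive.security.sentry.authorization.controller";
    // Sentry configuration loaded by the most recent public createHiveAuthorizer call.
    private HiveAuthzConf authzConf;

    /**
     * Builds the authorizer for a session.
     *
     * <p>Loads the Sentry configuration from {@code hiveConf}, applies the test-mode client
     * type override, rejects Hive CLI sessions that have authorization enabled, and then
     * wires the access controller and validator into a {@link SentryHiveAuthorizer}.
     *
     * @param hiveMetastoreClientFactory not used by this implementation
     * @param hiveConf Hive configuration the Sentry settings are loaded from
     * @param hiveAuthenticationProvider passed to the controller and the validator
     * @param hiveAuthzSessionContext session context; its client type drives the CLI check
     * @return a new {@link SentryHiveAuthorizer}
     * @throws HiveAuthzPluginException if the CLI check fails, or wrapping any other failure
     */
    public HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory hiveMetastoreClientFactory, HiveConf hiveConf, HiveAuthenticationProvider hiveAuthenticationProvider, HiveAuthzSessionContext hiveAuthzSessionContext) throws HiveAuthzPluginException {
        try {
            this.authzConf = HiveAuthzBindingHookBase.loadAuthzConf(hiveConf);
            HiveAuthzSessionContext effectiveContext = applyTestSettings(hiveAuthzSessionContext, hiveConf);
            assertHiveCliAuthDisabled(hiveConf, effectiveContext);
            SentryHiveAccessController accessController = getAccessController(hiveConf, this.authzConf, hiveAuthenticationProvider, effectiveContext);
            SentryHiveAuthorizationValidator validator = getAuthzValidator(hiveConf, this.authzConf, hiveAuthenticationProvider);
            return new SentryHiveAuthorizer(accessController, validator);
        } catch (HiveAuthzPluginException e) {
            // Already the declared type (e.g. the CLI check above): rethrow as-is so the
            // operator-facing message is not buried inside a second wrapper.
            throw e;
        } catch (Exception e) {
            throw new HiveAuthzPluginException(e);
        }
    }

    /**
     * Returns the session context to use for the remaining checks.
     *
     * <p>When {@code HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE} is true and the client type is
     * {@code HIVECLI}, a copy of the context with client type {@code HIVESERVER2} is
     * returned; otherwise the original context is returned unchanged.
     *
     * <p>Security note: the public factory method calls this before
     * {@link #assertHiveCliAuthDisabled}, so with the flag set a CLI session is no longer
     * seen as {@code HIVECLI} by that check. The flag is a test setting by name and should
     * not be enabled in a production configuration.
     */
    private HiveAuthzSessionContext applyTestSettings(HiveAuthzSessionContext hiveAuthzSessionContext, HiveConf hiveConf) {
        boolean testHs2Mode = hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_TEST_AUTHORIZATION_SQLSTD_HS2_MODE);
        if (!testHs2Mode || hiveAuthzSessionContext.getClientType() != HiveAuthzSessionContext.CLIENT_TYPE.HIVECLI) {
            return hiveAuthzSessionContext;
        }
        HiveAuthzSessionContext.Builder builder = new HiveAuthzSessionContext.Builder(hiveAuthzSessionContext);
        builder.setClientType(HiveAuthzSessionContext.CLIENT_TYPE.HIVESERVER2);
        return builder.build();
    }

    /**
     * Rejects a Hive CLI session that has {@code HIVE_AUTHORIZATION_ENABLED} set.
     *
     * @throws HiveAuthzPluginException if the client type is {@code HIVECLI} and
     *     authorization is enabled
     */
    private void assertHiveCliAuthDisabled(HiveConf hiveConf, HiveAuthzSessionContext hiveAuthzSessionContext) throws HiveAuthzPluginException {
        boolean isCli = hiveAuthzSessionContext.getClientType() == HiveAuthzSessionContext.CLIENT_TYPE.HIVECLI;
        if (isCli && hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
            // Message repaired: the two sentences were previously fused ("cliInstead") and
            // "recommended" was misspelled.
            throw new HiveAuthzPluginException("SQL standards based authorization should not be enabled from hive cli. "
                    + "Instead the use of storage based authorization in hive metastore is recommended. Set "
                    + HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED.varname + "=false to disable authz within cli");
        }
    }

    /**
     * Test hook: builds the authorizer from an explicitly supplied {@link HiveAuthzConf}.
     *
     * <p>Unlike the public factory method, this overload neither loads the configuration
     * nor runs the test-settings override or the Hive CLI check.
     *
     * @param hiveMetastoreClientFactory not used by this implementation
     */
    @VisibleForTesting
    protected HiveAuthorizer createHiveAuthorizer(HiveMetastoreClientFactory hiveMetastoreClientFactory, HiveConf hiveConf, HiveAuthzConf hiveAuthzConf, HiveAuthenticationProvider hiveAuthenticationProvider, HiveAuthzSessionContext hiveAuthzSessionContext) throws HiveAuthzPluginException {
        SentryHiveAccessController accessController = getAccessController(hiveConf, hiveAuthzConf, hiveAuthenticationProvider, hiveAuthzSessionContext);
        SentryHiveAuthorizationValidator validator = getAuthzValidator(hiveConf, hiveAuthzConf, hiveAuthenticationProvider);
        return new SentryHiveAuthorizer(accessController, validator);
    }

    /**
     * Creates the access controller used by the authorizer.
     *
     * @return a new {@link DefaultSentryAccessController}
     * @throws HiveAuthzPluginException if the configured class resolves to {@code null}, or
     *     wrapping any exception thrown by the controller's constructor
     */
    public static SentryHiveAccessController getAccessController(HiveConf hiveConf, HiveAuthzConf hiveAuthzConf, HiveAuthenticationProvider hiveAuthenticationProvider, HiveAuthzSessionContext hiveAuthzSessionContext) throws HiveAuthzPluginException {
        // NOTE(review): this lookup sits outside the try below; an unloadable or wrong-typed
        // class name presumably surfaces as an unchecked exception from getClass itself
        // rather than as HiveAuthzPluginException. Confirm against Configuration.getClass.
        if (hiveConf.getClass(HIVE_SENTRY_ACCESS_CONTROLLER, DefaultSentryAccessController.class, SentryHiveAccessController.class) == null) {
            throw new HiveAuthzPluginException("Configuration value " + HIVE_SENTRY_ACCESS_CONTROLLER + " is not set to valid SentryAccessController subclass");
        }
        try {
            // NOTE(review): the class resolved above is discarded and the default controller
            // is always constructed, so a custom value for the key has no effect on
            // enforcement. If pluggability is not intended, consider rejecting a non-default
            // value so the mismatch is not silent.
            return new DefaultSentryAccessController(hiveConf, hiveAuthzConf, hiveAuthenticationProvider, hiveAuthzSessionContext);
        } catch (Exception e) {
            throw new HiveAuthzPluginException(e);
        }
    }

    /**
     * Creates the authorization validator used by the authorizer.
     *
     * @return a new {@link DefaultSentryValidator}
     * @throws HiveAuthzPluginException if the configured class resolves to {@code null}, or
     *     wrapping any exception thrown by the validator's constructor
     */
    public static SentryHiveAuthorizationValidator getAuthzValidator(HiveConf hiveConf, HiveAuthzConf hiveAuthzConf, HiveAuthenticationProvider hiveAuthenticationProvider) throws HiveAuthzPluginException {
        if (hiveConf.getClass(HIVE_SENTRY_AUTHORIZATION_CONTROLLER, DefaultSentryValidator.class, SentryHiveAuthorizationValidator.class) == null) {
            throw new HiveAuthzPluginException("Configuration value " + HIVE_SENTRY_AUTHORIZATION_CONTROLLER + " is not set to valid SentryAuthorizationValidator subclass");
        }
        try {
            // NOTE(review): as with the access controller, the configured class is only
            // null-checked; the default validator is always the one that runs.
            return new DefaultSentryValidator(hiveConf, hiveAuthzConf, hiveAuthenticationProvider);
        } catch (Exception e) {
            throw new HiveAuthzPluginException(e);
        }
    }
}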
