package org.apache.sentry.binding.hive.v2.authorizer;

import com.google.common.base.Preconditions;
import com.google.common.collect.Sets;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
import org.apache.hadoop.hive.ql.plan.HiveOperation;
import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
import org.apache.sentry.SentryUserException;
import org.apache.sentry.binding.hive.SentryOnFailureHookContextImpl;
import org.apache.sentry.binding.hive.authz.HiveAuthzBinding;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
import org.apache.sentry.binding.hive.v2.util.SentryAuthorizerUtil;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.model.db.AccessConstants;
import org.apache.sentry.core.model.db.AccessURI;
import org.apache.sentry.core.model.db.DBModelAuthorizable;
import org.apache.sentry.core.model.db.Database;
import org.apache.sentry.core.model.db.Server;
import org.apache.sentry.core.model.db.Table;
import org.apache.sentry.provider.db.SentryAccessDeniedException;
import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
import org.apache.sentry.provider.db.service.thrift.TSentryRole;
import org.apache.sentry.service.thrift.SentryServiceClientFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sentry/binding/hive/v2/authorizer/DefaultSentryAccessController.class */
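/**
 * Access controller that forwards Hive role and privilege statements to the Sentry policy
 * service.
 *
 * <p>Every operation opens its own {@link SentryPolicyServiceClient} through
 * {@link SentryServiceClientFactory#create}, issues the request on behalf of the user reported
 * by the {@link HiveAuthenticationProvider}, and closes the client in a {@code finally} block.
 * A {@link SentryAccessDeniedException} is routed to the on-failure hooks and surfaced as
 * {@link HiveAccessControlException}; other failures are logged and surfaced as
 * {@link HiveAuthzPluginException}.
 *
 * <p>The most recently opened client is also published in the protected {@link #sentryClient}
 * field for subclasses, but each call closes only the client it opened itself.
 */
public class DefaultSentryAccessController extends SentryHiveAccessController {
    public static final Logger LOG = LoggerFactory.getLogger(DefaultSentryAccessController.class);
    public static final String REQUIRED_AUTHZ_SERVER_NAME = "Config " + HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME.getVar() + " is required";

    /** Prefix of the error raised when a statement names a principal type this operation rejects. */
    private static final String PRINCIPAL_NOT_SUPPORTED = "Sentry does not allow privileges to be granted/revoked to/from: ";

    private HiveAuthenticationProvider authenticator;
    private String serverName;
    private HiveConf conf;
    private HiveAuthzConf authzConf;
    private HiveAuthzSessionContext ctx;
    private HiveAuthzBinding.HiveHook hiveHook;
    private HiveAuthzBinding hiveAuthzBinding;
    protected SentryPolicyServiceClient sentryClient;

    /**
     * Creates a controller bound to the {@code HiveServer2} hook.
     *
     * @throws Exception if {@link #initilize} rejects an argument or the server name is not configured
     */
    public DefaultSentryAccessController(HiveConf hiveConf, HiveAuthzConf hiveAuthzConf, HiveAuthenticationProvider hiveAuthenticationProvider, HiveAuthzSessionContext hiveAuthzSessionContext) throws Exception {
        initilize(hiveConf, hiveAuthzConf, hiveAuthenticationProvider, hiveAuthzSessionContext);
        this.hiveHook = HiveAuthzBinding.HiveHook.HiveServer2;
    }

    /**
     * Creates a controller bound to the given hook type.
     *
     * @throws Exception if {@link #initilize} rejects an argument or the server name is not configured
     */
    public DefaultSentryAccessController(HiveAuthzBinding.HiveHook hiveHook, HiveConf hiveConf, HiveAuthzConf hiveAuthzConf, HiveAuthenticationProvider hiveAuthenticationProvider, HiveAuthzSessionContext hiveAuthzSessionContext) throws Exception {
        initilize(hiveConf, hiveAuthzConf, hiveAuthenticationProvider, hiveAuthzSessionContext);
        this.hiveHook = hiveHook;
    }

    /**
     * Validates and stores the collaborators and reads the mandatory Sentry server name from
     * {@code hiveAuthzConf}. All four arguments and the configured server name must be non-null.
     *
     * @throws NullPointerException if an argument or the configured server name is null
     */
    protected void initilize(HiveConf hiveConf, HiveAuthzConf hiveAuthzConf, HiveAuthenticationProvider hiveAuthenticationProvider, HiveAuthzSessionContext hiveAuthzSessionContext) throws Exception {
        Preconditions.checkNotNull(hiveConf, "HiveConf cannot be null");
        Preconditions.checkNotNull(hiveAuthzConf, "HiveAuthzConf cannot be null");
        Preconditions.checkNotNull(hiveAuthenticationProvider, "Hive authenticator provider cannot be null");
        Preconditions.checkNotNull(hiveAuthzSessionContext, "HiveAuthzSessionContext cannot be null");
        this.conf = hiveConf;
        this.authzConf = hiveAuthzConf;
        this.authenticator = hiveAuthenticationProvider;
        this.ctx = hiveAuthzSessionContext;
        this.serverName = (String) Preconditions.checkNotNull(hiveAuthzConf.get(HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME.getVar()), REQUIRED_AUTHZ_SERVER_NAME);
    }

    /**
     * Creates a role in Sentry on behalf of the authenticated user.
     *
     * @param str name of the role to create; reserved role names are rejected
     * @param hivePrincipal not read by this implementation
     * @throws HiveAccessControlException if the name is reserved or Sentry denies the request
     * @throws HiveAuthzPluginException if the Sentry client cannot be created or the call fails
     */
    @Override
    public void createRole(String str, HivePrincipal hivePrincipal) throws HiveAuthzPluginException, HiveAccessControlException {
        rejectReservedRoleName(str);
        SentryPolicyServiceClient client = null;
        try {
            client = openSentryClient();
            client.createRole(this.authenticator.getUserName(), str);
        } catch (SentryAccessDeniedException e) {
            executeOnFailureHooks(HiveOperation.CREATEROLE, e);
        } catch (SentryUserException e) {
            executeOnErrorHooks("Error occurred when Sentry client creating role: " + e.getMessage(), e);
        } finally {
            closeResources(client, null);
        }
    }

    /**
     * Drops a role in Sentry on behalf of the authenticated user.
     *
     * @param str name of the role to drop; reserved role names are rejected
     * @throws HiveAccessControlException if the name is reserved or Sentry denies the request
     * @throws HiveAuthzPluginException if the Sentry client cannot be created or the call fails
     */
    @Override
    public void dropRole(String str) throws HiveAuthzPluginException, HiveAccessControlException {
        rejectReservedRoleName(str);
        SentryPolicyServiceClient client = null;
        try {
            client = openSentryClient();
            client.dropRole(this.authenticator.getUserName(), str);
        } catch (SentryAccessDeniedException e) {
            executeOnFailureHooks(HiveOperation.DROPROLE, e);
        } catch (SentryUserException e) {
            // The listing reused the createRole text here, which mislabels drop failures in logs.
            executeOnErrorHooks("Error occurred when Sentry client dropping role: " + e.getMessage(), e);
        } finally {
            closeResources(client, null);
        }
    }

    /**
     * Lists the role names Sentry returns for the authenticated user's {@code listRoles} request.
     *
     * @return the role names; never null
     */
    @Override
    public List<String> getAllRoles() throws HiveAccessControlException, HiveAuthzPluginException {
        List<String> roleNames = new ArrayList<>();
        SentryPolicyServiceClient client = null;
        try {
            client = openSentryClient();
            roleNames = convert2RoleList(client.listRoles(this.authenticator.getUserName()));
        } catch (SentryAccessDeniedException e) {
            executeOnFailureHooks(HiveOperation.SHOW_ROLES, e);
        } catch (SentryUserException e) {
            executeOnErrorHooks("Error when sentryClient listRoles: " + e.getMessage(), e);
        } finally {
            closeResources(client, null);
        }
        return roleNames;
    }

    /**
     * Grants privileges on an object to roles.
     *
     * @param list principals receiving the privileges; each must be a role
     * @param list2 privileges to grant
     * @param hivePrivilegeObject object the privileges apply to
     * @param hivePrincipal grantor principal; not read by this implementation
     * @param z whether the grant carries the grant option
     */
    @Override
    public void grantPrivileges(List<HivePrincipal> list, List<HivePrivilege> list2, HivePrivilegeObject hivePrivilegeObject, HivePrincipal hivePrincipal, boolean z) throws HiveAuthzPluginException, HiveAccessControlException {
        grantOrRevokePrivlegeOnRole(list, list2, hivePrivilegeObject, z, true);
    }

    /**
     * Revokes privileges on an object from roles.
     *
     * @param list principals losing the privileges; each must be a role
     * @param list2 privileges to revoke
     * @param hivePrivilegeObject object the privileges apply to
     * @param hivePrincipal grantor principal; not read by this implementation
     * @param z grant-option flag; not forwarded to Sentry on revoke
     */
    @Override
    public void revokePrivileges(List<HivePrincipal> list, List<HivePrivilege> list2, HivePrivilegeObject hivePrivilegeObject, HivePrincipal hivePrincipal, boolean z) throws HiveAuthzPluginException, HiveAccessControlException {
        grantOrRevokePrivlegeOnRole(list, list2, hivePrivilegeObject, z, false);
    }

    /**
     * Grants roles to groups.
     *
     * @param list principals receiving the roles; each must be a group
     * @param list2 names of the roles to grant
     * @param z grant-option flag; not read by this implementation
     * @param hivePrincipal grantor principal whose name is sent to Sentry as the requestor
     */
    @Override
    public void grantRole(List<HivePrincipal> list, List<String> list2, boolean z, HivePrincipal hivePrincipal) throws HiveAuthzPluginException, HiveAccessControlException {
        grantOrRevokeRoleOnGroup(list, list2, hivePrincipal, true);
    }

    /**
     * Revokes roles from groups.
     *
     * @param list principals losing the roles; each must be a group
     * @param list2 names of the roles to revoke
     * @param z grant-option flag; not read by this implementation
     * @param hivePrincipal grantor principal whose name is sent to Sentry as the requestor
     */
    @Override
    public void revokeRole(List<HivePrincipal> list, List<String> list2, boolean z, HivePrincipal hivePrincipal) throws HiveAuthzPluginException, HiveAccessControlException {
        grantOrRevokeRoleOnGroup(list, list2, hivePrincipal, false);
    }

    /**
     * Lists the privileges a role holds, optionally narrowed to one object.
     *
     * @param hivePrincipal the principal to inspect; must be a role
     * @param hivePrivilegeObject object used to build the authorizable hierarchy passed to Sentry
     * @return the privileges converted to Hive's representation; never null
     * @throws HiveAuthzPluginException if the principal is not a role or the Sentry call fails
     * @throws HiveAccessControlException if Sentry denies the request
     */
    @Override
    public List<HivePrivilegeInfo> showPrivileges(HivePrincipal hivePrincipal, HivePrivilegeObject hivePrivilegeObject) throws HiveAuthzPluginException, HiveAccessControlException {
        if (hivePrincipal.getType() != HivePrincipal.HivePrincipalType.ROLE) {
            throw new HiveAuthzPluginException(PRINCIPAL_NOT_SUPPORTED + hivePrincipal.getType());
        }
        List<HivePrivilegeInfo> privilegeInfos = new ArrayList<>();
        SentryPolicyServiceClient client = null;
        try {
            client = openSentryClient();
            String requestor = this.authenticator.getUserName();
            List<List<DBModelAuthorizable>> hierarchy = SentryAuthorizerUtil.getAuthzHierarchy(new Server(this.serverName), hivePrivilegeObject);
            Set<TSentryPrivilege> privileges = new HashSet<>();
            if (hierarchy == null || hierarchy.isEmpty()) {
                // No object scope: ask Sentry for the role's privileges without an authorizable filter.
                privileges.addAll(client.listPrivilegesByRoleName(requestor, hivePrincipal.getName(), (List<DBModelAuthorizable>) null));
            } else {
                for (List<DBModelAuthorizable> authorizables : hierarchy) {
                    privileges.addAll(client.listPrivilegesByRoleName(requestor, hivePrincipal.getName(), authorizables));
                }
            }
            for (TSentryPrivilege privilege : privileges) {
                privilegeInfos.add(SentryAuthorizerUtil.convert2HivePrivilegeInfo(privilege, hivePrincipal));
            }
        } catch (SentryAccessDeniedException e) {
            // Caught before SentryUserException, matching createRole/dropRole, so that a denial
            // always reaches the on-failure hooks. NOTE(review): the order matters only if
            // SentryAccessDeniedException is a subtype of SentryUserException - confirm.
            executeOnFailureHooks(HiveOperation.SHOW_GRANT, e);
        } catch (SentryUserException e) {
            executeOnErrorHooks("Error when sentryClient listPrivilegesByRoleName: " + e.getMessage(), e);
        } finally {
            closeResources(client, null);
        }
        return privilegeInfos;
    }

    /**
     * Sets the active role set on a freshly created {@link HiveAuthzBinding}, using the roles
     * Sentry lists for the authenticated user.
     *
     * @param str role name passed to {@code setActiveRoleSet}
     * @throws HiveAccessControlException if Sentry denies the request
     * @throws HiveAuthzPluginException on any other failure
     */
    @Override
    public void setCurrentRole(String str) throws HiveAccessControlException, HiveAuthzPluginException {
        SentryPolicyServiceClient client = null;
        HiveAuthzBinding binding = null;
        try {
            client = openSentryClient();
            binding = new HiveAuthzBinding(this.hiveHook, this.conf, this.authzConf);
            this.hiveAuthzBinding = binding;
            binding.setActiveRoleSet(str, client.listUserRoles(this.authenticator.getUserName()));
        } catch (SentryAccessDeniedException e) {
            // Sibling (not nested) handlers: the HiveAccessControlException raised by the failure
            // hooks must propagate as-is instead of being re-wrapped by the generic handler below.
            // The denial is reported to the hooks as GRANT_ROLE, as in the listing.
            executeOnFailureHooks(HiveOperation.GRANT_ROLE, e);
        } catch (Exception e) {
            executeOnErrorHooks("Error when sentryClient setCurrentRole: " + e.getMessage(), e);
        } finally {
            closeResources(client, binding);
        }
    }

    /**
     * Returns the names of the roles currently active for the session.
     *
     * @return all of the user's roles when the active role set is "all", otherwise the roles in
     *     the active role set; never null
     * @throws HiveAuthzPluginException on any failure
     */
    @Override
    public List<String> getCurrentRoleNames() throws HiveAuthzPluginException {
        List<String> roleNames = new ArrayList<>();
        SentryPolicyServiceClient client = null;
        HiveAuthzBinding binding = null;
        try {
            client = openSentryClient();
            binding = new HiveAuthzBinding(this.hiveHook, this.conf, this.authzConf);
            this.hiveAuthzBinding = binding;
            ActiveRoleSet activeRoles = binding.getActiveRoleSet();
            if (activeRoles.isAll()) {
                roleNames = convert2RoleList(client.listUserRoles(this.authenticator.getUserName()));
            } else {
                roleNames.addAll(activeRoles.getRoles());
            }
        } catch (Exception e) {
            executeOnErrorHooks("Error when sentryClient listUserRoles: " + e.getMessage(), e);
        } finally {
            closeResources(client, binding);
        }
        return roleNames;
    }

    /**
     * Not supported by Sentry.
     *
     * @throws HiveAuthzPluginException always
     */
    @Override
    public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String str) throws HiveAuthzPluginException {
        throw new HiveAuthzPluginException("Not supported of SHOW_ROLE_PRINCIPALS in Sentry");
    }

    /**
     * Lists the roles granted to a group.
     *
     * @param hivePrincipal the principal to inspect; must be a group
     * @return the role grants converted to Hive's representation; never null
     * @throws HiveAuthzPluginException if the principal is not a group or the Sentry call fails
     * @throws HiveAccessControlException if Sentry denies the request
     */
    @Override
    public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal hivePrincipal) throws HiveAccessControlException, HiveAuthzPluginException {
        if (hivePrincipal.getType() != HivePrincipal.HivePrincipalType.GROUP) {
            throw new HiveAuthzPluginException(PRINCIPAL_NOT_SUPPORTED + hivePrincipal.getType());
        }
        List<HiveRoleGrant> roleGrants = new ArrayList<>();
        SentryPolicyServiceClient client = null;
        try {
            client = openSentryClient();
            // The lookup sits inside the try so a denial or failure from Sentry reaches the
            // hooks; in the listing the handlers wrapped only the client creation.
            Set<TSentryRole> roles = client.listRolesByGroupName(this.authenticator.getUserName(), hivePrincipal.getName());
            if (roles != null) {
                for (TSentryRole role : roles) {
                    roleGrants.add(SentryAuthorizerUtil.convert2HiveRoleGrant(role));
                }
            }
        } catch (SentryAccessDeniedException e) {
            executeOnFailureHooks(HiveOperation.SHOW_ROLE_GRANT, e);
        } catch (SentryUserException e) {
            executeOnErrorHooks("Error when sentryClient listRolesByGroupName: " + e.getMessage(), e);
        } finally {
            closeResources(client, null);
        }
        return roleGrants;
    }

    /**
     * Rejects sessions that are not HiveServer2 clients with Hive authorization enabled.
     *
     * @throws HiveAuthzPluginException if the client type is not {@code HIVESERVER2} or
     *     {@code HIVE_AUTHORIZATION_ENABLED} is false in {@code hiveConf}
     */
    @Override
    public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
        if (this.ctx.getClientType() != HiveAuthzSessionContext.CLIENT_TYPE.HIVESERVER2 || !hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
            throw new HiveAuthzPluginException("Sentry just support for hiveserver2");
        }
    }

    /**
     * Applies every privilege in {@code privileges} to every role in {@code principals}, as a
     * grant or a revoke depending on {@code isGrant}.
     *
     * <p>All principals are checked before the first Sentry call so that a non-role principal
     * later in the list cannot leave earlier principals partially updated.
     *
     * @param grantOption forwarded to Sentry on grant; on revoke {@code null} is sent instead
     */
    private void grantOrRevokePrivlegeOnRole(List<HivePrincipal> principals, List<HivePrivilege> privileges, HivePrivilegeObject hivePrivilegeObject, boolean grantOption, boolean isGrant) throws HiveAuthzPluginException, HiveAccessControlException {
        for (HivePrincipal principal : principals) {
            if (principal.getType() != HivePrincipal.HivePrincipalType.ROLE) {
                throw new HiveAuthzPluginException(PRINCIPAL_NOT_SUPPORTED + principal.getType());
            }
        }
        SentryPolicyServiceClient client = null;
        try {
            client = openSentryClient();
            for (HivePrincipal principal : principals) {
                for (HivePrivilege privilege : privileges) {
                    String requestor = this.authenticator.getUserName();
                    String roleName = principal.getName();
                    String action = SentryAuthorizerUtil.convert2SentryAction(privilege);
                    List<String> columns = privilege.getColumns();
                    Boolean grantOptionArg = isGrant ? Boolean.valueOf(grantOption) : null;
                    switch (hivePrivilegeObject.getType()) {
                        case GLOBAL:
                            if (isGrant) {
                                client.grantServerPrivilege(requestor, roleName, hivePrivilegeObject.getObjectName(), action, grantOptionArg);
                            } else {
                                client.revokeServerPrivilege(requestor, roleName, hivePrivilegeObject.getObjectName(), action, grantOptionArg);
                            }
                            break;
                        case DATABASE:
                            if (isGrant) {
                                client.grantDatabasePrivilege(requestor, roleName, this.serverName, hivePrivilegeObject.getDbname(), action, grantOptionArg);
                            } else {
                                client.revokeDatabasePrivilege(requestor, roleName, this.serverName, hivePrivilegeObject.getDbname(), action, grantOptionArg);
                            }
                            break;
                        case TABLE_OR_VIEW:
                            if (columns == null || columns.isEmpty()) {
                                if (isGrant) {
                                    client.grantTablePrivilege(requestor, roleName, this.serverName, hivePrivilegeObject.getDbname(), hivePrivilegeObject.getObjectName(), action, grantOptionArg);
                                } else {
                                    client.revokeTablePrivilege(requestor, roleName, this.serverName, hivePrivilegeObject.getDbname(), hivePrivilegeObject.getObjectName(), action, grantOptionArg);
                                }
                            } else if (action.equalsIgnoreCase("insert") || action.equalsIgnoreCase("*")) {
                                // Column-level scope is rejected for these two actions.
                                throw new HiveAuthzPluginException("Sentry does not support privilege: " + privilege.getName() + " on Column");
                            } else if (isGrant) {
                                client.grantColumnsPrivileges(requestor, roleName, this.serverName, hivePrivilegeObject.getDbname(), hivePrivilegeObject.getObjectName(), columns, action, grantOptionArg);
                            } else {
                                client.revokeColumnsPrivilege(requestor, roleName, this.serverName, hivePrivilegeObject.getDbname(), hivePrivilegeObject.getObjectName(), columns, action, grantOptionArg);
                            }
                            break;
                        case LOCAL_URI:
                        case DFS_URI:
                            // Quote characters are stripped from the URI before it is sent to Sentry.
                            String uri = hivePrivilegeObject.getObjectName().replace("'", "").replace("\"", "");
                            if (isGrant) {
                                client.grantURIPrivilege(requestor, roleName, this.serverName, uri, grantOptionArg);
                            } else {
                                client.revokeURIPrivilege(requestor, roleName, this.serverName, uri, grantOptionArg);
                            }
                            break;
                        case FUNCTION:
                        case PARTITION:
                        case COLUMN:
                        case COMMAND_PARAMS:
                        default:
                            // Fail closed: an object type this class does not map must not make a
                            // GRANT/REVOKE report success without changing anything in Sentry.
                            throw new HiveAuthzPluginException(hivePrivilegeObject.getType().name() + " are not supported in sentry");
                    }
                }
            }
        } catch (SentryAccessDeniedException e) {
            // Handled before SentryUserException so a denial reaches the on-failure hooks.
            executeOnFailureHooks(isGrant ? HiveOperation.GRANT_PRIVILEGE : HiveOperation.REVOKE_PRIVILEGE, e);
        } catch (SentryUserException e) {
            executeOnErrorHooks("Error when sentryClient grant/revoke privilege:" + e.getMessage(), e);
        } finally {
            closeResources(client, null);
        }
    }

    /**
     * Grants each role in {@code roleNames} to, or revokes it from, the groups named by
     * {@code principals}.
     *
     * @param grantor principal whose name is sent to Sentry as the requestor
     */
    private void grantOrRevokeRoleOnGroup(List<HivePrincipal> principals, List<String> roleNames, HivePrincipal grantor, boolean isGrant) throws HiveAuthzPluginException, HiveAccessControlException {
        Set<String> groups = Sets.newHashSet();
        for (HivePrincipal principal : principals) {
            if (principal.getType() != HivePrincipal.HivePrincipalType.GROUP) {
                throw new HiveAuthzPluginException(PRINCIPAL_NOT_SUPPORTED + principal.getType());
            }
            groups.add(principal.getName());
        }
        SentryPolicyServiceClient client = null;
        try {
            client = openSentryClient();
            // NOTE(review): the requestor here is the grantor principal's name, whereas every
            // other operation in this class uses authenticator.getUserName(). Confirm that Hive
            // always derives the grantor from the authenticated session before relying on it
            // for Sentry's authorization decision.
            String requestor = grantor.getName();
            for (String roleName : roleNames) {
                if (isGrant) {
                    client.grantRoleToGroups(requestor, roleName, groups);
                } else {
                    client.revokeRoleFromGroups(requestor, roleName, groups);
                }
            }
        } catch (SentryAccessDeniedException e) {
            executeOnFailureHooks(isGrant ? HiveOperation.GRANT_ROLE : HiveOperation.REVOKE_ROLE, e);
        } catch (SentryUserException e) {
            executeOnErrorHooks("Error when sentryClient grant/revoke role:" + e.getMessage(), e);
        } finally {
            closeResources(client, null);
        }
    }

    /**
     * Rejects role names that collide with {@link AccessConstants#RESERVED_ROLE_NAMES}.
     *
     * <p>The name is upper-cased with {@link Locale#ROOT} so the comparison does not depend on
     * the JVM's default locale (for example, Turkish casing of {@code i}).
     */
    private static void rejectReservedRoleName(String roleName) throws HiveAccessControlException {
        if (AccessConstants.RESERVED_ROLE_NAMES.contains(roleName.toUpperCase(Locale.ROOT))) {
            throw new HiveAccessControlException("Roles cannot be one of the reserved roles: " + AccessConstants.RESERVED_ROLE_NAMES);
        }
    }

    /** Opens a new Sentry client and publishes it in {@link #sentryClient} for subclasses. */
    private SentryPolicyServiceClient openSentryClient() throws HiveAuthzPluginException {
        SentryPolicyServiceClient client = getSentryClient();
        this.sentryClient = client;
        return client;
    }

    /**
     * Closes the resources opened by one call. Either argument may be null; the binding is
     * closed even when closing the client throws.
     */
    private static void closeResources(SentryPolicyServiceClient client, HiveAuthzBinding binding) {
        try {
            if (client != null) {
                client.close();
            }
        } finally {
            if (binding != null) {
                binding.close();
            }
        }
    }

    /**
     * Runs the configured on-failure hooks for a denied operation and then raises the denial.
     *
     * @throws HiveAccessControlException always, wrapping {@code sentryAccessDeniedException}
     */
    private void executeOnFailureHooks(HiveOperation hiveOperation, SentryAccessDeniedException sentryAccessDeniedException) throws HiveAccessControlException {
        SentryOnFailureHookContextImpl hookContext = new SentryOnFailureHookContextImpl(
                hiveOperation.toString(),
                (Set) null,
                (Set) null,
                hiveOperation,
                (Database) null,
                (Table) null,
                (AccessURI) null,
                (AccessURI) null,
                this.authenticator.getUserName(),
                (String) null,
                new AuthorizationException(sentryAccessDeniedException),
                this.authzConf);
        SentryAuthorizerUtil.executeOnFailureHooks(hookContext, this.authzConf);
        throw new HiveAccessControlException(sentryAccessDeniedException.getMessage(), sentryAccessDeniedException);
    }

    /**
     * Logs a non-denial failure and raises it.
     *
     * @throws HiveAuthzPluginException always, wrapping {@code exc}
     */
    private void executeOnErrorHooks(String str, Exception exc) throws HiveAuthzPluginException {
        LOG.error(str, exc);
        throw new HiveAuthzPluginException(str, exc);
    }

    /** Extracts the role names from Sentry role objects; a null or empty set yields an empty list. */
    private List<String> convert2RoleList(Set<TSentryRole> set) {
        List<String> roleNames = new ArrayList<>();
        if (set != null) {
            for (TSentryRole role : set) {
                roleNames.add(role.getRoleName());
            }
        }
        return roleNames;
    }

    /**
     * Creates a Sentry policy-service client from the stored authorization configuration.
     *
     * @throws HiveAuthzPluginException if the configuration is missing or the factory fails
     */
    private SentryPolicyServiceClient getSentryClient() throws HiveAuthzPluginException {
        try {
            Preconditions.checkNotNull(this.authzConf, "HiveAuthConf cannot be null");
            return SentryServiceClientFactory.create(this.authzConf);
        } catch (Exception e) {
            throw new HiveAuthzPluginException("Error occurred when creating Sentry client: " + e.getMessage(), e);
        }
    }
}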
