package org.apache.sentry.binding.solr.authz;

import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import java.io.File;
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.util.Arrays;
import java.util.Set;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.sentry.SentryUserException;
import org.apache.sentry.binding.solr.conf.SolrAuthzConf;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.core.model.search.Collection;
import org.apache.sentry.core.model.search.SearchModelAction;
import org.apache.sentry.core.model.search.SearchModelAuthorizable;
import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.provider.common.AuthorizationProvider;
import org.apache.sentry.provider.common.GroupMappingService;
import org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider;
import org.apache.sentry.provider.common.ProviderBackend;
import org.apache.sentry.provider.db.generic.SentryGenericProviderBackend;
import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClient;
import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericServiceClientFactory;
import org.apache.sentry.provider.db.generic.service.thrift.TAuthorizable;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryGrantOption;
import org.apache.sentry.provider.db.generic.service.thrift.TSentryPrivilege;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sentry/binding/solr/authz/SolrAuthzBinding.class */
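/**
 * Bridges Solr's authorization hooks to Sentry.
 *
 * <p>An instance wires up, from the supplied {@link SolrAuthzConf}, a
 * {@link ProviderBackend}, a {@link PolicyEngine} and an
 * {@link AuthorizationProvider} -- all three loaded reflectively from class
 * names in that configuration -- optionally logging the Solr process in via
 * Kerberos first. {@link #authorizeCollection} is the access-check entry point;
 * {@link #deleteCollectionPrivilege} pushes privilege cleanup to the Sentry
 * service when the generic (service-backed) backend is in use.
 *
 * <p>Security notes for deployers:
 * <ul>
 *   <li>The provider, backend and policy-engine class names are taken from the
 *       authz configuration and instantiated with {@code setAccessible(true)}.
 *       That configuration file is therefore as sensitive as the policy itself:
 *       anyone able to edit it can load an arbitrary class into the Solr JVM.</li>
 *   <li>Hadoop XML files under {@code solr.hdfs.confdir} are merged into the
 *       configuration and can set security-relevant keys such as
 *       {@code hadoop.security.authentication}; that directory should be
 *       writable by administrators only.</li>
 *   <li>Kerberos settings are read from system properties once, at class-load
 *       time (see the static fields below); changing them later has no effect.</li>
 *   <li>Keytab login happens at most once per JVM (static {@link #kerberosInit});
 *       the first successful login wins.</li>
 * </ul>
 */
public class SolrAuthzBinding {
    private static final Logger LOG = LoggerFactory.getLogger(SolrAuthzBinding.class);

    /** Hadoop config files picked up from {@code solr.hdfs.confdir} when present. */
    private static final String[] HADOOP_CONF_FILES = {"core-site.xml", "hdfs-site.xml", "mapred-site.xml", "yarn-site.xml", "hadoop-site.xml"};

    public static final String KERBEROS_ENABLED = "solr.hdfs.security.kerberos.enabled";
    public static final String KERBEROS_KEYTAB = "solr.hdfs.security.kerberos.keytabfile";
    public static final String KERBEROS_PRINCIPAL = "solr.hdfs.security.kerberos.principal";

    // Snapshotted once when the class is loaded; an empty string means "not set".
    private static final String kerberosEnabledProp = Strings.nullToEmpty(System.getProperty(KERBEROS_ENABLED)).trim();
    private static final String keytabProp = Strings.nullToEmpty(System.getProperty(KERBEROS_KEYTAB)).trim();
    private static final String principalProp = Strings.nullToEmpty(System.getProperty(KERBEROS_PRINCIPAL)).trim();

    private static final String HADOOP_CONF_DIR_PROP = "solr.hdfs.confdir";
    private static final String HADOOP_SECURITY_AUTHENTICATION = "hadoop.security.authentication";
    private static final String KERBEROS = "kerberos";
    private static final String SEARCH_CLUSTER_PROP = "sentry.search.cluster";
    private static final String DEFAULT_SEARCH_CLUSTER = "cluster1";
    private static final String COMPONENT_SOLR = "solr";
    /** Legacy backend class name that is transparently mapped to {@link SentryGenericProviderBackend}. */
    private static final String LEGACY_SEARCH_BACKEND =
            "org.apache.sentry.provider.db.generic.service.thrift.SearchProviderBackend";

    /** Non-null once a keytab login has succeeded in this JVM; guarded by the class lock. */
    private static Boolean kerberosInit;

    private final SolrAuthzConf authzConf;
    /** Set as a side effect of {@link #getAuthProvider()}; null until then. */
    private ProviderBackend providerBackend;
    private final AuthorizationProvider authProvider;
    private final GroupMappingService groupMapping;
    /** The Solr process's own identity, used as the requestor for privilege drops. */
    private final Subject bindingSubject;

    /**
     * Builds the binding: merges Hadoop config from {@code solr.hdfs.confdir},
     * performs the Kerberos login if enabled, and instantiates the configured
     * backend, policy engine and authorization provider.
     *
     * @param solrAuthzConf the Sentry/Solr authz configuration (mutated in place:
     *                      Hadoop resources and {@code USE_NEW_GROUPS} may be added)
     * @throws Exception on any configuration, reflection, login or I/O failure
     */
    public SolrAuthzBinding(SolrAuthzConf solrAuthzConf) throws Exception {
        // Order matters: everything below reads this.authzConf, so it is assigned
        // first. (Initialising these as field initializers would run them before
        // the constructor body and dereference a null authzConf.)
        this.authzConf = addHdfsPropsToConf(solrAuthzConf);
        this.authProvider = getAuthProvider();
        this.groupMapping = this.authProvider.getGroupMapping();
        this.bindingSubject = new Subject(UserGroupInformation.getCurrentUser().getShortUserName());
    }

    /**
     * Reflectively instantiates {@code className} via its constructor matching
     * {@code paramTypes}. The constructor is made accessible because provider
     * implementations are not guaranteed to expose a public one.
     *
     * <p>{@code className} comes from trusted deployment configuration; this is
     * a plugin-loading point, not a place to pass user-controlled strings.
     */
    private static Object newInstance(String className, Class<?>[] paramTypes, Object... args) throws Exception {
        Constructor<?> ctor = Class.forName(className).getDeclaredConstructor(paramTypes);
        ctor.setAccessible(true);
        return ctor.newInstance(args);
    }

    /**
     * Creates the provider backend, policy engine and authorization provider
     * named in the configuration, logging in via Kerberos first when
     * {@code solr.hdfs.security.kerberos.enabled} is {@code true}.
     * Also assigns {@link #providerBackend}.
     */
    private AuthorizationProvider getAuthProvider() throws Exception {
        String providerName = this.authzConf.get(SolrAuthzConf.AuthzConfVars.AUTHZ_PROVIDER.getVar());
        String resourceName = this.authzConf.get(SolrAuthzConf.AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar());
        String backendName = this.authzConf.get(SolrAuthzConf.AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar());
        String policyEngineName = this.authzConf.get(SolrAuthzConf.AuthzConfVars.AUTHZ_POLICY_ENGINE.getVar());
        String serviceName = this.authzConf.get(SEARCH_CLUSTER_PROP, DEFAULT_SEARCH_CLUSTER);
        LOG.debug("Using authorization provider {} with resource {}, policy engine {}, provider backend {}",
                providerName, resourceName, policyEngineName, backendName);

        if (kerberosEnabledProp.equalsIgnoreCase("true")) {
            initKerberos(keytabProp, principalProp);
        } else {
            UserGroupInformation.setConfiguration(this.authzConf);
        }

        if (LEGACY_SEARCH_BACKEND.equals(backendName)) {
            backendName = SentryGenericProviderBackend.class.getName();
        }
        this.providerBackend = (ProviderBackend) newInstance(backendName,
                new Class<?>[] {Configuration.class, String.class}, this.authzConf, resourceName);
        if (this.providerBackend instanceof SentryGenericProviderBackend) {
            SentryGenericProviderBackend generic = (SentryGenericProviderBackend) this.providerBackend;
            generic.setComponentType(COMPONENT_SOLR);
            generic.setServiceName(serviceName);
        }

        PolicyEngine policyEngine = (PolicyEngine) newInstance(policyEngineName,
                new Class<?>[] {ProviderBackend.class}, this.providerBackend);

        // USE_NEW_GROUPS defaults to true here unless the deployment set it explicitly.
        if (this.authzConf.get(HadoopGroupResourceAuthorizationProvider.USE_NEW_GROUPS) == null) {
            this.authzConf.setBoolean(HadoopGroupResourceAuthorizationProvider.USE_NEW_GROUPS, true);
        }
        return (AuthorizationProvider) newInstance(providerName,
                new Class<?>[] {Configuration.class, String.class, PolicyEngine.class},
                this.authzConf, resourceName, policyEngine);
    }

    /**
     * Checks that {@code subject} holds all of {@code actions} on {@code collection}.
     *
     * @throws SentrySolrAuthorizationException if access is not granted (default deny:
     *         anything short of a positive answer from the provider is a failure)
     */
    public void authorizeCollection(Subject subject, Collection collection, Set<SearchModelAction> actions)
            throws SentrySolrAuthorizationException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Going to authorize collection {} for subject {}", collection.getName(), subject.getName());
            LOG.debug("Actions: {}", actions);
        }
        if (!this.authProvider.hasAccess(subject, Arrays.asList(collection), actions, ActiveRoleSet.ALL)) {
            throw new SentrySolrAuthorizationException(
                    "User " + subject.getName() + " does not have privileges for " + collection.getName());
        }
    }

    /**
     * Resolves the groups of {@code user} through the provider's group mapping.
     *
     * @deprecated retained for existing callers; group resolution belongs to the provider.
     */
    @Deprecated
    public Set<String> getGroups(String user) {
        return this.groupMapping.getGroups(user);
    }

    /** Returns the roles granted to any of {@code user}'s groups. */
    public Set<String> getRoles(String user) {
        return this.providerBackend.getRoles(getGroups(user), ActiveRoleSet.ALL);
    }

    /**
     * Adds any of {@link #HADOOP_CONF_FILES} found under the {@code solr.hdfs.confdir}
     * system property as resources of {@code solrAuthzConf}. A no-op when the
     * property is unset or empty.
     *
     * @throws IOException if the directory is missing, not a directory, or unreadable
     */
    private SolrAuthzConf addHdfsPropsToConf(SolrAuthzConf solrAuthzConf) throws IOException {
        String confDir = System.getProperty(HADOOP_CONF_DIR_PROP);
        if (confDir == null || confDir.isEmpty()) {
            return solrAuthzConf;
        }
        File dir = new File(confDir);
        if (!dir.exists()) {
            throw new IOException("Resource directory does not exist: " + dir.getAbsolutePath());
        }
        if (!dir.isDirectory()) {
            throw new IOException("Specified resource directory is not a directory: " + dir.getAbsolutePath());
        }
        if (!dir.canRead()) {
            throw new IOException("Resource directory must be readable by the Solr process: " + dir.getAbsolutePath());
        }
        for (String fileName : HADOOP_CONF_FILES) {
            if (new File(dir, fileName).exists()) {
                solrAuthzConf.addResource(new Path(confDir, fileName));
            }
        }
        return solrAuthzConf;
    }

    /**
     * Logs the process in from a keytab, once per JVM.
     *
     * <p>The login is recorded in {@link #kerberosInit} only after it succeeds:
     * a failed login must not make later bindings skip the login and carry on
     * without a Kerberos identity.
     *
     * @param keytabFile path to the keytab (the path, not its contents, is logged)
     * @param principal  the Kerberos principal to log in as
     * @throws IllegalArgumentException if either argument is blank, or if the
     *         configuration pins {@code hadoop.security.authentication} to a
     *         value other than {@code kerberos}
     * @throws RuntimeException wrapping the {@link IOException} from a failed login
     */
    public void initKerberos(String keytabFile, String principal) {
        if (keytabFile == null || keytabFile.isEmpty()) {
            throw new IllegalArgumentException("keytabFile required because kerberos is enabled");
        }
        if (principal == null || principal.isEmpty()) {
            throw new IllegalArgumentException("principal required because kerberos is enabled");
        }
        synchronized (SolrAuthzBinding.class) {
            if (kerberosInit != null) {
                return; // already logged in; UGI login state is process-wide
            }
            String authVal = this.authzConf.get(HADOOP_SECURITY_AUTHENTICATION);
            if (authVal != null && !authVal.equals(KERBEROS)) {
                throw new IllegalArgumentException("hadoop.security.authentication set to: " + authVal
                        + ", not kerberos, but attempting to  connect to HDFS via kerberos");
            }
            Configuration conf = new Configuration(this.authzConf);
            conf.set(HADOOP_SECURITY_AUTHENTICATION, KERBEROS);
            UserGroupInformation.setConfiguration(conf);
            LOG.info("Attempting to acquire kerberos ticket with keytab: {}, principal: {} ", keytabFile, principal);
            try {
                UserGroupInformation.loginUserFromKeytab(principal, keytabFile);
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
            LOG.info("Got Kerberos ticket");
            kerberosInit = Boolean.TRUE;
        }
    }

    /** True when privileges live in the Sentry service and can be synchronised from here. */
    public boolean isSyncEnabled() {
        return this.providerBackend instanceof SentryGenericProviderBackend;
    }

    /** Opens a new client to the Sentry generic service; the caller must close it. */
    public SentryGenericServiceClient getClient() throws Exception {
        return SentryGenericServiceClientFactory.create(this.authzConf);
    }

    /**
     * Drops every privilege ({@code action="*"}) on {@code collectionName} from the
     * Sentry service. No-op unless {@link #isSyncEnabled()}.
     *
     * <p>The request is made as the binding's own process identity
     * ({@link #bindingSubject}), not as the end user. This method performs no
     * authorization check of its own, so callers must have already verified
     * that the requesting user may delete the collection.
     *
     * @throws SentrySolrAuthorizationException if the client cannot be obtained
     *         or the service refuses or fails the drop (the underlying exception
     *         is attached as the cause)
     */
    public void deleteCollectionPrivilege(String collectionName) throws SentrySolrAuthorizationException {
        if (!isSyncEnabled()) {
            return;
        }
        SentryGenericServiceClient client;
        try {
            client = getClient();
        } catch (Exception e) {
            SentrySolrAuthorizationException ex =
                    new SentrySolrAuthorizationException("Unable to obtain client:" + e.getMessage());
            ex.initCause(e);
            throw ex;
        }
        try {
            TSentryPrivilege privilege = new TSentryPrivilege();
            privilege.setComponent(COMPONENT_SOLR);
            privilege.setServiceName(this.authzConf.get(SEARCH_CLUSTER_PROP, DEFAULT_SEARCH_CLUSTER));
            privilege.setAction("*");
            privilege.setGrantOption(TSentryGrantOption.UNSET);
            privilege.setAuthorizables(Lists.newArrayList(new TAuthorizable[] {
                    new TAuthorizable(SearchModelAuthorizable.AuthorizableType.Collection.name(), collectionName)}));
            client.dropPrivilege(this.bindingSubject.getName(), COMPONENT_SOLR, privilege);
        } catch (SentryUserException e) {
            SentrySolrAuthorizationException ex = new SentrySolrAuthorizationException(
                    "User " + this.bindingSubject.getName() + " can't delete privileges for collection " + collectionName);
            ex.initCause(e);
            throw ex;
        } catch (Exception e) {
            // Keep the checked contract callers rely on, but do not mislabel this as a client failure.
            SentrySolrAuthorizationException ex = new SentrySolrAuthorizationException(
                    "Unable to delete privileges for collection " + collectionName + ": " + e.getMessage());
            ex.initCause(e);
            throw ex;
        } finally {
            if (client != null) {
                client.close();
            }
        }
    }
}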
