package org.apache.sentry.hdfs;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableList;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.hadoop.conf.Configurable;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.UnresolvedLinkException;
import org.apache.hadoop.fs.permission.AclEntry;
import org.apache.hadoop.fs.permission.AclEntryScope;
import org.apache.hadoop.fs.permission.AclEntryType;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.hdfs.server.namenode.AclFeature;
import org.apache.hadoop.hdfs.server.namenode.AuthorizationProvider;
import org.apache.hadoop.security.AccessControlException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sentry/hdfs/SentryAuthorizationProvider.class */
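/**
 * HDFS NameNode {@link AuthorizationProvider} that substitutes Sentry-derived owner, group,
 * permission bits and ACL entries on the read side for paths Sentry manages, and forwards
 * every other call to the provider returned by {@link AuthorizationProvider#get()}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link #checkPermission} is forwarded unchanged; this class does not evaluate access
 *       itself, it only changes what the getters report.</li>
 *   <li>Setters on a Sentry-managed path still write to the underlying HDFS metadata and log a
 *       warning. The stored value is hidden while the path is managed and is reported again
 *       by the getters whenever the path is not managed.</li>
 *   <li>While the Sentry authorization data is stale, {@link #getAclFeature} leaves out the
 *       Sentry-supplied ACL entries and keeps only the owner/group base entries.</li>
 * </ul>
 */
public class SentryAuthorizationProvider extends AuthorizationProvider implements Configurable {
    private static final Logger LOG = LoggerFactory.getLogger(SentryAuthorizationProvider.class);
    private static final String WARN_VISIBILITY = " The result won't be visible when the path is managed by Sentry";
    private static final String[] EMPTY_STRING_ARRAY = new String[0];

    private boolean started;
    private Configuration conf;
    // Provider that holds the real HDFS metadata; null until start() and again after stop().
    private AuthorizationProvider defaultAuthzProvider;
    // Owner, group and mode reported for every Sentry-managed path (read from configuration).
    private String user;
    private String group;
    private FsPermission permission;
    // When true, the base ACL entries come from the HDFS owner/group/mode instead of the above.
    private boolean originalAuthzAsAcl;
    private SentryAuthorizationInfo authzInfo;

    /**
     * ACL feature intended to carry the merged Sentry ACL entries.
     *
     * <p>In this build the constructor throws unconditionally, so every code path that
     * constructs one (the authz-object branch of {@link #getAclFeature}) ends in a
     * {@link RuntimeException} instead of returning ACLs.
     */
    static class SentryAclFeature extends AclFeature {
        public SentryAclFeature(ImmutableList<AclEntry> immutableList) {
            super((int[]) null);
            throw new RuntimeException("HDFS ACL plugin is not supported by this distribution");
        }
    }

    /** Creates a provider whose {@link SentryAuthorizationInfo} is built in {@link #start()}. */
    public SentryAuthorizationProvider() {
        this(null);
    }

    /**
     * Creates a provider that uses the supplied authorization info instead of building one.
     *
     * @param sentryAuthorizationInfo info to use, or {@code null} to create it in {@link #start()}
     */
    @VisibleForTesting
    SentryAuthorizationProvider(SentryAuthorizationInfo sentryAuthorizationInfo) {
        this.authzInfo = sentryAuthorizationInfo;
    }

    /** Stores the configuration read by {@link #start()}. */
    public void setConf(Configuration configuration) {
        this.conf = configuration;
    }

    /** Returns the configuration passed to {@link #setConf}. */
    public Configuration getConf() {
        return this.conf;
    }

    /**
     * Starts the default provider, loads the Sentry settings and starts the authorization info.
     *
     * @throws IllegalStateException if the provider was already started
     * @throws RuntimeException if HDFS ACLs are disabled or any initialisation step fails
     *     (the failure is wrapped as the cause)
     */
    @Override
    public synchronized void start() {
        if (this.started) {
            throw new IllegalStateException("Provider already started");
        }
        // The flag is raised before initialisation, so a failed start() leaves the provider
        // marked as started and a second start() is rejected.
        this.started = true;
        try {
            if (!this.conf.getBoolean("dfs.namenode.acls.enabled", false)) {
                throw new RuntimeException("HDFS ACLs must be enabled");
            }
            this.defaultAuthzProvider = AuthorizationProvider.get();
            this.defaultAuthzProvider.start();
            Configuration configuration = new Configuration(this.conf);
            configuration.addResource(SentryAuthorizationConstants.CONFIG_FILE);
            this.user = configuration.get(SentryAuthorizationConstants.HDFS_USER_KEY, "hive");
            this.group = configuration.get(SentryAuthorizationConstants.HDFS_GROUP_KEY, "hive");
            // NOTE(review): the configured number is cast straight to the mode bits, and the
            // fallback literal 771L is decimal. Decimal 771 is octal 01403 (sticky bit, r-- for
            // the owner, --- for the group, -wx for others), not octal 0771 (rwxrwx--x).
            // Confirm the intended mode against SentryAuthorizationConstants and check the
            // "hdfs-permission[...]" value logged below on a running NameNode.
            this.permission = FsPermission.createImmutable((short) configuration.getLong(SentryAuthorizationConstants.HDFS_PERMISSION_KEY, 771L));
            this.originalAuthzAsAcl = configuration.getBoolean(SentryAuthorizationConstants.INCLUDE_HDFS_AUTHZ_AS_ACL_KEY, false);
            LOG.info("Starting");
            LOG.info("Config: hdfs-user[{}] hdfs-group[{}] hdfs-permission[{}] include-hdfs-authz-as-acl[{}]", new Object[]{this.user, this.group, this.permission, Boolean.valueOf(this.originalAuthzAsAcl)});
            if (this.authzInfo == null) {
                this.authzInfo = new SentryAuthorizationInfo(configuration);
            }
            this.authzInfo.start();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Stops the authorization info and the default provider.
     *
     * <p>Safe to call when {@link #start()} never completed: missing components are skipped,
     * and the default provider is stopped even if stopping the authorization info throws.
     */
    @Override
    public synchronized void stop() {
        LOG.debug("Stopping");
        try {
            if (this.authzInfo != null) {
                this.authzInfo.stop();
            }
        } finally {
            if (this.defaultAuthzProvider != null) {
                this.defaultAuthzProvider.stop();
                this.defaultAuthzProvider = null;
            }
        }
    }

    /** Forwards to the default provider. */
    @Override
    public void setSnaphottableDirs(Map<AuthorizationProvider.INodeAuthorizationInfo, Integer> map) {
        this.defaultAuthzProvider.setSnaphottableDirs(map);
    }

    /** Forwards to the default provider. */
    @Override
    public void addSnapshottable(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo) {
        this.defaultAuthzProvider.addSnapshottable(iNodeAuthorizationInfo);
    }

    /** Forwards to the default provider. */
    @Override
    public void removeSnapshottable(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo) {
        this.defaultAuthzProvider.removeSnapshottable(iNodeAuthorizationInfo);
    }

    /** Forwards to the default provider. */
    @Override
    public void createSnapshot(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, int i) throws IOException {
        this.defaultAuthzProvider.createSnapshot(iNodeAuthorizationInfo, i);
    }

    /** Forwards to the default provider. */
    @Override
    public void removeSnapshot(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, int i) throws IOException {
        this.defaultAuthzProvider.removeSnapshot(iNodeAuthorizationInfo, i);
    }

    /**
     * Forwards the access check to the default provider with every argument unchanged.
     *
     * <p>No Sentry-specific decision is taken here; any Sentry effect on the outcome comes
     * from the values the getters of this class report.
     */
    @Override
    public void checkPermission(String str, Set<String> set, AuthorizationProvider.INodeAuthorizationInfo[] iNodeAuthorizationInfoArr, int i, boolean z, FsAction fsAction, FsAction fsAction2, FsAction fsAction3, FsAction fsAction4, boolean z2) throws AccessControlException, UnresolvedLinkException {
        this.defaultAuthzProvider.checkPermission(str, set, iNodeAuthorizationInfoArr, i, z, fsAction, fsAction2, fsAction3, fsAction4, z2);
    }

    /** Returns the local names from the top-level ancestor down to the given inode. */
    private String[] getPathElements(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo) {
        return getPathElements(iNodeAuthorizationInfo, 0);
    }

    /**
     * Recursive worker for {@link #getPathElements(AuthorizationProvider.INodeAuthorizationInfo)}.
     *
     * <p>The inode without a parent allocates the array and contributes no element; each
     * descendant writes its own local name on the way back, so the result is ordered
     * top-down.
     *
     * @param depthBelow number of inodes already visited below this one
     */
    private String[] getPathElements(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, int depthBelow) {
        AuthorizationProvider.INodeAuthorizationInfo parent = iNodeAuthorizationInfo.getParent();
        if (parent == null) {
            return depthBelow > 0 ? new String[depthBelow] : EMPTY_STRING_ARRAY;
        }
        String[] elements = getPathElements(parent, depthBelow + 1);
        elements[(elements.length - 1) - depthBelow] = iNodeAuthorizationInfo.getLocalName();
        return elements;
    }

    /** Asks the authorization info whether the path is Sentry-managed. */
    private boolean isSentryManaged(String[] strArr) {
        return this.authzInfo.isSentryManaged(strArr);
    }

    /** Asks the authorization info whether the inode's path is Sentry-managed. */
    private boolean isSentryManaged(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo) {
        return isSentryManaged(getPathElements(iNodeAuthorizationInfo));
    }

    /**
     * Sets the owner in the default provider; on a Sentry-managed path a warning is logged
     * first because {@link #getUser} will keep reporting the configured user.
     */
    @Override
    public void setUser(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, String str) {
        if (isSentryManaged(iNodeAuthorizationInfo)) {
            LOG.warn("### setUser {} (sentry managed path) to {}, update HDFS." + WARN_VISIBILITY, iNodeAuthorizationInfo.getFullPathName(), str);
        }
        this.defaultAuthzProvider.setUser(iNodeAuthorizationInfo, str);
    }

    /** Returns the configured user for a Sentry-managed path, else the default provider's owner. */
    @Override
    public String getUser(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, int i) {
        if (isSentryManaged(iNodeAuthorizationInfo)) {
            return this.user;
        }
        return this.defaultAuthzProvider.getUser(iNodeAuthorizationInfo, i);
    }

    /**
     * Sets the group in the default provider; on a Sentry-managed path a warning is logged
     * first because {@link #getGroup} will keep reporting the configured group.
     */
    @Override
    public void setGroup(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, String str) {
        if (isSentryManaged(iNodeAuthorizationInfo)) {
            LOG.warn("### setGroup {} (sentry managed path) to {}, update HDFS." + WARN_VISIBILITY, iNodeAuthorizationInfo.getFullPathName(), str);
        }
        this.defaultAuthzProvider.setGroup(iNodeAuthorizationInfo, str);
    }

    /** Returns the configured group for a Sentry-managed path, else the default provider's group. */
    @Override
    public String getGroup(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, int i) {
        if (isSentryManaged(iNodeAuthorizationInfo)) {
            return this.group;
        }
        return this.defaultAuthzProvider.getGroup(iNodeAuthorizationInfo, i);
    }

    /**
     * Sets the mode in the default provider; on a Sentry-managed path a warning is logged
     * first because {@link #getFsPermission} will keep reporting the configured mode.
     */
    @Override
    public void setPermission(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, FsPermission fsPermission) {
        if (isSentryManaged(iNodeAuthorizationInfo)) {
            LOG.warn("### setPermission {} (sentry managed path) to {}, update HDFS." + WARN_VISIBILITY, iNodeAuthorizationInfo.getFullPathName(), fsPermission.toString());
        }
        this.defaultAuthzProvider.setPermission(iNodeAuthorizationInfo, fsPermission);
    }

    /**
     * Returns the mode to report for the inode.
     *
     * <p>Unmanaged paths get the default provider's mode. Managed paths get the configured
     * mode; a path that is exactly one of the configured prefixes additionally has the low
     * bit (other-execute) set, presumably so the prefix directory stays traversable.
     */
    @Override
    public FsPermission getFsPermission(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, int i) {
        String[] pathElements = getPathElements(iNodeAuthorizationInfo);
        if (!isSentryManaged(pathElements)) {
            return this.defaultAuthzProvider.getFsPermission(iNodeAuthorizationInfo, i);
        }
        FsPermission managed = this.permission;
        for (String[] prefix : this.authzInfo.getPathPrefixes()) {
            if (Arrays.equals(prefix, pathElements)) {
                return FsPermission.createImmutable((short) (managed.toShort() | 1));
            }
        }
        return managed;
    }

    /**
     * Builds the two base ACCESS-scope entries: a named USER entry with the mode's user
     * action and a named GROUP entry with the mode's group action. The "other" action of
     * the mode is not turned into an entry.
     */
    private List<AclEntry> createAclEntries(String userName, String groupName, FsPermission fsPermission) {
        FsPermission mode = new FsPermission(fsPermission);
        List<AclEntry> entries = new ArrayList<>();
        entries.add(new AclEntry.Builder()
                .setName(userName)
                .setType(AclEntryType.USER)
                .setScope(AclEntryScope.ACCESS)
                .setPermission(mode.getUserAction())
                .build());
        entries.add(new AclEntry.Builder()
                .setName(groupName)
                .setType(AclEntryType.GROUP)
                .setScope(AclEntryScope.ACCESS)
                .setPermission(mode.getGroupAction())
                .build());
        return entries;
    }

    /**
     * Returns the ACL feature to report for the inode.
     *
     * <ul>
     *   <li>Not under a Sentry prefix, or under a prefix but not part of an authz object:
     *       the default provider's ACL feature.</li>
     *   <li>Part of an authz object: base owner/group entries (from HDFS when
     *       {@code originalAuthzAsAcl} is set, otherwise from the configured user, group and
     *       mode) merged with the Sentry ACL entries. When the authorization info is stale
     *       the Sentry entries are left out, so only the base entries remain.</li>
     * </ul>
     *
     * <p>The result variable is typed {@link AclFeature} because two branches return the
     * default provider's feature, which is not a {@code SentryAclFeature}.
     */
    @Override
    public AclFeature getAclFeature(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, int i) {
        String[] pathElements = getPathElements(iNodeAuthorizationInfo);
        boolean isPrefixed;
        boolean isStale = false;
        boolean hasAuthzObj = false;
        Map<String, AclEntry> aclMap = null;
        AclFeature feature;
        if (!this.authzInfo.isUnderPrefix(pathElements)) {
            isPrefixed = false;
            feature = this.defaultAuthzProvider.getAclFeature(iNodeAuthorizationInfo, i);
        } else if (this.authzInfo.doesBelongToAuthzObject(pathElements)) {
            isPrefixed = true;
            hasAuthzObj = true;
            aclMap = new HashMap<>();
            if (this.originalAuthzAsAcl) {
                addToACLMap(aclMap, createAclEntries(this.defaultAuthzProvider.getUser(iNodeAuthorizationInfo, i), getDefaultProviderGroup(iNodeAuthorizationInfo, i), this.defaultAuthzProvider.getFsPermission(iNodeAuthorizationInfo, i)));
            } else {
                addToACLMap(aclMap, createAclEntries(this.user, this.group, this.permission));
            }
            isStale = this.authzInfo.isStale();
            if (!isStale) {
                // Sentry grants are only merged in while the cached data is fresh.
                addToACLMap(aclMap, this.authzInfo.getAclEntries(pathElements));
            }
            feature = new SentryAclFeature(ImmutableList.copyOf(aclMap.values()));
        } else {
            isPrefixed = true;
            feature = this.defaultAuthzProvider.getAclFeature(iNodeAuthorizationInfo, i);
        }
        if (LOG.isDebugEnabled()) {
            // The path string is only built when debug logging is on.
            LOG.debug("### getAclEntry \n[" + Arrays.toString(pathElements) + "] : [isPreifxed=" + isPrefixed + ", isStale=" + isStale + ", hasAuthzObj=" + hasAuthzObj + ", origAuthzAsAcl=" + this.originalAuthzAsAcl + "]\n[" + aclMap + "]\n");
        }
        return feature;
    }

    /**
     * Merges entries into the map, keyed by name + scope + type (a null name counts as "").
     * When the key already exists the permissions of both entries are OR-ed together, so a
     * merge can only widen what an entry grants.
     */
    private void addToACLMap(Map<String, AclEntry> map, Collection<AclEntry> collection) {
        for (AclEntry entry : collection) {
            String name = entry.getName();
            String key = (name == null ? "" : name) + entry.getScope() + entry.getType();
            AclEntry existing = map.get(key);
            if (existing == null) {
                map.put(key, entry);
                continue;
            }
            map.put(key, new AclEntry.Builder()
                    .setName(name)
                    .setScope(entry.getScope())
                    .setType(entry.getType())
                    .setPermission(entry.getPermission().or(existing.getPermission()))
                    .build());
        }
    }

    /**
     * Returns the default provider's group for the inode, falling back to the nearest
     * ancestor that has one; {@code null} if none does.
     */
    private String getDefaultProviderGroup(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, int i) {
        String resolved = this.defaultAuthzProvider.getGroup(iNodeAuthorizationInfo, i);
        AuthorizationProvider.INodeAuthorizationInfo ancestor = iNodeAuthorizationInfo.getParent();
        while (resolved == null && ancestor != null) {
            resolved = this.defaultAuthzProvider.getGroup(ancestor, i);
            ancestor = ancestor.getParent();
        }
        return resolved;
    }

    /**
     * Removes the ACL stored in the default provider if there is one.
     *
     * @param warnIfAbsent whether to log a warning when the inode has no stored ACL
     */
    private void checkAndRemoveHdfsAcl(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, boolean warnIfAbsent) {
        if (this.defaultAuthzProvider.getAclFeature(iNodeAuthorizationInfo, AuthorizationProvider.CURRENT_STATE_ID) != null) {
            this.defaultAuthzProvider.removeAclFeature(iNodeAuthorizationInfo);
        } else if (warnIfAbsent) {
            LOG.warn("### removeAclFeature is requested on {}, but it does not have any acl.", iNodeAuthorizationInfo);
        }
    }

    /**
     * Removes the stored HDFS ACL. On a Sentry-managed path the removal is logged and only
     * attempted when a stored ACL exists; the ACL reported by {@link #getAclFeature} is not
     * affected.
     */
    @Override
    public void removeAclFeature(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo) {
        if (isSentryManaged(iNodeAuthorizationInfo)) {
            LOG.warn("### removeAclFeature {} (sentry managed path), update HDFS." + WARN_VISIBILITY, iNodeAuthorizationInfo.getFullPathName());
            checkAndRemoveHdfsAcl(iNodeAuthorizationInfo, true);
            return;
        }
        this.defaultAuthzProvider.removeAclFeature(iNodeAuthorizationInfo);
    }

    /**
     * Stores the ACL in the default provider. On a Sentry-managed path the call is logged
     * and any previously stored HDFS ACL is removed first; the new ACL is still written to
     * HDFS even though it stays hidden while the path is managed.
     */
    @Override
    public void addAclFeature(AuthorizationProvider.INodeAuthorizationInfo iNodeAuthorizationInfo, AclFeature aclFeature) {
        if (isSentryManaged(iNodeAuthorizationInfo)) {
            LOG.warn("### addAclFeature {} (sentry managed path) {}, update HDFS." + WARN_VISIBILITY, iNodeAuthorizationInfo.getFullPathName(), aclFeature.toString());
            checkAndRemoveHdfsAcl(iNodeAuthorizationInfo, false);
        }
        this.defaultAuthzProvider.addAclFeature(iNodeAuthorizationInfo, aclFeature);
    }
}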
