package org.apache.sentry.service.thrift.shim;

import com.google.common.base.Preconditions;
import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
import org.apache.sentry.service.thrift.GSSCallback;
import org.apache.sentry.service.thrift.ServiceConstants;
import org.apache.sentry.service.thrift.shim.HadoopThriftAuthBridge;
import org.apache.thrift.transport.TSaslServerTransport;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportException;
import org.apache.thrift.transport.TTransportFactory;

/* loaded from: input_file:org/apache/sentry/service/thrift/shim/HadoopThriftAuthBridge20.class */
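/**
 * Kerberos variant of {@link HadoopThriftAuthBridge}: builds the client-side and server-side
 * Thrift transports that authenticate connections with the Kerberos SASL mechanism.
 *
 * <p>This listing appears to be decompiler output, so parameter names ({@code str},
 * {@code str2}, {@code z}) are placeholders. Their roles are documented from how each value
 * is used in the method bodies.
 */
public class HadoopThriftAuthBridge20 extends HadoopThriftAuthBridge {

    /** Client half of the bridge: wraps an existing transport in a Kerberos SASL client transport. */
    public static class Client extends HadoopThriftAuthBridge.Client {
        /**
         * Wraps {@code tTransport} in a SASL client transport that uses the Kerberos mechanism.
         *
         * @param str server principal configuration value, resolved through
         *     {@code SecurityUtil.getServerPrincipal}; must not be null
         * @param str2 host name handed to {@code SecurityUtil.getServerPrincipal} together with
         *     {@code str}
         * @param tTransport underlying transport to wrap
         * @param z forwarded unchanged as the last constructor argument of
         *     {@code UgiSaslClientTransport} (presumably "run under the caller's UGI"; confirm
         *     against that class)
         * @return the SASL client transport wrapping {@code tTransport}
         * @throws NullPointerException if {@code str} is null
         * @throws IllegalArgumentException if the resolved principal does not split into exactly
         *     three parts
         * @throws IOException declared for principal resolution
         */
        @Override
        public TTransport createClientTransport(String str, String str2, TTransport tTransport, boolean z) throws IOException {
            Preconditions.checkNotNull(str, "Unsupported authentication method. Only Kerberos is supported. To use Kerberos please set value of 'sentry.service.security.mode' property to 'kerberos'");
            String serverPrincipal = SecurityUtil.getServerPrincipal(str, str2);
            String[] principalParts = SaslRpcServer.splitKerberosName(serverPrincipal);
            // Exactly three components are required; only the first two are passed on below.
            Preconditions.checkArgument(principalParts.length == 3, "Kerberos principal should have 3 parts: " + serverPrincipal);
            String mechanism = SaslRpcServer.AuthMethod.KERBEROS.getMechanismName();
            // NOTE(review): the negotiated protection level comes from
            // ServiceConstants.ClientConfig.SASL_PROPERTIES, which is not visible here. Confirm it
            // requests at least integrity protection and matches the server-side properties.
            return new SentryPolicyServiceClient.UgiSaslClientTransport(
                    mechanism,
                    null,
                    principalParts[0],
                    principalParts[1],
                    ServiceConstants.ClientConfig.SASL_PROPERTIES,
                    null,
                    tTransport,
                    z);
        }
    }

    /** Server half of the bridge: holds the server identity and builds the SASL transport factory. */
    public static class Server extends HadoopThriftAuthBridge.Server {
        /** Identity the server operates as; assigned exactly once by a constructor. */
        final UserGroupInformation realUgi;

        /**
         * Creates a server bound to whatever user {@code UserGroupInformation.getCurrentUser()}
         * reports. No keytab login is performed on this path.
         *
         * @throws TTransportException wrapping the {@link IOException} if the current user cannot
         *     be determined
         */
        public Server() throws TTransportException {
            try {
                this.realUgi = UserGroupInformation.getCurrentUser();
            } catch (IOException e) {
                throw new TTransportException(e);
            }
        }

        /**
         * Logs in from a keytab and binds the server to the resulting login user.
         *
         * <p>The decompiler reports that this constructor was originally {@code protected}. The
         * visibility shown in the listing is kept here.
         *
         * @param str keytab location, passed to {@code UserGroupInformation.loginUserFromKeytab}
         * @param str2 principal configuration value, resolved against
         *     {@code ServiceConstants.ServerConfig.RPC_ADDRESS_DEFAULT}
         * @throws TTransportException if either argument is null or empty, if the login fails
         *     with an {@link IOException}, or if the login user is not keytab-backed afterwards
         */
        public Server(String str, String str2) throws TTransportException {
            if (str == null || str.isEmpty()) {
                throw new TTransportException("No keytab specified");
            }
            if (str2 == null || str2.isEmpty()) {
                throw new TTransportException("No principal specified");
            }
            try {
                String principal = SecurityUtil.getServerPrincipal(str2, ServiceConstants.ServerConfig.RPC_ADDRESS_DEFAULT);
                UserGroupInformation.loginUserFromKeytab(principal, str);
                this.realUgi = UserGroupInformation.getLoginUser();
            } catch (IOException e) {
                throw new TTransportException(e);
            }
            // The listing expressed this as a Java assertion, which is skipped unless the JVM runs
            // with assertions enabled. The server identity is security-relevant, so enforce it
            // unconditionally and fail through the declared exception type.
            if (!this.realUgi.isFromKeytab()) {
                throw new TTransportException("Login user " + this.realUgi.getUserName() + " is not backed by keytab credentials");
            }
        }

        /**
         * Builds the server transport factory for the Kerberos SASL mechanism, using the
         * components of this server's principal.
         *
         * @param configuration handed to the {@code GSSCallback} registered with the SASL server
         *     definition
         * @return a {@code TUGIAssumingTransportFactory} wrapping the SASL factory together with
         *     {@code realUgi} (presumably so transports are set up under that identity; confirm
         *     in the base class)
         * @throws TTransportException if the server's user name does not split into exactly three
         *     principal parts
         * @throws IOException declared by the overridden method
         */
        @Override
        public TTransportFactory createTransportFactory(Configuration configuration) throws TTransportException, IOException {
            String userName = this.realUgi.getUserName();
            String[] principalParts = SaslRpcServer.splitKerberosName(userName);
            if (principalParts.length != 3) {
                throw new TTransportException("Kerberos principal should have 3 parts: " + userName);
            }
            TSaslServerTransport.Factory saslFactory = new TSaslServerTransport.Factory();
            // NOTE(review): ServiceConstants.ServerConfig.SASL_PROPERTIES decides the accepted
            // protection level and is not visible here. Verify it does not permit
            // authentication-only sessions where integrity or confidentiality is expected.
            saslFactory.addServerDefinition(
                    SaslRpcServer.AuthMethod.KERBEROS.getMechanismName(),
                    principalParts[0],
                    principalParts[1],
                    ServiceConstants.ServerConfig.SASL_PROPERTIES,
                    new GSSCallback(configuration));
            return new HadoopThriftAuthBridge.TUGIAssumingTransportFactory(saslFactory, this.realUgi);
        }
    }

    /** Returns a new Kerberos {@link Client}. */
    @Override
    public Client createClient() {
        return new Client();
    }

    /**
     * Returns a new {@link Server} logged in from the given keytab.
     *
     * @param str keytab location
     * @param str2 principal configuration value
     * @throws TTransportException if the arguments are missing or the keytab login fails
     */
    @Override
    public Server createServer(String str, String str2) throws TTransportException {
        return new Server(str, str2);
    }
}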
