package org.apache.tez.dag.history.ats.acls;

import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.service.Service;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.api.records.timeline.TimelineDomain;
import org.apache.hadoop.yarn.api.records.timeline.TimelineEntity;
import org.apache.hadoop.yarn.client.api.TimelineClient;
import org.apache.tez.common.security.ACLConfigurationParser;
import org.apache.tez.common.security.ACLManager;
import org.apache.tez.common.security.ACLType;
import org.apache.tez.common.security.DAGAccessControls;
import org.apache.tez.common.security.HistoryACLPolicyException;
import org.apache.tez.common.security.HistoryACLPolicyManager;
import org.apache.tez.dag.api.TezUncheckedException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/tez/dag/history/ats/acls/ATSHistoryACLPolicyManager.class */
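/**
 * History ACL policy manager that maps Tez view ACLs onto YARN Timeline domains.
 *
 * <p>Each domain created here lists the merged view ACLs as readers and only the
 * current user as writer. The domain id is handed back to the caller as a
 * configuration key/value pair and can be stamped onto timeline entities with
 * {@link #updateTimelineEntityDomain(Object, String)}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>When a domain id is supplied through configuration, this class neither creates nor
 *       inspects that domain. Who can read the history then depends entirely on how that
 *       domain was set up elsewhere.</li>
 *   <li>When the Timeline Service is disabled there is no client, so no domain is posted
 *       even though a domain id is still returned to the caller.</li>
 * </ul>
 */
public class ATSHistoryACLPolicyManager implements HistoryACLPolicyManager {
    private static final Logger LOG = LoggerFactory.getLogger(ATSHistoryACLPolicyManager.class);

    // Package-private (not private) in the original; left as is so same-package code keeps working.
    TimelineClient timelineClient;
    Configuration conf;
    // Short name of the process user; always a reader and the only writer of created domains.
    String user;

    static final String DOMAIN_ID_PREFIX = "Tez_ATS_";
    private static final String atsHistoryLoggingServiceClassName = "org.apache.tez.dag.history.logging.ats.ATSHistoryLoggingService";

    // Configuration keys read by this class.
    private static final String TIMELINE_SERVICE_ENABLED_KEY = "yarn.timeline-service.enabled";
    private static final String HISTORY_LOGGING_SERVICE_CLASS_KEY = "tez.history.logging.service.class";
    private static final String AM_ACLS_ENABLED_KEY = "tez.am.acls.enabled";
    private static final String DOMAINS_AUTO_CREATE_KEY = "tez.yarn.ats.acl.domains.auto-create";
    private static final String SESSION_DOMAIN_ID_KEY = "tez.yarn.ats.acl.session.domain.id";
    private static final String DAG_DOMAIN_ID_KEY = "tez.yarn.ats.acl.dag.domain.id";

    // ACL entry that stands for "everyone".
    private static final String WILDCARD_ACL = "*";

    /**
     * (Re)creates the timeline client from {@link #conf} and resolves the current user.
     *
     * <p>Any existing client is stopped first. If the Timeline Service is disabled the
     * client stays {@code null}, and domain creation later becomes a no-op.
     *
     * @throws TezUncheckedException if no configuration is set or the current user cannot be resolved
     */
    private void initializeTimelineClient() {
        if (this.conf == null) {
            throw new TezUncheckedException("ATSACLManager not configured");
        }
        if (this.timelineClient != null) {
            this.timelineClient.stop();
            this.timelineClient = null;
        }
        if (this.conf.getBoolean(TIMELINE_SERVICE_ENABLED_KEY, false)) {
            this.timelineClient = TimelineClient.createTimelineClient();
            this.timelineClient.init(this.conf);
            this.timelineClient.start();
        } else if (atsHistoryLoggingServiceClassName.equals(this.conf.get(HISTORY_LOGGING_SERVICE_CLASS_KEY, ""))) {
            // ATS logging was requested but cannot work without the Timeline Service.
            LOG.warn(atsHistoryLoggingServiceClassName
                + " is disabled due to Timeline Service being disabled, "
                + TIMELINE_SERVICE_ENABLED_KEY + " set to false");
        }
        try {
            this.user = UserGroupInformation.getCurrentUser().getShortUserName();
        } catch (IOException e) {
            throw new TezUncheckedException("Unable to get Current User UGI", e);
        }
    }

    /**
     * Builds the reader ACL string for a timeline domain.
     *
     * <p>Users are the current user, the AM view-ACL users and the DAG view-ACL users.
     * Groups are the AM and DAG view-ACL groups.
     *
     * @param parser parsed AM-level ACL configuration
     * @param dagAccessControls DAG-level ACLs, may be {@code null}
     * @return {@code "*"} if any user entry is the wildcard, otherwise the user list and the
     *     group list separated by a single space
     */
    // The parser's generic signatures are not visible in this file, so the maps stay raw
    // and the element casts are unchecked, as in the original.
    @SuppressWarnings({"rawtypes", "unchecked"})
    private String getMergedViewACLs(ACLConfigurationParser parser, DAGAccessControls dagAccessControls) {
        Map amUsers = parser.getAllowedUsers();
        Map amGroups = parser.getAllowedGroups();

        HashSet<String> viewUsers = new HashSet<>();
        viewUsers.add(this.user);
        if (amUsers.containsKey(ACLType.AM_VIEW_ACL)) {
            viewUsers.addAll((Collection<String>) amUsers.get(ACLType.AM_VIEW_ACL));
        }
        if (dagAccessControls != null && dagAccessControls.getUsersWithViewACLs() != null) {
            viewUsers.addAll(dagAccessControls.getUsersWithViewACLs());
        }
        // One wildcard user entry widens the whole reader ACL to "*"; groups are then irrelevant.
        // NOTE(review): with "*" as readers, history in this domain is presumably readable by
        // any authenticated Timeline user. Confirm this is intended for the cluster.
        if (viewUsers.contains(WILDCARD_ACL)) {
            return WILDCARD_ACL;
        }

        HashSet<String> viewGroups = new HashSet<>();
        if (amGroups.containsKey(ACLType.AM_VIEW_ACL)) {
            viewGroups.addAll((Collection<String>) amGroups.get(ACLType.AM_VIEW_ACL));
        }
        if (dagAccessControls != null && dagAccessControls.getGroupsWithViewACLs() != null) {
            viewGroups.addAll(dagAccessControls.getGroupsWithViewACLs());
        }
        return ACLManager.toCommaSeparatedString(viewUsers) + " " + ACLManager.toCommaSeparatedString(viewGroups);
    }

    /**
     * Posts a timeline domain whose readers are the merged view ACLs and whose only writer
     * is the current user.
     *
     * @param domainId id of the domain to create
     * @param tezConf configuration the AM-level ACLs are parsed from
     * @param dagAccessControls DAG-level ACLs, may be {@code null}
     * @return {@code true} if the domain was posted, {@code false} if there is no timeline
     *     client and nothing was sent
     * @throws HistoryACLPolicyException if the timeline client fails to post the domain
     */
    private boolean createTimelineDomain(String domainId, Configuration tezConf, DAGAccessControls dagAccessControls) throws IOException, HistoryACLPolicyException {
        TimelineDomain domain = new TimelineDomain();
        domain.setId(domainId);
        domain.setReaders(getMergedViewACLs(new ACLConfigurationParser(tezConf, false), dagAccessControls));
        domain.setWriters(this.user);
        if (this.timelineClient == null) {
            return false;
        }
        try {
            this.timelineClient.putDomain(domain);
        } catch (Exception e) {
            LOG.warn("Could not post timeline domain", e);
            throw new HistoryACLPolicyException("Fail to create ACL-related domain in Timeline", e);
        }
        return true;
    }

    /**
     * Resolves the session-level domain id, creating the domain when none is configured.
     *
     * @return a single-entry map holding the session domain id, or {@code null} when ACLs are disabled
     * @throws TezUncheckedException if ACLs are disabled but a domain id is configured, or if no
     *     domain id is configured and auto-creation is disabled
     */
    private Map<String, String> createSessionDomain(Configuration configuration, ApplicationId applicationId, DAGAccessControls dAGAccessControls) throws IOException, HistoryACLPolicyException {
        String domainId = configuration.get(SESSION_DOMAIN_ID_KEY);
        if (!configuration.getBoolean(AM_ACLS_ENABLED_KEY, true)) {
            if (domainId != null) {
                // The original message said aclsEnabled=true on this ACLs-disabled path.
                throw new TezUncheckedException("ACLs disabled but DomainId is specified, aclsEnabled=false, domainId=" + domainId);
            }
            return null;
        }
        boolean autoCreate = configuration.getBoolean(DOMAINS_AUTO_CREATE_KEY, true);
        if (domainId != null) {
            // A pre-existing domain is trusted as is; its readers and writers are not checked here.
            LOG.info("Using specified domainId with Timeline, domainId={}", domainId);
        } else {
            if (!autoCreate) {
                throw new TezUncheckedException("Timeline DomainId is not specified and auto-create Domains is disabled");
            }
            domainId = DOMAIN_ID_PREFIX + applicationId.toString();
            if (createTimelineDomain(domainId, configuration, dAGAccessControls)) {
                LOG.info("Created Timeline Domain for History ACLs, domainId={}", domainId);
            } else {
                // Keep the log honest: the id is still returned, but nothing was posted.
                LOG.warn("Timeline client is not available, Timeline Domain for History ACLs was not created, domainId={}", domainId);
            }
        }
        return Collections.singletonMap(SESSION_DOMAIN_ID_KEY, domainId);
    }

    /**
     * Resolves the DAG-level domain id, creating the domain when none is configured.
     *
     * @param str DAG identifier appended to the generated domain id
     * @return a single-entry map holding the DAG domain id, or {@code null} when ACLs are
     *     disabled or when no id is configured and no DAG access controls were given
     * @throws TezUncheckedException if ACLs are disabled but a domain id is configured, or if no
     *     domain id is configured and auto-creation is disabled
     */
    private Map<String, String> createDAGDomain(Configuration configuration, ApplicationId applicationId, String str, DAGAccessControls dAGAccessControls) throws IOException, HistoryACLPolicyException {
        String domainId = configuration.get(DAG_DOMAIN_ID_KEY);
        if (!configuration.getBoolean(AM_ACLS_ENABLED_KEY, true)) {
            if (domainId != null) {
                // The original message said aclsEnabled=true on this ACLs-disabled path.
                throw new TezUncheckedException("ACLs disabled but domainId for DAG is specified, aclsEnabled=false, domainId=" + domainId);
            }
            return null;
        }
        boolean autoCreate = configuration.getBoolean(DOMAINS_AUTO_CREATE_KEY, true);
        if (domainId != null) {
            // A pre-existing domain is trusted as is; its readers and writers are not checked here.
            LOG.info("Using specified domainId with Timeline, domainId={}", domainId);
        } else {
            if (!autoCreate) {
                throw new TezUncheckedException("Timeline DomainId is not specified and auto-create Domains is disabled");
            }
            if (dAGAccessControls == null) {
                // Without DAG-specific ACLs no DAG domain is created and no DAG domain id is returned.
                return null;
            }
            domainId = DOMAIN_ID_PREFIX + applicationId.toString() + "_" + str;
            if (createTimelineDomain(domainId, configuration, dAGAccessControls)) {
                LOG.info("Created Timeline Domain for DAG-specific History ACLs, domainId={}", domainId);
            } else {
                // Keep the log honest: the id is still returned, but nothing was posted.
                LOG.warn("Timeline client is not available, Timeline Domain for DAG-specific History ACLs was not created, domainId={}", domainId);
            }
        }
        return Collections.singletonMap(DAG_DOMAIN_ID_KEY, domainId);
    }

    /**
     * Stores the configuration and (re)initializes the timeline client from it.
     *
     * @throws TezUncheckedException if {@code configuration} is {@code null} or the current
     *     user cannot be resolved
     */
    public void setConf(Configuration configuration) {
        this.conf = configuration;
        initializeTimelineClient();
    }

    /** Returns the configuration last passed to {@link #setConf(Configuration)}. */
    public Configuration getConf() {
        return this.conf;
    }

    /**
     * Sets up the session-level domain using only the AM-level view ACLs.
     *
     * @return a single-entry map holding the session domain id, or {@code null} when ACLs are disabled
     */
    public Map<String, String> setupSessionACLs(Configuration configuration, ApplicationId applicationId) throws IOException, HistoryACLPolicyException {
        return createSessionDomain(configuration, applicationId, null);
    }

    /**
     * Sets up the session-level domain with the DAG's view ACLs merged into the readers.
     *
     * @return a single-entry map holding the session domain id, or {@code null} when ACLs are disabled
     */
    public Map<String, String> setupNonSessionACLs(Configuration configuration, ApplicationId applicationId, DAGAccessControls dAGAccessControls) throws IOException, HistoryACLPolicyException {
        return createSessionDomain(configuration, applicationId, dAGAccessControls);
    }

    /**
     * Sets up a DAG-specific domain.
     *
     * @param str DAG identifier appended to the generated domain id
     * @return a single-entry map holding the DAG domain id, or {@code null} when ACLs are
     *     disabled or when no id is configured and {@code dAGAccessControls} is {@code null}
     */
    public Map<String, String> setupSessionDAGACLs(Configuration configuration, ApplicationId applicationId, String str, DAGAccessControls dAGAccessControls) throws IOException, HistoryACLPolicyException {
        return createDAGDomain(configuration, applicationId, str, dAGAccessControls);
    }

    /**
     * Assigns the given domain id to a timeline entity.
     *
     * @param obj the entity to update; must be a {@link TimelineEntity}
     * @param str the domain id to set
     * @throws UnsupportedOperationException if {@code obj} is {@code null} or not a {@link TimelineEntity}
     */
    public void updateTimelineEntityDomain(Object obj, String str) {
        if (!(obj instanceof TimelineEntity)) {
            // instanceof is false for null, so guard getClass() to keep the documented exception type.
            String typeName = obj == null ? "null" : obj.getClass().getName();
            throw new UnsupportedOperationException("Invalid object provided of type " + typeName);
        }
        ((TimelineEntity) obj).setDomainId(str);
    }

    /** Stops the timeline client if one exists and is in the STARTED state. */
    public void close() {
        if (this.timelineClient != null && this.timelineClient.isInState(Service.STATE.STARTED)) {
            this.timelineClient.stop();
        }
    }
}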
