package org.apache.hadoop.security.authorize;

import com.google.common.annotations.VisibleForTesting;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.util.MachineList;

/* loaded from: input_file:hadoop-client-2.5.1-mapr-1501/share/hadoop/client/lib/hadoop-common-2.5.1-mapr-1501.jar:org/apache/hadoop/security/authorize/DefaultImpersonationProvider.class */
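/**
 * Impersonation (proxy-user) authorization driven by {@code hadoop.proxyuser.*} configuration keys.
 *
 * <p>For a super-user {@code S}, three keys are read:
 * <ul>
 *   <li>{@code hadoop.proxyuser.S.users} and {@code hadoop.proxyuser.S.groups}: who {@code S} may
 *       impersonate (combined into one {@link AccessControlList});</li>
 *   <li>{@code hadoop.proxyuser.S.hosts}: the hosts {@code S} may connect from
 *       (a {@link MachineList}).</li>
 * </ul>
 *
 * <p>Both checks fail closed: a super-user with no ACL entry or no hosts entry is denied with an
 * {@link AuthorizationException}.
 *
 * <p>This class performs no synchronization of its own. NOTE(review): confirm that callers do not
 * invoke {@link #setConf} concurrently with {@link #authorize} on the same instance.
 */
public class DefaultImpersonationProvider implements ImpersonationProvider {
    private static final String CONF_HADOOP_PROXYUSER = "hadoop.proxyuser.";
    private static final String CONF_HADOOP_PROXYUSER_RE = "hadoop\\.proxyuser\\.";
    private static final String CONF_USERS = ".users";
    private static final String CONF_GROUPS = ".groups";
    private static final String CONF_HOSTS = ".hosts";

    // Matches hadoop.proxyuser.<name>.users and hadoop.proxyuser.<name>.groups, where <name>
    // contains no dot. The trailing ")" closes the alternation group; it is spelled as a literal
    // so that the regex does not depend on an unrelated library constant.
    // NOTE(review): confirm whether Configuration.getValByRegex anchors the pattern. If it does a
    // substring search, keys that merely contain this text are picked up as well.
    private static final String CONF_HADOOP_PROXYUSER_RE_USERS_GROUPS =
            CONF_HADOOP_PROXYUSER_RE + "[^.]*(" + Pattern.quote(CONF_USERS) + "|" + Pattern.quote(CONF_GROUPS) + ")";

    // Matches hadoop.proxyuser.<name>.hosts.
    private static final String CONF_HADOOP_PROXYUSER_RE_HOSTS =
            CONF_HADOOP_PROXYUSER_RE + "[^.]*" + Pattern.quote(CONF_HOSTS);

    // Keyed by "hadoop.proxyuser.<name>" (no suffix).
    private Map<String, AccessControlList> proxyUserAcl = new HashMap<String, AccessControlList>();

    // Keyed by the full "hadoop.proxyuser.<name>.hosts" configuration key. Per-instance on purpose:
    // a JVM-wide static map would keep host entries from earlier configurations alive, so deleting
    // a .hosts key and reloading would not revoke access.
    private Map<String, MachineList> proxyHosts = new HashMap<String, MachineList>();

    private Configuration conf;

    /**
     * Loads the proxy-user ACLs and host lists from {@code configuration}.
     *
     * <p>Both tables are rebuilt from scratch on every call, so an entry that has been removed
     * from the configuration is no longer honoured afterwards.
     *
     * @param configuration source of the {@code hadoop.proxyuser.*} keys
     */
    @Override // org.apache.hadoop.conf.Configurable
    public void setConf(Configuration configuration) {
        this.conf = configuration;

        Map<String, AccessControlList> acls = new HashMap<String, AccessControlList>();
        Map<String, String> usersAndGroups = configuration.getValByRegex(CONF_HADOOP_PROXYUSER_RE_USERS_GROUPS);
        for (String key : usersAndGroups.keySet()) {
            String aclKey = getAclKey(key);
            // .users and .groups share one aclKey; build the combined ACL only once.
            if (!acls.containsKey(aclKey)) {
                acls.put(aclKey, new AccessControlList(
                        usersAndGroups.get(aclKey + CONF_USERS), usersAndGroups.get(aclKey + CONF_GROUPS)));
            }
        }

        Map<String, MachineList> hosts = new HashMap<String, MachineList>();
        for (Map.Entry<String, String> entry : configuration.getValByRegex(CONF_HADOOP_PROXYUSER_RE_HOSTS).entrySet()) {
            hosts.put(entry.getKey(), new MachineList(entry.getValue()));
        }

        // Replace the tables only after both have been built.
        this.proxyUserAcl = acls;
        this.proxyHosts = hosts;
    }

    /** @return the configuration last passed to {@link #setConf}, or {@code null} if none */
    @Override // org.apache.hadoop.conf.Configurable
    public Configuration getConf() {
        return this.conf;
    }

    /**
     * Checks whether the real user behind {@code user} may impersonate {@code user} when
     * connecting from {@code remoteAddress}.
     *
     * <p>If {@code user} has no real user, no impersonation is taking place and the call returns
     * without checking anything.
     *
     * @param user the effective (impersonated) user
     * @param remoteAddress address the connection came from, matched against the hosts list
     * @throws AuthorizationException if the real user has no ACL, the ACL does not allow
     *     {@code user}, no hosts list is configured for the real user, or the hosts list does not
     *     include {@code remoteAddress}
     */
    @Override // org.apache.hadoop.security.authorize.ImpersonationProvider
    public void authorize(UserGroupInformation user, String remoteAddress) throws AuthorizationException {
        UserGroupInformation realUser = user.getRealUser();
        if (realUser == null) {
            return;
        }
        String superUser = realUser.getShortUserName();

        AccessControlList acl = this.proxyUserAcl.get(CONF_HADOOP_PROXYUSER + superUser);
        if (acl == null || !acl.isUserAllowed(user)) {
            throw new AuthorizationException("User: " + realUser.getUserName() + " is not allowed to impersonate " + user.getUserName());
        }

        // A missing hosts entry must deny. Without the null check the lookup result would be
        // dereferenced and surface as a NullPointerException, which callers that handle
        // AuthorizationException do not expect.
        MachineList allowedHosts = this.proxyHosts.get(getProxySuperuserIpConfKey(superUser));
        if (allowedHosts == null || !allowedHosts.includes(remoteAddress)) {
            throw new AuthorizationException("Unauthorized connection for super-user: " + realUser.getUserName() + " from IP " + remoteAddress);
        }
    }

    /** Strips the last dot-separated component (".users" / ".groups") from a configuration key. */
    private String getAclKey(String key) {
        int lastDot = key.lastIndexOf(".");
        return lastDot != -1 ? key.substring(0, lastDot) : key;
    }

    /**
     * @param userName short name of the super-user
     * @return the {@code hadoop.proxyuser.<userName>.users} configuration key
     */
    public static String getProxySuperuserUserConfKey(String userName) {
        return CONF_HADOOP_PROXYUSER + userName + CONF_USERS;
    }

    /**
     * @param userName short name of the super-user
     * @return the {@code hadoop.proxyuser.<userName>.groups} configuration key
     */
    public static String getProxySuperuserGroupConfKey(String userName) {
        return CONF_HADOOP_PROXYUSER + userName + CONF_GROUPS;
    }

    /**
     * @param userName short name of the super-user
     * @return the {@code hadoop.proxyuser.<userName>.hosts} configuration key
     */
    public static String getProxySuperuserIpConfKey(String userName) {
        return CONF_HADOOP_PROXYUSER + userName + CONF_HOSTS;
    }

    /**
     * @return a new map from {@code hadoop.proxyuser.<name>.groups} to the groups in that
     *     super-user's ACL
     */
    @VisibleForTesting
    public Map<String, Collection<String>> getProxyGroups() {
        Map<String, Collection<String>> proxyGroups = new HashMap<String, Collection<String>>();
        for (Map.Entry<String, AccessControlList> entry : this.proxyUserAcl.entrySet()) {
            proxyGroups.put(entry.getKey() + CONF_GROUPS, entry.getValue().getGroups());
        }
        return proxyGroups;
    }

    /**
     * @return a new map from {@code hadoop.proxyuser.<name>.hosts} to the entries of that
     *     super-user's hosts list
     */
    @VisibleForTesting
    public Map<String, Collection<String>> getProxyHosts() {
        Map<String, Collection<String>> hostsByKey = new HashMap<String, Collection<String>>();
        for (Map.Entry<String, MachineList> entry : this.proxyHosts.entrySet()) {
            hostsByKey.put(entry.getKey(), entry.getValue().getCollection());
        }
        return hostsByKey;
    }
}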
