package org.apache.hadoop.hbase.security.token;

import com.google.protobuf.RpcCallback;
import com.google.protobuf.RpcController;
import com.google.protobuf.Service;
import java.io.IOException;
import org.apache.hadoop.hbase.Coprocessor;
import org.apache.hadoop.hbase.CoprocessorEnvironment;
import org.apache.hadoop.hbase.classification.InterfaceAudience;
import org.apache.hadoop.hbase.coprocessor.CoprocessorService;
import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
import org.apache.hadoop.hbase.ipc.RpcServer;
import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.protobuf.ResponseConverter;
import org.apache.hadoop.hbase.protobuf.generated.AuthenticationProtos;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hive.org.apache.commons.logging.Log;
import org.apache.hive.org.apache.commons.logging.LogFactory;

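/**
 * Coprocessor endpoint implementing the {@code AuthenticationService} RPC interface:
 * it issues authentication tokens to already-authenticated callers and reports the
 * caller's identity.
 *
 * <p>Token issuance is security sensitive: a token is only generated when a secret
 * manager is available, the RPC has an authenticated request user, and that user's
 * authentication method permits delegation. Every failure is reported through the
 * {@link RpcController}; no token is ever set on a failed response.
 */
@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/hbase/security/token/TokenProvider.class */
public class TokenProvider implements AuthenticationProtos.AuthenticationService.Interface, Coprocessor, CoprocessorService {
    private static final Log LOG = LogFactory.getLog(TokenProvider.class);

    // Remains null unless start() found an AuthenticationTokenSecretManager on the RPC server;
    // getAuthenticationToken() refuses to issue tokens while it is null.
    private AuthenticationTokenSecretManager secretManager;

    /**
     * Captures the RPC server's secret manager when loaded into a region environment.
     *
     * <p>Nothing is stored for other environment types or when the server's secret
     * manager is not an {@link AuthenticationTokenSecretManager}.
     *
     * @param coprocessorEnvironment the environment this coprocessor is being started in
     */
    @Override
    public void start(CoprocessorEnvironment coprocessorEnvironment) {
        if (!(coprocessorEnvironment instanceof RegionCoprocessorEnvironment)) {
            return;
        }
        RegionCoprocessorEnvironment regionEnvironment = (RegionCoprocessorEnvironment) coprocessorEnvironment;
        RpcServer rpcServer = (RpcServer) regionEnvironment.getRegionServerServices().getRpcServer();
        // Named differently from the field so the local no longer shadows this.secretManager.
        SecretManager<? extends TokenIdentifier> serverSecretManager = rpcServer.getSecretManager();
        if (serverSecretManager instanceof AuthenticationTokenSecretManager) {
            this.secretManager = (AuthenticationTokenSecretManager) serverSecretManager;
        }
    }

    /**
     * No-op; this coprocessor holds nothing that needs releasing.
     *
     * @param coprocessorEnvironment the environment this coprocessor is being stopped in
     * @throws IOException never thrown by this implementation
     */
    @Override
    public void stop(CoprocessorEnvironment coprocessorEnvironment) throws IOException {
    }

    /**
     * Decides whether the caller's authentication method permits issuing a token.
     *
     * <p>For a proxy user the decision is based on the real (proxying) user's
     * authentication method. The check fails closed: a proxy user without a real user,
     * or a user without an authentication method, is denied instead of raising a
     * {@link NullPointerException}.
     *
     * @param userGroupInformation the UGI of the request user
     * @return {@code true} only when the effective authentication method allows delegation
     */
    private boolean isAllowedDelegationTokenOp(UserGroupInformation userGroupInformation) {
        UserGroupInformation.AuthenticationMethod authenticationMethod = userGroupInformation.getAuthenticationMethod();
        if (authenticationMethod == UserGroupInformation.AuthenticationMethod.PROXY) {
            UserGroupInformation realUser = userGroupInformation.getRealUser();
            if (realUser == null) {
                return false;
            }
            authenticationMethod = realUser.getAuthenticationMethod();
        }
        // NOTE(review): which methods allowsDelegation() accepts is defined outside this file;
        // the denial message in getAuthenticationToken() says Kerberos only - confirm they agree.
        return authenticationMethod != null && authenticationMethod.allowsDelegation();
    }

    /**
     * Exposes this endpoint as a protobuf service.
     *
     * @return a reflective {@code AuthenticationService} wrapper around this instance
     */
    @Override
    public Service getService() {
        return AuthenticationProtos.AuthenticationService.newReflectiveService(this);
    }

    /**
     * Issues an authentication token for the user making the current RPC.
     *
     * <p>The token is generated for {@code requestUser.getName()}, i.e. the identity the
     * RPC layer reports, never for a name taken from the request message. On any failure
     * the exception is attached to {@code rpcController} and the callback still runs with
     * a response that carries no token.
     *
     * @param rpcController receives the failure, if any
     * @param getAuthenticationTokenRequest the request message (not read by this method)
     * @param rpcCallback invoked exactly once with the built response
     */
    @Override
    public void getAuthenticationToken(RpcController rpcController, AuthenticationProtos.GetAuthenticationTokenRequest getAuthenticationTokenRequest, RpcCallback<AuthenticationProtos.GetAuthenticationTokenResponse> rpcCallback) {
        AuthenticationProtos.GetAuthenticationTokenResponse.Builder response = AuthenticationProtos.GetAuthenticationTokenResponse.newBuilder();
        // All checks live inside the try so that the checked exceptions they raise are
        // delivered to the controller; with an empty try block they would escape a method
        // that declares no checked exceptions.
        try {
            if (this.secretManager == null) {
                throw new IOException("No secret manager configured for token authentication");
            }
            User requestUser = RpcServer.getRequestUser();
            if (requestUser == null) {
                throw new AccessDeniedException("No authenticated user for request!");
            }
            UserGroupInformation userGroupInformation = requestUser.getUGI();
            if (!isAllowedDelegationTokenOp(userGroupInformation)) {
                // Denials are logged with the principal and method so they can be audited.
                LOG.warn("Token generation denied for user=" + requestUser.getName() + ", authMethod=" + userGroupInformation.getAuthenticationMethod());
                throw new AccessDeniedException("Token generation only allowed for Kerberos authenticated clients");
            }
            response.setToken(ProtobufUtil.toToken(this.secretManager.generateToken(requestUser.getName())));
        } catch (IOException e) {
            // AccessDeniedException is presumably an IOException subtype and is handled here too.
            ResponseConverter.setControllerException(rpcController, e);
        }
        rpcCallback.run(response.build());
    }

    /**
     * Reports the identity the server associates with the current RPC.
     *
     * <p>The response carries the caller's short user name and, when available, the name
     * of the authentication method. Both fields stay unset when there is no request user.
     *
     * @param rpcController unused
     * @param whoAmIRequest the request message (not read by this method)
     * @param rpcCallback invoked exactly once with the built response
     */
    @Override
    public void whoAmI(RpcController rpcController, AuthenticationProtos.WhoAmIRequest whoAmIRequest, RpcCallback<AuthenticationProtos.WhoAmIResponse> rpcCallback) {
        User requestUser = RpcServer.getRequestUser();
        AuthenticationProtos.WhoAmIResponse.Builder response = AuthenticationProtos.WhoAmIResponse.newBuilder();
        if (requestUser != null) {
            response.setUsername(requestUser.getShortName());
            UserGroupInformation.AuthenticationMethod authenticationMethod = requestUser.getUGI().getAuthenticationMethod();
            if (authenticationMethod != null) {
                response.setAuthMethod(authenticationMethod.name());
            }
        }
        rpcCallback.run(response.build());
    }
}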
