package org.apache.hadoop.hive.ql.security.authorization;

import com.mapr.db.mapreduce.impl.ClusterTablePath;
import java.io.IOException;
import java.security.AccessControlException;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.login.LoginException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.hive.common.FileUtils;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.HiveMetaStore;
import org.apache.hadoop.hive.metastore.TableType;
import org.apache.hadoop.hive.metastore.Warehouse;
import org.apache.hadoop.hive.metastore.api.Database;
import org.apache.hadoop.hive.metastore.api.MetaException;
import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
import org.apache.hadoop.hive.ql.metadata.Hive;
import org.apache.hadoop.hive.ql.metadata.HiveException;
import org.apache.hadoop.hive.ql.metadata.Partition;
import org.apache.hadoop.hive.ql.metadata.Table;
import org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProviderBase;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/hive-exec-2.3.6-mapr-2110-r3-core.jar:org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider.class */
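/**
 * Authorization provider that decides Hive privileges from the permissions of the
 * underlying storage location.
 *
 * <p>Each requested {@link Privilege} is translated to an {@link FsAction} (see
 * {@link #getFsAction(Privilege)}) and the combined action is checked against the file
 * status of the database, table, partition or warehouse path for the user reported by
 * {@code authenticator.getUserName()}. {@code DROP} is handled separately on the
 * database/table/partition paths: it is stripped from the requested privileges and
 * enforced through {@code FileUtils.checkDeletePermission}.
 *
 * <p>Review notes for operators:
 * <ul>
 *   <li>A request whose privileges map to no filesystem action is allowed without any
 *       check (see {@link #authorize(Path, Privilege[], Privilege[])}).</li>
 *   <li>{@link #authorizeAuthorizationApiInvocation()} is a no-op, so this provider places
 *       no restriction on authorization API calls.</li>
 *   <li>A missing file status is treated as "nothing to validate" by
 *       {@link #checkPermissions(FileSystem, FileStatus, EnumSet, String)}.</li>
 * </ul>
 */
public class StorageBasedAuthorizationProvider extends HiveAuthorizationProviderBase implements HiveMetastoreAuthorizationProvider {
    private Warehouse wh;
    private boolean isRunFromMetaStore = false;
    private static final Logger LOG = LoggerFactory.getLogger(StorageBasedAuthorizationProvider.class);

    /* loaded from: input_file:WEB-INF/lib/hive-exec-2.3.6-mapr-2110-r3-core.jar:org/apache/hadoop/hive/ql/security/authorization/StorageBasedAuthorizationProvider$DropPrivilegeExtractor.class */
    /**
     * Splits {@code DROP} out of the requested read/write privileges.
     *
     * <p>After construction, {@link #hasDropPrivilege()} reports whether either input array
     * contained {@code Privilege.DROP}, and the getters return the arrays with every
     * {@code DROP} entry removed ({@code null} inputs stay {@code null}).
     */
    public class DropPrivilegeExtractor {
        private boolean hasDropPrivilege = false;
        private final Privilege[] readReqPriv;
        private final Privilege[] writeReqPriv;

        /**
         * @param privilegeArr  required read privileges, may be {@code null}
         * @param privilegeArr2 required write privileges, may be {@code null}
         */
        public DropPrivilegeExtractor(Privilege[] privilegeArr, Privilege[] privilegeArr2) {
            this.readReqPriv = extractDropPriv(privilegeArr);
            this.writeReqPriv = extractDropPriv(privilegeArr2);
        }

        /**
         * Returns a copy of {@code privilegeArr} without {@code DROP}, recording in
         * {@code hasDropPrivilege} whether a {@code DROP} entry was seen.
         */
        private Privilege[] extractDropPriv(Privilege[] privilegeArr) {
            if (privilegeArr == null) {
                return null;
            }
            List<Privilege> remaining = new ArrayList<>();
            for (Privilege privilege : privilegeArr) {
                if (privilege.equals(Privilege.DROP)) {
                    this.hasDropPrivilege = true;
                } else {
                    remaining.add(privilege);
                }
            }
            return remaining.toArray(new Privilege[0]);
        }

        /** @return {@code true} if a {@code DROP} privilege was requested. */
        public boolean hasDropPrivilege() {
            return this.hasDropPrivilege;
        }

        /**
         * Overrides the extracted flag. Setting it to {@code false} makes callers in this
         * class skip the delete-permission check, so use with care.
         */
        public void setHasDropPrivilege(boolean z) {
            this.hasDropPrivilege = z;
        }

        /** @return the read privileges with {@code DROP} removed, or {@code null}. */
        public Privilege[] getReadReqPriv() {
            return this.readReqPriv;
        }

        /** @return the write privileges with {@code DROP} removed, or {@code null}. */
        public Privilege[] getWriteReqPriv() {
            return this.writeReqPriv;
        }
    }

    /**
     * Makes sure {@code wh} and {@code hive_db} are usable before an authorization check.
     *
     * <p>When running inside the metastore the warehouse must already have been supplied by
     * {@link #setMetaStoreHandler}; otherwise it is created from the current configuration,
     * and re-created if the configured warehouse root no longer matches.
     *
     * @throws IllegalStateException if running from the metastore without a warehouse
     */
    private void initWh() throws MetaException, HiveException {
        if (this.wh == null) {
            if (this.isRunFromMetaStore) {
                throw new IllegalStateException("Uninitialized Warehouse from MetastoreHandler");
            }
            this.hive_db = new HiveAuthorizationProviderBase.HiveProxy(Hive.get(getConf(), (Class<?>) StorageBasedAuthorizationProvider.class));
            // The constructor either returns an instance or throws, so no null check is
            // needed after this assignment.
            this.wh = new Warehouse(getConf());
            return;
        }
        if (this.isRunFromMetaStore || !isWarehouseChanged()) {
            return;
        }
        // Client side and the configured warehouse root changed: rebuild both handles.
        this.wh = new Warehouse(getConf());
        this.hive_db = new HiveAuthorizationProviderBase.HiveProxy(Hive.get(getConf(), (Class<?>) StorageBasedAuthorizationProvider.class));
    }

    /**
     * @return {@code true} if the current warehouse root differs from the configured
     *         {@code METASTOREWAREHOUSE} value after {@link #normalize(String)}
     */
    private boolean isWarehouseChanged() throws MetaException {
        String currentRoot = normalize(this.wh.getWhRoot().toString());
        String configuredRoot = normalize(HiveConf.getVar(getConf(), HiveConf.ConfVars.METASTOREWAREHOUSE));
        return !currentRoot.equals(configuredRoot);
    }

    /**
     * Loosely normalizes a warehouse location string for the change comparison in
     * {@link #isWarehouseChanged()}.
     *
     * <p>This is plain substring replacement, not path canonicalization: it does not
     * resolve {@code ..} segments and removes {@code "file:"} wherever it occurs. It must
     * not be relied on to validate or sanitize a path.
     */
    private static String normalize(String str) {
        return str.replace("///", "/").replace("//", "/").replace(ClusterTablePath.WRONGCLUSTERPREFIX, "").replace("file:", "");
    }

    /**
     * Creates an empty {@code HiveProxy}; the {@code configuration} argument is not read here.
     */
    @Override // org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider
    public void init(Configuration configuration) throws HiveException {
        this.hive_db = new HiveAuthorizationProviderBase.HiveProxy();
    }

    /**
     * Authorizes a global (warehouse-level) operation against the warehouse root path.
     *
     * <p>{@code DROP} is not extracted on this path; it is mapped to a write check by
     * {@link #getFsAction(Privilege)}.
     */
    @Override // org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider
    public void authorize(Privilege[] privilegeArr, Privilege[] privilegeArr2) throws HiveException, AuthorizationException {
        try {
            initWh();
            authorize(this.wh.getWhRoot(), privilegeArr, privilegeArr2);
        } catch (MetaException e) {
            throw hiveException(e);
        }
    }

    /**
     * Authorizes an operation on a database against the database location.
     *
     * <p>If {@code DROP} is requested, delete permission on the location is checked first;
     * the remaining privileges are then checked as filesystem actions.
     */
    @Override // org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider
    public void authorize(Database database, Privilege[] privilegeArr, Privilege[] privilegeArr2) throws HiveException, AuthorizationException {
        Path dbLocation = getDbLocation(database);
        DropPrivilegeExtractor dropPrivilegeExtractor = new DropPrivilegeExtractor(privilegeArr, privilegeArr2);
        Privilege[] readReqPriv = dropPrivilegeExtractor.getReadReqPriv();
        Privilege[] writeReqPriv = dropPrivilegeExtractor.getWriteReqPriv();
        if (dropPrivilegeExtractor.hasDropPrivilege()) {
            checkDeletePermission(dbLocation, getConf(), this.authenticator.getUserName());
        }
        authorize(dbLocation, readReqPriv, writeReqPriv);
    }

    /**
     * Authorizes an operation on a table against the table's data location.
     *
     * <p>When the table has no explicit location URI and the request involves
     * {@code DROP} or {@code CREATE}, the owning database is additionally checked for
     * {@code ALTER_DATA}. The delete-permission check for {@code DROP} is skipped for
     * external tables unless {@code METASTORE_AUTHORIZATION_EXTERNALTABLE_DROP_CHECK} is
     * enabled. A {@code null} data location skips the filesystem-action check.
     */
    @Override // org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider
    public void authorize(Table table, Privilege[] privilegeArr, Privilege[] privilegeArr2) throws HiveException, AuthorizationException {
        try {
            initWh();
            DropPrivilegeExtractor dropPrivilegeExtractor = new DropPrivilegeExtractor(privilegeArr, privilegeArr2);
            Privilege[] readReqPriv = dropPrivilegeExtractor.getReadReqPriv();
            Privilege[] writeReqPriv = dropPrivilegeExtractor.getWriteReqPriv();
            boolean touchesDbDirectory = dropPrivilegeExtractor.hasDropPrivilege()
                    || requireCreatePrivilege(readReqPriv)
                    || requireCreatePrivilege(writeReqPriv);
            if (touchesDbDirectory && !table.isSetLocationUri()) {
                authorize(this.hive_db.getDatabase(table.getDbName()), new Privilege[0], new Privilege[]{Privilege.ALTER_DATA});
            }
            Path dataLocation = table.getDataLocation();
            if (dropPrivilegeExtractor.hasDropPrivilege() && (table.getTableType() != TableType.EXTERNAL_TABLE || getConf().getBoolean(HiveConf.ConfVars.METASTORE_AUTHORIZATION_EXTERNALTABLE_DROP_CHECK.varname, HiveConf.ConfVars.METASTORE_AUTHORIZATION_EXTERNALTABLE_DROP_CHECK.defaultBoolVal))) {
                checkDeletePermission(dataLocation, getConf(), this.authenticator.getUserName());
            }
            if (dataLocation != null) {
                authorize(dataLocation, readReqPriv, writeReqPriv);
            }
        } catch (MetaException e) {
            throw hiveException(e);
        }
    }

    /**
     * @return {@code true} if {@code privilegeArr} is non-null and contains {@code CREATE}
     */
    private boolean requireCreatePrivilege(Privilege[] privilegeArr) {
        if (privilegeArr == null) {
            return false;
        }
        for (Privilege privilege : privilegeArr) {
            if (privilege.equals(Privilege.CREATE)) {
                return true;
            }
        }
        return false;
    }

    /** Authorizes an operation on a partition, using the partition's own table. */
    @Override // org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider
    public void authorize(Partition partition, Privilege[] privilegeArr, Privilege[] privilegeArr2) throws HiveException, AuthorizationException {
        authorize(partition.getTable(), partition, privilegeArr, privilegeArr2);
    }

    /**
     * Authorizes an operation on a partition, falling back to the table when the partition
     * is {@code null} or has no location.
     *
     * <p>In the fallback, a {@code CREATE} request is checked as {@code ALTER_DATA} on the
     * table; any other request is checked on the table with the same privileges.
     *
     * @throws HiveException if {@code DROP} is requested but no partition was supplied, so
     *         the delete-permission check cannot be performed
     */
    private void authorize(Table table, Partition partition, Privilege[] privilegeArr, Privilege[] privilegeArr2) throws HiveException, AuthorizationException {
        DropPrivilegeExtractor dropPrivilegeExtractor = new DropPrivilegeExtractor(privilegeArr, privilegeArr2);
        Privilege[] readReqPriv = dropPrivilegeExtractor.getReadReqPriv();
        Privilege[] writeReqPriv = dropPrivilegeExtractor.getWriteReqPriv();
        if (dropPrivilegeExtractor.hasDropPrivilege()) {
            if (partition == null) {
                // The partition is dereferenced for the DROP check before the null test
                // below. Deny explicitly with a declared exception instead of letting a
                // NullPointerException escape from the authorization path.
                throw hiveException(new IllegalArgumentException("partition is null; cannot check DROP privilege"));
            }
            checkDeletePermission(partition.getDataLocation(), getConf(), this.authenticator.getUserName());
        }
        if (partition != null && partition.getLocation() != null) {
            authorize(partition.getDataLocation(), readReqPriv, writeReqPriv);
        } else if (requireCreatePrivilege(readReqPriv) || requireCreatePrivilege(writeReqPriv)) {
            authorize(table, new Privilege[0], new Privilege[]{Privilege.ALTER_DATA});
        } else {
            authorize(table, readReqPriv, writeReqPriv);
        }
    }

    /**
     * Delegates to {@code FileUtils.checkDeletePermission} and wraps any failure,
     * including a permission denial, in a {@link HiveException}.
     */
    private void checkDeletePermission(Path path, Configuration configuration, String str) throws HiveException {
        try {
            FileUtils.checkDeletePermission(path, configuration, str);
        } catch (Exception e) {
            throw new HiveException(e);
        }
    }

    /**
     * Column-level variant. The column list is ignored: the check is made at partition or
     * table granularity only.
     */
    @Override // org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider
    public void authorize(Table table, Partition partition, List<String> list, Privilege[] privilegeArr, Privilege[] privilegeArr2) throws HiveException, AuthorizationException {
        authorize(table, partition, privilegeArr, privilegeArr2);
    }

    /**
     * Binds this provider to a metastore handler and switches it to metastore mode, in
     * which {@link #initWh()} never rebuilds the warehouse.
     *
     * <p>NOTE(review): dereferences {@code hive_db}, so this presumably requires
     * {@link #init(Configuration)} to have run first; confirm against the caller.
     */
    @Override // org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider
    public void setMetaStoreHandler(HiveMetaStore.HMSHandler hMSHandler) {
        this.hive_db.setHandler(hMSHandler);
        this.wh = hMSHandler.getWh();
        this.isRunFromMetaStore = true;
    }

    /**
     * Maps one Hive privilege to the filesystem action that stands in for it.
     *
     * <p>{@code SELECT} and {@code SHOW_DATABASE} require read; {@code ALTER_DATA},
     * {@code ALTER_METADATA}, {@code CREATE} and {@code DROP} require write; {@code ALL}
     * requires read and write.
     *
     * @throws AuthorizationException for {@code INDEX}, {@code LOCK}, {@code UNKNOWN} and
     *         any privilege not listed, so unmapped privileges are denied
     */
    protected FsAction getFsAction(Privilege privilege) {
        switch (privilege.getPriv()) {
            case ALL:
                return FsAction.READ_WRITE;
            case ALTER_DATA:
                return FsAction.WRITE;
            case ALTER_METADATA:
                return FsAction.WRITE;
            case CREATE:
                return FsAction.WRITE;
            case DROP:
                return FsAction.WRITE;
            case INDEX:
                throw new AuthorizationException("StorageBasedAuthorizationProvider cannot handle INDEX privilege");
            case LOCK:
                throw new AuthorizationException("StorageBasedAuthorizationProvider cannot handle LOCK privilege");
            case SELECT:
                return FsAction.READ;
            case SHOW_DATABASE:
                return FsAction.READ;
            case UNKNOWN:
            default:
                throw new AuthorizationException("Unknown privilege");
        }
    }

    /**
     * Maps an array of privileges to the set of filesystem actions they require.
     *
     * @return an empty set for {@code null} or empty input
     */
    protected EnumSet<FsAction> getFsActions(Privilege[] privilegeArr) {
        EnumSet<FsAction> actions = EnumSet.noneOf(FsAction.class);
        if (privilegeArr == null) {
            return actions;
        }
        for (Privilege privilege : privilegeArr) {
            actions.add(getFsAction(privilege));
        }
        return actions;
    }

    /**
     * Checks the union of the read and write privileges, as filesystem actions, on
     * {@code path}.
     *
     * <p>If the privileges map to no action at all, the call returns without consulting
     * the filesystem, i.e. the request is allowed.
     *
     * @throws AuthorizationException on an access-control or login failure
     * @throws HiveException on an I/O failure
     */
    @Override // org.apache.hadoop.hive.ql.security.authorization.HiveAuthorizationProvider
    public void authorize(Path path, Privilege[] privilegeArr, Privilege[] privilegeArr2) throws HiveException, AuthorizationException {
        try {
            EnumSet<FsAction> fsActions = getFsActions(privilegeArr);
            fsActions.addAll(getFsActions(privilegeArr2));
            if (!fsActions.isEmpty()) {
                checkPermissions(getConf(), path, fsActions);
            }
        } catch (IOException e) {
            throw hiveException(e);
        } catch (AccessControlException | LoginException e) {
            throw authorizationException(e);
        }
    }

    /**
     * Checks {@code enumSet} on {@code path}, or on its nearest existing ancestor when the
     * path itself does not exist.
     *
     * <p>NOTE(review): if neither the path nor any ancestor yields a file status, the
     * status passed on is {@code null} and the static overload returns without checking,
     * so the request is allowed. A path without a parent that has no status is not
     * checked either. Confirm this is acceptable for the filesystems in use.
     *
     * @throws IllegalArgumentException if {@code path} is {@code null}
     */
    protected void checkPermissions(Configuration configuration, Path path, EnumSet<FsAction> enumSet) throws IOException, LoginException, HiveException {
        if (path == null) {
            throw new IllegalArgumentException("path is null");
        }
        FileSystem fileSystem = path.getFileSystem(configuration);
        FileStatus pathStatus = FileUtils.getFileStatusOrNull(fileSystem, path);
        if (pathStatus != null) {
            checkPermissions(fileSystem, pathStatus, enumSet, this.authenticator.getUserName());
            return;
        }
        if (path.getParent() == null) {
            return;
        }
        // Walk upwards until an ancestor with a file status is found.
        FileStatus ancestorStatus = null;
        Path ancestor = path.getParent();
        while (ancestor != null && ancestorStatus == null) {
            ancestorStatus = FileUtils.getFileStatusOrNull(fileSystem, ancestor);
            ancestor = ancestor.getParent();
        }
        checkPermissions(fileSystem, ancestorStatus, enumSet, this.authenticator.getUserName());
    }

    /**
     * Checks that user {@code str} may perform all actions in {@code enumSet} on
     * {@code fileStatus}, via {@code FileUtils.checkFileAccessWithImpersonation}.
     *
     * <p>A {@code null} status returns immediately without any check. A failure whose
     * class name is {@code org.apache.hadoop.fs.permission.AccessControlException} is
     * rethrown as {@link AccessControlException}; every other failure, including other
     * access-control exception types, is wrapped in a {@link HiveException}.
     */
    protected static void checkPermissions(FileSystem fileSystem, FileStatus fileStatus, EnumSet<FsAction> enumSet, String str) throws IOException, AccessControlException, HiveException {
        if (fileStatus == null) {
            return;
        }
        // Fold the individual actions into the single combined action to be checked.
        FsAction combined = FsAction.NONE;
        for (FsAction action : enumSet) {
            combined = combined.or(action);
        }
        try {
            FileUtils.checkFileAccessWithImpersonation(fileSystem, fileStatus, combined, str);
        } catch (Exception e) {
            // The exception type is matched by name rather than by class reference.
            if (e.getClass().getName().equals("org.apache.hadoop.fs.permission.AccessControlException")) {
                throw accessControlException(e);
            }
            throw new HiveException(e);
        }
    }

    /**
     * Resolves the storage location of a database: the warehouse default path when the
     * database has no location URI, otherwise the DNS-qualified database path.
     */
    protected Path getDbLocation(Database database) throws HiveException {
        try {
            initWh();
            if (database.getLocationUri() == null) {
                return this.wh.getDefaultDatabasePath(database.getName());
            }
            return this.wh.getDnsPath(this.wh.getDatabasePath(database));
        } catch (MetaException e) {
            throw hiveException(e);
        }
    }

    /** Wraps {@code exc} in a {@link HiveException}, keeping it as the cause. */
    private HiveException hiveException(Exception exc) {
        return new HiveException(exc);
    }

    /** Wraps {@code exc} in an {@link AuthorizationException}, keeping it as the cause. */
    private AuthorizationException authorizationException(Exception exc) {
        return new AuthorizationException(exc);
    }

    /**
     * Builds a {@link AccessControlException} carrying the message of {@code exc} and
     * {@code exc} itself as the cause.
     */
    private static AccessControlException accessControlException(Exception exc) {
        AccessControlException wrapped = new AccessControlException(exc.getMessage());
        wrapped.initCause(exc);
        return wrapped;
    }

    /**
     * Intentionally empty: this provider performs no check on authorization API calls.
     */
    @Override // org.apache.hadoop.hive.ql.security.authorization.HiveMetastoreAuthorizationProvider
    public void authorizeAuthorizationApiInvocation() throws HiveException, AuthorizationException {
    }
}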
