package org.apache.hadoop.hive.llap.daemon.impl;

import com.google.protobuf.BlockingService;
import com.google.protobuf.ByteString;
import com.google.protobuf.RpcController;
import com.google.protobuf.ServiceException;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.security.PrivilegedAction;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.llap.DaemonId;
import org.apache.hadoop.hive.llap.LlapUtil;
import org.apache.hadoop.hive.llap.daemon.ContainerRunner;
import org.apache.hadoop.hive.llap.daemon.rpc.LlapDaemonProtocolProtos;
import org.apache.hadoop.hive.llap.io.api.LlapIo;
import org.apache.hadoop.hive.llap.io.api.LlapProxy;
import org.apache.hadoop.hive.llap.protocol.LlapManagementProtocolPB;
import org.apache.hadoop.hive.llap.protocol.LlapProtocolBlockingPB;
import org.apache.hadoop.hive.llap.security.LlapDaemonPolicyProvider;
import org.apache.hadoop.hive.llap.security.LlapTokenIdentifier;
import org.apache.hadoop.hive.llap.security.SecretManager;
import org.apache.hadoop.ipc.RPC;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.service.AbstractService;
import org.apache.hive.com.google.common.io.ByteArrayDataOutput;
import org.apache.hive.com.google.common.io.ByteStreams;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hive/llap/daemon/impl/LlapProtocolServerImpl.class */
public class LlapProtocolServerImpl extends AbstractService implements LlapProtocolBlockingPB, LlapManagementProtocolPB {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) LlapProtocolServerImpl.class);
    private final int numHandlers;
    private final ContainerRunner containerRunner;
    private final int srvPort;
    private final int mngPort;
    private RPC.Server server;
    private RPC.Server mngServer;
    private final AtomicReference<InetSocketAddress> srvAddress;
    private final AtomicReference<InetSocketAddress> mngAddress;
    private final SecretManager secretManager;
    private String clusterUser;
    private boolean isRestrictedToClusterUser;
    private final DaemonId daemonId;
    private TokenRequiresSigning isSigningRequiredConfig;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/hive/llap/daemon/impl/LlapProtocolServerImpl$TokenRequiresSigning.class */
    public enum TokenRequiresSigning {
        TRUE,
        FALSE,
        EXCEPT_OWNER
    }

    public LlapProtocolServerImpl(SecretManager secretManager, int i, ContainerRunner containerRunner, AtomicReference<InetSocketAddress> atomicReference, AtomicReference<InetSocketAddress> atomicReference2, int i2, int i3, DaemonId daemonId) {
        super("LlapDaemonProtocolServerImpl");
        this.clusterUser = null;
        this.isRestrictedToClusterUser = false;
        this.isSigningRequiredConfig = TokenRequiresSigning.TRUE;
        this.numHandlers = i;
        this.containerRunner = containerRunner;
        this.secretManager = secretManager;
        this.srvAddress = atomicReference;
        this.srvPort = i2;
        this.mngAddress = atomicReference2;
        this.mngPort = i3;
        this.daemonId = daemonId;
        LOG.info("Creating: " + LlapProtocolServerImpl.class.getSimpleName() + " with port configured to: " + i2);
    }

    @Override // org.apache.hadoop.hive.llap.daemon.rpc.LlapDaemonProtocolProtos.LlapDaemonProtocol.BlockingInterface
    public LlapDaemonProtocolProtos.SubmitWorkResponseProto submitWork(RpcController rpcController, LlapDaemonProtocolProtos.SubmitWorkRequestProto submitWorkRequestProto) throws ServiceException {
        try {
            return this.containerRunner.submitWork(submitWorkRequestProto);
        } catch (IOException e) {
            throw new ServiceException(e);
        }
    }

    @Override // org.apache.hadoop.hive.llap.daemon.rpc.LlapDaemonProtocolProtos.LlapDaemonProtocol.BlockingInterface
    public LlapDaemonProtocolProtos.SourceStateUpdatedResponseProto sourceStateUpdated(RpcController rpcController, LlapDaemonProtocolProtos.SourceStateUpdatedRequestProto sourceStateUpdatedRequestProto) throws ServiceException {
        try {
            return this.containerRunner.sourceStateUpdated(sourceStateUpdatedRequestProto);
        } catch (IOException e) {
            throw new ServiceException(e);
        }
    }

    @Override // org.apache.hadoop.hive.llap.daemon.rpc.LlapDaemonProtocolProtos.LlapDaemonProtocol.BlockingInterface
    public LlapDaemonProtocolProtos.QueryCompleteResponseProto queryComplete(RpcController rpcController, LlapDaemonProtocolProtos.QueryCompleteRequestProto queryCompleteRequestProto) throws ServiceException {
        try {
            return this.containerRunner.queryComplete(queryCompleteRequestProto);
        } catch (IOException e) {
            throw new ServiceException(e);
        }
    }

    @Override // org.apache.hadoop.hive.llap.daemon.rpc.LlapDaemonProtocolProtos.LlapDaemonProtocol.BlockingInterface
    public LlapDaemonProtocolProtos.TerminateFragmentResponseProto terminateFragment(RpcController rpcController, LlapDaemonProtocolProtos.TerminateFragmentRequestProto terminateFragmentRequestProto) throws ServiceException {
        try {
            return this.containerRunner.terminateFragment(terminateFragmentRequestProto);
        } catch (IOException e) {
            throw new ServiceException(e);
        }
    }

    @Override // org.apache.hadoop.hive.llap.daemon.rpc.LlapDaemonProtocolProtos.LlapDaemonProtocol.BlockingInterface
    public LlapDaemonProtocolProtos.UpdateFragmentResponseProto updateFragment(RpcController rpcController, LlapDaemonProtocolProtos.UpdateFragmentRequestProto updateFragmentRequestProto) throws ServiceException {
        try {
            return this.containerRunner.updateFragment(updateFragmentRequestProto);
        } catch (IOException e) {
            throw new ServiceException(e);
        }
    }

    public void serviceStart() {
        final Configuration config = getConfig();
        this.isSigningRequiredConfig = getSigningConfig(config);
        final BlockingService newReflectiveBlockingService = LlapDaemonProtocolProtos.LlapDaemonProtocol.newReflectiveBlockingService(this);
        final BlockingService newReflectiveBlockingService2 = LlapDaemonProtocolProtos.LlapManagementProtocol.newReflectiveBlockingService(this);
        if (!UserGroupInformation.isSecurityEnabled()) {
            startProtocolServers(config, newReflectiveBlockingService, newReflectiveBlockingService2);
            return;
        }
        try {
            this.clusterUser = UserGroupInformation.getCurrentUser().getShortUserName();
            if (isPermissiveManagementAcl(config)) {
                LOG.warn("Management protocol has a '*' ACL.");
                this.isRestrictedToClusterUser = true;
            }
            try {
                LlapUtil.loginWithKerberos(HiveConf.getVar(config, HiveConf.ConfVars.LLAP_KERBEROS_PRINCIPAL), HiveConf.getVar(config, HiveConf.ConfVars.LLAP_KERBEROS_KEYTAB_FILE)).doAs(new PrivilegedAction<Void>() { // from class: org.apache.hadoop.hive.llap.daemon.impl.LlapProtocolServerImpl.1
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedAction
                    public Void run() {
                        LlapProtocolServerImpl.this.startProtocolServers(config, newReflectiveBlockingService, newReflectiveBlockingService2);
                        return null;
                    }
                });
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        } catch (IOException e2) {
            throw new RuntimeException(e2);
        }
    }

    private static TokenRequiresSigning getSigningConfig(Configuration configuration) {
        String lowerCase = HiveConf.getVar(configuration, HiveConf.ConfVars.LLAP_REMOTE_TOKEN_REQUIRES_SIGNING).toLowerCase();
        boolean z = -1;
        switch (lowerCase.hashCode()) {
            case 3569038:
                if (lowerCase.equals("true")) {
                    z = false;
                    break;
                }
                break;
            case 97196323:
                if (lowerCase.equals("false")) {
                    z = 2;
                    break;
                }
                break;
            case 1204168457:
                if (lowerCase.equals("except_llap_owner")) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                return TokenRequiresSigning.TRUE;
            case true:
                return TokenRequiresSigning.EXCEPT_OWNER;
            case true:
                return TokenRequiresSigning.FALSE;
            default:
                throw new RuntimeException("Invalid value for " + HiveConf.ConfVars.LLAP_REMOTE_TOKEN_REQUIRES_SIGNING.varname + ": " + lowerCase);
        }
    }

    private static boolean isPermissiveManagementAcl(Configuration configuration) {
        return HiveConf.getBoolVar(configuration, HiveConf.ConfVars.LLAP_VALIDATE_ACLS) && "*".equals(HiveConf.getVar(configuration, HiveConf.ConfVars.LLAP_MANAGEMENT_ACL)) && "".equals(HiveConf.getVar(configuration, HiveConf.ConfVars.LLAP_MANAGEMENT_ACL_DENY));
    }

    private void startProtocolServers(Configuration configuration, BlockingService blockingService, BlockingService blockingService2) {
        LlapDaemonPolicyProvider llapDaemonPolicyProvider = new LlapDaemonPolicyProvider();
        this.server = LlapUtil.startProtocolServer(this.srvPort, this.numHandlers, this.srvAddress, configuration, blockingService, LlapProtocolBlockingPB.class, this.secretManager, llapDaemonPolicyProvider, HiveConf.ConfVars.LLAP_SECURITY_ACL, HiveConf.ConfVars.LLAP_SECURITY_ACL_DENY);
        this.mngServer = LlapUtil.startProtocolServer(this.mngPort, 2, this.mngAddress, configuration, blockingService2, LlapManagementProtocolPB.class, this.secretManager, llapDaemonPolicyProvider, HiveConf.ConfVars.LLAP_MANAGEMENT_ACL, HiveConf.ConfVars.LLAP_MANAGEMENT_ACL_DENY);
    }

    public void serviceStop() {
        if (this.server != null) {
            this.server.stop();
        }
        if (this.mngServer != null) {
            this.mngServer.stop();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @InterfaceAudience.Private
    public InetSocketAddress getBindAddress() {
        return this.srvAddress.get();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @InterfaceAudience.Private
    public InetSocketAddress getManagementBindAddress() {
        return this.mngAddress.get();
    }

    @Override // org.apache.hadoop.hive.llap.daemon.rpc.LlapDaemonProtocolProtos.LlapManagementProtocol.BlockingInterface
    public LlapDaemonProtocolProtos.GetTokenResponseProto getDelegationToken(RpcController rpcController, LlapDaemonProtocolProtos.GetTokenRequestProto getTokenRequestProto) throws ServiceException {
        if (this.secretManager == null) {
            throw new ServiceException("Operation not supported on unsecure cluster");
        }
        try {
            UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
            Token<LlapTokenIdentifier> createLlapToken = this.secretManager.createLlapToken(getTokenRequestProto.hasAppId() ? getTokenRequestProto.getAppId() : null, null, determineIfSigningIsRequired(currentUser));
            if (this.isRestrictedToClusterUser && !this.clusterUser.equals(currentUser.getShortUserName())) {
                throw new ServiceException("Management protocol ACL is too permissive. The access has been automatically restricted to " + this.clusterUser + "; " + currentUser.getShortUserName() + " is denied access. Please set " + HiveConf.ConfVars.LLAP_VALIDATE_ACLS.varname + " to false, or adjust " + HiveConf.ConfVars.LLAP_MANAGEMENT_ACL.varname + " and " + HiveConf.ConfVars.LLAP_MANAGEMENT_ACL_DENY.varname + " to a more restrictive ACL.");
            }
            ByteArrayDataOutput newDataOutput = ByteStreams.newDataOutput();
            try {
                createLlapToken.write(newDataOutput);
                return LlapDaemonProtocolProtos.GetTokenResponseProto.newBuilder().setToken(ByteString.copyFrom(newDataOutput.toByteArray())).m3316build();
            } catch (IOException e) {
                throw new ServiceException(e);
            }
        } catch (IOException e2) {
            throw new ServiceException(e2);
        }
    }

    @Override // org.apache.hadoop.hive.llap.daemon.rpc.LlapDaemonProtocolProtos.LlapManagementProtocol.BlockingInterface
    public LlapDaemonProtocolProtos.PurgeCacheResponseProto purgeCache(RpcController rpcController, LlapDaemonProtocolProtos.PurgeCacheRequestProto purgeCacheRequestProto) throws ServiceException {
        LlapDaemonProtocolProtos.PurgeCacheResponseProto.Builder newBuilder = LlapDaemonProtocolProtos.PurgeCacheResponseProto.newBuilder();
        LlapIo io2 = LlapProxy.getIo();
        if (io2 != null) {
            newBuilder.setPurgedMemoryBytes(io2.purge());
        } else {
            newBuilder.setPurgedMemoryBytes(0L);
        }
        return newBuilder.m3502build();
    }

    private boolean determineIfSigningIsRequired(UserGroupInformation userGroupInformation) {
        switch (this.isSigningRequiredConfig) {
            case FALSE:
                return false;
            case TRUE:
                return true;
            case EXCEPT_OWNER:
                return !this.clusterUser.equals(userGroupInformation.getShortUserName());
            default:
                throw new AssertionError("Unknown value " + this.isSigningRequiredConfig);
        }
    }
}
