package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;

import com.google.common.collect.ImmutableSet;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.IMetaStoreClient;
import org.apache.hadoop.hive.metastore.api.GetPrincipalsInRoleRequest;
import org.apache.hadoop.hive.metastore.api.GetPrincipalsInRoleResponse;
import org.apache.hadoop.hive.metastore.api.GetRoleGrantsForPrincipalRequest;
import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege;
import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
import org.apache.hadoop.hive.metastore.api.HiveObjectType;
import org.apache.hadoop.hive.metastore.api.MetaException;
import org.apache.hadoop.hive.metastore.api.PrincipalType;
import org.apache.hadoop.hive.metastore.api.PrivilegeBag;
import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo;
import org.apache.hadoop.hive.metastore.api.Role;
import org.apache.hadoop.hive.metastore.api.RolePrincipalGrant;
import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils;
import org.apache.hadoop.hive.ql.security.authorization.plugin.DisallowTransformHook;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessController;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilege;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeInfo;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveRoleGrant;
import org.apache.hadoop.hive.ql.security.authorization.plugin.SettableConfigUpdater;
import org.apache.thrift.TException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

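/**
 * Access controller for the SQL-standard authorization plugin.
 *
 * <p>Implements the grant/revoke, role-management and listing operations of
 * {@link HiveAccessController} by delegating to the metastore client, after checking the
 * session user's <em>current</em> roles. Admin-only operations require the {@code admin}
 * role to be the current role; merely having been granted it is not enough.
 *
 * <p>This listing is decompiler output (see the "loaded from" marker below). Raw collection
 * types, a misplaced try block and one method that the decompiler could not restructure have
 * been repaired here; the repaired spots are commented.
 *
 * <p>Instances keep per-session mutable state ({@code currentUserName}, {@code currentRoles},
 * {@code adminRole}) without synchronization.
 */
@InterfaceAudience.Private
/* loaded from: input_file:WEB-INF/lib/hive-exec-2.1.1-mapr-1912-core.jar:org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAccessController.class */
public class SQLStdHiveAccessController implements HiveAccessController {
    private static final String ALL = "ALL";
    private static final String DEFAULT = "DEFAULT";
    private static final String NONE = "NONE";
    // Name of the built-in administrator role; compared case-insensitively throughout.
    private static final String ADMIN_ROLE_NAME = "admin";
    private final HiveMetastoreClientFactory metastoreClientFactory;
    private final HiveAuthenticationProvider authenticator;
    // User the cached role state below belongs to.
    private String currentUserName;
    // Roles active for this session. Never contains admin unless it was selected via setCurrentRole.
    private List<HiveRoleGrant> currentRoles;
    // The user's admin grant as of the last metastore lookup, or null when there is none.
    private HiveRoleGrant adminRole;
    private final String ADMIN_ONLY_MSG = "User has to belong to ADMIN role and have it as current role, for this action.";
    private final String HAS_ADMIN_PRIV_MSG = "grantor need to have ADMIN OPTION on role being granted and have it as a current role for this action.";
    private final HiveAuthzSessionContext sessionCtx;
    private static final ImmutableSet<String> RESERVED_ROLE_NAMES = ImmutableSet.of(ALL, DEFAULT, NONE);
    public static final Logger LOG = LoggerFactory.getLogger(SQLStdHiveAccessController.class);

    /**
     * Creates a controller bound to one session.
     *
     * @param hiveMetastoreClientFactory source of the metastore client used for every operation
     * @param hiveConf configuration passed to {@code SQLAuthorizationUtils.applyTestSettings}
     * @param hiveAuthenticationProvider supplies the session user name
     * @param hiveAuthzSessionContext session context, stored after test settings are applied
     * @throws HiveAuthzPluginException declared by the plugin contract
     */
    public SQLStdHiveAccessController(HiveMetastoreClientFactory hiveMetastoreClientFactory, HiveConf hiveConf, HiveAuthenticationProvider hiveAuthenticationProvider, HiveAuthzSessionContext hiveAuthzSessionContext) throws HiveAuthzPluginException {
        this.metastoreClientFactory = hiveMetastoreClientFactory;
        this.authenticator = hiveAuthenticationProvider;
        this.sessionCtx = SQLAuthorizationUtils.applyTestSettings(hiveAuthzSessionContext, hiveConf);
        LOG.info("Created SQLStdHiveAccessController for session context : {}", this.sessionCtx);
    }

    /**
     * Loads the user's roles from the metastore the first time, and again whenever the
     * authenticator reports a different user name.
     */
    private void initUserRoles() throws HiveAuthzPluginException {
        String userName = this.authenticator.getUserName();
        // Compare by value. The decompiled code used reference equality (==), so an equal name
        // held in a different String instance looked like a user switch and silently replaced
        // the session's role selection (e.g. undoing SET ROLE NONE) with the full role list.
        boolean sameUser = userName == null ? this.currentUserName == null : userName.equals(this.currentUserName);
        if (sameUser) {
            return;
        }
        this.currentUserName = userName;
        this.currentRoles = getRolesFromMS();
        LOG.info("Current user : {}, Current Roles : {}", this.currentUserName, this.currentRoles);
    }

    /**
     * Fetches every role the current user holds directly or through role-to-role grants.
     *
     * <p>The admin role is kept out of the returned list and remembered in {@code adminRole},
     * so it only becomes active when explicitly selected with {@link #setCurrentRole(String)}.
     *
     * @return the user's non-admin roles as a new mutable list
     * @throws HiveAuthzPluginException if the metastore lookup fails
     */
    private List<HiveRoleGrant> getRolesFromMS() throws HiveAuthzPluginException {
        try {
            List<RolePrincipalGrant> directGrants = getRoleGrants(this.currentUserName, PrincipalType.USER);
            Map<String, HiveRoleGrant> grantsByRole = new HashMap<>();
            getAllRoleAncestors(grantsByRole, directGrants);
            List<HiveRoleGrant> nonAdminRoles = new ArrayList<>(directGrants.size());
            HiveRoleGrant adminGrant = null;
            for (HiveRoleGrant grant : grantsByRole.values()) {
                if (ADMIN_ROLE_NAME.equalsIgnoreCase(grant.getRoleName())) {
                    adminGrant = grant;
                } else {
                    nonAdminRoles.add(grant);
                }
            }
            // Always overwrite the cached admin grant, including with null. Previously it was
            // only ever set, so an admin grant revoked in the metastore (or cached for a
            // previous session user) could still be selected through setCurrentRole("admin").
            this.adminRole = adminGrant;
            return nonAdminRoles;
        } catch (Exception e) {
            throw SQLAuthorizationUtils.getPluginException("Failed to retrieve roles for " + this.currentUserName, e);
        }
    }

    /**
     * Asks the metastore for the roles granted directly to one principal.
     *
     * @param principalName user or role name
     * @param principalType whether {@code principalName} is a user or a role
     * @return the principal's direct role grants
     */
    private List<RolePrincipalGrant> getRoleGrants(String principalName, PrincipalType principalType) throws MetaException, TException, HiveAuthzPluginException {
        GetRoleGrantsForPrincipalRequest request = new GetRoleGrantsForPrincipalRequest(principalName, principalType);
        return this.metastoreClientFactory.getHiveMetastoreClient().get_role_grants_for_principal(request).getPrincipalGrants();
    }

    /**
     * Recursively collects the given grants and all roles those roles are themselves members of.
     *
     * @param collected output map, role name to grant; roles already present are not revisited
     * @param grants grants to start from
     */
    private void getAllRoleAncestors(Map<String, HiveRoleGrant> collected, List<RolePrincipalGrant> grants) throws MetaException, HiveAuthzPluginException, TException {
        for (RolePrincipalGrant grant : grants) {
            String roleName = grant.getRoleName();
            if (collected.get(roleName) != null) {
                continue;
            }
            List<RolePrincipalGrant> parentGrants = getRoleGrants(roleName, PrincipalType.ROLE);
            // Record the role before recursing so a cycle in role grants terminates.
            collected.put(roleName, new HiveRoleGrant(grant));
            getAllRoleAncestors(collected, parentGrants);
        }
    }

    /**
     * Grants privileges on an object after {@code GrantPrivAuthUtils.authorize} accepts the request.
     *
     * @param list principals receiving the privileges
     * @param list2 privileges to grant; {@code ALL} is expanded to every {@code SQLPrivilegeType}
     * @param hivePrivilegeObject object the privileges apply to
     * @param hivePrincipal passed through to the Thrift privilege bag (presumably the grantor; confirm against the interface)
     * @param z passed through to the authorization check and the privilege bag (presumably WITH GRANT OPTION; confirm)
     * @throws HiveAuthzPluginException if validation or the metastore call fails
     * @throws HiveAccessControlException if the authorization check rejects the request
     */
    @Override
    public void grantPrivileges(List<HivePrincipal> list, List<HivePrivilege> list2, HivePrivilegeObject hivePrivilegeObject, HivePrincipal hivePrincipal, boolean z) throws HiveAuthzPluginException, HiveAccessControlException {
        List<HivePrivilege> privileges = expandAndValidatePrivileges(list2);
        IMetaStoreClient metastoreClient = this.metastoreClientFactory.getHiveMetastoreClient();
        // Authorization happens before, and outside, the try block so its exceptions reach the caller unchanged.
        GrantPrivAuthUtils.authorize(list, privileges, hivePrivilegeObject, z, metastoreClient, this.authenticator.getUserName(), getCurrentRoleNames(), isUserAdmin());
        try {
            PrivilegeBag privilegeBag = SQLAuthorizationUtils.getThriftPrivilegesBag(list, privileges, hivePrivilegeObject, hivePrincipal, z);
            metastoreClient.grant_privileges(privilegeBag);
        } catch (Exception e) {
            throw SQLAuthorizationUtils.getPluginException("Error granting privileges", e);
        }
    }

    /**
     * Returns the names of the roles currently active for the session user.
     *
     * @return a new list of role names
     * @throws HiveAuthzPluginException if the roles cannot be loaded
     */
    @Override
    public List<String> getCurrentRoleNames() throws HiveAuthzPluginException {
        List<String> roleNames = new ArrayList<>();
        for (HiveRoleGrant role : getCurrentRoles()) {
            roleNames.add(role.getRoleName());
        }
        return roleNames;
    }

    /** Expands {@code ALL} and then runs {@code SQLAuthorizationUtils.validatePrivileges} on the result. */
    private List<HivePrivilege> expandAndValidatePrivileges(List<HivePrivilege> privileges) throws HiveAuthzPluginException {
        List<HivePrivilege> expanded = expandAllPrivileges(privileges);
        SQLAuthorizationUtils.validatePrivileges(expanded);
        return expanded;
    }

    /**
     * Replaces each {@code ALL} privilege with one privilege per {@code SQLPrivilegeType},
     * keeping its column list, and removes duplicates.
     */
    private List<HivePrivilege> expandAllPrivileges(List<HivePrivilege> privileges) {
        HashSet<HivePrivilege> expanded = new HashSet<>();
        for (HivePrivilege privilege : privileges) {
            if (!privilege.getName().equals(ALL)) {
                expanded.add(privilege);
                continue;
            }
            for (SQLPrivilegeType privilegeType : SQLPrivilegeType.values()) {
                expanded.add(new HivePrivilege(privilegeType.name(), privilege.getColumns()));
            }
        }
        return new ArrayList<>(expanded);
    }

    /**
     * Revokes privileges on an object. The authorization decision and the list of privileges
     * to remove both come from {@code RevokePrivAuthUtils.authorizeAndGetRevokePrivileges}.
     *
     * @param list principals losing the privileges
     * @param list2 privileges to revoke; {@code ALL} is expanded first
     * @param hivePrivilegeObject object the privileges apply to
     * @param hivePrincipal not used by this implementation
     * @param z passed to the authorization helper and to {@code revoke_privileges}
     * @throws HiveAuthzPluginException if validation, authorization or the metastore call fails
     */
    @Override
    public void revokePrivileges(List<HivePrincipal> list, List<HivePrivilege> list2, HivePrivilegeObject hivePrivilegeObject, HivePrincipal hivePrincipal, boolean z) throws HiveAuthzPluginException, HiveAccessControlException {
        List<HivePrivilege> privileges = expandAndValidatePrivileges(list2);
        IMetaStoreClient metastoreClient = this.metastoreClientFactory.getHiveMetastoreClient();
        try {
            // NOTE(review): authorization runs inside the try, so a rejection is re-wrapped by getPluginException.
            PrivilegeBag toRevoke = new PrivilegeBag(RevokePrivAuthUtils.authorizeAndGetRevokePrivileges(list, privileges, hivePrivilegeObject, z, metastoreClient, this.authenticator.getUserName()));
            metastoreClient.revoke_privileges(toRevoke, z);
        } catch (Exception e) {
            throw SQLAuthorizationUtils.getPluginException("Error revoking privileges", e);
        }
    }

    /**
     * Creates a role. Only allowed while admin is the current role.
     *
     * @param str name of the new role; reserved names (ALL, DEFAULT, NONE) are rejected
     * @param hivePrincipal principal recorded with the role, may be {@code null}
     * @throws HiveAccessControlException if admin is not the current role
     * @throws HiveAuthzPluginException if the name is reserved or the metastore call fails
     */
    @Override
    public void createRole(String str, HivePrincipal hivePrincipal) throws HiveAuthzPluginException, HiveAccessControlException {
        if (!isUserAdmin()) {
            throw new HiveAccessControlException("Current user : " + this.currentUserName + " is not allowed to add roles. " + this.ADMIN_ONLY_MSG);
        }
        if (RESERVED_ROLE_NAMES.contains(str.trim().toUpperCase())) {
            throw new HiveAuthzPluginException("Role name cannot be one of the reserved roles: " + RESERVED_ROLE_NAMES);
        }
        try {
            String principalName = hivePrincipal == null ? null : hivePrincipal.getName();
            // The metastore call belongs inside the try: the decompiled listing left it after the
            // handler, so its TException escaped the "Error create role" wrapping.
            this.metastoreClientFactory.getHiveMetastoreClient().create_role(new Role(str, 0, principalName));
        } catch (TException e) {
            throw SQLAuthorizationUtils.getPluginException("Error create role", e);
        }
    }

    /**
     * Drops a role. Only allowed while admin is the current role.
     *
     * @param str name of the role to drop
     * @throws HiveAccessControlException if admin is not the current role
     * @throws HiveAuthzPluginException if the metastore call fails
     */
    @Override
    public void dropRole(String str) throws HiveAuthzPluginException, HiveAccessControlException {
        if (!isUserAdmin()) {
            throw new HiveAccessControlException("Current user : " + this.currentUserName + " is not allowed to drop role. " + this.ADMIN_ONLY_MSG);
        }
        try {
            this.metastoreClientFactory.getHiveMetastoreClient().drop_role(str);
        } catch (Exception e) {
            throw SQLAuthorizationUtils.getPluginException("Error dropping role", e);
        }
    }

    /**
     * Grants each listed role to each listed principal.
     *
     * <p>The caller must either have admin as the current role or hold every role in
     * {@code list2} as a current role with the grant option set.
     *
     * @param list principals receiving the roles
     * @param list2 names of the roles to grant
     * @param z last argument of {@code grant_role}
     * @param hivePrincipal grantor recorded in the metastore
     * @throws HiveAccessControlException if the caller is not allowed to grant these roles
     * @throws HiveAuthzPluginException if a metastore call fails; grants made before the failure are not rolled back here
     */
    @Override
    public void grantRole(List<HivePrincipal> list, List<String> list2, boolean z, HivePrincipal hivePrincipal) throws HiveAuthzPluginException, HiveAccessControlException {
        if (!isUserAdmin() && !doesUserHasAdminOption(list2)) {
            throw new HiveAccessControlException("Current user : " + this.currentUserName + " is not allowed to grant role. " + this.ADMIN_ONLY_MSG + " Otherwise, " + this.HAS_ADMIN_PRIV_MSG);
        }
        for (HivePrincipal grantee : list) {
            for (String roleName : list2) {
                try {
                    this.metastoreClientFactory.getHiveMetastoreClient().grant_role(
                            roleName,
                            grantee.getName(),
                            AuthorizationUtils.getThriftPrincipalType(grantee.getType()),
                            hivePrincipal.getName(),
                            AuthorizationUtils.getThriftPrincipalType(hivePrincipal.getType()),
                            z);
                } catch (MetaException e) {
                    throw SQLAuthorizationUtils.getPluginException("Error granting role", e);
                } catch (Exception e) {
                    throw SQLAuthorizationUtils.getPluginException("Error granting roles for " + grantee.getName() + " to role " + roleName, e);
                }
            }
        }
    }

    /**
     * Revokes each listed role from each listed principal. Subject to the same caller check
     * as {@link #grantRole(List, List, boolean, HivePrincipal)}.
     *
     * @param list principals losing the roles
     * @param list2 names of the roles to revoke
     * @param z last argument of {@code revoke_role}
     * @param hivePrincipal not used by this implementation
     * @throws HiveAccessControlException if the caller is not allowed to revoke these roles
     * @throws HiveAuthzPluginException if a metastore call fails
     */
    @Override
    public void revokeRole(List<HivePrincipal> list, List<String> list2, boolean z, HivePrincipal hivePrincipal) throws HiveAuthzPluginException, HiveAccessControlException {
        if (!isUserAdmin() && !doesUserHasAdminOption(list2)) {
            throw new HiveAccessControlException("Current user : " + this.currentUserName + " is not allowed to revoke role. " + this.ADMIN_ONLY_MSG + " Otherwise, " + this.HAS_ADMIN_PRIV_MSG);
        }
        for (HivePrincipal principal : list) {
            for (String roleName : list2) {
                try {
                    this.metastoreClientFactory.getHiveMetastoreClient().revoke_role(
                            roleName,
                            principal.getName(),
                            AuthorizationUtils.getThriftPrincipalType(principal.getType()),
                            z);
                } catch (Exception e) {
                    throw SQLAuthorizationUtils.getPluginException("Error revoking roles for " + principal.getName() + " to role " + roleName, e);
                }
            }
        }
    }

    /**
     * Lists every role name known to the metastore. Only allowed while admin is the current role.
     *
     * @return all role names
     * @throws HiveAccessControlException if admin is not the current role
     * @throws HiveAuthzPluginException if the metastore call fails
     */
    @Override
    public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException {
        if (!isUserAdmin()) {
            throw new HiveAccessControlException("Current user : " + this.currentUserName + " is not allowed to list roles. " + this.ADMIN_ONLY_MSG);
        }
        try {
            return this.metastoreClientFactory.getHiveMetastoreClient().listRoleNames();
        } catch (Exception e) {
            throw SQLAuthorizationUtils.getPluginException("Error listing all roles", e);
        }
    }

    /**
     * Lists the principals that hold a role. The caller needs admin as the current role, or
     * the role itself as a current role with the grant option.
     *
     * @param str role name
     * @return one grant per principal in the role
     * @throws HiveAccessControlException if the caller may not inspect the role
     * @throws HiveAuthzPluginException if the metastore call fails
     */
    @Override
    public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String str) throws HiveAuthzPluginException, HiveAccessControlException {
        if (!isUserAdmin() && !doesUserHasAdminOption(Arrays.asList(str))) {
            throw new HiveAccessControlException("Current user : " + this.currentUserName + " is not allowed get principals in a role. " + this.ADMIN_ONLY_MSG + " Otherwise, " + this.HAS_ADMIN_PRIV_MSG);
        }
        try {
            return getHiveRoleGrants(this.metastoreClientFactory.getHiveMetastoreClient(), str);
        } catch (Exception e) {
            throw SQLAuthorizationUtils.getPluginException("Error getting principals for all roles", e);
        }
    }

    /**
     * Fetches the principals in a role and converts them to plugin-level grants.
     *
     * <p>Performs no authorization check of its own; callers must do that first.
     *
     * @param iMetaStoreClient metastore client to query
     * @param str role name
     * @return one {@link HiveRoleGrant} per principal grant returned by the metastore
     * @throws Exception whatever the metastore client throws
     */
    public static List<HiveRoleGrant> getHiveRoleGrants(IMetaStoreClient iMetaStoreClient, String str) throws Exception {
        GetPrincipalsInRoleResponse response = iMetaStoreClient.get_principals_in_role(new GetPrincipalsInRoleRequest(str));
        List<HiveRoleGrant> grants = new ArrayList<>();
        for (RolePrincipalGrant principalGrant : response.getPrincipalGrants()) {
            grants.add(new HiveRoleGrant(principalGrant));
        }
        return grants;
    }

    /**
     * Lists privileges, optionally restricted to one principal and/or one object.
     *
     * <p>Without admin as the current role, a principal must be given and it must be the
     * caller or a role the caller belongs to. Entries for object types other than database
     * and table are left out of the result.
     *
     * @param hivePrincipal principal to list for, or {@code null} for all (admin only)
     * @param hivePrivilegeObject object filter handed to {@code getThriftHiveObjectRef}
     * @return the matching privileges
     * @throws HiveAuthzPluginException on any failure, including a rejected access check
     */
    @Override
    public List<HivePrivilegeInfo> showPrivileges(HivePrincipal hivePrincipal, HivePrivilegeObject hivePrivilegeObject) throws HiveAuthzPluginException {
        try {
            // Access-control failures raised here are caught below and routed through
            // getPluginException, because this method declares only HiveAuthzPluginException.
            if (!isUserAdmin()) {
                if (hivePrincipal == null) {
                    throw new HiveAccessControlException("User : " + this.currentUserName + " has to specify a user name or role in the show grant. " + this.ADMIN_ONLY_MSG);
                }
                ensureShowGrantAllowed(hivePrincipal);
            }
            IMetaStoreClient metastoreClient = this.metastoreClientFactory.getHiveMetastoreClient();
            String principalName = hivePrincipal == null ? null : hivePrincipal.getName();
            PrincipalType principalType = hivePrincipal == null ? null : AuthorizationUtils.getThriftPrincipalType(hivePrincipal.getType());
            List<HiveObjectPrivilege> metastorePrivileges = metastoreClient.list_privileges(principalName, principalType, SQLAuthorizationUtils.getThriftHiveObjectRef(hivePrivilegeObject));

            List<HivePrivilegeInfo> result = new ArrayList<>();
            for (HiveObjectPrivilege metastorePrivilege : metastorePrivileges) {
                HivePrincipal grantee = new HivePrincipal(metastorePrivilege.getPrincipalName(), AuthorizationUtils.getHivePrincipalType(metastorePrivilege.getPrincipalType()));
                PrivilegeGrantInfo grantInfo = metastorePrivilege.getGrantInfo();
                HivePrivilege privilege = new HivePrivilege(grantInfo.getPrivilege(), null);
                HiveObjectRef objectRef = metastorePrivilege.getHiveObject();
                if (!isSupportedObjectType(objectRef.getObjectType())) {
                    continue;
                }
                HivePrivilegeObject privilegeObject = new HivePrivilegeObject(getPluginPrivilegeObjType(objectRef.getObjectType()), objectRef.getDbName(), objectRef.getObjectName(), objectRef.getPartValues(), objectRef.getColumnName());
                HivePrincipal grantor = new HivePrincipal(grantInfo.getGrantor(), AuthorizationUtils.getHivePrincipalType(grantInfo.getGrantorType()));
                result.add(new HivePrivilegeInfo(grantee, privilege, privilegeObject, grantor, grantInfo.isGrantOption(), grantInfo.getCreateTime()));
            }
            return result;
        } catch (Exception e) {
            throw SQLAuthorizationUtils.getPluginException("Error showing privileges", e);
        }
    }

    /**
     * Checks that a non-admin caller is asking about itself or about a role it belongs to.
     *
     * @param principal principal whose grants are being requested
     * @throws HiveAccessControlException if the principal is another user or a role the caller is not in
     */
    private void ensureShowGrantAllowed(HivePrincipal principal) throws HiveAccessControlException, HiveAuthzPluginException {
        switch (principal.getType()) {
            case USER:
                // User names are compared case-sensitively, role names (below) case-insensitively.
                if (!principal.getName().equals(this.currentUserName)) {
                    throw new HiveAccessControlException("User : " + this.currentUserName + " is not allowed check privileges of another user : " + principal.getName() + ". " + this.ADMIN_ONLY_MSG);
                }
                return;
            case ROLE:
                if (!userBelongsToRole(principal.getName())) {
                    throw new HiveAccessControlException("User : " + this.currentUserName + " is not allowed check privileges of a role it does not belong to : " + principal.getName() + ". " + this.ADMIN_ONLY_MSG);
                }
                return;
            default:
                throw new AssertionError("Unexpected principal type " + principal.getType());
        }
    }

    /**
     * Tells whether the user holds the named role according to a fresh metastore lookup.
     * The lookup result excludes admin, so this returns {@code false} for the admin role.
     */
    private boolean userBelongsToRole(String roleName) throws HiveAuthzPluginException {
        for (HiveRoleGrant grant : getRolesFromMS()) {
            if (grant.getRoleName().equalsIgnoreCase(roleName)) {
                return true;
            }
        }
        return false;
    }

    /** Maps a metastore object type to the plugin's type; only DATABASE and TABLE are mapped. */
    private HivePrivilegeObject.HivePrivilegeObjectType getPluginPrivilegeObjType(HiveObjectType objectType) {
        switch (objectType) {
            case DATABASE:
                return HivePrivilegeObject.HivePrivilegeObjectType.DATABASE;
            case TABLE:
                return HivePrivilegeObject.HivePrivilegeObjectType.TABLE_OR_VIEW;
            default:
                throw new AssertionError("Unexpected object type " + objectType);
        }
    }

    /** Returns {@code true} for the object types {@link #getPluginPrivilegeObjType} can map. */
    private boolean isSupportedObjectType(HiveObjectType objectType) {
        switch (objectType) {
            case DATABASE:
            case TABLE:
                return true;
            default:
                return false;
        }
    }

    /**
     * Changes the session's active roles.
     *
     * <p>{@code NONE} clears them, {@code ALL} activates every non-admin role the user holds,
     * and any other name activates just that role. Admin can only be activated by name, and
     * only if the metastore lookup found an admin grant for the user.
     *
     * @param str role name, {@code ALL} or {@code NONE} (case-insensitive)
     * @throws HiveAccessControlException if the user does not hold the requested role
     * @throws HiveAuthzPluginException if the roles cannot be loaded
     */
    @Override
    public void setCurrentRole(String str) throws HiveAccessControlException, HiveAuthzPluginException {
        initUserRoles();
        if (NONE.equalsIgnoreCase(str)) {
            this.currentRoles.clear();
            return;
        }
        if (ALL.equalsIgnoreCase(str)) {
            this.currentRoles.clear();
            this.currentRoles.addAll(getRolesFromMS());
            return;
        }
        // Re-read the grants so the decision reflects the metastore now, not session start.
        for (HiveRoleGrant grant : getRolesFromMS()) {
            if (grant.getRoleName().equalsIgnoreCase(str)) {
                this.currentRoles.clear();
                this.currentRoles.add(grant);
                return;
            }
        }
        boolean adminRequested = ADMIN_ROLE_NAME.equalsIgnoreCase(str);
        if (adminRequested && this.adminRole != null) {
            this.currentRoles.clear();
            this.currentRoles.add(this.adminRole);
            return;
        }
        LOG.info("Current user : {}, Current Roles : {}", this.currentUserName, this.currentRoles);
        throw new HiveAccessControlException(this.currentUserName + " doesn't belong to role " + str);
    }

    /** Returns the live list of active roles, loading it first if needed. */
    private List<HiveRoleGrant> getCurrentRoles() throws HiveAuthzPluginException {
        initUserRoles();
        return this.currentRoles;
    }

    /**
     * Tells whether admin is one of the session's current roles.
     *
     * @return {@code true} only if admin is currently active, not merely granted
     * @throws HiveAuthzPluginException if the roles cannot be loaded
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean isUserAdmin() throws HiveAuthzPluginException {
        for (HiveRoleGrant role : getCurrentRoles()) {
            if (role.getRoleName().equalsIgnoreCase(ADMIN_ROLE_NAME)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether every named role is a current role held with the grant option.
     *
     * <p>The decompiler could not restructure this method and emitted a stub that always threw
     * {@link UnsupportedOperationException}, which made every non-admin grantRole, revokeRole
     * and getPrincipalGrantInfoForRole call fail. The body below is rebuilt from the
     * register-level dump the decompiler left in place of the code; verify it against the
     * class file before relying on it.
     *
     * @param roleNames roles the caller wants to administer
     * @return {@code false} as soon as one role is not current or lacks the grant option;
     *     {@code true} otherwise, including for an empty list
     * @throws HiveAuthzPluginException if the roles cannot be loaded
     */
    private boolean doesUserHasAdminOption(List<String> roleNames) throws HiveAuthzPluginException {
        List<HiveRoleGrant> activeRoles = getCurrentRoles();
        for (String roleName : roleNames) {
            boolean roleFound = false;
            for (HiveRoleGrant activeRole : activeRoles) {
                if (!roleName.equalsIgnoreCase(activeRole.getRoleName())) {
                    continue;
                }
                roleFound = true;
                if (!activeRole.isGrantOption()) {
                    return false;
                }
                break;
            }
            if (!roleFound) {
                return false;
            }
        }
        return true;
    }

    /**
     * Lists the roles granted directly to a principal. A non-admin caller may only ask about
     * itself or about a role it belongs to.
     *
     * @param hivePrincipal principal to look up
     * @return the principal's direct role grants
     * @throws HiveAuthzPluginException on any failure, including a rejected access check
     */
    @Override
    public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal hivePrincipal) throws HiveAuthzPluginException, HiveAccessControlException {
        try {
            if (!isUserAdmin()) {
                ensureShowGrantAllowed(hivePrincipal);
            }
            List<RolePrincipalGrant> metastoreGrants = getRoleGrants(hivePrincipal.getName(), AuthorizationUtils.getThriftPrincipalType(hivePrincipal.getType()));
            List<HiveRoleGrant> grants = new ArrayList<>(metastoreGrants.size());
            for (RolePrincipalGrant metastoreGrant : metastoreGrants) {
                grants.add(new HiveRoleGrant(metastoreGrant));
            }
            return grants;
        } catch (Exception e) {
            throw SQLAuthorizationUtils.getPluginException("Error getting role grant information for user " + hivePrincipal.getName(), e);
        }
    }

    /**
     * Applies the configuration this authorization mode requires.
     *
     * <p>Always sets the table-owner grants. For HiveServer2 sessions with authorization
     * enabled it also appends {@link DisallowTransformHook} to the pre-execution hooks and
     * calls {@code SettableConfigUpdater.setHiveConfWhiteList}.
     *
     * @param hiveConf configuration to modify in place
     * @throws HiveAuthzPluginException declared by the interface
     */
    @Override
    public void applyAuthorizationConfigPolicy(HiveConf hiveConf) throws HiveAuthzPluginException {
        hiveConf.setVar(HiveConf.ConfVars.HIVE_AUTHORIZATION_TABLE_OWNER_GRANTS, "INSERT,SELECT,UPDATE,DELETE");
        boolean isHiveServer2 = this.sessionCtx.getClientType() == HiveAuthzSessionContext.CLIENT_TYPE.HIVESERVER2;
        if (!isHiveServer2 || !hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_AUTHORIZATION_ENABLED)) {
            return;
        }
        String existingHooks = hiveConf.getVar(HiveConf.ConfVars.PREEXECHOOKS).trim();
        String transformHook = DisallowTransformHook.class.getName();
        // Append rather than replace, so hooks configured by the operator keep running.
        String hooks = existingHooks.isEmpty() ? transformHook : existingHooks + "," + transformHook;
        LOG.debug("Configuring hooks : {}", hooks);
        hiveConf.setVar(HiveConf.ConfVars.PREEXECHOOKS, hooks);
        SettableConfigUpdater.setHiveConfWhiteList(hiveConf);
    }
}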
