package org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd;

import java.util.ArrayList;
import java.util.List;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.IMetaStoreClient;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationValidator;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveOperationType;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrincipal;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.Operation2Privilege;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/hive-exec-2.3.3-mapr-1904-r12-core.jar:org/apache/hadoop/hive/ql/security/authorization/plugin/sqlstd/SQLStdHiveAuthorizationValidator.class */
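/**
 * {@link HiveAuthorizationValidator} for the SQL-standard authorization plugin.
 *
 * <p>For each object an operation reads or writes, {@code checkPrivileges} compares the
 * privileges required by {@link Operation2Privilege} with the privileges available to the
 * authenticated user, and records a message for every shortfall. Where the available
 * privileges come from depends on the object type:
 * <ul>
 *   <li>{@code LOCAL_URI} / {@code DFS_URI}: {@code SQLAuthorizationUtils.getPrivilegesFromFS}</li>
 *   <li>{@code COMMAND_PARAMS} / {@code FUNCTION}: only {@code ADMIN_PRIV}, and only when
 *       {@code privController.isUserAdmin()} is true</li>
 *   <li>{@code PARTITION}: nothing is looked up</li>
 *   <li>everything else: {@code SQLAuthorizationUtils.getPrivilegesFromMetaStore}</li>
 * </ul>
 *
 * <p>Security-relevant limits of this class as written: {@link #filterListCmdObjects} returns
 * its input unchanged, and {@link #needTransform()} is always {@code false}, so this validator
 * neither hides object names in listing commands nor applies row filters or column masks.
 */
public class SQLStdHiveAuthorizationValidator implements HiveAuthorizationValidator {
    public static final Logger LOG = LoggerFactory.getLogger(SQLStdHiveAuthorizationValidator.class);

    private final HiveMetastoreClientFactory metastoreClientFactory;
    private final HiveConf conf;
    private final HiveAuthenticationProvider authenticator;
    private final SQLStdHiveAccessControllerWrapper privController;
    // Session context after SQLAuthorizationUtils.applyTestSettings; not read by any method in this class.
    private final HiveAuthzSessionContext ctx;

    /**
     * Stores the collaborators used for privilege checks.
     *
     * @param hiveMetastoreClientFactory source of the metastore client used for privilege lookups
     * @param hiveConf configuration passed to the filesystem privilege lookup
     * @param hiveAuthenticationProvider supplies the name of the user being authorized
     * @param sQLStdHiveAccessControllerWrapper supplies the current role names and the admin flag
     * @param hiveAuthzSessionContext session context, passed through {@code applyTestSettings}
     * @throws HiveAuthzPluginException declared by the original signature
     */
    public SQLStdHiveAuthorizationValidator(HiveMetastoreClientFactory hiveMetastoreClientFactory, HiveConf hiveConf, HiveAuthenticationProvider hiveAuthenticationProvider, SQLStdHiveAccessControllerWrapper sQLStdHiveAccessControllerWrapper, HiveAuthzSessionContext hiveAuthzSessionContext) throws HiveAuthzPluginException {
        this.metastoreClientFactory = hiveMetastoreClientFactory;
        this.conf = hiveConf;
        this.authenticator = hiveAuthenticationProvider;
        this.privController = sQLStdHiveAccessControllerWrapper;
        this.ctx = SQLAuthorizationUtils.applyTestSettings(hiveAuthzSessionContext, hiveConf);
    }

    /**
     * Checks the current user's privileges on every input and output object of an operation.
     *
     * <p>Shortfalls for inputs and outputs are collected into one list before the final
     * assertion, so a denial can name every missing privilege rather than only the first.
     *
     * @param hiveOperationType operation being authorized
     * @param list input objects of the operation; {@code null} means no input checks
     * @param list2 output objects of the operation; {@code null} means no output checks
     * @param hiveAuthzContext context information; used here only in the debug log line
     * @throws HiveAuthzPluginException if a privilege lookup fails
     * @throws HiveAccessControlException presumably raised by {@code assertNoDeniedPermissions}
     *     when any shortfall was recorded (that helper is not visible here; confirm)
     */
    @Override // org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationValidator
    public void checkPrivileges(HiveOperationType hiveOperationType, List<HivePrivilegeObject> list, List<HivePrivilegeObject> list2, HiveAuthzContext hiveAuthzContext) throws HiveAuthzPluginException, HiveAccessControlException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Checking privileges for operation " + hiveOperationType + " by user " + this.authenticator.getUserName() + " on  input objects " + list + " and output objects " + list2 + ". Context Info: " + hiveAuthzContext);
        }
        String userName = this.authenticator.getUserName();
        IMetaStoreClient metastoreClient = this.metastoreClientFactory.getHiveMetastoreClient();
        // Typed list instead of a raw ArrayList: both consumers below take List<String>.
        List<String> deniedMessages = new ArrayList<>();
        checkPrivileges(hiveOperationType, list, metastoreClient, userName, Operation2Privilege.IOType.INPUT, deniedMessages);
        checkPrivileges(hiveOperationType, list2, metastoreClient, userName, Operation2Privilege.IOType.OUTPUT, deniedMessages);
        SQLAuthorizationUtils.assertNoDeniedPermissions(new HivePrincipal(userName, HivePrincipal.HivePrincipalType.USER), hiveOperationType, deniedMessages);
    }

    /**
     * Records, for one side (input or output) of an operation, every privilege the user lacks.
     *
     * @param hiveOperationType operation being authorized
     * @param objects objects to check; {@code null} is treated as nothing to check
     * @param metastoreClient client used for metastore privilege lookups
     * @param userName user whose privileges are evaluated
     * @param ioType whether {@code objects} are inputs or outputs of the operation
     * @param deniedMessages accumulator that receives one entry per shortfall
     * @throws HiveAuthzPluginException if a privilege lookup fails
     * @throws HiveAccessControlException declared by the original signature
     */
    private void checkPrivileges(HiveOperationType hiveOperationType, List<HivePrivilegeObject> objects, IMetaStoreClient metastoreClient, String userName, Operation2Privilege.IOType ioType, List<String> deniedMessages) throws HiveAuthzPluginException, HiveAccessControlException {
        if (objects == null) {
            return;
        }
        for (HivePrivilegeObject hiveObj : objects) {
            RequiredPrivileges requiredPrivs = Operation2Privilege.getRequiredPrivs(hiveOperationType, hiveObj, ioType);
            // An object with no required privileges is never checked, so what gets enforced
            // is decided entirely by the Operation2Privilege mapping.
            if (requiredPrivs.getRequiredPrivilegeSet().isEmpty()) {
                continue;
            }
            // Start from an empty set: a branch that assigns nothing leaves the user with no
            // available privileges for this object.
            RequiredPrivileges availPrivs = new RequiredPrivileges();
            switch (hiveObj.getType()) {
                case LOCAL_URI:
                case DFS_URI:
                    // URI objects are authorized from filesystem state for this user.
                    availPrivs = SQLAuthorizationUtils.getPrivilegesFromFS(new Path(hiveObj.getObjectName()), this.conf, userName);
                    break;
                case PARTITION:
                    // NOTE(review): no privileges are looked up for partitions, so as written
                    // every required privilege on a PARTITION object is compared against an
                    // empty set. This listing is decompiler output; confirm against the
                    // original source whether partitions were meant to be skipped instead.
                    break;
                case COMMAND_PARAMS:
                case FUNCTION:
                    // These object types are authorized by admin status alone; no per-object
                    // grant is consulted.
                    if (this.privController.isUserAdmin()) {
                        availPrivs.addPrivilege(SQLPrivTypeGrant.ADMIN_PRIV);
                    }
                    break;
                default:
                    availPrivs = SQLAuthorizationUtils.getPrivilegesFromMetaStore(metastoreClient, userName, hiveObj, this.privController.getCurrentRoleNames(), this.privController.isUserAdmin());
                    break;
            }
            SQLAuthorizationUtils.addMissingPrivMsg(requiredPrivs.findMissingPrivs(availPrivs), hiveObj, deniedMessages);
        }
    }

    /**
     * Returns the given objects unchanged.
     *
     * <p>No privilege check is applied here, so this validator does not narrow what a listing
     * command shows to the objects the user is authorized for.
     *
     * @param list objects obtained for a listing command
     * @param hiveAuthzContext context information; used here only in the debug log line
     * @return the same {@code list} instance that was passed in
     */
    @Override // org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationValidator
    public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> list, HiveAuthzContext hiveAuthzContext) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Obtained following objects in  filterListCmdObjects " + list + " for user " + this.authenticator.getUserName() + ". Context Info: " + hiveAuthzContext);
        }
        return list;
    }

    /**
     * Reports that this validator never requests a query transformation.
     *
     * @return always {@code false}
     */
    @Override // org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationValidator
    public boolean needTransform() {
        return false;
    }

    /**
     * Not implemented by this validator: no row filter or column mask is produced.
     *
     * @param hiveAuthzContext unused
     * @param list unused
     * @return always {@code null}; presumably callers consult {@link #needTransform()} first
     *     (confirm against the caller before relying on that)
     * @throws SemanticException declared by the original signature
     */
    @Override // org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationValidator
    public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext hiveAuthzContext, List<HivePrivilegeObject> list) throws SemanticException {
        return null;
    }
}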
