package org.apache.sentry.binding.hive.authz;

import com.google.common.collect.Table;
import java.io.PrintStream;
import java.security.CodeSource;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.commons.cli.GnuParser;
import org.apache.commons.cli.HelpFormatter;
import org.apache.commons.cli.Option;
import org.apache.commons.cli.OptionGroup;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.ql.Driver;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.processors.CommandProcessorResponse;
import org.apache.hadoop.hive.ql.session.SessionState;
import org.apache.log4j.Level;
import org.apache.log4j.LogManager;
import org.apache.sentry.Command;
import org.apache.sentry.binding.hive.HiveAuthzBindingHook;
import org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
import org.apache.sentry.core.common.SentryConfigurationException;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.core.model.db.DBModelAuthorizable;
import org.apache.sentry.core.model.db.Server;
import org.apache.sentry.policy.db.DBModelAuthorizables;
import org.apache.sentry.provider.common.AuthorizationProvider;
import org.apache.sentry.provider.common.ProviderBackendContext;
import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
import org.apache.sentry.provider.db.service.thrift.TSentryRole;
import org.apache.sentry.provider.file.KeyValue;
import org.apache.sentry.provider.file.PolicyFileConstants;
import org.apache.sentry.provider.file.SimpleFileProviderBackend;

/* loaded from: input_file:org/apache/sentry/binding/hive/authz/SentryConfigTool.class */
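/**
 * Command-line helper behind {@code sentry --command config-tool}.
 *
 * <p>Depending on the options parsed by {@link #parseArgs(String[])} it can validate a policy
 * file, import a policy file into the Sentry policy service, list the privileges of a user, or
 * check whether a user may run a query (locally through a Hive {@link Driver}, or remotely over
 * JDBC against HiveServer2).
 *
 * <p>Security notes for operators and maintainers:
 * <ul>
 *   <li>{@link #setupConfig()} switches on the Sentry testing-mode property for the whole JVM.</li>
 *   <li>The JDBC password is taken from the {@code -p} command-line option, so it is exposed to
 *       anything that can read the process arguments or the shell history.</li>
 *   <li>{@link #verifyRemoteQuery(String)} sends the query to a live server and relies on the
 *       server aborting it after the authorization check.</li>
 * </ul>
 *
 * <p>Instances hold mutable, unsynchronized state and are meant to be used from one thread.
 */
public class SentryConfigTool {
    private String sentrySiteFile = null;
    private String policyFile = null;
    private String query = null;
    private String jdbcURL = null;
    private String user = null;
    // Held as a String because DriverManager.getConnection needs one; it is never printed by
    // this class, and must stay out of any logging or diagnostics added later.
    private String passWord = null;
    private boolean listPrivs = false;
    private boolean validate = false;
    private boolean importPolicy = false;
    private HiveConf hiveConf = null;
    private HiveAuthzConf authzConf = null;
    private AuthorizationProvider sentryProvider = null;

    /** Entry point used by the {@code sentry} launcher for the {@code config-tool} command. */
    public static class CommandImpl implements Command {
        /**
         * Parses the arguments, loads the configuration and runs every requested action in the
         * order validate, import, list privileges, verify query.
         *
         * <p>Any exception is reported on standard output together with its stack trace and the
         * JVM is terminated with exit status 1, so this method never returns abnormally.
         *
         * @param strArr command-line arguments for the tool
         */
        public void run(String[] strArr) throws Exception {
            SentryConfigTool sentryConfigTool = new SentryConfigTool();
            try {
                sentryConfigTool.parseArgs(strArr);
                sentryConfigTool.setupConfig();
                if (sentryConfigTool.isValidate()) {
                    sentryConfigTool.validatePolicy();
                }
                if (sentryConfigTool.isImportPolicy()) {
                    sentryConfigTool.importPolicy();
                }
                if (sentryConfigTool.isListPrivs()) {
                    sentryConfigTool.listPrivs();
                }
                if (sentryConfigTool.getQuery() != null) {
                    // A JDBC URL selects the remote check; without one the query is compiled locally.
                    if (sentryConfigTool.getJdbcURL() != null) {
                        sentryConfigTool.verifyRemoteQuery(sentryConfigTool.getQuery());
                    } else {
                        sentryConfigTool.verifyLocalQuery(sentryConfigTool.getQuery());
                    }
                }
            } catch (Exception e) {
                // NOTE(review): the full stack trace goes to stdout; driver or server messages in
                // it may echo connection details, so treat captured output as sensitive.
                System.out.println("Sentry tool reported Errors: " + e.getMessage());
                e.printStackTrace(System.out);
                System.exit(1);
            }
        }
    }

    /** Returns the authorization provider created by {@link #setupConfig()}, or {@code null}. */
    public AuthorizationProvider getSentryProvider() {
        return this.sentryProvider;
    }

    /** Sets the authorization provider used by the validate and list actions. */
    public void setSentryProvider(AuthorizationProvider authorizationProvider) {
        this.sentryProvider = authorizationProvider;
    }

    /** Returns the Hive configuration created by {@link #setupConfig()}, or {@code null}. */
    public HiveConf getHiveConf() {
        return this.hiveConf;
    }

    /** Sets the Hive configuration. */
    public void setHiveConf(HiveConf hiveConf) {
        this.hiveConf = hiveConf;
    }

    /** Returns the Sentry authorization configuration, or {@code null} before setup. */
    public HiveAuthzConf getAuthzConf() {
        return this.authzConf;
    }

    /** Sets the Sentry authorization configuration. */
    public void setAuthzConf(HiveAuthzConf hiveAuthzConf) {
        this.authzConf = hiveAuthzConf;
    }

    /** Returns whether policy validation ({@code -v}) was requested. */
    public boolean isValidate() {
        return this.validate;
    }

    /** Requests or cancels policy validation. */
    public void setValidate(boolean z) {
        this.validate = z;
    }

    /** Returns whether a policy import ({@code -I}) was requested. */
    public boolean isImportPolicy() {
        return this.importPolicy;
    }

    /** Requests or cancels the policy import. */
    public void setImportPolicy(boolean z) {
        this.importPolicy = z;
    }

    /** Returns the sentry-site file location given with {@code -s}, or {@code null}. */
    public String getSentrySiteFile() {
        return this.sentrySiteFile;
    }

    /** Sets the sentry-site file location. */
    public void setSentrySiteFile(String str) {
        this.sentrySiteFile = str;
    }

    /** Returns the policy file location given with {@code -i}, or {@code null}. */
    public String getPolicyFile() {
        return this.policyFile;
    }

    /** Sets the policy file location. */
    public void setPolicyFile(String str) {
        this.policyFile = str;
    }

    /** Returns the query given with {@code -e}, or {@code null}. */
    public String getQuery() {
        return this.query;
    }

    /** Sets the query to verify. */
    public void setQuery(String str) {
        this.query = str;
    }

    /** Returns the JDBC URL given with {@code -j}, or {@code null}. */
    public String getJdbcURL() {
        return this.jdbcURL;
    }

    /** Sets the JDBC URL used for the remote query check. */
    public void setJdbcURL(String str) {
        this.jdbcURL = str;
    }

    /** Returns the user name given with {@code -u}, or {@code null}. */
    public String getUser() {
        return this.user;
    }

    /** Sets the user whose privileges are listed or checked. */
    public void setUser(String str) {
        this.user = str;
    }

    /** Returns the JDBC password given with {@code -p}, or {@code null}. Do not log the result. */
    public String getPassWord() {
        return this.passWord;
    }

    /** Sets the JDBC password. */
    public void setPassWord(String str) {
        this.passWord = str;
    }

    /** Returns whether a privilege listing ({@code -l} / {@code -listPrivs}) was requested. */
    public boolean isListPrivs() {
        return this.listPrivs;
    }

    /** Requests or cancels the privilege listing. */
    public void setListPrivs(boolean z) {
        this.listPrivs = z;
    }

    /**
     * Builds the Hive and Sentry configuration, prints where each piece was loaded from and
     * creates the authorization provider.
     *
     * @throws SentryConfigurationException if a {@link NullPointerException} is raised while the
     *     configuration is loaded (reported as a missing hive-site.xml), or if the provider
     *     reports configuration errors
     * @throws IllegalStateException if the provider cannot be loaded for another reason
     */
    public void setupConfig() throws Exception {
        System.out.println("Configuration: ");
        CodeSource codeSource = SentryConfigTool.class.getProtectionDomain().getCodeSource();
        if (codeSource != null) {
            System.out.println("Sentry package jar: " + codeSource.getLocation());
        }
        if (getPolicyFile() != null) {
            System.setProperty(HiveAuthzConf.AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar(), getPolicyFile());
        }
        // NOTE(review): this is a JVM-wide system property, so every Sentry binding created in
        // this process afterwards sees testing mode as enabled. Presumably testing mode relaxes
        // checks the binding otherwise enforces - confirm, and never embed this tool in a
        // long-lived service process.
        System.setProperty(HiveAuthzConf.AuthzConfVars.SENTRY_TESTING_MODE.getVar(), "true");
        setHiveConf(new HiveConf(SessionState.class));
        getHiveConf().setVar(HiveConf.ConfVars.SEMANTIC_ANALYZER_HOOK, HiveAuthzBindingHook.class.getName());
        try {
            System.out.println("Hive config: " + HiveConf.getHiveSiteLocation());
            if (getSentrySiteFile() != null) {
                getHiveConf().set(HiveAuthzConf.HIVE_SENTRY_CONF_URL, getSentrySiteFile());
            }
            setAuthzConf(HiveAuthzConf.getAuthzConf(getHiveConf()));
            System.out.println("Sentry config: " + getAuthzConf().getHiveAuthzSiteFile());
            System.out.println("Sentry Policy: " + getAuthzConf().get(HiveAuthzConf.AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar()));
            System.out.println("Sentry server: " + getAuthzConf().get(HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME.getVar()));
            setSentryProvider(getAuthorizationProvider());
        } catch (NullPointerException e) {
            // Any NPE raised in the block above is reported as a missing hive-site.xml and the
            // original exception is dropped, so the message can be misleading when the real
            // cause is elsewhere (for example an unset server name).
            throw new SentryConfigurationException("Didn't find a hive-site.xml");
        }
    }

    /**
     * Creates the authorization provider for the configured server name.
     *
     * @return the provider
     * @throws SentryConfigurationException if the provider reports configuration problems; they
     *     are printed first
     * @throws IllegalStateException if the provider cannot be loaded for any other reason
     */
    private AuthorizationProvider getAuthorizationProvider() throws IllegalStateException, SentryConfigurationException {
        AuthorizationProvider authorizationProvider = null;
        try {
            String serverName = new Server(getAuthzConf().get(HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME.getVar())).getName();
            authorizationProvider = HiveAuthzBinding.getAuthProvider(getHiveConf(), this.authzConf, serverName);
        } catch (SentryConfigurationException e) {
            // printConfigErrors always rethrows, so null is never returned from this path.
            printConfigErrors(e);
        } catch (Exception e2) {
            throw new IllegalStateException("Couldn't load sentry provider ", e2);
        }
        return authorizationProvider;
    }

    /**
     * Validates the policy resource in strict mode and prints a confirmation when it is clean.
     *
     * @throws SentryConfigurationException if the provider reports problems; they are printed
     *     before the exception is rethrown
     */
    public void validatePolicy() throws Exception {
        try {
            getSentryProvider().validateResource(true);
        } catch (SentryConfigurationException e) {
            // Rethrows after printing, so the success message below is skipped on failure.
            printConfigErrors(e);
        }
        System.out.println("No errors found in the policy file");
    }

    /**
     * Reads the configured policy file and replays it against the Sentry policy service:
     * missing roles are created, roles are granted to groups, and each privilege string is
     * translated into the matching URI, table, database or server grant.
     *
     * <p>The statements printed along the way are a human-readable trace only. The role, group
     * and object names come straight from the policy file and are interpolated without quoting,
     * so the output must not be replayed as SQL without review.
     *
     * <p>NOTE(review): every service call passes the fixed requestor name "hive"; presumably
     * the service authorizes the import as that user - confirm who is allowed to run this tool.
     * NOTE(review): the service client is not closed here; check whether it offers a close
     * method and release it once the import is done.
     */
    public void importPolicy() throws Exception {
        String policyResource = getAuthzConf().get(HiveAuthzConf.AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar());
        SimpleFileProviderBackend policyFileBackend = new SimpleFileProviderBackend(getAuthzConf(), policyResource);
        ProviderBackendContext backendContext = new ProviderBackendContext();
        backendContext.setAllowPerDatabase(true);
        policyFileBackend.initialize(backendContext);
        SentryPolicyServiceClient client = new SentryPolicyServiceClient(getAuthzConf());

        // Roles the service already knows, so that each role is created at most once.
        Set<String> existingRoles = new HashSet<String>();
        for (Object role : client.listRoles("hive")) {
            existingRoles.add(((TSentryRole) role).getRoleName());
        }

        Table<String, String, Set<String>> groupRolePrivileges = policyFileBackend.getGroupRolePrivilegeTable();
        for (String group : groupRolePrivileges.rowKeySet()) {
            for (String role : groupRolePrivileges.columnKeySet()) {
                if (!existingRoles.contains(role)) {
                    client.createRole("hive", role);
                    System.out.println(String.format("CREATE ROLE %s;", role));
                    existingRoles.add(role);
                }
                Set<String> privileges = groupRolePrivileges.get(group, role);
                if (privileges == null) {
                    // This group does not hold this role.
                    continue;
                }
                client.grantRoleToGroup("hive", group, role);
                System.out.println(String.format("GRANT ROLE %s TO GROUP %s;", role, group));
                for (String privilege : privileges) {
                    importPrivilege(client, role, privilege);
                }
            }
        }
    }

    /**
     * Translates one policy-file privilege string into a grant on the policy service.
     *
     * <p>The most specific authorizable present wins: URI, then table or view, then database,
     * then server. A table or database named {@code *} is treated as absent.
     */
    private void importPrivilege(SentryPolicyServiceClient client, String role, String privilege) throws Exception {
        String server = null;
        String database = null;
        String table = null;
        String uri = null;
        String action = "*";
        for (String part : PolicyFileConstants.AUTHORIZABLE_SPLITTER.trimResults().split(privilege)) {
            KeyValue keyValue = new KeyValue(part);
            DBModelAuthorizable authorizable = DBModelAuthorizables.from(keyValue);
            if (authorizable == null) {
                // Not an authorizable, so the pair is taken to carry the action.
                action = keyValue.getValue();
                continue;
            }
            switch (authorizable.getAuthzType()) {
                case Server:
                    server = authorizable.getName();
                    break;
                case Db:
                    database = authorizable.getName();
                    break;
                case Table:
                case View:
                    table = authorizable.getName();
                    break;
                case URI:
                    uri = authorizable.getName();
                    break;
                default:
                    // Other authorizable types carry nothing this import can grant.
                    break;
            }
        }
        if (uri != null) {
            System.out.println(String.format("# server=%s", server));
            System.out.println(String.format("GRANT ALL ON URI %s TO ROLE %s;", uri, role));
            client.grantURIPrivilege("hive", role, server, uri);
        } else if (table != null && !"*".equals(table)) {
            System.out.println(String.format("# server=%s, database=%s", server, database));
            System.out.println(String.format("GRANT %s ON TABLE %s TO ROLE %s;", grantVerb(action), table, role));
            client.grantTablePrivilege("hive", role, server, database, table, action);
        } else if (database != null && !"*".equals(database)) {
            System.out.println(String.format("# server=%s", server));
            System.out.println(String.format("GRANT %s ON DATABASE %s TO ROLE %s;", grantVerb(action), database, role));
            client.grantDatabasePrivilege("hive", role, server, database, action);
        } else if (server != null) {
            System.out.println(String.format("GRANT ALL ON SERVER %s TO ROLE %s;", server, role));
            client.grantServerPrivilege("hive", role, server);
        } else {
            System.out.println(String.format("No grant for permission %s", privilege));
        }
    }

    /** Returns the privilege keyword printed for an action; {@code *} is shown as {@code ALL}. */
    private static String grantVerb(String action) {
        // Locale.ROOT keeps the keyword stable under locales with special casing rules.
        return "*".equals(action) ? "ALL" : action.toUpperCase(java.util.Locale.ROOT);
    }

    /**
     * Validates the policy resource and prints every privilege the provider reports for the
     * configured user.
     */
    public void listPrivs() throws Exception {
        getSentryProvider().validateResource(true);
        System.out.println("Available privileges for user " + getUser() + ":");
        Set listPrivilegesForSubject = getSentryProvider().listPrivilegesForSubject(new Subject(getUser()));
        Iterator it = listPrivilegesForSubject.iterator();
        while (it.hasNext()) {
            System.out.println("\t" + ((String) it.next()));
        }
        if (listPrivilegesForSubject.isEmpty()) {
            System.out.println("\t*** No permissions available ***");
        }
    }

    /**
     * Compiles the query in a local Hive session as the configured user and reports whether the
     * Sentry hook let it through.
     *
     * @param str the query to compile
     * @throws SemanticException if compilation fails; when the failure is a Sentry privilege
     *     error the missing privileges are printed first
     */
    public void verifyLocalQuery(String str) throws Exception {
        SessionState sessionState = new SessionState(getHiveConf());
        SessionState.start(sessionState);
        Driver driver = new Driver(sessionState.getConf(), getUser(), (String) null);
        try {
            CommandProcessorResponse response = driver.compileAndRespond(str);
            if (response.getResponseCode() != 0) {
                String errorMessage = response.getErrorMessage();
                if (errorMessage != null && errorMessage.contains(HiveAuthzConf.HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE)) {
                    printMissingPerms(getHiveConf().get(HiveAuthzConf.HIVE_SENTRY_AUTH_ERRORS));
                }
                throw new SemanticException("Compilation error: " + errorMessage);
            }
        } finally {
            // Release the driver on the failure path as well.
            driver.close();
        }
        System.out.println("User " + getUser() + " has privileges to run the query");
    }

    /**
     * Checks over JDBC whether the connecting user may run the query on HiveServer2.
     *
     * <p>The session is switched to {@code hive.sentry.mock.compilation=true} and the query is
     * then submitted. A failure carrying the mock-compilation marker is read as "authorized";
     * a failure carrying the privilege error marker prints the missing privileges and is
     * rethrown, as is any other failure.
     *
     * <p>NOTE(review): the query is sent to a live server and this check depends on the
     * server-side hook honouring the mock-compilation setting. If the statement returns without
     * an error, nothing is printed and the server may have executed it - presumably only
     * possible when the hook is misconfigured; confirm, and point the tool at production
     * servers with read-only statements only.
     *
     * @param str the query to check
     * @throws IllegalStateException if the server does not run the Sentry session hook
     * @throws SQLException if the query is rejected for any reason other than the mock marker
     */
    public void verifyRemoteQuery(String str) throws Exception {
        Class.forName("org.apache.hive.jdbc.HiveDriver");
        Connection connection = DriverManager.getConnection(getJdbcURL(), getUser(), getPassWord());
        try {
            Statement statement = connection.createStatement();
            try {
                // These two steps are inside the try so that the connection is released when the
                // server turns out not to run Sentry or refuses the setting.
                if (!isSentryEnabledOnHiveServer(statement)) {
                    throw new IllegalStateException("Sentry is not enabled on HiveServer2");
                }
                statement.execute("set hive.sentry.mock.compilation=true");
                try {
                    statement.execute(str);
                } catch (SQLException e) {
                    String message = e.getMessage();
                    if (message != null && message.contains(HiveAuthzConf.HIVE_SENTRY_MOCK_ERROR)) {
                        System.out.println("User " + readConfig(statement, HiveAuthzConf.HIVE_SENTRY_SUBJECT_NAME) + " has privileges to run the query");
                        return;
                    }
                    if (message != null && message.contains(HiveAuthzConf.HIVE_SENTRY_PRIVILEGE_ERROR_MESSAGE)) {
                        printMissingPerms(readConfig(statement, HiveAuthzConf.HIVE_SENTRY_AUTH_ERRORS));
                    }
                    throw e;
                }
            } finally {
                if (!statement.isClosed()) {
                    statement.close();
                }
            }
        } finally {
            connection.close();
        }
    }

    /** Returns whether the server's session hook setting names the Sentry session hook. */
    private boolean isSentryEnabledOnHiveServer(Statement statement) throws SQLException {
        return HiveAuthzBindingSessionHook.class.getName().equalsIgnoreCase(readConfig(statement, HiveConf.ConfVars.HIVE_SERVER2_SESSION_HOOK.varname));
    }

    /**
     * Reads one session setting from the server with {@code set <name>}.
     *
     * <p>The name is concatenated into the statement text, so callers must pass configuration
     * constants only, never user-supplied input.
     *
     * @param statement open statement on the target session
     * @param str name of the setting
     * @return the text after the first {@code =} of the first result row, or {@code null} when
     *     the server returns no row or a null value
     */
    private String readConfig(Statement statement, String str) throws SQLException {
        ResultSet resultSet = statement.executeQuery("set " + str);
        try {
            if (!resultSet.next()) {
                return null;
            }
            String row = resultSet.getString(1);
            if (row == null) {
                return null;
            }
            return row.substring(row.indexOf("=") + 1);
        } finally {
            // Closed on every path, including the empty-result one.
            resultSet.close();
        }
    }

    /**
     * Prints the errors and warnings carried by a configuration exception and rethrows it.
     *
     * @throws SentryConfigurationException always; the argument itself
     */
    private void printConfigErrors(SentryConfigurationException sentryConfigurationException) throws SentryConfigurationException {
        System.out.println(" *** Found configuration problems *** ");
        Iterator it = sentryConfigurationException.getConfigErrors().iterator();
        while (it.hasNext()) {
            System.out.println("ERROR: " + ((String) it.next()));
        }
        Iterator it2 = sentryConfigurationException.getConfigWarnings().iterator();
        while (it2.hasNext()) {
            System.out.println("Warning: " + ((String) it2.next()));
        }
        throw sentryConfigurationException;
    }

    /**
     * Prints the privileges a rejected query would have needed, one per line.
     *
     * @param str the recorded authorization error text; nothing is printed when it is null or
     *     empty
     */
    private void printMissingPerms(String str) {
        if (str == null || str.isEmpty()) {
            return;
        }
        System.out.println("*** Query compilation failed ***");
        // Drop everything up to the marker, then split the remainder into single privileges.
        String[] split = str.replaceFirst(".*No valid privileges", "").split(";");
        System.out.println("Required privileges for given query:");
        for (String str2 : split) {
            System.out.println(" \t " + str2);
        }
    }

    /** Prints the usage text and terminates the JVM with exit status -1. */
    private void usage(Options options) {
        new HelpFormatter().printHelp("sentry --command config-tool", options);
        System.exit(-1);
    }

    /**
     * Parses the command line into this instance's fields.
     *
     * <p>Exactly one action option (help, validate, query, listPerms, listPrivs, import) must
     * be present. Listing privileges and verifying a query both require {@code -u}. Unless
     * {@code -d} is given, the root logger is switched off.
     *
     * <p>Invalid input prints the parse error and the usage text and exits the JVM. The two
     * "requires -u" checks sit inside the {@code try} because {@link ParseException} is a
     * checked exception that this method does not declare.
     *
     * <p>NOTE(review): {@code -p} takes the JDBC password as a plain argument, which exposes it
     * in the process list and shell history; prefer a prompt or a protected file if the tool is
     * extended.
     *
     * @param strArr command-line arguments
     */
    public void parseArgs(String[] strArr) {
        boolean debugEnabled = false;
        Options options = new Options();

        // Action options: mutually exclusive, one is required.
        Option helpOption = new Option("h", "help", false, "Print usage");
        helpOption.setRequired(false);
        Option validateOption = new Option("v", "validate", false, "Validate policy file");
        validateOption.setRequired(false);
        Option queryOption = new Option("e", "query", true, "Query privilege verification, requires -u");
        queryOption.setRequired(false);
        Option listPermsOption = new Option("l", "listPerms", false, "list permissions for given user, requires -u");
        listPermsOption.setRequired(false);
        Option listPrivsOption = new Option("listPrivs", false, "list privileges for given user, requires -u");
        listPrivsOption.setRequired(false);
        Option importOption = new Option("I", "import", false, "Import policy file");
        OptionGroup actions = new OptionGroup();
        actions.addOption(helpOption);
        actions.addOption(validateOption);
        actions.addOption(queryOption);
        actions.addOption(listPermsOption);
        actions.addOption(listPrivsOption);
        actions.addOption(importOption);
        actions.setRequired(true);
        options.addOptionGroup(actions);

        // Modifier options.
        Option jdbcOption = new Option("j", "jdbcURL", true, "JDBC URL");
        jdbcOption.setRequired(false);
        options.addOption(jdbcOption);
        Option sentrySiteOption = new Option("s", "sentry-site", true, "sentry-site file path");
        sentrySiteOption.setRequired(false);
        options.addOption(sentrySiteOption);
        Option policyOption = new Option("i", "policyIni", true, "Policy file path");
        policyOption.setRequired(false);
        options.addOption(policyOption);
        Option userOption = new Option("u", "user", true, "user name");
        userOption.setRequired(false);
        options.addOption(userOption);
        Option passwordOption = new Option("p", "password", true, "Password");
        // The original called setRequired on the user option a second time here.
        passwordOption.setRequired(false);
        options.addOption(passwordOption);
        Option debugOption = new Option("d", "debug", false, "enable debug output");
        debugOption.setRequired(false);
        options.addOption(debugOption);

        try {
            for (Option parsed : new GnuParser().parse(options, strArr).getOptions()) {
                String opt = parsed.getOpt();
                if (opt.equals("s")) {
                    setSentrySiteFile(parsed.getValue());
                } else if (opt.equals("i")) {
                    setPolicyFile(parsed.getValue());
                } else if (opt.equals("e")) {
                    setQuery(parsed.getValue());
                } else if (opt.equals("j")) {
                    setJdbcURL(parsed.getValue());
                } else if (opt.equals("u")) {
                    setUser(parsed.getValue());
                } else if (opt.equals("p")) {
                    setPassWord(parsed.getValue());
                } else if (opt.equals("l") || opt.equals("listPrivs")) {
                    setListPrivs(true);
                } else if (opt.equals("v")) {
                    setValidate(true);
                } else if (opt.equals("I")) {
                    setImportPolicy(true);
                } else if (opt.equals("h")) {
                    usage(options);
                } else if (opt.equals("d")) {
                    debugEnabled = true;
                }
            }
            if (isListPrivs() && getUser() == null) {
                throw new ParseException("Can't use -l without -u ");
            }
            if (getQuery() != null && getUser() == null) {
                throw new ParseException("Must use -u with -e ");
            }
        } catch (ParseException e) {
            // Say what was wrong before the usage text; the message holds option names only.
            System.out.println(e.getMessage());
            usage(options);
        }
        if (!debugEnabled) {
            LogManager.getRootLogger().setLevel(Level.OFF);
        }
    }
}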
