package org.apache.sentry.binding.hbaseindexer.authz;

import com.ngdata.hbaseindexer.model.api.IndexerDefinition;
import java.io.File;
import java.io.IOException;
import java.lang.reflect.Constructor;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.EnumSet;
import java.util.Set;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.sentry.binding.hbaseindexer.conf.HBaseIndexerAuthzConf;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.core.model.indexer.Indexer;
import org.apache.sentry.core.model.indexer.IndexerModelAction;
import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.provider.common.AuthorizationProvider;
import org.apache.sentry.provider.common.GroupMappingService;
import org.apache.sentry.provider.common.ProviderBackend;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sentry/binding/hbaseindexer/authz/HBaseIndexerAuthzBinding.class */
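/**
 * Binds the HBase Indexer to a Sentry {@link AuthorizationProvider}.
 *
 * <p>The constructor merges Hadoop/HBase site files into the supplied configuration, optionally
 * performs a Kerberos keytab login, and then reflectively builds the provider backend, policy
 * engine and authorization provider named in that configuration. Callers then use
 * {@link #authorizeIndexerAction} and {@link #filterIndexers} to enforce access decisions.
 *
 * <p>Security note: the three implementation class names and the Kerberos keytab/principal are
 * read from the merged configuration. Anyone who can write those configuration files (including
 * the site files in the directory named by the {@code hbaseindxer.hdfs.confdir} system property)
 * decides which classes make authorization decisions, so those files need the same protection as
 * the policy itself.
 */
public class HBaseIndexerAuthzBinding {
    /** Value 401; presumably the HTTP status callers report on denial. Not used in this class. */
    public static final int SC_UNAUTHORIZED = 401;
    private static final Logger LOG = LoggerFactory.getLogger(HBaseIndexerAuthzBinding.class);
    /** Site files that are added to the configuration when present in the configuration directory. */
    private static final String[] HADOOP_HBASE_CONF_FILES = {"core-site.xml", "hdfs-site.xml", "mapred-site.xml", "yarn-site.xml", "hadoop-site.xml", "hbase-site.xml"};
    /** Non-null once a keytab login has succeeded in this JVM; guarded by the class monitor. */
    private static Boolean kerberosInit;
    private final HBaseIndexerAuthzConf authzConf;
    private final AuthorizationProvider authProvider;
    /** Group mapping obtained from the provider; not read anywhere else in this class. */
    private final GroupMappingService groupMapping;
    private ProviderBackend providerBackend;

    /**
     * Creates the binding and builds the authorization provider.
     *
     * <p>The fields are assigned here, in dependency order: {@code getAuthProvider()} reads
     * {@code authzConf}, so it must run only after the configuration has been assigned. Field
     * initializers would run before this body and see a null configuration.
     *
     * @param hBaseIndexerAuthzConf configuration naming the provider, backend and policy engine;
     *     it is modified in place by adding the Hadoop/HBase site files as resources
     * @throws Exception if the configuration directory is unusable, a configured class cannot be
     *     loaded or instantiated, or the Kerberos login fails
     */
    public HBaseIndexerAuthzBinding(HBaseIndexerAuthzConf hBaseIndexerAuthzConf) throws Exception {
        this.authzConf = addHdfsPropsToConf(hBaseIndexerAuthzConf);
        this.authProvider = getAuthProvider();
        this.groupMapping = this.authProvider.getGroupMapping();
    }

    /**
     * Loads a configured class and returns its matching declared constructor, made accessible.
     *
     * <p>The class is checked against {@code expectedType} before any instance is created, so a
     * misconfigured name of an unrelated class fails here instead of after its constructor ran.
     * Note that {@code Class.forName} still runs the class's static initializers.
     *
     * @param className fully qualified class name taken from the configuration
     * @param expectedType type the loaded class must implement or extend
     * @param parameterTypes parameter types of the constructor to look up
     * @return the accessible constructor
     * @throws IllegalArgumentException if no class name is configured
     * @throws ClassCastException if the class is not a subtype of {@code expectedType}
     * @throws ReflectiveOperationException if the class or constructor cannot be found
     */
    private static <T> Constructor<? extends T> resolveConstructor(String className, Class<T> expectedType, Class<?>... parameterTypes) throws ReflectiveOperationException {
        if (className == null || className.isEmpty()) {
            throw new IllegalArgumentException("No implementation class configured for " + expectedType.getName());
        }
        Constructor<? extends T> constructor = Class.forName(className).asSubclass(expectedType).getDeclaredConstructor(parameterTypes);
        constructor.setAccessible(true);
        return constructor;
    }

    /**
     * Builds the authorization provider chain (backend, policy engine, provider) from the
     * class names in the configuration, logging in to Kerberos first when it is enabled.
     *
     * <p>Side effect: stores the created backend in {@code providerBackend}.
     *
     * @return the configured authorization provider
     * @throws Exception if a class cannot be resolved or instantiated, or the keytab login fails
     */
    private AuthorizationProvider getAuthProvider() throws Exception {
        String providerClass = this.authzConf.get(HBaseIndexerAuthzConf.AuthzConfVars.AUTHZ_PROVIDER.getVar());
        String resource = this.authzConf.get(HBaseIndexerAuthzConf.AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar());
        String backendClass = this.authzConf.get(HBaseIndexerAuthzConf.AuthzConfVars.AUTHZ_PROVIDER_BACKEND.getVar());
        String engineClass = this.authzConf.get(HBaseIndexerAuthzConf.AuthzConfVars.AUTHZ_POLICY_ENGINE.getVar());
        LOG.debug("Using authorization provider {} with resource {}, policy engine {}, provider backend {}", providerClass, resource, engineClass, backendClass);

        // Resolve the backend class before the Kerberos login so that a wrong class name is
        // reported without first touching the process-wide login state.
        Constructor<? extends ProviderBackend> backendConstructor = resolveConstructor(backendClass, ProviderBackend.class, Configuration.class, String.class);

        if ("kerberos".equals(this.authzConf.get("hadoop.security.authentication"))) {
            String keytabFile = this.authzConf.get("hbase.regionserver.keytab.file");
            String principal = this.authzConf.get("hbase.regionserver.kerberos.principal");
            // NOTE(review): when Kerberos is enabled but the keytab or principal is missing, the
            // login is skipped without any message; the backend then runs with whatever
            // credentials the process already has. Confirm this is the intended behaviour.
            if (keytabFile != null && principal != null) {
                String hostname = this.authzConf.get(HBaseIndexerAuthzConf.AuthzConfVars.PRINCIPAL_HOSTNAME.getVar());
                if (hostname != null) {
                    principal = SecurityUtil.getServerPrincipal(principal, hostname);
                }
                initKerberos(keytabFile, principal);
            }
        }

        this.providerBackend = backendConstructor.newInstance(this.authzConf, resource);
        PolicyEngine policyEngine = resolveConstructor(engineClass, PolicyEngine.class, ProviderBackend.class).newInstance(this.providerBackend);
        return resolveConstructor(providerClass, AuthorizationProvider.class, String.class, PolicyEngine.class).newInstance(resource, policyEngine);
    }

    /**
     * Checks that the subject may perform the given actions on the indexer.
     *
     * @param subject the user making the request
     * @param indexer the indexer being accessed
     * @param set the actions being requested
     * @throws SentryHBaseIndexerAuthorizationException if the provider denies access
     */
    public void authorizeIndexerAction(Subject subject, Indexer indexer, Set<IndexerModelAction> set) throws SentryHBaseIndexerAuthorizationException {
        if (!this.authProvider.hasAccess(subject, Arrays.asList(indexer), set, ActiveRoleSet.ALL)) {
            String userName = subject != null ? subject.getName() : "";
            String indexerName = indexer != null ? indexer.getName() : "";
            throw new SentryHBaseIndexerAuthorizationException("User '" + userName + "' does not have privileges for indexer '" + indexerName + "'");
        }
    }

    /**
     * Returns the indexer definitions the subject is allowed to read.
     *
     * @param subject the user making the request
     * @param collection candidate indexer definitions
     * @return a new list holding only the definitions for which READ access is granted
     */
    public Collection<IndexerDefinition> filterIndexers(Subject subject, Collection<IndexerDefinition> collection) {
        ArrayList<IndexerDefinition> readable = new ArrayList<>();
        EnumSet<IndexerModelAction> readAction = EnumSet.of(IndexerModelAction.READ);
        for (IndexerDefinition definition : collection) {
            if (this.authProvider.hasAccess(subject, Arrays.asList(new Indexer(definition.getName())), readAction, ActiveRoleSet.ALL)) {
                readable.add(definition);
            }
        }
        return readable;
    }

    /**
     * Adds the Hadoop/HBase site files found in the configuration directory to the configuration.
     *
     * <p>The directory comes from the {@code hbaseindxer.hdfs.confdir} system property and
     * defaults to the process working directory. Because the merged files can set the
     * authorization class names and the Kerberos keytab/principal read later, that directory
     * should be writable only by the service's administrators; setting the property explicitly
     * avoids depending on where the process happens to be started.
     *
     * @param hBaseIndexerAuthzConf configuration to extend in place
     * @return the same configuration instance
     * @throws IOException if the directory is missing, not a directory, or not readable
     */
    private HBaseIndexerAuthzConf addHdfsPropsToConf(HBaseIndexerAuthzConf hBaseIndexerAuthzConf) throws IOException {
        String confDirName = System.getProperty("hbaseindxer.hdfs.confdir", ".");
        // An explicitly empty property disables loading of the site files.
        if (confDirName == null || confDirName.length() == 0) {
            return hBaseIndexerAuthzConf;
        }
        File confDir = new File(confDirName);
        if (!confDir.exists()) {
            throw new IOException("Resource directory does not exist: " + confDir.getAbsolutePath());
        }
        if (!confDir.isDirectory()) {
            throw new IOException("Specified resource directory is not a directory: " + confDir.getAbsolutePath());
        }
        if (!confDir.canRead()) {
            throw new IOException("Resource directory must be readable by the Hbase Indexer process: " + confDir.getAbsolutePath());
        }
        for (String fileName : HADOOP_HBASE_CONF_FILES) {
            if (new File(confDir, fileName).exists()) {
                hBaseIndexerAuthzConf.addResource(new Path(confDirName, fileName));
            }
        }
        return hBaseIndexerAuthzConf;
    }

    /**
     * Logs the process in from a keytab, at most once per JVM.
     *
     * <p>The login changes process-wide state in {@link UserGroupInformation}. The "done" flag is
     * set only after the login succeeded, so a failed attempt is not remembered as a success and
     * a later binding will try again rather than continue without credentials.
     *
     * @param str path of the keytab file
     * @param str2 Kerberos principal to log in as
     * @throws IllegalArgumentException if either argument is null or empty
     * @throws RuntimeException wrapping the {@link IOException} if the login fails
     */
    public void initKerberos(String str, String str2) {
        if (str == null || str.length() == 0) {
            throw new IllegalArgumentException("keytabFile required because kerberos is enabled");
        }
        if (str2 == null || str2.length() == 0) {
            throw new IllegalArgumentException("principal required because kerberos is enabled");
        }
        synchronized (HBaseIndexerAuthzBinding.class) {
            if (kerberosInit != null) {
                return;
            }
            UserGroupInformation.setConfiguration(new Configuration(this.authzConf));
            LOG.info("Attempting to acquire kerberos ticket with keytab: {}, principal: {} ", str, str2);
            try {
                UserGroupInformation.loginUserFromKeytab(str2, str);
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
            kerberosInit = Boolean.TRUE;
            LOG.info("Got Kerberos ticket");
        }
    }
}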
