package org.apache.sentry.binding.hive.authz;

import com.google.common.base.Splitter;
import com.google.common.base.Strings;
import com.google.common.collect.Sets;
import java.lang.reflect.Constructor;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
import org.apache.hadoop.hive.ql.plan.HiveOperation;
import org.apache.sentry.SentryUserException;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
import org.apache.sentry.binding.hive.conf.InvalidConfigurationException;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.core.model.db.AccessConstants;
import org.apache.sentry.core.model.db.DBModelAction;
import org.apache.sentry.core.model.db.DBModelAuthorizable;
import org.apache.sentry.core.model.db.Server;
import org.apache.sentry.policy.common.PolicyEngine;
import org.apache.sentry.provider.cache.SentryPrivilegeCache;
import org.apache.sentry.provider.cache.SimpleSentryCacheProviderBackend;
import org.apache.sentry.provider.common.AuthorizationProvider;
import org.apache.sentry.provider.common.ProviderBackend;
import org.apache.sentry.provider.common.ProviderBackendContext;
import org.apache.sentry.provider.db.service.thrift.TSentryRole;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sentry/binding/hive/authz/HiveAuthzBinding.class */
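/**
 * Binds Hive's semantic-analysis hooks to the Sentry authorization provider.
 *
 * <p>A binding is created for one hook ({@link HiveHook#HiveServer2} or
 * {@link HiveHook#HiveMetaStore}), validates the Hive/Sentry configuration for
 * that hook, instantiates the provider chain named in {@link HiveAuthzConf}
 * (provider backend, then policy engine, then authorization provider) and
 * answers {@link #authorize} requests against it.
 *
 * <p>Security notes: the backend, policy-engine and provider class names are
 * read from {@code hiveAuthzConf} and instantiated reflectively (including
 * non-public constructors), so that configuration file must be writable only
 * by the service administrator. {@code SENTRY_TESTING_MODE} relaxes the
 * authentication-related checks in {@link #validateHiveServer2Config} and
 * {@link #validateHiveMetaStoreConfig}; it is not meant for production.
 *
 * <p>Thread-safety: {@code activeRoleSet} is written by {@link #setActiveRoleSet}
 * and read by {@link #authorize} without synchronization; concurrent use of one
 * instance from several threads is not supported (presumably one binding per
 * session — confirm against the callers).
 */
public class HiveAuthzBinding {
    private static final Logger LOG = LoggerFactory.getLogger(HiveAuthzBinding.class);
    // Not referenced within this class; retained because it is part of the compiled layout.
    private static final AtomicInteger queryID = new AtomicInteger();
    private static final Splitter ROLE_SET_SPLITTER = Splitter.on(",").trimResults().omitEmptyStrings();
    /** Tag key exposed to callers; not used inside this class. */
    public static final String HIVE_BINDING_TAG = "hive.authz.bindings.tag";
    /** Property holding the session's active role set; looked up in hiveConf, then hiveAuthzConf. */
    private static final String ACTIVE_ROLE_SET_KEY = "hive.sentry.active.role.set";
    private static final String UMASK_KEY = "fs.permissions.umask-mode";
    private static final String CLOSED_MESSAGE = "Binding has been closed";
    /** Operations for which a required input authorizable type may be absent without failing. */
    private static final Set<HiveOperation> INPUT_OPTIONAL_FOR =
            EnumSet.of(HiveOperation.QUERY, HiveOperation.CREATETABLE_AS_SELECT);
    /** Operations for which a required output authorizable type may be absent without failing. */
    private static final Set<HiveOperation> OUTPUT_OPTIONAL_FOR = EnumSet.of(HiveOperation.QUERY);

    private final HiveConf hiveConf;
    private final Server authServer;
    private final AuthorizationProvider authProvider;
    // Set to true by every constructor and never cleared (see close()).
    private volatile boolean open;
    private ActiveRoleSet activeRoleSet;
    private HiveAuthzConf authzConf;

    /** The Hive component a binding is validated for. */
    public enum HiveHook {
        HiveServer2,
        HiveMetaStore
    }

    /**
     * Creates a binding for {@link HiveHook#HiveServer2}.
     *
     * @param hiveConf Hive configuration of the running service
     * @param hiveAuthzConf Sentry authorization configuration
     * @throws Exception if validation fails or the provider chain cannot be instantiated
     */
    public HiveAuthzBinding(HiveConf hiveConf, HiveAuthzConf hiveAuthzConf) throws Exception {
        this(HiveHook.HiveServer2, hiveConf, hiveAuthzConf);
    }

    /**
     * Creates a binding whose provider backend is the one named in
     * {@code AUTHZ_PROVIDER_BACKEND}.
     *
     * @param hiveHook component whose configuration rules are enforced
     * @param hiveConf Hive configuration of the running service
     * @param hiveAuthzConf Sentry authorization configuration
     * @throws InvalidConfigurationException if the configuration is unsafe for the hook
     * @throws Exception if the provider chain cannot be instantiated
     */
    public HiveAuthzBinding(HiveHook hiveHook, HiveConf hiveConf, HiveAuthzConf hiveAuthzConf) throws Exception {
        validateHiveConfig(hiveHook, hiveConf, hiveAuthzConf);
        this.hiveConf = hiveConf;
        this.authzConf = hiveAuthzConf;
        this.authServer = serverFromConfig(hiveAuthzConf);
        this.authProvider = getAuthProvider(hiveConf, hiveAuthzConf, this.authServer.getName());
        this.open = true;
        this.activeRoleSet = initialActiveRoleSet(hiveConf, hiveAuthzConf);
    }

    /**
     * Creates a binding backed by an in-memory privilege cache instead of the
     * configured provider backend.
     *
     * @param hiveHook component whose configuration rules are enforced
     * @param hiveConf Hive configuration of the running service
     * @param hiveAuthzConf Sentry authorization configuration
     * @param sentryPrivilegeCache cache handed to the {@link SimpleSentryCacheProviderBackend}
     * @throws InvalidConfigurationException if the configuration is unsafe for the hook
     * @throws Exception if the provider chain cannot be instantiated
     */
    public HiveAuthzBinding(HiveHook hiveHook, HiveConf hiveConf, HiveAuthzConf hiveAuthzConf, SentryPrivilegeCache sentryPrivilegeCache) throws Exception {
        validateHiveConfig(hiveHook, hiveConf, hiveAuthzConf);
        this.hiveConf = hiveConf;
        this.authzConf = hiveAuthzConf;
        this.authServer = serverFromConfig(hiveAuthzConf);
        this.authProvider = getAuthProviderWithPrivilegeCache(hiveAuthzConf, this.authServer.getName(), sentryPrivilegeCache);
        this.open = true;
        this.activeRoleSet = initialActiveRoleSet(hiveConf, hiveAuthzConf);
    }

    /** Builds the {@link Server} authorizable from {@code AUTHZ_SERVER_NAME}. */
    private static Server serverFromConfig(HiveAuthzConf hiveAuthzConf) {
        return new Server(hiveAuthzConf.get(HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME.getVar()));
    }

    /**
     * Reads the configured active role set, preferring {@code hiveConf} over
     * {@code hiveAuthzConf} and defaulting to the empty string (= all roles).
     */
    private static ActiveRoleSet initialActiveRoleSet(HiveConf hiveConf, HiveAuthzConf hiveAuthzConf) throws SentryUserException {
        String configured = hiveConf.get(ACTIVE_ROLE_SET_KEY, hiveAuthzConf.get(ACTIVE_ROLE_SET_KEY, ""));
        return parseActiveRoleSet(configured.trim());
    }

    /** Parses a role-set string without checking it against the user's roles. */
    private static ActiveRoleSet parseActiveRoleSet(String str) throws SentryUserException {
        return parseActiveRoleSet(str, null);
    }

    /**
     * Parses a role-set string into an {@link ActiveRoleSet}.
     *
     * <p>{@code ""} and {@code ALL} select every role, {@code NONE} selects no
     * role, reserved names are rejected. When {@code set} is non-null the whole
     * string must equal (case-insensitively) the name of one role in {@code set};
     * only afterwards is the string split on commas, so a comma-separated list
     * cannot pass that check.
     *
     * @param str raw role-set text, already trimmed by callers
     * @param set roles the current user holds, or {@code null} to skip the check
     * @throws IllegalArgumentException if {@code str} is a reserved role name
     * @throws SentryUserException if {@code set} is given and does not contain {@code str}
     */
    private static ActiveRoleSet parseActiveRoleSet(String str, Set<TSentryRole> set) throws SentryUserException {
        if (str.isEmpty() || "ALL".equalsIgnoreCase(str)) {
            return ActiveRoleSet.ALL;
        }
        if ("NONE".equalsIgnoreCase(str)) {
            return new ActiveRoleSet(new HashSet<String>());
        }
        // Locale.ROOT keeps the reserved-name comparison independent of the JVM locale.
        if (AccessConstants.RESERVED_ROLE_NAMES.contains(str.toUpperCase(Locale.ROOT))) {
            throw new IllegalArgumentException("Role " + str + " is reserved");
        }
        if (set != null && !holdsRole(set, str)) {
            throw new SentryUserException("Not authorized to set role " + str, "Not authorized to set role " + str);
        }
        return new ActiveRoleSet(Sets.newHashSet(ROLE_SET_SPLITTER.split(str)));
    }

    /** True if {@code roles} contains a role whose name equals {@code roleName} ignoring case. */
    private static boolean holdsRole(Set<TSentryRole> roles, String roleName) {
        for (TSentryRole role : roles) {
            if (role.getRoleName().equalsIgnoreCase(roleName)) {
                return true;
            }
        }
        return false;
    }

    /** Dispatches to the hook-specific configuration check. */
    private static void validateHiveConfig(HiveHook hiveHook, HiveConf hiveConf, HiveAuthzConf hiveAuthzConf) throws InvalidConfigurationException {
        switch (hiveHook) {
            case HiveMetaStore:
                validateHiveMetaStoreConfig(hiveConf, hiveAuthzConf);
                break;
            case HiveServer2:
                validateHiveServer2Config(hiveConf, hiveAuthzConf);
                break;
            default:
                // No other hook kinds exist; nothing to validate.
                break;
        }
    }

    /** Reads {@code SENTRY_TESTING_MODE}; unset or non-"true" values mean false. */
    private static boolean isTestingMode(HiveAuthzConf hiveAuthzConf) {
        boolean testing = Boolean.parseBoolean(
                Strings.nullToEmpty(hiveAuthzConf.get(HiveAuthzConf.AuthzConfVars.SENTRY_TESTING_MODE.getVar())).trim());
        LOG.debug("Testing mode is " + testing);
        return testing;
    }

    /**
     * Metastore rules: outside testing mode the thrift transport must use SASL
     * (authenticated clients); in testing mode the metastore must at least
     * honour the client-supplied UGI.
     */
    private static void validateHiveMetaStoreConfig(HiveConf hiveConf, HiveAuthzConf hiveAuthzConf) throws InvalidConfigurationException {
        if (isTestingMode(hiveAuthzConf)) {
            if (!hiveConf.getBoolVar(HiveConf.ConfVars.METASTORE_EXECUTE_SET_UGI)) {
                throw new InvalidConfigurationException(HiveConf.ConfVars.METASTORE_EXECUTE_SET_UGI.toString() + " can't be false in non secure mode");
            }
        } else if (!hiveConf.getBoolVar(HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL)) {
            throw new InvalidConfigurationException(HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL + " can't be false in non-testing mode");
        }
    }

    /**
     * HiveServer2 rules: outside testing mode authentication must not be
     * {@code none}, and impersonation (doAs) is refused unless
     * {@code AUTHZ_ALLOW_HIVE_IMPERSONATION} is set, because role-based
     * authorization is evaluated for the service user, not the impersonated one.
     */
    private static void validateHiveServer2Config(HiveConf hiveConf, HiveAuthzConf hiveAuthzConf) throws InvalidConfigurationException {
        if (!isTestingMode(hiveAuthzConf)) {
            String authMethod = Strings.nullToEmpty(hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION)).trim();
            if ("none".equalsIgnoreCase(authMethod)) {
                throw new InvalidConfigurationException(HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION + " can't be none in non-testing mode");
            }
            boolean impersonation = hiveConf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER2_ENABLE_DOAS);
            boolean allowImpersonation = Boolean.parseBoolean(
                    Strings.nullToEmpty(hiveAuthzConf.get(HiveAuthzConf.AuthzConfVars.AUTHZ_ALLOW_HIVE_IMPERSONATION.getVar())).trim());
            if (impersonation && !allowImpersonation) {
                LOG.error("Role based authorization does not work with HiveServer2 impersonation");
                throw new InvalidConfigurationException(HiveConf.ConfVars.HIVE_SERVER2_ENABLE_DOAS + " can't be set to true in non-testing mode");
            }
        }
        // NOTE(review): this condition rejects a umask of exactly 077 while the log and
        // exception text say 077 is required; the two disagree. Left unchanged because
        // flipping it alters which deployments are allowed to start — confirm the
        // intended check before touching it.
        if ("077".equalsIgnoreCase(hiveConf.get(UMASK_KEY))) {
            LOG.error("HiveServer2 required a default umask of 077");
            throw new InvalidConfigurationException(UMASK_KEY + " should be 077 in non-testing mode");
        }
    }

    /**
     * Returns the value of {@code var}, which must name a class to load.
     *
     * @throws InvalidConfigurationException if the value is missing or blank
     *     (previously this surfaced as a NullPointerException from Class.forName)
     */
    private static String requiredClassName(HiveAuthzConf hiveAuthzConf, HiveAuthzConf.AuthzConfVars var) throws InvalidConfigurationException {
        String value = Strings.nullToEmpty(hiveAuthzConf.get(var.getVar())).trim();
        if (value.isEmpty()) {
            throw new InvalidConfigurationException(var.getVar() + " must name a class");
        }
        return value;
    }

    /**
     * Loads {@code className} and invokes its constructor with the given
     * parameter types. Non-public constructors are made accessible, matching
     * the original behaviour; the class name comes from administrator-owned
     * configuration, never from a query.
     *
     * @throws ClassCastException if the instance is not an {@code expectedType}
     */
    private static <T> T instantiate(String className, Class<T> expectedType, Class<?>[] parameterTypes, Object... args) throws Exception {
        Constructor<?> ctor = Class.forName(className).getDeclaredConstructor(parameterTypes);
        ctor.setAccessible(true);
        return expectedType.cast(ctor.newInstance(args));
    }

    /**
     * Builds the provider chain named in {@code hiveAuthzConf}: backend
     * {@code (Configuration, String resource)}, policy engine
     * {@code (String serverName, ProviderBackend)}, provider
     * {@code (String resource, PolicyEngine)}.
     *
     * @param hiveConf unused here; kept for API compatibility
     * @param hiveAuthzConf configuration naming the three classes and the resource
     * @param str authorization server name passed to the policy engine
     * @throws InvalidConfigurationException if a required class name is missing
     * @throws Exception if a class cannot be loaded or constructed
     */
    public static AuthorizationProvider getAuthProvider(HiveConf hiveConf, HiveAuthzConf hiveAuthzConf, String str) throws Exception {
        String providerClass = requiredClassName(hiveAuthzConf, HiveAuthzConf.AuthzConfVars.AUTHZ_PROVIDER);
        String resource = hiveAuthzConf.get(HiveAuthzConf.AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar());
        String backendClass = requiredClassName(hiveAuthzConf, HiveAuthzConf.AuthzConfVars.AUTHZ_PROVIDER_BACKEND);
        String engineClass = requiredClassName(hiveAuthzConf, HiveAuthzConf.AuthzConfVars.AUTHZ_POLICY_ENGINE);
        LOG.debug("Using authorization provider " + providerClass + " with resource " + resource + ", policy engine " + engineClass + ", provider backend " + backendClass);
        ProviderBackend backend = instantiate(backendClass, ProviderBackend.class,
                new Class<?>[] {Configuration.class, String.class}, hiveAuthzConf, resource);
        PolicyEngine engine = instantiate(engineClass, PolicyEngine.class,
                new Class<?>[] {String.class, ProviderBackend.class}, str, backend);
        return instantiate(providerClass, AuthorizationProvider.class,
                new Class<?>[] {String.class, PolicyEngine.class}, resource, engine);
    }

    /**
     * Like {@link #getAuthProvider} but the backend is always a
     * {@link SimpleSentryCacheProviderBackend} initialised with
     * {@code sentryPrivilegeCache}; only the policy engine and provider are
     * loaded from configuration.
     *
     * @param hiveAuthzConf configuration naming the engine and provider classes and the resource
     * @param str authorization server name passed to the policy engine
     * @param sentryPrivilegeCache handle installed on the backend's context
     * @throws InvalidConfigurationException if a required class name is missing
     * @throws Exception if a class cannot be loaded or constructed
     */
    public static AuthorizationProvider getAuthProviderWithPrivilegeCache(HiveAuthzConf hiveAuthzConf, String str, SentryPrivilegeCache sentryPrivilegeCache) throws Exception {
        String providerClass = requiredClassName(hiveAuthzConf, HiveAuthzConf.AuthzConfVars.AUTHZ_PROVIDER);
        String resource = hiveAuthzConf.get(HiveAuthzConf.AuthzConfVars.AUTHZ_PROVIDER_RESOURCE.getVar());
        String engineClass = requiredClassName(hiveAuthzConf, HiveAuthzConf.AuthzConfVars.AUTHZ_POLICY_ENGINE);
        LOG.debug("Using authorization provider " + providerClass + " with resource " + resource + ", policy engine " + engineClass + ", provider backend SimpleSentryCacheProviderBackend");
        SimpleSentryCacheProviderBackend backend = new SimpleSentryCacheProviderBackend(hiveAuthzConf, resource);
        ProviderBackendContext context = new ProviderBackendContext();
        context.setBindingHandle(sentryPrivilegeCache);
        backend.initialize(context);
        PolicyEngine engine = instantiate(engineClass, PolicyEngine.class,
                new Class<?>[] {String.class, ProviderBackend.class}, str, backend);
        return instantiate(providerClass, AuthorizationProvider.class,
                new Class<?>[] {String.class, PolicyEngine.class}, resource, engine);
    }

    /**
     * Authorizes one Hive statement.
     *
     * <p>For every authorizable type the statement requires on its input side,
     * each input hierarchy of that type must be granted the required actions;
     * the same is then done for the output side. A required type with no
     * matching hierarchy is an error unless the type is {@code URI} or the
     * operation is listed in {@link #INPUT_OPTIONAL_FOR} /
     * {@link #OUTPUT_OPTIONAL_FOR}.
     *
     * @param hiveOperation statement kind being authorized
     * @param hiveAuthzPrivileges required input/output privileges for that kind
     * @param subject user on whose behalf the statement runs
     * @param set input authorizable hierarchies (server → … → object)
     * @param set2 output authorizable hierarchies
     * @throws IllegalStateException if the binding has been closed (see {@link #close})
     * @throws AuthorizationException if any required privilege is missing
     */
    public void authorize(HiveOperation hiveOperation, HiveAuthzPrivileges hiveAuthzPrivileges, Subject subject, Set<List<DBModelAuthorizable>> set, Set<List<DBModelAuthorizable>> set2) throws AuthorizationException {
        ensureOpen();
        if (LOG.isDebugEnabled()) {
            LOG.debug("Going to authorize statement {} for subject {}", hiveOperation.name(), subject.getName());
        }
        Map<DBModelAuthorizable.AuthorizableType, EnumSet<DBModelAction>> inputPrivileges = hiveAuthzPrivileges.getInputPrivileges();
        LOG.debug("requiredInputPrivileges = {}", inputPrivileges);
        LOG.debug("inputHierarchyList = {}", set);
        Map<DBModelAuthorizable.AuthorizableType, EnumSet<DBModelAction>> outputPrivileges = hiveAuthzPrivileges.getOutputPrivileges();
        LOG.debug("requiredOuputPrivileges = {}", outputPrivileges);
        LOG.debug("outputHierarchyList = {}", set2);

        boolean grantOption = hiveAuthzPrivileges.getGrantOption();
        checkSide(hiveOperation, subject, grantOption, inputPrivileges, set, INPUT_OPTIONAL_FOR, "input");
        checkSide(hiveOperation, subject, grantOption, outputPrivileges, set2, OUTPUT_OPTIONAL_FOR, "output");
    }

    /**
     * Checks one side (input or output) of a statement, see {@link #authorize}.
     *
     * @param required actions required per authorizable type
     * @param hierarchies authorizable hierarchies present on this side
     * @param optionalFor operations for which an absent type is tolerated
     * @param sideLabel "input" or "output", used in the error message only
     */
    private void checkSide(HiveOperation hiveOperation, Subject subject, boolean grantOption,
            Map<DBModelAuthorizable.AuthorizableType, EnumSet<DBModelAction>> required,
            Set<List<DBModelAuthorizable>> hierarchies, Set<HiveOperation> optionalFor, String sideLabel)
            throws AuthorizationException {
        for (Map.Entry<DBModelAuthorizable.AuthorizableType, EnumSet<DBModelAction>> entry : required.entrySet()) {
            DBModelAuthorizable.AuthorizableType type = entry.getKey();
            boolean matched = false;
            for (List<DBModelAuthorizable> hierarchy : hierarchies) {
                if (getAuthzType(hierarchy) != type) {
                    continue;
                }
                matched = true;
                if (!this.authProvider.hasAccess(subject, hierarchy, entry.getValue(), grantOption, this.activeRoleSet)) {
                    throw new AuthorizationException("User " + subject.getName() + " does not have privileges for " + hiveOperation.name());
                }
            }
            if (!matched && type != DBModelAuthorizable.AuthorizableType.URI && !optionalFor.contains(hiveOperation)) {
                throw new AuthorizationException("Required privilege( " + type.name() + ") not available in " + sideLabel + " privileges");
            }
        }
    }

    /**
     * Replaces the session's active role set and records it in {@code hiveConf}.
     *
     * @param str role-set text (see {@link #parseActiveRoleSet(String, Set)})
     * @param set roles held by the current user; {@code str} must be one of them
     * @throws SentryUserException if the user does not hold the requested role
     */
    public void setActiveRoleSet(String str, Set<TSentryRole> set) throws SentryUserException {
        this.activeRoleSet = parseActiveRoleSet(str, set);
        this.hiveConf.set(ACTIVE_ROLE_SET_KEY, str);
    }

    /** @return the role set currently applied to {@link #authorize} calls */
    public ActiveRoleSet getActiveRoleSet() {
        return this.activeRoleSet;
    }

    /** @return the groups the provider's group mapping reports for {@code subject} */
    public Set<String> getGroups(Subject subject) {
        return this.authProvider.getGroupMapping().getGroups(subject.getName());
    }

    /**
     * @return the server authorizable this binding was configured with
     * @throws IllegalStateException if the binding has been closed
     */
    public Server getAuthServer() {
        ensureOpen();
        return this.authServer;
    }

    /** @return the Sentry authorization configuration given at construction */
    public HiveAuthzConf getAuthzConf() {
        return this.authzConf;
    }

    /** @return the Hive configuration given at construction */
    public HiveConf getHiveConf() {
        return this.hiveConf;
    }

    /**
     * Type of the most specific (last) element of a hierarchy.
     *
     * @param list non-empty hierarchy; an empty list raises IndexOutOfBoundsException
     */
    private DBModelAuthorizable.AuthorizableType getAuthzType(List<DBModelAuthorizable> list) {
        return list.get(list.size() - 1).getAuthzType();
    }

    /**
     * @return the provider's record of privileges that failed on the last check
     * @throws IllegalStateException if the binding has been closed
     */
    public List<String> getLastQueryPrivilegeErrors() {
        ensureOpen();
        return this.authProvider.getLastFailedPrivileges();
    }

    /**
     * Closes the underlying provider.
     *
     * <p>NOTE(review): {@code open} is not cleared here, so the
     * "Binding has been closed" checks in {@link #authorize},
     * {@link #getAuthServer} and {@link #getLastQueryPrivilegeErrors} never
     * fire; presumably callers keep using the binding after close() — confirm
     * with the hook code before changing this.
     */
    public void close() {
        this.authProvider.close();
    }

    /** @return the authorization provider built at construction */
    public AuthorizationProvider getCurrentAuthProvider() {
        return this.authProvider;
    }

    /** Fails with the standard message when the binding is not open. */
    private void ensureOpen() {
        if (!this.open) {
            throw new IllegalStateException(CLOSED_MESSAGE);
        }
    }
}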
