package org.apache.hadoop.mapred;

import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:WEB-INF/lib/hadoop-core-2.3.0-mr1-cdh5.1.3.jar:org/apache/hadoop/mapred/ACLsManager.class */
public class ACLsManager {
    private final UserGroupInformation mrOwner;
    private final AccessControlList adminAcl;
    private final JobACLsManager jobACLsManager;
    private final QueueManager queueManager;
    private final boolean aclsEnabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    public ACLsManager(Configuration configuration, JobACLsManager jobACLsManager, QueueManager queueManager) throws IOException {
        if (UserGroupInformation.isLoginKeytabBased()) {
            this.mrOwner = UserGroupInformation.getLoginUser();
        } else {
            this.mrOwner = UserGroupInformation.getCurrentUser();
        }
        this.aclsEnabled = configuration.getBoolean("mapred.acls.enabled", false);
        this.adminAcl = new AccessControlList(configuration.get("mapreduce.cluster.administrators", " "));
        this.adminAcl.addUser(this.mrOwner.getShortUserName());
        this.jobACLsManager = jobACLsManager;
        this.queueManager = queueManager;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public UserGroupInformation getMROwner() {
        return this.mrOwner;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public AccessControlList getAdminsAcl() {
        return this.adminAcl;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public JobACLsManager getJobACLsManager() {
        return this.jobACLsManager;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean isMRAdmin(UserGroupInformation userGroupInformation) {
        return this.adminAcl.isUserAllowed(userGroupInformation);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void checkAccess(JobInProgress jobInProgress, UserGroupInformation userGroupInformation, Operation operation) throws AccessControlException {
        checkAccess(jobInProgress.getStatus(), userGroupInformation, jobInProgress.getProfile().getQueueName(), operation);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void checkAccess(JobStatus jobStatus, UserGroupInformation userGroupInformation, String str, Operation operation) throws AccessControlException {
        checkAccess(jobStatus.getJobID().toString(), userGroupInformation, str, operation, jobStatus.getUsername(), jobStatus.getJobACLs().get(operation.jobACLNeeded));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void checkAccess(String str, UserGroupInformation userGroupInformation, String str2, Operation operation, String str3, AccessControlList accessControlList) throws AccessControlException {
        if (this.aclsEnabled) {
            String shortUserName = userGroupInformation.getShortUserName();
            String str4 = str + " in queue " + str2;
            if (isMRAdmin(userGroupInformation)) {
                AuditLogger.logSuccess(shortUserName, operation.name(), str4);
                return;
            }
            if (operation == Operation.SUBMIT_JOB) {
                if (this.queueManager.hasAccess(str2, operation.qACLNeeded, userGroupInformation)) {
                    AuditLogger.logSuccess(shortUserName, operation.name(), str4);
                    return;
                } else {
                    AuditLogger.logFailure(shortUserName, operation.name(), this.queueManager.getQueueACL(str2, operation.qACLNeeded).toString(), str4, "Unauthorized user");
                    throw new AccessControlException("User " + userGroupInformation.getShortUserName() + " cannot perform operation " + operation.name() + " on queue " + str2 + ".\n Please run \"hadoop queue -showacls\" command to find the queues you have access to .");
                }
            }
            if (operation == Operation.VIEW_TASK_LOGS) {
                if (this.jobACLsManager.checkAccess(userGroupInformation, operation.jobACLNeeded, str3, accessControlList)) {
                    AuditLogger.logSuccess(shortUserName, operation.name(), str4);
                    return;
                }
            } else if (this.queueManager.hasAccess(str2, operation.qACLNeeded, userGroupInformation) || this.jobACLsManager.checkAccess(userGroupInformation, operation.jobACLNeeded, str3, accessControlList)) {
                AuditLogger.logSuccess(shortUserName, operation.name(), str4);
                return;
            }
            AuditLogger.logFailure(shortUserName, operation.name(), accessControlList.toString(), str4, "Unauthorized user");
            throw new AccessControlException("User " + userGroupInformation.getShortUserName() + " cannot perform operation " + operation.name() + " on " + str + " that is in the queue " + str2);
        }
    }
}
