package oracle.hadoop.sql.authz.sentry;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import java.io.IOException;
import java.lang.reflect.UndeclaredThrowableException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import oracle.hadoop.sql.JXADException;
import oracle.hadoop.sql.authz.Authorizables;
import oracle.hadoop.sql.authz.AuthzCore;
import oracle.hadoop.sql.authz.AuthzPrivileges;
import oracle.hadoop.sql.authz.sentry.SentryPrivileges;
import oracle.hadoop.sql.messages.HSqlMessage;
import oracle.hadoop.sql.xadxml.XadUtils;
import oracle.hadoop.sql.xcat.common.XCatConstants;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.sentry.SentryUserException;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.model.db.DBModelAuthorizable;
import org.apache.sentry.core.model.db.Database;
import org.apache.sentry.core.model.db.Server;
import org.apache.sentry.core.model.db.Table;
import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
import org.apache.sentry.provider.db.service.thrift.TSentryAuthorizable;
import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
import org.apache.sentry.provider.db.service.thrift.TSentryPrivilegeMap;
import org.apache.sentry.provider.db.service.thrift.TSentryRole;
import org.apache.sentry.service.thrift.SentryServiceClientFactory;

/* loaded from: input_file:oracle/hadoop/sql/authz/sentry/SentryProviderBackend.class */
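/**
 * Authorization backend that resolves a user's privileges by querying a Sentry policy service.
 *
 * <p>Every lookup opens a {@link SentryPolicyServiceClient}, uses it, and closes it again. Calls
 * that fail are retried according to {@link #RETRY_COUNT_CONF} and {@link #RETRY_INTERVAL_SEC_CONF}
 * read from the Sentry configuration. When the retries are exhausted a {@link JXADException} is
 * raised, so a backend outage surfaces as an error rather than as an empty (or partial) answer.
 */
public class SentryProviderBackend extends AuthzCore.AuthzProviderBackend {
    private static final Log LOG = LogFactory.getLog(SentryProviderBackend.class);

    /** Configuration key: number of retries after a failed call to the Sentry service. */
    public static final String RETRY_COUNT_CONF = "sentry.provider.backend.db.retry.count";
    /** Retry count used when {@link #RETRY_COUNT_CONF} is not set. */
    public static final int RETRY_COUNT_DEFAULT = 3;
    /** Configuration key: pause between retries, in seconds. */
    public static final String RETRY_INTERVAL_SEC_CONF = "sentry.provider.backend.db.retry.interval.seconds";
    /** Retry interval (seconds) used when {@link #RETRY_INTERVAL_SEC_CONF} is not set. */
    public static final int RETRY_INTERVAL_SEC_DEFAULT = 30;

    /** Sentry client configuration taken from the {@code SentryAuthzConf} given to the constructor. */
    protected final Configuration sentryConf;

    /**
     * Creates the backend.
     *
     * @param configuration   general configuration, handed to the superclass
     * @param sentryAuthzConf source of the Sentry client configuration
     * @throws IllegalArgumentException if either argument is {@code null}
     * @throws JXADException declared by the superclass constructor
     */
    public SentryProviderBackend(Configuration configuration, SentryAuthzConf sentryAuthzConf) throws JXADException {
        // Java requires the super call first, so the superclass sees `configuration`
        // before the null checks below run.
        super(configuration);
        if (null == sentryAuthzConf) {
            throw new IllegalArgumentException("null authz conf");
        }
        if (null == configuration) {
            throw new IllegalArgumentException("null conf");
        }
        this.sentryConf = sentryAuthzConf.getSentryConf();
    }

    /**
     * Returns the privileges Sentry reports for the given user.
     *
     * @param authzUser     user whose roles are looked up
     * @param authzDatabase database the request refers to
     * @param authzTable    table the request refers to
     * @return the collected privileges; empty when the user has no Sentry role
     * @throws IllegalArgumentException if any argument is {@code null}
     * @throws JXADException if the Sentry service cannot be queried
     */
    @Override
    public AuthzPrivileges getPrivileges(Authorizables.AuthzUser authzUser, Authorizables.AuthzDatabase authzDatabase, Authorizables.AuthzTable authzTable) throws JXADException {
        if (null == authzUser || null == authzDatabase || null == authzTable) {
            throw new IllegalArgumentException("null input");
        }
        return getAuthzTblPrivileges(authzUser, authzDatabase, authzTable);
    }

    /**
     * Builds an empty {@link SentryPrivileges} for the configured server scope and fills it from
     * the user's Sentry roles.
     */
    private SentryPrivileges getAuthzTblPrivileges(Authorizables.AuthzUser authzUser, Authorizables.AuthzDatabase authzDatabase, Authorizables.AuthzTable authzTable) throws JXADException {
        String serverScope = SentryAuthzConf.getServerScope(this.sentryConf);
        if (LOG.isDebugEnabled()) {
            LOG.debug("backend Sentry global server scope name=" + serverScope);
        }
        SentryPrivileges collected = new SentryPrivileges(serverScope, authzUser, authzDatabase, authzTable);
        listPrivsByUser(getConf(), this.sentryConf, collected, serverScope, authzUser, authzDatabase, authzTable);
        return collected;
    }

    /**
     * Collects privileges by asking Sentry about the server, server/database and
     * server/database/table authorizables, across all of the user's roles
     * ({@link ActiveRoleSet#ALL}).
     *
     * <p>Not called from anywhere in this class as shown; kept as an alternative lookup path.
     */
    private static void listPrivilegsbyAuthorizable(Configuration configuration, Configuration configuration2, SentryPrivileges sentryPrivileges, String str, Authorizables.AuthzUser authzUser, Authorizables.AuthzDatabase authzDatabase, Authorizables.AuthzTable authzTable) throws JXADException {
        String userName = authzUser.getUserName();
        String databaseName = authzDatabase.getDatabaseName();
        String tableName = authzTable.getTableName();
        try {
            // One authorizable path per scope level, from widest to narrowest.
            Set<List<? extends Authorizable>> scopes = new HashSet<>();
            scopes.add(Lists.<DBModelAuthorizable>newArrayList(new Server(str)));
            scopes.add(Lists.<DBModelAuthorizable>newArrayList(new Server(str), new Database(databaseName)));
            scopes.add(Lists.<DBModelAuthorizable>newArrayList(new Server(str), new Database(databaseName), new Table(tableName)));

            Map<TSentryAuthorizable, TSentryPrivilegeMap> byAuthorizable =
                    getPrivilegsbyAuthorizable(configuration, configuration2, userName, scopes, null, ActiveRoleSet.ALL);
            if (LOG.isDebugEnabled()) {
                LOG.debug("sentry listPrivilegsbyAuthorizable begin");
            }
            for (Map.Entry<TSentryAuthorizable, TSentryPrivilegeMap> authorizableEntry : byAuthorizable.entrySet()) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Authorizable=" + authorizableEntry.getKey().toString());
                }
                for (Map.Entry<String, Set<TSentryPrivilege>> roleEntry : authorizableEntry.getValue().getPrivilegeMap().entrySet()) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("sentry listPrivilegsbyAuthorizable role=" + roleEntry.getKey());
                    }
                    Set<TSentryPrivilege> rolePrivileges = roleEntry.getValue();
                    if (null != rolePrivileges && !rolePrivileges.isEmpty()) {
                        addPrivs(rolePrivileges, sentryPrivileges);
                    }
                }
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("sentry listPrivilegsbyAuthorizable end");
            }
        } catch (JXADException e) {
            LOG.debug(e);
            throw e;
        }
    }

    /**
     * Calls {@code listPrivilegsbyAuthorizable} on a fresh Sentry client, retrying on failure.
     *
     * @return an immutable copy of the service's answer
     * @throws JXADException once the configured retries are exhausted
     */
    private static Map<TSentryAuthorizable, TSentryPrivilegeMap> getPrivilegsbyAuthorizable(Configuration configuration, Configuration configuration2, String str, Set<List<? extends Authorizable>> set, Set<String> set2, ActiveRoleSet activeRoleSet) throws JXADException {
        int retryCount = configuration2.getInt(RETRY_COUNT_CONF, RETRY_COUNT_DEFAULT);
        int retryIntervalSec = configuration2.getInt(RETRY_INTERVAL_SEC_CONF, RETRY_INTERVAL_SEC_DEFAULT);
        // Always make at least one attempt, even for a zero or negative retry count.
        int attemptsLeft = Math.max(retryCount + 1, 1);
        while (attemptsLeft > 0) {
            attemptsLeft--;
            SentryPolicyServiceClient client = null;
            try {
                client = getSentryClient(configuration, configuration2);
                return ImmutableMap.copyOf(client.listPrivilegsbyAuthorizable(str, set, set2, activeRoleSet));
            } catch (Exception e) {
                // Throws when attemptsLeft == 0, otherwise sleeps and lets the loop try again.
                checkRetries(attemptsLeft, retryIntervalSec, e);
            } finally {
                // Single close on every path (success, retry, failure).
                if (client != null) {
                    client.close();
                }
            }
        }
        // Not expected to be reached: the last failed attempt throws from checkRetries.
        // If it ever is, the empty map grants nothing.
        return ImmutableMap.of();
    }

    /**
     * Creates a Sentry client while running as the given Hadoop user.
     *
     * @throws JXADException if the client cannot be created or the thread is interrupted
     */
    private static SentryPolicyServiceClient getSentryClientWithUgi(UserGroupInformation userGroupInformation, final Configuration configuration) throws JXADException {
        try {
            return userGroupInformation.doAs(new PrivilegedExceptionAction<SentryPolicyServiceClient>() {
                @Override
                public SentryPolicyServiceClient run() throws Exception {
                    return SentryServiceClientFactory.create(configuration);
                }
            });
        } catch (InterruptedException e) {
            // Keep the interrupt visible to callers instead of consuming it here.
            Thread.currentThread().interrupt();
            throw new JXADException(JXADException.CODE.INTERNAL, e, HSqlMessage.MSG.IO_ERROR, "error getting Sentry client");
        } catch (IOException e) {
            throw new JXADException(JXADException.CODE.INTERNAL, e, HSqlMessage.MSG.IO_ERROR, "error getting Sentry client");
        } catch (UndeclaredThrowableException e2) {
            throw new JXADException(JXADException.CODE.INTERNAL, e2.getCause(), HSqlMessage.MSG.IO_ERROR, "error getting Sentry client");
        }
    }

    /**
     * Creates a Sentry client. When {@code XCatConstants.XCAT_USE_LOGIN_USER} is set in
     * {@code configuration} the client is created as the Hadoop login user; otherwise it is
     * created directly in the caller's context.
     *
     * @param configuration  general configuration holding the login-user switch
     * @param configuration2 Sentry client configuration
     * @throws JXADException if the client cannot be created
     */
    private static SentryPolicyServiceClient getSentryClient(Configuration configuration, Configuration configuration2) throws JXADException {
        boolean asLoginUser = configuration.getBoolean(XCatConstants.XCAT_USE_LOGIN_USER, false);
        if (asLoginUser) {
            try {
                return getSentryClientWithUgi(UserGroupInformation.getLoginUser(), configuration2);
            } catch (IOException e2) {
                throw new JXADException(JXADException.CODE.INTERNAL, e2, HSqlMessage.MSG.IO_ERROR, "error getting Sentry client");
            }
        }
        try {
            return SentryServiceClientFactory.create(configuration2);
        } catch (Exception e) {
            throw new JXADException(JXADException.CODE.INTERNAL, e, HSqlMessage.MSG.IO_ERROR, "error getting Sentry client");
        }
    }

    /**
     * Lists the user's Sentry roles and adds every privilege of every role to
     * {@code sentryPrivileges}.
     *
     * <p>Only obtaining the client and listing the roles is retried. Once the roles are known they
     * are processed exactly once and the method returns; the previous form fell back into the
     * retry loop after a successful pass and repeated the whole lookup for each remaining attempt.
     *
     * @throws JXADException if the roles cannot be listed after all retries, or if adding a
     *                       privilege fails
     */
    private static void listPrivsByUser(Configuration configuration, Configuration configuration2, SentryPrivileges sentryPrivileges, String str, Authorizables.AuthzUser authzUser, Authorizables.AuthzDatabase authzDatabase, Authorizables.AuthzTable authzTable) throws JXADException {
        String userName = authzUser.getUserName();
        int retryCount = configuration2.getInt(RETRY_COUNT_CONF, RETRY_COUNT_DEFAULT);
        int retryIntervalSec = configuration2.getInt(RETRY_INTERVAL_SEC_CONF, RETRY_INTERVAL_SEC_DEFAULT);
        // Always make at least one attempt, even for a zero or negative retry count.
        int attemptsLeft = Math.max(retryCount + 1, 1);
        while (attemptsLeft > 0) {
            attemptsLeft--;
            SentryPolicyServiceClient client = null;
            try {
                Set<TSentryRole> roles;
                try {
                    client = getSentryClient(configuration, configuration2);
                    roles = client.listUserRoles(userName);
                } catch (Exception e) {
                    // Throws when attemptsLeft == 0, otherwise sleeps; the finally below
                    // closes this attempt's client before the next one starts.
                    checkRetries(attemptsLeft, retryIntervalSec, e);
                    continue;
                }
                if (roles == null || roles.isEmpty()) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("no sentry role for " + userName);
                    }
                    return;
                }
                if (LOG.isDebugEnabled()) {
                    LOG.debug("number of sentry roles=" + roles.size());
                }
                for (TSentryRole role : roles) {
                    String roleName = role.getRoleName();
                    if (null == roleName || roleName.trim().isEmpty()) {
                        continue;
                    }
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("sentry role=" + roleName);
                    }
                    try {
                        Set<TSentryPrivilege> rolePrivileges = client.listAllPrivilegesByRoleName(userName, roleName);
                        if (null != rolePrivileges && !rolePrivileges.isEmpty()) {
                            if (LOG.isDebugEnabled()) {
                                LOG.debug("number of privs " + rolePrivileges.size() + " for role " + roleName);
                            }
                            addPrivs(rolePrivileges, sentryPrivileges);
                        } else if (LOG.isDebugEnabled()) {
                            LOG.debug("no privs for role " + roleName);
                        }
                    } catch (SentryUserException e2) {
                        // The role is skipped, so the result errs towards fewer privileges.
                        // Logged at WARN (was DEBUG) so an incomplete privilege set is visible
                        // in normal operation.
                        LOG.warn("sentry role exception ", e2);
                    }
                }
                return;
            } finally {
                if (client != null) {
                    client.close();
                }
            }
        }
    }

    /** Converts each Thrift privilege into a {@code SentryPrivilege} and adds it to the result. */
    private static void addPrivs(Set<TSentryPrivilege> set, SentryPrivileges sentryPrivileges) throws JXADException {
        for (TSentryPrivilege privilege : set) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("sentry privilege=" + privilege.toString());
            }
            SentryPrivileges.SentryPrivilege converted = new SentryPrivileges.SentryPrivilege(
                    privilege.getPrivilegeScope(),
                    privilege.getAction(),
                    privilege.getServerName(),
                    privilege.getDbName(),
                    privilege.getTableName(),
                    privilege.getColumnName());
            sentryPrivileges.addPrivilege(converted);
        }
    }

    /**
     * Decides what happens after a failed call: give up or wait before the next attempt.
     *
     * @param i   attempts still available; {@code 0} means give up
     * @param i2  pause before the next attempt, in seconds
     * @param exc the failure that triggered the retry decision
     * @throws JXADException when no attempts remain, with {@code exc} as cause
     */
    private static void checkRetries(int i, int i2, Exception exc) throws JXADException {
        String failure = "Unable to obtain privileges from server: " + exc.getMessage() + ".";
        if (i == 0) {
            LOG.error(failure, exc);
            throw new JXADException(JXADException.CODE.INTERNAL, exc, HSqlMessage.MSG.IO_ERROR, "error getting Sentry metadata");
        }
        LOG.warn(failure + " Will retry for " + i + " time(s)");
        // NOTE(review): XadUtils.MAX_FIELD_COUNT is used here as the seconds-to-milliseconds
        // factor; it looks like a same-valued constant substituted for a literal - confirm.
        // Widened to long so a large interval cannot overflow, and clamped because
        // Thread.sleep rejects negative durations.
        long pauseMillis = Math.max(0L, (long) i2 * XadUtils.MAX_FIELD_COUNT);
        try {
            Thread.sleep(pauseMillis);
        } catch (InterruptedException e) {
            LOG.info("Sleeping is interrupted.", e);
            // Restore the flag so the interruption is not lost to callers.
            Thread.currentThread().interrupt();
        }
    }
}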
