package org.apache.hadoop.hive.llap.security;

import com.google.protobuf.ByteString;
import com.google.protobuf.RpcController;
import com.google.protobuf.ServiceException;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.TimeUnit;
import javax.net.SocketFactory;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.llap.LlapUtil;
import org.apache.hadoop.hive.llap.daemon.rpc.LlapDaemonProtocolProtos;
import org.apache.hadoop.hive.llap.impl.LlapManagementProtocolClientImpl;
import org.apache.hadoop.hive.llap.registry.LlapServiceInstance;
import org.apache.hadoop.hive.llap.registry.impl.LlapRegistryService;
import org.apache.hadoop.hive.registry.ServiceInstanceSet;
import org.apache.hadoop.io.DataInputByteBuffer;
import org.apache.hadoop.io.retry.RetryPolicies;
import org.apache.hadoop.io.retry.RetryPolicy;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hive/llap/security/LlapTokenClient.class */
public class LlapTokenClient {
    private static final Logger LOG;
    private final LlapRegistryService registry = new LlapRegistryService(false);
    private final SocketFactory socketFactory;
    private final RetryPolicy retryPolicy;
    private final Configuration conf;
    private ServiceInstanceSet<LlapServiceInstance> activeInstances;
    private Collection<LlapServiceInstance> lastKnownInstances;
    private LlapManagementProtocolClientImpl client;
    private LlapServiceInstance clientInstance;
    private Token<LlapTokenIdentifier> currentToken;
    static final /* synthetic */ boolean $assertionsDisabled;

    public LlapTokenClient(Configuration configuration) {
        this.conf = configuration;
        this.registry.init(configuration);
        this.socketFactory = NetUtils.getDefaultSocketFactory(configuration);
        this.retryPolicy = RetryPolicies.retryUpToMaximumTimeWithFixedSleep(16000L, 2000L, TimeUnit.MILLISECONDS);
    }

    public Token<LlapTokenIdentifier> getDelegationToken(String str) throws IOException {
        if (!UserGroupInformation.isSecurityEnabled()) {
            return null;
        }
        Iterator<LlapServiceInstance> it = null;
        if (this.clientInstance == null) {
            if (!$assertionsDisabled && this.client != null) {
                throw new AssertionError();
            }
            it = getLlapServices(false).iterator();
            this.clientInstance = it.next();
        }
        boolean z = false;
        while (true) {
            try {
                Token<LlapTokenIdentifier> extractToken = extractToken(getTokenBytes(str));
                LOG.info("Obtained a LLAP delegation token from {}: {}", this.clientInstance, extractToken);
                return extractToken;
            } catch (IOException | ServiceException e) {
                LOG.error("Cannot get a token, trying a different instance", e);
                this.client = null;
                this.clientInstance = null;
                this.currentToken = null;
                if (it != null && it.hasNext()) {
                    continue;
                } else {
                    if (z) {
                        throw new RuntimeException("Cannot find any LLAPs to get the token from");
                    }
                    it = getLlapServices(true).iterator();
                    z = true;
                }
                this.clientInstance = it.next();
            }
        }
    }

    private Token<LlapTokenIdentifier> extractToken(ByteString byteString) throws IOException {
        Token<LlapTokenIdentifier> token = new Token<>();
        DataInputByteBuffer dataInputByteBuffer = new DataInputByteBuffer();
        dataInputByteBuffer.reset(new ByteBuffer[]{byteString.asReadOnlyByteBuffer()});
        token.readFields(dataInputByteBuffer);
        return token;
    }

    private ByteString getTokenBytes(String str) throws IOException, ServiceException {
        if (!$assertionsDisabled && this.clientInstance == null) {
            throw new AssertionError();
        }
        if (this.currentToken == null) {
            LOG.info("currentToken is null, let's try to fetch one with kerberos login");
            return fetchTokenWithKerberosLogin(str);
        }
        try {
            return fetchTokenWithCurrentToken(str);
        } catch (IOException | ServiceException e) {
            LOG.warn("Exception while getting delegation token, trying with kerberos login", e);
            return fetchTokenWithKerberosLogin(str);
        }
    }

    private ByteString fetchTokenWithCurrentToken(String str) throws IOException, ServiceException {
        return getTokenWithUgi(str, getUgiWithCurrentToken());
    }

    private ByteString fetchTokenWithKerberosLogin(String str) throws IOException, ServiceException {
        return getTokenWithUgi(str, getUgiFromKerberosLogin());
    }

    private UserGroupInformation getUgiWithCurrentToken() throws IOException {
        UserGroupInformation createRemoteUser = UserGroupInformation.createRemoteUser(UserGroupInformation.getCurrentUser().getShortUserName());
        String host = new URL(this.clientInstance.getServicesAddress()).getHost();
        int managementPort = this.clientInstance.getManagementPort();
        InetSocketAddress createSocketAddrForHost = NetUtils.createSocketAddrForHost(host, managementPort);
        LOG.debug("Setup token with {}:{}, socketAddr: {}", new Object[]{host, Integer.valueOf(managementPort), createSocketAddrForHost});
        SecurityUtil.setTokenService(this.currentToken, createSocketAddrForHost);
        createRemoteUser.addToken(this.currentToken);
        return createRemoteUser;
    }

    private UserGroupInformation getUgiFromKerberosLogin() throws IOException {
        String var = HiveConf.getVar(this.conf, HiveConf.ConfVars.LLAP_KERBEROS_PRINCIPAL);
        String var2 = HiveConf.getVar(this.conf, HiveConf.ConfVars.LLAP_KERBEROS_KEYTAB_FILE);
        LOG.info("Logging in using principal {} and keytab {}", var, var2);
        return LlapUtil.loginWithKerberos(var, var2);
    }

    private ByteString getTokenWithUgi(String str, UserGroupInformation userGroupInformation) throws ServiceException {
        if (this.client == null) {
            this.client = new LlapManagementProtocolClientImpl(this.conf, this.clientInstance.getHost(), this.clientInstance.getManagementPort(), this.retryPolicy, this.socketFactory);
        }
        this.client.withUgi(userGroupInformation);
        LlapDaemonProtocolProtos.GetTokenRequestProto.Builder newBuilder = LlapDaemonProtocolProtos.GetTokenRequestProto.newBuilder();
        if (!StringUtils.isBlank(str)) {
            newBuilder.setAppId(str);
        }
        return this.client.getDelegationToken((RpcController) null, newBuilder.build()).getToken();
    }

    private synchronized List<LlapServiceInstance> getLlapServices(boolean z) throws IOException {
        if (!z && this.lastKnownInstances != null) {
            return new ArrayList(this.lastKnownInstances);
        }
        if (this.activeInstances == null) {
            this.registry.start();
            this.activeInstances = this.registry.getInstances();
        }
        Collection<LlapServiceInstance> all = this.activeInstances.getAll();
        if (all == null || all.isEmpty()) {
            throw new RuntimeException("No LLAPs found");
        }
        this.lastKnownInstances = all;
        return new ArrayList(this.lastKnownInstances);
    }

    public LlapTokenClient withCurrentToken(Token<LlapTokenIdentifier> token) {
        this.currentToken = token;
        return this;
    }

    static {
        $assertionsDisabled = !LlapTokenClient.class.desiredAssertionStatus();
        LOG = LoggerFactory.getLogger(LlapTokenClient.class);
    }
}
