package org.apache.impala.authorization.ranger;

import com.google.common.annotations.VisibleForTesting;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.regex.Pattern;
import org.apache.hadoop.hive.metastore.api.PrincipalType;
import org.apache.impala.authorization.AuthorizationDelta;
import org.apache.impala.authorization.AuthorizationManager;
import org.apache.impala.authorization.Privilege;
import org.apache.impala.authorization.User;
import org.apache.impala.authorization.ranger.RangerBufferAuditHandler;
import org.apache.impala.catalog.CatalogServiceCatalog;
import org.apache.impala.common.ImpalaException;
import org.apache.impala.common.InternalException;
import org.apache.impala.thrift.TCatalogServiceRequestHeader;
import org.apache.impala.thrift.TCreateDropRoleParams;
import org.apache.impala.thrift.TDdlExecResponse;
import org.apache.impala.thrift.TGrantRevokePrivParams;
import org.apache.impala.thrift.TGrantRevokeRoleParams;
import org.apache.impala.thrift.TPrivilege;
import org.apache.impala.thrift.TPrivilegeLevel;
import org.apache.impala.thrift.TResultSet;
import org.apache.impala.thrift.TShowGrantPrincipalParams;
import org.apache.impala.thrift.TShowRolesParams;
import org.apache.impala.thrift.TShowRolesResult;
import org.apache.impala.util.ClassUtil;
import org.apache.ranger.plugin.model.RangerRole;
import org.apache.ranger.plugin.util.GrantRevokeRequest;
import org.apache.ranger.plugin.util.GrantRevokeRoleRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/impala/authorization/ranger/RangerCatalogdAuthorizationManager.class */
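/**
 * Catalogd-side {@link AuthorizationManager} backed by Apache Ranger.
 *
 * <p>Role DDL (CREATE/DROP ROLE, GRANT/REVOKE ROLE) and privilege DDL (GRANT/REVOKE ... TO/FROM
 * USER, GROUP or ROLE) is forwarded to the Ranger plugin obtained from {@code plugin_}. After a
 * successful change the catalog's authorization-cache invalidation version is bumped and the
 * resulting catalog object is attached to the DDL response (presumably so that coordinators pick
 * the change up on the next statement — confirm against the caller). SHOW ROLES and SHOW GRANT are
 * not served by catalogd and always throw {@link UnsupportedOperationException}.
 *
 * <p>Privilege requests carry the grantor's short name, the client IP and the <em>redacted</em>
 * SQL text from the request header, which is what reaches the Ranger audit handler.
 *
 * <p>Thread-safety: this class holds no mutable state of its own; it is as safe as the plugin
 * supplier and catalog it delegates to.
 */
public class RangerCatalogdAuthorizationManager implements AuthorizationManager {
    private static final Logger LOG = LoggerFactory.getLogger(RangerCatalogdAuthorizationManager.class);
    /** Marker handed to the catalog when bumping the authz-cache invalidation version. */
    private static final String AUTHZ_CACHE_INVALIDATION_MARKER = "ranger";
    /**
     * Matches the Ranger error text returned when the grantor may not grant a role. Compiled once
     * instead of on every failure.
     */
    private static final Pattern PERMISSION_DENIED_PATTERN =
            Pattern.compile(".*doesn't have permissions.*");
    private final Supplier<RangerImpalaPlugin> plugin_;
    private final CatalogServiceCatalog catalog_;

    /**
     * A single plugin call on one request under an audit handler. Declared locally so that grant
     * and revoke share the audit/close/error-handling loop; it may throw whatever Ranger throws.
     */
    @FunctionalInterface
    private interface AccessCall {
        void run(RangerImpalaPlugin plugin, GrantRevokeRequest request,
                RangerBufferAuditHandler.AutoFlush auditHandler) throws Exception;
    }

    /**
     * @param supplier source of the Ranger plugin; queried on every call rather than cached here
     * @param catalogServiceCatalog catalog whose authz-cache invalidation version is bumped after
     *     each successful change
     */
    public RangerCatalogdAuthorizationManager(Supplier<RangerImpalaPlugin> supplier,
            CatalogServiceCatalog catalogServiceCatalog) {
        this.plugin_ = supplier;
        this.catalog_ = catalogServiceCatalog;
    }

    /**
     * Creates a Ranger role named by {@code params}, recorded as created by {@code user}.
     *
     * @throws InternalException wrapping any failure reported by Ranger
     */
    @Override
    public void createRole(User user, TCreateDropRoleParams params, TDdlExecResponse response)
            throws ImpalaException {
        RangerRole role = new RangerRole();
        role.setName(params.getRole_name());
        role.setCreatedByUser(user.getShortName());
        try {
            // NOTE(review): unlike dropRole(), there is no RangerUtil.validateRangerAdmin() call
            // before this request; presumably Ranger enforces who may create roles — confirm.
            plugin_.get().createRole(role, null);
            refreshAuthorization(response);
        } catch (Exception e) {
            LOG.error("Error creating role {} by user {} in Ranger.", params.getRole_name(),
                    user.getShortName(), e);
            throw new InternalException("Error creating role " + params.getRole_name() + " by user "
                    + user.getShortName() + " in Ranger. Ranger error message: " + e.getMessage());
        }
    }

    /**
     * Drops the Ranger role named by {@code params}. The requesting user must pass
     * {@link RangerUtil#validateRangerAdmin}; that check runs before the drop is attempted.
     *
     * @throws InternalException wrapping any failure, including a failed admin check
     */
    @Override
    public void dropRole(User user, TCreateDropRoleParams params, TDdlExecResponse response)
            throws ImpalaException {
        try {
            RangerUtil.validateRangerAdmin(plugin_.get(), user.getShortName());
            plugin_.get().dropRole(user.getShortName(), params.getRole_name(), null);
            refreshAuthorization(response);
        } catch (Exception e) {
            LOG.error("Error dropping role {} by user {} in Ranger.", params.getRole_name(),
                    user.getShortName(), e);
            throw new InternalException("Error dropping role " + params.getRole_name() + " by user "
                    + user.getShortName() + " in Ranger. Ranger error message: " + e.getMessage());
        }
    }

    /** Not served by catalogd; always throws {@link UnsupportedOperationException}. */
    @Override
    public TShowRolesResult getRoles(TShowRolesParams params) throws ImpalaException {
        throw new UnsupportedOperationException(
                String.format("%s is not supported in Catalogd", ClassUtil.getMethodName()));
    }

    /**
     * Grants the roles in {@code params} to the groups in {@code params}, with {@code user} as
     * grantor.
     *
     * @throws InternalException wrapping any failure reported by Ranger; a Ranger
     *     "doesn't have permissions" error is reported with a fixed HTTP 400 message
     */
    @Override
    public void grantRoleToGroup(User user, TGrantRevokeRoleParams params, TDdlExecResponse response)
            throws ImpalaException {
        GrantRevokeRoleRequest request = createGrantRevokeRoleRequest(user.getShortName(),
                new HashSet<>(params.getRole_names()), new HashSet<>(params.getGroup_names()));
        try {
            // The same request is revoked before it is granted; presumably so that a repeated
            // GRANT does not leave duplicate group entries on the role in Ranger — confirm.
            plugin_.get().revokeRole(request, null);
            plugin_.get().grantRole(request, null);
            refreshAuthorization(response);
        } catch (Exception e) {
            // Only used for messages: take the first name safely rather than indexing get(0),
            // so an empty list cannot mask the real Ranger error with an IndexOutOfBoundsException.
            String roleName = first(params.getRole_names());
            String groupName = first(params.getGroup_names());
            String rangerMsg = e.getMessage();
            // getMessage() may be null; the regex must not be applied to a null input.
            if (rangerMsg != null && PERMISSION_DENIED_PATTERN.matcher(rangerMsg).matches()) {
                LOG.error("Error granting role {} to group {} by user {} in Ranger. Ranger error message: "
                        + "HTTP 400 Error: User doesn't have permissions to grant role " + roleName,
                        roleName, groupName, user.getShortName(), e);
                throw new InternalException("Error granting role " + roleName + " to group " + groupName
                        + " by user " + user.getShortName() + " in Ranger. Ranger error message: "
                        + "HTTP 400 Error: User doesn't have permissions to grant role " + roleName);
            }
            LOG.error("Error granting role {} to group {} by user {} in Ranger. Ranger error message: "
                    + rangerMsg, roleName, groupName, user.getShortName(), e);
            throw new InternalException("Error granting role " + roleName + " to group " + groupName
                    + " by user " + user.getShortName() + " in Ranger. Ranger error message: " + rangerMsg);
        }
    }

    /**
     * Revokes the roles in {@code params} from the groups in {@code params}, with {@code user} as
     * grantor.
     *
     * @throws InternalException wrapping any failure reported by Ranger
     */
    @Override
    public void revokeRoleFromGroup(User user, TGrantRevokeRoleParams params,
            TDdlExecResponse response) throws ImpalaException {
        try {
            GrantRevokeRoleRequest request = createGrantRevokeRoleRequest(user.getShortName(),
                    new HashSet<>(params.getRole_names()), new HashSet<>(params.getGroup_names()));
            plugin_.get().revokeRole(request, null);
            refreshAuthorization(response);
        } catch (Exception e) {
            String roleName = first(params.getRole_names());
            String groupName = first(params.getGroup_names());
            LOG.error("Error revoking role {} from group {} by user {} in Ranger. Ranger error message: "
                    + e.getMessage(), roleName, groupName, user.getShortName(), e);
            throw new InternalException("Error revoking role " + roleName + " from group " + groupName
                    + " by user " + user.getShortName() + " in Ranger. Ranger error message: "
                    + e.getMessage());
        }
    }

    /** Grants the privileges in {@code params} to the role named as its principal. */
    @Override
    public void grantPrivilegeToRole(TCatalogServiceRequestHeader header, TGrantRevokePrivParams params,
            TDdlExecResponse response) throws ImpalaException {
        List<GrantRevokeRequest> requests = requestsFor(header, params, true, null,
                Collections.emptyList(), Collections.singletonList(params.getPrincipal_name()));
        grantPrivilege(requests, header.getRedacted_sql_stmt(), header.getClient_ip());
        refreshAuthorization(response);
    }

    /** Revokes the privileges in {@code params} from the role named as its principal. */
    @Override
    public void revokePrivilegeFromRole(TCatalogServiceRequestHeader header,
            TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
        List<GrantRevokeRequest> requests = requestsFor(header, params, false, null,
                Collections.emptyList(), Collections.singletonList(params.getPrincipal_name()));
        revokePrivilege(requests, header.getRedacted_sql_stmt(), header.getClient_ip());
        refreshAuthorization(response);
    }

    /** Grants the privileges in {@code params} to the user named as its principal. */
    @Override
    public void grantPrivilegeToUser(TCatalogServiceRequestHeader header, TGrantRevokePrivParams params,
            TDdlExecResponse response) throws ImpalaException {
        List<GrantRevokeRequest> requests = requestsFor(header, params, true,
                params.getPrincipal_name(), Collections.emptyList(), Collections.emptyList());
        grantPrivilege(requests, header.getRedacted_sql_stmt(), header.getClient_ip());
        refreshAuthorization(response);
    }

    /** Revokes the privileges in {@code params} from the user named as its principal. */
    @Override
    public void revokePrivilegeFromUser(TCatalogServiceRequestHeader header,
            TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
        List<GrantRevokeRequest> requests = requestsFor(header, params, false,
                params.getPrincipal_name(), Collections.emptyList(), Collections.emptyList());
        revokePrivilege(requests, header.getRedacted_sql_stmt(), header.getClient_ip());
        refreshAuthorization(response);
    }

    /** Grants the privileges in {@code params} to the group named as its principal. */
    @Override
    public void grantPrivilegeToGroup(TCatalogServiceRequestHeader header, TGrantRevokePrivParams params,
            TDdlExecResponse response) throws ImpalaException {
        List<GrantRevokeRequest> requests = requestsFor(header, params, true, null,
                Collections.singletonList(params.getPrincipal_name()), Collections.emptyList());
        grantPrivilege(requests, header.getRedacted_sql_stmt(), header.getClient_ip());
        refreshAuthorization(response);
    }

    /** Revokes the privileges in {@code params} from the group named as its principal. */
    @Override
    public void revokePrivilegeFromGroup(TCatalogServiceRequestHeader header,
            TGrantRevokePrivParams params, TDdlExecResponse response) throws ImpalaException {
        List<GrantRevokeRequest> requests = requestsFor(header, params, false, null,
                Collections.singletonList(params.getPrincipal_name()), Collections.emptyList());
        revokePrivilege(requests, header.getRedacted_sql_stmt(), header.getClient_ip());
        refreshAuthorization(response);
    }

    /**
     * Builds the Ranger requests for one GRANT/REVOKE statement. The grantor is the requesting
     * user's short name; cluster name comes from the plugin and client IP from the header.
     *
     * @param isGrant true for GRANT, false for REVOKE
     * @param user target user, or null when the target is a group or role
     * @param groups target groups (possibly empty)
     * @param roles target roles (possibly empty)
     */
    private List<GrantRevokeRequest> requestsFor(TCatalogServiceRequestHeader header,
            TGrantRevokePrivParams params, boolean isGrant, String user, List<String> groups,
            List<String> roles) {
        String grantor = new User(header.getRequesting_user()).getShortName();
        return createGrantRevokeRequests(grantor, isGrant, user, groups, roles,
                plugin_.get().getClusterName(), header.getClient_ip(), params.getPrivileges());
    }

    /**
     * Sends each request to Ranger as a grant, auditing it with {@code sqlStmt} and {@code clientIp}.
     *
     * @param requests one request per resource, as built by {@link #createGrantRevokeRequests}
     * @param sqlStmt statement text recorded in the audit event; callers pass the redacted text
     * @param clientIp client address recorded in the audit event
     * @throws InternalException wrapping any failure reported by Ranger
     */
    @VisibleForTesting
    public void grantPrivilege(List<GrantRevokeRequest> requests, String sqlStmt, String clientIp)
            throws ImpalaException {
        applyWithAudit(requests, sqlStmt, clientIp,
                (plugin, request, auditHandler) -> plugin.grantAccess(request, auditHandler), "granting");
    }

    /**
     * Sends each request to Ranger as a revoke, auditing it with {@code sqlStmt} and {@code clientIp}.
     *
     * @param requests one request per resource, as built by {@link #createGrantRevokeRequests}
     * @param sqlStmt statement text recorded in the audit event; callers pass the redacted text
     * @param clientIp client address recorded in the audit event
     * @throws InternalException wrapping any failure reported by Ranger
     */
    @VisibleForTesting
    public void revokePrivilege(List<GrantRevokeRequest> requests, String sqlStmt, String clientIp)
            throws ImpalaException {
        applyWithAudit(requests, sqlStmt, clientIp,
                (plugin, request, auditHandler) -> plugin.revokeAccess(request, auditHandler), "revoking");
    }

    /**
     * Shared loop for grant/revoke: runs {@code call} once per request, each under its own
     * {@link RangerBufferAuditHandler.AutoFlush} which is always closed, and converts any failure
     * into an {@link InternalException} whose message starts with "Error {verb} a privilege".
     *
     * @param verb "granting" or "revoking", used only in the log and error messages
     */
    private void applyWithAudit(List<GrantRevokeRequest> requests, String sqlStmt, String clientIp,
            AccessCall call, String verb) throws ImpalaException {
        try {
            for (GrantRevokeRequest request : requests) {
                // One handler per request. The decompiled original inlined the try-with-resources
                // desugaring; restoring it keeps close() (which, going by the name, flushes the
                // buffered audit event — confirm) on every path without the null-'th' hazard.
                try (RangerBufferAuditHandler.AutoFlush auditHandler = RangerBufferAuditHandler.autoFlush(
                        sqlStmt, plugin_.get().getClusterName(), clientIp)) {
                    call.run(plugin_.get(), request, auditHandler);
                }
            }
        } catch (Exception e) {
            LOG.error("Error " + verb + " a privilege in Ranger: ", e);
            throw new InternalException("Error " + verb + " a privilege in Ranger. Ranger error message: "
                    + e.getMessage());
        }
    }

    /** Not served by catalogd; always throws {@link UnsupportedOperationException}. */
    @Override
    public TResultSet getPrivileges(TShowGrantPrincipalParams params) throws ImpalaException {
        throw new UnsupportedOperationException(
                String.format("%s is not supported in Catalogd", ClassUtil.getMethodName()));
    }

    /**
     * Intentional no-op: this implementation does not maintain owner privileges on database
     * ownership changes (presumably left to Ranger's own ownership handling — confirm).
     */
    @Override
    public void updateDatabaseOwnerPrivilege(String serverName, String databaseName, String oldOwner,
            PrincipalType oldOwnerType, String newOwner, PrincipalType newOwnerType,
            TDdlExecResponse response) throws ImpalaException {
    }

    /**
     * Intentional no-op: this implementation does not maintain owner privileges on table
     * ownership changes (presumably left to Ranger's own ownership handling — confirm).
     */
    @Override
    public void updateTableOwnerPrivilege(String serverName, String databaseName, String tableName,
            String oldOwner, PrincipalType oldOwnerType, String newOwner, PrincipalType newOwnerType,
            TDdlExecResponse response) throws ImpalaException {
    }

    /**
     * Bumps the catalog's authz-cache invalidation version under the "ranger" marker and returns
     * a delta containing only the resulting catalog object.
     *
     * @param resetVersions unused by this implementation; the version is always bumped
     */
    @Override
    public AuthorizationDelta refreshAuthorization(boolean resetVersions) {
        AuthorizationDelta delta = new AuthorizationDelta();
        delta.addCatalogObjectAdded(
                catalog_.incrementAuthzCacheInvalidationVersion(AUTHZ_CACHE_INVALIDATION_MARKER)
                        .toTCatalogObject());
        return delta;
    }

    /** Bumps the invalidation version and records the new catalog object on the DDL response. */
    private void refreshAuthorization(TDdlExecResponse response) {
        response.result.setUpdated_catalog_objects(refreshAuthorization(false).getCatalogObjectsAdded());
    }

    /** First element of {@code names}, or null when the list is null or empty. Message use only. */
    private static String first(List<String> names) {
        return (names == null || names.isEmpty()) ? null : names.get(0);
    }

    /**
     * Expands one GRANT/REVOKE statement into the Ranger requests it needs: for each privilege,
     * one request per resource shape its scope covers, decided in this order:
     * <ul>
     *   <li>column or table name set: column resource;</li>
     *   <li>URI set: URI resource;</li>
     *   <li>function name set: function resource;</li>
     *   <li>database name set: column resource and function resource;</li>
     *   <li>neither storage URL nor storage type set (server level): column, function, URI and
     *       storage-handler URI resources;</li>
     *   <li>otherwise: storage-handler URI resource.</li>
     * </ul>
     *
     * @param grantor short name of the requesting user
     * @param isGrant true for GRANT, false for REVOKE
     * @param user target user, or null
     * @param groups target groups (possibly empty)
     * @param roles target roles (possibly empty)
     * @param clusterName Ranger cluster name
     * @param clientIp client address recorded on each request
     * @param privileges privileges named by the statement
     * @return the requests, in the order above; empty when {@code privileges} is empty
     */
    public static List<GrantRevokeRequest> createGrantRevokeRequests(String grantor, boolean isGrant,
            String user, List<String> groups, List<String> roles, String clusterName, String clientIp,
            List<TPrivilege> privileges) {
        List<GrantRevokeRequest> requests = new ArrayList<>();
        for (TPrivilege privilege : privileges) {
            Function<Map<String, String>, GrantRevokeRequest> forResource = resource ->
                    createGrantRevokeRequest(grantor, user, groups, roles, clusterName,
                            privilege.has_grant_opt, isGrant, privilege.privilege_level, resource,
                            clientIp);
            if (privilege.getColumn_name() != null || privilege.getTable_name() != null) {
                requests.add(forResource.apply(RangerUtil.createColumnResource(privilege)));
            } else if (privilege.getUri() != null) {
                requests.add(forResource.apply(RangerUtil.createUriResource(privilege)));
            } else if (privilege.getFn_name() != null) {
                requests.add(forResource.apply(RangerUtil.createFunctionResource(privilege)));
            } else if (privilege.getDb_name() != null) {
                requests.add(forResource.apply(RangerUtil.createColumnResource(privilege)));
                requests.add(forResource.apply(RangerUtil.createFunctionResource(privilege)));
            } else if (privilege.getStorage_url() == null && privilege.getStorage_type() == null) {
                requests.add(forResource.apply(RangerUtil.createColumnResource(privilege)));
                requests.add(forResource.apply(RangerUtil.createFunctionResource(privilege)));
                requests.add(forResource.apply(RangerUtil.createUriResource(privilege)));
                requests.add(forResource.apply(RangerUtil.createStorageHandlerUriResource(privilege)));
            } else {
                requests.add(forResource.apply(RangerUtil.createStorageHandlerUriResource(privilege)));
            }
        }
        return requests;
    }

    /**
     * Builds one Ranger request for a single resource.
     *
     * <p>WITH GRANT OPTION maps to Ranger's delegate-admin flag, which only a GRANT ever sets. A
     * REVOKE that names the grant option carries no access types at all, i.e. it removes only
     * delegate-admin; every other request carries the access type of {@code level}: on a
     * storage-handler resource (the resource map has the storage-type key) only ALL, OWNER and
     * RWSTORAGE translate, to "rwstorage"; elsewhere INSERT becomes the plugin's update access
     * type, RWSTORAGE is skipped, and any other level is its lower-cased name.
     *
     * @param grantor short name of the requesting user; grantor groups are looked up from it
     * @param user target user, or null
     * @param groups target groups (possibly empty)
     * @param roles target roles (possibly empty)
     * @param clusterName Ranger cluster name
     * @param withGrantOpt whether the statement said WITH GRANT OPTION / GRANT OPTION FOR
     * @param isGrant true for GRANT, false for REVOKE
     * @param level privilege level of the statement
     * @param resource Ranger resource map for this request
     * @param clientIp client address recorded on the request
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static GrantRevokeRequest createGrantRevokeRequest(String grantor, String user,
            List<String> groups, List<String> roles, String clusterName, boolean withGrantOpt,
            boolean isGrant, TPrivilegeLevel level, Map<String, String> resource, String clientIp) {
        GrantRevokeRequest request = new GrantRevokeRequest();
        request.setGrantor(grantor);
        request.setGrantorGroups(RangerUtil.getGroups(grantor));
        if (user != null) {
            request.getUsers().add(user);
        }
        if (!groups.isEmpty()) {
            request.getGroups().addAll(groups);
        }
        if (!roles.isEmpty()) {
            request.getRoles().addAll(roles);
        }
        request.setDelegateAdmin(Boolean.valueOf(isGrant && withGrantOpt));
        request.setEnableAudit(Boolean.TRUE);
        request.setReplaceExistingPermissions(Boolean.FALSE);
        request.setClusterName(clusterName);
        request.setResource(resource);
        request.setClientIPAddress(clientIp);
        // REVOKE GRANT OPTION FOR ... leaves the access types empty on purpose.
        if (isGrant || !withGrantOpt) {
            if (resource.containsKey(RangerImpalaResourceBuilder.STORAGE_TYPE)) {
                if (level == TPrivilegeLevel.ALL || level == TPrivilegeLevel.OWNER
                        || level == TPrivilegeLevel.RWSTORAGE) {
                    // Locale.ROOT: access-type names are protocol strings, not user-facing text,
                    // so the JVM's default locale must not influence the casing.
                    request.getAccessTypes().add(Privilege.RWSTORAGE.name().toLowerCase(Locale.ROOT));
                }
            } else if (level == TPrivilegeLevel.INSERT) {
                request.getAccessTypes().add(RangerAuthorizationChecker.UPDATE_ACCESS_TYPE);
            } else if (level != TPrivilegeLevel.RWSTORAGE) {
                request.getAccessTypes().add(level.name().toLowerCase(Locale.ROOT));
            }
        }
        return request;
    }

    /**
     * Builds a role grant/revoke request with {@code grantor} as grantor, targeting {@code roles}
     * for {@code groups}.
     */
    private static GrantRevokeRoleRequest createGrantRevokeRoleRequest(String grantor,
            Set<String> roles, Set<String> groups) {
        GrantRevokeRoleRequest request = new GrantRevokeRoleRequest();
        request.setGrantor(grantor);
        request.setTargetRoles(roles);
        request.setGroups(groups);
        return request;
    }
}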
