package org.apache.impala.authorization.ranger;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.collect.Lists;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.impala.analysis.AnalysisContext;
import org.apache.impala.authorization.Authorizable;
import org.apache.impala.authorization.AuthorizableTable;
import org.apache.impala.authorization.AuthorizationConfig;
import org.apache.impala.authorization.AuthorizationContext;
import org.apache.impala.authorization.AuthorizationException;
import org.apache.impala.authorization.BaseAuthorizationChecker;
import org.apache.impala.authorization.DefaultAuthorizableFactory;
import org.apache.impala.authorization.Privilege;
import org.apache.impala.authorization.PrivilegeRequest;
import org.apache.impala.authorization.User;
import org.apache.impala.catalog.FeCatalog;
import org.apache.impala.common.InternalException;
import org.apache.impala.common.RuntimeEnv;
import org.apache.impala.service.BackendConfig;
import org.apache.impala.thrift.TSessionState;
import org.apache.impala.util.EventSequence;
import org.apache.ranger.audit.model.AuthzAuditEvent;
import org.apache.ranger.plugin.model.RangerServiceDef;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/impala/authorization/ranger/RangerAuthorizationChecker.class */
public class RangerAuthorizationChecker extends BaseAuthorizationChecker {
    private static final Logger LOG = LoggerFactory.getLogger(RangerAuthorizationChecker.class);
    public static final String UPDATE_ACCESS_TYPE = "update";
    public static final String SELECT_ACCESS_TYPE = "select";
    private final RangerImpalaPlugin plugin_;

    public RangerAuthorizationChecker(AuthorizationConfig authorizationConfig) {
        super(authorizationConfig);
        Preconditions.checkArgument(authorizationConfig instanceof RangerAuthorizationConfig);
        RangerAuthorizationConfig rangerAuthorizationConfig = (RangerAuthorizationConfig) authorizationConfig;
        this.plugin_ = RangerImpalaPlugin.getInstance(rangerAuthorizationConfig.getServiceType(), rangerAuthorizationConfig.getAppId());
    }

    @Override // org.apache.impala.authorization.BaseAuthorizationChecker
    protected boolean authorizeResource(AuthorizationContext authorizationContext, User user, PrivilegeRequest privilegeRequest) throws InternalException {
        Preconditions.checkArgument(authorizationContext instanceof RangerAuthorizationContext);
        Preconditions.checkNotNull(user);
        Preconditions.checkNotNull(privilegeRequest);
        RangerAuthorizationContext rangerAuthorizationContext = (RangerAuthorizationContext) authorizationContext;
        ArrayList<RangerAccessResourceImpl> arrayList = new ArrayList();
        Authorizable authorizable = privilegeRequest.getAuthorizable();
        Privilege privilege = privilegeRequest.getPrivilege();
        switch (authorizable.getType()) {
            case SERVER:
                arrayList.add(new RangerImpalaResourceBuilder().database(DefaultAuthorizableFactory.ALL).table(DefaultAuthorizableFactory.ALL).column(DefaultAuthorizableFactory.ALL).build());
                arrayList.add(new RangerImpalaResourceBuilder().database(DefaultAuthorizableFactory.ALL).function(DefaultAuthorizableFactory.ALL).build());
                arrayList.add(new RangerImpalaResourceBuilder().uri(DefaultAuthorizableFactory.ALL).build());
                if (privilege == Privilege.ALL || privilege == Privilege.OWNER || privilege == Privilege.RWSTORAGE) {
                    arrayList.add(new RangerImpalaResourceBuilder().storageType(DefaultAuthorizableFactory.ALL).storageUri(DefaultAuthorizableFactory.ALL).build());
                    break;
                }
                break;
            case DB:
                arrayList.add(new RangerImpalaResourceBuilder().database(authorizable.getDbName()).owner(authorizable.getOwnerUser()).build());
                break;
            case TABLE:
                arrayList.add(new RangerImpalaResourceBuilder().database(authorizable.getDbName()).table(authorizable.getTableName()).owner(authorizable.getOwnerUser()).build());
                break;
            case COLUMN:
                RangerImpalaResourceBuilder rangerImpalaResourceBuilder = new RangerImpalaResourceBuilder();
                rangerImpalaResourceBuilder.database(authorizable.getDbName());
                if (privilege != Privilege.ANY || !DefaultAuthorizableFactory.ALL.equals(authorizable.getTableName())) {
                    rangerImpalaResourceBuilder.table(authorizable.getTableName());
                }
                if (privilege != Privilege.ANY || !DefaultAuthorizableFactory.ALL.equals(authorizable.getColumnName())) {
                    rangerImpalaResourceBuilder.column(authorizable.getColumnName());
                }
                rangerImpalaResourceBuilder.owner(authorizable.getOwnerUser());
                arrayList.add(rangerImpalaResourceBuilder.build());
                break;
            case FUNCTION:
                arrayList.add(new RangerImpalaResourceBuilder().database(authorizable.getDbName()).function(authorizable.getFnName()).build());
                break;
            case URI:
                arrayList.add(new RangerImpalaResourceBuilder().uri(authorizable.getName()).build());
                break;
            case STORAGEHANDLER_URI:
                arrayList.add(new RangerImpalaResourceBuilder().storageType(authorizable.getStorageType()).storageUri(authorizable.getStorageUri()).build());
                break;
            default:
                throw new IllegalArgumentException(String.format("Invalid authorizable type: %s", authorizable.getType()));
        }
        for (RangerAccessResourceImpl rangerAccessResourceImpl : arrayList) {
            if (privilege != Privilege.ANY) {
                if (!(privilege.hasAnyOf() ? authorizeAny(rangerAuthorizationContext, rangerAccessResourceImpl, authorizable, user, privilege) : authorizeAll(rangerAuthorizationContext, rangerAccessResourceImpl, authorizable, user, privilege))) {
                    return false;
                }
            } else if (!authorizeResource(rangerAuthorizationContext, user, rangerAccessResourceImpl, authorizable, privilege, rangerAuthorizationContext.getAuditHandler())) {
                return false;
            }
        }
        return true;
    }

    @Override // org.apache.impala.authorization.BaseAuthorizationChecker, org.apache.impala.authorization.AuthorizationChecker
    public void postAuthorize(AuthorizationContext authorizationContext, boolean z, boolean z2) {
        Preconditions.checkArgument(authorizationContext instanceof RangerAuthorizationContext);
        super.postAuthorize(authorizationContext, z, z2);
        if (z) {
            ((RangerAuthorizationContext) authorizationContext).consolidateAuthzEvents();
            ((RangerAuthorizationContext) authorizationContext).applyDeduplicatedAuthzEvents();
        }
        RangerBufferAuditHandler auditHandler = ((RangerAuthorizationContext) authorizationContext).getAuditHandler();
        if (!z || z2) {
            auditHandler.flush();
        } else {
            auditHandler.getAuthzEvents().clear();
        }
    }

    @Override // org.apache.impala.authorization.BaseAuthorizationChecker
    protected void authorizeRowFilterAndColumnMask(User user, List<PrivilegeRequest> list) throws AuthorizationException, InternalException {
        boolean isColumnMaskingEnabled = BackendConfig.INSTANCE.isColumnMaskingEnabled();
        boolean isRowFilteringEnabled = BackendConfig.INSTANCE.isRowFilteringEnabled();
        if (isColumnMaskingEnabled && isRowFilteringEnabled) {
            return;
        }
        for (PrivilegeRequest privilegeRequest : list) {
            if (!isColumnMaskingEnabled && privilegeRequest.getAuthorizable().getType() == Authorizable.Type.COLUMN) {
                throwIfColumnMaskingRequired(user, privilegeRequest.getAuthorizable().getDbName(), privilegeRequest.getAuthorizable().getTableName(), privilegeRequest.getAuthorizable().getColumnName());
            } else if (!isRowFilteringEnabled && privilegeRequest.getAuthorizable().getType() == Authorizable.Type.TABLE) {
                throwIfRowFilteringRequired(user, privilegeRequest.getAuthorizable().getDbName(), privilegeRequest.getAuthorizable().getTableName());
            }
        }
    }

    @Override // org.apache.impala.authorization.BaseAuthorizationChecker, org.apache.impala.authorization.AuthorizationChecker
    public void invalidateAuthorizationCache() {
        long currentTimeMillis = System.currentTimeMillis();
        try {
            this.plugin_.refreshPoliciesAndTags();
            LOG.debug("Refreshing Ranger policies took {} ms", Long.valueOf(System.currentTimeMillis() - currentTimeMillis));
        } catch (Throwable th) {
            LOG.debug("Refreshing Ranger policies took {} ms", Long.valueOf(System.currentTimeMillis() - currentTimeMillis));
            throw th;
        }
    }

    @Override // org.apache.impala.authorization.AuthorizationChecker
    public AuthorizationContext createAuthorizationContext(boolean z, String str, TSessionState tSessionState, Optional<EventSequence> optional) {
        RangerAuthorizationContext rangerAuthorizationContext = new RangerAuthorizationContext(tSessionState, optional);
        if (z) {
            if (str != null) {
                rangerAuthorizationContext.setAuditHandler(new RangerBufferAuditHandler(str, this.plugin_.getClusterName(), tSessionState.getNetwork_address().getHostname()));
            } else {
                rangerAuthorizationContext.setAuditHandler(new RangerBufferAuditHandler());
            }
        }
        return rangerAuthorizationContext;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.impala.authorization.BaseAuthorizationChecker
    public void authorizeTableAccess(AuthorizationContext authorizationContext, AnalysisContext.AnalysisResult analysisResult, FeCatalog feCatalog, List<PrivilegeRequest> list) throws AuthorizationException, InternalException {
        RangerAuthorizationContext rangerAuthorizationContext = (RangerAuthorizationContext) authorizationContext;
        RangerBufferAuditHandler auditHandler = rangerAuthorizationContext.getAuditHandler();
        RangerAuthorizationContext rangerAuthorizationContext2 = new RangerAuthorizationContext(rangerAuthorizationContext.getSessionState(), rangerAuthorizationContext.getTimeline());
        rangerAuthorizationContext2.setAuditHandler(new RangerBufferAuditHandler(auditHandler));
        AuthorizationException authorizationException = null;
        try {
            try {
                super.authorizeTableAccess(rangerAuthorizationContext2, analysisResult, feCatalog, list);
                if (0 == 0) {
                    rangerAuthorizationContext.getAuditHandler().getAuthzEvents().addAll((List) rangerAuthorizationContext2.getAuditHandler().getAuthzEvents().stream().filter(authzAuditEvent -> {
                        return authzAuditEvent.getAccessResult() != 0;
                    }).collect(Collectors.toList()));
                }
            } catch (AuthorizationException e) {
                authorizationException = e;
                rangerAuthorizationContext2.getAuditHandler().getAuthzEvents().stream().filter(authzAuditEvent2 -> {
                    return (!SELECT_ACCESS_TYPE.equalsIgnoreCase(authzAuditEvent2.getAccessType()) && "@table".equals(authzAuditEvent2.getResourceType())) || (("@table".equals(authzAuditEvent2.getResourceType()) || "@column".equals(authzAuditEvent2.getResourceType())) && authzAuditEvent2.getAccessResult() == 0);
                }).findFirst().ifPresent(authzAuditEvent3 -> {
                    rangerAuthorizationContext.getAuditHandler().getAuthzEvents().add(authzAuditEvent3);
                });
                throw e;
            }
        } catch (Throwable th) {
            if (authorizationException == null) {
                rangerAuthorizationContext.getAuditHandler().getAuthzEvents().addAll((List) rangerAuthorizationContext2.getAuditHandler().getAuthzEvents().stream().filter(authzAuditEvent4 -> {
                    return authzAuditEvent4.getAccessResult() != 0;
                }).collect(Collectors.toList()));
            }
            throw th;
        }
    }

    private void throwIfColumnMaskingRequired(User user, String str, String str2, String str3) throws InternalException, AuthorizationException {
        if (evalColumnMask(user, str, str2, str3, null).isMaskEnabled()) {
            throw new AuthorizationException(String.format("Column masking is disabled by --enable_column_masking flag. Can't access column %s.%s.%s that has column masking policy.", str, str2, str3));
        }
    }

    @Override // org.apache.impala.authorization.AuthorizationChecker
    public boolean needsMaskingOrFiltering(User user, String str, String str2, List<String> list) throws InternalException {
        Iterator<String> it = list.iterator();
        while (it.hasNext()) {
            if (evalColumnMask(user, str, str2, it.next(), null).isMaskEnabled()) {
                return true;
            }
        }
        return needsRowFiltering(user, str, str2);
    }

    @Override // org.apache.impala.authorization.AuthorizationChecker
    public boolean needsRowFiltering(User user, String str, String str2) throws InternalException {
        return evalRowFilter(user, str, str2, null).isRowFilterEnabled();
    }

    private void removeStaleAudits(RangerBufferAuditHandler rangerBufferAuditHandler, int i) {
        List<AuthzAuditEvent> authzEvents = rangerBufferAuditHandler.getAuthzEvents();
        Preconditions.checkState(authzEvents.size() - i <= 1);
        if (authzEvents.size() > i) {
            rangerBufferAuditHandler.getAuthzEvents().remove(authzEvents.size() - 1);
        }
    }

    @Override // org.apache.impala.authorization.AuthorizationChecker
    public String createColumnMask(User user, String str, String str2, String str3, AuthorizationContext authorizationContext) throws InternalException {
        RangerBufferAuditHandler auditHandler = authorizationContext == null ? null : ((RangerAuthorizationContext) authorizationContext).getAuditHandler();
        int size = auditHandler == null ? 0 : auditHandler.getAuthzEvents().size();
        RangerAccessResult evalColumnMask = evalColumnMask(user, str, str2, str3, auditHandler);
        if (!evalColumnMask.isMaskEnabled() && auditHandler != null) {
            removeStaleAudits(auditHandler, size);
            return str3;
        }
        String maskType = evalColumnMask.getMaskType();
        RangerServiceDef.RangerDataMaskTypeDef maskTypeDef = evalColumnMask.getMaskTypeDef();
        String str4 = str3;
        String str5 = null;
        if (maskTypeDef != null) {
            str5 = maskTypeDef.getTransformer();
        }
        if (StringUtils.equalsIgnoreCase(maskType, "MASK_NULL")) {
            str4 = "NULL";
        } else if (StringUtils.equalsIgnoreCase(maskType, "CUSTOM")) {
            String maskedValue = evalColumnMask.getMaskedValue();
            str4 = maskedValue == null ? "NULL" : maskedValue.replace("{col}", str3);
        } else if (StringUtils.isNotEmpty(str5)) {
            str4 = str5.replace("{col}", str3);
        }
        LOG.trace("dbName: {}, tableName: {}, column: {}, maskType: {}, columnTransformer: {}", new Object[]{str, str2, str3, maskType, str4});
        return str4;
    }

    @Override // org.apache.impala.authorization.AuthorizationChecker
    public String createRowFilter(User user, String str, String str2, AuthorizationContext authorizationContext) throws InternalException {
        RangerBufferAuditHandler auditHandler = authorizationContext == null ? null : ((RangerAuthorizationContext) authorizationContext).getAuditHandler();
        int size = auditHandler == null ? 0 : auditHandler.getAuthzEvents().size();
        RangerAccessResult evalRowFilter = evalRowFilter(user, str, str2, auditHandler);
        if (!evalRowFilter.isRowFilterEnabled() && auditHandler != null) {
            removeStaleAudits(auditHandler, size);
            return null;
        }
        String filterExpr = evalRowFilter.getFilterExpr();
        LOG.trace("dbName: {}, tableName: {}, rowFilter: {}", new Object[]{str, str2, filterExpr});
        return filterExpr;
    }

    @Override // org.apache.impala.authorization.AuthorizationChecker
    public void postAnalyze(AuthorizationContext authorizationContext) {
        Preconditions.checkArgument(authorizationContext instanceof RangerAuthorizationContext);
        ((RangerAuthorizationContext) authorizationContext).stashTableMaskingAuditEvents(this.plugin_);
    }

    private RangerAccessResult evalColumnMask(User user, String str, String str2, String str3, RangerBufferAuditHandler rangerBufferAuditHandler) throws InternalException {
        Preconditions.checkNotNull(user);
        return this.plugin_.evalDataMaskPolicies(new RangerAccessRequestImpl(new RangerImpalaResourceBuilder().database(str).table(str2).column(str3).build(), SELECT_ACCESS_TYPE, user.getShortName(), getUserGroups(user)), rangerBufferAuditHandler);
    }

    private RangerAccessResult evalRowFilter(User user, String str, String str2, RangerBufferAuditHandler rangerBufferAuditHandler) throws InternalException {
        Preconditions.checkNotNull(user);
        return this.plugin_.evalRowFilterPolicies(new RangerAccessRequestImpl(new RangerImpalaResourceBuilder().database(str).table(str2).build(), SELECT_ACCESS_TYPE, user.getShortName(), getUserGroups(user)), rangerBufferAuditHandler);
    }

    private void throwIfRowFilteringRequired(User user, String str, String str2) throws InternalException, AuthorizationException {
        if (evalRowFilter(user, str, str2, null).isRowFilterEnabled()) {
            throw new AuthorizationException(String.format("Row filtering is disabled by --enable_row_filtering flag. Can't access table %s.%s that has row filtering policy.", str, str2));
        }
    }

    @Override // org.apache.impala.authorization.BaseAuthorizationChecker, org.apache.impala.authorization.AuthorizationChecker
    public Set<String> getUserGroups(User user) throws InternalException {
        Preconditions.checkNotNull(user);
        return new HashSet(((RuntimeEnv.INSTANCE.isTestEnv() || BackendConfig.INSTANCE.useCustomizedUserGroupsMapperForRanger()) ? UserGroupInformation.createUserForTesting(user.getShortName(), new String[]{user.getShortName()}) : UserGroupInformation.createRemoteUser(user.getShortName())).getGroups());
    }

    private boolean authorizeAny(RangerAuthorizationContext rangerAuthorizationContext, RangerAccessResourceImpl rangerAccessResourceImpl, Authorizable authorizable, User user, Privilege privilege) throws InternalException {
        boolean z = false;
        RangerBufferAuditHandler auditHandler = rangerAuthorizationContext.getAuditHandler();
        RangerBufferAuditHandler rangerBufferAuditHandler = (auditHandler == null || !rangerAuthorizationContext.getRetainAudits()) ? null : new RangerBufferAuditHandler(auditHandler);
        Iterator it = privilege.getImpliedPrivileges().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            if (authorizeResource(rangerAuthorizationContext, user, rangerAccessResourceImpl, authorizable, (Privilege) it.next(), rangerBufferAuditHandler)) {
                z = true;
                break;
            }
        }
        if (auditHandler != null && rangerBufferAuditHandler != null) {
            updateAuditEvents(rangerBufferAuditHandler, auditHandler, true, privilege);
        }
        return z;
    }

    private boolean authorizeAll(RangerAuthorizationContext rangerAuthorizationContext, RangerAccessResourceImpl rangerAccessResourceImpl, Authorizable authorizable, User user, Privilege privilege) throws InternalException {
        boolean z = true;
        RangerBufferAuditHandler auditHandler = rangerAuthorizationContext.getAuditHandler();
        RangerBufferAuditHandler rangerBufferAuditHandler = (auditHandler == null || !rangerAuthorizationContext.getRetainAudits()) ? null : new RangerBufferAuditHandler(auditHandler);
        Iterator it = privilege.getImpliedPrivileges().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            if (!authorizeResource(rangerAuthorizationContext, user, rangerAccessResourceImpl, authorizable, (Privilege) it.next(), rangerBufferAuditHandler)) {
                z = false;
                break;
            }
        }
        if (auditHandler != null && rangerBufferAuditHandler != null) {
            updateAuditEvents(rangerBufferAuditHandler, auditHandler, false, rangerAccessResourceImpl.getKeys().contains(RangerImpalaResourceBuilder.STORAGE_TYPE) ? Privilege.RWSTORAGE : privilege);
        }
        return z;
    }

    private static void updateAuditEvents(RangerBufferAuditHandler rangerBufferAuditHandler, RangerBufferAuditHandler rangerBufferAuditHandler2, boolean z, Privilege privilege) {
        AuthzAuditEvent authzAuditEvent = null;
        Iterator<AuthzAuditEvent> it = rangerBufferAuditHandler.getAuthzEvents().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            AuthzAuditEvent next = it.next();
            if (next.getAccessResult() == (z ? (short) 1 : (short) 0)) {
                authzAuditEvent = next;
                break;
            }
            authzAuditEvent = next;
        }
        if (authzAuditEvent != null) {
            authzAuditEvent.setAccessType(privilege.name().toLowerCase());
            rangerBufferAuditHandler2.getAuthzEvents().add(authzAuditEvent);
        }
    }

    private boolean authorizeResource(RangerAuthorizationContext rangerAuthorizationContext, User user, RangerAccessResourceImpl rangerAccessResourceImpl, Authorizable authorizable, Privilege privilege, RangerBufferAuditHandler rangerBufferAuditHandler) throws InternalException {
        RangerAccessRequest rangerAccessRequestImpl = new RangerAccessRequestImpl(rangerAccessResourceImpl, rangerAccessResourceImpl.getKeys().contains(RangerImpalaResourceBuilder.STORAGE_TYPE) ? Privilege.RWSTORAGE.name().toLowerCase() : privilege == Privilege.ANY ? "_any" : privilege == Privilege.INSERT ? UPDATE_ACCESS_TYPE : privilege.name().toLowerCase(), user.getShortName(), getUserGroups(user));
        rangerAccessRequestImpl.setClusterName(this.plugin_.getClusterName());
        if (rangerAuthorizationContext.getSessionState() != null) {
            rangerAccessRequestImpl.setClientIPAddress(rangerAuthorizationContext.getSessionState().getNetwork_address().getHostname());
        }
        RangerAccessResult isAccessAllowed = this.plugin_.isAccessAllowed(rangerAccessRequestImpl, rangerBufferAuditHandler);
        if (isAccessAllowed == null || !isAccessAllowed.getIsAllowed()) {
            return false;
        }
        if (!this.plugin_.blockUpdateIfTableMaskSpecified() || !privilege.impliesUpdate()) {
            return true;
        }
        if (authorizable.getType() == Authorizable.Type.TABLE || authorizable.getType() == Authorizable.Type.COLUMN) {
            return authorizeByTableMasking(rangerAccessRequestImpl, user, authorizable, isAccessAllowed, privilege, rangerBufferAuditHandler);
        }
        return true;
    }

    /* JADX WARN: Multi-variable type inference failed */
    private boolean authorizeByTableMasking(RangerAccessRequestImpl rangerAccessRequestImpl, User user, Authorizable authorizable, RangerAccessResult rangerAccessResult, Privilege privilege, RangerBufferAuditHandler rangerBufferAuditHandler) throws InternalException {
        List newArrayList;
        Preconditions.checkNotNull(rangerAccessResult, "accessResult is null!");
        Preconditions.checkState(rangerAccessResult.getIsAllowed(), "update should be allowed before checking this");
        String accessType = rangerAccessRequestImpl.getAccessType();
        rangerAccessRequestImpl.setAccessType(SELECT_ACCESS_TYPE);
        if (authorizable.getType() == Authorizable.Type.TABLE) {
            RangerAccessResult evalRowFilterPolicies = this.plugin_.evalRowFilterPolicies(rangerAccessRequestImpl, null);
            if (evalRowFilterPolicies == null || !evalRowFilterPolicies.isRowFilterEnabled()) {
                LOG.trace("No row filtering policy found on {}.", authorizable.getName());
            } else {
                LOG.trace("Deny {} on {} due to row filtering policy {}", new Object[]{privilege, authorizable.getName(), Long.valueOf(evalRowFilterPolicies.getPolicyId())});
                rangerAccessResult.setIsAllowed(false);
                rangerAccessResult.setPolicyId(evalRowFilterPolicies.getPolicyId());
                rangerAccessResult.setReason("User does not have access to all rows of the table");
            }
        }
        if (rangerAccessResult.getIsAllowed()) {
            if (authorizable.getType() == Authorizable.Type.TABLE) {
                newArrayList = ((AuthorizableTable) authorizable).getColumns();
                LOG.trace("Checking mask policies on {} columns of table {}", Integer.valueOf(newArrayList.size()), authorizable.getFullTableName());
            } else {
                newArrayList = Lists.newArrayList(new String[]{authorizable.getColumnName()});
            }
            Iterator it = newArrayList.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                String str = (String) it.next();
                RangerAccessResult evalColumnMask = evalColumnMask(user, authorizable.getDbName(), authorizable.getTableName(), str, null);
                if (evalColumnMask != null && evalColumnMask.isMaskEnabled()) {
                    LOG.trace("Deny {} on {} due to column masking policy {}", new Object[]{privilege, authorizable.getName(), Long.valueOf(evalColumnMask.getPolicyId())});
                    rangerAccessResult.setIsAllowed(false);
                    rangerAccessResult.setPolicyId(evalColumnMask.getPolicyId());
                    rangerAccessResult.setReason("User does not have access to unmasked column values");
                    break;
                }
                LOG.trace("No column masking policy found on column {} of {}.", str, authorizable.getFullTableName());
            }
        }
        rangerAccessRequestImpl.setAccessType(accessType);
        if (!rangerAccessResult.getIsAllowed() && rangerBufferAuditHandler != null) {
            rangerBufferAuditHandler.processResult(rangerAccessResult);
        }
        return rangerAccessResult.getIsAllowed();
    }

    @VisibleForTesting
    public RangerImpalaPlugin getRangerImpalaPlugin() {
        return this.plugin_;
    }
}
