package org.apache.ranger.authorization.hadoop;

import com.google.common.collect.Sets;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.Stack;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.hdfs.DFSUtil;
import org.apache.hadoop.hdfs.server.namenode.INode;
import org.apache.hadoop.hdfs.server.namenode.INodeAttributeProvider;
import org.apache.hadoop.hdfs.server.namenode.INodeAttributes;
import org.apache.hadoop.hdfs.server.namenode.INodeDirectory;
import org.apache.hadoop.hdfs.server.namenode.INodeDirectoryAttributes;
import org.apache.hadoop.hdfs.util.ReadOnlyList;
import org.apache.hadoop.ipc.CallerContext;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.authorization.hadoop.exceptions.RangerAccessControlException;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.services.hdfs.RangerServiceHdfs;

/* loaded from: input_file:org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.class */
public class RangerHdfsAuthorizer extends INodeAttributeProvider {
    // String constants exposed by the authorizer. Their use sites are outside the
    // visible part of this file. NOTE(review): presumably keys for request context
    // or resource attributes; confirm against the callers.
    public static final String KEY_FILENAME = "FILENAME";
    public static final String KEY_BASE_FILENAME = "BASE_FILENAME";
    public static final String DEFAULT_FILENAME_EXTENSION_SEPARATOR = ".";
    public static final String KEY_RESOURCE_PATH = "path";
    // Name of the configuration property for the filename extension separator.
    public static final String RANGER_FILENAME_EXTENSION_SEPARATOR_PROP = "ranger.plugin.hdfs.filename.extension.separator";
    // Class logger; the enforcer writes entry/exit traces to it at debug level.
    private static final Log LOG = LogFactory.getLog(RangerHdfsAuthorizer.class);
    // Performance logger obtained for the "hdfsauth.request" category.
    private static final Log PERF_HDFSAUTH_REQUEST_LOG = RangerPerfTracer.getPerfLogger("hdfsauth.request");
    // Policy-engine plugin consulted by the enforcer for every Ranger decision.
    private RangerHdfsPlugin rangerPlugin;
    // Maps an HDFS FsAction to the set of Ranger access-type names evaluated for it.
    private Map<FsAction, Set<String>> access2ActionListMapper;
    // Path of an additional configuration file; not read in the visible part of this file.
    private final Path addlConfigFile;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer$AuthzStatus.class */
    /**
     * Outcome of a single authorization step inside the enforcer.
     */
    public enum AuthzStatus {
        // Access is granted by the step that produced this value.
        ALLOW,
        // Access is refused; the enforcer ends the request with an exception.
        DENY,
        // No decision was reached; the enforcer then consults the default HDFS enforcer.
        NOT_DETERMINED
    }

    /* loaded from: input_file:org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer$RangerAccessControlEnforcer.class */
    class RangerAccessControlEnforcer implements INodeAttributeProvider.AccessControlEnforcer {
        // Enforcer supplied at construction; checkDefaultEnforcer delegates to it when
        // Hadoop authorization is enabled on the plugin and this reference is non-null.
        private INodeAttributeProvider.AccessControlEnforcer defaultEnforcer;

        /* JADX INFO: Access modifiers changed from: package-private */
        /* loaded from: input_file:org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer$RangerAccessControlEnforcer$SubAccessData.class */
        /**
         * Work item for the iterative sub-access check: a directory paired with the
         * resource path under which that directory is evaluated against policy.
         */
        public class SubAccessData {
            // Directory that is checked and whose children are listed.
            final INodeDirectory dir;
            // Path string handed to the policy check for {@code dir}.
            final String resourcePath;

            SubAccessData(INodeDirectory iNodeDirectory, String str) {
                this.dir = iNodeDirectory;
                this.resourcePath = str;
            }
        }

        /**
         * Creates an enforcer that evaluates Ranger policy first and keeps the given
         * enforcer as the fallback used by {@code checkDefaultEnforcer}.
         *
         * @param accessControlEnforcer the fallback enforcer; may be {@code null}, in
         *                              which case no fallback call is ever made
         */
        public RangerAccessControlEnforcer(INodeAttributeProvider.AccessControlEnforcer accessControlEnforcer) {
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("==> RangerAccessControlEnforcer.RangerAccessControlEnforcer()");
            }

            // The field starts out null, so a single assignment is all that is needed.
            this.defaultEnforcer = accessControlEnforcer;

            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("<== RangerAccessControlEnforcer.RangerAccessControlEnforcer()");
            }
        }

        /**
         * Context-based entry point: unpacks the authorization context and runs the
         * shared Ranger check, including the operation name and caller context that
         * the positional entry point cannot supply.
         *
         * @param authorizationContext the request as assembled by the caller
         * @throws AccessControlException when access is not granted
         */
        public void checkPermissionWithContext(INodeAttributeProvider.AuthorizationContext authorizationContext) throws AccessControlException {
            checkRangerPermission(
                    authorizationContext.getFsOwner(),
                    authorizationContext.getSupergroup(),
                    authorizationContext.getCallerUgi(),
                    authorizationContext.getInodeAttrs(),
                    authorizationContext.getInodes(),
                    authorizationContext.getPathByNameArr(),
                    authorizationContext.getSnapshotId(),
                    authorizationContext.getPath(),
                    authorizationContext.getAncestorIndex(),
                    authorizationContext.isDoCheckOwner(),
                    authorizationContext.getAncestorAccess(),
                    authorizationContext.getParentAccess(),
                    authorizationContext.getAccess(),
                    authorizationContext.getSubAccess(),
                    authorizationContext.isIgnoreEmptyDir(),
                    authorizationContext.getOperationName(),
                    authorizationContext.getCallerContext());
        }

        /**
         * Positional entry point: forwards every argument unchanged to the shared
         * Ranger check. The operation name and caller context are passed as
         * {@code null}, so the audit handler built for such requests carries no
         * caller context.
         *
         * @throws AccessControlException when access is not granted
         */
        public void checkPermission(String str, String str2, UserGroupInformation userGroupInformation, INodeAttributes[] iNodeAttributesArr, INode[] iNodeArr, byte[][] bArr, int i, String str3, int i2, boolean z, FsAction fsAction, FsAction fsAction2, FsAction fsAction3, FsAction fsAction4, boolean z2) throws AccessControlException {
            checkRangerPermission(
                    str, str2, userGroupInformation,
                    iNodeAttributesArr, iNodeArr, bArr,
                    i, str3, i2, z,
                    fsAction, fsAction2, fsAction3, fsAction4,
                    z2,
                    null,   // operation name is not available on this entry point
                    null);  // caller context is not available on this entry point
        }

        /* JADX WARN: Multi-variable type inference failed */
        /* JADX WARN: Type inference failed for: r0v52, types: [byte[], byte[][]] */
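        /**
         * Shared authorization routine behind both public entry points.
         *
         * <p>Ranger policy is evaluated for each requested access in turn (traversal,
         * sticky bit, ancestor, parent, target, sub-tree, owner). Every step runs only
         * while the running status is still ALLOW. A step that ends in NOT_DETERMINED
         * is handed to the default HDFS enforcer. The method returns normally only on
         * ALLOW: a DENY, or a NOT_DETERMINED that the default enforcer did not turn
         * into ALLOW, ends in a {@link RangerAccessControlException}, so the routine
         * fails closed.
         *
         * <p>Changes against the decompiled form: the sub-tree walk now builds each
         * child path from the path of the directory being expanded (it used the
         * top-level path, which produced wrong policy paths below the first level),
         * and two decompiler artifacts that did not compile were removed (the untyped
         * path-component array and an unassigned boolean).
         *
         * @param str                  fsOwner
         * @param str2                 superGroup
         * @param userGroupInformation caller identity
         * @param iNodeAttributesArr   attributes of the path components
         * @param iNodeArr             inodes of the path components
         * @param bArr                 path components by name
         * @param i                    snapshotId
         * @param str3                 path as provided by the caller
         * @param i2                   ancestorIndex
         * @param z                    doCheckOwner
         * @param fsAction             ancestorAccess
         * @param fsAction2            parentAccess
         * @param fsAction3            access on the target
         * @param fsAction4            subAccess (applied to the whole directory tree)
         * @param z2                   ignoreEmptyDir
         * @param str4                 operationName, or {@code null}
         * @param callerContext        caller context, or {@code null}
         * @throws AccessControlException when access is not granted
         */
        private void checkRangerPermission(String str, String str2, UserGroupInformation userGroupInformation, INodeAttributes[] iNodeAttributesArr, INode[] iNodeArr, byte[][] bArr, int i, String str3, int i2, boolean z, FsAction fsAction, FsAction fsAction2, FsAction fsAction3, FsAction fsAction4, boolean z2, String str4, CallerContext callerContext) throws AccessControlException {
            AuthzStatus authzStatus = AuthzStatus.NOT_DETERMINED;
            String resourcePath = str3;
            // The last argument marks a traverse-only request: no access of any kind was asked for.
            AuthzContext authzContext = new AuthzContext(RangerHdfsAuthorizer.this.rangerPlugin, userGroupInformation, str4, fsAction3 == null && fsAction2 == null && fsAction == null && fsAction4 == null);
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("==> RangerAccessControlEnforcer.checkPermission(fsOwner=" + str + "; superGroup=" + str2 + ", inodesCount=" + (iNodeArr != null ? iNodeArr.length : 0) + ", snapshotId=" + i + ", user=" + authzContext.user + ", provided-path=" + str3 + ", ancestorIndex=" + i2 + ", doCheckOwner=" + z + ", ancestorAccess=" + fsAction + ", parentAccess=" + fsAction2 + ", access=" + fsAction3 + ", subAccess=" + fsAction4 + ", ignoreEmptyDir=" + z2 + ", operationName=" + str4 + ", callerContext=" + callerContext + ")");
            }
            RangerPerfTracer perfTracer = RangerPerfTracer.isPerfTraceEnabled(RangerHdfsAuthorizer.PERF_HDFSAUTH_REQUEST_LOG) ? RangerPerfTracer.getPerfTracer(RangerHdfsAuthorizer.PERF_HDFSAUTH_REQUEST_LOG, "RangerHdfsAuthorizer.checkPermission(provided-path=" + str3 + ")") : null;
            try {
                INode ancestor = null;
                INode parent = null;
                INode inode = null;
                boolean deferToDefaultEnforcer = false;
                boolean skipAudit = false;
                // NOTE(review): only iNodeArr is checked for null/empty; iNodeAttributesArr is
                // dereferenced unguarded below. Confirm the caller always supplies it.
                if (authzContext.plugin != null && !ArrayUtils.isEmpty(iNodeArr)) {
                    int attrCount = iNodeAttributesArr.length;
                    if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                        RangerHdfsAuthorizer.LOG.debug("Size of INodeAttrs array:[" + attrCount + "]");
                        RangerHdfsAuthorizer.LOG.debug("Size of INodes array:[" + iNodeArr.length + "]");
                    }
                    // Local-name bytes of the leading non-null attribute entries; used to rebuild paths.
                    byte[][] pathComponents = new byte[attrCount][];
                    int usableCount = 0;
                    while (usableCount < attrCount && iNodeAttributesArr[usableCount] != null) {
                        pathComponents[usableCount] = iNodeAttributesArr[usableCount].getLocalNameBytes();
                        usableCount++;
                    }
                    if (usableCount != attrCount && RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                        RangerHdfsAuthorizer.LOG.debug("Input INodeAttributes array contains null at position " + usableCount);
                        RangerHdfsAuthorizer.LOG.debug("Will use only first [" + usableCount + "] components");
                    }
                    // 2147483646 (Integer.MAX_VALUE - 1) is the snapshot id that means "not a
                    // snapshot", as the log messages below state.
                    if (attrCount == 1 && iNodeArr.length == 1 && iNodeArr[0].getParent() != null) {
                        skipAudit = true;
                        if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                            RangerHdfsAuthorizer.LOG.debug("Using the only inode in the array to figure out path to resource. No audit record will be generated for this authorization request");
                        }
                        resourcePath = iNodeArr[0].getFullPathName();
                        if (i != 2147483646) {
                            deferToDefaultEnforcer = true;
                            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                                RangerHdfsAuthorizer.LOG.debug("path:[" + resourcePath + "] is for a snapshot, id=[" + i + "], default Authorizer will be used to authorize this request");
                            }
                        } else if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                            RangerHdfsAuthorizer.LOG.debug("path:[" + resourcePath + "] is not for a snapshot, id=[" + i + "]. It will be used to authorize this request");
                        }
                    } else if (i != 2147483646) {
                        resourcePath = DFSUtil.byteArray2PathString(bArr);
                        if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                            RangerHdfsAuthorizer.LOG.debug("pathByNameArr array is used to figure out path to resource, resourcePath:[" + resourcePath + "]");
                        }
                    } else {
                        resourcePath = DFSUtil.byteArray2PathString(pathComponents, 0, usableCount);
                        if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                            RangerHdfsAuthorizer.LOG.debug("INodeAttributes array is used to figure out path to resource, resourcePath:[" + resourcePath + "]");
                        }
                    }
                    // Clamp the ancestor index into the array, then walk back to the nearest non-null inode.
                    if (i2 >= iNodeArr.length) {
                        i2 = iNodeArr.length - 1;
                    }
                    while (i2 >= 0 && iNodeArr[i2] == null) {
                        i2--;
                    }
                    // Starting from NOT_DETERMINED skips every Ranger step below and sends the
                    // request to the default enforcer.
                    authzStatus = deferToDefaultEnforcer ? AuthzStatus.NOT_DETERMINED : AuthzStatus.ALLOW;
                    ancestor = (iNodeArr.length <= i2 || i2 < 0) ? null : iNodeArr[i2];
                    parent = iNodeArr.length > 1 ? iNodeArr[iNodeArr.length - 2] : null;
                    inode = iNodeArr[iNodeArr.length - 1];
                    authzContext.auditHandler = skipAudit ? null : new RangerHdfsAuditHandler(str3, authzContext.isTraverseOnlyCheck, authzContext.plugin.getHadoopModuleName(), authzContext.plugin.getExcludedUsers(), callerContext != null ? callerContext.toString() : null);
                    if (authzStatus == AuthzStatus.ALLOW && authzContext.isTraverseOnlyCheck) {
                        authzStatus = traverseOnlyCheck(inode, iNodeAttributesArr, resourcePath, pathComponents, parent, ancestor, i2, authzContext);
                    }
                    // Sticky bit on the parent: a write into it stays ALLOW only for the owner of
                    // the parent or of the target; anyone else is left to the default enforcer.
                    if (authzStatus == AuthzStatus.ALLOW && fsAction2 != null && fsAction2.implies(FsAction.WRITE) && parent != null && inode != null && parent.getFsPermission() != null && parent.getFsPermission().getStickyBit()) {
                        authzStatus = (StringUtils.equals(parent.getUserName(), authzContext.user) || StringUtils.equals(inode.getUserName(), authzContext.user)) ? AuthzStatus.ALLOW : AuthzStatus.NOT_DETERMINED;
                    }
                    // Ancestor access.
                    if (authzStatus == AuthzStatus.ALLOW && fsAction != null && ancestor != null) {
                        INodeAttributes ancestorAttrs = attrCount > i2 ? iNodeAttributesArr[i2] : null;
                        authzStatus = isAccessAllowed(ancestor, ancestorAttrs, ancestorAttrs != null ? DFSUtil.byteArray2PathString(pathComponents, 0, i2 + 1) : null, fsAction, authzContext);
                        if (authzStatus == AuthzStatus.NOT_DETERMINED) {
                            authzStatus = checkDefaultEnforcer(str, str2, userGroupInformation, iNodeAttributesArr, iNodeArr, bArr, i, str3, i2, z, fsAction, null, null, null, z2, ancestor, parent, inode, authzContext);
                        }
                    }
                    // Parent access.
                    if (authzStatus == AuthzStatus.ALLOW && fsAction2 != null && parent != null) {
                        INodeAttributes parentAttrs = attrCount > 1 ? iNodeAttributesArr[attrCount - 2] : null;
                        authzStatus = isAccessAllowed(parent, parentAttrs, parentAttrs != null ? DFSUtil.byteArray2PathString(pathComponents, 0, attrCount - 1) : null, fsAction2, authzContext);
                        if (authzStatus == AuthzStatus.NOT_DETERMINED) {
                            authzStatus = checkDefaultEnforcer(str, str2, userGroupInformation, iNodeAttributesArr, iNodeArr, bArr, i, str3, i2, z, null, fsAction2, null, null, z2, ancestor, parent, inode, authzContext);
                        }
                    }
                    // Access on the target itself.
                    if (authzStatus == AuthzStatus.ALLOW && fsAction3 != null && inode != null) {
                        authzStatus = isAccessAllowed(inode, attrCount > 0 ? iNodeAttributesArr[attrCount - 1] : null, resourcePath, fsAction3, authzContext);
                        if (authzStatus == AuthzStatus.NOT_DETERMINED) {
                            authzStatus = checkDefaultEnforcer(str, str2, userGroupInformation, iNodeAttributesArr, iNodeArr, bArr, i, str3, i2, z, null, null, fsAction3, null, z2, ancestor, parent, inode, authzContext);
                        }
                    }
                    // Sub-access: iterative walk over every directory beneath the target.
                    if (authzStatus == AuthzStatus.ALLOW && fsAction4 != null && inode != null && inode.isDirectory()) {
                        Stack<SubAccessData> pending = new Stack<>();
                        pending.push(new SubAccessData(inode.asDirectory(), resourcePath));
                        while (!pending.isEmpty()) {
                            SubAccessData current = pending.pop();
                            ReadOnlyList<INode> children = current.dir.getChildrenList(i);
                            // Empty directories are skipped when ignoreEmptyDir is set.
                            if (!children.isEmpty() || !z2) {
                                INodeDirectoryAttributes dirAttrs = current.dir.getSnapshotINode(i);
                                authzStatus = isAccessAllowed(current.dir, dirAttrs, current.resourcePath, fsAction4, authzContext);
                                if (authzStatus != AuthzStatus.ALLOW) {
                                    break;
                                }
                                AuthzStatus hierarchyStatus = AuthzStatus.NOT_DETERMINED;
                                if (RangerHdfsAuthorizer.this.rangerPlugin.isOptimizeSubAccessAuthEnabled()) {
                                    hierarchyStatus = isAccessAllowedForHierarchy(current.dir, dirAttrs, current.resourcePath, fsAction4, authzContext);
                                }
                                // Descend only when the hierarchy check did not already allow the whole subtree.
                                if (hierarchyStatus != AuthzStatus.ALLOW) {
                                    for (INode child : children) {
                                        if (child.isDirectory()) {
                                            // The child path extends the path of the directory being
                                            // expanded, so nested directories are evaluated against
                                            // policy under their real location.
                                            pending.push(new SubAccessData(child.asDirectory(), current.resourcePath + '/' + child.getLocalName()));
                                        }
                                    }
                                }
                            }
                        }
                        if (authzStatus == AuthzStatus.NOT_DETERMINED) {
                            authzStatus = checkDefaultEnforcer(str, str2, userGroupInformation, iNodeAttributesArr, iNodeArr, bArr, i, str3, i2, z, null, null, null, fsAction4, z2, ancestor, parent, inode, authzContext);
                        }
                    }
                    // Owner check: a non-owner is not denied here but left to the default enforcer.
                    if (authzStatus == AuthzStatus.ALLOW && z) {
                        INodeAttributes inodeAttrs = attrCount > 0 ? iNodeAttributesArr[attrCount - 1] : null;
                        authzStatus = StringUtils.equals(authzContext.user, inodeAttrs != null ? inodeAttrs.getUserName() : null) ? AuthzStatus.ALLOW : AuthzStatus.NOT_DETERMINED;
                    }
                }
                // Anything still undecided goes to the default enforcer with the full original request.
                if (authzStatus == AuthzStatus.NOT_DETERMINED) {
                    authzStatus = checkDefaultEnforcer(str, str2, userGroupInformation, iNodeAttributesArr, iNodeArr, bArr, i, str3, i2, z, fsAction, fsAction2, fsAction3, fsAction4, z2, ancestor, parent, inode, authzContext);
                }
                if (authzStatus == AuthzStatus.ALLOW) {
                    return;
                }
                // Report the most specific action that was requested: target, then parent,
                // then ancestor, else EXECUTE.
                FsAction deniedAction = fsAction3;
                if (deniedAction == null) {
                    deniedAction = fsAction2 != null ? fsAction2 : fsAction != null ? fsAction : FsAction.EXECUTE;
                }
                throw new RangerAccessControlException("Permission denied: user=" + authzContext.user + ", access=" + deniedAction + ", inode=\"" + resourcePath + "\"");
            } finally {
                // Audit records are flushed on every exit path, including a denial.
                if (authzContext.auditHandler != null) {
                    authzContext.auditHandler.flushAudit();
                }
                RangerPerfTracer.log(perfTracer);
                if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                    RangerHdfsAuthorizer.LOG.debug("<== RangerAccessControlEnforcer.checkPermission(" + resourcePath + ", " + fsAction3 + ", user=" + authzContext.user + ") : " + authzStatus);
                }
            }
        }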

        /**
         * Handles a traverse-only request by picking the node whose EXECUTE access is
         * checked and delegating to {@code isAccessAllowedForTraversal}.
         *
         * <p>When the target is missing or is a file, the check moves to the parent
         * if there is one, otherwise to the ancestor; if neither exists the target
         * itself (when non-null) is still checked. With no node at all the result is
         * ALLOW without consulting policy.
         *
         * @param iNode              target inode, may be {@code null}
         * @param iNodeAttributesArr attributes of the path components
         * @param str                resource path of the target
         * @param bArr               local-name bytes of the path components
         * @param iNode2             parent inode, may be {@code null}
         * @param iNode3             ancestor inode, may be {@code null}
         * @param i                  index of the ancestor in the arrays
         * @param authzContext       per-request state
         * @return the traversal decision
         */
        private AuthzStatus traverseOnlyCheck(INode iNode, INodeAttributes[] iNodeAttributesArr, String str, byte[][] bArr, INode iNode2, INode iNode3, int i, AuthzContext authzContext) {
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("==> RangerAccessControlEnforcer.traverseOnlyCheck(path=" + str + ", user=" + authzContext.user + ", groups=" + authzContext.userGroups + ")");
            }

            final int attrCount = iNodeAttributesArr.length;
            INode nodeToCheck = iNode;
            INodeAttributes attrsToCheck = attrCount > 0 ? iNodeAttributesArr[attrCount - 1] : null;
            String pathToCheck = str;

            // A file or a missing target cannot be traversed; the flag also tells the
            // callee to skip the audit record when the result is an allow.
            final boolean skipAuditOnAllow = iNode == null || iNode.isFile();
            if (skipAuditOnAllow) {
                if (iNode2 != null) {
                    nodeToCheck = iNode2;
                    attrsToCheck = attrCount > 1 ? iNodeAttributesArr[attrCount - 2] : null;
                    pathToCheck = attrCount > 0 ? DFSUtil.byteArray2PathString(bArr, 0, attrCount - 1) : "/";
                } else if (iNode3 != null) {
                    nodeToCheck = iNode3;
                    attrsToCheck = attrCount > i ? iNodeAttributesArr[i] : null;
                    pathToCheck = attrsToCheck != null ? DFSUtil.byteArray2PathString(bArr, 0, i + 1) : "/";
                }
            }

            final AuthzStatus authzStatus;
            if (nodeToCheck == null) {
                authzStatus = AuthzStatus.ALLOW;
            } else {
                // Drop one trailing slash, except on the root path.
                if (pathToCheck.length() > 1 && pathToCheck.endsWith("/")) {
                    pathToCheck = pathToCheck.substring(0, pathToCheck.length() - 1);
                }
                authzStatus = isAccessAllowedForTraversal(nodeToCheck, attrsToCheck, pathToCheck, skipAuditOnAllow, authzContext);
            }

            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("<== RangerAccessControlEnforcer.traverseOnlyCheck(path=" + str + ", resourcePath=" + pathToCheck + ", user=" + authzContext.user + ", groups=" + authzContext.userGroups + ") : " + authzStatus);
            }
            return authzStatus;
        }

        /**
         * Asks the Ranger plugin whether the caller has "execute" access on one node.
         *
         * <p>Only an explicit, determined deny yields DENY. A {@code null} result or
         * an undetermined one is mapped to ALLOW, so this step does not fail closed on
         * its own. NOTE(review): confirm that callers rely on this and that the
         * fallback to the default enforcer is not expected for traversal.
         *
         * @param iNode           node being traversed
         * @param iNodeAttributes attributes of the node, may be {@code null}
         * @param str             resource path; an empty string is treated as "/"
         * @param z               when {@code true}, no audit record is written for an allow
         * @param authzContext    per-request state
         * @return ALLOW or DENY, never NOT_DETERMINED
         */
        private AuthzStatus isAccessAllowedForTraversal(INode iNode, INodeAttributes iNodeAttributes, String str, boolean z, AuthzContext authzContext) {
            final FsAction traverseAction = FsAction.EXECUTE;

            // The owner comes from the attributes when they carry one, else from the inode.
            String owner = null;
            if (iNodeAttributes != null) {
                owner = iNodeAttributes.getUserName();
            }
            if (owner == null) {
                owner = iNode.getUserName();
            }
            if ("".equals(str)) {
                str = "/";
            }
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("==> RangerAccessControlEnforcer.isAccessAllowedForTraversal(" + str + ", " + traverseAction + ", " + authzContext.user + ", " + z + ")");
            }

            // The plugin is called without an audit handler; auditing is decided below.
            RangerHdfsAccessRequest request = new RangerHdfsAccessRequest(iNode, str, owner, traverseAction, "execute", authzContext.operationName, authzContext.user, authzContext.userGroups);
            RangerAccessResult result = authzContext.plugin.isAccessAllowed(request, null);
            authzContext.saveResult(result);

            final boolean determined = result != null && result.getIsAccessDetermined();
            final boolean denied = determined && !result.getIsAllowed();
            final AuthzStatus authzStatus = denied ? AuthzStatus.DENY : AuthzStatus.ALLOW;

            // A deny is always audited; a determined allow is audited unless z suppresses it.
            if (authzContext.auditHandler != null && (denied || (!z && determined))) {
                authzContext.auditHandler.processResult(result);
            }
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("<== RangerAccessControlEnforcer.isAccessAllowedForTraversal(" + str + ", " + traverseAction + ", " + authzContext.user + ", " + z + "): " + authzStatus);
            }
            return authzStatus;
        }

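        /**
         * Falls back to the default HDFS enforcer for a request that Ranger policy did
         * not decide.
         *
         * <p>The fallback runs only when Hadoop authorization is enabled on the plugin
         * and a default enforcer was supplied; otherwise NOT_DETERMINED is returned
         * and the caller treats the request as denied. When the default enforcer
         * rejects the request its exception propagates unchanged, after the decision
         * has been audited.
         *
         * <p>The audit logic, which the decompiled form carried twice (success path
         * and catch block), is written once in a {@code finally} block, and the exit
         * trace is built only when debug logging is enabled.
         *
         * @param str                  fsOwner
         * @param str2                 superGroup
         * @param userGroupInformation caller identity
         * @param iNodeAttributesArr   attributes of the path components
         * @param iNodeArr             inodes of the path components
         * @param bArr                 path components by name
         * @param i                    snapshotId
         * @param str3                 path as provided by the caller
         * @param i2                   ancestorIndex
         * @param z                    doCheckOwner
         * @param fsAction             ancestorAccess, or {@code null}
         * @param fsAction2            parentAccess, or {@code null}
         * @param fsAction3            access on the target, or {@code null}
         * @param fsAction4            subAccess, or {@code null}
         * @param z2                   ignoreEmptyDir
         * @param iNode                ancestor inode, used for logging and audit
         * @param iNode2               parent inode, used for logging and audit
         * @param iNode3               target inode, used for logging and audit
         * @param authzContext         per-request state
         * @return ALLOW when the default enforcer accepted the request, otherwise
         *         NOT_DETERMINED when no fallback was attempted
         * @throws AccessControlException when the default enforcer rejects the request
         */
        private AuthzStatus checkDefaultEnforcer(String str, String str2, UserGroupInformation userGroupInformation, INodeAttributes[] iNodeAttributesArr, INode[] iNodeArr, byte[][] bArr, int i, String str3, int i2, boolean z, FsAction fsAction, FsAction fsAction2, FsAction fsAction3, FsAction fsAction4, boolean z2, INode iNode, INode iNode2, INode iNode3, AuthzContext authzContext) throws AccessControlException {
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("==> RangerAccessControlEnforcer.checkDefaultEnforcer(fsOwner=" + str + "; superGroup=" + str2 + ", inodesCount=" + (iNodeArr != null ? iNodeArr.length : 0) + ", snapshotId=" + i + ", path=" + str3 + ", ancestorIndex=" + i2 + ", doCheckOwner=" + z + ", ancestorAccess=" + fsAction + ", parentAccess=" + fsAction2 + ", access=" + fsAction3 + ", subAccess=" + fsAction4 + ", ignoreEmptyDir=" + z2 + ", isTraverseOnlyCheck=" + authzContext.isTraverseOnlyCheck + ",ancestor=" + (iNode == null ? null : iNode.getFullPathName()) + ", parent=" + (iNode2 == null ? null : iNode2.getFullPathName()) + ", inode=" + (iNode3 == null ? null : iNode3.getFullPathName()) + ")");
            }
            AuthzStatus authzStatus = AuthzStatus.NOT_DETERMINED;
            if (RangerHdfsAuthorizer.this.rangerPlugin.isHadoopAuthEnabled() && this.defaultEnforcer != null) {
                RangerPerfTracer rangerPerfTracer = null;
                if (RangerPerfTracer.isPerfTraceEnabled(RangerHdfsAuthorizer.PERF_HDFSAUTH_REQUEST_LOG)) {
                    rangerPerfTracer = RangerPerfTracer.getPerfTracer(RangerHdfsAuthorizer.PERF_HDFSAUTH_REQUEST_LOG, "RangerAccessControlEnforcer.checkDefaultEnforcer(path=" + str3 + ")");
                }
                try {
                    // Returns normally on allow and throws on deny.
                    this.defaultEnforcer.checkPermission(str, str2, userGroupInformation, iNodeAttributesArr, iNodeArr, bArr, i, str3, i2, z, fsAction, fsAction2, fsAction3, fsAction4, z2);
                    authzStatus = AuthzStatus.ALLOW;
                } finally {
                    // Runs for both outcomes: authzStatus is ALLOW only if the call above returned.
                    if (authzContext.auditHandler != null) {
                        INode auditedNode = iNode3;
                        FsAction auditedAction = fsAction3;
                        if (authzContext.isTraverseOnlyCheck) {
                            // Traversal is reported as EXECUTE on the nearest directory.
                            if (auditedNode == null || auditedNode.isFile()) {
                                if (iNode2 != null) {
                                    auditedNode = iNode2;
                                } else if (iNode != null) {
                                    auditedNode = iNode;
                                }
                            }
                            auditedAction = FsAction.EXECUTE;
                        } else if (auditedAction == null || auditedAction == FsAction.NONE) {
                            // No access on the target was requested: report the first of
                            // parent, ancestor or sub-access that was.
                            if (fsAction2 != null && fsAction2 != FsAction.NONE) {
                                auditedNode = iNode2;
                                auditedAction = fsAction2;
                            } else if (fsAction != null && fsAction != FsAction.NONE) {
                                auditedNode = iNode;
                                auditedAction = fsAction;
                            } else if (fsAction4 != null && fsAction4 != FsAction.NONE) {
                                auditedAction = fsAction4;
                            }
                        }
                        String auditedPath = auditedNode != null ? auditedNode.getFullPathName() : str3;
                        boolean allowed = authzStatus == AuthzStatus.ALLOW;
                        // The last saved Ranger result is overwritten with the HDFS decision
                        // before it is audited, so the record reflects the effective outcome.
                        RangerAccessResult lastResult = authzContext.getLastResult();
                        if (lastResult != null) {
                            lastResult.setIsAllowed(allowed);
                            lastResult.setIsAccessDetermined(true);
                            authzContext.plugin.evalAuditPolicies(lastResult);
                            authzContext.auditHandler.processResult(lastResult);
                        }
                        authzContext.auditHandler.logHadoopEvent(auditedPath, auditedAction, allowed);
                    }
                    RangerPerfTracer.log(rangerPerfTracer);
                }
            }
            // Guarded so the message is not built on every call when debug logging is off.
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("<== RangerAccessControlEnforcer.checkDefaultEnforcer(fsOwner=" + str + "; superGroup=" + str2 + ", inodesCount=" + (iNodeArr != null ? iNodeArr.length : 0) + ", snapshotId=" + i + ", path=" + str3 + ", ancestorIndex=" + i2 + ", doCheckOwner=" + z + ", ancestorAccess=" + fsAction + ", parentAccess=" + fsAction2 + ", access=" + fsAction3 + ", subAccess=" + fsAction4 + ", ignoreEmptyDir=" + z2 + ", isTraverseOnlyCheck=" + authzContext.isTraverseOnlyCheck + ",ancestor=" + (iNode == null ? null : iNode.getFullPathName()) + ", parent=" + (iNode2 == null ? null : iNode2.getFullPathName()) + ", inode=" + (iNode3 == null ? null : iNode3.getFullPathName()) + ") : " + authzStatus);
            }
            return authzStatus;
        }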

        /**
         * Evaluates Ranger policy for one HDFS action on one resource.
         *
         * <p>The action is expanded into its Ranger access types and each is checked in
         * turn. A determined deny on any type returns DENY at once. If any type is
         * undetermined (or the plugin returns {@code null}) the result is
         * NOT_DETERMINED unless a later type is denied. ALLOW is returned only when
         * every type was determined and allowed. An empty set of access types yields
         * NOT_DETERMINED.
         *
         * @param iNode           inode being checked, may be {@code null}
         * @param iNodeAttributes attributes of the inode, may be {@code null}
         * @param str             resource path; an empty string is treated as "/"
         * @param fsAction        requested HDFS action
         * @param authzContext    per-request state
         * @return the combined decision
         */
        private AuthzStatus isAccessAllowed(INode iNode, INodeAttributes iNodeAttributes, String str, FsAction fsAction, AuthzContext authzContext) {
            // The owner comes from the attributes when they carry one, else from the inode.
            String owner = iNodeAttributes != null ? iNodeAttributes.getUserName() : null;
            if (owner == null && iNode != null) {
                owner = iNode.getUserName();
            }
            if ("".equals(str)) {
                str = "/";
            }
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("==> RangerAccessControlEnforcer.isAccessAllowed(" + str + ", " + fsAction + ", " + authzContext.user + ")");
            }

            Set<String> accessTypes = RangerHdfsAuthorizer.this.access2ActionListMapper.get(fsAction);
            if (accessTypes == null) {
                RangerHdfsAuthorizer.LOG.warn("RangerAccessControlEnforcer.isAccessAllowed(" + str + ", " + fsAction + ", " + authzContext.user + "): no Ranger accessType found for " + fsAction);
                // NOTE(review): the fallback lookup is not null-checked; whether NONE is
                // always mapped is not visible in this part of the file.
                accessTypes = RangerHdfsAuthorizer.this.access2ActionListMapper.get(FsAction.NONE);
            }

            AuthzStatus authzStatus = null;
            for (String accessType : accessTypes) {
                RangerAccessRequest request = new RangerHdfsAccessRequest(iNode, str, owner, fsAction, accessType, authzContext.operationName, authzContext.user, authzContext.userGroups);
                // The full set travels with every request in its context.
                request.getContext().put("ACCESSTYPES", accessTypes);
                RangerAccessResult result = authzContext.plugin.isAccessAllowed(request, authzContext.auditHandler);
                authzContext.saveResult(result);

                if (result == null || !result.getIsAccessDetermined()) {
                    authzStatus = AuthzStatus.NOT_DETERMINED;
                    continue;
                }
                if (!result.getIsAllowed()) {
                    // A single deny settles the outcome.
                    authzStatus = AuthzStatus.DENY;
                    break;
                }
                // An allow never upgrades an earlier undetermined result.
                if (authzStatus != AuthzStatus.NOT_DETERMINED) {
                    authzStatus = AuthzStatus.ALLOW;
                }
            }
            if (authzStatus == null) {
                authzStatus = AuthzStatus.NOT_DETERMINED;
            }

            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("<== RangerAccessControlEnforcer.isAccessAllowed(" + str + ", " + fsAction + ", " + authzContext.user + "): " + authzStatus);
            }
            return authzStatus;
        }

        /**
         * Asks the Ranger plugin whether {@code fsAction} would be permitted on a synthetic path
         * placed directly beneath {@code str}, evaluating one Ranger access type at a time.
         *
         * <p>The probed path is {@code str} (with a trailing '/' appended when missing) followed by
         * the value of {@code rangerPlugin.getRandomizedWildcardPathName()}. Presumably that name
         * stands in for "any descendant" so that policies covering the subtree are matched; confirm
         * against the plugin. Each request is built without an inode and the plugin is invoked with
         * a {@code null} audit handler, so this method hands these probe evaluations to no audit
         * handler itself.
         *
         * <p>Results are folded conservatively: a determined "not allowed" ends the loop with
         * {@code DENY}; an undetermined (or {@code null}) result sets {@code NOT_DETERMINED}, and a
         * later allow never upgrades it back to {@code ALLOW}.
         *
         * @param iNode           used only as a fallback source for the user name; may be null
         * @param iNodeAttributes preferred source for the user name; may be null
         * @param str             directory path to probe beneath; "" is treated as "/", and null skips evaluation
         * @param fsAction        requested HDFS action, translated through {@code access2ActionListMapper}
         * @param authzContext    supplies the plugin, caller identity and operation name, and records every result
         * @return {@code DENY} if any access type is determined and not allowed; {@code ALLOW} only if
         *         every access type is determined and allowed; otherwise {@code NOT_DETERMINED}
         *         (including a null {@code str} or an empty access-type set)
         */
        private AuthzStatus isAccessAllowedForHierarchy(INode iNode, INodeAttributes iNodeAttributes, String str, FsAction fsAction, AuthzContext authzContext) {
            String inodeUserName = null;
            if (iNodeAttributes != null) {
                inodeUserName = iNodeAttributes.getUserName();
            }
            if (inodeUserName == null && iNode != null) {
                inodeUserName = iNode.getUserName();
            }
            if ("".equals(str)) {
                str = "/";
            }
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("==> RangerAccessControlEnforcer.isAccessAllowedForHierarchy(" + str + ", " + fsAction + ", " + authzContext.user + ")");
            }

            AuthzStatus outcome = null;
            if (str != null) {
                Set accessTypes = (Set) RangerHdfsAuthorizer.this.access2ActionListMapper.get(fsAction);
                if (accessTypes == null) {
                    RangerHdfsAuthorizer.LOG.warn("RangerAccessControlEnforcer.isAccessAllowedForHierarchy(" + str + ", " + fsAction + ", " + authzContext.user + "): no Ranger accessType found for " + fsAction);
                    // NOTE(review): the NONE entry is only added in start(); if it is missing this
                    // fallback is null and the loop below throws NullPointerException.
                    accessTypes = (Set) RangerHdfsAuthorizer.this.access2ActionListMapper.get(FsAction.NONE);
                }

                // Build "<dir>/<randomized wildcard name>" as the path actually sent to the plugin.
                String dirPath = str.charAt(str.length() - 1) == '/' ? str : str + "/";
                String probePath = dirPath + RangerHdfsAuthorizer.this.rangerPlugin.getRandomizedWildcardPathName();

                for (Object accessType : accessTypes) {
                    RangerAccessRequest request = new RangerHdfsAccessRequest(null, probePath, inodeUserName, fsAction, (String) accessType, authzContext.operationName, authzContext.user, authzContext.userGroups);
                    request.getContext().put("ACCESSTYPES", accessTypes);

                    // Null audit handler: this call passes nothing for the plugin to audit with.
                    RangerAccessResult result = authzContext.plugin.isAccessAllowed(request, null);
                    authzContext.saveResult(result);

                    if (result == null || !result.getIsAccessDetermined()) {
                        // Sticky: once undetermined, only a DENY may replace it.
                        outcome = AuthzStatus.NOT_DETERMINED;
                        continue;
                    }
                    if (!result.getIsAllowed()) {
                        outcome = AuthzStatus.DENY;
                        break;
                    }
                    if (!AuthzStatus.NOT_DETERMINED.equals(outcome)) {
                        outcome = AuthzStatus.ALLOW;
                    }
                }
            }

            // Nothing evaluated (null path or empty access-type set) is never reported as ALLOW.
            if (outcome == null) {
                outcome = AuthzStatus.NOT_DETERMINED;
            }
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("<== RangerAccessControlEnforcer.isAccessAllowedForHierarchy(" + str + ", " + fsAction + ", " + authzContext.user + "): " + outcome);
            }
            return outcome;
        }
    }

    /**
     * Creates an authorizer with no additional configuration file.
     *
     * <p>Delegates to {@link #RangerHdfsAuthorizer(Path)} with a {@code null} path.
     */
    public RangerHdfsAuthorizer() {
        this((Path) null);
    }

    /**
     * Creates an authorizer that remembers {@code path} as its additional configuration file.
     *
     * <p>No plugin is created here: {@code rangerPlugin} stays {@code null} and the
     * action-to-access-type table stays empty until {@link #start()} runs.
     *
     * @param path stored in {@code addlConfigFile} and later passed to the
     *             {@code RangerHdfsPlugin} constructor by {@link #start()}; may be null
     */
    public RangerHdfsAuthorizer(Path path) {
        // Initial state: empty mapping table, no plugin.
        this.access2ActionListMapper = new HashMap();
        this.rangerPlugin = null;

        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerHdfsAuthorizer.RangerHdfsAuthorizer()");
        }

        this.addlConfigFile = path;

        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerHdfsAuthorizer.RangerHdfsAuthorizer()");
        }
    }

    /**
     * Creates and initialises the Ranger HDFS plugin, fills the table that translates each
     * {@link FsAction} into the Ranger access types to evaluate, and then stores the plugin in
     * {@code rangerPlugin}.
     *
     * <p>{@code FsAction.NONE} maps to an empty set. The enforcer code in this file falls back to
     * that entry when an action has no mapping, and an empty set yields {@code NOT_DETERMINED}
     * rather than {@code ALLOW}.
     */
    public void start() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerHdfsAuthorizer.start()");
        }

        RangerHdfsPlugin plugin = new RangerHdfsPlugin(this.addlConfigFile);
        plugin.init();
        if (plugin.isOptimizeSubAccessAuthEnabled()) {
            LOG.info("ranger.optimize-subaccess-authorization is enabled");
        }

        // Ranger access-type names used in the table below.
        final String read = RangerServiceHdfs.ACCESS_TYPE_READ;
        final String write = "write";
        final String execute = "execute";

        this.access2ActionListMapper.put(FsAction.NONE, new HashSet());
        this.access2ActionListMapper.put(FsAction.ALL, Sets.newHashSet(read, write, execute));
        this.access2ActionListMapper.put(FsAction.READ, Sets.newHashSet(read));
        this.access2ActionListMapper.put(FsAction.READ_WRITE, Sets.newHashSet(read, write));
        this.access2ActionListMapper.put(FsAction.READ_EXECUTE, Sets.newHashSet(read, execute));
        this.access2ActionListMapper.put(FsAction.WRITE, Sets.newHashSet(write));
        this.access2ActionListMapper.put(FsAction.WRITE_EXECUTE, Sets.newHashSet(write, execute));
        this.access2ActionListMapper.put(FsAction.EXECUTE, Sets.newHashSet(execute));

        // The plugin is stored only after the table is complete.
        // NOTE(review): no synchronisation is visible here; confirm how readers on other threads
        // are expected to observe this field.
        this.rangerPlugin = plugin;

        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerHdfsAuthorizer.start()");
        }
    }

    /**
     * Detaches the Ranger plugin from this authorizer and releases it.
     *
     * <p>{@code rangerPlugin} is set to {@code null} before {@code cleanup()} is called on the
     * previous instance. When no plugin was set, the method only logs.
     */
    public void stop() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerHdfsAuthorizer.stop()");
        }

        // Take a local copy so the field can be cleared before cleanup runs.
        RangerHdfsPlugin previous = this.rangerPlugin;
        this.rangerPlugin = null;
        if (previous != null) {
            previous.cleanup();
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerHdfsAuthorizer.stop()");
        }
    }

    /**
     * Returns the supplied inode attributes unchanged.
     *
     * <p>This overload does not replace or adjust the attributes it is given (including the user
     * name that the enforcer code in this file reads from them); it only writes debug log lines.
     *
     * @param str             path of the inode, used only in the debug log
     * @param iNodeAttributes attributes supplied by the caller
     * @return the same {@code iNodeAttributes} reference that was passed in
     */
    public INodeAttributes getAttributes(String str, INodeAttributes iNodeAttributes) {
        if (LOG.isDebugEnabled()) {
            String entryMessage = "==> RangerHdfsAuthorizer.getAttributes(" + str + ")";
            LOG.debug(entryMessage);
        }
        if (LOG.isDebugEnabled()) {
            String exitMessage = "<== RangerHdfsAuthorizer.getAttributes(" + str + "): " + iNodeAttributes;
            LOG.debug(exitMessage);
        }
        return iNodeAttributes;
    }

    /**
     * Returns the supplied inode attributes unchanged.
     *
     * <p>As with the {@code String} overload, nothing is replaced or adjusted; only the number of
     * path elements is written to the debug log.
     *
     * @param strArr          path elements of the inode; may be null (logged as a count of 0)
     * @param iNodeAttributes attributes supplied by the caller
     * @return the same {@code iNodeAttributes} reference that was passed in
     */
    public INodeAttributes getAttributes(String[] strArr, INodeAttributes iNodeAttributes) {
        final int pathElementsCount = (strArr != null) ? strArr.length : 0;

        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerHdfsAuthorizer.getAttributes(pathElementsCount=" + pathElementsCount + ")");
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerHdfsAuthorizer.getAttributes(pathElementsCount=" + pathElementsCount + "): " + iNodeAttributes);
        }
        return iNodeAttributes;
    }

    /**
     * Builds the Ranger enforcer to be used for permission checks.
     *
     * <p>A new {@code RangerAccessControlEnforcer} is created on every call and given the supplied
     * enforcer. NOTE(review): presumably the wrapped enforcer serves as the fallback to native
     * HDFS permission checks when Ranger does not determine access; confirm in
     * {@code RangerAccessControlEnforcer}.
     *
     * @param accessControlEnforcer enforcer passed to the {@code RangerAccessControlEnforcer} constructor
     * @return the newly created Ranger enforcer
     */
    public INodeAttributeProvider.AccessControlEnforcer getExternalAccessControlEnforcer(INodeAttributeProvider.AccessControlEnforcer accessControlEnforcer) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerHdfsAuthorizer.getExternalAccessControlEnforcer()");
        }

        RangerAccessControlEnforcer enforcer = new RangerAccessControlEnforcer(accessControlEnforcer);

        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerHdfsAuthorizer.getExternalAccessControlEnforcer()");
        }
        return enforcer;
    }

    /**
     * Returns the configuration held by the current Ranger plugin.
     *
     * @return the result of {@code rangerPlugin.getConfig()}
     * @throws NullPointerException if no plugin is set, which is the case before {@link #start()}
     *                              has completed and after {@link #stop()} has cleared the field
     */
    public Configuration getConfig() {
        RangerHdfsPlugin plugin = this.rangerPlugin;
        return plugin.getConfig();
    }
}
