package org.apache.ranger.authorization.hadoop;

import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.Stack;
import java.util.TreeSet;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.hdfs.DFSUtil;
import org.apache.hadoop.hdfs.server.namenode.INode;
import org.apache.hadoop.hdfs.server.namenode.INodeAttributeProvider;
import org.apache.hadoop.hdfs.server.namenode.INodeAttributes;
import org.apache.hadoop.hdfs.server.namenode.INodeDirectory;
import org.apache.hadoop.hdfs.server.namenode.INodeDirectoryAttributes;
import org.apache.hadoop.hdfs.util.ReadOnlyList;
import org.apache.hadoop.ipc.CallerContext;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.authorization.hadoop.exceptions.RangerAccessControlException;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.services.hdfs.RangerServiceHdfs;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer.class */
public class RangerHdfsAuthorizer extends INodeAttributeProvider {
    public static final String KEY_FILENAME = "FILENAME";
    public static final String KEY_BASE_FILENAME = "BASE_FILENAME";
    public static final String DEFAULT_FILENAME_EXTENSION_SEPARATOR = ".";
    public static final String KEY_RESOURCE_PATH = "path";
    public static final String RANGER_FILENAME_EXTENSION_SEPARATOR_PROP = "ranger.plugin.hdfs.filename.extension.separator";
    public static final String OPERATION_NAME_CREATE = "create";
    public static final String OPERATION_NAME_DELETE = "delete";
    public static final String OPERATION_NAME_RENAME = "rename";
    public static final String OPERATION_NAME_LISTSTATUS = "listStatus";
    public static final String OPERATION_NAME_MKDIRS = "mkdirs";
    public static final String OPERATION_NAME_GETEZFORPATH = "getEZForPath";
    private RangerHdfsPlugin rangerPlugin;
    private final Map<FsAction, Set<String>> access2ActionListMapper;
    private final Path addlConfigFile;
    private boolean AUTHZ_OPTIMIZATION_ENABLED;
    private final OptimizedAuthzContext OPT_BYPASS_AUTHZ;
    private static final Logger LOG = LoggerFactory.getLogger(RangerHdfsAuthorizer.class);
    private static final Logger PERF_HDFSAUTH_REQUEST_LOG = RangerPerfTracer.getPerfLogger("hdfsauth.request");
    private static final Set<String> OPTIMIZED_OPERATIONS = new HashSet<String>() { // from class: org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer.1
        {
            add(RangerHdfsAuthorizer.OPERATION_NAME_CREATE);
            add(RangerHdfsAuthorizer.OPERATION_NAME_DELETE);
            add(RangerHdfsAuthorizer.OPERATION_NAME_RENAME);
            add(RangerHdfsAuthorizer.OPERATION_NAME_LISTSTATUS);
            add(RangerHdfsAuthorizer.OPERATION_NAME_MKDIRS);
            add(RangerHdfsAuthorizer.OPERATION_NAME_GETEZFORPATH);
        }
    };

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer$AuthzStatus.class */
    public enum AuthzStatus {
        ALLOW,
        DENY,
        NOT_DETERMINED
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer$OptimizedAuthzContext.class */
    public static class OptimizedAuthzContext {
        private final String path;
        private final FsAction ancestorAccess;
        private final FsAction parentAccess;
        private final FsAction access;
        private AuthzStatus authzStatus;

        OptimizedAuthzContext(String str, FsAction fsAction, FsAction fsAction2, FsAction fsAction3, AuthzStatus authzStatus) {
            this.path = str;
            this.ancestorAccess = fsAction;
            this.parentAccess = fsAction2;
            this.access = fsAction3;
            this.authzStatus = authzStatus;
        }

        public String toString() {
            return "path=" + this.path + ", authzStatus=" + this.authzStatus;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer$RangerAccessControlEnforcer.class */
    public class RangerAccessControlEnforcer implements INodeAttributeProvider.AccessControlEnforcer {
        private final INodeAttributeProvider.AccessControlEnforcer defaultEnforcer;
        private Map<String, OptimizedAuthzContext> CACHE = null;

        /* JADX INFO: Access modifiers changed from: package-private */
        /* loaded from: input_file:org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer$RangerAccessControlEnforcer$OperationOptimizer.class */
        public class OperationOptimizer {
            private final String operationName;
            private final byte[][] components;
            private final INodeAttributes[] inodeAttrs;
            private final int ancestorIndex;
            private final INode ancestor;
            private final INode parent;
            private final INode inode;
            private String resourcePath;
            private FsAction ancestorAccess;
            private FsAction parentAccess;
            private FsAction access;
            private final FsAction subAccess;

            OperationOptimizer(String str, String str2, FsAction fsAction, FsAction fsAction2, FsAction fsAction3, FsAction fsAction4, byte[][] bArr, INodeAttributes[] iNodeAttributesArr, int i, INode iNode, INode iNode2, INode iNode3) {
                this.operationName = str;
                this.resourcePath = str2;
                this.ancestorAccess = fsAction;
                this.parentAccess = fsAction2;
                this.access = fsAction3;
                this.subAccess = fsAction4;
                this.components = bArr;
                this.inodeAttrs = iNodeAttributesArr;
                this.ancestorIndex = i;
                this.ancestor = iNode;
                this.parent = iNode2;
                this.inode = iNode3;
            }

            OptimizedAuthzContext optimize() {
                if (RangerHdfsAuthorizer.this.AUTHZ_OPTIMIZATION_ENABLED && RangerHdfsAuthorizer.OPTIMIZED_OPERATIONS.contains(this.operationName)) {
                    return optimizeOp(this.operationName);
                }
                return null;
            }

            OptimizedAuthzContext optimizeOp(String str) {
                boolean z = -1;
                switch (str.hashCode()) {
                    case -1352294148:
                        if (str.equals(RangerHdfsAuthorizer.OPERATION_NAME_CREATE)) {
                            z = false;
                            break;
                        }
                        break;
                    case -1335458389:
                        if (str.equals(RangerHdfsAuthorizer.OPERATION_NAME_DELETE)) {
                            z = true;
                            break;
                        }
                        break;
                    case -1072489436:
                        if (str.equals(RangerHdfsAuthorizer.OPERATION_NAME_MKDIRS)) {
                            z = 3;
                            break;
                        }
                        break;
                    case -934594754:
                        if (str.equals(RangerHdfsAuthorizer.OPERATION_NAME_RENAME)) {
                            z = 2;
                            break;
                        }
                        break;
                    case 364510768:
                        if (str.equals(RangerHdfsAuthorizer.OPERATION_NAME_LISTSTATUS)) {
                            z = 4;
                            break;
                        }
                        break;
                    case 1046573955:
                        if (str.equals(RangerHdfsAuthorizer.OPERATION_NAME_GETEZFORPATH)) {
                            z = 5;
                            break;
                        }
                        break;
                }
                switch (z) {
                    case false:
                        return optimizeCreateOp();
                    case true:
                        return optimizeDeleteOp();
                    case true:
                        return optimizeRenameOp();
                    case true:
                        return optimizeMkdirsOp();
                    case true:
                        return optimizeListStatusOp();
                    case true:
                        return optimizeGetEZForPathOp();
                    default:
                        return null;
                }
            }

            private OptimizedAuthzContext optimizeCreateOp() {
                INode iNodeToAuthorize = getINodeToAuthorize();
                if (iNodeToAuthorize == null) {
                    return RangerHdfsAuthorizer.this.OPT_BYPASS_AUTHZ;
                }
                if (iNodeToAuthorize.isDirectory() || this.access != null) {
                    return getOrCreateOptimizedAuthzContext();
                }
                if (!RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                    return null;
                }
                RangerHdfsAuthorizer.LOG.debug("nodeToCheck is not a directory and access is null for a create operation! Optimization skipped");
                return null;
            }

            private OptimizedAuthzContext optimizeDeleteOp() {
                int i = 0;
                if (this.ancestorAccess != null) {
                    i = 0 + 1;
                }
                if (this.parentAccess != null) {
                    i++;
                }
                if (this.access != null) {
                    i++;
                }
                if (this.subAccess != null) {
                    i++;
                }
                if (i == 0) {
                    return RangerHdfsAuthorizer.this.OPT_BYPASS_AUTHZ;
                }
                this.parentAccess = FsAction.WRITE_EXECUTE;
                return getOrCreateOptimizedAuthzContext();
            }

            private OptimizedAuthzContext optimizeRenameOp() {
                INode iNodeToAuthorize = getINodeToAuthorize();
                if (iNodeToAuthorize == null) {
                    return RangerHdfsAuthorizer.this.OPT_BYPASS_AUTHZ;
                }
                if (iNodeToAuthorize.isDirectory()) {
                    return getOrCreateOptimizedAuthzContext();
                }
                if (!RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                    return null;
                }
                RangerHdfsAuthorizer.LOG.debug("nodeToCheck is not a directory for a rename operation! Optimization skipped");
                return null;
            }

            private OptimizedAuthzContext optimizeMkdirsOp() {
                INode iNodeToAuthorize = getINodeToAuthorize();
                if (iNodeToAuthorize == null) {
                    return RangerHdfsAuthorizer.this.OPT_BYPASS_AUTHZ;
                }
                if (iNodeToAuthorize.isDirectory()) {
                    return getOrCreateOptimizedAuthzContext();
                }
                if (!RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                    return null;
                }
                RangerHdfsAuthorizer.LOG.debug("nodeToCheck is not a directory for a mkdirs operation! Optimization skipped");
                return null;
            }

            private OptimizedAuthzContext optimizeListStatusOp() {
                if (this.inode == null || this.inode.isFile()) {
                    if (!RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                        return null;
                    }
                    RangerHdfsAuthorizer.LOG.debug("inode is null or is a file for a listStatus/getEZForPath operation! Optimization skipped");
                    return null;
                }
                if (this.resourcePath.length() > 1 && this.resourcePath.endsWith("/")) {
                    this.resourcePath = this.resourcePath.substring(0, this.resourcePath.length() - 1);
                }
                this.access = FsAction.READ_EXECUTE;
                return getOrCreateOptimizedAuthzContext();
            }

            private OptimizedAuthzContext optimizeGetEZForPathOp() {
                if (this.inode != null && !this.inode.isFile()) {
                    this.access = FsAction.READ_EXECUTE;
                    return getOrCreateOptimizedAuthzContext();
                }
                if (!RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                    return null;
                }
                RangerHdfsAuthorizer.LOG.debug("inode is null or is a file for a listStatus/getEZForPath operation! Optimization skipped");
                return null;
            }

            private INode getINodeToAuthorize() {
                INode iNode = null;
                INode iNode2 = this.inode;
                if (iNode2 == null || iNode2.isFile()) {
                    if (!StringUtils.equals(this.operationName, RangerHdfsAuthorizer.OPERATION_NAME_CREATE) || this.inode == null || this.access == null) {
                        if (this.parent != null) {
                            iNode2 = this.parent;
                            this.resourcePath = this.inodeAttrs.length > 0 ? DFSUtil.byteArray2PathString(this.components, 0, this.inodeAttrs.length - 1) : "/";
                            this.parentAccess = FsAction.WRITE_EXECUTE;
                        } else if (this.ancestor != null) {
                            INodeAttributes iNodeAttributes = this.inodeAttrs.length > this.ancestorIndex ? this.inodeAttrs[this.ancestorIndex] : null;
                            iNode2 = this.ancestor;
                            this.resourcePath = iNodeAttributes != null ? DFSUtil.byteArray2PathString(this.components, 0, this.ancestorIndex + 1) : "/";
                            this.ancestorAccess = FsAction.WRITE_EXECUTE;
                        }
                        if (this.resourcePath.length() > 1 && this.resourcePath.endsWith("/")) {
                            this.resourcePath = this.resourcePath.substring(0, this.resourcePath.length() - 1);
                        }
                    } else if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                        RangerHdfsAuthorizer.LOG.debug("Create operation with non-null access is being authorized. authorize for write access for the file!!");
                    }
                    iNode = iNode2;
                } else if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                    RangerHdfsAuthorizer.LOG.debug("inode is not null and it is not a file for a create/rename/mkdirs operation! Optimization skipped");
                }
                return iNode;
            }

            private OptimizedAuthzContext getOrCreateOptimizedAuthzContext() {
                if (RangerAccessControlEnforcer.this.CACHE == null) {
                    RangerAccessControlEnforcer.this.CACHE = new HashMap();
                }
                OptimizedAuthzContext optimizedAuthzContext = (OptimizedAuthzContext) RangerAccessControlEnforcer.this.CACHE.get(this.resourcePath);
                if (optimizedAuthzContext == null) {
                    optimizedAuthzContext = new OptimizedAuthzContext(this.resourcePath, this.ancestorAccess, this.parentAccess, this.access, null);
                    RangerAccessControlEnforcer.this.CACHE.put(this.resourcePath, optimizedAuthzContext);
                    if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                        RangerHdfsAuthorizer.LOG.debug("Added OptimizedAuthzContext:[" + optimizedAuthzContext + "] to cache");
                    }
                }
                return optimizedAuthzContext;
            }
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        /* loaded from: input_file:org/apache/ranger/authorization/hadoop/RangerHdfsAuthorizer$RangerAccessControlEnforcer$SubAccessData.class */
        public class SubAccessData {
            final INodeDirectory dir;
            final String resourcePath;
            final INode[] inodes;
            final INodeAttributes[] iNodeAttributes;

            SubAccessData(INodeDirectory iNodeDirectory, String str, INode[] iNodeArr, INodeAttributes[] iNodeAttributesArr) {
                this.dir = iNodeDirectory;
                this.resourcePath = str;
                this.iNodeAttributes = iNodeAttributesArr;
                this.inodes = iNodeArr;
            }
        }

        public RangerAccessControlEnforcer(INodeAttributeProvider.AccessControlEnforcer accessControlEnforcer) {
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("==> RangerAccessControlEnforcer.RangerAccessControlEnforcer()");
            }
            this.defaultEnforcer = accessControlEnforcer;
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("<== RangerAccessControlEnforcer.RangerAccessControlEnforcer()");
            }
        }

        public void checkPermissionWithContext(INodeAttributeProvider.AuthorizationContext authorizationContext) throws AccessControlException {
            checkRangerPermission(authorizationContext.getFsOwner(), authorizationContext.getSupergroup(), authorizationContext.getCallerUgi(), authorizationContext.getInodeAttrs(), authorizationContext.getInodes(), authorizationContext.getPathByNameArr(), authorizationContext.getSnapshotId(), authorizationContext.getPath(), authorizationContext.getAncestorIndex(), authorizationContext.isDoCheckOwner(), authorizationContext.getAncestorAccess(), authorizationContext.getParentAccess(), authorizationContext.getAccess(), authorizationContext.getSubAccess(), authorizationContext.isIgnoreEmptyDir(), authorizationContext.getOperationName(), authorizationContext.getCallerContext());
        }

        public void checkPermission(String str, String str2, UserGroupInformation userGroupInformation, INodeAttributes[] iNodeAttributesArr, INode[] iNodeArr, byte[][] bArr, int i, String str3, int i2, boolean z, FsAction fsAction, FsAction fsAction2, FsAction fsAction3, FsAction fsAction4, boolean z2) throws AccessControlException {
            checkRangerPermission(str, str2, userGroupInformation, iNodeAttributesArr, iNodeArr, bArr, i, str3, i2, z, fsAction, fsAction2, fsAction3, fsAction4, z2, null, null);
        }

        /* JADX WARN: Multi-variable type inference failed */
        /* JADX WARN: Type inference failed for: r0v69, types: [byte[], byte[][]] */
        private void checkRangerPermission(String str, String str2, UserGroupInformation userGroupInformation, INodeAttributes[] iNodeAttributesArr, INode[] iNodeArr, byte[][] bArr, int i, String str3, int i2, boolean z, FsAction fsAction, FsAction fsAction2, FsAction fsAction3, FsAction fsAction4, boolean z2, String str4, CallerContext callerContext) throws AccessControlException {
            INodeDirectory iNodeDirectory;
            INode[] iNodeArr2;
            INodeAttributes[] iNodeAttributesArr2;
            int length;
            INode iNode;
            INode iNode2;
            byte[][] pathComponents;
            AuthzStatus authzStatus = AuthzStatus.NOT_DETERMINED;
            String str5 = str3;
            AuthzContext authzContext = new AuthzContext(RangerHdfsAuthorizer.this.rangerPlugin, userGroupInformation, str4, fsAction3 == null && fsAction2 == null && fsAction == null && fsAction4 == null);
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("==> RangerAccessControlEnforcer.checkRangerPermission(fsOwner=" + str + "; superGroup=" + str2 + ", inodesCount=" + (iNodeArr != null ? iNodeArr.length : 0) + ", snapshotId=" + i + ", user=" + authzContext.user + ", provided-path=" + str3 + ", ancestorIndex=" + i2 + ", doCheckOwner=" + z + ", ancestorAccess=" + fsAction + ", parentAccess=" + fsAction2 + ", access=" + fsAction3 + ", subAccess=" + fsAction4 + ", ignoreEmptyDir=" + z2 + ", operationName=" + str4 + ", callerContext=" + callerContext + ")");
            }
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.info("operationName={}, path={}, user={}, ancestorIndex={}, ancestorAccess={}, parentAccess={}, access={}, subAccess={}", new Object[]{authzContext.operationName, str3, authzContext.user, Integer.valueOf(i2), fsAction, fsAction2, fsAction3, fsAction4});
            }
            OptimizedAuthzContext optimizedAuthzContext = null;
            RangerPerfTracer perfTracer = RangerPerfTracer.isPerfTraceEnabled(RangerHdfsAuthorizer.PERF_HDFSAUTH_REQUEST_LOG) ? RangerPerfTracer.getPerfTracer(RangerHdfsAuthorizer.PERF_HDFSAUTH_REQUEST_LOG, "RangerHdfsAuthorizer.checkRangerPermission(provided-path=" + str3 + ")") : null;
            try {
                INode iNode3 = null;
                INode iNode4 = null;
                INode iNode5 = null;
                boolean z3 = false;
                boolean z4 = false;
                if (authzContext.plugin != null && !ArrayUtils.isEmpty(iNodeArr)) {
                    int length2 = iNodeAttributesArr.length;
                    if (RangerHdfsAuthorizer.LOG.isTraceEnabled()) {
                        RangerHdfsAuthorizer.LOG.trace("Size of INodeAttrs array:[" + length2 + "]");
                        RangerHdfsAuthorizer.LOG.trace("Size of INodes array:[" + iNodeArr.length + "]");
                    }
                    ?? r0 = new byte[length2];
                    int i3 = 0;
                    while (i3 < length2 && iNodeAttributesArr[i3] != null) {
                        r0[i3] = iNodeAttributesArr[i3].getLocalNameBytes();
                        i3++;
                    }
                    if (i3 != length2 && RangerHdfsAuthorizer.LOG.isTraceEnabled()) {
                        RangerHdfsAuthorizer.LOG.trace("Input INodeAttributes array contains null at position " + i3);
                        RangerHdfsAuthorizer.LOG.trace("Will use only first [" + i3 + "] components");
                    }
                    if (length2 == 1 && iNodeArr.length == 1 && iNodeArr[0].getParent() != null) {
                        z4 = true;
                        if (RangerHdfsAuthorizer.LOG.isTraceEnabled()) {
                            RangerHdfsAuthorizer.LOG.trace("Using the only inode in the array to figure out path to resource. No audit record will be generated for this authorization request");
                        }
                        str5 = iNodeArr[0].getFullPathName();
                        if (i != 2147483646) {
                            z3 = true;
                            if (RangerHdfsAuthorizer.LOG.isTraceEnabled()) {
                                RangerHdfsAuthorizer.LOG.trace("path:[" + str5 + "] is for a snapshot, id=[" + i + "], default Authorizer will be used to authorize this request");
                            }
                        } else if (RangerHdfsAuthorizer.LOG.isTraceEnabled()) {
                            RangerHdfsAuthorizer.LOG.trace("path:[" + str5 + "] is not for a snapshot, id=[" + i + "]. It will be used to authorize this request");
                        }
                    } else if (i != 2147483646) {
                        str5 = DFSUtil.byteArray2PathString(bArr);
                        if (RangerHdfsAuthorizer.LOG.isTraceEnabled()) {
                            RangerHdfsAuthorizer.LOG.trace("pathByNameArr array is used to figure out path to resource, resourcePath:[" + str5 + "]");
                        }
                    } else {
                        str5 = DFSUtil.byteArray2PathString((byte[][]) r0, 0, i3);
                        if (RangerHdfsAuthorizer.LOG.isTraceEnabled()) {
                            RangerHdfsAuthorizer.LOG.trace("INodeAttributes array is used to figure out path to resource, resourcePath:[" + str5 + "]");
                        }
                    }
                    if (i2 >= iNodeArr.length) {
                        i2 = iNodeArr.length - 1;
                    }
                    while (i2 >= 0 && iNodeArr[i2] == null) {
                        i2--;
                    }
                    iNode3 = (iNodeArr.length <= i2 || i2 < 0) ? null : iNodeArr[i2];
                    iNode4 = iNodeArr.length > 1 ? iNodeArr[iNodeArr.length - 2] : null;
                    iNode5 = iNodeArr[iNodeArr.length - 1];
                    optimizedAuthzContext = new OperationOptimizer(str4, str5, fsAction, fsAction2, fsAction3, fsAction4, r0, iNodeAttributesArr, i2, iNode3, iNode4, iNode5).optimize();
                    if (optimizedAuthzContext == RangerHdfsAuthorizer.this.OPT_BYPASS_AUTHZ) {
                        AuthzStatus authzStatus2 = AuthzStatus.ALLOW;
                        if (authzContext.auditHandler != null) {
                            authzContext.auditHandler.flushAudit();
                        }
                        if (optimizedAuthzContext != null && optimizedAuthzContext != RangerHdfsAuthorizer.this.OPT_BYPASS_AUTHZ) {
                            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                                RangerHdfsAuthorizer.LOG.debug("Updating OptimizedAuthzContext:[" + optimizedAuthzContext + "] with authzStatus=" + authzStatus2.name() + "]");
                            }
                            optimizedAuthzContext.authzStatus = authzStatus2;
                        }
                        RangerPerfTracer.log(perfTracer);
                        if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                            RangerHdfsAuthorizer.LOG.debug("<== RangerAccessControlEnforcer.checkRangerPermission(" + str5 + ", " + fsAction3 + ", user=" + authzContext.user + ") : " + authzStatus2);
                            return;
                        }
                        return;
                    }
                    if (optimizedAuthzContext != null && optimizedAuthzContext.authzStatus != null) {
                        AuthzStatus authzStatus3 = optimizedAuthzContext.authzStatus;
                        if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                            RangerHdfsAuthorizer.LOG.debug("OperationOptimizer.optimize() returned " + authzStatus3 + ", operationName=" + str4 + " has been pre-computed. Returning without any access evaluation!");
                        }
                        if (authzStatus3 != AuthzStatus.ALLOW) {
                            throw new RangerAccessControlException("Permission denied: user=" + authzContext.user + ", access=" + (fsAction3 != null ? fsAction3 : fsAction2 != null ? fsAction2 : fsAction != null ? fsAction : FsAction.EXECUTE) + ", inode=\"" + str5 + "\"");
                        }
                        if (authzContext.auditHandler != null) {
                            authzContext.auditHandler.flushAudit();
                        }
                        if (optimizedAuthzContext != null && optimizedAuthzContext != RangerHdfsAuthorizer.this.OPT_BYPASS_AUTHZ) {
                            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                                RangerHdfsAuthorizer.LOG.debug("Updating OptimizedAuthzContext:[" + optimizedAuthzContext + "] with authzStatus=" + authzStatus3.name() + "]");
                            }
                            optimizedAuthzContext.authzStatus = authzStatus3;
                        }
                        RangerPerfTracer.log(perfTracer);
                        if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                            RangerHdfsAuthorizer.LOG.debug("<== RangerAccessControlEnforcer.checkRangerPermission(" + str5 + ", " + fsAction3 + ", user=" + authzContext.user + ") : " + authzStatus3);
                            return;
                        }
                        return;
                    }
                    authzStatus = z3 ? AuthzStatus.NOT_DETERMINED : AuthzStatus.ALLOW;
                    if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                        RangerHdfsAuthorizer.LOG.debug("OperationOptimizer.optimize() returned null, operationName=" + str4 + " needs to be evaluated!");
                    }
                    if (optimizedAuthzContext != null) {
                        fsAction3 = optimizedAuthzContext.access;
                        fsAction2 = optimizedAuthzContext.parentAccess;
                        fsAction = optimizedAuthzContext.ancestorAccess;
                    }
                    authzContext.isTraverseOnlyCheck = fsAction2 == null && fsAction == null && fsAction3 == null && fsAction4 == null;
                    authzContext.auditHandler = z4 ? null : new RangerHdfsAuditHandler(str3, authzContext.isTraverseOnlyCheck, authzContext.plugin.getHadoopModuleName(), authzContext.plugin.getExcludedUsers(), callerContext != null ? callerContext.toString() : null);
                    if (authzStatus == AuthzStatus.ALLOW && authzContext.isTraverseOnlyCheck) {
                        authzStatus = traverseOnlyCheck(iNode5, iNodeAttributesArr, str5, r0, iNode4, iNode3, i2, authzContext);
                    }
                    if (authzStatus == AuthzStatus.ALLOW && fsAction2 != null && fsAction2.implies(FsAction.WRITE) && iNode4 != null && iNode5 != null && iNode4.getFsPermission() != null && iNode4.getFsPermission().getStickyBit()) {
                        authzStatus = (StringUtils.equals(iNode4.getUserName(), authzContext.user) || StringUtils.equals(iNode5.getUserName(), authzContext.user)) ? AuthzStatus.ALLOW : AuthzStatus.NOT_DETERMINED;
                    }
                    if (authzStatus == AuthzStatus.ALLOW && fsAction != null && iNode3 != null) {
                        INodeAttributes iNodeAttributes = iNodeAttributesArr.length > i2 ? iNodeAttributesArr[i2] : null;
                        authzStatus = isAccessAllowed(iNode3, iNodeAttributes, iNodeAttributes != null ? DFSUtil.byteArray2PathString((byte[][]) r0, 0, i2 + 1) : null, fsAction, authzContext);
                        if (authzStatus == AuthzStatus.NOT_DETERMINED) {
                            authzStatus = checkDefaultEnforcer(str, str2, userGroupInformation, iNodeAttributesArr, iNodeArr, bArr, i, str3, i2, z, fsAction, null, null, null, z2, iNode3, iNode4, iNode5, authzContext);
                        }
                    }
                    if (authzStatus == AuthzStatus.ALLOW && fsAction2 != null && iNode4 != null) {
                        INodeAttributes iNodeAttributes2 = iNodeAttributesArr.length > 1 ? iNodeAttributesArr[iNodeAttributesArr.length - 2] : null;
                        authzStatus = isAccessAllowed(iNode4, iNodeAttributes2, iNodeAttributes2 != null ? DFSUtil.byteArray2PathString((byte[][]) r0, 0, iNodeAttributesArr.length - 1) : null, fsAction2, authzContext);
                        if (authzStatus == AuthzStatus.NOT_DETERMINED) {
                            authzStatus = checkDefaultEnforcer(str, str2, userGroupInformation, iNodeAttributesArr, iNodeArr, bArr, i, str3, i2, z, null, fsAction2, null, null, z2, iNode3, iNode4, iNode5, authzContext);
                        }
                    }
                    if (authzStatus == AuthzStatus.ALLOW && fsAction3 != null && iNode5 != null) {
                        authzStatus = isAccessAllowed(iNode5, iNodeAttributesArr.length > 0 ? iNodeAttributesArr[iNodeAttributesArr.length - 1] : null, str5, fsAction3, authzContext);
                        if (authzStatus == AuthzStatus.NOT_DETERMINED) {
                            authzStatus = checkDefaultEnforcer(str, str2, userGroupInformation, iNodeAttributesArr, iNodeArr, bArr, i, str3, i2, z, null, null, fsAction3, null, z2, iNode3, iNode4, iNode5, authzContext);
                        }
                    }
                    if (authzStatus == AuthzStatus.ALLOW && fsAction4 != null && iNode5 != null && iNode5.isDirectory()) {
                        Stack stack = new Stack();
                        stack.push(new SubAccessData(iNode5.asDirectory(), str5, iNodeArr, iNodeAttributesArr));
                        while (!stack.isEmpty()) {
                            SubAccessData subAccessData = (SubAccessData) stack.pop();
                            ReadOnlyList<INode> childrenList = subAccessData.dir.getChildrenList(i);
                            if (!childrenList.isEmpty() || !z2) {
                                INodeDirectoryAttributes snapshotINode = subAccessData.dir.getSnapshotINode(i);
                                authzStatus = isAccessAllowed(subAccessData.dir, snapshotINode, subAccessData.resourcePath, fsAction4, authzContext);
                                if (subAccessData.dir.equals(iNode5)) {
                                    iNodeDirectory = iNode5.asDirectory();
                                    iNodeAttributesArr2 = iNodeAttributesArr;
                                    iNodeArr2 = iNodeArr;
                                    length = i2;
                                    iNode = iNode3;
                                    iNode2 = iNode4;
                                    pathComponents = bArr;
                                } else {
                                    iNodeDirectory = subAccessData.dir;
                                    INodeAttributes[] iNodeAttributesArr3 = subAccessData.iNodeAttributes;
                                    INode[] iNodeArr3 = subAccessData.inodes;
                                    iNodeArr2 = new INode[iNodeArr3.length + 1];
                                    int i4 = 0;
                                    while (i4 < iNodeArr3.length) {
                                        iNodeArr2[i4] = iNodeArr3[i4];
                                        i4++;
                                    }
                                    iNodeArr2[i4] = iNodeDirectory;
                                    iNodeAttributesArr2 = new INodeAttributes[iNodeAttributesArr3.length + 1];
                                    int i5 = 0;
                                    while (i5 < iNodeAttributesArr3.length) {
                                        iNodeAttributesArr2[i5] = iNodeAttributesArr3[i5];
                                        i5++;
                                    }
                                    iNodeAttributesArr2[i5] = snapshotINode;
                                    length = iNodeArr2.length - 1;
                                    while (length >= 0 && iNodeArr2[length] == null) {
                                        length--;
                                    }
                                    iNode = (iNodeArr2.length <= length || length < 0) ? null : iNodeArr2[length];
                                    iNode2 = iNodeArr2.length > 1 ? iNodeArr2[iNodeArr2.length - 2] : null;
                                    pathComponents = iNodeDirectory.getPathComponents();
                                }
                                if (authzStatus == AuthzStatus.NOT_DETERMINED && !RangerHdfsAuthorizer.this.rangerPlugin.isUseLegacySubAccessAuthorization()) {
                                    if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                                        if (subAccessData.dir.equals(iNode5)) {
                                            RangerHdfsAuthorizer.LOG.debug("Top level directory being processed for default authorizer call, [" + subAccessData.resourcePath + "]");
                                        } else {
                                            RangerHdfsAuthorizer.LOG.debug("Sub directory being processed for default authorizer call, [" + subAccessData.resourcePath + "]");
                                        }
                                        RangerHdfsAuthorizer.LOG.debug("Calling default authorizer for hierarchy/subaccess with the following parameters");
                                        RangerHdfsAuthorizer.LOG.debug("fsOwner=" + str + "; superGroup=" + str2 + ", inodesCount=" + (iNodeArr2 != null ? iNodeArr2.length : 0) + ", snapshotId=" + i + ", user=" + (userGroupInformation != null ? userGroupInformation.getShortUserName() : null) + ", provided-path=" + subAccessData.resourcePath + ", ancestorIndex=" + length + ", doCheckOwner=" + z + ", ancestorAccess=null, parentAccess=null, access=null, subAccess=null, ignoreEmptyDir=" + z2 + ", operationName=" + str4 + ", callerContext=null");
                                    }
                                    authzStatus = checkDefaultEnforcer(str, str2, userGroupInformation, iNodeAttributesArr2, iNodeArr2, pathComponents, i, subAccessData.resourcePath, length, z, null, null, null, null, z2, iNode, iNode2, iNodeDirectory, authzContext);
                                    if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                                        RangerHdfsAuthorizer.LOG.debug("Default authorizer call returned : [" + authzStatus + "]");
                                    }
                                }
                                if (authzStatus != AuthzStatus.ALLOW) {
                                    break;
                                }
                                AuthzStatus authzStatus4 = AuthzStatus.NOT_DETERMINED;
                                if (RangerHdfsAuthorizer.this.rangerPlugin.isOptimizeSubAccessAuthEnabled()) {
                                    authzStatus4 = isAccessAllowedForHierarchy(subAccessData.dir, snapshotINode, subAccessData.resourcePath, fsAction4, authzContext);
                                }
                                if (authzStatus4 != AuthzStatus.ALLOW) {
                                    for (INode iNode6 : childrenList) {
                                        if (iNode6.isDirectory()) {
                                            if (subAccessData.resourcePath.endsWith("/")) {
                                                stack.push(new SubAccessData(iNode6.asDirectory(), subAccessData.resourcePath + iNode6.getLocalName(), iNodeArr2, iNodeAttributesArr2));
                                            } else {
                                                stack.push(new SubAccessData(iNode6.asDirectory(), subAccessData.resourcePath + '/' + iNode6.getLocalName(), iNodeArr2, iNodeAttributesArr2));
                                            }
                                        }
                                    }
                                }
                            }
                        }
                        if (authzStatus == AuthzStatus.NOT_DETERMINED) {
                            authzStatus = checkDefaultEnforcer(str, str2, userGroupInformation, iNodeAttributesArr, iNodeArr, bArr, i, str3, i2, z, null, null, null, fsAction4, z2, iNode3, iNode4, iNode5, authzContext);
                        }
                    }
                    if (authzStatus == AuthzStatus.ALLOW && z) {
                        INodeAttributes iNodeAttributes3 = iNodeAttributesArr.length > 0 ? iNodeAttributesArr[iNodeAttributesArr.length - 1] : null;
                        authzStatus = StringUtils.equals(authzContext.user, iNodeAttributes3 != null ? iNodeAttributes3.getUserName() : null) ? AuthzStatus.ALLOW : AuthzStatus.NOT_DETERMINED;
                    }
                }
                if (authzStatus == AuthzStatus.NOT_DETERMINED) {
                    authzStatus = checkDefaultEnforcer(str, str2, userGroupInformation, iNodeAttributesArr, iNodeArr, bArr, i, str3, i2, z, fsAction, fsAction2, fsAction3, fsAction4, z2, iNode3, iNode4, iNode5, authzContext);
                }
                if (authzStatus != AuthzStatus.ALLOW) {
                    FsAction fsAction5 = fsAction3;
                    if (fsAction5 == null) {
                        fsAction5 = fsAction2 != null ? fsAction2 : fsAction != null ? fsAction : FsAction.EXECUTE;
                    }
                    throw new RangerAccessControlException("Permission denied: user=" + authzContext.user + ", access=" + fsAction5 + ", inode=\"" + str5 + "\"");
                }
                if (authzContext.auditHandler != null) {
                    authzContext.auditHandler.flushAudit();
                }
                if (optimizedAuthzContext != null && optimizedAuthzContext != RangerHdfsAuthorizer.this.OPT_BYPASS_AUTHZ) {
                    if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                        RangerHdfsAuthorizer.LOG.debug("Updating OptimizedAuthzContext:[" + optimizedAuthzContext + "] with authzStatus=" + authzStatus.name() + "]");
                    }
                    optimizedAuthzContext.authzStatus = authzStatus;
                }
                RangerPerfTracer.log(perfTracer);
                if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                    RangerHdfsAuthorizer.LOG.debug("<== RangerAccessControlEnforcer.checkRangerPermission(" + str5 + ", " + fsAction3 + ", user=" + authzContext.user + ") : " + authzStatus);
                }
            } catch (Throwable th) {
                if (authzContext.auditHandler != null) {
                    authzContext.auditHandler.flushAudit();
                }
                if (0 != 0 && null != RangerHdfsAuthorizer.this.OPT_BYPASS_AUTHZ) {
                    if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                        RangerHdfsAuthorizer.LOG.debug("Updating OptimizedAuthzContext:[" + ((Object) null) + "] with authzStatus=" + authzStatus.name() + "]");
                    }
                    null.authzStatus = authzStatus;
                }
                RangerPerfTracer.log(perfTracer);
                if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                    RangerHdfsAuthorizer.LOG.debug("<== RangerAccessControlEnforcer.checkRangerPermission(" + str5 + ", " + fsAction3 + ", user=" + authzContext.user + ") : " + authzStatus);
                }
                throw th;
            }
        }

        private AuthzStatus traverseOnlyCheck(INode iNode, INodeAttributes[] iNodeAttributesArr, String str, byte[][] bArr, INode iNode2, INode iNode3, int i, AuthzContext authzContext) {
            AuthzStatus authzStatus;
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("==> RangerAccessControlEnforcer.traverseOnlyCheck(path=" + str + ", user=" + authzContext.user + ", groups=" + authzContext.userGroups + ", operationName=" + authzContext.operationName + ")");
            }
            INode iNode4 = iNode;
            INodeAttributes iNodeAttributes = iNodeAttributesArr.length > 0 ? iNodeAttributesArr[iNodeAttributesArr.length - 1] : null;
            boolean z = false;
            String str2 = str;
            if (iNode4 == null || iNode4.isFile()) {
                z = true;
                if (iNode2 != null) {
                    iNode4 = iNode2;
                    iNodeAttributes = iNodeAttributesArr.length > 1 ? iNodeAttributesArr[iNodeAttributesArr.length - 2] : null;
                    str2 = iNodeAttributesArr.length > 0 ? DFSUtil.byteArray2PathString(bArr, 0, iNodeAttributesArr.length - 1) : "/";
                } else if (iNode3 != null) {
                    iNode4 = iNode3;
                    iNodeAttributes = iNodeAttributesArr.length > i ? iNodeAttributesArr[i] : null;
                    str2 = iNodeAttributes != null ? DFSUtil.byteArray2PathString(bArr, 0, i + 1) : "/";
                }
            }
            if (iNode4 != null) {
                if (str2.length() > 1 && str2.endsWith("/")) {
                    str2 = str2.substring(0, str2.length() - 1);
                }
                authzStatus = isAccessAllowedForTraversal(iNode4, iNodeAttributes, str2, z, authzContext, authzContext.operationName);
            } else {
                authzStatus = AuthzStatus.ALLOW;
            }
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("<== RangerAccessControlEnforcer.traverseOnlyCheck(path=" + str + ", resourcePath=" + str2 + ", user=" + authzContext.user + ", groups=" + authzContext.userGroups + ", operationName=" + authzContext.operationName + ") : " + authzStatus);
            }
            return authzStatus;
        }

        private AuthzStatus isAccessAllowedForTraversal(INode iNode, INodeAttributes iNodeAttributes, String str, boolean z, AuthzContext authzContext, String str2) {
            String userName = iNodeAttributes != null ? iNodeAttributes.getUserName() : null;
            FsAction fsAction = FsAction.EXECUTE;
            if (userName == null) {
                userName = iNode.getUserName();
            }
            if ("".equals(str)) {
                str = "/";
            }
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("==> RangerAccessControlEnforcer.isAccessAllowedForTraversal(" + str + ", " + fsAction + ", " + authzContext.user + ", " + z + ", " + authzContext.operationName + ")");
            }
            RangerAccessRequest rangerHdfsAccessRequest = new RangerHdfsAccessRequest(iNode, str, userName, fsAction, "execute", str2, authzContext.user, authzContext.userGroups);
            RangerAccessResult isAccessAllowed = authzContext.plugin.isAccessAllowed(rangerHdfsAccessRequest, null);
            authzContext.saveResult(isAccessAllowed);
            AuthzStatus authzStatus = (isAccessAllowed == null || !isAccessAllowed.getIsAccessDetermined() || isAccessAllowed.getIsAllowed()) ? AuthzStatus.ALLOW : AuthzStatus.DENY;
            if (authzStatus == AuthzStatus.ALLOW && RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("This request is for the first time allowed by Ranger policies. request:[" + rangerHdfsAccessRequest + "]");
            }
            if ((authzStatus == AuthzStatus.DENY || (!z && isAccessAllowed != null && isAccessAllowed.getIsAccessDetermined())) && authzContext.auditHandler != null) {
                authzContext.auditHandler.processResult(isAccessAllowed);
            }
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("<== RangerAccessControlEnforcer.isAccessAllowedForTraversal(" + str + ", " + fsAction + ", " + authzContext.user + ", " + z + ", " + authzContext.operationName + "): " + authzStatus);
            }
            return authzStatus;
        }

        private AuthzStatus checkDefaultEnforcer(String str, String str2, UserGroupInformation userGroupInformation, INodeAttributes[] iNodeAttributesArr, INode[] iNodeArr, byte[][] bArr, int i, String str3, int i2, boolean z, FsAction fsAction, FsAction fsAction2, FsAction fsAction3, FsAction fsAction4, boolean z2, INode iNode, INode iNode2, INode iNode3, AuthzContext authzContext) throws AccessControlException {
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("==> RangerAccessControlEnforcer.checkDefaultEnforcer(fsOwner=" + str + "; superGroup=" + str2 + ", inodesCount=" + (iNodeArr != null ? iNodeArr.length : 0) + ", snapshotId=" + i + ", path=" + str3 + ", ancestorIndex=" + i2 + ", doCheckOwner=" + z + ", ancestorAccess=" + fsAction + ", parentAccess=" + fsAction2 + ", access=" + fsAction3 + ", subAccess=" + fsAction4 + ", ignoreEmptyDir=" + z2 + ", isTraverseOnlyCheck=" + authzContext.isTraverseOnlyCheck + ",ancestor=" + (iNode == null ? null : iNode.getFullPathName()) + ", parent=" + (iNode2 == null ? null : iNode2.getFullPathName()) + ", inode=" + (iNode3 == null ? null : iNode3.getFullPathName()) + ")");
            }
            AuthzStatus authzStatus = AuthzStatus.NOT_DETERMINED;
            if (RangerHdfsAuthorizer.this.rangerPlugin.isHadoopAuthEnabled() && this.defaultEnforcer != null) {
                RangerPerfTracer rangerPerfTracer = null;
                if (RangerPerfTracer.isPerfTraceEnabled(RangerHdfsAuthorizer.PERF_HDFSAUTH_REQUEST_LOG)) {
                    rangerPerfTracer = RangerPerfTracer.getPerfTracer(RangerHdfsAuthorizer.PERF_HDFSAUTH_REQUEST_LOG, "RangerAccessControlEnforcer.checkDefaultEnforcer(path=" + str3 + ")");
                }
                try {
                    this.defaultEnforcer.checkPermission(str, str2, userGroupInformation, iNodeAttributesArr, iNodeArr, bArr, i, str3, i2, z, fsAction, fsAction2, fsAction3, fsAction4, z2);
                    authzStatus = AuthzStatus.ALLOW;
                    if (authzContext.auditHandler != null) {
                        INode iNode4 = iNode3;
                        FsAction fsAction5 = fsAction3;
                        if (authzContext.isTraverseOnlyCheck) {
                            if (iNode4 == null || iNode4.isFile()) {
                                if (iNode2 != null) {
                                    iNode4 = iNode2;
                                } else if (iNode != null) {
                                    iNode4 = iNode;
                                }
                            }
                            fsAction5 = FsAction.EXECUTE;
                        } else if (fsAction5 == null || fsAction5 == FsAction.NONE) {
                            if (fsAction2 != null && fsAction2 != FsAction.NONE) {
                                iNode4 = iNode2;
                                fsAction5 = fsAction2;
                            } else if (fsAction != null && fsAction != FsAction.NONE) {
                                iNode4 = iNode;
                                fsAction5 = fsAction;
                            } else if (fsAction4 != null && fsAction4 != FsAction.NONE) {
                                fsAction5 = fsAction4;
                            }
                        }
                        String fullPathName = iNode4 != null ? iNode4.getFullPathName() : str3;
                        boolean z3 = authzStatus == AuthzStatus.ALLOW;
                        RangerAccessResult lastResult = authzContext.getLastResult();
                        if (lastResult != null) {
                            lastResult.setIsAllowed(z3);
                            lastResult.setIsAccessDetermined(true);
                            authzContext.plugin.evalAuditPolicies(lastResult);
                            authzContext.auditHandler.processResult(lastResult);
                        }
                        authzContext.auditHandler.logHadoopEvent(fullPathName, fsAction5, z3);
                    }
                    RangerPerfTracer.log(rangerPerfTracer);
                } catch (Throwable th) {
                    if (authzContext.auditHandler != null) {
                        INode iNode5 = iNode3;
                        FsAction fsAction6 = fsAction3;
                        if (authzContext.isTraverseOnlyCheck) {
                            if (iNode5 == null || iNode5.isFile()) {
                                if (iNode2 != null) {
                                    iNode5 = iNode2;
                                } else if (iNode != null) {
                                    iNode5 = iNode;
                                }
                            }
                            fsAction6 = FsAction.EXECUTE;
                        } else if (fsAction6 == null || fsAction6 == FsAction.NONE) {
                            if (fsAction2 != null && fsAction2 != FsAction.NONE) {
                                iNode5 = iNode2;
                                fsAction6 = fsAction2;
                            } else if (fsAction != null && fsAction != FsAction.NONE) {
                                iNode5 = iNode;
                                fsAction6 = fsAction;
                            } else if (fsAction4 != null && fsAction4 != FsAction.NONE) {
                                fsAction6 = fsAction4;
                            }
                        }
                        String fullPathName2 = iNode5 != null ? iNode5.getFullPathName() : str3;
                        boolean z4 = authzStatus == AuthzStatus.ALLOW;
                        RangerAccessResult lastResult2 = authzContext.getLastResult();
                        if (lastResult2 != null) {
                            lastResult2.setIsAllowed(z4);
                            lastResult2.setIsAccessDetermined(true);
                            authzContext.plugin.evalAuditPolicies(lastResult2);
                            authzContext.auditHandler.processResult(lastResult2);
                        }
                        authzContext.auditHandler.logHadoopEvent(fullPathName2, fsAction6, z4);
                    }
                    RangerPerfTracer.log(rangerPerfTracer);
                    throw th;
                }
            }
            RangerHdfsAuthorizer.LOG.debug("<== RangerAccessControlEnforcer.checkDefaultEnforcer(fsOwner=" + str + "; superGroup=" + str2 + ", inodesCount=" + (iNodeArr != null ? iNodeArr.length : 0) + ", snapshotId=" + i + ", path=" + str3 + ", ancestorIndex=" + i2 + ", doCheckOwner=" + z + ", ancestorAccess=" + fsAction + ", parentAccess=" + fsAction2 + ", access=" + fsAction3 + ", subAccess=" + fsAction4 + ", ignoreEmptyDir=" + z2 + ", isTraverseOnlyCheck=" + authzContext.isTraverseOnlyCheck + ",ancestor=" + (iNode == null ? null : iNode.getFullPathName()) + ", parent=" + (iNode2 == null ? null : iNode2.getFullPathName()) + ", inode=" + (iNode3 == null ? null : iNode3.getFullPathName()) + ") : " + authzStatus);
            return authzStatus;
        }

        private AuthzStatus isAccessAllowed(INode iNode, INodeAttributes iNodeAttributes, String str, FsAction fsAction, AuthzContext authzContext) {
            AuthzStatus authzStatus = null;
            String userName = iNodeAttributes != null ? iNodeAttributes.getUserName() : null;
            if (userName == null && iNode != null) {
                userName = iNode.getUserName();
            }
            if ("".equals(str)) {
                str = "/";
            }
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("==> RangerAccessControlEnforcer.isAccessAllowed(" + str + ", " + fsAction + ", " + authzContext.user + ")");
            }
            Set set = (Set) RangerHdfsAuthorizer.this.access2ActionListMapper.get(fsAction);
            if (set == null) {
                RangerHdfsAuthorizer.LOG.warn("RangerAccessControlEnforcer.isAccessAllowed(" + str + ", " + fsAction + ", " + authzContext.user + "): no Ranger accessType found for " + fsAction);
                set = (Set) RangerHdfsAuthorizer.this.access2ActionListMapper.get(FsAction.NONE);
            }
            if (set.size() > 0) {
                RangerAccessRequest rangerHdfsAccessRequest = new RangerHdfsAccessRequest(iNode, str, userName, fsAction, (String) set.iterator().next(), authzContext.operationName, authzContext.user, authzContext.userGroups);
                if (set.size() > 1) {
                    RangerAccessRequestUtil.setAllRequestedAccessTypeGroups(rangerHdfsAccessRequest, (Set) set.stream().map((v0) -> {
                        return Collections.singleton(v0);
                    }).collect(Collectors.toSet()));
                    RangerAccessRequestUtil.setAllRequestedAccessTypes(rangerHdfsAccessRequest.getContext(), set);
                    if (set.contains("execute")) {
                        RangerAccessRequestUtil.setIgnoreIfNotDeniedAccessTypes(rangerHdfsAccessRequest.getContext(), (Set) RangerHdfsAuthorizer.this.access2ActionListMapper.get(FsAction.EXECUTE));
                    }
                }
                RangerAccessResult isAccessAllowed = authzContext.plugin.isAccessAllowed(rangerHdfsAccessRequest, authzContext.auditHandler);
                authzContext.saveResult(isAccessAllowed);
                authzStatus = (isAccessAllowed == null || !isAccessAllowed.getIsAccessDetermined()) ? AuthzStatus.NOT_DETERMINED : !isAccessAllowed.getIsAllowed() ? AuthzStatus.DENY : AuthzStatus.ALLOW;
                if (authzStatus == AuthzStatus.ALLOW && RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                    RangerHdfsAuthorizer.LOG.debug("This request is for the first time allowed by Ranger policies. request:[" + rangerHdfsAccessRequest + "]");
                }
            }
            if (authzStatus == null) {
                authzStatus = AuthzStatus.NOT_DETERMINED;
            }
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("<== RangerAccessControlEnforcer.isAccessAllowed(" + str + ", " + fsAction + ", " + authzContext.user + "): " + authzStatus);
            }
            return authzStatus;
        }

        private AuthzStatus isAccessAllowedForHierarchy(INode iNode, INodeAttributes iNodeAttributes, String str, FsAction fsAction, AuthzContext authzContext) {
            AuthzStatus authzStatus = null;
            String userName = iNodeAttributes != null ? iNodeAttributes.getUserName() : null;
            if (userName == null && iNode != null) {
                userName = iNode.getUserName();
            }
            if ("".equals(str)) {
                str = "/";
            }
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("==> RangerAccessControlEnforcer.isAccessAllowedForHierarchy(" + str + ", " + fsAction + ", " + authzContext.user + ")");
            }
            if (str != null) {
                Set set = (Set) RangerHdfsAuthorizer.this.access2ActionListMapper.get(fsAction);
                if (set == null) {
                    RangerHdfsAuthorizer.LOG.warn("RangerAccessControlEnforcer.isAccessAllowedForHierarchy(" + str + ", " + fsAction + ", " + authzContext.user + "): no Ranger accessType found for " + fsAction);
                    set = (Set) RangerHdfsAuthorizer.this.access2ActionListMapper.get(FsAction.NONE);
                }
                String str2 = str;
                if (str2.charAt(str2.length() - 1) != '/') {
                    str2 = str2 + Character.toString('/');
                }
                String str3 = str2 + RangerHdfsAuthorizer.this.rangerPlugin.getRandomizedWildcardPathName();
                if (set.size() > 0) {
                    RangerAccessRequest rangerHdfsAccessRequest = new RangerHdfsAccessRequest(null, str3, userName, fsAction, (String) set.iterator().next(), authzContext.operationName, authzContext.user, authzContext.userGroups);
                    if (set.size() > 1) {
                        RangerAccessRequestUtil.setAllRequestedAccessTypeGroups(rangerHdfsAccessRequest, (Set) set.stream().map((v0) -> {
                            return Collections.singleton(v0);
                        }).collect(Collectors.toSet()));
                        RangerAccessRequestUtil.setAllRequestedAccessTypes(rangerHdfsAccessRequest.getContext(), set);
                        if (set.contains("execute")) {
                            RangerAccessRequestUtil.setIgnoreIfNotDeniedAccessTypes(rangerHdfsAccessRequest.getContext(), (Set) RangerHdfsAuthorizer.this.access2ActionListMapper.get(FsAction.EXECUTE));
                        }
                    }
                    RangerAccessResult isAccessAllowed = authzContext.plugin.isAccessAllowed(rangerHdfsAccessRequest, null);
                    authzContext.saveResult(isAccessAllowed);
                    authzStatus = (isAccessAllowed == null || !isAccessAllowed.getIsAccessDetermined()) ? AuthzStatus.NOT_DETERMINED : !isAccessAllowed.getIsAllowed() ? AuthzStatus.DENY : AuthzStatus.ALLOW;
                }
            }
            if (authzStatus == null) {
                authzStatus = AuthzStatus.NOT_DETERMINED;
            }
            if (RangerHdfsAuthorizer.LOG.isDebugEnabled()) {
                RangerHdfsAuthorizer.LOG.debug("<== RangerAccessControlEnforcer.isAccessAllowedForHierarchy(" + str + ", " + fsAction + ", " + authzContext.user + "): " + authzStatus);
            }
            return authzStatus;
        }
    }

    public RangerHdfsAuthorizer() {
        this(null);
    }

    public RangerHdfsAuthorizer(Path path) {
        this.rangerPlugin = null;
        this.access2ActionListMapper = new HashMap();
        this.AUTHZ_OPTIMIZATION_ENABLED = true;
        this.OPT_BYPASS_AUTHZ = new OptimizedAuthzContext("", FsAction.NONE, FsAction.NONE, FsAction.NONE, AuthzStatus.ALLOW);
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerHdfsAuthorizer.RangerHdfsAuthorizer()");
        }
        this.addlConfigFile = path;
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerHdfsAuthorizer.RangerHdfsAuthorizer()");
        }
    }

    public void start() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerHdfsAuthorizer.start()");
        }
        RangerHdfsPlugin rangerHdfsPlugin = new RangerHdfsPlugin(this.addlConfigFile);
        rangerHdfsPlugin.init();
        if (rangerHdfsPlugin.isOptimizeSubAccessAuthEnabled()) {
            LOG.info("ranger.optimize-subaccess-authorization is enabled");
        }
        LOG.info("Legacy way of authorizing sub-access requests will " + (rangerHdfsPlugin.isUseLegacySubAccessAuthorization() ? "" : "not ") + "be used");
        this.access2ActionListMapper.put(FsAction.NONE, new TreeSet());
        this.access2ActionListMapper.put(FsAction.ALL, (Set) Stream.of((Object[]) new String[]{RangerServiceHdfs.ACCESS_TYPE_READ, "write", "execute"}).collect(Collectors.toCollection(() -> {
            return new TreeSet(String.CASE_INSENSITIVE_ORDER);
        })));
        this.access2ActionListMapper.put(FsAction.READ, (Set) Stream.of(RangerServiceHdfs.ACCESS_TYPE_READ).collect(Collectors.toCollection(() -> {
            return new TreeSet(String.CASE_INSENSITIVE_ORDER);
        })));
        this.access2ActionListMapper.put(FsAction.READ_WRITE, (Set) Stream.of((Object[]) new String[]{RangerServiceHdfs.ACCESS_TYPE_READ, "write"}).collect(Collectors.toCollection(() -> {
            return new TreeSet(String.CASE_INSENSITIVE_ORDER);
        })));
        this.access2ActionListMapper.put(FsAction.READ_EXECUTE, (Set) Stream.of((Object[]) new String[]{RangerServiceHdfs.ACCESS_TYPE_READ, "execute"}).collect(Collectors.toCollection(() -> {
            return new TreeSet(String.CASE_INSENSITIVE_ORDER);
        })));
        this.access2ActionListMapper.put(FsAction.WRITE, (Set) Stream.of("write").collect(Collectors.toCollection(() -> {
            return new TreeSet(String.CASE_INSENSITIVE_ORDER);
        })));
        this.access2ActionListMapper.put(FsAction.WRITE_EXECUTE, (Set) Stream.of((Object[]) new String[]{"write", "execute"}).collect(Collectors.toCollection(() -> {
            return new TreeSet(String.CASE_INSENSITIVE_ORDER);
        })));
        this.access2ActionListMapper.put(FsAction.EXECUTE, (Set) Stream.of("execute").collect(Collectors.toCollection(() -> {
            return new TreeSet(String.CASE_INSENSITIVE_ORDER);
        })));
        this.rangerPlugin = rangerHdfsPlugin;
        this.AUTHZ_OPTIMIZATION_ENABLED = rangerHdfsPlugin.getConfig().getBoolean("ranger.hdfs.authz.enable.optimization", false);
        LOG.info("AUTHZ_OPTIMIZATION_ENABLED:[" + this.AUTHZ_OPTIMIZATION_ENABLED + "]");
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerHdfsAuthorizer.start()");
        }
    }

    public void stop() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerHdfsAuthorizer.stop()");
        }
        RangerHdfsPlugin rangerHdfsPlugin = this.rangerPlugin;
        this.rangerPlugin = null;
        if (rangerHdfsPlugin != null) {
            rangerHdfsPlugin.cleanup();
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerHdfsAuthorizer.stop()");
        }
    }

    public INodeAttributes getAttributes(String str, INodeAttributes iNodeAttributes) {
        return iNodeAttributes;
    }

    public INodeAttributes getAttributes(String[] strArr, INodeAttributes iNodeAttributes) {
        return iNodeAttributes;
    }

    public INodeAttributeProvider.AccessControlEnforcer getExternalAccessControlEnforcer(INodeAttributeProvider.AccessControlEnforcer accessControlEnforcer) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerHdfsAuthorizer.getExternalAccessControlEnforcer()");
        }
        RangerAccessControlEnforcer rangerAccessControlEnforcer = new RangerAccessControlEnforcer(accessControlEnforcer);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerHdfsAuthorizer.getExternalAccessControlEnforcer()");
        }
        return rangerAccessControlEnforcer;
    }

    public Configuration getConfig() {
        return this.rangerPlugin.getConfig();
    }
}
