package org.apache.ranger.authorization.yarn.authorizer;

import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.yarn.security.AccessType;
import org.apache.hadoop.yarn.security.PrivilegedEntity;
import org.apache.hadoop.yarn.security.YarnAuthorizationProvider;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
import org.apache.ranger.plugin.util.RangerPerfTracer;

/* loaded from: input_file:org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.class */
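/**
 * YARN authorization provider that asks a {@link RangerYarnPlugin} for a decision and,
 * when permitted by configuration, falls back to the ACLs YARN handed to this instance.
 *
 * <p>Decision order implemented by {@link #checkPermission}:
 * <ol>
 *   <li>If the shared plugin has been initialised, the request is evaluated by Ranger.</li>
 *   <li>If Ranger made a determination, its allow/deny result is returned.</li>
 *   <li>Otherwise, if {@code ranger.add-yarn-authorization} is {@code true} (the default used
 *       here), the ACLs stored via {@link #setPermission} decide.</li>
 *   <li>Otherwise access is denied.</li>
 * </ol>
 *
 * <p>NOTE(review): with the fallback enabled, any request Ranger does not decide is governed
 * solely by the YARN ACLs. Stock YARN queue ACLs are commonly permissive (for example
 * {@code *} on the root queue); confirm the cluster's ACLs, or disable the fallback, if Ranger
 * policies are meant to be the only source of access.
 *
 * <p>NOTE(review): {@code yarnAcl} is a plain {@link HashMap} and {@code admins} a plain field;
 * nothing in this class synchronises writers ({@link #setPermission}, {@link #setAdmins}) with
 * readers. Confirm how the ResourceManager calls these before relying on concurrent use.
 */
public class RangerYarnAuthorizer extends YarnAuthorizationProvider {
    public static final String ACCESS_TYPE_ADMIN_QUEUE = "admin-queue";
    public static final String ACCESS_TYPE_SUBMIT_APP = "submit-app";
    public static final String ACCESS_TYPE_ADMIN = "admin";
    public static final String KEY_RESOURCE_QUEUE = "queue";

    // Whether YARN's own ACLs are consulted when Ranger has not determined access.
    // Refreshed from "ranger.add-yarn-authorization" on every init() call.
    private static boolean yarnAuthEnabled = true;
    private static final Log LOG = LogFactory.getLog(RangerYarnAuthorizer.class);
    private static final Log PERF_YARNAUTH_REQUEST_LOG = RangerPerfTracer.getPerfLogger("yarnauth.request");

    // Shared by all instances; created once in init().
    private static volatile RangerYarnPlugin yarnPlugin = null;

    // ACL consulted by isAdmin(); null until setAdmins() is called.
    private AccessControlList admins = null;

    // Per-entity YARN ACLs supplied through setPermission(); used only for the fallback path.
    private final Map<PrivilegedEntity, Map<AccessType, AccessControlList>> yarnAcl = new HashMap<>();

    /**
     * Creates and initialises the shared {@link RangerYarnPlugin} on first use and reloads the
     * fallback switch from the Ranger configuration.
     *
     * @param configuration Hadoop configuration passed by the caller; not read by this method
     */
    public void init(Configuration configuration) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerYarnAuthorizer.init()");
        }
        // Double-checked locking on the volatile field: the plugin is published only after
        // its own init() has completed.
        if (yarnPlugin == null) {
            synchronized (RangerYarnAuthorizer.class) {
                if (yarnPlugin == null) {
                    RangerYarnPlugin plugin = new RangerYarnPlugin();
                    plugin.init();
                    yarnPlugin = plugin;
                }
            }
        }
        yarnAuthEnabled = RangerConfiguration.getInstance().getBoolean("ranger.add-yarn-authorization", true);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerYarnAuthorizer.init()");
        }
    }

    /**
     * Decides whether the user may perform {@code accessType} on {@code privilegedEntity}.
     *
     * <p>If the plugin has not been initialised, no Ranger evaluation and no audit handler are
     * involved: the result is then the YARN ACL decision when the fallback is enabled, and
     * {@code false} otherwise.
     *
     * @param accessType          YARN access type being requested
     * @param privilegedEntity    entity (for example a queue) the access applies to
     * @param userGroupInformation identity of the caller
     * @return {@code true} if access is allowed, {@code false} otherwise
     */
    public boolean checkPermission(AccessType accessType, PrivilegedEntity privilegedEntity, UserGroupInformation userGroupInformation) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerYarnAuthorizer.checkPermission(" + accessType + ", " + toString(privilegedEntity) + ", " + userGroupInformation + ")");
        }
        // Read the volatile field once so the null check and the calls below see the same value.
        RangerYarnPlugin plugin = yarnPlugin;
        RangerYarnAuditHandler auditHandler = null;
        RangerAccessResult result = null;
        RangerPerfTracer rangerPerf = null;
        RangerPerfTracer yarnAclPerf = null;

        if (plugin != null) {
            if (RangerPerfTracer.isPerfTraceEnabled(PERF_YARNAUTH_REQUEST_LOG)) {
                rangerPerf = RangerPerfTracer.getPerfTracer(PERF_YARNAUTH_REQUEST_LOG, "RangerYarnAuthorizer.checkPermission(entity=" + privilegedEntity + ")");
            }
            // The cluster name is fetched inside the null check: asking the plugin for it
            // before the check would throw NullPointerException when init() has not run.
            String clusterName = plugin.getClusterName();
            RangerYarnAccessRequest request = new RangerYarnAccessRequest(privilegedEntity, getRangerAccessType(accessType), accessType.name(), userGroupInformation, clusterName);
            auditHandler = new RangerYarnAuditHandler();
            result = plugin.isAccessAllowed(request, auditHandler);
        }

        boolean rangerDecided = result != null && result.getIsAccessDetermined();
        boolean allowed;
        if (yarnAuthEnabled && !rangerDecided) {
            // Ranger had no determination: defer to the ACLs YARN registered with this instance.
            if (RangerPerfTracer.isPerfTraceEnabled(PERF_YARNAUTH_REQUEST_LOG)) {
                yarnAclPerf = RangerPerfTracer.getPerfTracer(PERF_YARNAUTH_REQUEST_LOG, "RangerYarnNativeAuthorizer.isAllowedByYarnAcl(entity=" + privilegedEntity + ")");
            }
            allowed = isAllowedByYarnAcl(accessType, privilegedEntity, userGroupInformation, auditHandler);
        } else {
            // Either Ranger decided, or the fallback is disabled; a missing result means deny.
            allowed = result != null && result.getIsAllowed();
        }

        if (auditHandler != null) {
            auditHandler.flushAudit();
        }
        RangerPerfTracer.log(yarnAclPerf);
        RangerPerfTracer.log(rangerPerf);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerYarnAuthorizer.checkPermission(" + accessType + ", " + toString(privilegedEntity) + ", " + userGroupInformation + "): " + allowed);
        }
        return allowed;
    }

    /**
     * Reports whether the user is covered by the admin ACL set through {@link #setAdmins}.
     *
     * @param userGroupInformation identity to test
     * @return {@code true} if an admin ACL is set and it allows the user; {@code false} if no
     *         admin ACL has been set or the ACL does not allow the user
     */
    public boolean isAdmin(UserGroupInformation userGroupInformation) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerYarnAuthorizer.isAdmin(" + userGroupInformation + ")");
        }
        AccessControlList adminAcl = this.admins;
        boolean isAdmin = adminAcl != null && adminAcl.isUserAllowed(userGroupInformation);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerYarnAuthorizer.isAdmin(" + userGroupInformation + "): " + isAdmin);
        }
        return isAdmin;
    }

    /**
     * Replaces the admin ACL used by {@link #isAdmin}.
     *
     * <p>The caller identity is only logged; this method performs no check that
     * {@code userGroupInformation} is itself allowed to change the admin list.
     *
     * @param accessControlList    new admin ACL; {@code null} makes {@link #isAdmin} return false
     * @param userGroupInformation identity of the caller, used for debug logging only
     */
    public void setAdmins(AccessControlList accessControlList, UserGroupInformation userGroupInformation) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerYarnAuthorizer.setAdmins(" + accessControlList + ", " + userGroupInformation + ")");
        }
        this.admins = accessControlList;
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerYarnAuthorizer.setAdmins(" + accessControlList + ", " + userGroupInformation + ")");
        }
    }

    /**
     * Stores (or replaces) the YARN ACLs for one entity; they are consulted only on the
     * fallback path of {@link #checkPermission}.
     *
     * <p>The caller identity is only logged; this method performs no check that
     * {@code userGroupInformation} is allowed to change the entity's ACLs.
     *
     * @param privilegedEntity     entity the ACLs belong to
     * @param map                  ACL per access type for that entity
     * @param userGroupInformation identity of the caller, used for debug logging only
     */
    public void setPermission(PrivilegedEntity privilegedEntity, Map<AccessType, AccessControlList> map, UserGroupInformation userGroupInformation) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerYarnAuthorizer.setPermission(" + toString(privilegedEntity) + ", " + map + ", " + userGroupInformation + ")");
        }
        this.yarnAcl.put(privilegedEntity, map);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerYarnAuthorizer.setPermission(" + toString(privilegedEntity) + ", " + map + ", " + userGroupInformation + ")");
        }
    }

    /**
     * Evaluates the stored YARN ACLs: access is granted if any stored entity has an ACL for
     * {@code accessType} that allows the user and the requested entity is that entity or a
     * child queue of it.
     *
     * @param accessType             YARN access type being requested
     * @param privilegedEntity       entity the access applies to
     * @param userGroupInformation   identity of the caller
     * @param rangerYarnAuditHandler audit handler to record the outcome on; may be {@code null}
     * @return {@code true} if a stored ACL grants the access, {@code false} otherwise
     */
    public boolean isAllowedByYarnAcl(AccessType accessType, PrivilegedEntity privilegedEntity, UserGroupInformation userGroupInformation, RangerYarnAuditHandler rangerYarnAuditHandler) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerYarnAuthorizer.isAllowedByYarnAcl(" + accessType + ", " + toString(privilegedEntity) + ", " + userGroupInformation + ")");
        }
        boolean allowed = false;
        for (Map.Entry<PrivilegedEntity, Map<AccessType, AccessControlList>> entry : this.yarnAcl.entrySet()) {
            Map<AccessType, AccessControlList> entityAcls = entry.getValue();
            AccessControlList acl = entityAcls == null ? null : entityAcls.get(accessType);
            if (acl != null && acl.isUserAllowed(userGroupInformation) && isSelfOrChildOf(privilegedEntity, entry.getKey())) {
                allowed = true;
                break;
            }
        }
        // The outcome is recorded for both allow and deny so the fallback path is audited too.
        if (rangerYarnAuditHandler != null) {
            rangerYarnAuditHandler.logYarnAclEvent(allowed);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerYarnAuthorizer.isAllowedByYarnAcl(" + accessType + ", " + toString(privilegedEntity) + ", " + userGroupInformation + "): " + allowed);
        }
        return allowed;
    }

    /**
     * Maps a YARN access type to the Ranger access-type name.
     *
     * @param accessType YARN access type
     * @return {@link #ACCESS_TYPE_ADMIN_QUEUE} or {@link #ACCESS_TYPE_SUBMIT_APP}; {@code null}
     *         for any other access type, which the caller passes on unchanged
     */
    private static String getRangerAccessType(AccessType accessType) {
        switch (accessType) {
            case ADMINISTER_QUEUE:
                return ACCESS_TYPE_ADMIN_QUEUE;
            case SUBMIT_APP:
                return ACCESS_TYPE_SUBMIT_APP;
            default:
                return null;
        }
    }

    /**
     * Tests whether {@code privilegedEntity} equals {@code privilegedEntity2} or, for queues,
     * names a queue below it in the dot-separated hierarchy.
     *
     * <p>A missing entity or queue name yields {@code false}, so malformed input never widens
     * access.
     *
     * @param privilegedEntity  entity being accessed
     * @param privilegedEntity2 entity an ACL is registered for
     * @return {@code true} if the first entity is the second one or a child queue of it
     */
    private boolean isSelfOrChildOf(PrivilegedEntity privilegedEntity, PrivilegedEntity privilegedEntity2) {
        if (privilegedEntity == null || privilegedEntity2 == null) {
            return false;
        }
        if (privilegedEntity.equals(privilegedEntity2)) {
            return true;
        }
        if (privilegedEntity.getType() != PrivilegedEntity.EntityType.QUEUE) {
            return false;
        }
        String queueName = privilegedEntity.getName();
        String parentName = privilegedEntity2.getName();
        if (queueName == null || !queueName.contains(".") || StringUtil.isEmpty(parentName)) {
            return false;
        }
        // Compare against "parent." rather than "parent" so that a sibling whose name merely
        // starts with the same characters (root.a vs root.ab) is not treated as a child.
        String parentPrefix = parentName.charAt(parentName.length() - 1) == '.' ? parentName : parentName + ".";
        return queueName.startsWith(parentPrefix);
    }

    /**
     * Renders an entity for debug logging.
     *
     * @param privilegedEntity entity to render; may be {@code null}
     * @return {@code {name=...; type=...}} or the string {@code "null"}
     */
    private String toString(PrivilegedEntity privilegedEntity) {
        if (privilegedEntity == null) {
            return "null";
        }
        return "{name=" + privilegedEntity.getName() + "; type=" + privilegedEntity.getType() + "}";
    }
}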
