package org.apache.hadoop.hive.ql.security.authorization.plugin;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.Warehouse;
import org.apache.hadoop.hive.metastore.api.Database;
import org.apache.hadoop.hive.metastore.api.HiveObjectPrivilege;
import org.apache.hadoop.hive.metastore.api.HiveObjectRef;
import org.apache.hadoop.hive.metastore.api.HiveObjectType;
import org.apache.hadoop.hive.metastore.api.PrincipalType;
import org.apache.hadoop.hive.metastore.api.PrivilegeBag;
import org.apache.hadoop.hive.metastore.api.PrivilegeGrantInfo;
import org.apache.hadoop.hive.metastore.api.Role;
import org.apache.hadoop.hive.metastore.api.RolePrincipalGrant;
import org.apache.hadoop.hive.ql.metadata.Hive;
import org.apache.hadoop.hive.ql.metadata.HiveException;
import org.apache.hadoop.hive.ql.metadata.Table;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.security.authorization.AuthorizationUtils;
import org.apache.hadoop.hive.ql.security.authorization.PrivilegeScope;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HivePrivilegeObject;
import org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController;
import org.apache.hadoop.hive.ql.session.SessionState;

/* loaded from: input_file:org/apache/hadoop/hive/ql/security/authorization/plugin/HiveV1Authorizer.class */
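/**
 * Adapter that exposes the legacy (V1) Hive authorization model through the
 * {@link HiveAuthorizer} plugin interface.
 *
 * <p>Grant, revoke, role and "show" requests are translated into calls on the
 * wrapped {@link Hive} client. Security-relevant properties visible in this class:
 * <ul>
 *   <li>{@link #checkPrivileges} always throws; no access decision is made here.</li>
 *   <li>{@link #filterListCmdObjects} returns its input unchanged, so results of
 *       listing commands are not narrowed by this authorizer.</li>
 *   <li>{@link #needTransform} is {@code false} and
 *       {@link #applyRowFilterAndColumnMasking} returns {@code null}: no row
 *       filtering or column masking is applied.</li>
 *   <li>None of the grant/revoke/role methods checks whether the caller is allowed
 *       to perform the change. NOTE(review): any such enforcement has to happen in
 *       the metastore or in the caller; confirm before relying on this class as a
 *       security boundary.</li>
 * </ul>
 */
public class HiveV1Authorizer implements HiveAuthorizer {
    private final HiveConf conf;
    private final Hive hive;

    /**
     * @param hiveConf configuration kept for the lifetime of the authorizer
     * @param hive     client that every grant, revoke, role and lookup call is delegated to
     */
    public HiveV1Authorizer(HiveConf hiveConf, Hive hive) {
        this.conf = hiveConf;
        this.hive = hive;
    }

    /** Identifies this implementation as the V1 authorizer. */
    @Override
    public HiveAuthorizer.VERSION getVersion() {
        return HiveAuthorizer.VERSION.V1;
    }

    /**
     * Not supported by the V1 adapter.
     *
     * @throws UnsupportedOperationException always; this class makes no access decision
     */
    @Override
    public void checkPrivileges(HiveOperationType hiveOperationType, List<HivePrivilegeObject> list, List<HivePrivilegeObject> list2, HiveAuthzContext hiveAuthzContext) throws HiveAuthzPluginException, HiveAccessControlException {
        throw new UnsupportedOperationException("Should not be called for v1 authorizer");
    }

    /**
     * Grants the given privileges on one object to every principal in {@code list}.
     *
     * @param list                principals receiving the privileges
     * @param list2               privileges to grant
     * @param hivePrivilegeObject object the privileges apply to
     * @param hivePrincipal       principal recorded as grantor of each privilege
     * @param z                   grant option recorded with each privilege
     * @throws HiveAuthzPluginException wrapping any exception (checked or unchecked)
     *                                  raised while building or applying the grant
     */
    @Override
    public void grantPrivileges(List<HivePrincipal> list, List<HivePrivilege> list2, HivePrivilegeObject hivePrivilegeObject, HivePrincipal hivePrincipal, boolean z) throws HiveAuthzPluginException, HiveAccessControlException {
        try {
            PrivilegeBag privBag = toPrivilegeBag(list2, hivePrivilegeObject, hivePrincipal, z);
            grantOrRevokePrivs(list, privBag, true, z);
        } catch (Exception e) {
            throw new HiveAuthzPluginException(e);
        }
    }

    /**
     * Revokes the given privileges on one object from every principal in {@code list}.
     *
     * @param list                principals losing the privileges
     * @param list2               privileges to revoke
     * @param hivePrivilegeObject object the privileges apply to
     * @param hivePrincipal       principal recorded as grantor in the revoke request
     * @param z                   grant-option flag forwarded to the revoke call
     * @throws HiveAuthzPluginException wrapping any exception (checked or unchecked)
     *                                  raised while building or applying the revoke
     */
    @Override
    public void revokePrivileges(List<HivePrincipal> list, List<HivePrivilege> list2, HivePrivilegeObject hivePrivilegeObject, HivePrincipal hivePrincipal, boolean z) throws HiveAuthzPluginException, HiveAccessControlException {
        try {
            PrivilegeBag privBag = toPrivilegeBag(list2, hivePrivilegeObject, hivePrincipal, z);
            grantOrRevokePrivs(list, privBag, false, z);
        } catch (Exception e) {
            throw new HiveAuthzPluginException(e);
        }
    }

    /**
     * Applies one privilege bag to each principal in turn.
     *
     * <p>The same bag instance is reused: before every call its entries are
     * re-stamped with the current principal's name and type, so one call to the
     * {@link Hive} client is issued per principal.
     */
    private void grantOrRevokePrivs(List<HivePrincipal> principals, PrivilegeBag privBag, boolean isGrant, boolean grantOption) throws HiveException {
        for (HivePrincipal principal : principals) {
            PrincipalType principalType = AuthorizationUtils.getThriftPrincipalType(principal.getType());
            for (HiveObjectPrivilege privilege : privBag.getPrivileges()) {
                privilege.setPrincipalName(principal.getName());
                privilege.setPrincipalType(principalType);
            }
            if (isGrant) {
                this.hive.grantPrivileges(privBag);
            } else {
                this.hive.revokePrivileges(privBag, grantOption);
            }
        }
    }

    /**
     * Builds one bag entry for {@code objectRef}.
     *
     * <p>Principal name and type are left {@code null}; {@link #grantOrRevokePrivs}
     * fills them in per grantee. The literal {@code 0} is the second
     * {@link PrivilegeGrantInfo} argument (presumably the creation time, left for
     * the metastore to set; confirm).
     */
    private static HiveObjectPrivilege newPrivilege(HiveObjectRef objectRef, String privilegeName, String grantorName, PrincipalType grantorType, boolean grantOption) {
        return new HiveObjectPrivilege(objectRef, null, null, new PrivilegeGrantInfo(privilegeName, 0, grantorName, grantorType, grantOption));
    }

    /**
     * Translates plugin-level privileges on one object into a metastore
     * {@link PrivilegeBag}, choosing the scope (global, database, table, partition
     * or column) from what {@code privObject} and each privilege specify.
     *
     * @return an empty bag when {@code privileges} is empty, otherwise one entry per
     *         privilege (one per column for column-scoped privileges)
     * @throws HiveException if columns are given for a global or database scope, if
     *                       the privilege does not support column scope, if a
     *                       partition is named together with the grant option or on
     *                       an unpartitioned table, or if the database is missing
     */
    private PrivilegeBag toPrivilegeBag(List<HivePrivilege> privileges, HivePrivilegeObject privObject, HivePrincipal grantor, boolean grantOption) throws HiveException {
        PrivilegeBag privBag = new PrivilegeBag();
        if (privileges.isEmpty()) {
            return privBag;
        }
        String grantorName = grantor.getName();
        PrincipalType grantorType = AuthorizationUtils.getThriftPrincipalType(grantor.getType());

        // A missing object type is treated the same as GLOBAL.
        if (privObject.getType() == null || privObject.getType() == HivePrivilegeObject.HivePrivilegeObjectType.GLOBAL) {
            for (HivePrivilege privilege : privileges) {
                List<String> columns = privilege.getColumns();
                if (columns != null && !columns.isEmpty()) {
                    throw new HiveException("For user-level privileges, column sets should be null. columns=" + columns.toString());
                }
                HiveObjectRef globalRef = new HiveObjectRef(HiveObjectType.GLOBAL, null, null, null, null);
                privBag.addToPrivileges(newPrivilege(globalRef, privilege.getName(), grantorName, grantorType, grantOption));
            }
            return privBag;
        }

        if (privObject.getPartKeys() != null && grantOption) {
            throw new HiveException("Grant does not support partition level.");
        }
        Database database = this.hive.getDatabase(privObject.getDbname());
        if (database == null) {
            throw new HiveException("Database " + privObject.getDbname() + " does not exists");
        }
        String dbName = database.getName();

        Table table = null;
        if (privObject.getObjectName() != null) {
            table = this.hive.getTable(dbName, privObject.getObjectName());
        }

        // Partition values as stored for the named partition; null means "no partition scope".
        List<String> partValues = null;
        if (table != null) {
            if (!table.isPartitioned() && privObject.getPartKeys() != null) {
                throw new HiveException("Table is not partitioned, but partition name is present: partSpec=" + privObject.getPartKeys());
            }
            if (privObject.getPartKeys() != null) {
                partValues = this.hive.getPartition(table, Warehouse.makeSpecFromValues(table.getPartitionKeys(), privObject.getPartKeys()), false).getTPartition().getValues();
            }
        }

        for (HivePrivilege privilege : privileges) {
            String privilegeName = privilege.getName();
            List<String> columns = privilege.getColumns();
            boolean columnScoped = columns != null && !columns.isEmpty();

            if (columnScoped) {
                if (!privilege.supportsScope(PrivilegeScope.COLUMN_LEVEL_SCOPE)) {
                    throw new HiveException(privilege.getName() + " does not support column level privilege.");
                }
                if (table == null) {
                    throw new HiveException("For user-level/database-level privileges, column sets should be null. columns=" + columns);
                }
                for (String column : columns) {
                    HiveObjectRef columnRef = new HiveObjectRef(HiveObjectType.COLUMN, dbName, table.getTableName(), partValues, column);
                    privBag.addToPrivileges(newPrivilege(columnRef, privilegeName, grantorName, grantorType, grantOption));
                }
                continue;
            }

            HiveObjectRef objectRef;
            if (table == null) {
                objectRef = new HiveObjectRef(HiveObjectType.DATABASE, dbName, null, null, null);
            } else if (partValues == null) {
                objectRef = new HiveObjectRef(HiveObjectType.TABLE, dbName, table.getTableName(), null, null);
            } else {
                objectRef = new HiveObjectRef(HiveObjectType.PARTITION, dbName, table.getTableName(), partValues, null);
            }
            privBag.addToPrivileges(newPrivilege(objectRef, privilegeName, grantorName, grantorType, grantOption));
        }
        return privBag;
    }

    /**
     * Creates a role.
     *
     * @param str           role name
     * @param hivePrincipal principal whose name is passed as the second argument of
     *                      the create call; {@code null} passes a {@code null} name
     * @throws HiveAuthzPluginException wrapping a {@link HiveException} from the client
     */
    @Override
    public void createRole(String str, HivePrincipal hivePrincipal) throws HiveAuthzPluginException, HiveAccessControlException {
        String ownerName = null;
        if (hivePrincipal != null) {
            ownerName = hivePrincipal.getName();
        }
        try {
            this.hive.createRole(str, ownerName);
        } catch (HiveException e) {
            throw new HiveAuthzPluginException(e);
        }
    }

    /**
     * Drops the role named {@code str}.
     *
     * @throws HiveAuthzPluginException wrapping a {@link HiveException} from the client
     */
    @Override
    public void dropRole(String str) throws HiveAuthzPluginException, HiveAccessControlException {
        try {
            this.hive.dropRole(str);
        } catch (HiveException e) {
            throw new HiveAuthzPluginException(e);
        }
    }

    /**
     * Returns the grants of role {@code str}, obtained through
     * {@link SQLStdHiveAccessController#getHiveRoleGrants} on this client's metastore client.
     *
     * @throws HiveAuthzPluginException wrapping any exception raised by the lookup
     */
    @Override
    public List<HiveRoleGrant> getPrincipalGrantInfoForRole(String str) throws HiveAuthzPluginException, HiveAccessControlException {
        try {
            return SQLStdHiveAccessController.getHiveRoleGrants(this.hive.getMSC(), str);
        } catch (Exception e) {
            throw new HiveAuthzPluginException(e);
        }
    }

    /**
     * Returns the role grants held by {@code hivePrincipal}.
     *
     * @throws HiveAuthzPluginException wrapping a {@link HiveException} from the client
     */
    @Override
    public List<HiveRoleGrant> getRoleGrantInfoForPrincipal(HivePrincipal hivePrincipal) throws HiveAuthzPluginException, HiveAccessControlException {
        PrincipalType principalType = AuthorizationUtils.getThriftPrincipalType(hivePrincipal.getType());
        try {
            List<HiveRoleGrant> roleGrants = new ArrayList<>();
            for (RolePrincipalGrant grant : this.hive.getRoleGrantInfoForPrincipal(hivePrincipal.getName(), principalType)) {
                roleGrants.add(new HiveRoleGrant(grant));
            }
            return roleGrants;
        } catch (HiveException e) {
            throw new HiveAuthzPluginException(e);
        }
    }

    /**
     * Grants every role in {@code list2} to every principal in {@code list}.
     *
     * @param list          principals receiving the roles
     * @param list2         role names
     * @param z             grant option forwarded with each grant
     * @param hivePrincipal principal recorded as grantor
     * @throws HiveAuthzPluginException wrapping a {@link HiveException} from the client
     */
    @Override
    public void grantRole(List<HivePrincipal> list, List<String> list2, boolean z, HivePrincipal hivePrincipal) throws HiveAuthzPluginException, HiveAccessControlException {
        try {
            grantOrRevokeRole(list, list2, z, hivePrincipal, true);
        } catch (HiveException e) {
            throw new HiveAuthzPluginException(e);
        }
    }

    /**
     * Revokes every role in {@code list2} from every principal in {@code list}.
     *
     * @param list          principals losing the roles
     * @param list2         role names
     * @param z             grant-option flag forwarded with each revoke
     * @param hivePrincipal grantor; only its type is read on this path
     * @throws HiveAuthzPluginException wrapping a {@link HiveException} from the client
     */
    @Override
    public void revokeRole(List<HivePrincipal> list, List<String> list2, boolean z, HivePrincipal hivePrincipal) throws HiveAuthzPluginException, HiveAccessControlException {
        try {
            grantOrRevokeRole(list, list2, z, hivePrincipal, false);
        } catch (HiveException e) {
            throw new HiveAuthzPluginException(e);
        }
    }

    /**
     * Issues one grant or revoke call per (principal, role) pair.
     *
     * <p>The grantor's type is resolved up front for both directions, so a
     * {@code null} grantor fails here even when revoking.
     */
    private void grantOrRevokeRole(List<HivePrincipal> principals, List<String> roles, boolean grantOption, HivePrincipal grantor, boolean isGrant) throws HiveException {
        PrincipalType grantorType = AuthorizationUtils.getThriftPrincipalType(grantor.getType());
        for (HivePrincipal principal : principals) {
            PrincipalType principalType = AuthorizationUtils.getThriftPrincipalType(principal.getType());
            String principalName = principal.getName();
            for (String role : roles) {
                if (isGrant) {
                    this.hive.grantRole(role, principalName, principalType, grantor.getName(), grantorType, grantOption);
                } else {
                    this.hive.revokeRole(role, principalName, principalType, grantOption);
                }
            }
        }
    }

    /**
     * Returns the names of all roles known to the client.
     *
     * @throws HiveAuthzPluginException wrapping a {@link HiveException} from the client
     */
    @Override
    public List<String> getAllRoles() throws HiveAuthzPluginException, HiveAccessControlException {
        try {
            return this.hive.getAllRoleNames();
        } catch (HiveException e) {
            throw new HiveAuthzPluginException(e);
        }
    }

    /**
     * Lists the privileges recorded for a principal on an object.
     *
     * <p>The scope queried follows what {@code hivePrivilegeObject} specifies: a
     * {@code null} object queries the GLOBAL scope; an object without a database
     * name queries with a {@code null} object type; otherwise the database, table,
     * partition or per-column scope is used. No check is made here on who is asking.
     *
     * @param hivePrincipal       principal to look up; {@code null} passes a
     *                            {@code null} name to the client
     * @param hivePrivilegeObject object to look up, or {@code null}
     * @throws HiveAuthzPluginException wrapping any exception raised by the lookup,
     *                                  including a missing database
     */
    @Override
    public List<HivePrivilegeInfo> showPrivileges(HivePrincipal hivePrincipal, HivePrivilegeObject hivePrivilegeObject) throws HiveAuthzPluginException, HiveAccessControlException {
        String principalName = hivePrincipal == null ? null : hivePrincipal.getName();
        PrincipalType principalType = AuthorizationUtils.getThriftPrincipalType(hivePrincipal == null ? null : hivePrincipal.getType());
        // Typed list instead of a raw ArrayList so the element type is checked at compile time.
        List<HiveObjectPrivilege> grants = new ArrayList<>();
        try {
            if (hivePrivilegeObject == null) {
                grants.addAll(this.hive.showPrivilegeGrant(HiveObjectType.GLOBAL, principalName, principalType, null, null, null, null));
            } else if (hivePrivilegeObject.getDbname() == null) {
                grants.addAll(this.hive.showPrivilegeGrant(null, principalName, principalType, null, null, null, null));
            } else {
                Database database = this.hive.getDatabase(hivePrivilegeObject.getDbname());
                if (database == null) {
                    throw new HiveException("Database " + hivePrivilegeObject.getDbname() + " does not exists");
                }
                String dbName = database.getName();
                Table table = null;
                if (hivePrivilegeObject.getObjectName() != null) {
                    table = this.hive.getTable(dbName, hivePrivilegeObject.getObjectName());
                }
                List<String> partKeys = hivePrivilegeObject.getPartKeys();
                if (table == null) {
                    grants.addAll(this.hive.showPrivilegeGrant(HiveObjectType.DATABASE, principalName, principalType, dbName, null, null, null));
                } else {
                    List<String> columns = hivePrivilegeObject.getColumns();
                    if (columns != null && !columns.isEmpty()) {
                        // One lookup per requested column.
                        for (String column : columns) {
                            grants.addAll(this.hive.showPrivilegeGrant(HiveObjectType.COLUMN, principalName, principalType, dbName, table.getTableName(), partKeys, column));
                        }
                    } else if (partKeys == null) {
                        grants.addAll(this.hive.showPrivilegeGrant(HiveObjectType.TABLE, principalName, principalType, dbName, table.getTableName(), null, null));
                    } else {
                        grants.addAll(this.hive.showPrivilegeGrant(HiveObjectType.PARTITION, principalName, principalType, dbName, table.getTableName(), partKeys, null));
                    }
                }
            }
            return AuthorizationUtils.getPrivilegeInfos(grants);
        } catch (Exception e) {
            throw new HiveAuthzPluginException(e);
        }
    }

    /**
     * Not supported by the V1 adapter.
     *
     * @throws HiveAuthzPluginException always
     */
    @Override
    public void setCurrentRole(String str) throws HiveAccessControlException, HiveAuthzPluginException {
        throw new HiveAuthzPluginException("Unsupported operation 'setCurrentRole' for V1 auth");
    }

    /**
     * Returns the names of the roles listed for the current session user.
     *
     * <p>The user name is taken from the session and, failing that, from the
     * session's authenticator.
     *
     * @throws HiveAuthzPluginException if no user name can be resolved, or wrapping
     *                                  a {@link HiveException} from the role lookup
     */
    @Override
    public List<String> getCurrentRoleNames() throws HiveAuthzPluginException {
        // NOTE(review): SessionState.get() is assumed to return null when no session
        // is attached to the calling thread. Guarding it turns that case into the
        // declared plugin exception below instead of a NullPointerException.
        SessionState session = SessionState.get();
        String userName = session == null ? null : session.getUserName();
        if (userName == null) {
            userName = SessionState.getUserFromAuthenticator();
        }
        if (userName == null) {
            throw new HiveAuthzPluginException("Cannot resolve current user name");
        }
        try {
            List<String> roleNames = new ArrayList<>();
            for (Role role : this.hive.listRoles(userName, PrincipalType.USER)) {
                roleNames.add(role.getRoleName());
            }
            return roleNames;
        } catch (HiveException e) {
            throw new HiveAuthzPluginException(e);
        }
    }

    /** Does nothing: this adapter applies no configuration policy. */
    @Override
    public void applyAuthorizationConfigPolicy(HiveConf hiveConf) {
    }

    /**
     * Returns {@code list} unchanged; this adapter does not restrict which objects
     * a listing command may show.
     */
    @Override
    public List<HivePrivilegeObject> filterListCmdObjects(List<HivePrivilegeObject> list, HiveAuthzContext hiveAuthzContext) throws HiveAuthzPluginException, HiveAccessControlException {
        return list;
    }

    /** Always {@code false}: this adapter requests no row-filter or masking transform. */
    @Override
    public boolean needTransform() {
        return false;
    }

    /**
     * Returns {@code null}; no row filter or column mask is produced.
     *
     * <p>NOTE(review): callers presumably consult {@link #needTransform()} first and
     * never dereference this result; confirm at the call site.
     */
    @Override
    public List<HivePrivilegeObject> applyRowFilterAndColumnMasking(HiveAuthzContext hiveAuthzContext, List<HivePrivilegeObject> list) throws SemanticException {
        return null;
    }
}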
