package org.apache.hadoop.hbase.security.access;

import java.io.IOException;
import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.DoNotRetryIOException;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.RegionInfo;
import org.apache.hadoop.hbase.ipc.RpcServer;
import org.apache.hadoop.hbase.mob.MobConstants;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.Superusers;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.zookeeper.ZKWatcher;
import org.apache.hadoop.security.Groups;
import org.apache.hadoop.security.HadoopKerberosName;
import org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

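/**
 * Authorization checks used by HBase access control.
 *
 * <p>Every {@code require*} and {@code check*} method is a no-op unless
 * {@code hbase.security.authorization} is {@code true} (see
 * {@link #isAuthorizationSupported(Configuration)}): with the flag off nothing here
 * ever denies a request, so the flag must be set for permissions to be enforced at all.
 *
 * <p>Each decision is written to the {@code SecurityLogger} audit logger. The level is
 * chosen per request name from {@link #REQUESTLOGLEVEL} and is the same for allowed and
 * denied outcomes, so denials of low-level requests such as {@code get} or {@code scan}
 * only appear when that logger is enabled at {@code TRACE}.
 *
 * <p>Varargs checks pass as soon as any one of the requested actions is granted; the audit
 * entry records the action that was granted, or the last one tried when all were refused.
 * A call that requests no action at all is denied (and audited) rather than failing with a
 * {@code NullPointerException}.
 */
@InterfaceAudience.Private
public final class AccessChecker {
    private static final Logger LOG = LoggerFactory.getLogger(AccessChecker.class);
    /** Audit trail of allow/deny decisions, under the "SecurityLogger" logger hierarchy. */
    private static final Logger AUDITLOG =
        LoggerFactory.getLogger("SecurityLogger." + AccessChecker.class.getName());
    /** Audit reason recorded when a check is invoked with no action to test. */
    private static final String NO_ACTION_REASON = "No permissions requested";

    /** Audit log level per request name (keyed by the first whitespace-separated word). */
    private static final Map<String, LogLevel> REQUESTLOGLEVEL = new HashMap<>();

    static {
        register(LogLevel.warn, "shutdown", "stopMaster");
        register(LogLevel.info,
            "createTable", "modifyTable", "enableTable", "disableTable", "deleteTable",
            "snapshot", "cloneSnapshot", "restoreSnapshot", "listSnapshot", "deleteSnapshot",
            "incrementColumnValue", "append", "increment", "preBulkLoadHFile",
            "grant", "revoke",
            "createNamespace", "deleteNamespace", "modifyNamespace",
            "balanceSwitch", "mergeRegions", "hasPermission", "setClusterState",
            "abortProcedure", "setSplitOrMergeEnabled", "clearDeadServers",
            "decommissionRegionServers", "recommissionRegionServers", "preRollLogWriterRequest",
            "setUserQuota", "setUserTableQuota", "setTableQuota", "setNamespaceQuota",
            "preClearCompactionQueues",
            "addReplicationPeer", "removeReplicationPeer", "enableReplicationPeer",
            "disableReplicationPeer", "updateReplicationPeerConfig");
        register(LogLevel.debug,
            "getTableDescriptors", "preClose", "getClusterState", "getReplicationPeerConfig",
            "getProcedure", "getNamespaceDescriptor");
        register(LogLevel.trace,
            "exists", "get", "scan", "put", "delete", "checkAndPut", "checkAndDelete",
            "move", "assign", "unassign", "balance", "flush", "split", "compact",
            "userPermissions", "checkPermissions", "regionOffline", "preOpen",
            "preStopRegionServer");
    }

    /** User-to-groups lookup shared by all instances; set by the first checker constructed. */
    private static Groups groupService;

    private final TableAuthManager authManager;
    /** Value of hbase.security.authorization at construction; when false every check is skipped. */
    private final boolean authorizationEnabled;

    /**
     * A minimal {@link User} built from a principal name and an explicit group list. It is
     * used to evaluate permissions on behalf of a user other than the RPC caller (the
     * "filter user" of {@link #validateCallerWithFilterUser}); it carries no credentials, so
     * both {@code runAs} variants are unsupported.
     */
    public static class InputUser extends User {
        private final String name;
        private final String[] groups;
        /** Derived lazily from {@link #name} through the Hadoop Kerberos name rules. */
        private String shortName;

        /**
         * @param name   full principal name of the user being described
         * @param groups group names to report from {@link #getGroupNames()}
         */
        public InputUser(String name, String[] groups) {
            this.name = name;
            this.groups = groups;
        }

        /**
         * Short (local) form of the principal, computed once via {@link HadoopKerberosName}.
         *
         * @throws IllegalArgumentException if the principal cannot be parsed
         */
        @Override
        public String getShortName() {
            if (shortName == null) {
                try {
                    shortName = new HadoopKerberosName(name).getShortName();
                } catch (IOException e) {
                    throw new IllegalArgumentException(
                        "Illegal principal name " + name + ": " + e.toString(), e);
                }
            }
            return shortName;
        }

        @Override
        public String getName() {
            return name;
        }

        @Override
        public String[] getGroupNames() {
            return groups;
        }

        /** Always throws: this user has no credentials to run as. */
        @Override
        public <T> T runAs(PrivilegedAction<T> action) {
            throw new UnsupportedOperationException(
                "Method not supported, this class has limited implementation");
        }

        /** Always throws: this user has no credentials to run as. */
        @Override
        public <T> T runAs(PrivilegedExceptionAction<T> action)
                throws IOException, InterruptedException {
            throw new UnsupportedOperationException(
                "Method not supported, this class has limited implementation");
        }

        @Override
        public String toString() {
            return name;
        }
    }

    /** Levels an audit entry can be emitted at; mirrors the SLF4J levels. */
    public enum LogLevel {
        trace,
        debug,
        info,
        warn,
        error
    }

    /**
     * Whether authorization is turned on, i.e. {@code hbase.security.authorization} is true.
     * Defaults to {@code false} when the property is absent.
     */
    public static boolean isAuthorizationSupported(Configuration configuration) {
        return configuration.getBoolean("hbase.security.authorization", false);
    }

    /**
     * Creates a checker backed by the shared {@link TableAuthManager} for {@code zkWatcher}.
     *
     * @throws NullPointerException if {@code zkWatcher} is null
     * @throws RuntimeException     wrapping any {@link IOException} from the auth manager
     */
    public AccessChecker(Configuration configuration, ZKWatcher zkWatcher) throws RuntimeException {
        if (zkWatcher == null) {
            throw new NullPointerException("Error obtaining AccessChecker, zk found null.");
        }
        try {
            this.authManager = TableAuthManager.getOrCreate(zkWatcher, configuration);
            this.authorizationEnabled = isAuthorizationSupported(configuration);
            initGroupService(configuration);
        } catch (IOException e) {
            throw new RuntimeException("Error obtaining AccessChecker", e);
        }
    }

    /** Releases this checker's reference to the shared {@link TableAuthManager}. */
    public void stop() {
        TableAuthManager.release(authManager);
    }

    public TableAuthManager getAuthManager() {
        return authManager;
    }

    /** Registers {@code requests} at {@code level} in {@link #REQUESTLOGLEVEL}. */
    private static void register(LogLevel level, String... requests) {
        for (String request : requests) {
            REQUESTLOGLEVEL.put(request, level);
        }
    }

    /**
     * Audit level for {@code result}, looked up by the first word of its request name.
     * Unknown (or null) request names fall back to {@code trace}.
     */
    private static LogLevel getRequestLogLevel(AuthResult result) {
        String request = result.getRequest();
        if (request == null) {
            return LogLevel.trace;
        }
        LogLevel level = REQUESTLOGLEVEL.get(request.split(" ")[0]);
        return level != null ? level : LogLevel.trace;
    }

    private static boolean isLogLevelEnabled(Logger logger, LogLevel level) {
        switch (level) {
            case trace:
                return logger.isTraceEnabled();
            case debug:
                return logger.isDebugEnabled();
            case info:
                return logger.isInfoEnabled();
            case warn:
                return logger.isWarnEnabled();
            case error:
                return logger.isErrorEnabled();
            default:
                return false;
        }
    }

    /** Null-safe view of a varargs action list. */
    private static Permission.Action[] requested(Permission.Action[] actions) {
        return actions == null ? new Permission.Action[0] : actions;
    }

    /** Audits {@code result} and throws if it is a denial. */
    private static void logAndEnforce(AuthResult result) throws IOException {
        logResult(result);
        if (!result.isAllowed()) {
            throw new AccessDeniedException("Insufficient permissions " + result.toContextString());
        }
    }

    /** Audits a global-scope {@code result} and throws if it is a denial. */
    private static void logAndEnforceGlobal(AuthResult result, User user, Permission.Action action)
            throws IOException {
        logResult(result);
        if (!result.isAllowed()) {
            throw new AccessDeniedException("Insufficient permissions for user '"
                + (user != null ? user.getShortName() : "null")
                + "' (global, action=" + action.toString() + ")");
        }
    }

    /**
     * Requires that {@code user} has at least one of {@code permissions} on {@code tableName},
     * as decided by {@link TableAuthManager#hasAccess}.
     *
     * @throws AccessDeniedException if none of the actions is granted, or none was requested
     */
    public void requireAccess(User user, String request, TableName tableName,
            Permission.Action... permissions) throws IOException {
        if (!authorizationEnabled) {
            return;
        }
        AuthResult result = null;
        for (Permission.Action permission : requested(permissions)) {
            if (authManager.hasAccess(user, tableName, permission)) {
                result = AuthResult.allow(request, "Table permission granted", user, permission,
                    tableName, null, null);
                break;
            }
            result = AuthResult.deny(request, "Insufficient permissions", user, permission,
                tableName, null, null);
        }
        if (result == null) {
            // Nothing to test: fail closed instead of dereferencing a null result.
            result = AuthResult.deny(request, NO_ACTION_REASON, user, null, tableName, null, null);
        }
        logAndEnforce(result);
    }

    /**
     * Requires global {@code action}; {@code filterUser} is attached to the audit entry only.
     */
    public void requirePermission(User user, String request, String filterUser,
            Permission.Action action) throws IOException {
        requireGlobalPermission(user, request, action, null, null, filterUser);
    }

    /**
     * Requires global {@code action}. The table, families and {@code filterUser} are recorded
     * in the audit entry but play no part in the decision.
     *
     * @throws AccessDeniedException if the global permission is not granted
     */
    public void requireGlobalPermission(User user, String request, Permission.Action action,
            TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap,
            String filterUser) throws IOException {
        if (!authorizationEnabled) {
            return;
        }
        AuthResult result;
        if (authManager.authorize(user, action)) {
            result = AuthResult.allow(request, "Global check allowed", user, action, tableName, familyMap);
        } else {
            result = AuthResult.deny(request, "Global check failed", user, action, tableName, familyMap);
        }
        result.getParams().setTableName(tableName).setFamilies(familyMap);
        result.getParams().addExtraParam("filterUser", filterUser);
        logAndEnforceGlobal(result, user, action);
    }

    /**
     * Requires global {@code action}; {@code namespace} is recorded in the audit entry only.
     *
     * @throws AccessDeniedException if the global permission is not granted
     */
    public void requireGlobalPermission(User user, String request, Permission.Action action,
            String namespace) throws IOException {
        if (!authorizationEnabled) {
            return;
        }
        AuthResult result;
        if (authManager.authorize(user, action)) {
            result = AuthResult.allow(request, "Global check allowed", user, action, null);
        } else {
            result = AuthResult.deny(request, "Global check failed", user, action, null);
        }
        result.getParams().setNamespace(namespace);
        logAndEnforceGlobal(result, user, action);
    }

    /**
     * Requires global {@code action}; the extra key/value pair is recorded in the audit
     * entry only.
     *
     * @throws AccessDeniedException if the global permission is not granted
     */
    public void requireGlobalPermission(User user, String request, Permission.Action action,
            String extraKey, String extraValue) throws IOException {
        if (!authorizationEnabled) {
            return;
        }
        AuthResult result;
        if (authManager.authorize(user, action)) {
            result = AuthResult.allow(request, "Global check allowed", user, action, null, null);
        } else {
            result = AuthResult.deny(request, "Global check failed", user, action, null, null);
        }
        result.getParams().addExtraParam(extraKey, extraValue);
        logAndEnforceGlobal(result, user, action);
    }

    /**
     * Requires at least one of {@code permissions} on {@code namespace}; {@code filterUser}
     * is attached to the audit entry only.
     *
     * @throws AccessDeniedException if none of the actions is granted, or none was requested
     */
    public void requireNamespacePermission(User user, String request, String namespace,
            String filterUser, Permission.Action... permissions) throws IOException {
        if (!authorizationEnabled) {
            return;
        }
        AuthResult result = null;
        for (Permission.Action permission : requested(permissions)) {
            if (authManager.authorize(user, namespace, permission)) {
                result = AuthResult.allow(request, "Namespace permission granted", user, permission,
                    namespace);
                break;
            }
            result = AuthResult.deny(request, "Insufficient permissions", user, permission, namespace);
        }
        if (result == null) {
            // Nothing to test: fail closed instead of dereferencing a null result.
            result = AuthResult.deny(request, NO_ACTION_REASON, user, null, namespace);
        }
        result.getParams().addExtraParam("filterUser", filterUser);
        logAndEnforce(result);
    }

    /**
     * Requires at least one of {@code permissions} on {@code namespace}. The table and
     * families are recorded in the audit entry but the decision is namespace-scoped.
     *
     * @throws AccessDeniedException if none of the actions is granted, or none was requested
     */
    public void requireNamespacePermission(User user, String request, String namespace,
            TableName tableName, Map<byte[], ? extends Collection<byte[]>> familyMap,
            Permission.Action... permissions) throws IOException {
        if (!authorizationEnabled) {
            return;
        }
        AuthResult result = null;
        for (Permission.Action permission : requested(permissions)) {
            if (authManager.authorize(user, namespace, permission)) {
                result = AuthResult.allow(request, "Namespace permission granted", user, permission,
                    namespace);
                result.getParams().setTableName(tableName).setFamilies(familyMap);
                break;
            }
            result = AuthResult.deny(request, "Insufficient permissions", user, permission, namespace);
            result.getParams().setTableName(tableName).setFamilies(familyMap);
        }
        if (result == null) {
            // Nothing to test: fail closed instead of dereferencing a null result.
            result = AuthResult.deny(request, NO_ACTION_REASON, user, null, namespace);
            result.getParams().setTableName(tableName).setFamilies(familyMap);
        }
        logAndEnforce(result);
    }

    /**
     * Requires at least one of {@code permissions} on the given table/family/qualifier
     * (the auth manager evaluates all three); {@code filterUser} is attached to the audit
     * entry only.
     *
     * @throws AccessDeniedException if none of the actions is granted, or none was requested
     */
    public void requirePermission(User user, String request, TableName tableName, byte[] family,
            byte[] qualifier, String filterUser, Permission.Action... permissions)
            throws IOException {
        if (!authorizationEnabled) {
            return;
        }
        AuthResult result = null;
        for (Permission.Action permission : requested(permissions)) {
            if (authManager.authorize(user, tableName, family, qualifier, permission)) {
                result = AuthResult.allow(request, "Table permission granted", user, permission,
                    tableName, family, qualifier);
                break;
            }
            result = AuthResult.deny(request, "Insufficient permissions", user, permission,
                tableName, family, qualifier);
        }
        if (result == null) {
            // Nothing to test: fail closed instead of dereferencing a null result.
            result = AuthResult.deny(request, NO_ACTION_REASON, user, null, tableName, family,
                qualifier);
        }
        result.getParams().addExtraParam("filterUser", filterUser);
        logAndEnforce(result);
    }

    /**
     * Requires at least one of {@code permissions} at <em>table</em> scope: the auth manager
     * is consulted with a null family and qualifier, and the supplied {@code family} /
     * {@code qualifier} are only recorded in the audit entry.
     *
     * @throws AccessDeniedException if none of the actions is granted, or none was requested
     */
    public void requireTablePermission(User user, String request, TableName tableName,
            byte[] family, byte[] qualifier, Permission.Action... permissions) throws IOException {
        if (!authorizationEnabled) {
            return;
        }
        AuthResult result = null;
        for (Permission.Action permission : requested(permissions)) {
            if (authManager.authorize(user, tableName, (byte[]) null, (byte[]) null, permission)) {
                result = AuthResult.allow(request, "Table permission granted", user, permission,
                    tableName, null, null);
                result.getParams().setFamily(family).setQualifier(qualifier);
                break;
            }
            result = AuthResult.deny(request, "Insufficient permissions", user, permission,
                tableName, family, qualifier);
            result.getParams().setFamily(family).setQualifier(qualifier);
        }
        if (result == null) {
            // Nothing to test: fail closed instead of dereferencing a null result.
            result = AuthResult.deny(request, NO_ACTION_REASON, user, null, tableName, family,
                qualifier);
            result.getParams().setFamily(family).setQualifier(qualifier);
        }
        logAndEnforce(result);
    }

    /**
     * Permission check for lock requests. A non-empty {@code namespace} requires ADMIN or
     * CREATE on that namespace; otherwise ADMIN or CREATE is required on {@code tableName},
     * or on the table of the first region when no table is given.
     *
     * @param request name under which the decision is audited
     * @throws DoNotRetryIOException if neither a namespace, a table nor a region identifies
     *                               the lock target
     * @throws AccessDeniedException if the required permission is not granted
     */
    public void checkLockPermissions(User user, String namespace, TableName tableName,
            RegionInfo[] regionInfos, String request) throws IOException {
        if (namespace != null && !namespace.isEmpty()) {
            requireNamespacePermission(user, request, namespace, null,
                Permission.Action.ADMIN, Permission.Action.CREATE);
            return;
        }
        if (tableName == null && (regionInfos == null || regionInfos.length <= 0)) {
            throw new DoNotRetryIOException("Invalid lock level when requesting permissions.");
        }
        TableName lockedTable = tableName != null ? tableName : regionInfos[0].getTable();
        requireTablePermission(user, request, lockedTable, null, null,
            Permission.Action.ADMIN, Permission.Action.CREATE);
    }

    /**
     * Writes {@code result} to the audit logger at the level chosen for its request name.
     * The remote address is taken from the current RPC, and is empty when there is none.
     * Allowed and denied outcomes use the same level, so a denial is dropped whenever that
     * level is disabled on the "SecurityLogger" logger.
     */
    public static void logResult(AuthResult result) {
        LogLevel level = getRequestLogLevel(result);
        if (!isLogLevelEnabled(AUDITLOG, level)) {
            return;
        }
        String remoteAddress = RpcServer.getRemoteAddress()
            .map(Object::toString)
            .orElse(MobConstants.EMPTY_STRING);
        StringBuilder line = new StringBuilder("Access ");
        line.append(result.isAllowed() ? "allowed" : "denied");
        line.append(" for user ");
        line.append(result.getUser() != null ? result.getUser().getShortName() : "UNKNOWN");
        line.append("; reason: ").append(result.getReason())
            .append("; remote address: ").append(remoteAddress)
            .append("; request: ").append(result.getRequest())
            .append("; context: ").append(result.toContextString());
        String message = line.toString();
        switch (level) {
            case trace:
                AUDITLOG.trace(message);
                break;
            case debug:
                AUDITLOG.debug(message);
                break;
            case info:
                AUDITLOG.info(message);
                break;
            case warn:
                AUDITLOG.warn(message);
                break;
            case error:
                AUDITLOG.error(message);
                break;
            default:
                break;
        }
    }

    /**
     * Resolves the user whose permissions a {@code hasPermission} request is about. A caller
     * asking about itself is allowed outright; asking about another user requires table
     * ADMIN on the permission's table, after which an {@link InputUser} is built from the
     * name and its group mapping.
     *
     * @return {@code caller} itself, or an {@link InputUser} for {@code inputUserName}
     * @throws AccessDeniedException if the caller lacks ADMIN on the target table
     */
    public User validateCallerWithFilterUser(User caller, TablePermission tPerm,
            String inputUserName) throws IOException {
        if (caller.getShortName().equals(inputUserName)) {
            logResult(AuthResult.allow("hasPermission", "Self user validation allowed", caller,
                null, tPerm.getTableName(), tPerm.getFamily(), tPerm.getQualifier()));
            return caller;
        }
        requirePermission(caller, "hasPermission", tPerm.getTableName(), tPerm.getFamily(),
            tPerm.getQualifier(), inputUserName, Permission.Action.ADMIN);
        List<String> groups = getUserGroups(inputUserName);
        return new InputUser(inputUserName, groups.toArray(new String[0]));
    }

    /**
     * Initialises the shared group mapping on first use. Not synchronised: concurrent first
     * constructions may each build a service, the last assignment winning; both are valid.
     */
    private void initGroupService(Configuration configuration) {
        if (groupService == null) {
            groupService = Groups.getUserToGroupsMappingService(configuration);
        }
    }

    /**
     * Groups of {@code user} according to the shared mapping service. Lookup failures, and a
     * mapping service that has not been initialised yet, are logged and yield an empty list,
     * so the user is then evaluated with no group-derived permissions.
     */
    public static List<String> getUserGroups(String user) {
        if (groupService == null) {
            LOG.warn("Group mapping service not initialised; treating user " + user
                + " as having no groups");
            return new ArrayList<>();
        }
        try {
            return groupService.getGroups(user);
        } catch (IOException e) {
            LOG.error("Error occured while retrieving group for " + user, e);
            return new ArrayList<>();
        }
    }

    /**
     * Requires that {@code user} is a configured superuser ({@link Superusers#isSuperUser});
     * {@code enable}, when non-null, is recorded in the audit entry.
     *
     * @throws AccessDeniedException if authorization is on and the user is not a superuser
     */
    public void checkClusterStateAllowed(User user, String request, String enable)
            throws IOException {
        if (!authorizationEnabled) {
            return;
        }
        if (!Superusers.isSuperUser(user)) {
            logResult(AuthResult.deny(request, "Super user check failed", user, null,
                MobConstants.EMPTY_STRING));
            throw new AccessDeniedException("Insufficient Permission: User '"
                + (user != null ? user.getShortName() : "null")
                + "' is not system or super user. Cluster state access denied.");
        }
        AuthResult result = AuthResult.allow(request, "Super user check allowed", user, null,
            MobConstants.EMPTY_STRING);
        if (enable != null) {
            result.getParams().addExtraParam("enable", enable);
        }
        logResult(result);
    }
}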
