package org.apache.hadoop.mapred;

import com.google.common.annotations.VisibleForTesting;
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.mapreduce.JobACL;
import org.apache.hadoop.mapreduce.MRConfig;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.yarn.api.ApplicationClientProtocol;
import org.apache.hadoop.yarn.api.protocolrecords.GetRoleOfUserRequest;
import org.apache.hadoop.yarn.api.protocolrecords.GetRoleOfUserResponse;
import org.apache.hadoop.yarn.api.protocolrecords.UserRole;
import org.apache.hadoop.yarn.client.ClientRMProxy;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.exceptions.YarnException;
import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;

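@InterfaceAudience.Private
/**
 * Makes the job-level authorization decision for MapReduce jobs.
 *
 * <p>A request is checked against the MR admin ACL, the job owner, and the per-job ACL.
 * When "strict view" is enabled and none of those grant access, the user's role
 * (YARN admin / queue admin / plain user) is looked up from the ResourceManager and
 * cached for a short time.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>With ACLs disabled ({@code MRConfig.MR_ACLS_ENABLED} false, the default used
 *       here) every request is allowed.</li>
 *   <li>With strict view off, a job that carries no ACL for the operation is readable
 *       by everyone (fail-open).</li>
 *   <li>The role cache is static, i.e. shared by every instance in the JVM, and keyed
 *       by short user name only. A role change on the ResourceManager can take up to
 *       {@code cacheInvalidDuration} milliseconds to be honoured.</li>
 *   <li>A failed ResourceManager lookup denies access (fail-closed) and records the
 *       failure in {@link #getYarnExceptionDetail()}.</li>
 * </ul>
 */
public class JobACLsManager {
    Configuration conf;
    private final AccessControlList adminAcl;
    // When true, a missing job ACL no longer grants access; the RM role decides instead.
    private boolean jobStrictView;
    // Most recent failure of the RM role lookup; overwritten by every new failure.
    private static volatile YarnExceptionDetail yarnException;
    static final Log LOG = LogFactory.getLog(JobACLsManager.class);

    // volatile: the cache is replaced wholesale from any request thread.
    @VisibleForTesting
    static volatile UserRoleCache userRoleCache = new UserRoleCache();
    // Wall-clock time (ms) at which the current cache generation was created.
    private static volatile long timeStamp = 0;
    // Lifetime of one cache generation in milliseconds.
    private static long cacheInvalidDuration = 10000;

    /**
     * In-memory record of user roles previously reported by the ResourceManager.
     * Entries are never removed individually; the whole cache object is replaced by
     * {@link JobACLsManager#renewUserRoleCache()}.
     */
    public static class UserRoleCache {
        // Immutable, so the shared placeholder cannot be polluted through getQueues().
        static List<String> EMPTY_LIST = Collections.emptyList();
        List<String> yarnAdminCache = Collections.synchronizedList(new LinkedList<String>());
        List<String> yarnUserCache = Collections.synchronizedList(new LinkedList<String>());
        Map<String, List<String>> yarnQueueAdminCache = new ConcurrentHashMap<>();

        UserRoleCache() {
        }

        /**
         * Returns the cached role of a user.
         *
         * <p>The plain-user list is consulted first, so a name that somehow ended up in
         * several lists resolves to the least privileged role.
         *
         * @param str short user name; {@code null} yields {@code UserRole.UNKNOWN}
         * @return the cached role, or {@code UserRole.UNKNOWN} when nothing is cached
         */
        public UserRole contains(String str) {
            if (str == null) {
                // ConcurrentHashMap.containsKey(null) would throw; treat as "not cached".
                return UserRole.UNKNOWN;
            }
            if (this.yarnUserCache.contains(str)) {
                return UserRole.USER;
            }
            if (this.yarnAdminCache.contains(str)) {
                return UserRole.YARN_ADMIN;
            }
            if (this.yarnQueueAdminCache.containsKey(str)) {
                return UserRole.QUEUE_ADMIN;
            }
            return UserRole.UNKNOWN;
        }

        /**
         * Returns the queues a cached queue admin administers.
         *
         * @param str short user name
         * @return the cached queue list, or {@code null} when {@code str} is
         *     {@code null} or the user is not cached as a queue admin
         */
        public List<String> getQueues(String str) {
            if (str == null) {
                return null;
            }
            return this.yarnQueueAdminCache.get(str);
        }

        /**
         * Caches a user as YARN admin.
         *
         * @param str short user name
         * @return {@code false} when the name is {@code null} or empty and nothing was cached
         */
        public boolean addAdmin(String str) {
            if (str == null || str.isEmpty()) {
                return false;
            }
            this.yarnAdminCache.add(str);
            return true;
        }

        /**
         * Caches a user as a plain user, i.e. one without any administrative role.
         *
         * @param str short user name
         * @return {@code false} when the name is {@code null} or empty and nothing was cached
         */
        public boolean addUser(String str) {
            if (str == null || str.isEmpty()) {
                return false;
            }
            this.yarnUserCache.add(str);
            return true;
        }

        /**
         * Caches a user as queue admin together with the queues administered.
         *
         * @param str short user name
         * @param list queues the user administers; {@code null} is stored as an empty list.
         *     The list is stored as passed, not copied.
         * @return {@code false} when the name is {@code null} or empty and nothing was cached
         */
        public boolean addQueueAdmin(String str, List<String> list) {
            if (str == null || str.isEmpty()) {
                return false;
            }
            this.yarnQueueAdminCache.put(str, list == null ? EMPTY_LIST : list);
            return true;
        }
    }

    /** A failure of the ResourceManager role lookup together with the time it occurred. */
    public static class YarnExceptionDetail {
        long timeStamp;
        Exception e;

        /**
         * Records the failure and, when an exception is given, logs its message at INFO.
         *
         * @param j time of the failure in milliseconds
         * @param exc the failure; may be {@code null}
         */
        YarnExceptionDetail(long j, Exception exc) {
            this.timeStamp = j;
            this.e = exc;
            if (exc != null) {
                JobACLsManager.LOG.info("Check access failed from Yarn: " + exc.getMessage());
            }
        }

        /** @return time of the failure in milliseconds */
        public long getTimeStamp() {
            return this.timeStamp;
        }

        /** @return the recorded failure, possibly {@code null} */
        public Exception getException() {
            return this.e;
        }
    }

    /**
     * Reads the MR admin ACL and the strict-view switch from the configuration.
     *
     * @param configuration source of {@code MRConfig.MR_ADMINS} and
     *     {@code MRConfig.MR_JOB_STRICT_VIEW}; an unset admin list defaults to " ",
     *     which as an ACL string admits nobody
     */
    public JobACLsManager(Configuration configuration) {
        this.adminAcl = new AccessControlList(configuration.get(MRConfig.MR_ADMINS, " "));
        this.conf = configuration;
        this.jobStrictView = configuration.getBoolean(MRConfig.MR_JOB_STRICT_VIEW, false);
    }

    /** @return whether job ACL enforcement is switched on; {@code false} when unset */
    public boolean areACLsEnabled() {
        return this.conf.getBoolean(MRConfig.MR_ACLS_ENABLED, false);
    }

    /**
     * Builds the per-job ACLs from a job configuration.
     *
     * @param configuration the job's configuration
     * @return one ACL per {@link JobACL}, or an empty map when ACLs are disabled
     */
    public Map<JobACL, AccessControlList> constructJobACLs(Configuration configuration) {
        return constructJobACLs(configuration, null);
    }

    /**
     * Builds the per-job ACLs from a job configuration.
     *
     * @param configuration the job's configuration
     * @param str not used by this implementation
     * @return one ACL per {@link JobACL}; an ACL that is not configured is built from
     *     " " (admits nobody). The map is empty when ACLs are disabled.
     */
    public Map<JobACL, AccessControlList> constructJobACLs(Configuration configuration, String str) {
        Map<JobACL, AccessControlList> acls = new HashMap<>();
        if (!areACLsEnabled()) {
            return acls;
        }
        for (JobACL jobACL : JobACL.values()) {
            String aclSpec = configuration.get(jobACL.getAclName());
            acls.put(jobACL, new AccessControlList(aclSpec == null ? " " : aclSpec));
        }
        return acls;
    }

    /** @return whether the caller is listed in the MR admin ACL */
    boolean isMRAdmin(UserGroupInformation userGroupInformation) {
        return this.adminAcl.isUserAllowed(userGroupInformation);
    }

    /**
     * Checks MR admin membership. Note that this does not consult
     * {@link #areACLsEnabled()}.
     *
     * @param userGroupInformation the caller
     * @return whether the caller is listed in the MR admin ACL
     */
    public boolean checkAdminAccess(UserGroupInformation userGroupInformation) {
        return isMRAdmin(userGroupInformation);
    }

    /**
     * Convenience overload of the six-argument {@code checkAccess} that passes
     * {@code str} for both owner arguments.
     *
     * @param userGroupInformation the caller
     * @param jobACL the operation being checked
     * @param str job owner
     * @param str2 queue of the job
     * @param accessControlList the job's ACL for {@code jobACL}; may be {@code null}
     * @return whether access is granted
     */
    public boolean checkAccess(UserGroupInformation userGroupInformation, JobACL jobACL, String str, String str2, AccessControlList accessControlList) {
        return checkAccess(userGroupInformation, jobACL, str, str, str2, accessControlList);
    }

    /**
     * Decides whether a caller may perform an operation on a job.
     *
     * <p>Access is granted, in this order, when: ACLs are disabled; the job has no ACL
     * and strict view is off; the caller is an MR admin; the caller's short name equals
     * {@code str} or {@code str2}; or the job ACL admits the caller. Otherwise access is
     * denied unless strict view is on, in which case the caller's YARN role decides:
     * YARN admins are admitted, queue admins only for queue {@code str3}, everyone else
     * is denied. A role lookup that fails or returns nothing denies access.
     *
     * @param userGroupInformation the caller
     * @param jobACL the operation being checked (used for debug logging only)
     * @param str job owner
     * @param str2 a second name treated like the owner
     *     (NOTE(review): confirm what callers other than the overload above supply)
     * @param str3 queue of the job, matched against a queue admin's queues
     * @param accessControlList the job's ACL for {@code jobACL}; may be {@code null}
     * @return whether access is granted
     */
    public boolean checkAccess(UserGroupInformation userGroupInformation, JobACL jobACL, String str, String str2, String str3, AccessControlList accessControlList) {
        String shortUserName = userGroupInformation.getShortUserName();
        if (LOG.isDebugEnabled()) {
            // Plain concatenation so a null jobACL cannot fail the request only when debug is on.
            LOG.debug("checkAccess job acls, jobOwner: " + str + " jobacl: " + jobACL + " user: " + shortUserName);
        }
        if (!areACLsEnabled()) {
            return true;
        }
        if ((accessControlList == null && !this.jobStrictView) || isMRAdmin(userGroupInformation) || shortUserName.equals(str) || shortUserName.equals(str2)) {
            return true;
        }
        if (accessControlList != null && accessControlList.isUserAllowed(userGroupInformation)) {
            return true;
        }
        if (!this.jobStrictView) {
            return false;
        }

        if (System.currentTimeMillis() - timeStamp < cacheInvalidDuration) {
            // One snapshot for both reads, so a concurrent renewal cannot turn a cached
            // queue admin into a spurious denial between contains() and getQueues().
            UserRoleCache snapshot = userRoleCache;
            switch (snapshot.contains(shortUserName)) {
                case YARN_ADMIN:
                    return true;
                case QUEUE_ADMIN:
                    List<String> cachedQueues = snapshot.getQueues(shortUserName);
                    return cachedQueues != null && cachedQueues.contains(str3);
                case USER:
                    return false;
                default:
                    // Not cached yet: ask the RM below, keeping the other users' entries.
                    break;
            }
        } else {
            // Only an expired generation is discarded. Discarding on every miss would
            // leave at most one user cached and send nearly every check to the RM.
            renewUserRoleCache();
        }

        GetRoleOfUserResponse response = queryUserRoleFromRM(userGroupInformation);
        if (response == null) {
            return false;
        }
        UserRole role = response.getRoleOfUser();
        if (role == null) {
            // No role in the answer: deny rather than fail with a NullPointerException.
            return false;
        }
        UserRoleCache current = userRoleCache;
        switch (role) {
            case YARN_ADMIN:
                current.addAdmin(shortUserName);
                return true;
            case QUEUE_ADMIN:
                List<String> queues = response.getQueues();
                current.addQueueAdmin(shortUserName, queues);
                return queues != null && queues.contains(str3);
            case USER:
                current.addUser(shortUserName);
                return false;
            default:
                return false;
        }
    }

    /** Discards every cached role and starts a new cache generation timed from now. */
    public static void renewUserRoleCache() {
        // Cache first, timestamp second: a reader that sees the new timestamp also sees the new cache.
        userRoleCache = new UserRoleCache();
        timeStamp = System.currentTimeMillis();
    }

    /** @return the most recently recorded role-lookup failure, or {@code null} if none */
    public static YarnExceptionDetail getYarnExceptionDetail() {
        return yarnException;
    }

    /** Replaces the recorded role-lookup failure. */
    public static void setYarnExceptionDetail(YarnExceptionDetail yarnExceptionDetail) {
        yarnException = yarnExceptionDetail;
    }

    /**
     * Asks the ResourceManager, as the given user, which role that user holds.
     *
     * <p>Connection wait, retry interval and failover attempts are set to small values
     * on a fresh {@link Configuration}, presumably so that an unreachable RM cannot
     * stall the access check for long.
     *
     * @param userGroupInformation the user whose role is requested
     * @return the RM's answer, or {@code null} when the lookup failed; the failure is
     *     then available from {@link #getYarnExceptionDetail()}
     */
    GetRoleOfUserResponse queryUserRoleFromRM(UserGroupInformation userGroupInformation) {
        try {
            return userGroupInformation.doAs(new PrivilegedExceptionAction<GetRoleOfUserResponse>() {
                @Override
                public GetRoleOfUserResponse run() {
                    GetRoleOfUserRequest request = GetRoleOfUserRequest.newInstance();
                    Configuration rmConf = new Configuration();
                    rmConf.set(YarnConfiguration.RESOURCEMANAGER_CONNECT_MAX_WAIT_MS, "2000");
                    rmConf.set(YarnConfiguration.RESOURCEMANAGER_CONNECT_RETRY_INTERVAL_MS, "1000");
                    rmConf.set(YarnConfiguration.CLIENT_FAILOVER_MAX_ATTEMPTS, "2");

                    // NOTE(review): a proxy is created per lookup and never stopped here;
                    // check whether it needs to be released.
                    ApplicationClientProtocol rmClient;
                    try {
                        rmClient = ClientRMProxy.createRMProxy(rmConf, ApplicationClientProtocol.class);
                    } catch (IOException e) {
                        // Wrap the exception itself: getCause() may be null and would lose the reason.
                        JobACLsManager.setYarnExceptionDetail(new YarnExceptionDetail(System.currentTimeMillis(), new YarnRuntimeException("User authorization check: create rmClient failed.", e)));
                        return null;
                    }
                    try {
                        return rmClient.getRoleOfUser(request);
                    } catch (IOException | YarnException e) {
                        JobACLsManager.setYarnExceptionDetail(new YarnExceptionDetail(System.currentTimeMillis(), new YarnRuntimeException(e)));
                        return null;
                    }
                }
            });
        } catch (IOException | InterruptedException e) {
            if (e instanceof InterruptedException) {
                // Keep the interrupt visible to the caller's thread.
                Thread.currentThread().interrupt();
            }
            setYarnExceptionDetail(new YarnExceptionDetail(System.currentTimeMillis(), new YarnRuntimeException("User authorization check: user info could not be queried from RM temporally.", e)));
            return null;
        }
    }
}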
