package org.apache.hadoop.yarn.server.security;

import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.flink.hadoop.shaded.com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.security.AdminACLsManager;

@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/yarn/server/security/ApplicationACLsManager.class */
public class ApplicationACLsManager {
    private static final Log LOG = LogFactory.getLog(ApplicationACLsManager.class);
    private static AccessControlList DEFAULT_YARN_APP_ACL = new AccessControlList(" ");
    private final Configuration conf;
    private final AdminACLsManager adminAclsManager;
    private final ConcurrentMap<ApplicationId, Map<ApplicationAccessType, AccessControlList>> applicationACLS;

    @VisibleForTesting
    public ApplicationACLsManager() {
        this(new Configuration());
    }

    public ApplicationACLsManager(Configuration configuration) {
        this.applicationACLS = new ConcurrentHashMap();
        this.conf = configuration;
        this.adminAclsManager = new AdminACLsManager(this.conf);
    }

    public boolean areACLsEnabled() {
        return this.adminAclsManager.areACLsEnabled();
    }

    public void addApplication(ApplicationId applicationId, Map<ApplicationAccessType, String> map) {
        HashMap hashMap = new HashMap(map.size());
        for (Map.Entry<ApplicationAccessType, String> entry : map.entrySet()) {
            hashMap.put(entry.getKey(), new AccessControlList(entry.getValue()));
        }
        this.applicationACLS.put(applicationId, hashMap);
    }

    public void removeApplication(ApplicationId applicationId) {
        this.applicationACLS.remove(applicationId);
    }

    public boolean checkAccess(UserGroupInformation userGroupInformation, ApplicationAccessType applicationAccessType, String str, ApplicationId applicationId) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Verifying access-type " + applicationAccessType + " for " + userGroupInformation + " on application " + applicationId + " owned by " + str);
        }
        String shortUserName = userGroupInformation.getShortUserName();
        if (!areACLsEnabled()) {
            return true;
        }
        AccessControlList accessControlList = DEFAULT_YARN_APP_ACL;
        Map<ApplicationAccessType, AccessControlList> map = this.applicationACLS.get(applicationId);
        if (map != null) {
            AccessControlList accessControlList2 = map.get(applicationAccessType);
            if (accessControlList2 != null) {
                accessControlList = accessControlList2;
            } else if (LOG.isDebugEnabled()) {
                LOG.debug("ACL not found for access-type " + applicationAccessType + " for application " + applicationId + " owned by " + str + ". Using default [ ]");
            }
        } else if (LOG.isDebugEnabled()) {
            LOG.debug("ACL not found for application " + applicationId + " owned by " + str + ". Using default [ ]");
        }
        return this.adminAclsManager.isAdmin(userGroupInformation) || shortUserName.equals(str) || accessControlList.isUserAllowed(userGroupInformation);
    }

    public final boolean isAdmin(UserGroupInformation userGroupInformation) {
        return this.adminAclsManager.isAdmin(userGroupInformation);
    }
}
