package org.apache.flume.auth;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import java.io.File;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/flume/auth/KerberosAuthenticator.class */
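/**
 * {@link FlumeAuthenticator} that logs in to Kerberos from a keytab through Hadoop's
 * {@link UserGroupInformation} and delegates privileged actions to an executor built on
 * that login, or on a proxy user layered over it.
 *
 * <p>State is held in volatile fields; {@link #authenticate(String, String)} and
 * {@link #proxyAs(String)} are synchronized. Only one principal/keytab pair can be used
 * for the lifetime of an instance: a second, different pair is rejected.
 */
public class KerberosAuthenticator implements FlumeAuthenticator {
    private static final Logger LOG = LoggerFactory.getLogger(KerberosAuthenticator.class);

    /** Delay, in seconds, before the first ticket check and between subsequent checks. */
    private static final long CHECK_TGT_INTERVAL_SECONDS = 120;

    // Login obtained by authenticate(); null until the first successful keytab login.
    private volatile UserGroupInformation ugi;
    // Principal/keytab pair of the first successful login, used to reject a different pair later.
    private volatile KerberosUser prevUser;
    // Executor wrapping the login user; null until authenticate() has succeeded.
    private volatile PrivilegedExecutor privilegedExecutor;
    // Proxy-user executors keyed by proxy user name. Only touched from synchronized proxyAs().
    // NOTE(review): entries are never evicted; confirm proxy user names come from agent
    // configuration rather than per-event data, otherwise this map grows without bound.
    private final Map<String, PrivilegedExecutor> proxyCache = new HashMap<String, PrivilegedExecutor>();

    /**
     * Runs the action through the executor created by {@link #authenticate(String, String)}.
     *
     * @param privilegedAction action to run
     * @return whatever the underlying executor returns for the action
     * @throws NullPointerException if no login has been performed yet (no executor exists)
     */
    @Override
    public <T> T execute(PrivilegedAction<T> privilegedAction) {
        return this.privilegedExecutor.execute(privilegedAction);
    }

    /**
     * Runs the action through the executor created by {@link #authenticate(String, String)}.
     *
     * @param privilegedExceptionAction action to run
     * @return whatever the underlying executor returns for the action
     * @throws Exception as declared by the underlying executor
     * @throws NullPointerException if no login has been performed yet (no executor exists)
     */
    @Override
    public <T> T execute(PrivilegedExceptionAction<T> privilegedExceptionAction) throws Exception {
        return this.privilegedExecutor.execute(privilegedExceptionAction);
    }

    /**
     * Returns an executor for the given proxy user, creating and caching it on first use.
     *
     * <p>The proxy user is created on top of the current keytab login. This method performs
     * no authorization of the requested name itself.
     * NOTE(review): presumably the remote service decides whether the login principal may
     * impersonate {@code str}; confirm against the deployment's proxy-user settings.
     *
     * @param str name of the user to proxy as; {@code null} or empty means "no proxy"
     * @return this authenticator when {@code str} is null or empty, otherwise the cached
     *     executor for that proxy user
     */
    @Override
    public synchronized PrivilegedExecutor proxyAs(String str) {
        if (str == null || str.isEmpty()) {
            return this;
        }
        PrivilegedExecutor cached = this.proxyCache.get(str);
        if (cached == null) {
            UserGroupInformation proxyUgi = UserGroupInformation.createProxyUser(str, this.ugi);
            printUGI(proxyUgi);
            cached = new UGIExecutor(proxyUgi);
            this.proxyCache.put(str, cached);
        }
        return cached;
    }

    /**
     * Always returns {@code true}. The value does not depend on whether
     * {@link #authenticate(String, String)} has been called or has succeeded, so callers
     * must not treat it as proof that a Kerberos login exists.
     */
    @Override
    public boolean isAuthenticated() {
        return true;
    }

    /**
     * Logs in from the keytab on first use, and re-logs in on later calls when the
     * process-wide login user no longer matches the login held by this authenticator.
     *
     * <p>The keytab is only checked for being a readable regular file; its ownership and
     * permission bits are not inspected here, so restricting access to it is left to the
     * operator.
     *
     * @param str Kerberos principal; resolved through
     *     {@code SecurityUtil.getServerPrincipal}, and qualified with the default realm when
     *     the resolved name carries none
     * @param str2 path of the keytab file
     * @throws IllegalArgumentException if either argument is null or empty, the keytab is
     *     not a readable file, or resolving the principal fails with an I/O error
     * @throws IllegalStateException if a different principal/keytab pair was used before
     * @throws SecurityException if the keytab login or re-login fails with an I/O error
     */
    public synchronized void authenticate(String str, String str2) {
        final String principal = str;
        final String keytab = str2;

        Preconditions.checkArgument(principal != null && !principal.isEmpty(),
                "Invalid Kerberos principal: " + principal);
        Preconditions.checkArgument(keytab != null && !keytab.isEmpty(),
                "Invalid Kerberos keytab: " + keytab);
        File keytabFile = new File(keytab);
        Preconditions.checkArgument(keytabFile.isFile() && keytabFile.canRead(),
                "Keytab is not a readable file: " + keytab);

        String resolvedPrincipal;
        try {
            resolvedPrincipal = SecurityUtil.getServerPrincipal(principal, "");
        } catch (IOException e) {
            throw new IllegalArgumentException("Host lookup error resolving kerberos principal (" + principal + "). Exception follows.", e);
        }
        Preconditions.checkNotNull(resolvedPrincipal, "Resolved Principal must not be null");
        resolvedPrincipal = qualifyWithDefaultRealm(resolvedPrincipal);

        KerberosUser newUser = new KerberosUser(resolvedPrincipal, keytab);
        Preconditions.checkState(this.prevUser == null || this.prevUser.equals(newUser),
                "Cannot use multiple kerberos principals in the same agent.  Must restart agent to use new principal or keytab. Previous = %s, New = %s",
                this.prevUser, newUser);

        if (!UserGroupInformation.isSecurityEnabled()) {
            // setConfiguration is static: this switches UserGroupInformation to Kerberos
            // for everything that uses it in this JVM, not just for this authenticator.
            Configuration kerberosConf = new Configuration(false);
            kerberosConf.set("hadoop.security.authentication", "kerberos");
            UserGroupInformation.setConfiguration(kerberosConf);
        }

        UserGroupInformation existingLogin = currentKerberosLogin();
        try {
            if (this.ugi == null) {
                LOG.info("Attempting kerberos login as principal ({}) from keytab file ({})", resolvedPrincipal, keytab);
                UserGroupInformation.loginUserFromKeytab(resolvedPrincipal, keytab);
                this.ugi = UserGroupInformation.getLoginUser();
                this.prevUser = newUser;
                this.privilegedExecutor = new UGIExecutor(this.ugi);
            } else if (existingLogin == null || !existingLogin.getUserName().equals(this.ugi.getUserName())) {
                // The process login is missing, has no Kerberos credentials, or belongs to
                // another user: refresh our own login from the keytab.
                LOG.info("Attempting kerberos Re-login as principal ({}) ", this.ugi.getUserName());
                this.ugi.reloginFromKeytab();
            } else {
                LOG.debug("Using existing principal login: {}", this.ugi);
            }
            printUGI(this.ugi);
        } catch (IOException e) {
            throw new SecurityException("Authentication error while attempting to login as kerberos principal (" + resolvedPrincipal + ") using keytab (" + keytab + "). Exception follows.", e);
        }
    }

    /**
     * Appends {@code "@" + default realm} to a principal that has no realm part.
     *
     * <p>A failed default-realm lookup is logged and the principal is returned unchanged,
     * so the login is then attempted with a realm-less name.
     */
    private static String qualifyWithDefaultRealm(String principal) {
        if (principal.contains("@")) {
            return principal;
        }
        try {
            String defaultRealm = KerberosUtil.getDefaultRealm();
            if (StringUtils.isNotBlank(defaultRealm)) {
                return principal + "@" + defaultRealm;
            }
        } catch (ClassNotFoundException e) {
            LOG.error("get default realm failed:", e);
        } catch (IllegalAccessException e) {
            LOG.error("get default realm failed:", e);
        } catch (IllegalArgumentException e) {
            LOG.error("get default realm failed:", e);
        } catch (NoSuchMethodException e) {
            LOG.error("get default realm failed:", e);
        } catch (InvocationTargetException e) {
            LOG.error("get default realm failed:", e);
        }
        return principal;
    }

    /**
     * Returns the process-wide login user when it holds Kerberos credentials, else
     * {@code null}. An I/O failure while fetching the login user is logged and also
     * yields {@code null}.
     */
    private static UserGroupInformation currentKerberosLogin() {
        try {
            UserGroupInformation login = UserGroupInformation.getLoginUser();
            if (login != null && login.hasKerberosCredentials()) {
                return login;
            }
        } catch (IOException e) {
            LOG.warn("User unexpectedly had no active login. Continuing with authentication", e);
        }
        return null;
    }

    /**
     * Logs, at INFO, the user name, authentication method and from-keytab flag of the
     * given login, one item per line. No credential material is written. Does nothing
     * for {@code null}.
     */
    private void printUGI(UserGroupInformation user) {
        if (user == null) {
            return;
        }
        UserGroupInformation.AuthenticationMethod method = user.getAuthenticationMethod();
        String newline = System.getProperty("line.separator");
        String heading = method.equals(UserGroupInformation.AuthenticationMethod.PROXY) ? "Proxy as: " : "Logged as: ";
        StringBuilder message = new StringBuilder();
        message.append(heading).append(newline);
        message.append("User: ").append(user.getUserName()).append(newline);
        message.append("Auth method: ").append(method).append(newline);
        message.append("Keytab: ").append(user.isFromKeytab()).append(newline);
        LOG.info(message.toString());
    }

    /**
     * Schedules a periodic check that re-logs in from the keytab when the ticket needs it,
     * every {@value #CHECK_TGT_INTERVAL_SECONDS} seconds.
     *
     * <p>The task never lets an exception escape: a scheduled executor cancels all later
     * runs of a task whose run throws, which would stop ticket renewal without any log
     * entry and surface only later as authentication failures.
     */
    @Override
    public void startCredentialRefresher() {
        // NOTE(review): every call creates another single-thread pool that is never shut
        // down, and the default thread factory makes non-daemon threads. Confirm callers
        // invoke this once per authenticator, or keep the scheduler in a field.
        Executors.newScheduledThreadPool(1).scheduleWithFixedDelay(new Runnable() {
            @Override
            public void run() {
                // Read the volatile field once so the check and the log line see the same login.
                UserGroupInformation current = KerberosAuthenticator.this.ugi;
                if (current == null) {
                    LOG.warn("Skipping Kerberos ticket check: no keytab login has been performed yet");
                    return;
                }
                try {
                    current.checkTGTAndReloginFromKeytab();
                } catch (IOException e) {
                    LOG.warn("Error occured during checkTGTAndReloginFromKeytab() for user " + current.getUserName(), e);
                } catch (RuntimeException e) {
                    // Swallow after logging so the next scheduled check still runs.
                    LOG.error("Unexpected error during checkTGTAndReloginFromKeytab() for user " + current.getUserName(), e);
                }
            }
        }, CHECK_TGT_INTERVAL_SECONDS, CHECK_TGT_INTERVAL_SECONDS, TimeUnit.SECONDS);
    }

    /**
     * Returns the user name of the current login, or {@code null} when no login has been
     * performed.
     */
    @VisibleForTesting
    String getUserName() {
        UserGroupInformation current = this.ugi;
        return current != null ? current.getUserName() : null;
    }
}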
