package org.apache.sentry.provider.db.service.persistent;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import java.io.IOException;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import org.apache.curator.RetryPolicy;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.framework.api.BackgroundPathable;
import org.apache.curator.framework.imps.CuratorFrameworkState;
import org.apache.curator.framework.imps.DefaultACLProvider;
import org.apache.curator.retry.RetryNTimes;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.sentry.service.thrift.JaasConfiguration;
import org.apache.sentry.service.thrift.ServiceConstants;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.data.Stat;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sentry/provider/db/service/persistent/HAContext.class */
public class HAContext {
    private static final Logger LOGGER = LoggerFactory.getLogger(HAContext.class);
    private static volatile HAContext serverHAContext = null;
    private static boolean aclChecked = false;
    public static final String SENTRY_SERVICE_REGISTER_NAMESPACE = "sentry-service";
    public static final String SENTRY_ZK_JAAS_NAME = "SentryClient";
    private final String zookeeperQuorum;
    private final int retriesMaxCount;
    private final int sleepMsBetweenRetries;
    private final String namespace;
    private final boolean zkSecure;
    private List<ACL> saslACL;
    private final CuratorFramework curatorFramework;
    private final RetryPolicy retryPolicy;

    /* loaded from: input_file:org/apache/sentry/provider/db/service/persistent/HAContext$SASLOwnerACLProvider.class */
    public class SASLOwnerACLProvider implements ACLProvider {
        public SASLOwnerACLProvider() {
        }

        public List<ACL> getDefaultAcl() {
            return HAContext.this.saslACL;
        }

        public List<ACL> getAclForPath(String str) {
            return HAContext.this.saslACL;
        }
    }

    protected HAContext(Configuration configuration) throws Exception {
        SASLOwnerACLProvider defaultACLProvider;
        this.zookeeperQuorum = configuration.get("sentry.ha.zookeeper.quorum", "localhost:2181");
        this.retriesMaxCount = configuration.getInt(ServiceConstants.ServerConfig.SENTRY_HA_ZOOKEEPER_RETRIES_MAX_COUNT, 3);
        this.sleepMsBetweenRetries = configuration.getInt(ServiceConstants.ServerConfig.SENTRY_HA_ZOOKEEPER_SLEEP_BETWEEN_RETRIES_MS, 100);
        this.namespace = configuration.get("sentry.ha.zookeeper.namespace", "sentry");
        this.zkSecure = configuration.getBoolean(ServiceConstants.ServerConfig.SENTRY_HA_ZOOKEEPER_SECURITY, false);
        validateConf();
        if (this.zkSecure) {
            LOGGER.info("Connecting to ZooKeeper with SASL/Kerberos and using 'sasl' ACLs");
            setJaasConfiguration(configuration);
            System.setProperty("zookeeper.sasl.clientconfig", SENTRY_ZK_JAAS_NAME);
            this.saslACL = Lists.newArrayList();
            this.saslACL.add(new ACL(31, new Id("sasl", getServicePrincipal(configuration, ServiceConstants.ServerConfig.PRINCIPAL))));
            this.saslACL.add(new ACL(31, new Id("sasl", getServicePrincipal(configuration, ServiceConstants.ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_PRINCIPAL))));
            defaultACLProvider = new SASLOwnerACLProvider();
            String str = configuration.get(ServiceConstants.ServerConfig.ALLOW_CONNECT);
            if (!Strings.isNullOrEmpty(str)) {
                for (String str2 : Arrays.asList(str.split("\\s*,\\s*"))) {
                    LOGGER.info("Adding acls for " + str2);
                    this.saslACL.add(new ACL(31, new Id("sasl", str2)));
                }
            }
        } else {
            LOGGER.info("Connecting to ZooKeeper without authentication");
            defaultACLProvider = new DefaultACLProvider();
        }
        this.retryPolicy = new RetryNTimes(this.retriesMaxCount, this.sleepMsBetweenRetries);
        this.curatorFramework = CuratorFrameworkFactory.builder().namespace(this.namespace).connectString(this.zookeeperQuorum).retryPolicy(this.retryPolicy).aclProvider(defaultACLProvider).build();
        startCuratorFramework();
    }

    public static HAContext getHAContext(Configuration configuration) throws Exception {
        if (serverHAContext == null) {
            serverHAContext = new HAContext(configuration);
            Runtime.getRuntime().addShutdownHook(new Thread() { // from class: org.apache.sentry.provider.db.service.persistent.HAContext.1
                @Override // java.lang.Thread, java.lang.Runnable
                public void run() {
                    HAContext.LOGGER.info("ShutdownHook closing curator framework");
                    try {
                        HAContext.clearServerContext();
                    } catch (Throwable th) {
                        HAContext.LOGGER.error("Error stopping SentryService", th);
                    }
                }
            });
        }
        return serverHAContext;
    }

    public static HAContext getHAServerContext(Configuration configuration) throws Exception {
        HAContext hAContext = getHAContext(configuration);
        hAContext.checkAndSetACLs();
        return hAContext;
    }

    @VisibleForTesting
    public static synchronized void clearServerContext() {
        if (serverHAContext != null) {
            serverHAContext.getCuratorFramework().close();
            serverHAContext = null;
        }
    }

    public void startCuratorFramework() {
        if (this.curatorFramework.getState() != CuratorFrameworkState.STARTED) {
            this.curatorFramework.start();
        }
    }

    public CuratorFramework getCuratorFramework() {
        return this.curatorFramework;
    }

    public String getZookeeperQuorum() {
        return this.zookeeperQuorum;
    }

    public static boolean isHaEnabled(Configuration configuration) {
        return configuration.getBoolean("sentry.ha.enabled", false);
    }

    public String getNamespace() {
        return this.namespace;
    }

    public RetryPolicy getRetryPolicy() {
        return this.retryPolicy;
    }

    private void validateConf() {
        Preconditions.checkNotNull(this.zookeeperQuorum, "Zookeeper Quorum should not be null.");
        Preconditions.checkNotNull(this.namespace, "Zookeeper namespace should not be null.");
    }

    protected String getServicePrincipal(Configuration configuration, String str) throws IOException {
        String str2 = configuration.get(str);
        Preconditions.checkNotNull(str2);
        Preconditions.checkArgument(str2.length() != 0, "Server principal is not right.");
        return str2.split("[/@]")[0];
    }

    private void checkAndSetACLs() throws Exception {
        if (!this.zkSecure || aclChecked) {
            return;
        }
        startCuratorFramework();
        String str = "/" + this.curatorFramework.getNamespace();
        if (this.curatorFramework.getZookeeperClient().getZooKeeper().exists(str, (Watcher) null) != null) {
            List acl = this.curatorFramework.getZookeeperClient().getZooKeeper().getACL(str, new Stat());
            if (acl.isEmpty() || !((ACL) acl.get(0)).getId().getScheme().equals("sasl")) {
                LOGGER.info("'sasl' ACLs not set; setting...");
                Iterator it = this.curatorFramework.getZookeeperClient().getZooKeeper().getChildren(str, (Watcher) null).iterator();
                while (it.hasNext()) {
                    checkAndSetACLs("/" + ((String) it.next()));
                }
                this.curatorFramework.getZookeeperClient().getZooKeeper().setACL(str, this.saslACL, -1);
            }
        }
        aclChecked = true;
    }

    private void checkAndSetACLs(String str) throws Exception {
        LOGGER.info("Setting acls on " + str);
        Iterator it = ((List) this.curatorFramework.getChildren().forPath(str)).iterator();
        while (it.hasNext()) {
            checkAndSetACLs(str + "/" + ((String) it.next()));
        }
        ((BackgroundPathable) this.curatorFramework.setACL().withACL(this.saslACL)).forPath(str);
    }

    private void setJaasConfiguration(Configuration configuration) throws IOException {
        if (ServiceConstants.ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE_DEFAULT.equalsIgnoreCase(configuration.get(ServiceConstants.ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE, ServiceConstants.ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_TICKET_CACHE_DEFAULT))) {
            String str = configuration.get(ServiceConstants.ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_KEYTAB);
            Preconditions.checkArgument(str.length() != 0, "Keytab File is not right.");
            String serverPrincipal = SecurityUtil.getServerPrincipal(configuration.get(ServiceConstants.ServerConfig.SERVER_HA_ZOOKEEPER_CLIENT_PRINCIPAL), configuration.get(ServiceConstants.ServerConfig.RPC_ADDRESS, ServiceConstants.ServerConfig.RPC_ADDRESS_DEFAULT));
            Preconditions.checkArgument(serverPrincipal.length() != 0, "Kerberos principal is not right.");
            JaasConfiguration.addEntryForKeytab(SENTRY_ZK_JAAS_NAME, serverPrincipal, str);
        } else {
            JaasConfiguration.addEntryForTicketCache(SENTRY_ZK_JAAS_NAME);
        }
        javax.security.auth.login.Configuration.setConfiguration(JaasConfiguration.getInstance());
    }
}
