package org.apache.hadoop.yarn.server.timeline.security;

import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.VisibleForTesting;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.shaded.org.apache.commons.collections.map.LRUMap;
import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
import org.apache.hadoop.yarn.api.records.timeline.TimelineDomain;
import org.apache.hadoop.yarn.api.records.timeline.TimelineEntity;
import org.apache.hadoop.yarn.exceptions.YarnException;
import org.apache.hadoop.yarn.security.AdminACLsManager;
import org.apache.hadoop.yarn.server.timeline.EntityIdentifier;
import org.apache.hadoop.yarn.server.timeline.TimelineStore;
import org.apache.hadoop.yarn.util.StringHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

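/* loaded from: input_file:org/apache/hadoop/yarn/server/timeline/security/TimelineACLsManager.class */
/**
 * Decides whether a caller may access timeline entities and timeline domains.
 *
 * <p>Per-domain ACLs are read from the {@link TimelineStore} and kept in a bounded,
 * synchronized LRU cache keyed by domain id. Decisions combine three checks: the admin
 * ACL held by {@link AdminACLsManager}, ownership of the domain, and the domain's
 * reader/writer ACL.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>When {@code areACLsEnabled()} is false, both {@code checkAccess} overloads return
 *       {@code true} for every caller, including a {@code null} one.</li>
 *   <li>When ACLs are enabled, a {@code null} caller is always denied.</li>
 *   <li>A missing domain or a missing owner raises {@link YarnException} rather than
 *       granting access.</li>
 *   <li>Cached entries are only refreshed through {@link #replaceIfExist(TimelineDomain)};
 *       nothing here expires them by time. NOTE(review): presumably whoever updates a
 *       domain in the store calls {@code replaceIfExist} afterwards, otherwise a revoked
 *       reader or writer stays authorized until the entry is evicted. Confirm against
 *       the callers.</li>
 * </ul>
 */
@InterfaceAudience.Private
public class TimelineACLsManager {
    private static final Logger LOG = LoggerFactory.getLogger(TimelineACLsManager.class);

    /** Maximum number of domain ACL entries kept in the LRU cache. */
    private static final int DOMAIN_ACCESS_ENTRY_CACHE_SIZE = 100;

    /** ACL string used when a domain has no ACL for the requested access type. */
    private static final String DEFAULT_ACL = " ";

    // Not final: tests swap it through setAdminACLsManager.
    private AdminACLsManager adminAclsManager;

    // LRUMap is a raw (pre-generics) type, hence the unchecked conversion. The synchronized
    // wrapper makes single calls atomic; compound check-then-act sequences are not.
    @SuppressWarnings("unchecked")
    private final Map<String, AccessControlListExt> aclExts =
            Collections.synchronizedMap(new LRUMap(DOMAIN_ACCESS_ENTRY_CACHE_SIZE));

    // May stay null until setTimelineStore is called; lookups then behave as "domain not found".
    private TimelineStore store;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/yarn/server/timeline/security/TimelineACLsManager$AccessControlListExt.class */
    /**
     * Cached access data of one timeline domain: its owner plus one ACL per access type.
     * Per the decompiler note above, this class is private in the original class file;
     * it is kept public here to match the decompiled listing.
     */
    public static class AccessControlListExt {
        private final String owner;
        private final Map<ApplicationAccessType, AccessControlList> acls;

        /**
         * @param str owner of the domain
         * @param map ACLs of the domain, keyed by access type
         */
        public AccessControlListExt(String str, Map<ApplicationAccessType, AccessControlList> map) {
            this.owner = str;
            this.acls = map;
        }
    }

    /**
     * Creates a manager whose admin ACL is built from the given configuration.
     *
     * @param configuration configuration handed to {@link AdminACLsManager}
     */
    public TimelineACLsManager(Configuration configuration) {
        this.adminAclsManager = new AdminACLsManager(configuration);
    }

    /**
     * Sets the store that domain records are loaded from on a cache miss.
     *
     * @param timelineStore the backing timeline store
     */
    public void setTimelineStore(TimelineStore timelineStore) {
        this.store = timelineStore;
    }

    /**
     * Loads a domain from the store and caches its ACLs.
     *
     * @param str id of the domain to load
     * @return the cached entry, or {@code null} when no store is set or the store has no such domain
     * @throws IOException if the store lookup fails
     */
    private AccessControlListExt loadDomainFromTimelineStore(String str) throws IOException {
        if (this.store == null) {
            return null;
        }
        TimelineDomain domain = this.store.getDomain(str);
        return domain == null ? null : putDomainIntoCache(domain);
    }

    /**
     * Refreshes the cached ACLs of a domain, but only if that domain is currently cached.
     * Domains that are not cached are left alone and get loaded on their next access check.
     *
     * @param timelineDomain the updated domain
     */
    public void replaceIfExist(TimelineDomain timelineDomain) {
        if (this.aclExts.containsKey(timelineDomain.getId())) {
            putDomainIntoCache(timelineDomain);
        }
    }

    /**
     * Builds the VIEW_APP and MODIFY_APP ACLs of a domain from its readers and writers and
     * stores them in the cache under the domain id, replacing any previous entry.
     *
     * @param timelineDomain the domain to cache
     * @return the newly cached entry
     */
    private AccessControlListExt putDomainIntoCache(TimelineDomain timelineDomain) {
        // NOTE(review): assumes getReaders()/getWriters() hold non-null ACL strings; confirm
        // that the store normalizes them before they reach this point.
        Map<ApplicationAccessType, AccessControlList> domainAcls = new HashMap<>(2);
        domainAcls.put(ApplicationAccessType.VIEW_APP,
                new AccessControlList(StringHelper.cjoin(timelineDomain.getReaders())));
        domainAcls.put(ApplicationAccessType.MODIFY_APP,
                new AccessControlList(StringHelper.cjoin(timelineDomain.getWriters())));
        AccessControlListExt entry = new AccessControlListExt(timelineDomain.getOwner(), domainAcls);
        this.aclExts.put(timelineDomain.getId(), entry);
        return entry;
    }

    /**
     * Checks whether a caller has the given access type on a timeline entity.
     *
     * <p>Access is granted when ACLs are disabled, or when the caller is an admin, the owner
     * of the entity's domain, or allowed by the domain ACL for the access type.
     *
     * @param userGroupInformation the caller; {@code null} is denied when ACLs are enabled
     * @param applicationAccessType the requested access type
     * @param timelineEntity the entity being accessed; its domain id selects the ACLs
     * @return {@code true} if access is granted
     * @throws YarnException if the entity's domain is neither cached nor found in the store
     * @throws IOException if loading the domain from the store fails
     */
    public boolean checkAccess(UserGroupInformation userGroupInformation, ApplicationAccessType applicationAccessType, TimelineEntity timelineEntity) throws YarnException, IOException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Verifying the access of {} on the timeline entity {}",
                    userGroupInformation == null ? null : userGroupInformation.getShortUserName(),
                    new EntityIdentifier(timelineEntity.getEntityId(), timelineEntity.getEntityType()));
        }
        // ACLs switched off: every request is allowed without looking at the caller.
        if (!this.adminAclsManager.areACLsEnabled()) {
            return true;
        }
        String domainId = timelineEntity.getDomainId();
        AccessControlListExt entry = this.aclExts.get(domainId);
        if (entry == null) {
            entry = loadDomainFromTimelineStore(domainId);
        }
        if (entry == null) {
            // Unknown domain: refuse by raising instead of falling back to a permissive default.
            throw new YarnException("Domain information of the timeline entity " + new EntityIdentifier(timelineEntity.getEntityId(), timelineEntity.getEntityType()) + " doesn't exist.");
        }
        String owner = entry.owner;
        AccessControlList acl = entry.acls.get(applicationAccessType);
        if (acl == null) {
            // Only VIEW_APP and MODIFY_APP are cached, so any other access type lands here.
            // NOTE(review): a single-space ACL string is expected to list no users and no
            // groups, leaving only admins and the owner; confirm against AccessControlList.
            LOG.debug("ACL not found for access-type {} for domain {} owned by {}. Using default [{}]",
                    applicationAccessType, domainId, owner, DEFAULT_ACL);
            acl = new AccessControlList(DEFAULT_ACL);
        }
        if (userGroupInformation == null) {
            return false;
        }
        return this.adminAclsManager.isAdmin(userGroupInformation)
                || userGroupInformation.getShortUserName().equals(owner)
                || acl.isUserAllowed(userGroupInformation);
    }

    /**
     * Checks whether a caller may access a timeline domain itself. Only admins and the
     * domain owner are allowed; the domain's reader/writer ACLs are not consulted.
     *
     * @param userGroupInformation the caller; {@code null} is denied when ACLs are enabled
     * @param timelineDomain the domain being accessed
     * @return {@code true} if access is granted
     * @throws YarnException if the domain has a null or empty owner
     * @throws IOException declared for callers; not thrown by the code in this method
     */
    public boolean checkAccess(UserGroupInformation userGroupInformation, TimelineDomain timelineDomain) throws YarnException, IOException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Verifying the access of {} on the timeline domain {}",
                    userGroupInformation == null ? null : userGroupInformation.getShortUserName(),
                    timelineDomain);
        }
        // ACLs switched off: every request is allowed without looking at the caller.
        if (!this.adminAclsManager.areACLsEnabled()) {
            return true;
        }
        String owner = timelineDomain.getOwner();
        if (owner == null || owner.isEmpty()) {
            // An ownerless domain cannot be matched against any caller, so it is rejected outright.
            throw new YarnException("Owner information of the timeline domain " + timelineDomain.getId() + " is corrupted.");
        }
        if (userGroupInformation == null) {
            return false;
        }
        return this.adminAclsManager.isAdmin(userGroupInformation)
                || userGroupInformation.getShortUserName().equals(owner);
    }

    /**
     * Replaces the admin ACL manager. Intended for tests only: swapping it changes who is
     * treated as admin and whether ACLs are enforced at all.
     *
     * @param adminACLsManager the manager to install
     * @return the manager that was installed before the call
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    public AdminACLsManager setAdminACLsManager(AdminACLsManager adminACLsManager) {
        AdminACLsManager previous = this.adminAclsManager;
        this.adminAclsManager = adminACLsManager;
        return previous;
    }
}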
