package org.apache.hadoop.hbase.security.access;

import com.google.protobuf.RpcCallback;
import com.google.protobuf.RpcController;
import com.google.protobuf.Service;
import java.io.IOException;
import java.math.BigInteger;
import java.security.PrivilegedAction;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.FileUtil;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.hbase.Coprocessor;
import org.apache.hadoop.hbase.CoprocessorEnvironment;
import org.apache.hadoop.hbase.DoNotRetryIOException;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.classification.InterfaceAudience;
import org.apache.hadoop.hbase.coprocessor.BulkLoadObserver;
import org.apache.hadoop.hbase.coprocessor.CoprocessorService;
import org.apache.hadoop.hbase.coprocessor.ObserverContext;
import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
import org.apache.hadoop.hbase.ipc.RpcServer;
import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.protobuf.ResponseConverter;
import org.apache.hadoop.hbase.protobuf.generated.ClientProtos;
import org.apache.hadoop.hbase.protobuf.generated.SecureBulkLoadProtos;
import org.apache.hadoop.hbase.regionserver.Region;
import org.apache.hadoop.hbase.security.SecureBulkLoadUtil;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.UserProvider;
import org.apache.hadoop.hbase.security.token.FsDelegationToken;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.hbase.util.FSHDFSUtils;
import org.apache.hadoop.hbase.util.Methods;
import org.apache.hadoop.hbase.util.Pair;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;

@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/hbase/security/access/SecureBulkLoadEndpoint.class */
public class SecureBulkLoadEndpoint extends SecureBulkLoadProtos.SecureBulkLoadService implements CoprocessorService, Coprocessor {
    public static final long VERSION = 0;
    private static final int RANDOM_WIDTH = 320;
    private static final int RANDOM_RADIX = 32;
    private static final Log LOG = LogFactory.getLog(SecureBulkLoadEndpoint.class);
    private static final FsPermission PERM_ALL_ACCESS = FsPermission.valueOf("-rwxrwxrwx");
    private static final FsPermission PERM_HIDDEN = FsPermission.valueOf("-rwx--x--x");
    private SecureRandom random;
    private FileSystem fs;
    private Configuration conf;
    private Path baseStagingDir;
    private RegionCoprocessorEnvironment env;
    private UserProvider userProvider;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/hbase/security/access/SecureBulkLoadEndpoint$SecureBulkLoadListener.class */
    public static class SecureBulkLoadListener implements Region.BulkLoadListener {
        private FileSystem fs;
        private String stagingDir;
        private Configuration conf;
        private FileSystem srcFs = null;
        private Map<String, FsPermission> origPermissions;

        public SecureBulkLoadListener(FileSystem fileSystem, String str, Configuration configuration) {
            this.origPermissions = null;
            this.fs = fileSystem;
            this.stagingDir = str;
            this.conf = configuration;
            this.origPermissions = new HashMap();
        }

        @Override // org.apache.hadoop.hbase.regionserver.Region.BulkLoadListener
        public String prepareBulkLoad(byte[] bArr, String str) throws IOException {
            Path path = new Path(str);
            Path path2 = new Path(this.stagingDir, new Path(Bytes.toString(bArr), path.getName()));
            if (path.equals(path2)) {
                SecureBulkLoadEndpoint.LOG.debug(path.getName() + " is already available in staging directory. Skipping copy or rename.");
                return path2.toString();
            }
            if (this.srcFs == null) {
                this.srcFs = FileSystem.get(path.toUri(), this.conf);
            }
            if (!isFile(path)) {
                throw new IOException("Path does not reference a file: " + path);
            }
            if (FSHDFSUtils.isSameHdfs(this.conf, this.srcFs, this.fs)) {
                SecureBulkLoadEndpoint.LOG.debug("Moving " + path + " to " + path2);
                this.origPermissions.put(str, this.fs.getFileStatus(path).getPermission());
                if (!this.fs.rename(path, path2)) {
                    throw new IOException("Failed to move HFile: " + path + " to " + path2);
                }
            } else {
                SecureBulkLoadEndpoint.LOG.debug("Bulk-load file " + str + " is on different filesystem than the destination filesystem. Copying file over to destination staging dir.");
                FileUtil.copy(this.srcFs, path, this.fs, path2, false, this.conf);
            }
            this.fs.setPermission(path2, SecureBulkLoadEndpoint.PERM_ALL_ACCESS);
            return path2.toString();
        }

        @Override // org.apache.hadoop.hbase.regionserver.Region.BulkLoadListener
        public void doneBulkLoad(byte[] bArr, String str) throws IOException {
            SecureBulkLoadEndpoint.LOG.debug("Bulk Load done for: " + str);
        }

        @Override // org.apache.hadoop.hbase.regionserver.Region.BulkLoadListener
        public void failedBulkLoad(byte[] bArr, String str) throws IOException {
            if (FSHDFSUtils.isSameHdfs(this.conf, this.srcFs, this.fs)) {
                Path path = new Path(str);
                Path path2 = new Path(this.stagingDir, new Path(Bytes.toString(bArr), path.getName()));
                if (path.equals(path2)) {
                    SecureBulkLoadEndpoint.LOG.debug(path.getName() + " is already available in source directory. Skipping rename.");
                    return;
                }
                SecureBulkLoadEndpoint.LOG.debug("Moving " + path2 + " back to " + path);
                if (!this.fs.rename(path2, path)) {
                    throw new IOException("Failed to move HFile: " + path2 + " to " + path);
                }
                if (this.origPermissions.containsKey(str)) {
                    this.fs.setPermission(path, this.origPermissions.get(str));
                } else {
                    SecureBulkLoadEndpoint.LOG.warn("Can't find previous permission for path=" + str);
                }
            }
        }

        private boolean isFile(Path path) throws IOException {
            boolean z;
            FileStatus fileStatus = this.srcFs.getFileStatus(path);
            boolean z2 = !fileStatus.isDirectory();
            if (z2) {
                if (!((Boolean) Methods.call(FileStatus.class, fileStatus, "isSymlink", (Class[]) null, (Object[]) null)).booleanValue()) {
                    z = true;
                    z2 = z;
                    return z2;
                }
            }
            z = false;
            z2 = z;
            return z2;
        }
    }

    public void start(CoprocessorEnvironment coprocessorEnvironment) {
        this.env = (RegionCoprocessorEnvironment) coprocessorEnvironment;
        this.random = new SecureRandom();
        this.conf = coprocessorEnvironment.getConfiguration();
        this.baseStagingDir = SecureBulkLoadUtil.getBaseStagingDir(this.conf);
        this.userProvider = UserProvider.instantiate(this.conf);
        try {
            this.fs = FileSystem.get(this.conf);
            this.fs.mkdirs(this.baseStagingDir, PERM_HIDDEN);
            this.fs.setPermission(this.baseStagingDir, PERM_HIDDEN);
            this.fs.mkdirs(new Path(this.baseStagingDir, "DONOTERASE"), PERM_HIDDEN);
            FileStatus fileStatus = this.fs.getFileStatus(this.baseStagingDir);
            if (fileStatus == null) {
                throw new IllegalStateException("Failed to create staging directory");
            }
            if (!fileStatus.getPermission().equals(PERM_HIDDEN)) {
                throw new IllegalStateException("Directory already exists but permissions aren't set to '-rwx--x--x' ");
            }
        } catch (IOException e) {
            throw new IllegalStateException("Failed to get FileSystem instance", e);
        }
    }

    public void stop(CoprocessorEnvironment coprocessorEnvironment) throws IOException {
    }

    public void prepareBulkLoad(RpcController rpcController, SecureBulkLoadProtos.PrepareBulkLoadRequest prepareBulkLoadRequest, RpcCallback<SecureBulkLoadProtos.PrepareBulkLoadResponse> rpcCallback) {
        try {
            List<BulkLoadObserver> bulkLoadObservers = getBulkLoadObservers();
            if (bulkLoadObservers != null) {
                ObserverContext<RegionCoprocessorEnvironment> observerContext = new ObserverContext<>();
                observerContext.prepare(this.env);
                Iterator<BulkLoadObserver> it = bulkLoadObservers.iterator();
                while (it.hasNext()) {
                    it.next().prePrepareBulkLoad(observerContext, prepareBulkLoadRequest);
                }
            }
            rpcCallback.run(SecureBulkLoadProtos.PrepareBulkLoadResponse.newBuilder().setBulkToken(createStagingDir(this.baseStagingDir, getActiveUser(), ProtobufUtil.toTableName(prepareBulkLoadRequest.getTableName())).toString()).build());
        } catch (IOException e) {
            ResponseConverter.setControllerException(rpcController, e);
        }
        rpcCallback.run((Object) null);
    }

    public void cleanupBulkLoad(RpcController rpcController, SecureBulkLoadProtos.CleanupBulkLoadRequest cleanupBulkLoadRequest, RpcCallback<SecureBulkLoadProtos.CleanupBulkLoadResponse> rpcCallback) {
        try {
            List<BulkLoadObserver> bulkLoadObservers = getBulkLoadObservers();
            if (bulkLoadObservers != null) {
                ObserverContext<RegionCoprocessorEnvironment> observerContext = new ObserverContext<>();
                observerContext.prepare(this.env);
                Iterator<BulkLoadObserver> it = bulkLoadObservers.iterator();
                while (it.hasNext()) {
                    it.next().preCleanupBulkLoad(observerContext, cleanupBulkLoadRequest);
                }
            }
            this.fs.delete(new Path(cleanupBulkLoadRequest.getBulkToken()), true);
            rpcCallback.run(SecureBulkLoadProtos.CleanupBulkLoadResponse.newBuilder().build());
        } catch (IOException e) {
            ResponseConverter.setControllerException(rpcController, e);
        }
        rpcCallback.run((Object) null);
    }

    public void secureBulkLoadHFiles(RpcController rpcController, SecureBulkLoadProtos.SecureBulkLoadHFilesRequest secureBulkLoadHFilesRequest, RpcCallback<SecureBulkLoadProtos.SecureBulkLoadHFilesResponse> rpcCallback) {
        final ArrayList arrayList = new ArrayList();
        for (ClientProtos.BulkLoadHFileRequest.FamilyPath familyPath : secureBulkLoadHFilesRequest.getFamilyPathList()) {
            arrayList.add(new Pair(familyPath.getFamily().toByteArray(), familyPath.getPath()));
        }
        Token token = this.userProvider.isHadoopSecurityEnabled() ? new Token(secureBulkLoadHFilesRequest.getFsToken().getIdentifier().toByteArray(), secureBulkLoadHFilesRequest.getFsToken().getPassword().toByteArray(), new Text(secureBulkLoadHFilesRequest.getFsToken().getKind()), new Text(secureBulkLoadHFilesRequest.getFsToken().getService())) : null;
        final String bulkToken = secureBulkLoadHFilesRequest.getBulkToken();
        final UserGroupInformation ugi = getActiveUser().getUGI();
        if (token != null) {
            ugi.addToken(token);
        } else if (this.userProvider.isHadoopSecurityEnabled()) {
            ResponseConverter.setControllerException(rpcController, new DoNotRetryIOException("User token cannot be null"));
            rpcCallback.run(SecureBulkLoadProtos.SecureBulkLoadHFilesResponse.newBuilder().setLoaded(false).build());
            return;
        }
        Region region = this.env.getRegion();
        boolean z = false;
        if (region.getCoprocessorHost() != null) {
            try {
                z = region.getCoprocessorHost().preBulkLoadHFile(arrayList);
            } catch (IOException e) {
                ResponseConverter.setControllerException(rpcController, e);
                rpcCallback.run(SecureBulkLoadProtos.SecureBulkLoadHFilesResponse.newBuilder().setLoaded(false).build());
                return;
            }
        }
        boolean z2 = false;
        if (!z) {
            if (this.userProvider.isHadoopSecurityEnabled()) {
                FsDelegationToken fsDelegationToken = new FsDelegationToken(this.userProvider, "renewer");
                try {
                    fsDelegationToken.acquireDelegationToken(this.fs);
                    Token<?> userToken = fsDelegationToken.getUserToken();
                    if (userToken != null && (token == null || !userToken.getService().equals(token.getService()))) {
                        ugi.addToken(userToken);
                    }
                } catch (IOException e2) {
                    ResponseConverter.setControllerException(rpcController, e2);
                    rpcCallback.run(SecureBulkLoadProtos.SecureBulkLoadHFilesResponse.newBuilder().setLoaded(false).build());
                    return;
                }
            }
            z2 = ((Boolean) ugi.doAs(new PrivilegedAction<Boolean>() { // from class: org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedAction
                public Boolean run() {
                    FileSystem fileSystem = null;
                    try {
                        try {
                            Configuration configuration = SecureBulkLoadEndpoint.this.env.getConfiguration();
                            fileSystem = FileSystem.get(configuration);
                            Iterator it = arrayList.iterator();
                            while (it.hasNext()) {
                                Path path = new Path(bulkToken, Bytes.toString((byte[]) ((Pair) it.next()).getFirst()));
                                if (!fileSystem.exists(path)) {
                                    fileSystem.mkdirs(path);
                                    fileSystem.setPermission(path, SecureBulkLoadEndpoint.PERM_ALL_ACCESS);
                                }
                            }
                            Boolean valueOf = Boolean.valueOf(SecureBulkLoadEndpoint.this.env.getRegion().bulkLoadHFiles(arrayList, true, new SecureBulkLoadListener(fileSystem, bulkToken, configuration)));
                            if (fileSystem != null) {
                                try {
                                    if (!UserGroupInformation.getLoginUser().equals(ugi)) {
                                        FileSystem.closeAllForUGI(ugi);
                                    }
                                } catch (IOException e3) {
                                    SecureBulkLoadEndpoint.LOG.error("Failed to close FileSystem for " + ugi.getUserName(), e3);
                                }
                            }
                            return valueOf;
                        } catch (Exception e4) {
                            SecureBulkLoadEndpoint.LOG.error("Failed to complete bulk load", e4);
                            if (fileSystem != null) {
                                try {
                                    if (!UserGroupInformation.getLoginUser().equals(ugi)) {
                                        FileSystem.closeAllForUGI(ugi);
                                    }
                                } catch (IOException e5) {
                                    SecureBulkLoadEndpoint.LOG.error("Failed to close FileSystem for " + ugi.getUserName(), e5);
                                }
                            }
                            return false;
                        }
                    } catch (Throwable th) {
                        if (fileSystem != null) {
                            try {
                                if (!UserGroupInformation.getLoginUser().equals(ugi)) {
                                    FileSystem.closeAllForUGI(ugi);
                                }
                            } catch (IOException e6) {
                                SecureBulkLoadEndpoint.LOG.error("Failed to close FileSystem for " + ugi.getUserName(), e6);
                            }
                        }
                        throw th;
                    }
                }
            })).booleanValue();
        }
        if (region.getCoprocessorHost() != null) {
            try {
                z2 = region.getCoprocessorHost().postBulkLoadHFile(arrayList, z2);
            } catch (IOException e3) {
                ResponseConverter.setControllerException(rpcController, e3);
                rpcCallback.run(SecureBulkLoadProtos.SecureBulkLoadHFilesResponse.newBuilder().setLoaded(false).build());
                return;
            }
        }
        rpcCallback.run(SecureBulkLoadProtos.SecureBulkLoadHFilesResponse.newBuilder().setLoaded(z2).build());
    }

    private List<BulkLoadObserver> getBulkLoadObservers() {
        return this.env.getRegion().getCoprocessorHost().findCoprocessors(BulkLoadObserver.class);
    }

    private Path createStagingDir(Path path, User user, TableName tableName) throws IOException {
        return createStagingDir(path, user, user.getShortName() + "__" + tableName.getNameAsString().replace(":", "_") + "__" + new BigInteger(RANDOM_WIDTH, this.random).toString(RANDOM_RADIX));
    }

    private Path createStagingDir(Path path, User user, String str) throws IOException {
        Path path2 = new Path(path, str);
        this.fs.mkdirs(path2, PERM_ALL_ACCESS);
        this.fs.setPermission(path2, PERM_ALL_ACCESS);
        return path2;
    }

    private User getActiveUser() {
        User requestUser = RpcServer.getRequestUser();
        if (requestUser == null) {
            return null;
        }
        return (this.userProvider.isHadoopSecurityEnabled() && "simple".equalsIgnoreCase(this.conf.get("hbase.security.authentication"))) ? User.createUserForTesting(this.conf, requestUser.getShortName(), new String[0]) : requestUser;
    }

    @Override // org.apache.hadoop.hbase.coprocessor.CoprocessorService
    public Service getService() {
        return this;
    }
}
