package org.apache.sentry.provider.db.service.thrift;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.security.auth.callback.CallbackHandler;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.exception.SentryUserException;
import org.apache.sentry.core.model.db.DBModelAuthorizable;
import org.apache.sentry.provider.db.service.thrift.SentryPolicyService;
import org.apache.sentry.service.thrift.SentryServiceUtil;
import org.apache.sentry.service.thrift.ServiceConstants;
import org.apache.sentry.service.thrift.Status;
import org.apache.thrift.TException;
import org.apache.thrift.protocol.TBinaryProtocol;
import org.apache.thrift.protocol.TMultiplexedProtocol;
import org.apache.thrift.transport.TSaslClientTransport;
import org.apache.thrift.transport.TSocket;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl.class */
public class SentryPolicyServiceClientDefaultImpl implements SentryPolicyServiceClient {
    // Hadoop configuration handed to the constructor.
    private final Configuration conf;
    // Host/port of the Sentry policy server, built from the rpc-address and rpc-port settings.
    private final InetSocketAddress serverAddress;
    // True when sentry.service.security.mode is "kerberos" (the default); selects the SASL transport.
    private final boolean kerberos;
    // Server Kerberos principal split into its three parts; null when Kerberos is disabled.
    private final String[] serverPrincipalParts;
    // Single Thrift stub shared by every call in this class.
    private SentryPolicyService.Client client;
    // Transport under the stub: a plain TSocket, or the SASL wrapper around it in Kerberos mode.
    private TTransport transport;
    // Value of sentry.service.client.server.rpc-connection-timeout, passed to the TSocket constructor.
    private int connectionTimeout;
    // NOTE(review): the logger is keyed on the SentryPolicyServiceClient interface, not on this class; confirm that is intended.
    private static final Logger LOGGER = LoggerFactory.getLogger(SentryPolicyServiceClient.class);
    // Message attached to every SentryUserException that wraps a Thrift failure.
    private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occurred ";

    /* loaded from: input_file:org/apache/sentry/provider/db/service/thrift/SentryPolicyServiceClientDefaultImpl$UgiSaslClientTransport.class */
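    /**
     * SASL client transport that can run its handshake as the Hadoop login user.
     *
     * When constructed with the UGI flag set, {@link #open()} refreshes a keytab-based
     * login if needed and opens the underlying transport inside {@code ugi.doAs}, so the
     * handshake uses the login user's credentials rather than the calling thread's context.
     */
    public static class UgiSaslClientTransport extends TSaslClientTransport {
        /** Login user to open the transport as, or {@code null} to open it in the caller's own context. */
        protected UserGroupInformation ugi;

        /**
         * Builds the transport; the first seven arguments are forwarded unchanged to
         * {@code TSaslClientTransport}.
         *
         * @param str SASL mechanism name
         * @param str2 authorization id
         * @param str3 protocol (first part of the server principal in this file's only caller)
         * @param str4 server name (second part of the server principal in this file's only caller)
         * @param map SASL properties
         * @param callbackHandler SASL callback handler, may be {@code null}
         * @param tTransport transport to wrap
         * @param z when {@code true}, capture the current login user and open as that user
         * @throws IOException if the login user cannot be determined
         */
        public UgiSaslClientTransport(String str, String str2, String str3, String str4, Map<String, String> map, CallbackHandler callbackHandler, TTransport tTransport, boolean z) throws IOException {
            super(str, str2, str3, str4, map, callbackHandler, tTransport);
            this.ugi = z ? UserGroupInformation.getLoginUser() : null;
        }

        /**
         * Opens the SASL transport, as the captured login user when one was captured.
         *
         * NOTE(review): a TTransportException raised inside {@code doAs} is neither an
         * IOException nor an InterruptedException; depending on how
         * {@code UserGroupInformation.doAs} rethrows checked exceptions it may reach the
         * caller as an unchecked wrapper instead of a TTransportException. Confirm.
         *
         * @throws TTransportException if the login refresh or the open fails, or the thread is interrupted
         */
        @Override
        public synchronized void open() throws TTransportException {
            if (this.ugi == null) {
                baseOpen();
                return;
            }
            try {
                // Renew an expired keytab ticket before the handshake needs it.
                if (this.ugi.isFromKeytab()) {
                    this.ugi.checkTGTAndReloginFromKeytab();
                }
                this.ugi.doAs(new PrivilegedExceptionAction<Void>() {
                    @Override
                    public Void run() throws TTransportException {
                        UgiSaslClientTransport.this.baseOpen();
                        return null;
                    }
                });
            } catch (IOException e) {
                throw new TTransportException("Failed to open SASL transport", e);
            } catch (InterruptedException e2) {
                // Restore the interrupt flag so callers further up can still observe the interruption.
                Thread.currentThread().interrupt();
                throw new TTransportException("Interrupted while opening underlying transport", e2);
            }
        }

        /**
         * Opens the transport through the superclass implementation.
         *
         * Kept public: the decompiler output widened this from private so the anonymous
         * action in {@link #open()} can call it.
         *
         * @throws TTransportException if the superclass open fails
         */
        public void baseOpen() throws TTransportException {
            super.open();
        }
    }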

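    /**
     * Connects to the Sentry policy server described by the configuration.
     *
     * Settings read here: {@code sentry.service.client.server.rpc-address} (required),
     * {@code sentry.service.client.server.rpc-port} (default 8038),
     * {@code sentry.service.client.server.rpc-connection-timeout} (default 200000),
     * {@code sentry.service.security.mode} (default "kerberos"),
     * {@code sentry.service.server.principal} (required in Kerberos mode),
     * {@code sentry.service.security.use.ugi} (default "true") and
     * {@code sentry.policy.client.thrift.max.message.size} (default 104857600).
     *
     * Security note: only when the security mode equals "kerberos" is the socket wrapped
     * in a SASL transport. For any other value the client talks over the bare TSocket,
     * and this class adds no authentication or transport protection of its own.
     *
     * @param configuration client configuration, must not be {@code null}
     * @throws IOException if the server principal cannot be resolved or the transport cannot be opened
     */
    public SentryPolicyServiceClientDefaultImpl(Configuration configuration) throws IOException {
        this.conf = configuration;
        Preconditions.checkNotNull(this.conf, "Configuration object cannot be null");
        final String rpcAddress = Preconditions.checkNotNull(configuration.get("sentry.service.client.server.rpc-address"), "Config key sentry.service.client.server.rpc-address is required");
        this.serverAddress = NetUtils.createSocketAddr(rpcAddress, configuration.getInt("sentry.service.client.server.rpc-port", 8038));
        this.connectionTimeout = configuration.getInt("sentry.service.client.server.rpc-connection-timeout", 200000);
        this.kerberos = "kerberos".equalsIgnoreCase(configuration.get("sentry.service.security.mode", "kerberos").trim());
        this.transport = new TSocket(this.serverAddress.getHostName(), this.serverAddress.getPort(), this.connectionTimeout);
        if (this.kerberos) {
            final String principalPattern = Preconditions.checkNotNull(configuration.get("sentry.service.server.principal"), "sentry.service.server.principal is required");
            final String serverPrincipal = SecurityUtil.getServerPrincipal(principalPattern, this.serverAddress.getAddress());
            LOGGER.debug("Using server kerberos principal: {}", serverPrincipal);
            this.serverPrincipalParts = SaslRpcServer.splitKerberosName(serverPrincipal);
            Preconditions.checkArgument(this.serverPrincipalParts.length == 3, "Kerberos principal should have 3 parts: " + serverPrincipal);
            final boolean useUgi = "true".equalsIgnoreCase(configuration.get("sentry.service.security.use.ugi", "true"));
            this.transport = new UgiSaslClientTransport(SaslRpcServer.AuthMethod.KERBEROS.getMechanismName(), null, this.serverPrincipalParts[0], this.serverPrincipalParts[1], ServiceConstants.ClientConfig.SASL_PROPERTIES, null, this.transport, useUgi);
        } else {
            // No SASL layer: requests go over the plain socket.
            this.serverPrincipalParts = null;
        }
        boolean ready = false;
        try {
            this.transport.open();
            LOGGER.debug("Successfully opened transport: {} to {}", this.transport, this.serverAddress);
            // The same limit is used for both size arguments of the binary protocol.
            final long maxMessageSize = configuration.getLong("sentry.policy.client.thrift.max.message.size", 104857600L);
            this.client = new SentryPolicyService.Client(new TMultiplexedProtocol(new TBinaryProtocol(this.transport, maxMessageSize, maxMessageSize, true, true), "SentryPolicyService"));
            LOGGER.debug("Successfully created client");
            ready = true;
        } catch (TTransportException e) {
            throw new IOException("Transport exception while opening transport: " + e.getMessage(), e);
        } finally {
            if (!ready) {
                // A failed open or handshake must not leave the socket behind: the caller never
                // receives this object, so nobody else could close the transport afterwards.
                try {
                    this.transport.close();
                } catch (RuntimeException closeFailure) {
                    LOGGER.debug("Failed to close transport after unsuccessful open", closeFailure);
                }
            }
        }
    }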

    /**
     * Asks the Sentry server to create a role.
     *
     * The requestor name is sent exactly as given; this client performs no check on it,
     * so whether the requestor may create roles is decided by the server.
     *
     * @param str requestor user name placed in the request
     * @param str2 name of the role to create
     * @throws SentryUserException if {@code Status.throwIfNotOk} rejects the response status or the Thrift call fails
     */
    @Override
    public synchronized void createRole(String str, String str2) throws SentryUserException {
        final TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
        request.setRoleName(str2);
        request.setRequestorUserName(str);
        request.setProtocol_version(2);
        try {
            Status.throwIfNotOk(this.client.create_sentry_role(request).getStatus());
        } catch (TException thriftFailure) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, thriftFailure);
        }
    }

    /**
     * Drops a role and fails if the server reports a non-OK status, including a missing role.
     *
     * @param str requestor user name placed in the request
     * @param str2 name of the role to drop
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized void dropRole(String str, String str2) throws SentryUserException {
        final boolean ignoreMissingRole = false;
        dropRole(str, str2, ignoreMissingRole);
    }

    /**
     * Drops a role, treating a {@code NO_SUCH_OBJECT} answer from the server as success.
     *
     * @param str requestor user name placed in the request
     * @param str2 name of the role to drop
     * @throws SentryUserException if any other non-OK status is returned or the Thrift call fails
     */
    @Override
    public synchronized void dropRoleIfExists(String str, String str2) throws SentryUserException {
        final boolean ignoreMissingRole = true;
        dropRole(str, str2, ignoreMissingRole);
    }

    /**
     * Sends the drop-role request shared by {@code dropRole} and {@code dropRoleIfExists}.
     *
     * @param requestorUserName requestor user name placed in the request
     * @param roleName name of the role to drop
     * @param ifExists when {@code true}, a {@code NO_SUCH_OBJECT} status is silently accepted
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    private synchronized void dropRole(String requestorUserName, String roleName, boolean ifExists) throws SentryUserException {
        final TDropSentryRoleRequest request = new TDropSentryRoleRequest();
        request.setProtocol_version(2);
        request.setRequestorUserName(requestorUserName);
        request.setRoleName(roleName);
        try {
            final TDropSentryRoleResponse response = this.client.drop_sentry_role(request);
            final boolean roleMissing = Status.fromCode(response.getStatus().getValue()) == Status.NO_SUCH_OBJECT;
            if (!(ifExists && roleMissing)) {
                Status.throwIfNotOk(response.getStatus());
            }
        } catch (TException thriftFailure) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, thriftFailure);
        }
    }

    /**
     * Lists the roles the server returns for a group name.
     *
     * A {@code NO_SUCH_OBJECT} status is not an error here: it yields an empty, mutable set.
     *
     * @param str requestor user name placed in the request
     * @param str2 group name to query; other methods in this class pass {@code null} or {@code "*"}
     * @return the roles from the response, or an empty set when the server reports no such object
     * @throws SentryUserException if any other non-OK status is returned or the Thrift call fails
     */
    @Override
    public synchronized Set<TSentryRole> listRolesByGroupName(String str, String str2) throws SentryUserException {
        final TListSentryRolesRequest request = new TListSentryRolesRequest();
        request.setProtocol_version(2);
        request.setRequestorUserName(str);
        request.setGroupName(str2);
        try {
            final TListSentryRolesResponse response = this.client.list_sentry_roles_by_group(request);
            final Status status = Status.fromCode(response.getStatus().getValue());
            if (status == Status.NO_SUCH_OBJECT) {
                return new HashSet<TSentryRole>();
            }
            Status.throwIfNotOk(response.getStatus());
            return response.getRoles();
        } catch (TException thriftFailure) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, thriftFailure);
        }
    }

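    /**
     * Lists the roles the server returns for a user name.
     *
     * Declared {@code synchronized} like every other public method that uses the shared
     * Thrift stub: without it, a direct call from another thread could run a request on
     * the same stub and transport while a synchronized call is still in flight.
     *
     * @param str requestor user name placed in the request
     * @param str2 user name whose roles are queried
     * @return the roles from the response
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized Set<TSentryRole> listRolesByUserName(String str, String str2) throws SentryUserException {
        final TListSentryRolesForUserRequest request = new TListSentryRolesForUserRequest();
        request.setProtocol_version(2);
        request.setRequestorUserName(str);
        request.setUserName(str2);
        try {
            final TListSentryRolesResponse response = this.client.list_sentry_roles_by_user(request);
            Status.throwIfNotOk(response.getStatus());
            return response.getRoles();
        } catch (TException thriftFailure) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, thriftFailure);
        }
    }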

    /**
     * Lists every privilege of a role, with no authorizable filter applied.
     *
     * @param str requestor user name placed in the request
     * @param str2 role whose privileges are listed
     * @return the privileges from the response
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized Set<TSentryPrivilege> listAllPrivilegesByRoleName(String str, String str2) throws SentryUserException {
        final List<? extends Authorizable> noFilter = null;
        return listPrivilegesByRoleName(str, str2, noFilter);
    }

    /**
     * Lists the privileges of a role, optionally narrowed to an authorizable hierarchy.
     *
     * @param str requestor user name placed in the request
     * @param str2 role whose privileges are listed
     * @param list authorizables to filter by; {@code null} or empty sends no hierarchy at all
     * @return the privileges from the response
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized Set<TSentryPrivilege> listPrivilegesByRoleName(String str, String str2, List<? extends Authorizable> list) throws SentryUserException {
        final TListSentryPrivilegesRequest request = new TListSentryPrivilegesRequest();
        request.setProtocol_version(2);
        request.setRequestorUserName(str);
        request.setRoleName(str2);
        final boolean hasFilter = list != null && !list.isEmpty();
        if (hasFilter) {
            request.setAuthorizableHierarchy(setupSentryAuthorizable(list));
        }
        try {
            final TListSentryPrivilegesResponse response = this.client.list_sentry_privileges_by_role(request);
            Status.throwIfNotOk(response.getStatus());
            return response.getPrivileges();
        } catch (TException thriftFailure) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, thriftFailure);
        }
    }

    /**
     * Lists roles by sending a group query with a {@code null} group name.
     *
     * @param str requestor user name placed in the request
     * @return the roles from the response, or an empty set when the server reports no such object
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized Set<TSentryRole> listRoles(String str) throws SentryUserException {
        final String anyGroup = null;
        return listRolesByGroupName(str, anyGroup);
    }

    /**
     * Collects the requestor's roles from two queries: a group query with group name
     * {@code "*"} and a user query for the requestor's own name.
     *
     * @param str requestor user name, also used as the user name of the second query
     * @return a new mutable set holding the union of both results
     * @throws SentryUserException if either query fails
     */
    @Override
    public synchronized Set<TSentryRole> listUserRoles(String str) throws SentryUserException {
        final Set<TSentryRole> merged = Sets.newHashSet();
        final Set<TSentryRole> viaGroups = listRolesByGroupName(str, "*");
        merged.addAll(viaGroups);
        final Set<TSentryRole> viaUser = listRolesByUserName(str, str);
        merged.addAll(viaUser);
        return merged;
    }

    /**
     * Grants a URI-scoped privilege to a role. The action is always {@code "*"} and the
     * grant option is sent as FALSE.
     *
     * @param str requestor user name placed in the request
     * @param str2 role receiving the privilege
     * @param str3 server name
     * @param str4 URI the privilege covers
     * @return the privilege returned by the server, or an empty one if none came back
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized TSentryPrivilege grantURIPrivilege(String str, String str2, String str3, String str4) throws SentryUserException {
        final ServiceConstants.PrivilegeScope scope = ServiceConstants.PrivilegeScope.URI;
        return grantPrivilege(str, str2, scope, str3, str4, null, null, null, "*");
    }

    /**
     * Grants a URI-scoped privilege to a role with an explicit grant option. The action
     * is always {@code "*"}.
     *
     * @param str requestor user name placed in the request
     * @param str2 role receiving the privilege
     * @param str3 server name
     * @param str4 URI the privilege covers
     * @param bool grant option; {@code null} is sent as UNSET
     * @return the privilege returned by the server, or an empty one if none came back
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized TSentryPrivilege grantURIPrivilege(String str, String str2, String str3, String str4, Boolean bool) throws SentryUserException {
        final ServiceConstants.PrivilegeScope scope = ServiceConstants.PrivilegeScope.URI;
        return grantPrivilege(str, str2, scope, str3, str4, null, null, null, "*", bool);
    }

    /**
     * Grants a server-scoped privilege to a role; the grant option is sent as FALSE.
     *
     * The action {@code "ALL"} (any letter case) is normalised to {@code "*"} before it is
     * sent. Unlike the other grant methods, the granted privilege is not returned.
     *
     * @param str requestor user name placed in the request
     * @param str2 role receiving the privilege
     * @param str3 server name
     * @param str4 action to grant
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized void grantServerPrivilege(String str, String str2, String str3, String str4) throws SentryUserException {
        final boolean grantsEverything = "ALL".equalsIgnoreCase(str4) || "*".equals(str4);
        final String action = grantsEverything ? "*" : str4;
        grantPrivilege(str, str2, ServiceConstants.PrivilegeScope.SERVER, str3, null, null, null, null, action);
    }

    /**
     * Grants the {@code "*"} action on a server to a role.
     *
     * @param str requestor user name placed in the request
     * @param str2 role receiving the privilege
     * @param str3 server name
     * @param bool grant option; {@code null} is sent as UNSET
     * @return the privilege returned by the server, or an empty one if none came back
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     * @deprecated use the overload that takes an explicit action
     */
    @Override
    @Deprecated
    public synchronized TSentryPrivilege grantServerPrivilege(String str, String str2, String str3, Boolean bool) throws SentryUserException {
        final String allActions = "*";
        return grantServerPrivilege(str, str2, str3, allActions, bool);
    }

    /**
     * Grants a server-scoped privilege to a role with an explicit grant option.
     *
     * The action {@code "ALL"} (any letter case) is normalised to {@code "*"} before it is sent.
     *
     * @param str requestor user name placed in the request
     * @param str2 role receiving the privilege
     * @param str3 server name
     * @param str4 action to grant
     * @param bool grant option; {@code null} is sent as UNSET
     * @return the privilege returned by the server, or an empty one if none came back
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized TSentryPrivilege grantServerPrivilege(String str, String str2, String str3, String str4, Boolean bool) throws SentryUserException {
        final boolean grantsEverything = "ALL".equalsIgnoreCase(str4) || "*".equals(str4);
        final String action = grantsEverything ? "*" : str4;
        return grantPrivilege(str, str2, ServiceConstants.PrivilegeScope.SERVER, str3, null, null, null, null, action, bool);
    }

    /**
     * Grants a database-scoped privilege to a role; the grant option is sent as FALSE.
     *
     * @param str requestor user name placed in the request
     * @param str2 role receiving the privilege
     * @param str3 server name
     * @param str4 database name
     * @param str5 action to grant
     * @return the privilege returned by the server, or an empty one if none came back
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized TSentryPrivilege grantDatabasePrivilege(String str, String str2, String str3, String str4, String str5) throws SentryUserException {
        final ServiceConstants.PrivilegeScope scope = ServiceConstants.PrivilegeScope.DATABASE;
        return grantPrivilege(str, str2, scope, str3, null, str4, null, null, str5);
    }

    /**
     * Grants a database-scoped privilege to a role with an explicit grant option.
     *
     * @param str requestor user name placed in the request
     * @param str2 role receiving the privilege
     * @param str3 server name
     * @param str4 database name
     * @param str5 action to grant
     * @param bool grant option; {@code null} is sent as UNSET
     * @return the privilege returned by the server, or an empty one if none came back
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized TSentryPrivilege grantDatabasePrivilege(String str, String str2, String str3, String str4, String str5, Boolean bool) throws SentryUserException {
        final ServiceConstants.PrivilegeScope scope = ServiceConstants.PrivilegeScope.DATABASE;
        return grantPrivilege(str, str2, scope, str3, null, str4, null, null, str5, bool);
    }

    /**
     * Grants a table-scoped privilege to a role; the grant option is sent as FALSE.
     *
     * @param str requestor user name placed in the request
     * @param str2 role receiving the privilege
     * @param str3 server name
     * @param str4 database name
     * @param str5 table name
     * @param str6 action to grant
     * @return the privilege returned by the server, or an empty one if none came back
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized TSentryPrivilege grantTablePrivilege(String str, String str2, String str3, String str4, String str5, String str6) throws SentryUserException {
        final ServiceConstants.PrivilegeScope scope = ServiceConstants.PrivilegeScope.TABLE;
        return grantPrivilege(str, str2, scope, str3, null, str4, str5, null, str6);
    }

    /**
     * Grants a table-scoped privilege to a role with an explicit grant option.
     *
     * @param str requestor user name placed in the request
     * @param str2 role receiving the privilege
     * @param str3 server name
     * @param str4 database name
     * @param str5 table name
     * @param str6 action to grant
     * @param bool grant option; {@code null} is sent as UNSET
     * @return the privilege returned by the server, or an empty one if none came back
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized TSentryPrivilege grantTablePrivilege(String str, String str2, String str3, String str4, String str5, String str6, Boolean bool) throws SentryUserException {
        final ServiceConstants.PrivilegeScope scope = ServiceConstants.PrivilegeScope.TABLE;
        return grantPrivilege(str, str2, scope, str3, null, str4, str5, null, str6, bool);
    }

    /**
     * Grants a privilege on a single column to a role; the grant option is sent as FALSE.
     *
     * @param str requestor user name placed in the request
     * @param str2 role receiving the privilege
     * @param str3 server name
     * @param str4 database name
     * @param str5 table name
     * @param str6 column name
     * @param str7 action to grant
     * @return the privilege returned by the server, or an empty one if none came back
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized TSentryPrivilege grantColumnPrivilege(String str, String str2, String str3, String str4, String str5, String str6, String str7) throws SentryUserException {
        final ServiceConstants.PrivilegeScope scope = ServiceConstants.PrivilegeScope.COLUMN;
        return grantPrivilege(str, str2, scope, str3, null, str4, str5, str6, str7);
    }

    /**
     * Grants a privilege on a single column to a role with an explicit grant option.
     *
     * @param str requestor user name placed in the request
     * @param str2 role receiving the privilege
     * @param str3 server name
     * @param str4 database name
     * @param str5 table name
     * @param str6 column name
     * @param str7 action to grant
     * @param bool grant option; {@code null} is sent as UNSET
     * @return the privilege returned by the server, or an empty one if none came back
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized TSentryPrivilege grantColumnPrivilege(String str, String str2, String str3, String str4, String str5, String str6, String str7, Boolean bool) throws SentryUserException {
        final ServiceConstants.PrivilegeScope scope = ServiceConstants.PrivilegeScope.COLUMN;
        return grantPrivilege(str, str2, scope, str3, null, str4, str5, str6, str7, bool);
    }

    /**
     * Grants the same action on several columns of one table; the grant option is sent as FALSE.
     *
     * A {@code null} or empty column list produces a single COLUMN-scoped privilege whose
     * column name is {@code null}.
     *
     * @param str requestor user name placed in the request
     * @param str2 role receiving the privileges
     * @param str3 server name
     * @param str4 database name
     * @param str5 table name
     * @param list column names
     * @param str6 action to grant
     * @return the privileges returned by the server
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized Set<TSentryPrivilege> grantColumnsPrivileges(String str, String str2, String str3, String str4, String str5, List<String> list, String str6) throws SentryUserException {
        final ServiceConstants.PrivilegeScope scope = ServiceConstants.PrivilegeScope.COLUMN;
        return grantPrivileges(str, str2, scope, str3, null, str4, str5, list, str6);
    }

    /**
     * Grants the same action on several columns of one table with an explicit grant option.
     *
     * A {@code null} or empty column list produces a single COLUMN-scoped privilege whose
     * column name is {@code null}.
     *
     * @param str requestor user name placed in the request
     * @param str2 role receiving the privileges
     * @param str3 server name
     * @param str4 database name
     * @param str5 table name
     * @param list column names
     * @param str6 action to grant
     * @param bool grant option; {@code null} is sent as UNSET
     * @return the privileges returned by the server
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized Set<TSentryPrivilege> grantColumnsPrivileges(String str, String str2, String str3, String str4, String str5, List<String> list, String str6, Boolean bool) throws SentryUserException {
        final ServiceConstants.PrivilegeScope scope = ServiceConstants.PrivilegeScope.COLUMN;
        return grantPrivileges(str, str2, scope, str3, null, str4, str5, list, str6, bool);
    }

    /**
     * Grants a caller-built set of privileges to a role. The set is forwarded as is;
     * nothing in it is normalised or checked on the client side.
     *
     * @param str requestor user name placed in the request
     * @param str2 role receiving the privileges
     * @param set privileges to grant
     * @return the privileges returned by the server
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized Set<TSentryPrivilege> grantPrivileges(String str, String str2, Set<TSentryPrivilege> set) throws SentryUserException {
        final Set<TSentryPrivilege> granted = grantPrivilegesCore(str, str2, set);
        return granted;
    }

    /**
     * Grants one caller-built privilege to a role. The privilege is forwarded as is;
     * nothing in it is normalised or checked on the client side.
     *
     * @param str requestor user name placed in the request
     * @param str2 role receiving the privilege
     * @param tSentryPrivilege privilege to grant
     * @return the first privilege returned by the server, or an empty one if none came back
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized TSentryPrivilege grantPrivilege(String str, String str2, TSentryPrivilege tSentryPrivilege) throws SentryUserException {
        final TSentryPrivilege granted = grantPrivilegeCore(str, str2, tSentryPrivilege);
        return granted;
    }

    /**
     * Grants a single privilege by wrapping it in a one-element set.
     *
     * @param requestorUserName requestor user name placed in the request
     * @param roleName role receiving the privilege
     * @param privilege privilege to grant; must not be {@code null} ({@code ImmutableSet.of} rejects it)
     * @return the first privilege of the server's answer, or a fresh empty {@code TSentryPrivilege}
     *         when the answer is {@code null} or empty
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    private TSentryPrivilege grantPrivilegeCore(String requestorUserName, String roleName, TSentryPrivilege privilege) throws SentryUserException {
        final Set<TSentryPrivilege> granted = grantPrivilegesCore(requestorUserName, roleName, ImmutableSet.of(privilege));
        if (granted != null && !granted.isEmpty()) {
            return granted.iterator().next();
        }
        return new TSentryPrivilege();
    }

    /**
     * Sends the grant request that every grant method in this class ends in.
     *
     * Not synchronized itself; the public callers hold the object lock.
     *
     * @param requestorUserName requestor user name placed in the request
     * @param roleName role receiving the privileges
     * @param privileges privileges to grant
     * @return the privileges carried by the server's response
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    private Set<TSentryPrivilege> grantPrivilegesCore(String requestorUserName, String roleName, Set<TSentryPrivilege> privileges) throws SentryUserException {
        final TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
        request.setProtocol_version(2);
        request.setRequestorUserName(requestorUserName);
        request.setRoleName(roleName);
        request.setPrivileges(privileges);
        try {
            final TAlterSentryRoleGrantPrivilegeResponse response = this.client.alter_sentry_role_grant_privilege(request);
            Status.throwIfNotOk(response.getStatus());
            return response.getPrivileges();
        } catch (TException thriftFailure) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, thriftFailure);
        }
    }

    /**
     * Flattens a list of authorizables into one {@code TSentryAuthorizable}.
     *
     * Each element is matched by type name, ignoring case, against the Server, URI, Db,
     * Table and Column authorizable types and its name is copied into the matching field.
     * Elements of any other type are skipped; if a type occurs twice, the later one wins.
     *
     * @param list authorizables to convert; must not be {@code null}
     * @return the populated Thrift object
     */
    @VisibleForTesting
    public static TSentryAuthorizable setupSentryAuthorizable(List<? extends Authorizable> list) {
        final TSentryAuthorizable result = new TSentryAuthorizable();
        for (Authorizable item : list) {
            final String typeName = item.getTypeName();
            if (typeName.equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Server.toString())) {
                result.setServer(item.getName());
                continue;
            }
            if (typeName.equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.URI.toString())) {
                result.setUri(item.getName());
                continue;
            }
            if (typeName.equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Db.toString())) {
                result.setDb(item.getName());
                continue;
            }
            if (typeName.equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Table.toString())) {
                result.setTable(item.getName());
                continue;
            }
            if (typeName.equalsIgnoreCase(DBModelAuthorizable.AuthorizableType.Column.toString())) {
                result.setColumn(item.getName());
            }
        }
        return result;
    }

    /**
     * Grants one privilege built from its parts, with the grant option fixed to
     * {@code false} (sent as FALSE, not UNSET).
     *
     * @param requestorUserName requestor user name placed in the request
     * @param roleName role receiving the privilege
     * @param scope privilege scope
     * @param serverName server name
     * @param uri URI, or {@code null}
     * @param dbName database name, or {@code null}
     * @param tableName table name, or {@code null}
     * @param columnName column name, or {@code null}
     * @param action action to grant
     * @return the privilege returned by the server, or an empty one if none came back
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    private TSentryPrivilege grantPrivilege(String requestorUserName, String roleName, ServiceConstants.PrivilegeScope scope, String serverName, String uri, String dbName, String tableName, String columnName, String action) throws SentryUserException {
        final Boolean withoutGrantOption = false;
        return grantPrivilege(requestorUserName, roleName, scope, serverName, uri, dbName, tableName, columnName, action, withoutGrantOption);
    }

    /**
     * Builds one privilege from its parts and grants it to a role.
     *
     * @param requestorUserName requestor user name placed in the request
     * @param roleName role receiving the privilege
     * @param scope privilege scope
     * @param serverName server name
     * @param uri URI, or {@code null}
     * @param dbName database name, or {@code null}
     * @param tableName table name, or {@code null}
     * @param columnName column name, or {@code null}
     * @param action action to grant
     * @param grantOption grant option; {@code null} is sent as UNSET
     * @return the privilege returned by the server, or an empty one if none came back
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    private TSentryPrivilege grantPrivilege(String requestorUserName, String roleName, ServiceConstants.PrivilegeScope scope, String serverName, String uri, String dbName, String tableName, String columnName, String action, Boolean grantOption) throws SentryUserException {
        final TSentryPrivilege privilege = convertToTSentryPrivilege(scope, serverName, uri, dbName, tableName, columnName, action, grantOption);
        return grantPrivilegeCore(requestorUserName, roleName, privilege);
    }

    /**
     * Grants one privilege per column, with the grant option fixed to {@code false}
     * (sent as FALSE, not UNSET).
     *
     * @param requestorUserName requestor user name placed in the request
     * @param roleName role receiving the privileges
     * @param scope privilege scope
     * @param serverName server name
     * @param uri URI, or {@code null}
     * @param dbName database name, or {@code null}
     * @param tableName table name, or {@code null}
     * @param columns column names, may be {@code null} or empty
     * @param action action to grant
     * @return the privileges returned by the server
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    private Set<TSentryPrivilege> grantPrivileges(String requestorUserName, String roleName, ServiceConstants.PrivilegeScope scope, String serverName, String uri, String dbName, String tableName, List<String> columns, String action) throws SentryUserException {
        final Boolean withoutGrantOption = false;
        return grantPrivileges(requestorUserName, roleName, scope, serverName, uri, dbName, tableName, columns, action, withoutGrantOption);
    }

    /**
     * Builds one privilege per column and grants the whole set to a role.
     *
     * @param requestorUserName requestor user name placed in the request
     * @param roleName role receiving the privileges
     * @param scope privilege scope
     * @param serverName server name
     * @param uri URI, or {@code null}
     * @param dbName database name, or {@code null}
     * @param tableName table name, or {@code null}
     * @param columns column names, may be {@code null} or empty
     * @param action action to grant
     * @param grantOption grant option; {@code null} is sent as UNSET
     * @return the privileges returned by the server
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    private Set<TSentryPrivilege> grantPrivileges(String requestorUserName, String roleName, ServiceConstants.PrivilegeScope scope, String serverName, String uri, String dbName, String tableName, List<String> columns, String action, Boolean grantOption) throws SentryUserException {
        final Set<TSentryPrivilege> privileges = convertColumnPrivileges(scope, serverName, uri, dbName, tableName, columns, action, grantOption);
        return grantPrivilegesCore(requestorUserName, roleName, privileges);
    }

    /**
     * Revokes a caller-built set of privileges from a role. The set is forwarded as is;
     * nothing in it is normalised or checked on the client side.
     *
     * @param str requestor user name placed in the request
     * @param str2 role losing the privileges
     * @param set privileges to revoke
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized void revokePrivileges(String str, String str2, Set<TSentryPrivilege> set) throws SentryUserException {
        final Set<TSentryPrivilege> toRevoke = set;
        revokePrivilegesCore(str, str2, toRevoke);
    }

    /**
     * Revokes one caller-built privilege from a role. The privilege is forwarded as is;
     * nothing in it is normalised or checked on the client side.
     *
     * @param str requestor user name placed in the request
     * @param str2 role losing the privilege
     * @param tSentryPrivilege privilege to revoke
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized void revokePrivilege(String str, String str2, TSentryPrivilege tSentryPrivilege) throws SentryUserException {
        final TSentryPrivilege toRevoke = tSentryPrivilege;
        revokePrivilegeCore(str, str2, toRevoke);
    }

    /**
     * Revokes a single privilege by wrapping it in a one-element set.
     *
     * @param requestorUserName requestor user name placed in the request
     * @param roleName role losing the privilege
     * @param privilege privilege to revoke; must not be {@code null} ({@code ImmutableSet.of} rejects it)
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    private void revokePrivilegeCore(String requestorUserName, String roleName, TSentryPrivilege privilege) throws SentryUserException {
        final Set<TSentryPrivilege> single = ImmutableSet.of(privilege);
        revokePrivilegesCore(requestorUserName, roleName, single);
    }

    /**
     * Sends the revoke request that every revoke method in this class ends in.
     *
     * Not synchronized itself; the public callers hold the object lock.
     *
     * @param requestorUserName requestor user name placed in the request
     * @param roleName role losing the privileges
     * @param privileges privileges to revoke
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    private void revokePrivilegesCore(String requestorUserName, String roleName, Set<TSentryPrivilege> privileges) throws SentryUserException {
        final TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest();
        request.setProtocol_version(2);
        request.setRequestorUserName(requestorUserName);
        request.setRoleName(roleName);
        request.setPrivileges(privileges);
        try {
            Status.throwIfNotOk(this.client.alter_sentry_role_revoke_privilege(request).getStatus());
        } catch (TException thriftFailure) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, thriftFailure);
        }
    }

    /**
     * Revokes a URI-scoped privilege from a role. The action is always {@code "*"} and
     * the grant option is sent as FALSE.
     *
     * @param str requestor user name placed in the request
     * @param str2 role losing the privilege
     * @param str3 server name
     * @param str4 URI the privilege covers
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized void revokeURIPrivilege(String str, String str2, String str3, String str4) throws SentryUserException {
        final ServiceConstants.PrivilegeScope scope = ServiceConstants.PrivilegeScope.URI;
        revokePrivilege(str, str2, scope, str3, str4, null, null, null, "*");
    }

    /**
     * Revokes a URI-scoped privilege from a role with an explicit grant option. The
     * action is always {@code "*"}.
     *
     * @param str requestor user name placed in the request
     * @param str2 role losing the privilege
     * @param str3 server name
     * @param str4 URI the privilege covers
     * @param bool grant option; {@code null} is sent as UNSET
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized void revokeURIPrivilege(String str, String str2, String str3, String str4, Boolean bool) throws SentryUserException {
        final ServiceConstants.PrivilegeScope scope = ServiceConstants.PrivilegeScope.URI;
        revokePrivilege(str, str2, scope, str3, str4, null, null, null, "*", bool);
    }

    /**
     * Revokes a server-scoped privilege from a role; the grant option is sent as FALSE.
     *
     * The action {@code "ALL"} (any letter case) is normalised to {@code "*"} before it is sent.
     *
     * @param str requestor user name placed in the request
     * @param str2 role losing the privilege
     * @param str3 server name
     * @param str4 action to revoke
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized void revokeServerPrivilege(String str, String str2, String str3, String str4) throws SentryUserException {
        final boolean coversEverything = "ALL".equalsIgnoreCase(str4) || "*".equals(str4);
        final String action = coversEverything ? "*" : str4;
        revokePrivilege(str, str2, ServiceConstants.PrivilegeScope.SERVER, str3, null, null, null, null, action);
    }

    /**
     * Revokes a server-scoped privilege from a role with an explicit grant option.
     *
     * The action {@code "ALL"} (any letter case) is normalised to {@code "*"} before it is sent.
     *
     * @param str requestor user name placed in the request
     * @param str2 role losing the privilege
     * @param str3 server name
     * @param str4 action to revoke
     * @param bool grant option; {@code null} is sent as UNSET
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized void revokeServerPrivilege(String str, String str2, String str3, String str4, Boolean bool) throws SentryUserException {
        final boolean coversEverything = "ALL".equalsIgnoreCase(str4) || "*".equals(str4);
        final String action = coversEverything ? "*" : str4;
        revokePrivilege(str, str2, ServiceConstants.PrivilegeScope.SERVER, str3, null, null, null, null, action, bool);
    }

    /**
     * Revokes the {@code "*"} action on a server from a role.
     *
     * @param str requestor user name placed in the request
     * @param str2 role losing the privilege
     * @param str3 server name
     * @param z grant option, sent as TRUE or FALSE (never UNSET)
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     * @deprecated use the overload that takes an explicit action
     */
    @Override
    @Deprecated
    public synchronized void revokeServerPrivilege(String str, String str2, String str3, boolean z) throws SentryUserException {
        final Boolean grantOption = Boolean.valueOf(z);
        revokePrivilege(str, str2, ServiceConstants.PrivilegeScope.SERVER, str3, null, null, null, null, "*", grantOption);
    }

    /**
     * Revokes a database-scoped privilege from a role; the grant option is sent as FALSE.
     *
     * @param str requestor user name placed in the request
     * @param str2 role losing the privilege
     * @param str3 server name
     * @param str4 database name
     * @param str5 action to revoke
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized void revokeDatabasePrivilege(String str, String str2, String str3, String str4, String str5) throws SentryUserException {
        final ServiceConstants.PrivilegeScope scope = ServiceConstants.PrivilegeScope.DATABASE;
        revokePrivilege(str, str2, scope, str3, null, str4, null, null, str5);
    }

    /**
     * Revokes a database-scoped privilege from a role with an explicit grant option.
     *
     * @param str requestor user name placed in the request
     * @param str2 role losing the privilege
     * @param str3 server name
     * @param str4 database name
     * @param str5 action to revoke
     * @param bool grant option; {@code null} is sent as UNSET
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized void revokeDatabasePrivilege(String str, String str2, String str3, String str4, String str5, Boolean bool) throws SentryUserException {
        final ServiceConstants.PrivilegeScope scope = ServiceConstants.PrivilegeScope.DATABASE;
        revokePrivilege(str, str2, scope, str3, null, str4, null, null, str5, bool);
    }

    /**
     * Revokes a table-scoped privilege from a role; the grant option is sent as FALSE.
     *
     * @param str requestor user name placed in the request
     * @param str2 role losing the privilege
     * @param str3 server name
     * @param str4 database name
     * @param str5 table name
     * @param str6 action to revoke
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized void revokeTablePrivilege(String str, String str2, String str3, String str4, String str5, String str6) throws SentryUserException {
        final ServiceConstants.PrivilegeScope scope = ServiceConstants.PrivilegeScope.TABLE;
        revokePrivilege(str, str2, scope, str3, null, str4, str5, null, str6);
    }

    /**
     * Revokes a table-scoped privilege from a role with an explicit grant option.
     *
     * @param str requestor user name placed in the request
     * @param str2 role losing the privilege
     * @param str3 server name
     * @param str4 database name
     * @param str5 table name
     * @param str6 action to revoke
     * @param bool grant option; {@code null} is sent as UNSET
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized void revokeTablePrivilege(String str, String str2, String str3, String str4, String str5, String str6, Boolean bool) throws SentryUserException {
        final ServiceConstants.PrivilegeScope scope = ServiceConstants.PrivilegeScope.TABLE;
        revokePrivilege(str, str2, scope, str3, null, str4, str5, null, str6, bool);
    }

    /**
     * Revokes a privilege on a single column from a role; the grant option is sent as FALSE.
     *
     * @param str requestor user name placed in the request
     * @param str2 role losing the privilege
     * @param str3 server name
     * @param str4 database name
     * @param str5 table name
     * @param str6 column name; must not be {@code null} (the immutable list rejects it)
     * @param str7 action to revoke
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized void revokeColumnPrivilege(String str, String str2, String str3, String str4, String str5, String str6, String str7) throws SentryUserException {
        final List<String> singleColumn = ImmutableList.of(str6);
        revokePrivilege(str, str2, ServiceConstants.PrivilegeScope.COLUMN, str3, null, str4, str5, singleColumn, str7);
    }

    /**
     * Revokes a privilege on a single column from a role with an explicit grant option.
     *
     * @param str requestor user name placed in the request
     * @param str2 role losing the privilege
     * @param str3 server name
     * @param str4 database name
     * @param str5 table name
     * @param str6 column name; must not be {@code null} (the immutable list rejects it)
     * @param str7 action to revoke
     * @param bool grant option; {@code null} is sent as UNSET
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized void revokeColumnPrivilege(String str, String str2, String str3, String str4, String str5, String str6, String str7, Boolean bool) throws SentryUserException {
        final List<String> singleColumn = ImmutableList.of(str6);
        revokePrivilege(str, str2, ServiceConstants.PrivilegeScope.COLUMN, str3, null, str4, str5, singleColumn, str7, bool);
    }

    /**
     * Revokes the same action on several columns of one table; the grant option is sent as FALSE.
     *
     * A {@code null} or empty column list produces a single COLUMN-scoped privilege whose
     * column name is {@code null}.
     *
     * @param str requestor user name placed in the request
     * @param str2 role losing the privileges
     * @param str3 server name
     * @param str4 database name
     * @param str5 table name
     * @param list column names
     * @param str6 action to revoke
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized void revokeColumnsPrivilege(String str, String str2, String str3, String str4, String str5, List<String> list, String str6) throws SentryUserException {
        final ServiceConstants.PrivilegeScope scope = ServiceConstants.PrivilegeScope.COLUMN;
        revokePrivilege(str, str2, scope, str3, null, str4, str5, list, str6);
    }

    /**
     * Revokes the same action on several columns of one table with an explicit grant option.
     *
     * A {@code null} or empty column list produces a single COLUMN-scoped privilege whose
     * column name is {@code null}.
     *
     * @param str requestor user name placed in the request
     * @param str2 role losing the privileges
     * @param str3 server name
     * @param str4 database name
     * @param str5 table name
     * @param list column names
     * @param str6 action to revoke
     * @param bool grant option; {@code null} is sent as UNSET
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    @Override
    public synchronized void revokeColumnsPrivilege(String str, String str2, String str3, String str4, String str5, List<String> list, String str6, Boolean bool) throws SentryUserException {
        final ServiceConstants.PrivilegeScope scope = ServiceConstants.PrivilegeScope.COLUMN;
        revokePrivilege(str, str2, scope, str3, null, str4, str5, list, str6, bool);
    }

    /**
     * Revokes privileges built from their parts, with the grant option fixed to
     * {@code false} (sent as FALSE, not UNSET).
     *
     * @param requestorUserName requestor user name placed in the request
     * @param roleName role losing the privileges
     * @param scope privilege scope
     * @param serverName server name
     * @param uri URI, or {@code null}
     * @param dbName database name, or {@code null}
     * @param tableName table name, or {@code null}
     * @param columns column names, may be {@code null} or empty
     * @param action action to revoke
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    private void revokePrivilege(String requestorUserName, String roleName, ServiceConstants.PrivilegeScope scope, String serverName, String uri, String dbName, String tableName, List<String> columns, String action) throws SentryUserException {
        final Boolean withoutGrantOption = false;
        revokePrivilege(requestorUserName, roleName, scope, serverName, uri, dbName, tableName, columns, action, withoutGrantOption);
    }

    /**
     * Builds one privilege per column and revokes the whole set from a role.
     *
     * @param requestorUserName requestor user name placed in the request
     * @param roleName role losing the privileges
     * @param scope privilege scope
     * @param serverName server name
     * @param uri URI, or {@code null}
     * @param dbName database name, or {@code null}
     * @param tableName table name, or {@code null}
     * @param columns column names, may be {@code null} or empty
     * @param action action to revoke
     * @param grantOption grant option; {@code null} is sent as UNSET
     * @throws SentryUserException if the response status is rejected or the Thrift call fails
     */
    private void revokePrivilege(String requestorUserName, String roleName, ServiceConstants.PrivilegeScope scope, String serverName, String uri, String dbName, String tableName, List<String> columns, String action, Boolean grantOption) throws SentryUserException {
        final Set<TSentryPrivilege> privileges = convertColumnPrivileges(scope, serverName, uri, dbName, tableName, columns, action, grantOption);
        revokePrivilegesCore(requestorUserName, roleName, privileges);
    }

    /**
     * Expands a column list into one {@code TSentryPrivilege} per column.
     *
     * With a {@code null} or empty list the result holds exactly one privilege whose
     * column name is {@code null}, which is how the non-column scopes reach this method.
     * Every privilege is stamped with the current wall-clock time as its create time.
     *
     * @param scope privilege scope
     * @param serverName server name
     * @param uri URI, or {@code null}
     * @param dbName database name, or {@code null}
     * @param tableName table name, or {@code null}
     * @param columns column names, may be {@code null} or empty
     * @param action action the privileges carry
     * @param grantOption grant option; {@code null} becomes UNSET
     * @return an immutable set of the built privileges
     */
    private Set<TSentryPrivilege> convertColumnPrivileges(ServiceConstants.PrivilegeScope scope, String serverName, String uri, String dbName, String tableName, List<String> columns, String action, Boolean grantOption) {
        final ImmutableSet.Builder<TSentryPrivilege> privileges = ImmutableSet.builder();
        if (columns != null && !columns.isEmpty()) {
            for (String column : columns) {
                privileges.add(convertToTSentryPrivilege(scope, serverName, uri, dbName, tableName, column, action, grantOption));
            }
        } else {
            privileges.add(convertToTSentryPrivilege(scope, serverName, uri, dbName, tableName, (String) null, action, grantOption));
        }
        return privileges.build();
    }

    /**
     * Builds a single {@code TSentryPrivilege} from its individual fields.
     *
     * <p>The creation time is taken from the local clock, and the grant option is mapped by
     * {@code convertTSentryGrantOption}, so a null {@code bool} becomes {@code UNSET}.
     *
     * @param privilegeScope scope whose {@code toString()} value is stored on the privilege
     * @param str server name
     * @param str2 URI
     * @param str3 database name
     * @param str4 table name
     * @param str5 column name; stored as given, including null
     * @param str6 action
     * @param bool grant option, may be null
     * @return the populated privilege
     */
    private TSentryPrivilege convertToTSentryPrivilege(ServiceConstants.PrivilegeScope privilegeScope, String str, String str2, String str3, String str4, String str5, String str6, Boolean bool) {
        final String scopeName = privilegeScope.toString();
        TSentryPrivilege privilege = new TSentryPrivilege();
        privilege.setPrivilegeScope(scopeName);
        // Location of the object the privilege applies to.
        privilege.setServerName(str);
        privilege.setURI(str2);
        privilege.setDbName(str3);
        privilege.setTableName(str4);
        privilege.setColumnName(str5);
        // What is allowed, when it was created, and whether it may be passed on.
        privilege.setAction(str6);
        privilege.setCreateTime(System.currentTimeMillis());
        privilege.setGrantOption(convertTSentryGrantOption(bool));
        return privilege;
    }

    /**
     * Maps a nullable {@code Boolean} onto the three-valued {@code TSentryGrantOption}.
     *
     * @param bool grant option requested by the caller, or null when none was given
     * @return {@code UNSET} for null, {@code TRUE} for true, {@code FALSE} for false
     */
    private TSentryGrantOption convertTSentryGrantOption(Boolean bool) {
        if (bool == null) {
            // Absence is kept distinct from an explicit "false".
            return TSentryGrantOption.UNSET;
        }
        if (bool.booleanValue()) {
            return TSentryGrantOption.TRUE;
        }
        return TSentryGrantOption.FALSE;
    }

    /**
     * Asks the server for the privileges that apply to the given principals and role set.
     *
     * <p>{@code activeRoleSet} is dereferenced without a null check, so a null value fails with a
     * {@code NullPointerException} before any request is sent. The sibling
     * {@code listPrivilegsbyAuthorizable} does treat its role set as optional.
     *
     * @param set passed as the second constructor argument of the request (presumably the group
     *     names; confirm against the Thrift definition)
     * @param set2 user names; only set on the request when non-null
     * @param activeRoleSet roles to evaluate; must not be null
     * @param authorizableArr optional authorizable hierarchy; ignored when null or empty
     * @return the privileges returned by the server
     * @throws SentryUserException when the response status is not OK or the Thrift call fails
     */
    @Override
    public synchronized Set<String> listPrivilegesForProvider(Set<String> set, Set<String> set2, ActiveRoleSet activeRoleSet, Authorizable... authorizableArr) throws SentryUserException {
        TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(activeRoleSet.isAll(), activeRoleSet.getRoles());
        // The leading 2 is presumably the service protocol version inlined by the compiler; confirm.
        TListSentryPrivilegesForProviderRequest request = new TListSentryPrivilegesForProviderRequest(2, set, thriftRoleSet);

        boolean hasAuthorizables = authorizableArr != null && authorizableArr.length > 0;
        if (hasAuthorizables) {
            request.setAuthorizableHierarchy(setupSentryAuthorizable(Lists.newArrayList(authorizableArr)));
        }
        if (set2 != null) {
            request.setUsers(set2);
        }

        try {
            TListSentryPrivilegesForProviderResponse response = this.client.list_sentry_privileges_for_provider(request);
            Status.throwIfNotOk(response.getStatus());
            return response.getPrivileges();
        } catch (TException e) {
            // Transport and protocol failures are reported with a generic message; the cause is kept.
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /**
     * Convenience form of {@code grantRoleToGroups} for a single group.
     *
     * <p>Argument order differs between the two methods: here the group ({@code str2}) comes
     * before {@code str3}, whereas {@code grantRoleToGroups} takes {@code str3} second and the
     * group set third.
     *
     * @param str forwarded as the first argument (presumably the requesting user name; confirm)
     * @param str2 name of the group; wrapped in a one-element set
     * @param str3 forwarded as the second argument (presumably the role name; confirm)
     * @throws SentryUserException propagated from {@code grantRoleToGroups}
     */
    @Override
    public synchronized void grantRoleToGroup(String str, String str2, String str3) throws SentryUserException {
        Set<String> singleGroup = Sets.newHashSet(str2);
        grantRoleToGroups(str, str3, singleGroup);
    }

    /**
     * Convenience form of {@code revokeRoleFromGroups} for a single group.
     *
     * <p>Argument order differs between the two methods: here the group ({@code str2}) comes
     * before {@code str3}, whereas {@code revokeRoleFromGroups} takes {@code str3} second and the
     * group set third.
     *
     * @param str forwarded as the first argument (presumably the requesting user name; confirm)
     * @param str2 name of the group; wrapped in a one-element set
     * @param str3 forwarded as the second argument (presumably the role name; confirm)
     * @throws SentryUserException propagated from {@code revokeRoleFromGroups}
     */
    @Override
    public synchronized void revokeRoleFromGroup(String str, String str2, String str3) throws SentryUserException {
        Set<String> singleGroup = Sets.newHashSet(str2);
        revokeRoleFromGroups(str, str3, singleGroup);
    }

    /**
     * Sends an "add groups to role" request to the server and checks the response status.
     *
     * <p>No permission check is made in this method; the visible code only forwards the request
     * and relies on the status the server returns.
     *
     * @param str second constructor argument of the request (presumably the requesting user
     *     name; confirm against the Thrift definition)
     * @param str2 third constructor argument of the request (presumably the role name; confirm)
     * @param set group names; a null set is sent as an empty group set
     * @throws SentryUserException when the response status is not OK or the Thrift call fails
     */
    @Override
    public synchronized void grantRoleToGroups(String str, String str2, Set<String> set) throws SentryUserException {
        try {
            // The leading 2 is presumably the service protocol version inlined by the compiler; confirm.
            TAlterSentryRoleAddGroupsRequest request =
                    new TAlterSentryRoleAddGroupsRequest(2, str, str2, convert2TGroups(set));
            Status.throwIfNotOk(this.client.alter_sentry_role_add_groups(request).getStatus());
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /**
     * Sends a "delete groups from role" request to the server and checks the response status.
     *
     * <p>No permission check is made in this method; the visible code only forwards the request
     * and relies on the status the server returns.
     *
     * @param str second constructor argument of the request (presumably the requesting user
     *     name; confirm against the Thrift definition)
     * @param str2 third constructor argument of the request (presumably the role name; confirm)
     * @param set group names; a null set is sent as an empty group set
     * @throws SentryUserException when the response status is not OK or the Thrift call fails
     */
    @Override
    public synchronized void revokeRoleFromGroups(String str, String str2, Set<String> set) throws SentryUserException {
        try {
            // The leading 2 is presumably the service protocol version inlined by the compiler; confirm.
            TAlterSentryRoleDeleteGroupsRequest request =
                    new TAlterSentryRoleDeleteGroupsRequest(2, str, str2, convert2TGroups(set));
            Status.throwIfNotOk(this.client.alter_sentry_role_delete_groups(request).getStatus());
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /**
     * Convenience form of {@code grantRoleToUsers} for a single user.
     *
     * <p>Argument order differs between the two methods: here the user ({@code str2}) comes
     * before {@code str3}, whereas {@code grantRoleToUsers} takes {@code str3} second and the
     * user set third.
     *
     * @param str forwarded as the first argument (presumably the requesting user name; confirm)
     * @param str2 name of the user receiving the role; wrapped in a one-element set
     * @param str3 forwarded as the second argument (presumably the role name; confirm)
     * @throws SentryUserException propagated from {@code grantRoleToUsers}
     */
    @Override
    public synchronized void grantRoleToUser(String str, String str2, String str3) throws SentryUserException {
        Set<String> singleUser = Sets.newHashSet(str2);
        grantRoleToUsers(str, str3, singleUser);
    }

    /**
     * Convenience form of {@code revokeRoleFromUsers} for a single user.
     *
     * <p>Argument order differs between the two methods: here the user ({@code str2}) comes
     * before {@code str3}, whereas {@code revokeRoleFromUsers} takes {@code str3} second and the
     * user set third.
     *
     * @param str forwarded as the first argument (presumably the requesting user name; confirm)
     * @param str2 name of the user losing the role; wrapped in a one-element set
     * @param str3 forwarded as the second argument (presumably the role name; confirm)
     * @throws SentryUserException propagated from {@code revokeRoleFromUsers}
     */
    @Override
    public synchronized void revokeRoleFromUser(String str, String str2, String str3) throws SentryUserException {
        Set<String> singleUser = Sets.newHashSet(str2);
        revokeRoleFromUsers(str, str3, singleUser);
    }

    /**
     * Sends an "add users to role" request to the server and checks the response status.
     *
     * <p>Unlike the group variant, the user set is passed to the request as given, including
     * null. No permission check is made in this method.
     *
     * @param str second constructor argument of the request (presumably the requesting user
     *     name; confirm against the Thrift definition)
     * @param str2 third constructor argument of the request (presumably the role name; confirm)
     * @param set user names, forwarded unchanged
     * @throws SentryUserException when the response status is not OK or the Thrift call fails
     */
    @Override
    public synchronized void grantRoleToUsers(String str, String str2, Set<String> set) throws SentryUserException {
        try {
            // The leading 2 is presumably the service protocol version inlined by the compiler; confirm.
            TAlterSentryRoleAddUsersRequest request = new TAlterSentryRoleAddUsersRequest(2, str, str2, set);
            Status.throwIfNotOk(this.client.alter_sentry_role_add_users(request).getStatus());
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /**
     * Sends a "delete users from role" request to the server and checks the response status.
     *
     * <p>Unlike the group variant, the user set is passed to the request as given, including
     * null. No permission check is made in this method.
     *
     * @param str second constructor argument of the request (presumably the requesting user
     *     name; confirm against the Thrift definition)
     * @param str2 third constructor argument of the request (presumably the role name; confirm)
     * @param set user names, forwarded unchanged
     * @throws SentryUserException when the response status is not OK or the Thrift call fails
     */
    @Override
    public synchronized void revokeRoleFromUsers(String str, String str2, Set<String> set) throws SentryUserException {
        try {
            // The leading 2 is presumably the service protocol version inlined by the compiler; confirm.
            TAlterSentryRoleDeleteUsersRequest request = new TAlterSentryRoleDeleteUsersRequest(2, str, str2, set);
            Status.throwIfNotOk(this.client.alter_sentry_role_delete_users(request).getStatus());
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /**
     * Wraps each group name in a {@code TSentryGroup}.
     *
     * @param set group names, may be null
     * @return a new mutable set with one {@code TSentryGroup} per name; empty when {@code set}
     *     is null
     */
    private Set<TSentryGroup> convert2TGroups(Set<String> set) {
        Set<TSentryGroup> thriftGroups = Sets.newHashSet();
        if (set == null) {
            return thriftGroups;
        }
        for (String groupName : set) {
            thriftGroups.add(new TSentryGroup(groupName));
        }
        return thriftGroups;
    }

    /**
     * Sends a "drop privilege" request for the given authorizable hierarchy and checks the
     * response status.
     *
     * <p>The request names no role, only the authorizable, so the drop is presumably not limited
     * to one role; confirm the server-side semantics before relying on it.
     *
     * @param str second constructor argument of the request (presumably the requesting user
     *     name; confirm against the Thrift definition)
     * @param list authorizable hierarchy, converted by {@code setupSentryAuthorizable}
     * @throws SentryUserException when the response status is not OK or the Thrift call fails
     */
    @Override
    public synchronized void dropPrivileges(String str, List<? extends Authorizable> list) throws SentryUserException {
        try {
            // The leading 2 is presumably the service protocol version inlined by the compiler; confirm.
            TDropPrivilegesRequest request = new TDropPrivilegesRequest(2, str, setupSentryAuthorizable(list));
            Status.throwIfNotOk(this.client.drop_sentry_privilege(request).getStatus());
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /**
     * Sends a "rename privilege" request that moves privileges from one authorizable hierarchy
     * to another, then checks the response status.
     *
     * @param str second constructor argument of the request (presumably the requesting user
     *     name; confirm against the Thrift definition)
     * @param list hierarchy passed first to the request (presumably the old authorizable; confirm)
     * @param list2 hierarchy passed second to the request (presumably the new authorizable;
     *     confirm)
     * @throws SentryUserException when the response status is not OK or the Thrift call fails
     */
    @Override
    public synchronized void renamePrivileges(String str, List<? extends Authorizable> list, List<? extends Authorizable> list2) throws SentryUserException {
        try {
            // The leading 2 is presumably the service protocol version inlined by the compiler; confirm.
            TRenamePrivilegesRequest request = new TRenamePrivilegesRequest(
                    2,
                    str,
                    setupSentryAuthorizable(list),
                    setupSentryAuthorizable(list2));
            Status.throwIfNotOk(this.client.rename_sentry_privilege(request).getStatus());
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /**
     * Asks the server which privileges exist on each of the given authorizable hierarchies.
     *
     * <p>{@code set} is iterated without a null check, so a null value fails with a
     * {@code NullPointerException} before any request is sent. The group and role-set filters
     * are optional and are only put on the request when non-null.
     *
     * @param str second constructor argument of the request (presumably the requesting user
     *     name; confirm against the Thrift definition)
     * @param set authorizable hierarchies to look up; must not be null
     * @param set2 group names used as a filter, or null
     * @param activeRoleSet roles used as a filter, or null
     * @return the per-authorizable privilege map returned by the server
     * @throws SentryUserException when the response status is not OK or the Thrift call fails
     */
    @Override
    public synchronized Map<TSentryAuthorizable, TSentryPrivilegeMap> listPrivilegsbyAuthorizable(String str, Set<List<? extends Authorizable>> set, Set<String> set2, ActiveRoleSet activeRoleSet) throws SentryUserException {
        Set<TSentryAuthorizable> thriftAuthorizables = Sets.newTreeSet();
        for (List<? extends Authorizable> hierarchy : set) {
            thriftAuthorizables.add(setupSentryAuthorizable(hierarchy));
        }

        // The leading 2 is presumably the service protocol version inlined by the compiler; confirm.
        TListSentryPrivilegesByAuthRequest request = new TListSentryPrivilegesByAuthRequest(2, str, thriftAuthorizables);
        if (set2 != null) {
            request.setGroups(set2);
        }
        if (activeRoleSet != null) {
            request.setRoleSet(new TSentryActiveRoleSet(activeRoleSet.isAll(), activeRoleSet.getRoles()));
        }

        try {
            TListSentryPrivilegesByAuthResponse response = this.client.list_sentry_privileges_by_authorizable(request);
            Status.throwIfNotOk(response.getStatus());
            return response.getPrivilegesMapByAuth();
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /**
     * Reads one configuration value from the server.
     *
     * <p>Which properties the server is willing to return is decided on the server side and is
     * not visible here; a refusal surfaces through the response status.
     *
     * @param str second constructor argument of the request (presumably the property name;
     *     confirm against the Thrift definition)
     * @param str2 default value; only set on the request when non-null
     * @return the value carried by the response
     * @throws SentryUserException when the response status is not OK or the Thrift call fails
     */
    @Override
    public synchronized String getConfigValue(String str, String str2) throws SentryUserException {
        // The leading 2 is presumably the service protocol version inlined by the compiler; confirm.
        TSentryConfigValueRequest request = new TSentryConfigValueRequest(2, str);
        if (str2 != null) {
            request.setDefaultValue(str2);
        }
        try {
            TSentryConfigValueResponse response = this.client.get_sentry_config_value(request);
            Status.throwIfNotOk(response.getStatus());
            return response.getValue();
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /**
     * Closes the underlying transport if one was created; does nothing otherwise.
     */
    @Override
    public synchronized void close() {
        if (this.transport == null) {
            return;
        }
        this.transport.close();
    }

    /**
     * Sends a complete policy mapping to the server for import.
     *
     * <p>The mapping is read from three keys of {@code map}: {@code "groups"} (group to roles),
     * {@code "userroles"} (user to roles) and {@code "roles"} (role to privilege strings). A
     * missing key is forwarded as null for the first two and as an empty map for
     * {@code "roles"}. {@code map} itself is dereferenced without a null check.
     *
     * <p>Privilege strings are parsed by {@code SentryServiceUtil.convertToTSentryPrivilege};
     * no further validation of the imported content happens in this method.
     *
     * @param map policy sections keyed as described above; must not be null
     * @param str second constructor argument of the request (presumably the requesting user
     *     name; confirm against the Thrift definition)
     * @param z third constructor argument of the request (presumably whether existing roles are
     *     overwritten; confirm before importing into a populated store)
     * @throws SentryUserException when the response status is not OK or the Thrift call fails
     */
    @Override
    public synchronized void importPolicy(Map<String, Map<String, Set<String>>> map, String str, boolean z) throws SentryUserException {
        try {
            TSentryMappingData mappingData = new TSentryMappingData();
            Map<String, Set<String>> groupRoles = map.get("groups");
            mappingData.setGroupRolesMap(groupRoles);
            Map<String, Set<String>> userRoles = map.get("userroles");
            mappingData.setUserRolesMap(userRoles);
            Map<String, Set<String>> rolePrivilegeStrings = map.get("roles");
            mappingData.setRolePrivilegesMap(convertRolePrivilegesMapForSentryDB(rolePrivilegeStrings));

            // The leading 2 is presumably the service protocol version inlined by the compiler; confirm.
            TSentryImportMappingDataRequest request = new TSentryImportMappingDataRequest(2, str, z, mappingData);
            Status.throwIfNotOk(this.client.import_sentry_mapping_data(request).getStatus());
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /**
     * Converts a role-to-privilege-string map into a role-to-{@code TSentryPrivilege} map.
     *
     * <p>Each string is parsed by {@code SentryServiceUtil.convertToTSentryPrivilege}; whatever
     * that call returns is stored as is. A role whose privilege set is null causes a
     * {@code NullPointerException} rather than being imported with no privileges.
     *
     * @param map role name to privilege strings, may be null
     * @return a new mutable map with one entry per role; empty when {@code map} is null
     */
    private Map<String, Set<TSentryPrivilege>> convertRolePrivilegesMapForSentryDB(Map<String, Set<String>> map) {
        Map<String, Set<TSentryPrivilege>> privilegesByRole = Maps.newHashMap();
        if (map == null) {
            return privilegesByRole;
        }
        for (Map.Entry<String, Set<String>> roleEntry : map.entrySet()) {
            Set<TSentryPrivilege> parsed = Sets.newHashSet();
            for (String privilegeText : roleEntry.getValue()) {
                parsed.add(SentryServiceUtil.convertToTSentryPrivilege(privilegeText));
            }
            privilegesByRole.put(roleEntry.getKey(), parsed);
        }
        return privilegesByRole;
    }

    /**
     * Fetches the policy mapping from the server and returns it in policy-file form.
     *
     * <p>The result uses the same three keys that {@code importPolicy} reads:
     * {@code "userroles"}, {@code "groups"} and {@code "roles"}. It describes who holds which
     * role and what each role may do, so treat it as sensitive when storing or logging it.
     *
     * <p>Privileges whose string form is empty are left out of {@code "roles"} by
     * {@code convertRolePrivilegesMapForPolicyFile}; the export can therefore list fewer
     * privileges for a role than the server returned.
     *
     * @param str second constructor argument of the request (presumably the requesting user
     *     name; confirm against the Thrift definition)
     * @param str2 object path set on the request; passed through as given, including null
     * @return a new mutable map holding the three policy sections
     * @throws SentryUserException when the response status is not OK or the Thrift call fails
     */
    @Override
    public synchronized Map<String, Map<String, Set<String>>> exportPolicy(String str, String str2) throws SentryUserException {
        // The leading 2 is presumably the service protocol version inlined by the compiler; confirm.
        TSentryExportMappingDataRequest request = new TSentryExportMappingDataRequest(2, str);
        request.setObjectPath(str2);
        try {
            TSentryExportMappingDataResponse response = this.client.export_sentry_mapping_data(request);
            Status.throwIfNotOk(response.getStatus());

            TSentryMappingData exported = response.getMappingData();
            Map<String, Map<String, Set<String>>> policySections = Maps.newHashMap();
            policySections.put("userroles", exported.getUserRolesMap());
            policySections.put("groups", exported.getGroupRolesMap());
            policySections.put("roles", convertRolePrivilegesMapForPolicyFile(exported.getRolePrivilegesMap()));
            return policySections;
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /**
     * Converts a role-to-{@code TSentryPrivilege} map into a role-to-privilege-string map.
     *
     * <p>Each privilege is rendered by {@code SentryServiceUtil.convertTSentryPrivilegeToStr}.
     * A privilege that renders to null or the empty string is dropped without any log entry or
     * error, so the role still appears in the result but with fewer privileges. Compare counts
     * against the input if the output feeds a later import.
     *
     * @param map role name to privileges, may be null
     * @return a new mutable map with one entry per role; empty when {@code map} is null
     */
    private Map<String, Set<String>> convertRolePrivilegesMapForPolicyFile(Map<String, Set<TSentryPrivilege>> map) {
        Map<String, Set<String>> privilegeTextByRole = Maps.newHashMap();
        if (map == null) {
            return privilegeTextByRole;
        }
        for (Map.Entry<String, Set<TSentryPrivilege>> roleEntry : map.entrySet()) {
            Set<String> rendered = Sets.newHashSet();
            for (TSentryPrivilege privilege : roleEntry.getValue()) {
                String privilegeText = SentryServiceUtil.convertTSentryPrivilegeToStr(privilege);
                if (StringUtils.isEmpty(privilegeText)) {
                    // Nothing usable to write for this privilege; it is omitted from the result.
                    continue;
                }
                rendered.add(privilegeText);
            }
            privilegeTextByRole.put(roleEntry.getKey(), rendered);
        }
        return privilegeTextByRole;
    }
}
