package org.apache.sentry.provider.db.generic.service.thrift;

import com.google.common.base.Preconditions;
import com.google.common.collect.Lists;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.callback.CallbackHandler;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.exception.SentryUserException;
import org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyService;
import org.apache.sentry.service.thrift.ServiceConstants;
import org.apache.sentry.service.thrift.Status;
import org.apache.thrift.TException;
import org.apache.thrift.protocol.TBinaryProtocol;
import org.apache.thrift.protocol.TMultiplexedProtocol;
import org.apache.thrift.transport.TSaslClientTransport;
import org.apache.thrift.transport.TSocket;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sentry/provider/db/generic/service/thrift/SentryGenericServiceClientDefaultImpl.class */
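/**
 * Thrift client for the Sentry generic policy service ({@code SentryGenericPolicyService}).
 *
 * <p>One instance owns one transport and one generated Thrift client. Every method that issues
 * an RPC is {@code synchronized} on this instance so that concurrent callers cannot interleave
 * requests and responses on the shared connection. For an authorization service, a response
 * delivered to the wrong caller would be a policy-decision error, not just a protocol error.
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>When {@code sentry.service.security.mode} is anything other than {@code kerberos}, the
 *       client talks over a bare {@link TSocket}: this class adds no authentication or SASL
 *       layer in that mode.</li>
 *   <li>The requestor user name passed to each call is copied into the request as-is; this
 *       class does not validate it. NOTE(review): presumably the server decides whether the
 *       connecting peer may act for that user; confirm against the server-side handler.</li>
 * </ul>
 */
public class SentryGenericServiceClientDefaultImpl implements SentryGenericServiceClient {
    // Private copy of the caller's configuration; all reads and the one write below go here.
    private final Configuration conf;
    private final InetSocketAddress serverAddress;
    private final boolean kerberos;
    // {primary, instance/host, realm} of the server principal; null when Kerberos is off.
    private final String[] serverPrincipalParts;
    private SentryGenericPolicyService.Client client;
    private TTransport transport;
    private int connectionTimeout;
    private static final Logger LOGGER = LoggerFactory.getLogger(SentryGenericServiceClientDefaultImpl.class);
    private static final String THRIFT_EXCEPTION_MESSAGE = "Thrift exception occured ";

    /**
     * SASL client transport that can open the connection as the Hadoop login user, so the
     * Kerberos credentials held by {@link UserGroupInformation} are used for the handshake.
     */
    public static class UgiSaslClientTransport extends TSaslClientTransport {
        // Login user to open the transport as; null means "open directly, no doAs".
        protected UserGroupInformation ugi;

        /**
         * @param mechanism       SASL mechanism name, forwarded to {@link TSaslClientTransport}
         * @param authorizationId SASL authorization id, forwarded unchanged (may be null)
         * @param protocol        service part of the server principal
         * @param serverName      host part of the server principal
         * @param props           SASL properties, forwarded unchanged
         * @param cbh             SASL callback handler, forwarded unchanged (may be null)
         * @param transport       underlying transport to wrap
         * @param wrapUgi         when true, resolve the Hadoop login user and open under it
         * @param conf            configuration installed into {@link UserGroupInformation}
         *                        when {@code wrapUgi} is true
         * @throws IOException if the login user cannot be obtained
         */
        public UgiSaslClientTransport(String mechanism, String authorizationId, String protocol, String serverName, Map<String, String> props, CallbackHandler cbh, TTransport transport, boolean wrapUgi, Configuration conf) throws IOException {
            super(mechanism, authorizationId, protocol, serverName, props, cbh, transport);
            if (wrapUgi) {
                // setConfiguration is process-wide static state in UserGroupInformation.
                UserGroupInformation.setConfiguration(conf);
                this.ugi = UserGroupInformation.getLoginUser();
            }
        }

        /**
         * Opens the SASL transport, inside {@code ugi.doAs} when a login user was resolved.
         * A keytab-based login is refreshed first so an expired TGT does not fail the handshake.
         *
         * @throws TTransportException if the relogin, the doAs call or the open itself fails
         */
        @Override
        public void open() throws TTransportException {
            if (this.ugi == null) {
                baseOpen();
                return;
            }
            try {
                if (this.ugi.isFromKeytab()) {
                    this.ugi.checkTGTAndReloginFromKeytab();
                }
                this.ugi.doAs(new PrivilegedExceptionAction<Void>() {
                    @Override
                    public Void run() throws TTransportException {
                        UgiSaslClientTransport.this.baseOpen();
                        return null;
                    }
                });
            } catch (IOException e) {
                throw new TTransportException("Failed to open SASL transport: " + e.getMessage(), e);
            } catch (InterruptedException e2) {
                throw new TTransportException("Interrupted while opening underlying transport: " + e2.getMessage(), e2);
            }
        }

        /**
         * Calls the superclass {@code open()}; exists so the anonymous action above can reach it.
         * Kept public because that is how it appears in this listing.
         */
        public void baseOpen() throws TTransportException {
            super.open();
        }
    }

    /**
     * Connects to the Sentry server named in the configuration and builds the Thrift client.
     *
     * <p>The configuration is copied first and only the copy is read and modified, so the
     * caller's object is not changed by the {@code hadoop.security.authentication} override.
     * (The original copied the configuration but then read from and wrote to the caller's
     * instance, leaving the copy unused.)
     *
     * @param configuration client configuration; must not be null
     * @throws NullPointerException     if {@code configuration} or a required key is missing
     * @throws IllegalArgumentException if the resolved server principal does not have 3 parts
     * @throws IOException              if the transport cannot be opened
     */
    public SentryGenericServiceClientDefaultImpl(Configuration configuration) throws IOException {
        // Check before copying: the check used to run after the copy, where it could never fire.
        Preconditions.checkNotNull(configuration, "Configuration object cannot be null");
        this.conf = new Configuration(configuration);
        this.serverAddress = NetUtils.createSocketAddr(
                Preconditions.checkNotNull(this.conf.get("sentry.service.client.server.rpc-address"), "Config key sentry.service.client.server.rpc-address is required"),
                this.conf.getInt("sentry.service.client.server.rpc-port", 8038));
        this.connectionTimeout = this.conf.getInt("sentry.service.client.server.rpc-connection-timeout", 200000);
        // Security mode defaults to kerberos; any other value selects the unauthenticated socket.
        this.kerberos = "kerberos".equalsIgnoreCase(this.conf.get("sentry.service.security.mode", "kerberos").trim());
        this.transport = new TSocket(this.serverAddress.getHostName(), this.serverAddress.getPort(), this.connectionTimeout);
        if (this.kerberos) {
            String principalConfig = Preconditions.checkNotNull(this.conf.get("sentry.service.server.principal"), "sentry.service.server.principal is required");
            // Written to the private copy only; UgiSaslClientTransport hands it to UserGroupInformation.
            this.conf.set("hadoop.security.authentication", "kerberos");
            // NOTE(review): the principal is resolved against the server's InetAddress, so the
            // result depends on name resolution for that address - confirm DNS is trusted here.
            String serverPrincipal = SecurityUtil.getServerPrincipal(principalConfig, this.serverAddress.getAddress());
            LOGGER.debug("Using server kerberos principal: {}", serverPrincipal);
            this.serverPrincipalParts = SaslRpcServer.splitKerberosName(serverPrincipal);
            Preconditions.checkArgument(this.serverPrincipalParts.length == 3, "Kerberos principal should have 3 parts: " + serverPrincipal);
            boolean wrapUgi = "true".equalsIgnoreCase(this.conf.get("sentry.service.security.use.ugi", "true"));
            // NOTE(review): the SASL properties come from ServiceConstants.ClientConfig, which is
            // not visible here - verify there which protection level (QOP) they request.
            this.transport = new UgiSaslClientTransport(SaslRpcServer.AuthMethod.KERBEROS.getMechanismName(), null, this.serverPrincipalParts[0], this.serverPrincipalParts[1], ServiceConstants.ClientConfig.SASL_PROPERTIES, null, this.transport, wrapUgi, this.conf);
        } else {
            this.serverPrincipalParts = null;
        }
        try {
            this.transport.open();
            LOGGER.debug("Successfully opened transport: {} to {}", this.transport, this.serverAddress);
            // The same limit caps string and container lengths the protocol will accept, which
            // bounds memory used when decoding a malformed or oversized server response.
            long maxMessageSize = this.conf.getLong("sentry.policy.client.thrift.max.message.size", 104857600L);
            this.client = new SentryGenericPolicyService.Client(new TMultiplexedProtocol(new TBinaryProtocol(this.transport, maxMessageSize, maxMessageSize, true, true), "SentryGenericPolicyService"));
            LOGGER.debug("Successfully created client");
        } catch (TTransportException e) {
            throw new IOException("Transport exception while opening transport: " + e.getMessage(), e);
        }
    }

    /** Converts Sentry authorizables into their Thrift form, preserving order. */
    private static List<TAuthorizable> toThriftAuthorizables(List<? extends Authorizable> authorizables) {
        List<TAuthorizable> converted = new ArrayList<>(authorizables.size());
        for (Authorizable authorizable : authorizables) {
            converted.add(new TAuthorizable(authorizable.getTypeName(), authorizable.getName()));
        }
        return converted;
    }

    /**
     * Creates a role in the given component.
     *
     * @throws SentryUserException if the server returns a non-OK status or the RPC fails
     */
    @Override
    public synchronized void createRole(String requestorUserName, String roleName, String component) throws SentryUserException {
        TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
        request.setProtocol_version(2);
        request.setRequestorUserName(requestorUserName);
        request.setRoleName(roleName);
        request.setComponent(component);
        try {
            Status.throwIfNotOk(this.client.create_sentry_role(request).getStatus());
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /**
     * Creates a role, treating an ALREADY_EXISTS answer from the server as success.
     *
     * @throws SentryUserException on any other non-OK status or if the RPC fails
     */
    @Override
    public synchronized void createRoleIfNotExist(String requestorUserName, String roleName, String component) throws SentryUserException {
        TCreateSentryRoleRequest request = new TCreateSentryRoleRequest();
        request.setProtocol_version(2);
        request.setRequestorUserName(requestorUserName);
        request.setRoleName(roleName);
        request.setComponent(component);
        try {
            TCreateSentryRoleResponse response = this.client.create_sentry_role(request);
            if (Status.fromCode(response.getStatus().getValue()) == Status.ALREADY_EXISTS) {
                return;
            }
            Status.throwIfNotOk(response.getStatus());
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /** Drops a role; a missing role is reported as an error. */
    @Override
    public void dropRole(String requestorUserName, String roleName, String component) throws SentryUserException {
        dropRole(requestorUserName, roleName, component, false);
    }

    /** Drops a role, treating a NO_SUCH_OBJECT answer from the server as success. */
    @Override
    public void dropRoleIfExists(String requestorUserName, String roleName, String component) throws SentryUserException {
        dropRole(requestorUserName, roleName, component, true);
    }

    /**
     * Shared implementation of the two drop variants.
     *
     * @param ifExists when true, a NO_SUCH_OBJECT status is swallowed instead of thrown
     */
    private synchronized void dropRole(String requestorUserName, String roleName, String component, boolean ifExists) throws SentryUserException {
        TDropSentryRoleRequest request = new TDropSentryRoleRequest();
        request.setProtocol_version(2);
        request.setRequestorUserName(requestorUserName);
        request.setRoleName(roleName);
        request.setComponent(component);
        try {
            TDropSentryRoleResponse response = this.client.drop_sentry_role(request);
            Status status = Status.fromCode(response.getStatus().getValue());
            if (ifExists && status == Status.NO_SUCH_OBJECT) {
                return;
            }
            Status.throwIfNotOk(response.getStatus());
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /**
     * Adds the role to the given groups.
     *
     * @throws SentryUserException if the server returns a non-OK status or the RPC fails
     */
    @Override
    public synchronized void addRoleToGroups(String requestorUserName, String roleName, String component, Set<String> groups) throws SentryUserException {
        TAlterSentryRoleAddGroupsRequest request = new TAlterSentryRoleAddGroupsRequest();
        request.setProtocol_version(2);
        request.setRequestorUserName(requestorUserName);
        request.setRoleName(roleName);
        request.setGroups(groups);
        request.setComponent(component);
        try {
            Status.throwIfNotOk(this.client.alter_sentry_role_add_groups(request).getStatus());
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /**
     * Removes the role from the given groups.
     *
     * @throws SentryUserException if the server returns a non-OK status or the RPC fails
     */
    @Override
    public synchronized void deleteRoleToGroups(String requestorUserName, String roleName, String component, Set<String> groups) throws SentryUserException {
        TAlterSentryRoleDeleteGroupsRequest request = new TAlterSentryRoleDeleteGroupsRequest();
        request.setProtocol_version(2);
        request.setRequestorUserName(requestorUserName);
        request.setRoleName(roleName);
        request.setGroups(groups);
        request.setComponent(component);
        try {
            Status.throwIfNotOk(this.client.alter_sentry_role_delete_groups(request).getStatus());
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /**
     * Grants a privilege to a role.
     *
     * @throws SentryUserException if the server returns a non-OK status or the RPC fails
     */
    @Override
    public synchronized void grantPrivilege(String requestorUserName, String roleName, String component, TSentryPrivilege privilege) throws SentryUserException {
        TAlterSentryRoleGrantPrivilegeRequest request = new TAlterSentryRoleGrantPrivilegeRequest();
        request.setProtocol_version(2);
        request.setComponent(component);
        request.setRoleName(roleName);
        request.setRequestorUserName(requestorUserName);
        request.setPrivilege(privilege);
        try {
            Status.throwIfNotOk(this.client.alter_sentry_role_grant_privilege(request).getStatus());
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /**
     * Revokes a privilege from a role.
     *
     * @throws SentryUserException if the server returns a non-OK status or the RPC fails
     */
    @Override
    public synchronized void revokePrivilege(String requestorUserName, String roleName, String component, TSentryPrivilege privilege) throws SentryUserException {
        TAlterSentryRoleRevokePrivilegeRequest request = new TAlterSentryRoleRevokePrivilegeRequest();
        request.setProtocol_version(2);
        request.setComponent(component);
        request.setRequestorUserName(requestorUserName);
        request.setRoleName(roleName);
        request.setPrivilege(privilege);
        try {
            Status.throwIfNotOk(this.client.alter_sentry_role_revoke_privilege(request).getStatus());
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /**
     * Asks the server to drop the given privilege (no role name is sent with this request).
     *
     * @throws SentryUserException if the server returns a non-OK status or the RPC fails
     */
    @Override
    public synchronized void dropPrivilege(String requestorUserName, String component, TSentryPrivilege privilege) throws SentryUserException {
        TDropPrivilegesRequest request = new TDropPrivilegesRequest();
        request.setProtocol_version(2);
        request.setComponent(component);
        request.setRequestorUserName(requestorUserName);
        request.setPrivilege(privilege);
        try {
            Status.throwIfNotOk(this.client.drop_sentry_privilege(request).getStatus());
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /**
     * Asks the server to move privileges from one authorizable path to another.
     *
     * @param oldAuthorizables current path; must be non-null and non-empty
     * @param newAuthorizables target path; must be non-null and non-empty
     * @throws SentryUserException if either list is null/empty, the server returns a non-OK
     *                             status, or the RPC fails
     */
    @Override
    public synchronized void renamePrivilege(String requestorUserName, String component, String serviceName, List<? extends Authorizable> oldAuthorizables, List<? extends Authorizable> newAuthorizables) throws SentryUserException {
        if (oldAuthorizables == null || oldAuthorizables.isEmpty() || newAuthorizables == null || newAuthorizables.isEmpty()) {
            throw new SentryUserException("oldAuthorizables or newAuthorizables can not be null or empty");
        }
        TRenamePrivilegesRequest request = new TRenamePrivilegesRequest();
        request.setProtocol_version(2);
        request.setComponent(component);
        request.setRequestorUserName(requestorUserName);
        request.setServiceName(serviceName);
        // Set each list once after it is built; the original re-set it on every loop iteration.
        request.setOldAuthorizables(toThriftAuthorizables(oldAuthorizables));
        request.setNewAuthorizables(toThriftAuthorizables(newAuthorizables));
        try {
            Status.throwIfNotOk(this.client.rename_sentry_privilege(request).getStatus());
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /**
     * Lists roles for a group name.
     *
     * @param groupName group to query; {@code listUserRoles} passes {@code "*"} and
     *                  {@code listAllRoles} passes null
     * @return the roles from the server response
     * @throws SentryUserException if the server returns a non-OK status or the RPC fails
     */
    @Override
    public synchronized Set<TSentryRole> listRolesByGroupName(String requestorUserName, String groupName, String component) throws SentryUserException {
        TListSentryRolesRequest request = new TListSentryRolesRequest();
        request.setProtocol_version(2);
        request.setRequestorUserName(requestorUserName);
        request.setGroupName(groupName);
        request.setComponent(component);
        try {
            TListSentryRolesResponse response = this.client.list_sentry_roles_by_group(request);
            Status.throwIfNotOk(response.getStatus());
            return response.getRoles();
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /** Lists roles using the {@code "*"} group name. */
    @Override
    public Set<TSentryRole> listUserRoles(String requestorUserName, String component) throws SentryUserException {
        return listRolesByGroupName(requestorUserName, "*", component);
    }

    /** Lists roles with no group name set on the request. */
    @Override
    public Set<TSentryRole> listAllRoles(String requestorUserName, String component) throws SentryUserException {
        return listRolesByGroupName(requestorUserName, null, component);
    }

    /**
     * Lists the privileges of a role, optionally narrowed to an authorizable path.
     *
     * @param authorizables optional filter; ignored when null or empty
     * @return the privileges from the server response
     * @throws SentryUserException if the server returns a non-OK status or the RPC fails
     */
    @Override
    public synchronized Set<TSentryPrivilege> listPrivilegesByRoleName(String requestorUserName, String roleName, String component, String serviceName, List<? extends Authorizable> authorizables) throws SentryUserException {
        TListSentryPrivilegesRequest request = new TListSentryPrivilegesRequest();
        request.setProtocol_version(2);
        request.setComponent(component);
        request.setServiceName(serviceName);
        request.setRequestorUserName(requestorUserName);
        request.setRoleName(roleName);
        if (authorizables != null && !authorizables.isEmpty()) {
            request.setAuthorizables(toThriftAuthorizables(authorizables));
        }
        try {
            TListSentryPrivilegesResponse response = this.client.list_sentry_privileges_by_role(request);
            Status.throwIfNotOk(response.getStatus());
            return response.getPrivileges();
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /** Lists the privileges of a role without an authorizable filter. */
    @Override
    public Set<TSentryPrivilege> listPrivilegesByRoleName(String requestorUserName, String roleName, String component, String serviceName) throws SentryUserException {
        return listPrivilegesByRoleName(requestorUserName, roleName, component, serviceName, null);
    }

    /**
     * Lists privilege strings for a policy provider. No requestor user name is sent with this
     * request.
     *
     * @param roleSet       active role set; must not be null
     * @param groups        groups to query; null is sent as an empty set
     * @param authorizables optional filter; ignored when null or empty
     * @return the privileges from the server response
     * @throws NullPointerException if {@code roleSet} is null
     * @throws SentryUserException  if the server returns a non-OK status or the RPC fails
     */
    @Override
    public synchronized Set<String> listPrivilegesForProvider(String component, String serviceName, ActiveRoleSet roleSet, Set<String> groups, List<? extends Authorizable> authorizables) throws SentryUserException {
        // Same exception type as the unguarded dereference in the original, now with a message.
        Preconditions.checkNotNull(roleSet, "ActiveRoleSet cannot be null");
        TSentryActiveRoleSet thriftRoleSet = new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles());
        TListSentryPrivilegesForProviderRequest request = new TListSentryPrivilegesForProviderRequest();
        request.setProtocol_version(2);
        request.setComponent(component);
        request.setServiceName(serviceName);
        request.setRoleSet(thriftRoleSet);
        if (groups == null) {
            request.setGroups(new HashSet<String>());
        } else {
            request.setGroups(groups);
        }
        if (authorizables != null && !authorizables.isEmpty()) {
            request.setAuthorizables(toThriftAuthorizables(authorizables));
        }
        try {
            TListSentryPrivilegesForProviderResponse response = this.client.list_sentry_privileges_for_provider(request);
            Status.throwIfNotOk(response.getStatus());
            return response.getPrivileges();
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /**
     * Lists privileges grouped by authorizable.
     *
     * @param authorizablesSet authorizables to query, sent unchanged
     * @param groups           groups to query; null is sent as an empty set
     * @param roleSet          optional active role set; left unset on the request when null
     * @return the per-authorizable privilege map from the server response
     * @throws SentryUserException if the server returns a non-OK status or the RPC fails
     */
    @Override
    public synchronized Map<String, TSentryPrivilegeMap> listPrivilegsbyAuthorizable(String component, String serviceName, String requestorUserName, Set<String> authorizablesSet, Set<String> groups, ActiveRoleSet roleSet) throws SentryUserException {
        TListSentryPrivilegesByAuthRequest request = new TListSentryPrivilegesByAuthRequest();
        request.setProtocol_version(2);
        request.setComponent(component);
        request.setServiceName(serviceName);
        request.setRequestorUserName(requestorUserName);
        request.setAuthorizablesSet(authorizablesSet);
        if (groups == null) {
            request.setGroups(new HashSet<String>());
        } else {
            request.setGroups(groups);
        }
        if (roleSet != null) {
            request.setRoleSet(new TSentryActiveRoleSet(roleSet.isAll(), roleSet.getRoles()));
        }
        try {
            TListSentryPrivilegesByAuthResponse response = this.client.list_sentry_privileges_by_authorizable(request);
            Status.throwIfNotOk(response.getStatus());
            return response.getPrivilegesMapByAuth();
        } catch (TException e) {
            throw new SentryUserException(THRIFT_EXCEPTION_MESSAGE, e);
        }
    }

    /**
     * Closes the underlying transport if one was created.
     *
     * <p>Left unsynchronized, as in the original, so the caller does not wait behind an RPC
     * that is still in flight on another thread.
     */
    @Override
    public void close() {
        if (this.transport != null) {
            this.transport.close();
        }
    }
}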
