package hex.security;

import java.io.IOException;
import java.time.Duration;
import java.util.List;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import water.AbstractH2OExtension;
import water.H2O;
import water.init.StandaloneKerberosComponent;
import water.persist.PersistHdfs;
import water.persist.security.HdfsDelegationTokenRefresher;
import water.util.Log;

/* loaded from: input_file:hex/security/KerberosExtension.class */
public class KerberosExtension extends AbstractH2OExtension {
    public static String NAME = "KrbStandalone";
    private final H2O.OptArgs _args;

    public KerberosExtension() {
        this(H2O.ARGS);
    }

    KerberosExtension(H2O.OptArgs optArgs) {
        this._args = optArgs;
    }

    public String getExtensionName() {
        return NAME;
    }

    public boolean isEnabled() {
        return isStandalone();
    }

    private boolean isStandalone() {
        return !this._args.launchedWithHadoopJar();
    }

    public void onLocalNodeStarted() {
        UserGroupInformation loginUserFromKeytab;
        Configuration configuration = PersistHdfs.CONF;
        if (configuration == null) {
            return;
        }
        if (!isKerberosEnabled(configuration)) {
            Log.info(new Object[]{"Kerberos not configured"});
            if (this._args.hdfs_token_refresh_interval != null) {
                Log.warn(new Object[]{"Option hdfs_token_refresh_interval ignored because Kerberos is not configured."});
            }
            if (this._args.keytab_path != null) {
                Log.warn(new Object[]{"Option keytab_path ignored because Kerberos is not configured."});
            }
            if (this._args.principal != null) {
                Log.warn(new Object[]{"Option principal ignored because Kerberos is not configured."});
                return;
            }
            return;
        }
        UserGroupInformation.setConfiguration(configuration);
        if (this._args.keytab_path == null && this._args.principal == null) {
            Log.debug(new Object[]{"Kerberos enabled in Hadoop configuration. Trying to login the (default) user."});
            loginUserFromKeytab = loginDefaultUser();
        } else {
            if (this._args.keytab_path == null) {
                throw new RuntimeException("Option keytab_path needs to be specified when option principal is given.");
            }
            if (this._args.principal == null) {
                throw new RuntimeException("Option principal needs to be specified when option keytab_path is given.");
            }
            Log.debug(new Object[]{"Kerberos enabled in Hadoop configuration. Trying to login user from keytab."});
            loginUserFromKeytab = loginUserFromKeytab(this._args.principal, this._args.keytab_path);
        }
        if (loginUserFromKeytab != null) {
            Log.info(new Object[]{"Kerberos subsystem initialized. Using user '" + loginUserFromKeytab.getShortUserName() + "'."});
        }
        if (this._args.hdfs_token_refresh_interval != null) {
            long parseRefreshIntervalToSecs = parseRefreshIntervalToSecs(this._args.hdfs_token_refresh_interval);
            Log.info(new Object[]{"HDFS token will be refreshed every " + parseRefreshIntervalToSecs + "s (user specified " + this._args.hdfs_token_refresh_interval + ")."});
            HdfsDelegationTokenRefresher.startRefresher(configuration, this._args.principal, this._args.keytab_path, parseRefreshIntervalToSecs);
        }
        initComponents(configuration, this._args);
    }

    static void initComponents(Configuration configuration, H2O.OptArgs optArgs) {
        List<StandaloneKerberosComponent> loadAll = StandaloneKerberosComponent.loadAll();
        Log.info(new Object[]{"Standalone Kerberos components: " + ((List) loadAll.stream().map((v0) -> {
            return v0.name();
        }).collect(Collectors.toList()))});
        for (StandaloneKerberosComponent standaloneKerberosComponent : loadAll) {
            Log.info(new Object[]{"Component " + standaloneKerberosComponent.name() + " " + (standaloneKerberosComponent.initComponent(configuration, optArgs) ? "successfully initialized" : "not active") + "."});
        }
    }

    private long parseRefreshIntervalToSecs(String str) {
        try {
            if (!str.contains("P")) {
                str = "PT" + str;
            }
            return Duration.parse(str.toLowerCase()).getSeconds();
        } catch (Exception e) {
            throw new IllegalArgumentException("Unable to parse refresh interval, got " + str + ". Example of correct specification '4H' (token will be refreshed every 4 hours).", e);
        }
    }

    private UserGroupInformation loginDefaultUser() {
        try {
            UserGroupInformation.loginUserFromSubject((Subject) null);
            return UserGroupInformation.getCurrentUser();
        } catch (IOException e) {
            Log.err(new Object[]{"Kerberos initialization FAILED. Kerberos ticket needs to be acquired before starting H2O (run kinit).", e});
            return null;
        }
    }

    private static UserGroupInformation loginUserFromKeytab(String str, String str2) {
        try {
            UserGroupInformation.loginUserFromKeytab(str, str2);
            return UserGroupInformation.getCurrentUser();
        } catch (IOException e) {
            throw new RuntimeException("Failed to login user " + str + " from keytab " + str2);
        }
    }

    private static boolean isKerberosEnabled(Configuration configuration) {
        return "kerberos".equals(configuration.get("hadoop.security.authentication"));
    }
}
