package co.cask.cdap.internal.app.namespace;

import co.cask.cdap.api.Predicate;
import co.cask.cdap.api.annotation.Name;
import co.cask.cdap.api.dataset.DatasetManagementException;
import co.cask.cdap.app.runtime.ProgramRuntimeService;
import co.cask.cdap.common.BadRequestException;
import co.cask.cdap.common.NamespaceAlreadyExistsException;
import co.cask.cdap.common.NamespaceCannotBeCreatedException;
import co.cask.cdap.common.NamespaceCannotBeDeletedException;
import co.cask.cdap.common.NamespaceNotFoundException;
import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.kerberos.SecurityUtil;
import co.cask.cdap.common.namespace.NamespaceAdmin;
import co.cask.cdap.common.security.AuthEnforce;
import co.cask.cdap.common.security.ImpersonationInfo;
import co.cask.cdap.common.security.Impersonator;
import co.cask.cdap.data2.dataset2.DatasetFramework;
import co.cask.cdap.internal.app.runtime.ProgramOptionConstants;
import co.cask.cdap.proto.NamespaceConfig;
import co.cask.cdap.proto.NamespaceMeta;
import co.cask.cdap.proto.ProgramType;
import co.cask.cdap.proto.id.InstanceId;
import co.cask.cdap.proto.id.NamespaceId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.security.spi.authentication.AuthenticationContext;
import co.cask.cdap.security.spi.authorization.AuthorizationEnforcer;
import co.cask.cdap.security.spi.authorization.PrivilegesManager;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import co.cask.cdap.store.NamespaceStore;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.base.Throwables;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.Iterables;
import com.google.common.collect.Lists;
import com.google.inject.Inject;
import com.google.inject.Provider;
import java.io.File;
import java.io.IOException;
import java.nio.file.Paths;
import java.util.EnumSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.regex.Pattern;
import javax.annotation.Nullable;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:co/cask/cdap/internal/app/namespace/DefaultNamespaceAdmin.class */
public final class DefaultNamespaceAdmin implements NamespaceAdmin {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultNamespaceAdmin.class);
    private static final Pattern NAMESPACE_PATTERN = Pattern.compile("[a-zA-Z0-9_]+");
    private final NamespaceStore nsStore;
    private final DatasetFramework dsFramework;
    private final Provider<NamespaceResourceDeleter> resourceDeleter;
    private final Provider<ProgramRuntimeService> runtimeService;
    private final Provider<StorageProviderNamespaceAdmin> storageProviderNamespaceAdmin;
    private final PrivilegesManager privilegesManager;
    private final AuthorizationEnforcer authorizationEnforcer;
    private final AuthenticationContext authenticationContext;
    private final InstanceId instanceId;
    private final Impersonator impersonator;
    private final CConfiguration cConf;
    private final LoadingCache<NamespaceId, NamespaceMeta> namespaceMetaCache = CacheBuilder.newBuilder().build(new CacheLoader<NamespaceId, NamespaceMeta>() { // from class: co.cask.cdap.internal.app.namespace.DefaultNamespaceAdmin.1
        public NamespaceMeta load(NamespaceId namespaceId) throws Exception {
            return DefaultNamespaceAdmin.this.fetchNamespaceMeta(namespaceId);
        }
    });
    private final String masterShortUserName;

    @Inject
    DefaultNamespaceAdmin(NamespaceStore namespaceStore, DatasetFramework datasetFramework, Provider<NamespaceResourceDeleter> provider, Provider<ProgramRuntimeService> provider2, Provider<StorageProviderNamespaceAdmin> provider3, PrivilegesManager privilegesManager, CConfiguration cConfiguration, Impersonator impersonator, AuthorizationEnforcer authorizationEnforcer, AuthenticationContext authenticationContext) {
        this.resourceDeleter = provider;
        this.nsStore = namespaceStore;
        this.dsFramework = datasetFramework;
        this.runtimeService = provider2;
        this.privilegesManager = privilegesManager;
        this.authenticationContext = authenticationContext;
        this.authorizationEnforcer = authorizationEnforcer;
        this.instanceId = createInstanceId(cConfiguration);
        this.storageProviderNamespaceAdmin = provider3;
        this.impersonator = impersonator;
        this.cConf = cConfiguration;
        String str = cConfiguration.get("cdap.master.kerberos.principal");
        try {
            if (SecurityUtil.isKerberosEnabled(cConfiguration)) {
                this.masterShortUserName = new KerberosName(str).getShortName();
            } else {
                this.masterShortUserName = null;
            }
        } catch (IOException e) {
            throw Throwables.propagate(e);
        }
    }

    @AuthEnforce(entities = {ProgramOptionConstants.INSTANCE_ID}, enforceOn = InstanceId.class, actions = {Action.ADMIN})
    public synchronized void create(final NamespaceMeta namespaceMeta) throws Exception {
        Preconditions.checkArgument(namespaceMeta != null, "Namespace metadata should not be null.");
        NamespaceId namespaceId = namespaceMeta.getNamespaceId();
        if (exists(namespaceId)) {
            throw new NamespaceAlreadyExistsException(namespaceId);
        }
        if (hasCustomMapping(namespaceMeta)) {
            validateCustomMapping(namespaceMeta);
        }
        this.privilegesManager.grant(namespaceId, this.authenticationContext.getPrincipal(), EnumSet.allOf(Action.class));
        this.privilegesManager.grant(namespaceId, new Principal(SecurityUtil.isKerberosEnabled(this.cConf) ? new KerberosName(new ImpersonationInfo(namespaceMeta, this.cConf).getPrincipal()).getShortName() : UserGroupInformation.getCurrentUser().getShortUserName(), Principal.PrincipalType.USER), EnumSet.allOf(Action.class));
        this.nsStore.create(namespaceMeta);
        try {
            this.impersonator.doAs(namespaceMeta, new Callable<Void>() { // from class: co.cask.cdap.internal.app.namespace.DefaultNamespaceAdmin.2
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.util.concurrent.Callable
                public Void call() throws Exception {
                    ((StorageProviderNamespaceAdmin) DefaultNamespaceAdmin.this.storageProviderNamespaceAdmin.get()).create(namespaceMeta);
                    return null;
                }
            });
        } catch (Throwable th) {
            deleteNamespaceMeta(namespaceMeta.getNamespaceId());
            this.privilegesManager.revoke(namespaceId);
            throw new NamespaceCannotBeCreatedException(namespaceId, th);
        }
    }

    private void validateCustomMapping(NamespaceMeta namespaceMeta) throws Exception {
        for (NamespaceMeta namespaceMeta2 : list()) {
            NamespaceConfig config = namespaceMeta2.getConfig();
            if (!Strings.isNullOrEmpty(namespaceMeta.getConfig().getHbaseNamespace()) && namespaceMeta.getConfig().getHbaseNamespace().equals(config.getHbaseNamespace())) {
                throw new BadRequestException(String.format("A namespace '%s' already exists with the given namespace mapping for hbase namespace '%s'", namespaceMeta2.getName(), config.getHbaseNamespace()));
            }
            if (!Strings.isNullOrEmpty(namespaceMeta.getConfig().getHiveDatabase()) && namespaceMeta.getConfig().getHiveDatabase().equals(config.getHiveDatabase())) {
                throw new BadRequestException(String.format("A namespace '%s' already exists with the given namespace mapping for hive database '%s'", namespaceMeta2.getName(), config.getHiveDatabase()));
            }
            if (!Strings.isNullOrEmpty(namespaceMeta.getConfig().getRootDirectory())) {
                validatePath(namespaceMeta.getName(), namespaceMeta.getConfig().getRootDirectory());
                if (hasSubDirRelationship(config.getRootDirectory(), namespaceMeta.getConfig().getRootDirectory())) {
                    throw new BadRequestException(String.format("Failed to create namespace %s with custom location %s. A namespace '%s' already exists with location '%s' and these two locations are have a subdirectory relationship.", namespaceMeta.getName(), namespaceMeta.getConfig().getRootDirectory(), namespaceMeta2.getName(), config.getRootDirectory()));
                }
            }
        }
    }

    private boolean hasSubDirRelationship(@Nullable String str, String str2) {
        return !Strings.isNullOrEmpty(str) && (Paths.get(str2, new String[0]).startsWith(str) || Paths.get(str, new String[0]).startsWith(str2));
    }

    private boolean hasCustomMapping(NamespaceMeta namespaceMeta) {
        NamespaceConfig config = namespaceMeta.getConfig();
        return (Strings.isNullOrEmpty(config.getRootDirectory()) && Strings.isNullOrEmpty(config.getHbaseNamespace()) && Strings.isNullOrEmpty(config.getHiveDatabase())) ? false : true;
    }

    private void validatePath(String str, String str2) throws IOException {
        File file = new File(str2);
        if (!file.isAbsolute()) {
            throw new IOException(String.format("Cannot create the namespace '%s' with the given custom location %s. Custom location must be absolute path.", str, file));
        }
    }

    @AuthEnforce(entities = {"namespaceId"}, enforceOn = NamespaceId.class, actions = {Action.ADMIN})
    public synchronized void delete(@Name("namespaceId") NamespaceId namespaceId) throws Exception {
        NamespaceMeta namespaceMeta = get(namespaceId);
        if (checkProgramsRunning(namespaceId)) {
            throw new NamespaceCannotBeDeletedException(namespaceId, String.format("Some programs are currently running in namespace '%s', please stop them before deleting namespace", namespaceId));
        }
        LOG.info("Deleting namespace '{}'.", namespaceId);
        try {
            ((NamespaceResourceDeleter) this.resourceDeleter.get()).deleteResources(namespaceMeta);
            if (NamespaceId.DEFAULT.equals(namespaceId)) {
                LOG.info("Keeping the '{}' namespace after removing all data.", NamespaceId.DEFAULT);
            } else {
                deleteNamespaceMeta(namespaceId);
                this.privilegesManager.revoke(namespaceId);
                LOG.info("Namespace '{}' deleted", namespaceId);
            }
        } catch (Exception e) {
            LOG.warn("Error while deleting namespace {}", namespaceId, e);
            throw new NamespaceCannotBeDeletedException(namespaceId, e);
        }
    }

    @AuthEnforce(entities = {"namespaceId"}, enforceOn = NamespaceId.class, actions = {Action.ADMIN})
    public synchronized void deleteDatasets(@Name("namespaceId") NamespaceId namespaceId) throws Exception {
        if (!exists(namespaceId)) {
            throw new NamespaceNotFoundException(namespaceId);
        }
        if (checkProgramsRunning(namespaceId)) {
            throw new NamespaceCannotBeDeletedException(namespaceId, String.format("Some programs are currently running in namespace '%s', please stop them before deleting datasets in the namespace.", namespaceId));
        }
        try {
            this.dsFramework.deleteAllInstances(namespaceId);
            LOG.debug("Deleted datasets in namespace '{}'.", namespaceId);
        } catch (DatasetManagementException | IOException e) {
            LOG.warn("Error while deleting datasets in namespace {}", namespaceId, e);
            throw new NamespaceCannotBeDeletedException(namespaceId, e);
        }
    }

    public synchronized void updateProperties(NamespaceId namespaceId, NamespaceMeta namespaceMeta) throws Exception {
        if (!exists(namespaceId)) {
            throw new NamespaceNotFoundException(namespaceId);
        }
        this.authorizationEnforcer.enforce(namespaceId, this.authenticationContext.getPrincipal(), Action.ADMIN);
        NamespaceMeta namespaceMeta2 = this.nsStore.get(namespaceId);
        Preconditions.checkNotNull(namespaceMeta2);
        NamespaceMeta.Builder builder = new NamespaceMeta.Builder(namespaceMeta2);
        if (namespaceMeta.getDescription() != null) {
            builder.setDescription(namespaceMeta.getDescription());
        }
        NamespaceConfig config = namespaceMeta.getConfig();
        if (config != null && !Strings.isNullOrEmpty(config.getSchedulerQueueName())) {
            builder.setSchedulerQueueName(config.getSchedulerQueueName());
        }
        Set difference = namespaceMeta2.getConfig().getDifference(config);
        if (!difference.isEmpty()) {
            throw new BadRequestException(String.format("Mappings %s for namespace %s cannot be updated once the namespace is created.", difference, namespaceId));
        }
        this.nsStore.update(builder.build());
        this.namespaceMetaCache.refresh(namespaceId);
    }

    public List<NamespaceMeta> list() throws Exception {
        List list = this.nsStore.list();
        final Predicate createFilter = this.authorizationEnforcer.createFilter(this.authenticationContext.getPrincipal());
        return Lists.newArrayList(Iterables.filter(list, new com.google.common.base.Predicate<NamespaceMeta>() { // from class: co.cask.cdap.internal.app.namespace.DefaultNamespaceAdmin.3
            public boolean apply(NamespaceMeta namespaceMeta) {
                return createFilter.apply(namespaceMeta.getNamespaceId());
            }
        }));
    }

    public NamespaceMeta get(NamespaceId namespaceId) throws Exception {
        try {
            NamespaceMeta namespaceMeta = (NamespaceMeta) this.namespaceMetaCache.get(namespaceId);
            Principal principal = this.authenticationContext.getPrincipal();
            if ((this.masterShortUserName == null || !this.masterShortUserName.equals(principal.getName())) && !this.authorizationEnforcer.createFilter(principal).apply(namespaceId)) {
                throw new UnauthorizedException(principal, namespaceId);
            }
            return namespaceMeta;
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if ((cause instanceof NamespaceNotFoundException) || (cause instanceof IOException) || (cause instanceof UnauthorizedException)) {
                throw ((Exception) cause);
            }
            throw e;
        }
    }

    public boolean exists(NamespaceId namespaceId) throws Exception {
        try {
            this.namespaceMetaCache.get(namespaceId);
            return true;
        } catch (ExecutionException e) {
            if (e.getCause() instanceof NamespaceNotFoundException) {
                return false;
            }
            throw e;
        }
    }

    @VisibleForTesting
    Map<NamespaceId, NamespaceMeta> getCache() {
        return this.namespaceMetaCache.asMap();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public NamespaceMeta fetchNamespaceMeta(NamespaceId namespaceId) throws Exception {
        NamespaceMeta namespaceMeta = this.nsStore.get(namespaceId);
        if (namespaceMeta == null) {
            throw new NamespaceNotFoundException(namespaceId);
        }
        return namespaceMeta;
    }

    private boolean checkProgramsRunning(final NamespaceId namespaceId) {
        return !Iterables.isEmpty(Iterables.filter(((ProgramRuntimeService) this.runtimeService.get()).listAll(ProgramType.values()), new com.google.common.base.Predicate<ProgramRuntimeService.RuntimeInfo>() { // from class: co.cask.cdap.internal.app.namespace.DefaultNamespaceAdmin.4
            public boolean apply(ProgramRuntimeService.RuntimeInfo runtimeInfo) {
                return runtimeInfo.getProgramId().getNamespaceId().equals(namespaceId);
            }
        }));
    }

    private InstanceId createInstanceId(CConfiguration cConfiguration) {
        String str = cConfiguration.get("instance.name");
        Preconditions.checkArgument(NAMESPACE_PATTERN.matcher(str).matches(), "CDAP instance name specified by '%s' in cdap-site.xml should be alphanumeric (underscores allowed). Its current invalid value is '%s'", new Object[]{"instance.name", str});
        return new InstanceId(str);
    }

    private void deleteNamespaceMeta(NamespaceId namespaceId) {
        this.nsStore.delete(namespaceId);
        this.namespaceMetaCache.invalidate(namespaceId);
    }
}
