package co.cask.cdap.common.security;

import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.kerberos.SecurityUtil;
import co.cask.cdap.common.namespace.NamespaceQueryAdmin;
import co.cask.cdap.proto.NamespaceMeta;
import co.cask.cdap.proto.id.NamespaceId;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Throwables;
import com.google.inject.Inject;
import java.io.IOException;
import java.util.concurrent.Callable;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:co/cask/cdap/common/security/DefaultImpersonator.class */
public class DefaultImpersonator implements Impersonator {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultImpersonator.class);
    private final CConfiguration cConf;
    private final NamespaceQueryAdmin namespaceQueryAdmin;
    private final boolean kerberosEnabled;
    private final UGIProvider ugiProvider;

    @VisibleForTesting
    @Inject
    public DefaultImpersonator(CConfiguration cConfiguration, UGIProvider uGIProvider, NamespaceQueryAdmin namespaceQueryAdmin) {
        this.cConf = cConfiguration;
        this.namespaceQueryAdmin = namespaceQueryAdmin;
        this.ugiProvider = uGIProvider;
        this.kerberosEnabled = SecurityUtil.isKerberosEnabled(cConfiguration);
    }

    @Override // co.cask.cdap.common.security.Impersonator
    public <T> T doAs(NamespaceId namespaceId, Callable<T> callable) throws Exception {
        return (T) ImpersonationUtils.doAs(getUGI(namespaceId), callable);
    }

    @Override // co.cask.cdap.common.security.Impersonator
    public <T> T doAs(NamespaceMeta namespaceMeta, Callable<T> callable) throws Exception {
        return (T) ImpersonationUtils.doAs(getUGI(namespaceMeta), callable);
    }

    @Override // co.cask.cdap.common.security.Impersonator
    public UserGroupInformation getUGI(NamespaceId namespaceId) throws IOException {
        if (!this.kerberosEnabled || NamespaceId.SYSTEM.equals(namespaceId)) {
            return UserGroupInformation.getCurrentUser();
        }
        try {
            return getUGI(this.namespaceQueryAdmin.get(namespaceId.toId()));
        } catch (Exception e) {
            Throwables.propagateIfInstanceOf(e, IOException.class);
            throw Throwables.propagate(e);
        }
    }

    private UserGroupInformation getUGI(NamespaceMeta namespaceMeta) throws IOException {
        return (!this.kerberosEnabled || NamespaceId.SYSTEM.equals(namespaceMeta.getNamespaceId())) ? UserGroupInformation.getCurrentUser() : getUGI(new ImpersonationInfo(namespaceMeta, this.cConf));
    }

    private UserGroupInformation getUGI(ImpersonationInfo impersonationInfo) throws IOException {
        if (!UserGroupInformation.getCurrentUser().getShortUserName().equals(new KerberosName(impersonationInfo.getPrincipal()).getShortName())) {
            return this.ugiProvider.getConfiguredUGI(impersonationInfo);
        }
        LOG.debug("Requested UGI {} is same as calling UGI. Simply returning current user: {}", impersonationInfo.getPrincipal(), UserGroupInformation.getCurrentUser());
        return UserGroupInformation.getCurrentUser();
    }
}
