package co.cask.cdap.security.authorization;

import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.proto.id.InstanceId;
import co.cask.cdap.proto.id.NamespaceId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.security.spi.authorization.PrivilegesManager;
import com.google.common.base.Splitter;
import com.google.common.base.Throwables;
import com.google.inject.Inject;
import java.io.IOException;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.hadoop.security.UserGroupInformation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:co/cask/cdap/security/authorization/AuthorizationBootstrapper.class */
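/**
 * Grants the initial set of privileges needed when authorization is turned on.
 *
 * <p>When both {@code security.enabled} and {@code security.authorization.enabled} are true,
 * {@link #run()} grants privileges to the user the process runs as and to every user listed in
 * {@code security.authorization.admin.users}. That property therefore decides who receives
 * {@link Action#ADMIN} on the instance and on the default namespace, so it should be treated as
 * security-sensitive configuration.
 */
public class AuthorizationBootstrapper {
    private static final Logger LOG = LoggerFactory.getLogger(AuthorizationBootstrapper.class);
    // True only when both security and authorization are enabled in the configuration.
    private final boolean enabled;
    private final PrivilegesManager privilegesManager;
    // Principal built from the short name of the user this process currently runs as.
    private final Principal systemUser;
    // Principals parsed from the comma-separated admin-users property; may be empty.
    private final Set<Principal> adminUsers;
    private final InstanceId instanceId;

    /**
     * Reads the bootstrap settings from the configuration and resolves the system user.
     *
     * @param cConfiguration configuration holding the security flags, admin users and instance name
     * @param privilegesManager manager through which the grants in {@link #run()} are issued
     * @throws RuntimeException wrapping the {@link IOException} raised when the current user
     *     cannot be determined
     */
    @Inject
    AuthorizationBootstrapper(CConfiguration cConfiguration, PrivilegesManager privilegesManager) {
        this.enabled = cConfiguration.getBoolean("security.enabled") && cConfiguration.getBoolean("security.authorization.enabled");
        try {
            this.systemUser = new Principal(UserGroupInformation.getCurrentUser().getShortUserName(), Principal.PrincipalType.USER);
            this.adminUsers = getAdminUsers(cConfiguration);
            if (this.enabled && this.adminUsers.isEmpty()) {
                // NOTE(review): with authorization on and no admin users, only the system user
                // is granted anything by run(); consider whether this deserves WARN level.
                LOG.info("Admin users specified by {} is empty.", "security.authorization.admin.users");
            }
            this.instanceId = new InstanceId(cConfiguration.get("instance.name"));
            this.privilegesManager = privilegesManager;
        } catch (IOException e) {
            throw Throwables.propagate(e);
        }
    }

    /**
     * Issues the bootstrap grants; does nothing when authorization is disabled.
     *
     * <p>The system user receives {@link Action#ADMIN} on the instance and every action on the
     * system namespace. Each admin user receives {@link Action#ADMIN} on the instance and on the
     * default namespace. Grants are issued one after another and this method performs no
     * rollback, so a failure part-way through leaves the earlier grants in place.
     *
     * @throws RuntimeException if any grant fails (the cause is propagated)
     */
    public void run() {
        if (!this.enabled) {
            return;
        }
        LOG.debug("Bootstrapping authorization for CDAP instance: {}, system users: {} and admin users: {}", this.instanceId, this.systemUser, this.adminUsers);
        try {
            this.privilegesManager.grant(this.instanceId, this.systemUser, Collections.singleton(Action.ADMIN));
            this.privilegesManager.grant(NamespaceId.SYSTEM, this.systemUser, EnumSet.allOf(Action.class));
            for (Principal principal : this.adminUsers) {
                this.privilegesManager.grant(this.instanceId, principal, Collections.singleton(Action.ADMIN));
                this.privilegesManager.grant(NamespaceId.DEFAULT, principal, Collections.singleton(Action.ADMIN));
            }
            LOG.info("Successfully bootstrapped authorization for CDAP instance {}, system user {} and admin users: {}", this.instanceId, this.systemUser, this.adminUsers);
        } catch (Exception e) {
            throw Throwables.propagate(e);
        }
    }

    /**
     * Parses {@code security.authorization.admin.users} into a set of user principals.
     *
     * <p>The value is split on commas; entries are trimmed and empty entries are dropped. Names
     * are used as given, with no further validation in this method.
     *
     * @param cConfiguration configuration to read the property from
     * @return the configured admin principals, or an empty set when the property is unset
     */
    private Set<Principal> getAdminUsers(CConfiguration cConfiguration) {
        Set<Principal> admins = new HashSet<>();
        String configured = cConfiguration.get("security.authorization.admin.users");
        if (configured != null) {
            for (String name : Splitter.on(",").omitEmptyStrings().trimResults().split(configured)) {
                admins.add(new Principal(name, Principal.PrincipalType.USER));
            }
        }
        return admins;
    }
}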
