package org.apache.druid.security.ranger.authorizer;

import com.fasterxml.jackson.annotation.JacksonInject;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonTypeName;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import org.apache.druid.java.util.common.IAE;
import org.apache.druid.java.util.common.logger.Logger;
import org.apache.druid.security.ranger.authorizer.guice.Ranger;
import org.apache.druid.server.security.Access;
import org.apache.druid.server.security.Action;
import org.apache.druid.server.security.AuthenticationResult;
import org.apache.druid.server.security.Authorizer;
import org.apache.druid.server.security.Resource;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;

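/**
 * Druid {@link Authorizer} that delegates every access decision to an Apache Ranger plugin.
 *
 * <p>The authorizer trusts the identity carried by the {@link AuthenticationResult}; it performs no
 * authentication of its own. Decisions fail closed: a missing or negative Ranger result is reported
 * as {@code new Access(false)}.
 *
 * <p>Registered with Jackson under the type name {@code "ranger"}.
 */
@JsonTypeName("ranger")
public class RangerAuthorizer implements Authorizer {
    private static final Logger log = new Logger(RangerAuthorizer.class);
    public static final String RANGER_DRUID_SERVICETYPE = "druid";
    public static final String RANGER_DRUID_APPID = "druid";
    private final RangerBasePlugin rangerPlugin;
    private final boolean useUgi;

    /**
     * Creates the authorizer, optionally logs in from a Kerberos keytab, and initialises the Ranger plugin.
     *
     * @param keytab path of the keytab used for the login; may be {@code null}
     * @param principal principal to log in as; may be {@code null}
     * @param useUgi when {@code true}, group names are looked up through {@link UserGroupInformation}
     *     and passed to Ranger with each request
     * @param conf Hadoop configuration handed to {@link UserGroupInformation#setConfiguration}
     * @throws RuntimeException if the keytab login fails; the {@link IOException} is kept as the cause
     */
    @JsonCreator
    public RangerAuthorizer(@JsonProperty("keytab") String keytab, @JsonProperty("principal") String principal, @JsonProperty("use_ugi") boolean useUgi, @Ranger @JacksonInject Configuration conf) {
        this.useUgi = useUgi;
        // Static call: the configuration is installed on UserGroupInformation itself, not on this instance.
        UserGroupInformation.setConfiguration(conf);
        if (keytab != null && principal != null) {
            try {
                UserGroupInformation.loginUserFromKeytab(principal, keytab);
            } catch (IOException e) {
                // Keep the cause and say which login failed, so a bad keytab is diagnosable at startup.
                throw new RuntimeException("Keytab login failed for principal [" + principal + "]", e);
            }
        } else if (keytab != null || principal != null) {
            // Only one half of the pair was configured. The login is skipped (as before), but the
            // operator is told, because the plugin then runs without the intended Kerberos identity.
            log.warn(
                "Skipping keytab login: both 'keytab' and 'principal' must be set (keytab set: %s, principal set: %s)",
                keytab != null,
                principal != null
            );
        }
        this.rangerPlugin = new RangerBasePlugin(RANGER_DRUID_SERVICETYPE, RANGER_DRUID_APPID);
        this.rangerPlugin.init();
        // Every access result is passed to Ranger's default audit handler.
        this.rangerPlugin.setResultProcessor(new RangerDefaultAuditHandler());
    }

    /**
     * Asks Ranger whether the authenticated identity may perform {@code action} on {@code resource}.
     *
     * @param authenticationResult result of authentication; its identity is used as the Ranger user
     * @param resource resource being accessed
     * @param action action being attempted
     * @return {@code new Access(true)} only when Ranger returned a result that allows the access;
     *     {@code new Access(false)} when the result is {@code null} or denies it
     * @throws IAE if {@code authenticationResult} is {@code null}
     */
    @Override
    public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action) {
        if (authenticationResult == null) {
            throw new IAE("authenticationResult is null where it should never be.");
        }
        final String identity = authenticationResult.getIdentity();

        // Groups stay null unless UGI lookup is enabled and returns at least one group name.
        // NOTE(review): the names come from UserGroupInformation for the identity string as given;
        // confirm the configured group mapping is the authority Ranger policies expect.
        HashSet<String> userGroups = null;
        if (this.useUgi) {
            UserGroupInformation ugi = UserGroupInformation.createRemoteUser(identity);
            String[] groupNames = ugi != null ? ugi.getGroupNames() : null;
            if (groupNames != null && groupNames.length > 0) {
                userGroups = new HashSet<>(Arrays.asList(groupNames));
            }
        }

        RangerDruidAccessRequest request = new RangerDruidAccessRequest(new RangerDruidResource(resource), identity, userGroups, action);
        RangerAccessResult result = this.rangerPlugin.isAccessAllowed(request);
        if (log.isDebugEnabled()) {
            // The request's string form is written to the debug log together with the decision.
            log.debug("==> authorize: %s, allowed: %s", request.toString(), result != null ? result.getIsAllowed() : null);
        }

        // Fail closed: no result from the plugin is treated as a denial.
        return new Access(result != null && result.getIsAllowed());
    }
}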
