package org.apache.falcon.security;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import org.apache.commons.lang.Validate;
import org.apache.commons.lang3.StringUtils;
import org.apache.falcon.FalconException;
import org.apache.falcon.cli.FalconCLI;
import org.apache.falcon.entity.EntityNotRegisteredException;
import org.apache.falcon.entity.EntityUtil;
import org.apache.falcon.entity.v0.AccessControlList;
import org.apache.falcon.entity.v0.Entity;
import org.apache.falcon.entity.v0.EntityType;
import org.apache.falcon.util.StartupProperties;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.oozie.client.OozieClient;
import org.apache.xerces.impl.Constants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/falcon-common-0.9.jar:org/apache/falcon/security/DefaultAuthorizationProvider.class */
public class DefaultAuthorizationProvider implements AuthorizationProvider {
    protected static final String FALCON_PREFIX = "falcon.security.authorization.";
    private static final String ADMIN_USERS_KEY = "falcon.security.authorization.admin.users";
    private static final String ADMIN_GROUPS_KEY = "falcon.security.authorization.admin.groups";
    private static final String SUPER_USER_GROUP_KEY = "falcon.security.authorization.superusergroup";
    private final String superUserGroup = StartupProperties.get().getProperty(SUPER_USER_GROUP_KEY);
    private final Set<String> adminUsers = getAdminNamesFromConfig(ADMIN_USERS_KEY);
    private final Set<String> adminGroups = getAdminNamesFromConfig(ADMIN_GROUPS_KEY);
    private static final Logger LOG = LoggerFactory.getLogger(DefaultAuthorizationProvider.class);
    private static final Set<String> RESOURCES = new HashSet(Arrays.asList("admin", Constants.DOM_ENTITIES, FalconCLI.INSTANCE_CMD, FalconCLI.METADATA_CMD));
    protected static final String SUPER_USER = System.getProperty(OozieClient.USER_NAME);

    private Set<String> getAdminNamesFromConfig(String str) {
        HashSet hashSet = new HashSet();
        String property = StartupProperties.get().getProperty(str);
        if (!StringUtils.isEmpty(property)) {
            hashSet.addAll(Arrays.asList(property.split(",")));
        }
        return Collections.unmodifiableSet(hashSet);
    }

    @Override // org.apache.falcon.security.AuthorizationProvider
    public boolean isSuperUser(UserGroupInformation userGroupInformation) {
        return SUPER_USER.equals(userGroupInformation.getShortUserName()) || (!StringUtils.isEmpty(this.superUserGroup) && isUserInGroup(this.superUserGroup, userGroupInformation));
    }

    @Override // org.apache.falcon.security.AuthorizationProvider
    public boolean shouldProxy(UserGroupInformation userGroupInformation, String str, String str2) throws IOException {
        Validate.notNull(userGroupInformation, "User cannot be empty or null");
        Validate.notEmpty(str, "User cannot be empty or null");
        Validate.notEmpty(str2, "Group cannot be empty or null");
        return isSuperUser(userGroupInformation) || (!isUserACLOwner(userGroupInformation.getShortUserName(), str) && isUserInGroup(str2, userGroupInformation));
    }

    @Override // org.apache.falcon.security.AuthorizationProvider
    public void authorizeResource(String str, String str2, String str3, String str4, UserGroupInformation userGroupInformation) throws AuthorizationException, EntityNotRegisteredException {
        Validate.notEmpty(str, "Resource cannot be empty or null");
        Validate.isTrue(RESOURCES.contains(str), "Illegal resource: " + str);
        Validate.notEmpty(str2, "Action cannot be empty or null");
        try {
            if (isSuperUser(userGroupInformation)) {
                return;
            }
            if ("admin".equals(str)) {
                if (!"version".equals(str2) && !"clearuser".equals(str2) && !"getuser".equals(str2)) {
                    authorizeAdminResource(userGroupInformation, str2);
                }
            } else if (Constants.DOM_ENTITIES.equals(str) || FalconCLI.INSTANCE_CMD.equals(str)) {
                authorizeEntityResource(userGroupInformation, str4, str3, str2);
            } else if (FalconCLI.METADATA_CMD.equals(str)) {
                authorizeMetadataResource(userGroupInformation, str2);
            }
        } catch (IOException e) {
            throw new AuthorizationException(e);
        }
    }

    protected Set<String> getGroupNames(UserGroupInformation userGroupInformation) {
        return new HashSet(Arrays.asList(userGroupInformation.getGroupNames()));
    }

    @Override // org.apache.falcon.security.AuthorizationProvider
    public void authorizeEntity(String str, String str2, AccessControlList accessControlList, String str3, UserGroupInformation userGroupInformation) throws AuthorizationException {
        try {
            LOG.info("Authorizing authenticatedUser={}, action={}, entity={}, type{}", userGroupInformation.getShortUserName(), str3, str, str2);
            if (isSuperUser(userGroupInformation)) {
                return;
            }
            checkUser(str, accessControlList.getOwner(), accessControlList.getGroup(), str3, userGroupInformation);
        } catch (IOException e) {
            throw new AuthorizationException(e);
        }
    }

    protected void checkUser(String str, String str2, String str3, String str4, UserGroupInformation userGroupInformation) throws AuthorizationException {
        String shortUserName = userGroupInformation.getShortUserName();
        if (isUserACLOwner(shortUserName, str2) || isUserInGroup(str3, userGroupInformation)) {
            return;
        }
        StringBuilder sb = new StringBuilder("Permission denied: authenticatedUser=");
        sb.append(shortUserName);
        sb.append(!shortUserName.equals(str2) ? " not entity owner=" + str2 : " not in group=" + str3);
        sb.append(", entity=").append(str).append(", action=").append(str4);
        LOG.error(sb.toString());
        throw new AuthorizationException(sb.toString());
    }

    protected boolean isUserACLOwner(String str, String str2) {
        return str.equals(str2);
    }

    protected boolean isUserInGroup(String str, UserGroupInformation userGroupInformation) {
        return getGroupNames(userGroupInformation).contains(str);
    }

    protected void authorizeAdminResource(UserGroupInformation userGroupInformation, String str) throws AuthorizationException {
        String shortUserName = userGroupInformation.getShortUserName();
        LOG.debug("Authorizing user={} for admin, action={}", shortUserName, str);
        if (this.adminUsers.contains(shortUserName) || isUserInAdminGroups(userGroupInformation)) {
            return;
        }
        LOG.error("Permission denied: user {} does not have admin privilege for action={}", shortUserName, str);
        throw new AuthorizationException("Permission denied: user=" + shortUserName + " does not have admin privilege for action=" + str);
    }

    protected boolean isUserInAdminGroups(UserGroupInformation userGroupInformation) {
        Set<String> groupNames = getGroupNames(userGroupInformation);
        groupNames.retainAll(this.adminGroups);
        return !groupNames.isEmpty();
    }

    protected void authorizeEntityResource(UserGroupInformation userGroupInformation, String str, String str2, String str3) throws AuthorizationException, EntityNotRegisteredException {
        Validate.notEmpty(str2, "Entity type cannot be empty or null");
        LOG.debug("Authorizing authenticatedUser={} against entity/instance action={}, entity name={}, entity type={}", userGroupInformation.getShortUserName(), str3, str, str2);
        if (str == null) {
            LOG.info("Authorization for action={} will be done in the API", str3);
        } else {
            Entity entity = getEntity(str, str2);
            authorizeEntity(entity.getName(), entity.getEntityType().name(), entity.getACL(), str3, userGroupInformation);
        }
    }

    private Entity getEntity(String str, String str2) throws EntityNotRegisteredException, AuthorizationException {
        try {
            return EntityUtil.getEntity(EntityType.getEnum(str2), str);
        } catch (FalconException e) {
            if (e instanceof EntityNotRegisteredException) {
                throw ((EntityNotRegisteredException) e);
            }
            throw new AuthorizationException(e);
        }
    }

    protected void authorizeMetadataResource(UserGroupInformation userGroupInformation, String str) throws AuthorizationException {
        LOG.debug("User {} authorized for action {} ", userGroupInformation.getShortUserName(), str);
    }
}
