package org.apache.flink.runtime.security.modules;

import java.io.File;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Collection;
import javax.security.auth.Subject;
import org.apache.commons.lang3.StringUtils;
import org.apache.flink.annotation.VisibleForTesting;
import org.apache.flink.runtime.security.SecurityConfiguration;
import org.apache.flink.runtime.security.modules.SecurityModule;
import org.apache.flink.runtime.util.HadoopUtils;
import org.apache.flink.util.Preconditions;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/flink/runtime/security/modules/HadoopModule.class */
public class HadoopModule implements SecurityModule {
    private static final Logger LOG = LoggerFactory.getLogger(HadoopModule.class);
    private final SecurityConfiguration securityConfig;
    private final Configuration hadoopConfiguration;

    public HadoopModule(SecurityConfiguration securityConfiguration, Configuration configuration) {
        this.securityConfig = (SecurityConfiguration) Preconditions.checkNotNull(securityConfiguration);
        this.hadoopConfiguration = (Configuration) Preconditions.checkNotNull(configuration);
    }

    @VisibleForTesting
    public SecurityConfiguration getSecurityConfig() {
        return this.securityConfig;
    }

    @Override // org.apache.flink.runtime.security.modules.SecurityModule
    public void install() throws SecurityModule.SecurityInstallException {
        UserGroupInformation loginUser;
        UserGroupInformation.setConfiguration(this.hadoopConfiguration);
        try {
            if (!UserGroupInformation.isSecurityEnabled() || StringUtils.isBlank(this.securityConfig.getKeytab()) || StringUtils.isBlank(this.securityConfig.getPrincipal())) {
                try {
                    UserGroupInformation.class.getMethod("loginUserFromSubject", Subject.class).invoke(null, (Subject) null);
                } catch (NoSuchMethodException e) {
                    LOG.warn("Could not find method implementations in the shaded jar. Exception: {}", e);
                } catch (InvocationTargetException e2) {
                    throw e2.getTargetException();
                }
                loginUser = UserGroupInformation.getLoginUser();
                if (UserGroupInformation.isSecurityEnabled() && this.securityConfig.useTicketCache() && !loginUser.hasKerberosCredentials() && !HadoopUtils.hasHDFSDelegationToken()) {
                    LOG.warn("Hadoop security is enabled but current login user does not have Kerberos credentials");
                }
                LOG.info("Hadoop user set to {}", loginUser);
            }
            UserGroupInformation.loginUserFromKeytab(this.securityConfig.getPrincipal(), new File(this.securityConfig.getKeytab()).getAbsolutePath());
            loginUser = UserGroupInformation.getLoginUser();
            String str = System.getenv("HADOOP_TOKEN_FILE_LOCATION");
            if (str != null) {
                try {
                    try {
                        Credentials credentials = (Credentials) Credentials.class.getMethod("readTokenStorageFile", File.class, Configuration.class).invoke(null, new File(str), this.hadoopConfiguration);
                        Method method = Credentials.class.getMethod("getAllTokens", new Class[0]);
                        Credentials credentials2 = new Credentials();
                        Text text = new Text("HDFS_DELEGATION_TOKEN");
                        for (Token token : (Collection) method.invoke(credentials, new Object[0])) {
                            if (!token.getKind().equals(text)) {
                                credentials2.addToken(new Text(token.getIdentifier()), token);
                            }
                        }
                        UserGroupInformation.class.getMethod("addCredentials", Credentials.class).invoke(loginUser, credentials2);
                    } catch (InvocationTargetException e3) {
                        throw e3.getTargetException();
                    }
                } catch (NoSuchMethodException e4) {
                    LOG.warn("Could not find method implementations in the shaded jar. Exception: {}", e4);
                }
            }
            if (UserGroupInformation.isSecurityEnabled()) {
                LOG.warn("Hadoop security is enabled but current login user does not have Kerberos credentials");
            }
            LOG.info("Hadoop user set to {}", loginUser);
        } catch (Throwable th) {
            throw new SecurityModule.SecurityInstallException("Unable to set the Hadoop login user", th);
        }
    }

    @Override // org.apache.flink.runtime.security.modules.SecurityModule
    public void uninstall() throws SecurityModule.SecurityInstallException {
        throw new UnsupportedOperationException();
    }
}
