package org.apache.hadoop.hive.ql.exec.tez;

import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import jodd.util.StringPool;
import org.apache.commons.io.IOUtils;
import org.apache.flink.hive.shaded.com.google.common.base.Preconditions;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.ql.metadata.HiveException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.json.JSONException;
import org.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hive/ql/exec/tez/YarnQueueHelper.class */
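/**
 * Asks the YARN ResourceManager (RM) web service whether a user may access a queue.
 *
 * <p>The RM web addresses are read from {@code yarn.resourcemanager.webapp.address}. They are
 * tried in turn, starting with the address that answered most recently, until one of them returns
 * a usable answer.
 *
 * <p>NOTE(review): {@code lastKnownGoodUrl} is read and written without synchronization; confirm
 * whether instances are shared between threads.
 */
public class YarnQueueHelper {
    private static final Logger LOG = LoggerFactory.getLogger(YarnQueueHelper.class);
    private static final String PERMISSION_PATH = "/ws/v1/cluster/queues/%s/access?user=%s";
    /** Charset name used for URL encoding and for decoding RM response bodies. */
    private static final String UTF_8 = "UTF-8";
    private final String[] rmNodes;
    /** Index into {@link #rmNodes} of the RM that last returned a usable answer. */
    private int lastKnownGoodUrl;

    /**
     * Reads the RM web addresses from the configuration.
     *
     * @param hiveConf configuration holding {@code yarn.resourcemanager.webapp.address}
     * @throws IllegalArgumentException if no RM web address is configured
     */
    public YarnQueueHelper(HiveConf hiveConf) {
        this.rmNodes = hiveConf.getTrimmedStrings("yarn.resourcemanager.webapp.address");
        Preconditions.checkArgument(this.rmNodes != null && this.rmNodes.length > 0, "yarn.resourcemanager.webapp.address must be set to enable queue access checks");
        this.lastKnownGoodUrl = 0;
    }

    /**
     * Verifies that a user may access a YARN queue; returns normally only when an RM allows it.
     *
     * @param str the queue name
     * @param str2 the user name whose access is checked
     * @throws HiveException if an RM answered that the user has no access to the queue
     * @throws IOException if no configured RM returned a usable answer; the cause is the first
     *     failure seen
     */
    public void checkQueueAccess(String str, String str2) throws IOException, HiveException {
        final String queueName = str;
        final String userName = str2;
        // Both values end up inside the request URL. They are percent-encoded so that reserved
        // characters such as '/', '?', '&' or '#' in a name cannot alter which queue or which
        // user the RM is asked about; this request is the authorization decision itself.
        String urlSuffix = String.format(PERMISSION_PATH, encodeUrlComponent(queueName), encodeUrlComponent(userName));
        final int nodeCount = this.rmNodes.length;
        final int firstIndex = this.lastKnownGoodUrl;
        Exception firstError = null;
        for (int attempt = 0; attempt < nodeCount; attempt++) {
            int index = (firstIndex + attempt) % nodeCount;
            String node = this.rmNodes[index];
            String denial;
            try {
                // NOTE(review): the scheme is fixed to http, so the request and the RM's answer
                // are not protected by TLS. Confirm this matches the cluster's yarn.http.policy.
                denial = checkQueueAccessFromSingleRm("http://" + node + urlSuffix);
            } catch (Exception e) {
                // Any failure (I/O, authentication, malformed JSON) counts as "this RM is
                // unusable": remember the first one and move on to the next address.
                LOG.warn("Cannot check queue access against RM " + node, e);
                if (firstError == null) {
                    firstError = e;
                }
                continue;
            }
            this.lastKnownGoodUrl = index;
            if (denial == null) {
                // A null message means the RM allowed the access.
                return;
            }
            throw new HiveException(denial.isEmpty() ? userName + " has no access to " + queueName : denial);
        }
        // Every address failed, so access is not granted.
        throw new IOException("Cannot access any RM service; first error", firstError);
    }

    /**
     * Percent-encodes a value for use in the path or the query string of the access-check URL.
     *
     * @param value the raw value; {@code null} is encoded as the text {@code "null"}, which is
     *     what {@code String.format} would otherwise have inserted
     * @return the encoded value
     * @throws IOException if the UTF-8 charset is unavailable
     */
    private static String encodeUrlComponent(String value) throws IOException {
        // URLEncoder produces form encoding, where a space becomes '+'. A literal '+' in the
        // input is already escaped as %2B, so every '+' left in the output stands for a space and
        // can be rewritten to %20, which is valid in a path segment as well as in a query value.
        return URLEncoder.encode(String.valueOf(value), UTF_8).replace("+", "%20");
    }

    /**
     * Sends the access check to one RM.
     *
     * @param urlString the complete request URL
     * @return {@code null} if access is allowed, otherwise the denial message (possibly empty)
     * @throws IOException if the connection fails or the RM answers with a status other than 200
     */
    private String checkQueueAccessFromSingleRm(String urlString) throws IOException {
        URL url = new URL(urlString);
        // NOTE(review): no connect or read timeout is set on the connection, so an unresponsive
        // RM delays the failover to the next address.
        HttpURLConnection connection;
        if (UserGroupInformation.isSecurityEnabled()) {
            connection = getSecureConnection(url);
        } else {
            connection = (HttpURLConnection) url.openConnection();
        }
        int status = connection.getResponseCode();
        if (status == HttpURLConnection.HTTP_OK) {
            return processResponse(connection);
        }
        String hint = status == HttpURLConnection.HTTP_FORBIDDEN
                ? "check that the HiveServer2 principal is in the administrator list of the root YARN queue"
                : null;
        throw new IOException(handleUnexpectedStatusCode(connection, status, hint));
    }

    /**
     * Interprets the JSON body of a 200 response.
     *
     * @param connection the connection whose response code was 200
     * @return {@code null} if the {@code allowed} field is true, otherwise the
     *     {@code diagnostics} text, or an empty string when the RM supplied none
     * @throws IOException if the body is missing or cannot be read
     * @throws JSONException if the body is not JSON or has no boolean {@code allowed} field
     */
    private String processResponse(HttpURLConnection connection) throws IOException {
        String body;
        // Closing the stream releases the underlying connection once the body has been read.
        try (InputStream in = connection.getInputStream()) {
            if (in == null) {
                throw new IOException(handleUnexpectedStatusCode(connection, 200, "No input on successful API call"));
            }
            body = IOUtils.toString(in, UTF_8);
        }
        try {
            JSONObject answer = new JSONObject(body);
            if (answer.getBoolean("allowed")) {
                return null;
            }
            // getString() throws when the key is absent instead of returning null, which would
            // turn a denial without diagnostics into an "RM unusable" failure. optString() keeps
            // it a denial and lets the caller build the default message.
            return answer.optString("diagnostics", "");
        } catch (JSONException e) {
            LOG.error("Couldn't parse " + body, e);
            throw e;
        }
    }

    /**
     * Opens a connection through {@link AuthenticatedURL}; used when Hadoop security is enabled.
     *
     * @param url the request URL
     * @return the opened connection
     * @throws IOException if the connection or the authentication fails
     */
    private HttpURLConnection getSecureConnection(URL url) throws IOException {
        try {
            AuthenticatedURL.Token token = new AuthenticatedURL.Token();
            return new AuthenticatedURL().openConnection(url, token);
        } catch (AuthenticationException e) {
            throw new IOException(e);
        }
    }

    /**
     * Builds an error message for a response that could not be used.
     *
     * @param httpURLConnection the connection that produced the response
     * @param i the HTTP status code to report
     * @param str an optional hint appended after the status code; may be {@code null}
     * @return the message, followed by the response body when one could be read
     * @throws IOException declared for compatibility; a body that cannot be read is omitted
     */
    public String handleUnexpectedStatusCode(HttpURLConnection httpURLConnection, int i, String str) throws IOException {
        String message = "Received " + i + (str == null ? "" : " (" + str + StringPool.RIGHT_BRACKET);
        String body = null;
        try {
            body = readBody(httpURLConnection);
        } catch (IOException e) {
            // The body is only extra detail. Failing here would replace the status code and the
            // hint with an unrelated stream error, so report what is already known.
            LOG.debug("Could not read the response body for status " + i, e);
        }
        return body == null ? message : message + ": " + body;
    }

    /**
     * Reads the error stream of a response, or its input stream when there is no error stream.
     *
     * @param connection the connection to read from
     * @return the body text, or {@code null} if neither stream is available
     * @throws IOException if a stream cannot be opened or read
     */
    private static String readBody(HttpURLConnection connection) throws IOException {
        try (InputStream errorStream = connection.getErrorStream()) {
            if (errorStream != null) {
                return IOUtils.toString(errorStream, UTF_8);
            }
        }
        try (InputStream inputStream = connection.getInputStream()) {
            return inputStream == null ? null : IOUtils.toString(inputStream, UTF_8);
        }
    }
}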
