package org.apache.hadoop.registry.client.impl.zk;

import java.io.File;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;
import java.util.Locale;
import java.util.concurrent.CopyOnWriteArrayList;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.math3.geometry.VectorFormat;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.metrics2.sink.ganglia.AbstractGangliaSink;
import org.apache.hadoop.registry.client.api.RegistryConstants;
import org.apache.hadoop.security.KDiag;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.hadoop.service.AbstractService;
import org.apache.hadoop.service.ServiceStateException;
import org.apache.hadoop.thirdparty.com.google.common.base.Preconditions;
import org.apache.hadoop.thirdparty.com.google.common.base.Splitter;
import org.apache.hadoop.thirdparty.com.google.common.collect.Lists;
import org.apache.hadoop.util.PlatformName;
import org.apache.hadoop.util.ZKUtil;
import org.apache.kerby.kerberos.kerb.client.jaas.TokenAuthLoginModule;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/hadoop-registry-3.3.2.jar:org/apache/hadoop/registry/client/impl/zk/RegistrySecurity.class */
public class RegistrySecurity extends AbstractService {
    public static final String E_UNKNOWN_AUTHENTICATION_MECHANISM = "Unknown/unsupported authentication mechanism; ";
    public static final String E_NO_USER_DETERMINED_FOR_ACLS = "No user for ACLs determinable from current user or registry option hadoop.registry.user.accounts";
    public static final String E_NO_KERBEROS = "Registry security is enabled -but Hadoop security is not enabled";
    private AccessPolicy access;
    private String digestAuthUser;
    private String digestAuthPassword;
    private byte[] digestAuthData;
    private boolean secureRegistry;
    public static final List<ACL> WorldReadWriteACL;
    private final List<ACL> systemACLs;
    private boolean usesRealm;
    private final List<ACL> digestACLs;
    private String kerberosRealm;
    private String jaasClientEntry;
    private String jaasClientIdentity;
    private String principal;
    private String keytab;
    private static final String JAAS_ENTRY;
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) RegistrySecurity.class);
    public static final ACL ALL_READWRITE_ACCESS = new ACL(31, ZooDefs.Ids.ANYONE_ID_UNSAFE);
    public static final ACL ALL_READ_ACCESS = new ACL(1, ZooDefs.Ids.ANYONE_ID_UNSAFE);

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/hadoop-registry-3.3.2.jar:org/apache/hadoop/registry/client/impl/zk/RegistrySecurity$AccessPolicy.class */
    public enum AccessPolicy {
        anon,
        sasl,
        digest,
        simple
    }

    /* loaded from: input_file:WEB-INF/lib/hadoop-registry-3.3.2.jar:org/apache/hadoop/registry/client/impl/zk/RegistrySecurity$AclListInfo.class */
    public static class AclListInfo {
        public final List<ACL> acls;

        public AclListInfo(List<ACL> list) {
            this.acls = list;
        }

        public String toString() {
            return RegistrySecurity.aclsToString(this.acls);
        }
    }

    @InterfaceAudience.Private
    /* loaded from: input_file:WEB-INF/lib/hadoop-registry-3.3.2.jar:org/apache/hadoop/registry/client/impl/zk/RegistrySecurity$JaasConfiguration.class */
    public static class JaasConfiguration extends Configuration {
        private final Configuration baseConfig = Configuration.getConfiguration();
        private static AppConfigurationEntry[] entry;
        private String entryName;

        public JaasConfiguration(String str, String str2, String str3) {
            this.entryName = str;
            HashMap hashMap = new HashMap();
            hashMap.put("keyTab", str3);
            hashMap.put(TokenAuthLoginModule.PRINCIPAL, str2);
            hashMap.put("useKeyTab", "true");
            hashMap.put("storeKey", "true");
            hashMap.put("useTicketCache", "false");
            hashMap.put("refreshKrb5Config", "true");
            String str4 = System.getenv(KDiag.HADOOP_JAAS_DEBUG);
            if (str4 != null && "true".equalsIgnoreCase(str4)) {
                hashMap.put("debug", "true");
            }
            entry = new AppConfigurationEntry[]{new AppConfigurationEntry(getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, hashMap)};
        }

        public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
            if (this.entryName.equals(str)) {
                return entry;
            }
            if (this.baseConfig != null) {
                return this.baseConfig.getAppConfigurationEntry(str);
            }
            return null;
        }

        private String getKrb5LoginModuleName() {
            return System.getProperty("java.vendor").contains("IBM") ? "com.ibm.security.auth.module.Krb5LoginModule" : "com.sun.security.auth.module.Krb5LoginModule";
        }
    }

    /* loaded from: input_file:WEB-INF/lib/hadoop-registry-3.3.2.jar:org/apache/hadoop/registry/client/impl/zk/RegistrySecurity$UgiInfo.class */
    public static class UgiInfo {
        private final UserGroupInformation ugi;

        public static UgiInfo fromCurrentUser() {
            try {
                return new UgiInfo(UserGroupInformation.getCurrentUser());
            } catch (IOException e) {
                RegistrySecurity.LOG.info("Failed to get current user {}", e, e);
                return new UgiInfo(null);
            }
        }

        public UgiInfo(UserGroupInformation userGroupInformation) {
            this.ugi = userGroupInformation;
        }

        public String toString() {
            if (this.ugi == null) {
                return "(null ugi)";
            }
            StringBuilder sb = new StringBuilder();
            sb.append(this.ugi.getUserName()).append(": ");
            sb.append(this.ugi.toString());
            sb.append(" hasKerberosCredentials=").append(this.ugi.hasKerberosCredentials());
            sb.append(" isFromKeytab=").append(this.ugi.isFromKeytab());
            sb.append(" kerberos is enabled in Hadoop =").append(UserGroupInformation.isSecurityEnabled());
            return sb.toString();
        }
    }

    public RegistrySecurity(String str) {
        super(str);
        this.systemACLs = new ArrayList();
        this.usesRealm = true;
        this.digestACLs = new ArrayList();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.hadoop.service.AbstractService
    public void serviceInit(org.apache.hadoop.conf.Configuration configuration) throws Exception {
        super.serviceInit(configuration);
        String trimmed = configuration.getTrimmed(RegistryConstants.KEY_REGISTRY_CLIENT_AUTH, "");
        boolean z = -1;
        switch (trimmed.hashCode()) {
            case -1331913276:
                if (trimmed.equals("digest")) {
                    z = true;
                    break;
                }
                break;
            case -902286926:
                if (trimmed.equals("simple")) {
                    z = 3;
                    break;
                }
                break;
            case 0:
                if (trimmed.equals("")) {
                    z = 2;
                    break;
                }
                break;
            case 303053659:
                if (trimmed.equals("kerberos")) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                this.access = AccessPolicy.sasl;
                break;
            case true:
                this.access = AccessPolicy.digest;
                break;
            case true:
                this.access = AccessPolicy.anon;
                break;
            case true:
                this.access = AccessPolicy.simple;
                break;
            default:
                throw new ServiceStateException("Unknown/unsupported authentication mechanism; \"" + trimmed + "\"");
        }
        initSecurity();
    }

    private void initSecurity() throws IOException {
        ACL createSaslACLFromCurrentUser;
        this.secureRegistry = getConfig().getBoolean(RegistryConstants.KEY_REGISTRY_SECURE, false);
        this.systemACLs.clear();
        if (!this.secureRegistry) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Registry has no security");
            }
            this.systemACLs.addAll(WorldReadWriteACL);
            return;
        }
        addSystemACL(ALL_READ_ACCESS);
        this.kerberosRealm = getConfig().get(RegistryConstants.KEY_REGISTRY_KERBEROS_REALM, getDefaultRealmInJVM());
        String orFail = getOrFail(RegistryConstants.KEY_REGISTRY_SYSTEM_ACCOUNTS, RegistryConstants.DEFAULT_REGISTRY_SYSTEM_ACCOUNTS);
        this.usesRealm = orFail.contains("@");
        this.systemACLs.addAll(buildACLs(orFail, this.kerberosRealm, 31));
        LOG.info("Registry default system acls: " + System.lineSeparator() + this.systemACLs);
        List<ACL> buildACLs = buildACLs(getConfig().get(RegistryConstants.KEY_REGISTRY_USER_ACCOUNTS, ""), this.kerberosRealm, 31);
        if (UserGroupInformation.isSecurityEnabled() && (createSaslACLFromCurrentUser = createSaslACLFromCurrentUser(31)) != null) {
            buildACLs.add(createSaslACLFromCurrentUser);
        }
        LOG.info("Registry User ACLs " + System.lineSeparator() + buildACLs);
        switch (this.access) {
            case sasl:
                if (!UserGroupInformation.isSecurityEnabled()) {
                    throw new IOException("Kerberos required for secure registry access");
                }
                UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
                this.jaasClientEntry = getOrFail(RegistryConstants.KEY_REGISTRY_CLIENT_JAAS_CONTEXT, "Client");
                this.jaasClientIdentity = currentUser.getShortUserName();
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Auth is SASL user=\"{}\" JAAS context=\"{}\"", this.jaasClientIdentity, this.jaasClientEntry);
                    break;
                }
                break;
            case digest:
                String orFail2 = getOrFail(RegistryConstants.KEY_REGISTRY_CLIENT_AUTHENTICATION_ID, "");
                String orFail3 = getOrFail(RegistryConstants.KEY_REGISTRY_CLIENT_AUTHENTICATION_PASSWORD, "");
                if (!buildACLs.isEmpty()) {
                    digest(orFail2, orFail3);
                    ACL acl = new ACL(31, toDigestId(orFail2, orFail3));
                    buildACLs.add(acl);
                    this.digestAuthUser = orFail2;
                    this.digestAuthPassword = orFail3;
                    this.digestAuthData = (orFail2 + ":" + orFail3).getBytes("UTF-8");
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Auth is Digest ACL: {}", aclToString(acl));
                        break;
                    }
                } else {
                    throw new ServiceStateException(E_NO_USER_DETERMINED_FOR_ACLS);
                }
                break;
            case anon:
            case simple:
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Auth is anonymous");
                }
                buildACLs = new ArrayList(0);
                break;
        }
        this.systemACLs.addAll(buildACLs);
    }

    public void addSystemACL(ACL acl) {
        this.systemACLs.add(acl);
    }

    public boolean addDigestACL(ACL acl) {
        if (this.secureRegistry) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Added ACL {}", aclToString(acl));
            }
            this.digestACLs.add(acl);
            return true;
        }
        if (!LOG.isDebugEnabled()) {
            return false;
        }
        LOG.debug("Ignoring added ACL - registry is insecure{}", aclToString(acl));
        return false;
    }

    public void resetDigestACLs() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Cleared digest ACLs");
        }
        this.digestACLs.clear();
    }

    public boolean isSecureRegistry() {
        return this.secureRegistry;
    }

    public List<ACL> getSystemACLs() {
        Preconditions.checkNotNull(this.systemACLs, "registry security is uninitialized");
        return Collections.unmodifiableList(this.systemACLs);
    }

    public List<ACL> getClientACLs() {
        ArrayList arrayList = new ArrayList(this.systemACLs);
        arrayList.addAll(this.digestACLs);
        return arrayList;
    }

    public ACL createSaslACLFromCurrentUser(int i) throws IOException {
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        if (currentUser.hasKerberosCredentials()) {
            return createSaslACL(currentUser, i);
        }
        return null;
    }

    public ACL createSaslACL(UserGroupInformation userGroupInformation, int i) {
        return new ACL(i, new Id(ZookeeperConfigOptions.SCHEME_SASL, this.usesRealm ? userGroupInformation.getUserName() : userGroupInformation.getShortUserName()));
    }

    private String getOrFail(String str, String str2) throws IOException {
        String str3 = getConfig().get(str, str2);
        if (StringUtils.isEmpty(str3)) {
            throw new IOException("Missing value for configuration option " + str);
        }
        return str3;
    }

    public boolean isValid(String str) {
        String[] split = str.split(":");
        return (split.length != 2 || StringUtils.isEmpty(split[0]) || StringUtils.isEmpty(split[1])) ? false : true;
    }

    public String getKerberosRealm() {
        return this.kerberosRealm;
    }

    public String digest(String str) throws IOException {
        if (StringUtils.isEmpty(str) || !isValid(str)) {
            throw new IOException("Invalid id:password");
        }
        try {
            return DigestAuthenticationProvider.generateDigest(str);
        } catch (NoSuchAlgorithmException e) {
            throw new IOException(e.toString(), e);
        }
    }

    public String digest(String str, String str2) throws IOException {
        return digest(str + ":" + str2);
    }

    public Id toDigestId(String str) {
        return new Id("digest", str);
    }

    public Id toDigestId(String str, String str2) throws IOException {
        return toDigestId(digest(str, str2));
    }

    public List<String> splitAclPairs(String str, String str2) {
        ArrayList newArrayList = Lists.newArrayList(Splitter.on(',').omitEmptyStrings().trimResults().split(str));
        ListIterator listIterator = newArrayList.listIterator();
        while (listIterator.hasNext()) {
            String str3 = (String) listIterator.next();
            if (str3.startsWith("sasl:") && str3.endsWith("@")) {
                listIterator.set(str3 + str2);
            }
        }
        return newArrayList;
    }

    public Id parse(String str, String str2) {
        int indexOf = str.indexOf(58);
        int lastIndexOf = str.lastIndexOf(58);
        if (indexOf == -1 || lastIndexOf == -1 || indexOf != lastIndexOf) {
            throw new IllegalArgumentException("ACL '" + str + "' not of expected form scheme:id");
        }
        String substring = str.substring(0, indexOf);
        String substring2 = str.substring(indexOf + 1);
        if (substring2.endsWith("@")) {
            Preconditions.checkArgument(StringUtils.isNotEmpty(str2), "@ suffixed account but no realm %s", substring2);
            substring2 = substring2 + str2;
        }
        return new Id(substring, substring2);
    }

    public List<ACL> buildACLs(String str, String str2, int i) throws IOException {
        List<String> splitAclPairs = splitAclPairs(str, str2);
        ArrayList arrayList = new ArrayList(splitAclPairs.size());
        for (String str3 : splitAclPairs) {
            ACL acl = new ACL();
            acl.setId(parse(str3, str2));
            acl.setPerms(i);
            arrayList.add(acl);
        }
        return arrayList;
    }

    public List<ACL> parseACLs(String str) throws IOException {
        try {
            return ZKUtil.parseACLs(ZKUtil.resolveConfIndirection(str));
        } catch (ZKUtil.BadAclFormatException e) {
            throw new IOException("Parsing " + str + " :" + e, e);
        }
    }

    public static String getKerberosAuthModuleForJVM() {
        return System.getProperty("java.vendor").contains("IBM") ? "com.ibm.security.auth.module.Krb5LoginModule" : "com.sun.security.auth.module.Krb5LoginModule";
    }

    public String createJAASEntry(String str, String str2, File file) {
        Preconditions.checkArgument(StringUtils.isNotEmpty(str2), "invalid principal");
        Preconditions.checkArgument(StringUtils.isNotEmpty(str), "invalid context");
        Preconditions.checkArgument(file != null && file.isFile(), "Keytab null or missing: ");
        return String.format(Locale.ENGLISH, JAAS_ENTRY, str, getKerberosAuthModuleForJVM(), file.getAbsolutePath().replace('\\', '/'), str2);
    }

    public static void bindJVMtoJAASFile(File file) {
        String absolutePath = file.getAbsolutePath();
        if (LOG.isDebugEnabled()) {
            LOG.debug("Binding {} to {}", "java.security.auth.login.config", absolutePath);
        }
        System.setProperty("java.security.auth.login.config", absolutePath);
    }

    public static void bindZKToServerJAASContext(String str) {
        System.setProperty("zookeeper.sasl.serverconfig", str);
    }

    public static void clearJaasSystemProperties() {
        System.clearProperty("java.security.auth.login.config");
    }

    public static AppConfigurationEntry[] validateContext(String str) {
        if (str == null) {
            throw new RuntimeException("Null context argument");
        }
        if (str.isEmpty()) {
            throw new RuntimeException("Empty context argument");
        }
        AppConfigurationEntry[] appConfigurationEntry = Configuration.getConfiguration().getAppConfigurationEntry(str);
        if (appConfigurationEntry == null) {
            throw new RuntimeException(String.format("Entry \"%s\" not found; JAAS config = %s", str, describeProperty("java.security.auth.login.config")));
        }
        return appConfigurationEntry;
    }

    public void applySecurityEnvironment(CuratorFrameworkFactory.Builder builder) throws IOException {
        if (isSecureRegistry()) {
            switch (this.access) {
                case sasl:
                    String property = System.getProperty("java.security.auth.login.config");
                    if (property != null && !property.isEmpty()) {
                        LOG.info("Using existing ZK sasl configuration: jaasClientEntry = " + System.getProperty("zookeeper.sasl.clientconfig", "Client") + ", sasl client = " + System.getProperty("zookeeper.sasl.client", "true") + ", jaas = " + property);
                        return;
                    }
                    if (this.principal == null || this.keytab == null) {
                        throw new IOException("SASL is configured for registry, but neither keytab/principal nor java.security.auth.login.config system property are specified");
                    }
                    LOG.info("Enabling ZK sasl client: jaasClientEntry = " + this.jaasClientEntry + ", principal = " + this.principal + ", keytab = " + this.keytab);
                    Configuration.setConfiguration(new JaasConfiguration(this.jaasClientEntry, this.principal, this.keytab));
                    setSystemPropertyIfUnset("zookeeper.sasl.client", "true");
                    setSystemPropertyIfUnset("zookeeper.sasl.clientconfig", this.jaasClientEntry);
                    return;
                case digest:
                    clearZKSaslClientProperties();
                    builder.authorization("digest", this.digestAuthData);
                    return;
                case anon:
                    clearZKSaslClientProperties();
                    return;
                default:
                    clearZKSaslClientProperties();
                    return;
            }
        }
    }

    public void setKerberosPrincipalAndKeytab(String str, String str2) {
        this.principal = str;
        this.keytab = str2;
    }

    public static void setZKSaslClientProperties(String str, String str2) {
        validateContext(str2);
        enableZookeeperClientSASL();
        setSystemPropertyIfUnset("zookeeper.sasl.client.username", str);
        setSystemPropertyIfUnset("zookeeper.sasl.clientconfig", str2);
    }

    private static void setSystemPropertyIfUnset(String str, String str2) {
        String property = System.getProperty(str);
        if (property == null || property.isEmpty()) {
            System.setProperty(str, str2);
        }
    }

    public static void clearZKSaslClientProperties() {
        disableZookeeperClientSASL();
        System.clearProperty("zookeeper.sasl.clientconfig");
        System.clearProperty("zookeeper.sasl.client.username");
    }

    protected static void enableZookeeperClientSASL() {
        System.setProperty("zookeeper.sasl.client", "true");
    }

    public static void disableZookeeperClientSASL() {
        System.setProperty("zookeeper.sasl.client", "false");
    }

    public static boolean isClientSASLEnabled() {
        return Boolean.parseBoolean(System.getProperty("zookeeper.sasl.client", "true"));
    }

    public void logCurrentHadoopUser() {
        try {
            UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
            LOG.info("Current user = {}", currentUser);
            LOG.info("Real User = {}", currentUser.getRealUser());
        } catch (IOException e) {
            LOG.warn("Failed to get current user, {}", (Throwable) e);
        }
    }

    public static String aclsToString(List<ACL> list) {
        StringBuilder sb = new StringBuilder();
        if (list == null) {
            sb.append("null ACL");
        } else {
            sb.append('\n');
            Iterator<ACL> it = list.iterator();
            while (it.hasNext()) {
                sb.append(aclToString(it.next())).append(" ");
            }
        }
        return sb.toString();
    }

    public static String aclToString(ACL acl) {
        return String.format(Locale.ENGLISH, "0x%02x: %s", Integer.valueOf(acl.getPerms()), idToString(acl.getId()));
    }

    public static String idToString(Id id) {
        String id2;
        if (id.getScheme().equals("digest")) {
            String id3 = id.getId();
            int indexOf = id3.indexOf(58);
            if (indexOf > 0) {
                id3 = id3.substring(indexOf + 3);
            }
            id2 = "digest: " + id3;
        } else {
            id2 = id.toString();
        }
        return id2;
    }

    public String buildSecurityDiagnostics() {
        StringBuilder sb = new StringBuilder();
        sb.append(this.secureRegistry ? "secure registry; " : "insecure registry; ");
        sb.append("Curator service access policy: ").append(this.access);
        sb.append("; System ACLs: ").append(aclsToString(this.systemACLs));
        sb.append("User: ").append(UgiInfo.fromCurrentUser());
        sb.append("; Kerberos Realm: ").append(this.kerberosRealm);
        sb.append(describeProperty("java.security.auth.login.config"));
        boolean parseBoolean = Boolean.parseBoolean(System.getProperty("zookeeper.sasl.client", "true"));
        sb.append(describeProperty("zookeeper.sasl.client", "true"));
        if (parseBoolean) {
            sb.append("; JAAS Client Identity").append(AbstractGangliaSink.EQUAL).append(this.jaasClientIdentity).append(VectorFormat.DEFAULT_SEPARATOR);
            sb.append(RegistryConstants.KEY_REGISTRY_CLIENT_JAAS_CONTEXT).append(AbstractGangliaSink.EQUAL).append(this.jaasClientEntry).append(VectorFormat.DEFAULT_SEPARATOR);
            sb.append(describeProperty("zookeeper.sasl.client.username"));
            sb.append(describeProperty("zookeeper.sasl.clientconfig"));
        }
        sb.append(describeProperty(ZookeeperConfigOptions.PROP_ZK_ALLOW_FAILED_SASL_CLIENTS, "(undefined but defaults to true)"));
        sb.append(describeProperty(ZookeeperConfigOptions.PROP_ZK_SERVER_MAINTAIN_CONNECTION_DESPITE_SASL_FAILURE));
        return sb.toString();
    }

    private static String describeProperty(String str) {
        return describeProperty(str, "(undefined)");
    }

    private static String describeProperty(String str, String str2) {
        return VectorFormat.DEFAULT_SEPARATOR + str + AbstractGangliaSink.EQUAL + System.getProperty(str, str2);
    }

    public static String getDefaultRealmInJVM() {
        String defaultRealmProtected = KerberosUtil.getDefaultRealmProtected();
        if (defaultRealmProtected == null) {
            defaultRealmProtected = "";
        }
        return defaultRealmProtected;
    }

    public ACL createACLForUser(UserGroupInformation userGroupInformation, int i) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Creating ACL For ", new UgiInfo(userGroupInformation));
        }
        return !this.secureRegistry ? ALL_READWRITE_ACCESS : createACLfromUsername(userGroupInformation.getUserName(), i);
    }

    public ACL createACLfromUsername(String str, int i) {
        if (this.usesRealm && !str.contains("@")) {
            str = str + "@" + this.kerberosRealm;
            if (LOG.isDebugEnabled()) {
                LOG.debug("Appending kerberos realm to make {}", str);
            }
        }
        return new ACL(i, new Id(ZookeeperConfigOptions.SCHEME_SASL, str));
    }

    static {
        ArrayList arrayList = new ArrayList();
        arrayList.add(ALL_READWRITE_ACCESS);
        WorldReadWriteACL = new CopyOnWriteArrayList(arrayList);
        JAAS_ENTRY = PlatformName.IBM_JAVA ? "%s { %n %s required%n useKeytab=\"%s\"%n debug=true%n principal=\"%s\"%n credsType=both%n refreshKrb5Config=true;%n}; %n" : "%s { %n %s required%n keyTab=\"%s\"%n debug=true%n principal=\"%s\"%n useKeyTab=true%n useTicketCache=false%n doNotPrompt=true%n storeKey=true;%n}; %n";
    }
}
