package org.apache.hadoop.yarn.server.resourcemanager;

import java.io.IOException;
import java.net.InetSocketAddress;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.ipc.Server;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.Groups;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.security.authorize.PolicyProvider;
import org.apache.hadoop.security.authorize.ProxyUsers;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.exceptions.YarnRemoteException;
import org.apache.hadoop.yarn.factories.RecordFactory;
import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider;
import org.apache.hadoop.yarn.ipc.RPCUtil;
import org.apache.hadoop.yarn.ipc.YarnRPC;
import org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger;
import org.apache.hadoop.yarn.server.resourcemanager.api.RMAdminProtocol;
import org.apache.hadoop.yarn.server.resourcemanager.api.protocolrecords.RefreshAdminAclsRequest;
import org.apache.hadoop.yarn.server.resourcemanager.api.protocolrecords.RefreshAdminAclsResponse;
import org.apache.hadoop.yarn.server.resourcemanager.api.protocolrecords.RefreshNodesRequest;
import org.apache.hadoop.yarn.server.resourcemanager.api.protocolrecords.RefreshNodesResponse;
import org.apache.hadoop.yarn.server.resourcemanager.api.protocolrecords.RefreshQueuesRequest;
import org.apache.hadoop.yarn.server.resourcemanager.api.protocolrecords.RefreshQueuesResponse;
import org.apache.hadoop.yarn.server.resourcemanager.api.protocolrecords.RefreshServiceAclsRequest;
import org.apache.hadoop.yarn.server.resourcemanager.api.protocolrecords.RefreshServiceAclsResponse;
import org.apache.hadoop.yarn.server.resourcemanager.api.protocolrecords.RefreshSuperUserGroupsConfigurationRequest;
import org.apache.hadoop.yarn.server.resourcemanager.api.protocolrecords.RefreshSuperUserGroupsConfigurationResponse;
import org.apache.hadoop.yarn.server.resourcemanager.api.protocolrecords.RefreshUserToGroupsMappingsRequest;
import org.apache.hadoop.yarn.server.resourcemanager.api.protocolrecords.RefreshUserToGroupsMappingsResponse;
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler;
import org.apache.hadoop.yarn.server.resourcemanager.security.authorize.RMPolicyProvider;
import org.apache.hadoop.yarn.service.AbstractService;

/* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/AdminService.class */
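/**
 * RPC endpoint for ResourceManager administrative operations ({@link RMAdminProtocol}).
 *
 * <p>Every protocol method is expected to authorize the caller against the admin ACL
 * ({@code yarn.admin.acl}) through {@link #checkAcls(String)} before it changes any state,
 * and to record the outcome through {@link RMAuditLogger}.
 *
 * <p>Security-relevant defaults visible in this class:
 * <ul>
 *   <li>{@code yarn.admin.acl} falls back to {@code "*"}, the {@link AccessControlList}
 *       wildcard, so an unconfigured cluster lets any caller invoke these operations.</li>
 *   <li>{@code yarn.resourcemanager.admin.address} falls back to {@code 0.0.0.0:8033},
 *       i.e. the admin port listens on all interfaces unless configured otherwise.</li>
 *   <li>Service-level authorization is only loaded when
 *       {@code hadoop.security.authorization} is {@code true} (default {@code false}).</li>
 * </ul>
 */
public class AdminService extends AbstractService implements RMAdminProtocol {
    private static final Log LOG = LogFactory.getLog(AdminService.class);
    private final Configuration conf;
    private final ResourceScheduler scheduler;
    private final RMContext rmContext;
    private final NodesListManager nodesListManager;
    private final ClientRMService clientRMService;
    private final ApplicationMasterService applicationMasterService;
    private final ResourceTrackerService resourceTrackerService;
    private Server server;
    private InetSocketAddress masterServiceAddress;
    // Replaced wholesale by refreshAdminAcls() and read by checkAcls().
    // NOTE(review): not volatile/synchronized; confirm visibility is acceptable when the
    // admin RPC server is configured with more than one handler thread.
    private AccessControlList adminAcl;
    private final RecordFactory recordFactory;

    /**
     * Stores the collaborators this service refreshes on behalf of an administrator.
     *
     * @param configuration configuration handed to the scheduler on {@code refreshQueues}
     * @param resourceScheduler scheduler that is reinitialized on {@code refreshQueues}
     * @param rMContext ResourceManager context passed to the scheduler
     * @param nodesListManager node list that is reloaded on {@code refreshNodes}
     * @param clientRMService service whose service ACLs are refreshed
     * @param applicationMasterService service whose service ACLs are refreshed
     * @param resourceTrackerService service whose service ACLs are refreshed
     */
    public AdminService(Configuration configuration, ResourceScheduler resourceScheduler, RMContext rMContext, NodesListManager nodesListManager, ClientRMService clientRMService, ApplicationMasterService applicationMasterService, ResourceTrackerService resourceTrackerService) {
        super(AdminService.class.getName());
        this.recordFactory = RecordFactoryProvider.getRecordFactory((Configuration) null);
        this.conf = configuration;
        this.scheduler = resourceScheduler;
        this.rmContext = rMContext;
        this.nodesListManager = nodesListManager;
        this.clientRMService = clientRMService;
        this.applicationMasterService = applicationMasterService;
        this.resourceTrackerService = resourceTrackerService;
    }

    /**
     * Reads the admin bind address and the admin ACL from the given configuration.
     *
     * @param configuration source of {@code yarn.resourcemanager.admin.address} and
     *     {@code yarn.admin.acl}
     */
    public void init(Configuration configuration) {
        super.init(configuration);
        // Default binds every interface; restrict the address in configuration if the admin
        // port must not be reachable from untrusted networks.
        this.masterServiceAddress = configuration.getSocketAddr("yarn.resourcemanager.admin.address", "0.0.0.0:8033", 8033);
        // Default "*" admits every user; deployments should set an explicit admin list.
        this.adminAcl = new AccessControlList(configuration.get("yarn.admin.acl", "*"));
    }

    /**
     * Creates and starts the admin RPC server, loading service ACLs first when
     * {@code hadoop.security.authorization} is enabled.
     */
    public void start() {
        Configuration config = getConfig();
        // No SecretManager is supplied for this endpoint.
        this.server = YarnRPC.create(config).getServer(RMAdminProtocol.class, this, this.masterServiceAddress, config, (SecretManager) null, config.getInt("yarn.resourcemanager.admin.client.thread-count", 1));
        if (config.getBoolean("hadoop.security.authorization", false)) {
            // Install the policy before the listener accepts its first call.
            refreshServiceAcls(config, new RMPolicyProvider());
        }
        this.server.start();
        config.updateConnectAddr("yarn.resourcemanager.admin.address", this.server.getListenerAddress());
        super.start();
    }

    /** Stops the RPC server if it was created, then stops the service. */
    public void stop() {
        if (this.server != null) {
            this.server.stop();
        }
        super.stop();
    }

    /**
     * Authorizes the current RPC caller against the admin ACL.
     *
     * <p>An allowed call is logged at INFO; a denied call is logged at WARN and written to
     * the audit log before the exception is raised.
     *
     * @param str name of the admin operation being invoked (used in log and audit records)
     * @return the caller's identity when the admin ACL allows it
     * @throws YarnRemoteException wrapping an {@link AccessControlException} when the caller
     *     is not in the admin ACL, or wrapping the {@link IOException} raised while
     *     resolving the current user
     */
    private UserGroupInformation checkAcls(String str) throws YarnRemoteException {
        try {
            UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
            if (this.adminAcl.isUserAllowed(currentUser)) {
                LOG.info("RM Admin: " + str + " invoked by user " + currentUser.getShortUserName());
                return currentUser;
            }
            LOG.warn("User " + currentUser.getShortUserName() + " doesn't have permission to call '" + str + "'");
            RMAuditLogger.logFailure(currentUser.getShortUserName(), str, this.adminAcl.toString(), "AdminService", RMAuditLogger.AuditConstants.UNAUTHORIZED_USER);
            throw RPCUtil.getRemoteException(new AccessControlException("User " + currentUser.getShortUserName() + " doesn't have permission to call '" + str + "'"));
        } catch (IOException e) {
            // Fail closed: an unresolvable identity is treated as a denied call.
            LOG.warn("Couldn't get current user", e);
            RMAuditLogger.logFailure("UNKNOWN", str, this.adminAcl.toString(), "AdminService", "Couldn't get current user");
            throw RPCUtil.getRemoteException(e);
        }
    }

    /**
     * Reinitializes the scheduler after authorizing the caller.
     *
     * @throws YarnRemoteException if the caller is not an admin or the scheduler fails
     */
    @Override
    public RefreshQueuesResponse refreshQueues(RefreshQueuesRequest refreshQueuesRequest) throws YarnRemoteException {
        UserGroupInformation caller = checkAcls("refreshQueues");
        try {
            this.scheduler.reinitialize(this.conf, this.rmContext);
            RMAuditLogger.logSuccess(caller.getShortUserName(), "refreshQueues", "AdminService");
            return (RefreshQueuesResponse) this.recordFactory.newRecordInstance(RefreshQueuesResponse.class);
        } catch (IOException e) {
            LOG.info("Exception refreshing queues ", e);
            RMAuditLogger.logFailure(caller.getShortUserName(), "refreshQueues", this.adminAcl.toString(), "AdminService", "Exception refreshing queues");
            throw RPCUtil.getRemoteException(e);
        }
    }

    /**
     * Reloads the node list from a freshly constructed {@link YarnConfiguration} after
     * authorizing the caller.
     *
     * @throws YarnRemoteException if the caller is not an admin or the reload fails
     */
    @Override
    public RefreshNodesResponse refreshNodes(RefreshNodesRequest refreshNodesRequest) throws YarnRemoteException {
        UserGroupInformation caller = checkAcls("refreshNodes");
        try {
            this.nodesListManager.refreshNodes(new YarnConfiguration());
            RMAuditLogger.logSuccess(caller.getShortUserName(), "refreshNodes", "AdminService");
            return (RefreshNodesResponse) this.recordFactory.newRecordInstance(RefreshNodesResponse.class);
        } catch (IOException e) {
            LOG.info("Exception refreshing nodes ", e);
            RMAuditLogger.logFailure(caller.getShortUserName(), "refreshNodes", this.adminAcl.toString(), "AdminService", "Exception refreshing nodes");
            throw RPCUtil.getRemoteException(e);
        }
    }

    /**
     * Reloads the proxy-user (superuser groups) settings from a freshly constructed
     * {@link Configuration} after authorizing the caller.
     *
     * @throws YarnRemoteException if the caller is not an admin
     */
    @Override
    public RefreshSuperUserGroupsConfigurationResponse refreshSuperUserGroupsConfiguration(RefreshSuperUserGroupsConfigurationRequest refreshSuperUserGroupsConfigurationRequest) throws YarnRemoteException {
        UserGroupInformation caller = checkAcls("refreshSuperUserGroupsConfiguration");
        ProxyUsers.refreshSuperUserGroupsConfiguration(new Configuration());
        RMAuditLogger.logSuccess(caller.getShortUserName(), "refreshSuperUserGroupsConfiguration", "AdminService");
        return (RefreshSuperUserGroupsConfigurationResponse) this.recordFactory.newRecordInstance(RefreshSuperUserGroupsConfigurationResponse.class);
    }

    /**
     * Refreshes the user-to-groups mapping service after authorizing the caller.
     *
     * @throws YarnRemoteException if the caller is not an admin
     */
    @Override
    public RefreshUserToGroupsMappingsResponse refreshUserToGroupsMappings(RefreshUserToGroupsMappingsRequest refreshUserToGroupsMappingsRequest) throws YarnRemoteException {
        UserGroupInformation caller = checkAcls("refreshUserToGroupsMappings");
        Groups.getUserToGroupsMappingService().refresh();
        RMAuditLogger.logSuccess(caller.getShortUserName(), "refreshUserToGroupsMappings", "AdminService");
        return (RefreshUserToGroupsMappingsResponse) this.recordFactory.newRecordInstance(RefreshUserToGroupsMappingsResponse.class);
    }

    /**
     * Replaces the admin ACL with the value of {@code yarn.admin.acl} read from a freshly
     * constructed {@link Configuration}.
     *
     * <p>The caller is authorized against the ACL in force <em>before</em> the swap, so only
     * a current admin can change who the admins are.
     *
     * @throws YarnRemoteException if the caller is not an admin
     */
    @Override
    public RefreshAdminAclsResponse refreshAdminAcls(RefreshAdminAclsRequest refreshAdminAclsRequest) throws YarnRemoteException {
        UserGroupInformation caller = checkAcls("refreshAdminAcls");
        // A missing key falls back to "*", which opens the admin API to every user.
        this.adminAcl = new AccessControlList(new Configuration().get("yarn.admin.acl", "*"));
        RMAuditLogger.logSuccess(caller.getShortUserName(), "refreshAdminAcls", "AdminService");
        return (RefreshAdminAclsResponse) this.recordFactory.newRecordInstance(RefreshAdminAclsResponse.class);
    }

    /**
     * Reloads the service-level authorization policy on this server and on the client,
     * application-master and resource-tracker services.
     *
     * <p>The caller is authorized against the admin ACL first, like every other operation
     * of this protocol; replacing the RPC authorization policy is a privileged action and
     * must not be reachable by callers outside {@code yarn.admin.acl}. Both outcomes are
     * written to the audit log.
     *
     * @throws YarnRemoteException if the caller is not an admin, or if
     *     {@code hadoop.security.authorization} is not enabled
     */
    @Override
    public RefreshServiceAclsResponse refreshServiceAcls(RefreshServiceAclsRequest refreshServiceAclsRequest) throws YarnRemoteException {
        // Authorize before touching configuration so a denied caller is audited and learns
        // nothing about the authorization setting.
        UserGroupInformation caller = checkAcls("refreshServiceAcls");
        Configuration configuration = new Configuration();
        if (!configuration.getBoolean("hadoop.security.authorization", false)) {
            RMAuditLogger.logFailure(caller.getShortUserName(), "refreshServiceAcls", this.adminAcl.toString(), "AdminService", "Service Authorization (hadoop.security.authorization) not enabled.");
            throw RPCUtil.getRemoteException(new IOException("Service Authorization (hadoop.security.authorization) not enabled."));
        }
        RMPolicyProvider rMPolicyProvider = new RMPolicyProvider();
        refreshServiceAcls(configuration, rMPolicyProvider);
        this.clientRMService.refreshServiceAcls(configuration, rMPolicyProvider);
        this.applicationMasterService.refreshServiceAcls(configuration, rMPolicyProvider);
        this.resourceTrackerService.refreshServiceAcls(configuration, rMPolicyProvider);
        RMAuditLogger.logSuccess(caller.getShortUserName(), "refreshServiceAcls", "AdminService");
        return (RefreshServiceAclsResponse) this.recordFactory.newRecordInstance(RefreshServiceAclsResponse.class);
    }

    /**
     * Applies the given policy to this service's own RPC server.
     *
     * <p>Performs no caller authorization itself; callers inside the package are
     * responsible for that. Requires the server created by {@link #start()}.
     *
     * @param configuration configuration the policy's ACL keys are read from
     * @param policyProvider provider describing which protocols map to which ACL keys
     */
    void refreshServiceAcls(Configuration configuration, PolicyProvider policyProvider) {
        this.server.refreshServiceAcl(configuration, policyProvider);
    }
}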
