package org.apache.hadoop.hbase.security.access;

import java.io.Closeable;
import java.io.IOException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentSkipListMap;
import java.util.concurrent.atomic.AtomicLong;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.AuthUtil;
import org.apache.hadoop.hbase.Cell;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.classification.InterfaceAudience;
import org.apache.hadoop.hbase.exceptions.DeserializationException;
import org.apache.hadoop.hbase.security.Superusers;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.UserProvider;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.shaded.com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.hbase.shaded.com.google.common.collect.ArrayListMultimap;
import org.apache.hadoop.hbase.shaded.com.google.common.collect.ListMultimap;
import org.apache.hadoop.hbase.shaded.com.google.common.collect.Lists;
import org.apache.hadoop.hbase.shaded.org.apache.zookeeper.KeeperException;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.hbase.zookeeper.ZooKeeperWatcher;

@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/hbase/security/access/TableAuthManager.class */
public class TableAuthManager implements Closeable {
    private volatile PermissionCache<Permission> globalCache;
    private Configuration conf;
    private ZKPermissionWatcher zkperms;
    private static final Log LOG = LogFactory.getLog(TableAuthManager.class);
    private static Map<ZooKeeperWatcher, TableAuthManager> managerMap = new HashMap();
    private static Map<TableAuthManager, Integer> refCount = new HashMap();
    private ConcurrentSkipListMap<TableName, PermissionCache<TablePermission>> tableCache = new ConcurrentSkipListMap<>();
    private ConcurrentSkipListMap<String, PermissionCache<TablePermission>> nsCache = new ConcurrentSkipListMap<>();
    private AtomicLong mtime = new AtomicLong(0);

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/hbase/security/access/TableAuthManager$PermissionCache.class */
    public static class PermissionCache<T extends Permission> {
        private ListMultimap<String, T> userCache;
        private ListMultimap<String, T> groupCache;

        private PermissionCache() {
            this.userCache = ArrayListMultimap.create();
            this.groupCache = ArrayListMultimap.create();
        }

        public List<T> getUser(String str) {
            return this.userCache.get((ListMultimap<String, T>) str);
        }

        public void putUser(String str, T t) {
            this.userCache.put(str, t);
        }

        public List<T> replaceUser(String str, Iterable<? extends T> iterable) {
            return this.userCache.replaceValues((ListMultimap<String, T>) str, iterable);
        }

        public List<T> getGroup(String str) {
            return this.groupCache.get((ListMultimap<String, T>) str);
        }

        public void putGroup(String str, T t) {
            this.groupCache.put(str, t);
        }

        public List<T> replaceGroup(String str, Iterable<? extends T> iterable) {
            return this.groupCache.replaceValues((ListMultimap<String, T>) str, iterable);
        }

        public ListMultimap<String, T> getAllPermissions() {
            ArrayListMultimap create = ArrayListMultimap.create();
            create.putAll(this.userCache);
            for (String str : this.groupCache.keySet()) {
                create.putAll(AuthUtil.toGroupEntry(str), this.groupCache.get((ListMultimap<String, T>) str));
            }
            return create;
        }
    }

    private TableAuthManager(ZooKeeperWatcher zooKeeperWatcher, Configuration configuration) throws IOException {
        this.conf = configuration;
        this.globalCache = initGlobal(configuration);
        this.zkperms = new ZKPermissionWatcher(zooKeeperWatcher, this, configuration);
        try {
            this.zkperms.start();
        } catch (KeeperException e) {
            LOG.error("ZooKeeper initialization failed", e);
        }
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        this.zkperms.close();
    }

    private PermissionCache<Permission> initGlobal(Configuration configuration) throws IOException {
        User current = UserProvider.instantiate(configuration).getCurrent();
        if (current == null) {
            throw new IOException("Unable to obtain the current user, authorization checks for internal operations will not work correctly!");
        }
        PermissionCache<Permission> permissionCache = new PermissionCache<>();
        List<String> asList = Lists.asList(current.getShortName(), configuration.getStrings(Superusers.SUPERUSER_CONF_KEY, new String[0]));
        if (asList != null) {
            for (String str : asList) {
                if (AuthUtil.isGroupPrincipal(str)) {
                    permissionCache.putGroup(AuthUtil.getGroupName(str), new Permission(Permission.Action.values()));
                } else {
                    permissionCache.putUser(str, new Permission(Permission.Action.values()));
                }
            }
        }
        return permissionCache;
    }

    public ZKPermissionWatcher getZKPermissionWatcher() {
        return this.zkperms;
    }

    public void refreshTableCacheFromWritable(TableName tableName, byte[] bArr) throws IOException {
        if (bArr == null || bArr.length <= 0) {
            LOG.debug("Skipping permission cache refresh because writable data is empty");
            return;
        }
        try {
            ListMultimap<String, TablePermission> readPermissions = AccessControlLists.readPermissions(bArr, this.conf);
            if (readPermissions != null) {
                if (Bytes.equals(tableName.getName(), AccessControlLists.ACL_GLOBAL_NAME)) {
                    updateGlobalCache(readPermissions);
                } else {
                    updateTableCache(tableName, readPermissions);
                }
            }
        } catch (DeserializationException e) {
            throw new IOException(e);
        }
    }

    public void refreshNamespaceCacheFromWritable(String str, byte[] bArr) throws IOException {
        if (bArr == null || bArr.length <= 0) {
            LOG.debug("Skipping permission cache refresh because writable data is empty");
            return;
        }
        try {
            ListMultimap<String, TablePermission> readPermissions = AccessControlLists.readPermissions(bArr, this.conf);
            if (readPermissions != null) {
                updateNsCache(str, readPermissions);
            }
        } catch (DeserializationException e) {
            throw new IOException(e);
        }
    }

    private void updateGlobalCache(ListMultimap<String, TablePermission> listMultimap) {
        try {
            PermissionCache<Permission> initGlobal = initGlobal(this.conf);
            for (Map.Entry<String, TablePermission> entry : listMultimap.entries()) {
                if (AuthUtil.isGroupPrincipal(entry.getKey())) {
                    initGlobal.putGroup(AuthUtil.getGroupName(entry.getKey()), new Permission(entry.getValue().getActions()));
                } else {
                    initGlobal.putUser(entry.getKey(), new Permission(entry.getValue().getActions()));
                }
            }
            this.globalCache = initGlobal;
            this.mtime.incrementAndGet();
        } catch (IOException e) {
            LOG.error("Error occurred while updating the global cache", e);
        }
    }

    private void updateTableCache(TableName tableName, ListMultimap<String, TablePermission> listMultimap) {
        PermissionCache<TablePermission> permissionCache = new PermissionCache<>();
        for (Map.Entry<String, TablePermission> entry : listMultimap.entries()) {
            if (AuthUtil.isGroupPrincipal(entry.getKey())) {
                permissionCache.putGroup(AuthUtil.getGroupName(entry.getKey()), entry.getValue());
            } else {
                permissionCache.putUser(entry.getKey(), entry.getValue());
            }
        }
        this.tableCache.put(tableName, permissionCache);
        this.mtime.incrementAndGet();
    }

    private void updateNsCache(String str, ListMultimap<String, TablePermission> listMultimap) {
        PermissionCache<TablePermission> permissionCache = new PermissionCache<>();
        for (Map.Entry<String, TablePermission> entry : listMultimap.entries()) {
            if (AuthUtil.isGroupPrincipal(entry.getKey())) {
                permissionCache.putGroup(AuthUtil.getGroupName(entry.getKey()), entry.getValue());
            } else {
                permissionCache.putUser(entry.getKey(), entry.getValue());
            }
        }
        this.nsCache.put(str, permissionCache);
        this.mtime.incrementAndGet();
    }

    private PermissionCache<TablePermission> getTablePermissions(TableName tableName) {
        if (!this.tableCache.containsKey(tableName)) {
            this.tableCache.putIfAbsent(tableName, new PermissionCache<>());
        }
        return this.tableCache.get(tableName);
    }

    private PermissionCache<TablePermission> getNamespacePermissions(String str) {
        if (!this.nsCache.containsKey(str)) {
            this.nsCache.putIfAbsent(str, new PermissionCache<>());
        }
        return this.nsCache.get(str);
    }

    private boolean authorize(List<Permission> list, Permission.Action action) {
        if (list == null) {
            if (!LOG.isDebugEnabled()) {
                return false;
            }
            LOG.debug("No permissions found for " + action);
            return false;
        }
        Iterator<Permission> it = list.iterator();
        while (it.hasNext()) {
            if (it.next().implies(action)) {
                return true;
            }
        }
        return false;
    }

    public boolean authorize(User user, Permission.Action action) {
        if (user == null) {
            return false;
        }
        if (authorize(this.globalCache.getUser(user.getShortName()), action)) {
            return true;
        }
        String[] groupNames = user.getGroupNames();
        if (groupNames == null) {
            return false;
        }
        for (String str : groupNames) {
            if (authorize(this.globalCache.getGroup(str), action)) {
                return true;
            }
        }
        return false;
    }

    private boolean authorize(List<TablePermission> list, TableName tableName, byte[] bArr, byte[] bArr2, Permission.Action action) {
        if (list == null) {
            if (!LOG.isDebugEnabled()) {
                return false;
            }
            LOG.debug("No permissions found for table=" + tableName);
            return false;
        }
        Iterator<TablePermission> it = list.iterator();
        while (it.hasNext()) {
            if (it.next().implies(tableName, bArr, bArr2, action)) {
                return true;
            }
        }
        return false;
    }

    private boolean hasAccess(List<TablePermission> list, TableName tableName, Permission.Action action) {
        if (list == null) {
            if (!LOG.isDebugEnabled()) {
                return false;
            }
            LOG.debug("No permissions found for table=" + tableName);
            return false;
        }
        Iterator<TablePermission> it = list.iterator();
        while (it.hasNext()) {
            if (it.next().implies(action)) {
                return true;
            }
        }
        return false;
    }

    public boolean authorize(User user, TableName tableName, Cell cell, Permission.Action action) {
        try {
            List<Permission> cellPermissionsForUser = AccessControlLists.getCellPermissionsForUser(user, cell);
            if (LOG.isTraceEnabled()) {
                LOG.trace("Perms for user " + user.getShortName() + " in cell " + cell + ": " + (cellPermissionsForUser != null ? cellPermissionsForUser : ""));
            }
            if (cellPermissionsForUser != null) {
                Iterator<Permission> it = cellPermissionsForUser.iterator();
                while (it.hasNext()) {
                    if (it.next().implies(action)) {
                        return true;
                    }
                }
            }
            return false;
        } catch (IOException e) {
            LOG.error("Failed parse of ACL tag in cell " + cell);
            return false;
        }
    }

    public boolean authorize(User user, String str, Permission.Action action) {
        if (authorize(user, action)) {
            return true;
        }
        PermissionCache<TablePermission> permissionCache = this.nsCache.get(str);
        if (permissionCache == null) {
            return false;
        }
        if (authorize(permissionCache.getUser(user.getShortName()), str, action)) {
            return true;
        }
        String[] groupNames = user.getGroupNames();
        if (groupNames == null) {
            return false;
        }
        for (String str2 : groupNames) {
            if (authorize(permissionCache.getGroup(str2), str, action)) {
                return true;
            }
        }
        return false;
    }

    private boolean authorize(List<TablePermission> list, String str, Permission.Action action) {
        if (list == null) {
            if (!LOG.isDebugEnabled()) {
                return false;
            }
            LOG.debug("No permissions for authorize() check, table=" + str);
            return false;
        }
        Iterator<TablePermission> it = list.iterator();
        while (it.hasNext()) {
            if (it.next().implies(str, action)) {
                return true;
            }
        }
        return false;
    }

    public boolean authorizeUser(User user, TableName tableName, byte[] bArr, Permission.Action action) {
        return authorizeUser(user, tableName, bArr, null, action);
    }

    public boolean authorizeUser(User user, TableName tableName, byte[] bArr, byte[] bArr2, Permission.Action action) {
        if (tableName == null) {
            tableName = AccessControlLists.ACL_TABLE_NAME;
        }
        if (authorize(user, tableName.getNamespaceAsString(), action)) {
            return true;
        }
        return authorize(getTablePermissions(tableName).getUser(user.getShortName()), tableName, bArr, bArr2, action);
    }

    public boolean userHasAccess(User user, TableName tableName, Permission.Action action) {
        if (tableName == null) {
            tableName = AccessControlLists.ACL_TABLE_NAME;
        }
        if (authorize(user, tableName.getNamespaceAsString(), action)) {
            return true;
        }
        return hasAccess(getTablePermissions(tableName).getUser(user.getShortName()), tableName, action);
    }

    public boolean authorizeGroup(String str, Permission.Action action) {
        List<Permission> group = this.globalCache.getGroup(str);
        if (LOG.isDebugEnabled()) {
            LOG.debug("authorizing " + ((group == null || group.isEmpty()) ? "" : group.get(0)) + " for " + action);
        }
        return authorize(group, action);
    }

    public boolean authorizeGroup(String str, TableName tableName, byte[] bArr, byte[] bArr2, Permission.Action action) {
        if (authorizeGroup(str, action)) {
            return true;
        }
        if (tableName == null) {
            tableName = AccessControlLists.ACL_TABLE_NAME;
        }
        String namespaceAsString = tableName.getNamespaceAsString();
        if (authorize(getNamespacePermissions(namespaceAsString).getGroup(str), namespaceAsString, action)) {
            return true;
        }
        List<TablePermission> group = getTablePermissions(tableName).getGroup(str);
        if (LOG.isDebugEnabled()) {
            LOG.debug("authorizing " + ((group == null || group.isEmpty()) ? "" : group.get(0)) + " for " + str + " on " + tableName + "." + Bytes.toString(bArr) + "." + Bytes.toString(bArr2) + " with " + action);
        }
        return authorize(group, tableName, bArr, bArr2, action);
    }

    public boolean groupHasAccess(String str, TableName tableName, Permission.Action action) {
        if (authorizeGroup(str, action)) {
            return true;
        }
        if (tableName == null) {
            tableName = AccessControlLists.ACL_TABLE_NAME;
        }
        if (hasAccess(getNamespacePermissions(tableName.getNamespaceAsString()).getGroup(str), tableName, action)) {
            return true;
        }
        return hasAccess(getTablePermissions(tableName).getGroup(str), tableName, action);
    }

    public boolean authorize(User user, TableName tableName, byte[] bArr, byte[] bArr2, Permission.Action action) {
        if (authorizeUser(user, tableName, bArr, bArr2, action)) {
            return true;
        }
        String[] groupNames = user.getGroupNames();
        if (groupNames == null) {
            return false;
        }
        for (String str : groupNames) {
            if (authorizeGroup(str, tableName, bArr, bArr2, action)) {
                return true;
            }
        }
        return false;
    }

    public boolean hasAccess(User user, TableName tableName, Permission.Action action) {
        if (userHasAccess(user, tableName, action)) {
            return true;
        }
        String[] groupNames = user.getGroupNames();
        if (groupNames == null) {
            return false;
        }
        for (String str : groupNames) {
            if (groupHasAccess(str, tableName, action)) {
                return true;
            }
        }
        return false;
    }

    public boolean authorize(User user, TableName tableName, byte[] bArr, Permission.Action action) {
        return authorize(user, tableName, bArr, (byte[]) null, action);
    }

    public boolean matchPermission(User user, TableName tableName, byte[] bArr, Permission.Action action) {
        PermissionCache<TablePermission> permissionCache = this.tableCache.get(tableName);
        if (permissionCache == null) {
            return false;
        }
        List<TablePermission> user2 = permissionCache.getUser(user.getShortName());
        if (user2 != null) {
            Iterator<TablePermission> it = user2.iterator();
            while (it.hasNext()) {
                if (it.next().matchesFamily(tableName, bArr, action)) {
                    return true;
                }
            }
        }
        String[] groupNames = user.getGroupNames();
        if (groupNames == null) {
            return false;
        }
        for (String str : groupNames) {
            List<TablePermission> group = permissionCache.getGroup(str);
            if (group != null) {
                Iterator<TablePermission> it2 = group.iterator();
                while (it2.hasNext()) {
                    if (it2.next().matchesFamily(tableName, bArr, action)) {
                        return true;
                    }
                }
            }
        }
        return false;
    }

    public boolean matchPermission(User user, TableName tableName, byte[] bArr, byte[] bArr2, Permission.Action action) {
        PermissionCache<TablePermission> permissionCache = this.tableCache.get(tableName);
        if (permissionCache == null) {
            return false;
        }
        List<TablePermission> user2 = permissionCache.getUser(user.getShortName());
        if (user2 != null) {
            Iterator<TablePermission> it = user2.iterator();
            while (it.hasNext()) {
                if (it.next().matchesFamilyQualifier(tableName, bArr, bArr2, action)) {
                    return true;
                }
            }
        }
        String[] groupNames = user.getGroupNames();
        if (groupNames == null) {
            return false;
        }
        for (String str : groupNames) {
            List<TablePermission> group = permissionCache.getGroup(str);
            if (group != null) {
                Iterator<TablePermission> it2 = group.iterator();
                while (it2.hasNext()) {
                    if (it2.next().matchesFamilyQualifier(tableName, bArr, bArr2, action)) {
                        return true;
                    }
                }
            }
        }
        return false;
    }

    public void removeNamespace(byte[] bArr) {
        this.nsCache.remove(Bytes.toString(bArr));
    }

    public void removeTable(TableName tableName) {
        this.tableCache.remove(tableName);
    }

    public void setTableUserPermissions(String str, TableName tableName, List<TablePermission> list) {
        PermissionCache<TablePermission> tablePermissions = getTablePermissions(tableName);
        tablePermissions.replaceUser(str, list);
        writeTableToZooKeeper(tableName, tablePermissions);
    }

    public void setTableGroupPermissions(String str, TableName tableName, List<TablePermission> list) {
        PermissionCache<TablePermission> tablePermissions = getTablePermissions(tableName);
        tablePermissions.replaceGroup(str, list);
        writeTableToZooKeeper(tableName, tablePermissions);
    }

    public void setNamespaceUserPermissions(String str, String str2, List<TablePermission> list) {
        PermissionCache<TablePermission> namespacePermissions = getNamespacePermissions(str2);
        namespacePermissions.replaceUser(str, list);
        writeNamespaceToZooKeeper(str2, namespacePermissions);
    }

    public void setNamespaceGroupPermissions(String str, String str2, List<TablePermission> list) {
        PermissionCache<TablePermission> namespacePermissions = getNamespacePermissions(str2);
        namespacePermissions.replaceGroup(str, list);
        writeNamespaceToZooKeeper(str2, namespacePermissions);
    }

    public void writeTableToZooKeeper(TableName tableName, PermissionCache<TablePermission> permissionCache) {
        byte[] bArr = new byte[0];
        if (permissionCache != null) {
            bArr = AccessControlLists.writePermissionsAsBytes(permissionCache.getAllPermissions(), this.conf);
        }
        this.zkperms.writeToZookeeper(tableName.getName(), bArr);
    }

    public void writeNamespaceToZooKeeper(String str, PermissionCache<TablePermission> permissionCache) {
        byte[] bArr = new byte[0];
        if (permissionCache != null) {
            bArr = AccessControlLists.writePermissionsAsBytes(permissionCache.getAllPermissions(), this.conf);
        }
        this.zkperms.writeToZookeeper(Bytes.toBytes(AccessControlLists.toNamespaceEntry(str)), bArr);
    }

    public long getMTime() {
        return this.mtime.get();
    }

    public static synchronized TableAuthManager getOrCreate(ZooKeeperWatcher zooKeeperWatcher, Configuration configuration) throws IOException {
        TableAuthManager tableAuthManager = managerMap.get(zooKeeperWatcher);
        if (tableAuthManager == null) {
            tableAuthManager = new TableAuthManager(zooKeeperWatcher, configuration);
            managerMap.put(zooKeeperWatcher, tableAuthManager);
        }
        refCount.put(tableAuthManager, Integer.valueOf((refCount.get(tableAuthManager) == null ? 0 : refCount.get(tableAuthManager).intValue()) + 1));
        return tableAuthManager;
    }

    @VisibleForTesting
    public static int getTotalRefCount() {
        int i = 0;
        Iterator<Integer> it = refCount.values().iterator();
        while (it.hasNext()) {
            i += it.next().intValue();
        }
        return i;
    }

    public static synchronized void release(TableAuthManager tableAuthManager) {
        if (refCount.get(tableAuthManager) == null || refCount.get(tableAuthManager).intValue() < 1) {
            String str = "Something wrong with the TableAuthManager reference counting: " + tableAuthManager + " whose count is " + refCount.get(tableAuthManager);
            LOG.fatal(str);
            tableAuthManager.close();
            managerMap.remove(tableAuthManager.getZKPermissionWatcher().getWatcher());
            tableAuthManager.getZKPermissionWatcher().getWatcher().abort(str, null);
            return;
        }
        int intValue = refCount.get(tableAuthManager).intValue();
        refCount.put(tableAuthManager, Integer.valueOf(intValue - 1));
        if (intValue - 1 == 0) {
            tableAuthManager.close();
            managerMap.remove(tableAuthManager.getZKPermissionWatcher().getWatcher());
            refCount.remove(tableAuthManager);
        }
    }
}
