package org.apache.nifi.processors.iceberg;

import java.io.IOException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.nifi.annotation.lifecycle.OnScheduled;
import org.apache.nifi.annotation.lifecycle.OnStopped;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.flowfile.FlowFile;
import org.apache.nifi.hadoop.SecurityUtil;
import org.apache.nifi.kerberos.KerberosUserService;
import org.apache.nifi.processor.AbstractProcessor;
import org.apache.nifi.processor.ProcessContext;
import org.apache.nifi.processor.ProcessSession;
import org.apache.nifi.processor.Relationship;
import org.apache.nifi.processor.exception.ProcessException;
import org.apache.nifi.security.krb.KerberosLoginException;
import org.apache.nifi.security.krb.KerberosUser;
import org.apache.nifi.services.iceberg.IcebergCatalogService;

/* loaded from: input_file:org/apache/nifi/processors/iceberg/AbstractIcebergProcessor.class */
public abstract class AbstractIcebergProcessor extends AbstractProcessor {
    public static final PropertyDescriptor CATALOG = new PropertyDescriptor.Builder().name("catalog-service").displayName("Catalog Service").description("Specifies the Controller Service to use for handling references to table’s metadata files.").identifiesControllerService(IcebergCatalogService.class).required(true).build();
    public static final PropertyDescriptor KERBEROS_USER_SERVICE = new PropertyDescriptor.Builder().name("kerberos-user-service").displayName("Kerberos User Service").description("Specifies the Kerberos User Controller Service that should be used for authenticating with Kerberos.").identifiesControllerService(KerberosUserService.class).build();
    public static final Relationship REL_FAILURE = new Relationship.Builder().name("failure").description("A FlowFile is routed to this relationship if the operation failed and retrying the operation will also fail, such as an invalid data or schema.").build();
    private volatile KerberosUser kerberosUser;
    private volatile UserGroupInformation ugi;

    @OnScheduled
    public final void onScheduled(ProcessContext processContext) {
        IcebergCatalogService asControllerService = processContext.getProperty(CATALOG).asControllerService(IcebergCatalogService.class);
        KerberosUserService asControllerService2 = processContext.getProperty(KERBEROS_USER_SERVICE).asControllerService(KerberosUserService.class);
        if (asControllerService2 != null) {
            this.kerberosUser = asControllerService2.createKerberosUser();
            try {
                this.ugi = SecurityUtil.getUgiForKerberosUser(asControllerService.getConfiguration(), this.kerberosUser);
            } catch (IOException e) {
                throw new ProcessException("Kerberos Authentication failed", e);
            }
        }
    }

    @OnStopped
    public final void onStopped() {
        try {
        } catch (KerberosLoginException e) {
            getLogger().error("Error logging out kerberos user", e);
        } finally {
            this.kerberosUser = null;
            this.ugi = null;
        }
        if (this.kerberosUser != null) {
            this.kerberosUser.logout();
        }
    }

    public void onTrigger(ProcessContext processContext, ProcessSession processSession) throws ProcessException {
        FlowFile flowFile = processSession.get();
        if (flowFile == null) {
            return;
        }
        if (this.kerberosUser == null) {
            doOnTrigger(processContext, processSession, flowFile);
            return;
        }
        try {
            getUgi().doAs(() -> {
                doOnTrigger(processContext, processSession, flowFile);
                return null;
            });
        } catch (Exception e) {
            getLogger().error("Privileged action failed with kerberos user " + this.kerberosUser, e);
            processSession.transfer(processSession.penalize(flowFile), REL_FAILURE);
        }
    }

    private UserGroupInformation getUgi() {
        try {
            this.kerberosUser.checkTGTAndRelogin();
            return this.ugi;
        } catch (KerberosLoginException e) {
            throw new ProcessException("Unable to re-login with kerberos credentials for " + this.kerberosUser.getPrincipal(), e);
        }
    }

    protected abstract void doOnTrigger(ProcessContext processContext, ProcessSession processSession, FlowFile flowFile) throws ProcessException;
}
