package org.apache.hadoop.ozone.om.multitenant;

import com.google.common.base.Preconditions;
import com.sun.jersey.api.client.ClientResponse;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.ozone.OmUtils;
import org.apache.hadoop.ozone.om.multitenant.MultiTenantAccessController;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.RangerClient;
import org.apache.ranger.RangerServiceException;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.model.RangerRole;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/ozone/om/multitenant/RangerClientMultiTenantAccessController.class */
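/**
 * {@link MultiTenantAccessController} backed by the Apache Ranger admin REST API via
 * {@link RangerClient}.
 *
 * <p>Every public operation translates between the Ozone-side {@code Policy}/{@code Role}
 * model and Ranger's {@link RangerPolicy}/{@link RangerRole}, sends the request through the
 * client, and surfaces any {@link RangerServiceException} as an {@link IOException} after
 * logging a status-specific diagnostic.
 *
 * <p>Authentication: when both {@code ozone.om.ranger.https.admin.api.user} and
 * {@code ozone.om.ranger.https.admin.api.passwd} are set, SIMPLE auth with those admin
 * credentials is used; otherwise the OM's own Kerberos principal and keytab are used.
 */
public class RangerClientMultiTenantAccessController implements MultiTenantAccessController {
    private static final Logger LOG = LoggerFactory.getLogger(RangerClientMultiTenantAccessController.class);
    private static final int HTTP_STATUS_CODE_UNAUTHORIZED = 401;
    private static final int HTTP_STATUS_CODE_BAD_REQUEST = 400;

    // Ranger resource-type names used as keys of a policy's resource map.
    private static final String RESOURCE_VOLUME = "volume";
    private static final String RESOURCE_BUCKET = "bucket";
    private static final String RESOURCE_KEY = "key";

    private final RangerClient client;
    private final String rangerServiceName;
    // ACLType -> Ranger access-type string, as declared by the controller interface.
    private final Map<IAccessAuthorizer.ACLType, String> aclToString = MultiTenantAccessController.getRangerAclStrings();
    // Reverse of aclToString, used when reading policies back from Ranger.
    private final Map<String, IAccessAuthorizer.ACLType> stringToAcl = new HashMap<>();
    // Principal (or SIMPLE-auth user) this OM authenticates to Ranger as.
    private final String omPrincipal;
    // Short user name passed to Ranger as the executing user on role operations.
    private final String shortName;

    /** A Ranger client call whose failure mode is {@link RangerServiceException}. */
    @FunctionalInterface
    private interface RangerCall<T> {
        T call() throws RangerServiceException;
    }

    /**
     * Creates a controller from Ozone configuration.
     *
     * <p>Required keys: {@code ozone.om.ranger.https-address} and
     * {@code ozone.om.ranger.service}. For Kerberos auth (the path taken when the admin
     * user/password pair is not fully configured) {@code ozone.om.kerberos.principal} and
     * {@code ozone.om.kerberos.keytab.file} are required as well.
     *
     * @param ozoneConfiguration OM configuration
     * @throws IOException if the OM address cannot be resolved or the remote user cannot be created
     * @throws NullPointerException if a required configuration key is missing
     */
    public RangerClientMultiTenantAccessController(OzoneConfiguration ozoneConfiguration) throws IOException {
        // Build the reverse lookup so Ranger access-type strings map back to ACLType.
        this.aclToString.forEach((aclType, rangerName) -> this.stringToAcl.put(rangerName, aclType));

        String rangerHttpsAddress = ozoneConfiguration.get("ozone.om.ranger.https-address");
        Preconditions.checkNotNull(rangerHttpsAddress);
        this.rangerServiceName = ozoneConfiguration.get("ozone.om.ranger.service");
        Preconditions.checkNotNull(this.rangerServiceName);

        String adminUser = ozoneConfiguration.get("ozone.om.ranger.https.admin.api.user");
        String adminPasswd = ozoneConfiguration.get("ozone.om.ranger.https.admin.api.passwd");

        String authType;
        String loginUser;
        String credential;
        if (adminUser == null || adminPasswd == null) {
            // Kerberos: authenticate as the OM's own service principal using its keytab.
            authType = UserGroupInformation.AuthenticationMethod.KERBEROS.name();
            String configuredPrincipal = ozoneConfiguration.get("ozone.om.kerberos.principal");
            Preconditions.checkNotNull(configuredPrincipal);
            this.omPrincipal = SecurityUtil.getServerPrincipal(configuredPrincipal,
                OmUtils.getOmAddress(ozoneConfiguration).getHostName());
            String keytabFile = ozoneConfiguration.get("ozone.om.kerberos.keytab.file");
            Preconditions.checkNotNull(keytabFile);
            this.shortName = UserGroupInformation.createRemoteUser(this.omPrincipal).getShortUserName();
            loginUser = this.omPrincipal;
            credential = keytabFile;
        } else {
            // SIMPLE: authenticate with the configured Ranger admin user/password.
            authType = UserGroupInformation.AuthenticationMethod.SIMPLE.name();
            loginUser = adminUser;
            credential = adminPasswd;
            this.omPrincipal = adminUser;
            this.shortName = adminUser;
        }
        // Only the auth type and user are logged; the credential (password or keytab path) never is.
        LOG.info("authType = {}, login user = {}", authType, loginUser);
        this.client = new RangerClient(rangerHttpsAddress, authType, loginUser, credential,
            this.rangerServiceName, "ozone");
    }

    /**
     * Logs a diagnostic for a failed Ranger request keyed on its HTTP status. Does not rethrow;
     * callers wrap the exception themselves.
     *
     * @param rangerServiceException the failure reported by {@link RangerClient}
     */
    private void decodeRSEStatusCodes(RangerServiceException rangerServiceException) {
        ClientResponse.Status status = rangerServiceException.getStatus();
        if (status == null) {
            LOG.error("Request failure with no status provided.", rangerServiceException);
            return;
        }
        switch (status.getStatusCode()) {
            case HTTP_STATUS_CODE_BAD_REQUEST:
                LOG.error("Request failure. If this is an assign-user operation, check if the user name exists in Ranger.");
                break;
            case HTTP_STATUS_CODE_UNAUTHORIZED:
                LOG.error("Auth failure. Please double check Ranger-related configs");
                break;
            default:
                LOG.error("Other request failure. Status: {}", status);
                break;
        }
    }

    /**
     * Runs one Ranger client call, converting {@link RangerServiceException} into
     * {@link IOException} after logging a status diagnostic.
     *
     * @param call the client call to run
     * @param <T> the call's result type
     * @return the call's result
     * @throws IOException wrapping the {@link RangerServiceException} as its cause
     */
    private <T> T callRanger(RangerCall<T> call) throws IOException {
        try {
            return call.call();
        } catch (RangerServiceException e) {
            decodeRSEStatusCodes(e);
            throw new IOException(e);
        }
    }

    /**
     * Creates a policy in Ranger.
     *
     * @param policy the policy to create
     * @return the policy as stored by Ranger (including its assigned id)
     * @throws IOException if the Ranger request fails
     */
    @Override // org.apache.hadoop.ozone.om.multitenant.MultiTenantAccessController
    public MultiTenantAccessController.Policy createPolicy(MultiTenantAccessController.Policy policy) throws IOException {
        LOG.debug("Sending create request for policy {} to Ranger.", policy.getName());
        return callRanger(() -> fromRangerPolicy(this.client.createPolicy(toRangerPolicy(policy))));
    }

    /**
     * Fetches a policy of this controller's Ranger service by name.
     *
     * @param policyName the policy name
     * @return the policy as stored by Ranger
     * @throws IOException if the Ranger request fails
     */
    @Override // org.apache.hadoop.ozone.om.multitenant.MultiTenantAccessController
    public MultiTenantAccessController.Policy getPolicy(String policyName) throws IOException {
        LOG.debug("Sending get request for policy {} to Ranger.", policyName);
        return callRanger(() -> fromRangerPolicy(this.client.getPolicy(this.rangerServiceName, policyName)));
    }

    /**
     * Lists policies of this controller's Ranger service whose labels match the given label.
     *
     * <p>The filter key sent is {@code policyLabelsPartial}, i.e. Ranger performs a partial
     * (substring) label match, so the result may include policies with longer labels.
     *
     * @param label the label (or label fragment) to search for
     * @return the matching policies, possibly empty
     * @throws IOException if the Ranger request fails
     */
    @Override // org.apache.hadoop.ozone.om.multitenant.MultiTenantAccessController
    public List<MultiTenantAccessController.Policy> getLabeledPolicies(String label) throws IOException {
        LOG.debug("Sending get request for policies with label {} to Ranger.", label);
        Map<String, String> filter = new HashMap<>();
        filter.put("serviceName", this.rangerServiceName);
        filter.put("policyLabelsPartial", label);
        return callRanger(() -> this.client.findPolicies(filter).stream()
            .map(this::fromRangerPolicy)
            .collect(Collectors.toList()));
    }

    /**
     * Updates an existing policy in Ranger, addressed by the policy's name.
     *
     * @param policy the replacement policy
     * @return the updated policy as stored by Ranger
     * @throws IOException if the Ranger request fails
     */
    @Override // org.apache.hadoop.ozone.om.multitenant.MultiTenantAccessController
    public MultiTenantAccessController.Policy updatePolicy(MultiTenantAccessController.Policy policy) throws IOException {
        LOG.debug("Sending update request for policy {} to Ranger.", policy.getName());
        return callRanger(() -> fromRangerPolicy(
            this.client.updatePolicy(this.rangerServiceName, policy.getName(), toRangerPolicy(policy))));
    }

    /**
     * Deletes a policy of this controller's Ranger service by name.
     *
     * @param policyName the policy name
     * @throws IOException if the Ranger request fails
     */
    @Override // org.apache.hadoop.ozone.om.multitenant.MultiTenantAccessController
    public void deletePolicy(String policyName) throws IOException {
        LOG.debug("Sending delete request for policy {} to Ranger.", policyName);
        callRanger(() -> {
            this.client.deletePolicy(this.rangerServiceName, policyName);
            return null;
        });
    }

    /**
     * Creates a role in Ranger, recording this OM's short user name as its creator.
     *
     * @param role the role to create
     * @return the role as stored by Ranger (including its assigned id)
     * @throws IOException if the Ranger request fails
     */
    @Override // org.apache.hadoop.ozone.om.multitenant.MultiTenantAccessController
    public MultiTenantAccessController.Role createRole(MultiTenantAccessController.Role role) throws IOException {
        LOG.debug("Sending create request for role {} to Ranger.", role.getName());
        return callRanger(() -> fromRangerRole(
            this.client.createRole(this.rangerServiceName, toRangerRole(role, this.shortName))));
    }

    /**
     * Fetches a role by name, executing as this OM's short user name.
     *
     * @param roleName the role name
     * @return the role as stored by Ranger
     * @throws IOException if the Ranger request fails
     */
    @Override // org.apache.hadoop.ozone.om.multitenant.MultiTenantAccessController
    public MultiTenantAccessController.Role getRole(String roleName) throws IOException {
        LOG.debug("Sending get request for role {} to Ranger.", roleName);
        return callRanger(() -> fromRangerRole(this.client.getRole(roleName, this.shortName, this.rangerServiceName)));
    }

    /**
     * Updates an existing role in Ranger, addressed by its numeric id.
     *
     * @param roleId the Ranger role id
     * @param role the replacement role
     * @return the updated role as stored by Ranger
     * @throws IOException if the Ranger request fails
     */
    @Override // org.apache.hadoop.ozone.om.multitenant.MultiTenantAccessController
    public MultiTenantAccessController.Role updateRole(long roleId, MultiTenantAccessController.Role role) throws IOException {
        LOG.debug("Sending update request for role ID {} to Ranger.", roleId);
        return callRanger(() -> fromRangerRole(this.client.updateRole(roleId, toRangerRole(role, this.shortName))));
    }

    /**
     * Deletes a role by name, executing as this OM's short user name.
     *
     * @param roleName the role name
     * @throws IOException if the Ranger request fails
     */
    @Override // org.apache.hadoop.ozone.om.multitenant.MultiTenantAccessController
    public void deleteRole(String roleName) throws IOException {
        LOG.debug("Sending delete request for role {} to Ranger.", roleName);
        callRanger(() -> {
            this.client.deleteRole(roleName, this.shortName, this.rangerServiceName);
            return null;
        });
    }

    /**
     * Returns the policy version of this controller's Ranger service.
     *
     * @return the service's policy version, or {@code -1} if Ranger reports none
     * @throws IOException if the Ranger request fails
     */
    @Override // org.apache.hadoop.ozone.om.multitenant.MultiTenantAccessController
    public long getRangerServicePolicyVersion() throws IOException {
        Long policyVersion = callRanger(() -> this.client.getService(this.rangerServiceName).getPolicyVersion());
        return policyVersion == null ? -1L : policyVersion;
    }

    /**
     * Converts a name-to-isAdmin map into Ranger role members.
     *
     * @param members member name mapped to its admin flag
     * @return one {@link RangerRole.RoleMember} per entry
     */
    private static List<RangerRole.RoleMember> toRangerRoleMembers(Map<String, Boolean> members) {
        return members.entrySet().stream()
            .map(member -> new RangerRole.RoleMember(member.getKey(), member.getValue()))
            .collect(Collectors.toList());
    }

    /**
     * Extracts the member names from Ranger role members; the admin flag is dropped.
     *
     * @param members Ranger role members
     * @return their names, in iteration order
     */
    private static List<String> fromRangerRoleMembers(Collection<RangerRole.RoleMember> members) {
        return members.stream()
            .map(RangerRole.RoleMember::getName)
            .collect(Collectors.toList());
    }

    /**
     * Builds an Ozone role from a Ranger role. Only the user members are carried over;
     * nested role members are not read here.
     *
     * @param rangerRole the Ranger role
     * @return the equivalent Ozone role
     */
    private static MultiTenantAccessController.Role fromRangerRole(RangerRole rangerRole) {
        // NOTE(review): a Ranger role without an id would NPE on unboxing here — verify Ranger always sets it.
        return new MultiTenantAccessController.Role.Builder()
            .setID(rangerRole.getId().longValue())
            .setName(rangerRole.getName())
            .setDescription(rangerRole.getDescription())
            .addUsers(fromRangerRoleMembers(rangerRole.getUsers()))
            .setCreatedByUser(rangerRole.getCreatedByUser())
            .build();
    }

    /**
     * Builds a Ranger role from an Ozone role.
     *
     * @param role the Ozone role
     * @param createdByUser user recorded as the role's creator
     * @return the equivalent Ranger role; users, roles and description are set only when present
     */
    private static RangerRole toRangerRole(MultiTenantAccessController.Role role, String createdByUser) {
        RangerRole rangerRole = new RangerRole();
        rangerRole.setName(role.getName());
        rangerRole.setCreatedByUser(createdByUser);
        if (!role.getUsersMap().isEmpty()) {
            rangerRole.setUsers(toRangerRoleMembers(role.getUsersMap()));
        }
        if (!role.getRolesMap().isEmpty()) {
            rangerRole.setRoles(toRangerRoleMembers(role.getRolesMap()));
        }
        if (role.getDescription().isPresent()) {
            rangerRole.setDescription(role.getDescription().get());
        }
        return rangerRole;
    }

    /**
     * Builds an Ozone policy from a Ranger policy.
     *
     * <p>For each policy item only its role entries are mapped (each role gets the item's full
     * access list); user entries on policy items are not read here. Resources of type
     * {@code volume}, {@code bucket} and {@code key} are mapped; any other resource type is
     * logged and skipped.
     *
     * @param rangerPolicy the Ranger policy
     * @return the equivalent Ozone policy
     */
    private MultiTenantAccessController.Policy fromRangerPolicy(RangerPolicy rangerPolicy) {
        MultiTenantAccessController.Policy.Builder builder = new MultiTenantAccessController.Policy.Builder();

        for (RangerPolicy.RangerPolicyItem item : rangerPolicy.getPolicyItems()) {
            List<MultiTenantAccessController.Acl> acls = new ArrayList<>();
            for (RangerPolicy.RangerPolicyItemAccess access : item.getAccesses()) {
                // NOTE(review): an access type Ozone does not know yields a null ACLType here — verify Acl tolerates it.
                IAccessAuthorizer.ACLType aclType = this.stringToAcl.get(access.getType());
                if (access.getIsAllowed()) {
                    acls.add(MultiTenantAccessController.Acl.allow(aclType));
                } else {
                    acls.add(MultiTenantAccessController.Acl.deny(aclType));
                }
            }
            for (String roleName : item.getRoles()) {
                builder.addRoleAcl(roleName, acls);
            }
        }

        for (Map.Entry<String, RangerPolicy.RangerPolicyResource> resource : rangerPolicy.getResources().entrySet()) {
            String resourceType = resource.getKey();
            List<String> resourceNames = resource.getValue().getValues();
            switch (resourceType) {
                case RESOURCE_VOLUME:
                    builder.addVolumes(resourceNames);
                    break;
                case RESOURCE_BUCKET:
                    builder.addBuckets(resourceNames);
                    break;
                case RESOURCE_KEY:
                    builder.addKeys(resourceNames);
                    break;
                default:
                    // Only genuinely unknown resource types reach here; known ones are consumed above.
                    LOG.warn("Pulled Ranger policy with unknown resource type '{}' with names '{}'",
                        resourceType, String.join(",", resourceNames));
                    break;
            }
        }

        builder.setName(rangerPolicy.getName())
            .setId(rangerPolicy.getId())
            .setDescription(rangerPolicy.getDescription())
            .addLabels(rangerPolicy.getPolicyLabels());
        return builder.build();
    }

    /**
     * Wraps resource names into a Ranger policy resource.
     *
     * @param names the volume/bucket/key names
     * @return a resource holding a copy of {@code names}
     */
    private static RangerPolicy.RangerPolicyResource toRangerResource(Collection<String> names) {
        RangerPolicy.RangerPolicyResource resource = new RangerPolicy.RangerPolicyResource();
        resource.setValues(new ArrayList<>(names));
        return resource;
    }

    /**
     * Builds a Ranger policy item holding one access entry per ACL. The caller attaches the
     * principal (user or role) the item applies to.
     *
     * @param acls the ACLs to convert
     * @return a policy item with the accesses populated
     */
    private RangerPolicy.RangerPolicyItem toRangerPolicyItem(Collection<MultiTenantAccessController.Acl> acls) {
        RangerPolicy.RangerPolicyItem item = new RangerPolicy.RangerPolicyItem();
        for (MultiTenantAccessController.Acl acl : acls) {
            RangerPolicy.RangerPolicyItemAccess access = new RangerPolicy.RangerPolicyItemAccess();
            access.setIsAllowed(acl.isAllowed());
            access.setType(this.aclToString.get(acl.getAclType()));
            item.getAccesses().add(access);
        }
        return item;
    }

    /**
     * Builds a Ranger policy from an Ozone policy for this controller's Ranger service.
     *
     * <p>Each user ACL entry becomes a policy item with a single user; each role ACL entry a
     * policy item with a single role. Resource maps are only populated for non-empty name sets.
     *
     * @param policy the Ozone policy
     * @return the equivalent Ranger policy
     */
    private RangerPolicy toRangerPolicy(MultiTenantAccessController.Policy policy) {
        RangerPolicy rangerPolicy = new RangerPolicy();
        rangerPolicy.setName(policy.getName());
        rangerPolicy.setService(this.rangerServiceName);
        rangerPolicy.setPolicyLabels(new ArrayList<>(policy.getLabels()));

        Map<String, RangerPolicy.RangerPolicyResource> resources = new HashMap<>();
        if (!policy.getVolumes().isEmpty()) {
            resources.put(RESOURCE_VOLUME, toRangerResource(policy.getVolumes()));
        }
        if (!policy.getBuckets().isEmpty()) {
            resources.put(RESOURCE_BUCKET, toRangerResource(policy.getBuckets()));
        }
        if (!policy.getKeys().isEmpty()) {
            resources.put(RESOURCE_KEY, toRangerResource(policy.getKeys()));
        }
        rangerPolicy.setResources(resources);

        if (policy.getDescription().isPresent()) {
            rangerPolicy.setDescription(policy.getDescription().get());
        }

        for (Map.Entry<String, Collection<MultiTenantAccessController.Acl>> userAcls : policy.getUserAcls().entrySet()) {
            RangerPolicy.RangerPolicyItem item = toRangerPolicyItem(userAcls.getValue());
            item.setUsers(Collections.singletonList(userAcls.getKey()));
            rangerPolicy.getPolicyItems().add(item);
        }
        for (Map.Entry<String, Collection<MultiTenantAccessController.Acl>> roleAcls : policy.getRoleAcls().entrySet()) {
            RangerPolicy.RangerPolicyItem item = toRangerPolicyItem(roleAcls.getValue());
            item.setRoles(Collections.singletonList(roleAcls.getKey()));
            rangerPolicy.getPolicyItems().add(item);
        }
        return rangerPolicy;
    }
}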
