package org.apache.hadoop.ozone.om;

import com.google.common.base.Optional;
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.hdds.annotation.InterfaceAudience;
import org.apache.hadoop.hdds.annotation.InterfaceStability;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.ozone.om.helpers.TenantUserList;
import org.apache.hadoop.ozone.om.multitenant.AuthorizerLock;
import org.apache.hadoop.ozone.om.multitenant.MultiTenantAccessController;
import org.apache.hadoop.ozone.om.multitenant.OzoneOwnerPrincipal;
import org.apache.hadoop.ozone.om.multitenant.Tenant;
import org.apache.hadoop.ozone.om.service.OMRangerBGSyncService;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.slf4j.Logger;

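/**
 * Ozone Manager side entry point for S3 Multi-Tenancy: tenant lookups,
 * access-ID to user mapping, tenant-admin checks, the start-up prerequisite
 * check and the naming scheme for the default Ranger roles and policies that
 * are created per tenant.
 * <p>
 * This listing was recovered from a decompiled class file; parameter names
 * have been reconstructed from how each value is used here and should be
 * cross-checked against the implementation where noted.
 */
@InterfaceStability.Unstable
@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/ozone/om/OMMultiTenantManager.class */
public interface OMMultiTenantManager {

    /** Description attached to every Ranger policy Ozone creates for a tenant. */
    String OZONE_TENANT_RANGER_POLICY_DESCRIPTION = "Created by Ozone. WARNING: Changes will be lost when this tenant is deleted.";

    /** Description attached to every Ranger role Ozone creates for a tenant. */
    String OZONE_TENANT_RANGER_ROLE_DESCRIPTION = "Managed by Ozone. WARNING: Changes will be overridden. Use Ozone tenant CLI to manage users in this tenant role instead.";

    /**
     * Starts the manager (and whatever background services the implementation owns).
     *
     * @throws IOException if start-up fails
     */
    void start() throws IOException;

    /**
     * Stops the manager.
     *
     * @throws IOException if shutdown fails
     */
    void stop() throws IOException;

    /** @return the background service that reconciles OM tenant state with Ranger */
    OMRangerBGSyncService getOMRangerBGSyncService();

    /** @return the OM metadata manager backing the tenant tables */
    OMMetadataManager getOmMetadataManager();

    /** @return tenant operations that are applied to the external authorizer (Ranger) */
    TenantOp getAuthorizerOp();

    /** @return tenant operations that are applied to the in-memory cache */
    TenantOp getCacheOp();

    /**
     * Resolves the user principal that owns an access ID.
     *
     * @param accessId the S3 access ID
     * @return the user name the access ID belongs to
     */
    String getUserNameGivenAccessId(String accessId);

    /**
     * Builds the default access ID for a user in a tenant: {@code <tenantId>$<userPrincipal>}.
     * A {@code null} argument is rendered as the string {@code "null"}, as in the original.
     *
     * @param tenantId tenant identifier
     * @param userPrincipal user principal (short name)
     * @return the default access ID
     */
    static String getDefaultAccessId(String tenantId, String userPrincipal) {
        return tenantId + "$" + userPrincipal;
    }

    /**
     * Tells whether the caller is an admin of the given tenant.
     *
     * @param callerUgi the caller's identity
     * @param tenantId tenant identifier
     * @param delegated presumably whether delegated (non-primary) tenant admins also
     *                  qualify — confirm against the implementation
     * @return {@code true} if the caller is a tenant admin
     */
    boolean isTenantAdmin(UserGroupInformation callerUgi, String tenantId, boolean delegated);

    /**
     * Lists the users assigned to a tenant.
     *
     * @param tenantId tenant identifier
     * @param prefix presumably a user-name prefix filter — confirm against the implementation
     * @return the user list
     * @throws IOException on a metadata read failure
     */
    TenantUserList listUsersInTenant(String tenantId, String prefix) throws IOException;

    /**
     * Looks up the tenant an access ID belongs to.
     *
     * @param accessId the S3 access ID
     * @return the tenant ID, or absent when the access ID is not assigned to a tenant
     * @throws IOException on a metadata read failure
     */
    Optional<String> getTenantForAccessID(String accessId) throws IOException;

    /**
     * @param tenantId tenant identifier
     * @return the default Ranger role name for tenant users: {@code <tenantId>-UserRole}
     */
    static String getDefaultUserRoleName(String tenantId) {
        return tenantId + "-UserRole";
    }

    /**
     * @param tenantId tenant identifier
     * @return the default Ranger role name for tenant admins: {@code <tenantId>-AdminRole}
     */
    static String getDefaultAdminRoleName(String tenantId) {
        return tenantId + "-AdminRole";
    }

    /**
     * @param tenantId tenant identifier
     * @return the default Ranger policy name for volume-level access: {@code <tenantId>-VolumeAccess}
     */
    static String getDefaultBucketNamespacePolicyName(String tenantId) {
        return tenantId + "-VolumeAccess";
    }

    /**
     * @param tenantId tenant identifier
     * @return the default Ranger policy name for bucket-level access: {@code <tenantId>-BucketAccess}
     */
    static String getDefaultBucketPolicyName(String tenantId) {
        return tenantId + "-BucketAccess";
    }

    /**
     * Ensures the caller is an Ozone (cluster) admin.
     *
     * @throws OMException if the caller is not an admin
     */
    void checkAdmin() throws OMException;

    /**
     * Ensures the caller is an admin of the given tenant.
     *
     * @param tenantId tenant identifier
     * @param delegated see {@link #isTenantAdmin(UserGroupInformation, String, boolean)}
     * @throws OMException if the caller is not a tenant admin
     */
    void checkTenantAdmin(String tenantId, boolean delegated) throws OMException;

    /**
     * Ensures the tenant exists.
     *
     * @param tenantId tenant identifier
     * @throws OMException if the tenant does not exist
     */
    void checkTenantExistence(String tenantId) throws OMException;

    /**
     * @param tenantId tenant identifier
     * @return the volume backing the tenant
     * @throws IOException on a metadata read failure
     */
    String getTenantVolumeName(String tenantId) throws IOException;

    /**
     * @param tenantId tenant identifier
     * @return the Ranger role name holding the tenant's users
     * @throws IOException on a metadata read failure
     */
    String getTenantUserRoleName(String tenantId) throws IOException;

    /**
     * @param tenantId tenant identifier
     * @return the Ranger role name holding the tenant's admins
     * @throws IOException on a metadata read failure
     */
    String getTenantAdminRoleName(String tenantId) throws IOException;

    /**
     * @param tenantId tenant identifier
     * @return the tenant record read from the OM DB
     * @throws IOException on a metadata read failure
     */
    Tenant getTenantFromDBById(String tenantId) throws IOException;

    /**
     * Tells whether the caller either owns the access ID or is an admin of the tenant it belongs to.
     *
     * @param accessId the S3 access ID
     * @param callerUgi the caller's identity
     * @return {@code true} if the caller is allowed to act on the access ID
     * @throws IOException on a metadata read failure
     */
    boolean isUserAccessIdPrincipalOrTenantAdmin(String accessId, UserGroupInformation callerUgi) throws IOException;

    /**
     * @param tenantId tenant identifier
     * @return {@code true} if the tenant has no users assigned
     * @throws IOException on a metadata read failure
     */
    boolean isTenantEmpty(String tenantId) throws IOException;

    /**
     * Reads the multi-tenancy flag and, when it is set, validates the prerequisites
     * for talking to Ranger: Ozone security with Kerberos authentication, the Ranger
     * address and service name, and either a Kerberos principal/keytab or an explicit
     * Ranger admin API user/password override.
     *
     * @param ozoneManager the OM, used to check whether security is enabled
     * @param conf the OM configuration
     * @return {@code false} when multi-tenancy is disabled; the configured flag when the
     *         dev-only "skip Ranger" switch is set (no checks are performed); {@code true}
     *         when enabled and every prerequisite holds
     * @throws RuntimeException when multi-tenancy is enabled but a prerequisite is missing;
     *         each missing item has already been logged at ERROR
     */
    static boolean checkAndEnableMultiTenancy(OzoneManager ozoneManager, OzoneConfiguration conf) {
        final Logger log = OzoneManager.LOG;
        boolean enabled = conf.getBoolean("ozone.om.multitenancy.enabled", false);
        final boolean devSkipRanger = conf.getBoolean(OMMultiTenantManagerImpl.OZONE_OM_TENANT_DEV_SKIP_RANGER, false);
        // Nothing to validate when the feature is off; the dev-only Ranger bypass
        // deliberately skips the security and Ranger prerequisite checks as well.
        if (!enabled || devSkipRanger) {
            return enabled;
        }

        if (!ozoneManager.isSecurityEnabled()) {
            enabled = false;
            log.error("Ozone security is required to enable S3 Multi-Tenancy");
        } else if (!SecurityUtil.getAuthenticationMethod(conf).equals(UserGroupInformation.AuthenticationMethod.KERBEROS)) {
            enabled = false;
            log.error("Kerberos authentication is required to enable S3 Multi-Tenancy");
        }

        final String rangerAddressKey = "ozone.om.ranger.https-address";
        if (StringUtils.isBlank(conf.get(rangerAddressKey))) {
            enabled = false;
            log.error("{} is required to enable S3 Multi-Tenancy but not set", rangerAddressKey);
        }
        final String rangerServiceKey = "ozone.om.ranger.service";
        if (StringUtils.isBlank(conf.get(rangerServiceKey))) {
            enabled = false;
            log.error("{} is required to enable S3 Multi-Tenancy but not set", rangerServiceKey);
        }

        final String apiUser = conf.get("ozone.om.ranger.https.admin.api.user");
        final String apiPasswd = conf.get("ozone.om.ranger.https.admin.api.passwd");
        if (apiUser == null || apiPasswd == null) {
            // No explicit override: Ranger is authenticated to with the OM's
            // Kerberos principal and keytab, so both must be configured.
            final String principalKey = "ozone.om.kerberos.principal";
            if (StringUtils.isBlank(conf.get(principalKey))) {
                enabled = false;
                log.error("{} is required to enable S3 Multi-Tenancy but not set", principalKey);
            }
            final String keytabKey = "ozone.om.kerberos.keytab.file";
            final String keytabPath = conf.get(keytabKey);
            if (StringUtils.isBlank(keytabPath)) {
                enabled = false;
                log.error("{} is required to enable S3 Multi-Tenancy but not set", keytabKey);
            } else if (!new File(keytabPath).isFile()) {
                // Kept behind the blank check: new File(null) throws NPE, which would
                // replace the configuration error above with a stack trace. As in the
                // original, a missing keytab file is only logged here; the failure
                // surfaces when the login to Ranger is attempted.
                log.error("{} = '{}' file path doesn't exist or is not a file", keytabKey, keytabPath);
            }
        } else {
            // Only the presence of the override credentials is checked; their values
            // are never logged.
            log.warn("Detected clear text username and password override configs. These will be used to authenticate to Ranger Admin Server instead of using the recommended Kerberos principal and keytab authentication method. This is NOT recommended on a production cluster.");
        }

        if (enabled) {
            return true;
        }
        throw new RuntimeException("Failed to meet one or more requirements to enable S3 Multi-Tenancy");
    }

    /**
     * Builds the default volume-level Ranger policy for a tenant: the user role gets
     * READ, LIST and READ_ACL on the tenant volume, the admin role gets ALL.
     *
     * @param tenantId tenant identifier (used for the policy name)
     * @param volumeName the tenant's volume
     * @param userRoleName Ranger role holding the tenant's users
     * @param adminRoleName Ranger role holding the tenant's admins
     * @return the policy, not yet created in Ranger
     * @throws IOException if the builder rejects the policy
     */
    static MultiTenantAccessController.Policy getDefaultVolumeAccessPolicy(String tenantId, String volumeName,
            String userRoleName, String adminRoleName) throws IOException {
        return new MultiTenantAccessController.Policy.Builder()
                .setName(getDefaultBucketNamespacePolicyName(tenantId))
                .addVolume(volumeName)
                .setDescription(OZONE_TENANT_RANGER_POLICY_DESCRIPTION)
                .addLabel("OzoneTenant")
                .addRoleAcl(userRoleName, Arrays.asList(
                        MultiTenantAccessController.Acl.allow(IAccessAuthorizer.ACLType.READ),
                        MultiTenantAccessController.Acl.allow(IAccessAuthorizer.ACLType.LIST),
                        MultiTenantAccessController.Acl.allow(IAccessAuthorizer.ACLType.READ_ACL)))
                .addRoleAcl(adminRoleName, Collections.singletonList(
                        MultiTenantAccessController.Acl.allow(IAccessAuthorizer.ACLType.ALL)))
                .build();
    }

    /**
     * Builds the default bucket-level Ranger policy for a tenant: the user role may
     * CREATE buckets under the tenant volume, and the bucket owner principal gets ALL
     * on every bucket ({@code "*"}) in it.
     *
     * @param tenantId tenant identifier (used for the policy name)
     * @param volumeName the tenant's volume
     * @param userRoleName Ranger role holding the tenant's users
     * @return the policy, not yet created in Ranger
     * @throws IOException if the builder rejects the policy
     */
    static MultiTenantAccessController.Policy getDefaultBucketAccessPolicy(String tenantId, String volumeName,
            String userRoleName) throws IOException {
        return new MultiTenantAccessController.Policy.Builder()
                .setName(getDefaultBucketPolicyName(tenantId))
                .addVolume(volumeName)
                .addBucket("*")
                .setDescription(OZONE_TENANT_RANGER_POLICY_DESCRIPTION)
                .addLabel("OzoneTenant")
                .addRoleAcl(userRoleName, Collections.singletonList(
                        MultiTenantAccessController.Acl.allow(IAccessAuthorizer.ACLType.CREATE)))
                .addUserAcl(new OzoneOwnerPrincipal().getName(), Collections.singletonList(
                        MultiTenantAccessController.Acl.allow(IAccessAuthorizer.ACLType.ALL)))
                .build();
    }

    /** @return the lock serialising authorizer (Ranger) updates against the background sync */
    AuthorizerLock getAuthorizerLock();
}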
