package org.apache.hadoop.ozone.om;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Optional;
import com.google.common.base.Preconditions;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.utils.db.Table;
import org.apache.hadoop.hdds.utils.db.TableIterator;
import org.apache.hadoop.ipc.ProtobufRpcEngine;
import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.ozone.om.helpers.OmDBAccessIdInfo;
import org.apache.hadoop.ozone.om.helpers.OmDBTenantState;
import org.apache.hadoop.ozone.om.helpers.OmDBUserPrincipalInfo;
import org.apache.hadoop.ozone.om.helpers.TenantUserList;
import org.apache.hadoop.ozone.om.multitenant.AccessPolicy;
import org.apache.hadoop.ozone.om.multitenant.AuthorizerLock;
import org.apache.hadoop.ozone.om.multitenant.AuthorizerLockImpl;
import org.apache.hadoop.ozone.om.multitenant.CachedTenantState;
import org.apache.hadoop.ozone.om.multitenant.InMemoryMultiTenantAccessController;
import org.apache.hadoop.ozone.om.multitenant.MultiTenantAccessController;
import org.apache.hadoop.ozone.om.multitenant.OzoneOwnerPrincipal;
import org.apache.hadoop.ozone.om.multitenant.OzoneTenant;
import org.apache.hadoop.ozone.om.multitenant.RangerAccessPolicy;
import org.apache.hadoop.ozone.om.multitenant.RangerClientMultiTenantAccessController;
import org.apache.hadoop.ozone.om.multitenant.Tenant;
import org.apache.hadoop.ozone.om.service.OMRangerBGSyncService;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
import org.apache.hadoop.ozone.security.acl.OzoneObj;
import org.apache.hadoop.ozone.security.acl.OzoneObjInfo;
import org.apache.hadoop.security.UserGroupInformation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl.class */
public class OMMultiTenantManagerImpl implements OMMultiTenantManager {
    private static final Logger LOG = LoggerFactory.getLogger(OMMultiTenantManagerImpl.class);
    public static final String OZONE_OM_TENANT_DEV_SKIP_RANGER = "ozone.om.tenant.dev.skip.ranger";
    private final OzoneManager ozoneManager;
    private final OMMetadataManager omMetadataManager;
    private final OzoneConfiguration conf;
    private final OMRangerBGSyncService omRangerBGSyncService;
    private final MultiTenantAccessController accessController;
    private final TenantOp authorizerOp;
    private final TenantOp cacheOp;
    private final Map<String, CachedTenantState> tenantCache = new ConcurrentHashMap();
    private final ReentrantReadWriteLock tenantCacheLock = new ReentrantReadWriteLock();
    private final AuthorizerLock authorizerLock = new AuthorizerLockImpl();

    /* loaded from: input_file:org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl$AuthorizerOp.class */
    public class AuthorizerOp implements TenantOp {
        private final MultiTenantAccessController accessController;
        private final Map<String, CachedTenantState> tenantCache;
        private final ReentrantReadWriteLock tenantCacheLock;

        /**
         * Builds the authorizer-side tenant operations.
         *
         * @param multiTenantAccessController backend (Ranger or in-memory) that owns roles and policies
         * @param map                         shared tenant cache, read here under {@code reentrantReadWriteLock}
         * @param reentrantReadWriteLock      lock guarding {@code map}
         */
        AuthorizerOp(MultiTenantAccessController multiTenantAccessController, Map<String, CachedTenantState> map, ReentrantReadWriteLock reentrantReadWriteLock) {
            accessController = multiTenantAccessController;
            tenantCache = map;
            tenantCacheLock = reentrantReadWriteLock;
        }

        /**
         * Guards every authorizer mutation: the caller must already hold the outer
         * authorizer write lock, otherwise this is an internal programming error.
         *
         * @throws OMException with {@code INTERNAL_ERROR} when the lock is not held by this thread
         */
        private void checkAcquiredAuthorizerWriteLock() throws OMException {
            boolean held = OMMultiTenantManagerImpl.this.authorizerLock.isWriteLockHeldByCurrentThread();
            if (held) {
                return;
            }
            throw new OMException("Authorizer write lock must have been held before calling this", OMException.ResultCodes.INTERNAL_ERROR);
        }

        @Override // org.apache.hadoop.ozone.om.TenantOp
        /**
         * Creates the authorizer-side objects for a new tenant: the admin role, the
         * user role (which references the admin role), and one volume plus one
         * bucket access policy per bucket-namespace object of the tenant.
         *
         * @param str  tenant ID
         * @param str2 tenant user role name
         * @param str3 tenant admin role name
         *             (argument order matches {@code CachedTenantState(tenantId, userRoleName, adminRoleName)})
         * @throws OMException wrapping any {@link IOException} from the access controller as
         *                     {@code TENANT_AUTHORIZER_ERROR}; the name checks raise {@link IllegalStateException}
         */
        public void createTenant(String str, String str2, String str3) throws IOException {
            checkAcquiredAuthorizerWriteLock();
            final String tenantId = str;
            final String userRoleName = str2;
            final String adminRoleName = str3;
            OzoneTenant tenant = new OzoneTenant(tenantId);
            try {
                // Admin role first: the user role created below refers to it.
                MultiTenantAccessController.Role adminRole = accessController.createRole(
                        new MultiTenantAccessController.Role.Builder()
                                .setName(adminRoleName)
                                .setDescription(OMMultiTenantManager.OZONE_TENANT_RANGER_ROLE_DESCRIPTION)
                                .build());
                Preconditions.checkState(adminRole.getName().equals(adminRoleName));
                tenant.addTenantAccessRole(adminRoleName);

                MultiTenantAccessController.Role userRole = accessController.createRole(
                        new MultiTenantAccessController.Role.Builder()
                                .setName(userRoleName)
                                .addRole(adminRoleName, true)
                                .setDescription(OMMultiTenantManager.OZONE_TENANT_RANGER_ROLE_DESCRIPTION)
                                .build());
                Preconditions.checkState(userRole.getName().equals(userRoleName));
                tenant.addTenantAccessRole(userRoleName);

                for (Object nsObject : tenant.getTenantBucketNameSpace().getBucketNameSpaceObjects()) {
                    String volumeName = ((OzoneObj) nsObject).getVolumeName();
                    MultiTenantAccessController.Policy volumePolicy = accessController.createPolicy(
                            OMMultiTenantManager.getDefaultVolumeAccessPolicy(tenantId, volumeName, userRoleName, adminRoleName));
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Created volume policy: {}", volumePolicy);
                    }
                    tenant.addTenantAccessPolicy(volumePolicy.getName());
                    MultiTenantAccessController.Policy bucketPolicy = accessController.createPolicy(
                            OMMultiTenantManager.getDefaultBucketAccessPolicy(tenantId, volumeName, userRoleName));
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Created bucket policy: {}", bucketPolicy);
                    }
                    tenant.addTenantAccessPolicy(bucketPolicy.getName());
                }
            } catch (IOException e) {
                throw new OMException(e, OMException.ResultCodes.TENANT_AUTHORIZER_ERROR);
            }
        }

        @Override // org.apache.hadoop.ozone.om.TenantOp
        /**
         * Removes the tenant's access policies and then its roles from the authorizer.
         *
         * @param tenant tenant whose policies and roles are deleted
         * @throws OMException {@code TENANT_AUTHORIZER_ERROR} wrapping any access-controller failure
         */
        public void deleteTenant(Tenant tenant) throws IOException {
            checkAcquiredAuthorizerWriteLock();
            LOG.info("Deleting tenant policies and roles from Ranger: {}", tenant);
            try {
                // Policies reference roles, so they go first.
                for (Object policyName : tenant.getTenantAccessPolicies()) {
                    accessController.deletePolicy((String) policyName);
                }
                for (Object roleName : tenant.getTenantRoles()) {
                    accessController.deleteRole((String) roleName);
                }
            } catch (IOException e) {
                throw new OMException(e, OMException.ResultCodes.TENANT_AUTHORIZER_ERROR);
            }
        }

        /**
         * Ensures a role fetched from the authorizer carries an ID, which the
         * {@code updateRole} calls require.
         *
         * @param role role returned by the access controller
         * @throws IOException when the role has no ID (also logged at error level)
         */
        private void checkRoleIdExistence(MultiTenantAccessController.Role role) throws IOException {
            if (!role.getId().isPresent()) {
                String message = String.format("Received no role ID in: %s", role);
                LOG.error(message);
                throw new IOException(message);
            }
        }

        @Override // org.apache.hadoop.ozone.om.TenantOp
        /**
         * Adds a user principal to the tenant's user role in the authorizer.
         * Idempotent on the authorizer side: an already-assigned user is only warned about.
         *
         * @param str  user principal
         * @param str2 tenant ID
         * @param str3 access ID; not used here (the cache side records it)
         * @throws OMException {@code TENANT_AUTHORIZER_ERROR} wrapping any access-controller failure;
         *                     a missing cache entry raises {@link NullPointerException}
         */
        public void assignUserToTenant(String str, String str2, String str3) throws IOException {
            checkAcquiredAuthorizerWriteLock();
            tenantCacheLock.readLock().lock();
            try {
                CachedTenantState cached = tenantCache.get(str2);
                Preconditions.checkNotNull(cached, "Cache entry for tenant '" + str2 + "' does not exist");
                MultiTenantAccessController.Role userRole = accessController.getRole(cached.getTenantUserRoleName());
                checkRoleIdExistence(userRole);
                long roleId = userRole.getId().get().longValue();
                if (userRole.getUsersMap().containsKey(str)) {
                    LOG.warn("User '{}' is already assigned to tenant '{}'", str, str2);
                }
                MultiTenantAccessController.Role updatedRole = accessController.updateRole(
                        roleId, new MultiTenantAccessController.Role.Builder(userRole).addUser(str, false).build());
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Updated user role: {}", updatedRole);
                }
            } catch (IOException e) {
                throw new OMException(e, OMException.ResultCodes.TENANT_AUTHORIZER_ERROR);
            } finally {
                tenantCacheLock.readLock().unlock();
            }
        }

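        @Override // org.apache.hadoop.ozone.om.TenantOp
        /**
         * Removes the user behind an access ID from the tenant's user role in the authorizer.
         *
         * @param str  access ID being revoked
         * @param str2 tenant ID the access ID must belong to
         * @throws OMException {@code INVALID_ACCESS_ID} when the access ID is unknown;
         *                     {@code TENANT_AUTHORIZER_ERROR} wrapping other I/O failures.
         *                     An access ID owned by another tenant raises {@link IllegalArgumentException}.
         */
        public void revokeUserAccessId(String str, String str2) throws IOException {
            checkAcquiredAuthorizerWriteLock();
            tenantCacheLock.readLock().lock();
            try {
                OmDBAccessIdInfo accessIdInfo = (OmDBAccessIdInfo) OMMultiTenantManagerImpl.this.omMetadataManager.getTenantAccessIdTable().get(str);
                if (accessIdInfo == null) {
                    throw new OMException(OMException.ResultCodes.INVALID_ACCESS_ID);
                }
                // Refuse to touch an access ID that belongs to a different tenant.
                Preconditions.checkArgument(accessIdInfo.getTenantId().equals(str2));
                String userPrincipal = accessIdInfo.getUserPrincipal();
                MultiTenantAccessController.Role userRole = accessController.getRole(tenantCache.get(str2).getTenantUserRoleName());
                checkRoleIdExistence(userRole);
                long roleId = userRole.getId().get().longValue();
                if (!userRole.getUsersMap().containsKey(userPrincipal)) {
                    LOG.warn("User '{}' is not assigned to tenant '{}'", userPrincipal, str2);
                }
                MultiTenantAccessController.Role updatedRole = accessController.updateRole(
                        roleId, new MultiTenantAccessController.Role.Builder(userRole).removeUser(userPrincipal).build());
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Updated user role: {}", updatedRole);
                }
            } catch (OMException e) {
                // Keep the specific result code (e.g. INVALID_ACCESS_ID) rather than
                // masking it as a generic authorizer error.
                throw e;
            } catch (IOException e) {
                throw new OMException(e, OMException.ResultCodes.TENANT_AUTHORIZER_ERROR);
            } finally {
                tenantCacheLock.readLock().unlock();
            }
        }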

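        @Override // org.apache.hadoop.ozone.om.TenantOp
        /**
         * Adds the user behind an access ID to the tenant's admin role in the authorizer.
         *
         * @param str access ID to promote
         * @param z   whether the user is added as a delegated admin (passed to {@code addUser})
         * @throws OMException {@code INVALID_ACCESS_ID} when the access ID maps to no tenant;
         *                     {@code TENANT_AUTHORIZER_ERROR} wrapping other I/O failures
         */
        public void assignTenantAdmin(String str, boolean z) throws IOException {
            checkAcquiredAuthorizerWriteLock();
            tenantCacheLock.readLock().lock();
            try {
                String tenantId = OMMultiTenantManagerImpl.this.getTenantForAccessIDThrowIfNotFound(str);
                String adminRoleName = tenantCache.get(tenantId).getTenantAdminRoleName();
                String userPrincipal = OMMultiTenantManagerImpl.this.getUserNameGivenAccessId(str);
                MultiTenantAccessController.Role adminRole = accessController.getRole(adminRoleName);
                checkRoleIdExistence(adminRole);
                if (adminRole.getUsersMap().containsKey(userPrincipal)) {
                    LOG.warn("User '{}' is already admin in tenant '{}'", userPrincipal, tenantId);
                }
                MultiTenantAccessController.Role updatedRole = accessController.updateRole(
                        adminRole.getId().get().longValue(),
                        new MultiTenantAccessController.Role.Builder(adminRole).addUser(userPrincipal, z).build());
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Updated admin role: {}", updatedRole);
                }
            } catch (OMException e) {
                // Preserve the original result code (INVALID_ACCESS_ID from the lookup above)
                // instead of reporting it as an authorizer error.
                throw e;
            } catch (IOException e) {
                throw new OMException(e, OMException.ResultCodes.TENANT_AUTHORIZER_ERROR);
            } finally {
                tenantCacheLock.readLock().unlock();
            }
        }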

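        @Override // org.apache.hadoop.ozone.om.TenantOp
        /**
         * Removes the user behind an access ID from the tenant's admin role in the authorizer.
         *
         * @param str access ID to demote
         * @throws OMException {@code INVALID_ACCESS_ID} when the access ID maps to no tenant;
         *                     {@code TENANT_AUTHORIZER_ERROR} wrapping other I/O failures
         */
        public void revokeTenantAdmin(String str) throws IOException {
            checkAcquiredAuthorizerWriteLock();
            tenantCacheLock.readLock().lock();
            try {
                String tenantId = OMMultiTenantManagerImpl.this.getTenantForAccessIDThrowIfNotFound(str);
                String adminRoleName = tenantCache.get(tenantId).getTenantAdminRoleName();
                String userPrincipal = OMMultiTenantManagerImpl.this.getUserNameGivenAccessId(str);
                MultiTenantAccessController.Role adminRole = accessController.getRole(adminRoleName);
                checkRoleIdExistence(adminRole);
                long roleId = adminRole.getId().get().longValue();
                if (!adminRole.getUsersMap().containsKey(userPrincipal)) {
                    LOG.warn("User '{}' is not admin in tenant '{}'", userPrincipal, tenantId);
                }
                MultiTenantAccessController.Role updatedRole = accessController.updateRole(
                        roleId, new MultiTenantAccessController.Role.Builder(adminRole).removeUser(userPrincipal).build());
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Updated admin role: {}", updatedRole);
                }
            } catch (OMException e) {
                // Preserve the original result code (INVALID_ACCESS_ID from the lookup above)
                // instead of reporting it as an authorizer error.
                throw e;
            } catch (IOException e) {
                throw new OMException(e, OMException.ResultCodes.TENANT_AUTHORIZER_ERROR);
            } finally {
                tenantCacheLock.readLock().unlock();
            }
        }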
    }

    /* loaded from: input_file:org/apache/hadoop/ozone/om/OMMultiTenantManagerImpl$CacheOp.class */
    public class CacheOp implements TenantOp {
        private final Map<String, CachedTenantState> tenantCache;
        private final ReentrantReadWriteLock tenantCacheLock;

        /**
         * Builds the cache-side tenant operations.
         *
         * @param map                    shared tenant cache, mutated here under the write lock
         * @param reentrantReadWriteLock lock guarding {@code map}
         */
        CacheOp(Map<String, CachedTenantState> map, ReentrantReadWriteLock reentrantReadWriteLock) {
            tenantCache = map;
            tenantCacheLock = reentrantReadWriteLock;
        }

        @Override // org.apache.hadoop.ozone.om.TenantOp
        /**
         * Inserts (or overwrites) the in-memory entry for a tenant.
         *
         * @param str  tenant ID
         * @param str2 tenant user role name
         * @param str3 tenant admin role name
         */
        public void createTenant(String str, String str2, String str3) {
            tenantCacheLock.writeLock().lock();
            try {
                boolean alreadyCached = tenantCache.containsKey(str);
                if (alreadyCached) {
                    LOG.warn("Cache entry for tenant '{}' already exists, will be overwritten", str);
                }
                CachedTenantState state = new CachedTenantState(str, str2, str3);
                tenantCache.put(str, state);
            } finally {
                tenantCacheLock.writeLock().unlock();
            }
        }

        @Override // org.apache.hadoop.ozone.om.TenantOp
        /**
         * Drops the in-memory entry for a tenant.
         *
         * @param tenant tenant to remove from the cache
         * @throws OMException {@code INTERNAL_ERROR} when the tenant has no cache entry
         */
        public void deleteTenant(Tenant tenant) throws IOException {
            String tenantName = tenant.getTenantName();
            tenantCacheLock.writeLock().lock();
            try {
                if (tenantCache.containsKey(tenantName)) {
                    LOG.info("Removing tenant from in-memory cache: {}", tenantName);
                    tenantCache.remove(tenantName);
                    return;
                }
                throw new OMException("Tenant does not exist in cache: " + tenantName, OMException.ResultCodes.INTERNAL_ERROR);
            } finally {
                tenantCacheLock.writeLock().unlock();
            }
        }

        @Override // org.apache.hadoop.ozone.om.TenantOp
        /**
         * Records an access ID for a user in the tenant's cache entry, as a non-admin.
         *
         * @param str  user principal
         * @param str2 tenant ID
         * @param str3 access ID (the map key)
         * @throws NullPointerException when the tenant has no cache entry
         */
        public void assignUserToTenant(String str, String str2, String str3) {
            tenantCacheLock.writeLock().lock();
            try {
                CachedTenantState state = tenantCache.get(str2);
                Preconditions.checkNotNull(state, "Cache entry for tenant '" + str2 + "' does not exist");
                LOG.info("Adding to cache: user '{}' accessId '{}' in tenant '{}'", new Object[]{str, str3, str2});
                // New access IDs always start without admin rights.
                CachedTenantState.CachedAccessIdInfo info = new CachedTenantState.CachedAccessIdInfo(str, false);
                state.getAccessIdInfoMap().put(str3, info);
            } finally {
                tenantCacheLock.writeLock().unlock();
            }
        }

        @Override // org.apache.hadoop.ozone.om.TenantOp
        /**
         * Removes an access ID from the tenant's cache entry.
         *
         * @param str  access ID
         * @param str2 tenant ID
         * @throws OMException {@code INTERNAL_ERROR} when the access ID is not cached for the tenant;
         *                     a tenant with no cache entry raises {@link NullPointerException}
         */
        public void revokeUserAccessId(String str, String str2) throws IOException {
            tenantCacheLock.writeLock().lock();
            try {
                LOG.info("Removing from cache: accessId '{}' in tenant '{}'", str, str2);
                CachedTenantState state = tenantCache.get(str2);
                boolean known = state.getAccessIdInfoMap().containsKey(str);
                if (!known) {
                    throw new OMException("accessId '" + str + "' doesn't exist in tenant cache!", OMException.ResultCodes.INTERNAL_ERROR);
                }
                state.getAccessIdInfoMap().remove(str);
            } finally {
                tenantCacheLock.writeLock().unlock();
            }
        }

        @Override // org.apache.hadoop.ozone.om.TenantOp
        /**
         * Marks an access ID as admin in its tenant's cache entry.
         * Only the admin flag is stored; {@code z} (delegated) is logged but not kept in the cache here.
         *
         * @param str access ID
         * @param z   delegated-admin flag, logged only
         * @throws OMException {@code INVALID_ACCESS_ID} when the access ID maps to no tenant;
         *                     an access ID missing from the cache entry raises {@link NullPointerException}
         */
        public void assignTenantAdmin(String str, boolean z) throws IOException {
            tenantCacheLock.writeLock().lock();
            try {
                String tenantId = OMMultiTenantManagerImpl.this.getTenantForAccessIDThrowIfNotFound(str);
                CachedTenantState state = tenantCache.get(tenantId);
                LOG.info("Updating cache: accessId '{}' isAdmin '{}' isDelegated '{}'", new Object[]{str, true, Boolean.valueOf(z)});
                CachedTenantState.CachedAccessIdInfo info = state.getAccessIdInfoMap().get(str);
                info.setIsAdmin(true);
            } finally {
                tenantCacheLock.writeLock().unlock();
            }
        }

        @Override // org.apache.hadoop.ozone.om.TenantOp
        /**
         * Clears the admin flag of an access ID in its tenant's cache entry.
         *
         * @param str access ID
         * @throws OMException {@code INVALID_ACCESS_ID} when the access ID maps to no tenant;
         *                     an access ID missing from the cache entry raises {@link NullPointerException}
         */
        public void revokeTenantAdmin(String str) throws IOException {
            tenantCacheLock.writeLock().lock();
            try {
                String tenantId = OMMultiTenantManagerImpl.this.getTenantForAccessIDThrowIfNotFound(str);
                CachedTenantState state = tenantCache.get(tenantId);
                LOG.info("Updating cache: accessId '{}' isAdmin '{}' isDelegated '{}'", new Object[]{str, false, false});
                CachedTenantState.CachedAccessIdInfo info = state.getAccessIdInfoMap().get(str);
                info.setIsAdmin(false);
            } finally {
                tenantCacheLock.writeLock().unlock();
            }
        }
    }

    /**
     * Wires the multi-tenant manager: loads the tenant cache from the OM DB, picks the
     * access-control backend, builds the two {@link TenantOp} views and starts the
     * Ranger background sync service.
     *
     * <p>When {@value #OZONE_OM_TENANT_DEV_SKIP_RANGER} is {@code true} an in-memory
     * controller replaces Ranger entirely; by its name this is a development-only switch.
     *
     * @param ozoneManager       owning OM (also supplies the metadata manager and config for the sync service)
     * @param ozoneConfiguration configuration consulted for the dev-skip flag and passed to the Ranger client
     * @throws IOException from the Ranger client constructor or from {@link #start()}
     */
    public OMMultiTenantManagerImpl(OzoneManager ozoneManager, OzoneConfiguration ozoneConfiguration) throws IOException {
        conf = ozoneConfiguration;
        this.ozoneManager = ozoneManager;
        omMetadataManager = ozoneManager.getMetadataManager();
        // Cache is populated before any authorizer backend exists.
        loadTenantCacheFromDB();

        boolean skipRanger = ozoneConfiguration.getBoolean(OZONE_OM_TENANT_DEV_SKIP_RANGER, false);
        if (skipRanger) {
            accessController = new InMemoryMultiTenantAccessController();
        } else {
            accessController = new RangerClientMultiTenantAccessController(ozoneConfiguration);
        }
        cacheOp = new CacheOp(tenantCache, tenantCacheLock);
        authorizerOp = new AuthorizerOp(accessController, tenantCache, tenantCacheLock);

        final TimeUnit unit = TimeUnit.SECONDS;
        OzoneConfiguration omConf = ozoneManager.getConfiguration();
        long syncInterval = omConf.getTimeDuration("ozone.om.multitenancy.ranger.sync.interval",
                OMConfigKeys.OZONE_OM_MULTITENANCY_RANGER_SYNC_INTERVAL_DEFAULT.getDuration(),
                OMConfigKeys.OZONE_OM_MULTITENANCY_RANGER_SYNC_INTERVAL_DEFAULT.getUnit(), unit);
        long syncTimeout = omConf.getTimeDuration("ozone.om.multitenancy.ranger.sync.timeout",
                OMConfigKeys.OZONE_OM_MULTITENANCY_RANGER_SYNC_TIMEOUT_DEFAULT.getDuration(),
                OMConfigKeys.OZONE_OM_MULTITENANCY_RANGER_SYNC_TIMEOUT_DEFAULT.getUnit(), unit);
        omRangerBGSyncService = new OMRangerBGSyncService(ozoneManager, this, accessController, syncInterval, unit, syncTimeout);
        // NOTE: start() is overridable and is invoked before construction completes.
        start();
    }

    @Override // org.apache.hadoop.ozone.om.OMMultiTenantManager
    /** @return the Ranger background sync service created in the constructor */
    public OMRangerBGSyncService getOMRangerBGSyncService() {
        return omRangerBGSyncService;
    }

    @Override // org.apache.hadoop.ozone.om.OMMultiTenantManager
    /**
     * Starts the Ranger background sync service.
     *
     * @throws IOException propagated from the service
     */
    public void start() throws IOException {
        omRangerBGSyncService.start();
    }

    @Override // org.apache.hadoop.ozone.om.OMMultiTenantManager
    /**
     * Shuts down the Ranger background sync service.
     *
     * @throws IOException propagated from the service
     */
    public void stop() throws IOException {
        omRangerBGSyncService.shutdown();
    }

    @Override // org.apache.hadoop.ozone.om.OMMultiTenantManager
    /** @return the OM metadata manager this instance reads tenant tables from */
    public OMMetadataManager getOmMetadataManager() {
        return omMetadataManager;
    }

    @Override // org.apache.hadoop.ozone.om.OMMultiTenantManager
    /** @return the authorizer-side (Ranger / in-memory) tenant operations */
    public TenantOp getAuthorizerOp() {
        return authorizerOp;
    }

    @Override // org.apache.hadoop.ozone.om.OMMultiTenantManager
    /** @return the in-memory-cache-side tenant operations */
    public TenantOp getCacheOp() {
        return cacheOp;
    }

    @Override // org.apache.hadoop.ozone.om.OMMultiTenantManager
    /**
     * Looks up the user principal behind an access ID in the OM DB.
     *
     * @param str access ID; must not be {@code null}
     * @return the user principal, or {@code null} when the access ID is unknown or the
     *         DB read fails (the failure is logged, not propagated)
     */
    public String getUserNameGivenAccessId(String str) {
        Preconditions.checkNotNull(str);
        tenantCacheLock.readLock().lock();
        try {
            OmDBAccessIdInfo info = (OmDBAccessIdInfo) omMetadataManager.getTenantAccessIdTable().get(str);
            if (info != null) {
                String principal = info.getUserPrincipal();
                LOG.debug("Username for accessId {} = {}", str, principal);
                return principal;
            }
            return null;
        } catch (IOException e) {
            LOG.error("Unexpected error while obtaining DB Access Info for {}", str, e);
            return null;
        } finally {
            tenantCacheLock.readLock().unlock();
        }
    }

    @Override // org.apache.hadoop.ozone.om.OMMultiTenantManager
    /**
     * Decides whether a caller is an admin of a tenant. Both the short and the full
     * user name are tried against the tenant tables; an Ozone (cluster) admin passes
     * regardless of tenant membership.
     *
     * @param userGroupInformation caller identity; {@code null} is never an admin
     * @param str                  tenant ID
     * @param z                    when {@code true}, require delegated-admin rights
     * @return {@code true} when the caller is a tenant admin (delegated if requested) or an Ozone admin
     */
    public boolean isTenantAdmin(UserGroupInformation userGroupInformation, String str, boolean z) {
        if (userGroupInformation == null) {
            return false;
        }
        if (isTenantAdmin(userGroupInformation.getShortUserName(), str, z)) {
            return true;
        }
        if (isTenantAdmin(userGroupInformation.getUserName(), str, z)) {
            return true;
        }
        return ozoneManager.isAdmin(userGroupInformation);
    }

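    /**
     * Checks the OM DB for admin rights of a user principal in a tenant.
     *
     * <p>Walks the principal's access IDs and stops at the first one whose tenant matches.
     * Any access ID listed for the principal but missing from the access-ID table makes
     * the check fail closed, as before.
     *
     * @param str  user principal
     * @param str2 tenant ID
     * @param z    when {@code true}, require delegated-admin rights as well
     * @return {@code true} only when a matching access-ID record carries the admin flag
     *         (and the delegated flag when {@code z}); {@code false} on empty input,
     *         unknown principal, or a DB read error (logged)
     */
    private boolean isTenantAdmin(String str, String str2, boolean z) {
        if (StringUtils.isEmpty(str) || StringUtils.isEmpty(str2)) {
            return false;
        }
        try {
            OmDBUserPrincipalInfo principalInfo = (OmDBUserPrincipalInfo) omMetadataManager.getPrincipalToAccessIdsTable().get(str);
            if (principalInfo == null) {
                return false;
            }
            for (Object accessIdObj : principalInfo.getAccessIds()) {
                String accessId = (String) accessIdObj;
                OmDBAccessIdInfo accessIdInfo = (OmDBAccessIdInfo) omMetadataManager.getTenantAccessIdTable().get(accessId);
                if (accessIdInfo == null) {
                    // Inconsistent DB state: deny rather than guess.
                    return false;
                }
                if (str2.equals(accessIdInfo.getTenantId())) {
                    return accessIdInfo.getIsAdmin() && (!z || accessIdInfo.getIsDelegatedAdmin());
                }
            }
            return false;
        } catch (IOException e) {
            // Keep the cause in the log; the authorization decision still fails closed.
            LOG.error("Error while retrieving value for key '{}' in PrincipalToAccessIdsTable", str, e);
            return false;
        }
    }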

    @Override // org.apache.hadoop.ozone.om.OMMultiTenantManager
    /**
     * Lists the (user principal, access ID) pairs cached for a tenant, optionally
     * restricted to principals starting with a prefix.
     *
     * @param str  tenant ID; must exist in the OM DB
     * @param str2 user-principal prefix filter; empty or {@code null} means no filter
     * @return the matching users
     * @throws IOException when the tenant is not in the DB, or is in the DB but missing from the cache
     */
    public TenantUserList listUsersInTenant(String str, String str2) throws IOException {
        tenantCacheLock.readLock().lock();
        try {
            if (!omMetadataManager.getTenantStateTable().isExist(str)) {
                throw new IOException("Tenant '" + str + "' not found!");
            }
            CachedTenantState state = tenantCache.get(str);
            if (state == null) {
                throw new IOException("Inconsistent in memory Tenant cache '" + str + "' not found in cache, but present in OM DB!");
            }
            boolean unfiltered = StringUtils.isEmpty(str2);
            ArrayList<OzoneManagerProtocolProtos.UserAccessIdInfo> users = new ArrayList<>();
            for (Object entryObj : state.getAccessIdInfoMap().entrySet()) {
                Map.Entry entry = (Map.Entry) entryObj;
                CachedTenantState.CachedAccessIdInfo info = (CachedTenantState.CachedAccessIdInfo) entry.getValue();
                if (unfiltered || info.getUserPrincipal().startsWith(str2)) {
                    users.add(OzoneManagerProtocolProtos.UserAccessIdInfo.newBuilder()
                            .setUserPrincipal(info.getUserPrincipal())
                            .setAccessId((String) entry.getKey())
                            .build());
                }
            }
            return new TenantUserList(users);
        } finally {
            tenantCacheLock.readLock().unlock();
        }
    }

    @Override // org.apache.hadoop.ozone.om.OMMultiTenantManager
    /**
     * Resolves the tenant an access ID belongs to.
     *
     * @param str access ID
     * @return the tenant ID, or absent when the access ID is not in the OM DB
     * @throws IOException on a DB read error
     */
    public Optional<String> getTenantForAccessID(String str) throws IOException {
        OmDBAccessIdInfo info = (OmDBAccessIdInfo) omMetadataManager.getTenantAccessIdTable().get(str);
        if (info == null) {
            return Optional.absent();
        }
        return Optional.of(info.getTenantId());
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Like {@link #getTenantForAccessID(String)} but fails instead of returning absent.
     *
     * @param str access ID
     * @return the tenant ID
     * @throws OMException {@code INVALID_ACCESS_ID} when no tenant is recorded for the access ID
     * @throws IOException on a DB read error
     */
    public String getTenantForAccessIDThrowIfNotFound(String str) throws IOException {
        Optional<String> tenant = getTenantForAccessID(str);
        if (!tenant.isPresent()) {
            throw new OMException("No tenant found for access ID: " + str, OMException.ResultCodes.INVALID_ACCESS_ID);
        }
        return tenant.get();
    }

    /**
     * Builds a Ranger policy named {@code <volume>-KeyAccess} that allows ALL
     * operations to the owner principal on every key of every bucket in the volume
     * (bucket and key are wildcards).
     *
     * @param str  volume name
     * @param str2 unused
     * @return the new policy
     * @throws IOException declared for callers; nothing in this body throws it
     */
    private AccessPolicy newDefaultKeyAccessPolicy(String str, String str2) throws IOException {
        RangerAccessPolicy policy = new RangerAccessPolicy(str + "-KeyAccess");
        OzoneObj everyKeyInVolume = OzoneObjInfo.Builder.newBuilder()
                .setResType(OzoneObj.ResourceType.KEY)
                .setStoreType(OzoneObj.StoreType.OZONE)
                .setVolumeName(str)
                .setBucketName("*")
                .setKeyName("*")
                .build();
        policy.addAccessPolicyElem(everyKeyInVolume, new OzoneOwnerPrincipal(), IAccessAuthorizer.ACLType.ALL, AccessPolicy.AccessGrantType.ALLOW);
        return policy;
    }

    /** @return the configuration this manager was constructed with */
    public OzoneConfiguration getConf() {
        return conf;
    }

    /**
     * Populates {@link #tenantCache} from the OM DB: first one entry per row of the
     * tenant state table, then one access-ID record per row of the tenant access-ID
     * table attached to its tenant's entry.
     *
     * <p>Runs from the constructor before the access controller exists, so it touches
     * the cache without taking {@link #tenantCacheLock}.
     *
     * @throws RuntimeException wrapping any {@link IOException} from either table scan
     * @throws NullPointerException when an access-ID row references a tenant with no state row
     */
    private void loadTenantCacheFromDB() {
        try (TableIterator tenantIter = omMetadataManager.getTenantStateTable().iterator()) {
            while (tenantIter.hasNext()) {
                Table.KeyValue row = (Table.KeyValue) tenantIter.next();
                String tenantId = (String) row.getKey();
                OmDBTenantState state = (OmDBTenantState) row.getValue();
                tenantCache.put(tenantId, new CachedTenantState(tenantId, state.getUserRoleName(), state.getAdminRoleName()));
            }
        } catch (IOException e) {
            throw new RuntimeException("Error while building tenant state cache from DB.", e);
        }

        int userCount = 0;
        try (TableIterator accessIdIter = omMetadataManager.getTenantAccessIdTable().iterator()) {
            while (accessIdIter.hasNext()) {
                Table.KeyValue row = (Table.KeyValue) accessIdIter.next();
                String accessId = (String) row.getKey();
                OmDBAccessIdInfo info = (OmDBAccessIdInfo) row.getValue();
                String tenantId = info.getTenantId();
                CachedTenantState state = tenantCache.get(tenantId);
                Preconditions.checkNotNull(state, "OmDBTenantState should have existed for " + tenantId);
                state.getAccessIdInfoMap().put(accessId, new CachedTenantState.CachedAccessIdInfo(info.getUserPrincipal(), info.getIsAdmin()));
                userCount++;
            }
            LOG.info("Loaded {} tenants and {} tenant users from the database", Integer.valueOf(tenantCache.size()), Integer.valueOf(userCount));
        } catch (IOException e) {
            throw new RuntimeException("Error while building tenant user cache from DB.", e);
        }
    }

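    @Override // org.apache.hadoop.ozone.om.OMMultiTenantManager
    /**
     * Requires the current RPC caller to be an Ozone admin.
     *
     * <p>Fails closed when no caller identity is available (the remote-user lookup
     * yields {@code null} outside an RPC handler), rather than dereferencing it.
     *
     * @throws OMException {@code PERMISSION_DENIED} when the caller is unknown or not an Ozone admin
     */
    public void checkAdmin() throws OMException {
        UserGroupInformation caller = ProtobufRpcEngine.Server.getRemoteUser();
        if (caller == null) {
            throw new OMException("Unable to determine the calling user; not an Ozone admin", OMException.ResultCodes.PERMISSION_DENIED);
        }
        if (!ozoneManager.isAdmin(caller)) {
            throw new OMException("User '" + caller.getShortUserName() + "' is not an Ozone admin", OMException.ResultCodes.PERMISSION_DENIED);
        }
    }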

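    @Override // org.apache.hadoop.ozone.om.OMMultiTenantManager
    /**
     * Requires the current RPC caller to be an admin of the tenant (delegated when
     * {@code z}) or an Ozone admin.
     *
     * <p>Fails closed when no caller identity is available: {@code isTenantAdmin}
     * already rejects a {@code null} caller, and the message is built without
     * dereferencing it.
     *
     * @param str tenant ID
     * @param z   when {@code true}, require delegated-admin rights
     * @throws OMException {@code PERMISSION_DENIED} when the caller does not qualify
     */
    public void checkTenantAdmin(String str, boolean z) throws OMException {
        UserGroupInformation caller = ProtobufRpcEngine.Server.getRemoteUser();
        if (!isTenantAdmin(caller, str, z)) {
            String callerName = caller == null ? "<unknown>" : caller.getUserName();
            throw new OMException("User '" + callerName + "' is neither an Ozone admin nor a delegated admin of tenant '" + str + "'.", OMException.ResultCodes.PERMISSION_DENIED);
        }
    }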

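    @Override // org.apache.hadoop.ozone.om.OMMultiTenantManager
    /**
     * Requires the tenant to exist in the OM DB tenant state table.
     *
     * @param str tenant ID
     * @throws OMException {@code TENANT_NOT_FOUND} when absent; {@code METADATA_ERROR},
     *                     with the original exception as cause, when the DB read fails
     */
    public void checkTenantExistence(String str) throws OMException {
        boolean exists;
        try {
            exists = omMetadataManager.getTenantStateTable().isExist(str);
        } catch (IOException e) {
            if (e instanceof OMException && OMException.ResultCodes.TENANT_NOT_FOUND.equals(((OMException) e).getResult())) {
                throw (OMException) e;
            }
            // Keep the cause chain instead of flattening it into the message only.
            throw new OMException("Error while retrieving OmDBTenantInfo for tenant '" + str + "': " + e.getMessage(), e, OMException.ResultCodes.METADATA_ERROR);
        }
        if (!exists) {
            throw new OMException("Tenant '" + str + "' doesn't exist.", OMException.ResultCodes.TENANT_NOT_FOUND);
        }
    }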

    /**
     * Returns the bucket namespace (volume) name recorded for tenant {@code str}.
     *
     * @param str tenant id
     * @return the tenant's bucket namespace name
     * @throws OMException {@code TENANT_NOT_FOUND} when no state row exists,
     *                     {@code VOLUME_NOT_FOUND} when the row has no namespace name
     * @throws IOException on table access failure
     */
    @Override // org.apache.hadoop.ozone.om.OMMultiTenantManager
    public String getTenantVolumeName(String str) throws IOException {
        final OmDBTenantState state = (OmDBTenantState) this.omMetadataManager.getTenantStateTable().get(str);
        if (state == null) {
            throw new OMException("Tenant '" + str + "' does not exist", OMException.ResultCodes.TENANT_NOT_FOUND);
        }
        final String volume = state.getBucketNamespaceName();
        if (volume != null) {
            return volume;
        }
        throw new OMException("Volume for tenant '" + str + "' is not set!", OMException.ResultCodes.VOLUME_NOT_FOUND);
    }

    /**
     * Returns the user role name cached for tenant {@code str}.
     *
     * @param str tenant id
     * @return the cached tenant user role name
     * @throws OMException {@code TENANT_NOT_FOUND} when the tenant is not in the cache
     * @throws IOException declared for interface compatibility
     */
    @Override // org.apache.hadoop.ozone.om.OMMultiTenantManager
    public String getTenantUserRoleName(String str) throws IOException {
        // Read under the cache lock so a concurrent cache rebuild cannot be observed half-done.
        this.tenantCacheLock.readLock().lock();
        try {
            final CachedTenantState cached = this.tenantCache.get(str);
            if (cached != null) {
                return cached.getTenantUserRoleName();
            }
            throw new OMException("Tenant not found in cache: " + str, OMException.ResultCodes.TENANT_NOT_FOUND);
        } finally {
            this.tenantCacheLock.readLock().unlock();
        }
    }

    /**
     * Returns the admin role name cached for tenant {@code str}.
     *
     * @param str tenant id
     * @return the cached tenant admin role name
     * @throws OMException {@code TENANT_NOT_FOUND} when the tenant is not in the cache
     * @throws IOException declared for interface compatibility
     */
    @Override // org.apache.hadoop.ozone.om.OMMultiTenantManager
    public String getTenantAdminRoleName(String str) throws IOException {
        // Read under the cache lock so a concurrent cache rebuild cannot be observed half-done.
        this.tenantCacheLock.readLock().lock();
        try {
            final CachedTenantState cached = this.tenantCache.get(str);
            if (cached != null) {
                return cached.getTenantAdminRoleName();
            }
            throw new OMException("Tenant not found in cache: " + str, OMException.ResultCodes.TENANT_NOT_FOUND);
        } finally {
            this.tenantCacheLock.readLock().unlock();
        }
    }

    /**
     * Builds an {@link OzoneTenant} from the tenant state table row for {@code str},
     * registering its two bucket policies and two roles.
     *
     * @param str tenant id
     * @return a freshly constructed tenant object
     * @throws OMException {@code TENANT_NOT_FOUND} when no state row exists
     * @throws IOException on table access failure
     */
    @Override // org.apache.hadoop.ozone.om.OMMultiTenantManager
    public Tenant getTenantFromDBById(String str) throws IOException {
        final OmDBTenantState state = (OmDBTenantState) this.omMetadataManager.getTenantStateTable().get(str);
        if (state == null) {
            throw new OMException("Tenant '" + str + "' does not exist", OMException.ResultCodes.TENANT_NOT_FOUND);
        }
        final OzoneTenant tenant = new OzoneTenant(state.getTenantId());
        // Policies first, then roles — same registration order as before.
        tenant.addTenantAccessPolicy(state.getBucketNamespacePolicyName());
        tenant.addTenantAccessPolicy(state.getBucketPolicyName());
        tenant.addTenantAccessRole(state.getUserRoleName());
        tenant.addTenantAccessRole(state.getAdminRoleName());
        return tenant;
    }

    /**
     * Decides whether {@code userGroupInformation} may act on access id {@code str}:
     * either its short user name equals the principal the access id belongs to, or
     * the user is an admin of the access id's tenant.
     *
     * @param str                  access id to check
     * @param userGroupInformation caller identity
     * @return {@code false} when the access id is unknown; otherwise the ownership/admin result
     * @throws OMException {@code METADATA_ERROR} when the stored record is missing its tenant id
     *                     or principal
     * @throws IOException on table access failure
     */
    @Override // org.apache.hadoop.ozone.om.OMMultiTenantManager
    public boolean isUserAccessIdPrincipalOrTenantAdmin(String str, UserGroupInformation userGroupInformation) throws IOException {
        final OmDBAccessIdInfo accessIdInfo = (OmDBAccessIdInfo) this.omMetadataManager.getTenantAccessIdTable().get(str);
        if (accessIdInfo == null) {
            return false;
        }
        final String tenantId = accessIdInfo.getTenantId();
        if (tenantId == null) {
            throw new OMException("Unexpected error: OmDBAccessIdInfo tenantId field should not have been null", OMException.ResultCodes.METADATA_ERROR);
        }
        final String ownerPrincipal = accessIdInfo.getUserPrincipal();
        if (ownerPrincipal == null) {
            throw new OMException("Unexpected error: OmDBAccessIdInfo kerberosPrincipal field should not have been null", OMException.ResultCodes.METADATA_ERROR);
        }
        // Owner match short-circuits; the (potentially more expensive) admin check runs only otherwise.
        if (userGroupInformation.getShortUserName().equals(ownerPrincipal)) {
            return true;
        }
        return isTenantAdmin(userGroupInformation, tenantId, false);
    }

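    /**
     * Reports whether the cached state for tenant {@code str} has no users.
     *
     * @param str tenant id
     * @return the cached {@code isTenantEmpty()} value
     * @throws OMException {@code TENANT_NOT_FOUND} when the tenant is not in the cache
     * @throws IOException declared for interface compatibility
     */
    @Override // org.apache.hadoop.ozone.om.OMMultiTenantManager
    public boolean isTenantEmpty(String str) throws IOException {
        // Single lookup under the cache read lock: the previous containsKey()+get() pair
        // could NPE if the entry was removed between the two calls, and the other cache
        // readers in this class all hold tenantCacheLock.readLock() while reading.
        this.tenantCacheLock.readLock().lock();
        try {
            final CachedTenantState cached = this.tenantCache.get(str);
            if (cached == null) {
                throw new OMException("Tenant does not exist for tenantId: " + str, OMException.ResultCodes.TENANT_NOT_FOUND);
            }
            return cached.isTenantEmpty();
        } finally {
            this.tenantCacheLock.readLock().unlock();
        }
    }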

    /**
     * Exposes the live tenant cache for tests. This is the internal map instance,
     * not a copy, and it is returned without taking {@code tenantCacheLock}.
     *
     * @return the tenant id to cached state map
     */
    @VisibleForTesting
    public Map<String, CachedTenantState> getTenantCache() {
        return tenantCache;
    }

    /**
     * Snapshots the cache into a role-name to member-principals map.
     * Every tenant contributes its user role and admin role as keys (even with no
     * members); each cached access id adds its principal to the user role, and to
     * the admin role as well when the access id is flagged admin.
     *
     * @return a new mutable map; never shares sets with the cache
     */
    public HashMap<String, HashSet<String>> getAllRolesFromCache() {
        final HashMap<String, HashSet<String>> roleToMembers = new HashMap<>();
        this.tenantCacheLock.readLock().lock();
        try {
            for (CachedTenantState tenant : this.tenantCache.values()) {
                final String userRole = tenant.getTenantUserRoleName();
                final String adminRole = tenant.getTenantAdminRoleName();
                // Register both role keys up front so tenants without users still appear.
                roleToMembers.computeIfAbsent(userRole, k -> new HashSet<>());
                roleToMembers.computeIfAbsent(adminRole, k -> new HashSet<>());
                for (CachedTenantState.CachedAccessIdInfo accessId : tenant.getAccessIdInfoMap().values()) {
                    final String principal = accessId.getUserPrincipal();
                    addUserToMtRoles(roleToMembers, userRole, principal);
                    if (accessId.getIsAdmin()) {
                        addUserToMtRoles(roleToMembers, adminRole, principal);
                    }
                }
            }
        } finally {
            this.tenantCacheLock.readLock().unlock();
        }
        return roleToMembers;
    }

    /**
     * Adds principal {@code str2} to the member set of role {@code str}, creating the
     * set on first use.
     *
     * @param hashMap role name to member principals, mutated in place
     * @param str     role name
     * @param str2    user principal to add
     */
    private void addUserToMtRoles(HashMap<String, HashSet<String>> hashMap, String str, String str2) {
        final HashSet<String> members = hashMap.get(str);
        if (members != null) {
            members.add(str2);
            return;
        }
        final HashSet<String> fresh = new HashSet<>();
        fresh.add(str2);
        hashMap.put(str, fresh);
    }

    /**
     * Returns the lock guarding authorizer (Ranger) updates.
     *
     * @return the shared authorizer lock instance
     */
    @Override // org.apache.hadoop.ozone.om.OMMultiTenantManager
    public AuthorizerLock getAuthorizerLock() {
        return authorizerLock;
    }
}
