package org.apache.ranger.authorization.hbase;

import com.google.common.base.Objects;
import com.google.common.collect.Lists;
import com.google.common.collect.MapMaker;
import com.google.protobuf.RpcCallback;
import com.google.protobuf.RpcController;
import com.google.protobuf.Service;
import java.io.IOException;
import java.net.InetAddress;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.NavigableSet;
import java.util.Set;
import java.util.TimeZone;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.Cell;
import org.apache.hadoop.hbase.CoprocessorEnvironment;
import org.apache.hadoop.hbase.HColumnDescriptor;
import org.apache.hadoop.hbase.HRegionInfo;
import org.apache.hadoop.hbase.HTableDescriptor;
import org.apache.hadoop.hbase.NamespaceDescriptor;
import org.apache.hadoop.hbase.ProcedureInfo;
import org.apache.hadoop.hbase.ServerName;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Append;
import org.apache.hadoop.hbase.client.Delete;
import org.apache.hadoop.hbase.client.Durability;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.Increment;
import org.apache.hadoop.hbase.client.Put;
import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.client.Scan;
import org.apache.hadoop.hbase.coprocessor.CoprocessorException;
import org.apache.hadoop.hbase.coprocessor.CoprocessorService;
import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.ObserverContext;
import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.RegionServerCoprocessorEnvironment;
import org.apache.hadoop.hbase.filter.ByteArrayComparable;
import org.apache.hadoop.hbase.filter.CompareFilter;
import org.apache.hadoop.hbase.filter.Filter;
import org.apache.hadoop.hbase.filter.FilterList;
import org.apache.hadoop.hbase.ipc.RpcServer;
import org.apache.hadoop.hbase.master.procedure.MasterProcedureEnv;
import org.apache.hadoop.hbase.procedure2.ProcedureExecutor;
import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.protobuf.ResponseConverter;
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
import org.apache.hadoop.hbase.protobuf.generated.HBaseProtos;
import org.apache.hadoop.hbase.protobuf.generated.QuotaProtos;
import org.apache.hadoop.hbase.protobuf.generated.SecureBulkLoadProtos;
import org.apache.hadoop.hbase.regionserver.InternalScanner;
import org.apache.hadoop.hbase.regionserver.Region;
import org.apache.hadoop.hbase.regionserver.RegionScanner;
import org.apache.hadoop.hbase.regionserver.ScanType;
import org.apache.hadoop.hbase.regionserver.Store;
import org.apache.hadoop.hbase.regionserver.StoreFile;
import org.apache.hadoop.hbase.regionserver.wal.WALEdit;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.security.access.RangerAccessControlLists;
import org.apache.hadoop.hbase.security.access.UserPermission;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.hbase.util.Pair;
import org.apache.hadoop.security.AccessControlException;
import org.apache.ranger.audit.model.AuthzAuditEvent;
import org.apache.ranger.authorization.hadoop.config.RangerConfiguration;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.util.GrantRevokeRequest;

/* loaded from: input_file:org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor.class */
public class RangerAuthorizationCoprocessor extends RangerAuthorizationCoprocessorBase implements AccessControlProtos.AccessControlService.Interface, CoprocessorService {
    // String constants; the code that uses them is outside this part of the file.
    private static final String GROUP_PREFIX = "@";
    private static final String WILDCARD = "*";
    private static final String NAMESPACE_SEPARATOR = ":";
    private RegionCoprocessorEnvironment regionEnv;
    // Scanner -> short name of the user that opened it. Filled in postScannerOpen, read in
    // requireScannerOwner, removed in postScannerClose. Built with weak keys.
    private Map<InternalScanner, String> scannerOwners = new MapMaker().weakKeys().makeMap();
    // Helpers obtained from the HbaseFactory singleton: user lookups and access-type mapping.
    final HbaseFactory _factory = HbaseFactory.getInstance();
    final HbaseUserUtils _userUtils = this._factory.getUserUtils();
    final HbaseAuthUtils _authUtils = this._factory.getAuthUtils();
    // Starts as "unknown"; the assignment of one of the three values below is not visible here.
    private String coprocessorType = "unknown";
    private static final String MASTER_COPROCESSOR_TYPE = "master";
    private static final String REGIONAL_COPROCESSOR_TYPE = "regional";
    private static final String REGIONAL_SERVER_COPROCESSOR_TYPE = "regionalServer";
    private static final Log LOG = LogFactory.getLog(RangerAuthorizationCoprocessor.class.getName());
    // Mutable static flag (neither final nor volatile); postStartMaster reads it to decide
    // whether RangerAccessControlLists.init is called.
    private static boolean UpdateRangerPoliciesOnGrantRevoke = true;
    private static final TimeZone gmtTimeZone = TimeZone.getTimeZone("GMT+0");
    // Shared policy plugin. Starts as null and is dereferenced without a null check by the
    // authorization methods below; where it is initialised is not visible in this part of the file.
    private static volatile RangerHBasePlugin hbasePlugin = null;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessor$1, reason: invalid class name */
    /* loaded from: input_file:org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        /**
         * Compiler-generated switch table for {@code AccessControlProtos.Permission.Type}:
         * indexed by the constant's ordinal, holding the case number (1 = Global, 2 = Table,
         * 3 = Namespace). Slots for any other constant keep the array default of 0.
         */
        static final /* synthetic */ int[] $SwitchMap$org$apache$hadoop$hbase$protobuf$generated$AccessControlProtos$Permission$Type;

        static {
            int[] caseNumbers = new int[AccessControlProtos.Permission.Type.values().length];
            // Each constant gets its own try block so that one constant missing at run time
            // (NoSuchFieldError) does not prevent the others from being mapped.
            try {
                caseNumbers[AccessControlProtos.Permission.Type.Global.ordinal()] = 1;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                caseNumbers[AccessControlProtos.Permission.Type.Table.ordinal()] = 2;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                caseNumbers[AccessControlProtos.Permission.Type.Namespace.ordinal()] = 3;
            } catch (NoSuchFieldError ignored) {
            }
            $SwitchMap$org$apache$hadoop$hbase$protobuf$generated$AccessControlProtos$Permission$Type = caseNumbers;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/ranger/authorization/hbase/RangerAuthorizationCoprocessor$ColumnFamilyAccessResult.class */
    /**
     * Immutable verdict produced by {@code evaluateAccess}: two summary flags, the audit events
     * gathered while evaluating, the denial reason and the filter to apply for partial access.
     * The audit events are only carried here; the methods that consume this result decide
     * which of them are written to the audit log.
     */
    public static class ColumnFamilyAccessResult {
        // True when no requested resource was denied.
        final boolean _everythingIsAccessible;
        // True when at least one requested resource (or part of a family) was allowed.
        final boolean _somethingIsAccessible;
        // Audit events of allowed table-level or column-level checks.
        final List<AuthzAuditEvent> _accessAllowedEvents;
        // Audit events of allowed family-level checks.
        final List<AuthzAuditEvent> _familyLevelAccessEvents;
        // Audit event kept for a denial; may be null.
        final AuthzAuditEvent _accessDeniedEvent;
        // Message used for the AccessDeniedException raised by callers; may be null or empty.
        final String _denialReason;
        final RangerAuthorizationFilter _filter;
        final String _clusterName;

        ColumnFamilyAccessResult(boolean everythingIsAccessible,
                                 boolean somethingIsAccessible,
                                 List<AuthzAuditEvent> accessAllowedEvents,
                                 List<AuthzAuditEvent> familyLevelAccessEvents,
                                 AuthzAuditEvent accessDeniedEvent,
                                 String denialReason,
                                 RangerAuthorizationFilter filter,
                                 String clusterName) {
            this._everythingIsAccessible = everythingIsAccessible;
            this._somethingIsAccessible = somethingIsAccessible;
            this._accessAllowedEvents = accessAllowedEvents;
            this._familyLevelAccessEvents = familyLevelAccessEvents;
            this._accessDeniedEvent = accessDeniedEvent;
            this._denialReason = denialReason;
            this._filter = filter;
            this._clusterName = clusterName;
        }

        /** Renders every field; evaluateAccess writes this text to the debug log. */
        @Override
        public String toString() {
            return Objects.toStringHelper(getClass())
                    .add("everythingIsAccessible", this._everythingIsAccessible)
                    .add("somethingIsAccessible", this._somethingIsAccessible)
                    .add("accessAllowedEvents", this._accessAllowedEvents)
                    .add("familyLevelAccessEvents", this._familyLevelAccessEvents)
                    .add("accessDeniedEvent", this._accessDeniedEvent)
                    .add("denialReason", this._denialReason)
                    .add("filter", this._filter)
                    .add("clusterName", this._clusterName)
                    .toString();
        }
    }

    /**
     * Returns the name of the table that the environment's region belongs to.
     *
     * @return the table name bytes, or {@code null} when the environment has no region or the
     *         region has no region info; evaluateAccess denies the request in that case
     */
    protected byte[] getTableName(RegionCoprocessorEnvironment regionCoprocessorEnvironment) {
        Region hostingRegion = regionCoprocessorEnvironment.getRegion();
        if (hostingRegion == null) {
            return null;
        }
        HRegionInfo info = hostingRegion.getRegionInfo();
        if (info == null) {
            return null;
        }
        return info.getTable().getName();
    }

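    /**
     * Allows the call only when the requesting user is the user the server process runs as,
     * or a super user.
     *
     * @param configuration not used by this method
     * @throws IOException if the process user cannot be determined
     * @throws AccessDeniedException if the requesting user cannot be determined, or is neither
     *         the process user nor a super user
     */
    protected void requireSystemOrSuperUser(Configuration configuration) throws IOException {
        User systemUser = User.getCurrent();
        if (systemUser == null) {
            throw new IOException("Unable to obtain the current user, authorization checks for internal operations will not work correctly!");
        }
        String systemShortName = systemUser.getShortName();
        User activeUser = getActiveUser();
        if (activeUser == null) {
            // getActiveUser() returns null when no identity is available. Deny explicitly
            // rather than failing with a NullPointerException on the comparison below.
            throw new AccessDeniedException("Unable to determine the requesting user; it cannot be verified as system or super user.");
        }
        String activeShortName = activeUser.getShortName();
        if (!Objects.equal(systemShortName, activeShortName) && !this._userUtils.isSuperUser(activeUser)) {
            // Name the user that was refused (the requester, not the process user) and close
            // the quote, so the denial can be attributed correctly from logs.
            throw new AccessDeniedException("User '" + activeShortName + "' is not system or super user.");
        }
    }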

    /** Tells whether the region's table is one of the names treated as special tables. */
    protected boolean isSpecialTable(HRegionInfo hRegionInfo) {
        byte[] tableNameBytes = hRegionInfo.getTable().getName();
        return isSpecialTable(tableNameBytes);
    }

    /** Decodes the table name with {@code Bytes.toString} and delegates to the String overload. */
    protected boolean isSpecialTable(byte[] bArr) {
        String tableName = Bytes.toString(bArr);
        return isSpecialTable(tableName);
    }

    /**
     * Tells whether the name is exactly {@code hbase:meta}, {@code -ROOT-} or {@code .META.}.
     * The match is exact and case-sensitive; {@code null} is not a special table. Read access
     * to these tables is allowed without a policy check (see isAccessForMetadataRead).
     */
    protected boolean isSpecialTable(String str) {
        return Arrays.asList("hbase:meta", "-ROOT-", ".META.").contains(str);
    }

    /**
     * Tells whether the environment's region is flagged as a meta table or meta region.
     * The region and its region info are dereferenced without a null check.
     */
    protected boolean isAccessForMetaTables(RegionCoprocessorEnvironment regionCoprocessorEnvironment) {
        HRegionInfo info = regionCoprocessorEnvironment.getRegion().getRegionInfo();
        if (info.isMetaTable()) {
            return true;
        }
        return info.isMetaRegion();
    }

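    /**
     * Resolves the identity that authorization decisions are made for: the user of the RPC
     * being served, or the process's current user when there is no RPC user.
     *
     * @return the user, or {@code null} when neither can be determined; callers must treat
     *         {@code null} as "no identity" and deny
     */
    private User getActiveUser() {
        User requestUser = RpcServer.getRequestUser();
        if (requestUser == null) {
            try {
                requestUser = User.getCurrent();
            } catch (IOException e) {
                // Keep the cause in the log: a failed user lookup ends in a denial further
                // up, and without the exception there is nothing to diagnose it from.
                LOG.error("Unable to find the current user", e);
                requestUser = null;
            }
        }
        return requestUser;
    }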

    /**
     * Returns the caller's address as text for use in authorization requests.
     *
     * @return the host address from {@code RpcServer.getRemoteAddress()}, falling back to
     *         {@code RpcServer.getRemoteIp()}; {@code null} when both are unavailable
     */
    private String getRemoteAddress() {
        InetAddress caller = RpcServer.getRemoteAddress();
        if (caller == null) {
            caller = RpcServer.getRemoteIp();
        }
        if (caller == null) {
            return null;
        }
        return caller.getHostAddress();
    }

    /**
     * Rejects use of a scanner by an RPC caller other than the user recorded as its owner.
     * Outside an RPC call context nothing is checked. A scanner with no recorded owner is
     * accepted for any caller.
     *
     * @throws AccessDeniedException if an owner is recorded and differs from the RPC user name
     */
    private void requireScannerOwner(InternalScanner internalScanner) throws AccessDeniedException {
        if (!RpcServer.isInRpcCallContext()) {
            return;
        }
        String caller = RpcServer.getRequestUserName();
        String owner = this.scannerOwners.get(internalScanner);
        if (owner == null) {
            // No owner was recorded for this scanner, so there is nothing to compare against.
            return;
        }
        if (!owner.equals(caller)) {
            throw new AccessDeniedException("User '" + caller + "' is not the scanner owner!");
        }
    }

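    /**
     * Converts an HBase family map (family bytes to a collection of columns or cells) into
     * family name to set of column names, the form evaluateAccess authorizes against.
     *
     * <p>Entries whose family name decodes to null or empty are logged and skipped. A family
     * with a null or empty collection maps to an empty set. If reading the columns of a family
     * fails, the family also maps to an empty set: evaluateAccess treats an empty set as a
     * request for the whole family, so a partially read column list is never authorized in
     * place of the full one.
     *
     * @param map family map of the request; may be {@code null}
     * @return the converted map; empty (never {@code null}) when {@code map} is {@code null}
     */
    Map<String, Set<String>> getColumnFamilies(Map<byte[], ? extends Collection<?>> map) {
        if (map == null) {
            return Collections.emptyMap();
        }
        Map<String, Set<String>> familiesToColumns = new HashMap<String, Set<String>>();
        for (Map.Entry<byte[], ? extends Collection<?>> entry : map.entrySet()) {
            String family = Bytes.toString(entry.getKey());
            if (family == null || family.isEmpty()) {
                LOG.error("Unexpected Input: got null or empty column family (key) in families map! Ignoring...");
                continue;
            }
            Collection<?> rawColumns = entry.getValue();
            if (CollectionUtils.isEmpty(rawColumns)) {
                familiesToColumns.put(family, Collections.<String>emptySet());
                continue;
            }
            ColumnIterator columnIterator = new ColumnIterator(rawColumns);
            Set<String> columns = new HashSet<String>();
            // The try block wraps the whole loop: after a failure iteration stops and the
            // family keeps the empty set the log message announces. With the catch inside the
            // loop, columns read after the failure were added again, which left a partial
            // column list to be authorized and could spin forever on an iterator that keeps
            // throwing.
            try {
                while (columnIterator.hasNext()) {
                    columns.add(columnIterator.next());
                }
            } catch (Throwable th) {
                LOG.error("Exception encountered when converting family-map to set of columns. Ignoring and returning empty set of columns for family[" + family + "]", th);
                LOG.error("Ignoring exception and returning empty set of columns for family[" + family + "]");
                columns.clear();
            }
            familiesToColumns.put(family, columns);
        }
        return familiesToColumns;
    }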

    /**
     * Evaluates the active user's access to a table at table, column-family or column
     * granularity and returns the verdict together with the audit events collected on the way.
     * Nothing is written to the audit log here; the events are taken from the audit handler
     * after each check and handed back in the result.
     *
     * @param str operation name, used in requests, log lines and denial messages
     * @param action HBase permission action; mapped to an access type by {@code _authUtils.getAccess}
     * @param regionCoprocessorEnvironment environment the table name is taken from
     * @param map requested families and columns; null or empty means a table-level check, a
     *        family with no columns means a family-level check
     * @return the verdict; for skipped checks a result with both flags true and every other
     *         field null
     * @throws AccessDeniedException if the table name cannot be determined, or from
     *         canSkipAccessCheck when no user is associated with the request
     */
    ColumnFamilyAccessResult evaluateAccess(String str, Permission.Action action, RegionCoprocessorEnvironment regionCoprocessorEnvironment, Map<byte[], ? extends Collection<?>> map) throws AccessDeniedException {
        String access = this._authUtils.getAccess(action);
        // May be null. canSkipAccessCheck(String, String, String) below calls getActiveUser()
        // again and throws when it is null, which happens before activeUser is dereferenced.
        User activeUser = getActiveUser();
        String userAsString = this._userUtils.getUserAsString(activeUser);
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("evaluateAccess: entered: user[%s], Operation[%s], access[%s], families[%s]", userAsString, str, access, getColumnFamilies(map).toString()));
        }
        byte[] tableName = getTableName(regionCoprocessorEnvironment);
        if (tableName == null || tableName.length == 0) {
            // Denied without a policy lookup; this denial produces no audit event.
            LOG.debug("evaluateAccess: Unexpected: Couldn't get table from RegionCoprocessorEnvironment. Access denied, not audited");
            throw new AccessDeniedException("Insufficient permissions for operation '" + str + "',action: " + action);
        }
        String bytes = Bytes.toString(tableName);
        // NOTE(review): hbasePlugin is a static that starts as null and is not null-checked
        // here - confirm it is always initialised before requests can arrive.
        String clusterName = hbasePlugin.getClusterName();
        // Accesses accepted by either canSkipAccessCheck overload are allowed with no policy
        // evaluation and no audit event.
        if (canSkipAccessCheck(str, access, bytes) || canSkipAccessCheck(str, access, regionCoprocessorEnvironment)) {
            LOG.debug("evaluateAccess: exiting: isKnownAccessPattern returned true: access allowed, not audited");
            ColumnFamilyAccessResult columnFamilyAccessResult = new ColumnFamilyAccessResult(true, true, null, null, null, null, null, null);
            if (LOG.isDebugEnabled()) {
                LOG.debug(String.format("evaluateAccess: exiting: user[%s], Operation[%s], access[%s], families[%s], verdict[%s]", userAsString, str, access, getColumnFamilies(map).toString(), columnFamilyAccessResult.toString()));
            }
            return columnFamilyAccessResult;
        }
        HbaseAuditHandler auditHandler = this._factory.getAuditHandler();
        // One session is reused for every check below; family, column and matching scope are
        // changed on it between checks, so the order of the calls matters.
        AuthorizationSession clusterName2 = new AuthorizationSession(hbasePlugin).operation(str).remoteAddress(getRemoteAddress()).auditHandler(auditHandler).user(activeUser).access(access).table(bytes).clusterName(clusterName);
        Map<String, Set<String>> columnFamilies = getColumnFamilies(map);
        if (LOG.isDebugEnabled()) {
            LOG.debug("evaluateAccess: families to process: " + columnFamilies.toString());
        }
        // getColumnFamilies never returns null, so only the isEmpty() part can be true.
        if (columnFamilies == null || columnFamilies.isEmpty()) {
            LOG.debug("evaluateAccess: Null or empty families collection, ok.  Table level access is desired");
            clusterName2.buildRequest().authorize();
            boolean isAuthorized = clusterName2.isAuthorized();
            String str2 = "";
            if (!isAuthorized) {
                str2 = String.format("Insufficient permissions for user ‘%s',action: %s, tableName:%s, no column families found.", activeUser.getName(), str, bytes);
            } else if (LOG.isDebugEnabled()) {
                LOG.debug("evaluateAccess: table level access granted [" + bytes + "]");
            }
            // The single event of the table-level check goes into the allowed list or the
            // denied slot, depending on the outcome.
            AuthzAuditEvent andDiscardMostRecentEvent = auditHandler.getAndDiscardMostRecentEvent();
            ColumnFamilyAccessResult columnFamilyAccessResult2 = new ColumnFamilyAccessResult(isAuthorized, isAuthorized, isAuthorized ? Collections.singletonList(andDiscardMostRecentEvent) : null, null, isAuthorized ? null : andDiscardMostRecentEvent, str2, null, clusterName);
            if (LOG.isDebugEnabled()) {
                LOG.debug(String.format("evaluateAccess: exiting: user[%s], Operation[%s], access[%s], families[%s], verdict[%s]", userAsString, str, access, columnFamilies.toString(), columnFamilyAccessResult2.toString()));
            }
            return columnFamilyAccessResult2;
        }
        LOG.debug("evaluateAccess: Families collection not null.  Skipping table-level check, will do finer level check");
        // z: nothing was denied so far (everythingIsAccessible).
        boolean z = true;
        // z2: at least one check was allowed (somethingIsAccessible).
        boolean z2 = false;
        // arrayList: events of allowed column-level checks; arrayList2: events of allowed
        // family-level checks.
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        // First denial event seen; later denials do not replace it.
        AuthzAuditEvent authzAuditEvent = null;
        // Denial message; overwritten by each later denial, so it names the last one.
        String str3 = null;
        // hashMap: family -> columns that were allowed. hashSet: families allowed as a whole.
        // hashSet2: families with no access. hashSet3: families with partial access.
        HashMap hashMap = new HashMap();
        HashSet hashSet = new HashSet();
        HashSet hashSet2 = new HashSet();
        HashSet hashSet3 = new HashSet();
        for (Map.Entry<String, Set<String>> entry : columnFamilies.entrySet()) {
            String key = entry.getKey();
            clusterName2.columnFamily(key);
            if (LOG.isDebugEnabled()) {
                LOG.debug("evaluateAccess: Processing family: " + key);
            }
            Set<String> value = entry.getValue();
            if (value == null || value.isEmpty()) {
                LOG.debug("evaluateAccess: columns collection null or empty, ok.  Family level access is desired.");
                // column(null) clears a column left on the session by an earlier family.
                clusterName2.column(null).buildRequest().authorize();
                AuthzAuditEvent andDiscardMostRecentEvent2 = auditHandler.getAndDiscardMostRecentEvent();
                if (clusterName2.isAuthorized()) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("evaluateAccess: has family level access [" + key + "]");
                    }
                    z2 = true;
                    hashSet.add(key);
                    if (andDiscardMostRecentEvent2 != null) {
                        LOG.debug("evaluateAccess: adding to family-level-access-granted-event-set");
                        arrayList2.add(andDiscardMostRecentEvent2);
                    }
                } else {
                    z = false;
                    if (andDiscardMostRecentEvent2 != null && authzAuditEvent == null) {
                        LOG.debug("evaluateAccess: Setting denied access audit event with last auth failure audit event.");
                        authzAuditEvent = andDiscardMostRecentEvent2;
                    }
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("evaluateAccess: no family level access [" + key + "].  Checking if has partial access (of any type)...");
                    }
                    // Second probe with the wider matching scope, to tell "no access at all"
                    // from "access to part of the family".
                    clusterName2.resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS).buildRequest().authorize();
                    AuthzAuditEvent andDiscardMostRecentEvent3 = auditHandler.getAndDiscardMostRecentEvent();
                    if (clusterName2.isAuthorized()) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("evaluateAccess: has partial access (of some type) in family [" + key + "]");
                        }
                        z2 = true;
                        hashSet3.add(key);
                        // NOTE(review): z is already false here but str3 is not set on this
                        // path. If partial-access families are the only denials, the result
                        // carries a null denial reason, and requirePermission then throws
                        // AccessDeniedException with a null message.
                    } else {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("evaluateAccess: has no access of [" + access + "] type in family [" + key + "]");
                        }
                        hashSet2.add(key);
                        str3 = String.format("Insufficient permissions for user ‘%s',action: %s, tableName:%s, family:%s.", activeUser.getName(), str, bytes, key);
                        if (andDiscardMostRecentEvent3 != null && authzAuditEvent == null) {
                            LOG.debug("evaluateAccess: Setting denied access audit event with last auth failure audit event.");
                            authzAuditEvent = andDiscardMostRecentEvent3;
                        }
                    }
                    // Restore the narrow scope so the following checks are not evaluated with
                    // SELF_OR_DESCENDANTS.
                    clusterName2.resourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF);
                }
            } else {
                LOG.debug("evaluateAccess: columns collection not empty.  Skipping Family level check, will do finer level access check.");
                HashSet hashSet4 = new HashSet();
                for (String str4 : value) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("evaluateAccess: Processing column: " + str4);
                    }
                    clusterName2.column(str4).buildRequest().authorize();
                    AuthzAuditEvent andDiscardMostRecentEvent4 = auditHandler.getAndDiscardMostRecentEvent();
                    if (clusterName2.isAuthorized()) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("evaluateAccess: has column level access [" + key + ", " + str4 + "]");
                        }
                        z2 = true;
                        hashSet4.add(str4);
                        if (andDiscardMostRecentEvent4 != null) {
                            LOG.debug("evaluateAccess: adding to access-granted-audit-event-set");
                            arrayList.add(andDiscardMostRecentEvent4);
                        }
                    } else {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("evaluateAccess: no column level access [" + key + ", " + str4 + "]");
                        }
                        z = false;
                        str3 = String.format("Insufficient permissions for user ‘%s',action: %s, tableName:%s, family:%s, column: %s", activeUser.getName(), str, bytes, key, str4);
                        if (andDiscardMostRecentEvent4 != null && authzAuditEvent == null) {
                            LOG.debug("evaluateAccess: Setting denied access audit event with last auth failure audit event.");
                            authzAuditEvent = andDiscardMostRecentEvent4;
                        }
                    }
                    // Runs once per column; the same set instance is put again each time.
                    if (!hashSet4.isEmpty()) {
                        hashMap.put(key, hashSet4);
                    }
                }
            }
        }
        // The filter receives the session plus the four per-family outcomes collected above.
        ColumnFamilyAccessResult columnFamilyAccessResult3 = new ColumnFamilyAccessResult(z, z2, arrayList, arrayList2, authzAuditEvent, str3, new RangerAuthorizationFilter(clusterName2, hashSet, hashSet2, hashSet3, hashMap), clusterName);
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("evaluateAccess: exiting: user[%s], Operation[%s], access[%s], families[%s], verdict[%s]", userAsString, str, access, columnFamilies.toString(), columnFamilyAccessResult3.toString()));
        }
        return columnFamilyAccessResult3;
    }

    /**
     * Authorizes a read-style operation that can be narrowed by a filter instead of being
     * rejected outright.
     *
     * <p>Audit logging by outcome: full access logs the allowed and family-level events;
     * partial access logs only the allowed events (no denial event is written for the parts
     * that were refused); no access logs the denial event.
     *
     * @return {@code null} when everything requested is accessible, otherwise the filter from
     *         the evaluation result
     * @throws AccessDeniedException if nothing requested is accessible, or from evaluateAccess
     */
    Filter authorizeAccess(String str, Permission.Action action, RegionCoprocessorEnvironment regionCoprocessorEnvironment, Map<byte[], NavigableSet<byte[]>> map) throws AccessDeniedException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> authorizeAccess");
        }
        try {
            ColumnFamilyAccessResult verdict = evaluateAccess(str, action, regionCoprocessorEnvironment, map);
            RangerDefaultAuditHandler auditor = new RangerDefaultAuditHandler();
            if (verdict._everythingIsAccessible) {
                auditor.logAuthzAudits(verdict._accessAllowedEvents);
                auditor.logAuthzAudits(verdict._familyLevelAccessEvents);
                LOG.debug("authorizeAccess: exiting: No filter returned since all access was allowed");
                return null;
            }
            if (verdict._somethingIsAccessible) {
                auditor.logAuthzAudits(verdict._accessAllowedEvents);
                LOG.debug("authorizeAccess: exiting: Filter returned since some access was allowed");
                return verdict._filter;
            }
            auditor.logAuthzAudit(verdict._accessDeniedEvent);
            LOG.debug("authorizeAccess: exiting: Throwing exception since nothing was accessible");
            throw new AccessDeniedException(verdict._denialReason);
        } finally {
            // Exit trace on every path, whether the method returns or throws.
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== authorizeAccess");
            }
        }
    }

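    /**
     * Combines two filters so that a cell must pass both.
     *
     * @param filter first filter; may be {@code null}
     * @param filter2 second filter; may be {@code null}
     * @return the non-null filter when only one is given, {@code null} when neither is, and
     *         otherwise a {@code MUST_PASS_ALL} list of both
     */
    Filter combineFilters(Filter filter, Filter filter2) {
        if (filter2 == null) {
            return filter;
        }
        if (filter == null) {
            // Do not build a FilterList around a null element; the remaining filter alone
            // expresses the same restriction.
            return filter2;
        }
        return new FilterList(FilterList.Operator.MUST_PASS_ALL, Lists.newArrayList(new Filter[]{filter, filter2}));
    }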

    /**
     * Authorizes an operation that needs access to everything it names: any denied family or
     * column rejects the whole request.
     *
     * <p>On denial only the denial event is written to the audit log; events of the checks
     * that were allowed are not logged. On success the allowed and family-level events are
     * logged.
     *
     * @throws AccessDeniedException if anything requested is not accessible, or from
     *         evaluateAccess
     */
    void requirePermission(String str, Permission.Action action, RegionCoprocessorEnvironment regionCoprocessorEnvironment, Map<byte[], ? extends Collection<?>> map) throws AccessDeniedException {
        ColumnFamilyAccessResult verdict = evaluateAccess(str, action, regionCoprocessorEnvironment, map);
        RangerDefaultAuditHandler auditor = new RangerDefaultAuditHandler();
        if (verdict._everythingIsAccessible) {
            auditor.logAuthzAudits(verdict._accessAllowedEvents);
            auditor.logAuthzAudits(verdict._familyLevelAccessEvents);
            LOG.debug("requirePermission: exiting: all access was allowed");
            return;
        }
        auditor.logAuthzAudit(verdict._accessDeniedEvent);
        LOG.debug("requirePermission: exiting: throwing exception as everything wasn't accessible");
        throw new AccessDeniedException(verdict._denialReason);
    }

    /**
     * Authorizes one operation against a single resource (table, family and column, any of
     * which may be {@code null}).
     *
     * <p>Accesses accepted by canSkipAccessCheck return without a policy check or audit event.
     * For all others the outcome is handed to {@code publishResults()}.
     * NOTE(review): this method has no denial path of its own, so the rejection presumably
     * happens inside publishResults() - confirm in AuthorizationSession.
     *
     * @param str operation name
     * @param str2 additional information attached to the request
     * @param action HBase permission action; mapped to an access type by {@code _authUtils.getAccess}
     * @param str3 table name
     * @param str4 column family name
     * @param str5 column name
     */
    void authorizeAccess(String str, String str2, Permission.Action action, String str3, String str4, String str5) throws AccessDeniedException {
        final String exitFormat = "authorizeAccess: %s: Operation[%s], Info[%s], access[%s], table[%s], columnFamily[%s], column[%s], allowed[%s], reason[%s]";
        String accessType = this._authUtils.getAccess(action);
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("authorizeAccess: %s: Operation[%s], Info[%s], access[%s], table[%s], columnFamily[%s], column[%s]", "Entering", str, str2, accessType, str3, str4, str5));
        }
        if (canSkipAccessCheck(str, accessType, str3)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(String.format(exitFormat, "Exiting", str, str2, accessType, str3, str4, str5, true, "can skip auth check"));
            }
            return;
        }
        AuthorizationSession session = new AuthorizationSession(hbasePlugin)
                .operation(str)
                .otherInformation(str2)
                .remoteAddress(getRemoteAddress())
                .auditHandler(this._factory.getAuditHandler())
                .user(getActiveUser())
                .access(accessType)
                .table(str3)
                .columnFamily(str4)
                .column(str5)
                .clusterName(hbasePlugin.getClusterName())
                .buildRequest()
                .authorize();
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format(exitFormat, "Exiting", str, str2, accessType, str3, str4, str5, Boolean.valueOf(session.isAuthorized()), session.getDenialReason()));
        }
        session.publishResults();
    }

    /**
     * Decides by table name whether the policy check can be skipped.
     *
     * <p>Only read access to a special table (see isSpecialTable) is skipped. A skipped access
     * is allowed without an audit event, and the denial for a missing user is not audited
     * either.
     *
     * @param str operation name, used in the denial message
     * @param str2 access type
     * @param str3 table name
     * @return {@code true} when the access is a metadata read
     * @throws AccessDeniedException if no user is associated with the request
     */
    boolean canSkipAccessCheck(String str, String str2, String str3) throws AccessDeniedException {
        if (getActiveUser() == null) {
            LOG.warn("canSkipAccessCheck: exitingUnexpeceted: User is null: access denied, not audited!");
            throw new AccessDeniedException("No user associated with request (" + str + ") for action: " + str2 + "on table:" + str3);
        }
        boolean metadataRead = isAccessForMetadataRead(str2, str3);
        if (metadataRead) {
            LOG.debug("canSkipAccessCheck: true: metadata read access always allowed, not audited");
        } else {
            LOG.debug("Can't skip access checks");
        }
        return metadataRead;
    }

    /**
     * Decides by region whether the regular policy check can be skipped for meta tables.
     *
     * <p>Reads of a meta table or meta region are always skipped. Writes to them are skipped
     * only when a request that carries the CREATE access type and no table is authorized for
     * the active user. That session is built without an audit handler.
     *
     * @param str operation name
     * @param str2 access type
     * @return {@code true} when the regular check can be skipped
     */
    boolean canSkipAccessCheck(String str, String str2, RegionCoprocessorEnvironment regionCoprocessorEnvironment) throws AccessDeniedException {
        String cluster = hbasePlugin.getClusterName();
        User requester = getActiveUser();
        if (isAccessForMetaTables(regionCoprocessorEnvironment) && this._authUtils.isReadAccess(str2)) {
            LOG.debug("isKnownAccessPattern: exiting: Read access for metadata tables allowed, not audited!");
            return true;
        }
        boolean metaTableWrite = this._authUtils.isWriteAccess(str2) && isAccessForMetaTables(regionCoprocessorEnvironment);
        if (!metaTableWrite) {
            return false;
        }
        String createAccess = this._authUtils.getAccess(Permission.Action.CREATE);
        AuthorizationSession createCheck = new AuthorizationSession(hbasePlugin)
                .operation(str)
                .remoteAddress(getRemoteAddress())
                .user(requester)
                .access(createAccess)
                .clusterName(cluster)
                .buildRequest()
                .authorize();
        if (createCheck.isAuthorized()) {
            LOG.debug("isKnownAccessPattern: exiting: User has global create access, allowed!");
            return true;
        }
        return false;
    }

    /**
     * Tells whether the request is a read of one of the special tables.
     *
     * @param str access type
     * @param str2 table name
     */
    boolean isAccessForMetadataRead(String str, String str2) {
        boolean metadataRead = this._authUtils.isReadAccess(str) && isSpecialTable(str2);
        if (metadataRead) {
            LOG.debug("isAccessForMetadataRead: Metadata tables read: access allowed!");
        }
        return metadataRead;
    }

    /**
     * Requires the action with no table, family or column on the request.
     *
     * @param str operation name
     * @param str2 additional information attached to the request
     */
    protected void requireGlobalPermission(String str, String str2, Permission.Action action) throws AccessDeniedException {
        final String noTable = null;
        final String noFamily = null;
        final String noColumn = null;
        authorizeAccess(str, str2, action, noTable, noFamily, noColumn);
    }

    /** Requires the action with no table named; delegates to the table-level overload. */
    protected void requirePermission(String str, Permission.Action action) throws AccessDeniedException {
        requirePermission(str, (byte[]) null, action);
    }

    /**
     * Requires the action on a table, with no family or column on the request.
     *
     * @param bArr table name bytes, decoded with {@code Bytes.toString}
     */
    protected void requirePermission(String str, byte[] bArr, Permission.Action action) throws AccessDeniedException {
        String table = Bytes.toString(bArr);
        authorizeAccess(str, null, action, table, null, null);
    }

    /**
     * Requires the action on one table, column family and column.
     *
     * @param bArr table name bytes
     * @param bArr2 column family bytes
     * @param bArr3 column qualifier bytes
     */
    protected void requirePermission(String str, byte[] bArr, byte[] bArr2, byte[] bArr3, Permission.Action action) throws AccessDeniedException {
        String table = Bytes.toString(bArr);
        String family = Bytes.toString(bArr2);
        String column = Bytes.toString(bArr3);
        authorizeAccess(str, null, action, table, family, column);
    }

    /**
     * Requires the action on each listed column family as a whole.
     *
     * <p>Every family is mapped to a {@code null} column collection, which the map-based
     * overload evaluates as a family-level check. A {@code null} or empty collection results
     * in a table-level check.
     *
     * @param collection column family names as bytes; may be {@code null}
     */
    protected void requirePermission(String str, Permission.Action action, RegionCoprocessorEnvironment regionCoprocessorEnvironment, Collection<byte[]> collection) throws IOException {
        Map<byte[], Collection<?>> familiesWithoutColumns = new HashMap<byte[], Collection<?>>();
        if (collection != null) {
            for (byte[] family : collection) {
                familiesWithoutColumns.put(family, null);
            }
        }
        requirePermission(str, action, regionCoprocessorEnvironment, familiesWithoutColumns);
    }

    /** Drops the owner recorded for a scanner once the scanner has been closed. */
    public void postScannerClose(ObserverContext<RegionCoprocessorEnvironment> observerContext, InternalScanner internalScanner) throws IOException {
        Map<InternalScanner, String> owners = this.scannerOwners;
        owners.remove(internalScanner);
    }

    /**
     * Records the short name of the active user as the owner of a newly opened scanner.
     *
     * <p>When there is no active user, or it has no short name, no owner is recorded;
     * requireScannerOwner accepts any caller for a scanner without a recorded owner.
     *
     * @return the scanner that was passed in, unchanged
     */
    public RegionScanner postScannerOpen(ObserverContext<RegionCoprocessorEnvironment> observerContext, Scan scan, RegionScanner regionScanner) throws IOException {
        User opener = getActiveUser();
        if (opener == null || opener.getShortName() == null) {
            return regionScanner;
        }
        this.scannerOwners.put(regionScanner, opener.getShortName());
        return regionScanner;
    }

    /**
     * Initializes {@code RangerAccessControlLists} with the master services after master start.
     *
     * <p>Skipped entirely when {@code UpdateRangerPoliciesOnGrantRevoke} is off.
     *
     * @param observerContext master coprocessor context supplying the master services
     * @throws IOException propagated from the initialization
     */
    public void postStartMaster(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        if (!UpdateRangerPoliciesOnGrantRevoke) {
            return;
        }
        RangerAccessControlLists.init(observerContext.getEnvironment().getMasterServices());
    }

    /**
     * Requires CREATE on the table before a column family is added.
     *
     * @param observerContext master coprocessor context; not used
     * @param tableName table being altered
     * @param hColumnDescriptor new column family; not part of the check
     * @throws IOException if the permission check fails
     */
    public void preAddColumn(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, HColumnDescriptor hColumnDescriptor) throws IOException {
        final byte[] table = tableName.getName();
        requirePermission("addColumn", table, null, null, Permission.Action.CREATE);
    }

    /**
     * Requires WRITE on the families touched by an append.
     *
     * @param observerContext region coprocessor context
     * @param append append operation whose family/cell map is checked
     * @return always {@code null}
     * @throws IOException if the permission check fails
     */
    public Result preAppend(ObserverContext<RegionCoprocessorEnvironment> observerContext, Append append) throws IOException {
        RegionCoprocessorEnvironment env = (RegionCoprocessorEnvironment) observerContext.getEnvironment();
        requirePermission("append", Permission.Action.WRITE, env, append.getFamilyCellMap());
        return null;
    }

    /**
     * Requires ADMIN on the region's table before the region is assigned.
     *
     * @param observerContext master coprocessor context; not used
     * @param hRegionInfo region being assigned
     * @throws IOException if the permission check fails
     */
    public void preAssign(ObserverContext<MasterCoprocessorEnvironment> observerContext, HRegionInfo hRegionInfo) throws IOException {
        final byte[] table = hRegionInfo.getTable().getName();
        requirePermission("assign", table, null, null, Permission.Action.ADMIN);
    }

    /**
     * Requires ADMIN (no table scope) before a balance run.
     *
     * @param observerContext master coprocessor context; not used
     * @throws IOException if the permission check fails
     */
    public void preBalance(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        requirePermission("balance", Permission.Action.ADMIN);
    }

    /**
     * Requires ADMIN (no table scope) before the balancer switch is changed.
     *
     * @param observerContext master coprocessor context; not used
     * @param z requested switch value
     * @return {@code z}, unchanged
     * @throws IOException if the permission check fails
     */
    public boolean preBalanceSwitch(ObserverContext<MasterCoprocessorEnvironment> observerContext, boolean z) throws IOException {
        requirePermission("balanceSwitch", Permission.Action.ADMIN);
        return z;
    }

    /**
     * Requires WRITE on every column family named in a bulk load.
     *
     * <p>Only the first element of each pair (the family) is checked; the second element is not
     * inspected here.
     *
     * @param observerContext region coprocessor context
     * @param list (family, path) pairs of the files to load
     * @throws IOException if the permission check fails
     */
    public void preBulkLoadHFile(ObserverContext<RegionCoprocessorEnvironment> observerContext, List<Pair<byte[], String>> list) throws IOException {
        List<byte[]> families = new LinkedList<byte[]>();
        for (Pair<byte[], String> familyAndPath : list) {
            families.add(familyAndPath.getFirst());
        }
        requirePermission("bulkLoadHFile", Permission.Action.WRITE, observerContext.getEnvironment(), families);
    }

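    /**
     * Requires both READ and WRITE on the target column family before a checkAndDelete.
     *
     * <p>The check is made at family granularity: the row, the qualifier and the delete itself
     * are not passed to the permission check.
     *
     * @param observerContext region coprocessor context
     * @param bArr row key; not used
     * @param bArr2 column family that is checked
     * @param bArr3 column qualifier; not used
     * @param compareOp comparison operator; not used
     * @param byteArrayComparable comparator; not used
     * @param delete delete to apply; not used
     * @param z value handed in by the framework
     * @return {@code z}, unchanged
     * @throws IOException if either permission check fails
     */
    public boolean preCheckAndDelete(ObserverContext<RegionCoprocessorEnvironment> observerContext, byte[] bArr, byte[] bArr2, byte[] bArr3, CompareFilter.CompareOp compareOp, ByteArrayComparable byteArrayComparable, Delete delete, boolean z) throws IOException {
        // One-element list holding the family. The decompiled form, new byte[]{bArr2}, put a
        // byte[] into a byte[] initializer and could not compile; the element type is byte[].
        List<byte[]> families = Arrays.asList(new byte[][] {bArr2});
        RegionCoprocessorEnvironment env = (RegionCoprocessorEnvironment) observerContext.getEnvironment();
        requirePermission("checkAndDelete", Permission.Action.READ, env, families);
        requirePermission("checkAndDelete", Permission.Action.WRITE, env, families);
        return z;
    }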

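    /**
     * Requires both READ and WRITE on the target column family before a checkAndPut.
     *
     * <p>The check is made at family granularity: the row, the qualifier and the put itself are
     * not passed to the permission check.
     *
     * @param observerContext region coprocessor context
     * @param bArr row key; not used
     * @param bArr2 column family that is checked
     * @param bArr3 column qualifier; not used
     * @param compareOp comparison operator; not used
     * @param byteArrayComparable comparator; not used
     * @param put put to apply; not used
     * @param z value handed in by the framework
     * @return {@code z}, unchanged
     * @throws IOException if either permission check fails
     */
    public boolean preCheckAndPut(ObserverContext<RegionCoprocessorEnvironment> observerContext, byte[] bArr, byte[] bArr2, byte[] bArr3, CompareFilter.CompareOp compareOp, ByteArrayComparable byteArrayComparable, Put put, boolean z) throws IOException {
        // One-element list holding the family. The decompiled form, new byte[]{bArr2}, put a
        // byte[] into a byte[] initializer and could not compile; the element type is byte[].
        List<byte[]> families = Arrays.asList(new byte[][] {bArr2});
        RegionCoprocessorEnvironment env = (RegionCoprocessorEnvironment) observerContext.getEnvironment();
        requirePermission("checkAndPut", Permission.Action.READ, env, families);
        requirePermission("checkAndPut", Permission.Action.WRITE, env, families);
        return z;
    }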

    /**
     * Requires ADMIN on the destination table before a snapshot is cloned.
     *
     * @param observerContext master coprocessor context; not used
     * @param snapshotDescription snapshot being cloned; not part of the check
     * @param hTableDescriptor descriptor whose table name is checked
     * @throws IOException if the permission check fails
     */
    public void preCloneSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext, HBaseProtos.SnapshotDescription snapshotDescription, HTableDescriptor hTableDescriptor) throws IOException {
        final byte[] table = hTableDescriptor.getTableName().getName();
        requirePermission("cloneSnapshot", table, Permission.Action.ADMIN);
    }

    /**
     * Requires ADMIN on the region's table before the region is closed.
     *
     * @param observerContext region coprocessor context used to resolve the table name
     * @param z flag supplied by the framework; not used
     * @throws IOException if the permission check fails
     */
    public void preClose(ObserverContext<RegionCoprocessorEnvironment> observerContext, boolean z) throws IOException {
        RegionCoprocessorEnvironment env = (RegionCoprocessorEnvironment) observerContext.getEnvironment();
        requirePermission("close", getTableName(env), Permission.Action.ADMIN);
    }

    /**
     * Requires CREATE on the region's table before a compaction.
     *
     * @param observerContext region coprocessor context used to resolve the table name
     * @param store store being compacted; not used
     * @param internalScanner scanner over the data to compact
     * @param scanType scan type; not used
     * @return {@code internalScanner}, unchanged
     * @throws IOException if the permission check fails
     */
    public InternalScanner preCompact(ObserverContext<RegionCoprocessorEnvironment> observerContext, Store store, InternalScanner internalScanner, ScanType scanType) throws IOException {
        RegionCoprocessorEnvironment env = (RegionCoprocessorEnvironment) observerContext.getEnvironment();
        requirePermission("compact", getTableName(env), null, null, Permission.Action.CREATE);
        return internalScanner;
    }

    /**
     * Requires CREATE on the region's table before store files are selected for compaction.
     *
     * @param observerContext region coprocessor context used to resolve the table name
     * @param store store being compacted; not used
     * @param list candidate store files; not used
     * @throws IOException if the permission check fails
     */
    public void preCompactSelection(ObserverContext<RegionCoprocessorEnvironment> observerContext, Store store, List<StoreFile> list) throws IOException {
        RegionCoprocessorEnvironment env = (RegionCoprocessorEnvironment) observerContext.getEnvironment();
        requirePermission("compactSelection", getTableName(env), null, null, Permission.Action.CREATE);
    }

    /**
     * Requires CREATE on the table name before the table is created.
     *
     * @param observerContext master coprocessor context; not used
     * @param hTableDescriptor descriptor of the table to create
     * @param hRegionInfoArr initial regions; not used
     * @throws IOException if the permission check fails
     */
    public void preCreateTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, HTableDescriptor hTableDescriptor, HRegionInfo[] hRegionInfoArr) throws IOException {
        final byte[] table = hTableDescriptor.getTableName().getName();
        requirePermission("createTable", table, Permission.Action.CREATE);
    }

    /**
     * Requires WRITE on the families touched by a delete.
     *
     * @param observerContext region coprocessor context
     * @param delete delete whose family/cell map is checked
     * @param wALEdit WAL edit; not used
     * @param durability durability setting; not used
     * @throws IOException if the permission check fails
     */
    public void preDelete(ObserverContext<RegionCoprocessorEnvironment> observerContext, Delete delete, WALEdit wALEdit, Durability durability) throws IOException {
        RegionCoprocessorEnvironment env = (RegionCoprocessorEnvironment) observerContext.getEnvironment();
        requirePermission("delete", Permission.Action.WRITE, env, delete.getFamilyCellMap());
    }

    /**
     * Requires CREATE on the table before a column family is deleted.
     *
     * <p>The check is table-wide; the family being removed is not passed on.
     *
     * @param observerContext master coprocessor context; not used
     * @param tableName table being altered
     * @param bArr column family to delete; not used
     * @throws IOException if the permission check fails
     */
    public void preDeleteColumn(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, byte[] bArr) throws IOException {
        final byte[] table = tableName.getName();
        requirePermission("deleteColumn", table, null, null, Permission.Action.CREATE);
    }

    /**
     * Requires ADMIN (no table scope) before a snapshot is deleted.
     *
     * @param observerContext master coprocessor context; not used
     * @param snapshotDescription snapshot to delete; not part of the check
     * @throws IOException if the permission check fails
     */
    public void preDeleteSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext, HBaseProtos.SnapshotDescription snapshotDescription) throws IOException {
        requirePermission("deleteSnapshot", Permission.Action.ADMIN);
    }

    /**
     * Requires CREATE on the table before it is deleted.
     *
     * @param observerContext master coprocessor context; not used
     * @param tableName table to delete
     * @throws IOException if the permission check fails
     */
    public void preDeleteTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
        final byte[] table = tableName.getName();
        requirePermission("deleteTable", table, null, null, Permission.Action.CREATE);
    }

    /**
     * Requires CREATE on the table before it is disabled.
     *
     * @param observerContext master coprocessor context; not used
     * @param tableName table to disable
     * @throws IOException if the permission check fails
     */
    public void preDisableTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
        final byte[] table = tableName.getName();
        requirePermission("disableTable", table, null, null, Permission.Action.CREATE);
    }

    /**
     * Requires CREATE on the table before it is enabled.
     *
     * @param observerContext master coprocessor context; not used
     * @param tableName table to enable
     * @throws IOException if the permission check fails
     */
    public void preEnableTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
        final byte[] table = tableName.getName();
        requirePermission("enableTable", table, null, null, Permission.Action.CREATE);
    }

    /**
     * Requires READ on the families named by an exists check.
     *
     * @param observerContext region coprocessor context
     * @param get request whose family set is checked
     * @param z value handed in by the framework
     * @return {@code z}, unchanged
     * @throws IOException if the permission check fails
     */
    public boolean preExists(ObserverContext<RegionCoprocessorEnvironment> observerContext, Get get, boolean z) throws IOException {
        RegionCoprocessorEnvironment env = (RegionCoprocessorEnvironment) observerContext.getEnvironment();
        requirePermission("exists", Permission.Action.READ, env, get.familySet());
        return z;
    }

    /**
     * Requires CREATE on the region's table before a flush.
     *
     * @param observerContext region coprocessor context used to resolve the table name
     * @throws IOException if the permission check fails
     */
    public void preFlush(ObserverContext<RegionCoprocessorEnvironment> observerContext) throws IOException {
        RegionCoprocessorEnvironment env = (RegionCoprocessorEnvironment) observerContext.getEnvironment();
        requirePermission("flush", getTableName(env), null, null, Permission.Action.CREATE);
    }

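    /**
     * Requires READ on the requested family before a closest-row-before lookup.
     *
     * <p>When no family is given, a {@code null} collection is passed to the permission check.
     *
     * @param observerContext region coprocessor context
     * @param bArr row key; not used
     * @param bArr2 column family to check; may be {@code null}
     * @param result result holder; not used
     * @throws IOException if the permission check fails
     */
    public void preGetClosestRowBefore(ObserverContext<RegionCoprocessorEnvironment> observerContext, byte[] bArr, byte[] bArr2, Result result) throws IOException {
        // The decompiled form wrapped the family as (Object[]) new byte[]{bArr2}, which cannot
        // compile; the intended value is a one-element list whose element is the family.
        Collection<byte[]> families = null;
        if (bArr2 != null) {
            families = Lists.newArrayList(new byte[][] {bArr2});
        }
        requirePermission("getClosestRowBefore", Permission.Action.READ, (RegionCoprocessorEnvironment) observerContext.getEnvironment(), families);
    }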

    /**
     * Requires WRITE on the families touched by an increment.
     *
     * @param observerContext region coprocessor context
     * @param increment increment whose family keys are checked
     * @return always {@code null}
     * @throws IOException if the permission check fails
     */
    public Result preIncrement(ObserverContext<RegionCoprocessorEnvironment> observerContext, Increment increment) throws IOException {
        RegionCoprocessorEnvironment env = (RegionCoprocessorEnvironment) observerContext.getEnvironment();
        requirePermission("increment", Permission.Action.WRITE, env, increment.getFamilyCellMap().keySet());
        return null;
    }

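    /**
     * Requires both READ and WRITE on the target column family before a column value increment.
     *
     * <p>The check is made at family granularity; the qualifier is not passed on.
     *
     * @param observerContext region coprocessor context
     * @param bArr row key; not used
     * @param bArr2 column family that is checked
     * @param bArr3 column qualifier; not used
     * @param j increment amount; not used
     * @param z flag supplied by the framework; not used
     * @return always {@code -1}
     * @throws IOException if either permission check fails
     */
    public long preIncrementColumnValue(ObserverContext<RegionCoprocessorEnvironment> observerContext, byte[] bArr, byte[] bArr2, byte[] bArr3, long j, boolean z) throws IOException {
        // One-element list holding the family. The decompiled form, new byte[]{bArr2}, put a
        // byte[] into a byte[] initializer and could not compile; the element type is byte[].
        List<byte[]> families = Arrays.asList(new byte[][] {bArr2});
        RegionCoprocessorEnvironment env = (RegionCoprocessorEnvironment) observerContext.getEnvironment();
        requirePermission("incrementColumnValue", Permission.Action.READ, env, families);
        requirePermission("incrementColumnValue", Permission.Action.WRITE, env, families);
        return -1L;
    }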

    /**
     * Requires CREATE on the table before a column family is modified.
     *
     * @param observerContext master coprocessor context; not used
     * @param tableName table being altered
     * @param hColumnDescriptor new family definition; not part of the check
     * @throws IOException if the permission check fails
     */
    public void preModifyColumn(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, HColumnDescriptor hColumnDescriptor) throws IOException {
        final byte[] table = tableName.getName();
        requirePermission("modifyColumn", table, null, null, Permission.Action.CREATE);
    }

    /**
     * Requires CREATE on the table before its descriptor is modified.
     *
     * @param observerContext master coprocessor context; not used
     * @param tableName table being altered
     * @param hTableDescriptor new descriptor; not part of the check
     * @throws IOException if the permission check fails
     */
    public void preModifyTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, HTableDescriptor hTableDescriptor) throws IOException {
        final byte[] table = tableName.getName();
        requirePermission("modifyTable", table, null, null, Permission.Action.CREATE);
    }

    /**
     * Requires ADMIN on the region's table before the region is moved.
     *
     * @param observerContext master coprocessor context; not used
     * @param hRegionInfo region being moved
     * @param serverName source server; not used
     * @param serverName2 destination server; not used
     * @throws IOException if the permission check fails
     */
    public void preMove(ObserverContext<MasterCoprocessorEnvironment> observerContext, HRegionInfo hRegionInfo, ServerName serverName, ServerName serverName2) throws IOException {
        final byte[] table = hRegionInfo.getTable().getName();
        requirePermission("move", table, null, null, Permission.Action.ADMIN);
    }

    /**
     * Lets a procedure's owner abort it; everyone else needs ADMIN.
     *
     * @param observerContext master coprocessor context; not used
     * @param procedureExecutor executor asked whether the active user owns the procedure
     * @param j procedure id
     * @throws IOException if the caller is not the owner and the ADMIN check fails
     */
    public void preAbortProcedure(ObserverContext<MasterCoprocessorEnvironment> observerContext, ProcedureExecutor<MasterProcedureEnv> procedureExecutor, long j) throws IOException {
        boolean ownedByCaller = procedureExecutor.isProcedureOwner(j, getActiveUser());
        if (!ownedByCaller) {
            requirePermission("abortProcedure", Permission.Action.ADMIN);
        }
    }

    /**
     * Filters a procedure listing down to what the active user may see.
     *
     * <p>Procedures owned by the active user are kept. For every other procedure an ADMIN check
     * runs, and the entry is removed from {@code list} when that check is denied. The ADMIN check
     * is repeated per non-owned procedure rather than evaluated once.
     *
     * @param observerContext master coprocessor context; not used
     * @param list procedure list, filtered in place
     * @throws IOException declared by the hook signature
     */
    public void postListProcedures(ObserverContext<MasterCoprocessorEnvironment> observerContext, List<ProcedureInfo> list) throws IOException {
        if (list.isEmpty()) {
            return;
        }
        User caller = getActiveUser();
        for (Iterator<ProcedureInfo> procedures = list.iterator(); procedures.hasNext();) {
            try {
                boolean ownedByCaller = ProcedureInfo.isProcedureOwner(procedures.next(), caller);
                if (!ownedByCaller) {
                    requirePermission("listProcedures", Permission.Action.ADMIN);
                }
            } catch (AccessDeniedException denied) {
                // Denial is not an error here: the entry is simply hidden from the caller.
                procedures.remove();
            }
        }
    }

    /**
     * Authorizes opening a region.
     *
     * <p>Regions of special tables require the system or super user; all other regions require
     * ADMIN on the table.
     *
     * <p>NOTE(review): when the environment returns no region, the method only logs an error and
     * returns, so no permission check runs on that path. Confirm that allowing the open in this
     * case is intended.
     *
     * <p>NOTE(review): the special-table branch reads the configuration from
     * {@code this.regionEnv}, not from {@code observerContext}; confirm both always refer to the
     * same environment.
     *
     * @param observerContext region coprocessor context
     * @throws IOException if the applicable check fails
     */
    public void preOpen(ObserverContext<RegionCoprocessorEnvironment> observerContext) throws IOException {
        Region region = observerContext.getEnvironment().getRegion();
        if (region == null) {
            LOG.error("NULL region from RegionCoprocessorEnvironment in preOpen()");
            return;
        }
        if (isSpecialTable(region.getRegionInfo())) {
            requireSystemOrSuperUser(this.regionEnv.getConfiguration());
            return;
        }
        RegionCoprocessorEnvironment env = (RegionCoprocessorEnvironment) observerContext.getEnvironment();
        requirePermission("open", getTableName(env), Permission.Action.ADMIN);
    }

    /**
     * Requires ADMIN on the target table before a snapshot is restored.
     *
     * @param observerContext master coprocessor context; not used
     * @param snapshotDescription snapshot being restored; not part of the check
     * @param hTableDescriptor descriptor whose table name is checked
     * @throws IOException if the permission check fails
     */
    public void preRestoreSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext, HBaseProtos.SnapshotDescription snapshotDescription, HTableDescriptor hTableDescriptor) throws IOException {
        final byte[] table = hTableDescriptor.getTableName().getName();
        requirePermission("restoreSnapshot", table, Permission.Action.ADMIN);
    }

    /**
     * Runs the scanner-owner check before a scanner is closed.
     *
     * @param observerContext region coprocessor context; not used
     * @param internalScanner scanner being closed
     * @throws IOException propagated from {@code requireScannerOwner}
     */
    public void preScannerClose(ObserverContext<RegionCoprocessorEnvironment> observerContext, InternalScanner internalScanner) throws IOException {
        requireScannerOwner(internalScanner);
    }

    /**
     * Runs the scanner-owner check before each batch is fetched from a scanner.
     *
     * @param observerContext region coprocessor context; not used
     * @param internalScanner scanner being advanced
     * @param list result holder; not used
     * @param i row limit; not used
     * @param z value handed in by the framework
     * @return {@code z}, unchanged
     * @throws IOException propagated from {@code requireScannerOwner}
     */
    public boolean preScannerNext(ObserverContext<RegionCoprocessorEnvironment> observerContext, InternalScanner internalScanner, List<Result> list, int i, boolean z) throws IOException {
        requireScannerOwner(internalScanner);
        return z;
    }

    /**
     * Authorizes a scan for READ and narrows it when access is only partial.
     *
     * <p>{@code authorizeAccess} either throws, returns {@code null} (the debug text reports this
     * as access to all requested families/columns) or returns a filter. A returned filter is
     * combined with the scan's own filter via {@code combineFilters} and installed on the scan.
     *
     * @param observerContext region coprocessor context
     * @param scan scan being opened; its filter may be replaced
     * @param regionScanner scanner supplied by the framework
     * @return {@code regionScanner}, unchanged
     * @throws IOException if access is denied
     */
    public RegionScanner preScannerOpen(ObserverContext<RegionCoprocessorEnvironment> observerContext, Scan scan, RegionScanner regionScanner) throws IOException {
        final boolean debug = LOG.isDebugEnabled();
        if (debug) {
            LOG.debug("==> preScannerOpen");
        }
        try {
            RegionCoprocessorEnvironment env = (RegionCoprocessorEnvironment) observerContext.getEnvironment();
            Filter accessFilter = authorizeAccess("scannerOpen", Permission.Action.READ, env, scan.getFamilyMap());
            if (accessFilter == null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("preScannerOpen: Access allowed for all families/column.  No filter added");
                }
            } else {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("preScannerOpen: Access allowed for some of the families/column. New filter added.");
                }
                scan.setFilter(combineFilters(accessFilter, scan.getFilter()));
            }
            return regionScanner;
        } finally {
            // Exit trace is written on both the normal and the exceptional path.
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== preScannerOpen");
            }
        }
    }

    /**
     * Requires ADMIN (no table scope) before a cluster shutdown.
     *
     * @param observerContext master coprocessor context; not used
     * @throws IOException if the permission check fails
     */
    public void preShutdown(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        requirePermission("shutdown", Permission.Action.ADMIN);
    }

    /**
     * Requires ADMIN on the table before a snapshot of it is taken.
     *
     * @param observerContext master coprocessor context; not used
     * @param snapshotDescription snapshot request; not part of the check
     * @param hTableDescriptor descriptor whose table name is checked
     * @throws IOException if the permission check fails
     */
    public void preSnapshot(ObserverContext<MasterCoprocessorEnvironment> observerContext, HBaseProtos.SnapshotDescription snapshotDescription, HTableDescriptor hTableDescriptor) throws IOException {
        final byte[] table = hTableDescriptor.getTableName().getName();
        requirePermission("snapshot", table, Permission.Action.ADMIN);
    }

    /**
     * Requires ADMIN on the region's table before a split.
     *
     * @param observerContext region coprocessor context used to resolve the table name
     * @throws IOException if the permission check fails
     */
    public void preSplit(ObserverContext<RegionCoprocessorEnvironment> observerContext) throws IOException {
        RegionCoprocessorEnvironment env = (RegionCoprocessorEnvironment) observerContext.getEnvironment();
        requirePermission("split", getTableName(env), null, null, Permission.Action.ADMIN);
    }

    /**
     * Requires ADMIN (no table scope) before the master is stopped.
     *
     * @param observerContext master coprocessor context; not used
     * @throws IOException if the permission check fails
     */
    public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        requirePermission("stopMaster", Permission.Action.ADMIN);
    }

    /**
     * Requires ADMIN (no table scope) before a region server is stopped.
     *
     * <p>The operation is reported to the permission check as {@code "stop"}.
     *
     * @param observerContext region server coprocessor context; not used
     * @throws IOException if the permission check fails
     */
    public void preStopRegionServer(ObserverContext<RegionServerCoprocessorEnvironment> observerContext) throws IOException {
        requirePermission("stop", Permission.Action.ADMIN);
    }

    /**
     * Requires ADMIN on the region's table before the region is unassigned.
     *
     * @param observerContext master coprocessor context; not used
     * @param hRegionInfo region being unassigned
     * @param z force flag supplied by the framework; not used
     * @throws IOException if the permission check fails
     */
    public void preUnassign(ObserverContext<MasterCoprocessorEnvironment> observerContext, HRegionInfo hRegionInfo, boolean z) throws IOException {
        final byte[] table = hRegionInfo.getTable().getName();
        requirePermission("unassign", table, null, null, Permission.Action.ADMIN);
    }

    /**
     * Requires global ADMIN before a user quota is set.
     *
     * <p>The user name and the quota values are not passed to the permission check.
     *
     * @param observerContext master coprocessor context; not used
     * @param str user the quota applies to; not used
     * @param quotas quota settings; not used
     * @throws IOException if the permission check fails
     */
    @Override // org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessorBase
    public void preSetUserQuota(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str, QuotaProtos.Quotas quotas) throws IOException {
        requireGlobalPermission("setUserQuota", null, Permission.Action.ADMIN);
    }

    /**
     * Requires ADMIN on the table before a per-user table quota is set.
     *
     * @param observerContext master coprocessor context; not used
     * @param str user the quota applies to; not used
     * @param tableName table the quota applies to
     * @param quotas quota settings; not used
     * @throws IOException if the permission check fails
     */
    @Override // org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessorBase
    public void preSetUserQuota(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str, TableName tableName, QuotaProtos.Quotas quotas) throws IOException {
        final byte[] table = tableName.getName();
        requirePermission("setUserTableQuota", table, null, null, Permission.Action.ADMIN);
    }

    /**
     * Requires global ADMIN before a per-user namespace quota is set.
     *
     * @param observerContext master coprocessor context; not used
     * @param str user the quota applies to; not used
     * @param str2 namespace, forwarded as the second argument of the global check
     * @param quotas quota settings; not used
     * @throws IOException if the permission check fails
     */
    @Override // org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessorBase
    public void preSetUserQuota(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str, String str2, QuotaProtos.Quotas quotas) throws IOException {
        final String namespace = str2;
        requireGlobalPermission("setUserNamespaceQuota", namespace, Permission.Action.ADMIN);
    }

    /**
     * Requires ADMIN on the table before a table quota is set.
     *
     * @param observerContext master coprocessor context; not used
     * @param tableName table the quota applies to
     * @param quotas quota settings; not used
     * @throws IOException if the permission check fails
     */
    @Override // org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessorBase
    public void preSetTableQuota(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, QuotaProtos.Quotas quotas) throws IOException {
        final byte[] table = tableName.getName();
        requirePermission("setTableQuota", table, null, null, Permission.Action.ADMIN);
    }

    /**
     * Requires global ADMIN before a namespace quota is set.
     *
     * @param observerContext master coprocessor context; not used
     * @param str namespace, forwarded as the second argument of the global check
     * @param quotas quota settings; not used
     * @throws IOException if the permission check fails
     */
    @Override // org.apache.ranger.authorization.hbase.RangerAuthorizationCoprocessorBase
    public void preSetNamespaceQuota(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str, QuotaProtos.Quotas quotas) throws IOException {
        final String namespace = str;
        requireGlobalPermission("setNamespaceQuota", namespace, Permission.Action.ADMIN);
    }

    /**
     * Records which kind of coprocessor this instance is and lazily creates the shared plugin.
     *
     * <p>The plugin is a class-wide singleton: the first instance to reach the synchronized block
     * creates it, so the application type string of that first instance is the one the plugin
     * keeps. The grant/revoke flag is read from configuration at the same moment.
     *
     * <p>NOTE(review): the unsynchronized outer null check is only safe if {@code hbasePlugin} is
     * declared {@code volatile}; the declaration is outside this view, so confirm.
     *
     * @param coprocessorEnvironment environment the coprocessor was loaded into
     * @throws IOException declared by the lifecycle signature
     */
    public void start(CoprocessorEnvironment coprocessorEnvironment) throws IOException {
        String appType = "unknown";
        if (coprocessorEnvironment instanceof MasterCoprocessorEnvironment) {
            appType = "hbaseMaster";
            this.coprocessorType = MASTER_COPROCESSOR_TYPE;
        } else if (coprocessorEnvironment instanceof RegionServerCoprocessorEnvironment) {
            appType = "hbaseRegional";
            this.coprocessorType = REGIONAL_SERVER_COPROCESSOR_TYPE;
        } else if (coprocessorEnvironment instanceof RegionCoprocessorEnvironment) {
            appType = "hbaseRegional";
            this.regionEnv = (RegionCoprocessorEnvironment) coprocessorEnvironment;
            this.coprocessorType = REGIONAL_COPROCESSOR_TYPE;
        }
        HbaseFactory.initialize(coprocessorEnvironment.getConfiguration());
        if (hbasePlugin == null) {
            synchronized (RangerAuthorizationCoprocessor.class) {
                if (hbasePlugin == null) {
                    RangerHBasePlugin plugin = new RangerHBasePlugin(appType);
                    plugin.init();
                    UpdateRangerPoliciesOnGrantRevoke = RangerConfiguration.getInstance().getBoolean("xasecure.hbase.update.xapolicies.on.grant.revoke", true);
                    // Published last, after init() and the flag read have completed.
                    hbasePlugin = plugin;
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Start of Coprocessor: [" + this.coprocessorType + "]");
        }
    }

    /**
     * Requires WRITE on the families touched by a put.
     *
     * @param observerContext region coprocessor context
     * @param put put whose family/cell map is checked
     * @param wALEdit WAL edit; not used
     * @param durability durability setting; not used
     * @throws IOException if the permission check fails
     */
    public void prePut(ObserverContext<RegionCoprocessorEnvironment> observerContext, Put put, WALEdit wALEdit, Durability durability) throws IOException {
        RegionCoprocessorEnvironment env = (RegionCoprocessorEnvironment) observerContext.getEnvironment();
        requirePermission("put", Permission.Action.WRITE, env, put.getFamilyCellMap());
    }

    /**
     * Authorizes a get for READ and narrows it when access is only partial.
     *
     * <p>{@code authorizeAccess} either throws, returns {@code null} (reported in the debug text
     * as all access allowed) or returns a filter. A returned filter is combined with the get's
     * own filter via {@code combineFilters} and installed on the get.
     *
     * @param observerContext region coprocessor context
     * @param get request being authorized; its filter may be replaced
     * @param list result holder; not used
     * @throws IOException if access is denied
     */
    public void preGetOp(ObserverContext<RegionCoprocessorEnvironment> observerContext, Get get, List<Cell> list) throws IOException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> preGetOp");
        }
        try {
            RegionCoprocessorEnvironment env = (RegionCoprocessorEnvironment) observerContext.getEnvironment();
            Filter accessFilter = authorizeAccess("get", Permission.Action.READ, env, get.getFamilyMap());
            if (accessFilter == null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("preGetOp: all access allowed, no filter returned");
                }
            } else {
                get.setFilter(combineFilters(accessFilter, get.getFilter()));
                if (LOG.isDebugEnabled()) {
                    LOG.debug("preGetOp: partial access, new filter added");
                }
            }
        } finally {
            // Exit trace is written on both the normal and the exceptional path.
            if (LOG.isDebugEnabled()) {
                LOG.debug("<== preGetOp");
            }
        }
    }

    /**
     * Requires ADMIN on the region's table before the region is taken offline.
     *
     * @param observerContext master coprocessor context; not used
     * @param hRegionInfo region being taken offline
     * @throws IOException if the permission check fails
     */
    public void preRegionOffline(ObserverContext<MasterCoprocessorEnvironment> observerContext, HRegionInfo hRegionInfo) throws IOException {
        final byte[] table = hRegionInfo.getTable().getName();
        requirePermission("regionOffline", table, null, null, Permission.Action.ADMIN);
    }

    /**
     * Requires global ADMIN before a namespace is created.
     *
     * @param observerContext master coprocessor context; not used
     * @param namespaceDescriptor descriptor whose name is forwarded to the global check
     * @throws IOException if the permission check fails
     */
    public void preCreateNamespace(ObserverContext<MasterCoprocessorEnvironment> observerContext, NamespaceDescriptor namespaceDescriptor) throws IOException {
        final String namespace = namespaceDescriptor.getName();
        requireGlobalPermission("createNamespace", namespace, Permission.Action.ADMIN);
    }

    /**
     * Requires global ADMIN before a namespace is deleted.
     *
     * @param observerContext master coprocessor context; not used
     * @param str namespace name, forwarded to the global check
     * @throws IOException if the permission check fails
     */
    public void preDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str) throws IOException {
        final String namespace = str;
        requireGlobalPermission("deleteNamespace", namespace, Permission.Action.ADMIN);
    }

    /**
     * Requires global ADMIN before a namespace is modified.
     *
     * @param observerContext master coprocessor context; not used
     * @param namespaceDescriptor descriptor whose name is forwarded to the global check
     * @throws IOException if the permission check fails
     */
    public void preModifyNamespace(ObserverContext<MasterCoprocessorEnvironment> observerContext, NamespaceDescriptor namespaceDescriptor) throws IOException {
        final String namespace = namespaceDescriptor.getName();
        requireGlobalPermission("modifyNamespace", namespace, Permission.Action.ADMIN);
    }

    /**
     * Removes from a table-descriptor listing every table the active user is not authorized for.
     *
     * <p>Each descriptor is authorized individually using the access string derived from the
     * CREATE action. Unauthorized descriptors are removed from {@code list2} in place, and the
     * audit event captured for that denial is logged on its own. Events captured for the
     * remaining descriptors are logged once at the end, and only if at least one descriptor is
     * left.
     *
     * @param observerContext master coprocessor context; not used
     * @param list table names from the request; only its size is read, for debug output
     * @param list2 descriptors to filter in place; may be {@code null} or empty
     * @param str regex from the request; recorded in the session's other-information field
     * @throws IOException declared by the hook signature
     */
    public void postGetTableDescriptors(ObserverContext<MasterCoprocessorEnvironment> observerContext, List<TableName> list, List<HTableDescriptor> list2, String str) throws IOException {
        if (LOG.isDebugEnabled()) {
            Log log = LOG;
            Object[] objArr = new Object[3];
            objArr[0] = Integer.valueOf(list == null ? 0 : list.size());
            objArr[1] = Integer.valueOf(list2 == null ? 0 : list2.size());
            objArr[2] = str;
            log.debug(String.format("==> postGetTableDescriptors(count(tableNamesList)=%s, count(descriptors)=%s, regex=%s)", objArr));
        }
        String clusterName = hbasePlugin.getClusterName();
        if (CollectionUtils.isNotEmpty(list2)) {
            User activeUser = getActiveUser();
            String access = this._authUtils.getAccess(Permission.Action.CREATE);
            HbaseAuditHandler auditHandler = this._factory.getAuditHandler();
            // One session is built up front and re-targeted at each table inside the loop.
            AuthorizationSession clusterName2 = new AuthorizationSession(hbasePlugin).operation("getTableDescriptors").otherInformation("regex=" + str).remoteAddress(getRemoteAddress()).auditHandler(auditHandler).user(activeUser).access(access).clusterName(clusterName);
            Iterator<HTableDescriptor> it = list2.iterator();
            while (it.hasNext()) {
                clusterName2.table(it.next().getTableName().getNameAsString()).buildRequest().authorize();
                if (!clusterName2.isAuthorized()) {
                    ArrayList arrayList = null;
                    // Hide the table from the caller instead of failing the whole listing.
                    it.remove();
                    // Take the denial's event out of the handler and log it on its own.
                    AuthzAuditEvent andDiscardMostRecentEvent = auditHandler.getAndDiscardMostRecentEvent();
                    if (andDiscardMostRecentEvent != null) {
                        arrayList = Lists.newArrayList(new AuthzAuditEvent[]{andDiscardMostRecentEvent});
                    }
                    // Called even when no event was captured, in which case the argument is null.
                    auditHandler.logAuthzAudits(arrayList);
                }
            }
            if (list2.size() > 0) {
                clusterName2.logCapturedEvents();
            }
        }
        if (LOG.isDebugEnabled()) {
            Log log2 = LOG;
            Object[] objArr2 = new Object[3];
            objArr2[0] = Integer.valueOf(list == null ? 0 : list.size());
            objArr2[1] = Integer.valueOf(list2 == null ? 0 : list2.size());
            objArr2[2] = str;
            log2.debug(String.format("<== postGetTableDescriptors(count(tableNamesList)=%s, count(descriptors)=%s, regex=%s)", objArr2));
        }
    }

    /**
     * Requires ADMIN on the table of the first region before two regions are merged.
     *
     * <p>Only {@code region} is consulted for the table name; {@code region2} is not checked.
     *
     * @param observerContext region server coprocessor context; not used
     * @param region first region of the merge
     * @param region2 second region of the merge; not used
     * @throws IOException if the permission check fails
     */
    public void preMerge(ObserverContext<RegionServerCoprocessorEnvironment> observerContext, Region region, Region region2) throws IOException {
        final byte[] table = region.getTableDesc().getTableName().getName();
        requirePermission("mergeRegions", table, null, null, Permission.Action.ADMIN);
    }

    /**
     * Requires WRITE, with no families named, before a bulk load is prepared.
     *
     * @param observerContext region coprocessor context
     * @param prepareBulkLoadRequest request; not used
     * @throws IOException if the permission check fails
     */
    public void prePrepareBulkLoad(ObserverContext<RegionCoprocessorEnvironment> observerContext, SecureBulkLoadProtos.PrepareBulkLoadRequest prepareBulkLoadRequest) throws IOException {
        RegionCoprocessorEnvironment env = (RegionCoprocessorEnvironment) observerContext.getEnvironment();
        // The cast selects the Collection overload, which treats null as "no families".
        requirePermission("prePrepareBulkLoad", Permission.Action.WRITE, env, (Collection<byte[]>) null);
    }

    /**
     * Requires WRITE, with no families named, before bulk load staging is cleaned up.
     *
     * @param observerContext region coprocessor context
     * @param cleanupBulkLoadRequest request; not used
     * @throws IOException if the permission check fails
     */
    public void preCleanupBulkLoad(ObserverContext<RegionCoprocessorEnvironment> observerContext, SecureBulkLoadProtos.CleanupBulkLoadRequest cleanupBulkLoadRequest) throws IOException {
        RegionCoprocessorEnvironment env = (RegionCoprocessorEnvironment) observerContext.getEnvironment();
        // The cast selects the Collection overload, which treats null as "no families".
        requirePermission("preCleanupBulkLoad", Permission.Action.WRITE, env, (Collection<byte[]>) null);
    }

    /**
     * Returns the current time shifted back by the default time zone's offset.
     *
     * <p>The result is a {@link Date} whose epoch value equals "now" minus the offset of the
     * JVM's default zone. A {@code Date} carries no zone of its own, so on a host whose default
     * zone is not UTC the returned instant differs from the real current instant by that offset.
     * Consumers that correlate these values with other timestamps should account for this.
     *
     * @return the shifted date
     */
    public static Date getUTCDate() {
        Calendar local = Calendar.getInstance();
        long nowMillis = local.getTimeInMillis();
        int offsetMillis = local.getTimeZone().getOffset(nowMillis);
        GregorianCalendar shifted = new GregorianCalendar(gmtTimeZone);
        shifted.setTimeInMillis(nowMillis);
        shifted.add(Calendar.MILLISECOND, -offsetMillis);
        return shifted.getTime();
    }

    /**
     * Handles an HBase grant RPC by forwarding it to the Ranger plugin.
     *
     * <p>The request is converted with {@code createGrantData} and passed to
     * {@code grantAccess}. Failures are logged and reported through the controller; the callback
     * then receives {@code null}.
     *
     * <p>NOTE(review): when {@code UpdateRangerPoliciesOnGrantRevoke} is off, or the plugin is
     * not yet set, nothing is granted, no controller exception is set, and the callback still
     * receives {@code null}. Confirm clients treat that as a failure.
     *
     * <p>NOTE(review): this method itself does not check whether the caller may grant; that
     * decision is presumably made behind {@code grantAccess} using the grantor set on the
     * request. Confirm.
     *
     * @param rpcController controller that receives any failure
     * @param grantRequest protobuf grant request
     * @param rpcCallback callback run exactly once with the response or {@code null}
     */
    public void grant(RpcController rpcController, AccessControlProtos.GrantRequest grantRequest, RpcCallback<AccessControlProtos.GrantResponse> rpcCallback) {
        boolean granted = false;
        if (UpdateRangerPoliciesOnGrantRevoke) {
            try {
                GrantRevokeRequest request = createGrantData(grantRequest);
                // Read the shared field once so the null check and the calls see the same object.
                RangerHBasePlugin plugin = hbasePlugin;
                if (plugin != null) {
                    request.setClusterName(plugin.getClusterName());
                    plugin.grantAccess(request, new RangerDefaultAuditHandler());
                    granted = true;
                }
            } catch (AccessControlException denied) {
                LOG.warn("grant() failed", denied);
                ResponseConverter.setControllerException(rpcController, new AccessDeniedException(denied));
            } catch (IOException ioFailure) {
                LOG.warn("grant() failed", ioFailure);
                ResponseConverter.setControllerException(rpcController, ioFailure);
            } catch (Exception other) {
                LOG.warn("grant() failed", other);
                ResponseConverter.setControllerException(rpcController, new CoprocessorException(other.getMessage()));
            }
        }
        AccessControlProtos.GrantResponse response = null;
        if (granted) {
            response = AccessControlProtos.GrantResponse.getDefaultInstance();
        }
        rpcCallback.run(response);
    }

    /**
     * Handles an HBase revoke RPC by forwarding it to the Ranger plugin.
     *
     * <p>The request is converted with {@code createRevokeData} and passed to
     * {@code revokeAccess}. Failures are logged and reported through the controller; the
     * callback then receives {@code null}.
     *
     * <p>NOTE(review): when {@code UpdateRangerPoliciesOnGrantRevoke} is off, or the plugin is
     * not yet set, nothing is revoked, no controller exception is set, and the callback still
     * receives {@code null}. A caller that does not check for this could believe access was
     * removed; confirm clients treat it as a failure.
     *
     * @param rpcController controller that receives any failure
     * @param revokeRequest protobuf revoke request
     * @param rpcCallback callback run exactly once with the response or {@code null}
     */
    public void revoke(RpcController rpcController, AccessControlProtos.RevokeRequest revokeRequest, RpcCallback<AccessControlProtos.RevokeResponse> rpcCallback) {
        boolean revoked = false;
        if (UpdateRangerPoliciesOnGrantRevoke) {
            try {
                GrantRevokeRequest request = createRevokeData(revokeRequest);
                // Read the shared field once so the null check and the calls see the same object.
                RangerHBasePlugin plugin = hbasePlugin;
                if (plugin != null) {
                    request.setClusterName(plugin.getClusterName());
                    plugin.revokeAccess(request, new RangerDefaultAuditHandler());
                    revoked = true;
                }
            } catch (AccessControlException denied) {
                LOG.warn("revoke() failed", denied);
                ResponseConverter.setControllerException(rpcController, new AccessDeniedException(denied));
            } catch (IOException ioFailure) {
                LOG.warn("revoke() failed", ioFailure);
                ResponseConverter.setControllerException(rpcController, ioFailure);
            } catch (Exception other) {
                LOG.warn("revoke() failed", other);
                ResponseConverter.setControllerException(rpcController, new CoprocessorException(other.getMessage()));
            }
        }
        AccessControlProtos.RevokeResponse response = null;
        if (revoked) {
            response = AccessControlProtos.RevokeResponse.getDefaultInstance();
        }
        rpcCallback.run(response);
    }

    /**
     * Placeholder for the checkPermissions RPC: it only writes a debug line.
     *
     * <p>NOTE(review): no permission is evaluated, no controller exception is set and
     * {@code rpcCallback} is never run. Confirm callers do not interpret the absence of an error
     * as a successful permission check.
     *
     * @param rpcController controller; not used
     * @param checkPermissionsRequest request; not used
     * @param rpcCallback callback; not used
     */
    public void checkPermissions(RpcController rpcController, AccessControlProtos.CheckPermissionsRequest checkPermissionsRequest, RpcCallback<AccessControlProtos.CheckPermissionsResponse> rpcCallback) {
        LOG.debug("checkPermissions(): ");
    }

    /**
     * Placeholder for the getUserPermissions RPC: it only writes a debug line.
     *
     * <p>NOTE(review): no permissions are returned, no controller exception is set and
     * {@code rpcCallback} is never run.
     *
     * @param rpcController controller; not used
     * @param getUserPermissionsRequest request; not used
     * @param rpcCallback callback; not used
     */
    public void getUserPermissions(RpcController rpcController, AccessControlProtos.GetUserPermissionsRequest getUserPermissionsRequest, RpcCallback<AccessControlProtos.GetUserPermissionsResponse> rpcCallback) {
        LOG.debug("getUserPermissions(): ");
    }

    /**
     * Exposes this object as the access-control RPC service.
     *
     * @return a reflective {@code AccessControlService} wrapper around this instance
     */
    public Service getService() {
        return AccessControlProtos.AccessControlService.newReflectiveService(this);
    }

    /**
     * Translates an HBase grant request into a Ranger {@code GrantRevokeRequest}.
     *
     * <p>The request must carry a permission, a non-empty grantee name and at least one action,
     * and must resolve to at least one of namespace, table, family or qualifier; otherwise an
     * exception is thrown and nothing is built. Unset table, family and qualifier default to the
     * wildcard. The grantor is the active user's short name.
     *
     * <p>Security-relevant settings made here: the request is marked to replace existing
     * permissions, auditing is enabled, and delegate-admin is switched on only when the ADMIN
     * action is among the granted actions.
     *
     * @param grantRequest protobuf grant request
     * @return the populated Ranger request
     * @throws Exception if the request data is incomplete, or on conversion failure
     */
    private GrantRevokeRequest createGrantData(AccessControlProtos.GrantRequest grantRequest) throws Exception {
        AccessControlProtos.UserPermission userPermission = grantRequest.getUserPermission();
        AccessControlProtos.Permission permission = userPermission == null ? null : userPermission.getPermission();
        UserPermission userPermission2 = userPermission == null ? null : ProtobufUtil.toUserPermission(userPermission);
        Permission.Action[] actions = userPermission2 == null ? null : userPermission2.getActions();
        // Grantee name as sent by the client; may denote a group (see GROUP_PREFIX below).
        String bytes = userPermission2 == null ? null : Bytes.toString(userPermission2.getUser());
        // str = namespace, str2 = table, str3 = column family, str4 = column qualifier.
        String str = null;
        String str2 = null;
        String str3 = null;
        String str4 = null;
        if (permission == null) {
            throw new Exception("grant(): invalid data - permission is null");
        }
        if (StringUtil.isEmpty(bytes)) {
            throw new Exception("grant(): invalid data - username empty");
        }
        if (actions == null || actions.length == 0) {
            throw new Exception("grant(): invalid data - no action specified");
        }
        // Decompiler-generated switch map over the permission type; the mapping from case index
        // to enum constant is not visible here.
        // NOTE(review): judging by the fields read, case 1 looks like the global type, case 2 the
        // table type and case 3 the namespace type; confirm against the switch-map class.
        switch (AnonymousClass1.$SwitchMap$org$apache$hadoop$hbase$protobuf$generated$AccessControlProtos$Permission$Type[permission.getType().ordinal()]) {
            case 1:
                str4 = WILDCARD;
                str3 = WILDCARD;
                str2 = WILDCARD;
                break;
            case 2:
                str2 = Bytes.toString(userPermission2.getTableName().getName());
                str3 = Bytes.toString(userPermission2.getFamily());
                str4 = Bytes.toString(userPermission2.getQualifier());
                break;
            case 3:
                str = userPermission2.getNamespace();
                break;
        }
        // Any type not handled above leaves all four empty and is rejected here.
        if (StringUtil.isEmpty(str) && StringUtil.isEmpty(str2) && StringUtil.isEmpty(str3) && StringUtil.isEmpty(str4)) {
            throw new Exception("grant(): namespace/table/columnFamily/columnQualifier not specified");
        }
        // Missing parts widen to the wildcard, so a table-only grant covers every family and column.
        String str5 = StringUtil.isEmpty(str2) ? WILDCARD : str2;
        String str6 = StringUtil.isEmpty(str3) ? WILDCARD : str3;
        String str7 = StringUtil.isEmpty(str4) ? WILDCARD : str4;
        if (!StringUtil.isEmpty(str)) {
            // Namespace grants become "<namespace><separator><table-or-wildcard>".
            str5 = str + NAMESPACE_SEPARATOR + str5;
        }
        User activeUser = getActiveUser();
        // Grantor is null when there is no active user.
        String shortName = activeUser != null ? activeUser.getShortName() : null;
        HashMap hashMap = new HashMap();
        hashMap.put("table", str5);
        hashMap.put("column-family", str6);
        hashMap.put("column", str7);
        GrantRevokeRequest grantRevokeRequest = new GrantRevokeRequest();
        grantRevokeRequest.setGrantor(shortName);
        // Off by default; turned on below only if the ADMIN action is being granted.
        grantRevokeRequest.setDelegateAdmin(Boolean.FALSE);
        grantRevokeRequest.setEnableAudit(Boolean.TRUE);
        // NOTE(review): presumably replaces, rather than adds to, the grantee's existing
        // permissions on this resource; confirm against GrantRevokeRequest.
        grantRevokeRequest.setReplaceExistingPermissions(Boolean.TRUE);
        grantRevokeRequest.setResource(hashMap);
        grantRevokeRequest.setClientIPAddress(getRemoteAddress());
        // A grantee name starting with GROUP_PREFIX is a group; the prefix is stripped.
        if (bytes.startsWith(GROUP_PREFIX)) {
            grantRevokeRequest.getGroups().add(bytes.substring(GROUP_PREFIX.length()));
        } else {
            grantRevokeRequest.getUsers().add(bytes);
        }
        for (int i = 0; i < actions.length; i++) {
            // Case labels are the action codes as ASCII: 65 'A', 67 'C', 82 'R', 87 'W'.
            switch (actions[i].code()) {
                case 65:
                    grantRevokeRequest.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_ADMIN);
                    grantRevokeRequest.setDelegateAdmin(Boolean.TRUE);
                    break;
                case 67:
                    grantRevokeRequest.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_CREATE);
                    break;
                case 82:
                    grantRevokeRequest.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_READ);
                    break;
                case 87:
                    grantRevokeRequest.getAccessTypes().add(HbaseAuthUtils.ACCESS_TYPE_WRITE);
                    break;
                default:
                    // Unrecognised actions are skipped, not rejected. The grantee name in this
                    // message comes from the request and is written to the log as received.
                    LOG.warn("grant(): ignoring action '" + actions[i].name() + "' for user '" + bytes + "'");
                    break;
            }
        }
        return grantRevokeRequest;
    }

    /**
     * Builds the {@link GrantRevokeRequest} that corresponds to an HBase AccessControl revoke call.
     *
     * <p>Security-relevant behaviour visible in this method:
     * <ul>
     *   <li>The action list carried by the incoming permission is not consulted. The request always
     *       names READ, WRITE, CREATE and ADMIN and sets {@code delegateAdmin} to TRUE, so a revoke
     *       is all-or-nothing for the addressed resource and principal.</li>
     *   <li>The principal and the resource names are taken from the client-supplied request; no
     *       authorization decision is made here. NOTE(review): presumably the receiver of the
     *       request checks that the grantor may administer the resource; verify against caller.</li>
     *   <li>The grantor is the short name of the active user and is {@code null} when there is no
     *       active user. NOTE(review): confirm that a null grantor is rejected downstream.</li>
     * </ul>
     *
     * @param revokeRequest the protobuf revoke request received by the coprocessor endpoint
     * @return the populated request (audit enabled, replace-existing-permissions enabled)
     * @throws Exception if the permission is missing, the user name is empty, or no
     *     namespace/table/column family/qualifier could be derived from the request
     */
    private GrantRevokeRequest createRevokeData(AccessControlProtos.RevokeRequest revokeRequest) throws Exception {
        AccessControlProtos.UserPermission protoUserPermission = revokeRequest.getUserPermission();
        AccessControlProtos.Permission protoPermission = null;
        UserPermission convertedPermission = null;
        String principal = null;
        if (protoUserPermission != null) {
            protoPermission = protoUserPermission.getPermission();
            convertedPermission = ProtobufUtil.toUserPermission(protoUserPermission);
            if (convertedPermission != null) {
                principal = Bytes.toString(convertedPermission.getUser());
            }
        }

        // Reject malformed requests before any resource name is derived from them.
        if (protoPermission == null) {
            throw new Exception("revoke(): invalid data - permission is null");
        }
        if (StringUtil.isEmpty(principal)) {
            throw new Exception("revoke(): invalid data - username empty");
        }

        String namespace = null;
        String table = null;
        String family = null;
        String qualifier = null;
        // The case labels index a compiler-generated switch map for Permission.Type.
        // NOTE(review): judging by the fields each branch reads, 1/2/3 look like
        // Global/Table/Namespace; confirm against the switch-map initialiser.
        switch (AnonymousClass1.$SwitchMap$org$apache$hadoop$hbase$protobuf$generated$AccessControlProtos$Permission$Type[protoPermission.getType().ordinal()]) {
            case 1:
                table = WILDCARD;
                family = WILDCARD;
                qualifier = WILDCARD;
                break;
            case 2:
                table = Bytes.toString(convertedPermission.getTableName().getName());
                family = Bytes.toString(convertedPermission.getFamily());
                qualifier = Bytes.toString(convertedPermission.getQualifier());
                break;
            case 3:
                namespace = convertedPermission.getNamespace();
                break;
        }

        // A permission type not handled above leaves every name unset and is refused here.
        boolean nothingSpecified = StringUtil.isEmpty(namespace)
                && StringUtil.isEmpty(table)
                && StringUtil.isEmpty(family)
                && StringUtil.isEmpty(qualifier);
        if (nothingSpecified) {
            throw new Exception("revoke(): table/columnFamily/columnQualifier not specified");
        }

        // Any component that is still empty widens to the wildcard.
        String tableResource = table;
        if (StringUtil.isEmpty(table)) {
            tableResource = WILDCARD;
        }
        String familyResource = family;
        if (StringUtil.isEmpty(family)) {
            familyResource = WILDCARD;
        }
        String qualifierResource = qualifier;
        if (StringUtil.isEmpty(qualifier)) {
            qualifierResource = WILDCARD;
        }
        if (!StringUtil.isEmpty(namespace)) {
            tableResource = namespace + NAMESPACE_SEPARATOR + tableResource;
        }

        User caller = getActiveUser();
        String grantor = null;
        if (caller != null) {
            grantor = caller.getShortName();
        }

        Map<String, String> resource = new HashMap<>();
        resource.put("table", tableResource);
        resource.put("column-family", familyResource);
        resource.put("column", qualifierResource);

        GrantRevokeRequest result = new GrantRevokeRequest();
        result.setGrantor(grantor);
        // Revoke also takes away the delegated-admin privilege.
        result.setDelegateAdmin(Boolean.TRUE);
        result.setEnableAudit(Boolean.TRUE);
        result.setReplaceExistingPermissions(Boolean.TRUE);
        result.setResource(resource);
        result.setClientIPAddress(getRemoteAddress());

        // A principal carrying GROUP_PREFIX names a group; the prefix is stripped before use.
        boolean isGroup = principal.startsWith(GROUP_PREFIX);
        if (isGroup) {
            result.getGroups().add(principal.substring(GROUP_PREFIX.length()));
        } else {
            result.getUsers().add(principal);
        }

        // Every access type is listed regardless of what the caller asked to revoke.
        Collections.addAll(
                result.getAccessTypes(),
                HbaseAuthUtils.ACCESS_TYPE_READ,
                HbaseAuthUtils.ACCESS_TYPE_WRITE,
                HbaseAuthUtils.ACCESS_TYPE_CREATE,
                HbaseAuthUtils.ACCESS_TYPE_ADMIN);
        return result;
    }
}
