package org.apache.ranger.authorization.ozone.authorizer;

import com.google.common.collect.Sets;
import java.util.Date;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
import org.apache.hadoop.ozone.security.acl.IOzoneObj;
import org.apache.hadoop.ozone.security.acl.OzoneObj;
import org.apache.hadoop.ozone.security.acl.RequestContext;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.audit.provider.MiscUtil;
import org.apache.ranger.plugin.audit.RangerDefaultAuditHandler;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.ranger.plugin.util.RangerPerfTracer;

/* loaded from: input_file:org/apache/ranger/authorization/ozone/authorizer/RangerOzoneAuthorizer.class */
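/**
 * Ozone {@link IAccessAuthorizer} that delegates authorization decisions to a Ranger plugin.
 *
 * <p>Each request is translated into a {@link RangerAccessRequestImpl} (user, groups, client
 * address, access type, volume/bucket/key) and evaluated by {@link RangerBasePlugin}. Every path
 * that cannot build or evaluate a request returns {@code false}, so failures deny access.
 *
 * <p>NOTE(review): the plugin is held in a static field that every constructor call replaces;
 * creating a second authorizer instance swaps the plugin used by all instances. Confirm that the
 * host only ever creates one instance.
 */
public class RangerOzoneAuthorizer implements IAccessAuthorizer {
    public static final String ACCESS_TYPE_READ = "read";
    public static final String ACCESS_TYPE_WRITE = "write";
    public static final String ACCESS_TYPE_CREATE = "create";
    public static final String ACCESS_TYPE_LIST = "list";
    public static final String ACCESS_TYPE_DELETE = "delete";
    public static final String KEY_RESOURCE_VOLUME = "volume";
    public static final String KEY_RESOURCE_BUCKET = "bucket";
    public static final String KEY_RESOURCE_KEY = "key";
    private static final Log PERF_OZONEAUTH_REQUEST_LOG = RangerPerfTracer.getPerfLogger("ozoneauth.request");
    private static final Log LOG = LogFactory.getLog(RangerOzoneAuthorizer.class);
    private static volatile RangerBasePlugin rangerPlugin = null;
    RangerDefaultAuditHandler auditHandler;

    /**
     * Creates and initializes the Ranger plugin for the "ozone" service type and attaches a
     * default audit handler as its result processor.
     */
    public RangerOzoneAuthorizer() {
        RangerBasePlugin plugin = new RangerBasePlugin("ozone", "ozone");
        plugin.init();
        this.auditHandler = new RangerDefaultAuditHandler();
        plugin.setResultProcessor(this.auditHandler);
        // Publish to the shared volatile field only once the plugin is initialized and has its
        // result processor, so a concurrent checkAccess() never evaluates against a half-built one.
        rangerPlugin = plugin;
    }

    /**
     * Decides whether the caller described by {@code requestContext} may perform the requested
     * operation on {@code iOzoneObj}.
     *
     * @param iOzoneObj the Ozone object being accessed; cast to {@link OzoneObj}
     * @param requestContext carries the client UGI, client address and requested ACL type
     * @return {@code true} only when Ranger allows the request, or for the S3-store/volume
     *     shortcut below; {@code false} for null or unsupported input, an uninitialized plugin,
     *     a null plugin result, or any error raised while evaluating the request
     */
    public boolean checkAccess(IOzoneObj iOzoneObj, RequestContext requestContext) {
        if (iOzoneObj == null) {
            LOG.error("Ozone object is null!!");
            return false;
        }
        if (requestContext == null) {
            // Without a context there is no caller identity to evaluate: deny.
            LOG.error("Request context is null!!");
            return false;
        }
        OzoneObj ozoneObj = (OzoneObj) iOzoneObj;
        UserGroupInformation clientUgi = requestContext.getClientUgi();
        IAccessAuthorizer.ACLType aclRights = requestContext.getAclRights();
        String path = ozoneObj.getPath();
        if (LOG.isDebugEnabled()) {
            // Log the store type of this object, not the array of all StoreType constants.
            LOG.debug("==> RangerOzoneAuthorizer.checkAccess with operation = " + aclRights + ", resource = " + path + ", store type = " + ozoneObj.getStoreType() + ", ugi = " + clientUgi + ", ip = " + requestContext.getIp() + ")");
        }
        // Read the volatile field once so the null check and the later calls see the same plugin.
        RangerBasePlugin plugin = rangerPlugin;
        if (plugin == null) {
            MiscUtil.logErrorMessageByInterval(LOG, "Authorizer is still not initialized");
            return false;
        }
        // NOTE(review): this shortcut grants access without calling the Ranger plugin, so no
        // policy is evaluated and the only record of the decision is the WARN line below
        // (presumably no audit event either, since the audit handler is driven by the plugin).
        // Confirm that volume-level access on the S3 store is meant to be unconditional.
        if (ozoneObj.getStoreType() == OzoneObj.StoreType.S3 && ozoneObj.getResourceType() == OzoneObj.ResourceType.VOLUME) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("If store type is s3 and resource is volume, then we allow it by default!  Returning true");
            }
            LOG.warn("Allowing access by default since source type is S3 and resource type is Volume!!");
            return true;
        }
        RangerPerfTracer perfTracer = null;
        if (RangerPerfTracer.isPerfTraceEnabled(PERF_OZONEAUTH_REQUEST_LOG)) {
            perfTracer = RangerPerfTracer.getPerfTracer(PERF_OZONEAUTH_REQUEST_LOG, "RangerOzoneAuthorizer.authorize(resource=" + path + ")");
        }
        boolean allowed = false;
        try {
            Date accessTime = new Date();
            String accessType = mapToRangerAccessType(aclRights);
            if (accessType == null) {
                MiscUtil.logErrorMessageByInterval(LOG, "Unsupported access type. operation=" + aclRights);
                LOG.fatal("Unsupported access type. operation=" + aclRights + ", resource=" + path);
                return false;
            }
            if (clientUgi == null) {
                // No caller identity: deny explicitly instead of failing with a NullPointerException.
                LOG.error("Client UGI is null. Denying access. resource=" + path);
                return false;
            }
            if (requestContext.getIp() == null) {
                // The request needs a client address; deny rather than evaluate address-based
                // policy conditions against a missing value.
                LOG.error("Client IP is null. Denying access. resource=" + path);
                return false;
            }
            String clientAddress = requestContext.getIp().getHostAddress();

            RangerAccessResourceImpl resource = new RangerAccessResourceImpl();
            RangerAccessRequestImpl request = new RangerAccessRequestImpl();
            request.setUser(clientUgi.getShortUserName());
            request.setUserGroups(Sets.newHashSet(clientUgi.getGroupNames()));
            request.setClientIPAddress(clientAddress);
            request.setRemoteIPAddress(clientAddress);
            request.setAccessTime(accessTime);
            request.setResource(resource);
            request.setAccessType(accessType);
            request.setAction(accessType);
            request.setRequestData(path);
            request.setClusterName(plugin.getClusterName());

            // Requests against the S3 store are evaluated against the fixed volume name "s3Vol".
            if (ozoneObj.getStoreType() == OzoneObj.StoreType.S3) {
                resource.setValue(KEY_RESOURCE_VOLUME, "s3Vol");
            } else {
                resource.setValue(KEY_RESOURCE_VOLUME, ozoneObj.getVolumeName());
            }

            OzoneObj.ResourceType resourceType = ozoneObj.getResourceType();
            if (resourceType == OzoneObj.ResourceType.BUCKET) {
                resource.setValue(KEY_RESOURCE_BUCKET, ozoneObj.getBucketName());
            } else if (resourceType == OzoneObj.ResourceType.KEY) {
                resource.setValue(KEY_RESOURCE_BUCKET, ozoneObj.getBucketName());
                resource.setValue(KEY_RESOURCE_KEY, ozoneObj.getKeyName());
            } else {
                // NOTE(review): any other resource type is denied here, including a VOLUME
                // request on a non-S3 store. Confirm that denying volume-level requests is intended.
                LOG.fatal("Unsupported resource = " + path);
                MiscUtil.logErrorMessageByInterval(LOG, "Unsupported resource = " + path + ", request=" + request);
                return false;
            }

            try {
                RangerAccessResult result = plugin.isAccessAllowed(request);
                if (result == null) {
                    LOG.error("Ranger Plugin returned null. Returning false");
                } else {
                    allowed = result.getIsAllowed();
                }
            } catch (Throwable th) {
                // Deliberately broad: any failure in policy evaluation leaves allowed == false.
                LOG.error("Error while calling isAccessAllowed(). request=" + request, th);
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("rangerRequest=" + request + ", return=" + allowed);
            }
            return allowed;
        } finally {
            // Close the perf trace on every exit, including the early denials above.
            RangerPerfTracer.log(perfTracer);
        }
    }

    /**
     * Maps an Ozone ACL type to the matching Ranger access-type name.
     *
     * @param aCLType the Ozone ACL type from the request; may be {@code null}
     * @return one of the {@code ACCESS_TYPE_*} constants, or {@code null} when the type is
     *     {@code null} or has no mapping (the caller treats {@code null} as a denial)
     */
    private String mapToRangerAccessType(IAccessAuthorizer.ACLType aCLType) {
        if (aCLType == null) {
            return null;
        }
        switch (aCLType) {
            case READ:
                return ACCESS_TYPE_READ;
            case WRITE:
                return ACCESS_TYPE_WRITE;
            case CREATE:
                return ACCESS_TYPE_CREATE;
            case DELETE:
                return ACCESS_TYPE_DELETE;
            case LIST:
                return ACCESS_TYPE_LIST;
            default:
                return null;
        }
    }
}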
