package org.apache.accumulo.server.security;

import com.google.common.base.Charsets;
import java.nio.ByteBuffer;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.accumulo.core.client.AccumuloSecurityException;
import org.apache.accumulo.core.client.NamespaceNotFoundException;
import org.apache.accumulo.core.client.TableNotFoundException;
import org.apache.accumulo.core.client.impl.Namespaces;
import org.apache.accumulo.core.client.impl.SecurityOperationsImpl;
import org.apache.accumulo.core.client.impl.thrift.SecurityErrorCode;
import org.apache.accumulo.core.client.impl.thrift.ThriftSecurityException;
import org.apache.accumulo.core.conf.Property;
import org.apache.accumulo.core.data.thrift.IterInfo;
import org.apache.accumulo.core.data.thrift.TColumn;
import org.apache.accumulo.core.data.thrift.TKeyExtent;
import org.apache.accumulo.core.data.thrift.TRange;
import org.apache.accumulo.core.master.thrift.FateOperation;
import org.apache.accumulo.core.metadata.MetadataTable;
import org.apache.accumulo.core.metadata.RootTable;
import org.apache.accumulo.core.security.Authorizations;
import org.apache.accumulo.core.security.Credentials;
import org.apache.accumulo.core.security.NamespacePermission;
import org.apache.accumulo.core.security.SystemPermission;
import org.apache.accumulo.core.security.TablePermission;
import org.apache.accumulo.core.security.thrift.TCredentials;
import org.apache.accumulo.server.client.HdfsZooInstance;
import org.apache.accumulo.server.conf.ServerConfiguration;
import org.apache.accumulo.server.security.handler.Authenticator;
import org.apache.accumulo.server.security.handler.Authorizor;
import org.apache.accumulo.server.security.handler.PermissionHandler;
import org.apache.accumulo.server.security.handler.ZKAuthenticator;
import org.apache.accumulo.server.security.handler.ZKAuthorizor;
import org.apache.accumulo.server.security.handler.ZKPermHandler;
import org.apache.accumulo.server.zookeeper.ZooCache;
import org.apache.hadoop.io.Text;
import org.apache.log4j.Logger;

/* loaded from: input_file:org/apache/accumulo/server/security/SecurityOperation.class */
public class SecurityOperation {
    protected Authorizor authorizor;
    protected Authenticator authenticator;
    protected PermissionHandler permHandle;
    private final ZooCache zooCache;
    private final String ZKUserPath;
    static SecurityOperation instance;
    private static final Logger log = Logger.getLogger(SecurityOperationsImpl.class);
    private static String rootUserName = null;

    public static synchronized SecurityOperation getInstance() {
        return getInstance(HdfsZooInstance.getInstance().getInstanceID(), false);
    }

    public static synchronized SecurityOperation getInstance(String str, boolean z) {
        if (instance == null) {
            instance = new SecurityOperation(getAuthorizor(str, z), getAuthenticator(str, z), getPermHandler(str, z), str);
        }
        return instance;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static Authorizor getAuthorizor(String str, boolean z) {
        Authorizor authorizor = (Authorizor) ServerConfiguration.getSiteConfiguration().instantiateClassProperty(Property.INSTANCE_SECURITY_AUTHORIZOR, Authorizor.class, ZKAuthorizor.getInstance());
        authorizor.initialize(str, z);
        return authorizor;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static Authenticator getAuthenticator(String str, boolean z) {
        Authenticator authenticator = (Authenticator) ServerConfiguration.getSiteConfiguration().instantiateClassProperty(Property.INSTANCE_SECURITY_AUTHENTICATOR, Authenticator.class, ZKAuthenticator.getInstance());
        authenticator.initialize(str, z);
        return authenticator;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static PermissionHandler getPermHandler(String str, boolean z) {
        PermissionHandler permissionHandler = (PermissionHandler) ServerConfiguration.getSiteConfiguration().instantiateClassProperty(Property.INSTANCE_SECURITY_PERMISSION_HANDLER, PermissionHandler.class, ZKPermHandler.getInstance());
        permissionHandler.initialize(str, z);
        return permissionHandler;
    }

    protected SecurityOperation(String str) {
        this.ZKUserPath = "/accumulo/" + str + "/users";
        this.zooCache = new ZooCache();
    }

    public SecurityOperation(Authorizor authorizor, Authenticator authenticator, PermissionHandler permissionHandler, String str) {
        this(str);
        this.authorizor = authorizor;
        this.authenticator = authenticator;
        this.permHandle = permissionHandler;
        if (!this.authorizor.validSecurityHandlers(this.authenticator, permissionHandler) || !this.authenticator.validSecurityHandlers(this.authorizor, permissionHandler) || !this.permHandle.validSecurityHandlers(authenticator, authorizor)) {
            throw new RuntimeException(this.authorizor + ", " + this.authenticator + ", and " + permissionHandler + " do not play nice with eachother. Please choose authentication and authorization mechanisms that are compatible with one another.");
        }
    }

    public void initializeSecurity(TCredentials tCredentials, String str, byte[] bArr) throws AccumuloSecurityException, ThriftSecurityException {
        authenticate(tCredentials);
        if (!isSystemUser(tCredentials)) {
            throw new AccumuloSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        this.authenticator.initializeSecurity(tCredentials, str, bArr);
        this.authorizor.initializeSecurity(tCredentials, str);
        this.permHandle.initializeSecurity(tCredentials, str);
        try {
            this.permHandle.grantTablePermission(str, MetadataTable.ID, TablePermission.ALTER_TABLE);
        } catch (TableNotFoundException e) {
            throw new RuntimeException(e);
        }
    }

    public synchronized String getRootUsername() {
        if (rootUserName == null) {
            rootUserName = new String(this.zooCache.get(this.ZKUserPath), Charsets.UTF_8);
        }
        return rootUserName;
    }

    public boolean isSystemUser(TCredentials tCredentials) {
        return SystemCredentials.get().getToken().getClass().getName().equals(tCredentials.getTokenClassName());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void authenticate(TCredentials tCredentials) throws ThriftSecurityException {
        if (!tCredentials.getInstanceId().equals(HdfsZooInstance.getInstance().getInstanceID())) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.INVALID_INSTANCEID);
        }
        Credentials fromThrift = Credentials.fromThrift(tCredentials);
        if (isSystemUser(tCredentials)) {
            if (!SystemCredentials.get().equals(fromThrift)) {
                throw new ThriftSecurityException(fromThrift.getPrincipal(), SecurityErrorCode.BAD_CREDENTIALS);
            }
            return;
        }
        try {
            if (this.authenticator.authenticateUser(fromThrift.getPrincipal(), fromThrift.getToken())) {
            } else {
                throw new ThriftSecurityException(fromThrift.getPrincipal(), SecurityErrorCode.BAD_CREDENTIALS);
            }
        } catch (AccumuloSecurityException e) {
            log.debug(e);
            throw e.asThriftException();
        }
    }

    public boolean canAskAboutUser(TCredentials tCredentials, String str) throws ThriftSecurityException {
        if (canPerformSystemActions(tCredentials) || tCredentials.getPrincipal().equals(str)) {
            return true;
        }
        throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
    }

    public boolean authenticateUser(TCredentials tCredentials, TCredentials tCredentials2) throws ThriftSecurityException {
        canAskAboutUser(tCredentials, tCredentials2.getPrincipal());
        if (tCredentials.equals(tCredentials2)) {
            return true;
        }
        try {
            Credentials fromThrift = Credentials.fromThrift(tCredentials2);
            return this.authenticator.authenticateUser(fromThrift.getPrincipal(), fromThrift.getToken());
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        }
    }

    public Authorizations getUserAuthorizations(TCredentials tCredentials, String str) throws ThriftSecurityException {
        authenticate(tCredentials);
        targetUserExists(str);
        if (!tCredentials.getPrincipal().equals(str) && !hasSystemPermission(tCredentials, SystemPermission.SYSTEM, false)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        try {
            return this.authorizor.getCachedUserAuthorizations(str);
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        }
    }

    public Authorizations getUserAuthorizations(TCredentials tCredentials) throws ThriftSecurityException {
        if (!isSystemUser(tCredentials)) {
            return getUserAuthorizations(tCredentials, tCredentials.getPrincipal());
        }
        authenticate(tCredentials);
        return Authorizations.EMPTY;
    }

    public boolean userHasAuthorizations(TCredentials tCredentials, List<ByteBuffer> list) throws ThriftSecurityException {
        authenticate(tCredentials);
        if (isSystemUser(tCredentials)) {
            return list.isEmpty();
        }
        try {
            return this.authorizor.isValidAuthorizations(tCredentials.getPrincipal(), list);
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        }
    }

    private boolean hasSystemPermission(TCredentials tCredentials, SystemPermission systemPermission, boolean z) throws ThriftSecurityException {
        return hasSystemPermissionWithNamespaceId(tCredentials, systemPermission, null, z);
    }

    private boolean hasSystemPermissionWithNamespaceId(TCredentials tCredentials, SystemPermission systemPermission, String str, boolean z) throws ThriftSecurityException {
        if (isSystemUser(tCredentials) || _hasSystemPermission(tCredentials.getPrincipal(), systemPermission, z)) {
            return true;
        }
        if (str != null) {
            return _hasNamespacePermission(tCredentials.getPrincipal(), str, NamespacePermission.getEquivalent(systemPermission), z);
        }
        return false;
    }

    private boolean _hasSystemPermission(String str, SystemPermission systemPermission, boolean z) throws ThriftSecurityException {
        if (str.equals(getRootUsername())) {
            return true;
        }
        targetUserExists(str);
        try {
            return z ? this.permHandle.hasCachedSystemPermission(str, systemPermission) : this.permHandle.hasSystemPermission(str, systemPermission);
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        }
    }

    protected boolean hasTablePermission(TCredentials tCredentials, String str, String str2, TablePermission tablePermission, boolean z) throws ThriftSecurityException {
        return isSystemUser(tCredentials) || _hasTablePermission(tCredentials.getPrincipal(), str, tablePermission, z) || _hasNamespacePermission(tCredentials.getPrincipal(), str2, NamespacePermission.getEquivalent(tablePermission), z);
    }

    protected boolean _hasTablePermission(String str, String str2, TablePermission tablePermission, boolean z) throws ThriftSecurityException {
        targetUserExists(str);
        if ((str2.equals(MetadataTable.ID) || str2.equals(RootTable.ID)) && tablePermission.equals(TablePermission.READ)) {
            return true;
        }
        try {
            return z ? this.permHandle.hasCachedTablePermission(str, str2, tablePermission) : this.permHandle.hasTablePermission(str, str2, tablePermission);
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        } catch (TableNotFoundException e2) {
            throw new ThriftSecurityException(str, SecurityErrorCode.TABLE_DOESNT_EXIST);
        }
    }

    protected boolean _hasNamespacePermission(String str, String str2, NamespacePermission namespacePermission, boolean z) throws ThriftSecurityException {
        if (namespacePermission == null) {
            return false;
        }
        targetUserExists(str);
        if (str2.equals(Namespaces.ACCUMULO_NAMESPACE_ID) && namespacePermission.equals(NamespacePermission.READ)) {
            return true;
        }
        try {
            return z ? this.permHandle.hasCachedNamespacePermission(str, str2, namespacePermission) : this.permHandle.hasNamespacePermission(str, str2, namespacePermission);
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        } catch (NamespaceNotFoundException e2) {
            throw new ThriftSecurityException(str, SecurityErrorCode.NAMESPACE_DOESNT_EXIST);
        }
    }

    private boolean canAskAboutOtherUsers(TCredentials tCredentials, String str) throws ThriftSecurityException {
        authenticate(tCredentials);
        return tCredentials.getPrincipal().equals(str) || hasSystemPermission(tCredentials, SystemPermission.SYSTEM, false) || hasSystemPermission(tCredentials, SystemPermission.CREATE_USER, false) || hasSystemPermission(tCredentials, SystemPermission.ALTER_USER, false) || hasSystemPermission(tCredentials, SystemPermission.DROP_USER, false);
    }

    private void targetUserExists(String str) throws ThriftSecurityException {
        if (str.equals(getRootUsername())) {
            return;
        }
        try {
            if (this.authenticator.userExists(str)) {
            } else {
                throw new ThriftSecurityException(str, SecurityErrorCode.USER_DOESNT_EXIST);
            }
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        }
    }

    public boolean canScan(TCredentials tCredentials, String str, String str2) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasTablePermission(tCredentials, str, str2, TablePermission.READ, true);
    }

    public boolean canScan(TCredentials tCredentials, String str, String str2, TRange tRange, List<TColumn> list, List<IterInfo> list2, Map<String, Map<String, String>> map, List<ByteBuffer> list3) throws ThriftSecurityException {
        return canScan(tCredentials, str, str2);
    }

    public boolean canScan(TCredentials tCredentials, String str, String str2, Map<TKeyExtent, List<TRange>> map, List<TColumn> list, List<IterInfo> list2, Map<String, Map<String, String>> map2, List<ByteBuffer> list3) throws ThriftSecurityException {
        return canScan(tCredentials, str, str2);
    }

    public boolean canWrite(TCredentials tCredentials, String str, String str2) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasTablePermission(tCredentials, str, str2, TablePermission.WRITE, true);
    }

    public boolean canConditionallyUpdate(TCredentials tCredentials, String str, String str2, List<ByteBuffer> list) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasTablePermission(tCredentials, str, str2, TablePermission.WRITE, true) && hasTablePermission(tCredentials, str, str2, TablePermission.READ, true);
    }

    public boolean canSplitTablet(TCredentials tCredentials, String str, String str2) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_TABLE, str2, false) || hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.SYSTEM, str2, false) || hasTablePermission(tCredentials, str, str2, TablePermission.ALTER_TABLE, false);
    }

    public boolean canPerformSystemActions(TCredentials tCredentials) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermission(tCredentials, SystemPermission.SYSTEM, false);
    }

    public boolean canFlush(TCredentials tCredentials, String str, String str2) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasTablePermission(tCredentials, str, str2, TablePermission.WRITE, false) || hasTablePermission(tCredentials, str, str2, TablePermission.ALTER_TABLE, false);
    }

    public boolean canAlterTable(TCredentials tCredentials, String str, String str2) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasTablePermission(tCredentials, str, str2, TablePermission.ALTER_TABLE, false) || hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_TABLE, str2, false);
    }

    public boolean canCreateTable(TCredentials tCredentials, String str, String str2) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.CREATE_TABLE, str2, false);
    }

    public boolean canRenameTable(TCredentials tCredentials, String str, String str2, String str3, String str4) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_TABLE, str4, false) || hasTablePermission(tCredentials, str, str4, TablePermission.ALTER_TABLE, false);
    }

    public boolean canCloneTable(TCredentials tCredentials, String str, String str2, String str3, String str4) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.CREATE_TABLE, str3, false) && hasTablePermission(tCredentials, str, str4, TablePermission.READ, false);
    }

    public boolean canDeleteTable(TCredentials tCredentials, String str, String str2) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.DROP_TABLE, str2, false) || hasTablePermission(tCredentials, str, str2, TablePermission.DROP_TABLE, false);
    }

    public boolean canOnlineOfflineTable(TCredentials tCredentials, String str, FateOperation fateOperation, String str2) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.SYSTEM, str2, false) || hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_TABLE, str2, false) || hasTablePermission(tCredentials, str, str2, TablePermission.ALTER_TABLE, false);
    }

    public boolean canMerge(TCredentials tCredentials, String str, String str2) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.SYSTEM, str2, false) || hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_TABLE, str2, false) || hasTablePermission(tCredentials, str, str2, TablePermission.ALTER_TABLE, false);
    }

    public boolean canDeleteRange(TCredentials tCredentials, String str, String str2, Text text, Text text2, String str3) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.SYSTEM, str3, false) || hasTablePermission(tCredentials, str, str3, TablePermission.WRITE, false);
    }

    public boolean canBulkImport(TCredentials tCredentials, String str, String str2, String str3, String str4, String str5) throws ThriftSecurityException {
        return canBulkImport(tCredentials, str, str5);
    }

    public boolean canBulkImport(TCredentials tCredentials, String str, String str2) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasTablePermission(tCredentials, str, str2, TablePermission.BULK_IMPORT, false);
    }

    public boolean canCompact(TCredentials tCredentials, String str, String str2) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_TABLE, str2, false) || hasTablePermission(tCredentials, str, str2, TablePermission.ALTER_TABLE, false) || hasTablePermission(tCredentials, str, str2, TablePermission.WRITE, false);
    }

    public boolean canChangeAuthorizations(TCredentials tCredentials, String str) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermission(tCredentials, SystemPermission.ALTER_USER, false);
    }

    public boolean canChangePassword(TCredentials tCredentials, String str) throws ThriftSecurityException {
        authenticate(tCredentials);
        return tCredentials.getPrincipal().equals(str) || hasSystemPermission(tCredentials, SystemPermission.ALTER_USER, false);
    }

    public boolean canCreateUser(TCredentials tCredentials, String str) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermission(tCredentials, SystemPermission.CREATE_USER, false);
    }

    public boolean canDropUser(TCredentials tCredentials, String str) throws ThriftSecurityException {
        authenticate(tCredentials);
        if (str.equals(getRootUsername())) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        return hasSystemPermission(tCredentials, SystemPermission.DROP_USER, false);
    }

    public boolean canGrantSystem(TCredentials tCredentials, String str, SystemPermission systemPermission) throws ThriftSecurityException {
        authenticate(tCredentials);
        if (systemPermission.equals(SystemPermission.GRANT)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.GRANT_INVALID);
        }
        return hasSystemPermission(tCredentials, SystemPermission.GRANT, false);
    }

    public boolean canGrantTable(TCredentials tCredentials, String str, String str2, String str3) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_TABLE, str3, false) || hasTablePermission(tCredentials, str2, str3, TablePermission.GRANT, false);
    }

    public boolean canGrantNamespace(TCredentials tCredentials, String str, String str2) throws ThriftSecurityException {
        return canModifyNamespacePermission(tCredentials, str, str2);
    }

    private boolean canModifyNamespacePermission(TCredentials tCredentials, String str, String str2) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_NAMESPACE, str2, false) || hasNamespacePermission(tCredentials, tCredentials.principal, str2, NamespacePermission.GRANT);
    }

    public boolean canRevokeSystem(TCredentials tCredentials, String str, SystemPermission systemPermission) throws ThriftSecurityException {
        authenticate(tCredentials);
        if (str.equals(getRootUsername())) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        if (systemPermission.equals(SystemPermission.GRANT)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.GRANT_INVALID);
        }
        return hasSystemPermission(tCredentials, SystemPermission.GRANT, false);
    }

    public boolean canRevokeTable(TCredentials tCredentials, String str, String str2, String str3) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_TABLE, str3, false) || hasTablePermission(tCredentials, str2, str3, TablePermission.GRANT, false);
    }

    public boolean canRevokeNamespace(TCredentials tCredentials, String str, String str2) throws ThriftSecurityException {
        return canModifyNamespacePermission(tCredentials, str, str2);
    }

    public void changeAuthorizations(TCredentials tCredentials, String str, Authorizations authorizations) throws ThriftSecurityException {
        if (!canChangeAuthorizations(tCredentials, str)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        targetUserExists(str);
        try {
            this.authorizor.changeAuthorizations(str, authorizations);
            log.info("Changed authorizations for user " + str + " at the request of user " + tCredentials.getPrincipal());
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        }
    }

    public void changePassword(TCredentials tCredentials, Credentials credentials) throws ThriftSecurityException {
        if (!canChangePassword(tCredentials, credentials.getPrincipal())) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        try {
            this.authenticator.changePassword(credentials.getPrincipal(), credentials.getToken());
            log.info("Changed password for user " + credentials.getPrincipal() + " at the request of user " + tCredentials.getPrincipal());
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        }
    }

    public void createUser(TCredentials tCredentials, Credentials credentials, Authorizations authorizations) throws ThriftSecurityException {
        if (!canCreateUser(tCredentials, credentials.getPrincipal())) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        try {
            this.authenticator.createUser(credentials.getPrincipal(), credentials.getToken());
            this.authorizor.initUser(credentials.getPrincipal());
            this.permHandle.initUser(credentials.getPrincipal());
            log.info("Created user " + credentials.getPrincipal() + " at the request of user " + tCredentials.getPrincipal());
            if (canChangeAuthorizations(tCredentials, credentials.getPrincipal())) {
                this.authorizor.changeAuthorizations(credentials.getPrincipal(), authorizations);
            }
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        }
    }

    public void dropUser(TCredentials tCredentials, String str) throws ThriftSecurityException {
        if (!canDropUser(tCredentials, str)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        try {
            this.authorizor.dropUser(str);
            this.authenticator.dropUser(str);
            this.permHandle.cleanUser(str);
            log.info("Deleted user " + str + " at the request of user " + tCredentials.getPrincipal());
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        }
    }

    public void grantSystemPermission(TCredentials tCredentials, String str, SystemPermission systemPermission) throws ThriftSecurityException {
        if (!canGrantSystem(tCredentials, str, systemPermission)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        targetUserExists(str);
        try {
            this.permHandle.grantSystemPermission(str, systemPermission);
            log.info("Granted system permission " + systemPermission + " for user " + str + " at the request of user " + tCredentials.getPrincipal());
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        }
    }

    public void grantTablePermission(TCredentials tCredentials, String str, String str2, TablePermission tablePermission, String str3) throws ThriftSecurityException {
        if (!canGrantTable(tCredentials, str, str2, str3)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        targetUserExists(str);
        try {
            this.permHandle.grantTablePermission(str, str2, tablePermission);
            log.info("Granted table permission " + tablePermission + " for user " + str + " on the table " + str2 + " at the request of user " + tCredentials.getPrincipal());
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        } catch (TableNotFoundException e2) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.TABLE_DOESNT_EXIST);
        }
    }

    public void grantNamespacePermission(TCredentials tCredentials, String str, String str2, NamespacePermission namespacePermission) throws ThriftSecurityException {
        if (!canGrantNamespace(tCredentials, str, str2)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        targetUserExists(str);
        try {
            this.permHandle.grantNamespacePermission(str, str2, namespacePermission);
            log.info("Granted namespace permission " + namespacePermission + " for user " + str + " on the namespace " + str2 + " at the request of user " + tCredentials.getPrincipal());
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        } catch (NamespaceNotFoundException e2) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.NAMESPACE_DOESNT_EXIST);
        }
    }

    public void revokeSystemPermission(TCredentials tCredentials, String str, SystemPermission systemPermission) throws ThriftSecurityException {
        if (!canRevokeSystem(tCredentials, str, systemPermission)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        targetUserExists(str);
        try {
            this.permHandle.revokeSystemPermission(str, systemPermission);
            log.info("Revoked system permission " + systemPermission + " for user " + str + " at the request of user " + tCredentials.getPrincipal());
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        }
    }

    public void revokeTablePermission(TCredentials tCredentials, String str, String str2, TablePermission tablePermission, String str3) throws ThriftSecurityException {
        if (!canRevokeTable(tCredentials, str, str2, str3)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        targetUserExists(str);
        try {
            this.permHandle.revokeTablePermission(str, str2, tablePermission);
            log.info("Revoked table permission " + tablePermission + " for user " + str + " on the table " + str2 + " at the request of user " + tCredentials.getPrincipal());
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        } catch (TableNotFoundException e2) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.TABLE_DOESNT_EXIST);
        }
    }

    public void revokeNamespacePermission(TCredentials tCredentials, String str, String str2, NamespacePermission namespacePermission) throws ThriftSecurityException {
        if (!canRevokeNamespace(tCredentials, str, str2)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        targetUserExists(str);
        try {
            this.permHandle.revokeNamespacePermission(str, str2, namespacePermission);
            log.info("Revoked namespace permission " + namespacePermission + " for user " + str + " on the namespace " + str2 + " at the request of user " + tCredentials.getPrincipal());
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        } catch (NamespaceNotFoundException e2) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.NAMESPACE_DOESNT_EXIST);
        }
    }

    public boolean hasSystemPermission(TCredentials tCredentials, String str, SystemPermission systemPermission) throws ThriftSecurityException {
        if (canAskAboutOtherUsers(tCredentials, str)) {
            return _hasSystemPermission(str, systemPermission, false);
        }
        throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
    }

    public boolean hasTablePermission(TCredentials tCredentials, String str, String str2, TablePermission tablePermission) throws ThriftSecurityException {
        if (canAskAboutOtherUsers(tCredentials, str)) {
            return _hasTablePermission(str, str2, tablePermission, false);
        }
        throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
    }

    public boolean hasNamespacePermission(TCredentials tCredentials, String str, String str2, NamespacePermission namespacePermission) throws ThriftSecurityException {
        if (canAskAboutOtherUsers(tCredentials, str)) {
            return _hasNamespacePermission(str, str2, namespacePermission, false);
        }
        throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
    }

    public Set<String> listUsers(TCredentials tCredentials) throws ThriftSecurityException {
        authenticate(tCredentials);
        try {
            return this.authenticator.listUsers();
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        }
    }

    public void deleteTable(TCredentials tCredentials, String str, String str2) throws ThriftSecurityException {
        if (!canDeleteTable(tCredentials, str, str2)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        try {
            this.permHandle.cleanTablePermissions(str);
        } catch (AccumuloSecurityException e) {
            e.setUser(tCredentials.getPrincipal());
            throw e.asThriftException();
        } catch (TableNotFoundException e2) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.TABLE_DOESNT_EXIST);
        }
    }

    public void deleteNamespace(TCredentials tCredentials, String str) throws ThriftSecurityException {
        if (!canDeleteNamespace(tCredentials, str)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        try {
            this.permHandle.cleanNamespacePermissions(str);
        } catch (AccumuloSecurityException e) {
            e.setUser(tCredentials.getPrincipal());
            throw e.asThriftException();
        } catch (NamespaceNotFoundException e2) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.NAMESPACE_DOESNT_EXIST);
        }
    }

    public boolean canExport(TCredentials tCredentials, String str, String str2, String str3, String str4) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasTablePermission(tCredentials, str, str4, TablePermission.READ, false);
    }

    public boolean canImport(TCredentials tCredentials, String str, String str2, String str3) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.CREATE_TABLE, str3, false);
    }

    public boolean canAlterNamespace(TCredentials tCredentials, String str) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_NAMESPACE, str, false);
    }

    public boolean canCreateNamespace(TCredentials tCredentials, String str) throws ThriftSecurityException {
        return canCreateNamespace(tCredentials);
    }

    private boolean canCreateNamespace(TCredentials tCredentials) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermission(tCredentials, SystemPermission.CREATE_NAMESPACE, false);
    }

    public boolean canDeleteNamespace(TCredentials tCredentials, String str) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.DROP_NAMESPACE, str, false);
    }

    public boolean canRenameNamespace(TCredentials tCredentials, String str, String str2, String str3) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_NAMESPACE, str, false);
    }
}
