package org.apache.storm.hive.security;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.util.Collection;
import java.util.Iterator;
import java.util.Map;
import org.apache.commons.math3.util.Pair;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.mapreduce.security.token.delegation.DelegationTokenIdentifier;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hive.hcatalog.api.HCatClient;
import org.apache.hive.hcatalog.common.HCatException;
import org.apache.storm.common.AbstractHadoopNimbusPluginAutoCreds;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/storm/hive/security/AutoHiveNimbus.class */
public class AutoHiveNimbus extends AbstractHadoopNimbusPluginAutoCreds {
    private static final Logger LOG = LoggerFactory.getLogger(AutoHiveNimbus.class);
    public String hiveKeytab;
    public String hivePrincipal;
    public String metaStoreURI;

    @Override // org.apache.storm.common.AbstractHadoopNimbusPluginAutoCreds
    public void doPrepare(Map<String, Object> map) {
        if (map.containsKey(HiveSecurityUtil.HIVE_KEYTAB_FILE_KEY) && map.containsKey(HiveSecurityUtil.HIVE_PRINCIPAL_KEY)) {
            this.hiveKeytab = (String) map.get(HiveSecurityUtil.HIVE_KEYTAB_FILE_KEY);
            this.hivePrincipal = (String) map.get(HiveSecurityUtil.HIVE_PRINCIPAL_KEY);
            this.metaStoreURI = (String) map.get(HiveConf.ConfVars.METASTOREURIS.varname);
        }
    }

    @Override // org.apache.storm.common.AbstractHadoopNimbusPluginAutoCreds
    protected String getConfigKeyString() {
        return HiveSecurityUtil.HIVE_CREDENTIALS_CONFIG_KEYS;
    }

    public void shutdown() {
    }

    @Override // org.apache.storm.common.AbstractHadoopNimbusPluginAutoCreds
    protected byte[] getHadoopCredentials(Map<String, Object> map, String str, String str2) {
        return getHadoopCredentials(map, getHadoopConfiguration(map, str), str2);
    }

    @Override // org.apache.storm.common.AbstractHadoopNimbusPluginAutoCreds
    protected byte[] getHadoopCredentials(Map<String, Object> map, String str) {
        return getHadoopCredentials(map, new Configuration(), str);
    }

    protected byte[] getHadoopCredentials(Map<String, Object> map, Configuration configuration, String str) {
        try {
            if (!UserGroupInformation.isSecurityEnabled()) {
                throw new RuntimeException("Security is not enabled for Hadoop");
            }
            String metaStoreUri = getMetaStoreUri(configuration);
            String metaStorePrincipal = getMetaStorePrincipal(configuration);
            HiveConf createHiveConf = createHiveConf(metaStoreUri, metaStorePrincipal);
            login(configuration);
            UserGroupInformation createProxyUser = UserGroupInformation.createProxyUser(str, UserGroupInformation.getCurrentUser());
            try {
                createProxyUser.addToken(getDelegationToken(createHiveConf, metaStorePrincipal, str));
                LOG.info("Obtained Hive tokens, adding to user credentials.");
                Credentials credentials = createProxyUser.getCredentials();
                ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                ObjectOutputStream objectOutputStream = new ObjectOutputStream(byteArrayOutputStream);
                credentials.write(objectOutputStream);
                objectOutputStream.flush();
                objectOutputStream.close();
                return byteArrayOutputStream.toByteArray();
            } catch (Exception e) {
                LOG.debug(" Exception" + e.getMessage());
                throw e;
            }
        } catch (Exception e2) {
            throw new RuntimeException("Failed to get delegation tokens.", e2);
        }
    }

    private Configuration getHadoopConfiguration(Map<String, Object> map, String str) {
        Configuration configuration = new Configuration();
        fillHadoopConfiguration(map, str, configuration);
        return configuration;
    }

    public HiveConf createHiveConf(String str, String str2) throws IOException {
        HiveConf hiveConf = new HiveConf();
        hiveConf.setVar(HiveConf.ConfVars.METASTOREURIS, str);
        hiveConf.setIntVar(HiveConf.ConfVars.METASTORETHRIFTCONNECTIONRETRIES, 3);
        hiveConf.setBoolVar(HiveConf.ConfVars.HIVE_SUPPORT_CONCURRENCY, false);
        hiveConf.setBoolVar(HiveConf.ConfVars.METASTORE_USE_THRIFT_SASL, true);
        hiveConf.set(HiveConf.ConfVars.METASTORE_KERBEROS_PRINCIPAL.varname, str2);
        return hiveConf;
    }

    private Token<DelegationTokenIdentifier> getDelegationToken(HiveConf hiveConf, String str, String str2) throws IOException {
        LOG.info("Creating delegation tokens for principal={}", str);
        HCatClient hCatClient = null;
        try {
            hCatClient = HCatClient.create(hiveConf);
            String delegationToken = hCatClient.getDelegationToken(str2, str);
            Token<DelegationTokenIdentifier> token = new Token<>();
            token.decodeFromUrlString(delegationToken);
            DelegationTokenIdentifier delegationTokenIdentifier = new DelegationTokenIdentifier();
            delegationTokenIdentifier.readFields(new DataInputStream(new ByteArrayInputStream(token.getIdentifier())));
            LOG.info("Created Delegation Token for : " + delegationTokenIdentifier.getUser());
            if (hCatClient != null) {
                hCatClient.close();
            }
            return token;
        } catch (Throwable th) {
            if (hCatClient != null) {
                hCatClient.close();
            }
            throw th;
        }
    }

    private String getMetaStoreUri(Configuration configuration) {
        return configuration.get(HiveConf.ConfVars.METASTOREURIS.varname) == null ? this.metaStoreURI : configuration.get(HiveConf.ConfVars.METASTOREURIS.varname);
    }

    private String getMetaStorePrincipal(Configuration configuration) {
        return configuration.get(HiveSecurityUtil.HIVE_PRINCIPAL_KEY) == null ? this.hivePrincipal : configuration.get(HiveSecurityUtil.HIVE_PRINCIPAL_KEY);
    }

    private void login(Configuration configuration) throws IOException {
        if (configuration.get(HiveSecurityUtil.HIVE_KEYTAB_FILE_KEY) == null) {
            configuration.set(HiveSecurityUtil.HIVE_KEYTAB_FILE_KEY, this.hiveKeytab);
        }
        if (configuration.get(HiveSecurityUtil.HIVE_PRINCIPAL_KEY) == null) {
            configuration.set(HiveSecurityUtil.HIVE_PRINCIPAL_KEY, this.hivePrincipal);
        }
        SecurityUtil.login(configuration, HiveSecurityUtil.HIVE_KEYTAB_FILE_KEY, HiveSecurityUtil.HIVE_PRINCIPAL_KEY);
        LOG.info("Logged into hive with principal {}", configuration.get(HiveSecurityUtil.HIVE_PRINCIPAL_KEY));
    }

    @Override // org.apache.storm.common.AbstractHadoopNimbusPluginAutoCreds
    public void doRenew(Map<String, String> map, Map<String, Object> map2, String str) {
        for (Pair<String, Credentials> pair : getCredentials(map, getConfigKeys(map2))) {
            try {
                Configuration hadoopConfiguration = getHadoopConfiguration(map2, (String) pair.getFirst());
                String metaStoreUri = getMetaStoreUri(hadoopConfiguration);
                String metaStorePrincipal = getMetaStorePrincipal(hadoopConfiguration);
                Collection allTokens = ((Credentials) pair.getSecond()).getAllTokens();
                login(hadoopConfiguration);
                if (allTokens == null || allTokens.isEmpty()) {
                    LOG.debug("No tokens found for credentials, skipping renewal.");
                } else {
                    Iterator it = allTokens.iterator();
                    while (it.hasNext()) {
                        LOG.info("Hive delegation token renewed, new expiration time {}", Long.valueOf(renewToken((Token) it.next(), metaStoreUri, metaStorePrincipal)));
                    }
                }
            } catch (Exception e) {
                LOG.warn("could not renew the credentials, one of the possible reason is tokens are beyond renewal period so attempting to get new tokens.", e);
                populateCredentials(map, map2);
            }
        }
    }

    private long renewToken(Token token, String str, String str2) {
        HCatClient hCatClient = null;
        try {
            if (!UserGroupInformation.isSecurityEnabled()) {
                throw new RuntimeException("Security is not enabled for Hadoop");
            }
            try {
                String encodeToUrlString = token.encodeToUrlString();
                HiveConf createHiveConf = createHiveConf(str, str2);
                LOG.debug("renewing delegation tokens for principal={}", str2);
                hCatClient = HCatClient.create(createHiveConf);
                Long valueOf = Long.valueOf(hCatClient.renewDelegationToken(encodeToUrlString));
                LOG.info("Renewed delegation token. new expiryTime={}", valueOf);
                long longValue = valueOf.longValue();
                if (hCatClient != null) {
                    try {
                        hCatClient.close();
                    } catch (HCatException e) {
                        LOG.error(" Exception", e);
                    }
                }
                return longValue;
            } catch (Exception e2) {
                throw new RuntimeException("Failed to renew delegation tokens.", e2);
            }
        } catch (Throwable th) {
            if (hCatClient != null) {
                try {
                    hCatClient.close();
                } catch (HCatException e3) {
                    LOG.error(" Exception", e3);
                }
            }
            throw th;
        }
    }

    @Override // org.apache.storm.common.CredentialKeyProvider
    public String getCredentialKey(String str) {
        return HiveSecurityUtil.HIVE_CREDENTIALS + str;
    }
}
