package org.apache.hadoop.security;

import java.io.File;
import java.io.IOException;
import java.lang.reflect.UndeclaredThrowableException;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumMap;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicReference;
import javax.security.auth.DestroyFailedException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.commons.configuration2.tree.DefaultExpressionEngineSymbols;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.io.retry.RetryPolicies;
import org.apache.hadoop.io.retry.RetryPolicy;
import org.apache.hadoop.metrics2.MetricsSystem;
import org.apache.hadoop.metrics2.annotation.Metric;
import org.apache.hadoop.metrics2.annotation.Metrics;
import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
import org.apache.hadoop.metrics2.lib.MetricsRegistry;
import org.apache.hadoop.metrics2.lib.MutableGaugeInt;
import org.apache.hadoop.metrics2.lib.MutableGaugeLong;
import org.apache.hadoop.metrics2.lib.MutableQuantiles;
import org.apache.hadoop.metrics2.lib.MutableRate;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.thirdparty.com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.util.PlatformName;
import org.apache.hadoop.util.Shell;
import org.apache.hadoop.util.StringUtils;
import org.apache.hadoop.util.Time;
import org.apache.kerby.kerberos.kerb.KrbConstant;
import org.apache.kerby.kerberos.kerb.client.jaas.TokenAuthLoginModule;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.Public
@InterfaceStability.Evolving
/* loaded from: input_file:org/apache/hadoop/security/UserGroupInformation.class */
public class UserGroupInformation {

    // Shared logger; package-visible so tests can reach it (see @VisibleForTesting).
    @VisibleForTesting
    static final Logger LOG;
    // NOTE(review): presumably the fraction of a ticket's lifetime after which renewal is
    // attempted; its use is not visible in this part of the file. Confirm.
    private static final float TICKET_RENEW_WINDOW = 0.8f;
    // Test-only switch, written by setShouldRenewImmediatelyForTests().
    private static boolean shouldRenewImmediatelyForTests;
    // Name of the environment variable / system property that HadoopLoginModule.commit()
    // consults for the user name when security is disabled. The value is taken as-is from
    // the process environment; nothing in commit() authenticates it.
    static final String HADOOP_USER_NAME = "HADOOP_USER_NAME";
    // NOTE(review): consumer not visible here; presumably names a proxy-user override. Confirm.
    static final String HADOOP_PROXY_USER = "HADOOP_PROXY_USER";
    // Metrics sink for login/renewal/group-lookup timings; replaced by UgiMetrics.reattach().
    static UgiMetrics metrics;
    // Configured authentication method; set by initialize(), cleared by reset().
    private static AuthenticationMethod authenticationMethod;
    // User-to-groups lookup service; initialize() leaves a TestingGroups instance in place.
    private static Groups groups;
    // Despite the name, initialize() stores this in MILLISECONDS (configured seconds * 1000).
    private static long kerberosMinSecondsBeforeRelogin;
    // Whether keytab logins are auto-renewed; read from configuration in initialize().
    private static boolean kerberosKeyTabLoginRenewalEnabled;
    // reset() sets this to Optional.empty(); where it is populated is not visible here.
    private static Optional<ExecutorService> kerberosLoginRenewalExecutor;
    // Non-null means "initialized" (see isInitialized()). Read there without synchronization.
    private static Configuration conf;
    // NOTE(review): consumers of the next two names are not visible here; presumably
    // environment variable names for supplying delegation tokens. Confirm.
    public static final String HADOOP_TOKEN_FILE_LOCATION = "HADOOP_TOKEN_FILE_LOCATION";
    public static final String HADOOP_TOKEN = "HADOOP_TOKEN";
    // Holder for the process-wide login user.
    private static final AtomicReference<UserGroupInformation> loginUserRef;
    // JAAS Subject wrapped by this instance.
    private final Subject subject;
    // The User principal taken from `subject` in the constructor.
    private final User user;
    // JAAS login module class name used for the OS-specific entry in HadoopConfiguration.
    private static String OS_LOGIN_MODULE_NAME;
    // Principal class HadoopLoginModule.commit() looks for when falling back to the OS user.
    private static Class<? extends Principal> OS_PRINCIPAL_CLASS;
    // Selects the NT vs. Unix JAAS classes in getOSLoginModuleName()/getOsPrincipalClass().
    private static final boolean windows;
    // Compiler-generated flag backing `assert` statements.
    static final /* synthetic */ boolean $assertionsDisabled;

    /**
     * The ways a user can be authenticated. Each constant carries the SASL
     * {@link SaslRpcServer.AuthMethod} it corresponds to (or {@code null}) and, for the
     * methods that support a JAAS login, the JAAS application name used for that login.
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public enum AuthenticationMethod {
        SIMPLE(SaslRpcServer.AuthMethod.SIMPLE, "hadoop-simple"),
        KERBEROS(SaslRpcServer.AuthMethod.KERBEROS, "hadoop-kerberos"),
        TOKEN(SaslRpcServer.AuthMethod.TOKEN),
        CERTIFICATE(null),
        KERBEROS_SSL(null),
        PROXY(null);

        /** SASL mechanism for this method; {@code null} for the last three constants. */
        private final SaslRpcServer.AuthMethod authMethod;
        /** JAAS application name, or {@code null} when login is not supported. */
        private final String loginAppName;

        /** Creates a constant that has no JAAS login application name. */
        AuthenticationMethod(SaslRpcServer.AuthMethod authMethod) {
            this(authMethod, null);
        }

        /** Creates a constant with both its SASL mechanism and JAAS application name. */
        AuthenticationMethod(SaslRpcServer.AuthMethod authMethod, String str) {
            this.loginAppName = str;
            this.authMethod = authMethod;
        }

        /** @return the SASL mechanism, possibly {@code null} */
        public SaslRpcServer.AuthMethod getAuthMethod() {
            return authMethod;
        }

        /**
         * @return the JAAS application name for this method
         * @throws UnsupportedOperationException if this method has no login application name
         */
        String getLoginAppName() {
            if (loginAppName != null) {
                return loginAppName;
            }
            throw new UnsupportedOperationException(this + " login authentication is not supported");
        }

        /**
         * Finds the first constant (in declaration order) whose SASL mechanism is
         * {@code authMethod}. Because the comparison is by identity, a {@code null}
         * argument matches the first constant declared with a {@code null} mechanism.
         *
         * @throws IllegalArgumentException if no constant matches
         */
        public static AuthenticationMethod valueOf(SaslRpcServer.AuthMethod authMethod) {
            AuthenticationMethod match = null;
            for (AuthenticationMethod candidate : values()) {
                if (candidate.getAuthMethod() == authMethod) {
                    match = candidate;
                    break;
                }
            }
            if (match == null) {
                throw new IllegalArgumentException("no authentication method for " + authMethod);
            }
            return match;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
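    /**
     * Background task that keeps a user's Kerberos TGT fresh: it sleeps until the next
     * refresh time, calls {@link #relogin()}, re-reads the TGT and schedules the next refresh.
     *
     * <p>When {@code relogin()} fails with an {@link IOException} the next attempt time is
     * obtained from {@code getNextTgtRenewalTime} with an exponential back-off policy. The
     * task stops when the ticket is destroyed, when the computed retry time is already in
     * the past, when no TGT is present after a relogin, or when the thread is interrupted.
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    @InterfaceStability.Unstable
    public abstract class AutoRenewalForUserCredsRunnable implements Runnable {
        /** Ticket currently being tracked; replaced after every successful relogin. */
        private KerberosTicket tgt;
        /** Wall-clock time (ms, same clock as {@code Time.now()}) of the next attempt. */
        private long nextRefresh;
        // NOTE(review): written by setRunRenewalLoop() and read by the loop in run(); the field
        // is not volatile, so a write from another thread is not guaranteed to be seen. Confirm
        // which thread calls the setter.
        private boolean runRenewalLoop = true;
        /** Back-off policy for the current failure streak; null while renewals succeed. */
        private RetryPolicy rp = null;

        /**
         * @param kerberosTicket the TGT to renew
         * @param j time of the first renewal attempt, in milliseconds
         */
        AutoRenewalForUserCredsRunnable(KerberosTicket kerberosTicket, long j) {
            this.tgt = kerberosTicket;
            this.nextRefresh = j;
        }

        /** Controls whether {@link #run()} loops again after the current cycle. */
        public void setRunRenewalLoop(boolean z) {
            this.runRenewalLoop = z;
        }

        /**
         * Performs one credential renewal.
         *
         * @throws IOException if the renewal fails; {@link #run()} then backs off and retries
         */
        protected abstract void relogin() throws IOException;

        @Override // java.lang.Runnable
        public void run() {
            do {
                try {
                    long now = Time.now();
                    UserGroupInformation.LOG.debug("Current time is {}, next refresh is {}", Long.valueOf(now), Long.valueOf(this.nextRefresh));
                    if (now < this.nextRefresh) {
                        Thread.sleep(this.nextRefresh - now);
                    }
                    relogin();
                    this.tgt = UserGroupInformation.this.getTGT();
                    if (this.tgt == null) {
                        UserGroupInformation.LOG.warn("No TGT after renewal. Aborting renew thread for " + UserGroupInformation.this.getUserName());
                        return;
                    }
                    // Success-path bookkeeping stays inside the try so it runs only after a
                    // successful relogin. Placed after the catch blocks it would also run
                    // after a handled IOException, overwriting the back-off time computed
                    // there and resetting the failure gauge and retry policy.
                    this.nextRefresh = Math.max(UserGroupInformation.this.getRefreshTime(this.tgt), now + UserGroupInformation.kerberosMinSecondsBeforeRelogin);
                    UserGroupInformation.metrics.renewalFailures.set(0);
                    this.rp = null;
                } catch (InterruptedException e4) {
                    UserGroupInformation.LOG.warn("Terminating renewal thread");
                    return;
                } catch (IOException e) {
                    UserGroupInformation.metrics.renewalFailuresTotal.incr();
                    long now2 = Time.now();
                    // A destroyed ticket cannot be renewed; stop instead of retrying forever.
                    if (this.tgt.isDestroyed()) {
                        UserGroupInformation.LOG.error(String.format("TGT is destroyed. Aborting renew thread for %s.", UserGroupInformation.this.getUserName()), (Throwable) e);
                        return;
                    }
                    try {
                        long time = this.tgt.getEndTime().getTime();
                        UserGroupInformation.LOG.warn("Exception encountered while running the renewal command for {}. (TGT end time:{}, renewalFailures: {}, renewalFailuresTotal: {})", UserGroupInformation.this.getUserName(), Long.valueOf(time), Integer.valueOf(UserGroupInformation.metrics.renewalFailures.value()), Long.valueOf(UserGroupInformation.metrics.renewalFailuresTotal.value()), e);
                        // One policy per failure streak; it is dropped again on success.
                        if (this.rp == null) {
                            this.rp = RetryPolicies.exponentialBackoffRetry(62, UserGroupInformation.kerberosMinSecondsBeforeRelogin, TimeUnit.MILLISECONDS);
                        }
                        try {
                            this.nextRefresh = UserGroupInformation.getNextTgtRenewalTime(time, now2, this.rp);
                            UserGroupInformation.metrics.renewalFailures.incr();
                            if (now2 > this.nextRefresh) {
                                UserGroupInformation.LOG.error("TGT is expired. Aborting renew thread for {}.", UserGroupInformation.this.getUserName());
                                return;
                            }
                        } catch (Exception e2) {
                            UserGroupInformation.LOG.error("Exception when calculating next tgt renewal time", (Throwable) e2);
                            return;
                        }
                    } catch (NullPointerException e3) {
                        // The renewal failure (e) is what gets logged here, not the NPE itself.
                        UserGroupInformation.LOG.error("NPE thrown while getting KerberosTicket endTime. Aborting renew thread for {}.", UserGroupInformation.this.getUserName(), e);
                        return;
                    }
                }
            } while (this.runRenewalLoop);
        }
    }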

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * JAAS {@code Configuration} that builds the login-module stack in code instead of
     * reading it from a JAAS config file. It answers for the two application names
     * "hadoop-simple" and "hadoop-kerberos"; every stack it returns ends with
     * {@link HadoopLoginModule}.
     */
    @InterfaceAudience.Private
    @InterfaceStability.Unstable
    /* loaded from: input_file:org/apache/hadoop/security/UserGroupInformation$HadoopConfiguration.class */
    public static class HadoopConfiguration extends javax.security.auth.login.Configuration {
        static final String SIMPLE_CONFIG_NAME = "hadoop-simple";
        static final String KERBEROS_CONFIG_NAME = "hadoop-kerberos";
        // Entry for the platform login module named by OS_LOGIN_MODULE_NAME (REQUIRED).
        static final AppConfigurationEntry OS_SPECIFIC_LOGIN;
        // Entry for HadoopLoginModule (REQUIRED); always the last module in a stack.
        static final AppConfigurationEntry HADOOP_LOGIN;
        // Principal / keytab / ticket-cache settings for this login; may be null.
        private final LoginParams params;
        static final String KRB5_LOGIN_MODULE = KerberosUtil.getKrb5LoginModuleName();
        // Options shared by every entry. The same map instance is passed to both static
        // entries below and copied for each Kerberos entry.
        private static final Map<String, String> BASIC_JAAS_OPTIONS = new HashMap();

        /** @param loginParams login settings, or null for an OS-only login */
        HadoopConfiguration(LoginParams loginParams) {
            this.params = loginParams;
        }

        /* renamed from: getParameters, reason: merged with bridge method [inline-methods] */
        /** Returns the login settings this configuration was built with (may be null). */
        public LoginParams m3458getParameters() {
            return this.params;
        }

        /**
         * Builds the module stack for a JAAS application name.
         *
         * <ul>
         *   <li>no params, or "hadoop-simple": OS login, then Hadoop login;</li>
         *   <li>"hadoop-kerberos": OS login (only when no principal was given), the Kerberos
         *       module, then Hadoop login;</li>
         *   <li>any other name with non-null params: Hadoop login only.</li>
         * </ul>
         *
         * @param str JAAS application name; a null value throws NullPointerException when
         *     params is non-null, because {@code str.equals} is called on it
         */
        public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
            ArrayList arrayList = new ArrayList();
            if (this.params == null || str.equals(SIMPLE_CONFIG_NAME)) {
                arrayList.add(OS_SPECIFIC_LOGIN);
            } else if (str.equals(KERBEROS_CONFIG_NAME)) {
                // Without an explicit principal the OS identity is collected as well.
                if (!this.params.containsKey(LoginParam.PRINCIPAL)) {
                    arrayList.add(OS_SPECIFIC_LOGIN);
                }
                arrayList.add(getKerberosEntry());
            }
            arrayList.add(HADOOP_LOGIN);
            return (AppConfigurationEntry[]) arrayList.toArray(new AppConfigurationEntry[0]);
        }

        /**
         * Builds the Kerberos login-module entry from {@code params}.
         *
         * <p>The module is OPTIONAL unless a principal was supplied, in which case it is
         * REQUIRED. A KEYTAB parameter selects keytab login; otherwise the ticket cache is
         * used. IBM JVMs take a different set of option names, hence the two branches.
         */
        private AppConfigurationEntry getKerberosEntry() {
            HashMap hashMap = new HashMap(BASIC_JAAS_OPTIONS);
            AppConfigurationEntry.LoginModuleControlFlag loginModuleControlFlag = AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL;
            String str = this.params.get(LoginParam.PRINCIPAL);
            if (str != null) {
                // NOTE(review): the option key comes from a Kerby constant here; presumably
                // the decompiler substituted it for an equal string literal. Confirm the
                // option name the Kerberos login module expects.
                hashMap.put(TokenAuthLoginModule.PRINCIPAL, str);
                loginModuleControlFlag = AppConfigurationEntry.LoginModuleControlFlag.REQUIRED;
            }
            if (!PlatformName.IBM_JAVA) {
                if (this.params.containsKey(LoginParam.KEYTAB)) {
                    // Keytab login: the keytab path comes straight from the login params.
                    hashMap.put("useKeyTab", "true");
                    String str2 = this.params.get(LoginParam.KEYTAB);
                    if (str2 != null) {
                        hashMap.put("keyTab", str2);
                    }
                    hashMap.put("storeKey", "true");
                } else {
                    // Ticket-cache login; an explicit cache path is optional.
                    hashMap.put("useTicketCache", "true");
                    String str3 = this.params.get(LoginParam.CCACHE);
                    if (str3 != null) {
                        hashMap.put("ticketCache", str3);
                    }
                    hashMap.put("renewTGT", "true");
                }
                // The login context is created with a null CallbackHandler, so the module
                // must never ask for interactive input.
                hashMap.put("doNotPrompt", "true");
            } else if (this.params.containsKey(LoginParam.KEYTAB)) {
                // IBM JVM, keytab login: the path is passed as a file:// URL.
                String str4 = this.params.get(LoginParam.KEYTAB);
                if (str4 != null) {
                    hashMap.put("useKeytab", prependFileAuthority(str4));
                } else {
                    hashMap.put("useDefaultKeytab", "true");
                }
                hashMap.put("credsType", "both");
            } else {
                // IBM JVM, ticket-cache login.
                String str5 = this.params.get(LoginParam.CCACHE);
                if (str5 != null) {
                    hashMap.put("useCcache", prependFileAuthority(str5));
                } else {
                    hashMap.put("useDefaultCcache", "true");
                }
                hashMap.put("renewTGT", "true");
            }
            hashMap.put("refreshKrb5Config", "true");
            return new AppConfigurationEntry(KRB5_LOGIN_MODULE, loginModuleControlFlag, hashMap);
        }

        /** Prefixes {@code str} with "file://" unless it already starts with it. */
        private static String prependFileAuthority(String str) {
            return str.startsWith("file://") ? str : "file://" + str;
        }

        static {
            // JAAS module debug output is switched on by the environment variable whose name
            // is KDiag.HADOOP_JAAS_DEBUG. NOTE(review): what the modules print in debug mode
            // is not visible here; check it is acceptable for the logs in use.
            if ("true".equalsIgnoreCase(System.getenv(KDiag.HADOOP_JAAS_DEBUG))) {
                BASIC_JAAS_OPTIONS.put("debug", "true");
            }
            // Reads UserGroupInformation.OS_LOGIN_MODULE_NAME, so that field must already be
            // assigned when this class is initialised.
            OS_SPECIFIC_LOGIN = new AppConfigurationEntry(UserGroupInformation.OS_LOGIN_MODULE_NAME, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, BASIC_JAAS_OPTIONS);
            HADOOP_LOGIN = new AppConfigurationEntry(HadoopLoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, BASIC_JAAS_OPTIONS);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/security/UserGroupInformation$HadoopLoginContext.class */
    /**
     * {@link LoginContext} that remembers its application name and configuration, records
     * login timing metrics, and serialises login/logout on a per-subject lock.
     */
    public static class HadoopLoginContext extends LoginContext {
        private final String appName;
        private final HadoopConfiguration conf;
        // True between a successful login() and the next logout().
        private AtomicBoolean isLoggedIn;

        /**
         * @param str JAAS application name
         * @param subject subject to populate; passed through to LoginContext
         * @param hadoopConfiguration configuration that supplies the module stack
         * @throws LoginException if the LoginContext constructor rejects the arguments
         */
        HadoopLoginContext(String str, Subject subject, HadoopConfiguration hadoopConfiguration) throws LoginException {
            // No CallbackHandler: logins through this context are non-interactive.
            super(str, subject, (CallbackHandler) null, hadoopConfiguration);
            this.isLoggedIn = new AtomicBoolean();
            this.appName = str;
            this.conf = hadoopConfiguration;
        }

        /** Returns the JAAS application name given to the constructor. */
        String getAppName() {
            return this.appName;
        }

        /** Returns the configuration given to the constructor. */
        HadoopConfiguration getConfiguration() {
            return this.conf;
        }

        /**
         * Returns the monitor used to serialise login and logout: the subject's
         * private-credentials set, or this context when there is no subject.
         */
        Object getSubjectLock() {
            Subject subject = getSubject();
            return subject == null ? this : subject.getPrivateCredentials();
        }

        /**
         * Logs in under the subject lock and records the elapsed time: in the loginSuccess
         * rate when {@code super.login()} returns, otherwise in the loginFailure rate
         * before the failure is rethrown.
         */
        public void login() throws LoginException {
            synchronized (getSubjectLock()) {
                // Start by assuming failure; switched to the success rate only after login.
                MutableRate mutableRate = UserGroupInformation.metrics.loginFailure;
                long monotonicNow = Time.monotonicNow();
                try {
                    super.login();
                    this.isLoggedIn.set(true);
                    mutableRate = UserGroupInformation.metrics.loginSuccess;
                    mutableRate.add(Time.monotonicNow() - monotonicNow);
                } catch (Throwable th) {
                    mutableRate.add(Time.monotonicNow() - monotonicNow);
                    throw th;
                }
            }
        }

        /**
         * Logs out under the subject lock. {@code super.logout()} is called only when this
         * context is currently logged in, so repeated logouts are no-ops.
         */
        public void logout() throws LoginException {
            synchronized (getSubjectLock()) {
                if (this.isLoggedIn.compareAndSet(true, false)) {
                    super.logout();
                }
            }
        }
    }

    /**
     * JAAS login module that does no authentication itself. In {@link #commit()} it chooses
     * one principal already present on the subject (or a configured user name) and adds a
     * Hadoop {@code User} principal for it.
     */
    @InterfaceAudience.Private
    /* loaded from: input_file:org/apache/hadoop/security/UserGroupInformation$HadoopLoginModule.class */
    public static class HadoopLoginModule implements LoginModule {
        // Subject handed over by JAAS in initialize().
        private Subject subject;

        /** Nothing to undo; always reports success. */
        public boolean abort() throws LoginException {
            return true;
        }

        /**
         * Returns the first principal of type {@code cls} on the subject, or null if the
         * subject has none.
         */
        private <T extends Principal> T getCanonicalUser(Class<T> cls) {
            Iterator<T> it = this.subject.getPrincipals(cls).iterator();
            if (it.hasNext()) {
                return it.next();
            }
            return null;
        }

        /**
         * Adds a {@code User} principal to the subject. The identity is taken from the
         * first source that yields one, in this order:
         * <ol>
         *   <li>an existing {@code User} principal (nothing is added);</li>
         *   <li>a {@code KerberosPrincipal} on the subject;</li>
         *   <li>only when security is disabled: the HADOOP_USER_NAME environment variable,
         *       then the system property of the same name;</li>
         *   <li>the OS principal of type {@code OS_PRINCIPAL_CLASS}.</li>
         * </ol>
         * The new user is marked KERBEROS when it came from a Kerberos principal and SIMPLE
         * otherwise.
         *
         * @return always true
         * @throws LoginException if no identity is found or the User cannot be created
         */
        public boolean commit() throws LoginException {
            UserGroupInformation.LOG.debug("hadoop login commit");
            if (!this.subject.getPrincipals(User.class).isEmpty()) {
                UserGroupInformation.LOG.debug("Using existing subject: {}", this.subject.getPrincipals());
                return true;
            }
            Principal canonicalUser = getCanonicalUser(KerberosPrincipal.class);
            if (canonicalUser != null) {
                UserGroupInformation.LOG.debug("Using kerberos user: {}", canonicalUser);
            }
            // Simple-auth mode only: the user name is whatever the process environment or
            // system properties say. It is self-asserted; nothing here verifies it, so any
            // authorization decision based on it trusts whoever started the process.
            if (!UserGroupInformation.isSecurityEnabled() && canonicalUser == null) {
                String str = System.getenv("HADOOP_USER_NAME");
                if (str == null) {
                    str = System.getProperty("HADOOP_USER_NAME");
                }
                canonicalUser = str == null ? null : new User(str);
            }
            if (canonicalUser == null) {
                // NOTE(review): how OS_PRINCIPAL_CLASS is assigned is not visible here; if it
                // can be null (getOsPrincipalClass() returns null when the class is missing),
                // this lookup would fail with a NullPointerException. Confirm.
                canonicalUser = getCanonicalUser(UserGroupInformation.OS_PRINCIPAL_CLASS);
                UserGroupInformation.LOG.debug("Using local user: {}", canonicalUser);
            }
            if (canonicalUser == null) {
                throw new LoginException("Failed to find user in name " + this.subject);
            }
            UserGroupInformation.LOG.debug("Using user: \"{}\" with name: {}", canonicalUser, canonicalUser.getName());
            try {
                User user = new User(canonicalUser.getName(), canonicalUser instanceof KerberosPrincipal ? AuthenticationMethod.KERBEROS : AuthenticationMethod.SIMPLE, null);
                UserGroupInformation.LOG.debug("User entry: \"{}\"", user);
                this.subject.getPrincipals().add(user);
                return true;
            } catch (Exception e) {
                // Re-thrown as LoginException with the original exception kept as the cause.
                throw ((LoginException) new LoginException(e.toString()).initCause(e));
            }
        }

        /** Stores the subject; the handler and both option maps are ignored. */
        public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
            this.subject = subject;
        }

        /** Performs no check; always reports success. The work happens in commit(). */
        public boolean login() throws LoginException {
            UserGroupInformation.LOG.debug("Hadoop login");
            return true;
        }

        /** Logs the call and reports success; principals are not removed here. */
        public boolean logout() throws LoginException {
            UserGroupInformation.LOG.debug("Hadoop logout");
            return true;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Renewal task for keytab-based logins: each cycle logs in again from the keytab. */
    @InterfaceAudience.Private
    @VisibleForTesting
    @InterfaceStability.Unstable
    public final class KeytabRenewalRunnable extends AutoRenewalForUserCredsRunnable {
        /**
         * @param kerberosTicket the TGT to keep fresh
         * @param j time of the first renewal attempt, in milliseconds
         */
        KeytabRenewalRunnable(KerberosTicket kerberosTicket, long j) {
            super(kerberosTicket, j);
        }

        /** Delegates to the enclosing instance's keytab relogin. */
        @Override
        public void relogin() throws IOException {
            reloginFromKeytab();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/hadoop/security/UserGroupInformation$LoginParam.class */
    /** Keys of the settings a login can be parameterised with (see LoginParams). */
    public enum LoginParam {
        /** Name of the principal to log in as. */
        PRINCIPAL,
        /** Path of the keytab file to log in from. */
        KEYTAB,
        /** Path of the ticket cache to log in from. */
        CCACHE
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/security/UserGroupInformation$LoginParams.class */
    /**
     * Login settings keyed by {@link LoginParam}. Entries are write-once: the first
     * non-null value stored for a key is kept and later writes to that key are ignored.
     */
    public static class LoginParams extends EnumMap<LoginParam, String> implements Configuration.Parameters {
        LoginParams() {
            super(LoginParam.class);
        }

        /**
         * Stores {@code str} under {@code loginParam} unless the value is null or the key
         * is already present.
         *
         * @return always null: either nothing was stored, or the key had no previous value
         */
        @Override
        public String put(LoginParam loginParam, String str) {
            if (str == null || containsKey(loginParam)) {
                return null;
            }
            return super.put(loginParam, str);
        }

        /**
         * Builds the settings from the process environment: KRB5PRINCIPAL, KRB5KEYTAB and
         * the variable named by {@code KDiag.KRB5_CCNAME}. Unset variables leave their key
         * absent. Whoever controls these variables chooses the principal, keytab and ticket
         * cache a default login will use.
         */
        static LoginParams getDefaults() {
            String principal = System.getenv("KRB5PRINCIPAL");
            String keytab = System.getenv("KRB5KEYTAB");
            String ticketCache = System.getenv(KDiag.KRB5_CCNAME);
            LoginParams defaults = new LoginParams();
            defaults.put(LoginParam.PRINCIPAL, principal);
            defaults.put(LoginParam.KEYTAB, keytab);
            defaults.put(LoginParam.CCACHE, ticketCache);
            return defaults;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/security/UserGroupInformation$RealUser.class */
    /**
     * {@link Principal} that wraps another {@code UserGroupInformation}. Name, equality,
     * hash code and string form are all taken from the wrapped instance.
     */
    public static class RealUser implements Principal {
        private final UserGroupInformation realUser;

        /** @param userGroupInformation the identity to wrap */
        RealUser(UserGroupInformation userGroupInformation) {
            this.realUser = userGroupInformation;
        }

        /** @return the wrapped identity's user name */
        @Override
        public String getName() {
            return realUser.getUserName();
        }

        /** @return the wrapped identity */
        public UserGroupInformation getRealUser() {
            return realUser;
        }

        /** Two instances are equal when they have the same class and equal wrapped identities. */
        @Override
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (obj != null && obj.getClass() == getClass()) {
                RealUser other = (RealUser) obj;
                return realUser.equals(other.realUser);
            }
            return false;
        }

        @Override
        public int hashCode() {
            return realUser.hashCode();
        }

        @Override
        public String toString() {
            return realUser.toString();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/security/UserGroupInformation$TestingGroups.class */
    /**
     * {@code Groups} implementation with a per-user override table. Users that have an
     * override get the groups stored for them; everyone else is resolved by the wrapped
     * implementation.
     */
    public static class TestingGroups extends Groups {
        private final Map<String, List<String>> userToGroupsMapping;
        private Groups underlyingImplementation;

        /** @param groups the implementation to fall back to */
        private TestingGroups(Groups groups) {
            super(new org.apache.hadoop.conf.Configuration());
            this.userToGroupsMapping = new HashMap<>();
            this.underlyingImplementation = groups;
        }

        /**
         * @param str user name
         * @return the override for {@code str} if one was set, else the wrapped lookup
         * @throws IOException if the wrapped lookup fails
         */
        @Override
        public List<String> getGroups(String str) throws IOException {
            List<String> override = userToGroupsMapping.get(str);
            return override != null ? override : underlyingImplementation.getGroups(str);
        }

        /** Sets (or replaces) the group override for user {@code str}. */
        public void setUserGroups(String str, String[] strArr) {
            List<String> assigned = Arrays.asList(strArr);
            userToGroupsMapping.put(str, assigned);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Renewal task for ticket-cache logins: each cycle runs the kinit command with
     * {@code -R} and then logs in again from the ticket cache.
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    @InterfaceStability.Unstable
    public final class TicketCacheRenewalRunnable extends AutoRenewalForUserCredsRunnable {
        // Command that is executed on every renewal. Where this value comes from is not
        // visible here; whoever controls it chooses the program that runs with this
        // process's privileges.
        private String kinitCmd;

        /**
         * @param kerberosTicket the TGT to keep fresh
         * @param str the kinit command to execute
         * @param j time of the first renewal attempt, in milliseconds
         */
        TicketCacheRenewalRunnable(KerberosTicket kerberosTicket, String str, long j) {
            super(kerberosTicket, j);
            this.kinitCmd = str;
        }

        /**
         * Runs {@code kinitCmd -R}, logs its output at debug level, then re-reads the
         * ticket cache.
         */
        @Override
        public void relogin() throws IOException {
            String kinitOutput = Shell.execCommand(this.kinitCmd, "-R");
            UserGroupInformation.LOG.debug("Renewed ticket. kinit output: {}", kinitOutput);
            reloginFromTicketCache();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Metrics source for login timings, group lookups and TGT renewal failures. */
    @Metrics(about = "User and group related metrics", context = "ugi")
    public static class UgiMetrics {
        final MetricsRegistry registry = new MetricsRegistry("UgiMetrics");

        @Metric({"Rate of successful kerberos logins and latency (milliseconds)"})
        MutableRate loginSuccess;

        @Metric({"Rate of failed kerberos logins and latency (milliseconds)"})
        MutableRate loginFailure;

        @Metric({"GetGroups"})
        MutableRate getGroups;
        // Optional quantile trackers; stays null unless initialize() creates them.
        MutableQuantiles[] getGroupsQuantiles;

        @Metric({"Renewal failures since startup"})
        private MutableGaugeLong renewalFailuresTotal;

        @Metric({"Renewal failures since last successful login"})
        private MutableGaugeInt renewalFailures;

        UgiMetrics() {
        }

        /** Creates a new instance and registers it with the default metrics system. */
        static UgiMetrics create() {
            UgiMetrics fresh = new UgiMetrics();
            return (UgiMetrics) DefaultMetricsSystem.instance().register((MetricsSystem) fresh);
        }

        /** Replaces the class-wide metrics object with a newly registered one. */
        static void reattach() {
            UserGroupInformation.metrics = create();
        }

        /**
         * Records one group-lookup sample in the rate and in every quantile tracker.
         *
         * @param j the sample value
         */
        public void addGetGroups(long j) {
            getGroups.add(j);
            if (getGroupsQuantiles == null) {
                return;
            }
            for (MutableQuantiles tracker : getGroupsQuantiles) {
                tracker.add(j);
            }
        }

        /** @return the gauge counting failures since the last successful login */
        MutableGaugeInt getRenewalFailures() {
            return renewalFailures;
        }
    }

    /**
     * Test hook that sets the class-wide "renew immediately" flag.
     *
     * @param z the new flag value
     */
    @VisibleForTesting
    public static void setShouldRenewImmediatelyForTests(boolean z) {
        UserGroupInformation.shouldRenewImmediatelyForTests = z;
    }

    /** Re-registers the metrics source; see {@code UgiMetrics.reattach()}. */
    public static void reattachMetrics() {
        UserGroupInformation.UgiMetrics.reattach();
    }

    /** @return true once a configuration has been installed by {@code initialize} */
    public static boolean isInitialized() {
        boolean hasConfiguration = conf != null;
        return hasConfiguration;
    }

    /**
     * Initialises the class from a default configuration if nothing has done so yet.
     * The state is checked once without the lock and again while holding the class lock,
     * so concurrent first callers initialise only once.
     */
    private static void ensureInitialized() {
        // NOTE(review): the unlocked check reads `conf`, which is not declared volatile.
        if (!isInitialized()) {
            synchronized (UserGroupInformation.class) {
                if (!isInitialized()) {
                    // false: keep Kerberos name rules that were already set.
                    initialize(new org.apache.hadoop.conf.Configuration(), false);
                }
            }
        }
    }

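    /**
     * Loads the security settings from {@code configuration} into the class-wide state:
     * authentication method, Kerberos name rules, relogin interval, keytab auto-renewal
     * flag, group mapping service and (once) the getGroups quantile metrics.
     *
     * @param configuration source of the settings
     * @param z when true the Kerberos auth_to_local name rules are loaded from
     *     {@code configuration} even if rules were already set
     * @throws RuntimeException if the name rules cannot be loaded
     * @throws IllegalArgumentException if the relogin interval is not a valid number
     */
    private static synchronized void initialize(org.apache.hadoop.conf.Configuration configuration, boolean z) {
        authenticationMethod = SecurityUtil.getAuthenticationMethod(configuration);
        if (z || !HadoopKerberosName.hasRulesBeenSet()) {
            try {
                HadoopKerberosName.setConfiguration(configuration);
            } catch (IOException e) {
                throw new RuntimeException("Problem with Kerberos auth_to_local name configuration", e);
            }
        }
        // Only the relogin-interval lookup is guarded: the error message names that key, so
        // a malformed value in another setting must not be reported as this one. The
        // original exception is kept as the cause.
        try {
            // Configured in seconds, stored in milliseconds.
            kerberosMinSecondsBeforeRelogin = 1000 * configuration.getLong(CommonConfigurationKeysPublic.HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN, 60L);
        } catch (NumberFormatException e2) {
            throw new IllegalArgumentException("Invalid attribute value for hadoop.kerberos.min.seconds.before.relogin of " + configuration.get(CommonConfigurationKeysPublic.HADOOP_KERBEROS_MIN_SECONDS_BEFORE_RELOGIN), e2);
        }
        kerberosKeyTabLoginRenewalEnabled = configuration.getBoolean(CommonConfigurationKeysPublic.HADOOP_KERBEROS_KEYTAB_LOGIN_AUTORENEWAL_ENABLED, false);
        // A TestingGroups instance installed by a test is left in place.
        if (!(groups instanceof TestingGroups)) {
            groups = Groups.getUserToGroupsMappingService(configuration);
        }
        conf = configuration;
        // Quantile metrics are created at most once per metrics object.
        if (metrics.getGroupsQuantiles != null) {
            return;
        }
        int[] ints = configuration.getInts(CommonConfigurationKeys.HADOOP_USER_GROUP_METRICS_PERCENTILES_INTERVALS);
        if (ints == null || ints.length <= 0) {
            return;
        }
        int length = ints.length;
        MutableQuantiles[] mutableQuantilesArr = new MutableQuantiles[length];
        for (int i = 0; i < length; i++) {
            mutableQuantilesArr[i] = metrics.registry.newQuantiles("getGroups" + ints[i] + "s", "Get groups", "ops", "latency", ints[i]);
        }
        metrics.getGroupsQuantiles = mutableQuantilesArr;
    }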

    /**
     * Installs {@code configuration} as the class-wide security configuration. Unlike the
     * lazy default initialisation, this always reloads the Kerberos name rules from the
     * given configuration.
     *
     * @param configuration the configuration to use
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static void setConfiguration(org.apache.hadoop.conf.Configuration configuration) {
        final boolean overrideNameRules = true;
        initialize(configuration, overrideNameRules);
    }

    /**
     * Test hook that returns the class-wide state to "uninitialised": configuration,
     * authentication method, groups, Kerberos relogin settings, login user and name rules.
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    public static void reset() {
        // Configuration-derived state.
        conf = null;
        authenticationMethod = null;
        groups = null;
        // Kerberos relogin settings.
        kerberosKeyTabLoginRenewalEnabled = false;
        kerberosMinSecondsBeforeRelogin = 0L;
        kerberosLoginRenewalExecutor = Optional.empty();
        // Cached identity and name-mapping rules.
        setLoginUser(null);
        HadoopKerberosName.setRules(null);
    }

    /**
     * Reports whether the configured authentication method is anything other than SIMPLE.
     *
     * @return false only when the configured method is {@code AuthenticationMethod.SIMPLE}
     */
    public static boolean isSecurityEnabled() {
        boolean simpleAuth = isAuthenticationMethodEnabled(AuthenticationMethod.SIMPLE);
        return !simpleAuth;
    }

    /**
     * Checks the configured authentication method, initialising the class first if needed.
     *
     * @param authenticationMethod2 the method to compare against
     * @return true if it is the configured method
     */
    @InterfaceAudience.Private
    @InterfaceStability.Evolving
    private static boolean isAuthenticationMethodEnabled(AuthenticationMethod authenticationMethod2) {
        ensureInitialized();
        AuthenticationMethod configured = UserGroupInformation.authenticationMethod;
        return configured == authenticationMethod2;
    }

    /**
     * @return the keytab auto-renewal flag read from configuration, initialising the
     *     class first if needed
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    @InterfaceStability.Evolving
    static boolean isKerberosKeyTabLoginRenewalEnabled() {
        ensureInitialized();
        boolean renewalEnabled = kerberosKeyTabLoginRenewalEnabled;
        return renewalEnabled;
    }

    /**
     * @return the executor holder for Kerberos login renewal, initialising the class
     *     first if needed
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    @InterfaceStability.Evolving
    static Optional<ExecutorService> getKerberosLoginRenewalExecutor() {
        ensureInitialized();
        Optional<ExecutorService> renewalExecutor = kerberosLoginRenewalExecutor;
        return renewalExecutor;
    }

    /**
     * Picks the JAAS login module class name for the current platform: the IBM module on
     * IBM JVMs, otherwise the NT module on Windows and the Unix module elsewhere.
     */
    private static String getOSLoginModuleName() {
        if (PlatformName.IBM_JAVA) {
            return "com.ibm.security.auth.module.JAASLoginModule";
        }
        if (windows) {
            return "com.sun.security.auth.module.NTLoginModule";
        }
        return "com.sun.security.auth.module.UnixLoginModule";
    }

    /**
     * Loads the platform's OS user principal class through the system class loader.
     *
     * @return the principal class, or null (after logging an error) if it cannot be found
     */
    private static Class<? extends Principal> getOsPrincipalClass() {
        ClassLoader loader = ClassLoader.getSystemClassLoader();
        final String principalClassName;
        if (PlatformName.IBM_JAVA) {
            principalClassName = "com.ibm.security.auth.UsernamePrincipal";
        } else if (windows) {
            principalClassName = "com.sun.security.auth.NTUserPrincipal";
        } else {
            principalClassName = "com.sun.security.auth.UnixPrincipal";
        }
        try {
            // Unchecked: the names above are all expected to be Principal implementations.
            return (Class<? extends Principal>) loader.loadClass(principalClassName);
        } catch (ClassNotFoundException e) {
            LOG.error("Unable to find JAAS classes:" + e.getMessage());
            return null;
        }
    }

    /**
     * Creates a {@code HadoopLoginContext} while the thread's context class loader is
     * temporarily set to the loader of {@code HadoopLoginModule}; the previous loader is
     * restored whether or not construction succeeds.
     *
     * @param str JAAS application name
     * @param subject subject to log in
     * @param hadoopConfiguration configuration supplying the module stack
     * @throws LoginException if the context cannot be created
     */
    private static HadoopLoginContext newLoginContext(String str, Subject subject, HadoopConfiguration hadoopConfiguration) throws LoginException {
        Thread self = Thread.currentThread();
        ClassLoader previousLoader = self.getContextClassLoader();
        // Presumably so that JAAS can resolve HadoopLoginModule by name; confirm.
        self.setContextClassLoader(HadoopLoginModule.class.getClassLoader());
        try {
            return new HadoopLoginContext(str, subject, hadoopConfiguration);
        } finally {
            self.setContextClassLoader(previousLoader);
        }
    }

    /**
     * Returns the login context stored on the user, but only when it is a {@code HadoopLoginContext}.
     *
     * @return the Hadoop login context, or {@code null} when none is stored or it is of another type
     */
    private HadoopLoginContext getLogin() {
        LoginContext stored = this.user.getLogin();
        return stored instanceof HadoopLoginContext ? (HadoopLoginContext) stored : null;
    }

    /**
     * Stores the login context on the underlying {@code User}.
     *
     * @param loginContext the context to record
     */
    private void setLogin(LoginContext loginContext) {
        final User target = this.user;
        target.setLogin(loginContext);
    }

    /**
     * Records the time of the last login on the underlying {@code User}.
     *
     * @param j the login timestamp; callers in this class pass {@code Time.now()}
     */
    private void setLastLogin(long j) {
        final User target = this.user;
        target.setLastLogin(j);
    }

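    /**
     * Wraps a subject that must already carry a {@code User} principal.
     *
     * <p>A subject without any {@code User} principal is rejected with the same
     * {@link IllegalStateException} as one whose user has no name. Previously the empty case
     * escaped as a {@code NoSuchElementException} from the iterator before the validity check ran.
     *
     * @param subject the authenticated subject; must not be {@code null}
     * @throws IllegalStateException if the subject holds no {@code User} principal or the user has no
     *     name
     */
    UserGroupInformation(Subject subject) {
        this.subject = subject;
        Iterator<User> users = subject.getPrincipals(User.class).iterator();
        // Take the first User principal if there is one; an empty set falls through to the check.
        this.user = users.hasNext() ? users.next() : null;
        if (this.user == null || this.user.getName() == null) {
            throw new IllegalStateException("Subject does not contain a valid User");
        }
    }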

    /**
     * Tells whether this user's authentication method is Kerberos.
     *
     * @return {@code true} when the user's method is {@link AuthenticationMethod#KERBEROS}
     */
    public boolean hasKerberosCredentials() {
        AuthenticationMethod method = this.user.getAuthenticationMethod();
        return AuthenticationMethod.KERBEROS == method;
    }

    /**
     * Returns the user bound to the current access-control context, falling back to the login user.
     *
     * @return a new instance wrapping the context's subject when it carries a {@code User}
     *     principal, otherwise {@link #getLoginUser()}
     * @throws IOException if the login user has to be created and that fails
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static UserGroupInformation getCurrentUser() throws IOException {
        ensureInitialized();
        Subject contextSubject = Subject.getSubject(AccessController.getContext());
        boolean carriesUser = contextSubject != null && !contextSubject.getPrincipals(User.class).isEmpty();
        if (carriesUser) {
            return new UserGroupInformation(contextSubject);
        }
        return getLoginUser();
    }

    /**
     * Chooses a user from whichever of the two inputs is available.
     *
     * @param str ticket cache location; when non-null the ticket cache login is used
     * @param str2 user name; used for a remote user when no ticket cache is given
     * @return the ticket-cache user, else a remote user for {@code str2}, else the current user
     * @throws IOException if the selected lookup fails
     */
    public static UserGroupInformation getBestUGI(String str, String str2) throws IOException {
        if (str != null) {
            return getUGIFromTicketCache(str, str2);
        }
        if (str2 != null) {
            return createRemoteUser(str2);
        }
        return getCurrentUser();
    }

    /**
     * Logs in from a Kerberos ticket cache.
     *
     * <p>When Kerberos is not the configured method the ticket cache is ignored and the result is
     * whatever {@code getBestUGI(null, str2)} yields, i.e. an unauthenticated remote user for
     * {@code str2} or the current user.
     *
     * @param str ticket cache location
     * @param str2 principal to log in as
     * @return the resulting user
     * @throws IOException if the login fails
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static UserGroupInformation getUGIFromTicketCache(String str, String str2) throws IOException {
        boolean kerberosConfigured = isAuthenticationMethodEnabled(AuthenticationMethod.KERBEROS);
        if (kerberosConfigured) {
            LoginParams params = new LoginParams();
            params.put(LoginParam.PRINCIPAL, str2);
            params.put(LoginParam.CCACHE, str);
            return doSubjectLogin(null, params);
        }
        return getBestUGI(null, str2);
    }

    /**
     * Builds a user from an externally supplied subject.
     *
     * @param subject a subject that must contain at least one {@link KerberosPrincipal}
     * @return the user produced by the subject login
     * @throws KerberosAuthException if the subject is {@code null} or has no Kerberos principal
     * @throws IOException if the login fails
     */
    public static UserGroupInformation getUGIFromSubject(Subject subject) throws IOException {
        if (subject == null) {
            throw new KerberosAuthException(UGIExceptionMessages.SUBJECT_MUST_NOT_BE_NULL);
        }
        boolean lacksKerberosPrincipal = subject.getPrincipals(KerberosPrincipal.class).isEmpty();
        if (lacksKerberosPrincipal) {
            throw new KerberosAuthException(UGIExceptionMessages.SUBJECT_MUST_CONTAIN_PRINCIPAL);
        }
        return doSubjectLogin(subject, null);
    }

    /**
     * Returns the process-wide login user, creating it on first use.
     *
     * <p>Creation may race between threads; only the thread whose compare-and-set succeeds
     * publishes its instance and starts the credential auto-renewal task. Losers discard theirs.
     *
     * @return the login user, never {@code null}
     * @throws IOException if the login user cannot be created
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static UserGroupInformation getLoginUser() throws IOException {
        ensureInitialized();
        UserGroupInformation current = loginUserRef.get();
        if (current != null) {
            return current;
        }
        UserGroupInformation candidate = createLoginUser(null);
        while (current == null) {
            if (loginUserRef.compareAndSet(null, candidate)) {
                current = candidate;
                current.spawnAutoRenewalThreadForUserCreds(false);
            } else {
                // Another thread published first; the value may have been reset again, hence the loop.
                current = loginUserRef.get();
            }
        }
        return current;
    }

    /**
     * Cuts a string at its first space character.
     *
     * @param str the text to trim; must not be {@code null}
     * @return the part before the first space, or {@code str} unchanged when it has no space
     */
    public static String trimLoginMethod(String str) {
        final int firstSpace = str.indexOf(' ');
        return firstSpace < 0 ? str : str.substring(0, firstSpace);
    }

    /**
     * Creates a login user from the given subject and installs it as the process-wide login user.
     *
     * @param subject the subject to log in with; {@code null} is passed through to the login
     * @throws IOException if the login user cannot be created
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static void loginUserFromSubject(Subject subject) throws IOException {
        UserGroupInformation created = createLoginUser(subject);
        setLoginUser(created);
    }

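    /**
     * Builds the login user: performs the subject login, optionally wraps it in a proxy user, and
     * attaches delegation tokens found in token files and in encoded token strings.
     *
     * <p>Inputs are taken from the process environment, system properties and {@code conf}:
     * the proxy user name from the key in {@code HADOOP_PROXY_USER} (environment first, then system
     * property); token file locations from {@code HADOOP_TOKEN_FILES} and the
     * {@code HADOOP_TOKEN_FILE_LOCATION} environment variable; encoded tokens from
     * {@code HADOOP_TOKENS} and the environment variable named by {@code HADOOP_TOKEN}. Whoever
     * controls those inputs decides which identity is impersonated and which credentials are
     * loaded, so they must come from a trusted launcher.
     *
     * <p>An encoded token that fails to decode is skipped. Its value is not written to the log:
     * the string is credential material even when malformed, so only its length is reported.
     *
     * @param subject the subject to log in with, or {@code null} for a default login
     * @return the login user, possibly a proxy user, with all readable tokens added
     * @throws IOException if the login or reading a token file fails
     */
    private static UserGroupInformation createLoginUser(Subject subject) throws IOException {
        UserGroupInformation realUser = doSubjectLogin(subject, null);
        try {
            String proxyUser = System.getenv(HADOOP_PROXY_USER);
            if (proxyUser == null) {
                proxyUser = System.getProperty(HADOOP_PROXY_USER);
            }
            UserGroupInformation loginUser = proxyUser == null ? realUser : createProxyUser(proxyUser, realUser);

            // Insertion-ordered set: each location is read once, in source priority order.
            Set<String> tokenFileLocations = new LinkedHashSet<>();
            tokenFileLocations.addAll(StringUtils.getTrimmedStringCollection(System.getProperty(CommonConfigurationKeysPublic.HADOOP_TOKEN_FILES)));
            tokenFileLocations.addAll(StringUtils.getTrimmedStringCollection(conf.get(CommonConfigurationKeysPublic.HADOOP_TOKEN_FILES)));
            tokenFileLocations.addAll(StringUtils.getTrimmedStringCollection(System.getenv("HADOOP_TOKEN_FILE_LOCATION")));
            for (String location : tokenFileLocations) {
                if (location == null || location.isEmpty()) {
                    continue;
                }
                File tokenFile = new File(location);
                LOG.debug("Reading credentials from location {}", tokenFile.getCanonicalPath());
                if (tokenFile.exists() && tokenFile.isFile()) {
                    Credentials fileCredentials = Credentials.readTokenStorageFile(tokenFile, conf);
                    LOG.debug("Loaded {} tokens from {}", fileCredentials.numberOfTokens(), tokenFile.getCanonicalPath());
                    loginUser.addCredentials(fileCredentials);
                } else {
                    LOG.info("Token file {} does not exist", tokenFile.getCanonicalPath());
                }
            }

            Set<String> encodedTokens = new LinkedHashSet<>();
            encodedTokens.addAll(StringUtils.getTrimmedStringCollection(System.getProperty(CommonConfigurationKeysPublic.HADOOP_TOKENS)));
            encodedTokens.addAll(StringUtils.getTrimmedStringCollection(conf.get(CommonConfigurationKeysPublic.HADOOP_TOKENS)));
            encodedTokens.addAll(StringUtils.getTrimmedStringCollection(System.getenv(HADOOP_TOKEN)));
            int loadedTokens = 0;
            for (String encoded : encodedTokens) {
                if (encoded == null || encoded.isEmpty()) {
                    continue;
                }
                try {
                    Token<? extends TokenIdentifier> token = new Token<>();
                    token.decodeFromUrlString(encoded);
                    Credentials single = new Credentials();
                    single.addToken(token.getService(), token);
                    loginUser.addCredentials(single);
                    loadedTokens++;
                } catch (IOException e) {
                    // Do not log the token string itself; it is a secret even if it failed to decode.
                    LOG.error("Cannot add token (value withheld, {} chars): {}", encoded.length(), e.getMessage());
                }
            }
            if (loadedTokens > 0) {
                LOG.debug("Loaded {} base64 tokens", loadedTokens);
            }
            LOG.debug("UGI loginUser: {}", loginUser);
            return loginUser;
        } catch (IOException e) {
            LOG.debug("Failure to load login credentials", e);
            throw e;
        }
    }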

    /**
     * Replaces the process-wide login user unconditionally.
     *
     * @param userGroupInformation the new login user; {@code null} clears it so that the next
     *     {@link #getLoginUser()} call creates one again
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    @InterfaceStability.Unstable
    public static void setLoginUser(UserGroupInformation userGroupInformation) {
        final UserGroupInformation replacement = userGroupInformation;
        loginUserRef.set(replacement);
    }

    /**
     * Looks up the keytab parameter of the current Hadoop login context.
     *
     * @return the {@code KEYTAB} login parameter, or {@code null} when there is no Hadoop login
     *     context or it was created without a keytab
     */
    private String getKeytab() {
        HadoopLoginContext context = getLogin();
        return context == null ? null : context.getConfiguration().m3458getParameters().get(LoginParam.KEYTAB);
    }

    /**
     * Tells whether this user was logged in through a {@code HadoopLoginContext}.
     *
     * @return {@code true} when {@link #getLogin()} yields a context
     */
    private boolean isHadoopLogin() {
        HadoopLoginContext context = getLogin();
        return context != null;
    }

    /**
     * Tells whether the Kerberos credentials of this user came from a keytab login.
     *
     * @return {@code true} for a Kerberos user with a Hadoop login context that has a keytab
     */
    public boolean isFromKeytab() {
        if (!hasKerberosCredentials()) {
            return false;
        }
        if (!isHadoopLogin()) {
            return false;
        }
        return getKeytab() != null;
    }

    /**
     * Tells whether the Kerberos credentials of this user came from a login without a keytab.
     *
     * @return {@code true} for a Kerberos user with a Hadoop login context that has no keytab
     */
    private boolean isFromTicket() {
        if (!hasKerberosCredentials()) {
            return false;
        }
        if (!isHadoopLogin()) {
            return false;
        }
        return getKeytab() == null;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Finds the ticket-granting ticket among the subject's private credentials.
     *
     * @return the first ticket accepted by {@code SecurityUtil.isOriginalTGT}, or {@code null} when
     *     the subject holds none
     */
    public KerberosTicket getTGT() {
        Set<KerberosTicket> tickets = this.subject.getPrivateCredentials(KerberosTicket.class);
        for (KerberosTicket candidate : tickets) {
            if (!SecurityUtil.isOriginalTGT(candidate)) {
                continue;
            }
            return candidate;
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: private */
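    /**
     * Computes the time at which the given ticket should be refreshed.
     *
     * <p>The result is the ticket's start time plus the {@code TICKET_RENEW_WINDOW} fraction of its
     * validity period. The original expression referred to an undeclared temporary ({@code r0}) for
     * the start time; it is now an explicit local, and the narrowing back to {@code long} is spelled
     * out.
     *
     * @param kerberosTicket the ticket to inspect
     * @return the refresh time in milliseconds since the epoch
     * @throws NullPointerException if the ticket carries no start or end time
     */
    public long getRefreshTime(KerberosTicket kerberosTicket) {
        long start = kerberosTicket.getStartTime().getTime();
        long end = kerberosTicket.getEndTime().getTime();
        // Same float arithmetic as the original expression, then truncated to whole milliseconds.
        return start + (long) (((float) (end - start)) * TICKET_RENEW_WINDOW);
    }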

    /**
     * Tells whether this user is eligible for a re-login at all.
     *
     * @return {@code true} for a Kerberos user that was logged in through a Hadoop login context
     */
    @InterfaceAudience.Private
    @InterfaceStability.Unstable
    public boolean shouldRelogin() {
        if (!hasKerberosCredentials()) {
            return false;
        }
        return isHadoopLogin();
    }

    /**
     * Starts the ticket-cache renewal task when this user qualifies and holds a TGT.
     *
     * <p>The renewal task receives the command configured under {@code KDiag.KERBEROS_KINIT_COMMAND}
     * (default {@code "kinit"}). Presumably that command is executed by the task, in which case the
     * configuration value decides which executable runs; treat it as trusted configuration only.
     *
     * @param z when {@code true}, skip the eligibility check (re-login capable and not keytab based)
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    @InterfaceStability.Unstable
    void spawnAutoRenewalThreadForUserCreds(boolean z) {
        boolean eligible = z || (shouldRelogin() && !isFromKeytab());
        if (!eligible) {
            return;
        }
        KerberosTicket tgt = getTGT();
        if (tgt == null) {
            return;
        }
        executeAutoRenewalTask(getUserName(), new TicketCacheRenewalRunnable(tgt, conf.get(KDiag.KERBEROS_KINIT_COMMAND, "kinit"), getRefreshTime(tgt)));
    }

    /**
     * Starts the keytab renewal task when this user can re-login, is not ticket based and holds a
     * TGT. Does nothing otherwise.
     */
    private void spawnAutoRenewalThreadForKeytab() {
        if (shouldRelogin() && !isFromTicket()) {
            KerberosTicket tgt = getTGT();
            if (tgt != null) {
                executeAutoRenewalTask(getUserName(), new KeytabRenewalRunnable(tgt, getRefreshTime(tgt)));
            }
        }
    }

    /**
     * Submits the renewal task to a fresh single-thread executor whose daemon thread is named after
     * the user.
     *
     * <p>The executor is stored in the static {@code kerberosLoginRenewalExecutor} slot; an executor
     * already held there is replaced without being shut down by this method.
     *
     * @param str user name used in the thread name
     * @param autoRenewalForUserCredsRunnable the renewal task to run
     */
    private void executeAutoRenewalTask(final String str, AutoRenewalForUserCredsRunnable autoRenewalForUserCredsRunnable) {
        ThreadFactory renewerThreads = task -> {
            Thread renewer = new Thread(task);
            // Daemon, so a pending renewal never keeps the JVM alive.
            renewer.setDaemon(true);
            renewer.setName("TGT Renewer for " + str);
            return renewer;
        };
        kerberosLoginRenewalExecutor = Optional.of(Executors.newSingleThreadExecutor(renewerThreads));
        kerberosLoginRenewalExecutor.get().submit(autoRenewalForUserCredsRunnable);
    }

    /**
     * Computes the next renewal time as the earlier of two candidates: {@code j} minus
     * {@code kerberosMinSecondsBeforeRelogin}, and {@code j2} plus the delay the retry policy
     * returns for the current renewal-failure count.
     *
     * @param j upper bound timestamp — presumably the TGT end time; confirm against callers
     * @param j2 base timestamp for the retry delay — presumably the current time; confirm
     * @param retryPolicy policy consulted for the back-off delay
     * @return the smaller of the two candidate timestamps
     * @throws Exception if the retry policy throws
     */
    @VisibleForTesting
    static long getNextTgtRenewalTime(long j, long j2, RetryPolicy retryPolicy) throws Exception {
        long latestAllowed = j - kerberosMinSecondsBeforeRelogin;
        long afterBackoff = j2 + retryPolicy.shouldRetry(null, metrics.renewalFailures.value(), 0, false).delayMillis;
        return Math.min(latestAllowed, afterBackoff);
    }

    /**
     * Logs in from a keytab and installs the result as the process-wide login user.
     *
     * <p>Does nothing when security is disabled. The success message logs only the keytab's file
     * name, not its full path.
     *
     * @param str the principal to log in as
     * @param str2 path of the keytab file
     * @throws IOException if the login fails
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static void loginUserFromKeytab(String str, String str2) throws IOException {
        if (!isSecurityEnabled()) {
            return;
        }
        UserGroupInformation keytabUser = loginUserFromKeytabAndReturnUGI(str, str2);
        if (isKerberosKeyTabLoginRenewalEnabled()) {
            keytabUser.spawnAutoRenewalThreadForKeytab();
        }
        setLoginUser(keytabUser);
        LOG.info("Login successful for user {} using keytab file {}. Keytab auto renewal enabled : {}", str, new File(str2).getName(), Boolean.valueOf(isKerberosKeyTabLoginRenewalEnabled()));
    }

    /**
     * Logs this keytab user out. Does nothing for a user without Kerberos credentials.
     *
     * <p>The shared renewal executor, when present, is stopped before the login state is checked,
     * so it is stopped even if the call then fails because no keytab login exists.
     *
     * @throws KerberosAuthException if there is no keytab login to end, or the JAAS logout fails
     * @throws IOException declared supertype of the above
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public void logoutUserFromKeytab() throws IOException {
        if (!hasKerberosCredentials()) {
            return;
        }
        if (getKerberosLoginRenewalExecutor().isPresent()) {
            getKerberosLoginRenewalExecutor().get().shutdownNow();
        }
        HadoopLoginContext context = getLogin();
        String keytabPath = getKeytab();
        if (context == null || keytabPath == null) {
            throw new KerberosAuthException(UGIExceptionMessages.MUST_FIRST_LOGIN_FROM_KEYTAB);
        }
        try {
            LOG.debug("Initiating logout for {}", getUserName());
            context.logout();
            LOG.info("Logout successful for user " + getUserName() + " using keytab file " + keytabPath);
        } catch (LoginException e) {
            KerberosAuthException failure = new KerberosAuthException(UGIExceptionMessages.LOGOUT_FAILURE, e);
            failure.setUser(this.user.toString());
            failure.setKeytabFile(keytabPath);
            throw failure;
        }
    }

    /**
     * Re-logs in from the keytab, but only once the TGT has reached its refresh time.
     *
     * @throws IOException if the re-login fails
     */
    public void checkTGTAndReloginFromKeytab() throws IOException {
        final boolean checkTgtFirst = true;
        reloginFromKeytab(checkTgtFirst);
    }

    /**
     * Prunes the subject's private credentials so that the first remaining Kerberos ticket is one
     * whose server principal starts with {@code KrbConstant.TGS_PRINCIPAL}.
     *
     * <p>Walking the credentials in iteration order: destroyed tickets and tickets without a server
     * are removed; any other ticket that is not a TGS ticket is removed and destroyed; the walk
     * stops at the first TGS ticket. If no such ticket is found a warning is logged.
     */
    @VisibleForTesting
    void fixKerberosTicketOrder() {
        Set<Object> privateCredentials = getSubject().getPrivateCredentials();
        // The credential set is mutated through the iterator, so hold its monitor for the whole walk.
        synchronized (privateCredentials) {
            Iterator<Object> it = privateCredentials.iterator();
            while (it.hasNext()) {
                Object next = it.next();
                // Non-ticket credentials are left untouched.
                if (next instanceof KerberosTicket) {
                    KerberosTicket kerberosTicket = (KerberosTicket) next;
                    // Note: the same message is logged for a ticket that merely has no server.
                    if (kerberosTicket.isDestroyed() || kerberosTicket.getServer() == null) {
                        LOG.warn("Ticket is already destroyed, remove it.");
                        it.remove();
                    } else {
                        if (kerberosTicket.getServer().getName().startsWith(KrbConstant.TGS_PRINCIPAL)) {
                            // First live ticket is a TGS ticket: order is fine, nothing more to do.
                            return;
                        }
                        LOG.warn("The first kerberos ticket is not TGT(the server principal is {}), remove and destroy it.", kerberosTicket.getServer());
                        it.remove();
                        try {
                            // Destroy after removal so the ticket's key material does not linger.
                            kerberosTicket.destroy();
                        } catch (DestroyFailedException e) {
                            // Best effort: the ticket is already out of the subject.
                            LOG.warn("destroy ticket failed", (Throwable) e);
                        }
                    }
                }
            }
            // Reached only when the walk ended without returning at a TGS ticket.
            LOG.warn("Warning, no kerberos ticket found while attempting to renew ticket");
        }
    }

    /**
     * Re-logs in from the keytab without first checking the TGT refresh time.
     *
     * @throws IOException if the re-login fails
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public void reloginFromKeytab() throws IOException {
        final boolean checkTgtFirst = false;
        reloginFromKeytab(checkTgtFirst);
    }

    /**
     * Re-logs in from the keytab, skipping both the TGT refresh-time check and the minimum interval
     * between re-logins.
     *
     * @throws IOException if the re-login fails
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public void forceReloginFromKeytab() throws IOException {
        final boolean checkTgtFirst = false;
        final boolean ignoreLastLoginTime = true;
        reloginFromKeytab(checkTgtFirst, ignoreLastLoginTime);
    }

    /**
     * Re-logs in from the keytab while honouring the minimum interval between re-logins.
     *
     * @param z whether to re-login only once the TGT has reached its refresh time
     * @throws IOException if the re-login fails
     */
    private void reloginFromKeytab(boolean z) throws IOException {
        final boolean ignoreLastLoginTime = false;
        reloginFromKeytab(z, ignoreLastLoginTime);
    }

    /**
     * Re-logs in from the keytab when this user is keytab based and a re-login is due.
     *
     * @param z when {@code true}, a re-login is due only if there is no TGT, the test override is
     *     set, or the TGT's refresh time has passed; when {@code false} it is always due
     * @param z2 passed through to {@code relogin}; {@code true} bypasses the minimum-interval check
     * @throws KerberosAuthException if no Hadoop login context exists
     * @throws IOException if the re-login fails
     */
    private void reloginFromKeytab(boolean z, boolean z2) throws IOException {
        if (!(shouldRelogin() && isFromKeytab())) {
            return;
        }
        HadoopLoginContext context = getLogin();
        if (context == null) {
            throw new KerberosAuthException(UGIExceptionMessages.MUST_FIRST_LOGIN_FROM_KEYTAB);
        }
        boolean due;
        if (!z) {
            due = true;
        } else {
            KerberosTicket tgt = getTGT();
            due = tgt == null || shouldRenewImmediatelyForTests || Time.now() >= getRefreshTime(tgt);
        }
        if (due) {
            relogin(context, z2);
        }
    }

    /**
     * Re-logs in from the ticket cache when this user is ticket based. Does nothing otherwise.
     *
     * @throws KerberosAuthException if no Hadoop login context exists
     * @throws IOException if the re-login fails
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public void reloginFromTicketCache() throws IOException {
        if (!(shouldRelogin() && isFromTicket())) {
            return;
        }
        HadoopLoginContext context = getLogin();
        if (context == null) {
            throw new KerberosAuthException(UGIExceptionMessages.MUST_FIRST_LOGIN);
        }
        final boolean ignoreLastLoginTime = false;
        relogin(context, ignoreLastLoginTime);
    }

    /**
     * Runs the re-login under the context's subject lock.
     *
     * <p>After the lock is taken the context is compared with the one currently stored on the user;
     * if they differ nothing happens — presumably because another thread already re-logged in
     * while this one was waiting.
     *
     * @param hadoopLoginContext the context the caller observed before locking
     * @param z {@code true} to bypass the minimum interval between re-logins
     * @throws IOException if the re-login fails
     */
    private void relogin(HadoopLoginContext hadoopLoginContext, boolean z) throws IOException {
        synchronized (hadoopLoginContext.getSubjectLock()) {
            boolean stillCurrent = hadoopLoginContext == getLogin();
            if (!stillCurrent) {
                return;
            }
            unprotectedRelogin(hadoopLoginContext, z);
        }
    }

    /**
     * Performs the logout/login cycle. The caller must hold the context's subject lock.
     *
     * <p>The old context is logged out before the new login is attempted, so when the new login
     * throws, the previous context has already been logged out and the stored login context is left
     * unchanged. The last-login time is updated before the attempt, which means a failed attempt
     * also counts towards the minimum interval.
     *
     * @param hadoopLoginContext the context to replace
     * @param z {@code true} to proceed even if the minimum interval has not elapsed
     * @throws KerberosAuthException wrapping any {@code LoginException} from logout or login
     * @throws IOException declared supertype of the above
     */
    private void unprotectedRelogin(HadoopLoginContext hadoopLoginContext, boolean z) throws IOException {
        // Decompiled form of an assert: verifies the subject lock is held when assertions are on.
        if (!$assertionsDisabled && !Thread.holdsLock(hadoopLoginContext.getSubjectLock())) {
            throw new AssertionError();
        }
        long now = Time.now();
        // The interval check runs first, so its warning is logged even when z forces the re-login.
        if (hasSufficientTimeElapsed(now) || z) {
            this.user.setLastLogin(now);
            try {
                LOG.debug("Initiating logout for {}", getUserName());
                hadoopLoginContext.logout();
                // Same app name, subject and configuration as the context being replaced.
                HadoopLoginContext newLoginContext = newLoginContext(hadoopLoginContext.getAppName(), hadoopLoginContext.getSubject(), hadoopLoginContext.getConfiguration());
                LOG.debug("Initiating re-login for {}", getUserName());
                newLoginContext.login();
                fixKerberosTicketOrder();
                // Publish the new context only after the login succeeded.
                setLogin(newLoginContext);
            } catch (LoginException e) {
                KerberosAuthException kerberosAuthException = new KerberosAuthException(UGIExceptionMessages.LOGIN_FAILURE, e);
                kerberosAuthException.setUser(getUserName());
                throw kerberosAuthException;
            }
        }
    }

    /**
     * Logs in from a keytab and returns the resulting user without installing it as login user.
     *
     * <p>When security is disabled the principal and keytab are ignored and the current user is
     * returned, so callers must not treat the result as proof that the keytab was used.
     *
     * @param str the principal to log in as
     * @param str2 path of the keytab file
     * @return the logged-in user, or the current user when security is disabled
     * @throws IOException if the login fails
     */
    public static UserGroupInformation loginUserFromKeytabAndReturnUGI(String str, String str2) throws IOException {
        if (isSecurityEnabled()) {
            LoginParams params = new LoginParams();
            params.put(LoginParam.PRINCIPAL, str);
            params.put(LoginParam.KEYTAB, str2);
            return doSubjectLogin(null, params);
        }
        return getCurrentUser();
    }

    /**
     * Checks the minimum interval between re-login attempts.
     *
     * @param j the current time in the same unit as the stored last-login time
     * @return {@code true} when the test override is set or at least
     *     {@code kerberosMinSecondsBeforeRelogin} has passed since the last login; otherwise
     *     {@code false}, after logging a warning
     */
    private boolean hasSufficientTimeElapsed(long j) {
        if (shouldRenewImmediatelyForTests) {
            return true;
        }
        if (j - this.user.getLastLogin() >= kerberosMinSecondsBeforeRelogin) {
            return true;
        }
        LOG.warn("Not attempting to re-login since the last re-login was attempted less than " + (kerberosMinSecondsBeforeRelogin / 1000) + " seconds before. Last Login=" + this.user.getLastLogin());
        return false;
    }

    /**
     * Tells whether the process-wide login user was logged in from a keytab.
     *
     * @return {@code getLoginUser().isFromKeytab()}
     * @throws IOException if the login user cannot be obtained
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static boolean isLoginKeytabBased() throws IOException {
        UserGroupInformation loginUser = getLoginUser();
        return loginUser.isFromKeytab();
    }

    /**
     * Tells whether the process-wide login user was logged in without a keytab.
     *
     * @return {@code getLoginUser().isFromTicket()}
     * @throws IOException if the login user cannot be obtained
     */
    public static boolean isLoginTicketBased() throws IOException {
        UserGroupInformation loginUser = getLoginUser();
        return loginUser.isFromTicket();
    }

    /**
     * Creates a remote user marked with the {@code SIMPLE} auth method.
     *
     * <p>No credential is checked here; the name is taken as given.
     *
     * @param str the user name; must be non-empty
     * @return the new user
     * @throws IllegalArgumentException if {@code str} is {@code null} or empty
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static UserGroupInformation createRemoteUser(String str) {
        final SaslRpcServer.AuthMethod defaultMethod = SaslRpcServer.AuthMethod.SIMPLE;
        return createRemoteUser(str, defaultMethod);
    }

    /**
     * Creates a user for a remote caller from a bare name and an auth method label.
     *
     * <p>The method only records the name and label on a fresh subject; it does not authenticate
     * anything, so the caller is responsible for having verified the identity.
     *
     * @param str the user name; must be non-empty
     * @param authMethod the auth method to record on the user
     * @return the new user
     * @throws IllegalArgumentException if {@code str} is {@code null} or empty
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static UserGroupInformation createRemoteUser(String str, SaslRpcServer.AuthMethod authMethod) {
        boolean missingName = str == null || str.isEmpty();
        if (missingName) {
            throw new IllegalArgumentException("Null user");
        }
        Subject remoteSubject = new Subject();
        remoteSubject.getPrincipals().add(new User(str));
        UserGroupInformation remoteUser = new UserGroupInformation(remoteSubject);
        remoteUser.setAuthenticationMethod(authMethod);
        return remoteUser;
    }

    /**
     * Creates a proxy user that acts as {@code str} on behalf of a real user.
     *
     * <p>This method performs no authorisation: it does not check whether the real user is allowed
     * to impersonate {@code str}. That decision has to be enforced where the proxy user is used.
     *
     * @param str the name of the user to impersonate; must be non-empty
     * @param userGroupInformation the real user behind the proxy; must not be {@code null}
     * @return a user with auth method {@code PROXY} whose subject also carries the real user
     * @throws IllegalArgumentException if either argument is missing
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static UserGroupInformation createProxyUser(String str, UserGroupInformation userGroupInformation) {
        boolean missingName = str == null || str.isEmpty();
        if (missingName) {
            throw new IllegalArgumentException("Null user");
        }
        if (userGroupInformation == null) {
            throw new IllegalArgumentException("Null real user");
        }
        Subject proxySubject = new Subject();
        Set<Principal> proxyPrincipals = proxySubject.getPrincipals();
        proxyPrincipals.add(new User(str, AuthenticationMethod.PROXY, null));
        proxyPrincipals.add(new RealUser(userGroupInformation));
        return new UserGroupInformation(proxySubject);
    }

    /**
     * Returns the real user behind a proxy user.
     *
     * @return the user wrapped by the first {@code RealUser} principal, or {@code null} when the
     *     subject has none
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public UserGroupInformation getRealUser() {
        for (RealUser principal : this.subject.getPrincipals(RealUser.class)) {
            return principal.getRealUser();
        }
        return null;
    }

    /**
     * Creates a remote user with a fixed group list, for tests.
     *
     * <p>Side effect: the static {@code groups} resolver is wrapped in a {@code TestingGroups} the
     * first time this is called, which affects group lookups for the whole process.
     *
     * @param str the user name
     * @param strArr the groups to report for that user's short name
     * @return the new remote user
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static UserGroupInformation createUserForTesting(String str, String[] strArr) {
        ensureInitialized();
        UserGroupInformation testUser = createRemoteUser(str);
        boolean alreadyWrapped = groups instanceof TestingGroups;
        if (!alreadyWrapped) {
            groups = new TestingGroups(groups);
        }
        TestingGroups testingGroups = (TestingGroups) groups;
        testingGroups.setUserGroups(testUser.getShortUserName(), strArr);
        return testUser;
    }

    /**
     * Creates a proxy user with a fixed group list, for tests.
     *
     * <p>Side effect: the static {@code groups} resolver is wrapped in a {@code TestingGroups} the
     * first time this is called, which affects group lookups for the whole process.
     *
     * @param str the name of the user to impersonate
     * @param userGroupInformation the real user behind the proxy
     * @param strArr the groups to report for the proxy user's short name
     * @return the new proxy user
     */
    public static UserGroupInformation createProxyUserForTesting(String str, UserGroupInformation userGroupInformation, String[] strArr) {
        ensureInitialized();
        UserGroupInformation testProxy = createProxyUser(str, userGroupInformation);
        boolean alreadyWrapped = groups instanceof TestingGroups;
        if (!alreadyWrapped) {
            groups = new TestingGroups(groups);
        }
        TestingGroups testingGroups = (TestingGroups) groups;
        testingGroups.setUserGroups(testProxy.getShortUserName(), strArr);
        return testProxy;
    }

    /**
     * Returns the short name of the underlying {@code User}.
     *
     * @return {@code user.getShortName()}
     */
    public String getShortUserName() {
        final String shortName = this.user.getShortName();
        return shortName;
    }

    /**
     * Returns the first group of this user.
     *
     * @return the first entry of {@link #getGroups()}
     * @throws IOException if the user has no groups
     */
    public String getPrimaryGroupName() throws IOException {
        List<String> memberships = getGroups();
        if (!memberships.isEmpty()) {
            return memberships.get(0);
        }
        throw new IOException("There is no primary group for UGI " + this);
    }

    /**
     * Returns the full name of the underlying {@code User}.
     *
     * @return {@code user.getName()}
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public String getUserName() {
        final String fullName = this.user.getName();
        return fullName;
    }

    /**
     * Adds a token identifier to the subject's public credentials.
     *
     * @param tokenIdentifier the identifier to add
     * @return the result of the underlying {@code Set.add}
     */
    public synchronized boolean addTokenIdentifier(TokenIdentifier tokenIdentifier) {
        Set<Object> publicCredentials = this.subject.getPublicCredentials();
        return publicCredentials.add(tokenIdentifier);
    }

    /**
     * Returns the token identifiers held in the subject's public credentials.
     *
     * @return the set produced by {@code Subject.getPublicCredentials(TokenIdentifier.class)}
     */
    public synchronized Set<TokenIdentifier> getTokenIdentifiers() {
        Set<TokenIdentifier> identifiers = this.subject.getPublicCredentials(TokenIdentifier.class);
        return identifiers;
    }

    /**
     * Adds a token under its own service name.
     *
     * @param token the token to add; {@code null} is ignored
     * @return {@code false} for a {@code null} token, otherwise the result of the two-argument
     *     overload
     */
    public boolean addToken(Token<? extends TokenIdentifier> token) {
        return token != null && addToken(token.getService(), token);
    }

    /**
     * Adds a token under the given alias while holding the subject's monitor.
     *
     * @param text the alias to store the token under
     * @param token the token to add
     * @return always {@code true}
     */
    public boolean addToken(Text text, Token<? extends TokenIdentifier> token) {
        synchronized (this.subject) {
            Credentials store = getCredentialsInternal();
            store.addToken(text, token);
        }
        return true;
    }

    /**
     * Returns a read-only snapshot of all tokens of this user.
     *
     * <p>The tokens are copied under the subject's monitor, so later changes to the credentials do
     * not show up in the returned collection. Private tokens are included.
     *
     * @return an unmodifiable copy of the current tokens
     */
    public Collection<Token<? extends TokenIdentifier>> getTokens() {
        synchronized (this.subject) {
            List<Token<? extends TokenIdentifier>> snapshot = new ArrayList<>(getCredentialsInternal().getAllTokens());
            return Collections.unmodifiableCollection(snapshot);
        }
    }

    /**
     * Returns a copy of this user's credentials with private tokens stripped.
     *
     * <p>The copy is made under the subject's monitor. Tokens for which {@code isPrivate()} is true
     * are removed through the iterator of the copy's {@code getAllTokens()} — this assumes that
     * collection is a live view of the copy; confirm against {@code Credentials}.
     *
     * @return the filtered copy
     */
    public Credentials getCredentials() {
        synchronized (this.subject) {
            Credentials copy = new Credentials(getCredentialsInternal());
            for (Iterator<Token<? extends TokenIdentifier>> tokens = copy.getAllTokens().iterator(); tokens.hasNext();) {
                Token<? extends TokenIdentifier> token = tokens.next();
                if (token.isPrivate()) {
                    tokens.remove();
                }
            }
            return copy;
        }
    }

    /**
     * Merges the given credentials into this user's credentials under the subject's monitor.
     *
     * @param credentials the credentials to add
     */
    public void addCredentials(Credentials credentials) {
        synchronized (this.subject) {
            Credentials store = getCredentialsInternal();
            store.addAll(credentials);
        }
    }

    /**
     * Returns the live {@code Credentials} object stored in the subject's private credentials,
     * creating and storing an empty one when the subject has none yet.
     *
     * @return the subject's credentials object, never {@code null}
     */
    private synchronized Credentials getCredentialsInternal() {
        Set<Credentials> stored = this.subject.getPrivateCredentials(Credentials.class);
        if (!stored.isEmpty()) {
            return stored.iterator().next();
        }
        Credentials fresh = new Credentials();
        this.subject.getPrivateCredentials().add(fresh);
        return fresh;
    }

    /**
     * Returns this user's groups as an array.
     *
     * @return the entries of {@link #getGroups()}, in the same order; empty when there are none
     */
    public String[] getGroupNames() {
        List<String> memberships = getGroups();
        String[] names = new String[memberships.size()];
        return memberships.toArray(names);
    }

    /**
     * Resolves the groups of this user by short name.
     *
     * <p>A lookup failure is logged at debug level and reported as an empty list, so callers cannot
     * tell "no groups" from "lookup failed". Code that makes access decisions on the result should
     * keep that in mind.
     *
     * @return the user's groups, or an empty list when the lookup throws
     */
    public List<String> getGroups() {
        ensureInitialized();
        List<String> resolved;
        try {
            resolved = groups.getGroups(getShortUserName());
        } catch (IOException e) {
            LOG.debug("Failed to get groups for user {}", getShortUserName(), e);
            resolved = Collections.emptyList();
        }
        return resolved;
    }

    /**
     * Renders the user name, its auth method and, for a proxy user, the real user behind it.
     *
     * @return the user name followed by {@code " (auth:<method>"} and the closing symbol, plus
     *     {@code " via <real user>"} when a real user exists
     */
    @Override
    public String toString() {
        StringBuilder text = new StringBuilder(getUserName());
        String authPart = " (auth:" + getAuthenticationMethod() + DefaultExpressionEngineSymbols.DEFAULT_INDEX_END;
        text.append(authPart);
        if (getRealUser() != null) {
            text.append(" via ");
            text.append(getRealUser().toString());
        }
        return text.toString();
    }

    /**
     * Records the authentication method on the underlying {@code User}.
     *
     * @param authenticationMethod2 the method to record
     */
    public synchronized void setAuthenticationMethod(AuthenticationMethod authenticationMethod2) {
        final User target = this.user;
        target.setAuthenticationMethod(authenticationMethod2);
    }

    /**
     * Records the authentication method that corresponds to the given SASL auth method.
     *
     * <p>Unlike the {@code AuthenticationMethod} overload, this one is not synchronized.
     *
     * @param authMethod the SASL auth method to translate and record
     */
    public void setAuthenticationMethod(SaslRpcServer.AuthMethod authMethod) {
        AuthenticationMethod translated = AuthenticationMethod.valueOf(authMethod);
        this.user.setAuthenticationMethod(translated);
    }

    /**
     * Returns the authentication method recorded on the underlying {@code User}.
     *
     * @return {@code user.getAuthenticationMethod()}
     */
    public synchronized AuthenticationMethod getAuthenticationMethod() {
        final AuthenticationMethod recorded = this.user.getAuthenticationMethod();
        return recorded;
    }

    /**
     * Returns the authentication method of the real user when there is one, else this user's own.
     *
     * @return the real user's method for a proxy user, otherwise this user's method
     */
    public synchronized AuthenticationMethod getRealAuthenticationMethod() {
        UserGroupInformation realUser = getRealUser();
        UserGroupInformation effective = realUser != null ? realUser : this;
        return effective.getAuthenticationMethod();
    }

    /**
     * Returns the authentication method behind the given user, looking through one proxy level.
     *
     * @param userGroupInformation the user to inspect; must not be {@code null}
     * @return the real user's method when the user's own method is {@code PROXY}, else its own
     * @throws NullPointerException if the method is {@code PROXY} but the user has no real user
     */
    public static AuthenticationMethod getRealAuthenticationMethod(UserGroupInformation userGroupInformation) {
        AuthenticationMethod ownMethod = userGroupInformation.getAuthenticationMethod();
        if (ownMethod != AuthenticationMethod.PROXY) {
            return ownMethod;
        }
        return userGroupInformation.getRealUser().getAuthenticationMethod();
    }

    /**
     * Two instances are equal when they are of the same class and wrap the very same
     * {@code Subject} object (identity, not {@code Subject.equals}).
     *
     * @param obj the object to compare with
     * @return {@code true} when both wrap the same subject instance
     */
    @Override
    public boolean equals(Object obj) {
        if (obj == this) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        UserGroupInformation other = (UserGroupInformation) obj;
        return this.subject == other.subject;
    }

    /**
     * Identity hash of the wrapped subject, consistent with the identity-based {@code equals}.
     *
     * @return {@code System.identityHashCode(subject)}
     */
    @Override
    public int hashCode() {
        final Subject wrapped = this.subject;
        return System.identityHashCode(wrapped);
    }

    /**
     * Exposes the wrapped subject itself, not a copy; it carries the user's private credentials.
     *
     * @return the live subject
     */
    protected Subject getSubject() {
        final Subject wrapped = this.subject;
        return wrapped;
    }

    /**
     * Runs the action with this user's subject bound to the access-control context.
     *
     * <p>With debug logging on, the call site is recorded by logging a fresh {@code Exception} for
     * its stack trace.
     *
     * @param privilegedAction the action to run
     * @param <T> the action's result type
     * @return whatever the action returns
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public <T> T doAs(PrivilegedAction<T> privilegedAction) {
        boolean traceCaller = LOG.isDebugEnabled();
        if (traceCaller) {
            LOG.debug("PrivilegedAction [as: {}][action: {}]", this, privilegedAction, new Exception());
        }
        T result = (T) Subject.doAs(this.subject, privilegedAction);
        return result;
    }

    /**
     * Runs the action with this user's subject bound to the access-control context and unwraps
     * the {@code PrivilegedActionException} it may raise.
     *
     * @param privilegedExceptionAction the action to run
     * @param <T> the action's result type
     * @return whatever the action returns
     * @throws IOException if the action threw one
     * @throws InterruptedException if the action threw one
     * @throws RuntimeException if the action threw one, or if the wrapper carried no cause
     * @throws Error if the action threw one
     * @throws UndeclaredThrowableException for any other checked cause
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public <T> T doAs(PrivilegedExceptionAction<T> privilegedExceptionAction) throws IOException, InterruptedException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("PrivilegedAction [as: {}][action: {}]", this, privilegedExceptionAction, new Exception());
        }
        try {
            return (T) Subject.doAs(this.subject, privilegedExceptionAction);
        } catch (PrivilegedActionException wrapper) {
            Throwable cause = wrapper.getCause();
            LOG.debug("PrivilegedActionException as: {}", this, cause);
            if (cause == null) {
                throw new RuntimeException("PrivilegedActionException with no underlying cause. UGI [" + this + "]: " + wrapper, wrapper);
            } else if (cause instanceof IOException) {
                throw (IOException) cause;
            } else if (cause instanceof Error) {
                throw (Error) cause;
            } else if (cause instanceof RuntimeException) {
                throw (RuntimeException) cause;
            } else if (cause instanceof InterruptedException) {
                throw (InterruptedException) cause;
            } else {
                throw new UndeclaredThrowableException(cause);
            }
        }
    }

    /**
     * Writes a user and each of its tokens to the given logger at debug level.
     *
     * <p>Each token is logged through its {@code toString()}; what that reveals depends on the
     * {@code Token} class — NOTE(review): confirm it does not include the token password.
     *
     * @param logger the logger to write to
     * @param str a caption placed before the user
     * @param userGroupInformation the user to describe
     * @throws IOException declared by the signature; nothing visible here throws it
     */
    @InterfaceAudience.LimitedPrivate({"HDFS", "KMS"})
    @InterfaceStability.Unstable
    public static void logUserInfo(Logger logger, String str, UserGroupInformation userGroupInformation) throws IOException {
        if (!logger.isDebugEnabled()) {
            return;
        }
        logger.debug(str + " UGI: " + userGroupInformation);
        for (Token<? extends TokenIdentifier> token : userGroupInformation.getTokens()) {
            logger.debug("+token:" + token);
        }
    }

    /**
     * Writes the current user, the real user behind the given user (if any) and the login user to
     * the given logger at debug level.
     *
     * @param logger the logger to write to
     * @param userGroupInformation the user whose real user is reported
     * @throws IOException if the current or login user cannot be obtained
     */
    @InterfaceAudience.LimitedPrivate({"HDFS", "KMS"})
    @InterfaceStability.Unstable
    public static void logAllUserInfo(Logger logger, UserGroupInformation userGroupInformation) throws IOException {
        if (!logger.isDebugEnabled()) {
            return;
        }
        logUserInfo(logger, "Current", getCurrentUser());
        if (userGroupInformation.getRealUser() != null) {
            logUserInfo(logger, "Real", userGroupInformation.getRealUser());
        }
        logUserInfo(logger, "Login", getLoginUser());
    }

    /**
     * Same as the two-argument overload, writing to this class's own logger.
     *
     * @param userGroupInformation the user whose real user is reported
     * @throws IOException if the current or login user cannot be obtained
     */
    public static void logAllUserInfo(UserGroupInformation userGroupInformation) throws IOException {
        final Logger classLogger = LOG;
        logAllUserInfo(classLogger, userGroupInformation);
    }

    /**
     * Prints the user name and group names to standard output. The "Group Ids" line is printed
     * with no values.
     *
     * @throws IOException declared by the signature; nothing visible here throws it
     */
    private void print() throws IOException {
        System.out.println("User: " + getUserName());
        System.out.print("Group Ids: ");
        System.out.println();
        String[] names = getGroupNames();
        System.out.print("Groups: ");
        for (int i = 0; i < names.length; i++) {
            System.out.print(names[i] + " ");
        }
        System.out.println();
    }

    /**
     * Performs the JAAS login and wraps the resulting subject.
     *
     * <p>With neither a subject nor parameters, the default login parameters are used. Only when no
     * subject was supplied is the login context stored on the new user (together with the login
     * time and the resolved principal); a user built from an external subject therefore has no
     * Hadoop login context of its own.
     *
     * @param subject an externally authenticated subject, or {@code null} to log in from parameters
     * @param loginParams principal, keytab and ticket cache settings; may be {@code null}
     * @return the logged-in user
     * @throws KerberosAuthException when the JAAS login fails; it carries the principal, keytab and
     *     ticket cache from the parameters when those are available
     * @throws IOException declared supertype of the above
     */
    private static UserGroupInformation doSubjectLogin(Subject subject, LoginParams loginParams) throws IOException {
        ensureInitialized();
        final boolean loginFromParams = subject == null;
        if (loginFromParams && loginParams == null) {
            loginParams = LoginParams.getDefaults();
        }
        try {
            HadoopLoginContext context = newLoginContext(authenticationMethod.getLoginAppName(), subject, new HadoopConfiguration(loginParams));
            context.login();
            UserGroupInformation loggedIn = new UserGroupInformation(context.getSubject());
            if (loginFromParams) {
                loginParams.put(LoginParam.PRINCIPAL, loggedIn.getUserName());
                loggedIn.setLogin(context);
                loggedIn.setLastLogin(Time.now());
            }
            return loggedIn;
        } catch (LoginException e) {
            KerberosAuthException failure = new KerberosAuthException(UGIExceptionMessages.FAILURE_TO_LOGIN, e);
            if (loginParams != null) {
                failure.setPrincipal(loginParams.get(LoginParam.PRINCIPAL));
                failure.setKeytabFile(loginParams.get(LoginParam.KEYTAB));
                failure.setTicketCacheFile(loginParams.get(LoginParam.CCACHE));
            }
            throw failure;
        }
    }

    /**
     * Diagnostic entry point: prints the current user and, when given exactly two arguments,
     * logs in from a keytab and prints the result.
     *
     * @param strArr either empty, or {@code [principal, keytab path]}
     * @throws Exception if a lookup or the keytab login fails
     */
    public static void main(String[] strArr) throws Exception {
        System.out.println("Getting UGI for current user");
        UserGroupInformation before = getCurrentUser();
        before.print();
        System.out.println("UGI: " + before);
        System.out.println("Auth method " + before.user.getAuthenticationMethod());
        System.out.println("Keytab " + before.isFromKeytab());
        System.out.println("============================================================");
        if (strArr.length != 2) {
            return;
        }
        String principal = strArr[0];
        String keytabPath = strArr[1];
        System.out.println("Getting UGI from keytab....");
        loginUserFromKeytab(principal, keytabPath);
        getCurrentUser().print();
        // As in the original, this line prints the user obtained before the keytab login.
        System.out.println("Keytab: " + before);
        UserGroupInformation afterLogin = getLoginUser();
        System.out.println("Auth method " + afterLogin.getAuthenticationMethod());
        System.out.println("Keytab " + afterLogin.isFromKeytab());
    }

    // Class initialiser (decompiled form): sets up the assertion flag, logger, metrics, the empty
    // renewal-executor slot and login-user reference, then the platform-dependent JAAS names.
    static {
        // Compiler-generated flag read by the assert check in unprotectedRelogin.
        $assertionsDisabled = !UserGroupInformation.class.desiredAssertionStatus();
        LOG = LoggerFactory.getLogger((Class<?>) UserGroupInformation.class);
        shouldRenewImmediatelyForTests = false;
        metrics = UgiMetrics.create();
        // No renewal executor and no login user until a login creates them.
        kerberosLoginRenewalExecutor = Optional.empty();
        loginUserRef = new AtomicReference<>();
        // Must be assigned before the two calls below, which both read this flag.
        windows = System.getProperty("os.name").startsWith("Windows");
        OS_LOGIN_MODULE_NAME = getOSLoginModuleName();
        // May be null: getOsPrincipalClass() only logs when the class cannot be loaded.
        OS_PRINCIPAL_CLASS = getOsPrincipalClass();
    }
}
