package org.apache.hadoop.hbase.security.access;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hbase.Cell;
import org.apache.hadoop.hbase.CellUtil;
import org.apache.hadoop.hbase.NamespaceDescriptor;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.TableNotFoundException;
import org.apache.hadoop.hbase.client.Admin;
import org.apache.hadoop.hbase.client.ColumnFamilyDescriptorBuilder;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.Delete;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.Put;
import org.apache.hadoop.hbase.client.RegionInfo;
import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.client.ResultScanner;
import org.apache.hadoop.hbase.client.Scan;
import org.apache.hadoop.hbase.client.SnapshotDescription;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.client.TableDescriptor;
import org.apache.hadoop.hbase.client.TableDescriptorBuilder;
import org.apache.hadoop.hbase.coprocessor.CoreCoprocessor;
import org.apache.hadoop.hbase.coprocessor.HasMasterServices;
import org.apache.hadoop.hbase.coprocessor.MasterCoprocessor;
import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.MasterObserver;
import org.apache.hadoop.hbase.coprocessor.ObserverContext;
import org.apache.hadoop.hbase.master.MasterServices;
import org.apache.hadoop.hbase.mob.MobConstants;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.UserProvider;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.security.access.SnapshotScannerHDFSAclHelper;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.hbase.util.Pair;
import org.apache.hbase.thirdparty.com.google.common.collect.Sets;
import org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.LimitedPrivate({"Configuration"})
@CoreCoprocessor
/* loaded from: input_file:org/apache/hadoop/hbase/security/access/SnapshotScannerHDFSAclController.class */
public class SnapshotScannerHDFSAclController implements MasterCoprocessor, MasterObserver {
    private static final Logger LOG = LoggerFactory.getLogger(SnapshotScannerHDFSAclController.class);
    private SnapshotScannerHDFSAclHelper hdfsAclHelper = null;
    private SnapshotScannerHDFSAclHelper.PathHelper pathHelper = null;
    private MasterServices masterServices = null;
    private volatile boolean initialized = false;
    private volatile boolean aclTableInitialized = false;
    private UserProvider userProvider;

    /* renamed from: org.apache.hadoop.hbase.security.access.SnapshotScannerHDFSAclController$1, reason: invalid class name */
    /* loaded from: input_file:org/apache/hadoop/hbase/security/access/SnapshotScannerHDFSAclController$1.class */
    static /* synthetic */ class AnonymousClass1 {
        /**
         * Lookup table indexed by {@code Permission.Scope.ordinal()}: GLOBAL maps to 1, NAMESPACE to 2
         * and TABLE to 3. Any other scope keeps the array default of 0, so a switch over this table
         * reaches its {@code default} branch for it.
         */
        static final /* synthetic */ int[] $SwitchMap$org$apache$hadoop$hbase$security$access$Permission$Scope;

        static {
            final int[] caseByOrdinal = new int[Permission.Scope.values().length];
            // Each constant is guarded on its own: a constant missing at link time is skipped
            // without preventing the remaining ones from being registered.
            try {
                caseByOrdinal[Permission.Scope.GLOBAL.ordinal()] = 1;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                caseByOrdinal[Permission.Scope.NAMESPACE.ordinal()] = 2;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                caseByOrdinal[Permission.Scope.TABLE.ordinal()] = 3;
            } catch (NoSuchFieldError ignored) {
            }
            $SwitchMap$org$apache$hadoop$hbase$security$access$Permission$Scope = caseByOrdinal;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/hadoop/hbase/security/access/SnapshotScannerHDFSAclController$SnapshotScannerHDFSAclStorage.class */
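    /**
     * Bookkeeping for which users are recorded as having HDFS ACLs, stored in the HBase ACL table.
     *
     * <p>Layout, as written by this class: the row key is the scope entry
     * ({@code PermissionStorage.ACL_GLOBAL_NAME}, a namespace entry produced by
     * {@code PermissionStorage.toNamespaceEntry}, or the table name bytes), the column family is
     * {@link #HDFS_ACL_FAMILY}, the qualifier is the user name and the value is the fixed marker "R".
     *
     * <p>NOTE(review): these rows are what the controller consults to decide whether an HDFS ACL is
     * already in place, so write access to this family should be as tightly held as the ACL table
     * itself. Confirm against the deployment's grants.
     */
    public static final class SnapshotScannerHDFSAclStorage {
        /** Column family in the ACL table that holds the HDFS-ACL marker cells. */
        static final byte[] HDFS_ACL_FAMILY = Bytes.toBytes("m");
        /** Constant cell value; only the presence of the cell is checked by this class. */
        private static final byte[] HDFS_ACL_VALUE = Bytes.toBytes("R");

        SnapshotScannerHDFSAclStorage() {
        }

        /** Records that user {@code str} has a marker at global scope. */
        static void addUserGlobalHdfsAcl(Table table, String str) throws IOException {
            addUserEntry(table, str, PermissionStorage.ACL_GLOBAL_NAME);
        }

        /** Records that user {@code str} has a marker for namespace {@code str2}. */
        static void addUserNamespaceHdfsAcl(Table table, String str, String str2) throws IOException {
            addUserEntry(table, str, Bytes.toBytes(PermissionStorage.toNamespaceEntry(str2)));
        }

        /**
         * Records a table-scope marker for every user in {@code set}. Opens the ACL table from
         * {@code connection} and closes it when done, including on failure.
         */
        static void addUserTableHdfsAcl(Connection connection, Set<String> set, TableName tableName) throws IOException {
            try (Table aclTable = connection.getTable(PermissionStorage.ACL_TABLE_NAME)) {
                for (String user : set) {
                    addUserTableHdfsAcl(aclTable, user, tableName);
                }
            }
        }

        /** Records a table-scope marker for user {@code str}, opening and closing the ACL table itself. */
        static void addUserTableHdfsAcl(Connection connection, String str, TableName tableName) throws IOException {
            try (Table aclTable = connection.getTable(PermissionStorage.ACL_TABLE_NAME)) {
                addUserTableHdfsAcl(aclTable, str, tableName);
            }
        }

        /** Records a table-scope marker for user {@code str} using an already open ACL table. */
        static void addUserTableHdfsAcl(Table table, String str, TableName tableName) throws IOException {
            addUserEntry(table, str, tableName.getName());
        }

        /** Writes the marker cell (row {@code bArr}, qualifier = user name {@code str}). */
        private static void addUserEntry(Table table, String str, byte[] bArr) throws IOException {
            Put put = new Put(bArr);
            put.addColumn(HDFS_ACL_FAMILY, Bytes.toBytes(str), HDFS_ACL_VALUE);
            table.put(put);
        }

        /** Removes the global-scope marker of user {@code str}. */
        static void deleteUserGlobalHdfsAcl(Table table, String str) throws IOException {
            deleteUserEntry(table, str, PermissionStorage.ACL_GLOBAL_NAME);
        }

        /** Removes the marker of user {@code str} for namespace {@code str2}. */
        static void deleteUserNamespaceHdfsAcl(Table table, String str, String str2) throws IOException {
            deleteUserEntry(table, str, Bytes.toBytes(PermissionStorage.toNamespaceEntry(str2)));
        }

        /** Removes the table-scope marker of user {@code str}. */
        static void deleteUserTableHdfsAcl(Table table, String str, TableName tableName) throws IOException {
            deleteUserEntry(table, str, tableName.getName());
        }

        /**
         * Removes the table-scope marker of every user in {@code set}. Opens the ACL table from
         * {@code connection} and closes it when done, including on failure.
         */
        static void deleteUserTableHdfsAcl(Connection connection, Set<String> set, TableName tableName) throws IOException {
            try (Table aclTable = connection.getTable(PermissionStorage.ACL_TABLE_NAME)) {
                for (String user : set) {
                    deleteUserTableHdfsAcl(aclTable, user, tableName);
                }
            }
        }

        /** Deletes all versions of one user's marker cell in row {@code bArr}. */
        private static void deleteUserEntry(Table table, String str, byte[] bArr) throws IOException {
            Delete delete = new Delete(bArr);
            delete.addColumns(HDFS_ACL_FAMILY, Bytes.toBytes(str));
            table.delete(delete);
        }

        /** Drops every user marker recorded for namespace {@code str}. */
        static void deleteNamespaceHdfsAcl(Connection connection, String str) throws IOException {
            try (Table aclTable = connection.getTable(PermissionStorage.ACL_TABLE_NAME)) {
                deleteEntry(aclTable, Bytes.toBytes(PermissionStorage.toNamespaceEntry(str)));
            }
        }

        /** Drops every user marker recorded for {@code tableName}. */
        static void deleteTableHdfsAcl(Table table, TableName tableName) throws IOException {
            deleteEntry(table, tableName.getName());
        }

        /** Deletes the whole marker family of row {@code bArr}; other families of the row are untouched. */
        private static void deleteEntry(Table table, byte[] bArr) throws IOException {
            Delete delete = new Delete(bArr);
            delete.addFamily(HDFS_ACL_FAMILY);
            table.delete(delete);
        }

        /** Returns the users that have a marker recorded for {@code tableName}. */
        static Set<String> getTableUsers(Table table, TableName tableName) throws IOException {
            return getEntryUsers(table, tableName.getName());
        }

        /**
         * Returns the user names (cell qualifiers) stored in the marker family of row {@code bArr}.
         *
         * @return a fresh mutable set; empty when the row has no marker cells
         */
        /* JADX INFO: Access modifiers changed from: private */
        public static Set<String> getEntryUsers(Table table, byte[] bArr) throws IOException {
            Set<String> users = new HashSet<>();
            Get get = new Get(bArr);
            get.addFamily(HDFS_ACL_FAMILY);
            // listCells() may return null (the original code guards against it), e.g. for an empty Result.
            List<Cell> cells = table.get(get).listCells();
            if (cells == null) {
                return users;
            }
            for (Cell cell : cells) {
                if (cell != null) {
                    users.add(Bytes.toString(CellUtil.cloneQualifier(cell)));
                }
            }
            return users;
        }

        /**
         * Splits the rows that carry a marker for user {@code str} into namespaces and tables.
         * Rows that are neither a namespace entry nor a table entry (such as the global row) are
         * left out of both sets.
         *
         * @return pair of (namespace names, table names)
         */
        static Pair<Set<String>, Set<TableName>> getUserNamespaceAndTable(Table table, String str) throws IOException {
            Set<String> namespaces = new HashSet<>();
            Set<TableName> tables = new HashSet<>();
            for (byte[] entry : getUserEntries(table, str)) {
                if (PermissionStorage.isNamespaceEntry(entry)) {
                    namespaces.add(Bytes.toString(PermissionStorage.fromNamespaceEntry(entry)));
                } else if (PermissionStorage.isTableEntry(entry)) {
                    tables.add(TableName.valueOf(entry));
                }
            }
            return new Pair<>(namespaces, tables);
        }

        /**
         * Scans the ACL table for every row that holds a marker cell for user {@code str} and
         * returns the row keys.
         */
        static List<byte[]> getUserEntries(Table table, String str) throws IOException {
            Scan scan = new Scan();
            scan.addColumn(HDFS_ACL_FAMILY, Bytes.toBytes(str));
            List<byte[]> rows = new ArrayList<>();
            // The scanner is closed here even when iteration fails; the previous code never
            // closed it, leaving the scanner open after every call.
            try (ResultScanner scanner = table.getScanner(scan)) {
                for (Result result : scanner) {
                    if (result != null && result.getRow() != null) {
                        rows.add(result.getRow());
                    }
                }
            }
            return rows;
        }

        /** Tells whether user {@code str} has a global-scope marker. */
        static boolean hasUserGlobalHdfsAcl(Table table, String str) throws IOException {
            return hasUserEntry(table, str, PermissionStorage.ACL_GLOBAL_NAME);
        }

        /** Tells whether user {@code str} has a marker for namespace {@code str2}. */
        static boolean hasUserNamespaceHdfsAcl(Table table, String str, String str2) throws IOException {
            return hasUserEntry(table, str, Bytes.toBytes(PermissionStorage.toNamespaceEntry(str2)));
        }

        /** Tells whether user {@code str} has a marker for {@code tableName}. */
        static boolean hasUserTableHdfsAcl(Table table, String str, TableName tableName) throws IOException {
            return hasUserEntry(table, str, tableName.getName());
        }

        /** Existence check for the marker cell (row {@code bArr}, qualifier = user name {@code str}). */
        private static boolean hasUserEntry(Table table, String str, byte[] bArr) throws IOException {
            Get get = new Get(bArr);
            get.addColumn(HDFS_ACL_FAMILY, Bytes.toBytes(str));
            return table.exists(get);
        }
    }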

    /** Exposes this coprocessor as its own {@link MasterObserver}; never returns an empty Optional. */
    @Override // org.apache.hadoop.hbase.coprocessor.MasterCoprocessor
    public Optional<MasterObserver> getMasterObserver() {
        final MasterObserver self = this;
        return Optional.of(self);
    }

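    /**
     * Prepares the HDFS ACL helper when {@code SnapshotScannerHDFSAclHelper.ACL_SYNC_TO_HDFS_ENABLE}
     * is true; otherwise logs a warning and leaves the coprocessor uninitialized.
     *
     * <p>The {@code initialized} flag is written last so that a thread observing it as {@code true}
     * also observes {@code userProvider}, {@code hdfsAclHelper} and {@code pathHelper}. The previous
     * ordering set the flag before {@code userProvider} was assigned.
     *
     * @throws IOException if the environment does not expose master services, or if a helper call fails
     */
    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preMasterInitialization(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        MasterCoprocessorEnvironment environment = observerContext.getEnvironment();
        Configuration configuration = environment.getConfiguration();
        if (!configuration.getBoolean(SnapshotScannerHDFSAclHelper.ACL_SYNC_TO_HDFS_ENABLE, false)) {
            LOG.warn("Try to initialize the coprocessor SnapshotScannerHDFSAclController but failure because the config hbase.acl.sync.to.hdfs.enable is false.");
            return;
        }
        if (!(environment instanceof HasMasterServices)) {
            throw new IOException("Does not implement HMasterServices");
        }
        this.masterServices = ((HasMasterServices) environment).getMasterServices();
        // Resolve the user provider before any helper state exists, so a failure here cannot
        // leave a helper behind that is never closed.
        this.userProvider = UserProvider.instantiate(configuration);
        this.hdfsAclHelper = new SnapshotScannerHDFSAclHelper(this.masterServices.getConfiguration(), this.masterServices.getConnection());
        this.pathHelper = this.hdfsAclHelper.getPathHelper();
        this.hdfsAclHelper.setCommonDirectoryPermission();
        // Volatile write: publishes every field assigned above.
        this.initialized = true;
    }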

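    /**
     * After master start-up, makes sure the ACL table carries the HDFS-ACL marker family and then
     * flags the ACL table as ready. Does nothing when the coprocessor was not initialized.
     *
     * <p>The ACL table must already exist. Per the error message below, that means this coprocessor
     * has to be configured after {@code AccessController}.
     *
     * @throws TableNotFoundException if the ACL table is missing
     * @throws IOException on any admin failure; a failure while closing the Admin is attached as a
     *     suppressed exception instead of replacing the original error
     */
    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postStartMaster(ObserverContext<MasterCoprocessorEnvironment> observerContext) throws IOException {
        if (!this.initialized) {
            return;
        }
        try (Admin admin = observerContext.getEnvironment().getConnection().getAdmin()) {
            if (!admin.tableExists(PermissionStorage.ACL_TABLE_NAME)) {
                throw new TableNotFoundException("Table " + PermissionStorage.ACL_TABLE_NAME + " is not created yet. Please check if " + getClass().getName() + " is configured after " + AccessController.class.getName());
            }
            TableDescriptor descriptor = admin.getDescriptor(PermissionStorage.ACL_TABLE_NAME);
            boolean hasHdfsAclFamily = Arrays.stream(descriptor.getColumnFamilies())
                    .anyMatch(family -> Bytes.equals(family.getName(), SnapshotScannerHDFSAclStorage.HDFS_ACL_FAMILY));
            if (!hasHdfsAclFamily) {
                // Schema change on the ACL table: add the marker family with default settings.
                admin.modifyTable(TableDescriptorBuilder.newBuilder(descriptor).setColumnFamily(ColumnFamilyDescriptorBuilder.newBuilder(SnapshotScannerHDFSAclStorage.HDFS_ACL_FAMILY).build()).build());
            }
            this.aclTableInitialized = true;
        }
    }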

    /** Closes the HDFS ACL helper on master shutdown; a no-op when initialization never completed. */
    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void preStopMaster(ObserverContext<MasterCoprocessorEnvironment> observerContext) {
        if (!this.initialized) {
            return;
        }
        this.hdfsAclHelper.close();
    }

    /**
     * After a table is created, creates its directories through the helper, adds a table ACL for
     * the user who issued the request, and records the matching marker in the ACL table.
     *
     * <p>Whether the table is handled at all is decided by {@code needHandleTableHdfsAcl}, defined
     * elsewhere in this class.
     */
    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postCompletedCreateTableAction(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableDescriptor tableDescriptor, RegionInfo[] regionInfoArr) throws IOException {
        if (!needHandleTableHdfsAcl(tableDescriptor, "createTable " + tableDescriptor.getTableName())) {
            return;
        }
        final TableName createdTable = tableDescriptor.getTableName();
        this.hdfsAclHelper.createTableDirectories(createdTable);
        // The creator is identified by short name; that same string becomes the marker qualifier.
        final String creator = getActiveUser(observerContext).getShortName();
        this.hdfsAclHelper.addTableAcl(createdTable, Sets.newHashSet(creator), "create");
        SnapshotScannerHDFSAclStorage.addUserTableHdfsAcl(observerContext.getEnvironment().getConnection(), creator, createdTable);
    }

    /**
     * After a namespace is created, creates each of the namespace root paths reported by the helper
     * if it does not exist yet. Skipped when {@code checkInitialized} returns false.
     */
    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postCreateNamespace(ObserverContext<MasterCoprocessorEnvironment> observerContext, NamespaceDescriptor namespaceDescriptor) throws IOException {
        if (!checkInitialized("createNamespace " + namespaceDescriptor.getName())) {
            return;
        }
        for (Path namespaceRoot : this.hdfsAclHelper.getNamespaceRootPaths(namespaceDescriptor.getName())) {
            this.hdfsAclHelper.createDirIfNotExist(namespaceRoot);
        }
    }

    /**
     * After a snapshot completes, hands the snapshot to {@code hdfsAclHelper.snapshotAcl} when the
     * snapshotted table is one that {@code needHandleTableHdfsAcl} accepts.
     */
    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postCompletedSnapshotAction(ObserverContext<MasterCoprocessorEnvironment> observerContext, SnapshotDescription snapshotDescription, TableDescriptor tableDescriptor) throws IOException {
        final String operation = "snapshot " + snapshotDescription.getName();
        if (!needHandleTableHdfsAcl(tableDescriptor, operation)) {
            return;
        }
        this.hdfsAclHelper.snapshotAcl(snapshotDescription);
    }

    /**
     * After a truncate, re-creates the table directories and re-applies the table ACL for the users
     * the helper reports as having table read access.
     */
    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postCompletedTruncateTableAction(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
        if (!needHandleTableHdfsAcl(tableName, "truncateTable " + tableName)) {
            return;
        }
        this.hdfsAclHelper.createTableDirectories(tableName);
        // Readers are looked up only after the directories exist, as in the original call order.
        final Set<String> readers = this.hdfsAclHelper.getUsersWithTableReadAction(tableName, false, false);
        this.hdfsAclHelper.addTableAcl(tableName, readers, "truncate");
    }

    /**
     * After a user table is deleted, removes the default ACLs of every user recorded for it, drops
     * the table's marker row, and removes namespace access ACLs for the users selected by
     * {@code filterUsersToRemoveNsAccessAcl}.
     *
     * <p>System tables are ignored, and nothing is done when {@code checkInitialized} is false or
     * when no user is recorded for the table.
     */
    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postCompletedDeleteTableAction(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName) throws IOException {
        if (tableName.isSystemTable()) {
            return;
        }
        if (!checkInitialized("deleteTable " + tableName)) {
            return;
        }
        try (Table aclTable = observerContext.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
            final Set<String> recordedUsers = SnapshotScannerHDFSAclStorage.getTableUsers(aclTable, tableName);
            if (recordedUsers.isEmpty()) {
                return;
            }
            // HDFS side first, then the marker row, then the namespace-level clean-up.
            this.hdfsAclHelper.removeTableDefaultAcl(tableName, recordedUsers);
            SnapshotScannerHDFSAclStorage.deleteTableHdfsAcl(aclTable, tableName);
            final Set<String> usersLosingNsAccess = filterUsersToRemoveNsAccessAcl(aclTable, tableName, recordedUsers);
            if (!usersLosingNsAccess.isEmpty()) {
                this.hdfsAclHelper.removeNamespaceAccessAcl(tableName, usersLosingNsAccess, "delete");
            }
        }
    }

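    /**
     * Reacts to a table modification that switches HDFS ACL sync on or off for the table.
     *
     * <p>Sync newly enabled ({@code tableDescriptor2} is handled, {@code tableDescriptor} did not
     * have sync enabled): create the table directories, add the table ACL for namespace and table
     * readers, and record table markers for the table readers.
     *
     * <p>Sync newly disabled ({@code tableDescriptor} is handled, {@code tableDescriptor2} does not
     * have sync enabled): delete the empty table root directories, remove the table ACL, remove
     * namespace access ACLs for the filtered users, and delete the table markers.
     *
     * <p>NOTE(review): by the MasterObserver contract {@code tableDescriptor} should be the
     * descriptor before the change and {@code tableDescriptor2} the one after. Confirm.
     *
     * @throws IOException on failure; an error while closing the ACL table is attached as a
     *     suppressed exception, where it previously replaced the original failure
     */
    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postModifyTable(ObserverContext<MasterCoprocessorEnvironment> observerContext, TableName tableName, TableDescriptor tableDescriptor, TableDescriptor tableDescriptor2) throws IOException {
        try (Table aclTable = observerContext.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
            if (needHandleTableHdfsAcl(tableDescriptor2, "modifyTable " + tableName) && !this.hdfsAclHelper.isAclSyncToHdfsEnabled(tableDescriptor)) {
                this.hdfsAclHelper.createTableDirectories(tableName);
                Set<String> tableReaders = this.hdfsAclHelper.getUsersWithTableReadAction(tableName, false, false);
                Set<String> allReaders = this.hdfsAclHelper.getUsersWithNamespaceReadAction(tableName.getNamespaceAsString(), true);
                allReaders.addAll(tableReaders);
                this.hdfsAclHelper.addTableAcl(tableName, allReaders, "modify");
                // Only the table-scope readers get a table marker.
                SnapshotScannerHDFSAclStorage.addUserTableHdfsAcl(observerContext.getEnvironment().getConnection(), tableReaders, tableName);
            } else if (needHandleTableHdfsAcl(tableDescriptor, "modifyTable " + tableName) && !this.hdfsAclHelper.isAclSyncToHdfsEnabled(tableDescriptor2)) {
                for (Path tableRoot : this.hdfsAclHelper.getTableRootPaths(tableName, false)) {
                    this.hdfsAclHelper.deleteEmptyDir(tableRoot);
                }
                Set<String> tableReaders = this.hdfsAclHelper.getUsersWithTableReadAction(tableName, false, false);
                Set<String> allReaders = this.hdfsAclHelper.getUsersWithNamespaceReadAction(tableName.getNamespaceAsString(), true);
                allReaders.addAll(tableReaders);
                this.hdfsAclHelper.removeTableAcl(tableName, allReaders);
                this.hdfsAclHelper.removeNamespaceAccessAcl(tableName, filterUsersToRemoveNsAccessAcl(aclTable, tableName, tableReaders), "modify");
                SnapshotScannerHDFSAclStorage.deleteUserTableHdfsAcl(observerContext.getEnvironment().getConnection(), tableReaders, tableName);
            }
        }
    }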

    /**
     * After namespace {@code str} is deleted, removes the namespace default ACLs of the users
     * recorded for it, drops the namespace marker row, and deletes the namespace tmp directory if
     * it is empty. Skipped when {@code checkInitialized} returns false.
     */
    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postDeleteNamespace(ObserverContext<MasterCoprocessorEnvironment> observerContext, String str) throws IOException {
        if (!checkInitialized("deleteNamespace " + str)) {
            return;
        }
        try (Table aclTable = observerContext.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
            // Users are read before the marker row is deleted; afterwards the row no longer lists them.
            final Set<String> recordedUsers = SnapshotScannerHDFSAclStorage.getEntryUsers(aclTable, PermissionStorage.toNamespaceEntry(Bytes.toBytes(str)));
            this.hdfsAclHelper.removeNamespaceDefaultAcl(str, recordedUsers);
            SnapshotScannerHDFSAclStorage.deleteNamespaceHdfsAcl(observerContext.getEnvironment().getConnection(), str);
            this.hdfsAclHelper.deleteEmptyDir(this.pathHelper.getTmpNsDir(str));
        }
    }

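    /**
     * After a grant, brings the HDFS ACLs and the marker rows in line with the user's resulting
     * permission at the granted scope.
     *
     * <p>For each scope the permission is re-read through {@code getUserGlobalPermission},
     * {@code getUserNamespacePermission} or {@code getUserTablePermission}. If that permission
     * exists and contains a read action, the HDFS ACL is granted unless a marker is already set.
     * Otherwise the call is routed to the matching {@code removeUser...HdfsAcl} method, so a grant
     * whose resulting permission has no read action does not leave HDFS read access recorded.
     *
     * <p>At global scope the marker is written only together with a new HDFS grant. At namespace
     * and table scope it is rewritten on every qualifying grant.
     *
     * @param z whether the grant merges with existing permissions; used only in the log message here
     * @throws IllegalArgumentException for a scope other than GLOBAL, NAMESPACE or TABLE
     * @throws IOException on failure; an error while closing the ACL table is attached as a
     *     suppressed exception, where it previously replaced the original failure
     */
    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postGrant(ObserverContext<MasterCoprocessorEnvironment> observerContext, UserPermission userPermission, boolean z) throws IOException {
        if (!checkInitialized("grant " + userPermission + ", merge existing permissions " + z)) {
            return;
        }
        try (Table aclTable = observerContext.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
            Configuration configuration = observerContext.getEnvironment().getConfiguration();
            String user = userPermission.getUser();
            switch (userPermission.getAccessScope()) {
                case GLOBAL: {
                    UserPermission globalPermission = getUserGlobalPermission(configuration, user);
                    if (globalPermission != null && this.hdfsAclHelper.containReadAction(globalPermission)) {
                        if (!isHdfsAclSet(aclTable, user)) {
                            // Namespaces and tables that already carry a marker are passed to
                            // grantAcl as skip sets. Tables inside a skipped namespace are dropped
                            // from the table skip set.
                            Pair<Set<String>, Set<TableName>> alreadySynced = SnapshotScannerHDFSAclStorage.getUserNamespaceAndTable(aclTable, user);
                            Set<String> skipNamespaces = alreadySynced.getFirst();
                            Set<TableName> skipTables = alreadySynced.getSecond().stream()
                                    .filter(t -> !skipNamespaces.contains(t.getNamespaceAsString()))
                                    .collect(Collectors.toSet());
                            this.hdfsAclHelper.grantAcl(userPermission, skipNamespaces, skipTables);
                            SnapshotScannerHDFSAclStorage.addUserGlobalHdfsAcl(aclTable, user);
                        }
                    } else {
                        removeUserGlobalHdfsAcl(aclTable, user, userPermission);
                    }
                    break;
                }
                case NAMESPACE: {
                    String namespace = userPermission.getPermission().getNamespace();
                    UserPermission namespacePermission = getUserNamespacePermission(configuration, user, namespace);
                    if (namespacePermission != null && this.hdfsAclHelper.containReadAction(namespacePermission)) {
                        if (!isHdfsAclSet(aclTable, user, namespace)) {
                            Set<TableName> skipTables = SnapshotScannerHDFSAclStorage.getUserNamespaceAndTable(aclTable, user).getSecond();
                            this.hdfsAclHelper.grantAcl(userPermission, new HashSet<>(0), skipTables);
                        }
                        SnapshotScannerHDFSAclStorage.addUserNamespaceHdfsAcl(aclTable, user, namespace);
                    } else {
                        removeUserNamespaceHdfsAcl(aclTable, user, namespace, userPermission);
                    }
                    break;
                }
                case TABLE: {
                    TablePermission tablePermission = (TablePermission) userPermission.getPermission();
                    if (needHandleTableHdfsAcl(tablePermission)) {
                        TableName grantedTable = tablePermission.getTableName();
                        UserPermission userTablePermission = getUserTablePermission(configuration, user, grantedTable);
                        if (userTablePermission == null || !this.hdfsAclHelper.containReadAction(userTablePermission)) {
                            removeUserTableHdfsAcl(aclTable, user, grantedTable, userPermission);
                        } else {
                            if (!isHdfsAclSet(aclTable, user, grantedTable)) {
                                this.hdfsAclHelper.createTableDirectories(grantedTable);
                                this.hdfsAclHelper.grantAcl(userPermission, new HashSet<>(0), new HashSet<>(0));
                            }
                            SnapshotScannerHDFSAclStorage.addUserTableHdfsAcl(aclTable, user, grantedTable);
                        }
                    }
                    break;
                }
                default:
                    throw new IllegalArgumentException("Illegal user permission scope " + userPermission.getAccessScope());
            }
        }
    }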

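    /**
     * Master hook invoked after a permission has been revoked. For the scope of the revoked
     * permission it re-reads what the user still holds and, when nothing remains or what
     * remains fails {@code hdfsAclHelper.containReadAction}, removes the matching HDFS ACLs
     * and their marker in the ACL table.
     *
     * <p>The ACL table handle is opened with try-with-resources. The previous hand-rolled
     * close logic contained dead branches that dereferenced a null {@code Throwable}, and an
     * exception from {@code close()} could replace the primary failure.
     *
     * @param observerContext coprocessor context supplying the connection and configuration
     * @param userPermission the permission that was just revoked
     * @throws IOException if reading permissions or updating the ACL table fails
     * @throws IllegalArgumentException if the permission scope is not one of the handled cases
     */
    @Override // org.apache.hadoop.hbase.coprocessor.MasterObserver
    public void postRevoke(ObserverContext<MasterCoprocessorEnvironment> observerContext, UserPermission userPermission) throws IOException {
        // NOTE(review): when checkInitialized returns false the revoke is skipped entirely, so
        // HDFS ACLs granted earlier stay in place. Whether they are reconciled later is not
        // visible from this method - confirm, since this is the revocation path.
        if (!checkInitialized("revoke " + userPermission)) {
            return;
        }
        try (Table table = observerContext.getEnvironment().getConnection().getTable(PermissionStorage.ACL_TABLE_NAME)) {
            String user = userPermission.getUser();
            Configuration configuration = observerContext.getEnvironment().getConfiguration();
            // Cases 1/2/3 appear to be the global, namespace and table scopes, judging by the
            // helpers each branch calls; the switch map itself is defined outside this method.
            switch (AnonymousClass1.$SwitchMap$org$apache$hadoop$hbase$security$access$Permission$Scope[userPermission.getAccessScope().ordinal()]) {
                case 1: {
                    UserPermission remaining = getUserGlobalPermission(configuration, user);
                    if (remaining == null || !this.hdfsAclHelper.containReadAction(remaining)) {
                        removeUserGlobalHdfsAcl(table, user, userPermission);
                    }
                    break;
                }
                case 2: {
                    NamespacePermission permission = (NamespacePermission) userPermission.getPermission();
                    String namespace = permission.getNamespace();
                    UserPermission remaining = getUserNamespacePermission(configuration, user, namespace);
                    if (remaining == null || !this.hdfsAclHelper.containReadAction(remaining)) {
                        removeUserNamespaceHdfsAcl(table, user, namespace, userPermission);
                    }
                    break;
                }
                case 3: {
                    TablePermission tablePermission = (TablePermission) userPermission.getPermission();
                    // Tables that do not pass needHandleTableHdfsAcl are left untouched.
                    if (needHandleTableHdfsAcl(tablePermission)) {
                        TableName tableName = tablePermission.getTableName();
                        UserPermission remaining = getUserTablePermission(configuration, user, tableName);
                        if (remaining == null || !this.hdfsAclHelper.containReadAction(remaining)) {
                            removeUserTableHdfsAcl(table, user, tableName, userPermission);
                        }
                    }
                    break;
                }
                default:
                    throw new IllegalArgumentException("Illegal user permission scope " + userPermission.getAccessScope());
            }
        }
    }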

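    /**
     * Revokes the HDFS ACLs behind a user's global marker and then deletes that marker.
     * Does nothing when the ACL table holds no global marker for the user.
     *
     * @param table handle on the ACL table
     * @param str name of the user whose global ACL is being removed
     * @param userPermission the permission passed through to {@code hdfsAclHelper.revokeAcl}
     * @throws IOException if the ACL table cannot be read or updated
     */
    private void removeUserGlobalHdfsAcl(Table table, String str, UserPermission userPermission) throws IOException {
        if (!SnapshotScannerHDFSAclStorage.hasUserGlobalHdfsAcl(table, str)) {
            return;
        }
        Pair<Set<String>, Set<TableName>> namespaceAndTable = SnapshotScannerHDFSAclStorage.getUserNamespaceAndTable(table, str);
        Set<String> namespaces = namespaceAndTable.getFirst();
        // Only tables whose namespace is not already in the namespace set are passed on.
        // Presumably both sets name what the helper must leave alone - confirm against revokeAcl.
        Set<TableName> tablesOutsideNamespaces = namespaceAndTable.getSecond().stream()
            .filter(candidate -> !namespaces.contains(candidate.getNamespaceAsString()))
            .collect(Collectors.toSet());
        // NOTE(review): nothing returned by revokeAcl is inspected. If the helper reports failure
        // through its result rather than an exception, the marker below is still deleted while
        // the HDFS ACL stays - confirm against SnapshotScannerHDFSAclHelper.
        this.hdfsAclHelper.revokeAcl(userPermission, namespaces, tablesOutsideNamespaces);
        SnapshotScannerHDFSAclStorage.deleteUserGlobalHdfsAcl(table, str);
    }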

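    /**
     * Removes a user's namespace-level HDFS ACL marker, revoking the HDFS ACLs first unless the
     * user also has a global marker. Does nothing when no namespace marker exists.
     *
     * @param table handle on the ACL table
     * @param str name of the user
     * @param str2 namespace whose ACL is being removed
     * @param userPermission the permission passed through to {@code hdfsAclHelper.revokeAcl}
     * @throws IOException if the ACL table cannot be read or updated
     */
    private void removeUserNamespaceHdfsAcl(Table table, String str, String str2, UserPermission userPermission) throws IOException {
        if (!SnapshotScannerHDFSAclStorage.hasUserNamespaceHdfsAcl(table, str, str2)) {
            return;
        }
        // A global marker means access is still held at a wider scope, so HDFS is left as is.
        if (!SnapshotScannerHDFSAclStorage.hasUserGlobalHdfsAcl(table, str)) {
            Set<TableName> tablesWithAcl = SnapshotScannerHDFSAclStorage.getUserNamespaceAndTable(table, str).getSecond();
            // NOTE(review): nothing returned by revokeAcl is inspected; if it signals failure via
            // its result, the marker is deleted below regardless - confirm against the helper.
            this.hdfsAclHelper.revokeAcl(userPermission, new HashSet<>(), tablesWithAcl);
        }
        SnapshotScannerHDFSAclStorage.deleteUserNamespaceHdfsAcl(table, str, str2);
    }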

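    /**
     * Removes a user's table-level HDFS ACL marker. The HDFS ACLs are revoked first unless the
     * user also has a global marker or a marker for the table's namespace. Does nothing when
     * no table marker exists.
     *
     * @param table handle on the ACL table
     * @param str name of the user
     * @param tableName table whose ACL is being removed
     * @param userPermission the permission passed through to {@code hdfsAclHelper.revokeAcl}
     * @throws IOException if the ACL table cannot be read or updated
     */
    private void removeUserTableHdfsAcl(Table table, String str, TableName tableName, UserPermission userPermission) throws IOException {
        if (!SnapshotScannerHDFSAclStorage.hasUserTableHdfsAcl(table, str, tableName)) {
            return;
        }
        boolean coveredByWiderScope = SnapshotScannerHDFSAclStorage.hasUserGlobalHdfsAcl(table, str)
            || SnapshotScannerHDFSAclStorage.hasUserNamespaceHdfsAcl(table, str, tableName.getNamespaceAsString());
        if (!coveredByWiderScope) {
            // NOTE(review): nothing returned by revokeAcl is inspected; if it signals failure via
            // its result, the marker is deleted below regardless - confirm against the helper.
            this.hdfsAclHelper.revokeAcl(userPermission, new HashSet<>(0), new HashSet<>(0));
        }
        SnapshotScannerHDFSAclStorage.deleteUserTableHdfsAcl(table, str, tableName);
    }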

    /**
     * Looks up the user's permissions stored under {@code PermissionStorage.ACL_GLOBAL_NAME}.
     *
     * @param configuration configuration handed to {@code PermissionStorage}
     * @param str name of the user
     * @return the first permission returned, or {@code null} when there is none
     * @throws IOException if the lookup fails
     */
    private UserPermission getUserGlobalPermission(Configuration configuration, String str) throws IOException {
        List<UserPermission> found = PermissionStorage.getUserPermissions(configuration, PermissionStorage.ACL_GLOBAL_NAME, null, null, str, true);
        return found.isEmpty() ? null : found.get(0);
    }

    /**
     * Looks up the user's permissions on one namespace.
     *
     * @param configuration configuration handed to {@code PermissionStorage}
     * @param str name of the user
     * @param str2 namespace to query
     * @return the first permission returned, or {@code null} when there is none
     * @throws IOException if the lookup fails
     */
    private UserPermission getUserNamespacePermission(Configuration configuration, String str, String str2) throws IOException {
        List<UserPermission> found = PermissionStorage.getUserNamespacePermissions(configuration, str2, str, true);
        return found.isEmpty() ? null : found.get(0);
    }

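    /**
     * Looks up the user's permissions on one table and returns the first one that passes
     * {@code hdfsAclHelper.isNotFamilyOrQualifierPermission}.
     *
     * @param configuration configuration handed to {@code PermissionStorage}
     * @param str name of the user
     * @param tableName table to query
     * @return the first matching permission, or {@code null} when none matches
     * @throws IOException if the lookup fails
     */
    private UserPermission getUserTablePermission(Configuration configuration, String str, TableName tableName) throws IOException {
        List<UserPermission> tablePermissions = PermissionStorage.getUserTablePermissions(configuration, tableName, null, null, str, true);
        // Typed stream instead of raw List casts; stops at the first match.
        return tablePermissions.stream()
            .filter(candidate -> this.hdfsAclHelper.isNotFamilyOrQualifierPermission((TablePermission) candidate.getPermission()))
            .findFirst()
            .orElse(null);
    }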

    /**
     * Checks the user's global marker only; delegates to the four-argument overload with
     * neither a namespace nor a table.
     *
     * @throws IOException if the ACL table cannot be read
     */
    private boolean isHdfsAclSet(Table table, String str) throws IOException {
        final String noNamespace = null;
        final TableName noTable = null;
        return isHdfsAclSet(table, str, noNamespace, noTable);
    }

    /**
     * Checks the user's global marker and the marker for namespace {@code str2}; delegates to
     * the four-argument overload without a table.
     *
     * @throws IOException if the ACL table cannot be read
     */
    private boolean isHdfsAclSet(Table table, String str, String str2) throws IOException {
        final TableName noTable = null;
        return isHdfsAclSet(table, str, str2, noTable);
    }

    /**
     * Checks the user's global marker, the marker for the table's namespace and the marker for
     * the table itself; delegates to the four-argument overload without an explicit namespace.
     *
     * @throws IOException if the ACL table cannot be read
     */
    private boolean isHdfsAclSet(Table table, String str, TableName tableName) throws IOException {
        final String noNamespace = null;
        return isHdfsAclSet(table, str, noNamespace, tableName);
    }

    /**
     * Reports whether an HDFS ACL marker already covers the user at the given scope.
     * Markers are consulted from widest to narrowest and the first hit wins.
     *
     * @param table handle on the ACL table
     * @param str name of the user
     * @param str2 namespace to check, or {@code null} to skip the namespace check
     * @param tableName table to check, or {@code null} to skip the table checks
     * @return {@code true} if a global marker exists, or a marker for {@code str2}, or a marker
     *     for the table's namespace or the table itself
     * @throws IOException if the ACL table cannot be read
     */
    private boolean isHdfsAclSet(Table table, String str, String str2, TableName tableName) throws IOException {
        if (SnapshotScannerHDFSAclStorage.hasUserGlobalHdfsAcl(table, str)) {
            return true;
        }
        if (str2 != null && SnapshotScannerHDFSAclStorage.hasUserNamespaceHdfsAcl(table, str, str2)) {
            return true;
        }
        if (tableName == null) {
            return false;
        }
        return SnapshotScannerHDFSAclStorage.hasUserNamespaceHdfsAcl(table, str, tableName.getNamespaceAsString())
            || SnapshotScannerHDFSAclStorage.hasUserTableHdfsAcl(table, str, tableName);
    }

    /**
     * Tells callers whether HDFS ACL handling may proceed.
     *
     * @param str description of the operation, used only in the warning message
     * @return {@code false} without logging when {@code initialized} is unset; {@code false}
     *     with a warning when {@code aclTableInitialized} is unset; {@code true} otherwise
     */
    @InterfaceAudience.Private
    boolean checkInitialized(String str) {
        if (!this.initialized) {
            // No log line on this path; callers simply skip their HDFS ACL work.
            return false;
        }
        boolean aclTableReady = this.aclTableInitialized;
        if (!aclTableReady) {
            LOG.warn("Skip set HDFS acls because acl table is not initialized when {}", str);
        }
        return aclTableReady;
    }

    /**
     * Decides whether a table permission needs HDFS ACL handling: the table must pass the
     * {@code (TableName, String)} overload and the permission must pass
     * {@code hdfsAclHelper.isNotFamilyOrQualifierPermission}.
     *
     * @param tablePermission permission under consideration
     * @throws IOException if the table descriptor lookup fails
     */
    private boolean needHandleTableHdfsAcl(TablePermission tablePermission) throws IOException {
        // An empty operation string is passed because no operation name is available here.
        if (!needHandleTableHdfsAcl(tablePermission.getTableName(), MobConstants.EMPTY_STRING)) {
            return false;
        }
        return this.hdfsAclHelper.isNotFamilyOrQualifierPermission(tablePermission);
    }

    /**
     * Decides whether a table needs HDFS ACL handling: it must not be a system table, the
     * controller must pass {@code checkInitialized}, and the table's descriptor must pass
     * {@code hdfsAclHelper.isAclSyncToHdfsEnabled}.
     *
     * @param tableName table under consideration
     * @param str operation description forwarded to {@code checkInitialized}
     * @throws IOException if the table descriptor cannot be loaded
     */
    private boolean needHandleTableHdfsAcl(TableName tableName, String str) throws IOException {
        if (tableName.isSystemTable()) {
            return false;
        }
        if (!checkInitialized(str)) {
            return false;
        }
        // The descriptor is fetched only after the two cheaper checks have passed.
        return this.hdfsAclHelper.isAclSyncToHdfsEnabled(this.masterServices.getTableDescriptors().get(tableName));
    }

    /**
     * Decides whether a table needs HDFS ACL handling, given its descriptor: it must not be a
     * system table, the controller must pass {@code checkInitialized}, and the descriptor must
     * pass {@code hdfsAclHelper.isAclSyncToHdfsEnabled}.
     *
     * @param tableDescriptor descriptor of the table under consideration
     * @param str operation description forwarded to {@code checkInitialized}
     */
    private boolean needHandleTableHdfsAcl(TableDescriptor tableDescriptor, String str) {
        if (tableDescriptor.getTableName().isSystemTable()) {
            return false;
        }
        if (!checkInitialized(str)) {
            return false;
        }
        return this.hdfsAclHelper.isAclSyncToHdfsEnabled(tableDescriptor);
    }

    /**
     * Resolves the user on whose behalf the observed operation runs.
     *
     * @param observerContext coprocessor context that may carry a caller
     * @return the context's caller when present, otherwise {@code userProvider.getCurrent()}
     * @throws IOException if the current user cannot be obtained from the provider
     */
    private User getActiveUser(ObserverContext<?> observerContext) throws IOException {
        Optional<User> requestCaller = observerContext.getCaller();
        if (requestCaller.isPresent()) {
            return requestCaller.get();
        }
        return this.userProvider.getCurrent();
    }

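    /**
     * Selects, from {@code set}, the users that have no other entry tying them to the
     * namespace of {@code tableName}.
     *
     * <p>A user is left out of the result as soon as one of their entries is a global entry,
     * an entry for the same namespace, or an entry for a different table in that namespace.
     *
     * @param table handle on the ACL table
     * @param tableName table whose namespace is being examined
     * @param set candidate user names
     * @return the users with no such entry; a new mutable set, possibly empty
     * @throws IOException if the ACL table cannot be read
     */
    private Set<String> filterUsersToRemoveNsAccessAcl(Table table, TableName tableName, Set<String> set) throws IOException {
        Set<String> removable = new HashSet<>();
        byte[] namespace = tableName.getNamespace();
        for (String user : set) {
            boolean stillNeedsNamespace = false;
            for (byte[] entry : SnapshotScannerHDFSAclStorage.getUserEntries(table, user)) {
                if (PermissionStorage.isGlobalEntry(entry)) {
                    stillNeedsNamespace = true;
                    break;
                }
                if (PermissionStorage.isNamespaceEntry(entry) && Bytes.equals(PermissionStorage.fromNamespaceEntry(entry), namespace)) {
                    stillNeedsNamespace = true;
                    break;
                }
                // The table being processed is excluded; only sibling tables count.
                if (PermissionStorage.isTableEntry(entry) && !Bytes.equals(tableName.getName(), entry) && Bytes.equals(TableName.valueOf(entry).getNamespace(), namespace)) {
                    stillNeedsNamespace = true;
                    break;
                }
            }
            if (!stillNeedsNamespace) {
                removable.add(user);
            }
        }
        return removable;
    }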
}
