package org.apache.sentry.binding.hive;

import com.google.common.base.Joiner;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.ql.security.HiveAuthenticationProvider;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessController;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizationValidator;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizer;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerFactory;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthorizerImpl;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzSessionContext;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveMetastoreClientFactory;
import org.apache.hive.service.cli.HiveSQLException;
import org.apache.hive.service.cli.session.HiveSessionHook;
import org.apache.hive.service.cli.session.HiveSessionHookContext;

/* loaded from: input_file:org/apache/sentry/binding/hive/HiveAuthzBindingSessionHook.class */
/**
 * HiveServer2 session hook that wires Sentry authorization into each new session.
 *
 * <p>On session start, {@link #run} registers the Sentry semantic-analyzer hook, pins a set of
 * security-relevant settings on the session configuration, records the session user as the
 * Sentry subject, and finally adds {@link #ACCESS_RESTRICT_LIST} to the configuration's
 * restrict list so that those settings are not meant to be changed from inside the session.
 */
public class HiveAuthzBindingSessionHook implements HiveSessionHook {
    /** Class name registered as a semantic-analyzer hook by {@link #run}. */
    public static final String SEMANTIC_HOOK = "org.apache.sentry.binding.hive.HiveAuthzBindingHook";

    /** Same class name as {@link #SEMANTIC_HOOK}; not referenced anywhere else in this class. */
    public static final String FILTER_HOOK = "org.apache.sentry.binding.hive.HiveAuthzBindingHook";

    /** Value written to the scratch-directory permission setting (owner-only when read as octal). */
    public static final String SCRATCH_DIR_PERMISSIONS = "700";

    /**
     * Comma-separated configuration names handed to {@code HiveConf.addToRestrictList}.
     *
     * <p>NOTE(review): {@code HIVE_AUTHORIZATION_MANAGER} is set by {@link #run} but is not
     * listed here; confirm that Hive's own default restricted list covers it in the deployed
     * Hive version, otherwise a session could replace the authorizer factory.
     */
    public static final String ACCESS_RESTRICT_LIST = Joiner.on(",").join(
            HiveConf.ConfVars.SEMANTIC_ANALYZER_HOOK.varname,
            HiveConf.ConfVars.PREEXECHOOKS.varname,
            HiveConf.ConfVars.SCRATCHDIR.varname,
            HiveConf.ConfVars.LOCALSCRATCHDIR.varname,
            HiveConf.ConfVars.METASTOREURIS.varname,
            HiveConf.ConfVars.METASTORECONNECTURLKEY.varname,
            HiveConf.ConfVars.HADOOPBIN.varname,
            HiveConf.ConfVars.HIVESESSIONID.varname,
            HiveConf.ConfVars.HIVEAUXJARS.varname,
            HiveConf.ConfVars.HIVESTATSDBCONNECTIONSTRING.varname,
            HiveConf.ConfVars.SCRATCHDIRPERMISSION.varname,
            HiveConf.ConfVars.HIVE_SECURITY_COMMAND_WHITELIST.varname,
            HiveConf.ConfVars.HIVE_AUTHORIZATION_TASK_FACTORY.varname,
            HiveConf.ConfVars.HIVE_CAPTURE_TRANSFORM_ENTITY.varname,
            HiveConf.ConfVars.HIVERELOADABLEJARS.varname,
            "hive.access.conf.url",
            "hive.sentry.conf.url",
            "hive.access.subject.name",
            "hive.sentry.subject.name",
            "hive.sentry.active.role.set");

    /**
     * Authorizer factory installed as the session's authorization manager by {@link #run}.
     *
     * <p>All four arguments are ignored and the returned authorizer is built with a {@code null}
     * access controller and a {@code null} validator.
     * NOTE(review): presumably enforcement is done by the semantic hook rather than by this
     * authorizer; any inherited method that delegates to the controller or validator would hit
     * a null reference - confirm against the callers in the deployed Hive version.
     */
    public static class SentryHiveAuthorizerFactory implements HiveAuthorizerFactory {
        public HiveAuthorizer createHiveAuthorizer(
                HiveMetastoreClientFactory hiveMetastoreClientFactory,
                HiveConf hiveConf,
                HiveAuthenticationProvider hiveAuthenticationProvider,
                HiveAuthzSessionContext hiveAuthzSessionContext) throws HiveAuthzPluginException {
            HiveAuthorizer placeholder = new SentryHiveAuthorizerImpl(null, null);
            return placeholder;
        }
    }

    /**
     * {@link HiveAuthorizerImpl} subclass whose only change is a no-op
     * {@link #applyAuthorizationConfigPolicy(HiveConf)}.
     */
    public static class SentryHiveAuthorizerImpl extends HiveAuthorizerImpl {
        /**
         * Passes both collaborators straight to the parent constructor.
         *
         * @param hiveAccessController access controller handed to the parent (may be null here)
         * @param hiveAuthorizationValidator validator handed to the parent (may be null here)
         */
        public SentryHiveAuthorizerImpl(HiveAccessController hiveAccessController, HiveAuthorizationValidator hiveAuthorizationValidator) {
            super(hiveAccessController, hiveAuthorizationValidator);
        }

        /**
         * Intentionally does nothing, so the configuration passed in is left untouched.
         * NOTE(review): presumably this keeps the parent from applying its own config policy
         * on top of the values set by the session hook - confirm.
         */
        public void applyAuthorizationConfigPolicy(HiveConf hiveConf) {
            // no-op by design
        }
    }

    /**
     * Applies the Sentry session settings to the configuration of a newly opened session.
     *
     * <p>The restrict list is extended last, after every value has been written.
     *
     * @param hiveSessionHookContext context giving access to the session configuration and user
     * @throws HiveSQLException declared by the hook interface
     */
    public void run(HiveSessionHookContext hiveSessionHookContext) throws HiveSQLException {
        HiveConf conf = hiveSessionHookContext.getSessionConf();

        // Put the Sentry hook in front of any semantic-analyzer hooks already configured.
        appendConfVar(conf, HiveConf.ConfVars.SEMANTIC_ANALYZER_HOOK.varname, SEMANTIC_HOOK);

        // The command whitelist comes from the Sentry authz configuration, with a built-in default.
        String commandWhitelist = HiveAuthzBindingHookBase.loadAuthzConf(conf)
                .get("hive.sentry.security.command.whitelist", "set,reset,reload");
        conf.setVar(HiveConf.ConfVars.HIVE_SECURITY_COMMAND_WHITELIST, commandWhitelist);

        conf.setVar(HiveConf.ConfVars.SCRATCHDIRPERMISSION, SCRATCH_DIR_PERMISSIONS);
        conf.setBoolVar(HiveConf.ConfVars.HIVE_CAPTURE_TRANSFORM_ENTITY, true);

        // The session user becomes the subject under both the legacy and the current key.
        conf.set("hive.access.subject.name", hiveSessionHookContext.getSessionUser());
        conf.set("hive.sentry.subject.name", hiveSessionHookContext.getSessionUser());

        conf.setVar(
                HiveConf.ConfVars.HIVE_AUTHORIZATION_MANAGER,
                "org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook$SentryHiveAuthorizerFactory");

        // NOTE(review): Hadoop job ACL values are "users<space>groups", and "*" means everyone.
        // appendConfVar treats the value as a plain comma list, so an existing value that starts
        // with a space (groups only) or is "*" would be reinterpreted - confirm this is acceptable.
        appendConfVar(conf, "mapreduce.job.acl-view-job", hiveSessionHookContext.getSessionUser());
        appendConfVar(conf, "mapreduce.job.acl-modify-job", hiveSessionHookContext.getSessionUser());

        // Done last: from here on the listed keys are on the session's restrict list.
        conf.addToRestrictList(ACCESS_RESTRICT_LIST);
    }

    /**
     * Puts {@code value} at the front of a comma-separated configuration entry.
     *
     * <p>Despite the name, the new value is prepended: a blank or missing entry becomes
     * {@code value}, anything else becomes {@code value + "," + trimmedExisting}.
     *
     * @param conf configuration to update in place
     * @param key name of the entry to update
     * @param value value to place first in the list
     */
    private void appendConfVar(HiveConf conf, String key, String value) {
        String existing = conf.get(key, "").trim();
        if (existing.isEmpty()) {
            conf.set(key, value);
        } else {
            conf.set(key, value + "," + existing);
        }
    }
}
