package org.apache.hadoop.hive.ql.exec;

import com.google.common.base.Preconditions;
import com.google.common.base.Splitter;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.collect.Sets;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.io.Serializable;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.apache.hadoop.fs.FSDataOutputStream;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hive.SentryHiveConstants;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.metastore.api.PrincipalType;
import org.apache.hadoop.hive.ql.CompilationOpContext;
import org.apache.hadoop.hive.ql.DriverContext;
import org.apache.hadoop.hive.ql.QueryPlan;
import org.apache.hadoop.hive.ql.QueryState;
import org.apache.hadoop.hive.ql.metadata.AuthorizationException;
import org.apache.hadoop.hive.ql.metadata.HiveException;
import org.apache.hadoop.hive.ql.parse.SemanticException;
import org.apache.hadoop.hive.ql.plan.DDLWork;
import org.apache.hadoop.hive.ql.plan.GrantDesc;
import org.apache.hadoop.hive.ql.plan.GrantRevokeRoleDDL;
import org.apache.hadoop.hive.ql.plan.HiveOperation;
import org.apache.hadoop.hive.ql.plan.PrincipalDesc;
import org.apache.hadoop.hive.ql.plan.PrivilegeDesc;
import org.apache.hadoop.hive.ql.plan.PrivilegeObjectDesc;
import org.apache.hadoop.hive.ql.plan.RevokeDesc;
import org.apache.hadoop.hive.ql.plan.RoleDDLDesc;
import org.apache.hadoop.hive.ql.plan.ShowGrantDesc;
import org.apache.hadoop.hive.ql.plan.api.StageType;
import org.apache.hadoop.hive.ql.security.authorization.PrivilegeType;
import org.apache.hadoop.hive.ql.session.SessionState;
import org.apache.sentry.binding.hive.HiveAuthzBindingSessionHook;
import org.apache.sentry.binding.hive.SentryOnFailureHookContextImpl;
import org.apache.sentry.binding.hive.authz.HiveAuthzBinding;
import org.apache.sentry.binding.hive.authz.HiveAuthzBindingHookBase;
import org.apache.sentry.binding.hive.conf.HiveAuthzConf;
import org.apache.sentry.core.common.ActiveRoleSet;
import org.apache.sentry.core.common.Authorizable;
import org.apache.sentry.core.common.Subject;
import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
import org.apache.sentry.core.common.exception.SentryUserException;
import org.apache.sentry.core.common.utils.PathUtils;
import org.apache.sentry.core.model.db.AccessURI;
import org.apache.sentry.core.model.db.Column;
import org.apache.sentry.core.model.db.Database;
import org.apache.sentry.core.model.db.Server;
import org.apache.sentry.core.model.db.Table;
import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
import org.apache.sentry.provider.db.service.thrift.TSentryGrantOption;
import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
import org.apache.sentry.provider.db.service.thrift.TSentryRole;
import org.apache.sentry.service.thrift.SentryServiceClientFactory;
import org.apache.sentry.service.thrift.ServiceConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask.class */
public class SentryGrantRevokeTask extends Task<DDLWork> implements Serializable {
    // Exit codes returned by execute() and by the process*DDL helpers.
    private static final int RETURN_CODE_SUCCESS = 0;
    private static final int RETURN_CODE_FAILURE = 1;
    // Character codes: 9 is ASCII TAB and 10 is ASCII LF.
    // NOTE(review): presumably the field separator and row terminator used by the result-file
    // writers; their use is not visible in this part of the file, so confirm there.
    private static final int separator = 9;
    private static final int terminator = 10;
    private static final long serialVersionUID = -7625118066790571999L;
    // Hive configuration captured from the QueryState in initialize().
    private HiveConf conf;
    // Authorization collaborators injected through the set* methods before execute() runs.
    // NOTE(review): none of these fields is transient although the class is Serializable;
    // confirm that the binding, the Sentry configuration and the subject are meant to travel
    // with a serialized task.
    private HiveAuthzBinding hiveAuthzBinding;
    private HiveAuthzConf authzConf;
    // Sentry server name, resolved from AUTHZ_SERVER_NAME at the start of execute().
    private String server;
    // Identity on whose behalf the statement runs; its name is sent with every Sentry client call.
    private Subject subject;
    private Set<String> subjectGroups;
    // Client address and statement type, forwarded to the on-failure hook context in execute().
    private String ipAddress;
    private HiveOperation stmtOperation;
    private static final Logger LOG = LoggerFactory.getLogger(SentryGrantRevokeTask.class);
    // Splits on '.', trimming whitespace and dropping empty segments.
    // NOTE(review): the name suggests it parses "db.table" object names; confirm in parseDBTable.
    private static final Splitter DB_TBL_SPLITTER = Splitter.on(".").omitEmptyStrings().trimResults();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask$1, reason: invalid class name */
    /* loaded from: input_file:org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask$1.class */
    /**
     * Lookup table that maps {@link PrivilegeType} ordinals to small case numbers.
     *
     * <p>The array is sized to {@code PrivilegeType.values().length} and filled once in the static
     * initializer; entries for constants not listed below stay 0. The {@code synthetic} markers and
     * the {@code $SwitchMap$} name indicate compiler-generated support code for a {@code switch}
     * over {@code PrivilegeType}; the switch itself is not in this part of the file.
     */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$hadoop$hive$ql$security$authorization$PrivilegeType = new int[PrivilegeType.values().length];

        static {
            // Each assignment is guarded separately so that a PrivilegeType constant missing at
            // run time (NoSuchFieldError) only leaves its own slot at 0 instead of aborting
            // class initialization.
            try {
                // RETURN_CODE_FAILURE is simply the constant 1 here (decompiler substitution), i.e. case 1.
                $SwitchMap$org$apache$hadoop$hive$ql$security$authorization$PrivilegeType[PrivilegeType.ALL.ordinal()] = SentryGrantRevokeTask.RETURN_CODE_FAILURE;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$apache$hadoop$hive$ql$security$authorization$PrivilegeType[PrivilegeType.SELECT.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$apache$hadoop$hive$ql$security$authorization$PrivilegeType[PrivilegeType.INSERT.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$apache$hadoop$hive$ql$security$authorization$PrivilegeType[PrivilegeType.CREATE.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$apache$hadoop$hive$ql$security$authorization$PrivilegeType[PrivilegeType.DROP.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$org$apache$hadoop$hive$ql$security$authorization$PrivilegeType[PrivilegeType.ALTER_METADATA.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$org$apache$hadoop$hive$ql$security$authorization$PrivilegeType[PrivilegeType.INDEX.ordinal()] = 7;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$org$apache$hadoop$hive$ql$security$authorization$PrivilegeType[PrivilegeType.LOCK.ordinal()] = 8;
            } catch (NoSuchFieldError e8) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/hive/ql/exec/SentryGrantRevokeTask$DatabaseTable.class */
    /**
     * Immutable pair holding a database name and a table name.
     *
     * <p>Neither value is validated or normalised here; both are stored and returned exactly as
     * passed in, including {@code null}.
     */
    public static class DatabaseTable {
        /** Database part of the pair, as supplied to the constructor. */
        private final String database;
        /** Table part of the pair, as supplied to the constructor. */
        private final String table;

        /**
         * @param str  database name
         * @param str2 table name
         */
        public DatabaseTable(String str, String str2) {
            database = str;
            table = str2;
        }

        /** @return the database name given at construction */
        public String getDatabase() {
            return database;
        }

        /** @return the table name given at construction */
        public String getTable() {
            return table;
        }
    }

    /**
     * Initializes the task and captures the Hive configuration from the query state.
     *
     * <p>Only {@code queryState} and {@code queryPlan} are forwarded as given. The superclass
     * receives this task's own {@code driverContext} field and a {@code null}
     * {@link CompilationOpContext}; the two corresponding parameters are not used.
     * NOTE(review): confirm that ignoring both parameters is intended.
     *
     * @param queryState           source of the {@link HiveConf} stored in {@code conf}
     * @param queryPlan            plan forwarded to the superclass
     * @param driverContext        not used by this override
     * @param compilationOpContext not used by this override
     */
    public void initialize(QueryState queryState, QueryPlan queryPlan, DriverContext driverContext, CompilationOpContext compilationOpContext) {
        final CompilationOpContext noOpContext = null;
        super.initialize(queryState, queryPlan, this.driverContext, noOpContext);
        this.conf = queryState.getConf();
    }

    /* JADX WARN: type inference failed while decompiling execute() for registers r18
       (org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient) and r19
       (java.lang.Throwable); both are also reported as "not initialized" at instructions
       0x02a6 and 0x02aa. The decompiler's internal NullPointerException stack traces
       (TypeUpdate / FixTypesVisitor / TypeInferenceVisitor / TypeSearch) are omitted here. */
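    /**
     * Runs the single Sentry role/grant/revoke/show command carried by {@code work}.
     *
     * <p>This body is a reconstruction of the decompiled output, which declared two untyped,
     * never-assigned registers and repeated the resource clean-up on every return path. The
     * clean-up is expressed once: the Sentry client is closed by try-with-resources and the
     * {@link HiveAuthzBinding} is closed in {@code finally}.
     *
     * <p>Failure behaviour, which matters for an authorization command:
     * <ul>
     *   <li>A {@link SentryAccessDeniedException} first triggers the hooks configured under
     *       {@code AUTHZ_ONFAILURE_HOOKS}. The hook context carries the full query string, the
     *       subject name and the client IP address, so hook implementations receive
     *       audit-relevant data.</li>
     *   <li>Every {@link SentryUserException} and every other {@link Throwable} is recorded with
     *       {@code setException}, logged, echoed to the console and turned into
     *       {@code RETURN_CODE_FAILURE}; no error path returns success.</li>
     * </ul>
     * NOTE(review): the console message contains the raw exception reason/message; confirm that
     * these cannot expose internal details to the submitting user.
     *
     * @param driverContext not read by this method
     * @return the helper's return code on normal completion, {@code RETURN_CODE_FAILURE} on any error
     */
    public int execute(DriverContext driverContext) {
        // The client is opened before the null checks below, so a null authzConf reaches
        // SentryServiceClientFactory.create first; this order is kept from the decompiled body.
        try (SentryPolicyServiceClient sentryClient = SentryServiceClientFactory.create(this.authzConf)) {
            Preconditions.checkNotNull(this.hiveAuthzBinding, "HiveAuthzBinding cannot be null");
            Preconditions.checkNotNull(this.authzConf, "HiveAuthConf cannot be null");
            Preconditions.checkNotNull(this.subject, "Subject cannot be null");
            this.server = (String) Preconditions.checkNotNull(this.authzConf.get(HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME.getVar()), "Config " + HiveAuthzConf.AuthzConfVars.AUTHZ_SERVER_NAME.getVar() + " is required");
            try {
                // Exactly one descriptor is expected on the work object; the first non-null one wins.
                if (this.work.getRoleDDLDesc() != null) {
                    return processRoleDDL(this.console, sentryClient, this.subject.getName(), this.hiveAuthzBinding, this.work.getRoleDDLDesc());
                }
                if (this.work.getGrantDesc() != null) {
                    return processGrantDDL(this.console, sentryClient, this.subject.getName(), this.server, this.work.getGrantDesc());
                }
                if (this.work.getRevokeDesc() != null) {
                    return processRevokeDDL(this.console, sentryClient, this.subject.getName(), this.server, this.work.getRevokeDesc());
                }
                if (this.work.getShowGrantDesc() != null) {
                    return processShowGrantDDL(this.console, sentryClient, this.subject.getName(), this.work.getShowGrantDesc());
                }
                if (this.work.getGrantRevokeRoleDDL() != null) {
                    return processGrantRevokeRoleDDL(this.console, sentryClient, this.subject.getName(), this.work.getGrantRevokeRoleDDL());
                }
                // Caught by the Throwable handler below, so it surfaces as RETURN_CODE_FAILURE.
                throw new AssertionError("Unknown command passed to Sentry Grant/Revoke Task");
            } catch (SentryAccessDeniedException e) {
                // Notify the configured on-failure hooks, then let the denial reach the
                // SentryUserException handler below.
                HiveAuthzBindingHookBase.runFailureHook(new SentryOnFailureHookContextImpl(this.queryPlan.getQueryString(), new HashSet(), new HashSet(), this.stmtOperation, (Database) null, (Table) null, (List) null, (AccessURI) null, this.subject.getName(), this.ipAddress, new AuthorizationException(e), this.conf), this.authzConf.get(HiveAuthzConf.AuthzConfVars.AUTHZ_ONFAILURE_HOOKS.getVar(), "").trim());
                throw e;
            }
        } catch (SentryUserException e) {
            setException(new Exception(e.getClass().getSimpleName() + ": " + e.getReason(), e));
            String message = "Error processing Sentry command: " + e.getReason() + ".";
            if (e instanceof SentryAccessDeniedException) {
                message = message + "Please grant admin privilege to " + this.subject.getName() + ".";
            }
            LOG.error(message, e);
            this.console.printError(message);
            return RETURN_CODE_FAILURE;
        } catch (Throwable t) {
            // Deliberately broad: any unexpected failure must end as a failed command.
            setException(t);
            String message = "Error processing Sentry command: " + t.getMessage();
            LOG.error(message, t);
            this.console.printError(message);
            return RETURN_CODE_FAILURE;
        } finally {
            if (this.hiveAuthzBinding != null) {
                this.hiveAuthzBinding.close();
            }
        }
    }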

    /**
     * Injects the Sentry authorization configuration; intended to be called once.
     *
     * <p>The guard only checks that the field is still {@code null}, so a call that passes
     * {@code null} leaves the setter callable again.
     *
     * @param hiveAuthzConf configuration later used to create the Sentry client in execute()
     * @throws IllegalStateException if a configuration has already been set
     */
    public void setAuthzConf(HiveAuthzConf hiveAuthzConf) {
        final boolean notYetSet = this.authzConf == null;
        final String alreadySetMessage = "setAuthzConf should only be called once: " + this.authzConf;
        Preconditions.checkState(notYetSet, alreadySetMessage);
        this.authzConf = hiveAuthzConf;
    }

    /**
     * Injects the Hive authorization binding; intended to be called once.
     *
     * <p>execute() closes this binding on every exit path. The guard only checks that the field
     * is still {@code null}, so passing {@code null} leaves the setter callable again.
     *
     * @param hiveAuthzBinding binding used for active-role handling
     * @throws IllegalStateException if a binding has already been set
     */
    public void setHiveAuthzBinding(HiveAuthzBinding hiveAuthzBinding) {
        final boolean notYetSet = this.hiveAuthzBinding == null;
        final String alreadySetMessage = "setHiveAuthzBinding should only be called once: " + this.hiveAuthzBinding;
        Preconditions.checkState(notYetSet, alreadySetMessage);
        this.hiveAuthzBinding = hiveAuthzBinding;
    }

    /**
     * Sets the identity on whose behalf the command runs; intended to be called once.
     *
     * <p>The subject's name is what execute() passes to every Sentry client call, so the
     * once-only guard keeps that identity from being replaced after it was set. The guard only
     * checks that the field is still {@code null}; passing {@code null} leaves it open.
     *
     * @param subject requesting principal
     * @throws IllegalStateException if a subject has already been set
     */
    public void setSubject(Subject subject) {
        final boolean notYetSet = this.subject == null;
        final String alreadySetMessage = "setSubject should only be called once: " + this.subject;
        Preconditions.checkState(notYetSet, alreadySetMessage);
        this.subject = subject;
    }

    /**
     * Sets the groups of the requesting subject; intended to be called once.
     *
     * <p>The set is stored by reference without copying, so later changes made by the caller
     * are visible through this task. The guard only checks that the field is still {@code null}.
     *
     * @param set group names of the subject
     * @throws IllegalStateException if the groups have already been set
     */
    public void setSubjectGroups(Set<String> set) {
        final boolean notYetSet = this.subjectGroups == null;
        final String alreadySetMessage = "setSubjectGroups should only be called once: " + this.subjectGroups;
        Preconditions.checkState(notYetSet, alreadySetMessage);
        this.subjectGroups = set;
    }

    /**
     * Records the client address that execute() forwards to the on-failure hook context.
     *
     * <p>Unlike the authorization setters there is no once-only guard: the value can be
     * overwritten at any time and is not validated.
     *
     * @param str client IP address
     */
    public void setIpAddress(String str) {
        ipAddress = str;
    }

    /**
     * Records the statement's Hive operation, which execute() forwards to the on-failure hook
     * context.
     *
     * <p>There is no once-only guard; the value can be overwritten.
     *
     * @param hiveOperation operation type of the statement being executed
     */
    public void setOperation(HiveOperation hiveOperation) {
        stmtOperation = hiveOperation;
    }

    /**
     * Executes one role statement: SET ROLE, CREATE ROLE, DROP ROLE, SHOW ROLE GRANT, SHOW ROLES
     * or SHOW CURRENT ROLE.
     *
     * <p>Role changes and lookups are sent to the Sentry client together with the requesting
     * user name. This method makes no permission decision of its own; a denial from the client
     * propagates as a {@link SentryUserException}. The SHOW variants write their output to the
     * descriptor's result file.
     *
     * @param logHelper                 console used to report errors to the user
     * @param sentryPolicyServiceClient open Sentry client
     * @param str                       name of the requesting user (execute() passes the subject name)
     * @param hiveAuthzBinding          binding whose active role set is read or replaced
     * @param roleDDLDesc               parsed role statement
     * @return {@code RETURN_CODE_SUCCESS}, or {@code RETURN_CODE_FAILURE} after an
     *         {@link IOException} or {@link HiveException} has been logged and printed
     * @throws SentryUserException if the Sentry client rejects or fails the request
     */
    private int processRoleDDL(SessionState.LogHelper logHelper, SentryPolicyServiceClient sentryPolicyServiceClient, String str, HiveAuthzBinding hiveAuthzBinding, RoleDDLDesc roleDDLDesc) throws SentryUserException {
        RoleDDLDesc.RoleOperation operation = roleDDLDesc.getOperation();
        String name = roleDDLDesc.getName();
        try {
            if (operation.equals(RoleDDLDesc.RoleOperation.SET_ROLE)) {
                // The requested role is handed over together with the roles Sentry lists for this user.
                hiveAuthzBinding.setActiveRoleSet(name, sentryPolicyServiceClient.listUserRoles(str));
            } else if (operation.equals(RoleDDLDesc.RoleOperation.CREATE_ROLE)) {
                sentryPolicyServiceClient.createRole(str, name);
            } else if (operation.equals(RoleDDLDesc.RoleOperation.DROP_ROLE)) {
                sentryPolicyServiceClient.dropRole(str, name);
            } else if (operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLE_GRANT)) {
                PrincipalType principalType = roleDDLDesc.getPrincipalType();
                Set grantedRoles;
                if (principalType == PrincipalType.GROUP) {
                    grantedRoles = sentryPolicyServiceClient.listRolesByGroupName(str, name);
                } else if (principalType == PrincipalType.USER) {
                    grantedRoles = sentryPolicyServiceClient.listRolesByUserName(str, name);
                } else {
                    throw new HiveException("Sentry does not allow privileges to be granted/revoked to/from: " + principalType);
                }
                writeToFile(writeRoleGrantsInfo(grantedRoles), roleDDLDesc.getResFile());
            } else if (operation.equals(RoleDDLDesc.RoleOperation.SHOW_ROLES)) {
                writeToFile(writeRolesInfo(sentryPolicyServiceClient.listAllRoles(str)), roleDDLDesc.getResFile());
            } else if (operation.equals(RoleDDLDesc.RoleOperation.SHOW_CURRENT_ROLE)) {
                ActiveRoleSet activeRoleSet = hiveAuthzBinding.getActiveRoleSet();
                if (activeRoleSet.isAll()) {
                    // "ALL" is expanded to the roles Sentry lists for this user.
                    writeToFile(writeRolesInfo(sentryPolicyServiceClient.listUserRoles(str)), roleDDLDesc.getResFile());
                } else {
                    writeToFile(writeActiveRolesInfo(activeRoleSet.getRoles()), roleDDLDesc.getResFile());
                }
            } else {
                throw new HiveException("Unknown role operation " + operation.getOperationName());
            }
            return RETURN_CODE_SUCCESS;
        } catch (IOException ioError) {
            String message = "IO Error in role operation " + ioError.getMessage();
            LOG.info(message, ioError);
            logHelper.printError(message);
            return RETURN_CODE_FAILURE;
        } catch (HiveException hiveError) {
            String message = "Error in role operation " + operation.getOperationName() + " on role name " + name + ", error message " + hiveError.getMessage();
            LOG.warn(message, hiveError);
            logHelper.printError(message);
            return RETURN_CODE_FAILURE;
        } finally {
            // The argument is always null in this method; the call is kept on every exit path
            // exactly as the decompiled body made it.
            closeQuiet(null);
        }
    }

    /**
     * Handles a GRANT statement by delegating to {@code processGrantRevokeDDL} in grant mode.
     *
     * @param logHelper                 console used to report errors
     * @param sentryPolicyServiceClient open Sentry client
     * @param str                       name of the requesting user (execute() passes the subject name)
     * @param str2                      Sentry server name (execute() passes {@code this.server})
     * @param grantDesc                 parsed GRANT statement: principals, privileges, target
     *                                  object and the WITH GRANT OPTION flag
     * @return the return code of {@code processGrantRevokeDDL}
     * @throws SentryUserException if the Sentry client rejects or fails the request
     */
    private int processGrantDDL(SessionState.LogHelper logHelper, SentryPolicyServiceClient sentryPolicyServiceClient, String str, String str2, GrantDesc grantDesc) throws SentryUserException {
        final boolean isGrant = true;
        return processGrantRevokeDDL(
                logHelper,
                sentryPolicyServiceClient,
                str,
                str2,
                isGrant,
                grantDesc.getPrincipals(),
                grantDesc.getPrivileges(),
                grantDesc.getPrivilegeSubjectDesc(),
                Boolean.valueOf(grantDesc.isGrantOption()));
    }

    /**
     * Handles a REVOKE statement by delegating to {@code processGrantRevokeDDL} in revoke mode.
     *
     * <p>No grant-option value is passed for a revoke; the last argument is {@code null}.
     *
     * @param logHelper                 console used to report errors
     * @param sentryPolicyServiceClient open Sentry client
     * @param str                       name of the requesting user (execute() passes the subject name)
     * @param str2                      Sentry server name (execute() passes {@code this.server})
     * @param revokeDesc                parsed REVOKE statement: principals, privileges and target object
     * @return the return code of {@code processGrantRevokeDDL}
     * @throws SentryUserException if the Sentry client rejects or fails the request
     */
    private int processRevokeDDL(SessionState.LogHelper logHelper, SentryPolicyServiceClient sentryPolicyServiceClient, String str, String str2, RevokeDesc revokeDesc) throws SentryUserException {
        final boolean isGrant = false;
        return processGrantRevokeDDL(
                logHelper,
                sentryPolicyServiceClient,
                str,
                str2,
                isGrant,
                revokeDesc.getPrincipals(),
                revokeDesc.getPrivileges(),
                revokeDesc.getPrivilegeSubjectDesc(),
                null);
    }

    /**
     * Handles SHOW GRANT for a role and writes the listed privileges to the result file.
     *
     * <p>Only {@code ROLE} principals are accepted. Without a target object all privileges of
     * the role are listed; with one, the listing is restricted to that object, and when columns
     * are named the client is queried once per column and the results are merged.
     *
     * @param logHelper                 console used to report errors
     * @param sentryPolicyServiceClient open Sentry client
     * @param str                       name of the requesting user (execute() passes the subject name)
     * @param showGrantDesc             parsed SHOW GRANT statement
     * @return {@code RETURN_CODE_SUCCESS}, or {@code RETURN_CODE_FAILURE} after an
     *         {@link IOException} or {@link HiveException} has been logged and printed
     * @throws SentryUserException if the Sentry client rejects or fails the request
     */
    private int processShowGrantDDL(SessionState.LogHelper logHelper, SentryPolicyServiceClient sentryPolicyServiceClient, String str, ShowGrantDesc showGrantDesc) throws SentryUserException {
        PrincipalDesc principalDesc = showGrantDesc.getPrincipalDesc();
        PrivilegeObjectDesc hiveObj = showGrantDesc.getHiveObj();
        String name = principalDesc.getName();
        try {
            // The wording mentions grant/revoke although this is the SHOW GRANT path; the text
            // is kept exactly as it is.
            if (principalDesc.getType() != PrincipalType.ROLE) {
                throw new HiveException("Sentry does not allow privileges to be granted/revoked to/from: " + principalDesc.getType());
            }
            Set privileges;
            if (hiveObj != null) {
                SentryHivePrivilegeObjectDesc sentryObj = toSentryHivePrivilegeObjectDesc(hiveObj);
                List<Authorizable> objectHierarchy = toAuthorizable(sentryObj);
                boolean hasColumns = sentryObj.getColumns() != null && !sentryObj.getColumns().isEmpty();
                if (hasColumns) {
                    ImmutableSet.Builder merged = new ImmutableSet.Builder();
                    for (List<Authorizable> columnHierarchy : parseColumnToAuthorizable(objectHierarchy, sentryObj)) {
                        merged.addAll(sentryPolicyServiceClient.listPrivilegesByRoleName(str, name, columnHierarchy));
                    }
                    privileges = merged.build();
                } else {
                    privileges = sentryPolicyServiceClient.listPrivilegesByRoleName(str, name, objectHierarchy);
                }
            } else {
                privileges = sentryPolicyServiceClient.listPrivilegesByRoleName(str, name, (List) null);
            }
            writeToFile(writeGrantInfo(privileges, name), showGrantDesc.getResFile());
            return RETURN_CODE_SUCCESS;
        } catch (IOException ioError) {
            String message = "IO Error in show grant " + ioError.getMessage();
            LOG.info(message, ioError);
            logHelper.printError(message);
            return RETURN_CODE_FAILURE;
        } catch (HiveException hiveError) {
            String message = "Error in show grant operation, error message " + hiveError.getMessage();
            LOG.warn(message, hiveError);
            logHelper.printError(message);
            return RETURN_CODE_FAILURE;
        }
    }

    /**
     * Builds the list of Sentry authorizables that identifies the object of a privilege.
     *
     * <p>The list always starts with the configured {@link Server}. It is followed by a table
     * and its database, by an {@link AccessURI}, or by a database alone.
     *
     * @param sentryHivePrivilegeObjectDesc object description from the parsed statement
     * @return a new mutable list of authorizables
     * @throws HiveException if a URI object cannot be parsed; the {@link URISyntaxException} is
     *                       kept as the cause
     */
    private List<Authorizable> toAuthorizable(SentryHivePrivilegeObjectDesc sentryHivePrivilegeObjectDesc) throws HiveException {
        List<Authorizable> hierarchy = new ArrayList<>();
        hierarchy.add(new Server(this.server));
        if (sentryHivePrivilegeObjectDesc.getTable()) {
            DatabaseTable dbTable = parseDBTable(sentryHivePrivilegeObjectDesc.getObject());
            String databaseName = dbTable.getDatabase();
            String tableName = dbTable.getTable();
            // NOTE(review): the table is appended before its database. The order is kept as
            // found; confirm that consumers of this list do not rely on it.
            hierarchy.add(new Table(tableName));
            hierarchy.add(new Database(databaseName));
            return hierarchy;
        }
        if (!sentryHivePrivilegeObjectDesc.getUri()) {
            hierarchy.add(new Database(sentryHivePrivilegeObjectDesc.getObject()));
            return hierarchy;
        }
        try {
            // The URI text from the statement is parsed together with the configured metastore
            // warehouse directory before it becomes an AccessURI.
            String warehouseDir = this.conf.getVar(HiveConf.ConfVars.METASTOREWAREHOUSE);
            hierarchy.add(new AccessURI(PathUtils.parseDFSURI(warehouseDir, sentryHivePrivilegeObjectDesc.getObject())));
        } catch (URISyntaxException badUri) {
            throw new HiveException(badUri.getMessage(), badUri);
        }
        return hierarchy;
    }

    /**
     * Expands a base authorizable chain into one chain per column.
     *
     * @param list the base chain that every result starts with
     * @param sentryHivePrivilegeObjectDesc the privilege object whose column list is expanded
     * @return one immutable chain per column, each being {@code list} followed by that column;
     *     empty when the object names no columns
     */
    private List<List<Authorizable>> parseColumnToAuthorizable(List<Authorizable> list, SentryHivePrivilegeObjectDesc sentryHivePrivilegeObjectDesc) {
        List<String> columnNames = sentryHivePrivilegeObjectDesc.getColumns();
        if (columnNames == null || columnNames.isEmpty()) {
            return ImmutableList.of();
        }
        ImmutableList.Builder<List<Authorizable>> chains = ImmutableList.builder();
        for (String columnName : columnNames) {
            chains.add(ImmutableList.<Authorizable>builder()
                    .addAll(list)
                    .add(new Column(columnName))
                    .build());
        }
        return chains.build();
    }

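    /**
     * Writes the result text, followed by the terminator, to the given result file.
     *
     * <p>The file is always created, even when there is nothing to write. The output stream is
     * released on every path, including a {@code null} payload and a failed write.
     *
     * @param str the text to write; {@code null} or empty leaves the created file empty
     * @param str2 the path of the result file
     * @throws IOException if the file cannot be created or written
     */
    private void writeToFile(String str, String str2) throws IOException {
        Path path = new Path(str2);
        FSDataOutputStream out = path.getFileSystem(this.conf).create(path);
        try {
            if (str != null && !str.isEmpty()) {
                // Closing the writer flushes it and closes the wrapped stream as well.
                try (OutputStreamWriter writer = new OutputStreamWriter((OutputStream) out, "UTF-8")) {
                    writer.write(str);
                    writer.write(terminator);
                    writer.flush();
                }
            }
        } finally {
            // Covers the paths on which no writer was created, so the stream never leaks.
            closeQuiet(out);
        }
    }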

    /**
     * Grants roles to, or revokes roles from, the groups and users named in the request.
     *
     * <p>Every principal is classified before the policy service is called, so a principal that
     * is neither a group nor a user fails the whole request without changing any membership.
     *
     * @param logHelper console helper that receives the error message on failure
     * @param sentryPolicyServiceClient client used for the role membership calls
     * @param str first argument of every client call (presumably the requesting user; confirm
     *     against the caller)
     * @param grantRevokeRoleDDL the parsed statement: grant flag, principals and roles
     * @return {@code RETURN_CODE_SUCCESS}, or {@code RETURN_CODE_FAILURE} when a principal type
     *     is rejected
     * @throws SentryUserException if a policy service call fails
     */
    private int processGrantRevokeRoleDDL(SessionState.LogHelper logHelper, SentryPolicyServiceClient sentryPolicyServiceClient, String str, GrantRevokeRoleDDL grantRevokeRoleDDL) throws SentryUserException {
        try {
            boolean isGrant = grantRevokeRoleDDL.getGrant();
            List<PrincipalDesc> principals = grantRevokeRoleDDL.getPrincipalDesc();
            List<String> roleNames = grantRevokeRoleDDL.getRoles();
            Set<String> groupNames = Sets.newHashSet();
            Set<String> userNames = Sets.newHashSet();

            for (PrincipalDesc principal : principals) {
                if (principal.getType() == PrincipalType.GROUP) {
                    groupNames.add(principal.getName());
                } else if (principal.getType() == PrincipalType.USER) {
                    userNames.add(principal.getName());
                } else {
                    throw new HiveException("Sentry does not allow privileges to be granted/revoked to/from: " + principal.getType());
                }
            }

            for (String roleName : roleNames) {
                // Groups are handled before users for each role.
                if (!groupNames.isEmpty()) {
                    if (isGrant) {
                        sentryPolicyServiceClient.grantRoleToGroups(str, roleName, groupNames);
                    } else {
                        sentryPolicyServiceClient.revokeRoleFromGroups(str, roleName, groupNames);
                    }
                }
                if (!userNames.isEmpty()) {
                    if (isGrant) {
                        sentryPolicyServiceClient.grantRoleToUsers(str, roleName, userNames);
                    } else {
                        sentryPolicyServiceClient.revokeRoleFromUsers(str, roleName, userNames);
                    }
                }
            }
            return RETURN_CODE_SUCCESS;
        } catch (HiveException e) {
            String message = "Error in grant/revoke operation, error message " + e.getMessage();
            LOG.warn(message, e);
            logHelper.printError(message);
            return RETURN_CODE_FAILURE;
        }
    }

    /**
     * Renders the privileges of one role as tab-separated rows, one row per privilege.
     *
     * <p>The first column is the URI for URI-scoped privileges, the wildcard value for
     * server-scoped privileges and the database name otherwise. It is followed by the table
     * name, an empty column, the column name, the role name, the literal {@code ROLE}, the
     * action, the grant-option flag, the create time multiplied by 1000 and the literal
     * {@code --}.
     *
     * @param set the privileges to render; {@code null} or empty yields an empty string
     * @param str the role name written into every row
     * @return the rendered rows separated by newlines
     */
    static String writeGrantInfo(Set<TSentryPrivilege> set, String str) {
        if (set == null || set.isEmpty()) {
            return "";
        }
        StringBuilder out = new StringBuilder();
        for (TSentryPrivilege privilege : set) {
            String scope = privilege.getPrivilegeScope();
            Object firstColumn;
            if (ServiceConstants.PrivilegeScope.URI.name().equalsIgnoreCase(scope)) {
                firstColumn = privilege.getURI();
            } else if (ServiceConstants.PrivilegeScope.SERVER.name().equalsIgnoreCase(scope)) {
                firstColumn = HiveAuthzBindingSessionHook.WILDCARD_ACL_VALUE;
            } else {
                firstColumn = privilege.getDbName();
            }
            appendNonNull(out, firstColumn, true);
            appendNonNull(out, privilege.getTableName());
            appendNonNull(out, null);
            appendNonNull(out, privilege.getColumnName());
            appendNonNull(out, str);
            appendNonNull(out, "ROLE");
            appendNonNull(out, privilege.getAction());
            appendNonNull(out, TSentryGrantOption.TRUE.equals(privilege.getGrantOption()));
            // Presumably converts seconds to milliseconds; confirm the unit of getCreateTime().
            appendNonNull(out, privilege.getCreateTime() * 1000);
            appendNonNull(out, "--");
        }
        String rendered = out.toString();
        // NOTE(review): the complete privilege listing is logged at INFO on every call; consider
        // whether DEBUG is more appropriate where logs are widely readable.
        LOG.info("builder.toString(): " + rendered);
        return rendered;
    }

    /**
     * Renders role grants as tab-separated rows: the role name, the literal {@code false}, an
     * empty column and the literal {@code --}.
     *
     * @param set the roles to render; {@code null} or empty yields an empty string
     * @return the rendered rows separated by newlines
     */
    static String writeRoleGrantsInfo(Set<TSentryRole> set) {
        if (set == null || set.isEmpty()) {
            return "";
        }
        StringBuilder out = new StringBuilder();
        for (TSentryRole role : set) {
            appendNonNull(out, role.getRoleName(), true);
            appendNonNull(out, false);
            appendNonNull(out, null);
            appendNonNull(out, "--");
        }
        return out.toString();
    }

    /**
     * Renders role names, one per line.
     *
     * @param set the roles to render; {@code null} or empty yields an empty string
     * @return the role names separated by newlines
     */
    static String writeRolesInfo(Set<TSentryRole> set) {
        if (set == null || set.isEmpty()) {
            return "";
        }
        StringBuilder out = new StringBuilder();
        for (TSentryRole role : set) {
            appendNonNull(out, role.getRoleName(), true);
        }
        return out.toString();
    }

    /**
     * Renders the given role names, one per line.
     *
     * @param set the role names to render; {@code null} or empty yields an empty string
     * @return the names separated by newlines
     */
    static String writeActiveRolesInfo(Set<String> set) {
        if (set == null || set.isEmpty()) {
            return "";
        }
        StringBuilder out = new StringBuilder();
        for (String roleName : set) {
            appendNonNull(out, roleName, true);
        }
        return out.toString();
    }

    /**
     * Appends a value as a non-first column: a tab, then the value unless it is {@code null}.
     *
     * @param sb the buffer to append to
     * @param obj the value to append, or {@code null} for an empty column
     * @return {@code sb}
     */
    static StringBuilder appendNonNull(StringBuilder sb, Object obj) {
        final boolean firstColumn = false;
        return appendNonNull(sb, obj, firstColumn);
    }

    /**
     * Appends one column value, preceded by its separator.
     *
     * <p>A first column is preceded by a newline unless the buffer is still empty; any other
     * column is preceded by a tab. A {@code null} value appends only the separator.
     *
     * <p>NOTE(review): the value is written verbatim, so a tab or newline inside it would shift
     * the columns of the result. Confirm that names reaching this method are constrained
     * upstream.
     *
     * @param sb the buffer to append to
     * @param obj the value to append, or {@code null} for an empty column
     * @param z {@code true} when the value starts a new row
     * @return {@code sb}
     */
    static StringBuilder appendNonNull(StringBuilder sb, Object obj, boolean z) {
        if (z) {
            if (sb.length() > 0) {
                sb.append('\n');
            }
        } else {
            sb.append('\t');
        }
        if (obj != null) {
            sb.append(obj);
        }
        return sb;
    }

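    /**
     * Grants or revokes the given privileges on one object to or from a list of roles.
     *
     * <p>The object is classified as table, URI, server or (by default) database. Every privilege
     * is validated before the policy service is called, and every principal must be a role.
     *
     * @param logHelper console helper that receives the error message on failure
     * @param sentryPolicyServiceClient client used for the grant and revoke calls
     * @param str first argument of every client call (presumably the requesting user; confirm
     *     against the caller)
     * @param str2 server argument passed to the URI, database, table and column calls
     * @param z {@code true} to grant, {@code false} to revoke
     * @param list the principals; each must be of type {@code ROLE}
     * @param list2 the privileges to grant or revoke; must not be empty
     * @param privilegeObjectDesc the object the privileges apply to
     * @param bool the grant-option flag, passed through to the client
     * @return {@code RETURN_CODE_SUCCESS}, or {@code RETURN_CODE_FAILURE} when validation fails
     * @throws SentryUserException if a policy service call fails
     */
    private static int processGrantRevokeDDL(SessionState.LogHelper logHelper, SentryPolicyServiceClient sentryPolicyServiceClient, String str, String str2, boolean z, List<PrincipalDesc> list, List<PrivilegeDesc> list2, PrivilegeObjectDesc privilegeObjectDesc, Boolean bool) throws SentryUserException {
        if (list2 == null || list2.isEmpty()) {
            logHelper.printError("No privilege found.");
            return RETURN_CODE_FAILURE;
        }
        // These start out unset; the dispatch below depends on which of them is non-null.
        String dbName = null;
        String tableName = null;
        List<String> columnNames = null;
        String uriPath = null;
        String serverName = null;
        try {
            SentryHivePrivilegeObjectDesc sentryHivePrivilegeObjectDesc = toSentryHivePrivilegeObjectDesc(privilegeObjectDesc);
            if (sentryHivePrivilegeObjectDesc == null) {
                throw new HiveException("Privilege subject cannot be null");
            }
            if (sentryHivePrivilegeObjectDesc.getPartSpec() != null) {
                throw new HiveException("Sentry does not support partition level authorization");
            }
            String object = sentryHivePrivilegeObjectDesc.getObject();
            if (sentryHivePrivilegeObjectDesc.getTable()) {
                DatabaseTable parseDBTable = parseDBTable(object);
                dbName = parseDBTable.getDatabase();
                tableName = parseDBTable.getTable();
            } else if (sentryHivePrivilegeObjectDesc.getUri()) {
                uriPath = sentryHivePrivilegeObjectDesc.getObject();
            } else if (sentryHivePrivilegeObjectDesc.getServer()) {
                serverName = sentryHivePrivilegeObjectDesc.getObject();
            } else {
                dbName = sentryHivePrivilegeObjectDesc.getObject();
            }

            // Validate every privilege before any call is made to the policy service.
            // NOTE(review): columnNames carries over from earlier privileges in the list, so the
            // INSERT/ALL-on-column rejection depends on the order of the privileges, and the
            // loop below applies the last non-empty column list to every privilege. Confirm that
            // this is intended.
            for (PrivilegeDesc privilegeDesc : list2) {
                List<String> columns = privilegeDesc.getColumns();
                if (columns != null && !columns.isEmpty()) {
                    columnNames = columns;
                }
                PrivilegeType priv = privilegeDesc.getPrivilege().getPriv();
                if (!SentryHiveConstants.ALLOWED_PRIVS.contains(priv)) {
                    throw new HiveException("Sentry does not support privilege: " + priv);
                }
                if (columnNames != null && (priv.equals(PrivilegeType.INSERT) || priv.equals(PrivilegeType.ALL))) {
                    throw new SemanticException("Sentry does not support privilege: " + priv + " on Column");
                }
            }

            for (PrincipalDesc principalDesc : list) {
                if (principalDesc.getType() != PrincipalType.ROLE) {
                    throw new HiveException("Sentry does not allow privileges to be granted/revoked to/from: " + principalDesc.getType());
                }
                for (PrivilegeDesc privilegeDesc2 : list2) {
                    // Precedence: server, URI, database (no table), table (no columns), columns.
                    if (z) {
                        if (serverName != null) {
                            sentryPolicyServiceClient.grantServerPrivilege(str, principalDesc.getName(), serverName, toSentryAction(privilegeDesc2.getPrivilege().getPriv()), bool);
                        } else if (uriPath != null) {
                            sentryPolicyServiceClient.grantURIPrivilege(str, principalDesc.getName(), str2, uriPath, bool);
                        } else if (tableName == null) {
                            sentryPolicyServiceClient.grantDatabasePrivilege(str, principalDesc.getName(), str2, dbName, toDbSentryAction(privilegeDesc2.getPrivilege().getPriv()), bool);
                        } else if (columnNames == null) {
                            sentryPolicyServiceClient.grantTablePrivilege(str, principalDesc.getName(), str2, dbName, tableName, toSentryAction(privilegeDesc2.getPrivilege().getPriv()), bool);
                        } else {
                            sentryPolicyServiceClient.grantColumnsPrivileges(str, principalDesc.getName(), str2, dbName, tableName, columnNames, toSentryAction(privilegeDesc2.getPrivilege().getPriv()), bool);
                        }
                    } else if (serverName != null) {
                        sentryPolicyServiceClient.revokeServerPrivilege(str, principalDesc.getName(), serverName, toSentryAction(privilegeDesc2.getPrivilege().getPriv()), bool);
                    } else if (uriPath != null) {
                        sentryPolicyServiceClient.revokeURIPrivilege(str, principalDesc.getName(), str2, uriPath, bool);
                    } else if (tableName == null) {
                        sentryPolicyServiceClient.revokeDatabasePrivilege(str, principalDesc.getName(), str2, dbName, toDbSentryAction(privilegeDesc2.getPrivilege().getPriv()), bool);
                    } else if (columnNames == null) {
                        sentryPolicyServiceClient.revokeTablePrivilege(str, principalDesc.getName(), str2, dbName, tableName, toSentryAction(privilegeDesc2.getPrivilege().getPriv()), bool);
                    } else {
                        sentryPolicyServiceClient.revokeColumnsPrivilege(str, principalDesc.getName(), str2, dbName, tableName, columnNames, toSentryAction(privilegeDesc2.getPrivilege().getPriv()), bool);
                    }
                }
            }
            return RETURN_CODE_SUCCESS;
        } catch (HiveException e) {
            // The SemanticException thrown above is also handled here.
            String message = "Error in grant/revoke operation, error message " + e.getMessage();
            LOG.warn(message, e);
            logHelper.printError(message);
            return RETURN_CODE_FAILURE;
        }
    }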

    /**
     * Maps a Hive privilege type to the Sentry action string used for database-level grants.
     *
     * <p>The switch runs over a compiler-generated ordinal map
     * ({@code AnonymousClass1.$SwitchMap$...PrivilegeType}). Which privilege type each case index
     * stands for is defined in that map, outside this method.
     *
     * @param privilegeType the Hive privilege type to translate
     * @return the wildcard value for case 1, otherwise one of {@code select}, {@code insert},
     *     {@code create}, {@code drop}, {@code alter}, {@code index} or {@code lock}
     * @throws SentryUserException if the privilege type has no mapping
     */
    private static String toDbSentryAction(PrivilegeType privilegeType) throws SentryUserException {
        switch (AnonymousClass1.$SwitchMap$org$apache$hadoop$hive$ql$security$authorization$PrivilegeType[privilegeType.ordinal()]) {
            // NOTE(review): index 1 presumably stands for PrivilegeType.ALL, matching
            // toSentryAction; confirm against the switch map.
            case RETURN_CODE_FAILURE /* 1 */:
                return HiveAuthzBindingSessionHook.WILDCARD_ACL_VALUE;
            case 2:
                return "select";
            case 3:
                return "insert";
            case 4:
                return "create";
            case 5:
                return "drop";
            case 6:
                return "alter";
            case 7:
                return "index";
            case 8:
                return "lock";
            default:
                // Unmapped types are rejected instead of being passed through as free text.
                throw new SentryUserException("Unknown privilege type: " + privilegeType);
        }
    }

    /**
     * Narrows a privilege object descriptor to the Sentry-specific subtype.
     *
     * @param privilegeObjectDesc the descriptor to narrow
     * @return the same instance, typed as {@code SentryHivePrivilegeObjectDesc}
     * @throws HiveException if the descriptor is {@code null} or of any other type
     */
    private static SentryHivePrivilegeObjectDesc toSentryHivePrivilegeObjectDesc(PrivilegeObjectDesc privilegeObjectDesc) throws HiveException {
        if (!(privilegeObjectDesc instanceof SentryHivePrivilegeObjectDesc)) {
            throw new HiveException("Privilege subject not parsed correctly by Sentry");
        }
        return (SentryHivePrivilegeObjectDesc) privilegeObjectDesc;
    }

    /**
     * Maps a Hive privilege type to a Sentry action string.
     *
     * @param privilegeType the Hive privilege type; must not be {@code null}
     * @return the wildcard value for {@code ALL}, otherwise the type's {@code toString()}
     */
    private static String toSentryAction(PrivilegeType privilegeType) {
        if (PrivilegeType.ALL.equals(privilegeType)) {
            return HiveAuthzBindingSessionHook.WILDCARD_ACL_VALUE;
        }
        return privilegeType.toString();
    }

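    /**
     * Splits a {@code database.table} or bare {@code table} name into its parts.
     *
     * <p>A bare table name is resolved against the current database of the session.
     *
     * @param str the object name as given in the statement
     * @return the database and table parts
     * @throws HiveException if the name splits into neither one nor two parts
     */
    private static DatabaseTable parseDBTable(String str) throws HiveException {
        // Array positions are written as literals here; they are not return codes.
        String[] parts = Iterables.toArray(DB_TBL_SPLITTER.split(str), String.class);
        if (parts.length == 2) {
            return new DatabaseTable(parts[0], parts[1]);
        }
        if (parts.length == 1) {
            // NOTE(review): the unsplit input, not parts[0], is used as the table name; the two
            // differ only if DB_TBL_SPLITTER trims or drops empty segments. Confirm.
            return new DatabaseTable(SessionState.get().getCurrentDatabase(), str);
        }
        throw new HiveException("Malformed database.table '" + str + "'");
    }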

    /**
     * Closes the stream if there is one.
     *
     * @param dataOutputStream the stream to close; may be {@code null}
     * @return always {@code null}, so a caller can clear its reference in the same statement
     * @throws IOException if closing the stream fails
     */
    private static DataOutputStream close(DataOutputStream dataOutputStream) throws IOException {
        if (dataOutputStream != null) {
            dataOutputStream.close();
        }
        return null;
    }

    /**
     * Closes the stream, logging a failure to close instead of propagating it.
     *
     * @param dataOutputStream the stream to close; may be {@code null}
     */
    private static void closeQuiet(DataOutputStream dataOutputStream) {
        if (dataOutputStream == null) {
            return;
        }
        try {
            dataOutputStream.close();
        } catch (IOException e) {
            // Best effort: a failed close must not mask the outcome of the operation itself.
            LOG.warn("Error closing output stream", e);
        }
    }

    /**
     * Reports whether this task requires a lock.
     *
     * @return always {@code false}
     */
    public boolean requireLock() {
        final boolean lockNeeded = false;
        return lockNeeded;
    }

    /**
     * Returns the stage type of this task.
     *
     * @return always {@code StageType.DDL}
     */
    public StageType getType() {
        final StageType stageType = StageType.DDL;
        return stageType;
    }

    /**
     * Returns the name of this task.
     *
     * @return always {@code "SENTRY"}
     */
    public String getName() {
        final String taskName = "SENTRY";
        return taskName;
    }
}
