package org.apache.sentry.hdfs;

import com.google.common.base.Preconditions;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.atomic.AtomicBoolean;
import org.apache.hadoop.conf.Configuration;
import org.apache.sentry.core.common.exception.SentryInvalidInputException;
import org.apache.sentry.core.common.utils.PubSub;
import org.apache.sentry.core.common.utils.SigUtils;
import org.apache.sentry.hdfs.ServiceConstants;
import org.apache.sentry.hdfs.Updateable;
import org.apache.sentry.hdfs.service.thrift.TPrivilegeChanges;
import org.apache.sentry.hdfs.service.thrift.TRoleChanges;
import org.apache.sentry.provider.db.SentryPolicyStorePlugin;
import org.apache.sentry.provider.db.service.persistent.SentryStore;
import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleAddGroupsRequest;
import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleDeleteGroupsRequest;
import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleGrantPrivilegeRequest;
import org.apache.sentry.provider.db.service.thrift.TAlterSentryRoleRevokePrivilegeRequest;
import org.apache.sentry.provider.db.service.thrift.TDropPrivilegesRequest;
import org.apache.sentry.provider.db.service.thrift.TDropSentryRoleRequest;
import org.apache.sentry.provider.db.service.thrift.TRenamePrivilegesRequest;
import org.apache.sentry.provider.db.service.thrift.TSentryGroup;
import org.apache.sentry.provider.db.service.thrift.TSentryPrivilege;
import org.apache.sentry.service.thrift.SentryServiceUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sentry/hdfs/SentryPlugin.class */
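/**
 * Policy-store plugin that turns Sentry role and privilege changes into
 * {@link PermissionsUpdate} objects and serves path/permission updates that the
 * log messages describe as being sent to the NameNode.
 *
 * <p>Two optional triggers (a configured OS signal and a pub-sub topic) can request
 * that the next path poll is answered with a full image instead of a delta. Both
 * triggers only raise a flag; the work is done on the next call to
 * {@link #getAllPathsUpdatesFrom(long, long)}.
 *
 * <p>Authorization-object names and actions are case-normalised with
 * {@link Locale#ROOT}, so the strings placed in permission updates do not depend on
 * the JVM's default locale.
 */
public class SentryPlugin implements SentryPolicyStorePlugin, SigUtils.SigListener, PubSub.Subscriber {
    private static final Logger LOGGER = LoggerFactory.getLogger(SentryPlugin.class);
    private static final String FULL_UPDATE_TRIGGER = "FULL UPDATE TRIGGER: ";
    // Raised by onSignal/onMessage, consumed by getAllPathsUpdatesFrom.
    private final AtomicBoolean fullUpdateNN = new AtomicBoolean(false);
    // Most recently initialized plugin; written at the end of updater setup in initialize().
    public static volatile SentryPlugin instance;
    private DBUpdateForwarder<PathsUpdate> pathsUpdater;
    private DBUpdateForwarder<PermissionsUpdate> permsUpdater;

    /**
     * Builds the path and permission update forwarders on top of {@code sentryStore},
     * publishes this object through {@link #instance}, and registers the optional
     * full-update triggers.
     *
     * @param configuration source of the path prefixes
     *        ({@code sentry.hdfs.integration.path.prefixes}), the signal names
     *        ({@code sentry.hdfs.sync.full-update-signal}) and the pub-sub switch
     *        ({@code sentry.hdfs.sync.full-update-pubsub}, default {@code false})
     * @param sentryStore store handed to the image and delta retrievers
     * @throws SentryPolicyStorePlugin.SentryPluginException declared by the plugin
     *         contract; not thrown directly by this body
     */
    public void initialize(Configuration configuration, SentryStore sentryStore) throws SentryPolicyStorePlugin.SentryPluginException {
        String[] pathPrefixes = configuration.getStrings("sentry.hdfs.integration.path.prefixes", ServiceConstants.ServerConfig.SENTRY_HDFS_INTEGRATION_PATH_PREFIXES_DEFAULT);
        PermImageRetriever permImageRetriever = new PermImageRetriever(sentryStore);
        PathImageRetriever pathImageRetriever = new PathImageRetriever(sentryStore, pathPrefixes);
        PermDeltaRetriever permDeltaRetriever = new PermDeltaRetriever(sentryStore);
        this.pathsUpdater = new DBUpdateForwarder<>(pathImageRetriever, new PathDeltaRetriever(sentryStore));
        this.permsUpdater = new DBUpdateForwarder<>(permImageRetriever, permDeltaRetriever);
        LOGGER.info("Sentry HDFS plugin initialized !!");
        instance = this;

        String[] signalNames = configuration.getStrings("sentry.hdfs.sync.full-update-signal", (String[]) null);
        if (signalNames != null) {
            for (String signalName : signalNames) {
                try {
                    LOGGER.info("SIGNAL HANDLING: Registering Signal Handler For {}", signalName);
                    SigUtils.registerSigListener(signalName, this);
                } catch (Exception e) {
                    // Deliberate best effort: a bad signal name must not stop the plugin
                    // from starting, so the failure is logged and the loop continues.
                    LOGGER.error("SIGNAL HANDLING: Signal Handle Registration Failure", e);
                }
            }
        }

        if (configuration.getBoolean("sentry.hdfs.sync.full-update-pubsub", false)) {
            LOGGER.info(FULL_UPDATE_TRIGGER + "subscribing to topic {}", PubSub.Topic.HDFS_SYNC_NN.getName());
            PubSub.getInstance().subscribe(PubSub.Topic.HDFS_SYNC_NN, this);
        }
    }

    /**
     * Returns path updates for a poll, or a full image when a full update was
     * triggered since the previous poll.
     *
     * @param j sequence number of the caller (logged as {@code pathSeqNum})
     * @param j2 image number of the caller (logged as {@code pathImgNum})
     * @return the updates produced by the paths forwarder; may be {@code null} or
     *         empty, which is logged as a warning on the full-update path
     * @throws Exception whatever the forwarder throws
     */
    public List<PathsUpdate> getAllPathsUpdatesFrom(long j, long j2) throws Exception {
        // getAndSet consumes the trigger in one atomic step, so two concurrent polls
        // cannot both observe the same request and each build a full image.
        if (!this.fullUpdateNN.getAndSet(false)) {
            LOGGER.debug("Sending partial PATH update to NameNode for pathSeqNum {} and pathImgNum {}", j, j2);
            return this.pathsUpdater.getAllUpdatesFrom(j, j2);
        }
        // NOTE(review): the trigger is cleared before the fetch, so a request is dropped
        // if the call below throws - confirm whether it should be re-armed in that case.
        LOGGER.info(FULL_UPDATE_TRIGGER + "sending full PATH update to NameNode");
        // (-1, 0) is the request this class uses to ask the forwarder for a full image.
        List<PathsUpdate> fullUpdates = this.pathsUpdater.getAllUpdatesFrom(-1L, 0L);
        if (fullUpdates == null) {
            LOGGER.warn(FULL_UPDATE_TRIGGER + "returned NULL instead of full PATH update to NameNode  for pathSeqNum {} and pathImgNum {} (???)", j, j2);
        } else if (fullUpdates.isEmpty()) {
            LOGGER.warn(FULL_UPDATE_TRIGGER + "Sending empty instead of full PATH update to NameNode  for pathSeqNum {} and pathImgNum {} (???)", j, j2);
        } else if (fullUpdates.get(0).hasFullImage()) {
            LOGGER.info(FULL_UPDATE_TRIGGER + "Confirmed full PATH update to NameNode for pathSeqNum {} and pathImgNum {}", j, j2);
        } else {
            LOGGER.warn(FULL_UPDATE_TRIGGER + "Sending partial instead of full PATH update to NameNode  for pathSeqNum {} and pathImgNum {} (???)", j, j2);
        }
        return fullUpdates;
    }

    /**
     * Returns permission updates starting from the given sequence number.
     *
     * @param j sequence number of the caller (logged as {@code permSeqNum})
     * @return the updates produced by the permissions forwarder
     * @throws Exception whatever the forwarder throws
     */
    public List<PermissionsUpdate> getAllPermsUpdatesFrom(long j) throws Exception {
        LOGGER.debug("Sending partial PERM update to NameNode for permSeqNum {}", j);
        return this.permsUpdater.getAllUpdatesFrom(j, -1L);
    }

    /**
     * Builds the update that adds every group of the request to the request's role.
     *
     * @param tAlterSentryRoleAddGroupsRequest request carrying the role name and groups
     * @return a {@link PermissionsUpdate} holding one role change
     */
    public Updateable.Update onAlterSentryRoleAddGroups(TAlterSentryRoleAddGroupsRequest tAlterSentryRoleAddGroupsRequest) throws SentryPolicyStorePlugin.SentryPluginException {
        PermissionsUpdate permissionsUpdate = new PermissionsUpdate();
        TRoleChanges roleChanges = permissionsUpdate.addRoleUpdate(tAlterSentryRoleAddGroupsRequest.getRoleName());
        Iterator<?> groups = tAlterSentryRoleAddGroupsRequest.getGroups().iterator();
        while (groups.hasNext()) {
            roleChanges.addToAddGroups(((TSentryGroup) groups.next()).getGroupName());
        }
        LOGGER.debug("onAlterSentryRoleAddGroups, Authz Perm preUpdate[ {} ]", tAlterSentryRoleAddGroupsRequest.getRoleName());
        return permissionsUpdate;
    }

    /**
     * Builds the update that removes every group of the request from the request's role.
     *
     * @param tAlterSentryRoleDeleteGroupsRequest request carrying the role name and groups
     * @return a {@link PermissionsUpdate} holding one role change
     */
    public Updateable.Update onAlterSentryRoleDeleteGroups(TAlterSentryRoleDeleteGroupsRequest tAlterSentryRoleDeleteGroupsRequest) throws SentryPolicyStorePlugin.SentryPluginException {
        PermissionsUpdate permissionsUpdate = new PermissionsUpdate();
        TRoleChanges roleChanges = permissionsUpdate.addRoleUpdate(tAlterSentryRoleDeleteGroupsRequest.getRoleName());
        Iterator<?> groups = tAlterSentryRoleDeleteGroupsRequest.getGroups().iterator();
        while (groups.hasNext()) {
            roleChanges.addToDelGroups(((TSentryGroup) groups.next()).getGroupName());
        }
        LOGGER.debug("onAlterSentryRoleDeleteGroups, Authz Perm preUpdate [ {} ]", tAlterSentryRoleDeleteGroupsRequest.getRoleName());
        return permissionsUpdate;
    }

    /**
     * Records one update per granted privilege into {@code map}.
     *
     * <p>Privileges whose scope is {@code COLUMN} and privileges without a database
     * name produce no update.
     *
     * @param tAlterSentryRoleGrantPrivilegeRequest grant request
     * @param map receives privilege-to-update entries; may be {@code null}, in which
     *        case the updates are built but not recorded
     */
    public void onAlterSentryRoleGrantPrivilege(TAlterSentryRoleGrantPrivilegeRequest tAlterSentryRoleGrantPrivilegeRequest, Map<TSentryPrivilege, Updateable.Update> map) throws SentryPolicyStorePlugin.SentryPluginException {
        if (!tAlterSentryRoleGrantPrivilegeRequest.isSetPrivileges()) {
            return;
        }
        String roleName = tAlterSentryRoleGrantPrivilegeRequest.getRoleName();
        for (TSentryPrivilege privilege : tAlterSentryRoleGrantPrivilegeRequest.getPrivileges()) {
            if ("COLUMN".equalsIgnoreCase(privilege.getPrivilegeScope())) {
                continue;
            }
            PermissionsUpdate update = onAlterSentryRoleGrantPrivilegeCore(roleName, privilege);
            if (update != null && map != null) {
                map.put(privilege, update);
            }
        }
    }

    /**
     * Builds the update that adds the privilege's action for role {@code str} on the
     * privilege's authorization object.
     *
     * @return the update, or {@code null} when the privilege has no database name
     */
    private PermissionsUpdate onAlterSentryRoleGrantPrivilegeCore(String str, TSentryPrivilege tSentryPrivilege) throws SentryPolicyStorePlugin.SentryPluginException {
        String authzObj = getAuthzObj(tSentryPrivilege);
        if (authzObj == null) {
            return null;
        }
        PermissionsUpdate permissionsUpdate = new PermissionsUpdate();
        // Locale.ROOT: under e.g. a Turkish default locale "insert" would upper-case to
        // a dotted capital I and no longer equal the action name expected downstream.
        permissionsUpdate.addPrivilegeUpdate(authzObj).putToAddPrivileges(str, tSentryPrivilege.getAction().toUpperCase(Locale.ROOT));
        LOGGER.debug("onAlterSentryRoleGrantPrivilegeCore, Authz Perm preUpdate [ {} ]", authzObj);
        return permissionsUpdate;
    }

    /**
     * Builds the update for a privilege rename: a single privilege change keyed
     * {@code __RENAME_PRIV__} with the new object in the add map and the old object
     * in the delete map.
     *
     * @throws SentryInvalidInputException when either authorizable cannot be converted
     *         to an authorization-object name; logged and rethrown unchanged
     */
    public Updateable.Update onRenameSentryPrivilege(TRenamePrivilegesRequest tRenamePrivilegesRequest) throws SentryPolicyStorePlugin.SentryPluginException, SentryInvalidInputException {
        try {
            String oldAuthzObj = SentryServiceUtil.getAuthzObj(tRenamePrivilegesRequest.getOldAuthorizable());
            String newAuthzObj = SentryServiceUtil.getAuthzObj(tRenamePrivilegesRequest.getNewAuthorizable());
            PermissionsUpdate permissionsUpdate = new PermissionsUpdate();
            TPrivilegeChanges privilegeChanges = permissionsUpdate.addPrivilegeUpdate("__RENAME_PRIV__");
            privilegeChanges.putToAddPrivileges(newAuthzObj, newAuthzObj);
            privilegeChanges.putToDelPrivileges(oldAuthzObj, oldAuthzObj);
            LOGGER.debug("onRenameSentryPrivilege, Authz Perm preUpdate [ {} ]", oldAuthzObj);
            return permissionsUpdate;
        } catch (SentryInvalidInputException e) {
            LOGGER.error("onRenameSentryPrivilege, Could not rename sentry privilege ", e);
            throw e;
        }
    }

    /**
     * Records one update per revoked privilege into {@code map}.
     *
     * <p>Privileges whose scope is {@code COLUMN} and privileges without a database
     * name produce no update.
     *
     * @param tAlterSentryRoleRevokePrivilegeRequest revoke request
     * @param map receives privilege-to-update entries; may be {@code null}, in which
     *        case the updates are built but not recorded
     */
    public void onAlterSentryRoleRevokePrivilege(TAlterSentryRoleRevokePrivilegeRequest tAlterSentryRoleRevokePrivilegeRequest, Map<TSentryPrivilege, Updateable.Update> map) throws SentryPolicyStorePlugin.SentryPluginException {
        if (!tAlterSentryRoleRevokePrivilegeRequest.isSetPrivileges()) {
            return;
        }
        String roleName = tAlterSentryRoleRevokePrivilegeRequest.getRoleName();
        for (TSentryPrivilege privilege : tAlterSentryRoleRevokePrivilegeRequest.getPrivileges()) {
            if ("COLUMN".equalsIgnoreCase(privilege.getPrivilegeScope())) {
                continue;
            }
            PermissionsUpdate update = onAlterSentryRoleRevokePrivilegeCore(roleName, privilege);
            if (update != null && map != null) {
                map.put(privilege, update);
            }
        }
    }

    /**
     * Builds the update that removes the privilege's action for role {@code str} from
     * the privilege's authorization object.
     *
     * @return the update, or {@code null} when the privilege has no database name
     */
    private PermissionsUpdate onAlterSentryRoleRevokePrivilegeCore(String str, TSentryPrivilege tSentryPrivilege) throws SentryPolicyStorePlugin.SentryPluginException {
        String authzObj = getAuthzObj(tSentryPrivilege);
        if (authzObj == null) {
            return null;
        }
        PermissionsUpdate permissionsUpdate = new PermissionsUpdate();
        // Same locale-independent normalisation as the grant path, so a revoke names
        // exactly the action string that the matching grant added.
        permissionsUpdate.addPrivilegeUpdate(authzObj).putToDelPrivileges(str, tSentryPrivilege.getAction().toUpperCase(Locale.ROOT));
        LOGGER.debug("onAlterSentryRoleRevokePrivilegeCore, Authz Perm preUpdate [ {} ]", authzObj);
        return permissionsUpdate;
    }

    /**
     * Builds the update for a dropped role: a delete of the role under the
     * {@code __ALL_AUTHZ_OBJ__} privilege key and a delete of {@code __ALL_GROUPS__}
     * from the role.
     */
    public Updateable.Update onDropSentryRole(TDropSentryRoleRequest tDropSentryRoleRequest) throws SentryPolicyStorePlugin.SentryPluginException {
        PermissionsUpdate permissionsUpdate = new PermissionsUpdate();
        permissionsUpdate.addPrivilegeUpdate("__ALL_AUTHZ_OBJ__").putToDelPrivileges(tDropSentryRoleRequest.getRoleName(), "__ALL_AUTHZ_OBJ__");
        permissionsUpdate.addRoleUpdate(tDropSentryRoleRequest.getRoleName()).addToDelGroups("__ALL_GROUPS__");
        LOGGER.debug("onDropSentryRole, Authz Perm preUpdate [ {} ]", tDropSentryRoleRequest.getRoleName());
        return permissionsUpdate;
    }

    /**
     * Builds the update for a dropped authorizable: a delete of {@code __ALL_ROLES__}
     * on the authorizable's authorization object.
     *
     * @throws SentryPolicyStorePlugin.SentryPluginException wrapping the
     *         {@link SentryInvalidInputException} raised when the authorizable cannot
     *         be converted to an authorization-object name
     */
    public Updateable.Update onDropSentryPrivilege(TDropPrivilegesRequest tDropPrivilegesRequest) throws SentryPolicyStorePlugin.SentryPluginException {
        PermissionsUpdate permissionsUpdate = new PermissionsUpdate();
        try {
            String authzObj = SentryServiceUtil.getAuthzObj(tDropPrivilegesRequest.getAuthorizable());
            permissionsUpdate.addPrivilegeUpdate(authzObj).putToDelPrivileges("__ALL_ROLES__", "__ALL_ROLES__");
            LOGGER.debug("onDropSentryPrivilege, Authz Perm preUpdate [ {} ]", authzObj);
            return permissionsUpdate;
        } catch (SentryInvalidInputException e) {
            LOGGER.error("onDropSentryPrivilege, Could not drop sentry privilege " + e.toString(), e);
            throw new SentryPolicyStorePlugin.SentryPluginException(e.getMessage(), e);
        }
    }

    /**
     * Signal callback: requests a full path update on the next poll.
     *
     * @param str name of the received signal, used only for logging
     */
    public void onSignal(String str) {
        LOGGER.info("SIGNAL HANDLING: Received signal {}, triggering full update", str);
        this.fullUpdateNN.set(true);
    }

    /**
     * Pub-sub callback: requests a full path update on the next poll.
     *
     * @param topic must be {@link PubSub.Topic#HDFS_SYNC_NN}
     * @param str message payload, used only for logging
     * @throws IllegalArgumentException when {@code topic} is any other topic
     */
    public void onMessage(PubSub.Topic topic, String str) {
        Preconditions.checkArgument(topic == PubSub.Topic.HDFS_SYNC_NN, "Unexpected topic %s instead of %s", topic, PubSub.Topic.HDFS_SYNC_NN);
        LOGGER.info(FULL_UPDATE_TRIGGER + "Received [{}, {}] notification", topic, str);
        this.fullUpdateNN.set(true);
    }

    /**
     * Derives the lower-cased authorization-object name of a privilege:
     * {@code db} when the table name is unset, {@code db.table} otherwise.
     *
     * @return the name, or {@code null} when the privilege has no database name
     */
    private String getAuthzObj(TSentryPrivilege tSentryPrivilege) {
        String authzObj = null;
        if (!SentryStore.isNULL(tSentryPrivilege.getDbName())) {
            String dbName = tSentryPrivilege.getDbName();
            String tableName = tSentryPrivilege.getTableName();
            authzObj = SentryStore.isNULL(tableName) ? dbName : dbName + "." + tableName;
        }
        if (authzObj == null) {
            return null;
        }
        // Locale.ROOT keeps the object name identical on every host; the default-locale
        // overload maps 'I' to a dotless i under tr/az locales and would change the key.
        return authzObj.toLowerCase(Locale.ROOT);
    }
}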
