package org.apache.sentry.provider.db.service.thrift;

import com.codahale.metrics.MetricRegistry;
import com.codahale.metrics.Timer;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Splitter;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeoutException;
import java.util.regex.Pattern;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.log4j.Logger;
import org.apache.sentry.core.common.exception.SentryAccessDeniedException;
import org.apache.sentry.core.common.exception.SentryAlreadyExistsException;
import org.apache.sentry.core.common.exception.SentryGroupNotFoundException;
import org.apache.sentry.core.common.exception.SentryInvalidInputException;
import org.apache.sentry.core.common.exception.SentryNoSuchObjectException;
import org.apache.sentry.core.common.exception.SentrySiteConfigurationException;
import org.apache.sentry.core.common.exception.SentryThriftAPIMismatchException;
import org.apache.sentry.core.common.exception.SentryUserException;
import org.apache.sentry.hdfs.Updateable;
import org.apache.sentry.provider.common.GroupMappingService;
import org.apache.sentry.provider.db.SentryPolicyStorePlugin;
import org.apache.sentry.provider.db.log.entity.JsonLogEntity;
import org.apache.sentry.provider.db.log.entity.JsonLogEntityFactory;
import org.apache.sentry.provider.db.log.util.Constants;
import org.apache.sentry.provider.db.service.persistent.SentryStore;
import org.apache.sentry.provider.db.service.thrift.SentryPolicyService;
import org.apache.sentry.provider.db.service.thrift.validator.GrantPrivilegeRequestValidator;
import org.apache.sentry.provider.db.service.thrift.validator.RevokePrivilegeRequestValidator;
import org.apache.sentry.service.thrift.SentryServiceUtil;
import org.apache.sentry.service.thrift.ServiceConstants;
import org.apache.sentry.service.thrift.Status;
import org.apache.thrift.TException;

/* loaded from: input_file:org/apache/sentry/provider/db/service/thrift/SentryPolicyStoreProcessor.class */
public class SentryPolicyStoreProcessor implements SentryPolicyService.Iface {
    // Operational log for this processor (errors, denied requests).
    private static final Logger LOGGER = Logger.getLogger(SentryPolicyStoreProcessor.class);
    // Separate audit log: the request handlers write one JSON entry per request here,
    // built from the request/response pair by JsonLogEntityFactory.
    private static final Logger AUDIT_LOGGER = Logger.getLogger(Constants.AUDIT_LOGGER_NAME);
    static final String SENTRY_POLICY_SERVICE_NAME = "SentryPolicyService";
    // Set once in the constructor; no other use is visible in this part of the file.
    private final String name;
    // Service configuration; also handed to plugins, metrics reporting and audit-entry creation.
    private final Configuration conf;
    // Backing policy store that every handler reads from or mutates.
    private final SentryStore sentryStore;
    // Fans out successful operations to the configured NotificationHandler instances.
    private final NotificationHandlerInvoker notificationHandlerInvoker;
    // Trimmed, lower-cased admin group names from ServerConfig.ADMIN_GROUPS. authorize()
    // allows a request only when the requestor's groups intersect this set.
    private final ImmutableSet<String> adminGroups;
    // Assigned by initMetrics(); the handlers take their per-operation timers from it.
    private SentryMetrics sentryMetrics;
    // Timer registered under this class's metric name plus "hms"/"wait"; its use is outside this part of the file.
    private final Timer hmsWaitTimer = SentryMetrics.getInstance().getTimer(MetricRegistry.name(SentryPolicyStoreProcessor.class, new String[]{"hms", "wait"}));
    // Plugins consulted before store mutations; the handlers assert that at most one is registered.
    // NOTE(review): a plain LinkedList that registerPlugin() appends to and the handlers iterate;
    // no synchronization is visible here - confirm registration only happens before requests are served.
    private List<SentryPolicyStorePlugin> sentryPlugins = new LinkedList();

    /**
     * Wires the processor to its store, notification handlers, admin groups and plugins.
     *
     * <p>JADX reports that the original access modifier was package-private.
     *
     * <p>Both the notification handlers and the policy-store plugins are class names read
     * from configuration and instantiated reflectively, so whoever can edit the service
     * configuration chooses code that runs inside the policy service. The plugin type is
     * checked before instantiation.
     *
     * @param str service name stored on the instance
     * @param configuration source of admin groups, handler and plugin class names
     * @param sentryStore backing store, also passed to each plugin's initialize()
     * @throws Exception if a handler or plugin cannot be loaded, created or initialized
     */
    public SentryPolicyStoreProcessor(String str, Configuration configuration, SentryStore sentryStore) throws Exception {
        this.name = str;
        this.conf = configuration;
        this.sentryStore = sentryStore;

        List<NotificationHandler> handlers = createHandlers(configuration);
        this.notificationHandlerInvoker = new NotificationHandlerInvoker(configuration, handlers);

        // Admin group names are normalized once here; authorize() normalizes the requestor's groups the same way.
        String[] configuredAdmins = configuration.getStrings(ServiceConstants.ServerConfig.ADMIN_GROUPS, new String[0]);
        this.adminGroups = ImmutableSet.copyOf(toTrimedLower(Sets.newHashSet(configuredAdmins)));

        String pluginSetting = configuration.get(ServiceConstants.ServerConfig.SENTRY_POLICY_STORE_PLUGINS, "").trim();
        for (String pluginClassName : ServiceConstants.ConfUtilties.CLASS_SPLITTER.split(pluginSetting)) {
            Class<?> pluginClass = configuration.getClassByName(pluginClassName);
            if (SentryPolicyStorePlugin.class.isAssignableFrom(pluginClass)) {
                SentryPolicyStorePlugin plugin = (SentryPolicyStorePlugin) pluginClass.newInstance();
                plugin.initialize(configuration, this.sentryStore);
                this.sentryPlugins.add(plugin);
            } else {
                // Reject anything that is not a plugin before a single instance is created.
                throw new IllegalArgumentException("Sentry Plugin [" + pluginClassName + "] is not a " + SentryPolicyStorePlugin.class.getName());
            }
        }
        initMetrics();
    }

    /**
     * Binds this processor to the shared SentryMetrics instance, registers the store's
     * gauges with it and starts metric reporting using the service configuration.
     */
    private void initMetrics() {
        SentryMetrics metrics = SentryMetrics.getInstance();
        this.sentryMetrics = metrics;
        metrics.addSentryStoreGauges(sentryStore);
        metrics.initReporting(conf);
    }

    /** Stops the processor by delegating to the backing store's stop(). */
    public void stop() {
        sentryStore.stop();
    }

    /**
     * Initializes a plugin against this processor's configuration and store, then adds it
     * to the plugin list.
     *
     * <p>The request handlers assert that at most one plugin is registered, so registering
     * a second one makes those handlers fail their state check.
     *
     * @param sentryPolicyStorePlugin plugin to initialize and register
     * @throws SentryPolicyStorePlugin.SentryPluginException if initialization fails; the plugin is then not added
     */
    public void registerPlugin(SentryPolicyStorePlugin sentryPolicyStorePlugin) throws SentryPolicyStorePlugin.SentryPluginException {
        final SentryPolicyStorePlugin plugin = sentryPolicyStorePlugin;
        plugin.initialize(conf, sentryStore);
        sentryPlugins.add(plugin);
    }

    /**
     * Instantiates the notification handlers named in the
     * {@code sentry.policy.store.notification.handlers} setting.
     *
     * <p>The value is split on whitespace and commas. Each entry is loaded with
     * {@code Class.forName}, must be a NotificationHandler, and is created through its
     * {@code (Configuration)} constructor. The class names come straight from
     * configuration, so write access to that configuration decides which classes are
     * loaded into the service.
     *
     * @param configuration configuration holding the handler list; also passed to each handler
     * @return the handlers in configuration order, empty when none are configured
     * @throws SentrySiteConfigurationException if an entry is not a class, is not a
     *         NotificationHandler, or cannot be instantiated
     */
    @VisibleForTesting
    static List<NotificationHandler> createHandlers(Configuration configuration) throws SentrySiteConfigurationException {
        List<NotificationHandler> handlers = Lists.newArrayList();
        String configured = configuration.get("sentry.policy.store.notification.handlers", "");
        Iterable<String> classNames = Splitter.onPattern("[\\s,]").trimResults().omitEmptyStrings().split(configured);
        for (String className : classNames) {
            Class<?> handlerClass;
            try {
                handlerClass = Class.forName(className);
            } catch (ClassNotFoundException notFound) {
                throw new SentrySiteConfigurationException("Value " + className + " is not a class", notFound);
            }
            // Type check happens before any constructor of the configured class is invoked.
            if (!NotificationHandler.class.isAssignableFrom(handlerClass)) {
                throw new SentrySiteConfigurationException("Class " + className + " is not a " + NotificationHandler.class.getName());
            }
            Preconditions.checkNotNull(handlerClass, "Error class cannot be null");
            try {
                handlers.add((NotificationHandler) handlerClass.getConstructor(Configuration.class).newInstance(configuration));
            } catch (Exception creationFailure) {
                throw new SentrySiteConfigurationException("Error attempting to create " + className, creationFailure);
            }
        }
        return handlers;
    }

    /**
     * Returns the configuration this processor was constructed with (test accessor).
     *
     * @return the same Configuration instance, not a copy
     */
    @VisibleForTesting
    public Configuration getSentryStoreConf() {
        return conf;
    }

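    /**
     * Returns a new set holding every input string trimmed and lower-cased.
     *
     * <p>This is the normalization applied to both the configured admin groups and a
     * requestor's groups before they are compared, so it has to give the same answer on
     * every JVM. Lower-casing with the default locale does not: under a Turkish locale
     * "ADMIN" becomes "adm\u0131n" and stops matching "admin". {@code Locale.ROOT} keeps
     * the admin-group check independent of the host's locale settings.
     *
     * @param set strings to normalize; must not be null or contain null
     * @return a fresh mutable set of the normalized strings
     */
    private static Set<String> toTrimedLower(Set<String> set) {
        Set<String> normalized = new HashSet<String>();
        for (String value : set) {
            // Fully qualified so the fix does not depend on a new file-level import.
            normalized.add(value.trim().toLowerCase(java.util.Locale.ROOT));
        }
        return normalized;
    }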

    /**
     * Tells whether any of the given groups is a configured admin group.
     *
     * <p>The groups are normalized with toTrimedLower() first, the same way the admin
     * group set was normalized at construction.
     *
     * @param set the requestor's group names
     * @return true when at least one normalized group is in adminGroups
     */
    private boolean inAdminGroups(Set<String> set) {
        for (String group : toTrimedLower(set)) {
            if (this.adminGroups.contains(group)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Admin gate for role management: passes only when the requestor belongs to at least
     * one configured admin group.
     *
     * <p>A denial is logged at WARN with the user, the user's groups and the admin groups,
     * which gives operators a record of rejected administrative attempts.
     *
     * @param str requestor user name, used in the log line and the exception message
     * @param set groups the requestor belongs to
     * @throws SentryAccessDeniedException when none of the groups is an admin group
     */
    private void authorize(String str, Set<String> set) throws SentryAccessDeniedException {
        if (!inAdminGroups(set)) {
            LOGGER.warn("User: " + str + " is part of " + set + " which does not, intersect admin groups " + this.adminGroups);
            throw new SentryAccessDeniedException("Access denied to " + str);
        }
    }

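    /**
     * Creates a role after checking the client protocol version and that the requestor
     * is in an admin group, then writes an audit entry for the request.
     *
     * <p>The listing nested the broad {@code catch (Exception)} inside the specific
     * handlers, so an access denial or "already exists" would be reported as a generic
     * runtime error. The handlers are now ordered specific-to-general in a single try, and
     * the timer is stopped exactly once in {@code finally}.
     *
     * @param tCreateSentryRoleRequest request carrying protocol version, requestor and role name
     * @return response whose status reflects success or the specific failure
     * @throws TException declared by the Thrift interface
     */
    @Override // org.apache.sentry.provider.db.service.thrift.SentryPolicyService.Iface
    public TCreateSentryRoleResponse create_sentry_role(TCreateSentryRoleRequest tCreateSentryRoleRequest) throws TException {
        final TCreateSentryRoleRequest request = tCreateSentryRoleRequest;
        final TCreateSentryRoleResponse response = new TCreateSentryRoleResponse();
        final Timer.Context time = this.sentryMetrics.createRoleTimer.time();
        try {
            validateClientVersion(request.getProtocol_version());
            // Groups are looked up from the requestor name rather than taken from the request.
            // NOTE(review): the requestor name itself comes from the request object; confirm the
            // transport layer binds it to the authenticated caller.
            authorize(request.getRequestorUserName(), getRequestorGroups(request.getRequestorUserName()));
            this.sentryStore.createSentryRole(request.getRoleName());
            response.setStatus(Status.OK());
            this.notificationHandlerInvoker.create_sentry_role(request, response);
        } catch (SentryAlreadyExistsException e) {
            LOGGER.error("Role: " + request + " already exists.", e);
            response.setStatus(Status.AlreadyExists(e.getMessage(), e));
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            String message = "Unknown error for request: " + request + ", message: " + e.getMessage();
            LOGGER.error(message, e);
            response.setStatus(Status.RuntimeError(message, e));
        } finally {
            time.stop();
        }
        // The audit entry is written for failures as well; an audit failure is logged, not returned.
        try {
            AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(request, response, this.conf).toJsonFormatLog());
        } catch (Exception e) {
            LOGGER.error("Error creating audit log for create role: " + e.getMessage(), e);
        }
        return response;
    }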

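    /**
     * Grants one or more privileges to a role and writes an audit entry per privilege.
     *
     * <p>In the listing only the version check sat inside the try blocks. A failed check
     * set an error status, stopped the timer and then fell through to perform the grant
     * anyway, and exceptions from the grant itself were never mapped to a status. The
     * whole operation now runs inside one try with specific-to-general handlers, and the
     * timer is stopped once in {@code finally}.
     *
     * <p>NOTE(review): no authorize() call is visible in this handler. The requestor name
     * is passed to the store, which presumably enforces who may grant; confirm against
     * SentryStore.
     *
     * @param tAlterSentryRoleGrantPrivilegeRequest request with exactly one of privilege / privileges set
     * @return response with status and, on success, the granted privileges
     * @throws TException declared by the Thrift interface
     */
    @Override // org.apache.sentry.provider.db.service.thrift.SentryPolicyService.Iface
    public TAlterSentryRoleGrantPrivilegeResponse alter_sentry_role_grant_privilege(TAlterSentryRoleGrantPrivilegeRequest tAlterSentryRoleGrantPrivilegeRequest) throws TException {
        final TAlterSentryRoleGrantPrivilegeRequest request = tAlterSentryRoleGrantPrivilegeRequest;
        final TAlterSentryRoleGrantPrivilegeResponse response = new TAlterSentryRoleGrantPrivilegeResponse();
        final Timer.Context time = this.sentryMetrics.grantTimer.time();
        try {
            validateClientVersion(request.getProtocol_version());
            // Exactly one of the single-privilege and multi-privilege fields may be set.
            if (!(request.isSetPrivileges() ^ request.isSetPrivilege())) {
                throw new SentryUserException("SENTRY API version is not right!");
            }
            // Fold the single-privilege form into the set form so the rest handles one shape.
            if (request.isSetPrivilege()) {
                request.setPrivileges(Sets.newHashSet(new TSentryPrivilege[]{request.getPrivilege()}));
            }
            Preconditions.checkState(this.sentryPlugins.size() <= 1);
            // Raw map: the plugin's key/value types are not visible in this listing.
            HashMap hashMap = new HashMap();
            for (SentryPolicyStorePlugin plugin : this.sentryPlugins) {
                plugin.onAlterSentryRoleGrantPrivilege(request, hashMap);
            }
            if (hashMap.isEmpty()) {
                this.sentryStore.alterSentryRoleGrantPrivileges(request.getRequestorUserName(), request.getRoleName(), request.getPrivileges());
            } else {
                this.sentryStore.alterSentryRoleGrantPrivileges(request.getRequestorUserName(), request.getRoleName(), request.getPrivileges(), hashMap);
            }
            // NOTE(review): the request validator runs after the store call, as in the listing.
            // Confirm whether it is meant to reject input before the grant is persisted.
            GrantPrivilegeRequestValidator.validate(request);
            response.setStatus(Status.OK());
            response.setPrivileges(request.getPrivileges());
            if (response.isSetPrivileges() && response.getPrivileges().size() == 1) {
                response.setPrivilege(response.getPrivileges().iterator().next());
            }
            this.notificationHandlerInvoker.alter_sentry_role_grant_privilege(request, response);
        } catch (SentryNoSuchObjectException e) {
            String message = "Role: " + request.getRoleName() + " doesn't exist";
            LOGGER.error(message, e);
            response.setStatus(Status.NoSuchObject(message, e));
        } catch (SentryInvalidInputException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.InvalidInput(e.getMessage(), e));
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            String message = "Unknown error for request: " + request + ", message: " + e.getMessage();
            LOGGER.error(message, e);
            response.setStatus(Status.RuntimeError(message, e));
        } finally {
            time.stop();
        }
        // Audit entries are written for failed grants too; an audit failure is logged, not returned.
        try {
            for (JsonLogEntity entry : JsonLogEntityFactory.getInstance().createJsonLogEntitys(request, response, this.conf)) {
                AUDIT_LOGGER.info(entry.toJsonFormatLog());
            }
        } catch (Exception e) {
            LOGGER.error("Error creating audit log for grant privilege to role: " + e.getMessage(), e);
        }
        return response;
    }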

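    /**
     * Revokes one or more privileges from a role and writes an audit entry per privilege.
     *
     * <p>In the listing only the version check sat inside the try blocks. A failed check
     * set an error status and then fell through to perform the revoke anyway, and
     * exceptions from the revoke itself were never mapped to a status. The whole operation
     * now runs inside one try with specific-to-general handlers, and the timer is stopped
     * once in {@code finally}.
     *
     * <p>NOTE(review): no authorize() call is visible in this handler. The requestor name
     * is passed to the store, which presumably enforces who may revoke; confirm against
     * SentryStore.
     *
     * @param tAlterSentryRoleRevokePrivilegeRequest request with exactly one of privilege / privileges set
     * @return response whose status reflects success or the specific failure
     * @throws TException declared by the Thrift interface
     */
    @Override // org.apache.sentry.provider.db.service.thrift.SentryPolicyService.Iface
    public TAlterSentryRoleRevokePrivilegeResponse alter_sentry_role_revoke_privilege(TAlterSentryRoleRevokePrivilegeRequest tAlterSentryRoleRevokePrivilegeRequest) throws TException {
        final TAlterSentryRoleRevokePrivilegeRequest request = tAlterSentryRoleRevokePrivilegeRequest;
        final TAlterSentryRoleRevokePrivilegeResponse response = new TAlterSentryRoleRevokePrivilegeResponse();
        final Timer.Context time = this.sentryMetrics.revokeTimer.time();
        try {
            validateClientVersion(request.getProtocol_version());
            // Exactly one of the single-privilege and multi-privilege fields may be set.
            if (!(request.isSetPrivileges() ^ request.isSetPrivilege())) {
                throw new SentryUserException("SENTRY API version is not right!");
            }
            // Fold the single-privilege form into the set form so the rest handles one shape.
            if (request.isSetPrivilege()) {
                request.setPrivileges(Sets.newHashSet(new TSentryPrivilege[]{request.getPrivilege()}));
            }
            Preconditions.checkState(this.sentryPlugins.size() <= 1);
            // Raw map: the plugin's key/value types are not visible in this listing.
            HashMap hashMap = new HashMap();
            for (SentryPolicyStorePlugin plugin : this.sentryPlugins) {
                plugin.onAlterSentryRoleRevokePrivilege(request, hashMap);
            }
            if (hashMap.isEmpty()) {
                this.sentryStore.alterSentryRoleRevokePrivileges(request.getRequestorUserName(), request.getRoleName(), request.getPrivileges());
            } else {
                this.sentryStore.alterSentryRoleRevokePrivileges(request.getRequestorUserName(), request.getRoleName(), request.getPrivileges(), hashMap);
            }
            // NOTE(review): the request validator runs after the store call, as in the listing.
            // Confirm whether it is meant to reject input before the revoke is persisted.
            RevokePrivilegeRequestValidator.validate(request);
            response.setStatus(Status.OK());
            this.notificationHandlerInvoker.alter_sentry_role_revoke_privilege(request, response);
        } catch (SentryNoSuchObjectException e) {
            // Describe every requested privilege so the caller can see what was not found.
            StringBuilder description = new StringBuilder();
            if (request.getPrivileges().size() > 0) {
                for (TSentryPrivilege privilege : request.getPrivileges()) {
                    description.append("Privilege: [server=").append(privilege.getServerName());
                    description.append(",db=").append(privilege.getDbName());
                    description.append(",table=").append(privilege.getTableName());
                    description.append(",URI=").append(privilege.getURI());
                    description.append(",action=").append(privilege.getAction());
                    description.append("] ");
                }
                description.append("doesn't exist.");
            }
            LOGGER.error(description.toString(), e);
            response.setStatus(Status.NoSuchObject(description.toString(), e));
        } catch (SentryInvalidInputException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.InvalidInput(e.getMessage(), e));
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            String message = "Unknown error for request: " + request + ", message: " + e.getMessage();
            LOGGER.error(message, e);
            response.setStatus(Status.RuntimeError(message, e));
        } finally {
            time.stop();
        }
        // Audit entries are written for failed revokes too; an audit failure is logged, not returned.
        try {
            for (JsonLogEntity entry : JsonLogEntityFactory.getInstance().createJsonLogEntitys(request, response, this.conf)) {
                AUDIT_LOGGER.info(entry.toJsonFormatLog());
            }
        } catch (Exception e) {
            LOGGER.error("Error creating audit log for revoke privilege from role: " + e.getMessage(), e);
        }
        return response;
    }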

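    /**
     * Drops a role after checking the client protocol version and that the requestor is
     * in an admin group, then writes an audit entry for the request.
     *
     * <p>The listing nested the broad {@code catch (Exception)} inside the
     * version-mismatch handler, so a mismatch would be reported as a generic runtime
     * error. The handlers are now ordered specific-to-general in a single try, and the
     * timer is stopped exactly once in {@code finally}.
     *
     * @param tDropSentryRoleRequest request carrying protocol version, requestor and role name
     * @return response whose status reflects success or the specific failure
     * @throws TException declared by the Thrift interface
     */
    @Override // org.apache.sentry.provider.db.service.thrift.SentryPolicyService.Iface
    public TDropSentryRoleResponse drop_sentry_role(TDropSentryRoleRequest tDropSentryRoleRequest) throws TException {
        final TDropSentryRoleRequest request = tDropSentryRoleRequest;
        final TDropSentryRoleResponse response = new TDropSentryRoleResponse();
        final Timer.Context time = this.sentryMetrics.dropRoleTimer.time();
        try {
            validateClientVersion(request.getProtocol_version());
            // Admin check comes before any plugin or store call.
            authorize(request.getRequestorUserName(), getRequestorGroups(request.getRequestorUserName()));
            Preconditions.checkState(this.sentryPlugins.size() <= 1);
            Updateable.Update update = null;
            for (SentryPolicyStorePlugin plugin : this.sentryPlugins) {
                update = plugin.onDropSentryRole(request);
            }
            // A plugin-produced update is passed along with the drop; otherwise the plain form is used.
            if (update != null) {
                this.sentryStore.dropSentryRole(request.getRoleName(), update);
            } else {
                this.sentryStore.dropSentryRole(request.getRoleName());
            }
            response.setStatus(Status.OK());
            this.notificationHandlerInvoker.drop_sentry_role(request, response);
        } catch (SentryNoSuchObjectException e) {
            String message = "Role :" + request + " doesn't exist";
            LOGGER.error(message, e);
            response.setStatus(Status.NoSuchObject(message, e));
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            String message = "Unknown error for request: " + request + ", message: " + e.getMessage();
            LOGGER.error(message, e);
            response.setStatus(Status.RuntimeError(message, e));
        } finally {
            time.stop();
        }
        // The audit entry is written for failures as well; an audit failure is logged, not returned.
        try {
            AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(request, response, this.conf).toJsonFormatLog());
        } catch (Exception e) {
            LOGGER.error("Error creating audit log for drop role: " + e.getMessage(), e);
        }
        return response;
    }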

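    /**
     * Adds groups to a role after checking the client protocol version and that the
     * requestor is in an admin group, then writes an audit entry for the request.
     *
     * <p>The listing nested the broad {@code catch (Exception)} inside the
     * version-mismatch handler, so a mismatch would be reported as a generic runtime
     * error. The handlers are now ordered specific-to-general in a single try, and the
     * timer is stopped exactly once in {@code finally}.
     *
     * @param tAlterSentryRoleAddGroupsRequest request carrying requestor, role name and groups
     * @return response whose status reflects success or the specific failure
     * @throws TException declared by the Thrift interface
     */
    @Override // org.apache.sentry.provider.db.service.thrift.SentryPolicyService.Iface
    public TAlterSentryRoleAddGroupsResponse alter_sentry_role_add_groups(TAlterSentryRoleAddGroupsRequest tAlterSentryRoleAddGroupsRequest) throws TException {
        final TAlterSentryRoleAddGroupsRequest request = tAlterSentryRoleAddGroupsRequest;
        final TAlterSentryRoleAddGroupsResponse response = new TAlterSentryRoleAddGroupsResponse();
        final Timer.Context time = this.sentryMetrics.grantRoleTimer.time();
        try {
            validateClientVersion(request.getProtocol_version());
            // Admin check comes before any plugin or store call.
            authorize(request.getRequestorUserName(), getRequestorGroups(request.getRequestorUserName()));
            Preconditions.checkState(this.sentryPlugins.size() <= 1);
            Updateable.Update update = null;
            for (SentryPolicyStorePlugin plugin : this.sentryPlugins) {
                update = plugin.onAlterSentryRoleAddGroups(request);
            }
            // A plugin-produced update is passed along with the change; otherwise the plain form is used.
            if (update != null) {
                this.sentryStore.alterSentryRoleAddGroups(request.getRequestorUserName(), request.getRoleName(), request.getGroups(), update);
            } else {
                this.sentryStore.alterSentryRoleAddGroups(request.getRequestorUserName(), request.getRoleName(), request.getGroups());
            }
            response.setStatus(Status.OK());
            this.notificationHandlerInvoker.alter_sentry_role_add_groups(request, response);
        } catch (SentryNoSuchObjectException e) {
            String message = "Role: " + request + " doesn't exist";
            LOGGER.error(message, e);
            response.setStatus(Status.NoSuchObject(message, e));
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            String message = "Unknown error for request: " + request + ", message: " + e.getMessage();
            LOGGER.error(message, e);
            response.setStatus(Status.RuntimeError(message, e));
        } finally {
            time.stop();
        }
        // The audit entry is written for failures as well; an audit failure is logged, not returned.
        try {
            AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(request, response, this.conf).toJsonFormatLog());
        } catch (Exception e) {
            LOGGER.error("Error creating audit log for add role to group: " + e.getMessage(), e);
        }
        return response;
    }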

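    /**
     * Adds users to a role after checking the client protocol version and that the
     * requestor is in an admin group, then writes an audit entry for the request.
     *
     * <p>The listing put the broad {@code catch (Exception)} innermost, so an access
     * denial, a missing role or a version mismatch would all be reported as a generic
     * runtime error. The handlers are now ordered specific-to-general in a single try, and
     * the timer is stopped exactly once in {@code finally}.
     *
     * @param tAlterSentryRoleAddUsersRequest request carrying requestor, role name and users
     * @return response whose status reflects success or the specific failure
     * @throws TException declared by the Thrift interface
     */
    @Override // org.apache.sentry.provider.db.service.thrift.SentryPolicyService.Iface
    public TAlterSentryRoleAddUsersResponse alter_sentry_role_add_users(TAlterSentryRoleAddUsersRequest tAlterSentryRoleAddUsersRequest) throws TException {
        final TAlterSentryRoleAddUsersRequest request = tAlterSentryRoleAddUsersRequest;
        final TAlterSentryRoleAddUsersResponse response = new TAlterSentryRoleAddUsersResponse();
        final Timer.Context time = this.sentryMetrics.grantRoleTimer.time();
        try {
            validateClientVersion(request.getProtocol_version());
            // Admin check comes before the store is touched.
            authorize(request.getRequestorUserName(), getRequestorGroups(request.getRequestorUserName()));
            this.sentryStore.alterSentryRoleAddUsers(request.getRoleName(), request.getUsers());
            response.setStatus(Status.OK());
            this.notificationHandlerInvoker.alter_sentry_role_add_users(request, response);
        } catch (SentryNoSuchObjectException e) {
            String message = "Role: " + request + " does not exist.";
            LOGGER.error(message, e);
            response.setStatus(Status.NoSuchObject(message, e));
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            String message = "Unknown error for request: " + request + ", message: " + e.getMessage();
            LOGGER.error(message, e);
            response.setStatus(Status.RuntimeError(message, e));
        } finally {
            time.stop();
        }
        // The audit entry is written for failures as well; an audit failure is logged, not returned.
        try {
            AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(request, response, this.conf).toJsonFormatLog());
        } catch (Exception e) {
            LOGGER.error("Error creating audit log for add role to user: " + e.getMessage(), e);
        }
        return response;
    }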

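    /**
     * Removes the given users from a role on behalf of the requestor.
     *
     * <p>The client protocol version is validated and the requestor is authorized before the
     * store is modified. Failures are reported through the response status instead of being
     * thrown, and an audit record is attempted for every request, whatever its outcome.
     *
     * @param tAlterSentryRoleDeleteUsersRequest role name, users to remove, requestor name and
     *     client protocol version
     * @return response whose status is OK, NoSuchObject, AccessDenied, THRIFT_VERSION_MISMATCH or
     *     RuntimeError
     * @throws TException declared by the Thrift interface
     */
    @Override // org.apache.sentry.provider.db.service.thrift.SentryPolicyService.Iface
    public TAlterSentryRoleDeleteUsersResponse alter_sentry_role_delete_users(TAlterSentryRoleDeleteUsersRequest tAlterSentryRoleDeleteUsersRequest) throws TException {
        // NOTE(review): this delete path is timed with grantRoleTimer, whereas
        // alter_sentry_role_delete_groups uses revokeRoleTimer — confirm which is intended.
        Timer.Context time = this.sentryMetrics.grantRoleTimer.time();
        TAlterSentryRoleDeleteUsersResponse response = new TAlterSentryRoleDeleteUsersResponse();
        try {
            validateClientVersion(tAlterSentryRoleDeleteUsersRequest.getProtocol_version());
            // NOTE(review): the requestor name comes from the request body; presumably the
            // transport layer has already authenticated it — verify.
            String requestor = tAlterSentryRoleDeleteUsersRequest.getRequestorUserName();
            authorize(requestor, getRequestorGroups(requestor));
            this.sentryStore.alterSentryRoleDeleteUsers(tAlterSentryRoleDeleteUsersRequest.getRoleName(), tAlterSentryRoleDeleteUsersRequest.getUsers());
            response.setStatus(Status.OK());
            this.notificationHandlerInvoker.alter_sentry_role_delete_users(tAlterSentryRoleDeleteUsersRequest, response);
        } catch (SentryNoSuchObjectException e) {
            String msg = "Role: " + tAlterSentryRoleDeleteUsersRequest + " does not exist.";
            LOGGER.error(msg, e);
            response.setStatus(Status.NoSuchObject(msg, e));
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            // The generic handler comes last so that an authorization failure is reported as
            // AccessDenied and not folded into RuntimeError.
            String msg = "Unknown error for request: " + tAlterSentryRoleDeleteUsersRequest + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        } finally {
            // Stop the timer exactly once on every path.
            time.stop();
        }
        try {
            AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(tAlterSentryRoleDeleteUsersRequest, response, this.conf).toJsonFormatLog());
        } catch (Exception e) {
            // A failure to build the audit record must not change the response already computed.
            LOGGER.error("Error creating audit log for delete role from user: " + e.getMessage(), e);
        }
        return response;
    }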

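    /**
     * Removes the given groups from a role on behalf of the requestor.
     *
     * <p>The client protocol version is validated and the requestor is authorized before the
     * store is modified. Failures are reported through the response status instead of being
     * thrown, and an audit record is attempted for every request, whatever its outcome.
     *
     * @param tAlterSentryRoleDeleteGroupsRequest role name, groups to remove, requestor name and
     *     client protocol version
     * @return response whose status is OK, NoSuchObject, AccessDenied, THRIFT_VERSION_MISMATCH or
     *     RuntimeError
     * @throws TException declared by the Thrift interface
     */
    @Override // org.apache.sentry.provider.db.service.thrift.SentryPolicyService.Iface
    public TAlterSentryRoleDeleteGroupsResponse alter_sentry_role_delete_groups(TAlterSentryRoleDeleteGroupsRequest tAlterSentryRoleDeleteGroupsRequest) throws TException {
        Timer.Context time = this.sentryMetrics.revokeRoleTimer.time();
        TAlterSentryRoleDeleteGroupsResponse response = new TAlterSentryRoleDeleteGroupsResponse();
        try {
            validateClientVersion(tAlterSentryRoleDeleteGroupsRequest.getProtocol_version());
            String requestor = tAlterSentryRoleDeleteGroupsRequest.getRequestorUserName();
            authorize(requestor, getRequestorGroups(requestor));
            // At most one plugin is supported; its update, if any, is passed to the store
            // alongside the change.
            Preconditions.checkState(this.sentryPlugins.size() <= 1);
            Updateable.Update update = null;
            for (SentryPolicyStorePlugin plugin : this.sentryPlugins) {
                update = plugin.onAlterSentryRoleDeleteGroups(tAlterSentryRoleDeleteGroupsRequest);
            }
            if (update != null) {
                this.sentryStore.alterSentryRoleDeleteGroups(tAlterSentryRoleDeleteGroupsRequest.getRoleName(), tAlterSentryRoleDeleteGroupsRequest.getGroups(), update);
            } else {
                this.sentryStore.alterSentryRoleDeleteGroups(tAlterSentryRoleDeleteGroupsRequest.getRoleName(), tAlterSentryRoleDeleteGroupsRequest.getGroups());
            }
            response.setStatus(Status.OK());
            this.notificationHandlerInvoker.alter_sentry_role_delete_groups(tAlterSentryRoleDeleteGroupsRequest, response);
        } catch (SentryNoSuchObjectException e) {
            String msg = "Role: " + tAlterSentryRoleDeleteGroupsRequest + " does not exist.";
            LOGGER.error(msg, e);
            response.setStatus(Status.NoSuchObject(msg, e));
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            // The generic handler comes last so the specific statuses above stay reachable.
            String msg = "Unknown error deleting groups from role: " + tAlterSentryRoleDeleteGroupsRequest;
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        } finally {
            // Stop the timer exactly once on every path.
            time.stop();
        }
        try {
            AUDIT_LOGGER.info(JsonLogEntityFactory.getInstance().createJsonLogEntity(tAlterSentryRoleDeleteGroupsRequest, response, this.conf).toJsonFormatLog());
        } catch (Exception e) {
            // A failure to build the audit record must not change the response already computed.
            LOGGER.error("Error creating audit log for delete role from group: " + e.getMessage(), e);
        }
        return response;
    }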

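    /**
     * Lists the roles attached to a group.
     *
     * <p>A group name of {@code "*"} (case-insensitive) lists roles for the requestor's own
     * groups without an admin check. Any other group name, including {@code null}, requires the
     * requestor either to be in an admin group or to belong to the named group.
     *
     * @param tListSentryRolesRequest group name, requestor name and client protocol version
     * @return response carrying the roles and status OK, or an empty/unset role set with status
     *     NoSuchObject, AccessDenied, THRIFT_VERSION_MISMATCH or RuntimeError
     * @throws TException declared by the Thrift interface
     */
    @Override // org.apache.sentry.provider.db.service.thrift.SentryPolicyService.Iface
    public TListSentryRolesResponse list_sentry_roles_by_group(TListSentryRolesRequest tListSentryRolesRequest) throws TException {
        Timer.Context time = this.sentryMetrics.listRolesByGroupTimer.time();
        TListSentryRolesResponse response = new TListSentryRolesResponse();
        HashSet noRoles = new HashSet();
        String requestorUserName = tListSentryRolesRequest.getRequestorUserName();
        try {
            validateClientVersion(tListSentryRolesRequest.getProtocol_version());
            Set<String> requestorGroups = getRequestorGroups(requestorUserName);
            String groupName = tListSentryRolesRequest.getGroupName();
            boolean wildcard = "*".equalsIgnoreCase(groupName);
            Set<String> lookupGroups;
            if (wildcard) {
                lookupGroups = requestorGroups;
            } else {
                if (!inAdminGroups(requestorGroups) && (groupName == null || !requestorGroups.contains(groupName))) {
                    throw new SentryAccessDeniedException("Access denied to " + requestorUserName);
                }
                // Use a fresh set instead of clearing the one returned by the group mapping
                // service, which may be shared or unmodifiable.
                lookupGroups = new HashSet<String>();
                lookupGroups.add(groupName);
            }
            response.setRoles(this.sentryStore.getTSentryRolesByGroupName(lookupGroups, wildcard));
            response.setStatus(Status.OK());
        } catch (SentryNoSuchObjectException e) {
            response.setRoles(noRoles);
            String msg = "Request: " + tListSentryRolesRequest + " couldn't be completed, message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setStatus(Status.NoSuchObject(msg, e));
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            // The generic handler comes last so that a denial is reported as AccessDenied and
            // not folded into RuntimeError.
            String msg = "Unknown error for request: " + tListSentryRolesRequest + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        } finally {
            // Stop the timer exactly once on every path.
            time.stop();
        }
        return response;
    }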

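    /**
     * Lists the roles granted to a user.
     *
     * <p>Only members of an admin group may list another user's roles; any other requestor may
     * list only their own. All checks run inside the guarded block, so a protocol mismatch or a
     * denial ends the request with the matching status instead of continuing to the store.
     *
     * @param tListSentryRolesForUserRequest user name to look up, requestor name and client
     *     protocol version
     * @return response carrying the roles and status OK, or status NoSuchObject, AccessDenied,
     *     THRIFT_VERSION_MISMATCH or RuntimeError
     * @throws TException declared by the Thrift interface
     */
    @Override // org.apache.sentry.provider.db.service.thrift.SentryPolicyService.Iface
    public TListSentryRolesResponse list_sentry_roles_by_user(TListSentryRolesForUserRequest tListSentryRolesForUserRequest) throws TException {
        // NOTE(review): timed with listRolesByGroupTimer although this is the by-user listing —
        // confirm whether a dedicated timer was intended.
        Timer.Context time = this.sentryMetrics.listRolesByGroupTimer.time();
        TListSentryRolesResponse response = new TListSentryRolesResponse();
        HashSet noRoles = new HashSet();
        String requestorUserName = tListSentryRolesForUserRequest.getRequestorUserName();
        String userName = tListSentryRolesForUserRequest.getUserName();
        try {
            validateClientVersion(tListSentryRolesForUserRequest.getProtocol_version());
            if (StringUtils.isEmpty(userName)) {
                throw new SentryAccessDeniedException("The user name can't be empty.");
            }
            Set<String> requestorGroups = getRequestorGroups(requestorUserName);
            // Result unused: the lookup is kept for its failure mode — presumably it throws
            // SentryGroupNotFoundException when the target user has no group mapping.
            getRequestorGroups(userName);
            if (!inAdminGroups(requestorGroups) && !userName.equals(requestorUserName)) {
                throw new SentryAccessDeniedException("Access denied to list the roles for " + userName);
            }
            response.setRoles(this.sentryStore.getTSentryRolesByUserNames(Sets.newHashSet(new String[]{userName})));
            response.setStatus(Status.OK());
        } catch (SentryNoSuchObjectException e) {
            response.setRoles(noRoles);
            String msg = "Role: " + tListSentryRolesForUserRequest + " couldn't be retrieved.";
            LOGGER.error(msg, e);
            response.setStatus(Status.NoSuchObject(msg, e));
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryGroupNotFoundException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied("Group couldn't be retrieved for " + requestorUserName + " or " + userName + ".", e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            // The generic handler comes last so the specific statuses above stay reachable.
            String msg = "Unknown error for request: " + tListSentryRolesForUserRequest + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        } finally {
            // Stop the timer exactly once on every path.
            time.stop();
        }
        return response;
    }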

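    /**
     * Lists the privileges granted to a role.
     *
     * <p>A requestor outside the admin groups may only query a role that is attached to one of
     * their own groups; role names are compared after trimming and lower-casing. All checks run
     * inside the guarded block, so a protocol mismatch or a denial ends the request with the
     * matching status instead of continuing to the store.
     *
     * @param tListSentryPrivilegesRequest role name, optional authorizable hierarchy, requestor
     *     name and client protocol version
     * @return response carrying the privileges and status OK, or status NoSuchObject,
     *     AccessDenied, THRIFT_VERSION_MISMATCH or RuntimeError
     * @throws TException declared by the Thrift interface
     */
    @Override // org.apache.sentry.provider.db.service.thrift.SentryPolicyService.Iface
    public TListSentryPrivilegesResponse list_sentry_privileges_by_role(TListSentryPrivilegesRequest tListSentryPrivilegesRequest) throws TException {
        Timer.Context time = this.sentryMetrics.listPrivilegesByRoleTimer.time();
        TListSentryPrivilegesResponse response = new TListSentryPrivilegesResponse();
        String requestorUserName = tListSentryPrivilegesRequest.getRequestorUserName();
        try {
            validateClientVersion(tListSentryPrivilegesRequest.getProtocol_version());
            Set<String> requestorGroups = getRequestorGroups(requestorUserName);
            if (!inAdminGroups(requestorGroups)) {
                // NOTE(review): toLowerCase() uses the default locale here; confirm that
                // toTrimedLower normalizes the stored names the same way.
                String wantedRole = tListSentryPrivilegesRequest.getRoleName().trim().toLowerCase();
                Set<String> ownRoles = toTrimedLower(this.sentryStore.getRoleNamesForGroups(requestorGroups));
                if (!ownRoles.contains(wantedRole)) {
                    throw new SentryAccessDeniedException("Access denied to " + requestorUserName);
                }
            }
            Set<TSentryPrivilege> privileges;
            if (tListSentryPrivilegesRequest.isSetAuthorizableHierarchy()) {
                privileges = this.sentryStore.getTSentryPrivileges(Sets.newHashSet(new String[]{tListSentryPrivilegesRequest.getRoleName()}), tListSentryPrivilegesRequest.getAuthorizableHierarchy());
            } else {
                privileges = this.sentryStore.getAllTSentryPrivilegesByRoleName(tListSentryPrivilegesRequest.getRoleName());
            }
            response.setPrivileges(privileges);
            response.setStatus(Status.OK());
        } catch (SentryNoSuchObjectException e) {
            response.setPrivileges(new HashSet<TSentryPrivilege>());
            String msg = "Privilege: " + tListSentryPrivilegesRequest + " couldn't be retrieved.";
            LOGGER.error(msg, e);
            response.setStatus(Status.NoSuchObject(msg, e));
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            // The generic handler comes last so the specific statuses above stay reachable.
            String msg = "Unknown error for request: " + tListSentryPrivilegesRequest + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        } finally {
            // Stop the timer exactly once on every path.
            time.stop();
        }
        return response;
    }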

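    /**
     * Returns the privilege strings that apply to the given groups, users and active role set,
     * optionally restricted to an authorizable hierarchy.
     *
     * <p>NOTE(review): no requestor authorization is performed here; the groups and users are
     * taken from the request as supplied. Presumably access to this call is restricted
     * elsewhere (for example at the transport layer) — confirm.
     *
     * @param tListSentryPrivilegesForProviderRequest groups, users, role set, optional
     *     authorizable hierarchy and client protocol version
     * @return response carrying the privilege strings and status OK, or an empty set with status
     *     THRIFT_VERSION_MISMATCH or RuntimeError
     * @throws TException declared by the Thrift interface
     */
    @Override // org.apache.sentry.provider.db.service.thrift.SentryPolicyService.Iface
    public TListSentryPrivilegesForProviderResponse list_sentry_privileges_for_provider(TListSentryPrivilegesForProviderRequest tListSentryPrivilegesForProviderRequest) throws TException {
        Timer.Context time = this.sentryMetrics.listPrivilegesForProviderTimer.time();
        TListSentryPrivilegesForProviderResponse response = new TListSentryPrivilegesForProviderResponse();
        // Default to an empty set so that error responses never carry a null privilege set.
        response.setPrivileges(new HashSet<String>());
        try {
            validateClientVersion(tListSentryPrivilegesForProviderRequest.getProtocol_version());
            Set<String> privileges = this.sentryStore.listSentryPrivilegesForProvider(tListSentryPrivilegesForProviderRequest.getGroups(), tListSentryPrivilegesForProviderRequest.getUsers(), tListSentryPrivilegesForProviderRequest.getRoleSet(), tListSentryPrivilegesForProviderRequest.getAuthorizableHierarchy());
            response.setPrivileges(privileges);
            // NOTE(review): a null result from the store takes this branch without the
            // hasAnyServerPrivileges check, so "server=+" is returned — confirm this is intended.
            boolean noDirectPrivileges = privileges == null
                    || (privileges.size() == 0
                        && tListSentryPrivilegesForProviderRequest.getAuthorizableHierarchy() != null
                        && this.sentryStore.hasAnyServerPrivileges(tListSentryPrivilegesForProviderRequest.getGroups(), tListSentryPrivilegesForProviderRequest.getUsers(), tListSentryPrivilegesForProviderRequest.getRoleSet(), tListSentryPrivilegesForProviderRequest.getAuthorizableHierarchy().getServer()));
            if (noDirectPrivileges) {
                response.setPrivileges(Sets.newHashSet(new String[]{"server=+"}));
            }
            response.setStatus(Status.OK());
        } catch (SentryThriftAPIMismatchException e) {
            // Handled before the generic case so a version mismatch keeps its own status.
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            String msg = "Unknown error for request: " + tListSentryPrivilegesForProviderRequest + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        } finally {
            // Stop the timer exactly once on every path.
            time.stop();
        }
        return response;
    }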

    /**
     * Resolves the groups of the given user with this processor's configuration.
     *
     * @param str user name to resolve
     * @return the groups returned by {@link #getGroupsFromUserName(Configuration, String)}
     * @throws SentryUserException if the group mapping cannot be instantiated or the lookup fails
     */
    private Set<String> getRequestorGroups(String str) throws SentryUserException {
        Configuration processorConf = this.conf;
        return getGroupsFromUserName(processorConf, str);
    }

    /**
     * Resolves a user's groups through the group mapping implementation named in configuration.
     *
     * <p>The implementation class name is read from
     * {@code ServiceConstants.ServerConfig.SENTRY_STORE_GROUP_MAPPING} (with a Hadoop-based
     * default), loaded reflectively and constructed through its
     * {@code (Configuration, String)} constructor, with constructor visibility overridden by
     * {@code setAccessible(true)}.
     *
     * <p>NOTE(review): the cast to {@code GroupMappingService} happens only after the constructor
     * has run, so whoever can write this configuration decides which class is instantiated in
     * the server process; keep the configuration writable by trusted administrators only. A new
     * mapping instance is also created on every call.
     *
     * @param configuration source of the mapping class name and mapping resource
     * @param str user name to resolve
     * @return the groups reported by the mapping service for {@code str}
     * @throws SentryUserException if the mapping class cannot be loaded or instantiated, or if
     *     the lookup raises one of the wrapped exception types
     */
    public static Set<String> getGroupsFromUserName(Configuration configuration, String str) throws SentryUserException {
        String mappingClassName = configuration.get(ServiceConstants.ServerConfig.SENTRY_STORE_GROUP_MAPPING, "org.apache.sentry.provider.common.HadoopGroupMappingService");
        String mappingResource = configuration.get(ServiceConstants.ServerConfig.SENTRY_STORE_GROUP_MAPPING_RESOURCE);
        try {
            Class<?> mappingClass = Class.forName(mappingClassName);
            Constructor<?> ctor = mappingClass.getDeclaredConstructor(Configuration.class, String.class);
            ctor.setAccessible(true);
            GroupMappingService mapping = (GroupMappingService) ctor.newInstance(configuration, mappingResource);
            // The lookup stays inside the try so that an IllegalArgumentException or
            // SecurityException it raises is wrapped like an instantiation failure.
            return mapping.getGroups(str);
        } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | InstantiationException | NoSuchMethodException | SecurityException | InvocationTargetException e) {
            throw new SentryUserException("Unable to instantiate group mapping", e);
        }
    }

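    /**
     * Drops the privileges attached to an authorizable object.
     *
     * <p>Failures are reported through the response status instead of being thrown.
     *
     * @param tDropPrivilegesRequest authorizable to drop privileges for, requestor name and
     *     client protocol version
     * @return response whose status is OK, AccessDenied, THRIFT_VERSION_MISMATCH or RuntimeError
     * @throws TException declared by the Thrift interface
     */
    @Override // org.apache.sentry.provider.db.service.thrift.SentryPolicyService.Iface
    public TDropPrivilegesResponse drop_sentry_privilege(TDropPrivilegesRequest tDropPrivilegesRequest) throws TException {
        Timer.Context time = this.sentryMetrics.dropPrivilegeTimer.time();
        TDropPrivilegesResponse response = new TDropPrivilegesResponse();
        try {
            validateClientVersion(tDropPrivilegesRequest.getProtocol_version());
            // NOTE(review): authorize() receives this.adminGroups here, not the requestor's own
            // groups as in alter_sentry_role_delete_users. If authorize() only tests its second
            // argument for admin membership, this check passes for every requestor — verify
            // that callers of this method are restricted by other means.
            authorize(tDropPrivilegesRequest.getRequestorUserName(), this.adminGroups);
            // At most one plugin is supported; its update, if any, is passed to the store
            // alongside the change.
            Preconditions.checkState(this.sentryPlugins.size() <= 1);
            Updateable.Update update = null;
            for (SentryPolicyStorePlugin plugin : this.sentryPlugins) {
                update = plugin.onDropSentryPrivilege(tDropPrivilegesRequest);
            }
            if (update != null) {
                this.sentryStore.dropPrivilege(tDropPrivilegesRequest.getAuthorizable(), update);
            } else {
                this.sentryStore.dropPrivilege(tDropPrivilegesRequest.getAuthorizable());
            }
            response.setStatus(Status.OK());
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (Exception e) {
            // The generic handler comes last so the specific statuses above stay reachable.
            String msg = "Unknown error for request: " + tDropPrivilegesRequest + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        } finally {
            // Stop the timer exactly once on every path.
            time.stop();
        }
        return response;
    }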

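    /**
     * Moves the privileges of one authorizable object to another.
     *
     * <p>Failures are reported through the response status instead of being thrown.
     *
     * @param tRenamePrivilegesRequest old and new authorizable, requestor name and client
     *     protocol version
     * @return response whose status is OK, InvalidInput, AccessDenied, THRIFT_VERSION_MISMATCH
     *     or RuntimeError
     * @throws TException declared by the Thrift interface
     */
    @Override // org.apache.sentry.provider.db.service.thrift.SentryPolicyService.Iface
    public TRenamePrivilegesResponse rename_sentry_privilege(TRenamePrivilegesRequest tRenamePrivilegesRequest) throws TException {
        Timer.Context time = this.sentryMetrics.renamePrivilegeTimer.time();
        TRenamePrivilegesResponse response = new TRenamePrivilegesResponse();
        try {
            validateClientVersion(tRenamePrivilegesRequest.getProtocol_version());
            // NOTE(review): authorize() receives this.adminGroups here, not the requestor's own
            // groups as in alter_sentry_role_delete_users. If authorize() only tests its second
            // argument for admin membership, this check passes for every requestor — verify
            // that callers of this method are restricted by other means.
            authorize(tRenamePrivilegesRequest.getRequestorUserName(), this.adminGroups);
            // At most one plugin is supported; its update, if any, is passed to the store
            // alongside the change.
            Preconditions.checkState(this.sentryPlugins.size() <= 1);
            Updateable.Update update = null;
            for (SentryPolicyStorePlugin plugin : this.sentryPlugins) {
                update = plugin.onRenameSentryPrivilege(tRenamePrivilegesRequest);
            }
            if (update != null) {
                this.sentryStore.renamePrivilege(tRenamePrivilegesRequest.getOldAuthorizable(), tRenamePrivilegesRequest.getNewAuthorizable(), update);
            } else {
                this.sentryStore.renamePrivilege(tRenamePrivilegesRequest.getOldAuthorizable(), tRenamePrivilegesRequest.getNewAuthorizable());
            }
            response.setStatus(Status.OK());
        } catch (SentryInvalidInputException e) {
            // Reported to the client only; this case is not written to the server log.
            response.setStatus(Status.InvalidInput(e.getMessage(), e));
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (Exception e) {
            // The generic handler comes last so the specific statuses above stay reachable.
            String msg = "Unknown error for request: " + tRenamePrivilegesRequest + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        } finally {
            // Close the timer context exactly once on every path.
            time.close();
        }
        return response;
    }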

    /**
     * Lists, for each requested authorizable, the privileges visible through the given groups
     * and active role set.
     *
     * <p>A requestor outside the admin groups is restricted to their own groups (which are
     * also used when the request names none) and, unless the role set is marked "all", to roles
     * attached to those groups. Members of an admin group are not restricted.
     *
     * @param tListSentryPrivilegesByAuthRequest authorizables, optional groups and role set,
     *     requestor name and client protocol version
     * @return response carrying the per-authorizable privilege map and status OK, or status
     *     AccessDenied, THRIFT_VERSION_MISMATCH or RuntimeError
     * @throws TException declared by the Thrift interface
     */
    @Override // org.apache.sentry.provider.db.service.thrift.SentryPolicyService.Iface
    public TListSentryPrivilegesByAuthResponse list_sentry_privileges_by_authorizable(TListSentryPrivilegesByAuthRequest tListSentryPrivilegesByAuthRequest) throws TException {
        Timer.Context time = this.sentryMetrics.listPrivilegesByAuthorizableTimer.time();
        TListSentryPrivilegesByAuthResponse response = new TListSentryPrivilegesByAuthResponse();
        HashMap privilegesByAuth = Maps.newHashMap();
        String requestorUserName = tListSentryPrivilegesByAuthRequest.getRequestorUserName();
        Set<String> groups = tListSentryPrivilegesByAuthRequest.getGroups();
        TSentryActiveRoleSet roleSet = tListSentryPrivilegesByAuthRequest.getRoleSet();
        try {
            validateClientVersion(tListSentryPrivilegesByAuthRequest.getProtocol_version());
            Set<String> requestorGroups = getRequestorGroups(requestorUserName);
            if (!inAdminGroups(requestorGroups)) {
                if (groups == null || groups.isEmpty()) {
                    // No groups named: fall back to the requestor's own groups.
                    groups = requestorGroups;
                } else {
                    // Every named group must be one the requestor belongs to.
                    for (String requestedGroup : groups) {
                        if (!requestorGroups.contains(requestedGroup)) {
                            throw new SentryAccessDeniedException("Access denied to " + requestorUserName);
                        }
                    }
                }
                if (roleSet != null && !roleSet.isAll()) {
                    // Every named role must be attached to one of the requestor's groups.
                    Set<String> ownRoles = toTrimedLower(this.sentryStore.getRoleNamesForGroups(requestorGroups));
                    for (String requestedRole : toTrimedLower(roleSet.getRoles())) {
                        if (!ownRoles.contains(requestedRole)) {
                            throw new SentryAccessDeniedException("Access denied to " + requestorUserName);
                        }
                    }
                }
            }
            for (TSentryAuthorizable authorizable : tListSentryPrivilegesByAuthRequest.getAuthorizableSet()) {
                privilegesByAuth.put(authorizable, this.sentryStore.listSentryPrivilegesByAuthorizable(groups, tListSentryPrivilegesByAuthRequest.getRoleSet(), authorizable, inAdminGroups(requestorGroups)));
            }
            response.setPrivilegesMapByAuth(privilegesByAuth);
            response.setStatus(Status.OK());
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
        } catch (SentryAccessDeniedException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (Exception e) {
            String msg = "Unknown error for request: " + tListSentryPrivilegesByAuthRequest + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setStatus(Status.RuntimeError(msg, e));
        } finally {
            time.stop();
        }
        return response;
    }

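    /**
     * Returns the value of a server configuration property to a client.
     *
     * <p>Only property names starting with {@code sentry.} are readable, and names containing
     * {@code keytab}, {@code .jdbc.} or {@code password} are refused. A protocol version
     * mismatch ends the request with THRIFT_VERSION_MISMATCH before any property is read, and a
     * missing property name is refused instead of raising a NullPointerException.
     *
     * <p>NOTE(review): no requestor authorization is performed here, and the exclusion is a
     * case-sensitive substring deny-list. Any {@code sentry.*} property that holds sensitive
     * material under a name the list does not match would be readable; an explicit allow-list
     * of readable properties would be the safer design.
     *
     * @param tSentryConfigValueRequest property name, default value and client protocol version
     * @return response carrying the value and status OK, or status AccessDenied or
     *     THRIFT_VERSION_MISMATCH
     * @throws TException declared by the Thrift interface
     */
    @Override // org.apache.sentry.provider.db.service.thrift.SentryPolicyService.Iface
    public TSentryConfigValueResponse get_sentry_config_value(TSentryConfigValueRequest tSentryConfigValueRequest) throws TException {
        TSentryConfigValueResponse response = new TSentryConfigValueResponse();
        String propertyName = tSentryConfigValueRequest.getPropertyName();
        try {
            validateClientVersion(tSentryConfigValueRequest.getProtocol_version());
        } catch (SentryThriftAPIMismatchException e) {
            LOGGER.error(e.getMessage(), e);
            response.setStatus(Status.THRIFT_VERSION_MISMATCH(e.getMessage(), e));
            // Stop here: continuing would overwrite the mismatch status with OK or AccessDenied.
            return response;
        }
        boolean readable = propertyName != null
                && Pattern.matches("^sentry\\..*", propertyName)
                && !Pattern.matches(".*keytab.*|.*\\.jdbc\\..*|.*password.*", propertyName);
        if (!readable) {
            // NOTE(review): the client-supplied name is written to the log as received; if the
            // log layout does not escape control characters, consider sanitizing it first.
            String msg = "Attempted access of the configuration property " + propertyName + " was denied";
            LOGGER.error(msg);
            response.setStatus(Status.AccessDenied(msg, new SentryAccessDeniedException(msg)));
            return response;
        }
        response.setValue(this.conf.get(propertyName, tSentryConfigValueRequest.getDefaultValue()));
        response.setStatus(Status.OK());
        return response;
    }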

    /**
     * Checks that the client speaks the Thrift protocol version this server accepts, which the
     * code fixes at 2.
     *
     * @param i protocol version sent by the client
     * @throws SentryThriftAPIMismatchException if {@code i} is anything other than 2
     */
    @VisibleForTesting
    static void validateClientVersion(int i) throws SentryThriftAPIMismatchException {
        if (i == 2) {
            return;
        }
        throw new SentryThriftAPIMismatchException("Sentry thrift API protocol version mismatch: Client thrift version is: " + i + " , server thrift verion is 2");
    }

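    /**
     * Exports role-to-privilege, group-to-role and user-to-role mappings, optionally limited to
     * the database and table named by the request's object path.
     *
     * <p>Only members of an admin group may export. The admin check and the export both run
     * inside the guarded block, so a failed group lookup or a denial ends the request with an
     * error status and empty mapping data instead of continuing to the store.
     *
     * <p>NOTE(review): unlike the other handlers in this class, this one does not call
     * validateClientVersion — confirm that is intended.
     *
     * @param tSentryExportMappingDataRequest object path and requestor name
     * @return response carrying the mapping data and status OK, or empty mapping data with
     *     status AccessDenied or RuntimeError
     * @throws TException declared by the Thrift interface
     */
    @Override // org.apache.sentry.provider.db.service.thrift.SentryPolicyService.Iface
    public TSentryExportMappingDataResponse export_sentry_mapping_data(TSentryExportMappingDataRequest tSentryExportMappingDataRequest) throws TException {
        TSentryExportMappingDataResponse response = new TSentryExportMappingDataResponse();
        try {
            String requestorUserName = tSentryExportMappingDataRequest.getRequestorUserName();
            Set<String> requestorGroups = getRequestorGroups(requestorUserName);
            // Authorize before the request's object path is parsed or the store is read.
            if (!inAdminGroups(requestorGroups)) {
                throw new SentryAccessDeniedException("Access denied to " + requestorUserName + " for export the metadata of sentry.");
            }
            Map<String, String> objectPath = SentryServiceUtil.parseObjectPath(tSentryExportMappingDataRequest.getObjectPath());
            String db = objectPath.get("db");
            String table = objectPath.get("table");
            TSentryMappingData mappingData = new TSentryMappingData();
            Map<String, Set<TSentryPrivilege>> rolePrivileges = this.sentryStore.getRoleNameTPrivilegesMap(db, table);
            mappingData.setRolePrivilegesMap(rolePrivileges);
            Set<String> roleNames = rolePrivileges.keySet();
            if (db == null && table == null) {
                // No object filter: pass null instead of the role names (presumably the store
                // treats null as "all roles" — verify against SentryStore).
                roleNames = null;
            }
            // Index 0 is used as the group-to-roles map and index 1 as the user-to-roles map.
            List<Map<String, Set<String>>> groupUserRoleMaps = this.sentryStore.getGroupUserRoleMapList(roleNames);
            mappingData.setGroupRolesMap(groupUserRoleMaps.get(0));
            mappingData.setUserRolesMap(groupUserRoleMaps.get(1));
            response.setMappingData(mappingData);
            response.setStatus(Status.OK());
        } catch (SentryAccessDeniedException e) {
            // Reported as AccessDenied, matching the other handlers in this class.
            LOGGER.error(e.getMessage(), e);
            response.setMappingData(new TSentryMappingData());
            response.setStatus(Status.AccessDenied(e.getMessage(), e));
        } catch (Exception e) {
            String msg = "Unknown error for request: " + tSentryExportMappingDataRequest + ", message: " + e.getMessage();
            LOGGER.error(msg, e);
            response.setMappingData(new TSentryMappingData());
            response.setStatus(Status.RuntimeError(msg, e));
        }
        return response;
    }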

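    /**
     * Imports mapping data into the store on behalf of an admin requestor.
     *
     * <p>The requestor's groups are checked with {@code inAdminGroups} before the request's mapping
     * data and overwrite-role flag are handed to the store.
     *
     * <p>If reading the requestor from the request fails, the response gets an error status and is
     * returned at once, so the admin check and the import never run with an unresolved requestor
     * (fail closed).
     *
     * @param tSentryImportMappingDataRequest request carrying the requestor, mapping data and overwrite flag
     * @return the response with an OK status after a successful import, or with an error status
     * @throws TException declared by the Thrift service interface
     */
    @Override // org.apache.sentry.provider.db.service.thrift.SentryPolicyService.Iface
    public TSentryImportMappingDataResponse import_sentry_mapping_data(TSentryImportMappingDataRequest tSentryImportMappingDataRequest) throws TException {
        String requestorUserName;
        TSentryImportMappingDataResponse tSentryImportMappingDataResponse = new TSentryImportMappingDataResponse();
        try {
            requestorUserName = tSentryImportMappingDataRequest.getRequestorUserName();
        } catch (SentryInvalidInputException e) {
            LOGGER.error("Invalid input privilege object", e);
            tSentryImportMappingDataResponse.setStatus(Status.InvalidInput("Invalid input privilege object", e));
            // Stop here: continuing would run the import and replace this status with OK.
            return tSentryImportMappingDataResponse;
        } catch (Exception e2) {
            String errorMessage = "Unknown error for request: " + tSentryImportMappingDataRequest + ", message: " + e2.getMessage();
            LOGGER.error(errorMessage, e2);
            tSentryImportMappingDataResponse.setStatus(Status.RuntimeError(errorMessage, e2));
            // Stop here for the same reason as above.
            return tSentryImportMappingDataResponse;
        }
        // Only members of an admin group may import mapping data.
        // NOTE(review): the group lookup, this denial and the store call sit outside the try above,
        // so their failures are not mapped to a response status here; confirm against the original
        // (non-decompiled) source.
        if (!inAdminGroups(getRequestorGroups(requestorUserName))) {
            throw new SentryAccessDeniedException("Access denied to " + requestorUserName + " for import the metadata of sentry.");
        }
        this.sentryStore.importSentryMetaData(tSentryImportMappingDataRequest.getMappingData(), tSentryImportMappingDataRequest.isOverwriteRole());
        tSentryImportMappingDataResponse.setStatus(Status.OK());
        return tSentryImportMappingDataResponse;
    }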

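    /**
     * Waits until the store's counter reaches the id given in the request and reports the result.
     *
     * <p>The wait is timed with {@code hmsWaitTimer}; the timer context is closed on every exit
     * path. On success the response carries the value returned by {@code waitFor} and an OK
     * status. On interruption or timeout the response id is set to 0 and the status to a runtime
     * error; after an interruption the thread's interrupt flag is set again.
     *
     * @param tSentrySyncIDRequest request carrying the id to wait for
     * @return the response with the reached id and OK status, or id 0 and an error status
     * @throws TException declared by the Thrift service interface
     */
    @Override // org.apache.sentry.provider.db.service.thrift.SentryPolicyService.Iface
    public TSentrySyncIDResponse sentry_sync_notifications(TSentrySyncIDRequest tSentrySyncIDRequest) throws TException {
        TSentrySyncIDResponse tSentrySyncIDResponse = new TSentrySyncIDResponse();
        // try-with-resources replaces the hand-expanded close logic, which contained an
        // unreachable `0 != 0` branch and calls on a Throwable variable that was always null.
        try (Timer.Context ignored = this.hmsWaitTimer.time()) {
            tSentrySyncIDResponse.setId(this.sentryStore.getCounterWait().waitFor(tSentrySyncIDRequest.getId()));
            tSentrySyncIDResponse.setStatus(Status.OK());
        } catch (InterruptedException e) {
            String message = String.format("wait request for id %d is interrupted", Long.valueOf(tSentrySyncIDRequest.getId()));
            LOGGER.error(message, e);
            tSentrySyncIDResponse.setId(0L);
            tSentrySyncIDResponse.setStatus(Status.RuntimeError(message, e));
            // Restore the interrupt flag so code further up the stack can see the interruption.
            Thread.currentThread().interrupt();
        } catch (TimeoutException e2) {
            String message = String.format("timed out wait request for id %d", Long.valueOf(tSentrySyncIDRequest.getId()));
            LOGGER.warn(message, e2);
            tSentrySyncIDResponse.setId(0L);
            tSentrySyncIDResponse.setStatus(Status.RuntimeError(message, e2));
        }
        return tSentrySyncIDResponse;
    }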
}
