package org.apache.sentry.provider.db.service.persistent;

import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import com.google.common.util.concurrent.ThreadFactoryBuilder;
import java.io.IOException;
import java.util.Iterator;
import java.util.List;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.sentry.provider.db.log.util.Constants;
import org.apache.sentry.service.thrift.JaasConfiguration;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.data.Stat;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sentry.org.apache.curator.framework.CuratorFramework;
import sentry.org.apache.curator.framework.CuratorFrameworkFactory;
import sentry.org.apache.curator.framework.api.ACLProvider;
import sentry.org.apache.curator.framework.imps.CuratorFrameworkState;
import sentry.org.apache.curator.framework.imps.DefaultACLProvider;
import sentry.org.apache.curator.framework.recipes.leader.LeaderSelector;
import sentry.org.apache.curator.framework.recipes.leader.LeaderSelectorListener;
import sentry.org.apache.curator.retry.ExponentialBackoffRetry;
import sentry.org.apache.curator.utils.ZKPaths;

/* loaded from: input_file:org/apache/sentry/provider/db/service/persistent/HAContext.class */
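/**
 * Process-wide holder for the Curator/ZooKeeper client used by Sentry HA.
 *
 * <p>One instance is created lazily by {@link #getHAContext(Configuration)} and cached in a
 * static field. When {@code sentry.ha.zookeeper.security} is enabled, the client authenticates
 * with SASL and every znode it creates is given the {@code sasl} ACL list built in the
 * constructor. Otherwise Curator's {@link DefaultACLProvider} is used.
 *
 * <p>Security notes:
 * <ul>
 *   <li>Secure mode mutates JVM-global state: the {@code zookeeper.sasl.clientconfig} system
 *       property and the process-wide JAAS {@code Configuration}.</li>
 *   <li>Every principal listed in {@code sentry.service.allow.connect} is granted <em>all</em>
 *       ZooKeeper permissions (including ADMIN) on Sentry's znodes, so that list should be
 *       kept as small as possible.</li>
 * </ul>
 */
public final class HAContext implements AutoCloseable {
    private static final Logger LOGGER = LoggerFactory.getLogger(HAContext.class);
    private static final String SENTRY_ZK_JAAS_NAME = "SentryClient";
    private static final String SHUTDOWN_THREAD_NAME = "ha-context-shutdown";
    private static final String SASL_SCHEME = "sasl";
    // READ | WRITE | CREATE | DELETE | ADMIN, i.e. the value of ZooDefs.Perms.ALL.
    private static final int ALL_PERMS = 31;

    // Guarded by the class lock (static synchronized methods).
    private static HAContext serverHAContext = null;
    // Guarded by the class lock; ensures a single shutdown hook however often the context is reset.
    private static boolean shutdownHookRegistered = false;
    // Written from resetHAContext() and from the unsynchronized ACL check, hence volatile.
    private static volatile boolean aclUnChecked = true;

    private final String zookeeperQuorum;
    private final String namespace;
    private final boolean zkSecure;
    // ACLs applied to every znode in secure mode; null when security is disabled.
    private final List<ACL> saslACL;
    private final CuratorFramework curatorFramework;

    /** ACL provider that hands Curator the enclosing context's SASL ACL list for every path. */
    private class SASLOwnerACLProvider implements ACLProvider {
        private SASLOwnerACLProvider() {
        }

        @Override
        public List<ACL> getDefaultAcl() {
            return HAContext.this.saslACL;
        }

        @Override
        public List<ACL> getAclForPath(String path) {
            return HAContext.this.saslACL;
        }
    }

    /**
     * Reads the HA settings from {@code configuration} and builds (but does not start) the
     * Curator client.
     *
     * @param configuration source of the {@code sentry.ha.zookeeper.*} and principal settings
     * @throws IOException declared by the JAAS setup performed in secure mode
     * @throws IllegalArgumentException if a principal or keytab required in secure mode is
     *     missing or empty
     */
    private HAContext(Configuration configuration) throws IOException {
        ACLProvider aclProvider;
        this.zookeeperQuorum = configuration.get("sentry.ha.zookeeper.quorum", "");
        int maxRetries = configuration.getInt("sentry.ha.zookeeper.session.retries.max.count", 3);
        int baseSleepMs =
                configuration.getInt("sentry.ha.zookeeper.session.sleep.between.retries.ms", 100);
        String rawNamespace = configuration.get("sentry.ha.zookeeper.namespace", "sentry");
        // Curator namespaces must not start with the path separator.
        this.namespace = rawNamespace.startsWith(ZKPaths.PATH_SEPARATOR)
                ? rawNamespace.substring(1)
                : rawNamespace;
        this.zkSecure = configuration.getBoolean("sentry.ha.zookeeper.security", false);
        validateConf();
        if (this.zkSecure) {
            LOGGER.info("Connecting to ZooKeeper with SASL/Kerberos and using 'sasl' ACLs");
            setJaasConfiguration(configuration);
            // JVM-global: tells the ZooKeeper client which JAAS section to log in with.
            System.setProperty("zookeeper.sasl.clientconfig", SENTRY_ZK_JAAS_NAME);
            this.saslACL = Lists.newArrayList();
            this.saslACL.add(new ACL(ALL_PERMS, new Id(SASL_SCHEME,
                    getServicePrincipal(configuration, "sentry.service.server.principal"))));
            this.saslACL.add(new ACL(ALL_PERMS, new Id(SASL_SCHEME,
                    getServicePrincipal(configuration, "sentry.zookeeper.client.principal"))));
            aclProvider = new SASLOwnerACLProvider();
            String allowedUsers = configuration.get("sentry.service.allow.connect");
            if (!Strings.isNullOrEmpty(allowedUsers)) {
                for (String entry : allowedUsers.split(",")) {
                    // Trim each entry and skip blanks: an ACL id with stray whitespace never
                    // matches a real principal, and an empty id is meaningless.
                    String user = entry.trim();
                    if (user.isEmpty()) {
                        continue;
                    }
                    // Each listed user receives full control (ALL_PERMS) over Sentry's znodes.
                    LOGGER.info("Adding acls for {}", user);
                    this.saslACL.add(new ACL(ALL_PERMS, new Id(SASL_SCHEME, user)));
                }
            }
        } else {
            this.saslACL = null;
            LOGGER.info("Connecting to ZooKeeper without authentication");
            // Curator's DefaultACLProvider applies the open (world:anyone) ACL, so any client
            // that can reach the quorum can read and modify Sentry's HA state in this mode.
            aclProvider = new DefaultACLProvider();
        }
        this.curatorFramework = CuratorFrameworkFactory.builder()
                .namespace(this.namespace)
                .connectString(this.zookeeperQuorum)
                .retryPolicy(new ExponentialBackoffRetry(baseSleepMs, maxRetries))
                .aclProvider(aclProvider)
                .build();
    }

    /** Starts the Curator client unless it is already in the STARTED state. */
    private void start() {
        if (this.curatorFramework.getState() != CuratorFrameworkState.STARTED) {
            this.curatorFramework.start();
        }
    }

    /**
     * Returns the cached context, creating and starting it on first use.
     *
     * <p>The context is published only after it has started, so a failed start is retried on
     * the next call instead of leaving a half-initialized instance cached. A single JVM
     * shutdown hook closes whichever context is current at shutdown.
     *
     * @param configuration used only when no context is cached yet
     * @return the process-wide context
     * @throws IOException if the context cannot be constructed
     */
    static synchronized HAContext getHAContext(Configuration configuration) throws IOException {
        if (serverHAContext != null) {
            return serverHAContext;
        }
        HAContext context = new HAContext(configuration);
        context.start();
        serverHAContext = context;
        if (!shutdownHookRegistered) {
            // The hook reads serverHAContext when it runs, so one registration covers every
            // context created later; re-registering after each reset would pile up hooks.
            Runtime.getRuntime().addShutdownHook(new ThreadFactoryBuilder()
                    .setDaemon(false)
                    .setNameFormat(SHUTDOWN_THREAD_NAME)
                    .build()
                    .newThread(new Runnable() {
                        @Override
                        public void run() {
                            HAContext.LOGGER.info("ShutdownHook closing curator framework");
                            try {
                                HAContext current = HAContext.serverHAContext;
                                if (current != null) {
                                    current.close();
                                }
                            } catch (Throwable th) {
                                HAContext.LOGGER.error("Error stopping curator framework", th);
                            }
                        }
                    }));
            shutdownHookRegistered = true;
        }
        return serverHAContext;
    }

    /**
     * Returns the shared context after making sure, in secure mode, that the existing znodes
     * under the namespace carry the SASL ACLs.
     *
     * @param configuration used only when no context is cached yet
     * @return the process-wide context
     * @throws Exception if the context cannot be created or the ACL check fails
     */
    public static HAContext getHAServerContext(Configuration configuration) throws Exception {
        HAContext context = getHAContext(configuration);
        context.checkAndSetACLs();
        return context;
    }

    /**
     * Closes and forgets the cached context.
     *
     * <p>Synchronized on the class like {@link #getHAContext(Configuration)} so a reset cannot
     * interleave with context creation. The ACL-check flag is re-armed because the next context
     * may point at a different quorum or namespace whose znodes have not been checked yet.
     */
    public static synchronized void resetHAContext() {
        HAContext oldContext = serverHAContext;
        if (oldContext != null) {
            try {
                oldContext.close();
            } catch (Exception e) {
                LOGGER.error("Failed to close HACOntext", e);
            }
        }
        serverHAContext = null;
        aclUnChecked = true;
    }

    /**
     * Rejects null quorum or namespace values.
     *
     * <p>NOTE(review): both values are read with non-null defaults, and an empty quorum string
     * still passes this check; confirm whether an empty connect string should be rejected here.
     */
    private void validateConf() {
        Preconditions.checkNotNull(this.zookeeperQuorum, "Zookeeper Quorum should not be null.");
        Preconditions.checkNotNull(this.namespace, "Zookeeper namespace should not be null.");
    }

    /**
     * Returns the short name of the Kerberos principal stored under {@code key}, i.e. the part
     * before the first {@code /} or {@code @}.
     *
     * @param configuration configuration holding the principal
     * @param key property name of the principal
     * @return the non-empty short name, used as the {@code sasl} ACL id
     * @throws NullPointerException if the property is not set
     * @throws IllegalArgumentException if the property is empty or has no short-name component
     */
    private static String getServicePrincipal(Configuration configuration, String key) {
        String principal = Preconditions.checkNotNull(
                configuration.get(key), "Configuration property %s is not set.", key);
        Preconditions.checkArgument(!principal.isEmpty(), "Server principal is empty.");
        String[] parts = principal.split("[/@]");
        // A value such as "@" or "/host@REALM" has no usable short name; fail early instead of
        // throwing ArrayIndexOutOfBoundsException or creating an ACL with an empty id.
        Preconditions.checkArgument(parts.length > 0 && !parts[0].isEmpty(),
                "Server principal has no short name.");
        return parts[0];
    }

    /**
     * In secure mode, once per context lifetime, applies the SASL ACLs to the namespace root and
     * everything below it when the root does not already look secured.
     *
     * <p>NOTE(review): only the first ACL entry of the namespace root is inspected. A root whose
     * first entry uses the {@code sasl} scheme but which also carries a permissive entry (for
     * example {@code world:anyone}), or whose children have weaker ACLs, is treated as already
     * secured. Consider verifying every entry if that situation can occur.
     *
     * @throws Exception on any ZooKeeper or Curator failure
     */
    private void checkAndSetACLs() throws Exception {
        if (this.zkSecure && aclUnChecked) {
            // The raw ZooKeeper handle is not namespaced, so the root is addressed absolutely.
            String namespaceRoot = ZKPaths.PATH_SEPARATOR + this.curatorFramework.getNamespace();
            if (this.curatorFramework.getZookeeperClient().getZooKeeper()
                    .exists(namespaceRoot, (Watcher) null) != null) {
                List<ACL> rootAcl = this.curatorFramework.getZookeeperClient().getZooKeeper()
                        .getACL(namespaceRoot, new Stat());
                if (rootAcl.isEmpty() || !rootAcl.get(0).getId().getScheme().equals(SASL_SCHEME)) {
                    LOGGER.info("'sasl' ACLs not set; setting...");
                    List<String> children = this.curatorFramework.getZookeeperClient()
                            .getZooKeeper().getChildren(namespaceRoot, (Watcher) null);
                    for (String child : children) {
                        // Child paths go through the namespaced Curator client, so they are
                        // expressed relative to the namespace root.
                        checkAndSetACLs(ZKPaths.PATH_SEPARATOR + child);
                    }
                    // Version -1 matches any ACL version on the node.
                    this.curatorFramework.getZookeeperClient().getZooKeeper()
                            .setACL(namespaceRoot, this.saslACL, -1);
                }
            }
            aclUnChecked = false;
        }
    }

    /**
     * Applies the SASL ACLs to {@code path} and, depth-first, to all of its descendants.
     *
     * @param path znode path as seen through the namespaced Curator client
     * @throws Exception on any Curator failure
     */
    private void checkAndSetACLs(String path) throws Exception {
        LOGGER.info("Setting acls on {}", path);
        for (String child : this.curatorFramework.getChildren().forPath(path)) {
            checkAndSetACLs(path + ZKPaths.PATH_SEPARATOR + child);
        }
        this.curatorFramework.setACL().withACL(this.saslACL).forPath(path);
    }

    /**
     * Registers the JAAS login entry used by the ZooKeeper client and installs it as the
     * process-wide JAAS configuration.
     *
     * <p>With {@code sentry.zookeeper.client.ticketcache} left at {@code false} a keytab login is
     * configured and both the keytab path and the principal must be present; otherwise the
     * ticket cache is used.
     *
     * @param configuration source of the keytab, principal and RPC address settings
     * @throws IOException if the principal cannot be resolved
     * @throws IllegalArgumentException if the keytab or principal is missing or empty
     */
    private void setJaasConfiguration(Configuration configuration) throws IOException {
        if (Constants.FALSE.equalsIgnoreCase(
                configuration.get("sentry.zookeeper.client.ticketcache", Constants.FALSE))) {
            String keytabFile = configuration.get("sentry.zookeeper.client.keytab");
            // An unset property yields null; report it as a configuration error rather than
            // failing with a bare NullPointerException.
            Preconditions.checkArgument(!Strings.isNullOrEmpty(keytabFile), "Keytab File is empty.");
            String principal = SecurityUtil.getServerPrincipal(
                    configuration.get("sentry.zookeeper.client.principal"),
                    configuration.get("sentry.service.server.rpc-address", "0.0.0.0"));
            Preconditions.checkArgument(!Strings.isNullOrEmpty(principal),
                    "Kerberos principal is empty.");
            JaasConfiguration.addEntryForKeytab(SENTRY_ZK_JAAS_NAME, principal, keytabFile);
        } else {
            JaasConfiguration.addEntryForTicketCache(SENTRY_ZK_JAAS_NAME);
        }
        // JVM-global: replaces the JAAS configuration for every login in this process.
        javax.security.auth.login.Configuration.setConfiguration(JaasConfiguration.getInstance());
    }

    /**
     * Creates a Curator leader selector bound to this context's client.
     *
     * @param path znode path used for the election
     * @param listener callback notified of leadership changes
     * @return a new, not yet started, leader selector
     */
    public LeaderSelector newLeaderSelector(String path, LeaderSelectorListener listener) {
        return new LeaderSelector(this.curatorFramework, path, listener);
    }

    /** Closes the underlying Curator client. */
    @Override
    public void close() throws Exception {
        this.curatorFramework.close();
    }
}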
