package org.apache.ranger.chainedplugin.hdfs.hive;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.model.RangerPolicy;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResource;
import org.apache.ranger.plugin.policyengine.RangerAccessResourceImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
import org.apache.ranger.plugin.policyengine.RangerResourceACLs;
import org.apache.ranger.plugin.policyevaluator.RangerPolicyEvaluator;
import org.apache.ranger.plugin.service.RangerBasePlugin;
import org.apache.ranger.plugin.service.RangerChainedMapperPlugin;
import org.apache.ranger.plugin.util.RangerAccessRequestUtil;
import org.apache.ranger.plugin.util.RangerPerfTracer;
import org.apache.ranger.plugin.util.RangerRMSAccessResourceImpl;

/* loaded from: input_file:org/apache/ranger/chainedplugin/hdfs/hive/RangerHdfsHiveChainedPlugin.class */
public class RangerHdfsHiveChainedPlugin extends RangerChainedMapperPlugin {
    // General plugin log and the perf-trace log consulted by isAccessAllowed().
    private static final Log LOG = LogFactory.getLog(RangerHdfsHiveChainedPlugin.class);
    private static final Log PERF_CHAINED_PLUGIN_POLICY_EVAL_LOG = RangerPerfTracer.getPerfLogger("chainedplugin.policyeval");
    // Configuration key suffixes. Each one is concatenated directly onto getConfig().getPropertyPrefix();
    // no separator is inserted by the code that builds the key.
    private static final String PROP_HDFS_TO_HIVE_AUTHORIZE_ONLY_WITH_CHAINED_POLICIES = ".mapping.hive.authorize.with.only.chained.policies";
    private static final String PROP_HDFS_TO_HIVE_TABLE_ACCESSTYPE_MAPPING_READ = ".accesstype.mapping.read";
    private static final String PROP_HDFS_TO_HIVE_TABLE_ACCESSTYPE_MAPPING_WRITE = ".accesstype.mapping.write";
    private static final String PROP_HDFS_TO_HIVE_TABLE_ACCESSTYPE_MAPPING_EXECUTE = ".accesstype.mapping.execute";
    // NOTE(review): unlike the table keys above, the three database keys have no leading '.', so the
    // effective key is "<prefix>db.accesstype.mapping.*". Confirm this is the key operators are told to set;
    // an override written under a different name is never read and the built-in defaults stay in force.
    private static final String PROP_HDFS_TO_HIVE_DATABASE_ACCESSTYPE_MAPPING_READ = "db.accesstype.mapping.read";
    private static final String PROP_HDFS_TO_HIVE_DATABASE_ACCESSTYPE_MAPPING_WRITE = "db.accesstype.mapping.write";
    private static final String PROP_HDFS_TO_HIVE_DATABASE_ACCESSTYPE_MAPPING_EXECUTE = "db.accesstype.mapping.execute";
    // Service type handed to the superclass constructor.
    private static final String CHAINED_SERVICE_TYPE = "hive";
    // HDFS and Hive access-type names. Several of these are not referenced by name in the visible part of
    // this file, where the same values appear as inline string literals instead.
    private static final String HDFS_ACCESS_TYPE_READ = "read";
    private static final String HDFS_ACCESS_TYPE_WRITE = "write";
    private static final String HDFS_ACCESS_TYPE_EXECUTE = "execute";
    private static final String HIVE_ACCESS_TYPE_SELECT = "select";
    private static final String HIVE_ACCESS_TYPE_UPDATE = "update";
    private static final String HIVE_ACCESS_TYPE_ALTER = "alter";
    private static final String HIVE_ACCESS_TYPE_CREATE = "create";
    private static final String HIVE_ACCESS_TYPE_DROP = "drop";
    // Delimiter used to split the configured access-type lists; values are not trimmed after splitting.
    private static final String ACCESS_TYPE_SEPARATOR = ",";
    // Leaf-resource names compared against RangerAccessResource.getLeafName().
    private static final String KEY_DATABASE = "database";
    private static final String KEY_TABLE = "table";
    // HDFS access type -> Hive access types to evaluate, for table and for database resources.
    // Both maps are filled once by initAccessTypesMap().
    private final Map<String, List<String>> accessTypeMapHdfsToHiveForTable;
    private final Map<String, List<String>> accessTypeMapHdfsToHiveForDatabase;
    // Read from configuration with a default of true. When true, isAccessAllowed() returns an explicit
    // deny if the chained policies were evaluated and produced no result.
    private final boolean isAuthorizeOnlyWithChainedPolicies;
    // User names from "<prefix>.service.names" (default "hive,impala"). These users are exempt from the
    // write restriction that getHiveAccessTypesForResource() applies to non-external tables.
    private final List<String> hiveServiceUserNames;
    // Reverse lookup, Hive access type -> HDFS access type ("read" or "write" only).
    private final Map<String, String> accessTypeMapHiveToHdfsForTable;
    private final Map<String, String> accessTypeMapHiveToHdfsForDatabase;
    // User names from "<prefix>.privileged.user.names". isAccessAllowed() skips chained policy evaluation
    // for a requesting user whose name is in this list, so the list is part of the authorization surface.
    private final List<String> hivePrivilegedUserNames;

    /**
     * Creates the HDFS-to-Hive chained plugin and loads its settings from the plugin configuration.
     *
     * <p>Settings read here, all keyed by the configuration's property prefix:
     * <ul>
     *   <li>the access-type mappings (see {@code initAccessTypesMap});</li>
     *   <li>the "authorize only with chained policies" switch, default {@code true};</li>
     *   <li>{@code .service.names}, default {@code "hive,impala"};</li>
     *   <li>{@code .privileged.user.names}, default {@code "admin,dpprofiler,hue,beacon,hive,impala"}.</li>
     * </ul>
     *
     * <p>Both user lists are matched by exact user name and change authorization outcomes: privileged users
     * skip chained policy evaluation in {@code isAccessAllowed}, and service users are exempt from the
     * managed-table write restriction. Deployments should review the defaults rather than inherit them.
     *
     * @param rangerBasePlugin the base plugin whose configuration supplies the settings
     * @param str              passed to the superclass constructor as its third argument and logged
     */
    public RangerHdfsHiveChainedPlugin(RangerBasePlugin rangerBasePlugin, String str) {
        super(rangerBasePlugin, CHAINED_SERVICE_TYPE, str);

        // The four lookup tables must exist before initAccessTypesMap() populates them.
        this.accessTypeMapHdfsToHiveForTable = new HashMap<>();
        this.accessTypeMapHdfsToHiveForDatabase = new HashMap<>();
        this.accessTypeMapHiveToHdfsForTable = new HashMap<>();
        this.accessTypeMapHiveToHdfsForDatabase = new HashMap<>();
        initAccessTypesMap(rangerBasePlugin);

        final String chainedOnlyKey = rangerBasePlugin.getConfig().getPropertyPrefix() + PROP_HDFS_TO_HIVE_AUTHORIZE_ONLY_WITH_CHAINED_POLICIES;
        this.isAuthorizeOnlyWithChainedPolicies = rangerBasePlugin.getConfig().getBoolean(chainedOnlyKey, true);

        // A blank value yields an empty list, i.e. no user is treated as a service user.
        final String serviceUsersCsv = this.plugin.getConfig().get(this.plugin.getConfig().getPropertyPrefix() + ".service.names", "hive,impala");
        if (StringUtils.isBlank(serviceUsersCsv)) {
            this.hiveServiceUserNames = new ArrayList<>();
        } else {
            this.hiveServiceUserNames = StringUtil.toList(serviceUsersCsv);
        }

        // A blank value yields an empty list, i.e. every user goes through policy evaluation.
        final String privilegedUsersCsv = this.plugin.getConfig().get(this.plugin.getConfig().getPropertyPrefix() + ".privileged.user.names", "admin,dpprofiler,hue,beacon,hive,impala");
        if (StringUtils.isBlank(privilegedUsersCsv)) {
            this.hivePrivilegedUserNames = new ArrayList<>();
        } else {
            this.hivePrivilegedUserNames = StringUtil.toList(privilegedUsersCsv);
        }

        LOG.info("RangerHdfsHiveChainedPlugin(" + this.serviceType + ", " + str + ")");
    }

    /**
     * Initializes the chained plugin, delegating to the superclass only when {@code getIsInited()} is true.
     *
     * <p>When {@code getIsInited()} is false the plugin stays non-operational and an error is logged;
     * no exception is thrown, so callers learn of the failure only through the log.
     */
    public void init() {
        LOG.info("==> RangerHdfsHiveChainedPlugin.init(" + this.serviceType + ", " + this.serviceName + ")");
        if (!getIsInited()) {
            LOG.error("RangerHdfsHiveChainedPlugin for service [" + this.serviceName + "] was not initialized correctly. It will not be operational!");
        } else {
            super.init();
            if (LOG.isDebugEnabled()) {
                // The configuration object is rendered through its own string conversion.
                LOG.debug("Configuration for RangerHdfsHiveChainedPlugin is :[" + this.plugin.getConfig() + "]");
            }
        }
        LOG.info("<== RangerHdfsHiveChainedPlugin.init(" + this.serviceType + ", " + this.serviceName + ")");
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v132, types: [java.util.Set] */
    /* JADX WARN: Type inference failed for: r0v191, types: [java.util.Set] */
    /* JADX WARN: Type inference failed for: r0v213, types: [java.util.Set] */
    /**
     * Evaluates an HDFS access request against the Hive policies that apply to the Hive resources the
     * HDFS resource maps to.
     *
     * <p>For every mapped Hive resource the method evaluates row-filter and data-mask policies once
     * (with access type "select") and then each mapped Hive access type. A row filter or a data mask on
     * the resource produces a deny. Among access results, the higher policy priority wins and a deny wins
     * a priority tie.
     *
     * <p>NOTE(review): this is decompiler output. The {@code while (true)} loops, the empty {@code if}
     * body near the SELF-scope re-check, and the mistyped local declarations suggest that control flow
     * (for example {@code break} statements) was not fully recovered. Confirm against the original source
     * before relying on the exact sequencing described in the inline comments.
     *
     * @param rangerAccessRequest the incoming HDFS access request
     * @return the chained decision, or {@code null} when the plugin is not initialized, when no Hive
     *         resource is mapped, or when nothing was decided and the default deny below does not apply
     */
    public RangerAccessResult isAccessAllowed(RangerAccessRequest rangerAccessRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerHdfsHiveChainedPlugin.isAccessAllowed(" + rangerAccessRequest + ")");
        }
        RangerAccessResult rangerAccessResult = null;
        if (getIsInited()) {
            RangerPerfTracer rangerPerfTracer = null;
            if (RangerPerfTracer.isPerfTraceEnabled(PERF_CHAINED_PLUGIN_POLICY_EVAL_LOG)) {
                rangerPerfTracer = RangerPerfTracer.getPerfTracer(PERF_CHAINED_PLUGIN_POLICY_EVAL_LOG, "RangerHdfsHiveChainedPlugin.isAccessAllowed(resource=" + rangerAccessRequest.getResource().getAsString() + ")");
            }
            List<RangerAccessResource> hiveResources = getHiveResources(rangerAccessRequest);
            // extractDefaultDatabaseResource() removes the default-database entries from hiveResources
            // and returns them, so after this call the two lists are disjoint.
            List<RangerAccessResource> extractDefaultDatabaseResource = extractDefaultDatabaseResource(hiveResources);
            if (CollectionUtils.isNotEmpty(extractDefaultDatabaseResource) && CollectionUtils.isNotEmpty(hiveResources)) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Mapped hive resources contain both default-db-resource and other resources. Excluding default-db-resource for access evaluation");
                    LOG.debug("hiveResources:[" + hiveResources + "], defaultDatabaseResource:[" + extractDefaultDatabaseResource + "]");
                }
            } else if (CollectionUtils.isEmpty(extractDefaultDatabaseResource) && CollectionUtils.isEmpty(hiveResources)) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Mapped hive resources do not contain either default-db-resource or other resources");
                }
            } else if (!CollectionUtils.isNotEmpty(hiveResources)) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Mapped hive resource is only the default-db-resource:[" + extractDefaultDatabaseResource + "]. Checking default-db-resource for access evaluation");
                }
                // Only default-database resources were mapped: evaluate those.
                hiveResources = extractDefaultDatabaseResource;
            } else if (LOG.isDebugEnabled()) {
                LOG.debug("Mapped hive resources do not contain default-db-resource, mapped hiveResources:[" + hiveResources + "] will be checked for access evaluation");
            }
            if (CollectionUtils.isNotEmpty(hiveResources)) {
                // Copy the tags already present in the request context; tags found while evaluating the
                // Hive requests are merged into this copy and written back after the loop.
                Set requestTagsFromContext = RangerAccessRequestUtil.getRequestTagsFromContext(rangerAccessRequest.getContext());
                HashSet hashSet = requestTagsFromContext == null ? null : new HashSet(requestTagsFromContext);
                // z: true when chained policies were (or should have been) evaluated for the resource
                // handled last; it gates the default deny after the loop.
                boolean z = false;
                Iterator<RangerAccessResource> it = hiveResources.iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    // Decompiler artifact: the declared type does not match the cast on the right-hand side.
                    RangerAccessResourceImpl rangerAccessResourceImpl = (RangerAccessResource) it.next();
                    RangerAccessResourceImpl rangerAccessResourceImpl2 = rangerAccessResourceImpl;
                    rangerAccessResourceImpl2.setServiceDef(this.plugin.getServiceDef());
                    HashSet hashSet2 = null;
                    String leafName = rangerAccessResourceImpl2.getLeafName();
                    // z2: row-filter policies already handled; z3: data-mask policies already handled;
                    // z4: resource is a database or the action is a get-ACL operation.
                    boolean z2 = false;
                    boolean z3 = false;
                    boolean z4 = false;
                    z = true;
                    if (StringUtils.equals(leafName, KEY_DATABASE) || RangerHdfsAuthorizer.isGetAclOperation(rangerAccessRequest.getAction())) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("leafResourceName:[" + leafName + "], action:[" + rangerAccessRequest.getAction() + "]");
                            LOG.debug("Row-filtering and Data-masking policies will not be applied - either resource is not a table or operation is harmless!");
                        }
                        // Marking both as handled skips the row-filter and data-mask evaluation below.
                        z4 = true;
                        z3 = true;
                        z2 = true;
                    }
                    List<String> hiveAccessTypesForResource = getHiveAccessTypesForResource(rangerAccessRequest, rangerAccessResourceImpl, z4);
                    if (CollectionUtils.isEmpty(hiveAccessTypesForResource)) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("List of access-types to be checked for resource [" + rangerAccessResourceImpl + "] is empty. Denying access!");
                        }
                        // As decompiled, this clears any result accumulated from earlier resources and the
                        // loop moves on. No deny object is created here: the deny comes only from the
                        // post-loop default, which requires isAuthorizeOnlyWithChainedPolicies to be true.
                        rangerAccessResult = null;
                    } else if (this.hivePrivilegedUserNames.contains(rangerAccessRequest.getUser())) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("Requesting user[" + rangerAccessRequest.getUser() + "] is one of the privileged users:[" + this.hivePrivilegedUserNames + "] who are granted all access to Hive resources by Ranger default policies. Returning without evaluating Ranger policies.");
                        }
                        // Exact user-name match against the configured list. No chained policy (including
                        // row-filter and data-mask) is evaluated for this user, and clearing z also disables
                        // the default deny after the loop.
                        z = false;
                    } else {
                        Iterator<String> it2 = hiveAccessTypesForResource.iterator();
                        while (true) {
                            if (!it2.hasNext()) {
                                break;
                            }
                            String next = it2.next();
                            // Build the equivalent Hive request, carrying over identity and client attributes.
                            RangerAccessRequestImpl rangerAccessRequestImpl = new RangerAccessRequestImpl(rangerAccessResourceImpl, next, rangerAccessRequest.getUser(), rangerAccessRequest.getUserGroups(), rangerAccessRequest.getUserRoles());
                            rangerAccessRequestImpl.setClientIPAddress(rangerAccessRequest.getClientIPAddress());
                            rangerAccessRequestImpl.setClientType(rangerAccessRequest.getClientType());
                            rangerAccessRequestImpl.setClusterName(rangerAccessRequest.getClusterName());
                            rangerAccessRequestImpl.setClusterType(rangerAccessRequest.getClusterType());
                            rangerAccessRequestImpl.setAction(rangerAccessRequest.getAction());
                            rangerAccessRequestImpl.setAccessTime(rangerAccessRequest.getAccessTime());
                            rangerAccessRequestImpl.setRemoteIPAddress(rangerAccessRequest.getRemoteIPAddress());
                            rangerAccessRequestImpl.setRequestData(rangerAccessRequest.getRequestData());
                            rangerAccessRequestImpl.setSessionId(rangerAccessRequest.getSessionId());
                            // The context object of the HDFS request is passed on as-is, not copied.
                            rangerAccessRequestImpl.setContext(rangerAccessRequest.getContext());
                            if (z4) {
                                if (LOG.isDebugEnabled()) {
                                    LOG.debug("Mapped resource is a database, setting resource-match-scope to SELF");
                                }
                                rangerAccessRequestImpl.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF);
                            } else {
                                rangerAccessRequestImpl.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS);
                            }
                            if (!z2) {
                                // Row-filter policies are evaluated once per resource, as a "select" request.
                                rangerAccessRequestImpl.setAccessType(HIVE_ACCESS_TYPE_SELECT);
                                RangerAccessResult evalRowFilterPolicies = this.plugin.evalRowFilterPolicies(rangerAccessRequestImpl, (RangerAccessResultProcessor) null);
                                if (LOG.isDebugEnabled()) {
                                    LOG.debug("hiveAccessRequest:[" + rangerAccessRequestImpl + "], Row-filter-result:[" + evalRowFilterPolicies + "]");
                                }
                                z2 = true;
                                hashSet2 = RangerAccessRequestUtil.getRequestTagsFromContext(rangerAccessRequestImpl.getContext());
                                if (evalRowFilterPolicies != null && evalRowFilterPolicies.isRowFilterEnabled()) {
                                    // An enabled row filter on the table turns into a deny for the HDFS request.
                                    if (rangerAccessResult == null) {
                                        rangerAccessResult = new RangerAccessResult(2, this.plugin.getServiceName(), this.plugin.getServiceDef(), rangerAccessRequestImpl);
                                    }
                                    rangerAccessResult.setIsAllowed(false);
                                    rangerAccessResult.setPolicyId(evalRowFilterPolicies.getPolicyId());
                                    rangerAccessResult.setPolicyVersion(evalRowFilterPolicies.getPolicyVersion());
                                    rangerAccessResult.setPolicyPriority(evalRowFilterPolicies.getPolicyPriority());
                                    rangerAccessResult.setZoneName(evalRowFilterPolicies.getZoneName());
                                }
                            }
                            if (!z3) {
                                // Data-mask policies are evaluated once per resource, as a "select" request.
                                rangerAccessRequestImpl.setAccessType(HIVE_ACCESS_TYPE_SELECT);
                                RangerAccessResult evalDataMaskPolicies = this.plugin.evalDataMaskPolicies(rangerAccessRequestImpl, (RangerAccessResultProcessor) null);
                                if (LOG.isDebugEnabled()) {
                                    LOG.debug("hiveAccessRequest:[" + rangerAccessRequestImpl + "], Data-masking-result:[" + evalDataMaskPolicies + "]");
                                }
                                z3 = true;
                                hashSet2 = RangerAccessRequestUtil.getRequestTagsFromContext(rangerAccessRequestImpl.getContext());
                                if (evalDataMaskPolicies != null && StringUtils.isNotEmpty(evalDataMaskPolicies.getMaskType())) {
                                    // A non-empty mask type turns into a deny for the HDFS request.
                                    if (rangerAccessResult == null) {
                                        rangerAccessResult = new RangerAccessResult(1, this.plugin.getServiceName(), this.plugin.getServiceDef(), rangerAccessRequestImpl);
                                    }
                                    rangerAccessResult.setIsAllowed(false);
                                    rangerAccessResult.setPolicyId(evalDataMaskPolicies.getPolicyId());
                                    rangerAccessResult.setPolicyVersion(evalDataMaskPolicies.getPolicyVersion());
                                    rangerAccessResult.setPolicyPriority(evalDataMaskPolicies.getPolicyPriority());
                                    rangerAccessResult.setZoneName(evalDataMaskPolicies.getZoneName());
                                }
                            }
                            // Restore the mapped Hive access type before the access-policy evaluation.
                            rangerAccessRequestImpl.setAccessType(next);
                            RangerAccessResult isAccessAllowed = this.plugin.isAccessAllowed(rangerAccessRequestImpl);
                            if (LOG.isDebugEnabled()) {
                                LOG.debug("hiveAccessRequest:[" + rangerAccessRequestImpl + "], Access-result:[" + isAccessAllowed + "]");
                            }
                            hashSet2 = RangerAccessRequestUtil.getRequestTagsFromContext(rangerAccessRequestImpl.getContext());
                            // Only a determined result that is an allow, or that names a policy, is considered.
                            if (isAccessAllowed != null && isAccessAllowed.getIsAccessDetermined() && (isAccessAllowed.getIsAllowed() || isAccessAllowed.getPolicyId() != -1)) {
                                if (z4) {
                                    if (LOG.isDebugEnabled()) {
                                        LOG.debug("Mapped resource is a database, No need to check for resource-matching-scope of SELF again!");
                                    }
                                } else if (isAccessAllowed.getIsAllowed()) {
                                    // An allow obtained with SELF_OR_DESCENDANTS scope is re-checked with
                                    // SELF scope, and the re-check result replaces the first one.
                                    RangerAccessRequest.ResourceMatchingScope resourceMatchingScope = rangerAccessRequestImpl.getResourceMatchingScope();
                                    rangerAccessRequestImpl.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF);
                                    isAccessAllowed = this.plugin.isAccessAllowed(rangerAccessRequestImpl);
                                    if (LOG.isDebugEnabled()) {
                                        LOG.debug("hiveAccessRequest:[" + rangerAccessRequestImpl + "], Access-result:[" + isAccessAllowed + "]");
                                    }
                                    rangerAccessRequestImpl.setResourceMatchingScope(resourceMatchingScope);
                                    // NOTE(review): these nested conditions end in an empty body, so as written
                                    // they have no effect and a null or undetermined re-check result still
                                    // reaches the priority comparison below (a null would fail there).
                                    // Presumably the original skipped such results; confirm.
                                    if (isAccessAllowed != null) {
                                        if (isAccessAllowed.getIsAccessDetermined()) {
                                            if (!isAccessAllowed.getIsAllowed() && isAccessAllowed.getPolicyId() == -1) {
                                            }
                                        }
                                    }
                                }
                                // z5: take the new result when there is none yet, when it has a higher policy
                                // priority, or when priorities are equal and the new result is a deny.
                                boolean z5 = rangerAccessResult == null || isAccessAllowed.getPolicyPriority() > rangerAccessResult.getPolicyPriority();
                                if (!z5 && isAccessAllowed.getPolicyPriority() == rangerAccessResult.getPolicyPriority() && !isAccessAllowed.getIsAllowed()) {
                                    z5 = true;
                                }
                                if (z5) {
                                    rangerAccessResult = isAccessAllowed;
                                } else if (rangerAccessResult != null) {
                                    rangerAccessResult.setZoneName(isAccessAllowed.getZoneName());
                                }
                            }
                        }
                        // Merge the tags collected for this resource into the running set.
                        if (CollectionUtils.isNotEmpty(hashSet2)) {
                            if (CollectionUtils.isEmpty(hashSet)) {
                                hashSet = hashSet2;
                            } else {
                                hashSet.addAll(hashSet2);
                            }
                        }
                    }
                }
                // Default deny: chained policies are authoritative, evaluation was attempted, and nothing
                // produced a result. With the setting off, null is returned instead and the decision is
                // left to the caller.
                if (this.isAuthorizeOnlyWithChainedPolicies && rangerAccessResult == null && z) {
                    rangerAccessResult = new RangerAccessResult(0, this.plugin.getServiceName(), this.plugin.getServiceDef(), rangerAccessRequest);
                    rangerAccessResult.setIsAllowed(false);
                    rangerAccessResult.setPolicyPriority(1);
                }
                RangerAccessRequestUtil.setRequestTagsInContext(rangerAccessRequest.getContext(), hashSet);
            }
            RangerPerfTracer.logAlways(rangerPerfTracer);
        } else if (LOG.isDebugEnabled()) {
            // An uninitialized plugin yields null and is visible only at debug level.
            LOG.debug("isAccessAllowed() is a not operational as the chained plugin was not correctly initialized");
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerHdfsHiveChainedPlugin.isAccessAllowed(" + rangerAccessRequest + "): ret=" + rangerAccessResult);
        }
        return rangerAccessResult;
    }

    /**
     * Evaluates each request in turn with the single-request overload.
     *
     * @param collection the requests to evaluate; must not be {@code null}
     * @return one entry per request, in iteration order; an entry is {@code null} wherever the
     *         single-request overload returned {@code null}, so callers must not read a missing
     *         decision as an allow
     */
    public Collection<RangerAccessResult> isAccessAllowed(Collection<RangerAccessRequest> collection) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerHdfsHiveChainedPlugin.isAccessAllowed(" + collection + ")");
        }

        List<RangerAccessResult> results = new ArrayList<>();
        for (RangerAccessRequest request : collection) {
            results.add(isAccessAllowed(request));
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerHdfsHiveChainedPlugin.isAccessAllowed(" + collection + "): ret=" + results);
        }
        return results;
    }

    /**
     * Returns the HDFS-side ACLs for the request by delegating to the two-argument overload with
     * policy type {@code 0}.
     *
     * @param rangerAccessRequest the HDFS access request
     * @return the merged ACLs, or {@code null} when the overload returns {@code null}
     */
    public RangerResourceACLs getResourceACLs(RangerAccessRequest rangerAccessRequest) {
        // Kept as an int so overload resolution matches the original literal argument.
        final int defaultPolicyType = 0;
        return getResourceACLs(rangerAccessRequest, defaultPolicyType);
    }

    /**
     * Computes HDFS-side ACLs for the request from the Hive ACLs of the mapped Hive resources.
     *
     * <p>For every mapped Hive resource the Hive ACLs are fetched with an "_any" request that carries no
     * user, groups or roles. For table resources the ACLs for policy types 2 and 1 are fetched as well
     * (the same values this class uses for row-filter and data-mask results in {@code isAccessAllowed})
     * and all three are passed to {@code mapHiveACLsToHdfsACLs}. The per-resource results are merged.
     *
     * <p>NOTE(review): this is decompiler output; the resource local is declared with a type that does
     * not match the cast on its right-hand side.
     *
     * @param rangerAccessRequest the HDFS access request
     * @param num                 policy type; it is only logged here, the lookups below use fixed
     *                            policy types regardless of this value
     * @return the merged ACLs, or {@code null} when no Hive resource is mapped to the HDFS resource
     */
    public RangerResourceACLs getResourceACLs(RangerAccessRequest rangerAccessRequest, Integer num) {
        RangerResourceACLs mapHiveACLsToHdfsACLs;
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerHdfsHiveChainedPlugin.getResourceACLs(" + rangerAccessRequest + ", policyType=" + num + ")");
        }
        RangerResourceACLs rangerResourceACLs = null;
        List<RangerAccessResource> hiveResources = getHiveResources(rangerAccessRequest);
        if (!CollectionUtils.isEmpty(hiveResources)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(hiveResources.size() + " Mapped Hive-Resources for HDFS resource:[" + rangerAccessRequest.getResource().getAsString() + "]");
            }
            rangerResourceACLs = new RangerResourceACLs();
            Iterator<RangerAccessResource> it = hiveResources.iterator();
            while (it.hasNext()) {
                RangerRMSAccessResourceImpl rangerRMSAccessResourceImpl = (RangerAccessResource) it.next();
                // ACL lookup is identity-independent: no user, groups or roles are supplied.
                RangerAccessRequestImpl rangerAccessRequestImpl = new RangerAccessRequestImpl(rangerRMSAccessResourceImpl, "_any", (String) null, (Set) null, (Set) null);
                RangerResourceACLs resourceACLs = this.plugin.getResourceACLs(rangerAccessRequestImpl, 0);
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Hive ACLs for resource:[" + rangerRMSAccessResourceImpl.getAsString() + "] are [" + resourceACLs + "]");
                }
                if (StringUtils.equals(rangerRMSAccessResourceImpl.getLeafName(), KEY_TABLE)) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Hive-Resource is a table - Row-filtering and Data-masking policies will be applied.");
                    }
                    rangerAccessRequestImpl.setResourceMatchingScope(RangerAccessRequest.ResourceMatchingScope.SELF_OR_DESCENDANTS);
                    // NOTE(review): the access type is set to "read" here, whereas isAccessAllowed()
                    // evaluates row-filter and data-mask policies with the Hive type "select" - confirm.
                    rangerAccessRequestImpl.setAccessType("read");
                    RangerResourceACLs resourceACLs2 = this.plugin.getResourceACLs(rangerAccessRequestImpl, 2);
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Hive row-masking ACLs for resource:[" + rangerRMSAccessResourceImpl.getAsString() + "] are [" + resourceACLs2 + "]");
                    }
                    RangerResourceACLs resourceACLs3 = this.plugin.getResourceACLs(rangerAccessRequestImpl, 1);
                    // NOTE(review): this message repeats the "row-masking" wording of the previous one
                    // although it reports the policy-type-1 lookup; the two log lines are
                    // indistinguishable when troubleshooting.
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Hive row-masking ACLs for resource:[" + rangerRMSAccessResourceImpl.getAsString() + "] are [" + resourceACLs3 + "]");
                    }
                    // z: whether the table is external. It stays true when the resource carries no
                    // additional info, and becomes false only when info is present and "tableType" is
                    // not "EXTERNAL_TABLE".
                    boolean z = true;
                    if (rangerRMSAccessResourceImpl instanceof RangerRMSAccessResourceImpl) {
                        Map additionalInfo = rangerRMSAccessResourceImpl.getAdditionalInfo();
                        if (MapUtils.isNotEmpty(additionalInfo)) {
                            z = StringUtils.equals((String) additionalInfo.get("tableType"), "EXTERNAL_TABLE");
                        }
                    }
                    // The meaning of the last two flags is defined by mapHiveACLsToHdfsACLs; here they are
                    // "false" and the external-table flag.
                    mapHiveACLsToHdfsACLs = mapHiveACLsToHdfsACLs(resourceACLs, resourceACLs2, resourceACLs3, false, z);
                } else {
                    // Non-table resource: empty ACLs stand in for the policy-type 2 and 1 lookups.
                    RangerResourceACLs rangerResourceACLs2 = new RangerResourceACLs();
                    mapHiveACLsToHdfsACLs = mapHiveACLsToHdfsACLs(resourceACLs, rangerResourceACLs2, rangerResourceACLs2, true, false);
                }
                RangerBasePlugin.getMergedResourceACLs(rangerResourceACLs, mapHiveACLsToHdfsACLs);
            }
        } else if (LOG.isDebugEnabled()) {
            LOG.debug("No Mapped Hive-Resources for HDFS resource:[" + rangerAccessRequest.getResource().getAsString() + "]");
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerHdfsHiveChainedPlugin.getResourceACLs(policyType=" + num + ") : ret :[" + rangerResourceACLs + "]");
        }
        return rangerResourceACLs;
    }

    /**
     * Reports whether the chained Hive policies are treated as authoritative.
     *
     * @return the value read from configuration at construction time (default {@code true}); when
     *         {@code true}, {@code isAccessAllowed} denies a request for which evaluation produced no result
     */
    public boolean isAuthorizeOnlyWithChainedPlugin() {
        final boolean chainedPoliciesOnly = this.isAuthorizeOnlyWithChainedPolicies;
        return chainedPoliciesOnly;
    }

    /**
     * Looks up the Hive resources that the request's HDFS resource maps to.
     *
     * <p>No lookup is done for a request that {@code isNotWhitelisted} reports as whitelisted, nor for a
     * request without a resource. In both cases the result is {@code null}, which makes
     * {@code isAccessAllowed} return {@code null} without evaluating any Hive policy; the whitelist is
     * therefore a bypass of the chained policies and should be kept minimal.
     *
     * @param rangerAccessRequest the HDFS access request
     * @return the mapped Hive resources as returned by the mapping provider, or {@code null}
     */
    private List<RangerAccessResource> getHiveResources(RangerAccessRequest rangerAccessRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerHdfsHiveChainedPlugin.getHiveResources(" + rangerAccessRequest + ")");
        }

        List<RangerAccessResource> mappedResources = null;
        if (!isNotWhitelisted(rangerAccessRequest)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("user/groups are whitelisted :[" + rangerAccessRequest + "]");
            }
        } else if (rangerAccessRequest.getResource() == null) {
            LOG.warn("Unexpected null resource found in the request, ignoring");
        } else {
            mappedResources = this.mappingProvider.getMappedResources(rangerAccessRequest);
        }

        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerHdfsHiveChainedPlugin.getHiveResources(" + rangerAccessRequest + "): ret=" + mappedResources);
        }
        return mappedResources;
    }

    /**
     * Moves the database-level resources that name the "default" database out of {@code list}.
     *
     * <p>The input list is modified in place: every matching entry is removed from it through the
     * iterator and added to the returned list. Nothing is extracted when the list has fewer than two
     * entries. As a side effect, the service definition is set on every resource that is visited.
     *
     * <p>NOTE(review): this is decompiler output; the resource local is declared with a type that does
     * not match the cast on its right-hand side.
     *
     * @param list the mapped Hive resources; may be {@code null} or empty
     * @return the extracted default-database resources, or {@code null} when none were found or when a
     *         database value is not an {@code ArrayList}
     */
    private List<RangerAccessResource> extractDefaultDatabaseResource(List<RangerAccessResource> list) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerHdfsHiveChainedPlugin.extractDefaultDatabaseResource(" + list + ")");
        }
        ArrayList arrayList = null;
        if (CollectionUtils.isNotEmpty(list) && list.size() > 1) {
            Iterator<RangerAccessResource> it = list.iterator();
            while (it.hasNext()) {
                RangerAccessResourceImpl rangerAccessResourceImpl = (RangerAccessResource) it.next();
                RangerAccessResourceImpl rangerAccessResourceImpl2 = rangerAccessResourceImpl;
                rangerAccessResourceImpl2.setServiceDef(this.plugin.getServiceDef());
                if (StringUtils.equals(rangerAccessResourceImpl2.getLeafName(), KEY_DATABASE)) {
                    Object value = rangerAccessResourceImpl2.getValue(KEY_DATABASE);
                    // Accepts only ArrayList or a subclass; any other List implementation is rejected.
                    // A null value would fail on value.getClass() - presumably it cannot be null for a
                    // resource whose leaf is "database"; verify.
                    if (!new ArrayList().getClass().isAssignableFrom(value.getClass())) {
                        LOG.warn("Could not cast values to List of Strings, returning null!!");
                        // Entries removed from the input list in earlier iterations are not restored and
                        // are not returned either.
                        return null;
                    }
                    if (((List) value).contains("default")) {
                        if (arrayList == null) {
                            arrayList = new ArrayList();
                        }
                        arrayList.add(rangerAccessResourceImpl);
                        it.remove();
                    }
                }
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerHdfsHiveChainedPlugin.extractDefaultDatabaseResource(" + list + ") : " + (CollectionUtils.isEmpty(arrayList) ? "No default db/table resources" : "[" + arrayList.size() + " defauult db/table resources found"));
        }
        return arrayList;
    }

    /**
     * Returns the Hive access types configured for an HDFS access type.
     *
     * @param str                  the HDFS access type used as the lookup key
     * @param rangerAccessResource the Hive resource; used only in the debug messages
     * @param z                    {@code true} to use the database mapping, {@code false} for the table mapping
     * @return the mapped Hive access types, or {@code null} when the HDFS access type has no mapping;
     *         {@code isAccessAllowed} treats a {@code null} or empty list as "nothing to evaluate"
     */
    private List<String> getHiveAccessTypes(String str, RangerAccessResource rangerAccessResource, boolean z) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerHdfsHiveChainedPlugin.getHiveAccessTypes(" + str + ", " + rangerAccessResource + ", " + z + ")");
        }

        final Map<String, List<String>> mapping;
        if (z) {
            mapping = this.accessTypeMapHdfsToHiveForDatabase;
        } else {
            mapping = this.accessTypeMapHdfsToHiveForTable;
        }
        List<String> mappedTypes = mapping.get(str);

        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerHdfsHiveChainedPlugin.getHiveAccessTypes(" + str + ", " + rangerAccessResource + ", " + z + ") : ret:[" + mappedTypes + "]");
        }
        return mappedTypes;
    }

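    /**
     * Returns the Hive access types to evaluate for the request, applying the write restriction on
     * tables that are not external.
     *
     * <p>An HDFS "write" by a user who is not a configured Hive service user, on a resource that maps to a
     * table whose "tableType" is anything other than "EXTERNAL_TABLE", yields an empty list, which
     * {@code isAccessAllowed} treats as "nothing to evaluate".
     *
     * <p>Scope of the restriction, as implemented:
     * <ul>
     *   <li>it applies only to {@code RangerRMSAccessResourceImpl} resources with non-empty additional
     *       info; a resource without that metadata is not restricted;</li>
     *   <li>a missing "tableType" entry in non-empty additional info counts as "not external";</li>
     *   <li>service users are matched by exact user name.</li>
     * </ul>
     *
     * <p>The access type is compared constant-first, so a request without an access type is handled as
     * "not a write" instead of failing with a {@code NullPointerException}. The list returned in that case
     * is whatever {@code getHiveAccessTypes} found for the absent key.
     *
     * @param rangerAccessRequest  the HDFS access request
     * @param rangerAccessResource the mapped Hive resource
     * @param z                    {@code true} when the resource is handled as a database
     * @return the Hive access types to evaluate; empty when the write restriction applies, possibly
     *         {@code null} when the HDFS access type has no mapping
     */
    private List<String> getHiveAccessTypesForResource(RangerAccessRequest rangerAccessRequest, RangerAccessResource rangerAccessResource, boolean z) {
        List<String> hiveAccessTypes = getHiveAccessTypes(rangerAccessRequest.getAccessType(), rangerAccessResource, z);
        String user = rangerAccessRequest.getUser();
        if (!this.hiveServiceUserNames.contains(user) && (rangerAccessResource instanceof RangerRMSAccessResourceImpl)) {
            Map additionalInfo = ((RangerRMSAccessResourceImpl) rangerAccessResource).getAdditionalInfo();
            if (MapUtils.isNotEmpty(additionalInfo)) {
                String str = (String) additionalInfo.get("tableType");
                // Constant-first equals: a null access type must not abort the authorization call.
                if (!z && !StringUtils.equals(str, "EXTERNAL_TABLE") && HDFS_ACCESS_TYPE_WRITE.equals(rangerAccessRequest.getAccessType())) {
                    LOG.error("User [" + user + "] is allowed only [read or " + HDFS_ACCESS_TYPE_EXECUTE + "] access to " + rangerAccessRequest.getResource().getAsString() + " which maps to table of type [" + str + "]. Access is not allowed.]");
                    hiveAccessTypes = Collections.emptyList();
                }
            }
        }
        return hiveAccessTypes;
    }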

    /**
     * Loads the HDFS-to-Hive access-type mappings from configuration and builds the reverse lookups.
     *
     * <p>Defaults for tables: read to "select", write to "update,alter", execute to "_any".
     * Defaults for databases: read to "_any", write to "create,drop,alter", execute to "_any".
     * "_any" always maps to "_any".
     *
     * <p>The reverse maps (Hive to HDFS) are filled from the read list first and the write list second, so
     * a Hive access type listed under both ends up mapped to "write". Execute mappings are not added to
     * the reverse maps.
     *
     * <p>NOTE(review): values are split on "," and used without trimming. A configured value such as
     * "update, alter" produces the access type " alter", which will not equal any Hive access-type name.
     * NOTE(review): the database keys are built from suffixes without a leading '.', unlike the table
     * keys; confirm the resulting key names match what operators are expected to set.
     *
     * @param rangerBasePlugin the plugin whose configuration holds the mappings
     */
    private void initAccessTypesMap(RangerBasePlugin rangerBasePlugin) {
        // Table-level mappings.
        final String tableReadCsv = rangerBasePlugin.getConfig().get(rangerBasePlugin.getConfig().getPropertyPrefix() + PROP_HDFS_TO_HIVE_TABLE_ACCESSTYPE_MAPPING_READ, HIVE_ACCESS_TYPE_SELECT);
        final String tableWriteCsv = rangerBasePlugin.getConfig().get(rangerBasePlugin.getConfig().getPropertyPrefix() + PROP_HDFS_TO_HIVE_TABLE_ACCESSTYPE_MAPPING_WRITE, "update,alter");
        final String tableExecuteCsv = rangerBasePlugin.getConfig().get(rangerBasePlugin.getConfig().getPropertyPrefix() + PROP_HDFS_TO_HIVE_TABLE_ACCESSTYPE_MAPPING_EXECUTE, "_any");

        final String[] tableReadTypes = tableReadCsv.split(ACCESS_TYPE_SEPARATOR);
        this.accessTypeMapHdfsToHiveForTable.put("read", Arrays.asList(tableReadTypes));
        final String[] tableWriteTypes = tableWriteCsv.split(ACCESS_TYPE_SEPARATOR);
        this.accessTypeMapHdfsToHiveForTable.put(HDFS_ACCESS_TYPE_WRITE, Arrays.asList(tableWriteTypes));
        this.accessTypeMapHdfsToHiveForTable.put(HDFS_ACCESS_TYPE_EXECUTE, Arrays.asList(tableExecuteCsv.split(ACCESS_TYPE_SEPARATOR)));
        this.accessTypeMapHdfsToHiveForTable.put("_any", Collections.singletonList("_any"));

        // Reverse lookup for tables: read entries first, write entries overwrite on collision.
        for (String hiveType : tableReadTypes) {
            this.accessTypeMapHiveToHdfsForTable.put(hiveType, "read");
        }
        for (String hiveType : tableWriteTypes) {
            this.accessTypeMapHiveToHdfsForTable.put(hiveType, HDFS_ACCESS_TYPE_WRITE);
        }

        // Database-level mappings.
        final String dbReadCsv = rangerBasePlugin.getConfig().get(rangerBasePlugin.getConfig().getPropertyPrefix() + PROP_HDFS_TO_HIVE_DATABASE_ACCESSTYPE_MAPPING_READ, "_any");
        final String dbWriteCsv = rangerBasePlugin.getConfig().get(rangerBasePlugin.getConfig().getPropertyPrefix() + PROP_HDFS_TO_HIVE_DATABASE_ACCESSTYPE_MAPPING_WRITE, "create,drop,alter");
        final String dbExecuteCsv = rangerBasePlugin.getConfig().get(rangerBasePlugin.getConfig().getPropertyPrefix() + PROP_HDFS_TO_HIVE_DATABASE_ACCESSTYPE_MAPPING_EXECUTE, "_any");

        final String[] dbReadTypes = dbReadCsv.split(ACCESS_TYPE_SEPARATOR);
        this.accessTypeMapHdfsToHiveForDatabase.put("read", Arrays.asList(dbReadTypes));
        final String[] dbWriteTypes = dbWriteCsv.split(ACCESS_TYPE_SEPARATOR);
        this.accessTypeMapHdfsToHiveForDatabase.put(HDFS_ACCESS_TYPE_WRITE, Arrays.asList(dbWriteTypes));
        this.accessTypeMapHdfsToHiveForDatabase.put(HDFS_ACCESS_TYPE_EXECUTE, Arrays.asList(dbExecuteCsv.split(ACCESS_TYPE_SEPARATOR)));
        this.accessTypeMapHdfsToHiveForDatabase.put("_any", Collections.singletonList("_any"));

        // Reverse lookup for databases, same precedence as for tables.
        for (String hiveType : dbReadTypes) {
            this.accessTypeMapHiveToHdfsForDatabase.put(hiveType, "read");
        }
        for (String hiveType : dbWriteTypes) {
            this.accessTypeMapHiveToHdfsForDatabase.put(hiveType, HDFS_ACCESS_TYPE_WRITE);
        }
    }

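    /**
     * Translates ACLs evaluated against a Hive resource into the corresponding HDFS ACLs.
     *
     * <p>Only Hive entries whose result is ACCESS_ALLOWED or ACCESS_DENIED are considered. Each
     * Hive access type is translated through the database map when {@code z} is true and through
     * the table map otherwise; a Hive access type with no HDFS equivalent produces no entry of its
     * own. A user or group with at least one allowed entry is granted HDFS execute, and HDFS read
     * as well when {@code z} is true.
     *
     * <p>User entries only: when {@code z} and {@code z2} are both false and the user is not in
     * {@code hiveServiceUserNames}, an entry that maps to HDFS write is recorded as denied against
     * a copy of the originating policy with priority {@code Integer.MAX_VALUE}. The "at least one
     * allowed" test is made after this override, so an overridden write grant does not by itself
     * earn execute access.
     *
     * <p>Finally, mapped read access is forced to denied for every user and group named by a
     * non-empty row filter in {@code rangerResourceACLs2} or by a data mask other than MASK_NONE
     * in {@code rangerResourceACLs3} (presumably because neither can be enforced on direct file
     * reads; confirm against the design notes).
     *
     * @param rangerResourceACLs  Hive ACLs to translate
     * @param rangerResourceACLs2 ACLs whose row filters are consulted
     * @param rangerResourceACLs3 ACLs whose data masks are consulted
     * @param z                   true to use the database-level mapping, false for the table-level one
     * @param z2                  when true the write override is skipped (presumably marks an
     *                            external table; confirm against the caller)
     * @return the HDFS ACLs, after {@code finalizeAcls()} has been called on them
     */
    private RangerResourceACLs mapHiveACLsToHdfsACLs(RangerResourceACLs rangerResourceACLs, RangerResourceACLs rangerResourceACLs2, RangerResourceACLs rangerResourceACLs3, boolean z, boolean z2) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerHdfsHiveChainedPlugin.mapHiveACLsToHdfsAcls(hiveACLs [" + rangerResourceACLs + "] )");
        }
        final int allowed = RangerPolicyEvaluator.ACCESS_ALLOWED.intValue();
        final int denied = RangerPolicyEvaluator.ACCESS_DENIED.intValue();
        RangerResourceACLs hdfsACLs = new RangerResourceACLs();

        for (Map.Entry<String, Map<String, RangerResourceACLs.AccessResult>> userEntry : rangerResourceACLs.getUserACLs().entrySet()) {
            boolean anyAllowed = false;
            RangerPolicy firstAllowingPolicy = null;
            String userName = userEntry.getKey();
            for (Map.Entry<String, RangerResourceACLs.AccessResult> accessEntry : userEntry.getValue().entrySet()) {
                RangerResourceACLs.AccessResult hiveResult = accessEntry.getValue();
                if (hiveResult.getResult() == allowed || hiveResult.getResult() == denied) {
                    String hiveAccessType = accessEntry.getKey();
                    String hdfsAccessType = z ? this.accessTypeMapHiveToHdfsForDatabase.get(hiveAccessType) : this.accessTypeMapHiveToHdfsForTable.get(hiveAccessType);
                    int result = hiveResult.getResult();
                    RangerPolicy policy = hiveResult.getPolicy();
                    if (hdfsAccessType != null && hdfsAccessType.equals(HDFS_ACCESS_TYPE_WRITE) && !z && !z2 && !this.hiveServiceUserNames.contains(userName)) {
                        // Record the write as denied against a top-priority copy of the policy.
                        // NOTE(review): assumes policy is non-null on this path; confirm.
                        RangerPolicy denyingPolicy = new RangerPolicy();
                        denyingPolicy.updateFrom(policy);
                        denyingPolicy.setId(policy.getId());
                        denyingPolicy.setGuid(policy.getGuid());
                        denyingPolicy.setVersion(policy.getVersion());
                        denyingPolicy.setServiceType(policy.getServiceType());
                        denyingPolicy.setPolicyPriority(Integer.MAX_VALUE);
                        policy = denyingPolicy;
                        result = denied;
                    }
                    // Checked before the mapping test below, so an allowed Hive access type with
                    // no HDFS equivalent still counts towards execute access.
                    if (!anyAllowed && result == allowed) {
                        anyAllowed = true;
                        firstAllowingPolicy = policy;
                    }
                    if (hdfsAccessType != null) {
                        hdfsACLs.setUserAccessInfo(userName, hdfsAccessType, Integer.valueOf(result), policy);
                    }
                }
            }
            if (anyAllowed) {
                hdfsACLs.setUserAccessInfo(userName, HDFS_ACCESS_TYPE_EXECUTE, RangerPolicyEvaluator.ACCESS_ALLOWED, firstAllowingPolicy);
                if (z) {
                    hdfsACLs.setUserAccessInfo(userName, "read", RangerPolicyEvaluator.ACCESS_ALLOWED, firstAllowingPolicy);
                }
            }
        }

        // NOTE(review): the write override applied to user entries above is not applied to group
        // entries, which keep the result Hive reported; confirm this difference is intended.
        for (Map.Entry<String, Map<String, RangerResourceACLs.AccessResult>> groupEntry : rangerResourceACLs.getGroupACLs().entrySet()) {
            boolean anyAllowed = false;
            RangerPolicy firstAllowingPolicy = null;
            String groupName = groupEntry.getKey();
            for (Map.Entry<String, RangerResourceACLs.AccessResult> accessEntry : groupEntry.getValue().entrySet()) {
                RangerResourceACLs.AccessResult hiveResult = accessEntry.getValue();
                if (hiveResult.getResult() == allowed || hiveResult.getResult() == denied) {
                    String hiveAccessType = accessEntry.getKey();
                    String hdfsAccessType = z ? this.accessTypeMapHiveToHdfsForDatabase.get(hiveAccessType) : this.accessTypeMapHiveToHdfsForTable.get(hiveAccessType);
                    if (!anyAllowed && hiveResult.getResult() == allowed) {
                        anyAllowed = true;
                        firstAllowingPolicy = hiveResult.getPolicy();
                    }
                    if (hdfsAccessType != null) {
                        hdfsACLs.setGroupAccessInfo(groupName, hdfsAccessType, Integer.valueOf(hiveResult.getResult()), hiveResult.getPolicy());
                    }
                }
                // Unlike the user loop, this runs on every iteration once an allowed entry has
                // been seen rather than once after the loop; kept as is.
                if (anyAllowed) {
                    hdfsACLs.setGroupAccessInfo(groupName, HDFS_ACCESS_TYPE_EXECUTE, RangerPolicyEvaluator.ACCESS_ALLOWED, firstAllowingPolicy);
                    if (z) {
                        hdfsACLs.setGroupAccessInfo(groupName, "read", RangerPolicyEvaluator.ACCESS_ALLOWED, firstAllowingPolicy);
                    }
                }
            }
        }

        // Deny mapped read access to every principal subject to a row filter or a data mask.
        // User names are applied to the user ACL map and group names to the group ACL map:
        // applying group names to the user map would leave the group's own read grant in place
        // and would add user entries keyed by group names.
        overrideReadAccess(hdfsACLs.getUserACLs(), getRowFilteredUsersOrGroups(rangerResourceACLs2.getRowFilters(), true));
        overrideReadAccess(hdfsACLs.getGroupACLs(), getRowFilteredUsersOrGroups(rangerResourceACLs2.getRowFilters(), false));
        overrideReadAccess(hdfsACLs.getUserACLs(), getMaskedUsersOrGroups(rangerResourceACLs3.getDataMasks(), true));
        overrideReadAccess(hdfsACLs.getGroupACLs(), getMaskedUsersOrGroups(rangerResourceACLs3.getDataMasks(), false));
        hdfsACLs.finalizeAcls();
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerHdfsHiveChainedPlugin.mapHiveACLsToHdfsAcls() : ret :[" + hdfsACLs + "]");
        }
        return hdfsACLs;
    }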

    /**
     * Collects the users or groups to which a data mask other than {@code "MASK_NONE"} applies.
     *
     * <p>Only users and groups are collected. Names are appended in iteration order and are not
     * de-duplicated.
     *
     * @param list data-mask results to scan
     * @param z    true to collect user names, false to collect group names
     * @return the collected names, or {@code null} when no result carries an effective mask
     */
    private List<String> getMaskedUsersOrGroups(List<RangerResourceACLs.DataMaskResult> list, boolean z) {
        List<String> names = null;
        for (RangerResourceACLs.DataMaskResult maskResult : list) {
            boolean masksNothing = StringUtils.equals(maskResult.getMaskInfo().getDataMaskType(), "MASK_NONE");
            if (masksNothing) {
                continue;
            }
            // Allocated lazily so that "nothing masked" is reported as null, not an empty list.
            if (names == null) {
                names = new ArrayList<>();
            }
            if (z) {
                names.addAll(maskResult.getUsers());
            } else {
                names.addAll(maskResult.getGroups());
            }
        }
        return names;
    }

    /**
     * Collects the users or groups to which a row filter with a non-empty expression applies.
     *
     * <p>Only users and groups are collected. Names are appended in iteration order and are not
     * de-duplicated.
     *
     * @param list row-filter results to scan
     * @param z    true to collect user names, false to collect group names
     * @return the collected names, or {@code null} when no result has a non-empty filter expression
     */
    private List<String> getRowFilteredUsersOrGroups(List<RangerResourceACLs.RowFilterResult> list, boolean z) {
        List<String> names = null;
        for (RangerResourceACLs.RowFilterResult filterResult : list) {
            boolean hasFilter = StringUtils.isNotEmpty(filterResult.getFilterInfo().getFilterExpr());
            if (!hasFilter) {
                continue;
            }
            // Allocated lazily so that "nothing filtered" is reported as null, not an empty list.
            if (names == null) {
                names = new ArrayList<>();
            }
            if (z) {
                names.addAll(filterResult.getUsers());
            } else {
                names.addAll(filterResult.getGroups());
            }
        }
        return names;
    }

    /**
     * Forces the {@code "read"} entry of every named principal to ACCESS_DENIED.
     *
     * <p>For each name in {@code list}: a missing per-principal map or a missing {@code "read"}
     * entry is created as denied with no policy attached; an existing entry that is not already
     * denied is switched to denied and its policy reference cleared; an entry that is already
     * denied is left untouched, keeping its policy.
     *
     * @param map  ACLs keyed by principal name and then by access type; modified in place
     * @param list principal names to deny; {@code null} or empty makes this a no-op
     */
    private void overrideReadAccess(Map<String, Map<String, RangerResourceACLs.AccessResult>> map, List<String> list) {
        if (CollectionUtils.isEmpty(list)) {
            return;
        }
        final int denied = RangerPolicyEvaluator.ACCESS_DENIED.intValue();
        for (String principal : list) {
            Map<String, RangerResourceACLs.AccessResult> byAccessType = map.get(principal);
            RangerResourceACLs.AccessResult existingRead = (byAccessType == null) ? null : byAccessType.get("read");

            if (existingRead != null) {
                // An entry that is already denied keeps its policy reference.
                if (existingRead.getResult() != denied) {
                    existingRead.setResult(denied);
                    existingRead.setPolicy((RangerPolicy) null);
                }
                continue;
            }

            RangerResourceACLs.AccessResult deniedRead = new RangerResourceACLs.AccessResult();
            deniedRead.setResult(denied);
            deniedRead.setPolicy((RangerPolicy) null);
            if (byAccessType == null) {
                byAccessType = new HashMap<>();
                byAccessType.put("read", deniedRead);
                map.put(principal, byAccessType);
            } else {
                byAccessType.put("read", deniedRead);
            }
        }
    }
}
