package org.apache.ranger.authorization.yarn.authorizer;

import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.yarn.security.AccessRequest;
import org.apache.hadoop.yarn.security.AccessType;
import org.apache.hadoop.yarn.security.Permission;
import org.apache.hadoop.yarn.security.PrivilegedEntity;
import org.apache.hadoop.yarn.security.YarnAuthorizationProvider;
import org.apache.ranger.authorization.hadoop.config.RangerPluginConfig;
import org.apache.ranger.authorization.utils.StringUtil;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;
import org.apache.ranger.plugin.policyengine.RangerAccessResultProcessor;
import org.apache.ranger.plugin.util.RangerPerfTracer;

/* loaded from: input_file:org/apache/ranger/authorization/yarn/authorizer/RangerYarnAuthorizer.class */
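/**
 * YARN authorization provider that asks the Ranger plugin for a decision first and,
 * when fallback is enabled, consults the YARN ACLs registered through
 * {@link #setPermission(List, UserGroupInformation)} for requests Ranger did not determine.
 *
 * <p>Decision summary, as implemented by {@link #checkPermission(AccessRequest)}:
 * <ul>
 *   <li>Ranger determined the request: Ranger's allow/deny result is returned.</li>
 *   <li>Ranger did not determine it and fallback is disabled: the request is denied.</li>
 *   <li>Ranger did not determine it and fallback is enabled (the default): the YARN ACLs decide.</li>
 * </ul>
 */
public class RangerYarnAuthorizer extends YarnAuthorizationProvider {
    public static final String ACCESS_TYPE_ADMIN_QUEUE = "admin-queue";
    public static final String ACCESS_TYPE_SUBMIT_APP = "submit-app";
    public static final String ACCESS_TYPE_ADMIN = "admin";
    public static final String KEY_RESOURCE_QUEUE = "queue";
    private static final Log LOG = LogFactory.getLog(RangerYarnAuthorizer.class);

    // Shared by every authorizer instance; volatile so the lazy initialisation in init() is published safely.
    private static volatile RangerYarnPlugin yarnPlugin = null;

    // True when requests Ranger leaves undetermined may be decided by the YARN ACLs.
    private boolean yarnAuthEnabled = true;
    // Module name handed to the audit handler created per request.
    private String yarnModuleName = "yarn-acl";
    // Admin ACL supplied through setAdmins(); null until then, in which case isAdmin() answers false.
    private AccessControlList admins = null;
    // YARN ACLs per target entity, filled by setPermission() and read by isAllowedByYarnAcl().
    private final ConcurrentMap<PrivilegedEntity, Map<AccessType, AccessControlList>> yarnAcl = new ConcurrentHashMap<>();

    /**
     * Creates and initialises the shared Ranger plugin on first use, then reads this
     * instance's settings from the plugin configuration.
     *
     * <p>{@code ranger.add-yarn-authorization} defaults to {@code true}, so unless it is set to
     * {@code false} a request that no Ranger policy determines is decided by the YARN ACLs.
     * Deployments that expect Ranger policies to be the only source of access should set it
     * to {@code false}.
     *
     * @param configuration the configuration passed by the caller; not read by this method
     */
    public void init(Configuration configuration) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerYarnAuthorizer.init()");
        }
        // Double-checked locking on the volatile field: only one plugin is ever created and initialised.
        if (yarnPlugin == null) {
            synchronized (RangerYarnAuthorizer.class) {
                if (yarnPlugin == null) {
                    RangerYarnPlugin created = new RangerYarnPlugin();
                    created.init();
                    // Published only after init() returns, so readers never observe a half-initialised plugin.
                    yarnPlugin = created;
                }
            }
        }
        RangerPluginConfig pluginConfig = yarnPlugin.getConfig();
        this.yarnAuthEnabled = pluginConfig.getBoolean("ranger.add-yarn-authorization", true);
        this.yarnModuleName = pluginConfig.get("ranger.auditlog.yarnAcl.name", "yarn-acl");
        pluginConfig.setIsFallbackSupported(this.yarnAuthEnabled);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerYarnAuthorizer.init()");
        }
    }

    /**
     * Decides whether the request is allowed, preferring the Ranger decision over YARN ACLs.
     *
     * <p>If the plugin has not been initialised and fallback is disabled, the request is denied.
     * The audit handler is flushed in a {@code finally} block so that an exception thrown during
     * evaluation does not silently drop an audit event that was already collected.
     *
     * @param accessRequest the YARN access request to evaluate
     * @return {@code true} if access is granted, {@code false} otherwise
     */
    public boolean checkPermission(AccessRequest accessRequest) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerYarnAuthorizer.checkPermission(" + accessRequest + ")");
        }
        // Read the shared plugin once so the null check and the call use the same reference.
        RangerYarnPlugin plugin = yarnPlugin;
        // Typed as the concrete handler: it is passed to isAllowedByYarnAcl() and flushed below.
        RangerYarnAuditHandler auditHandler = null;
        boolean allowed;
        try {
            RangerAccessResult result = null;
            if (plugin != null) {
                RangerYarnAccessRequest rangerRequest = new RangerYarnAccessRequest(accessRequest);
                auditHandler = new RangerYarnAuditHandler(this.yarnModuleName);
                result = plugin.isAccessAllowed(rangerRequest, auditHandler);
            }
            if (!this.yarnAuthEnabled || (result != null && result.getIsAccessDetermined())) {
                // Ranger is authoritative here; a missing result means deny.
                allowed = result != null && result.getIsAllowed();
            } else {
                // Ranger had no decision and fallback is enabled: the YARN ACLs decide.
                allowed = isAllowedByYarnAcl(accessRequest, auditHandler);
            }
        } finally {
            if (auditHandler != null) {
                auditHandler.flushAudit();
            }
        }
        // NOTE(review): both calls pass a null tracer, so they look like residue of perf
        // tracing that is not visible in this listing; kept as-is. Confirm before removing.
        RangerPerfTracer.log((RangerPerfTracer) null);
        RangerPerfTracer.log((RangerPerfTracer) null);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerYarnAuthorizer.checkPermission(" + accessRequest + "): " + allowed);
        }
        return allowed;
    }

    /**
     * Reports whether the user is in the admin ACL supplied through
     * {@link #setAdmins(AccessControlList, UserGroupInformation)}.
     *
     * @param userGroupInformation the user to check
     * @return {@code true} if the admin ACL allows the user; {@code false} if it does not or
     *         if no admin ACL has been set
     */
    public boolean isAdmin(UserGroupInformation userGroupInformation) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerYarnAuthorizer.isAdmin(" + userGroupInformation + ")");
        }
        // Snapshot the field so the null check and the lookup see the same ACL.
        AccessControlList adminAcl = this.admins;
        boolean isAdminUser = adminAcl != null && adminAcl.isUserAllowed(userGroupInformation);
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerYarnAuthorizer.isAdmin(" + userGroupInformation + "): " + isAdminUser);
        }
        return isAdminUser;
    }

    /**
     * Replaces the admin ACL used by {@link #isAdmin(UserGroupInformation)}.
     *
     * <p>NOTE(review): the calling user is only written to the debug log; this method does not
     * check whether that user may change the admin list. Presumably the caller enforces that;
     * confirm against the call sites.
     *
     * @param accessControlList the new admin ACL
     * @param userGroupInformation the user making the change; logged only
     */
    public void setAdmins(AccessControlList accessControlList, UserGroupInformation userGroupInformation) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerYarnAuthorizer.setAdmins(" + accessControlList + ", " + userGroupInformation + ")");
        }
        this.admins = accessControlList;
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerYarnAuthorizer.setAdmins(" + accessControlList + ", " + userGroupInformation + ")");
        }
    }

    /**
     * Stores the YARN ACLs of each permission under its target entity, replacing any ACL map
     * previously stored for the same target. Entries for other targets are left in place.
     *
     * <p>NOTE(review): as in {@link #setAdmins(AccessControlList, UserGroupInformation)}, the
     * calling user is logged but not checked here.
     *
     * @param list the permissions to register
     * @param userGroupInformation the user making the change; logged only
     */
    public void setPermission(List<Permission> list, UserGroupInformation userGroupInformation) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerYarnAuthorizer.setPermission(" + list + ", " + userGroupInformation + ")");
        }
        for (Permission permission : list) {
            this.yarnAcl.put(permission.getTarget(), permission.getAcls());
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerYarnAuthorizer.setPermission(" + list + ", " + userGroupInformation + ")");
        }
    }

    /**
     * Evaluates the request against the stored YARN ACLs only, without consulting Ranger.
     *
     * <p>Access is granted as soon as one stored ACL for the requested access type allows the
     * user and is registered on the requested entity itself or, for queues, on one of its
     * ancestors. The outcome is reported to the audit handler when one is supplied.
     *
     * @param accessRequest the YARN access request to evaluate
     * @param rangerYarnAuditHandler audit handler that records the outcome; may be {@code null}
     * @return {@code true} if a matching YARN ACL allows the user, {@code false} otherwise
     */
    public boolean isAllowedByYarnAcl(AccessRequest accessRequest, RangerYarnAuditHandler rangerYarnAuditHandler) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerYarnAuthorizer.isAllowedByYarnAcl(" + accessRequest + ")");
        }
        AccessType accessType = accessRequest.getAccessType();
        PrivilegedEntity requestedEntity = accessRequest.getEntity();
        UserGroupInformation user = accessRequest.getUser();
        boolean allowed = false;
        for (Map.Entry<PrivilegedEntity, Map<AccessType, AccessControlList>> entry : this.yarnAcl.entrySet()) {
            Map<AccessType, AccessControlList> aclsByType = entry.getValue();
            AccessControlList acl = aclsByType == null ? null : aclsByType.get(accessType);
            if (acl != null && acl.isUserAllowed(user) && isSelfOrChildOf(requestedEntity, entry.getKey())) {
                allowed = true;
                break;
            }
        }
        if (rangerYarnAuditHandler != null) {
            rangerYarnAuditHandler.logYarnAclEvent(allowed);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerYarnAuthorizer.isAllowedByYarnAcl(" + accessRequest + "): " + allowed);
        }
        return allowed;
    }

    /**
     * Tells whether an ACL registered on {@code aclTarget} applies to {@code requested}: either
     * the two entities are equal, or {@code requested} is a queue whose dotted name lies below
     * the name of {@code aclTarget}.
     *
     * <p>A missing entity or a missing queue name never matches, so malformed input results in
     * "no ACL applies" rather than an exception in the middle of an authorization decision.
     *
     * <p>NOTE(review): only the type of {@code requested} is checked; the type of
     * {@code aclTarget} is not compared in the ancestor case. Confirm that is intended.
     */
    private boolean isSelfOrChildOf(PrivilegedEntity requested, PrivilegedEntity aclTarget) {
        if (requested == null || aclTarget == null) {
            return false;
        }
        if (requested.equals(aclTarget)) {
            return true;
        }
        if (requested.getType() != PrivilegedEntity.EntityType.QUEUE) {
            return false;
        }
        String queueName = requested.getName();
        String parentName = aclTarget.getName();
        if (queueName == null || !queueName.contains(".") || StringUtil.isEmpty(parentName)) {
            return false;
        }
        // Compare against "parent." rather than "parent": an ACL on "root.a" must not be
        // treated as covering the sibling queue "root.ab".
        String parentPrefix = parentName.endsWith(".") ? parentName : parentName + ".";
        return queueName.startsWith(parentPrefix);
    }
}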
