package org.apache.doris.mysql.privilege;

import com.google.common.base.Joiner;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import java.io.DataInput;
import java.io.DataOutput;
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.stream.Collectors;
import org.apache.commons.collections.CollectionUtils;
import org.apache.doris.analysis.AlterUserStmt;
import org.apache.doris.analysis.CreateRoleStmt;
import org.apache.doris.analysis.CreateUserStmt;
import org.apache.doris.analysis.DropRoleStmt;
import org.apache.doris.analysis.DropUserStmt;
import org.apache.doris.analysis.GrantStmt;
import org.apache.doris.analysis.PasswordOptions;
import org.apache.doris.analysis.RefreshLdapStmt;
import org.apache.doris.analysis.ResourcePattern;
import org.apache.doris.analysis.RevokeStmt;
import org.apache.doris.analysis.SetLdapPassVar;
import org.apache.doris.analysis.SetPassVar;
import org.apache.doris.analysis.SetUserPropertyStmt;
import org.apache.doris.analysis.TablePattern;
import org.apache.doris.analysis.UserIdentity;
import org.apache.doris.analysis.WorkloadGroupPattern;
import org.apache.doris.catalog.Env;
import org.apache.doris.catalog.InfoSchemaDb;
import org.apache.doris.catalog.Resource;
import org.apache.doris.cluster.ClusterNamespace;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.AuthenticationException;
import org.apache.doris.common.AuthorizationException;
import org.apache.doris.common.Config;
import org.apache.doris.common.DdlException;
import org.apache.doris.common.ErrorCode;
import org.apache.doris.common.ErrorReport;
import org.apache.doris.common.FeConstants;
import org.apache.doris.common.LdapConfig;
import org.apache.doris.common.Pair;
import org.apache.doris.common.PatternMatcherException;
import org.apache.doris.common.UserException;
import org.apache.doris.common.io.Writable;
import org.apache.doris.ldap.LdapManager;
import org.apache.doris.ldap.LdapUserInfo;
import org.apache.doris.load.DppConfig;
import org.apache.doris.persist.AlterUserOperationLog;
import org.apache.doris.persist.LdapInfo;
import org.apache.doris.persist.PrivInfo;
import org.apache.doris.qe.ConnectContext;
import org.apache.doris.resource.Tag;
import org.apache.doris.thrift.TPrivilegeStatus;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:org/apache/doris/mysql/privilege/Auth.class */
public class Auth implements Writable {
    private static final Logger LOG = LogManager.getLogger(Auth.class);
    public static final String ROOT_USER = "root";
    public static final String ADMIN_USER = "admin";
    public static final String UNKNOWN_USER = "unknown";
    public static final String DEFAULT_CATALOG = "internal";
    private RoleManager roleManager = new RoleManager();
    private UserManager userManager = new UserManager();
    private UserRoleManager userRoleManager = new UserRoleManager();
    private UserPropertyMgr propertyMgr = new UserPropertyMgr();
    private LdapInfo ldapInfo = new LdapInfo();
    private LdapManager ldapManager = new LdapManager();
    private PasswordPolicyManager passwdPolicyManager = new PasswordPolicyManager();
    private ReentrantReadWriteLock lock = new ReentrantReadWriteLock();

    /* loaded from: input_file:org/apache/doris/mysql/privilege/Auth$PrivLevel.class */
    public enum PrivLevel {
        GLOBAL,
        CATALOG,
        DATABASE,
        TABLE,
        RESOURCE,
        WORKLOAD_GROUP
    }

    private void readLock() {
        this.lock.readLock().lock();
    }

    private void readUnlock() {
        this.lock.readLock().unlock();
    }

    private void writeLock() {
        this.lock.writeLock().lock();
    }

    private void writeUnlock() {
        this.lock.writeLock().unlock();
    }

    public Auth() {
        initUser();
    }

    public LdapInfo getLdapInfo() {
        return this.ldapInfo;
    }

    public void setLdapInfo(LdapInfo ldapInfo) {
        this.ldapInfo = ldapInfo;
    }

    public LdapManager getLdapManager() {
        return this.ldapManager;
    }

    public PasswordPolicyManager getPasswdPolicyManager() {
        return this.passwdPolicyManager;
    }

    public boolean doesRoleExist(String str) {
        return this.roleManager.getRole(str) != null;
    }

    public void mergeRolesNoCheckName(List<String> list, Role role) throws DdlException {
        readLock();
        try {
            for (String str : list) {
                if (doesRoleExist(str)) {
                    role.mergeNotCheck(this.roleManager.getRole(str));
                }
            }
        } finally {
            readUnlock();
        }
    }

    public Role getRoleByName(String str) {
        return this.roleManager.getRole(str);
    }

    public void checkPassword(String str, String str2, byte[] bArr, byte[] bArr2, List<UserIdentity> list) throws AuthenticationException {
        if (("root".equals(str) || ADMIN_USER.equals(str)) && Config.skip_localhost_auth_check && "127.0.0.1".equals(str2)) {
            if (str.equals("root")) {
                list.add(UserIdentity.ROOT);
                return;
            } else {
                list.add(UserIdentity.ADMIN);
                return;
            }
        }
        readLock();
        try {
            this.userManager.checkPassword(str, str2, bArr, bArr2, list);
            readUnlock();
        } catch (Throwable th) {
            readUnlock();
            throw th;
        }
    }

    public boolean checkPlainPasswordForTest(String str, String str2, String str3, List<UserIdentity> list) {
        try {
            checkPlainPassword(str, str2, str3, list);
            return true;
        } catch (AuthenticationException e) {
            return false;
        }
    }

    public Set<String> getRolesByUser(UserIdentity userIdentity, boolean z) {
        readLock();
        try {
            Set<String> rolesByUser = this.userRoleManager.getRolesByUser(userIdentity, z);
            readUnlock();
            return rolesByUser;
        } catch (Throwable th) {
            readUnlock();
            throw th;
        }
    }

    public void checkPlainPassword(String str, String str2, String str3, List<UserIdentity> list) throws AuthenticationException {
        if (this.ldapManager.doesUserExist(str)) {
            if (this.ldapManager.checkUserPasswd(str, str3, str2, list)) {
                return;
            }
            ErrorCode errorCode = ErrorCode.ERR_ACCESS_DENIED_ERROR;
            Object[] objArr = new Object[2];
            objArr[0] = str + Resource.REFERENCE_SPLIT + str2;
            objArr[1] = Strings.isNullOrEmpty(str3) ? "NO" : "YES";
            throw new AuthenticationException(errorCode, objArr);
        }
        readLock();
        try {
            this.userManager.checkPlainPassword(str, str2, str3, list);
            readUnlock();
        } catch (Throwable th) {
            readUnlock();
            throw th;
        }
    }

    public Set<Role> getRolesByUserWithLdap(UserIdentity userIdentity) {
        HashSet newHashSet = Sets.newHashSet();
        Iterator<String> it = this.userRoleManager.getRolesByUser(userIdentity).iterator();
        while (it.hasNext()) {
            newHashSet.add(this.roleManager.getRole(it.next()));
        }
        if (isLdapAuthEnabled()) {
            Set<Role> userRoles = this.ldapManager.getUserRoles(userIdentity.getQualifiedUser());
            if (!CollectionUtils.isEmpty(userRoles)) {
                newHashSet.addAll(userRoles);
            }
        }
        return newHashSet;
    }

    public List<UserIdentity> getUserIdentityForLdap(String str, String str2) {
        return this.userManager.getUserIdentityUncheckPasswd(str, str2);
    }

    public boolean checkGlobalPriv(UserIdentity userIdentity, PrivPredicate privPredicate) {
        readLock();
        try {
            Iterator<Role> it = getRolesByUserWithLdap(userIdentity).iterator();
            while (it.hasNext()) {
                if (it.next().checkGlobalPriv(privPredicate)) {
                    return true;
                }
            }
            readUnlock();
            return false;
        } finally {
            readUnlock();
        }
    }

    public boolean checkCtlPriv(UserIdentity userIdentity, String str, PrivPredicate privPredicate) {
        if (privPredicate.getPrivs().containsNodePriv()) {
            LOG.debug("should not check NODE priv in catalog level. user: {}, catalog: {}", userIdentity, str);
            return false;
        }
        readLock();
        try {
            Iterator<Role> it = getRolesByUserWithLdap(userIdentity).iterator();
            while (it.hasNext()) {
                if (it.next().checkCtlPriv(str, privPredicate)) {
                    return true;
                }
            }
            readUnlock();
            return false;
        } finally {
            readUnlock();
        }
    }

    public boolean checkDbPriv(UserIdentity userIdentity, String str, String str2, PrivPredicate privPredicate) {
        if (privPredicate.getPrivs().containsNodePriv()) {
            LOG.debug("should not check NODE priv in Database level. user: {}, db: {}", userIdentity, str2);
            return false;
        }
        readLock();
        try {
            Iterator<Role> it = getRolesByUserWithLdap(userIdentity).iterator();
            while (it.hasNext()) {
                if (it.next().checkDbPriv(str, str2, privPredicate)) {
                    return true;
                }
            }
            readUnlock();
            return false;
        } finally {
            readUnlock();
        }
    }

    public boolean checkTblPriv(UserIdentity userIdentity, String str, String str2, String str3, PrivPredicate privPredicate) {
        if (privPredicate.getPrivs().containsNodePriv()) {
            LOG.debug("should check NODE priv in GLOBAL level. user: {}, db: {}, tbl: {}", userIdentity, str2, str3);
            return false;
        }
        readLock();
        try {
            Iterator<Role> it = getRolesByUserWithLdap(userIdentity).iterator();
            while (it.hasNext()) {
                if (it.next().checkTblPriv(str, str2, str3, privPredicate)) {
                    return true;
                }
            }
            readUnlock();
            return false;
        } finally {
            readUnlock();
        }
    }

    public void checkColsPriv(UserIdentity userIdentity, String str, String str2, String str3, Set<String> set, PrivPredicate privPredicate) throws AuthorizationException {
        Set<Role> rolesByUserWithLdap = getRolesByUserWithLdap(userIdentity);
        for (String str4 : set) {
            if (!checkColPriv(str, str2, str3, str4, privPredicate, rolesByUserWithLdap)) {
                throw new AuthorizationException(String.format("Permission denied: user [%s] does not have privilege for [%s] command on [%s].[%s].[%s].[%s]", userIdentity, privPredicate, str, str2, str3, str4));
            }
        }
    }

    private boolean checkColPriv(String str, String str2, String str3, String str4, PrivPredicate privPredicate, Set<Role> set) {
        Iterator<Role> it = set.iterator();
        while (it.hasNext()) {
            if (it.next().checkColPriv(str, str2, str3, str4, privPredicate)) {
                return true;
            }
        }
        return false;
    }

    public boolean checkResourcePriv(UserIdentity userIdentity, String str, PrivPredicate privPredicate) {
        readLock();
        try {
            Iterator<Role> it = getRolesByUserWithLdap(userIdentity).iterator();
            while (it.hasNext()) {
                if (it.next().checkResourcePriv(str, privPredicate)) {
                    return true;
                }
            }
            readUnlock();
            return false;
        } finally {
            readUnlock();
        }
    }

    public boolean checkWorkloadGroupPriv(UserIdentity userIdentity, String str, PrivPredicate privPredicate) {
        readLock();
        try {
            Iterator<Role> it = getRolesByUserWithLdap(userIdentity).iterator();
            while (it.hasNext()) {
                if (it.next().checkWorkloadGroupPriv(str, privPredicate)) {
                    return true;
                }
            }
            readUnlock();
            return false;
        } finally {
            readUnlock();
        }
    }

    public boolean checkHasPriv(ConnectContext connectContext, PrivPredicate privPredicate, PrivLevel... privLevelArr) {
        readLock();
        try {
            Iterator<Role> it = getRolesByUserWithLdap(connectContext.getCurrentUserIdentity()).iterator();
            while (it.hasNext()) {
                if (it.next().checkHasPriv(privPredicate, privLevelArr)) {
                    return true;
                }
            }
            readUnlock();
            return false;
        } finally {
            readUnlock();
        }
    }

    private boolean isLdapAuthEnabled() {
        return LdapConfig.ldap_authentication_enabled;
    }

    public void createUser(CreateUserStmt createUserStmt) throws DdlException {
        createUserInternal(createUserStmt.getUserIdent(), createUserStmt.getQualifiedRole(), createUserStmt.getPassword(), createUserStmt.isIfNotExist(), createUserStmt.getPasswordOptions(), false);
    }

    public void replayCreateUser(PrivInfo privInfo) {
        try {
            createUserInternal(privInfo.getUserIdent(), privInfo.getRole(), privInfo.getPasswd(), false, privInfo.getPasswordOptions(), true);
        } catch (DdlException e) {
            LOG.error("should not happen", e);
        }
    }

    private void createUserInternal(UserIdentity userIdentity, String str, byte[] bArr, boolean z, PasswordOptions passwordOptions, boolean z2) throws DdlException {
        writeLock();
        Role role = null;
        if (str != null) {
            try {
                role = this.roleManager.getRole(str);
                if (role == null) {
                    throw new DdlException("Role: " + str + " does not exist");
                }
            } catch (Throwable th) {
                writeUnlock();
                throw th;
            }
        }
        if (doesUserExist(userIdentity)) {
            if (!z) {
                throw new DdlException("User " + userIdentity + " already exist");
            }
            LOG.info("user exists, ignored to create user: {}, is replay: {}", userIdentity, Boolean.valueOf(z2));
            writeUnlock();
            return;
        }
        try {
            this.userManager.createUser(userIdentity, bArr, null, false);
            if (bArr != null) {
                this.passwdPolicyManager.updatePassword(userIdentity, bArr);
            }
            this.userRoleManager.addUserRole(userIdentity, this.roleManager.createDefaultRole(userIdentity).getRoleName());
            if (role != null) {
                this.userRoleManager.addUserRole(userIdentity, str);
            }
            this.propertyMgr.addUserResource(userIdentity.getQualifiedUser());
            this.passwdPolicyManager.updatePolicy(userIdentity, bArr, passwordOptions);
            if (!z2) {
                Env.getCurrentEnv().getEditLog().logCreateUser(new PrivInfo(userIdentity, (PrivBitSet) null, bArr, str, passwordOptions));
            }
            LOG.info("finished to create user: {}, is replay: {}", userIdentity, Boolean.valueOf(z2));
            writeUnlock();
        } catch (PatternMatcherException e) {
            throw new DdlException("create user failed,", (Throwable) e);
        }
    }

    public void dropUser(DropUserStmt dropUserStmt) throws DdlException {
        dropUserInternal(dropUserStmt.getUserIdentity(), dropUserStmt.isSetIfExists(), false);
    }

    public void replayDropUser(UserIdentity userIdentity) throws DdlException {
        dropUserInternal(userIdentity, false, true);
    }

    private void dropUserInternal(UserIdentity userIdentity, boolean z, boolean z2) throws DdlException {
        writeLock();
        try {
            if (!doesUserExist(userIdentity)) {
                if (!z) {
                    throw new DdlException(String.format("User `%s`@`%s` does not exist.", userIdentity.getQualifiedUser(), userIdentity.getHost()));
                }
                LOG.info("user non exists, ignored to drop user: {}, is replay: {}", userIdentity.getQualifiedUser(), Boolean.valueOf(z2));
                writeUnlock();
                return;
            }
            this.roleManager.removeDefaultRole(userIdentity);
            this.userRoleManager.dropUser(userIdentity);
            this.passwdPolicyManager.dropUser(userIdentity);
            this.userManager.removeUser(userIdentity);
            if (CollectionUtils.isEmpty(this.userManager.getUserByName(userIdentity.getQualifiedUser()))) {
                this.propertyMgr.dropUser(userIdentity);
            }
            if (!z2) {
                Env.getCurrentEnv().getEditLog().logNewDropUser(userIdentity);
            }
            LOG.info("finished to drop user: {}, is replay: {}", userIdentity.getQualifiedUser(), Boolean.valueOf(z2));
            writeUnlock();
        } catch (Throwable th) {
            writeUnlock();
            throw th;
        }
    }

    public void grant(GrantStmt grantStmt) throws DdlException {
        if (grantStmt.getTblPattern() != null) {
            grantInternal(grantStmt.getUserIdent(), grantStmt.getQualifiedRole(), grantStmt.getTblPattern(), PrivBitSet.of(grantStmt.getPrivileges()), grantStmt.getColPrivileges(), true, false);
        } else if (grantStmt.getResourcePattern() != null) {
            grantInternal(grantStmt.getUserIdent(), grantStmt.getQualifiedRole(), grantStmt.getResourcePattern(), PrivBitSet.of(grantStmt.getPrivileges()), true, false);
        } else if (grantStmt.getWorkloadGroupPattern() == null) {
            grantInternal(grantStmt.getUserIdent(), grantStmt.getRoles(), false);
        } else {
            grantInternal(grantStmt.getUserIdent(), grantStmt.getQualifiedRole(), grantStmt.getWorkloadGroupPattern(), PrivBitSet.of(grantStmt.getPrivileges()), true, false);
        }
    }

    public void replayGrant(PrivInfo privInfo) {
        try {
            if (privInfo.getTblPattern() != null) {
                grantInternal(privInfo.getUserIdent(), privInfo.getRole(), privInfo.getTblPattern(), privInfo.getPrivs(), privInfo.getColPrivileges(), true, true);
            } else if (privInfo.getResourcePattern() != null) {
                grantInternal(privInfo.getUserIdent(), privInfo.getRole(), privInfo.getResourcePattern(), privInfo.getPrivs(), true, true);
            } else if (privInfo.getWorkloadGroupPattern() != null) {
                grantInternal(privInfo.getUserIdent(), privInfo.getRole(), privInfo.getWorkloadGroupPattern(), privInfo.getPrivs(), true, true);
            } else {
                grantInternal(privInfo.getUserIdent(), privInfo.getRoles(), true);
            }
        } catch (DdlException e) {
            LOG.error("should not happen", e);
        }
    }

    private void grantInternal(UserIdentity userIdentity, String str, TablePattern tablePattern, PrivBitSet privBitSet, Map<ColPrivilegeKey, Set<String>> map, boolean z, boolean z2) throws DdlException {
        writeLock();
        if (str == null) {
            try {
                if (!doesUserExist(userIdentity)) {
                    throw new DdlException("user " + userIdentity + " does not exist");
                }
                str = this.roleManager.getUserDefaultRoleName(userIdentity);
            } catch (Throwable th) {
                writeUnlock();
                throw th;
            }
        }
        this.roleManager.addOrMergeRole(new Role(str, tablePattern, privBitSet, map), false);
        if (!z2) {
            Env.getCurrentEnv().getEditLog().logGrantPriv(new PrivInfo(userIdentity, tablePattern, privBitSet, null, str, map));
        }
        LOG.info("finished to grant privilege. is replay: {}", Boolean.valueOf(z2));
        writeUnlock();
    }

    private void grantInternal(UserIdentity userIdentity, String str, ResourcePattern resourcePattern, PrivBitSet privBitSet, boolean z, boolean z2) throws DdlException {
        writeLock();
        if (str == null) {
            try {
                str = this.roleManager.getUserDefaultRoleName(userIdentity);
            } catch (Throwable th) {
                writeUnlock();
                throw th;
            }
        }
        this.roleManager.addOrMergeRole(new Role(str, resourcePattern, privBitSet), false);
        if (!z2) {
            Env.getCurrentEnv().getEditLog().logGrantPriv(new PrivInfo(userIdentity, resourcePattern, privBitSet, (byte[]) null, str));
        }
        LOG.info("finished to grant resource privilege. is replay: {}", Boolean.valueOf(z2));
        writeUnlock();
    }

    private void grantInternal(UserIdentity userIdentity, String str, WorkloadGroupPattern workloadGroupPattern, PrivBitSet privBitSet, boolean z, boolean z2) throws DdlException {
        writeLock();
        if (str == null) {
            try {
                str = this.roleManager.getUserDefaultRoleName(userIdentity);
            } catch (Throwable th) {
                writeUnlock();
                throw th;
            }
        }
        this.roleManager.addOrMergeRole(new Role(str, workloadGroupPattern, privBitSet), false);
        if (!z2) {
            Env.getCurrentEnv().getEditLog().logGrantPriv(new PrivInfo(userIdentity, workloadGroupPattern, privBitSet, (byte[]) null, str));
        }
        LOG.info("finished to grant workload group privilege. is replay: {}", Boolean.valueOf(z2));
        writeUnlock();
    }

    private void grantInternal(UserIdentity userIdentity, List<String> list, boolean z) throws DdlException {
        writeLock();
        try {
            if (this.userManager.getUserByUserIdentity(userIdentity) == null) {
                throw new DdlException("user: " + userIdentity + " does not exist");
            }
            for (String str : list) {
                if (this.roleManager.getRole(str) == null) {
                    throw new DdlException("role:" + str + " does not exist");
                }
            }
            this.userRoleManager.addUserRoles(userIdentity, list);
            if (!z) {
                Env.getCurrentEnv().getEditLog().logGrantPriv(new PrivInfo(userIdentity, list));
            }
            LOG.info("finished to grant role privilege. is replay: {}", Boolean.valueOf(z));
            writeUnlock();
        } catch (Throwable th) {
            writeUnlock();
            throw th;
        }
    }

    public boolean doesUserExist(UserIdentity userIdentity) {
        return this.userManager.userIdentityExist(userIdentity, false);
    }

    public UserIdentity getCurrentUserIdentity(UserIdentity userIdentity) {
        readLock();
        try {
            if (doesUserExist(userIdentity)) {
                return userIdentity;
            }
            return null;
        } finally {
            readUnlock();
        }
    }

    public void revoke(RevokeStmt revokeStmt) throws DdlException {
        if (revokeStmt.getTblPattern() != null) {
            revokeInternal(revokeStmt.getUserIdent(), revokeStmt.getQualifiedRole(), revokeStmt.getTblPattern(), PrivBitSet.of(revokeStmt.getPrivileges()), revokeStmt.getColPrivileges(), true, false);
        } else if (revokeStmt.getResourcePattern() != null) {
            revokeInternal(revokeStmt.getUserIdent(), revokeStmt.getQualifiedRole(), revokeStmt.getResourcePattern(), PrivBitSet.of(revokeStmt.getPrivileges()), true, false);
        } else if (revokeStmt.getWorkloadGroupPattern() == null) {
            revokeInternal(revokeStmt.getUserIdent(), revokeStmt.getRoles(), false);
        } else {
            revokeInternal(revokeStmt.getUserIdent(), revokeStmt.getQualifiedRole(), revokeStmt.getWorkloadGroupPattern(), PrivBitSet.of(revokeStmt.getPrivileges()), true, false);
        }
    }

    public void replayRevoke(PrivInfo privInfo) {
        try {
            if (privInfo.getTblPattern() != null) {
                revokeInternal(privInfo.getUserIdent(), privInfo.getRole(), privInfo.getTblPattern(), privInfo.getPrivs(), privInfo.getColPrivileges(), true, true);
            } else if (privInfo.getResourcePattern() != null) {
                revokeInternal(privInfo.getUserIdent(), privInfo.getRole(), privInfo.getResourcePattern(), privInfo.getPrivs(), true, true);
            } else if (privInfo.getWorkloadGroupPattern() != null) {
                revokeInternal(privInfo.getUserIdent(), privInfo.getRole(), privInfo.getWorkloadGroupPattern(), privInfo.getPrivs(), true, true);
            } else {
                revokeInternal(privInfo.getUserIdent(), privInfo.getRoles(), true);
            }
        } catch (DdlException e) {
            LOG.error("should not happened", e);
        }
    }

    private void revokeInternal(UserIdentity userIdentity, String str, TablePattern tablePattern, PrivBitSet privBitSet, Map<ColPrivilegeKey, Set<String>> map, boolean z, boolean z2) throws DdlException {
        writeLock();
        if (str == null) {
            try {
                str = this.roleManager.getUserDefaultRoleName(userIdentity);
            } catch (Throwable th) {
                writeUnlock();
                throw th;
            }
        }
        this.roleManager.revokePrivs(str, tablePattern, privBitSet, map, z);
        if (!z2) {
            Env.getCurrentEnv().getEditLog().logRevokePriv(new PrivInfo(userIdentity, tablePattern, privBitSet, null, str, map));
        }
        LOG.info("finished to revoke privilege. is replay: {}", Boolean.valueOf(z2));
        writeUnlock();
    }

    private void revokeInternal(UserIdentity userIdentity, String str, ResourcePattern resourcePattern, PrivBitSet privBitSet, boolean z, boolean z2) throws DdlException {
        writeLock();
        if (str == null) {
            try {
                str = this.roleManager.getUserDefaultRoleName(userIdentity);
            } catch (Throwable th) {
                writeUnlock();
                throw th;
            }
        }
        this.roleManager.revokePrivs(str, resourcePattern, privBitSet, z);
        if (!z2) {
            Env.getCurrentEnv().getEditLog().logRevokePriv(new PrivInfo(userIdentity, resourcePattern, privBitSet, (byte[]) null, str));
        }
        LOG.info("finished to revoke privilege. is replay: {}", Boolean.valueOf(z2));
        writeUnlock();
    }

    private void revokeInternal(UserIdentity userIdentity, String str, WorkloadGroupPattern workloadGroupPattern, PrivBitSet privBitSet, boolean z, boolean z2) throws DdlException {
        writeLock();
        if (str == null) {
            try {
                str = this.roleManager.getUserDefaultRoleName(userIdentity);
            } catch (Throwable th) {
                writeUnlock();
                throw th;
            }
        }
        this.roleManager.revokePrivs(str, workloadGroupPattern, privBitSet, z);
        if (!z2) {
            Env.getCurrentEnv().getEditLog().logRevokePriv(new PrivInfo(userIdentity, workloadGroupPattern, privBitSet, (byte[]) null, str));
        }
        LOG.info("finished to revoke privilege. is replay: {}", Boolean.valueOf(z2));
        writeUnlock();
    }

    private void revokeInternal(UserIdentity userIdentity, List<String> list, boolean z) throws DdlException {
        writeLock();
        try {
            if (this.userManager.getUserByUserIdentity(userIdentity) == null) {
                throw new DdlException("user: " + userIdentity + " does not exist");
            }
            for (String str : list) {
                if (this.roleManager.getRole(str) == null) {
                    throw new DdlException("role:" + str + " does not exist");
                }
            }
            this.userRoleManager.removeUserRoles(userIdentity, list);
            if (!z) {
                Env.getCurrentEnv().getEditLog().logRevokePriv(new PrivInfo(userIdentity, list));
            }
            LOG.info("finished to revoke role privilege. is replay: {}", Boolean.valueOf(z));
            writeUnlock();
        } catch (Throwable th) {
            writeUnlock();
            throw th;
        }
    }

    public void setPassword(SetPassVar setPassVar) throws DdlException {
        setPasswordInternal(setPassVar.getUserIdent(), setPassVar.getPassword(), null, true, false, false);
    }

    public void replaySetPassword(PrivInfo privInfo) {
        try {
            setPasswordInternal(privInfo.getUserIdent(), privInfo.getPasswd(), null, true, false, true);
        } catch (DdlException e) {
            LOG.error("should not happened", e);
        }
    }

    public void setPasswordInternal(UserIdentity userIdentity, byte[] bArr, UserIdentity userIdentity2, boolean z, boolean z2, boolean z3) throws DdlException {
        Preconditions.checkArgument((z2 && userIdentity2 == null) ? false : true, z2 + ", " + userIdentity2);
        writeLock();
        if (!z3) {
            try {
                if (!this.passwdPolicyManager.checkPasswordHistory(userIdentity, bArr)) {
                    ErrorReport.reportDdlException(ErrorCode.ERR_CREDENTIALS_CONTRADICT_TO_HISTORY, userIdentity.getQualifiedUser(), userIdentity.getHost());
                }
            } finally {
                writeUnlock();
            }
        }
        this.userManager.setPassword(userIdentity, bArr, z);
        if (bArr != null) {
            this.passwdPolicyManager.updatePassword(userIdentity, bArr);
        }
        if (!z3) {
            Env.getCurrentEnv().getEditLog().logSetPassword(new PrivInfo(userIdentity, (PrivBitSet) null, bArr, (String) null, (PasswordOptions) null));
        }
        LOG.info("finished to set password for {}. is replay: {}", userIdentity, Boolean.valueOf(z3));
    }

    public void setLdapPassword(SetLdapPassVar setLdapPassVar) {
        this.ldapInfo = new LdapInfo(setLdapPassVar.getLdapPassword());
        Env.getCurrentEnv().getEditLog().logSetLdapPassword(this.ldapInfo);
        LOG.info("finished to set ldap password.");
    }

    public void replaySetLdapPassword(LdapInfo ldapInfo) {
        this.ldapInfo = ldapInfo;
        LOG.debug("finish replaying ldap admin password.");
    }

    public void refreshLdap(RefreshLdapStmt refreshLdapStmt) {
        this.ldapManager.refresh(refreshLdapStmt.getIsAll(), refreshLdapStmt.getUser());
    }

    public void createRole(CreateRoleStmt createRoleStmt) throws DdlException {
        createRoleInternal(createRoleStmt.getQualifiedRole(), createRoleStmt.isSetIfNotExists(), false);
    }

    public void replayCreateRole(PrivInfo privInfo) {
        try {
            createRoleInternal(privInfo.getRole(), false, true);
        } catch (DdlException e) {
            LOG.error("should not happened", e);
        }
    }

    private void createRoleInternal(String str, boolean z, boolean z2) throws DdlException {
        Role role = new Role(str);
        writeLock();
        if (z) {
            try {
                if (this.roleManager.getRole(str) != null) {
                    LOG.info("role exists, ignored to create role: {}, is replay: {}", str, Boolean.valueOf(z2));
                    writeUnlock();
                    return;
                }
            } finally {
                writeUnlock();
            }
        }
        this.roleManager.addOrMergeRole(role, true);
        if (!z2) {
            Env.getCurrentEnv().getEditLog().logCreateRole(new PrivInfo((UserIdentity) null, (PrivBitSet) null, (byte[]) null, str, (PasswordOptions) null));
        }
        LOG.info("finished to create role: {}, is replay: {}", str, Boolean.valueOf(z2));
    }

    public void dropRole(DropRoleStmt dropRoleStmt) throws DdlException {
        dropRoleInternal(dropRoleStmt.getQualifiedRole(), dropRoleStmt.isSetIfExists(), false);
    }

    public void replayDropRole(PrivInfo privInfo) {
        try {
            dropRoleInternal(privInfo.getRole(), false, true);
        } catch (DdlException e) {
            LOG.error("should not happened", e);
        }
    }

    private void dropRoleInternal(String str, boolean z, boolean z2) throws DdlException {
        writeLock();
        if (z) {
            try {
                if (this.roleManager.getRole(str) == null) {
                    LOG.info("role non exists, ignored to drop role: {}, is replay: {}", str, Boolean.valueOf(z2));
                    writeUnlock();
                    return;
                }
            } finally {
                writeUnlock();
            }
        }
        this.roleManager.dropRole(str, true);
        this.userRoleManager.dropRole(str);
        if (!z2) {
            Env.getCurrentEnv().getEditLog().logDropRole(new PrivInfo((UserIdentity) null, (PrivBitSet) null, (byte[]) null, str, (PasswordOptions) null));
        }
        LOG.info("finished to drop role: {}, is replay: {}", str, Boolean.valueOf(z2));
    }

    public Set<UserIdentity> getRoleUsers(String str) {
        readLock();
        try {
            return this.userRoleManager.getUsersByRole(str);
        } finally {
            readUnlock();
        }
    }

    public void updateUserProperty(SetUserPropertyStmt setUserPropertyStmt) throws UserException {
        updateUserPropertyInternal(setUserPropertyStmt.getUser(), setUserPropertyStmt.getPropertyPairList(), false);
    }

    public void replayUpdateUserProperty(UserPropertyInfo userPropertyInfo) throws UserException {
        updateUserPropertyInternal(userPropertyInfo.getUser(), userPropertyInfo.getProperties(), true);
    }

    public void updateUserPropertyInternal(String str, List<Pair<String, String>> list, boolean z) throws UserException {
        writeLock();
        try {
            this.propertyMgr.updateUserProperty(str, list);
            if (!z) {
                Env.getCurrentEnv().getEditLog().logUpdateUserProperty(new UserPropertyInfo(str, list));
            }
            LOG.info("finished to set properties for user: {}", str);
            writeUnlock();
        } catch (Throwable th) {
            writeUnlock();
            throw th;
        }
    }

    public long getMaxConn(String str) {
        readLock();
        try {
            long maxConn = this.propertyMgr.getMaxConn(str);
            readUnlock();
            return maxConn;
        } catch (Throwable th) {
            readUnlock();
            throw th;
        }
    }

    public int getQueryTimeout(String str) {
        readLock();
        try {
            return this.propertyMgr.getQueryTimeout(str);
        } finally {
            readUnlock();
        }
    }

    public int getInsertTimeout(String str) {
        readLock();
        try {
            return this.propertyMgr.getInsertTimeout(str);
        } finally {
            readUnlock();
        }
    }

    public long getMaxQueryInstances(String str) {
        readLock();
        try {
            long maxQueryInstances = this.propertyMgr.getMaxQueryInstances(str);
            readUnlock();
            return maxQueryInstances;
        } catch (Throwable th) {
            readUnlock();
            throw th;
        }
    }

    public String[] getSqlBlockRules(String str) {
        readLock();
        try {
            return this.propertyMgr.getSqlBlockRules(str);
        } finally {
            readUnlock();
        }
    }

    public int getCpuResourceLimit(String str) {
        readLock();
        try {
            return this.propertyMgr.getCpuResourceLimit(str);
        } finally {
            readUnlock();
        }
    }

    public Set<Tag> getResourceTags(String str) {
        readLock();
        try {
            return this.propertyMgr.getResourceTags(str);
        } finally {
            readUnlock();
        }
    }

    public long getExecMemLimit(String str) {
        readLock();
        try {
            long execMemLimit = this.propertyMgr.getExecMemLimit(str);
            readUnlock();
            return execMemLimit;
        } catch (Throwable th) {
            readUnlock();
            throw th;
        }
    }

    public String getWorkloadGroup(String str) {
        readLock();
        try {
            return this.propertyMgr.getWorkloadGroup(str);
        } finally {
            readUnlock();
        }
    }

    public Pair<Boolean, String> isWorkloadGroupInUse(String str) {
        readLock();
        try {
            return this.propertyMgr.isWorkloadGroupInUse(str);
        } finally {
            readUnlock();
        }
    }

    public void getAllDomains(Set<String> set) {
        readLock();
        try {
            this.userManager.getAllDomains(set);
        } finally {
            readUnlock();
        }
    }

    public void refreshUserPrivEntriesByResovledIPs(Map<String, Set<String>> map) {
        writeLock();
        try {
            this.userManager.clearEntriesSetByResolver();
            this.userManager.addUserPrivEntriesByResolvedIPs(map);
        } finally {
            writeUnlock();
        }
    }

    public List<List<String>> getAuthInfo(UserIdentity userIdentity) {
        ArrayList newArrayList = Lists.newArrayList();
        readLock();
        try {
            if (userIdentity == null) {
                Iterator<List<User>> it = this.userManager.getNameToUsers().values().iterator();
                while (it.hasNext()) {
                    for (User user : it.next()) {
                        if (!user.isSetByDomainResolver()) {
                            getUserAuthInfo(newArrayList, user.getUserIdentity());
                        }
                    }
                }
            } else {
                getUserAuthInfo(newArrayList, userIdentity);
            }
            return newArrayList;
        } finally {
            readUnlock();
        }
    }

    private void getUserAuthInfo(List<List<String>> list, UserIdentity userIdentity) {
        ArrayList newArrayList = Lists.newArrayList();
        newArrayList.add(userIdentity.toString());
        if (isLdapAuthEnabled() && this.ldapManager.doesUserExist(userIdentity.getQualifiedUser())) {
            LdapUserInfo userInfo = this.ldapManager.getUserInfo(userIdentity.getQualifiedUser());
            newArrayList.add(userInfo.isSetPasswd() ? "Yes" : "No");
            newArrayList.add(userInfo.getPaloRoles().stream().map(role -> {
                return role.getRoleName();
            }).collect(Collectors.joining(",")));
        } else {
            User userByUserIdentity = this.userManager.getUserByUserIdentity(userIdentity);
            if (userByUserIdentity == null) {
                newArrayList.add(FeConstants.null_string);
                newArrayList.add(FeConstants.null_string);
            } else {
                newArrayList.add(userByUserIdentity.hasPassword() ? "Yes" : "No");
                newArrayList.add(Joiner.on(",").join(this.userRoleManager.getRolesByUser(userIdentity, ConnectContext.get().getSessionVariable().showUserDefaultRole)));
            }
        }
        PrivBitSet privBitSet = new PrivBitSet();
        List<PrivEntry> list2 = getUserGlobalPrivTable(userIdentity).entries;
        if (!CollectionUtils.isEmpty(list2)) {
            privBitSet.or(list2.get(0).privSet);
        }
        newArrayList.add(privBitSet.isEmpty() ? FeConstants.null_string : privBitSet.toString());
        String str = (String) getUserCtlPrivTable(userIdentity).entries.stream().map(privEntry -> {
            return String.format("%s: %s", ((CatalogPrivEntry) privEntry).getOrigCtl(), privEntry.privSet);
        }).collect(Collectors.joining("; "));
        if (Strings.isNullOrEmpty(str)) {
            str = FeConstants.null_string;
        }
        newArrayList.add(str);
        ArrayList newArrayList2 = Lists.newArrayList();
        Iterator<PrivEntry> it = getUserDbPrivTable(userIdentity).entries.iterator();
        while (it.hasNext()) {
            DbPrivEntry dbPrivEntry = (DbPrivEntry) it.next();
            newArrayList2.add(String.format("%s.%s: %s", dbPrivEntry.getOrigCtl(), dbPrivEntry.getOrigDb(), dbPrivEntry.getPrivSet().copy()));
        }
        if (newArrayList2.isEmpty()) {
            newArrayList.add(FeConstants.null_string);
        } else {
            newArrayList.add(Joiner.on("; ").join(newArrayList2));
        }
        ArrayList newArrayList3 = Lists.newArrayList();
        Iterator<PrivEntry> it2 = getUserTblPrivTable(userIdentity).entries.iterator();
        while (it2.hasNext()) {
            TablePrivEntry tablePrivEntry = (TablePrivEntry) it2.next();
            newArrayList3.add(String.format("%s.%s.%s: %s", tablePrivEntry.getOrigCtl(), tablePrivEntry.getOrigDb(), tablePrivEntry.getOrigTbl(), tablePrivEntry.getPrivSet().copy()));
        }
        if (newArrayList3.isEmpty()) {
            newArrayList.add(FeConstants.null_string);
        } else {
            newArrayList.add(Joiner.on("; ").join(newArrayList3));
        }
        ArrayList newArrayList4 = Lists.newArrayList();
        for (Map.Entry<ColPrivilegeKey, Set<String>> entry : getUserColPrivMap(userIdentity).entrySet()) {
            newArrayList4.add(String.format("%s.%s.%s: %s%s", entry.getKey().getCtl(), entry.getKey().getDb(), entry.getKey().getTbl(), entry.getKey().getPrivilege(), entry.getValue()));
        }
        if (newArrayList4.isEmpty()) {
            newArrayList.add(FeConstants.null_string);
        } else {
            newArrayList.add(Joiner.on("; ").join(newArrayList4));
        }
        ArrayList newArrayList5 = Lists.newArrayList();
        Iterator<PrivEntry> it3 = getUserResourcePrivTable(userIdentity).entries.iterator();
        while (it3.hasNext()) {
            ResourcePrivEntry resourcePrivEntry = (ResourcePrivEntry) it3.next();
            newArrayList5.add(resourcePrivEntry.getOrigResource() + ": " + resourcePrivEntry.getPrivSet().copy().toString());
        }
        if (newArrayList5.isEmpty()) {
            newArrayList.add(FeConstants.null_string);
        } else {
            newArrayList.add(Joiner.on("; ").join(newArrayList5));
        }
        ArrayList newArrayList6 = Lists.newArrayList();
        Iterator<PrivEntry> it4 = getUserWorkloadGroupPrivTable(userIdentity).entries.iterator();
        while (it4.hasNext()) {
            WorkloadGroupPrivEntry workloadGroupPrivEntry = (WorkloadGroupPrivEntry) it4.next();
            newArrayList6.add(workloadGroupPrivEntry.getOrigWorkloadGroupName() + ": " + workloadGroupPrivEntry.getPrivSet().copy());
        }
        if (newArrayList6.isEmpty()) {
            newArrayList.add(FeConstants.null_string);
        } else {
            newArrayList.add(Joiner.on("; ").join(newArrayList6));
        }
        list.add(newArrayList);
    }

    private GlobalPrivTable getUserGlobalPrivTable(UserIdentity userIdentity) {
        GlobalPrivTable globalPrivTable = new GlobalPrivTable();
        Iterator<Role> it = getRolesByUserWithLdap(userIdentity).iterator();
        while (it.hasNext()) {
            globalPrivTable.merge(it.next().getGlobalPrivTable());
        }
        return globalPrivTable;
    }

    private CatalogPrivTable getUserCtlPrivTable(UserIdentity userIdentity) {
        CatalogPrivTable catalogPrivTable = new CatalogPrivTable();
        Iterator<Role> it = getRolesByUserWithLdap(userIdentity).iterator();
        while (it.hasNext()) {
            catalogPrivTable.merge(it.next().getCatalogPrivTable());
        }
        return catalogPrivTable;
    }

    private DbPrivTable getUserDbPrivTable(UserIdentity userIdentity) {
        DbPrivTable dbPrivTable = new DbPrivTable();
        Iterator<Role> it = getRolesByUserWithLdap(userIdentity).iterator();
        while (it.hasNext()) {
            dbPrivTable.merge(it.next().getDbPrivTable());
        }
        return dbPrivTable;
    }

    private TablePrivTable getUserTblPrivTable(UserIdentity userIdentity) {
        TablePrivTable tablePrivTable = new TablePrivTable();
        Iterator<Role> it = getRolesByUserWithLdap(userIdentity).iterator();
        while (it.hasNext()) {
            tablePrivTable.merge(it.next().getTablePrivTable());
        }
        return tablePrivTable;
    }

    private Map<ColPrivilegeKey, Set<String>> getUserColPrivMap(UserIdentity userIdentity) {
        HashMap newHashMap = Maps.newHashMap();
        Iterator<Role> it = getRolesByUserWithLdap(userIdentity).iterator();
        while (it.hasNext()) {
            Role.mergeColPrivMap(newHashMap, it.next().getColPrivMap());
        }
        return newHashMap;
    }

    private ResourcePrivTable getUserResourcePrivTable(UserIdentity userIdentity) {
        ResourcePrivTable resourcePrivTable = new ResourcePrivTable();
        Iterator<Role> it = getRolesByUserWithLdap(userIdentity).iterator();
        while (it.hasNext()) {
            resourcePrivTable.merge(it.next().getResourcePrivTable());
        }
        return resourcePrivTable;
    }

    private WorkloadGroupPrivTable getUserWorkloadGroupPrivTable(UserIdentity userIdentity) {
        WorkloadGroupPrivTable workloadGroupPrivTable = new WorkloadGroupPrivTable();
        Iterator<Role> it = getRolesByUserWithLdap(userIdentity).iterator();
        while (it.hasNext()) {
            workloadGroupPrivTable.merge(it.next().getWorkloadGroupPrivTable());
        }
        return workloadGroupPrivTable;
    }

    public List<List<String>> getUserProperties(String str) {
        readLock();
        try {
            try {
                List<List<String>> fetchUserProperty = this.propertyMgr.fetchUserProperty(str);
                readUnlock();
                return fetchUserProperty;
            } catch (AnalysisException e) {
                ArrayList newArrayList = Lists.newArrayList();
                readUnlock();
                return newArrayList;
            }
        } catch (Throwable th) {
            readUnlock();
            throw th;
        }
    }

    public void dropUserOfCluster(String str, boolean z) throws DdlException {
        writeLock();
        try {
            Iterator<List<User>> it = this.userManager.getNameToUsers().values().iterator();
            while (it.hasNext()) {
                for (User user : it.next()) {
                    if (user.getUserIdentity().getQualifiedUser().startsWith(str)) {
                        dropUserInternal(user.getUserIdentity(), false, z);
                    }
                }
            }
        } finally {
            writeUnlock();
        }
    }

    public Pair<String, DppConfig> getLoadClusterInfo(String str, String str2) throws DdlException {
        readLock();
        try {
            Pair<String, DppConfig> loadClusterInfo = this.propertyMgr.getLoadClusterInfo(str, str2);
            readUnlock();
            return loadClusterInfo;
        } catch (Throwable th) {
            readUnlock();
            throw th;
        }
    }

    public boolean checkCanEnterCluster(ConnectContext connectContext, String str) {
        readLock();
        try {
            Iterator<String> it = this.userRoleManager.getRolesByUser(connectContext.getCurrentUserIdentity()).iterator();
            while (it.hasNext()) {
                if (this.roleManager.getRole(it.next()).checkCanEnterCluster(str)) {
                    return true;
                }
            }
            readUnlock();
            return false;
        } finally {
            readUnlock();
        }
    }

    private void initUser() {
        try {
            UserIdentity userIdentity = new UserIdentity("root", UserManager.ANY_HOST);
            userIdentity.setIsAnalyzed();
            createUserInternal(userIdentity, Role.OPERATOR_ROLE, new byte[0], false, PasswordOptions.UNSET_OPTION, true);
            UserIdentity userIdentity2 = new UserIdentity(ADMIN_USER, UserManager.ANY_HOST);
            userIdentity2.setIsAnalyzed();
            createUserInternal(userIdentity2, Role.ADMIN_ROLE, new byte[0], false, PasswordOptions.UNSET_OPTION, true);
        } catch (DdlException e) {
            LOG.error("should not happened", e);
        }
    }

    public List<List<String>> getRoleInfo() {
        readLock();
        try {
            ArrayList newArrayList = Lists.newArrayList();
            this.roleManager.getRoleInfo(newArrayList);
            return newArrayList;
        } finally {
            readUnlock();
        }
    }

    public void getTablePrivStatus(List<TPrivilegeStatus> list, UserIdentity userIdentity) {
        readLock();
        try {
            Iterator<List<User>> it = this.userManager.getNameToUsers().values().iterator();
            while (it.hasNext()) {
                for (User user : it.next()) {
                    if (!user.isSetByDomainResolver()) {
                        TablePrivTable userTblPrivTable = getUserTblPrivTable(user.getUserIdentity());
                        if (!userTblPrivTable.isEmpty()) {
                            Iterator<PrivEntry> it2 = userTblPrivTable.getEntries().iterator();
                            while (it2.hasNext()) {
                                TablePrivEntry tablePrivEntry = (TablePrivEntry) it2.next();
                                String nameFromFullName = ClusterNamespace.getNameFromFullName(tablePrivEntry.getOrigDb());
                                String origTbl = tablePrivEntry.getOrigTbl();
                                if (!InfoSchemaDb.DATABASE_NAME.equals(nameFromFullName) && checkTblPriv(userIdentity, "internal", tablePrivEntry.getOrigDb(), origTbl, PrivPredicate.SHOW)) {
                                    String concat = new String("'").concat(ClusterNamespace.getNameFromFullName(user.getUserIdentity().getQualifiedUser())).concat("'@'").concat(user.getUserIdentity().getHost()).concat("'");
                                    String str = tablePrivEntry.getPrivSet().get(2) ? "YES" : "NO";
                                    for (Privilege privilege : tablePrivEntry.getPrivSet().toPrivilegeList()) {
                                        if (Privilege.privInDorisToMysql.containsKey(privilege)) {
                                            TPrivilegeStatus tPrivilegeStatus = new TPrivilegeStatus();
                                            tPrivilegeStatus.setTableName(origTbl);
                                            tPrivilegeStatus.setPrivilegeType(Privilege.privInDorisToMysql.get(privilege));
                                            tPrivilegeStatus.setGrantee(concat);
                                            tPrivilegeStatus.setSchema(nameFromFullName);
                                            tPrivilegeStatus.setIsGrantable(str);
                                            list.add(tPrivilegeStatus);
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        } finally {
            readUnlock();
        }
    }

    public void getSchemaPrivStatus(List<TPrivilegeStatus> list, UserIdentity userIdentity) {
        readLock();
        try {
            Iterator<List<User>> it = this.userManager.getNameToUsers().values().iterator();
            while (it.hasNext()) {
                for (User user : it.next()) {
                    if (!user.isSetByDomainResolver()) {
                        DbPrivTable userDbPrivTable = getUserDbPrivTable(user.getUserIdentity());
                        if (!userDbPrivTable.isEmpty()) {
                            Iterator<PrivEntry> it2 = userDbPrivTable.getEntries().iterator();
                            while (it2.hasNext()) {
                                DbPrivEntry dbPrivEntry = (DbPrivEntry) it2.next();
                                String origDb = dbPrivEntry.getOrigDb();
                                String nameFromFullName = ClusterNamespace.getNameFromFullName(dbPrivEntry.getOrigDb());
                                if (!InfoSchemaDb.DATABASE_NAME.equals(nameFromFullName) && checkDbPriv(userIdentity, "internal", origDb, PrivPredicate.SHOW)) {
                                    String concat = new String("'").concat(ClusterNamespace.getNameFromFullName(user.getUserIdentity().getQualifiedUser())).concat("'@'").concat(user.getUserIdentity().getHost()).concat("'");
                                    String str = dbPrivEntry.getPrivSet().get(2) ? "YES" : "NO";
                                    for (Privilege privilege : dbPrivEntry.getPrivSet().toPrivilegeList()) {
                                        if (Privilege.privInDorisToMysql.containsKey(privilege)) {
                                            TPrivilegeStatus tPrivilegeStatus = new TPrivilegeStatus();
                                            tPrivilegeStatus.setPrivilegeType(Privilege.privInDorisToMysql.get(privilege));
                                            tPrivilegeStatus.setGrantee(concat);
                                            tPrivilegeStatus.setSchema(nameFromFullName);
                                            tPrivilegeStatus.setIsGrantable(str);
                                            list.add(tPrivilegeStatus);
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }
        } finally {
            readUnlock();
        }
    }

    public void getGlobalPrivStatus(List<TPrivilegeStatus> list, UserIdentity userIdentity) {
        readLock();
        try {
            if (checkGlobalPriv(userIdentity, PrivPredicate.SHOW)) {
                Iterator<List<User>> it = this.userManager.getNameToUsers().values().iterator();
                while (it.hasNext()) {
                    for (User user : it.next()) {
                        if (!user.isSetByDomainResolver()) {
                            GlobalPrivTable userGlobalPrivTable = getUserGlobalPrivTable(user.getUserIdentity());
                            if (!userGlobalPrivTable.isEmpty()) {
                                PrivEntry privEntry = userGlobalPrivTable.entries.get(0);
                                if (!privEntry.getPrivSet().isEmpty()) {
                                    String concat = new String("'").concat(ClusterNamespace.getNameFromFullName(user.getUserIdentity().getQualifiedUser())).concat("'@'").concat(user.getUserIdentity().getHost()).concat("'");
                                    String str = privEntry.getPrivSet().get(2) ? "YES" : "NO";
                                    Iterator<Privilege> it2 = privEntry.getPrivSet().toPrivilegeList().iterator();
                                    while (true) {
                                        if (!it2.hasNext()) {
                                            break;
                                        }
                                        Privilege next = it2.next();
                                        if (next == Privilege.ADMIN_PRIV) {
                                            for (String str2 : Privilege.privInDorisToMysql.values()) {
                                                TPrivilegeStatus tPrivilegeStatus = new TPrivilegeStatus();
                                                tPrivilegeStatus.setPrivilegeType(str2);
                                                tPrivilegeStatus.setGrantee(concat);
                                                tPrivilegeStatus.setIsGrantable("YES");
                                                list.add(tPrivilegeStatus);
                                            }
                                        } else if (Privilege.privInDorisToMysql.containsKey(next)) {
                                            TPrivilegeStatus tPrivilegeStatus2 = new TPrivilegeStatus();
                                            tPrivilegeStatus2.setPrivilegeType(Privilege.privInDorisToMysql.get(next));
                                            tPrivilegeStatus2.setGrantee(concat);
                                            tPrivilegeStatus2.setIsGrantable(str);
                                            list.add(tPrivilegeStatus2);
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
                readUnlock();
            }
        } finally {
            readUnlock();
        }
    }

    public List<List<String>> getPasswdPolicyInfo(UserIdentity userIdentity) {
        return this.passwdPolicyManager.getPolicyInfo(userIdentity);
    }

    public void alterUser(AlterUserStmt alterUserStmt) throws DdlException {
        alterUserInternal(alterUserStmt.isIfExist(), alterUserStmt.getOpType(), alterUserStmt.getUserIdent(), alterUserStmt.getPassword(), alterUserStmt.getRole(), alterUserStmt.getPasswordOptions(), false);
    }

    public void replayAlterUser(AlterUserOperationLog alterUserOperationLog) {
        try {
            alterUserInternal(true, alterUserOperationLog.getOp(), alterUserOperationLog.getUserIdent(), alterUserOperationLog.getPassword(), alterUserOperationLog.getRole(), alterUserOperationLog.getPasswordOptions(), true);
        } catch (DdlException e) {
            LOG.error("should not happen", e);
        }
    }

    private void alterUserInternal(boolean z, AlterUserStmt.OpType opType, UserIdentity userIdentity, byte[] bArr, String str, PasswordOptions passwordOptions, boolean z2) throws DdlException {
        writeLock();
        try {
            if (!doesUserExist(userIdentity)) {
                if (!z) {
                    throw new DdlException("User " + userIdentity + " does not exist");
                }
                return;
            }
            switch (opType) {
                case SET_PASSWORD:
                    setPasswordInternal(userIdentity, bArr, null, false, false, z2);
                    break;
                case SET_ROLE:
                    setRoleToUser(userIdentity, str);
                    break;
                case SET_PASSWORD_POLICY:
                    this.passwdPolicyManager.updatePolicy(userIdentity, null, passwordOptions);
                    break;
                case UNLOCK_ACCOUNT:
                    this.passwdPolicyManager.unlockUser(userIdentity);
                    break;
                default:
                    throw new DdlException("Unknown alter user operation type: " + opType.name());
            }
            if (opType != AlterUserStmt.OpType.SET_PASSWORD && !z2) {
                Env.getCurrentEnv().getEditLog().logAlterUser(new AlterUserOperationLog(opType, userIdentity, bArr, str, passwordOptions));
            }
            writeUnlock();
        } finally {
            writeUnlock();
        }
    }

    private void setRoleToUser(UserIdentity userIdentity, String str) throws DdlException {
        if (this.roleManager.getRole(str) == null) {
            throw new DdlException("Role " + str + " does not exist");
        }
        this.userRoleManager.dropUser(userIdentity);
        this.userRoleManager.addUserRole(userIdentity, str);
        this.userRoleManager.addUserRole(userIdentity, this.roleManager.getUserDefaultRoleName(userIdentity));
    }

    public Set<String> getAllUser() {
        return this.userManager.getNameToUsers().keySet();
    }

    public void rectifyPrivs() {
        this.roleManager.rectifyPrivs();
    }

    public void write(DataOutput dataOutput) throws IOException {
        this.roleManager.write(dataOutput);
        this.userManager.write(dataOutput);
        this.userRoleManager.write(dataOutput);
        this.propertyMgr.write(dataOutput);
        this.ldapInfo.write(dataOutput);
        this.passwdPolicyManager.write(dataOutput);
    }

    public void readFields(DataInput dataInput) throws IOException {
        CatalogPrivTable degradeToInternalCatalogPriv;
        this.roleManager = RoleManager.read(dataInput);
        if (Env.getCurrentEnvJournalVersion() >= 116) {
            this.userManager = UserManager.read(dataInput);
            this.userRoleManager = UserRoleManager.read(dataInput);
            this.propertyMgr = UserPropertyMgr.read(dataInput);
        } else {
            this.userManager = new UserManager();
            this.userRoleManager = new UserRoleManager();
            UserPrivTable userPrivTable = (UserPrivTable) PrivTable.read(dataInput);
            if (Env.getCurrentEnvJournalVersion() >= 111) {
                degradeToInternalCatalogPriv = (CatalogPrivTable) PrivTable.read(dataInput);
            } else {
                degradeToInternalCatalogPriv = userPrivTable.degradeToInternalCatalogPriv();
                LOG.info("Load auth from meta version < {}, degrade UserPrivTable to CatalogPrivTable", 111);
            }
            DbPrivTable dbPrivTable = (DbPrivTable) PrivTable.read(dataInput);
            TablePrivTable tablePrivTable = (TablePrivTable) PrivTable.read(dataInput);
            ResourcePrivTable resourcePrivTable = (ResourcePrivTable) PrivTable.read(dataInput);
            this.propertyMgr = UserPropertyMgr.read(dataInput);
            try {
                upgradeToVersion116(userPrivTable, degradeToInternalCatalogPriv, dbPrivTable, tablePrivTable, resourcePrivTable);
            } catch (Exception e) {
                LOG.warn("upgrade failed,", e);
            }
        }
        if (Env.getCurrentEnvJournalVersion() >= 106) {
            this.ldapInfo = LdapInfo.read(dataInput);
        }
        if (this.userManager.getNameToUsers().isEmpty()) {
            initUser();
        }
        if (Env.getCurrentEnvJournalVersion() >= 113) {
            this.passwdPolicyManager = PasswordPolicyManager.read(dataInput);
        } else {
            this.passwdPolicyManager = new PasswordPolicyManager();
        }
    }

    private void upgradeToVersion116(UserPrivTable userPrivTable, CatalogPrivTable catalogPrivTable, DbPrivTable dbPrivTable, TablePrivTable tablePrivTable, ResourcePrivTable resourcePrivTable) throws AnalysisException, DdlException, PatternMatcherException {
        initUser();
        for (Map.Entry<String, UserProperty> entry : this.propertyMgr.propertyMap.entrySet()) {
            for (Map.Entry<String, byte[]> entry2 : entry.getValue().getWhiteList().getPasswordMap().entrySet()) {
                User createUser = this.userManager.createUser(UserIdentity.createAnalyzedUserIdentWithDomain(entry.getKey(), entry2.getKey()), entry2.getValue(), null, false);
                this.userRoleManager.addUserRole(createUser.getUserIdentity(), this.roleManager.createDefaultRole(createUser.getUserIdentity()).getRoleName());
            }
        }
        Iterator<PrivEntry> it = userPrivTable.getEntries().iterator();
        while (it.hasNext()) {
            GlobalPrivEntry globalPrivEntry = (GlobalPrivEntry) it.next();
            User createUser2 = this.userManager.createUser(globalPrivEntry.userIdentity, globalPrivEntry.password, globalPrivEntry.domainUserIdent, globalPrivEntry.isSetByDomainResolver);
            this.userRoleManager.addUserRole(createUser2.getUserIdentity(), this.roleManager.createDefaultRole(createUser2.getUserIdentity()).getRoleName());
            if (!globalPrivEntry.privSet.isEmpty()) {
                if (globalPrivEntry.privSet.containsResourcePriv()) {
                    this.roleManager.addOrMergeRole(new Role(this.roleManager.getUserDefaultRoleName(createUser2.getUserIdentity()), ResourcePattern.ALL, PrivBitSet.of(Privilege.USAGE_PRIV)), false);
                }
                PrivBitSet copy = globalPrivEntry.privSet.copy();
                copy.unset(Privilege.USAGE_PRIV.getIdx());
                if (!copy.isEmpty()) {
                    this.roleManager.addOrMergeRole(new Role(this.roleManager.getUserDefaultRoleName(createUser2.getUserIdentity()), TablePattern.ALL, copy), false);
                }
            }
        }
        for (Role role : this.roleManager.getRoles().values()) {
            Iterator<UserIdentity> it2 = role.getUsers().iterator();
            while (it2.hasNext()) {
                this.userRoleManager.addUserRole(it2.next(), role.getRoleName());
            }
        }
        Iterator<PrivEntry> it3 = catalogPrivTable.getEntries().iterator();
        while (it3.hasNext()) {
            CatalogPrivEntry catalogPrivEntry = (CatalogPrivEntry) it3.next();
            TablePattern tablePattern = new TablePattern(ClusterNamespace.getNameFromFullName(catalogPrivEntry.origCtl), "*", "*");
            String clusterNameFromFullName = ClusterNamespace.getClusterNameFromFullName(catalogPrivEntry.origCtl);
            tablePattern.analyze(clusterNameFromFullName == null ? "default_cluster" : clusterNameFromFullName);
            this.roleManager.addOrMergeRole(new Role(this.roleManager.getUserDefaultRoleName(catalogPrivEntry.userIdentity), tablePattern, catalogPrivEntry.privSet), false);
        }
        Iterator<PrivEntry> it4 = dbPrivTable.getEntries().iterator();
        while (it4.hasNext()) {
            DbPrivEntry dbPrivEntry = (DbPrivEntry) it4.next();
            TablePattern tablePattern2 = new TablePattern(ClusterNamespace.getNameFromFullName(dbPrivEntry.origCtl), ClusterNamespace.getNameFromFullName(dbPrivEntry.origDb), "*");
            String clusterNameFromFullName2 = ClusterNamespace.getClusterNameFromFullName(dbPrivEntry.origCtl);
            tablePattern2.analyze(clusterNameFromFullName2 == null ? "default_cluster" : clusterNameFromFullName2);
            this.roleManager.addOrMergeRole(new Role(this.roleManager.getUserDefaultRoleName(dbPrivEntry.userIdentity), tablePattern2, dbPrivEntry.privSet), false);
        }
        Iterator<PrivEntry> it5 = tablePrivTable.getEntries().iterator();
        while (it5.hasNext()) {
            TablePrivEntry tablePrivEntry = (TablePrivEntry) it5.next();
            TablePattern tablePattern3 = new TablePattern(ClusterNamespace.getNameFromFullName(tablePrivEntry.origCtl), ClusterNamespace.getNameFromFullName(tablePrivEntry.origDb), ClusterNamespace.getNameFromFullName(tablePrivEntry.getOrigTbl()));
            String clusterNameFromFullName3 = ClusterNamespace.getClusterNameFromFullName(tablePrivEntry.origCtl);
            tablePattern3.analyze(clusterNameFromFullName3 == null ? "default_cluster" : clusterNameFromFullName3);
            this.roleManager.addOrMergeRole(new Role(this.roleManager.getUserDefaultRoleName(tablePrivEntry.userIdentity), tablePattern3, tablePrivEntry.privSet), false);
        }
        Iterator<PrivEntry> it6 = resourcePrivTable.getEntries().iterator();
        while (it6.hasNext()) {
            ResourcePrivEntry resourcePrivEntry = (ResourcePrivEntry) it6.next();
            ResourcePattern resourcePattern = new ResourcePattern(ClusterNamespace.getNameFromFullName(resourcePrivEntry.origResource));
            resourcePattern.analyze();
            this.roleManager.addOrMergeRole(new Role(this.roleManager.getUserDefaultRoleName(resourcePrivEntry.userIdentity), resourcePattern, resourcePrivEntry.privSet), false);
        }
    }

    public String toString() {
        StringBuilder sb = new StringBuilder();
        sb.append(this.userManager).append("\n");
        sb.append(this.userRoleManager).append("\n");
        sb.append(this.roleManager).append("\n");
        sb.append(this.propertyMgr).append("\n");
        sb.append(this.ldapInfo).append("\n");
        return sb.toString();
    }
}
