package org.apache.doris.catalog.authorizer;

import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ScheduledThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import org.apache.doris.analysis.SetUserPropertyVar;
import org.apache.doris.analysis.UserIdentity;
import org.apache.doris.catalog.Env;
import org.apache.doris.cluster.ClusterNamespace;
import org.apache.doris.common.AuthorizationException;
import org.apache.doris.common.ThreadPoolManager;
import org.apache.doris.common.util.S3URI;
import org.apache.doris.mysql.privilege.CatalogAccessController;
import org.apache.doris.mysql.privilege.PrivPredicate;
import org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.ranger.plugin.policyengine.RangerAccessRequest;
import org.apache.ranger.plugin.policyengine.RangerAccessRequestImpl;
import org.apache.ranger.plugin.policyengine.RangerAccessResult;

/* loaded from: input_file:org/apache/doris/catalog/authorizer/RangerHiveAccessController.class */
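/**
 * {@link CatalogAccessController} that delegates database/table/column privilege checks for an
 * external Hive catalog to Apache Ranger.
 *
 * <p>Every check builds a {@link RangerAccessRequestImpl} carrying the Doris user, its roles, the
 * client host and the requested access type, and asks the {@link RangerHivePlugin} to evaluate it.
 * Audit events are buffered by a {@link RangerHiveAuditHandler} and flushed periodically by a shared
 * daemon timer.
 *
 * <p>All decisions fail closed: a missing evaluation result (typically an uninitialized policy
 * engine) is treated as a denial rather than propagated as a {@link NullPointerException}.
 *
 * <p>Thread-safety: the instance fields are assigned once in the constructor and never mutated;
 * concurrent use of the check methods is limited only by what the Ranger plugin itself permits.
 */
public class RangerHiveAccessController implements CatalogAccessController {
    public static final String CLIENT_TYPE_DORIS = "doris";
    private static final Logger LOG = LogManager.getLogger(RangerHiveAccessController.class);
    /** Property key in the catalog configuration naming the Ranger service to load policies from. */
    private static final String RANGER_SERVICE_NAME_KEY = "ranger.service.name";
    /** Ranger's wildcard access type: the user needs some privilege on the object, not a specific one. */
    private static final String ACCESS_TYPE_ANY = "_any";
    private static final long AUDIT_FLUSH_INITIAL_DELAY_SECONDS = 10L;
    private static final long AUDIT_FLUSH_PERIOD_SECONDS = 20L;
    /** Shared by all controller instances; each instance schedules its own flusher on it. */
    private static final ScheduledThreadPoolExecutor logFlushTimer = ThreadPoolManager.newDaemonScheduledThreadPool(
            1, "ranger-hive-audit-log-flusher-timer", true);
    private final RangerHivePlugin hivePlugin;
    private final RangerHiveAuditHandler auditHandler;

    /**
     * Creates a controller bound to the Ranger service named by {@code ranger.service.name} in
     * {@code properties} and starts the periodic audit-log flush for this instance.
     *
     * @param properties catalog properties; must contain {@code ranger.service.name}
     */
    public RangerHiveAccessController(Map<String, String> properties) {
        this.hivePlugin = new RangerHivePlugin(properties.get(RANGER_SERVICE_NAME_KEY));
        this.auditHandler = new RangerHiveAuditHandler(this.hivePlugin.getConfig());
        logFlushTimer.scheduleAtFixedRate(new RangerHiveAuditLogFlusher(this.auditHandler),
                AUDIT_FLUSH_INITIAL_DELAY_SECONDS, AUDIT_FLUSH_PERIOD_SECONDS, TimeUnit.SECONDS);
    }

    /**
     * Builds a Ranger access request for {@code user} performing {@code accessType}.
     * The resource is left unset; callers attach it before evaluation.
     *
     * @param user       the Doris user; its cluster prefix is stripped before being sent to Ranger
     * @param accessType the Hive access type being requested
     * @return a request with user, roles, action, access type, client host and timestamp populated
     */
    private RangerAccessRequestImpl createRequest(UserIdentity user, HiveAccessType accessType) {
        RangerAccessRequestImpl request = new RangerAccessRequestImpl();
        request.setUser(ClusterNamespace.getNameFromFullName(user.getQualifiedUser()));
        Set<String> roles = Env.getCurrentEnv().getAuth().getRolesByUser(user, false).stream()
                .map(ClusterNamespace::getNameFromFullName)
                .collect(Collectors.toSet());
        request.setUserRoles(roles);
        request.setAction(accessType.name());
        // USE (SHOW) only requires that the user holds *some* privilege on the object.
        // Locale.ROOT keeps the access-type key stable regardless of the JVM default locale
        // (e.g. "I" would otherwise lower-case to a dotless i under a Turkish locale).
        request.setAccessType(accessType == HiveAccessType.USE
                ? ACCESS_TYPE_ANY
                : accessType.name().toLowerCase(Locale.ROOT));
        request.setClientIPAddress(user.getHost());
        request.setClusterType(CLIENT_TYPE_DORIS);
        request.setClientType(CLIENT_TYPE_DORIS);
        request.setAccessTime(new Date());
        return request;
    }

    /**
     * Evaluates {@code accessType} for {@code user} on every resource in {@code resources} in one
     * batch and throws on the first denial.
     *
     * @param user       the requesting user
     * @param accessType the Hive access type being requested
     * @param resources  the resources to check; an empty list yields no requests and no denial
     * @throws AuthorizationException if any resource is denied, or if the plugin returns no result
     *                                (the check fails closed)
     */
    private void checkPrivileges(UserIdentity user, HiveAccessType accessType, List<RangerHiveResource> resources)
            throws AuthorizationException {
        List<RangerAccessRequest> requests = new ArrayList<>(resources.size());
        for (RangerHiveResource resource : resources) {
            RangerAccessRequestImpl request = createRequest(user, accessType);
            request.setResource(resource);
            requests.add(request);
        }
        Iterable<RangerAccessResult> results = this.hivePlugin.isAccessAllowed(requests, this.auditHandler);
        if (results == null) {
            // Same condition checkPrivilege() guards against; without this the loop below would NPE.
            LOG.warn("Error getting authorizer result, please check your ranger config. "
                    + "Make sure ranger policy engine is initialized. Requests: {}", requests);
            throw new AuthorizationException(String.format(
                    "Permission denied: no authorization result for user [%s] for [%s] command",
                    ClusterNamespace.getNameFromFullName(user.getQualifiedUser()), accessType.name()));
        }
        for (RangerAccessResult result : results) {
            if (result == null) {
                throw new AuthorizationException(String.format(
                        "Permission denied: no authorization result for user [%s] for [%s] command",
                        ClusterNamespace.getNameFromFullName(user.getQualifiedUser()), accessType.name()));
            }
            LOG.debug("request {} match policy {}", result.getAccessRequest(), result.getPolicyId());
            if (!result.getIsAllowed()) {
                LOG.debug(result.getReason());
                throw new AuthorizationException(String.format(
                        "Permission denied: user [%s] does not have privilege for [%s] command on [%s]",
                        result.getAccessRequest().getUser(), accessType.name(),
                        result.getAccessRequest().getResource().getAsString()
                                .replaceAll(S3URI.PATH_DELIM, SetUserPropertyVar.DOT_SEPARATOR)));
            }
        }
    }

    /**
     * Evaluates {@code accessType} for {@code user} on a single resource.
     *
     * @return {@code true} only if Ranger explicitly allowed the request; {@code false} on denial
     *         or when the plugin returns no result (fails closed)
     */
    private boolean checkPrivilege(UserIdentity user, HiveAccessType accessType, RangerHiveResource resource) {
        RangerAccessRequest request = createRequest(user, accessType);
        request.setResource(resource);
        RangerAccessResult result = this.hivePlugin.isAccessAllowed(request, this.auditHandler);
        if (result == null) {
            LOG.warn("Error getting authorizer result, please check your ranger config. "
                    + "Make sure ranger policy engine is initialized. Request: {}", request);
            return false;
        }
        if (result.getIsAllowed()) {
            LOG.debug("request {} match policy {}", request, result.getPolicyId());
            return true;
        }
        LOG.debug("Permission denied: user [{}] does not have privilege for [{}] command on [{}]",
                result.getAccessRequest().getUser(), accessType.name(),
                result.getAccessRequest().getResource().getAsString());
        return false;
    }

    /**
     * Returns the row-filter expression Ranger attaches to {@code resource} for {@code user}.
     *
     * @return the filter expression, or {@code null} when Ranger attaches none
     * @throws HiveAccessControlException if the plugin returns no result, so a missing policy
     *                                    engine can never be mistaken for "no filter"
     */
    public String getFilterExpr(UserIdentity user, HiveAccessType accessType, RangerHiveResource resource)
            throws HiveAccessControlException {
        RangerAccessRequest request = createRequest(user, accessType);
        request.setResource(resource);
        RangerAccessResult result = this.hivePlugin.isAccessAllowed(request, this.auditHandler);
        if (result == null) {
            LOG.warn("Error getting authorizer result, please check your ranger config. "
                    + "Make sure ranger policy engine is initialized. Request: {}", request);
            throw new HiveAccessControlException("No authorization result for request " + request);
        }
        return result.getFilterExpr();
    }

    /**
     * Evaluates the column-mask policy for {@code resource} and logs the outcome at debug level.
     * The mask is currently only logged, not applied or returned.
     */
    public void getColumnMask(UserIdentity user, HiveAccessType accessType, RangerHiveResource resource) {
        RangerAccessRequest request = createRequest(user, accessType);
        request.setResource(resource);
        RangerAccessResult result = this.hivePlugin.isAccessAllowed(request, this.auditHandler);
        if (result == null) {
            LOG.warn("Error getting authorizer result, please check your ranger config. "
                    + "Make sure ranger policy engine is initialized. Request: {}", request);
            return;
        }
        LOG.debug("maskType: {}, maskTypeDef: {}, maskedValue: {}",
                result.getMaskType(), result.getMaskTypeDef(), result.getMaskedValue());
    }

    /**
     * Maps a Doris privilege predicate to the Hive access type used in Ranger policies.
     * Predicates without a mapping yield {@link HiveAccessType#NONE}.
     */
    public HiveAccessType convertToAccessType(PrivPredicate privPredicate) {
        if (privPredicate == PrivPredicate.SHOW) {
            return HiveAccessType.USE;
        }
        if (privPredicate == PrivPredicate.SELECT) {
            return HiveAccessType.SELECT;
        }
        if (privPredicate == PrivPredicate.ADMIN || privPredicate == PrivPredicate.ALL) {
            return HiveAccessType.ALL;
        }
        if (privPredicate == PrivPredicate.LOAD) {
            return HiveAccessType.UPDATE;
        }
        if (privPredicate == PrivPredicate.ALTER) {
            return HiveAccessType.ALTER;
        }
        if (privPredicate == PrivPredicate.CREATE) {
            return HiveAccessType.CREATE;
        }
        if (privPredicate == PrivPredicate.DROP) {
            return HiveAccessType.DROP;
        }
        return HiveAccessType.NONE;
    }

    /**
     * Catalog-level privileges are not enforced by this controller: every request is granted here
     * and enforcement happens at database, table and column granularity.
     */
    @Override // org.apache.doris.mysql.privilege.CatalogAccessController
    public boolean checkCtlPriv(UserIdentity user, String ctl, PrivPredicate wanted) {
        return true;
    }

    /** Checks {@code wanted} on database {@code db} (cluster prefix stripped) via Ranger. */
    @Override // org.apache.doris.mysql.privilege.CatalogAccessController
    public boolean checkDbPriv(UserIdentity user, String ctl, String db, PrivPredicate wanted) {
        return checkPrivilege(user, convertToAccessType(wanted),
                new RangerHiveResource(HiveObjectType.DATABASE, ClusterNamespace.getNameFromFullName(db)));
    }

    /** Checks {@code wanted} on table {@code db.tbl} (cluster prefix stripped from {@code db}) via Ranger. */
    @Override // org.apache.doris.mysql.privilege.CatalogAccessController
    public boolean checkTblPriv(UserIdentity user, String ctl, String db, String tbl, PrivPredicate wanted) {
        return checkPrivilege(user, convertToAccessType(wanted),
                new RangerHiveResource(HiveObjectType.TABLE, ClusterNamespace.getNameFromFullName(db), tbl));
    }

    /**
     * Checks {@code wanted} on every column in {@code cols} of {@code db.tbl} in one batch.
     *
     * @throws AuthorizationException on the first column that is denied, or if Ranger returns no result
     */
    @Override // org.apache.doris.mysql.privilege.CatalogAccessController
    public void checkColsPriv(UserIdentity user, String ctl, String db, String tbl, Set<String> cols,
            PrivPredicate wanted) throws AuthorizationException {
        String dbName = ClusterNamespace.getNameFromFullName(db);
        List<RangerHiveResource> resources = cols.stream()
                .map(col -> new RangerHiveResource(HiveObjectType.COLUMN, dbName, tbl, col))
                .collect(Collectors.toList());
        checkPrivileges(user, convertToAccessType(wanted), resources);
    }
}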
