package org.apache.gobblin.yarn;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Optional;
import com.google.common.base.Strings;
import com.google.common.base.Throwables;
import com.google.common.util.concurrent.AbstractIdleService;
import com.typesafe.config.Config;
import java.io.File;
import java.io.IOException;
import java.util.UUID;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import org.apache.gobblin.cluster.GobblinHelixMessagingService;
import org.apache.gobblin.util.ExecutorsUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.helix.Criteria;
import org.apache.helix.HelixManager;
import org.apache.helix.InstanceType;
import org.apache.helix.model.Message;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/gobblin/yarn/YarnAppSecurityManager.class */
public class YarnAppSecurityManager extends AbstractIdleService {
    private static final Logger LOGGER = LoggerFactory.getLogger(YarnAppSecurityManager.class);
    private final Config config;
    private final HelixManager helixManager;
    private final FileSystem fs;
    private final Path tokenFilePath;
    private UserGroupInformation loginUser;
    private Token<? extends TokenIdentifier> token;
    private final long loginIntervalInMinutes;
    private final long tokenRenewIntervalInMinutes;
    private final ScheduledExecutorService loginExecutor;
    private final ScheduledExecutorService tokenRenewExecutor;
    private Optional<ScheduledFuture<?>> scheduledTokenRenewTask = Optional.absent();
    private volatile boolean firstLogin = true;

    public YarnAppSecurityManager(Config config, HelixManager helixManager, FileSystem fileSystem, Path path) throws IOException {
        this.config = config;
        this.helixManager = helixManager;
        this.fs = fileSystem;
        this.tokenFilePath = path;
        this.fs.makeQualified(path);
        this.loginUser = UserGroupInformation.getLoginUser();
        this.loginIntervalInMinutes = config.getLong(GobblinYarnConfigurationKeys.LOGIN_INTERVAL_IN_MINUTES);
        this.tokenRenewIntervalInMinutes = config.getLong(GobblinYarnConfigurationKeys.TOKEN_RENEW_INTERVAL_IN_MINUTES);
        this.loginExecutor = Executors.newSingleThreadScheduledExecutor(ExecutorsUtils.newThreadFactory(Optional.of(LOGGER), Optional.of("KeytabReLoginExecutor")));
        this.tokenRenewExecutor = Executors.newSingleThreadScheduledExecutor(ExecutorsUtils.newThreadFactory(Optional.of(LOGGER), Optional.of("TokenRenewExecutor")));
    }

    protected void startUp() throws Exception {
        LOGGER.info("Starting the " + YarnAppSecurityManager.class.getSimpleName());
        LOGGER.info(String.format("Scheduling the login task with an interval of %d minute(s)", Long.valueOf(this.loginIntervalInMinutes)));
        this.loginExecutor.scheduleAtFixedRate(new Runnable() { // from class: org.apache.gobblin.yarn.YarnAppSecurityManager.1
            @Override // java.lang.Runnable
            public void run() {
                try {
                    if (YarnAppSecurityManager.this.scheduledTokenRenewTask.isPresent() && ((ScheduledFuture) YarnAppSecurityManager.this.scheduledTokenRenewTask.get()).cancel(true)) {
                        YarnAppSecurityManager.LOGGER.info("Cancelled the token renew task");
                    }
                    YarnAppSecurityManager.this.loginFromKeytab();
                    if (YarnAppSecurityManager.this.firstLogin) {
                        YarnAppSecurityManager.this.firstLogin = false;
                    }
                    YarnAppSecurityManager.this.scheduleTokenRenewTask();
                } catch (IOException e) {
                    YarnAppSecurityManager.LOGGER.error("Failed to login from keytab", e);
                    throw Throwables.propagate(e);
                }
            }
        }, 0L, this.loginIntervalInMinutes, TimeUnit.MINUTES);
    }

    protected void shutDown() throws Exception {
        LOGGER.info("Stopping the " + YarnAppSecurityManager.class.getSimpleName());
        if (this.scheduledTokenRenewTask.isPresent()) {
            ((ScheduledFuture) this.scheduledTokenRenewTask.get()).cancel(true);
        }
        ExecutorsUtils.shutdownExecutorService(this.loginExecutor, Optional.of(LOGGER));
        ExecutorsUtils.shutdownExecutorService(this.tokenRenewExecutor, Optional.of(LOGGER));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void scheduleTokenRenewTask() {
        LOGGER.info(String.format("Scheduling the token renew task with an interval of %d minute(s)", Long.valueOf(this.tokenRenewIntervalInMinutes)));
        this.scheduledTokenRenewTask = Optional.of(this.tokenRenewExecutor.scheduleAtFixedRate(new Runnable() { // from class: org.apache.gobblin.yarn.YarnAppSecurityManager.2
            @Override // java.lang.Runnable
            public void run() {
                try {
                    YarnAppSecurityManager.this.renewDelegationToken();
                } catch (IOException e) {
                    YarnAppSecurityManager.LOGGER.error("Failed to renew delegation token", e);
                    throw Throwables.propagate(e);
                } catch (InterruptedException e2) {
                    YarnAppSecurityManager.LOGGER.error("Token renew task has been interrupted");
                    Thread.currentThread().interrupt();
                }
            }
        }, this.tokenRenewIntervalInMinutes, this.tokenRenewIntervalInMinutes, TimeUnit.MINUTES));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public synchronized void renewDelegationToken() throws IOException, InterruptedException {
        this.token.renew(this.fs.getConf());
        writeDelegationTokenToFile();
        if (this.firstLogin) {
            return;
        }
        sendTokenFileUpdatedMessage(InstanceType.CONTROLLER);
        sendTokenFileUpdatedMessage(InstanceType.PARTICIPANT);
    }

    @VisibleForTesting
    synchronized void getNewDelegationTokenForLoginUser() throws IOException {
        this.token = this.fs.getDelegationToken(this.loginUser.getShortUserName());
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void loginFromKeytab() throws IOException {
        String string = this.config.getString(GobblinYarnConfigurationKeys.KEYTAB_FILE_PATH);
        if (Strings.isNullOrEmpty(string)) {
            throw new IOException("Keytab file path is not defined for Kerberos login");
        }
        if (!new File(string).exists()) {
            throw new IOException("Keytab file not found at: " + string);
        }
        String string2 = this.config.getString(GobblinYarnConfigurationKeys.KEYTAB_PRINCIPAL_NAME);
        if (Strings.isNullOrEmpty(string2)) {
            string2 = this.loginUser.getShortUserName() + "/localhost@LOCALHOST";
        }
        Configuration configuration = new Configuration();
        configuration.set("hadoop.security.authentication", UserGroupInformation.AuthenticationMethod.KERBEROS.toString().toLowerCase());
        UserGroupInformation.setConfiguration(configuration);
        UserGroupInformation.loginUserFromKeytab(string2, string);
        LOGGER.info(String.format("Logged in from keytab file %s using principal %s", string, string2));
        this.loginUser = UserGroupInformation.getLoginUser();
        getNewDelegationTokenForLoginUser();
        writeDelegationTokenToFile();
        if (this.firstLogin) {
            return;
        }
        sendTokenFileUpdatedMessage(InstanceType.CONTROLLER);
        sendTokenFileUpdatedMessage(InstanceType.PARTICIPANT);
    }

    @VisibleForTesting
    synchronized void writeDelegationTokenToFile() throws IOException {
        if (this.fs.exists(this.tokenFilePath)) {
            LOGGER.info("Deleting existing token file " + this.tokenFilePath);
            this.fs.delete(this.tokenFilePath, false);
        }
        LOGGER.info("Writing new or renewed token to token file " + this.tokenFilePath);
        YarnHelixUtils.writeTokenToFile(this.token, this.tokenFilePath, this.fs.getConf());
        this.fs.setPermission(this.tokenFilePath, new FsPermission(FsAction.READ_WRITE, FsAction.NONE, FsAction.NONE));
    }

    @VisibleForTesting
    void sendTokenFileUpdatedMessage(InstanceType instanceType) {
        Criteria criteria = new Criteria();
        criteria.setInstanceName("%");
        criteria.setResource("%");
        criteria.setPartition("%");
        criteria.setPartitionState("%");
        criteria.setRecipientInstanceType(instanceType);
        criteria.setSessionSpecific(true);
        Message message = new Message(Message.MessageType.USER_DEFINE_MSG, HelixMessageSubTypes.TOKEN_FILE_UPDATED.toString().toLowerCase() + UUID.randomUUID().toString());
        message.setMsgSubType(HelixMessageSubTypes.TOKEN_FILE_UPDATED.toString());
        message.setMsgState(Message.MessageState.NEW);
        if (instanceType == InstanceType.CONTROLLER) {
            message.setTgtSessionId("*");
        }
        LOGGER.info(String.format("Sent %d token file updated message(s) to the %s", Integer.valueOf(new GobblinHelixMessagingService(this.helixManager).send(criteria, message)), instanceType));
    }
}
