package org.apache.hadoop.hive.metastore;

import java.io.IOException;
import java.util.HashMap;
import javax.security.auth.login.LoginException;
import javax.security.sasl.AuthenticationException;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.metastore.AuthConstants;
import org.apache.hadoop.hive.metastore.MetaStorePlainSaslHelper;
import org.apache.hadoop.hive.metastore.conf.MetastoreConf;
import org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge;
import org.apache.hadoop.hive.metastore.security.MetastoreDelegationTokenManager;
import org.apache.hadoop.hive.metastore.security.TUGIContainingTransport;
import org.apache.hadoop.hive.metastore.utils.MetaStoreUtils;
import org.apache.thrift.transport.TFramedTransport;
import org.apache.thrift.transport.TSaslServerTransport;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportException;
import org.apache.thrift.transport.TTransportFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hive/metastore/AuthFactory.class */
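/**
 * Selects and builds the Thrift server-side transport factory for the metastore according to the
 * configured authentication type.
 *
 * <p>Three families of configuration are distinguished by {@link #getAuthTransFactory}:
 * <ul>
 *   <li>SASL with a kerberized Hadoop ({@link #isSASLWithKerberizedHadoop()}): a SASL server
 *       transport factory obtained from the {@link HadoopThriftAuthBridge.Server}, optionally with
 *       an additional PLAIN server definition;</li>
 *   <li>password-based types (NONE, LDAP, PAM, CUSTOM, CONFIG) without Kerberos: the plain SASL
 *       factory from {@link MetaStorePlainSaslHelper};</li>
 *   <li>NOSASL: a raw, framed and/or UGI-containing Thrift transport with no SASL handshake.</li>
 * </ul>
 * Any other combination is rejected with a {@link LoginException} rather than silently falling
 * back to a weaker mode.
 *
 * <p>This listing is decompiler output; the nested class and {@code getAuthTransFactory} are
 * marked as having had narrower access in the original bytecode. Their visibility is kept as shown
 * here so existing callers continue to compile.
 */
public class AuthFactory {
    private static final Logger LOG = LoggerFactory.getLogger(AuthFactory.class);

    /** Value of {@link #hadoopAuth} when USE_THRIFT_SASL is enabled. */
    private static final String HADOOP_AUTH_KERBEROS = "kerberos";
    /** Value of {@link #hadoopAuth} when USE_THRIFT_SASL is disabled. */
    private static final String HADOOP_AUTH_SIMPLE = "simple";

    // Only assigned when isSASLWithKerberizedHadoop() held at construction time; null otherwise.
    private HadoopThriftAuthBridge.Server saslServer;
    // Configured authentication type name, normalised in the constructor (blank -> NOSASL,
    // NOSASL + USE_THRIFT_SASL -> KERBEROS). Compared case-insensitively everywhere.
    private String authTypeStr;
    // Not read anywhere in this class.
    private final String transportMode = "binary";
    private String hadoopAuth;
    // Only assigned together with saslServer; null otherwise.
    private MetastoreDelegationTokenManager delegationTokenManager;
    private boolean useFramedTransport;
    private boolean executeSetUGI;
    // Stored at construction; not read anywhere in this class.
    private Configuration conf;

    /**
     * Transport factory that applies two factories in sequence: the parent wraps the raw
     * transport first, then the child wraps the parent's result.
     */
    public static final class ChainedTTransportFactory extends TTransportFactory {
        private final TTransportFactory parentTransFactory;
        private final TTransportFactory childTransFactory;

        private ChainedTTransportFactory(TTransportFactory tTransportFactory, TTransportFactory tTransportFactory2) {
            this.parentTransFactory = tTransportFactory;
            this.childTransFactory = tTransportFactory2;
        }

        /**
         * @param tTransport the underlying transport to wrap
         * @return the child factory's transport layered over the parent factory's transport
         */
        @Override // org.apache.thrift.transport.TTransportFactory
        public TTransport getTransport(TTransport tTransport) {
            TTransport parentWrapped = this.parentTransFactory.getTransport(tTransport);
            return this.childTransFactory.getTransport(parentWrapped);
        }
    }

    /**
     * Reads the authentication settings from {@code configuration} and, when SASL with Kerberos is
     * in effect, creates the SASL server and starts the delegation token secret manager.
     *
     * @param hadoopThriftAuthBridge bridge used to create the SASL server from the configured
     *     keytab and principals
     * @param configuration metastore configuration to read the settings from
     * @param obj forwarded unchanged to
     *     {@code MetastoreDelegationTokenManager.startDelegationTokenSecretManager}
     *     (NOTE(review): presumably the metastore handler instance; confirm against the caller)
     * @throws HiveMetaException if framed transport is requested together with SASL
     * @throws TTransportException if the delegation token manager fails to start
     */
    public AuthFactory(HadoopThriftAuthBridge hadoopThriftAuthBridge, Configuration configuration, Object obj) throws HiveMetaException, TTransportException {
        this.conf = configuration;
        this.authTypeStr = MetastoreConf.getVar(configuration, MetastoreConf.ConfVars.THRIFT_METASTORE_AUTHENTICATION);
        this.useFramedTransport = MetastoreConf.getBoolVar(configuration, MetastoreConf.ConfVars.USE_THRIFT_FRAMED_TRANSPORT);
        this.executeSetUGI = MetastoreConf.getBoolVar(configuration, MetastoreConf.ConfVars.EXECUTE_SET_UGI);

        // An unset authentication type means "no SASL" unless USE_THRIFT_SASL overrides it below.
        if (StringUtils.isBlank(this.authTypeStr)) {
            this.authTypeStr = AuthConstants.AuthTypes.NOSASL.getAuthName();
        }

        if (MetastoreConf.getBoolVar(configuration, MetastoreConf.ConfVars.USE_THRIFT_SASL)) {
            this.hadoopAuth = HADOOP_AUTH_KERBEROS;
            // USE_THRIFT_SASL wins over an explicit or defaulted NOSASL: the type is upgraded to
            // KERBEROS instead of leaving the endpoint unauthenticated.
            if (authTypeIs(AuthConstants.AuthTypes.NOSASL)) {
                this.authTypeStr = AuthConstants.AuthTypes.KERBEROS.getAuthName();
            }
        } else {
            // With USE_THRIFT_SASL off, a configured KERBEROS type is not honoured here; it is
            // rejected later by getAuthTransFactory as an unsupported authentication type.
            this.hadoopAuth = HADOOP_AUTH_SIMPLE;
        }

        final boolean kerberizedSasl = isSASLWithKerberizedHadoop();
        LOG.info("Using authentication {} with kerberos authentication {}", this.authTypeStr, kerberizedSasl ? "enabled." : "disabled");
        if (!kerberizedSasl) {
            return;
        }

        if (this.useFramedTransport) {
            throw new HiveMetaException("Framed transport is not supported with SASL enabled.");
        }
        this.saslServer = hadoopThriftAuthBridge.createServer(
                MetastoreConf.getVar(configuration, MetastoreConf.ConfVars.KERBEROS_KEYTAB_FILE),
                MetastoreConf.getVar(configuration, MetastoreConf.ConfVars.KERBEROS_PRINCIPAL),
                MetastoreConf.getVar(configuration, MetastoreConf.ConfVars.CLIENT_KERBEROS_PRINCIPAL));
        this.delegationTokenManager = new MetastoreDelegationTokenManager();
        try {
            this.delegationTokenManager.startDelegationTokenSecretManager(configuration, obj, HadoopThriftAuthBridge.Server.ServerMode.METASTORE);
            this.saslServer.setSecretManager(this.delegationTokenManager.getSecretManager());
        } catch (IOException e) {
            throw new TTransportException("Failed to start token manager", e);
        }
    }

    /**
     * Builds the server transport factory matching the authentication settings read at
     * construction time.
     *
     * @param z forwarded to {@code MetaStoreUtils.getMetaStoreSaslProperties}
     *     (NOTE(review): presumably "SSL in use"; confirm against that helper)
     * @param configuration configuration handed to the SASL property lookup and to the PLAIN
     *     callback handler / plain transport factory
     * @return the transport factory to install on the Thrift server
     * @throws LoginException if the authentication type is unsupported, if the requested
     *     combination (framed transport or set-UGI with SASL/password authentication) is not
     *     allowed, or if building the SASL factory fails; the underlying exception is attached
     *     as the cause where one exists
     */
    public TTransportFactory getAuthTransFactory(boolean z, Configuration configuration) throws LoginException {
        if (isSASLWithKerberizedHadoop()) {
            return createKerberosTransportFactory(z, configuration);
        }
        if (isPasswordBasedAuth()) {
            return createPlainTransportFactory(configuration);
        }
        // Fail closed: anything that is neither Kerberos SASL, password based nor an explicit
        // NOSASL is rejected instead of being served without authentication.
        if (!authTypeIs(AuthConstants.AuthTypes.NOSASL)) {
            throw new LoginException("Unsupported authentication type " + this.authTypeStr);
        }
        return createNoSaslTransportFactory();
    }

    /** Builds the SASL factory for the kerberized case, adding a PLAIN definition if configured. */
    private TTransportFactory createKerberosTransportFactory(boolean z, Configuration configuration) throws LoginException {
        try {
            // Already enforced by the constructor; kept as a second guard on this path.
            if (this.useFramedTransport) {
                throw new LoginException("Framed transport is not supported with SASL enabled.");
            }
            TSaslServerTransport.Factory saslFactory = this.saslServer.createSaslServerTransportFactory(MetaStoreUtils.getMetaStoreSaslProperties(configuration, z));
            TTransportFactory ugiWrappedFactory = this.saslServer.wrapTransportFactoryInClientUGI(saslFactory);
            if (!authTypeIs(AuthConstants.AuthTypes.KERBEROS)) {
                if (!isPasswordBasedAuth()) {
                    throw new LoginException("Unsupported authentication type " + this.authTypeStr);
                }
                try {
                    MetaStorePlainSaslHelper.init();
                    LOG.debug("Adding server definition for PLAIN SaSL with authentication {} to transport factory {}", this.authTypeStr, saslFactory);
                    // The PLAIN mechanism is registered on the same factory that was wrapped
                    // above, so it is offered in addition to whatever the bridge registered.
                    // NOTE(review): PLAIN carries the password unprotected at the SASL layer;
                    // confirm the listener enforces TLS when this path is enabled.
                    saslFactory.addServerDefinition(MetaStorePlainSaslServer.PLAIN_METHOD, this.authTypeStr, null, new HashMap<String, String>(), new MetaStorePlainSaslHelper.PlainServerCallbackHandler(this.authTypeStr, configuration));
                } catch (AuthenticationException e) {
                    throw loginFailure("Error setting callback handler: " + e, e);
                }
            }
            return ugiWrappedFactory;
        } catch (TTransportException e) {
            throw loginFailure(e.getMessage(), e);
        }
    }

    /** Builds the plain SASL factory used for password-based types without Kerberos. */
    private TTransportFactory createPlainTransportFactory(Configuration configuration) throws LoginException {
        if (this.useFramedTransport) {
            throw new LoginException("Framed transport is not supported with password based authentication enabled.");
        }
        // set_ugi lets the client state its own identity, which would bypass the identity
        // established by the password check, so the combination is refused.
        if (this.executeSetUGI) {
            throw new LoginException("Setting " + MetastoreConf.ConfVars.EXECUTE_SET_UGI + " is not supported with password based authentication enabled.");
        }
        LOG.info("Using plain SASL transport factory with {} authentication", this.authTypeStr);
        return MetaStorePlainSaslHelper.getPlainTransportFactory(this.authTypeStr, configuration);
    }

    /**
     * Builds the transport factory for NOSASL.
     *
     * <p>NOTE(review): no SASL handshake happens on this path, so the transport does not
     * authenticate the peer. With set-UGI enabled the transport only carries the identity the
     * client supplies; deployments relying on this mode need network-level access control.
     */
    private TTransportFactory createNoSaslTransportFactory() {
        if (this.executeSetUGI) {
            return this.useFramedTransport
                    ? new ChainedTTransportFactory(new TFramedTransport.Factory(), new TUGIContainingTransport.Factory())
                    : new TUGIContainingTransport.Factory();
        }
        return this.useFramedTransport ? new TFramedTransport.Factory() : new TTransportFactory();
    }

    /** Case-insensitive comparison of the configured authentication type against {@code type}. */
    private boolean authTypeIs(AuthConstants.AuthTypes type) {
        return this.authTypeStr.equalsIgnoreCase(type.getAuthName());
    }

    /**
     * Whether the configured type is one of those served through the PLAIN SASL mechanism.
     *
     * <p>NOTE(review): NONE is accepted here alongside LDAP/PAM/CUSTOM/CONFIG. Whether the NONE
     * provider actually verifies the supplied password is decided in MetaStorePlainSaslHelper,
     * not in this class; confirm before treating NONE as an authenticated mode.
     */
    private boolean isPasswordBasedAuth() {
        return authTypeIs(AuthConstants.AuthTypes.NONE)
                || authTypeIs(AuthConstants.AuthTypes.LDAP)
                || authTypeIs(AuthConstants.AuthTypes.PAM)
                || authTypeIs(AuthConstants.AuthTypes.CUSTOM)
                || authTypeIs(AuthConstants.AuthTypes.CONFIG);
    }

    /** Creates a LoginException that keeps {@code cause}, since LoginException has no cause constructor. */
    private static LoginException loginFailure(String message, Throwable cause) {
        LoginException failure = new LoginException(message);
        failure.initCause(cause);
        return failure;
    }

    /**
     * @return the SASL server created at construction time
     * @throws IllegalStateException if SASL with Kerberos is not in effect or no server was created
     */
    public HadoopThriftAuthBridge.Server getSaslServer() throws IllegalStateException {
        if (!isSASLWithKerberizedHadoop() || null == this.saslServer) {
            throw new IllegalStateException("SASL server is not setup");
        }
        return this.saslServer;
    }

    /**
     * @return the delegation token manager started at construction time
     * @throws IllegalStateException if SASL with Kerberos is not in effect or no server was created
     */
    public MetastoreDelegationTokenManager getDelegationTokenManager() throws IllegalStateException {
        // The manager is only created together with the SASL server, so the same guard applies.
        if (!isSASLWithKerberizedHadoop() || null == this.saslServer) {
            throw new IllegalStateException("SASL server is not setup");
        }
        return this.delegationTokenManager;
    }

    /**
     * @return {@code true} when USE_THRIFT_SASL selected Kerberos at construction time and the
     *     effective authentication type is anything other than NOSASL
     */
    public boolean isSASLWithKerberizedHadoop() {
        return HADOOP_AUTH_KERBEROS.equalsIgnoreCase(this.hadoopAuth) && !authTypeIs(AuthConstants.AuthTypes.NOSASL);
    }
}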
