package org.apache.hadoop.hbase.security.token;

import java.io.IOException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.hbase.CoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.BaseEndpointCoprocessor;
import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
import org.apache.hadoop.hbase.ipc.RequestContext;
import org.apache.hadoop.hbase.ipc.RpcServer;
import org.apache.hadoop.hbase.ipc.SecureServer;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

/* loaded from: input_file:org/apache/hadoop/hbase/security/token/TokenProvider.class */
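/**
 * Coprocessor endpoint implementing {@link AuthenticationProtocol}: it hands out
 * authentication tokens to callers that authenticated with Kerberos and reports the
 * user name of the current request.
 *
 * <p>Token issuance depends on an {@link AuthenticationTokenSecretManager} captured in
 * {@link #start(CoprocessorEnvironment)}. If none is found, every call to
 * {@link #getAuthenticationToken()} fails with an {@link IOException}.
 */
public class TokenProvider extends BaseEndpointCoprocessor implements AuthenticationProtocol {
    /** Protocol version reported by {@link #getProtocolVersion(String, long)}. */
    public static final long VERSION = 0;
    private static final Log LOG = LogFactory.getLog(TokenProvider.class);

    // Assigned only in start(), and only when the region server's RPC server is a
    // SecureServer whose secret manager is an AuthenticationTokenSecretManager.
    // Stays null otherwise, which disables token issuance.
    private AuthenticationTokenSecretManager secretManager;

    /**
     * Starts the endpoint and looks up the secret manager used to mint tokens.
     *
     * <p>The lookup is best-effort: when the environment is not a
     * {@link RegionCoprocessorEnvironment}, the RPC server is not a {@link SecureServer},
     * or its secret manager has a different type, the field is left unset and no error
     * is raised here.
     *
     * @param coprocessorEnvironment environment the coprocessor is loaded into
     */
    @Override
    public void start(CoprocessorEnvironment coprocessorEnvironment) {
        super.start(coprocessorEnvironment);
        if (!(coprocessorEnvironment instanceof RegionCoprocessorEnvironment)) {
            return;
        }
        RpcServer rpcServer = ((RegionCoprocessorEnvironment) coprocessorEnvironment)
                .getRegionServerServices()
                .getRpcServer();
        if (!(rpcServer instanceof SecureServer)) {
            return;
        }
        SecretManager<? extends TokenIdentifier> candidate = ((SecureServer) rpcServer).getSecretManager();
        if (candidate instanceof AuthenticationTokenSecretManager) {
            this.secretManager = (AuthenticationTokenSecretManager) candidate;
        }
    }

    /**
     * Generates an authentication token for the user of the current request.
     *
     * <p>Every check fails closed: a request with no user, no
     * {@link UserGroupInformation}, or any authentication method other than
     * {@code KERBEROS} is rejected with {@link AccessDeniedException}, and no token is
     * generated.
     *
     * @return a token generated by the secret manager for the request user's name
     * @throws AccessDeniedException if the request has no authenticated user, no UGI,
     *     or the caller did not authenticate with Kerberos
     * @throws IOException if no secret manager was captured in {@code start}
     */
    @Override
    public Token<AuthenticationTokenIdentifier> getAuthenticationToken() throws IOException {
        if (this.secretManager == null) {
            throw new IOException("No secret manager configured for token authentication");
        }
        User requestUser = RequestContext.getRequestUser();
        if (requestUser == null) {
            throw new AccessDeniedException("No authenticated user for request!");
        }
        UserGroupInformation userGroupInformation = requestUser.getUGI();
        if (userGroupInformation == null) {
            // Without a UGI the authentication method cannot be verified. Deny explicitly
            // instead of letting a NullPointerException escape from the check below.
            LOG.warn("Token generation denied for user=" + requestUser.getName() + ", no UGI available");
            throw new AccessDeniedException("No authentication information available for request user");
        }
        UserGroupInformation.AuthenticationMethod authMethod = userGroupInformation.getAuthenticationMethod();
        if (authMethod != UserGroupInformation.AuthenticationMethod.KERBEROS) {
            // NOTE(review): presumably this stops a caller that authenticated with a token
            // from minting further tokens without re-authenticating - confirm against the
            // design notes. The denial is logged so refused requests are auditable.
            LOG.warn("Token generation denied for user=" + requestUser.getName() + ", authMethod=" + authMethod);
            throw new AccessDeniedException("Token generation only allowed for Kerberos authenticated clients");
        }
        return this.secretManager.generateToken(requestUser.getName());
    }

    /**
     * Returns the user name of the current request as reported by {@link RequestContext}.
     *
     * @return the request user name; NOTE(review): the value returned when the request
     *     has no user depends on {@code RequestContext} - confirm
     */
    @Override
    public String whoami() {
        return RequestContext.getRequestUserName();
    }

    /**
     * Reports the version of {@link AuthenticationProtocol} served by this endpoint.
     *
     * @param str fully qualified name of the protocol being asked about
     * @param j version argument of the request; not consulted by this implementation
     * @return {@link #VERSION} when {@code str} names {@link AuthenticationProtocol},
     *     otherwise {@code -1}
     * @throws IOException declared by the interface; not thrown by this implementation
     */
    @Override
    public long getProtocolVersion(String str, long j) throws IOException {
        if (AuthenticationProtocol.class.getName().equals(str)) {
            return VERSION;
        }
        // NOTE(review): str is presumably supplied by the remote caller; if so, consider
        // neutralizing line breaks before logging so log entries cannot be forged.
        LOG.warn("Unknown protocol requested: " + str);
        return -1L;
    }
}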
