package org.apache.hadoop.security;

import com.google.common.annotations.VisibleForTesting;
import java.io.File;
import java.io.IOException;
import java.lang.reflect.UndeclaredThrowableException;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.metrics2.MetricsSystem;
import org.apache.hadoop.metrics2.annotation.Metric;
import org.apache.hadoop.metrics2.annotation.Metrics;
import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
import org.apache.hadoop.metrics2.lib.MetricsRegistry;
import org.apache.hadoop.metrics2.lib.MutableQuantiles;
import org.apache.hadoop.metrics2.lib.MutableRate;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.util.PlatformName;
import org.apache.hadoop.util.Shell;
import org.apache.hadoop.util.Time;

@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce", "HBase", "Hive", "Oozie"})
@InterfaceStability.Evolving
/* loaded from: input_file:lib/hadoop-common-2.6.2.jar:org/apache/hadoop/security/UserGroupInformation.class */
public class UserGroupInformation {
    // Multiplier that getRefreshTime() applies to a ticket's validity period to decide when renewal is due.
    private static final float TICKET_RENEW_WINDOW = 0.8f;
    // Name of the environment variable / system property that HadoopLoginModule.commit()
    // reads for the user name when security is disabled.
    static final String HADOOP_USER_NAME = "HADOOP_USER_NAME";
    // Name of the environment variable / system property that loginUserFromSubject()
    // reads to turn the login user into a proxy for another user.
    static final String HADOOP_PROXY_USER = "HADOOP_PROXY_USER";
    // Process-wide authentication method, assigned by initialize() and cleared by reset().
    private static AuthenticationMethod authenticationMethod;
    private static Groups groups;
    // Doubles as the "already initialized" marker checked by ensureInitialized().
    private static Configuration conf;
    // presumably milliseconds (10 minutes); the TGT renewal thread adds the same value to Time.now() — confirm
    private static final long MIN_TIME_BEFORE_RELOGIN = 600000;
    // Environment variable naming a token storage file whose tokens loginUserFromSubject() adds to the login user.
    public static final String HADOOP_TOKEN_FILE_LOCATION = "HADOOP_TOKEN_FILE_LOCATION";
    private final Subject subject;
    private final User user;
    // True when the Subject carried a private credential of type KEY_TAB_CLASS at construction time.
    private final boolean isKeytab;
    // True when the Subject carried a KerberosTicket private credential at construction time.
    private final boolean isKrbTkt;
    // NOTE(review): no initializer is visible in this part of the file; the constructor passes this
    // to Subject.getPrivateCredentials(), so it has to be assigned before any instance is built — confirm.
    private static Class<?> KEY_TAB_CLASS;
    private static final Log LOG = LogFactory.getLog(UserGroupInformation.class);
    private static boolean shouldRenewImmediatelyForTests = false;
    static UgiMetrics metrics = UgiMetrics.create();
    // Cached process-wide login identity; written by the loginUserFrom*() methods and setLoginUser().
    private static UserGroupInformation loginUser = null;
    // Keytab principal and path recorded by loginUserFromKeytab() and copied into the JAAS
    // options by HadoopConfiguration.getAppConfigurationEntry().
    private static String keytabPrincipal = null;
    private static String keytabFile = null;
    // Platform flags derived from JVM system properties. They are declared before
    // OS_LOGIN_MODULE_NAME / OS_PRINCIPAL_CLASS because static initializers run in textual
    // order and both helper methods below read them.
    private static final boolean windows = System.getProperty("os.name").startsWith("Windows");
    private static final boolean is64Bit = System.getProperty("os.arch").contains("64");
    private static final boolean aix = System.getProperty("os.name").equals("AIX");
    private static String OS_LOGIN_MODULE_NAME = getOSLoginModuleName();
    // May be null: getOsPrincipalClass() returns null when the JAAS principal class cannot be loaded.
    private static Class<? extends Principal> OS_PRINCIPAL_CLASS = getOsPrincipalClass();

    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    /* loaded from: input_file:lib/hadoop-common-2.6.2.jar:org/apache/hadoop/security/UserGroupInformation$AuthenticationMethod.class */
    /**
     * Authentication methods known to UGI. Each constant carries the matching SASL RPC
     * method (or {@code null} when there is none) and, for methods that support a JAAS
     * login, the JAAS application name used for that login.
     */
    public enum AuthenticationMethod {
        SIMPLE(SaslRpcServer.AuthMethod.SIMPLE, "hadoop-simple"),
        KERBEROS(SaslRpcServer.AuthMethod.KERBEROS, "hadoop-user-kerberos"),
        TOKEN(SaslRpcServer.AuthMethod.TOKEN),
        CERTIFICATE(null),
        KERBEROS_SSL(null),
        PROXY(null);

        private final SaslRpcServer.AuthMethod authMethod;
        private final String loginAppName;

        /** Creates a constant that has no JAAS login application name. */
        AuthenticationMethod(SaslRpcServer.AuthMethod authMethod) {
            this(authMethod, null);
        }

        /** Creates a constant bound to a SASL method and a JAAS login application name. */
        AuthenticationMethod(SaslRpcServer.AuthMethod authMethod, String str) {
            this.loginAppName = str;
            this.authMethod = authMethod;
        }

        /** @return the SASL RPC method behind this constant, or {@code null} if it has none */
        public SaslRpcServer.AuthMethod getAuthMethod() {
            return authMethod;
        }

        /**
         * @return the JAAS application name for this method
         * @throws UnsupportedOperationException if this method has no login application name
         */
        String getLoginAppName() {
            if (loginAppName != null) {
                return loginAppName;
            }
            throw new UnsupportedOperationException(this + " login authentication is not supported");
        }

        /**
         * Maps a SASL RPC method back to the first constant, in declaration order, that
         * carries it. The comparison is by identity, so a {@code null} argument resolves to
         * CERTIFICATE, the first constant declared with a {@code null} SASL method.
         *
         * @throws IllegalArgumentException if no constant carries {@code authMethod}
         */
        public static AuthenticationMethod valueOf(SaslRpcServer.AuthMethod authMethod) {
            AuthenticationMethod[] candidates = values();
            for (int i = 0; i < candidates.length; i++) {
                AuthenticationMethod candidate = candidates[i];
                if (candidate.getAuthMethod() == authMethod) {
                    return candidate;
                }
            }
            throw new IllegalArgumentException("no authentication method for " + authMethod);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/hadoop-common-2.6.2.jar:org/apache/hadoop/security/UserGroupInformation$DynamicConfiguration.class */
    /**
     * JAAS configuration that hands back one fixed set of entries, whatever application
     * name is asked for.
     */
    public static class DynamicConfiguration extends javax.security.auth.login.Configuration {
        private final AppConfigurationEntry[] entries;

        DynamicConfiguration(AppConfigurationEntry[] appConfigurationEntryArr) {
            entries = appConfigurationEntryArr;
        }

        /**
         * @param str the requested application name; not consulted
         * @return the array given to the constructor (the same instance, not a copy)
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
            return entries;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/hadoop-common-2.6.2.jar:org/apache/hadoop/security/UserGroupInformation$HadoopConfiguration.class */
    /**
     * JAAS configuration with three fixed login stacks, selected by application name:
     * "hadoop-simple", "hadoop-user-kerberos" and "hadoop-keytab-kerberos". The stacks and
     * their option maps are built once in the static initializer and shared by every instance.
     */
    public static class HadoopConfiguration extends javax.security.auth.login.Configuration {
        private static final String SIMPLE_CONFIG_NAME = "hadoop-simple";
        private static final String USER_KERBEROS_CONFIG_NAME = "hadoop-user-kerberos";
        private static final String KEYTAB_KERBEROS_CONFIG_NAME = "hadoop-keytab-kerberos";
        // Options copied into every stack; only ever holds "debug" (see the static initializer).
        private static final Map<String, String> BASIC_JAAS_OPTIONS = new HashMap();
        private static final AppConfigurationEntry OS_SPECIFIC_LOGIN;
        private static final AppConfigurationEntry HADOOP_LOGIN;
        private static final Map<String, String> USER_KERBEROS_OPTIONS;
        private static final AppConfigurationEntry USER_KERBEROS_LOGIN;
        // Mutable and shared: getAppConfigurationEntry() rewrites the keytab and principal
        // entries on every keytab lookup.
        private static final Map<String, String> KEYTAB_KERBEROS_OPTIONS;
        private static final AppConfigurationEntry KEYTAB_KERBEROS_LOGIN;
        private static final AppConfigurationEntry[] SIMPLE_CONF;
        private static final AppConfigurationEntry[] USER_KERBEROS_CONF;
        private static final AppConfigurationEntry[] KEYTAB_KERBEROS_CONF;

        private HadoopConfiguration() {
        }

        /**
         * Returns the login stack for one of the three known application names.
         *
         * @param str the JAAS application name
         * @return the matching stack, or {@code null} when the name is not one of the three
         */
        public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
            if (SIMPLE_CONFIG_NAME.equals(str)) {
                return SIMPLE_CONF;
            }
            if (USER_KERBEROS_CONFIG_NAME.equals(str)) {
                return USER_KERBEROS_CONF;
            }
            if (!KEYTAB_KERBEROS_CONFIG_NAME.equals(str)) {
                return null;
            }
            // Keytab path and principal come from the enclosing class's static fields, so the
            // values used are whatever was stored there last. Nothing in this method
            // synchronizes the writes to the shared map.
            // NOTE(review): KEYTAB_KERBEROS_LOGIN was built over this same map before these
            // put() calls; presumably the entry sees them — confirm against the JDK's
            // AppConfigurationEntry.
            if (PlatformName.IBM_JAVA) {
                KEYTAB_KERBEROS_OPTIONS.put("useKeytab", UserGroupInformation.prependFileAuthority(UserGroupInformation.keytabFile));
            } else {
                KEYTAB_KERBEROS_OPTIONS.put("keyTab", UserGroupInformation.keytabFile);
            }
            KEYTAB_KERBEROS_OPTIONS.put("principal", UserGroupInformation.keytabPrincipal);
            return KEYTAB_KERBEROS_CONF;
        }

        static {
            // HADOOP_JAAS_DEBUG=true (case-insensitive) in the environment adds debug=true
            // to the options of every login module configured below.
            String str = System.getenv("HADOOP_JAAS_DEBUG");
            if (str != null && "true".equalsIgnoreCase(str)) {
                BASIC_JAAS_OPTIONS.put("debug", "true");
            }
            OS_SPECIFIC_LOGIN = new AppConfigurationEntry(UserGroupInformation.OS_LOGIN_MODULE_NAME, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, BASIC_JAAS_OPTIONS);
            HADOOP_LOGIN = new AppConfigurationEntry(HadoopLoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, BASIC_JAAS_OPTIONS);
            // Ticket-cache login: option names differ between the IBM and non-IBM Kerberos modules.
            USER_KERBEROS_OPTIONS = new HashMap();
            if (PlatformName.IBM_JAVA) {
                USER_KERBEROS_OPTIONS.put("useDefaultCcache", "true");
            } else {
                USER_KERBEROS_OPTIONS.put("doNotPrompt", "true");
                USER_KERBEROS_OPTIONS.put("useTicketCache", "true");
            }
            // The ticket cache location is taken from the KRB5CCNAME environment variable
            // when it is set; on IBM Java it is republished as a JVM-wide system property.
            String str2 = System.getenv("KRB5CCNAME");
            if (str2 != null) {
                if (PlatformName.IBM_JAVA) {
                    System.setProperty("KRB5CCNAME", str2);
                } else {
                    USER_KERBEROS_OPTIONS.put("ticketCache", str2);
                }
            }
            USER_KERBEROS_OPTIONS.put("renewTGT", "true");
            USER_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS);
            // OPTIONAL: the "hadoop-user-kerberos" stack does not require this module to succeed.
            USER_KERBEROS_LOGIN = new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL, USER_KERBEROS_OPTIONS);
            // Keytab login: the keytab path and principal are filled in later, per lookup.
            KEYTAB_KERBEROS_OPTIONS = new HashMap();
            if (PlatformName.IBM_JAVA) {
                KEYTAB_KERBEROS_OPTIONS.put("credsType", "both");
            } else {
                KEYTAB_KERBEROS_OPTIONS.put("doNotPrompt", "true");
                KEYTAB_KERBEROS_OPTIONS.put("useKeyTab", "true");
                KEYTAB_KERBEROS_OPTIONS.put("storeKey", "true");
            }
            KEYTAB_KERBEROS_OPTIONS.put("refreshKrb5Config", "true");
            KEYTAB_KERBEROS_OPTIONS.putAll(BASIC_JAAS_OPTIONS);
            KEYTAB_KERBEROS_LOGIN = new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, KEYTAB_KERBEROS_OPTIONS);
            // Every stack ends with HadoopLoginModule, which adds the Hadoop User principal.
            SIMPLE_CONF = new AppConfigurationEntry[]{OS_SPECIFIC_LOGIN, HADOOP_LOGIN};
            USER_KERBEROS_CONF = new AppConfigurationEntry[]{OS_SPECIFIC_LOGIN, USER_KERBEROS_LOGIN, HADOOP_LOGIN};
            KEYTAB_KERBEROS_CONF = new AppConfigurationEntry[]{KEYTAB_KERBEROS_LOGIN, HADOOP_LOGIN};
        }
    }

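    @InterfaceAudience.Private
    /* loaded from: input_file:lib/hadoop-common-2.6.2.jar:org/apache/hadoop/security/UserGroupInformation$HadoopLoginModule.class */
    /**
     * JAAS login module that performs no authentication of its own. On commit it picks one
     * principal already present on the Subject (or a configured name) and adds a Hadoop
     * {@code User} principal with that name.
     */
    public static class HadoopLoginModule implements LoginModule {
        private Subject subject;

        @Override
        public boolean abort() throws LoginException {
            return true;
        }

        /**
         * Returns the first principal of the given type on the Subject.
         *
         * @param cls the principal type to look for; may be {@code null}
         * @return the first matching principal, or {@code null} when there is none
         */
        private <T extends Principal> T getCanonicalUser(Class<T> cls) {
            // OS_PRINCIPAL_CLASS is null when the platform's JAAS principal class could not
            // be loaded; Subject.getPrincipals(null) would throw NullPointerException, so
            // report "no principal" and let commit() fail with its LoginException instead.
            if (cls == null) {
                return null;
            }
            Iterator<T> it = this.subject.getPrincipals(cls).iterator();
            return it.hasNext() ? it.next() : null;
        }

        /**
         * Adds a {@code User} principal to the Subject unless one is already present.
         *
         * <p>The name is chosen in this order: the Kerberos principal when Kerberos is the
         * enabled method; otherwise, only while security is disabled, the HADOOP_USER_NAME
         * environment variable and then the system property of the same name; otherwise the
         * operating-system principal.
         *
         * <p>The HADOOP_USER_NAME value is used as given; nothing in this method verifies
         * it. With security disabled, whoever controls the process environment or its
         * system properties therefore chooses the identity.
         *
         * @return always {@code true}
         * @throws LoginException if no principal can be found or the User cannot be created
         */
        @Override
        public boolean commit() throws LoginException {
            if (UserGroupInformation.LOG.isDebugEnabled()) {
                UserGroupInformation.LOG.debug("hadoop login commit");
            }
            // A Subject that already carries a User principal is left untouched.
            if (!this.subject.getPrincipals(User.class).isEmpty()) {
                if (UserGroupInformation.LOG.isDebugEnabled()) {
                    UserGroupInformation.LOG.debug("using existing subject:" + this.subject.getPrincipals());
                }
                return true;
            }
            Principal principal = null;
            if (UserGroupInformation.isAuthenticationMethodEnabled(AuthenticationMethod.KERBEROS)) {
                principal = getCanonicalUser(KerberosPrincipal.class);
                if (UserGroupInformation.LOG.isDebugEnabled()) {
                    UserGroupInformation.LOG.debug("using kerberos user:" + principal);
                }
            }
            // Caller-asserted identity: consulted only while security is disabled.
            if (!UserGroupInformation.isSecurityEnabled() && principal == null) {
                String str = System.getenv(UserGroupInformation.HADOOP_USER_NAME);
                if (str == null) {
                    str = System.getProperty(UserGroupInformation.HADOOP_USER_NAME);
                }
                principal = str == null ? null : new User(str);
            }
            if (principal == null) {
                principal = getCanonicalUser(UserGroupInformation.OS_PRINCIPAL_CLASS);
                if (UserGroupInformation.LOG.isDebugEnabled()) {
                    UserGroupInformation.LOG.debug("using local user:" + principal);
                }
            }
            if (principal == null) {
                UserGroupInformation.LOG.error("Can't find user in " + this.subject);
                throw new LoginException("Can't find user name");
            }
            if (UserGroupInformation.LOG.isDebugEnabled()) {
                UserGroupInformation.LOG.debug("Using user: \"" + principal + "\" with name " + principal.getName());
            }
            try {
                User user = new User(principal.getName());
                if (UserGroupInformation.LOG.isDebugEnabled()) {
                    UserGroupInformation.LOG.debug("User entry: \"" + user.toString() + "\"");
                }
                this.subject.getPrincipals().add(user);
                return true;
            } catch (Exception e) {
                // Surface any failure as a LoginException while keeping the original cause.
                throw ((LoginException) new LoginException(e.toString()).initCause(e));
            }
        }

        /** Records the Subject to populate; the handler and both option maps are not used. */
        @Override
        public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
            this.subject = subject;
        }

        /** Performs no check; always succeeds. */
        @Override
        public boolean login() throws LoginException {
            if (UserGroupInformation.LOG.isDebugEnabled()) {
                UserGroupInformation.LOG.debug("hadoop login");
            }
            return true;
        }

        /** Always succeeds; the Subject is not modified. */
        @Override
        public boolean logout() throws LoginException {
            if (UserGroupInformation.LOG.isDebugEnabled()) {
                UserGroupInformation.LOG.debug("hadoop logout");
            }
            return true;
        }
    }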

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/hadoop-common-2.6.2.jar:org/apache/hadoop/security/UserGroupInformation$RealUser.class */
    /**
     * Principal that wraps another {@code UserGroupInformation}; name, equality, hash code
     * and string form all delegate to the wrapped instance.
     */
    public static class RealUser implements Principal {
        private final UserGroupInformation realUser;

        RealUser(UserGroupInformation userGroupInformation) {
            realUser = userGroupInformation;
        }

        /** @return the user name of the wrapped UGI */
        @Override
        public String getName() {
            return realUser.getUserName();
        }

        /** @return the wrapped UGI itself */
        public UserGroupInformation getRealUser() {
            return realUser;
        }

        /** Two instances are equal when they have the same class and equal wrapped UGIs. */
        @Override
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (obj != null && obj.getClass() == getClass()) {
                RealUser other = (RealUser) obj;
                return realUser.equals(other.realUser);
            }
            return false;
        }

        @Override
        public int hashCode() {
            return realUser.hashCode();
        }

        @Override
        public String toString() {
            return realUser.toString();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/hadoop-common-2.6.2.jar:org/apache/hadoop/security/UserGroupInformation$TestingGroups.class */
    /**
     * Groups implementation that answers from an in-memory user-to-groups map and falls
     * back to a wrapped {@code Groups} instance for users that are not in the map.
     */
    public static class TestingGroups extends Groups {
        private final Map<String, List<String>> userToGroupsMapping;
        private Groups underlyingImplementation;

        private TestingGroups(Groups groups) {
            super(new Configuration());
            underlyingImplementation = groups;
            userToGroupsMapping = new HashMap<String, List<String>>();
        }

        /**
         * @param str the user name
         * @return the groups registered for the user, else whatever the wrapped instance returns
         */
        @Override
        public List<String> getGroups(String str) throws IOException {
            List<String> registered = userToGroupsMapping.get(str);
            if (registered != null) {
                return registered;
            }
            return underlyingImplementation.getGroups(str);
        }

        /** Registers (or replaces) the groups for one user, as a list view over the array. */
        public void setUserGroups(String str, String[] strArr) {
            List<String> groupList = Arrays.asList(strArr);
            userToGroupsMapping.put(str, groupList);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
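    @Metrics(about = "User and group related metrics", context = "ugi")
    /* loaded from: input_file:lib/hadoop-common-2.6.2.jar:org/apache/hadoop/security/UserGroupInformation$UgiMetrics.class */
    /** Metrics source holding login and group-lookup rates for UGI. */
    public static class UgiMetrics {
        final MetricsRegistry registry = new MetricsRegistry("UgiMetrics");

        @Metric({"Rate of successful kerberos logins and latency (milliseconds)"})
        MutableRate loginSuccess;

        @Metric({"Rate of failed kerberos logins and latency (milliseconds)"})
        MutableRate loginFailure;

        @Metric({"GetGroups"})
        MutableRate getGroups;
        // Stays null until initialize() finds percentile intervals in the configuration.
        MutableQuantiles[] getGroupsQuantiles;

        UgiMetrics() {
        }

        /**
         * Creates an instance and registers it with the default metrics system.
         *
         * @return the value handed back by the metrics system's register call
         */
        static UgiMetrics create() {
            // The decompiled listing cast the new instance to MetricsSystem, a type this
            // class does not extend; the source object is passed as it is.
            return (UgiMetrics) DefaultMetricsSystem.instance().register(new UgiMetrics());
        }

        /**
         * Records one group-lookup sample in the rate metric and in every configured quantile.
         *
         * @param j the sample value
         */
        public void addGetGroups(long j) {
            this.getGroups.add(j);
            if (this.getGroupsQuantiles == null) {
                return;
            }
            for (MutableQuantiles quantile : this.getGroupsQuantiles) {
                quantile.add(j);
            }
        }
    }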

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Test hook: stores the flag in the static {@code shouldRenewImmediatelyForTests} field.
     *
     * @param z the new flag value
     */
    @VisibleForTesting
    public static void setShouldRenewImmediatelyForTests(boolean z) {
        UserGroupInformation.shouldRenewImmediatelyForTests = z;
    }

    /**
     * Runs {@code initialize} with a fresh default {@code Configuration} the first time the
     * security settings are needed, i.e. while the static {@code conf} is still null.
     */
    private static void ensureInitialized() {
        // Unsynchronized first check; it is repeated under the class lock below.
        // NOTE(review): conf is declared without volatile, so this first read is not ordered
        // against the write made in initialize() — confirm that is acceptable here.
        if (conf == null) {
            synchronized (UserGroupInformation.class) {
                if (conf == null) {
                    // false: keep Kerberos name rules that have already been set.
                    initialize(new Configuration(), false);
                }
            }
        }
    }

    /**
     * Loads the process-wide security settings from a configuration: the authentication
     * method, the Kerberos name rules, the group mapping service and, once, the group-lookup
     * latency quantiles.
     *
     * @param configuration the configuration to read
     * @param z when true, the Kerberos name rules are reloaded even if rules are already set
     * @throws RuntimeException if the Kerberos name rules cannot be loaded
     */
    private static synchronized void initialize(Configuration configuration, boolean z) {
        authenticationMethod = SecurityUtil.getAuthenticationMethod(configuration);
        boolean loadNameRules = z || !HadoopKerberosName.hasRulesBeenSet();
        if (loadNameRules) {
            try {
                HadoopKerberosName.setConfiguration(configuration);
            } catch (IOException e) {
                throw new RuntimeException("Problem with Kerberos auth_to_local name configuration", e);
            }
        }
        // A TestingGroups instance installed earlier is kept in place.
        boolean testGroupsInstalled = groups instanceof TestingGroups;
        if (!testGroupsInstalled) {
            groups = Groups.getUserToGroupsMappingService(configuration);
        }
        conf = configuration;

        // Quantiles are created at most once; later calls leave the existing ones alone.
        if (metrics.getGroupsQuantiles != null) {
            return;
        }
        int[] intervals = configuration.getInts(CommonConfigurationKeys.HADOOP_USER_GROUP_METRICS_PERCENTILES_INTERVALS);
        if (intervals == null || intervals.length <= 0) {
            return;
        }
        MutableQuantiles[] quantiles = new MutableQuantiles[intervals.length];
        for (int i = 0; i < quantiles.length; i++) {
            int interval = intervals[i];
            quantiles[i] = metrics.registry.newQuantiles("getGroups" + interval + "s", "Get groups", "ops", "latency", interval);
        }
        metrics.getGroupsQuantiles = quantiles;
    }

    /**
     * Replaces the process-wide security configuration. Unlike the lazy default
     * initialization, this always reloads the Kerberos name rules from the given
     * configuration.
     *
     * @param configuration the configuration to apply
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static void setConfiguration(Configuration configuration) {
        final boolean overrideNameRules = true;
        initialize(configuration, overrideNameRules);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Test hook: clears the static authentication method, configuration, group mapping and
     * login user, and resets the Kerberos name rules to {@code null}.
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    public static void reset() {
        UserGroupInformation.authenticationMethod = null;
        UserGroupInformation.conf = null;
        UserGroupInformation.groups = null;
        UserGroupInformation.setLoginUser(null);
        HadoopKerberosName.setRules(null);
    }

    /**
     * Reports whether security is on, which here means the configured authentication
     * method is anything other than SIMPLE.
     *
     * @return {@code false} only when the method is SIMPLE
     */
    public static boolean isSecurityEnabled() {
        boolean simpleAuth = isAuthenticationMethodEnabled(AuthenticationMethod.SIMPLE);
        return !simpleAuth;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Checks whether the given method is the one currently configured, initializing the
     * security settings first if that has not happened yet.
     *
     * @param authenticationMethod2 the method to compare against the configured one
     * @return {@code true} when both are the same constant
     */
    @InterfaceAudience.Private
    @InterfaceStability.Evolving
    public static boolean isAuthenticationMethodEnabled(AuthenticationMethod authenticationMethod2) {
        ensureInitialized();
        AuthenticationMethod configured = UserGroupInformation.authenticationMethod;
        return authenticationMethod2 == configured;
    }

    /**
     * Picks the JAAS login module class name for the local operating system, depending on
     * the JVM vendor, the OS and (on IBM Java for Windows and AIX) the word size.
     *
     * @return the fully qualified login module class name
     */
    private static String getOSLoginModuleName() {
        if (!PlatformName.IBM_JAVA) {
            if (windows) {
                return "com.sun.security.auth.module.NTLoginModule";
            }
            return "com.sun.security.auth.module.UnixLoginModule";
        }
        if (windows) {
            if (is64Bit) {
                return "com.ibm.security.auth.module.Win64LoginModule";
            }
            return "com.ibm.security.auth.module.NTLoginModule";
        }
        if (aix) {
            if (is64Bit) {
                return "com.ibm.security.auth.module.AIX64LoginModule";
            }
            return "com.ibm.security.auth.module.AIXLoginModule";
        }
        return "com.ibm.security.auth.module.LinuxLoginModule";
    }

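    /**
     * Loads the JAAS principal class that represents the local operating-system user.
     *
     * <p>On IBM Java the 64-bit check comes first, so every 64-bit IBM JVM uses
     * {@code UsernamePrincipal} whatever the operating system is.
     *
     * @return the principal class, or {@code null} (after logging an error) when it is not
     *     on the system class path; callers have to cope with {@code null}
     */
    private static Class<? extends Principal> getOsPrincipalClass() {
        String principalClassName;
        if (PlatformName.IBM_JAVA) {
            if (is64Bit) {
                principalClassName = "com.ibm.security.auth.UsernamePrincipal";
            } else if (windows) {
                principalClassName = "com.ibm.security.auth.NTUserPrincipal";
            } else if (aix) {
                principalClassName = "com.ibm.security.auth.AIXPrincipal";
            } else {
                principalClassName = "com.ibm.security.auth.LinuxPrincipal";
            }
        } else {
            principalClassName = windows ? "com.sun.security.auth.NTUserPrincipal" : "com.sun.security.auth.UnixPrincipal";
        }
        ClassLoader systemClassLoader = ClassLoader.getSystemClassLoader();
        try {
            // loadClass() yields Class<?>, which is not assignable to the declared return
            // type; asSubclass() narrows it with a runtime check.
            return systemClassLoader.loadClass(principalClassName).asSubclass(Principal.class);
        } catch (ClassNotFoundException e) {
            LOG.error("Unable to find JAAS classes:" + e.getMessage());
            return null;
        }
    }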

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Puts {@code file://} in front of a keytab location unless it already starts with it.
     *
     * @param str the keytab location; must not be {@code null}
     * @return {@code str} unchanged when it already has the prefix, else the prefixed form
     */
    public static String prependFileAuthority(String str) {
        final String fileAuthority = "file://";
        if (str.startsWith(fileAuthority)) {
            return str;
        }
        return fileAuthority + str;
    }

    /**
     * Builds a {@code LoginContext} with no callback handler while the thread's context
     * class loader is temporarily set to the loader of {@code HadoopLoginModule}. The
     * previous context class loader is restored on every exit path.
     *
     * @param str the JAAS application name
     * @param subject the Subject to log in, or {@code null}
     * @param configuration the JAAS configuration to resolve the name against
     * @throws LoginException if the context cannot be created
     */
    private static LoginContext newLoginContext(String str, Subject subject, javax.security.auth.login.Configuration configuration) throws LoginException {
        final Thread caller = Thread.currentThread();
        final ClassLoader previousLoader = caller.getContextClassLoader();
        caller.setContextClassLoader(HadoopLoginModule.class.getClassLoader());
        try {
            return new LoginContext(str, subject, (CallbackHandler) null, configuration);
        } finally {
            caller.setContextClassLoader(previousLoader);
        }
    }

    /** @return the login context stored on this UGI's {@code User} principal */
    private LoginContext getLogin() {
        LoginContext login = user.getLogin();
        return login;
    }

    /**
     * Stores the login context on this UGI's {@code User} principal.
     *
     * @param loginContext the context to store; callers in this file also pass {@code null}
     */
    private void setLogin(LoginContext loginContext) {
        user.setLogin(loginContext);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Wraps a Subject that already carries a {@code User} principal.
     *
     * <p>The first {@code User} principal becomes this UGI's user; the iterator call fails
     * with {@code NoSuchElementException} when the Subject has none. The keytab and ticket
     * flags are computed once, from the private credentials present at this moment.
     *
     * @param subject the Subject to wrap
     */
    public UserGroupInformation(Subject subject) {
        this.subject = subject;
        Set<User> userPrincipals = subject.getPrincipals(User.class);
        this.user = userPrincipals.iterator().next();
        boolean noKeytab = subject.getPrivateCredentials(KEY_TAB_CLASS).isEmpty();
        this.isKeytab = !noKeytab;
        boolean noTicket = subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
        this.isKrbTkt = !noTicket;
    }

    /**
     * @return {@code true} when the Subject held a keytab or a Kerberos ticket at the time
     *     this UGI was constructed
     */
    public boolean hasKerberosCredentials() {
        if (isKeytab) {
            return true;
        }
        return isKrbTkt;
    }

    /**
     * Returns the UGI for the calling access-control context. When that context carries a
     * Subject with a {@code User} principal, the Subject is wrapped in a new UGI; otherwise
     * the process-wide login user is returned.
     *
     * @throws IOException if the login user has to be established and that login fails
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static synchronized UserGroupInformation getCurrentUser() throws IOException {
        Subject contextSubject = Subject.getSubject(AccessController.getContext());
        if (contextSubject != null && !contextSubject.getPrincipals(User.class).isEmpty()) {
            return new UserGroupInformation(contextSubject);
        }
        return getLoginUser();
    }

    /**
     * Chooses a UGI from whichever inputs are present: a ticket cache path wins, then a
     * user name, and with neither the current user is returned.
     *
     * <p>The user-name branch goes to {@code createRemoteUser}; no credential is presented
     * for that name in this method.
     *
     * @param str the ticket cache path, or {@code null}
     * @param str2 the user name, or {@code null}
     */
    public static UserGroupInformation getBestUGI(String str, String str2) throws IOException {
        if (str != null) {
            return getUGIFromTicketCache(str, str2);
        }
        if (str2 != null) {
            return createRemoteUser(str2);
        }
        return getCurrentUser();
    }

    /**
     * Logs in from a Kerberos ticket cache file and returns a UGI for the principal found.
     *
     * <p>When Kerberos is not the configured method the ticket cache is ignored and the
     * call falls back to {@code getBestUGI(null, str2)}. On IBM Java the cache path is
     * published through the JVM-wide {@code KRB5CCNAME} system property, so it affects the
     * whole process rather than this login only. When the login yields several principals,
     * a warning is logged and the first one returned by the iterator is used.
     *
     * @param str the ticket cache path
     * @param str2 the user name used by the non-Kerberos fallback
     * @throws IOException if the JAAS login fails
     * @throws RuntimeException if the login produced no principal
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static UserGroupInformation getUGIFromTicketCache(String str, String str2) throws IOException {
        if (!isAuthenticationMethodEnabled(AuthenticationMethod.KERBEROS)) {
            return getBestUGI(null, str2);
        }
        try {
            Map<String, String> krbOptions = new HashMap<String, String>();
            if (PlatformName.IBM_JAVA) {
                krbOptions.put("useDefaultCcache", "true");
                System.setProperty("KRB5CCNAME", str);
            } else {
                krbOptions.put("doNotPrompt", "true");
                krbOptions.put("useTicketCache", "true");
                krbOptions.put("useKeyTab", "false");
                krbOptions.put("ticketCache", str);
            }
            krbOptions.put("renewTGT", "false");
            krbOptions.putAll(HadoopConfiguration.BASIC_JAAS_OPTIONS);

            AppConfigurationEntry krbEntry = new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, krbOptions);
            DynamicConfiguration jaasConfig = new DynamicConfiguration(new AppConfigurationEntry[]{krbEntry});
            LoginContext login = newLoginContext("hadoop-user-kerberos", null, jaasConfig);
            login.login();

            Subject loginSubject = login.getSubject();
            Set<Principal> loginPrincipals = loginSubject.getPrincipals();
            if (loginPrincipals.isEmpty()) {
                throw new RuntimeException("No login principals found!");
            }
            if (loginPrincipals.size() != 1) {
                LOG.warn("found more than one principal in the ticket cache file " + str);
            }
            String principalName = loginPrincipals.iterator().next().getName();
            loginSubject.getPrincipals().add(new User(principalName, AuthenticationMethod.KERBEROS, login));

            UserGroupInformation ticketCacheUgi = new UserGroupInformation(loginSubject);
            ticketCacheUgi.setLogin(login);
            ticketCacheUgi.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
            return ticketCacheUgi;
        } catch (LoginException e) {
            throw new IOException("failure to login using ticket cache file " + str, e);
        }
    }

    /**
     * Builds a Kerberos UGI around a Subject supplied by the caller.
     *
     * <p>The Subject is modified: a {@code User} principal named after its first
     * {@code KerberosPrincipal} is added to it. The resulting UGI has no login context.
     * Only the presence of a {@code KerberosPrincipal} is checked here.
     *
     * @param subject the Subject to wrap; must hold at least one {@code KerberosPrincipal}
     * @throws IOException if {@code subject} is {@code null} or has no {@code KerberosPrincipal}
     */
    public static UserGroupInformation getUGIFromSubject(Subject subject) throws IOException {
        if (subject == null) {
            throw new IOException("Subject must not be null");
        }
        if (subject.getPrincipals(KerberosPrincipal.class).isEmpty()) {
            throw new IOException("Provided Subject must contain a KerberosPrincipal");
        }
        KerberosPrincipal firstKerberosPrincipal = subject.getPrincipals(KerberosPrincipal.class).iterator().next();
        User hadoopUser = new User(firstKerberosPrincipal.getName(), AuthenticationMethod.KERBEROS, null);
        subject.getPrincipals().add(hadoopUser);

        UserGroupInformation subjectUgi = new UserGroupInformation(subject);
        subjectUgi.setLogin(null);
        subjectUgi.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
        return subjectUgi;
    }

    /**
     * Returns the process-wide login user, logging in with a fresh Subject on first use.
     *
     * @throws IOException if that first login fails
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static synchronized UserGroupInformation getLoginUser() throws IOException {
        if (loginUser != null) {
            return loginUser;
        }
        loginUserFromSubject(null);
        return loginUser;
    }

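    /**
     * Performs the JAAS login for the configured authentication method and installs the
     * result as the process-wide login user.
     *
     * <p>Two inputs come from the process environment and change the resulting identity
     * and credentials, so they deserve the same protection as the credentials themselves:
     * <ul>
     *   <li>{@code HADOOP_PROXY_USER} (environment variable, then system property): when
     *       set, the login user becomes a proxy user of that name on top of the real
     *       login.</li>
     *   <li>{@code HADOOP_TOKEN_FILE_LOCATION} (environment variable): when set, the token
     *       storage file at that path is read and its tokens are added to the login
     *       user.</li>
     * </ul>
     *
     * @param subject the Subject to log in, or {@code null} to start from an empty one
     * @throws IOException if the login fails; the {@code LoginException} is kept as the cause
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static synchronized void loginUserFromSubject(Subject subject) throws IOException {
        ensureInitialized();
        // The LoginException handler has to enclose the JAAS calls: newLoginContext() and
        // LoginContext.login() are the statements that throw it, and this method declares
        // IOException only.
        try {
            if (subject == null) {
                subject = new Subject();
            }
            LoginContext login = newLoginContext(authenticationMethod.getLoginAppName(), subject, new HadoopConfiguration());
            login.login();
            // Record the login context and method on the User principal of the subject,
            // then build the UGI that is kept from the context's subject.
            UserGroupInformation loggedIn = new UserGroupInformation(subject);
            loggedIn.setLogin(login);
            loggedIn.setAuthenticationMethod(authenticationMethod);
            UserGroupInformation realUser = new UserGroupInformation(login.getSubject());

            String proxyUser = System.getenv(HADOOP_PROXY_USER);
            if (proxyUser == null) {
                proxyUser = System.getProperty(HADOOP_PROXY_USER);
            }
            loginUser = proxyUser == null ? realUser : createProxyUser(proxyUser, realUser);

            String tokenFile = System.getenv(HADOOP_TOKEN_FILE_LOCATION);
            if (tokenFile != null) {
                loginUser.addCredentials(Credentials.readTokenStorageFile(new File(tokenFile), conf));
            }
            loginUser.spawnAutoRenewalThreadForUserCreds();
        } catch (LoginException e) {
            LOG.debug("failure to login", e);
            throw new IOException("failure to login", e);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("UGI loginUser:" + loginUser);
        }
    }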

    /**
     * Test hook: replaces the cached process-wide login user without performing a login.
     *
     * @param userGroupInformation the new login user; {@code null} clears the cache
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    @InterfaceStability.Unstable
    public static synchronized void setLoginUser(UserGroupInformation userGroupInformation) {
        UserGroupInformation.loginUser = userGroupInformation;
    }

    /** @return {@code true} when the Subject held a keytab credential at construction time */
    public boolean isFromKeytab() {
        return isKeytab;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Looks through the Subject's private Kerberos tickets for the one that
     * {@code SecurityUtil.isOriginalTGT} accepts.
     *
     * @return the first such ticket, or {@code null} when there is none
     */
    public synchronized KerberosTicket getTGT() {
        Set<KerberosTicket> tickets = this.subject.getPrivateCredentials(KerberosTicket.class);
        for (KerberosTicket ticket : tickets) {
            if (!SecurityUtil.isOriginalTGT(ticket)) {
                continue;
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Found tgt " + ticket);
            }
            return ticket;
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: private */
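    /**
     * Computes when a ticket should be renewed: its start time plus
     * {@code TICKET_RENEW_WINDOW} times its validity period.
     *
     * @param kerberosTicket the ticket to inspect
     * @return the refresh instant, on the same time scale as {@code Date.getTime()}
     */
    public long getRefreshTime(KerberosTicket kerberosTicket) {
        // The decompiled listing referred to an undeclared register name here; the start
        // time is read once and used for both the offset and the period.
        long start = kerberosTicket.getStartTime().getTime();
        long end = kerberosTicket.getEndTime().getTime();
        // The product is a float; cast back to long to match the declared return type.
        return start + (long) ((end - start) * TICKET_RENEW_WINDOW);
    }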

    /**
     * Starts a daemon thread that keeps this user's TGT fresh. It runs only when security
     * is enabled, the user authenticated with Kerberos and the login did not come from a
     * keytab.
     *
     * <p>The thread sleeps until the refresh time, runs the renewal command with
     * {@code -R}, re-logs in from the ticket cache and schedules the next round no sooner
     * than {@code MIN_TIME_BEFORE_RELOGIN} after the time read at the start of the round.
     * It stops when no TGT is found, on an I/O error, or when interrupted.
     *
     * <p>The program that is executed is read from the {@code hadoop.kerberos.kinit.command}
     * configuration key (default {@code kinit}), so write access to that configuration
     * decides which executable this process runs.
     */
    private void spawnAutoRenewalThreadForUserCreds() {
        boolean renewable = isSecurityEnabled()
                && this.user.getAuthenticationMethod() == AuthenticationMethod.KERBEROS
                && !this.isKeytab;
        if (!renewable) {
            return;
        }
        Runnable renewer = new Runnable() {
            @Override
            public void run() {
                String kinitCommand = UserGroupInformation.conf.get("hadoop.kerberos.kinit.command", "kinit");
                KerberosTicket currentTgt = getTGT();
                if (currentTgt == null) {
                    return;
                }
                long nextRefresh = getRefreshTime(currentTgt);
                // Both handlers end the thread, so one try around the loop is enough.
                try {
                    while (true) {
                        long now = Time.now();
                        if (UserGroupInformation.LOG.isDebugEnabled()) {
                            UserGroupInformation.LOG.debug("Current time is " + now);
                            UserGroupInformation.LOG.debug("Next refresh is " + nextRefresh);
                        }
                        if (now < nextRefresh) {
                            Thread.sleep(nextRefresh - now);
                        }
                        Shell.execCommand(kinitCommand, "-R");
                        if (UserGroupInformation.LOG.isDebugEnabled()) {
                            UserGroupInformation.LOG.debug("renewed ticket");
                        }
                        reloginFromTicketCache();
                        KerberosTicket renewedTgt = getTGT();
                        if (renewedTgt == null) {
                            UserGroupInformation.LOG.warn("No TGT after renewal. Aborting renew thread for " + getUserName());
                            return;
                        }
                        nextRefresh = Math.max(getRefreshTime(renewedTgt), now + MIN_TIME_BEFORE_RELOGIN);
                    }
                } catch (IOException e) {
                    UserGroupInformation.LOG.warn("Exception encountered while running the renewal command. Aborting renew thread. " + e);
                } catch (InterruptedException e2) {
                    UserGroupInformation.LOG.warn("Terminating renewal thread");
                }
            }
        };
        Thread renewalThread = new Thread(renewer);
        renewalThread.setDaemon(true);
        renewalThread.setName("TGT Renewer for " + getUserName());
        renewalThread.start();
    }

    /**
     * Logs in from a keytab and installs the result as the static login user.
     *
     * <p>Does nothing when security is disabled. The static keytab path and principal are
     * overwritten before the login is attempted, so they keep the new values even when the
     * login fails. On success the principal and keytab path are written to the info log.
     *
     * @param str principal to log in as
     * @param str2 path of the keytab file
     * @throws IOException if the underlying login fails; the {@code LoginException} is the cause
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static synchronized void loginUserFromKeytab(String str, String str2) throws IOException {
        if (!isSecurityEnabled()) {
            return;
        }
        keytabFile = str2;
        keytabPrincipal = str;
        Subject keytabSubject = new Subject();
        // Stays 0 until the login call is about to start, so failure timing is recorded only
        // for attempts that reached login().
        long loginStarted = 0;
        try {
            LoginContext context = newLoginContext("hadoop-keytab-kerberos", keytabSubject, new HadoopConfiguration());
            loginStarted = Time.now();
            context.login();
            metrics.loginSuccess.add(Time.now() - loginStarted);
            loginUser = new UserGroupInformation(keytabSubject);
            loginUser.setLogin(context);
            loginUser.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
            LOG.info("Login successful for user " + keytabPrincipal + " using keytab file " + keytabFile);
        } catch (LoginException failure) {
            if (loginStarted > 0) {
                metrics.loginFailure.add(Time.now() - loginStarted);
            }
            throw new IOException("Login failure for " + str + " from keytab " + str2 + ": " + failure, failure);
        }
    }

    /**
     * Re-logs in from the keytab when the TGT is missing or has reached its refresh time.
     *
     * <p>Does nothing unless security is enabled, the user authenticated with Kerberos and the
     * login is keytab based.
     *
     * @throws IOException if the re-login fails
     */
    public synchronized void checkTGTAndReloginFromKeytab() throws IOException {
        if (!isSecurityEnabled()) {
            return;
        }
        if (this.user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS || !this.isKeytab) {
            return;
        }
        KerberosTicket currentTgt = getTGT();
        boolean refreshDue = currentTgt == null
                || shouldRenewImmediatelyForTests
                || Time.now() >= getRefreshTime(currentTgt);
        if (refreshDue) {
            reloginFromKeytab();
        }
    }

    /**
     * Logs out the current keytab login and logs in again with the stored keytab.
     *
     * <p>Does nothing unless security is enabled, the user authenticated with Kerberos and the
     * login is keytab based. The attempt is also skipped when too little time has passed since
     * the last one, or when a TGT exists that has not yet reached its refresh time (both checks
     * are bypassed by {@code shouldRenewImmediatelyForTests}).
     *
     * @throws IOException if no login context or keytab file has been recorded, or if the new
     *     login fails (the {@code LoginException} is the cause)
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public synchronized void reloginFromKeytab() throws IOException {
        if (isSecurityEnabled() && this.user.getAuthenticationMethod() == AuthenticationMethod.KERBEROS && this.isKeytab) {
            long now = Time.now();
            if (shouldRenewImmediatelyForTests || hasSufficientTimeElapsed(now)) {
                KerberosTicket tgt = getTGT();
                if (tgt == null || shouldRenewImmediatelyForTests || now >= getRefreshTime(tgt)) {
                    LoginContext login = getLogin();
                    if (login == null || keytabFile == null) {
                        throw new IOException("loginUserFromKeyTab must be done first");
                    }
                    // Stays 0 until login() is about to be called; see the catch block.
                    long j = 0;
                    // Recorded before the attempt, so a failed attempt also counts toward the
                    // minimum interval checked by hasSufficientTimeElapsed.
                    this.user.setLastLogin(now);
                    try {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("Initiating logout for " + getUserName());
                        }
                        // Logout and the new login run under the class lock in addition to this
                        // instance's monitor.
                        synchronized (UserGroupInformation.class) {
                            // NOTE(review): the old context is logged out before the new login
                            // is attempted; if login() throws, no new context is installed.
                            // Confirm callers tolerate that state.
                            login.logout();
                            LoginContext newLoginContext = newLoginContext("hadoop-keytab-kerberos", getSubject(), new HadoopConfiguration());
                            if (LOG.isDebugEnabled()) {
                                LOG.debug("Initiating re-login for " + keytabPrincipal);
                            }
                            j = Time.now();
                            newLoginContext.login();
                            metrics.loginSuccess.add(Time.now() - j);
                            setLogin(newLoginContext);
                        }
                    } catch (LoginException e) {
                        // Failure timing is recorded only when the login call was reached.
                        if (j > 0) {
                            metrics.loginFailure.add(Time.now() - j);
                        }
                        throw new IOException("Login failure for " + keytabPrincipal + " from keytab " + keytabFile, e);
                    }
                }
            }
        }
    }

    /**
     * Logs out the current ticket-cache login and logs in again from the ticket cache.
     *
     * <p>Does nothing unless security is enabled, the user authenticated with Kerberos and the
     * login is ticket based. The attempt is skipped when too little time has passed since the
     * last one. The last-login time is recorded before the attempt, so a failed attempt also
     * counts toward that interval.
     *
     * @throws IOException if no login context exists, or if the new login fails (the
     *     {@code LoginException} is the cause)
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public synchronized void reloginFromTicketCache() throws IOException {
        if (!isSecurityEnabled()) {
            return;
        }
        if (this.user.getAuthenticationMethod() != AuthenticationMethod.KERBEROS || !this.isKrbTkt) {
            return;
        }
        LoginContext currentLogin = getLogin();
        if (currentLogin == null) {
            throw new IOException("login must be done first");
        }
        long attemptTime = Time.now();
        if (!hasSufficientTimeElapsed(attemptTime)) {
            return;
        }
        this.user.setLastLogin(attemptTime);
        try {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Initiating logout for " + getUserName());
            }
            // The old context is logged out before the replacement login is attempted.
            currentLogin.logout();
            LoginContext replacement = newLoginContext("hadoop-user-kerberos", getSubject(), new HadoopConfiguration());
            if (LOG.isDebugEnabled()) {
                LOG.debug("Initiating re-login for " + getUserName());
            }
            replacement.login();
            setLogin(replacement);
        } catch (LoginException failure) {
            throw new IOException("Login failure for " + getUserName(), failure);
        }
    }

    /**
     * Logs in from a keytab and returns the resulting UGI without replacing the login user.
     *
     * <p>When security is disabled the current user is returned instead. The static keytab path
     * and principal are set to the arguments for the duration of the login and put back
     * afterwards, on success and on failure alike. A previous value of {@code null} is not put
     * back, so if no keytab had been recorded before, the static fields keep this call's values.
     *
     * @param str principal to log in as
     * @param str2 path of the keytab file
     * @return the UGI for the new login, or the current user when security is disabled
     * @throws IOException if the login fails; the {@code LoginException} is the cause
     */
    public static synchronized UserGroupInformation loginUserFromKeytabAndReturnUGI(String str, String str2) throws IOException {
        if (!isSecurityEnabled()) {
            return getCurrentUser();
        }
        String previousKeytabFile = keytabFile;
        String previousPrincipal = keytabPrincipal;
        // Stays 0 until login() is about to be called, so failure timing is recorded only for
        // attempts that reached it.
        long loginStarted = 0;
        try {
            keytabFile = str2;
            keytabPrincipal = str;
            Subject keytabSubject = new Subject();
            LoginContext context = newLoginContext("hadoop-keytab-kerberos", keytabSubject, new HadoopConfiguration());
            loginStarted = Time.now();
            context.login();
            metrics.loginSuccess.add(Time.now() - loginStarted);
            UserGroupInformation result = new UserGroupInformation(keytabSubject);
            result.setLogin(context);
            result.setAuthenticationMethod(AuthenticationMethod.KERBEROS);
            return result;
        } catch (LoginException failure) {
            if (loginStarted > 0) {
                metrics.loginFailure.add(Time.now() - loginStarted);
            }
            throw new IOException("Login failure for " + str + " from keytab " + str2, failure);
        } finally {
            if (previousKeytabFile != null) {
                keytabFile = previousKeytabFile;
            }
            if (previousPrincipal != null) {
                keytabPrincipal = previousPrincipal;
            }
        }
    }

    /**
     * Tells whether at least 600000 ms have passed since the user's recorded last login.
     *
     * <p>Logs a warning when the answer is no.
     *
     * @param j the time to compare against the last login, in milliseconds
     * @return {@code true} if a re-login may be attempted
     */
    private boolean hasSufficientTimeElapsed(long j) {
        long sinceLastLogin = j - this.user.getLastLogin();
        if (sinceLastLogin < 600000) {
            LOG.warn("Not attempting to re-login since the last re-login was attempted less than 600 seconds before.");
            return false;
        }
        return true;
    }

    /**
     * Reports the {@code isKeytab} flag of the login user.
     *
     * @return the login user's keytab flag
     * @throws IOException if the login user cannot be obtained
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static synchronized boolean isLoginKeytabBased() throws IOException {
        UserGroupInformation login = getLoginUser();
        return login.isKeytab;
    }

    /**
     * Reports the {@code isKrbTkt} flag of the login user.
     *
     * @return the login user's ticket flag
     * @throws IOException if the login user cannot be obtained
     */
    public static boolean isLoginTicketBased() throws IOException {
        UserGroupInformation login = getLoginUser();
        return login.isKrbTkt;
    }

    /**
     * Creates a UGI for the given user name with the {@code SIMPLE} authentication method.
     *
     * @param str user name
     * @return the new UGI
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static UserGroupInformation createRemoteUser(String str) {
        SaslRpcServer.AuthMethod defaultMethod = SaslRpcServer.AuthMethod.SIMPLE;
        return createRemoteUser(str, defaultMethod);
    }

    /**
     * Creates a UGI whose subject holds a single {@code User} principal for the given name.
     *
     * <p>The name is taken as given: apart from the null/empty check nothing here verifies it,
     * and the authentication method is simply recorded. Establishing that the name really was
     * authenticated is left to the caller.
     *
     * @param str user name; must be neither null nor empty
     * @param authMethod authentication method to record on the new UGI
     * @return the new UGI
     * @throws IllegalArgumentException if {@code str} is null or empty
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static UserGroupInformation createRemoteUser(String str, SaslRpcServer.AuthMethod authMethod) {
        boolean missingName = str == null || str.isEmpty();
        if (missingName) {
            throw new IllegalArgumentException("Null user");
        }
        Subject remoteSubject = new Subject();
        remoteSubject.getPrincipals().add(new User(str));
        UserGroupInformation remoteUgi = new UserGroupInformation(remoteSubject);
        remoteUgi.setAuthenticationMethod(authMethod);
        return remoteUgi;
    }

    /**
     * Creates a UGI for a user acting on behalf of a real user.
     *
     * <p>The new subject carries a {@code User} principal for the given name and a
     * {@code RealUser} principal wrapping the real user's UGI; its authentication method is
     * {@code PROXY}. Only the null/empty checks are made here: whether the real user is allowed
     * to act as the named user is not checked in this method.
     *
     * @param str name of the user being acted for; must be neither null nor empty
     * @param userGroupInformation UGI of the real user; must not be null
     * @return the new proxy UGI
     * @throws IllegalArgumentException if the name is null or empty, or the real user is null
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static UserGroupInformation createProxyUser(String str, UserGroupInformation userGroupInformation) {
        boolean missingName = str == null || str.isEmpty();
        if (missingName) {
            throw new IllegalArgumentException("Null user");
        }
        if (userGroupInformation == null) {
            throw new IllegalArgumentException("Null real user");
        }
        Subject proxySubject = new Subject();
        Set<Principal> proxyPrincipals = proxySubject.getPrincipals();
        proxyPrincipals.add(new User(str));
        proxyPrincipals.add(new RealUser(userGroupInformation));
        UserGroupInformation proxyUgi = new UserGroupInformation(proxySubject);
        proxyUgi.setAuthenticationMethod(AuthenticationMethod.PROXY);
        return proxyUgi;
    }

    /**
     * Returns the real user behind this UGI, if the subject carries a {@code RealUser} principal.
     *
     * @return the UGI held by the first {@code RealUser} principal, or {@code null} if the
     *     subject has none
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public UserGroupInformation getRealUser() {
        for (RealUser realPrincipal : this.subject.getPrincipals(RealUser.class)) {
            // Only the first principal found is consulted.
            return realPrincipal.getRealUser();
        }
        return null;
    }

    /**
     * Creates a remote-user UGI and registers the given groups for it in a testing group mapping.
     *
     * <p>The static {@code groups} field is replaced by a {@code TestingGroups} wrapper the
     * first time this runs, which changes group resolution for every UGI that reads that field,
     * not only the one returned.
     *
     * @param str user name
     * @param strArr groups to register under the user's short name
     * @return the new UGI
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static UserGroupInformation createUserForTesting(String str, String[] strArr) {
        ensureInitialized();
        UserGroupInformation testUgi = createRemoteUser(str);
        TestingGroups testingGroups;
        if (groups instanceof TestingGroups) {
            testingGroups = (TestingGroups) groups;
        } else {
            testingGroups = new TestingGroups(groups);
            groups = testingGroups;
        }
        testingGroups.setUserGroups(testUgi.getShortUserName(), strArr);
        return testUgi;
    }

    /**
     * Creates a proxy-user UGI and registers the given groups for it in a testing group mapping.
     *
     * <p>The static {@code groups} field is replaced by a {@code TestingGroups} wrapper the
     * first time this runs, which changes group resolution for every UGI that reads that field,
     * not only the one returned.
     *
     * @param str name of the user being acted for
     * @param userGroupInformation UGI of the real user
     * @param strArr groups to register under the proxy user's short name
     * @return the new proxy UGI
     */
    public static UserGroupInformation createProxyUserForTesting(String str, UserGroupInformation userGroupInformation, String[] strArr) {
        ensureInitialized();
        UserGroupInformation testProxyUgi = createProxyUser(str, userGroupInformation);
        TestingGroups testingGroups;
        if (groups instanceof TestingGroups) {
            testingGroups = (TestingGroups) groups;
        } else {
            testingGroups = new TestingGroups(groups);
            groups = testingGroups;
        }
        testingGroups.setUserGroups(testProxyUgi.getShortUserName(), strArr);
        return testProxyUgi;
    }

    /**
     * Returns the short name of the first {@code User} principal in the subject.
     *
     * @return the short name, or {@code null} if the subject has no {@code User} principal
     */
    public String getShortUserName() {
        for (User userPrincipal : this.subject.getPrincipals(User.class)) {
            // Only the first principal found is consulted.
            return userPrincipal.getShortName();
        }
        return null;
    }

    /**
     * Returns the first entry of {@link #getGroupNames()}.
     *
     * @return the first group name
     * @throws IOException if the user has no groups
     */
    public String getPrimaryGroupName() throws IOException {
        String[] names = getGroupNames();
        if (names.length > 0) {
            return names[0];
        }
        throw new IOException("There is no primary group for UGI " + this);
    }

    /**
     * Returns the name held by this UGI's user object.
     *
     * @return the user's name
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public String getUserName() {
        final String fullName = this.user.getName();
        return fullName;
    }

    /**
     * Adds a token identifier to the subject's public credentials.
     *
     * @param tokenIdentifier identifier to add
     * @return the result of the underlying set's {@code add}
     */
    public synchronized boolean addTokenIdentifier(TokenIdentifier tokenIdentifier) {
        final boolean added = this.subject.getPublicCredentials().add(tokenIdentifier);
        return added;
    }

    /**
     * Returns the token identifiers found among the subject's public credentials.
     *
     * @return the public credentials of type {@code TokenIdentifier}
     */
    public synchronized Set<TokenIdentifier> getTokenIdentifiers() {
        final Set<TokenIdentifier> identifiers = this.subject.getPublicCredentials(TokenIdentifier.class);
        return identifiers;
    }

    /**
     * Adds a token under its own service name.
     *
     * @param token token to add; {@code null} is ignored
     * @return {@code false} if {@code token} is null, otherwise the result of
     *     {@link #addToken(Text, Token)}
     */
    public boolean addToken(Token<? extends TokenIdentifier> token) {
        if (token == null) {
            return false;
        }
        return addToken(token.getService(), token);
    }

    /**
     * Adds a token to this UGI's credentials under the given alias.
     *
     * <p>The update is made while holding the subject's monitor.
     *
     * @param text alias to store the token under
     * @param token token to store
     * @return always {@code true}
     */
    public boolean addToken(Text text, Token<? extends TokenIdentifier> token) {
        synchronized (this.subject) {
            Credentials store = getCredentialsInternal();
            store.addToken(text, token);
        }
        return true;
    }

    /**
     * Returns an unmodifiable snapshot of all tokens held in this UGI's credentials.
     *
     * <p>The tokens are copied into a new list while holding the subject's monitor, so later
     * changes to the credentials do not show up in the returned collection.
     *
     * @return unmodifiable copy of the tokens
     */
    public Collection<Token<? extends TokenIdentifier>> getTokens() {
        synchronized (this.subject) {
            ArrayList<Token<? extends TokenIdentifier>> snapshot =
                    new ArrayList<Token<? extends TokenIdentifier>>(getCredentialsInternal().getAllTokens());
            return Collections.unmodifiableCollection(snapshot);
        }
    }

    /**
     * Returns a copy of this UGI's credentials with every {@code Token.PrivateToken} removed.
     *
     * <p>The copy and the filtering are done while holding the subject's monitor. The removal
     * goes through the iterator of the copy's {@code getAllTokens()} collection.
     *
     * @return the filtered copy
     */
    public Credentials getCredentials() {
        synchronized (this.subject) {
            Credentials copy = new Credentials(getCredentialsInternal());
            for (Iterator<Token<? extends TokenIdentifier>> tokens = copy.getAllTokens().iterator(); tokens.hasNext();) {
                Token<? extends TokenIdentifier> candidate = tokens.next();
                if (candidate instanceof Token.PrivateToken) {
                    tokens.remove();
                }
            }
            return copy;
        }
    }

    /**
     * Merges the given credentials into this UGI's credentials.
     *
     * <p>The update is made while holding the subject's monitor.
     *
     * @param credentials credentials to add
     */
    public void addCredentials(Credentials credentials) {
        synchronized (this.subject) {
            Credentials store = getCredentialsInternal();
            store.addAll(credentials);
        }
    }

    /**
     * Returns the {@code Credentials} object stored in the subject's private credentials,
     * creating and storing an empty one if there is none.
     *
     * <p>The returned object is the stored instance itself, not a copy.
     *
     * @return the subject's credentials object
     */
    private synchronized Credentials getCredentialsInternal() {
        Set<Credentials> stored = this.subject.getPrivateCredentials(Credentials.class);
        if (!stored.isEmpty()) {
            return stored.iterator().next();
        }
        Credentials fresh = new Credentials();
        this.subject.getPrivateCredentials().add(fresh);
        return fresh;
    }

    /**
     * Returns the user's group names, de-duplicated and in the order the lookup returned them.
     *
     * <p>If the lookup throws an {@code IOException}, a warning is logged and an empty array is
     * returned, so a failed lookup leaves the user with no groups. The exception itself is not
     * included in the log message.
     *
     * @return the group names, or an empty array when the lookup fails
     */
    public synchronized String[] getGroupNames() {
        ensureInitialized();
        try {
            Set<String> uniqueNames = new LinkedHashSet<String>(groups.getGroups(getShortUserName()));
            String[] result = new String[uniqueNames.size()];
            return uniqueNames.toArray(result);
        } catch (IOException lookupFailure) {
            LOG.warn("No groups available for user " + getShortUserName());
            return new String[0];
        }
    }

    /**
     * Formats this UGI as {@code name (auth:METHOD)}, followed by {@code " via "} and the real
     * user's own string form when there is a real user.
     *
     * @return the formatted description
     */
    @Override
    public String toString() {
        StringBuilder text = new StringBuilder(getUserName());
        text.append(" (auth:").append(getAuthenticationMethod()).append(")");
        UserGroupInformation realUser = getRealUser();
        if (realUser != null) {
            text.append(" via ").append(realUser.toString());
        }
        return text.toString();
    }

    /**
     * Records the authentication method on this UGI's user object.
     *
     * @param authenticationMethod2 method to record
     */
    public synchronized void setAuthenticationMethod(AuthenticationMethod authenticationMethod2) {
        final AuthenticationMethod requested = authenticationMethod2;
        this.user.setAuthenticationMethod(requested);
    }

    /**
     * Records the authentication method that corresponds to the given SASL auth method.
     *
     * @param authMethod SASL auth method to translate with {@code AuthenticationMethod.valueOf}
     */
    public void setAuthenticationMethod(SaslRpcServer.AuthMethod authMethod) {
        AuthenticationMethod translated = AuthenticationMethod.valueOf(authMethod);
        this.user.setAuthenticationMethod(translated);
    }

    /**
     * Returns the authentication method recorded on this UGI's user object.
     *
     * @return the recorded authentication method
     */
    public synchronized AuthenticationMethod getAuthenticationMethod() {
        final AuthenticationMethod recorded = this.user.getAuthenticationMethod();
        return recorded;
    }

    /**
     * Returns the authentication method of the real user, or of this UGI when it has no real
     * user.
     *
     * @return the authentication method of the real user if present, else this UGI's own
     */
    public synchronized AuthenticationMethod getRealAuthenticationMethod() {
        UserGroupInformation realUser = getRealUser();
        UserGroupInformation effective = (realUser != null) ? realUser : this;
        return effective.getAuthenticationMethod();
    }

    /**
     * Returns the given UGI's authentication method, looking through one level of proxying.
     *
     * <p>When the method is {@code PROXY}, the real user's method is returned instead.
     * NOTE(review): the real user is dereferenced without a null check; this relies on every
     * {@code PROXY} UGI carrying a real user - confirm against callers that set the method
     * directly.
     *
     * @param userGroupInformation UGI to inspect
     * @return the UGI's own method, or the real user's method for a proxy UGI
     */
    public static AuthenticationMethod getRealAuthenticationMethod(UserGroupInformation userGroupInformation) {
        AuthenticationMethod ownMethod = userGroupInformation.getAuthenticationMethod();
        if (ownMethod != AuthenticationMethod.PROXY) {
            return ownMethod;
        }
        return userGroupInformation.getRealUser().getAuthenticationMethod();
    }

    /**
     * Compares by subject identity: two UGIs of the same class are equal only when they hold
     * the very same {@code Subject} instance.
     *
     * @param obj object to compare with
     * @return {@code true} if {@code obj} is this object or a UGI of the same class holding the
     *     same subject instance
     */
    @Override
    public boolean equals(Object obj) {
        if (obj == this) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        UserGroupInformation other = (UserGroupInformation) obj;
        return this.subject == other.subject;
    }

    /**
     * Returns the identity hash code of the subject, matching the identity comparison done by
     * {@link #equals(Object)}.
     *
     * @return identity hash code of the subject
     */
    @Override
    public int hashCode() {
        final int subjectIdentity = System.identityHashCode(this.subject);
        return subjectIdentity;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns the subject held by this UGI.
     *
     * <p>This is the live instance, not a copy, so the caller receives the same object whose
     * principals and credentials the other methods of this class read and modify.
     *
     * @return this UGI's subject
     */
    public Subject getSubject() {
        final Subject held = this.subject;
        return held;
    }

    /**
     * Runs the action as this UGI's subject.
     *
     * @param privilegedAction action to run
     * @param <T> result type of the action
     * @return the action's result
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public <T> T doAs(PrivilegedAction<T> privilegedAction) {
        // Called directly from here: logPrivilegedAction reports a fixed stack frame.
        logPrivilegedAction(this.subject, privilegedAction);
        T outcome = Subject.doAs(this.subject, privilegedAction);
        return outcome;
    }

    /**
     * Runs the action as this UGI's subject and unwraps any exception it throws.
     *
     * <p>A {@code PrivilegedActionException} is replaced by its cause when the cause is an
     * {@code IOException}, {@code Error}, {@code RuntimeException} or
     * {@code InterruptedException}; any other cause is wrapped in an
     * {@code UndeclaredThrowableException}.
     *
     * @param privilegedExceptionAction action to run
     * @param <T> result type of the action
     * @return the action's result
     * @throws IOException if the action threw one
     * @throws InterruptedException if the action threw one
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public <T> T doAs(PrivilegedExceptionAction<T> privilegedExceptionAction) throws IOException, InterruptedException {
        // Called directly from here: logPrivilegedAction reports a fixed stack frame.
        logPrivilegedAction(this.subject, privilegedExceptionAction);
        try {
            return Subject.doAs(this.subject, privilegedExceptionAction);
        } catch (PrivilegedActionException wrapped) {
            Throwable root = wrapped.getCause();
            if (LOG.isDebugEnabled()) {
                LOG.debug("PrivilegedActionException as:" + this + " cause:" + root);
            }
            if (root instanceof IOException) {
                throw (IOException) root;
            } else if (root instanceof Error) {
                throw (Error) root;
            } else if (root instanceof RuntimeException) {
                throw (RuntimeException) root;
            } else if (root instanceof InterruptedException) {
                throw (InterruptedException) root;
            }
            throw new UndeclaredThrowableException(root);
        }
    }

    /**
     * Writes a debug line naming this UGI and the code location that invoked {@code doAs}.
     *
     * <p>Neither parameter is read; the location is taken from the current stack.
     *
     * @param subject unused
     * @param obj unused
     */
    private void logPrivilegedAction(Subject subject, Object obj) {
        if (!LOG.isDebugEnabled()) {
            return;
        }
        // Frame 0 is this method and frame 1 its direct caller, so frame 2 is the caller's
        // caller. The index only points at the right place when this method is called directly.
        StackTraceElement origin = new Throwable().getStackTrace()[2];
        LOG.debug("PrivilegedAction as:" + this + " from:" + origin.toString());
    }

    /**
     * Prints the user name and group names of this UGI to standard output.
     *
     * <p>The "Group Ids" line is printed with no values after the label.
     *
     * @throws IOException declared by the signature; nothing in this body throws it directly
     */
    private void print() throws IOException {
        System.out.println("User: " + getUserName());
        System.out.println("Group Ids: ");
        StringBuilder groupLine = new StringBuilder("Groups: ");
        for (String groupName : getGroupNames()) {
            groupLine.append(groupName).append(" ");
        }
        System.out.println(groupLine);
    }

    /**
     * Prints details of the current user and, when given two arguments, logs in from a keytab
     * and prints the details again.
     *
     * @param strArr either empty, or a principal followed by a keytab path
     * @throws Exception if obtaining the user or the keytab login fails
     */
    public static void main(String[] strArr) throws Exception {
        System.out.println("Getting UGI for current user");
        UserGroupInformation initialUser = getCurrentUser();
        initialUser.print();
        System.out.println("UGI: " + initialUser);
        System.out.println("Auth method " + initialUser.user.getAuthenticationMethod());
        System.out.println("Keytab " + initialUser.isKeytab);
        System.out.println("============================================================");
        if (strArr.length != 2) {
            return;
        }
        String principal = strArr[0];
        String keytabPath = strArr[1];
        System.out.println("Getting UGI from keytab....");
        loginUserFromKeytab(principal, keytabPath);
        getCurrentUser().print();
        // This line prints the UGI obtained before the keytab login, as the original does.
        System.out.println("Keytab: " + initialUser);
        System.out.println("Auth method " + loginUser.user.getAuthenticationMethod());
        System.out.println("Keytab " + loginUser.isKeytab);
    }

    // Selects the class stored in KEY_TAB_CLASS: javax.security.auth.kerberos.KeyTab when the
    // runtime can load it, otherwise KerberosKey.
    static {
        // Fallback, assigned first so it stays in place if the lookup below fails.
        KEY_TAB_CLASS = KerberosKey.class;
        try {
            KEY_TAB_CLASS = Class.forName("javax.security.auth.kerberos.KeyTab");
        } catch (ClassNotFoundException e) {
            // Deliberately ignored: the class is not available, keep the KerberosKey fallback.
        }
    }
}
