package org.apache.hadoop.security.authorize;

import java.io.IOException;
import java.net.InetAddress;
import java.util.IdentityHashMap;
import java.util.Map;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.KerberosInfo;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;

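/**
 * Holds the per-protocol access control lists for service-level authorization
 * and checks incoming connections against them.
 *
 * <p>Thread-safety: {@link #refresh} builds a complete new map and publishes it
 * with a single write to a {@code volatile} field, so threads calling
 * {@link #authorize} see either the old policy or the new one, never a
 * partially populated map. A published map is not mutated afterwards.
 */
@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
@InterfaceStability.Evolving
/* loaded from: input_file:WEB-INF/lib/hadoop-common-2.0.1-alpha.jar:org/apache/hadoop/security/authorize/ServiceAuthorizationManager.class */
public class ServiceAuthorizationManager {
    /** Policy resource used when the {@code hadoop.policy.file} system property is not set. */
    private static final String HADOOP_POLICY_FILE = "hadoop-policy.xml";

    /**
     * Protocol class to ACL, keyed by class identity.
     *
     * <p>Declared {@code volatile} because {@link #authorize} reads it without
     * holding the monitor that {@link #refresh} takes. Without it, a thread
     * could keep authorizing against a revoked policy after a refresh.
     */
    private volatile Map<Class<?>, AccessControlList> protocolToAcl =
            new IdentityHashMap<Class<?>, AccessControlList>();

    @Deprecated
    public static final String SERVICE_AUTHORIZATION_CONFIG = "hadoop.security.authorization";
    /** Audit logger; every allow and deny decision made by {@link #authorize} is written here. */
    public static final Log AUDITLOG = LogFactory.getLog("SecurityLogger." + ServiceAuthorizationManager.class.getName());
    private static final String AUTHZ_SUCCESSFUL_FOR = "Authorization successful for ";
    private static final String AUTHZ_FAILED_FOR = "Authorization failed for ";

    /**
     * Authorizes a user to use a protocol.
     *
     * <p>Access is granted only if the protocol has a registered ACL, the ACL
     * allows the user, and, when an expected client Kerberos principal could
     * be resolved for the protocol, that principal equals the user's name.
     *
     * @param userGroupInformation the caller being authorized
     * @param cls the protocol class the caller wants to use
     * @param configuration configuration used to look up the expected client principal
     * @param inetAddress address of the connecting client
     * @throws AuthorizationException if the protocol is unknown, the expected
     *     principal cannot be determined, or the caller is not authorized
     */
    public void authorize(UserGroupInformation userGroupInformation, Class<?> cls, Configuration configuration, InetAddress inetAddress) throws AuthorizationException {
        // Single volatile read: the whole decision is made against one policy snapshot.
        AccessControlList acl = this.protocolToAcl.get(cls);
        if (acl == null) {
            // Fail closed: a protocol with no registered ACL is rejected.
            throw new AuthorizationException("Protocol " + cls + " is not known.");
        }

        String expectedPrincipal = null;
        KerberosInfo kerberosInfo = SecurityUtil.getKerberosInfo(cls, configuration);
        if (kerberosInfo != null) {
            // clientPrincipal() yields a configuration key, not the principal itself.
            String principalKey = kerberosInfo.clientPrincipal();
            if (principalKey != null && !principalKey.isEmpty()) {
                try {
                    // NOTE(review): if this lookup yields null (for example the key
                    // is absent from the configuration), the principal comparison
                    // below is skipped and only the ACL applies. Confirm against
                    // SecurityUtil.getServerPrincipal that this is intended.
                    expectedPrincipal = SecurityUtil.getServerPrincipal(configuration.get(principalKey), inetAddress);
                } catch (IOException e) {
                    throw ((AuthorizationException) new AuthorizationException("Can't figure out Kerberos principal name for connection from " + inetAddress + " for user=" + userGroupInformation + " protocol=" + cls).initCause(e));
                }
            }
        }

        boolean principalMatches = expectedPrincipal == null
                || expectedPrincipal.equals(userGroupInformation.getUserName());
        if (!principalMatches || !acl.isUserAllowed(userGroupInformation)) {
            AUDITLOG.warn(AUTHZ_FAILED_FOR + userGroupInformation + " for protocol=" + cls + ", expected client Kerberos principal is " + expectedPrincipal);
            throw new AuthorizationException("User " + userGroupInformation + " is not authorized for protocol " + cls + ", expected client Kerberos principal is " + expectedPrincipal);
        }
        AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + userGroupInformation + " for protocol=" + cls);
    }

    /**
     * Rebuilds the protocol ACL table from the policy file and replaces the
     * current table in one step.
     *
     * @param configuration base configuration; it is copied, not modified
     * @param policyProvider supplies the services whose ACLs are loaded
     */
    public synchronized void refresh(Configuration configuration, PolicyProvider policyProvider) {
        // The policy resource name can be overridden with -Dhadoop.policy.file.
        String policyFile = System.getProperty("hadoop.policy.file", HADOOP_POLICY_FILE);
        Configuration policyConf = new Configuration(configuration);
        policyConf.addResource(policyFile);

        Map<Class<?>, AccessControlList> newAcls = new IdentityHashMap<Class<?>, AccessControlList>();
        Service[] services = policyProvider.getServices();
        if (services != null) {
            for (Service service : services) {
                // A service whose key is missing from the policy gets the ACL
                // string "*". Presumably that is the allow-all wildcard, which
                // makes an unconfigured service open by default. Confirm against
                // AccessControlList and list every service key explicitly in the
                // policy file.
                newAcls.put(service.getProtocol(), new AccessControlList(policyConf.get(service.getServiceKey(), "*")));
            }
        }
        // Publish the fully built map with one volatile write.
        this.protocolToAcl = newAcls;
    }

    /**
     * Returns the protocols that currently have an ACL registered.
     *
     * @return the key set of the current ACL table; a view of the internal map,
     *     callers should treat it as read-only
     */
    Set<Class<?>> getProtocolsWithAcls() {
        return this.protocolToAcl.keySet();
    }
}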
