package org.apache.hadoop.yarn.server.resourcemanager.security;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.Timer;
import java.util.TimerTask;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.hbase.shaded.com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.hbase.shaded.com.google.common.util.concurrent.ThreadFactoryBuilder;
import org.apache.hadoop.hbase.shaded.org.apache.commons.configuration.tree.DefaultExpressionEngine;
import org.apache.hadoop.io.DataOutputBuffer;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
import org.apache.hadoop.service.AbstractService;
import org.apache.hadoop.util.StringUtils;
import org.apache.hadoop.util.Time;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.event.AbstractEvent;
import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEvent;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEventType;

@InterfaceAudience.Private
@InterfaceStability.Unstable
/* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer.class */
public class DelegationTokenRenewer extends AbstractService {
    private static final Log LOG = LogFactory.getLog(DelegationTokenRenewer.class);
    public static final String SCHEME = "hdfs";
    private Timer renewalTimer;
    private RMContext rmContext;
    private DelegationTokenCancelThread dtCancelThread;
    private ThreadPoolExecutor renewerService;
    private ConcurrentMap<ApplicationId, Set<DelegationTokenToRenew>> appTokens;
    private ConcurrentMap<Token<?>, DelegationTokenToRenew> allTokens;
    private final ConcurrentMap<ApplicationId, Long> delayedRemovalMap;
    private long tokenRemovalDelayMs;
    private Thread delayedRemovalThread;
    private ReadWriteLock serviceStateLock;
    private volatile boolean isServiceStarted;
    private LinkedBlockingQueue<DelegationTokenRenewerEvent> pendingEventQueue;
    private boolean tokenKeepAliveEnabled;
    private boolean hasProxyUserPrivileges;
    private long credentialsValidTimeRemaining;
    public static final String RM_SYSTEM_CREDENTIALS_VALID_TIME_REMAINING = "yarn.resourcemanager.system-credentials.valid-time-remaining";
    public static final long DEFAULT_RM_SYSTEM_CREDENTIALS_VALID_TIME_REMAINING = 10800000;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer$AbstractDelegationTokenRenewerAppEvent.class */
    public static class AbstractDelegationTokenRenewerAppEvent extends DelegationTokenRenewerEvent {
        private Credentials credentials;
        private boolean shouldCancelAtEnd;
        private String user;

        public AbstractDelegationTokenRenewerAppEvent(ApplicationId applicationId, Credentials credentials, boolean z, String str, DelegationTokenRenewerEventType delegationTokenRenewerEventType) {
            super(applicationId, delegationTokenRenewerEventType);
            this.credentials = credentials;
            this.shouldCancelAtEnd = z;
            this.user = str;
        }

        public Credentials getCredentials() {
            return this.credentials;
        }

        public boolean shouldCancelAtEnd() {
            return this.shouldCancelAtEnd;
        }

        public String getUser() {
            return this.user;
        }
    }

    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer$DelayedTokenRemovalRunnable.class */
    private class DelayedTokenRemovalRunnable implements Runnable {
        private long waitTimeMs;

        DelayedTokenRemovalRunnable(Configuration configuration) {
            this.waitTimeMs = configuration.getLong(YarnConfiguration.RM_DELAYED_DELEGATION_TOKEN_REMOVAL_INTERVAL_MS, 30000L);
        }

        @Override // java.lang.Runnable
        public void run() {
            ArrayList<ApplicationId> arrayList = new ArrayList();
            while (!Thread.currentThread().isInterrupted()) {
                arrayList.clear();
                for (Map.Entry entry : DelegationTokenRenewer.this.delayedRemovalMap.entrySet()) {
                    if (((Long) entry.getValue()).longValue() < System.currentTimeMillis()) {
                        arrayList.add(entry.getKey());
                    }
                }
                for (ApplicationId applicationId : arrayList) {
                    DelegationTokenRenewer.this.removeApplicationFromRenewal(applicationId);
                    DelegationTokenRenewer.this.delayedRemovalMap.remove(applicationId);
                }
                synchronized (this) {
                    try {
                        wait(this.waitTimeMs);
                    } catch (InterruptedException e) {
                        DelegationTokenRenewer.LOG.info("Delayed Deletion Thread Interrupted. Shutting it down");
                        return;
                    }
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer$DelegationTokenCancelThread.class */
    public static class DelegationTokenCancelThread extends Thread {
        private LinkedBlockingQueue<TokenWithConf> queue;

        /* JADX INFO: Access modifiers changed from: private */
        /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer$DelegationTokenCancelThread$TokenWithConf.class */
        public static class TokenWithConf {
            Token<?> token;
            Configuration conf;

            TokenWithConf(Token<?> token, Configuration configuration) {
                this.token = token;
                this.conf = configuration;
            }
        }

        public DelegationTokenCancelThread() {
            super("Delegation Token Canceler");
            this.queue = new LinkedBlockingQueue<>();
            setDaemon(true);
        }

        public void cancelToken(Token<?> token, Configuration configuration) {
            TokenWithConf tokenWithConf = new TokenWithConf(token, configuration);
            while (!this.queue.offer(tokenWithConf)) {
                DelegationTokenRenewer.LOG.warn("Unable to add token " + token + " for cancellation. Will retry..");
                try {
                    Thread.sleep(100L);
                } catch (InterruptedException e) {
                    throw new RuntimeException(e);
                }
            }
        }

        @Override // java.lang.Thread, java.lang.Runnable
        public void run() {
            final TokenWithConf tokenWithConf = null;
            while (true) {
                try {
                    tokenWithConf = this.queue.take();
                    if (DelegationTokenRenewer.LOG.isDebugEnabled()) {
                        DelegationTokenRenewer.LOG.debug("Cancelling token " + tokenWithConf.token.getService());
                    }
                    UserGroupInformation.getLoginUser().doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer.DelegationTokenCancelThread.1
                        /* JADX WARN: Can't rename method to resolve collision */
                        @Override // java.security.PrivilegedExceptionAction
                        public Void run() throws Exception {
                            tokenWithConf.token.cancel(tokenWithConf.conf);
                            return null;
                        }
                    });
                } catch (IOException e) {
                    DelegationTokenRenewer.LOG.warn("Failed to cancel token " + tokenWithConf.token + " " + StringUtils.stringifyException(e));
                } catch (InterruptedException e2) {
                    return;
                } catch (RuntimeException e3) {
                    DelegationTokenRenewer.LOG.warn("Failed to cancel token " + tokenWithConf.token + " " + StringUtils.stringifyException(e3));
                } catch (Throwable th) {
                    DelegationTokenRenewer.LOG.warn("Got exception " + StringUtils.stringifyException(th) + ". Exiting..");
                    System.exit(-1);
                }
            }
        }
    }

    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer$DelegationTokenRenewerAppRecoverEvent.class */
    static class DelegationTokenRenewerAppRecoverEvent extends AbstractDelegationTokenRenewerAppEvent {
        public DelegationTokenRenewerAppRecoverEvent(ApplicationId applicationId, Credentials credentials, boolean z, String str) {
            super(applicationId, credentials, z, str, DelegationTokenRenewerEventType.RECOVER_APPLICATION);
        }
    }

    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer$DelegationTokenRenewerAppSubmitEvent.class */
    static class DelegationTokenRenewerAppSubmitEvent extends AbstractDelegationTokenRenewerAppEvent {
        public DelegationTokenRenewerAppSubmitEvent(ApplicationId applicationId, Credentials credentials, boolean z, String str) {
            super(applicationId, credentials, z, str, DelegationTokenRenewerEventType.VERIFY_AND_START_APPLICATION);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer$DelegationTokenRenewerEvent.class */
    public static class DelegationTokenRenewerEvent extends AbstractEvent<DelegationTokenRenewerEventType> {
        private ApplicationId appId;

        public DelegationTokenRenewerEvent(ApplicationId applicationId, DelegationTokenRenewerEventType delegationTokenRenewerEventType) {
            super(delegationTokenRenewerEventType);
            this.appId = applicationId;
        }

        public ApplicationId getApplicationId() {
            return this.appId;
        }
    }

    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer$DelegationTokenRenewerEventType.class */
    enum DelegationTokenRenewerEventType {
        VERIFY_AND_START_APPLICATION,
        RECOVER_APPLICATION,
        FINISH_APPLICATION
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer$DelegationTokenRenewerRunnable.class */
    public final class DelegationTokenRenewerRunnable implements Runnable {
        private DelegationTokenRenewerEvent evt;

        public DelegationTokenRenewerRunnable(DelegationTokenRenewerEvent delegationTokenRenewerEvent) {
            this.evt = delegationTokenRenewerEvent;
        }

        @Override // java.lang.Runnable
        public void run() {
            if (this.evt instanceof DelegationTokenRenewerAppSubmitEvent) {
                handleDTRenewerAppSubmitEvent((DelegationTokenRenewerAppSubmitEvent) this.evt);
                return;
            }
            if (this.evt instanceof DelegationTokenRenewerAppRecoverEvent) {
                DelegationTokenRenewer.this.handleDTRenewerAppRecoverEvent((DelegationTokenRenewerAppRecoverEvent) this.evt);
            } else if (this.evt.getType().equals(DelegationTokenRenewerEventType.FINISH_APPLICATION)) {
                DelegationTokenRenewer.this.handleAppFinishEvent(this.evt);
            }
        }

        private void handleDTRenewerAppSubmitEvent(DelegationTokenRenewerAppSubmitEvent delegationTokenRenewerAppSubmitEvent) {
            try {
                DelegationTokenRenewer.this.handleAppSubmitEvent(delegationTokenRenewerAppSubmitEvent);
                DelegationTokenRenewer.this.rmContext.getDispatcher().getEventHandler().handle(new RMAppEvent(delegationTokenRenewerAppSubmitEvent.getApplicationId(), RMAppEventType.START));
            } catch (Throwable th) {
                DelegationTokenRenewer.LOG.warn("Unable to add the application to the delegation token renewer.", th);
                DelegationTokenRenewer.this.rmContext.getDispatcher().getEventHandler().handle(new RMAppEvent(delegationTokenRenewerAppSubmitEvent.getApplicationId(), RMAppEventType.APP_REJECTED, th.getMessage()));
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @VisibleForTesting
    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer$DelegationTokenToRenew.class */
    public static class DelegationTokenToRenew {
        public final Token<?> token;
        public final Collection<ApplicationId> referringAppIds;
        public final Configuration conf;
        public long expirationDate;
        public RenewalTimerTask timerTask;
        public volatile boolean shouldCancelAtEnd;
        public long maxDate;
        public String user;

        public DelegationTokenToRenew(Collection<ApplicationId> collection, Token<?> token, Configuration configuration, long j, boolean z, String str) {
            this.token = token;
            this.user = str;
            if (token.getKind().equals(new Text("HDFS_DELEGATION_TOKEN"))) {
                try {
                    this.maxDate = ((AbstractDelegationTokenIdentifier) token.decodeIdentifier()).getMaxDate();
                } catch (IOException e) {
                    throw new YarnRuntimeException(e);
                }
            }
            this.referringAppIds = Collections.synchronizedSet(new HashSet(collection));
            this.conf = configuration;
            this.expirationDate = j;
            this.timerTask = null;
            this.shouldCancelAtEnd = z;
        }

        public void setTimerTask(RenewalTimerTask renewalTimerTask) {
            this.timerTask = renewalTimerTask;
        }

        @VisibleForTesting
        public void cancelTimer() {
            if (this.timerTask != null) {
                this.timerTask.cancel();
            }
        }

        @VisibleForTesting
        public boolean isTimerCancelled() {
            return this.timerTask != null && this.timerTask.cancelled.get();
        }

        public String toString() {
            return this.token + ";exp=" + this.expirationDate + "; apps=" + this.referringAppIds;
        }

        public boolean equals(Object obj) {
            return (obj instanceof DelegationTokenToRenew) && this.token.equals(((DelegationTokenToRenew) obj).token);
        }

        public int hashCode() {
            return this.token.hashCode();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/DelegationTokenRenewer$RenewalTimerTask.class */
    public class RenewalTimerTask extends TimerTask {
        private DelegationTokenToRenew dttr;
        private AtomicBoolean cancelled = new AtomicBoolean(false);

        RenewalTimerTask(DelegationTokenToRenew delegationTokenToRenew) {
            this.dttr = delegationTokenToRenew;
        }

        @Override // java.util.TimerTask, java.lang.Runnable
        public void run() {
            if (this.cancelled.get()) {
                return;
            }
            Token<?> token = this.dttr.token;
            try {
                DelegationTokenRenewer.this.requestNewHdfsDelegationTokenIfNeeded(this.dttr);
                if (this.dttr.isTimerCancelled()) {
                    DelegationTokenRenewer.LOG.info("The token was removed already. Token = [" + this.dttr + DefaultExpressionEngine.DEFAULT_ATTRIBUTE_END);
                } else {
                    DelegationTokenRenewer.this.renewToken(this.dttr);
                    DelegationTokenRenewer.this.setTimerForTokenRenewal(this.dttr);
                }
            } catch (Exception e) {
                DelegationTokenRenewer.LOG.error("Exception renewing token" + token + ". Not rescheduled", e);
                DelegationTokenRenewer.this.removeFailedDelegationToken(this.dttr);
            }
        }

        @Override // java.util.TimerTask
        public boolean cancel() {
            this.cancelled.set(true);
            return super.cancel();
        }
    }

    public DelegationTokenRenewer() {
        super(DelegationTokenRenewer.class.getName());
        this.dtCancelThread = new DelegationTokenCancelThread();
        this.appTokens = new ConcurrentHashMap();
        this.allTokens = new ConcurrentHashMap();
        this.delayedRemovalMap = new ConcurrentHashMap();
        this.serviceStateLock = new ReentrantReadWriteLock();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.hadoop.service.AbstractService
    public void serviceInit(Configuration configuration) throws Exception {
        this.hasProxyUserPrivileges = configuration.getBoolean(YarnConfiguration.RM_PROXY_USER_PRIVILEGES_ENABLED, YarnConfiguration.DEFAULT_RM_PROXY_USER_PRIVILEGES_ENABLED);
        this.tokenKeepAliveEnabled = configuration.getBoolean(YarnConfiguration.LOG_AGGREGATION_ENABLED, false);
        this.tokenRemovalDelayMs = configuration.getInt(YarnConfiguration.RM_NM_EXPIRY_INTERVAL_MS, 600000);
        this.credentialsValidTimeRemaining = configuration.getLong(RM_SYSTEM_CREDENTIALS_VALID_TIME_REMAINING, DEFAULT_RM_SYSTEM_CREDENTIALS_VALID_TIME_REMAINING);
        setLocalSecretManagerAndServiceAddr();
        this.renewerService = createNewThreadPoolService(configuration);
        this.pendingEventQueue = new LinkedBlockingQueue<>();
        this.renewalTimer = new Timer(true);
        super.serviceInit(configuration);
    }

    protected ThreadPoolExecutor createNewThreadPoolService(Configuration configuration) {
        int i = configuration.getInt(YarnConfiguration.RM_DELEGATION_TOKEN_RENEWER_THREAD_COUNT, 50);
        ThreadFactory build = new ThreadFactoryBuilder().setNameFormat("DelegationTokenRenewer #%d").build();
        ThreadPoolExecutor threadPoolExecutor = new ThreadPoolExecutor(i, i, 3L, TimeUnit.SECONDS, new LinkedBlockingQueue());
        threadPoolExecutor.setThreadFactory(build);
        threadPoolExecutor.allowCoreThreadTimeOut(true);
        return threadPoolExecutor;
    }

    private void setLocalSecretManagerAndServiceAddr() {
        RMDelegationTokenIdentifier.Renewer.setSecretManager(this.rmContext.getRMDelegationTokenSecretManager(), this.rmContext.getClientRMService().getBindAddress());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.hadoop.service.AbstractService
    public void serviceStart() throws Exception {
        this.dtCancelThread.start();
        if (this.tokenKeepAliveEnabled) {
            this.delayedRemovalThread = new Thread(new DelayedTokenRemovalRunnable(getConfig()), "DelayedTokenCanceller");
            this.delayedRemovalThread.start();
        }
        setLocalSecretManagerAndServiceAddr();
        this.serviceStateLock.writeLock().lock();
        this.isServiceStarted = true;
        this.serviceStateLock.writeLock().unlock();
        while (!this.pendingEventQueue.isEmpty()) {
            processDelegationTokenRenewerEvent(this.pendingEventQueue.take());
        }
        super.serviceStart();
    }

    private void processDelegationTokenRenewerEvent(DelegationTokenRenewerEvent delegationTokenRenewerEvent) {
        this.serviceStateLock.readLock().lock();
        try {
            if (this.isServiceStarted) {
                this.renewerService.execute(new DelegationTokenRenewerRunnable(delegationTokenRenewerEvent));
            } else {
                this.pendingEventQueue.add(delegationTokenRenewerEvent);
            }
        } finally {
            this.serviceStateLock.readLock().unlock();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.hadoop.service.AbstractService
    public void serviceStop() {
        if (this.renewalTimer != null) {
            this.renewalTimer.cancel();
        }
        this.appTokens.clear();
        this.allTokens.clear();
        this.renewerService.shutdown();
        this.dtCancelThread.interrupt();
        try {
            this.dtCancelThread.join(1000L);
        } catch (InterruptedException e) {
            e.printStackTrace();
        }
        if (!this.tokenKeepAliveEnabled || this.delayedRemovalThread == null) {
            return;
        }
        this.delayedRemovalThread.interrupt();
        try {
            this.delayedRemovalThread.join(1000L);
        } catch (InterruptedException e2) {
            LOG.info("Interrupted while joining on delayed removal thread.", e2);
        }
    }

    @VisibleForTesting
    public Set<Token<?>> getDelegationTokens() {
        HashSet hashSet = new HashSet();
        Iterator<Set<DelegationTokenToRenew>> it = this.appTokens.values().iterator();
        while (it.hasNext()) {
            Iterator<DelegationTokenToRenew> it2 = it.next().iterator();
            while (it2.hasNext()) {
                hashSet.add(it2.next().token);
            }
        }
        return hashSet;
    }

    public void addApplicationAsync(ApplicationId applicationId, Credentials credentials, boolean z, String str) {
        processDelegationTokenRenewerEvent(new DelegationTokenRenewerAppSubmitEvent(applicationId, credentials, z, str));
    }

    public void addApplicationAsyncDuringRecovery(ApplicationId applicationId, Credentials credentials, boolean z, String str) {
        processDelegationTokenRenewerEvent(new DelegationTokenRenewerAppRecoverEvent(applicationId, credentials, z, str));
    }

    public void addApplicationSync(ApplicationId applicationId, Credentials credentials, boolean z, String str) throws IOException, InterruptedException {
        handleAppSubmitEvent(new DelegationTokenRenewerAppSubmitEvent(applicationId, credentials, z, str));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void handleAppSubmitEvent(AbstractDelegationTokenRenewerAppEvent abstractDelegationTokenRenewerAppEvent) throws IOException, InterruptedException {
        ApplicationId applicationId = abstractDelegationTokenRenewerAppEvent.getApplicationId();
        Credentials credentials = abstractDelegationTokenRenewerAppEvent.getCredentials();
        boolean shouldCancelAtEnd = abstractDelegationTokenRenewerAppEvent.shouldCancelAtEnd();
        if (credentials == null) {
            return;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Registering tokens for renewal for: appId = " + applicationId);
        }
        Collection<Token<? extends TokenIdentifier>> allTokens = credentials.getAllTokens();
        long currentTimeMillis = System.currentTimeMillis();
        this.appTokens.put(applicationId, Collections.synchronizedSet(new HashSet()));
        HashSet<DelegationTokenToRenew> hashSet = new HashSet();
        boolean z = false;
        for (Token<? extends TokenIdentifier> token : allTokens) {
            if (token.isManaged()) {
                if (token.getKind().equals(new Text("HDFS_DELEGATION_TOKEN"))) {
                    LOG.info(applicationId + " found existing hdfs token " + token);
                    z = true;
                }
                DelegationTokenToRenew delegationTokenToRenew = this.allTokens.get(token);
                if (delegationTokenToRenew == null) {
                    delegationTokenToRenew = new DelegationTokenToRenew(Arrays.asList(applicationId), token, getConfig(), currentTimeMillis, shouldCancelAtEnd, abstractDelegationTokenRenewerAppEvent.getUser());
                    try {
                        renewToken(delegationTokenToRenew);
                    } catch (IOException e) {
                        throw new IOException("Failed to renew token: " + delegationTokenToRenew.token, e);
                    }
                }
                hashSet.add(delegationTokenToRenew);
            }
        }
        if (!hashSet.isEmpty()) {
            for (DelegationTokenToRenew delegationTokenToRenew2 : hashSet) {
                DelegationTokenToRenew putIfAbsent = this.allTokens.putIfAbsent(delegationTokenToRenew2.token, delegationTokenToRenew2);
                if (putIfAbsent != null) {
                    putIfAbsent.referringAppIds.add(applicationId);
                    this.appTokens.get(applicationId).add(putIfAbsent);
                } else {
                    this.appTokens.get(applicationId).add(delegationTokenToRenew2);
                    setTimerForTokenRenewal(delegationTokenToRenew2);
                }
            }
        }
        if (z) {
            return;
        }
        requestNewHdfsDelegationToken(Arrays.asList(applicationId), abstractDelegationTokenRenewerAppEvent.getUser(), shouldCancelAtEnd);
    }

    @VisibleForTesting
    protected void setTimerForTokenRenewal(DelegationTokenToRenew delegationTokenToRenew) throws IOException {
        long currentTimeMillis = delegationTokenToRenew.expirationDate - System.currentTimeMillis();
        long j = delegationTokenToRenew.expirationDate - (currentTimeMillis / 10);
        delegationTokenToRenew.setTimerTask(new RenewalTimerTask(delegationTokenToRenew));
        this.renewalTimer.schedule(delegationTokenToRenew.timerTask, new Date(j));
        LOG.info("Renew " + delegationTokenToRenew + " in " + currentTimeMillis + " ms, appId = " + delegationTokenToRenew.referringAppIds);
    }

    @VisibleForTesting
    protected void renewToken(final DelegationTokenToRenew delegationTokenToRenew) throws IOException {
        try {
            delegationTokenToRenew.expirationDate = ((Long) UserGroupInformation.getLoginUser().doAs(new PrivilegedExceptionAction<Long>() { // from class: org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public Long run() throws Exception {
                    return Long.valueOf(delegationTokenToRenew.token.renew(delegationTokenToRenew.conf));
                }
            })).longValue();
            LOG.info("Renewed delegation-token= [" + delegationTokenToRenew + "], for " + delegationTokenToRenew.referringAppIds);
        } catch (InterruptedException e) {
            throw new IOException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void requestNewHdfsDelegationTokenIfNeeded(DelegationTokenToRenew delegationTokenToRenew) throws IOException, InterruptedException {
        HashSet hashSet;
        if (this.hasProxyUserPrivileges && delegationTokenToRenew.maxDate - delegationTokenToRenew.expirationDate < this.credentialsValidTimeRemaining && delegationTokenToRenew.token.getKind().equals(new Text("HDFS_DELEGATION_TOKEN"))) {
            synchronized (delegationTokenToRenew.referringAppIds) {
                hashSet = new HashSet(delegationTokenToRenew.referringAppIds);
                delegationTokenToRenew.referringAppIds.clear();
            }
            Iterator<ApplicationId> it = hashSet.iterator();
            while (it.hasNext()) {
                Set<DelegationTokenToRenew> set = this.appTokens.get(it.next());
                if (set != null && !set.isEmpty()) {
                    Iterator<DelegationTokenToRenew> it2 = set.iterator();
                    synchronized (set) {
                        while (it2.hasNext()) {
                            DelegationTokenToRenew next = it2.next();
                            if (next.token.getKind().equals(new Text("HDFS_DELEGATION_TOKEN"))) {
                                it2.remove();
                                this.allTokens.remove(next.token);
                                next.cancelTimer();
                                LOG.info("Removed expiring token " + next);
                            }
                        }
                    }
                }
            }
            LOG.info("Token= (" + delegationTokenToRenew + ") is expiring, request new token.");
            requestNewHdfsDelegationToken(hashSet, delegationTokenToRenew.user, delegationTokenToRenew.shouldCancelAtEnd);
        }
    }

    private void requestNewHdfsDelegationToken(Collection<ApplicationId> collection, String str, boolean z) throws IOException, InterruptedException {
        if (!this.hasProxyUserPrivileges) {
            LOG.info("RM proxy-user privilege is not enabled. Skip requesting hdfs tokens.");
            return;
        }
        Credentials credentials = new Credentials();
        Token<?>[] obtainSystemTokensForUser = obtainSystemTokensForUser(str, credentials);
        LOG.info("Received new tokens for " + collection + ". Received " + obtainSystemTokensForUser.length + " tokens.");
        if (obtainSystemTokensForUser.length > 0) {
            for (Token<?> token : obtainSystemTokensForUser) {
                if (token.isManaged()) {
                    DelegationTokenToRenew delegationTokenToRenew = new DelegationTokenToRenew(collection, token, getConfig(), Time.now(), z, str);
                    renewToken(delegationTokenToRenew);
                    setTimerForTokenRenewal(delegationTokenToRenew);
                    Iterator<ApplicationId> it = collection.iterator();
                    while (it.hasNext()) {
                        this.appTokens.get(it.next()).add(delegationTokenToRenew);
                    }
                    LOG.info("Received new token " + token);
                }
            }
        }
        DataOutputBuffer dataOutputBuffer = new DataOutputBuffer();
        credentials.writeTokenStorageToStream(dataOutputBuffer);
        ByteBuffer wrap = ByteBuffer.wrap(dataOutputBuffer.getData(), 0, dataOutputBuffer.getLength());
        Iterator<ApplicationId> it2 = collection.iterator();
        while (it2.hasNext()) {
            this.rmContext.getSystemCredentialsForApps().put(it2.next(), wrap);
        }
    }

    @VisibleForTesting
    protected Token<?>[] obtainSystemTokensForUser(String str, final Credentials credentials) throws IOException, InterruptedException {
        return (Token[]) UserGroupInformation.createProxyUser(str, UserGroupInformation.getLoginUser()).doAs(new PrivilegedExceptionAction<Token<?>[]>() { // from class: org.apache.hadoop.yarn.server.resourcemanager.security.DelegationTokenRenewer.2
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Token<?>[] run() throws Exception {
                FileSystem fileSystem = FileSystem.get(DelegationTokenRenewer.this.getConfig());
                try {
                    return fileSystem.addDelegationTokens(UserGroupInformation.getLoginUser().getUserName(), credentials);
                } finally {
                    fileSystem.close();
                }
            }
        });
    }

    private void cancelToken(DelegationTokenToRenew delegationTokenToRenew) {
        if (delegationTokenToRenew.shouldCancelAtEnd) {
            this.dtCancelThread.cancelToken(delegationTokenToRenew.token, delegationTokenToRenew.conf);
        } else {
            LOG.info("Did not cancel " + delegationTokenToRenew);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void removeFailedDelegationToken(DelegationTokenToRenew delegationTokenToRenew) {
        Collection<ApplicationId> collection = delegationTokenToRenew.referringAppIds;
        synchronized (collection) {
            LOG.error("removing failed delegation token for appid=" + collection + ";t=" + delegationTokenToRenew.token.getService());
            Iterator<ApplicationId> it = collection.iterator();
            while (it.hasNext()) {
                this.appTokens.get(it.next()).remove(delegationTokenToRenew);
            }
        }
        this.allTokens.remove(delegationTokenToRenew.token);
        delegationTokenToRenew.cancelTimer();
    }

    public void applicationFinished(ApplicationId applicationId) {
        processDelegationTokenRenewerEvent(new DelegationTokenRenewerEvent(applicationId, DelegationTokenRenewerEventType.FINISH_APPLICATION));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void handleAppFinishEvent(DelegationTokenRenewerEvent delegationTokenRenewerEvent) {
        if (this.tokenKeepAliveEnabled) {
            this.delayedRemovalMap.put(delegationTokenRenewerEvent.getApplicationId(), Long.valueOf(System.currentTimeMillis() + this.tokenRemovalDelayMs));
        } else {
            removeApplicationFromRenewal(delegationTokenRenewerEvent.getApplicationId());
        }
    }

    public void updateKeepAliveApplications(List<ApplicationId> list) {
        if (!this.tokenKeepAliveEnabled || list == null || list.size() <= 0) {
            return;
        }
        Iterator<ApplicationId> it = list.iterator();
        while (it.hasNext()) {
            this.delayedRemovalMap.put(it.next(), Long.valueOf(System.currentTimeMillis() + this.tokenRemovalDelayMs));
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void removeApplicationFromRenewal(ApplicationId applicationId) {
        this.rmContext.getSystemCredentialsForApps().remove(applicationId);
        Set<DelegationTokenToRenew> remove = this.appTokens.remove(applicationId);
        if (remove == null || remove.isEmpty()) {
            return;
        }
        synchronized (remove) {
            for (DelegationTokenToRenew delegationTokenToRenew : remove) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Removing delegation token for appId=" + applicationId + "; token=" + delegationTokenToRenew.token.getService());
                }
                synchronized (delegationTokenToRenew.referringAppIds) {
                    delegationTokenToRenew.referringAppIds.remove(applicationId);
                    if (delegationTokenToRenew.referringAppIds.isEmpty()) {
                        delegationTokenToRenew.cancelTimer();
                        cancelToken(delegationTokenToRenew);
                        this.allTokens.remove(delegationTokenToRenew.token);
                    }
                }
            }
        }
    }

    public void setRMContext(RMContext rMContext) {
        this.rmContext = rMContext;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void handleDTRenewerAppRecoverEvent(DelegationTokenRenewerAppRecoverEvent delegationTokenRenewerAppRecoverEvent) {
        try {
            handleAppSubmitEvent(delegationTokenRenewerAppRecoverEvent);
        } catch (Throwable th) {
            LOG.warn("Unable to add the application to the delegation token renewer.", th);
        }
    }

    protected ConcurrentMap<Token<?>, DelegationTokenToRenew> getAllTokens() {
        return this.allTokens;
    }
}
