package org.apache.phoenix.coprocessor;

import com.google.protobuf.ByteString;
import com.google.protobuf.RpcCallback;
import com.google.protobuf.RpcController;
import java.io.IOException;
import java.io.Serializable;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.AuthUtil;
import org.apache.hadoop.hbase.CoprocessorEnvironment;
import org.apache.hadoop.hbase.DoNotRetryIOException;
import org.apache.hadoop.hbase.NamespaceDescriptor;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.ClusterConnection;
import org.apache.hadoop.hbase.client.ColumnFamilyDescriptorBuilder;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.RegionInfo;
import org.apache.hadoop.hbase.client.TableDescriptor;
import org.apache.hadoop.hbase.client.TableDescriptorBuilder;
import org.apache.hadoop.hbase.coprocessor.MasterCoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.MasterObserver;
import org.apache.hadoop.hbase.coprocessor.ObserverContext;
import org.apache.hadoop.hbase.coprocessor.ObserverContextImpl;
import org.apache.hadoop.hbase.coprocessor.RegionCoprocessor;
import org.apache.hadoop.hbase.ipc.RpcServer;
import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.UserProvider;
import org.apache.hadoop.hbase.security.access.AccessControlClient;
import org.apache.hadoop.hbase.security.access.AccessControlUtil;
import org.apache.hadoop.hbase.security.access.AccessController;
import org.apache.hadoop.hbase.security.access.AuthResult;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.security.access.UserPermission;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.phoenix.coprocessor.PhoenixMetaDataCoprocessorHost;
import org.apache.phoenix.parse.HintNode;
import org.apache.phoenix.query.QueryServices;
import org.apache.phoenix.schema.PIndexState;
import org.apache.phoenix.schema.PTable;
import org.apache.phoenix.schema.PTableType;
import org.apache.phoenix.util.MetaDataUtil;

/* loaded from: input_file:org/apache/phoenix/coprocessor/PhoenixAccessController.class */
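/**
 * Metadata-endpoint observer that applies HBase ACLs to Phoenix metadata operations.
 *
 * <p>Each {@code pre*} hook does nothing unless {@link QueryServices#PHOENIX_ACLS_ENABLED} is set;
 * {@link #start(CoprocessorEnvironment)} reads it with a default of {@code false}, so checks are off
 * unless explicitly configured. When enabled, table and namespace operations are delegated to every
 * loaded coprocessor that is both a {@link MasterObserver} and an access-control service, and
 * Phoenix-specific READ/EXEC requirements are checked by {@code requireAccess}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>If no access-controller coprocessor is found, the delegated checks iterate over an empty
 *       list and therefore check nothing.</li>
 *   <li>Permission lookups and automatic grants run as the login user via
 *       {@link User#runAsLoginUser(PrivilegedExceptionAction)}, not as the requesting user.</li>
 *   <li>Creating a view or index can automatically grant permissions on dependent tables; those
 *       grants are written to the audit log at INFO, while per-action allow/deny decisions are only
 *       logged at TRACE.</li>
 * </ul>
 */
public class PhoenixAccessController extends BaseMetaDataEndpointObserver {
    private PhoenixMetaDataCoprocessorHost.PhoenixMetaDataControllerEnvironment env;
    // Lazily discovered by getAccessControllers(); volatile so the double-checked initialisation
    // there publishes a fully built list to other threads.
    private volatile List<MasterObserver> accessControllers;
    private boolean accessCheckEnabled;
    private UserProvider userProvider;
    public static final Log LOG = LogFactory.getLog(PhoenixAccessController.class);
    private static final Log AUDITLOG = LogFactory.getLog("SecurityLogger." + PhoenixAccessController.class.getName());

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/phoenix/coprocessor/PhoenixAccessController$Superusers.class */
    /**
     * Process-wide record of the configured superusers and supergroups.
     *
     * <p>State is static and populated by {@link #initialize(Configuration)};
     * {@link #isSuperUser(User)} throws until that has run.
     */
    public static final class Superusers {
        private static final Log LOG = LogFactory.getLog(Superusers.class);
        public static final String SUPERUSER_CONF_KEY = "hbase.superuser";
        private static List<String> superUsers;
        private static List<String> superGroups;
        private static User systemUser;

        private Superusers() {
        }

        /**
         * Loads superusers and supergroups from {@link #SUPERUSER_CONF_KEY} and adds the current
         * (system) user's short name to the superuser list.
         *
         * @param configuration configuration to read the superuser entries from
         * @throws IOException if the current user cannot be resolved
         * @throws IllegalStateException if there is no current user
         */
        public static void initialize(Configuration configuration) throws IOException {
            superUsers = new ArrayList<>();
            superGroups = new ArrayList<>();
            systemUser = User.getCurrent();
            if (systemUser == null) {
                throw new IllegalStateException("Unable to obtain the current user, authorization checks for internal operations will not work correctly!");
            }
            if (LOG.isTraceEnabled()) {
                LOG.trace("Current user name is " + systemUser.getShortName());
            }
            String systemUserName = systemUser.getShortName();
            for (String principal : configuration.getStrings(SUPERUSER_CONF_KEY, new String[0])) {
                if (AuthUtil.isGroupPrincipal(principal)) {
                    superGroups.add(AuthUtil.getGroupName(principal));
                } else {
                    superUsers.add(principal);
                }
            }
            // The user the process runs as is always treated as a superuser.
            superUsers.add(systemUserName);
        }

        /**
         * Reports whether the user's short name, or any of the user's groups, is configured as super.
         *
         * @param user user to test
         * @return {@code true} if the user bypasses permission checks
         * @throws IllegalStateException if {@link #initialize(Configuration)} has not run
         */
        public static boolean isSuperUser(User user) {
            if (superUsers == null) {
                throw new IllegalStateException("Super users/super groups lists haven't been initialized properly.");
            }
            if (superUsers.contains(user.getShortName())) {
                return true;
            }
            for (String group : user.getGroupNames()) {
                if (superGroups.contains(group)) {
                    return true;
                }
            }
            return false;
        }

        /**
         * Returns the live superuser list; it is the same instance {@link #isSuperUser(User)}
         * consults, so callers must not modify it.
         */
        public static List<String> getSuperUsers() {
            return superUsers;
        }

        /** Returns the user captured by {@link #initialize(Configuration)}. */
        public static User getSystemUser() {
            return systemUser;
        }
    }

    @Override // org.apache.phoenix.coprocessor.PhoenixCoprocessor
    public Optional<MetaDataEndpointObserver> getPhoenixObserver() {
        return Optional.of(this);
    }

    /**
     * Returns the loaded coprocessors that are both a {@link MasterObserver} and an
     * access-control service, discovering them on first use.
     *
     * <p>The list is built in a local variable and published only once complete, so a concurrent
     * caller never sees a partially filled list.
     */
    private List<MasterObserver> getAccessControllers() throws IOException {
        List<MasterObserver> controllers = this.accessControllers;
        if (controllers == null) {
            synchronized (this) {
                controllers = this.accessControllers;
                if (controllers == null) {
                    List<MasterObserver> discovered = new ArrayList<>();
                    for (Object coprocessor : this.env.getCoprocessorHost().findCoprocessors(RegionCoprocessor.class)) {
                        if ((coprocessor instanceof AccessControlProtos.AccessControlService.Interface) && (coprocessor instanceof MasterObserver)) {
                            discovered.add((MasterObserver) coprocessor);
                        }
                    }
                    controllers = discovered;
                    this.accessControllers = discovered;
                }
            }
        }
        return controllers;
    }

    /**
     * Builds the observer context handed to the delegated {@link MasterObserver} hooks, carrying
     * the active (requesting) user so the delegate authorizes that user.
     */
    public ObserverContext<MasterCoprocessorEnvironment> getMasterObsevrverContext() throws IOException {
        return new ObserverContextImpl<>(getActiveUser());
    }

    /**
     * Requires READ and EXEC on {@code tableName} before table metadata is returned.
     *
     * @throws AccessDeniedException if the active user lacks either action
     */
    @Override // org.apache.phoenix.coprocessor.BaseMetaDataEndpointObserver, org.apache.phoenix.coprocessor.MetaDataEndpointObserver
    public void preGetTable(ObserverContext<PhoenixMetaDataCoprocessorHost.PhoenixMetaDataControllerEnvironment> observerContext, String str, String str2, TableName tableName) throws IOException {
        if (this.accessCheckEnabled) {
            requireAccess("GetTable" + str, tableName, Permission.Action.READ, Permission.Action.EXEC);
        }
    }

    /**
     * Reads the ACL switch, validates the environment and initialises the superuser lists.
     *
     * <p>The switch defaults to {@code false}: unless {@link QueryServices#PHOENIX_ACLS_ENABLED} is
     * set, every hook in this class is a no-op and only a warning is logged.
     *
     * @throws IllegalArgumentException if the environment is not a Phoenix metadata controller environment
     */
    @Override // org.apache.phoenix.coprocessor.BaseMetaDataEndpointObserver
    public void start(CoprocessorEnvironment coprocessorEnvironment) throws IOException {
        this.accessCheckEnabled = coprocessorEnvironment.getConfiguration().getBoolean(QueryServices.PHOENIX_ACLS_ENABLED, false);
        if (!this.accessCheckEnabled) {
            LOG.warn("PhoenixAccessController has been loaded with authorization checks disabled.");
        }
        if (!(coprocessorEnvironment instanceof PhoenixMetaDataCoprocessorHost.PhoenixMetaDataControllerEnvironment)) {
            throw new IllegalArgumentException("Not a valid environment, should be loaded by PhoenixMetaDataControllerEnvironment");
        }
        this.env = (PhoenixMetaDataCoprocessorHost.PhoenixMetaDataControllerEnvironment) coprocessorEnvironment;
        this.userProvider = UserProvider.instantiate(coprocessorEnvironment.getConfiguration());
        Superusers.initialize(coprocessorEnvironment.getConfiguration());
    }

    @Override // org.apache.phoenix.coprocessor.BaseMetaDataEndpointObserver
    public void stop(CoprocessorEnvironment coprocessorEnvironment) throws IOException {
    }

    /**
     * Authorizes creation of a table, view or index.
     *
     * <ul>
     *   <li>Non-views: the create is delegated to each access controller's {@code preCreateTable}.</li>
     *   <li>Views and indexes: READ and EXEC are required on {@code tableName2}.</li>
     *   <li>Views: for every table in {@code set2} the active user does not fully cover with READ and
     *       EXEC, the missing actions are granted automatically.</li>
     *   <li>Indexes stored in their own table: users holding permissions on {@code tableName2} are
     *       granted the matching permissions on {@code tableName}.</li>
     * </ul>
     *
     * @param str2 name reported in the audit entry for automatic grants
     * @param tableName table being created
     * @param tableName2 table the view or index is defined on (presumably the parent — confirm against caller)
     * @param set column-family names used to build the descriptor passed to the delegates
     * @param set2 dependent tables checked when creating a view
     */
    @Override // org.apache.phoenix.coprocessor.BaseMetaDataEndpointObserver, org.apache.phoenix.coprocessor.MetaDataEndpointObserver
    public void preCreateTable(ObserverContext<PhoenixMetaDataCoprocessorHost.PhoenixMetaDataControllerEnvironment> observerContext, String str, String str2, TableName tableName, TableName tableName2, PTableType pTableType, Set<byte[]> set, Set<TableName> set2) throws IOException {
        if (!this.accessCheckEnabled) {
            return;
        }
        if (pTableType != PTableType.VIEW) {
            TableDescriptorBuilder descriptorBuilder = TableDescriptorBuilder.newBuilder(tableName);
            for (byte[] family : set) {
                descriptorBuilder.addColumnFamily(ColumnFamilyDescriptorBuilder.newBuilder(family).build());
            }
            TableDescriptor descriptor = descriptorBuilder.build();
            for (MasterObserver observer : getAccessControllers()) {
                observer.preCreateTable(getMasterObsevrverContext(), descriptor, (RegionInfo[]) null);
            }
        }
        // Tables already handled, so a dependent table equal to the parent is not processed twice.
        Set<TableName> handledTables = new HashSet<>();
        if (pTableType == PTableType.VIEW || pTableType == PTableType.INDEX) {
            handledTables.add(tableName2);
            requireAccess("Create" + pTableType, tableName2, Permission.Action.READ, Permission.Action.EXEC);
        }
        if (pTableType == PTableType.VIEW) {
            Permission.Action[] requiredActions = {Permission.Action.READ, Permission.Action.EXEC};
            for (TableName dependentTable : set2) {
                if (!handledTables.add(dependentTable)) {
                    continue;
                }
                User activeUser = getActiveUser();
                // Only the user's own entries are considered here; group entries are not consulted,
                // unlike hasAccess().
                List<UserPermission> userEntries = getPermissionForUser(getUserPermissions(dependentTable), Bytes.toBytes(activeUser.getShortName()));
                Set<Permission.Action> missingActions = new HashSet<>();
                Set<Permission.Action> existingActions = new HashSet<>();
                if (userEntries != null) {
                    // An action counts as missing as soon as any single entry fails to imply it.
                    for (UserPermission entry : userEntries) {
                        for (Permission.Action action : requiredActions) {
                            if (!entry.implies(action)) {
                                missingActions.add(action);
                            }
                        }
                    }
                    if (!missingActions.isEmpty()) {
                        for (UserPermission entry : userEntries) {
                            existingActions.addAll(Arrays.asList(entry.getActions()));
                        }
                    }
                } else {
                    missingActions.addAll(Arrays.asList(requiredActions));
                }
                if (!missingActions.isEmpty()) {
                    // NOTE(review): the lookup above matches on getShortName() but the grant is issued
                    // for getName(); confirm both resolve to the same principal in secured deployments.
                    handleRequireAccessOnDependentTable("Create" + pTableType, activeUser.getName(), TableName.valueOf(dependentTable.getName()), str2, missingActions, existingActions);
                }
            }
        }
        if (pTableType != PTableType.INDEX || tableName == null || tableName2.equals(tableName) || MetaDataUtil.isViewIndex(tableName.getNameAsString())) {
            return;
        }
        authorizeOrGrantAccessToUsers("Create" + pTableType, tableName2, Arrays.asList(Permission.Action.READ, Permission.Action.WRITE, Permission.Action.CREATE, Permission.Action.EXEC, Permission.Action.ADMIN), tableName);
    }

    /**
     * Grants {@code str2} the union of {@code set} and {@code set2} on {@code tableName} and records
     * the grant in the audit log.
     *
     * <p>This method performs no authorization of its own; the grant is executed as the login user.
     * Only {@code set} (the newly required actions) appears in the audit message.
     *
     * @param str request label used as the audit-message prefix
     * @param str2 user receiving the grant
     * @param tableName table the permissions are granted on
     * @param str3 name reported in the audit message
     * @param set actions the user was missing
     * @param set2 actions the user already held (presumably re-sent because the grant replaces
     *             rather than merges existing permissions — confirm)
     * @throws IOException if the grant fails
     */
    public void handleRequireAccessOnDependentTable(String str, String str2, TableName tableName, String str3, Set<Permission.Action> set, Set<Permission.Action> set2) throws IOException {
        Set<Permission.Action> grantedActions = new HashSet<>();
        grantedActions.addAll(set);
        grantedActions.addAll(set2);
        AUDITLOG.info(str + ": Automatically granting access to index table during creation of view:" + str3 + authString(str2, tableName, set));
        grantPermissions(str2, tableName.getName(), grantedActions.toArray(new Permission.Action[0]));
    }

    /**
     * Grants table-level permissions to a user, running as the login user.
     *
     * @param str user receiving the grant
     * @param bArr name of the table, as bytes
     * @param actionArr actions to grant
     * @throws IOException if the connection or the grant fails
     */
    private void grantPermissions(final String str, final byte[] bArr, final Permission.Action... actionArr) throws IOException {
        User.runAsLoginUser(new PrivilegedExceptionAction<Void>() { // from class: org.apache.phoenix.coprocessor.PhoenixAccessController.1
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                try (Connection connection = ConnectionFactory.createConnection(PhoenixAccessController.this.env.getConfiguration())) {
                    AccessControlClient.grant(connection, TableName.valueOf(bArr), str, (byte[]) null, (byte[]) null, actionArr);
                } catch (Throwable failure) {
                    // Must be thrown, not merely constructed: a swallowed failure would leave the
                    // audit log claiming a grant that never happened.
                    throw new DoNotRetryIOException(failure);
                }
                return null;
            }
        });
    }

    /**
     * Copies permissions from one table to another for every user that holds them on the first.
     *
     * <p>For each permission entry on {@code tableName}, every action in {@code list} that the entry
     * implies and that the same principal does not yet have on {@code tableName2} is granted on
     * {@code tableName2}. Group principals are skipped with an audit warning. Runs as the login user.
     *
     * @param str request label for audit messages
     * @param tableName table whose permission entries are the source
     * @param list actions eligible for propagation
     * @param tableName2 table receiving the grants
     */
    private void authorizeOrGrantAccessToUsers(final String str, final TableName tableName, final List<Permission.Action> list, final TableName tableName2) throws IOException {
        User.runAsLoginUser(new PrivilegedExceptionAction<Void>() { // from class: org.apache.phoenix.coprocessor.PhoenixAccessController.2
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws IOException {
                // NOTE(review): this connection is opened and closed but never used in this method;
                // the lookups and grants below open their own connections.
                try (Connection connection = ConnectionFactory.createConnection(PhoenixAccessController.this.env.getConfiguration())) {
                    List<UserPermission> sourcePermissions = PhoenixAccessController.this.getUserPermissions(tableName);
                    List<UserPermission> targetPermissions = PhoenixAccessController.this.getUserPermissions(tableName2);
                    if (sourcePermissions != null) {
                        for (UserPermission sourceEntry : sourcePermissions) {
                            Set<Permission.Action> actionsToGrant = new HashSet<>();
                            Set<Permission.Action> existingActions = new HashSet<>();
                            List<UserPermission> targetEntries = PhoenixAccessController.this.getPermissionForUser(targetPermissions, sourceEntry.getUser());
                            for (Permission.Action action : list) {
                                if (sourceEntry.implies(action) && !anyImplies(targetEntries, action)) {
                                    actionsToGrant.add(action);
                                }
                            }
                            if (targetEntries != null) {
                                for (UserPermission targetEntry : targetEntries) {
                                    existingActions.addAll(Arrays.asList(targetEntry.getActions()));
                                }
                            }
                            if (!actionsToGrant.isEmpty()) {
                                if (AuthUtil.isGroupPrincipal(Bytes.toString(sourceEntry.getUser()))) {
                                    PhoenixAccessController.AUDITLOG.warn("Users of GROUP:" + Bytes.toString(sourceEntry.getUser()) + " will not have following access " + actionsToGrant + " to the newly created index " + tableName2 + ", Automatic grant is not yet allowed on Groups");
                                } else {
                                    PhoenixAccessController.this.handleRequireAccessOnDependentTable(str, Bytes.toString(sourceEntry.getUser()), tableName2, tableName2.getNameAsString(), actionsToGrant, existingActions);
                                }
                            }
                        }
                    }
                }
                return null;
            }
        });
    }

    /** Returns {@code true} if any entry in the list implies the action; a {@code null} list implies nothing. */
    private static boolean anyImplies(List<UserPermission> entries, Permission.Action action) {
        if (entries == null) {
            return false;
        }
        for (UserPermission entry : entries) {
            if (entry.implies(action)) {
                return true;
            }
        }
        return false;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Filters permission entries down to those whose principal bytes equal {@code bArr}.
     *
     * @param list entries to filter; may be {@code null}
     * @param bArr principal name as bytes
     * @return the matching entries, or {@code null} (not an empty list) when the input is
     *         {@code null} or nothing matches — callers test for {@code null}
     */
    public List<UserPermission> getPermissionForUser(List<UserPermission> list, byte[] bArr) {
        if (list == null) {
            return null;
        }
        List<UserPermission> matches = new ArrayList<>();
        for (UserPermission entry : list) {
            if (Bytes.equals(entry.getUser(), bArr)) {
                matches.add(entry);
            }
        }
        return matches.isEmpty() ? null : matches;
    }

    /**
     * Delegates the drop to each access controller's {@code preDeleteTable} (for the table itself
     * unless it is a view, and for the physical table of every entry in {@code list}), then requires
     * READ and EXEC on {@code tableName2} when dropping a view or index.
     */
    @Override // org.apache.phoenix.coprocessor.BaseMetaDataEndpointObserver, org.apache.phoenix.coprocessor.MetaDataEndpointObserver
    public void preDropTable(ObserverContext<PhoenixMetaDataCoprocessorHost.PhoenixMetaDataControllerEnvironment> observerContext, String str, String str2, TableName tableName, TableName tableName2, PTableType pTableType, List<PTable> list) throws IOException {
        if (!this.accessCheckEnabled) {
            return;
        }
        for (MasterObserver observer : getAccessControllers()) {
            if (pTableType != PTableType.VIEW) {
                observer.preDeleteTable(getMasterObsevrverContext(), tableName);
            }
            if (list != null) {
                for (PTable dependent : list) {
                    observer.preDeleteTable(getMasterObsevrverContext(), TableName.valueOf(dependent.getPhysicalName().getBytes()));
                }
            }
        }
        if (pTableType == PTableType.VIEW || pTableType == PTableType.INDEX) {
            requireAccess("Drop " + pTableType, tableName2, Permission.Action.READ, Permission.Action.EXEC);
        }
    }

    /**
     * Delegates non-view alterations to each access controller's {@code preModifyTable}; altering a
     * view instead requires READ and EXEC on {@code tableName2}.
     */
    @Override // org.apache.phoenix.coprocessor.BaseMetaDataEndpointObserver, org.apache.phoenix.coprocessor.MetaDataEndpointObserver
    public void preAlterTable(ObserverContext<PhoenixMetaDataCoprocessorHost.PhoenixMetaDataControllerEnvironment> observerContext, String str, String str2, TableName tableName, TableName tableName2, PTableType pTableType) throws IOException {
        if (!this.accessCheckEnabled) {
            return;
        }
        for (MasterObserver observer : getAccessControllers()) {
            if (pTableType != PTableType.VIEW) {
                observer.preModifyTable(getMasterObsevrverContext(), tableName, TableDescriptorBuilder.newBuilder(tableName).build());
            }
        }
        if (pTableType == PTableType.VIEW) {
            requireAccess("Alter " + pTableType, tableName2, Permission.Action.READ, Permission.Action.EXEC);
        }
    }

    /** Delegates the schema lookup to each access controller's {@code preListNamespaceDescriptors}. */
    @Override // org.apache.phoenix.coprocessor.BaseMetaDataEndpointObserver, org.apache.phoenix.coprocessor.MetaDataEndpointObserver
    public void preGetSchema(ObserverContext<PhoenixMetaDataCoprocessorHost.PhoenixMetaDataControllerEnvironment> observerContext, String str) throws IOException {
        if (!this.accessCheckEnabled) {
            return;
        }
        for (MasterObserver observer : getAccessControllers()) {
            observer.preListNamespaceDescriptors(getMasterObsevrverContext(), Arrays.asList(NamespaceDescriptor.create(str).build()));
        }
    }

    /** Delegates schema creation to each access controller's {@code preCreateNamespace}. */
    @Override // org.apache.phoenix.coprocessor.BaseMetaDataEndpointObserver, org.apache.phoenix.coprocessor.MetaDataEndpointObserver
    public void preCreateSchema(ObserverContext<PhoenixMetaDataCoprocessorHost.PhoenixMetaDataControllerEnvironment> observerContext, String str) throws IOException {
        if (!this.accessCheckEnabled) {
            return;
        }
        for (MasterObserver observer : getAccessControllers()) {
            observer.preCreateNamespace(getMasterObsevrverContext(), NamespaceDescriptor.create(str).build());
        }
    }

    /** Delegates schema removal to each access controller's {@code preDeleteNamespace}. */
    @Override // org.apache.phoenix.coprocessor.BaseMetaDataEndpointObserver, org.apache.phoenix.coprocessor.MetaDataEndpointObserver
    public void preDropSchema(ObserverContext<PhoenixMetaDataCoprocessorHost.PhoenixMetaDataControllerEnvironment> observerContext, String str) throws IOException {
        if (!this.accessCheckEnabled) {
            return;
        }
        for (MasterObserver observer : getAccessControllers()) {
            observer.preDeleteNamespace(getMasterObsevrverContext(), str);
        }
    }

    /**
     * Delegates the index state change to each access controller's {@code preModifyTable}; moving
     * the index to {@link PIndexState#BUILDING} additionally requires READ and EXEC on {@code tableName2}.
     */
    @Override // org.apache.phoenix.coprocessor.BaseMetaDataEndpointObserver, org.apache.phoenix.coprocessor.MetaDataEndpointObserver
    public void preIndexUpdate(ObserverContext<PhoenixMetaDataCoprocessorHost.PhoenixMetaDataControllerEnvironment> observerContext, String str, String str2, TableName tableName, TableName tableName2, PIndexState pIndexState) throws IOException {
        if (!this.accessCheckEnabled) {
            return;
        }
        for (MasterObserver observer : getAccessControllers()) {
            observer.preModifyTable(getMasterObsevrverContext(), tableName, TableDescriptorBuilder.newBuilder(tableName).build());
        }
        if (pIndexState == PIndexState.BUILDING) {
            requireAccess("Rebuild:", tableName2, Permission.Action.READ, Permission.Action.EXEC);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Collects the permission entries for a table and its namespace from every access controller,
     * running as the login user.
     *
     * <p>The controller list is obtained through {@link #getAccessControllers()} so it is
     * initialised even when this is the first call to reach it.
     *
     * @param tableName table whose table-level and namespace-level entries are fetched
     * @return the merged entries; empty when nothing is found
     * @throws IOException if a lookup fails
     */
    public List<UserPermission> getUserPermissions(final TableName tableName) throws IOException {
        return User.runAsLoginUser(new PrivilegedExceptionAction<List<UserPermission>>() { // from class: org.apache.phoenix.coprocessor.PhoenixAccessController.3
            @Override // java.security.PrivilegedExceptionAction
            public List<UserPermission> run() throws Exception {
                List<UserPermission> permissions = new ArrayList<>();
                try (Connection connection = ConnectionFactory.createConnection(PhoenixAccessController.this.env.getConfiguration())) {
                    for (MasterObserver observer : PhoenixAccessController.this.getAccessControllers()) {
                        // Exactly the stock HBase AccessController goes through the client API;
                        // anything else is queried through its service interface.
                        if (observer.getClass().getName().equals(AccessController.class.getName())) {
                            permissions.addAll(AccessControlClient.getUserPermissions(connection, tableName.getNameAsString()));
                            permissions.addAll(AccessControlClient.getUserPermissions(connection, AuthUtil.toGroupEntry(tableName.getNamespaceAsString())));
                        } else {
                            getUserPermsFromUserDefinedAccessController(permissions, connection, (AccessControlProtos.AccessControlService.Interface) observer);
                        }
                    }
                } catch (Throwable failure) {
                    if (failure instanceof Exception) {
                        throw ((Exception) failure);
                    }
                    if (failure instanceof Error) {
                        throw ((Error) failure);
                    }
                    throw new Exception(failure);
                }
                return permissions;
            }

            /** Requests table-scope, then namespace-scope entries from a custom access controller. */
            private void getUserPermsFromUserDefinedAccessController(List<UserPermission> list, Connection connection, AccessControlProtos.AccessControlService.Interface r9) {
                RpcController rpcController = (RpcController) ((ClusterConnection) connection).getRpcControllerFactory().newController();
                AccessControlProtos.GetUserPermissionsRequest.Builder tableRequest = AccessControlProtos.GetUserPermissionsRequest.newBuilder();
                tableRequest.setTableName(ProtobufUtil.toProtoTableName(tableName));
                tableRequest.setType(AccessControlProtos.Permission.Type.Table);
                callGetUserPermissionsRequest(list, r9, tableRequest.build(), rpcController);
                AccessControlProtos.GetUserPermissionsRequest.Builder namespaceRequest = AccessControlProtos.GetUserPermissionsRequest.newBuilder();
                namespaceRequest.setNamespaceName(ByteString.copyFrom(tableName.getNamespace()));
                namespaceRequest.setType(AccessControlProtos.Permission.Type.Namespace);
                callGetUserPermissionsRequest(list, r9, namespaceRequest.build(), rpcController);
            }

            /**
             * Invokes the service and appends whatever the callback receives to {@code list}.
             *
             * <p>NOTE(review): the controller's failure state is never inspected and a null response
             * is ignored, so a failed lookup looks the same as "no permissions". Callers that
             * auto-grant on missing permissions would then act on incomplete data — confirm whether
             * a failure check is needed here.
             */
            private void callGetUserPermissionsRequest(final List<UserPermission> list, AccessControlProtos.AccessControlService.Interface r10, AccessControlProtos.GetUserPermissionsRequest getUserPermissionsRequest, RpcController rpcController) {
                r10.getUserPermissions(rpcController, getUserPermissionsRequest, new RpcCallback<AccessControlProtos.GetUserPermissionsResponse>() { // from class: org.apache.phoenix.coprocessor.PhoenixAccessController.3.1
                    @Override
                    public void run(AccessControlProtos.GetUserPermissionsResponse getUserPermissionsResponse) {
                        if (getUserPermissionsResponse != null) {
                            for (AccessControlProtos.UserPermission proto : getUserPermissionsResponse.getUserPermissionList()) {
                                list.add(AccessControlUtil.toUserPermission(proto));
                            }
                        }
                    }
                });
            }
        });
    }

    /**
     * Requires the active user to hold every listed action on the table.
     *
     * <p>Each action's decision is passed to {@link #logResult(AuthResult)}; if any action is denied
     * the request is rejected. Permissions are fetched once and reused for all actions.
     *
     * @param str request label for audit entries
     * @param tableName table the actions are checked against
     * @param actionArr actions that must all be allowed; must not be empty
     * @throws AccessDeniedException if at least one action is denied
     * @throws IllegalArgumentException if no actions are supplied, so an empty check can never pass silently
     */
    private void requireAccess(String str, TableName tableName, Permission.Action... actionArr) throws IOException {
        if (actionArr == null || actionArr.length == 0) {
            throw new IllegalArgumentException("requireAccess called without any actions for request " + str);
        }
        User activeUser = getActiveUser();
        List<UserPermission> tablePermissions = getUserPermissions(tableName);
        boolean denied = false;
        for (Permission.Action action : actionArr) {
            AuthResult result;
            if (hasAccess(tablePermissions, tableName, action, activeUser)) {
                result = AuthResult.allow(str, "Table permission granted", activeUser, action, tableName, (byte[]) null, (byte[]) null);
            } else {
                result = AuthResult.deny(str, "Insufficient permissions", activeUser, action, tableName, (byte[]) null, (byte[]) null);
                denied = true;
            }
            logResult(result);
        }
        if (denied) {
            throw new AccessDeniedException("Insufficient permissions " + authString(activeUser.getName(), tableName, new HashSet<>(Arrays.asList(actionArr))));
        }
    }

    /**
     * Decides whether the user may perform the action given the table's permission entries.
     *
     * <p>Superusers always pass. Otherwise the user's own entries are checked first, then the
     * entries of each of the user's groups. Principal names are encoded with
     * {@link Bytes#toBytes(String)}, the same encoding used for the lookup in
     * {@code preCreateTable}, rather than the platform default charset.
     *
     * @param list permission entries for the table and its namespace; may be {@code null}
     * @return {@code true} if access is allowed
     */
    private boolean hasAccess(List<UserPermission> list, TableName tableName, Permission.Action action, User user) {
        if (Superusers.isSuperUser(user)) {
            return true;
        }
        if (list == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("No permissions found for table=" + tableName + " or namespace=" + tableName.getNamespaceAsString());
            }
            return false;
        }
        if (anyImplies(getPermissionForUser(list, Bytes.toBytes(user.getShortName())), action)) {
            return true;
        }
        String[] groupNames = user.getGroupNames();
        if (groupNames == null) {
            return false;
        }
        for (String group : groupNames) {
            if (anyImplies(getPermissionForUser(list, Bytes.toBytes(AuthUtil.toGroupEntry(group))), action)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the user attached to the current RPC, or the user provider's current user when the
     * call is not being served from an RPC.
     */
    private User getActiveUser() throws IOException {
        Optional<User> requestUser = RpcServer.getRequestUser();
        return requestUser.isPresent() ? requestUser.get() : this.userProvider.getCurrent();
    }

    /**
     * Writes an authorization decision to the audit log.
     *
     * <p>Nothing is written unless TRACE is enabled for the audit logger, so denials are not
     * recorded at default log levels.
     */
    private void logResult(AuthResult authResult) {
        if (AUDITLOG.isTraceEnabled()) {
            Optional<?> remoteAddress = RpcServer.getRemoteAddress();
            AUDITLOG.trace("Access " + (authResult.isAllowed() ? "allowed" : "denied") + " for user " + (authResult.getUser() != null ? authResult.getUser().getShortName() : "UNKNOWN") + "; reason: " + authResult.getReason() + "; remote address: " + (remoteAddress.isPresent() ? remoteAddress.get() : "") + "; request: " + authResult.getRequest() + "; context: " + authResult.toContextString());
        }
    }

    /**
     * Formats the user, scope and actions of a request for log and exception messages.
     *
     * @param str user name; {@code null} is rendered as {@code UNKNOWN}
     * @param tableName table scope; {@code null} is rendered as {@code GLOBAL}
     * @param set actions; {@code null} is rendered as an empty action list
     * @return the formatted fragment, starting with {@code " (user="}
     */
    public String authString(String str, TableName tableName, Set<Permission.Action> set) {
        // Test for null before asking for the size; the label is plural only for two or more actions.
        boolean severalActions = set != null && set.size() > 1;
        StringBuilder sb = new StringBuilder();
        sb.append(" (user=").append(str != null ? str : "UNKNOWN").append(", ");
        sb.append("scope=").append(tableName == null ? "GLOBAL" : tableName.getNameWithNamespaceInclAsString()).append(", ");
        // NOTE(review): HintNode.SUFFIX presumably supplies the closing parenthesis; the decompiler
        // appears to have substituted a constant for the literal — confirm.
        sb.append(severalActions ? "actions=" : "action=").append(set != null ? set.toString() : "").append(HintNode.SUFFIX);
        return sb.toString();
    }
}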
