package org.apache.hadoop.yarn.server.timelineservice.reader.security;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.Response;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.server.timelineservice.reader.TimelineReaderWebServicesUtils;
import org.apache.hadoop.yarn.webapp.ForbiddenException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/yarn/server/timelineservice/reader/security/TimelineReaderWhitelistAuthorizationFilter.class */
public class TimelineReaderWhitelistAuthorizationFilter implements Filter {
    public static final String EMPTY_STRING = "";
    private static final Logger LOG = LoggerFactory.getLogger(TimelineReaderWhitelistAuthorizationFilter.class);
    private boolean isWhitelistReadAuthEnabled = false;
    private AccessControlList allowedUsersAclList;
    private AccessControlList adminAclList;

    public void destroy() {
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (this.isWhitelistReadAuthEnabled) {
            UserGroupInformation callerUserGroupInformation = TimelineReaderWebServicesUtils.getCallerUserGroupInformation((HttpServletRequest) servletRequest, true);
            if (callerUserGroupInformation == null) {
                throw new AuthorizationException("Unable to obtain user name, user not authenticated");
            }
            if (!this.adminAclList.isUserAllowed(callerUserGroupInformation) && !this.allowedUsersAclList.isUserAllowed(callerUserGroupInformation)) {
                String shortUserName = callerUserGroupInformation.getShortUserName();
                Response.status(Response.Status.FORBIDDEN).entity("User " + shortUserName + " is not allowed to read TimelineService V2 data.").build();
                throw new ForbiddenException("user " + shortUserName + " is not allowed to read TimelineService V2 data");
            }
        }
        if (filterChain != null) {
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    public void init(FilterConfig filterConfig) throws ServletException {
        String initParameter = filterConfig.getInitParameter("yarn.timeline-service.read.authentication.enabled");
        if (initParameter == null) {
            this.isWhitelistReadAuthEnabled = YarnConfiguration.DEFAULT_TIMELINE_SERVICE_READ_AUTH_ENABLED.booleanValue();
        } else {
            this.isWhitelistReadAuthEnabled = Boolean.valueOf(initParameter).booleanValue();
        }
        if (this.isWhitelistReadAuthEnabled) {
            String initParameter2 = filterConfig.getInitParameter("yarn.timeline-service.read.allowed.users");
            if (StringUtils.isEmpty(initParameter2)) {
                initParameter2 = EMPTY_STRING;
            }
            LOG.info("listAllowedUsers=" + initParameter2);
            this.allowedUsersAclList = new AccessControlList(initParameter2);
            LOG.info("allowedUsersAclList=" + this.allowedUsersAclList.getUsers());
            String initParameter3 = filterConfig.getInitParameter("yarn.admin.acl");
            if (StringUtils.isEmpty(initParameter3)) {
                initParameter3 = EMPTY_STRING;
                LOG.info("adminAclList not set, hence setting it to \"\"");
            }
            this.adminAclList = new AccessControlList(initParameter3);
            LOG.info("adminAclList=" + this.adminAclList.getUsers());
        }
    }
}
