package org.apache.accumulo.server.security;

import com.google.common.base.Suppliers;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;
import org.apache.accumulo.core.client.AccumuloSecurityException;
import org.apache.accumulo.core.client.NamespaceNotFoundException;
import org.apache.accumulo.core.client.TableNotFoundException;
import org.apache.accumulo.core.clientImpl.Credentials;
import org.apache.accumulo.core.clientImpl.Namespace;
import org.apache.accumulo.core.clientImpl.thrift.SecurityErrorCode;
import org.apache.accumulo.core.clientImpl.thrift.ThriftSecurityException;
import org.apache.accumulo.core.conf.Property;
import org.apache.accumulo.core.data.NamespaceId;
import org.apache.accumulo.core.data.TableId;
import org.apache.accumulo.core.dataImpl.thrift.IterInfo;
import org.apache.accumulo.core.dataImpl.thrift.TColumn;
import org.apache.accumulo.core.dataImpl.thrift.TKeyExtent;
import org.apache.accumulo.core.dataImpl.thrift.TRange;
import org.apache.accumulo.core.fate.zookeeper.ZooCache;
import org.apache.accumulo.core.manager.thrift.FateOperation;
import org.apache.accumulo.core.metadata.MetadataTable;
import org.apache.accumulo.core.metadata.RootTable;
import org.apache.accumulo.core.replication.ReplicationTable;
import org.apache.accumulo.core.security.Authorizations;
import org.apache.accumulo.core.security.NamespacePermission;
import org.apache.accumulo.core.security.SystemPermission;
import org.apache.accumulo.core.security.TablePermission;
import org.apache.accumulo.core.securityImpl.thrift.TCredentials;
import org.apache.accumulo.server.ServerContext;
import org.apache.accumulo.server.security.handler.Authenticator;
import org.apache.accumulo.server.security.handler.Authorizor;
import org.apache.accumulo.server.security.handler.KerberosAuthenticator;
import org.apache.accumulo.server.security.handler.PermissionHandler;
import org.apache.accumulo.server.security.handler.ZKAuthenticator;
import org.apache.accumulo.server.security.handler.ZKAuthorizor;
import org.apache.accumulo.server.security.handler.ZKPermHandler;
import org.apache.hadoop.io.Text;
import org.apache.zookeeper.Watcher;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/accumulo/server/security/SecurityOperation.class */
public class SecurityOperation {
    private static final Logger log = LoggerFactory.getLogger(SecurityOperation.class);
    private final Authorizor authorizor;
    private final Authenticator authenticator;
    private final PermissionHandler permHandle;
    private final boolean isKerberos;
    private final Supplier<String> rootUserName = Suppliers.memoize(() -> {
        return new String(this.zooCache.get(this.zkUserPath), StandardCharsets.UTF_8);
    });
    private final ZooCache zooCache;
    private final String zkUserPath;
    protected final ServerContext context;

    public static Authorizor getAuthorizor(ServerContext serverContext) {
        Authorizor authorizor = (Authorizor) Property.createInstanceFromPropertyName(serverContext.getConfiguration(), Property.INSTANCE_SECURITY_AUTHORIZOR, Authorizor.class, new ZKAuthorizor());
        authorizor.initialize(serverContext);
        return authorizor;
    }

    public static Authenticator getAuthenticator(ServerContext serverContext) {
        Authenticator authenticator = (Authenticator) Property.createInstanceFromPropertyName(serverContext.getConfiguration(), Property.INSTANCE_SECURITY_AUTHENTICATOR, Authenticator.class, new ZKAuthenticator());
        authenticator.initialize(serverContext);
        return authenticator;
    }

    public static PermissionHandler getPermHandler(ServerContext serverContext) {
        PermissionHandler permissionHandler = (PermissionHandler) Property.createInstanceFromPropertyName(serverContext.getConfiguration(), Property.INSTANCE_SECURITY_PERMISSION_HANDLER, PermissionHandler.class, new ZKPermHandler());
        permissionHandler.initialize(serverContext);
        return permissionHandler;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public SecurityOperation(ServerContext serverContext, Authorizor authorizor, Authenticator authenticator, PermissionHandler permissionHandler) {
        this.context = serverContext;
        this.zkUserPath = "/accumulo/" + serverContext.getInstanceID() + "/users";
        this.zooCache = new ZooCache(serverContext.getZooReader(), (Watcher) null);
        this.authorizor = authorizor;
        this.authenticator = authenticator;
        this.permHandle = permissionHandler;
        if (!this.authorizor.validSecurityHandlers(this.authenticator, permissionHandler) || !this.authenticator.validSecurityHandlers() || !this.permHandle.validSecurityHandlers(authenticator, authorizor)) {
            throw new RuntimeException(this.authorizor + ", " + this.authenticator + ", and " + permissionHandler + " do not play nice with each other. Please choose authentication and authorization mechanisms that are compatible with one another.");
        }
        this.isKerberos = KerberosAuthenticator.class.isAssignableFrom(this.authenticator.getClass());
    }

    public void initializeSecurity(TCredentials tCredentials, String str, byte[] bArr) throws AccumuloSecurityException {
        if (!isSystemUser(tCredentials)) {
            throw new AccumuloSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        this.authenticator.initializeSecurity(str, bArr);
        this.authorizor.initializeSecurity(tCredentials, str);
        this.permHandle.initializeSecurity(tCredentials, str);
        try {
            this.permHandle.grantTablePermission(str, MetadataTable.ID.canonical(), TablePermission.ALTER_TABLE);
        } catch (TableNotFoundException e) {
            throw new RuntimeException((Throwable) e);
        }
    }

    private String getRootUsername() {
        return this.rootUserName.get();
    }

    public boolean isSystemUser(TCredentials tCredentials) {
        return this.context.getCredentials().getToken().getClass().getName().equals(tCredentials.getTokenClassName());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void authenticate(TCredentials tCredentials) throws ThriftSecurityException {
        if (!tCredentials.getInstanceId().equals(this.context.getInstanceID().canonical())) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.INVALID_INSTANCEID);
        }
        Credentials fromThrift = Credentials.fromThrift(tCredentials);
        if (isSystemUser(tCredentials)) {
            if (this.isKerberos) {
                if (this.context.getCredentials().getToken().equals(fromThrift.getToken())) {
                    return;
                }
                log.debug("With SASL enabled, System AuthenticationTokens did not match.");
                throw new ThriftSecurityException(fromThrift.getPrincipal(), SecurityErrorCode.BAD_CREDENTIALS);
            }
            if (this.context.getCredentials().equals(fromThrift)) {
                return;
            }
            log.debug("Provided credentials did not match server's expected credentials. Expected {} but got {}", this.context.getCredentials(), fromThrift);
            throw new ThriftSecurityException(fromThrift.getPrincipal(), SecurityErrorCode.BAD_CREDENTIALS);
        }
        if (this.isKerberos && !this.authenticator.userExists(fromThrift.getPrincipal())) {
            try {
                _createUser(tCredentials, fromThrift);
            } catch (ThriftSecurityException e) {
                if (e.getCode() != SecurityErrorCode.USER_EXISTS) {
                    throw e;
                }
            }
        }
        try {
            if (this.authenticator.authenticateUser(fromThrift.getPrincipal(), fromThrift.getToken())) {
            } else {
                throw new ThriftSecurityException(fromThrift.getPrincipal(), SecurityErrorCode.BAD_CREDENTIALS);
            }
        } catch (AccumuloSecurityException e2) {
            log.debug("AccumuloSecurityException", e2);
            throw e2.asThriftException();
        }
    }

    public boolean authenticateUser(TCredentials tCredentials, TCredentials tCredentials2) throws ThriftSecurityException {
        authenticate(tCredentials);
        if (!tCredentials.getPrincipal().equals(tCredentials2.getPrincipal()) && !hasSystemPermission(tCredentials, SystemPermission.SYSTEM, false)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        if (tCredentials.equals(tCredentials2)) {
            return true;
        }
        try {
            Credentials fromThrift = Credentials.fromThrift(tCredentials2);
            if (this.isKerberos && !this.authenticator.userExists(fromThrift.getPrincipal())) {
                createUser(tCredentials, fromThrift, Authorizations.EMPTY);
            }
            return this.authenticator.authenticateUser(fromThrift.getPrincipal(), fromThrift.getToken());
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        }
    }

    public Authorizations getUserAuthorizations(TCredentials tCredentials, String str) throws ThriftSecurityException {
        authenticate(tCredentials);
        targetUserExists(str);
        if (tCredentials.getPrincipal().equals(str) || hasSystemPermission(tCredentials, SystemPermission.SYSTEM, false) || hasSystemPermission(tCredentials, SystemPermission.ALTER_USER, false)) {
            return this.authorizor.getCachedUserAuthorizations(str);
        }
        throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
    }

    public Authorizations getUserAuthorizations(TCredentials tCredentials) throws ThriftSecurityException {
        if (!isSystemUser(tCredentials)) {
            return getUserAuthorizations(tCredentials, tCredentials.getPrincipal());
        }
        authenticate(tCredentials);
        return Authorizations.EMPTY;
    }

    public boolean authenticatedUserHasAuthorizations(TCredentials tCredentials, List<ByteBuffer> list) {
        return isSystemUser(tCredentials) ? list.isEmpty() : this.authorizor.isValidAuthorizations(tCredentials.getPrincipal(), list);
    }

    private boolean hasSystemPermission(TCredentials tCredentials, SystemPermission systemPermission, boolean z) throws ThriftSecurityException {
        return hasSystemPermissionWithNamespaceId(tCredentials, systemPermission, null, z);
    }

    private boolean hasSystemPermissionWithNamespaceId(TCredentials tCredentials, SystemPermission systemPermission, NamespaceId namespaceId, boolean z) throws ThriftSecurityException {
        if (isSystemUser(tCredentials) || _hasSystemPermission(tCredentials.getPrincipal(), systemPermission, z)) {
            return true;
        }
        if (namespaceId != null) {
            return _hasNamespacePermission(tCredentials.getPrincipal(), namespaceId, NamespacePermission.getEquivalent(systemPermission), z);
        }
        return false;
    }

    private boolean _hasSystemPermission(String str, SystemPermission systemPermission, boolean z) throws ThriftSecurityException {
        if (str.equals(getRootUsername())) {
            return true;
        }
        targetUserExists(str);
        return z ? this.permHandle.hasCachedSystemPermission(str, systemPermission) : this.permHandle.hasSystemPermission(str, systemPermission);
    }

    protected boolean hasTablePermission(TCredentials tCredentials, TableId tableId, NamespaceId namespaceId, TablePermission tablePermission, boolean z) throws ThriftSecurityException {
        return isSystemUser(tCredentials) || _hasTablePermission(tCredentials.getPrincipal(), tableId, tablePermission, z) || _hasNamespacePermission(tCredentials.getPrincipal(), namespaceId, NamespacePermission.getEquivalent(tablePermission), z);
    }

    private boolean _hasTablePermission(String str, TableId tableId, TablePermission tablePermission, boolean z) throws ThriftSecurityException {
        targetUserExists(str);
        TableId tableId2 = ReplicationTable.ID;
        if ((tableId.equals(MetadataTable.ID) || tableId.equals(RootTable.ID) || tableId.equals(tableId2)) && tablePermission.equals(TablePermission.READ)) {
            return true;
        }
        try {
            return z ? this.permHandle.hasCachedTablePermission(str, tableId.canonical(), tablePermission) : this.permHandle.hasTablePermission(str, tableId.canonical(), tablePermission);
        } catch (TableNotFoundException e) {
            throw new ThriftSecurityException(str, SecurityErrorCode.TABLE_DOESNT_EXIST);
        }
    }

    private boolean _hasNamespacePermission(String str, NamespaceId namespaceId, NamespacePermission namespacePermission, boolean z) throws ThriftSecurityException {
        if (namespacePermission == null) {
            return false;
        }
        targetUserExists(str);
        if (namespaceId.equals(Namespace.ACCUMULO.id()) && namespacePermission.equals(NamespacePermission.READ)) {
            return true;
        }
        try {
            return z ? this.permHandle.hasCachedNamespacePermission(str, namespaceId.canonical(), namespacePermission) : this.permHandle.hasNamespacePermission(str, namespaceId.canonical(), namespacePermission);
        } catch (NamespaceNotFoundException e) {
            throw new ThriftSecurityException(str, SecurityErrorCode.NAMESPACE_DOESNT_EXIST);
        }
    }

    private boolean canAskAboutOtherUsers(TCredentials tCredentials, String str) throws ThriftSecurityException {
        authenticate(tCredentials);
        return tCredentials.getPrincipal().equals(str) || hasSystemPermission(tCredentials, SystemPermission.SYSTEM, false) || hasSystemPermission(tCredentials, SystemPermission.CREATE_USER, false) || hasSystemPermission(tCredentials, SystemPermission.ALTER_USER, false) || hasSystemPermission(tCredentials, SystemPermission.DROP_USER, false);
    }

    private void targetUserExists(String str) throws ThriftSecurityException {
        if (!str.equals(getRootUsername()) && !this.authenticator.userExists(str)) {
            throw new ThriftSecurityException(str, SecurityErrorCode.USER_DOESNT_EXIST);
        }
    }

    public boolean canScan(TCredentials tCredentials, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasTablePermission(tCredentials, tableId, namespaceId, TablePermission.READ, true);
    }

    public boolean canScan(TCredentials tCredentials, TableId tableId, NamespaceId namespaceId, TRange tRange, List<TColumn> list, List<IterInfo> list2, Map<String, Map<String, String>> map, List<ByteBuffer> list3) throws ThriftSecurityException {
        return canScan(tCredentials, tableId, namespaceId);
    }

    public boolean canScan(TCredentials tCredentials, TableId tableId, NamespaceId namespaceId, Map<TKeyExtent, List<TRange>> map, List<TColumn> list, List<IterInfo> list2, Map<String, Map<String, String>> map2, List<ByteBuffer> list3) throws ThriftSecurityException {
        return canScan(tCredentials, tableId, namespaceId);
    }

    public boolean canWrite(TCredentials tCredentials, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasTablePermission(tCredentials, tableId, namespaceId, TablePermission.WRITE, true);
    }

    public boolean canConditionallyUpdate(TCredentials tCredentials, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasTablePermission(tCredentials, tableId, namespaceId, TablePermission.WRITE, true) && hasTablePermission(tCredentials, tableId, namespaceId, TablePermission.READ, true);
    }

    public boolean canSplitTablet(TCredentials tCredentials, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_TABLE, namespaceId, false) || hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.SYSTEM, namespaceId, false) || hasTablePermission(tCredentials, tableId, namespaceId, TablePermission.ALTER_TABLE, false);
    }

    public boolean canPerformSystemActions(TCredentials tCredentials) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermission(tCredentials, SystemPermission.SYSTEM, false);
    }

    public boolean canFlush(TCredentials tCredentials, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasTablePermission(tCredentials, tableId, namespaceId, TablePermission.WRITE, false) || hasTablePermission(tCredentials, tableId, namespaceId, TablePermission.ALTER_TABLE, false);
    }

    public boolean canAlterTable(TCredentials tCredentials, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasTablePermission(tCredentials, tableId, namespaceId, TablePermission.ALTER_TABLE, false) || hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_TABLE, namespaceId, false);
    }

    public boolean canCreateTable(TCredentials tCredentials, String str, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.CREATE_TABLE, namespaceId, false);
    }

    public boolean canRenameTable(TCredentials tCredentials, TableId tableId, String str, String str2, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_TABLE, namespaceId, false) || hasTablePermission(tCredentials, tableId, namespaceId, TablePermission.ALTER_TABLE, false);
    }

    public boolean canCloneTable(TCredentials tCredentials, TableId tableId, String str, NamespaceId namespaceId, NamespaceId namespaceId2) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.CREATE_TABLE, namespaceId, false) && hasTablePermission(tCredentials, tableId, namespaceId2, TablePermission.READ, false);
    }

    public boolean canDeleteTable(TCredentials tCredentials, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.DROP_TABLE, namespaceId, false) || hasTablePermission(tCredentials, tableId, namespaceId, TablePermission.DROP_TABLE, false);
    }

    public boolean canOnlineOfflineTable(TCredentials tCredentials, TableId tableId, FateOperation fateOperation, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.SYSTEM, namespaceId, false) || hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_TABLE, namespaceId, false) || hasTablePermission(tCredentials, tableId, namespaceId, TablePermission.ALTER_TABLE, false);
    }

    public boolean canMerge(TCredentials tCredentials, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.SYSTEM, namespaceId, false) || hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_TABLE, namespaceId, false) || hasTablePermission(tCredentials, tableId, namespaceId, TablePermission.ALTER_TABLE, false);
    }

    public boolean canDeleteRange(TCredentials tCredentials, TableId tableId, String str, Text text, Text text2, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.SYSTEM, namespaceId, false) || hasTablePermission(tCredentials, tableId, namespaceId, TablePermission.WRITE, false);
    }

    public boolean canBulkImport(TCredentials tCredentials, TableId tableId, String str, String str2, String str3, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasTablePermission(tCredentials, tableId, namespaceId, TablePermission.BULK_IMPORT, false);
    }

    public boolean canCompact(TCredentials tCredentials, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_TABLE, namespaceId, false) || hasTablePermission(tCredentials, tableId, namespaceId, TablePermission.ALTER_TABLE, false) || hasTablePermission(tCredentials, tableId, namespaceId, TablePermission.WRITE, false);
    }

    public boolean canChangeAuthorizations(TCredentials tCredentials, String str) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermission(tCredentials, SystemPermission.ALTER_USER, false);
    }

    public boolean canChangePassword(TCredentials tCredentials, String str) throws ThriftSecurityException {
        authenticate(tCredentials);
        return tCredentials.getPrincipal().equals(str) || hasSystemPermission(tCredentials, SystemPermission.ALTER_USER, false);
    }

    public boolean canCreateUser(TCredentials tCredentials, String str) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermission(tCredentials, SystemPermission.CREATE_USER, false);
    }

    public boolean canDropUser(TCredentials tCredentials, String str) throws ThriftSecurityException {
        authenticate(tCredentials);
        if (str.equals(getRootUsername())) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        return hasSystemPermission(tCredentials, SystemPermission.DROP_USER, false);
    }

    public boolean canGrantSystem(TCredentials tCredentials, String str, SystemPermission systemPermission) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermission(tCredentials, SystemPermission.GRANT, false);
    }

    public boolean canGrantTable(TCredentials tCredentials, String str, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_TABLE, namespaceId, false) || hasTablePermission(tCredentials, tableId, namespaceId, TablePermission.GRANT, false);
    }

    public boolean canGrantNamespace(TCredentials tCredentials, NamespaceId namespaceId) throws ThriftSecurityException {
        return canModifyNamespacePermission(tCredentials, namespaceId);
    }

    private boolean canModifyNamespacePermission(TCredentials tCredentials, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_NAMESPACE, namespaceId, false) || hasNamespacePermission(tCredentials, tCredentials.principal, namespaceId, NamespacePermission.GRANT);
    }

    public boolean canRevokeSystem(TCredentials tCredentials, String str, SystemPermission systemPermission) throws ThriftSecurityException {
        authenticate(tCredentials);
        if (str.equals(getRootUsername())) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        return hasSystemPermission(tCredentials, SystemPermission.GRANT, false);
    }

    public boolean canRevokeTable(TCredentials tCredentials, String str, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_TABLE, namespaceId, false) || hasTablePermission(tCredentials, tableId, namespaceId, TablePermission.GRANT, false);
    }

    public boolean canRevokeNamespace(TCredentials tCredentials, NamespaceId namespaceId) throws ThriftSecurityException {
        return canModifyNamespacePermission(tCredentials, namespaceId);
    }

    public void changeAuthorizations(TCredentials tCredentials, String str, Authorizations authorizations) throws ThriftSecurityException {
        if (!canChangeAuthorizations(tCredentials, str)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        targetUserExists(str);
        try {
            this.authorizor.changeAuthorizations(str, authorizations);
            log.info("Changed authorizations for user {} at the request of user {}", str, tCredentials.getPrincipal());
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        }
    }

    public void changePassword(TCredentials tCredentials, Credentials credentials) throws ThriftSecurityException {
        if (!canChangePassword(tCredentials, credentials.getPrincipal())) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        try {
            this.authenticator.changePassword(credentials.getPrincipal(), credentials.getToken());
            log.info("Changed password for user {} at the request of user {}", credentials.getPrincipal(), tCredentials.getPrincipal());
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        }
    }

    public void createUser(TCredentials tCredentials, Credentials credentials, Authorizations authorizations) throws ThriftSecurityException {
        if (!canCreateUser(tCredentials, credentials.getPrincipal())) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        _createUser(tCredentials, credentials);
        if (canChangeAuthorizations(tCredentials, credentials.getPrincipal())) {
            try {
                this.authorizor.changeAuthorizations(credentials.getPrincipal(), authorizations);
            } catch (AccumuloSecurityException e) {
                throw e.asThriftException();
            }
        }
    }

    private void _createUser(TCredentials tCredentials, Credentials credentials) throws ThriftSecurityException {
        try {
            this.authenticator.createUser(credentials.getPrincipal(), credentials.getToken());
            this.authorizor.initUser(credentials.getPrincipal());
            this.permHandle.initUser(credentials.getPrincipal());
            log.info("Created user {} at the request of user {}", credentials.getPrincipal(), tCredentials.getPrincipal());
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        }
    }

    public void dropUser(TCredentials tCredentials, String str) throws ThriftSecurityException {
        if (!canDropUser(tCredentials, str)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        try {
            this.authorizor.dropUser(str);
            this.authenticator.dropUser(str);
            this.permHandle.cleanUser(str);
            log.info("Deleted user {} at the request of user {}", str, tCredentials.getPrincipal());
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        }
    }

    public void grantSystemPermission(TCredentials tCredentials, String str, SystemPermission systemPermission) throws ThriftSecurityException {
        if (!canGrantSystem(tCredentials, str, systemPermission)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        targetUserExists(str);
        try {
            this.permHandle.grantSystemPermission(str, systemPermission);
            log.info("Granted system permission {} for user {} at the request of user {}", new Object[]{systemPermission, str, tCredentials.getPrincipal()});
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        }
    }

    public void grantTablePermission(TCredentials tCredentials, String str, TableId tableId, TablePermission tablePermission, NamespaceId namespaceId) throws ThriftSecurityException {
        if (!canGrantTable(tCredentials, str, tableId, namespaceId)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        targetUserExists(str);
        try {
            this.permHandle.grantTablePermission(str, tableId.canonical(), tablePermission);
            log.info("Granted table permission {} for user {} on the table {} at the request of user {}", new Object[]{tablePermission, str, tableId, tCredentials.getPrincipal()});
        } catch (TableNotFoundException e) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.TABLE_DOESNT_EXIST);
        } catch (AccumuloSecurityException e2) {
            throw e2.asThriftException();
        }
    }

    public void grantNamespacePermission(TCredentials tCredentials, String str, NamespaceId namespaceId, NamespacePermission namespacePermission) throws ThriftSecurityException {
        if (!canGrantNamespace(tCredentials, namespaceId)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        targetUserExists(str);
        try {
            this.permHandle.grantNamespacePermission(str, namespaceId.canonical(), namespacePermission);
            log.info("Granted namespace permission {} for user {} on the namespace {} at the request of user {}", new Object[]{namespacePermission, str, namespaceId, tCredentials.getPrincipal()});
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        } catch (NamespaceNotFoundException e2) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.NAMESPACE_DOESNT_EXIST);
        }
    }

    public void revokeSystemPermission(TCredentials tCredentials, String str, SystemPermission systemPermission) throws ThriftSecurityException {
        if (!canRevokeSystem(tCredentials, str, systemPermission)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        targetUserExists(str);
        try {
            this.permHandle.revokeSystemPermission(str, systemPermission);
            log.info("Revoked system permission {} for user {} at the request of user {}", new Object[]{systemPermission, str, tCredentials.getPrincipal()});
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        }
    }

    public void revokeTablePermission(TCredentials tCredentials, String str, TableId tableId, TablePermission tablePermission, NamespaceId namespaceId) throws ThriftSecurityException {
        if (!canRevokeTable(tCredentials, str, tableId, namespaceId)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        targetUserExists(str);
        try {
            this.permHandle.revokeTablePermission(str, tableId.canonical(), tablePermission);
            log.info("Revoked table permission {} for user {} on the table {} at the request of user {}", new Object[]{tablePermission, str, tableId, tCredentials.getPrincipal()});
        } catch (TableNotFoundException e) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.TABLE_DOESNT_EXIST);
        } catch (AccumuloSecurityException e2) {
            throw e2.asThriftException();
        }
    }

    public void revokeNamespacePermission(TCredentials tCredentials, String str, NamespaceId namespaceId, NamespacePermission namespacePermission) throws ThriftSecurityException {
        if (!canRevokeNamespace(tCredentials, namespaceId)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        targetUserExists(str);
        try {
            this.permHandle.revokeNamespacePermission(str, namespaceId.canonical(), namespacePermission);
            log.info("Revoked namespace permission {} for user {} on the namespace {} at the request of user {}", new Object[]{namespacePermission, str, namespaceId, tCredentials.getPrincipal()});
        } catch (AccumuloSecurityException e) {
            throw e.asThriftException();
        } catch (NamespaceNotFoundException e2) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.NAMESPACE_DOESNT_EXIST);
        }
    }

    public boolean hasSystemPermission(TCredentials tCredentials, String str, SystemPermission systemPermission) throws ThriftSecurityException {
        if (canAskAboutOtherUsers(tCredentials, str)) {
            return _hasSystemPermission(str, systemPermission, false);
        }
        throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
    }

    public boolean hasTablePermission(TCredentials tCredentials, String str, TableId tableId, TablePermission tablePermission) throws ThriftSecurityException {
        if (canAskAboutOtherUsers(tCredentials, str)) {
            return _hasTablePermission(str, tableId, tablePermission, false);
        }
        throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
    }

    public boolean hasNamespacePermission(TCredentials tCredentials, String str, NamespaceId namespaceId, NamespacePermission namespacePermission) throws ThriftSecurityException {
        if (canAskAboutOtherUsers(tCredentials, str)) {
            return _hasNamespacePermission(str, namespaceId, namespacePermission, false);
        }
        throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
    }

    public Set<String> listUsers(TCredentials tCredentials) throws ThriftSecurityException {
        authenticate(tCredentials);
        return this.authenticator.listUsers();
    }

    public void deleteTable(TCredentials tCredentials, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException {
        if (!canDeleteTable(tCredentials, tableId, namespaceId)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        try {
            this.permHandle.cleanTablePermissions(tableId.canonical());
        } catch (AccumuloSecurityException e) {
            e.setUser(tCredentials.getPrincipal());
            throw e.asThriftException();
        } catch (TableNotFoundException e2) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.TABLE_DOESNT_EXIST);
        }
    }

    public void deleteNamespace(TCredentials tCredentials, NamespaceId namespaceId) throws ThriftSecurityException {
        if (!canDeleteNamespace(tCredentials, namespaceId)) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.PERMISSION_DENIED);
        }
        try {
            this.permHandle.cleanNamespacePermissions(namespaceId.canonical());
        } catch (NamespaceNotFoundException e) {
            throw new ThriftSecurityException(tCredentials.getPrincipal(), SecurityErrorCode.NAMESPACE_DOESNT_EXIST);
        } catch (AccumuloSecurityException e2) {
            e2.setUser(tCredentials.getPrincipal());
            throw e2.asThriftException();
        }
    }

    public boolean canExport(TCredentials tCredentials, TableId tableId, String str, String str2, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasTablePermission(tCredentials, tableId, namespaceId, TablePermission.READ, false);
    }

    public boolean canImport(TCredentials tCredentials, String str, Set<String> set, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.CREATE_TABLE, namespaceId, false);
    }

    public boolean canAlterNamespace(TCredentials tCredentials, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_NAMESPACE, namespaceId, false);
    }

    public boolean canCreateNamespace(TCredentials tCredentials) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermission(tCredentials, SystemPermission.CREATE_NAMESPACE, false);
    }

    public boolean canDeleteNamespace(TCredentials tCredentials, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.DROP_NAMESPACE, namespaceId, false);
    }

    public boolean canRenameNamespace(TCredentials tCredentials, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermissionWithNamespaceId(tCredentials, SystemPermission.ALTER_NAMESPACE, namespaceId, false);
    }

    public boolean canObtainDelegationToken(TCredentials tCredentials) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasSystemPermission(tCredentials, SystemPermission.OBTAIN_DELEGATION_TOKEN, false);
    }

    public boolean canGetSummaries(TCredentials tCredentials, TableId tableId, NamespaceId namespaceId) throws ThriftSecurityException {
        authenticate(tCredentials);
        return hasTablePermission(tCredentials, tableId, namespaceId, TablePermission.GET_SUMMARIES, false);
    }

    public boolean validateStoredUserCreditentials() {
        return ((this.authenticator instanceof ZKAuthenticator) && ((ZKAuthenticator) this.authenticator).hasOutdatedHashes()) ? false : true;
    }
}
