Class KDiag

java.lang.Object
org.apache.hadoop.conf.Configured
org.apache.hadoop.security.KDiag
All Implemented Interfaces:
Closeable, AutoCloseable, Configurable, Tool

public class KDiag extends Configured implements Tool, Closeable
Kerberos diagnostics.

This operation expands some of the diagnostic output of the security code, but not all. For completeness:

1. Set the environment variable HADOOP_JAAS_DEBUG=true
2. Set the log level for org.apache.hadoop.security=DEBUG

  • Field Details

  • Constructor Details

  • Method Details

    • close

      public void close() throws IOException
      Specified by:
      close in interface AutoCloseable
      Specified by:
      close in interface Closeable
      Throws:
      IOException
    • run

      public int run(String[] argv) throws Exception
      Description copied from interface: Tool
      Execute the command with the given arguments.
      Specified by:
      run in interface Tool
      Parameters:
      argv - command specific arguments.
      Returns:
      exit code.
      Throws:
      Exception - command exception.
    • execute

      public boolean execute() throws Exception
      Execute diagnostics.

      Things it would be nice if UGI made accessible

      1. A way to enable JAAS debug programmatically
      2. Access to the TGT
      Returns:
      true if security was enabled and all probes were successful
      Throws:
      KDiag.KerberosDiagsFailure - explicitly raised failure
      Exception - other security problems
    • isSimpleAuthentication

      protected boolean isSimpleAuthentication(Configuration conf)
      Is the authentication method of this configuration "simple"?
      Parameters:
      conf - configuration to check
      Returns:
      true if auth is simple (i.e. not kerberos)
    • validateKeyLength

      protected void validateKeyLength() throws NoSuchAlgorithmException
      Fail fast on a JVM without JCE installed. This is a recurrent problem (that is: it keeps creeping back with JVM updates); a fast failure is the best tactic.
      Throws:
      NoSuchAlgorithmException - when a particular cryptographic algorithm is requested but is not available in the environment.
    • validateShortName

      protected void validateShortName()
      Verify whether auth_to_local rules transform a principal name.

      Having a local user name "bar@foo.com" may be harmless, so it is noted at info. However, if what was intended is a transformation to "bar", it can be difficult to debug, hence this check.

    • printDefaultRealm

      protected void printDefaultRealm()
      Get the default realm.

      Not having a default realm may be harmless, so it is noted at info. All other invocation failures are downgraded to warn, as follow-on actions may still work. Failure to invoke the method via introspection is considered a failure, as it's a sign of JVM compatibility issues that may have other consequences.

    • dumpTokens

      public void dumpTokens(UserGroupInformation ugi)
      Dump all tokens of a UGI.
      Parameters:
      ugi - UGI to examine
    • exec

      public static int exec(Configuration conf, String... argv) throws Exception
      Inner entry point, with no logging or system exits.
      Parameters:
      conf - configuration
      argv - argument list
      Returns:
      an exception
      Throws:
      Exception - Exception.
    • main

      public static void main(String[] argv)
      Main entry point.
      Parameters:
      argv - args list
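
Because exec is documented as doing no logging setup and no system exits, it can be embedded as a startup gate. The class below is an added example, not part of the Hadoop code base: KerberosPreflight, MIN_AES_BITS and requireStrongCrypto are hypothetical names, the 256-bit threshold is an assumption, and the keytab and principal come from the command line. It assumes the kdiag options --secure, --keytab and --principal and treats any non-zero return as failure.

```java
import javax.crypto.Cipher;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.KDiag;

/** Hypothetical startup gate: refuse to start a service if Kerberos diagnostics fail. */
public class KerberosPreflight {

  /** Assumption: the realm's keys need 256-bit AES. */
  static final int MIN_AES_BITS = 256;

  /** Same idea as validateKeyLength(): fail fast if the JVM's crypto policy caps AES. */
  static void requireStrongCrypto() throws Exception {
    int max = Cipher.getMaxAllowedKeyLength("AES");
    if (max < MIN_AES_BITS) {
      throw new IllegalStateException(
          "JVM limits AES to " + max + " bits; need " + MIN_AES_BITS);
    }
  }

  public static void main(String[] args) throws Exception {
    if (args.length != 2) {
      System.err.println("usage: KerberosPreflight <keytab> <principal>");
      System.exit(2);
    }
    // For fuller output, HADOOP_JAAS_DEBUG=true must already be set in the
    // launching environment and org.apache.hadoop.security logged at DEBUG.
    requireStrongCrypto();

    // Loads the site configuration from the classpath; --secure makes the run
    // fail if that configuration uses "simple" authentication.
    Configuration conf = new Configuration();

    int rc;
    try {
      // exec() never calls System.exit(), so the caller decides what failure means.
      rc = KDiag.exec(conf, "--secure", "--keytab", args[0], "--principal", args[1]);
    } catch (KDiag.KerberosDiagsFailure e) {
      System.err.println("Kerberos probe failed: " + e.getMessage());
      rc = 1;
    }
    if (rc != 0) {
      System.err.println("Kerberos preflight failed (code " + rc + "); not starting");
      System.exit(rc);
    }
    System.out.println("Kerberos preflight passed");
  }
}
```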