[
https://issues.apache.org/jira/browse/HADOOP-12426?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15106164#comment-15106164
]
Kai Zheng commented on HADOOP-12426:
------------------------------------
Good work and nice tool! Some comments and hope they're helpful.
The tool could be improved further as follow-on tasks.
1. Looks like only Oracle JVM is expected. Not sure how it will behave on other
JVMs like IBM JDK.
2. {{validateKrb5File}} could also be supported on Windows, since the krb5 conf
file can be retrieved from JAVA_SECURITY_KRB5_CONF. But when it's null, sure
it's good to try particularly for non-Windows machines.
3. A {{usage()}} function or the like would be nice to have. I know it's well
documented here in the JIRA.
4. {{dumpKeytab}} can dump more than the principal names; information about
keys, like key type and key version, is sometimes also desired.
5. A try-the-best model might be desired, not aborting immediately when hitting
errors, but continuing to find more mismatch issues.
6. Wonder if the tool can also be used in clients, services and applications,
being called at the very beginning, dumping out the troubleshooting messages in
the log (security log?). If possible or desired, maybe the dump content can be
returned back instead of {{System.out}} itself.
> Add Entry point for Kerberos health check
> -----------------------------------------
>
> Key: HADOOP-12426
> URL: https://issues.apache.org/jira/browse/HADOOP-12426
> Project: Hadoop Common
> Issue Type: New Feature
> Components: security
> Affects Versions: 2.7.1
> Reporter: Steve Loughran
> Assignee: Steve Loughran
> Priority: Minor
> Attachments: HADOOP-12426-001.patch, HADOOP-12426-002.patch,
> HADOOP-12426-003.patch, HADOOP-12426-004.patch
>
>
> If we had a little command line entry point for testing Kerberos settings,
> including some automated diagnostics checks, we could simplify fielding the
> client-side support calls.
> Specifically
> * check JRE for having java crypto extensions at full key length.
> * network checks: do you know your own name?
> * Is the user kinited in?
> * if a tgt is specified, does it exist?
> * are hadoop security options consistent?
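As an added example (not code from the HADOOP-12426 patches), this standalone Java class applies the "try-the-best" model from comment 5 and the returned report from comment 6 to three of the checks listed in the issue description. The class name `KerberosPreflight`, the message format, the use of the `java.security.krb5.conf` system property, and the `/etc/krb5.conf` fallback on non-Windows hosts are assumptions made for illustration.

```java
import java.io.File;
import java.net.InetAddress;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;

/** Added illustration; class and method names are hypothetical, not Hadoop's. */
public class KerberosPreflight {

    /** Runs every check and returns all findings instead of aborting on the first failure. */
    public static List<String> run() {
        List<String> findings = new ArrayList<>();

        // JRE crypto policy: AES-256 Kerberos encryption types need keys longer than 128 bits.
        try {
            int maxAes = Cipher.getMaxAllowedKeyLength("AES");
            findings.add((maxAes >= 256 ? "OK" : "FAIL")
                    + ": max allowed AES key length is " + maxAes + " bits");
        } catch (Exception e) {
            findings.add("FAIL: cannot query JCE policy: " + e);
        }

        // Network: does this host know its own name? A short name is only a warning.
        try {
            String fqdn = InetAddress.getLocalHost().getCanonicalHostName();
            findings.add((fqdn.contains(".") ? "OK" : "WARN")
                    + ": local host resolves to " + fqdn);
        } catch (Exception e) {
            findings.add("FAIL: cannot resolve local host name: " + e);
        }

        // krb5 configuration: explicit JVM property first, assumed default path otherwise.
        String conf = System.getProperty("java.security.krb5.conf");
        boolean windows = System.getProperty("os.name", "").toLowerCase().startsWith("windows");
        if (conf == null && !windows) {
            conf = "/etc/krb5.conf"; // assumption: common default location on Unix-like hosts
        }
        if (conf == null) {
            findings.add("WARN: java.security.krb5.conf is not set; no file to validate");
        } else {
            File f = new File(conf);
            findings.add((f.isFile() && f.canRead() ? "OK" : "FAIL")
                    + ": krb5 configuration file " + f.getAbsolutePath());
        }
        return findings;
    }

    public static void main(String[] args) {
        run().forEach(System.out::println); // a service could write these to its log instead
    }
}
```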