[
https://issues.apache.org/jira/browse/HADOOP-12426?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15106241#comment-15106241
]
Steve Loughran commented on HADOOP-12426:
-----------------------------------------
thx for the comments.
# you should know that I'm stabilising some jenkins-test-run-failures on the
slider branch: that test run is failing if there's no default realm, i.e. you
are testing on a machine that isn't set up for kerberos.
# ...I see what you mean about keytab contents, and that I can get at them.
A timestamp would be good.
> A try-the-best model might be desired
I see that...it's already handling the situation where security is off in
core-site.xml but has been set on the command line; checking principals and
keytabs is something you can do without worrying about cluster security.
Maybe the {{failif()}} method could be made something that a {{--nofail}}
option would downgrade to error log; have it return a boolean so that those
follow-on operations which depend on the condition could be skipped.
{code}
// keytab check: if it fails under --nofail, the login that depends on it is skipped
if (failif(!keytab.exists(), CAT_CONF, "no keytab %s", keytab)) {
  loginFromKeytab();
}
{code}
Of course, I'd have to invert the condition, to something like "require(...)".
Regarding dumping, there's a --out option which can save it to a file. But as
half the log info goes to stderr (all the sun.java stuff), you do need to
capture both streams, ideally interleaved. And while I could briefly cache the
System.out and System.err streams & replace them with something to catch the
output, loggers really hate that.
As for startup, I think services would need to do the login stuff themselves.
You start trying to log in once and not only does UGI lock down, so do bits of
the JVM internal state (that is, {{UGI.reset()}} doesn't completely reset
things). So I don't think I'd want to have it all there.
What could be possible?
* keylength
* keytab existing
* dump a keytab
* look for principal in a keytab
* All the relevant env vars and properties could be logged
> Add Entry point for Kerberos health check
> -----------------------------------------
>
> Key: HADOOP-12426
> URL: https://issues.apache.org/jira/browse/HADOOP-12426
> Project: Hadoop Common
> Issue Type: New Feature
> Components: security
> Affects Versions: 2.7.1
> Reporter: Steve Loughran
> Assignee: Steve Loughran
> Priority: Minor
> Attachments: HADOOP-12426-001.patch, HADOOP-12426-002.patch,
> HADOOP-12426-003.patch, HADOOP-12426-004.patch
>
>
> If we had a little command line entry point for testing kerberos settings,
> including some automated diagnostics checks, we could simplify fielding the
> client-side support calls.
> Specifically
> * check JRE for having java crypto extensions at full key length.
> * network checks: do you know your own name?
> * Is the user kinited in?
> * if a tgt is specified, does it exist?
> * are hadoop security options consistent?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
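The comment above sketches two ideas: a `require()`-style check that either fails fast or, under a `--nofail` option, downgrades to an error log and returns a boolean so dependent checks can be skipped; and a list of checks that are safe to run without touching cluster security (key length, keytab existence, environment variables). The following is an added example written for this page, not code from the HADOOP-12426 patches or from Hadoop's own diagnostics tool. It uses only the JDK (no UGI), so it can run on any machine; the class name `KerberosDiagSketch`, the category constants and the `--keytab` option are assumptions made for the sketch. The keytab checks stop at existence, readability and size; parsing keytab entries to look up a principal is not attempted here.

```java
import java.io.File;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import javax.crypto.Cipher;

/**
 * Hypothetical Kerberos client diagnostics sketch (not Hadoop's KDiag).
 * Every check goes through require(): by default a failed check throws,
 * with --nofail it is logged and reported as a boolean instead.
 */
public class KerberosDiagSketch {

    // Assumed category labels, modelled on the CAT_CONF constant in the comment above.
    static final String CAT_JVM = "JVM";
    static final String CAT_CONF = "CONF";
    static final String CAT_NET = "NET";

    private final boolean nofail;
    private final List<String> problems = new ArrayList<>();

    KerberosDiagSketch(boolean nofail) {
        this.nofail = nofail;
    }

    /**
     * Returns true when the condition holds. When it does not: throws in the
     * default fail-fast mode, or logs the problem and returns false under
     * --nofail so the caller can skip follow-on operations that depend on it.
     */
    boolean require(boolean condition, String category, String format, Object... args) {
        if (condition) {
            return true;
        }
        String msg = category + ": " + String.format(format, args);
        if (!nofail) {
            throw new IllegalStateException(msg);
        }
        problems.add(msg);
        System.err.println("ERROR " + msg);
        return false;
    }

    /** Key length check: a capped AES key length means the JCE unlimited-strength policy is not active. */
    boolean checkKeyLength() throws NoSuchAlgorithmException {
        int max = Cipher.getMaxAllowedKeyLength("AES");
        return require(max >= 256, CAT_JVM,
                "JCE unlimited strength policy not active: max AES key length is %d bits", max);
    }

    /** "Do you know your own name?": the local host should resolve to a real canonical name, not just its address. */
    boolean checkHostname() {
        try {
            InetAddress local = InetAddress.getLocalHost();
            String fqdn = local.getCanonicalHostName();
            return require(!fqdn.isEmpty() && !fqdn.equals(local.getHostAddress()), CAT_NET,
                    "local host does not resolve to a canonical name: %s", fqdn);
        } catch (UnknownHostException e) {
            return require(false, CAT_NET, "cannot resolve local host: %s", e.getMessage());
        }
    }

    /** Keytab checks: when the file is missing, the checks on its contents are skipped rather than run. */
    boolean checkKeytab(File keytab) {
        if (!require(keytab.exists(), CAT_CONF, "no keytab %s", keytab)) {
            return false; // follow-on checks depend on the file being there
        }
        return require(keytab.canRead(), CAT_CONF, "keytab not readable: %s", keytab)
                && require(keytab.length() > 0, CAT_CONF, "keytab is empty: %s", keytab);
    }

    /** Log the JVM properties and environment variables that steer Kerberos configuration lookup. */
    void logEnvironment() {
        for (String p : new String[] {"java.security.krb5.conf", "java.security.krb5.realm",
                "java.security.krb5.kdc", "sun.security.krb5.debug"}) {
            System.out.println(p + " = " + System.getProperty(p));
        }
        for (String v : new String[] {"KRB5_CONFIG", "KRB5CCNAME", "KRB5_KTNAME"}) {
            System.out.println(v + " = " + System.getenv(v));
        }
    }

    List<String> problems() {
        return problems;
    }

    // Usage: java KerberosDiagSketch [--nofail] [--keytab /path/to/file.keytab]
    public static void main(String[] args) throws Exception {
        boolean nofail = false;
        File keytab = null;
        for (int i = 0; i < args.length; i++) {
            if ("--nofail".equals(args[i])) {
                nofail = true;
            } else if ("--keytab".equals(args[i]) && i + 1 < args.length) {
                keytab = new File(args[++i]);
            }
        }
        KerberosDiagSketch diag = new KerberosDiagSketch(nofail);
        diag.logEnvironment();
        diag.checkKeyLength();
        diag.checkHostname();
        if (keytab != null) {
            diag.checkKeytab(keytab);
        }
        boolean ok = diag.problems().isEmpty();
        System.out.println(ok ? "all checks passed" : diag.problems().size() + " problem(s) found");
        System.exit(ok ? 0 : 1);
    }
}
```

Without `--nofail` the first failing check throws and the exit code is non-zero, which is the behaviour a support script wants; with `--nofail` every check runs, each failure is logged to stderr, and the boolean returned by `require()` is what lets `checkKeytab()` skip the content checks when the file itself is absent.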