[
https://issues.apache.org/jira/browse/HADOOP-12426?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14901132#comment-14901132
]
Steve Loughran commented on HADOOP-12426:
-----------------------------------------
I'm just looking for some entry point that can be run in bin/hadoop to check
keytab health before you get odd errors; something vaguely useful for end
users, and at least for people fielding support calls.
{code}
bin/hadoop kerberos-check --keytab ~/keys --principal stevel@LOCAL
{code}
this could trigger
# verify keytab is there, readable, contains the named principal
# can actually generate keys the right length with JCE
# KDC is resolvable
# KDC exists (outages may be transient, but stil...)
and there'd be some different negative exit codes for failures.
I don't have the time to do this right now, I just think it'd be good for
preflight checking. If the class to run the tests was also made usable from as
a library, I think checking JCE key length and principal would be useful too
-especially if it could generate some more useful message than those we see
today.
> Add Entry point for Kerberos health check
> -----------------------------------------
>
> Key: HADOOP-12426
> URL: https://issues.apache.org/jira/browse/HADOOP-12426
> Project: Hadoop Common
> Issue Type: New Feature
> Components: security
> Affects Versions: 3.0.0
> Reporter: Steve Loughran
> Priority: Minor
>
> If we a little command line entry point for testing kerberos settings,
> including some automated diagnostics checks, we could simplify fielding the
> client-side support calls.
> Specifically
> * check JRE for having java crypto extensions at full key length.
> * network checks: do you know your own name?
> * Is the user kinited in?
> * if a tgt is specified, does it exist?
> * are hadoop security options consistent?
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
