[PR] HDDS-3128. Add support for kdiag and kerbname commands to ozone script [ozone]

Thu, 05 Mar 2026 05:22:11 -0800 


navinko opened a new pull request, #9868:
URL: https://github.com/apache/ozone/pull/9868

   ## What changes were proposed in this pull request?
   HDDS-3128. Add support for kdiag and kerbname commands to ozone script
   
   - Added changes for verifying how Kerberos principals map to local Unix 
users and collecting kerberos diagnostic which is useful when debugging and 
troubleshooting in secure clusters.
   
   1. ozone kdiag - This is useful when troubleshooting authentication failures 
in Ozone services.
      Exposes the Hadoop KDiag diagnostic tool through the Ozone CLI.
   2. ozone kerbname - Added a CLI utility to translate Kerberos principals 
into local user names using the configured           
hadoop.security.auth_to_local rules.
   
   ## What is the link to the Apache JIRA
   https://issues.apache.org/jira/browse/HDDS-3128
   
   ## How was this patch tested?
   
   -   Added test class for ozone kerbname 
   -  Tested both the functionality locally in secure cluster.
   -  CI build - https://github.com/navinko/ozone/actions/runs/22709788702
   
   > bash-5.1$ ozone kerbname om/[email protected]
   Name: om/[email protected] to om
   bash-5.1$ ozone kerbname [email protected]
   Name: [email protected] to om
   bash-5.1$ ozone kerbname om@EXAMPLE_ERORRCASE.COM
   Exception in thread "main" 
org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No 
rules applied to om@EXAMPLE_ERORRCASE.COM
           at 
org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:429)
           at org.apache.hadoop.ozone.kerberos.KerbName.main(KerbName.java:50)
   
   bash-5.1$ ozone kdiag | grep -i login
   JVM Kerberos Login Module = com.sun.security.auth.module.Krb5LoginModule
   java.security.auth.login.config = "(unset)"
   hadoop.kerberos.min.seconds.before.relogin = "60"
   Ticket based login: true
   Keytab based login: false
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to