adoroszlai commented on code in PR #9868: URL: https://github.com/apache/ozone/pull/9868#discussion_r2983168034
########## hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/kdiag/AuthorizationProbe.java: ########## @@ -0,0 +1,54 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.ozone.debug.kdiag; + +import org.apache.hadoop.hdds.conf.OzoneConfiguration; + +/** + * Validates Ozone and Hadoop RPC authorization configuration. + */ +public class AuthorizationProbe implements DiagnosticProbe { + + @Override + public String name() { + return "Authorization Configuration"; + } + + @Override + public boolean run() { + System.out.println("-- Authorization Configuration --"); + OzoneConfiguration conf = new OzoneConfiguration(); + + print(conf, "ozone.acl.enabled"); + print(conf, "ozone.acl.authorizer.class"); + print(conf, "hadoop.security.authorization"); + print(conf, "ozone.om.security.client.protocol.acl"); + + print(conf, "hdds.security.client.datanode.container.protocol.acl"); + print(conf, "hdds.security.client.scm.container.protocol.acl"); + print(conf, "hdds.security.client.scm.block.protocol.acl"); + print(conf, "hdds.security.client.scm.certificate.protocol.acl"); Review Comment: Please use constants from `HddsConfigKeys`, `OzoneConfigKeys` etc. where available. ########## hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/kdiag/AuthorizationProbe.java: ########## @@ -0,0 +1,54 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.ozone.debug.kdiag; + +import org.apache.hadoop.hdds.conf.OzoneConfiguration; + +/** + * Validates Ozone and Hadoop RPC authorization configuration. + */ +public class AuthorizationProbe implements DiagnosticProbe { + + @Override + public String name() { + return "Authorization Configuration"; + } + + @Override + public boolean run() { + System.out.println("-- Authorization Configuration --"); Review Comment: All `DiagnosticProbe` implementations have `name()` that could be automatically printed instead of duplicating the title in `run()`. ########## hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/kdiag/DiagnosticProbe.java: ########## @@ -0,0 +1,28 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.ozone.debug.kdiag; + +/** + * Interface for a diagnostic probe executed by ozone debug kdiag. + */ +public interface DiagnosticProbe { + + String name(); + + boolean run() throws Exception; Review Comment: I think `test()` would be a better name. ########## hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/authtolocal/KerbNameDebug.java: ########## @@ -0,0 +1,67 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.ozone.debug.authtolocal; + +import java.util.List; +import java.util.concurrent.Callable; +import org.apache.hadoop.hdds.cli.DebugSubcommand; +import org.apache.hadoop.hdds.conf.OzoneConfiguration; +import org.apache.hadoop.security.authentication.util.KerberosName; +import org.kohsuke.MetaInfServices; +import picocli.CommandLine; + +/** + * Debug command to translate Kerberos principals into local user names + * using the configured auth_to_local rules. + * + * Example: + * ozone debug kerbname testuser/[email protected] + */ [email protected]( + name = "kerbname", + description = "Translate Kerberos principal(s) using auth_to_local rules." +) +@MetaInfServices(DebugSubcommand.class) +public class KerbNameDebug implements Callable<Void>, DebugSubcommand { + + @CommandLine.Parameters(arity = "1..*", + description = "Kerberos principal(s) to translate" + ) + private List<String> principals; + + @Override + public Void call() throws Exception { + System.out.println("-- Kerberos Principal Translation --"); + OzoneConfiguration conf = new OzoneConfiguration(); Review Comment: Let `KerbNameDebug extends AbstractSubcommand`, then configuration can be obtained via `getOzoneConf()`. It allows setting specific properties, as well as alternative config files. The same applies to `OzoneKDiag`. ########## hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/kdiag/OzoneKDiag.java: ########## @@ -0,0 +1,77 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.ozone.debug.kdiag; + +import java.util.Arrays; +import java.util.List; +import java.util.concurrent.Callable; +import org.apache.hadoop.hdds.cli.DebugSubcommand; +import org.kohsuke.MetaInfServices; +import picocli.CommandLine; + +/** + * Kerberos diagnostic tool for Ozone. + * Usage:Validates each registered probe serially + * and prints diagnostic summary. + * Example: ozone debug kdiag + */ [email protected](name = "kdiag", description = "Diagnose Kerberos configuration issues for Ozone.") +@MetaInfServices(DebugSubcommand.class) +public class OzoneKDiag implements Callable<Void>, DebugSubcommand { + @Override + public Void call() throws Exception { + System.out.println("\n== Ozone Kerberos Diagnostics ==\n"); + List<DiagnosticProbe> probes = + Arrays.asList(new HostProbe(), + new EnvironmentProbe(), + new JvmKerberosProbe(), + new KerberosConfigProbe(), + new KinitProbe(), + new KerberosTicketProbe(), + new PrincipalMappingProbe(), + new OzonePrincipalProbe(), + new KeytabProbe(), + new SecurityConfigProbe(), + new AuthorizationProbe(), + new HttpAuthProbe()); + int pass = 0; + int warn = 0; + int fail = 0; + for (DiagnosticProbe probe : probes) { + try { + boolean result = probe.run(); + if (result) { + pass++; + System.out.println("[PASS] " + probe.name()); + } else { + warn++; + System.out.println("[WARN] " + probe.name()); Review Comment: I tried introducing problems, e.g. by making `kinit` non-executable, removing permissions from `/etc/krb5.conf`, etc. The probes returned `false`, which resulted only in warnings. But the system is non-functional with this setup. Shouldn't it give errors instead of warnings? ``` -- Kerberos kinit Command -- Executable kinit must be available on PATH PATH = /opt/hadoop/libexec:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/jdk-21.0.2/bin:/opt/hadoop/bin kinit not found on PATH [WARN] Kerberos kinit Command -- Kerberos Ticket -- ERROR checking kerberos credentials: Can't get Kerberos realm [WARN] Kerberos Ticket ``` ########## hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/kdiag/KerberosConfigProbe.java: ########## @@ -0,0 +1,57 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.ozone.debug.kdiag; + +import java.io.File; +import org.apache.hadoop.security.authentication.util.KerberosUtil; + +/** + * Validates Kerberos configuration file and realm. + * + * This probe checks: + * - Location of krb5.conf + * - Default Kerberos realm + * - JVM Kerberos system properties used by Java security + */ +public class KerberosConfigProbe implements DiagnosticProbe { + + @Override + public String name() { + return "Kerberos Configuration"; + } + + @Override + public boolean run() { + System.out.println("-- Kerberos Configuration --"); + // Determine krb5.conf location + String path = System.getenv("KRB5_CONFIG"); + if (path == null) { + path = "/etc/krb5.conf"; + } + File file = new File(path); + System.out.println("krb5.conf = " + file); + try { + String realm = KerberosUtil.getDefaultRealm(); + System.out.println("Default realm = " + realm); + } catch (Exception e) { + System.out.println("WARNING: Unable to determine default realm"); Review Comment: I think warnings and errors should be printed to `System.err`. ########## hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/kdiag/OzoneKDiag.java: ########## @@ -0,0 +1,77 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.ozone.debug.kdiag; + +import java.util.Arrays; +import java.util.List; +import java.util.concurrent.Callable; +import org.apache.hadoop.hdds.cli.DebugSubcommand; +import org.kohsuke.MetaInfServices; +import picocli.CommandLine; + +/** + * Kerberos diagnostic tool for Ozone. + * Usage:Validates each registered probe serially + * and prints diagnostic summary. + * Example: ozone debug kdiag + */ [email protected](name = "kdiag", description = "Diagnose Kerberos configuration issues for Ozone.") +@MetaInfServices(DebugSubcommand.class) +public class OzoneKDiag implements Callable<Void>, DebugSubcommand { + @Override + public Void call() throws Exception { + System.out.println("\n== Ozone Kerberos Diagnostics ==\n"); + List<DiagnosticProbe> probes = + Arrays.asList(new HostProbe(), + new EnvironmentProbe(), + new JvmKerberosProbe(), + new KerberosConfigProbe(), + new KinitProbe(), + new KerberosTicketProbe(), + new PrincipalMappingProbe(), + new OzonePrincipalProbe(), + new KeytabProbe(), + new SecurityConfigProbe(), + new AuthorizationProbe(), + new HttpAuthProbe()); + int pass = 0; + int warn = 0; + int fail = 0; + for (DiagnosticProbe probe : probes) { + try { + boolean result = probe.run(); + if (result) { + pass++; + System.out.println("[PASS] " + probe.name()); + } else { + warn++; + System.out.println("[WARN] " + probe.name()); + } + } catch (Exception e) { + fail++; + System.out.println("[FAIL] " + probe.name() + " : " + e.getMessage()); + } + System.out.println(); + } + System.out.println("== Diagnostic Summary =="); + System.out.println("PASS : " + pass); + System.out.println("WARN : " + warn); + System.out.println("FAIL : " + fail); + return null; Review Comment: We may want to set non-zero exit code if there are any failures. I think it can be done by using `Callable<Integer>` instead of `Callable<Void>`. ########## hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/kdiag/AuthorizationProbe.java: ########## @@ -0,0 +1,54 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.ozone.debug.kdiag; + +import org.apache.hadoop.hdds.conf.OzoneConfiguration; + +/** + * Validates Ozone and Hadoop RPC authorization configuration. + */ +public class AuthorizationProbe implements DiagnosticProbe { + + @Override + public String name() { + return "Authorization Configuration"; + } + + @Override + public boolean run() { + System.out.println("-- Authorization Configuration --"); + OzoneConfiguration conf = new OzoneConfiguration(); + + print(conf, "ozone.acl.enabled"); + print(conf, "ozone.acl.authorizer.class"); + print(conf, "hadoop.security.authorization"); + print(conf, "ozone.om.security.client.protocol.acl"); + + print(conf, "hdds.security.client.datanode.container.protocol.acl"); + print(conf, "hdds.security.client.scm.container.protocol.acl"); + print(conf, "hdds.security.client.scm.block.protocol.acl"); + print(conf, "hdds.security.client.scm.certificate.protocol.acl"); + return true; + } + + private void print(OzoneConfiguration conf, String key) { + String value = conf.get(key); + System.out.println(key + " = " + + (value == null ? "(unset)" : value)); Review Comment: Please reuse code across various probes. The same logic also appears in `HttpAuthProbe`, `OzonePrincipalProbe` and `SecurityConfigProbe`. Maybe a parent class `ConfigProbe`? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
