KDiag (Apache Hadoop Common 2.8.0 API)

java.lang.Object
- org.apache.hadoop.conf.Configured
- - org.apache.hadoop.security.KDiag

All Implemented Interfaces:

Closeable, AutoCloseable, Configurable, Tool
```
public class KDiag
extends Configured
implements Tool, Closeable
```
Kerberos diagnostics This operation expands some of the diagnostic output of the security code, but not all. For completeness Set the environment variable HADOOP_JAAS_DEBUG=true Set the log level for org.apache.hadoop.security=DEBUG

Nested Class Summary

Nested Classes
Modifier and Type Class and Description

static class KDiag.KerberosDiagsFailure
Diagnostics failures return the exit code 41, "unauthorized".

Nested Classes
Modifier and Type	Class and Description
`static class`	`KDiag.KerberosDiagsFailure` Diagnostics failures return the exit code 41, "unauthorized".

Field Summary

Fields
Modifier and Type	Field and Description
`static String`	`ARG_JAAS`
`static String`	`ARG_KEYLEN`
`static String`	`ARG_KEYTAB`
`static String`	`ARG_NOFAIL`
`static String`	`ARG_NOLOGIN`
`static String`	`ARG_OUTPUT`
`static String`	`ARG_PRINCIPAL`
`static String`	`ARG_RESOURCE`
`static String`	`ARG_SECURE`
`static String`	`ARG_VERIFYSHORTNAME`
`static String`	`CAT_CONFIG`
`static String`	`CAT_JAAS`
`static String`	`CAT_JVM`
`static String`	`CAT_KERBEROS`
`static String`	`CAT_LOGIN`
`static String`	`CAT_OS`
`static String`	`CAT_SASL`
`static String`	`CAT_UGI`
`static String`	`DFS_DATA_TRANSFER_PROTECTION`
`static String`	`DFS_DATA_TRANSFER_SASLPROPERTIES_RESOLVER_CLASS`
`static String`	`ETC_KRB5_CONF`
`static String`	`ETC_NTP`
`static String`	`HADOOP_AUTHENTICATION_IS_DISABLED`
`static String`	`HADOOP_JAAS_DEBUG`
`static String`	`JAVA_SECURITY_KRB5_CONF`
`static String`	`JAVA_SECURITY_KRB5_KDC_ADDRESS`
`static String`	`JAVA_SECURITY_KRB5_REALM`
`static int`	`KDIAG_FAILURE` The exit code for a failure of the diagnostics: 41 == HTTP 401 == unauth.
`static String`	`KERBEROS_KINIT_COMMAND`
`static String`	`KRB5_CCNAME` Location of the kerberos ticket cache as passed down via an environment variable.
`static String`	`NO_DEFAULT_REALM` String seen in `getDefaultRealm()` exceptions if the user has no realm: "Cannot locate default realm".
`static String`	`SUN_SECURITY_JAAS_FILE`
`static String`	`SUN_SECURITY_KRB5_DEBUG`
`static String`	`SUN_SECURITY_SPNEGO_DEBUG`
`static String`	`UNSET`

Constructor Summary

Constructors
Constructor and Description
`KDiag()`
`KDiag(Configuration conf, PrintWriter out, File keytab, String principal, long minKeyLength, boolean securityRequired)`

Method Summary

Methods
Modifier and Type	Method and Description
`void`	`close()`
`void`	`dumpTokens(UserGroupInformation ugi)` Dump all tokens of a UGI.
`static int`	`exec(Configuration conf, String... argv)` Inner entry point, with no logging or system exits.
`boolean`	`execute()` Execute diagnostics.
`protected boolean`	`isSimpleAuthentication(Configuration conf)` Is the authentication method of this configuration "simple"?
`static void`	`main(String[] argv)` Main entry point.
`protected void`	`printDefaultRealm()` Get the default realm.
`int`	`run(String[] argv)` Execute the command with the given arguments.
`protected void`	`validateKeyLength()` Fail fast on a JVM without JCE installed.
`protected void`	`validateShortName()` Verify whether auth_to_local rules transform a principal name

Methods inherited from class org.apache.hadoop.conf.Configured
getConf, setConf

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.hadoop.conf.Configurable
getConf, setConf

- Field Detail
  - KRB5_CCNAME
```
public static final String KRB5_CCNAME
```
    Location of the kerberos ticket cache as passed down via an environment variable. This is what kinit will use by default: "KRB5CCNAME"
    
    See Also:
    Constant Field Values
  - JAVA_SECURITY_KRB5_CONF
```
public static final String JAVA_SECURITY_KRB5_CONF
```
    See Also:
    Constant Field Values
  - JAVA_SECURITY_KRB5_REALM
```
public static final String JAVA_SECURITY_KRB5_REALM
```
    See Also:
    Constant Field Values
  - JAVA_SECURITY_KRB5_KDC_ADDRESS
```
public static final String JAVA_SECURITY_KRB5_KDC_ADDRESS
```
    See Also:
    Constant Field Values
  - SUN_SECURITY_KRB5_DEBUG
```
public static final String SUN_SECURITY_KRB5_DEBUG
```
    See Also:
    Constant Field Values
  - SUN_SECURITY_SPNEGO_DEBUG
```
public static final String SUN_SECURITY_SPNEGO_DEBUG
```
    See Also:
    Constant Field Values
  - SUN_SECURITY_JAAS_FILE
```
public static final String SUN_SECURITY_JAAS_FILE
```
    See Also:
    Constant Field Values
  - KERBEROS_KINIT_COMMAND
```
public static final String KERBEROS_KINIT_COMMAND
```
    See Also:
    Constant Field Values
  - HADOOP_AUTHENTICATION_IS_DISABLED
```
public static final String HADOOP_AUTHENTICATION_IS_DISABLED
```
    See Also:
    Constant Field Values
  - UNSET
```
public static final String UNSET
```
    See Also:
    Constant Field Values
  - NO_DEFAULT_REALM
```
public static final String NO_DEFAULT_REALM
```
    String seen in getDefaultRealm() exceptions if the user has no realm: "Cannot locate default realm".
    
    See Also:
    Constant Field Values
  - KDIAG_FAILURE
```
public static final int KDIAG_FAILURE
```
    The exit code for a failure of the diagnostics: 41 == HTTP 401 == unauth.
    
    See Also:
    Constant Field Values
  - DFS_DATA_TRANSFER_SASLPROPERTIES_RESOLVER_CLASS
```
public static final String DFS_DATA_TRANSFER_SASLPROPERTIES_RESOLVER_CLASS
```
    See Also:
    Constant Field Values
  - DFS_DATA_TRANSFER_PROTECTION
```
public static final String DFS_DATA_TRANSFER_PROTECTION
```
    See Also:
    Constant Field Values
  - ETC_KRB5_CONF
```
public static final String ETC_KRB5_CONF
```
    See Also:
    Constant Field Values
  - ETC_NTP
```
public static final String ETC_NTP
```
    See Also:
    Constant Field Values
  - HADOOP_JAAS_DEBUG
```
public static final String HADOOP_JAAS_DEBUG
```
    See Also:
    Constant Field Values
  - CAT_CONFIG
```
public static final String CAT_CONFIG
```
    See Also:
    Constant Field Values
  - CAT_JAAS
```
public static final String CAT_JAAS
```
    See Also:
    Constant Field Values
  - CAT_JVM
```
public static final String CAT_JVM
```
    See Also:
    Constant Field Values
  - CAT_KERBEROS
```
public static final String CAT_KERBEROS
```
    See Also:
    Constant Field Values
  - CAT_LOGIN
```
public static final String CAT_LOGIN
```
    See Also:
    Constant Field Values
  - CAT_OS
```
public static final String CAT_OS
```
    See Also:
    Constant Field Values
  - CAT_SASL
```
public static final String CAT_SASL
```
    See Also:
    Constant Field Values
  - CAT_UGI
```
public static final String CAT_UGI
```
    See Also:
    Constant Field Values
  - ARG_KEYLEN
```
public static final String ARG_KEYLEN
```
    See Also:
    Constant Field Values
  - ARG_KEYTAB
```
public static final String ARG_KEYTAB
```
    See Also:
    Constant Field Values
  - ARG_JAAS
```
public static final String ARG_JAAS
```
    See Also:
    Constant Field Values
  - ARG_NOFAIL
```
public static final String ARG_NOFAIL
```
    See Also:
    Constant Field Values
  - ARG_NOLOGIN
```
public static final String ARG_NOLOGIN
```
    See Also:
    Constant Field Values
  - ARG_OUTPUT
```
public static final String ARG_OUTPUT
```
    See Also:
    Constant Field Values
  - ARG_PRINCIPAL
```
public static final String ARG_PRINCIPAL
```
    See Also:
    Constant Field Values
  - ARG_RESOURCE
```
public static final String ARG_RESOURCE
```
    See Also:
    Constant Field Values
  - ARG_SECURE
```
public static final String ARG_SECURE
```
    See Also:
    Constant Field Values
  - ARG_VERIFYSHORTNAME
```
public static final String ARG_VERIFYSHORTNAME
```
    See Also:
    Constant Field Values
- Constructor Detail
  - KDiag
```
public KDiag(Configuration conf,
     PrintWriter out,
     File keytab,
     String principal,
     long minKeyLength,
     boolean securityRequired)
```
  - KDiag
```
public KDiag()
```
- Method Detail
  - close
```
public void close()
           throws IOException
```
    Specified by:
    
    close in interface Closeable
    
    Specified by:
    
    close in interface AutoCloseable
    
    Throws:
    
    IOException
  - run
```
public int run(String[] argv)
        throws Exception
```
    Description copied from interface: Tool
    
    Execute the command with the given arguments.
    
    Specified by:
    
    run in interface Tool
    
    Parameters:
    argv - command specific arguments.
    
    Returns:
    exit code.
    
    Throws:
    
    Exception
  - execute
```
public boolean execute()
                throws Exception
```
    Execute diagnostics.
    Things it would be nice if UGI made accessible
    1. A way to enable JAAS debug programatically
    2. Access to the TGT
    Returns:
    true if security was enabled and all probes were successful
    
    Throws:
    
    KDiag.KerberosDiagsFailure - explicitly raised failure
    
    Exception - other security problems
  - isSimpleAuthentication
```
protected boolean isSimpleAuthentication(Configuration conf)
```
    Is the authentication method of this configuration "simple"?
    
    Parameters:
    conf - configuration to check
    
    Returns:
    true if auth is simple (i.e. not kerberos)
  - validateKeyLength
```
protected void validateKeyLength()
                          throws NoSuchAlgorithmException
```
    Fail fast on a JVM without JCE installed. This is a recurrent problem (that is: it keeps creeping back with JVM updates); a fast failure is the best tactic.
    
    Throws:
    
    NoSuchAlgorithmException
  - validateShortName
```
protected void validateShortName()
```
    Verify whether auth_to_local rules transform a principal name
    Having a local user name "bar@foo.com" may be harmless, so it is noted at info. However if what was intended is a transformation to "bar" it can be difficult to debug, hence this check.
  - printDefaultRealm
```
protected void printDefaultRealm()
```
    Get the default realm.
    Not having a default realm may be harmless, so is noted at info. All other invocation failures are downgraded to warn, as follow-on actions may still work. Failure to invoke the method via introspection is considered a failure, as it's a sign of JVM compatibility issues that may have other consequences
  - dumpTokens
```
public void dumpTokens(UserGroupInformation ugi)
```
    Dump all tokens of a UGI.
    
    Parameters:
    ugi - UGI to examine
  - exec
```
public static int exec(Configuration conf,
       String... argv)
                throws Exception
```
    Inner entry point, with no logging or system exits.
    
    Parameters:
    conf - configuration
    argv - argument list
    
    Returns:
    an exception
    
    Throws:
    
    Exception
  - main
```
public static void main(String[] argv)
```
    Main entry point.
    
    Parameters:
    argv - args list

Class KDiag

Nested Class Summary

Field Summary

Constructor Summary

Method Summary

Methods inherited from class org.apache.hadoop.conf.Configured

Methods inherited from class java.lang.Object

Methods inherited from interface org.apache.hadoop.conf.Configurable

Field Detail

KRB5_CCNAME

JAVA_SECURITY_KRB5_CONF

JAVA_SECURITY_KRB5_REALM

JAVA_SECURITY_KRB5_KDC_ADDRESS

SUN_SECURITY_KRB5_DEBUG

SUN_SECURITY_SPNEGO_DEBUG

SUN_SECURITY_JAAS_FILE

KERBEROS_KINIT_COMMAND

HADOOP_AUTHENTICATION_IS_DISABLED

UNSET

NO_DEFAULT_REALM

KDIAG_FAILURE

DFS_DATA_TRANSFER_SASLPROPERTIES_RESOLVER_CLASS

DFS_DATA_TRANSFER_PROTECTION

ETC_KRB5_CONF

ETC_NTP

HADOOP_JAAS_DEBUG

CAT_CONFIG

CAT_JAAS

CAT_JVM

CAT_KERBEROS

CAT_LOGIN

CAT_OS

CAT_SASL

CAT_UGI

ARG_KEYLEN

ARG_KEYTAB

ARG_JAAS

ARG_NOFAIL

ARG_NOLOGIN

ARG_OUTPUT

ARG_PRINCIPAL

ARG_RESOURCE

ARG_SECURE

ARG_VERIFYSHORTNAME

Constructor Detail

KDiag

KDiag

Method Detail

close

run

execute

isSimpleAuthentication

validateKeyLength

validateShortName

printDefaultRealm

dumpTokens

exec

main