public class KDiag extends Configured implements Tool, Closeable
HADOOP_JAAS_DEBUG=true
Set the log level for org.apache.hadoop.security=DEBUG
Modifier and Type | Class and Description |
---|---|
static class |
KDiag.KerberosDiagsFailure
Diagnostics failures return the exit code 41, "unauthorized".
|
Constructor and Description |
---|
KDiag() |
KDiag(Configuration conf,
PrintWriter out,
File keytab,
String principal,
long minKeyLength,
boolean securityRequired) |
Modifier and Type | Method and Description |
---|---|
void |
close() |
void |
dumpTokens(UserGroupInformation ugi)
Dump all tokens of a UGI.
|
static int |
exec(Configuration conf,
String... argv)
Inner entry point, with no logging or system exits.
|
boolean |
execute()
Execute diagnostics.
|
protected boolean |
isSimpleAuthentication(Configuration conf)
Is the authentication method of this configuration "simple"?
|
static void |
main(String[] argv)
Main entry point.
|
protected void |
printDefaultRealm()
Get the default realm.
|
int |
run(String[] argv)
Execute the command with the given arguments.
|
protected void |
validateKeyLength()
Fail fast on a JVM without JCE installed.
|
protected void |
validateShortName()
Verify whether auth_to_local rules transform a principal name
|
getConf, setConf
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
getConf, setConf
public static final String KRB5_CCNAME
public static final String JAVA_SECURITY_KRB5_CONF
public static final String JAVA_SECURITY_KRB5_REALM
public static final String JAVA_SECURITY_KRB5_KDC_ADDRESS
public static final String SUN_SECURITY_KRB5_DEBUG
public static final String SUN_SECURITY_SPNEGO_DEBUG
public static final String SUN_SECURITY_JAAS_FILE
public static final String KERBEROS_KINIT_COMMAND
public static final String HADOOP_AUTHENTICATION_IS_DISABLED
public static final String UNSET
public static final String NO_DEFAULT_REALM
getDefaultRealm()
exceptions if the user has
no realm: "Cannot locate default realm".public static final int KDIAG_FAILURE
public static final String DFS_DATA_TRANSFER_SASLPROPERTIES_RESOLVER_CLASS
public static final String DFS_DATA_TRANSFER_PROTECTION
public static final String ETC_KRB5_CONF
public static final String ETC_NTP
public static final String HADOOP_JAAS_DEBUG
public static final String CAT_CONFIG
public static final String CAT_JAAS
public static final String CAT_JVM
public static final String CAT_KERBEROS
public static final String CAT_LOGIN
public static final String CAT_OS
public static final String CAT_SASL
public static final String CAT_UGI
public static final String ARG_KEYLEN
public static final String ARG_KEYTAB
public static final String ARG_JAAS
public static final String ARG_NOFAIL
public static final String ARG_NOLOGIN
public static final String ARG_OUTPUT
public static final String ARG_PRINCIPAL
public static final String ARG_RESOURCE
public static final String ARG_SECURE
public static final String ARG_VERIFYSHORTNAME
public KDiag(Configuration conf, PrintWriter out, File keytab, String principal, long minKeyLength, boolean securityRequired)
public KDiag()
public void close() throws IOException
close
in interface Closeable
close
in interface AutoCloseable
IOException
public int run(String[] argv) throws Exception
Tool
public boolean execute() throws Exception
Things it would be nice if UGI made accessible
KDiag.KerberosDiagsFailure
- explicitly raised failureException
- other security problemsprotected boolean isSimpleAuthentication(Configuration conf)
conf
- configuration to checkprotected void validateKeyLength() throws NoSuchAlgorithmException
NoSuchAlgorithmException
protected void validateShortName()
Having a local user name "bar@foo.com" may be harmless, so it is noted at info. However if what was intended is a transformation to "bar" it can be difficult to debug, hence this check.
protected void printDefaultRealm()
Not having a default realm may be harmless, so is noted at info. All other invocation failures are downgraded to warn, as follow-on actions may still work. Failure to invoke the method via introspection is considered a failure, as it's a sign of JVM compatibility issues that may have other consequences
public void dumpTokens(UserGroupInformation ugi)
ugi
- UGI to examinepublic static int exec(Configuration conf, String... argv) throws Exception
conf
- configurationargv
- argument listException
public static void main(String[] argv)
argv
- args listCopyright © 2017 Apache Software Foundation. All Rights Reserved.