org.apache.hadoop.security

Class KDiag

java.lang.Object

org.apache.hadoop.conf.Configured

org.apache.hadoop.security.KDiag

All Implemented Interfaces:

Closeable, AutoCloseable, Configurable, Tool

public class KDiag
extends Configured
implements Tool, Closeable

Kerberos diagnostics This operation expands some of the diagnostic output of the security code, but not all. For completeness Set the environment variable HADOOP_JAAS_DEBUG=true Set the log level for org.apache.hadoop.security=DEBUG

Nested Class Summary

Nested Classes

Modifier and Type	Class and Description
static class	KDiag.KerberosDiagsFailure Diagnostics failures return the exit code 41, "unauthorized".

Field Summary

Fields

Modifier and Type	Field and Description
static String	ARG_JAAS
static String	ARG_KEYLEN
static String	ARG_KEYTAB
static String	ARG_NOFAIL
static String	ARG_NOLOGIN
static String	ARG_OUTPUT
static String	ARG_PRINCIPAL
static String	ARG_RESOURCE
static String	ARG_SECURE
static String	ARG_VERIFYSHORTNAME
static String	CAT_CONFIG
static String	CAT_JAAS
static String	CAT_JVM
static String	CAT_KERBEROS
static String	CAT_LOGIN
static String	CAT_OS
static String	CAT_SASL
static String	CAT_TOKEN
static String	CAT_UGI
static String	DFS_DATA_TRANSFER_PROTECTION
static String	DFS_DATA_TRANSFER_SASLPROPERTIES_RESOLVER_CLASS
static String	ETC_KRB5_CONF
static String	ETC_NTP
static String	HADOOP_AUTHENTICATION_IS_DISABLED
static String	HADOOP_JAAS_DEBUG
static String	JAVA_SECURITY_KRB5_CONF
static String	JAVA_SECURITY_KRB5_KDC_ADDRESS
static String	JAVA_SECURITY_KRB5_REALM
static int	KDIAG_FAILURE The exit code for a failure of the diagnostics: 41 == HTTP 401 == unauth.
static String	KERBEROS_KINIT_COMMAND
static String	KRB5_CCNAME Location of the kerberos ticket cache as passed down via an environment variable.
static String	NO_DEFAULT_REALM String seen in getDefaultRealm() exceptions if the user has no realm: "Cannot locate default realm".
static String	SUN_SECURITY_JAAS_FILE
static String	SUN_SECURITY_KRB5_DEBUG
static String	SUN_SECURITY_SPNEGO_DEBUG
static String	UNSET

Constructor Summary

Constructors

Constructor and Description
KDiag()
KDiag(Configuration conf, PrintWriter out, File keytab, String principal, long minKeyLength, boolean securityRequired)

Method Summary

Methods

Modifier and Type	Method and Description
void	close()
void	dumpTokens(UserGroupInformation ugi) Dump all tokens of a UGI.
static int	exec(Configuration conf, String... argv) Inner entry point, with no logging or system exits.
boolean	execute() Execute diagnostics.
protected boolean	isSimpleAuthentication(Configuration conf) Is the authentication method of this configuration "simple"?
static void	main(String[] argv) Main entry point.
protected void	printDefaultRealm() Get the default realm.
int	run(String[] argv) Execute the command with the given arguments.
protected void	validateKeyLength() Fail fast on a JVM without JCE installed.
protected void	validateShortName() Verify whether auth_to_local rules transform a principal name

Methods inherited from class org.apache.hadoop.conf.Configured

getConf, setConf

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.hadoop.conf.Configurable

getConf, setConf

Field Detail

KRB5_CCNAME

public static final String KRB5_CCNAME

Location of the kerberos ticket cache as passed down via an environment variable. This is what kinit will use by default: "KRB5CCNAME"

See Also:

Constant Field Values

JAVA_SECURITY_KRB5_CONF

public static final String JAVA_SECURITY_KRB5_CONF

See Also:

Constant Field Values

JAVA_SECURITY_KRB5_REALM

public static final String JAVA_SECURITY_KRB5_REALM

See Also:

Constant Field Values

JAVA_SECURITY_KRB5_KDC_ADDRESS

public static final String JAVA_SECURITY_KRB5_KDC_ADDRESS

See Also:

Constant Field Values

SUN_SECURITY_KRB5_DEBUG

public static final String SUN_SECURITY_KRB5_DEBUG

See Also:

Constant Field Values

SUN_SECURITY_SPNEGO_DEBUG

public static final String SUN_SECURITY_SPNEGO_DEBUG

See Also:

Constant Field Values

SUN_SECURITY_JAAS_FILE

public static final String SUN_SECURITY_JAAS_FILE

See Also:

Constant Field Values

KERBEROS_KINIT_COMMAND

public static final String KERBEROS_KINIT_COMMAND

See Also:

Constant Field Values

HADOOP_AUTHENTICATION_IS_DISABLED

public static final String HADOOP_AUTHENTICATION_IS_DISABLED

See Also:

Constant Field Values

UNSET

public static final String UNSET

See Also:

Constant Field Values

NO_DEFAULT_REALM

public static final String NO_DEFAULT_REALM

String seen in getDefaultRealm() exceptions if the user has no realm: "Cannot locate default realm".

See Also:

Constant Field Values

KDIAG_FAILURE

public static final int KDIAG_FAILURE

The exit code for a failure of the diagnostics: 41 == HTTP 401 == unauth.

See Also:

Constant Field Values

DFS_DATA_TRANSFER_SASLPROPERTIES_RESOLVER_CLASS

public static final String DFS_DATA_TRANSFER_SASLPROPERTIES_RESOLVER_CLASS

See Also:

Constant Field Values

DFS_DATA_TRANSFER_PROTECTION

public static final String DFS_DATA_TRANSFER_PROTECTION

See Also:

Constant Field Values

ETC_KRB5_CONF

public static final String ETC_KRB5_CONF

See Also:

Constant Field Values

ETC_NTP

public static final String ETC_NTP

See Also:

Constant Field Values

HADOOP_JAAS_DEBUG

public static final String HADOOP_JAAS_DEBUG

See Also:

Constant Field Values

CAT_CONFIG

public static final String CAT_CONFIG

See Also:

Constant Field Values

CAT_JAAS

public static final String CAT_JAAS

See Also:

Constant Field Values

CAT_JVM

public static final String CAT_JVM

See Also:

Constant Field Values

CAT_KERBEROS

public static final String CAT_KERBEROS

See Also:

Constant Field Values

CAT_LOGIN

public static final String CAT_LOGIN

See Also:

Constant Field Values

CAT_OS

public static final String CAT_OS

See Also:

Constant Field Values

CAT_SASL

public static final String CAT_SASL

See Also:

Constant Field Values

CAT_UGI

public static final String CAT_UGI

See Also:

Constant Field Values

CAT_TOKEN

public static final String CAT_TOKEN

See Also:

Constant Field Values

ARG_KEYLEN

public static final String ARG_KEYLEN

See Also:

Constant Field Values

ARG_KEYTAB

public static final String ARG_KEYTAB

See Also:

Constant Field Values

ARG_JAAS

public static final String ARG_JAAS

See Also:

Constant Field Values

ARG_NOFAIL

public static final String ARG_NOFAIL

See Also:

Constant Field Values

ARG_NOLOGIN

public static final String ARG_NOLOGIN

See Also:

Constant Field Values

ARG_OUTPUT

public static final String ARG_OUTPUT

See Also:

Constant Field Values

ARG_PRINCIPAL

public static final String ARG_PRINCIPAL

See Also:

Constant Field Values

ARG_RESOURCE

public static final String ARG_RESOURCE

See Also:

Constant Field Values

ARG_SECURE

public static final String ARG_SECURE

See Also:

Constant Field Values

ARG_VERIFYSHORTNAME

public static final String ARG_VERIFYSHORTNAME

See Also:

Constant Field Values

Constructor Detail

KDiag

public KDiag(Configuration conf,
     PrintWriter out,
     File keytab,
     String principal,
     long minKeyLength,
     boolean securityRequired)

KDiag

public KDiag()

Method Detail

close

public void close()
           throws IOException

Specified by:

close in interface Closeable

Specified by:

close in interface AutoCloseable

Throws:

IOException

run

public int run(String[] argv)
        throws Exception

Description copied from interface: Tool

Execute the command with the given arguments.

Specified by:

run in interface Tool

Parameters:

argv - command specific arguments.

Returns:

exit code.

Throws:

Exception

execute

public boolean execute()
                throws Exception

Execute diagnostics.

Things it would be nice if UGI made accessible

1. A way to enable JAAS debug programatically
2. Access to the TGT

Returns:

true if security was enabled and all probes were successful

Throws:

KDiag.KerberosDiagsFailure - explicitly raised failure

Exception - other security problems

isSimpleAuthentication

protected boolean isSimpleAuthentication(Configuration conf)

Is the authentication method of this configuration "simple"?

Parameters:

conf - configuration to check

Returns:

true if auth is simple (i.e. not kerberos)

validateKeyLength

protected void validateKeyLength()
                          throws NoSuchAlgorithmException

Fail fast on a JVM without JCE installed. This is a recurrent problem (that is: it keeps creeping back with JVM updates); a fast failure is the best tactic.

Throws:

NoSuchAlgorithmException

validateShortName

protected void validateShortName()

Verify whether auth_to_local rules transform a principal name

Having a local user name "bar@foo.com" may be harmless, so it is noted at info. However if what was intended is a transformation to "bar" it can be difficult to debug, hence this check.

printDefaultRealm

protected void printDefaultRealm()

Get the default realm.

Not having a default realm may be harmless, so is noted at info. All other invocation failures are downgraded to warn, as follow-on actions may still work. Failure to invoke the method via introspection is considered a failure, as it's a sign of JVM compatibility issues that may have other consequences

dumpTokens

public void dumpTokens(UserGroupInformation ugi)

Dump all tokens of a UGI.

Parameters:

ugi - UGI to examine

exec

public static int exec(Configuration conf,
       String... argv)
                throws Exception

Inner entry point, with no logging or system exits.

Parameters:

conf - configuration

argv - argument list

Returns:

an exception

Throws:

Exception

main

public static void main(String[] argv)

Main entry point.

Parameters:

argv - args list