hadoop-common-issues mailing list archives

From "Steve Loughran (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12426) Add Entry point for Kerberos health check
Date Tue, 19 Jan 2016 04:58:40 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12426?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15106241#comment-15106241 ]

Steve Loughran commented on HADOOP-12426:
-----------------------------------------

Thanks for the comments.

# You should know that I'm stabilising some Jenkins test-run failures on the slider branch:
that test run is failing if there's no default realm, i.e. you are testing on a machine that
isn't set up for Kerberos.
# ...I see what you mean about keytab contents, and that I can get at them. A timestamp would
be good.

> A try-the-best model might be desired

I see that... it's already handling the situation where security is off in core-site.xml but
has been set on the command line; checking principals and keytabs is something you can do
without worrying about cluster security.

Maybe the {{failif()}} method could be made something that a {{--nofail}} option would downgrade
to an error log; have it return a boolean so that those follow-on operations which depend on the
condition could be skipped.

{code}
// only attempt the login if the keytab check passed (or was downgraded by --nofail)
if (failif(!keytab.exists(), CAT_CONF, "no keytab %s", keytab)) {
  loginFromKeytab();
}
{code}

Of course, I'd have to invert the condition, to something like "require(...)".

Regarding dumping, there's a --out option which can save it to a file. But as half the log
info goes to stderr (all the sun.java stuff), you do need to capture both streams, ideally
interleaved. And while I could briefly cache the System.out and System.err streams & replace
them with something to catch the output, loggers really hate that.

As for startup, I think services would need to do the login stuff themselves. You start trying
to log in once and not only does UGI lock down, so do bits of the JVM internal state (that
is, {{UGI.reset()}} doesn't completely reset things). So I don't think I'd want to have it
all there.

What could be possible? 

* keylength
* keytab existing
* dump a keytab
* look for principal in a keytab
* All the relevant env vars and properties could be logged 

> Add Entry point for Kerberos health check
> -----------------------------------------
>
>                 Key: HADOOP-12426
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12426
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 2.7.1
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>            Priority: Minor
>         Attachments: HADOOP-12426-001.patch, HADOOP-12426-002.patch, HADOOP-12426-003.patch, HADOOP-12426-004.patch
>
>
> If we had a little command line entry point for testing Kerberos settings, including some
> automated diagnostics checks, we could simplify fielding the client-side support calls.
> Specifically
> * check JRE for having java crypto extensions at full key length.
> * network checks: do you know your own name?
> * Is the user kinited in?
> * if a tgt is specified, does it exist?
> * are hadoop security options consistent?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
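The {{require()}}-with-{{--nofail}} pattern discussed in the comment above, as an added illustration that is not code from the HADOOP-12426 patches; the class name, the {{CAT_CONF}} label and the keytab path are assumed for the example, and the check only reports the keytab's timestamp, never its key material.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;

/** Added example (not Hadoop code): a require() check that --nofail downgrades to an error log. */
public class KerberosChecks {
    static final String CAT_CONF = "CONF";          // category label, name assumed from the thread

    private final boolean noFail;                   // set by a hypothetical --nofail option
    private final List<String> problems = new ArrayList<>();

    KerberosChecks(boolean noFail) { this.noFail = noFail; }

    /**
     * Throw unless the condition holds. With --nofail the problem is logged and
     * false is returned instead, so the caller can skip steps that depend on it.
     */
    boolean require(boolean condition, String category, String fmt, Object... args) {
        if (condition) {
            return true;
        }
        String msg = category + ": " + String.format(fmt, args);
        problems.add(msg);
        if (noFail) {
            System.err.println("ERROR " + msg);
            return false;
        }
        throw new IllegalStateException(msg);
    }

    List<String> problems() { return problems; }

    /** Keytab checks; returns false (and skips the dependent step) when the keytab is missing. */
    boolean checkKeytab(File keytab) {
        if (!require(keytab.isFile(), CAT_CONF, "no keytab %s", keytab)) {
            return false;                           // login from the keytab would be skipped here
        }
        // Timestamp only, as suggested in the thread; the keytab contents are never printed.
        System.out.println("keytab " + keytab + " last modified " + keytab.lastModified());
        require(keytab.canRead(), CAT_CONF, "keytab %s is not readable", keytab);
        return problems.isEmpty();
    }

    public static void main(String[] args) {
        boolean noFail = args.length > 0 && "--nofail".equals(args[0]);
        File keytab = new File(args.length > 1 ? args[1] : "/etc/security/keytabs/example.keytab");
        KerberosChecks checks = new KerberosChecks(noFail);
        boolean ok = checks.checkKeytab(keytab);
        System.out.println(ok ? "keytab checks passed" : "problems: " + checks.problems());
    }
}
```

Run it without {{--nofail}} and a missing keytab raises immediately; with {{--nofail}} the same condition is logged and the login-dependent step is skipped.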
