hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Steve Loughran (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-12426) Add Entry point for Kerberos health check
Date Mon, 21 Sep 2015 18:23:04 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-12426?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14901132#comment-14901132
] 

Steve Loughran commented on HADOOP-12426:
-----------------------------------------

I'm just looking for some entry point that can be run in bin/hadoop to check keytab health
before you get odd errors; something vaguely useful for end users, and at least for people
fielding support calls.

{code}
bin/hadoop kerberos-check --keytab ~/keys --principal stevel@LOCAL
{code}

this could trigger
# verify keytab is there, readable, contains the named principal
# can actually generate keys the right length with JCE
# KDC is resolvable
# KDC exists (outages may be transient, but stil...)

and there'd be some different negative exit codes for failures.

I don't have the time to do this right now, I just think it'd be good for preflight checking.
If the class to run the tests was also made usable from as a library, I think checking JCE
key length and principal would be useful too -especially if it could generate some more useful
message than those we see today.


> Add Entry point for Kerberos health check
> -----------------------------------------
>
>                 Key: HADOOP-12426
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12426
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>    Affects Versions: 3.0.0
>            Reporter: Steve Loughran
>            Priority: Minor
>
> If we a little command line entry point for testing kerberos settings, including some
automated diagnostics checks, we could simplify fielding the client-side support calls.
> Specifically
> * check JRE for having java crypto extensions at full key length.
> * network checks: do you know your own name?
> * Is the user kinited in?
> * if a tgt is specified, does it exist?
> * are hadoop security options consistent?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message