[ https://issues.apache.org/jira/browse/SLIDER-1035?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15089218#comment-15089218 ]

Steve Loughran commented on SLIDER-1035:
----------------------------------------

What it looks like now, kinited in
{code}
$ slider kdiag
2016-01-08 13:43:17,903 [main] DEBUG utility.LaunchedWorkflowCompositeService (bindArgs(80)) - Binding 1 Arguments:
2016-01-08 13:43:17,905 [main] DEBUG utility.LaunchedWorkflowCompositeService (bindArgs(86)) - "kdiag"
2016-01-08 13:43:18,034 [main] DEBUG params.CommonArgs (validate(241)) - action=kdiag
2016-01-08 13:43:18,339 [main] DEBUG tools.ConfigHelper (loadFromResource(515)) - loaded resources from file:/Users/stevel/Projects/Hortonworks/Projects/clusterconfigs/clusters/devix/slider/slider-client.xml


== Kerberos Diagnostics scan at Fri Jan 08 13:43:18 GMT 2016 ==

Maximum AES encryption key length 2147483647


== System Properties ==

java.security.krb5.conf = "(unset)"
java.security.krb5.realm = "(unset)"
sun.security.krb5.debug = "(unset)"
sun.security.spnego.debug = "(unset)"


== Environment Variables ==

HADOOP_JAAS_DEBUG = "true"
KRB5CCNAME = "(unset)"
HADOOP_USER_NAME = "(unset)"
HADOOP_PROXY_USER = "(unset)"
HADOOP_TOKEN_FILE_LOCATION = "(unset)"
hadoop.kerberos.kinit.command = "kinit"
hadoop.security.authentication = "kerberos"
hadoop.security.authorization = "true"
hadoop.kerberos.min.seconds.before.relogin = "(unset)"
hadoop.security.dns.interface = "(unset)"
hadoop.security.dns.nameserver = "(unset)"
hadoop.rpc.protection = "authentication"
hadoop.security.saslproperties.resolver.class = "(unset)"
hadoop.security.crypto.codec.classes = "(unset)"
hadoop.security.group.mapping = "org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback"
hadoop.security.impersonation.provider.class = "(unset)"
dfs.data.transfer.protection = "(unset)"
hadoop.kerberos.kinit.command = kinit
Executable kinit is relative -must be on the PATH


== Resolving SASL property hadoop.security.saslproperties.resolver.class ==

Resolver is class org.apache.hadoop.security.SaslPropertiesResolver


== Resolving SASL property dfs.data.transfer.saslproperties.resolver.class ==

Resolver is class org.apache.hadoop.security.SaslPropertiesResolver


== Logging in ==

Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config
2016-01-08 13:43:18,634 [main] DEBUG security.Groups (getUserToGroupsMappingService(301)) -  Creating new Groups object
2016-01-08 13:43:18,637 [main] DEBUG security.JniBasedUnixGroupsMappingWithFallback (<init>(45)) - Group mapping impl=org.apache.hadoop.security.ShellBasedUnixGroupsMapping
2016-01-08 13:43:18,752 [main] DEBUG security.Groups (<init>(112)) - Group mapping impl=org.apache.hadoop.security.JniBasedUnixGroupsMappingWithFallback; cacheTimeout=300000; warningDeltaMs=5000
                [UnixLoginModule]: succeeded importing info: 
                        uid = 503
                        gid = 20
                        supp gid = 20
                        supp gid = 501
                        supp gid = 12
                        supp gid = 61
                        supp gid = 79
                        supp gid = 80
                        supp gid = 81
                        supp gid = 98
                        supp gid = 399
                        supp gid = 33
                        supp gid = 100
                        supp gid = 204
                        supp gid = 395
                        supp gid = 398
Debug is  true storeKey false useTicketCache true useKeyTab false doNotPrompt true ticketCache is null isInitiator true KeyTab is null refreshKrb5Config is false principal is null tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
>>>KinitOptions cache name is /Users/stevel/krb5cc_stevel
>> Acquire default native Credentials
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
>>> Obtained TGT from LSA: Credentials:
client=stevel@COTHAM
server=krbtgt/COTHAM@COTHAM
authTime=20160108125614Z
startTime=20160108125614Z
endTime=20160109125612Z
renewTill=20160108125614Z
flags: FORWARDABLE;RENEWABLE;INITIAL
EType (int): 18
Principal is stevel@COTHAM
2016-01-08 13:43:18,780 [main] DEBUG security.UserGroupInformation (login(221)) - hadoop login
                [UnixLoginModule]: added UnixPrincipal,
                                UnixNumericUserPrincipal,
                                UnixNumericGroupPrincipal(s),
                         to Subject
Commit Succeeded 

2016-01-08 13:43:18,783 [main] DEBUG security.UserGroupInformation (commit(156)) - hadoop login commit
2016-01-08 13:43:18,784 [main] DEBUG security.UserGroupInformation (commit(170)) - using kerberos user:stevel@COTHAM
2016-01-08 13:43:18,784 [main] DEBUG security.UserGroupInformation (commit(192)) - Using user: "stevel@COTHAM" with name stevel@COTHAM
2016-01-08 13:43:18,785 [main] DEBUG security.UserGroupInformation (commit(202)) - User entry: "stevel@COTHAM"


== Log in user ==

2016-01-08 13:43:18,786 [main] DEBUG security.UserGroupInformation (loginUserFromSubject(826)) - UGI loginUser:stevel@COTHAM (auth:KERBEROS)
UGI=stevel@COTHAM (auth:KERBEROS)
Has kerberos credentials: true
Authentication method: KERBEROS
2016-01-08 13:43:18,795 [TGT Renewer for stevel@COTHAM] DEBUG security.UserGroupInformation (getTGT(857)) - Found tgt Ticket (hex) = 
Real Authentication method: KERBEROS


== Group names ==

staff

access_bpf
everyone
Client Principal = stevel@COTHAM
localaccounts
Server Principal = krbtgt/COTHAM@COTHAM
_appserverusr
admin
_appserveradm
_lpadmin
Session Key = EncryptionKey: keyType=18 keyBytes (hex dump)=
com.apple.access_ssh
_appstore
_lpoperator
_developer
0000: 93 67 38 D6 E2 27 80 01   94 9B 45 B8 59 E4 CB 52  .g8..'....E.Y..R
com.apple.access_ftp
com.apple.access_screensharing


== Credentials ==
0010: E1 42 1D C3 19 6A A4 CB   E8 51 E5 EA 4C DB BB 86  .B...j...Q..L...





== Secret keys ==
Forwardable Ticket true

(none)


Forwarded Ticket false
== Token Count: 0 ==

Proxiable Ticket false
Proxy Ticket false
Ticket based login: true
Keytab based login: false


Postdated Ticket false
== Locating Kerberos configuration file ==

Renewable Ticket true
Initial Ticket true
Kerberos configuration file = /etc/krb5.conf
Auth Time = Fri Jan 08 12:56:14 GMT 2016
[libdefaults]

  default_realm = COTHAM
  renew_lifetime = 7d
Start Time = Fri Jan 08 12:56:14 GMT 2016
  forwardable = true

End Time = Sat Jan 09 12:56:12 GMT 2016
  ticket_lifetime = 24h
  dns_lookup_realm = false
Renew Till = Fri Jan 08 12:56:14 GMT 2016
  dns_lookup_kdc = false

Client Addresses  Null 
[realms]

 COTHAM = {
   kdc = devix
   admin_server = devix
 }

  EXAMPLE.COM = {
2016-01-08 13:43:18,795 [TGT Renewer for stevel@COTHAM] DEBUG security.UserGroupInformation (run(892)) - Current time is 1452260598795
    admin_server = stevel-spark-3.openstacklocal
    kdc = stevel-spark-3.openstacklocal
  }


No keytab: logging is as current user
2016-01-08 13:43:18,795 [TGT Renewer for stevel@COTHAM] DEBUG security.UserGroupInformation (run(893)) - Next refresh is 1452326892400
{code}

> Kdiag enhancements
> ------------------
>
>                 Key: SLIDER-1035
>                 URL: https://issues.apache.org/jira/browse/SLIDER-1035
>             Project: Slider
>          Issue Type: Improvement
>          Components: client, security
>    Affects Versions: Slider 0.90.2
>         Environment: Kerberos
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>             Fix For: Slider 0.91
>
>
> Proposed enhancements
> # make easier to run server-side. the sysprops to enable com.sun debugging 
> should be cached and then restored —and only set if a -verbose flag is set.
> # check for Java Crypto Extensions having full key length; fail fast if not
> # list tokens
> # add option to check networking (hostname resolves)
> # look up KDCs and fail if none are reachable
> # maybe each {{title()}} call should force flush stderr, to try and keep JDK 
> output in sync with stdout.
> # am to have option to display this and also fail fast
> # implement `--services` probes for : yarn, hdfs, registry, timeline. This 
> can't go into any hadoop-common lib, a list of probes classes can be provided 
> to execute as the provided UGI.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)