HDDS-3128. Add ozone debug commands for Kerberos

[navinko]

What changes were proposed in this pull request?

HDDS-3128. Add support for kdiag and kerbname commands to ozone script

• This PR introduces two new subcommands under ozone debug kerberos to assist with Kerberos related troubleshooting in secure Ozone clusters.
• Added changes for verifying how Kerberos principals map to local Unix users and collecting kerberos diagnostic which is useful when debugging and troubleshooting in secure clusters.
• Implemented two subcommand 'daignose' and 'translate-principal' under ozone debug kerberos and multiple probe ,each one doing special job of getting configs and doing validation.
• Once the 'daignose' subcommand executed successfully it will present diagnostic summary with 'PASS', 'WARN' & 'FAIL'
• translate-principal will show the local user mapped with principal for auth_to_local rules.
• Injected fault and validated o/ps
  • FAULT-1: Invalid KRB5_CONFIG
  • FAULT-2: Revoked execute permission
  • FAULT-3: krb5.conf with empty contents
  • FAULT-4: Updated /etc with permission

1: ozone debug kerberos translate-principal .. one or many .
This command translates Kerberos principals to local user names using the configured hadoop.security.auth_to_local rules.
Features:

Displays the active auth_to_local rule
Supports multiple principals in a single invocation
Provides clear error messages for malformed principals
Helps diagnose identity mapping issues

2: ozone debug kerberos diagnose
This command provides Kerberos diagnostics for Ozone clusters similar to hadoop kdiag.
Features:

It validates and shows below diagnostics.
Host Information
Environment Variables
JVM Kerberos Properties
Kerberos Configuration
Kerberos kinit Command
Kerberos Ticket presence
Principal Mapping
Keytab Validation
Security Configuration
Authorization Configuration
HTTP Kerberos Authentication
== Diagnostic Summary ==
PASS : pass count
WARN : warn count
FAIL : failure count

• Fixed spotbugs + PMD issues and removed leftover configs.

What is the link to the Apache JIRA

https://issues.apache.org/jira/browse/HDDS-3128

How was this patch tested?

• Added test class (TestOzoneDebugKerberos)- for ozone debug kerberos translate-principal and ozone debug kerberos diagnose , validated all probe execution with success and failure cases.
• Tested both the functionality locally in (secure +insecure) cluster
• Attached diagnostic and o/p captured in- [ozone-debug-kerberos-features]
• Latest CI build - https://github.com/navinko/ozone/actions/runs/24403928422

[adoroszlai]

Thanks @navinko for working on this. I think we should add these new commands under ozone debug, not at the top-level. Also, please implement as a picocli @Command. See VersionDebug as an example. KDiag would need to be copied to Ozone and adapted.

[navinko]

I think we should add these new commands under ozone debug, not at the top-level. Also, please implement as a picocli @Command. See VersionDebug as an example. KDiag would need to be copied to Ozone and adapted.

Hi @adoroszlai Thank you for reviewing . I have one doubt

KDiag would need to be copied to Ozone and adapted.
Does it mean keeping the wrapper and reuse Hadoop KDiag and append Ozone diagnostics or copy the KDiag implementation into Ozone and extend it further ?

[adoroszlai]

KDiag would need to be copied to Ozone and adapted.

Does it mean keeping the wrapper and reuse Hadoop KDiag and append Ozone diagnostics or copy the KDiag implementation into Ozone and extend it further ?

The latter (copy to Ozone, change to use picocli instead of its own argument parsing, replace Hadoop-specific variables/properties with Ozone-specific ones, etc.).

[navinko]

KDiag would need to be copied to Ozone and adapted.

Does it mean keeping the wrapper and reuse Hadoop KDiag and append Ozone diagnostics or copy the KDiag implementation into Ozone and extend it further ?

The latter (copy to Ozone, change to use picocli instead of its own argument parsing, replace Hadoop-specific variables/properties with Ozone-specific ones, etc.).

Thank you , I will update the PR shortly.

[navinko]

Hi @adoroszlai
The review suggestions incorporated. Kindly review the PR once you get some time.

[adoroszlai]

Thanks @navinko for updating the patch. I'll need some time for the review.

[adoroszlai]

Thanks @navinko for updating the patch, and sorry for the delay in review.

In addition to inline comments, I have the following suggestions:

• create a grouping subcommand ozone debug kerberos (class: KerberosSubcommands)
• move the two new subcommands under ozone debug kerberos as
  • kerbname => ozone debug kerberos translate-principal
  • kdiag => ozone debug kerberos diagnose
• move all classes to a single package org.apache.hadoop.ozone.debug.kerberos (no need for separate authtolocal and kdiag packages)

[adoroszlai]

Please use constants from HddsConfigKeys, OzoneConfigKeys etc. where available.

[navinko]

there were few fields not available and i tried avoiding cyclic dependency , used as it is string .

[adoroszlai]

Please reuse code across various probes. The same logic also appears in HttpAuthProbe, OzonePrincipalProbe and SecurityConfigProbe. Maybe a parent class ConfigProbe?

[navinko]

Thanks @adoroszlai tried incorporation suggestions.

[adoroszlai]

I think test() would be a better name.

[navinko]

updated

[adoroszlai]

I think warnings and errors should be printed to System.err.

[navinko]

used error stream , was using out only ealier .

[adoroszlai]

Let KerbNameDebug extends AbstractSubcommand, then configuration can be obtained via getOzoneConf(). It allows setting specific properties, as well as alternative config files.

The same applies to OzoneKDiag.

[navinko]

Thanks @adoroszlai tried incorporation suggestions.

[adoroszlai]

All DiagnosticProbe implementations have name() that could be automatically printed instead of duplicating the title in run().

[navinko]

renamed to test.

[adoroszlai]

We may want to set non-zero exit code if there are any failures. I think it can be done by using Callable<Integer> instead of Callable<Void>.

[navinko]

Thanks @adoroszlai tried incorporation suggestions.

[adoroszlai]

I tried introducing problems, e.g. by making kinit non-executable, removing permissions from /etc/krb5.conf, etc. The probes returned false, which resulted only in warnings. But the system is non-functional with this setup. Shouldn't it give errors instead of warnings?

-- Kerberos kinit Command --
Executable kinit must be available on PATH
PATH = /opt/hadoop/libexec:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/jdk-21.0.2/bin:/opt/hadoop/bin
kinit not found on PATH
[WARN] Kerberos kinit Command

-- Kerberos Ticket --
ERROR checking kerberos credentials: Can't get Kerberos realm
[WARN] Kerberos Ticket

[navinko]

fixed .

[adoroszlai]

Thanks @navinko for updating the patch.

[adoroszlai]

Please remove leftover references to DebugSubcommand (now translate-principal is under KerberosSubcommand).

[navinko]

I am really sorry ,my bad:)
I am still working on the pr din't realised it is not draft anymore.

Will update the PR shortly.

[navinko]

Thanks @navinko for updating the patch, and sorry for the delay in review.

In addition to inline comments, I have the following suggestions:

• create a grouping subcommand ozone debug kerberos (class: KerberosSubcommands)

• move the two new subcommands under ozone debug kerberos as

  • kerbname => ozone debug kerberos translate-principal
  • kdiag => ozone debug kerberos diagnose

• move all classes to a single package org.apache.hadoop.ozone.debug.kerberos (no need for separate authtolocal and kdiag packages)

Thanks @adoroszlai tried incorporation suggestions.

[navinko]

Hi @adoroszlai thank you for reviewing and suggestions .
The changes has been updated and tried incorporating . Please do review once you get some time.

[adoroszlai]

Thanks a lot @navinko for updating the patch, LGTM. Let's give others some time to take a look.

patch updated

[adoroszlai]

@Gargi-jais11 would you like to take a look?

[Gargi-jais11]

@Gargi-jais11 would you like to take a look?

Sure @adoroszlai will take a look into this.

[Gargi-jais11]

Thanks @navinko for working on the patch. This will really be helpful change.
Please find inline comments.

[Gargi-jais11]

A BufferedWriter is created that wraps the ByteArrayOutputStream buffer. writer is created and closed in finally — that's it. The stream that actually captures probe output is PrintStream ps. Only ps is ever used.
BufferWriter is a dead code and can be remove Line 67-68 and Line 89.

[navinko]

My bad , din't realise while fixing spotbugs issues. Fixed now.

[Gargi-jais11]

This subcommand impliments Callable<Void> and always returns null (exit code 0), even when a principal fails t o translates.
It should be Callable<Integer> and return a non-zero code if any principal translation fails — consistent with how DiagnoseSubcommand which returns 1 on failures.

[navinko]

Thanks @Gargi-jais11 I just fixed it. I initially thought to keep it simpler since we are not doing many things here but keeping it consistent with diagnose design overall will be great .

[Gargi-jais11]

Right now FAIL is infferred with output.contains("ERROR:") while WARN/PASS use probe.test()’s boolean return. Those two signals can disagree (e.g. a probe prints ERROR: but still returns success, or the opposite).
It is better to have one source of truth and drop the string scan.

Right Approach would be:
step1: create them as an enum

public enum ProbeResult {
  PASS,   // probe ran cleanly, everything looks healthy
  WARN,   // probe ran, something is misconfigured but not broken
  FAIL    // probe detected a critical problem
}

Step2: Update the DiagnosticProbe interface to:

  ProbeResult test(OzoneConfiguration conf) throws Exception;  // was: boolean

step3: then you can Update DiagnoseSubcommand — remove the string scan entirely and use the Enum created
step4: Update probes to return ProbeResult explicitly
Here are examples of all three cases:

Purely informational probe (was always return true) — EnvironmentProbe
WARN probe (suboptimal but not broken) — AuthorizationProbe
FAIL probe (critical, system broken) — KerberosConfigProbe
A probe with both WARN and FAIL paths — KerberosTicketProbe

[navinko]

Used enum and updated the code.

[Gargi-jais11]

Please use constant here: HADOOP_SECURITY_AUTHENTICATION

[navinko]

fixed

[Gargi-jais11]

Nit: Duplicate this can be removed.

[navinko]

Removed.

[Gargi-jais11]

I think you need to update the comment as java.security.krb5.conf is for jvm kerberos probe to fail and accordingly assertion should check for -- JVM Kerberos Properties -- not Kerberos configuration.
DiagnoseSubcommand prints a banner for every probe:
So "-- Kerberos Configuration --" is always printed when that probe runs, whether it PASS, WARN, or FAIL.
Asserting that string only proves “this section appeared,” not that KerberosConfigProbe was the thing that failed.
So: the test works for “something Kerberos-related failed,” but the intent and assertions don’t match what really broke.

[navinko]

Updated the comment , although the failure case i was testing for KerberosConfigProbe ,thats is why i was checking "-- Kerberos Configuration --
Now updated it to -- JVM Kerberos Properties --

[Gargi-jais11]

That's fine you could have also done it either way.

[Gargi-jais11]

We should also add "ozone.authorization.enabled" in the authorisation probe,since this acts as a master switch to enable/disable authorization checks in Ozone(admin privilege checks and ACL checks).

Suggested change

	print(conf, OzoneConfigKeys.OZONE_ACL_ENABLED);
	print(conf, OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED);
	print(conf, OzoneConfigKeys.OZONE_ACL_ENABLED);

[navinko]

thanks it make sense , added.

[navinko]

Thanks @Gargi-jais11 for the review, tried addressing review suggestions.
Once you get sometime please review .

[Gargi-jais11]

Thanks @navinko for updating the patch. Just few more minor comments.

[Gargi-jais11]

Instead of hardcoding please use the constants for key and value:

"Ozone security is disabled (" + OZONE_SECURITY_ENABLED_KEY + "=" +  OZONE_SECURITY_ENABLED_KEY_DEFAULT + ". Authorization checks are not enforced in non-secure mode."

[Gargi-jais11]

Similarly use the constants for ozone.authorization.enabled and its default value.

[navinko]

Thanks @Gargi-jais11
Updated the changes .

[Gargi-jais11]

Thanks @navinko for updating the patch. LGTM!
Please document this tool as well. Is there any tracking jira for documenting this new tool added?

[navinko]

Thanks @navinko for updating the patch. LGTM! Please document this tool as well. Is there any tracking jira for documenting this new tool added?

Thanks @Gargi-jais11
I have created https://issues.apache.org/jira/browse/HDDS-14991

[adoroszlai]

Can use CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTH_TO_LOCAL.

[navinko]

changed.

[adoroszlai]

Just noticed that this is a duplicate of:

ozone/hadoop-hdds/server-scm/src/main/java/org/apache/hadoop/hdds/scm/server/SCMHTTPServerConfig.java

Lines 79 to 80 in 3daabc8

	public static final String HDDS_SCM_HTTP_AUTH_TYPE =
	HDDS_SCM_HTTP_AUTH_CONFIG_PREFIX + "type";

[navinko]

My bad , removed and reused exiting.

[adoroszlai]

Suggested change

	OzoneConfigKeys.OZONE_ACL_ENABLED, false);
	OzoneConfigKeys.OZONE_ACL_ENABLED, OzoneConfigKeys.OZONE_ACL_ENABLED_DEFAULT);

[navinko]

updated.

[navinko]

Thanks @adoroszlai ,
I have just updated the changes.

[adoroszlai]

Thanks @navinko for the reminder that the patch is updated.

[adoroszlai]

Thanks @navinko for the patch, @Gargi-jais11 for the review.

[navinko]

Thanks @navinko for the patch, @Gargi-jais11 for the review.

Thank you so much @adoroszlai , @Gargi-jais11 for your continued support through the review process and for getting this PR merged.