HDDS-3128. Add ozone debug commands for Kerberos (#9868)

Author: navinko

hadoop-ozone/cli-debug/pom.xml

@@ -74,6 +74,10 @@
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.apache.hadoop</groupId>
+      <artifactId>hadoop-auth</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.apache.hadoop</groupId>
       <artifactId>hadoop-common</artifactId>

hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/kerberos/AuthorizationProbe.java

@@ -0,0 +1,106 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.debug.kerberos;
+
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_ACL_ENABLED_DEFAULT;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED;
+import static org.apache.hadoop.ozone.OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY;
+
+import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
+import org.apache.hadoop.hdds.HddsConfigKeys;
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.ozone.OzoneConfigKeys;
+import org.apache.hadoop.ozone.om.OMConfigKeys;
+
+/**
+ * Validates Ozone and Hadoop RPC authorization configuration.
+ * Checks whether Hadoop authorization and Ozone ACL settings are enabled
+ * and properly configured.
+ * Missing or disabled authorization is reported as a warning.
+ */
+public class AuthorizationProbe extends ConfigProbe {
+
+  @Override
+  public String name() {
+    return "Authorization Configuration";
+  }
+
+  @Override
+  public ProbeResult test(OzoneConfiguration conf) {
+
+    // Print relevant configs
+    print(conf, OZONE_SECURITY_ENABLED_KEY);
+    print(conf, OZONE_AUTHORIZATION_ENABLED);
+    print(conf, OzoneConfigKeys.OZONE_ACL_ENABLED);
+    print(conf, OzoneConfigKeys.OZONE_ACL_AUTHORIZER_CLASS);
+
+    print(conf, CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION);
+    print(conf, OMConfigKeys.OZONE_OM_SECURITY_CLIENT_PROTOCOL_ACL);
+
+    print(conf, HddsConfigKeys.HDDS_SECURITY_CLIENT_DATANODE_CONTAINER_PROTOCOL_ACL);
+    print(conf, HddsConfigKeys.HDDS_SECURITY_CLIENT_SCM_CONTAINER_PROTOCOL_ACL);
+    print(conf, HddsConfigKeys.HDDS_SECURITY_CLIENT_SCM_BLOCK_PROTOCOL_ACL);
+    print(conf, HddsConfigKeys.HDDS_SECURITY_CLIENT_SCM_CERTIFICATE_PROTOCOL_ACL);
+
+    ProbeResult result = ProbeResult.PASS;
+
+    // Validate Ozone security if enabled
+    boolean ozoneSecurityEnabled = conf.getBoolean(OZONE_SECURITY_ENABLED_KEY,
+        OzoneConfigKeys.OZONE_SECURITY_ENABLED_DEFAULT);
+
+    // If security disabled, no need to check further.
+    if (!ozoneSecurityEnabled) {
+      warn("Ozone security is disabled ("
+          + OZONE_SECURITY_ENABLED_KEY + "=" +  ozoneSecurityEnabled + ". "
+          + "Authorization checks are not enforced in non-secure mode.");
+      return ProbeResult.WARN; // not a failure
+    }
+
+    // Validate Ozone authorization(master switch)
+    boolean ozoneAuthEnabled = conf.getBoolean(OZONE_AUTHORIZATION_ENABLED,
+        OzoneConfigKeys.OZONE_AUTHORIZATION_ENABLED_DEFAULT);
+
+    if (!ozoneAuthEnabled) {
+      warn("Ozone authorization is disabled ("
+          + OZONE_AUTHORIZATION_ENABLED + "=" + ozoneAuthEnabled + ". "
+          + "No admin or ACL checks will be enforced.");
+      result = ProbeResult.WARN;
+    }
+
+    // Validate Hadoop authorization
+    boolean hadoopAuthEnabled = conf.getBoolean(
+        CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHORIZATION, false);
+
+    if (!hadoopAuthEnabled) {
+      warn("Hadoop authorization is disabled");
+      result = ProbeResult.WARN;
+    }
+
+    // Validate Ozone ACLs enforcement
+    boolean ozoneAclEnabled = conf.getBoolean(
+        OzoneConfigKeys.OZONE_ACL_ENABLED, OZONE_ACL_ENABLED_DEFAULT);
+
+    if (!ozoneAclEnabled) {
+      warn("Ozone ACLs are disabled while authorization is enabled. "
+          + "Only admin privilege checks will be enforced.");
+      result = ProbeResult.WARN;
+    }
+
+    return result;
+  }
+}

hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/kerberos/ConfigProbe.java

@@ -0,0 +1,116 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.debug.kerberos;
+
+import java.io.File;
+import java.io.InputStream;
+import java.nio.file.Files;
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+
+/**
+ * Base class for probes with common helpers.
+ */
+public abstract class ConfigProbe implements DiagnosticProbe {
+
+  /**
+   * Generic key-value printer (used everywhere).
+   */
+  protected void printValue(String key, String value) {
+    if (value != null && value.startsWith("to Local user")) {
+      System.out.println(key + " " + value);
+    } else {
+      System.out.println(key + " = " +
+          (value == null ? "(unset)" : value));
+    }
+  }
+
+  /**
+   * Config-specific printer.
+   */
+  protected void print(OzoneConfiguration conf, String key) {
+    printValue(key, conf.getTrimmed(key));
+  }
+
+  /**
+   * Warning message.
+   */
+  protected void warn(String msg) {
+    System.err.println("WARNING: " + msg);
+  }
+
+  /**
+   * Error message.
+   */
+  protected void error(String msg) {
+    System.err.println("ERROR: " + msg);
+  }
+
+  /**
+   * Validate that a file exists, is readable, and not empty.
+   */
+  protected boolean canReadFile(File file, String description) {
+    if (file == null) {
+      error(description + " is null");
+      return false;
+    }
+
+    if (!file.exists()) {
+      error(description + " does not exist: " + file);
+      return false;
+    }
+
+    if (!file.isFile()) {
+      error(description + " is not a file: " + file);
+      return false;
+    }
+
+    if (!file.canRead()) {
+      error(description + " is not readable: " + file);
+      return false;
+    }
+
+    try (InputStream fileInputStream = Files.newInputStream(file.toPath())) {
+      if (fileInputStream.read() == -1) {
+        error(description + " is empty or invalid: " + file);
+        return false;
+      }
+      return true;
+    } catch (Exception e) {
+      error(description + " is not readable: " + file +
+          " (" + e.getMessage() + ")");
+      return false;
+    }
+  }
+
+  protected File getKrb5ConfigFile() {
+    // 1. Check System Property (Highest priority)
+    String path = System.getProperty("java.security.krb5.conf");
+
+    // 2. Check Environment Variable
+    if (path == null || path.isEmpty()) {
+      path = System.getenv("KRB5_CONFIG");
+    }
+
+    // 3. Fallback to default
+    if (path == null || path.isEmpty()) {
+      path = "/etc/krb5.conf";
+    }
+
+    return new File(path);
+  }
+}

hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/kerberos/DiagnoseSubcommand.java

@@ -0,0 +1,113 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.debug.kerberos;
+
+import java.io.ByteArrayOutputStream;
+import java.io.PrintStream;
+import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
+import java.util.List;
+import java.util.concurrent.Callable;
+import org.apache.hadoop.hdds.cli.AbstractSubcommand;
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import picocli.CommandLine;
+
+/**
+ * Kerberos diagnostic command for Ozone.
+ * Usage:Validates each registered probe serially
+ * and prints diagnostic summary.
+ * Example: ozone debug kerberos diagnose
+ */
+@CommandLine.Command(name = "diagnose",
+    description = "Diagnose Kerberos configuration issues.")
+public class DiagnoseSubcommand extends AbstractSubcommand
+    implements Callable<Integer> {
+  @Override
+  public Integer call() throws Exception {
+    out().println("\n== Ozone Kerberos Diagnostics ==\n");
+    OzoneConfiguration conf = getOzoneConf();
+    List<DiagnosticProbe> probes = Arrays.asList(
+        new HostProbe(),
+        new EnvironmentProbe(),
+        new JvmKerberosProbe(),
+        new KerberosConfigProbe(),
+        new KinitProbe(),
+        new KeytabProbe(),
+        new KerberosTicketProbe(),
+        new PrincipalMappingProbe(),
+        new SecurityConfigProbe(),
+        new AuthorizationProbe(),
+        new HttpAuthProbe());
+
+    int pass = 0, warn = 0, fail = 0;
+
+    for (DiagnosticProbe probe : probes) {
+
+      out().println("-- " + probe.name() + " --");
+
+      ByteArrayOutputStream buffer = new ByteArrayOutputStream();
+      PrintStream ps = new PrintStream(
+          buffer, true, StandardCharsets.UTF_8.name());
+      PrintStream oldOut = System.out;
+      PrintStream oldErr = System.err;
+
+      System.setOut(ps);
+      System.setErr(ps);
+
+      ProbeResult result;
+      try {
+        result = probe.test(conf);
+      } catch (Throwable t) {
+        t.printStackTrace(System.err);
+        err().println("ERROR: Probe execution failed: " + t.getMessage());
+        result = ProbeResult.FAIL;
+      } finally {
+        System.setOut(oldOut);
+        System.setErr(oldErr);
+        ps.close();
+      }
+
+      String output = new String(buffer.toByteArray(), StandardCharsets.UTF_8);
+      out().print(output);
+
+      switch (result) {
+      case FAIL:
+        fail++;
+        out().println("[FAIL] " + probe.name());
+        break;
+      case WARN:
+        warn++;
+        out().println("[WARN] " + probe.name());
+        break;
+      case PASS:
+        pass++;
+        out().println("[PASS] " + probe.name());
+        break;
+      default:
+        throw new IllegalStateException("Unknown result: " + result);
+      }
+      out().println();
+    }
+    out().println("== Diagnostic Summary ==");
+    out().println("PASS : " + pass);
+    out().println("WARN : " + warn);
+    out().println("FAIL : " + fail);
+
+    return fail > 0 ? 1 : 0;
+  }
+}

hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/kerberos/DiagnosticProbe.java

@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.debug.kerberos;
+
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+
+/**
+ * Interface for a diagnostic probe executed by ozone debug kerberos subcommands.
+ */
+public interface DiagnosticProbe {
+
+  /**
+   * Name of the probe (used in output headers).
+   */
+  String name();
+
+  /**
+   * Execute the diagnostic check and return probe result as enum.
+   */
+  ProbeResult test(OzoneConfiguration conf) throws Exception;
+}