HDDS-3128. Add support for kdiag and kerbname commands to ozone script #9868

Draft
navinko wants to merge 3 commits into apache:master from navinko:HDDS-3128

@navinko navinko commented Mar 5, 2026

What changes were proposed in this pull request?

HDDS-3128. Add support for kdiag and kerbname commands to ozone script

  • Added changes for verifying how Kerberos principals map to local Unix users and for collecting Kerberos diagnostics, which is useful when debugging and troubleshooting in secure clusters.
    1. ozone kdiag - This is useful when troubleshooting authentication failures in Ozone services. Exposes the Hadoop KDiag diagnostic tool through the Ozone CLI.
    2. ozone kerbname - Added a CLI utility to translate Kerberos principals into local user names using the configured hadoop.security.auth_to_local rules.
  • Fixed checkstyle issues.

What is the link to the Apache JIRA?

https://issues.apache.org/jira/browse/HDDS-3128

How was this patch tested?

bash-5.1$ ozone kerbname om/om@EXAMPLE.COM
Name: om/om@EXAMPLE.COM to om
bash-5.1$ ozone kerbname om@EXAMPLE.COM
Name: om@EXAMPLE.COM to om
bash-5.1$ ozone kerbname om@EXAMPLE_ERORRCASE.COM
Exception in thread "main" org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to om@EXAMPLE_ERORRCASE.COM
at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:429)
at org.apache.hadoop.ozone.kerberos.KerbName.main(KerbName.java:50)

bash-5.1$ ozone kdiag | grep -i login
JVM Kerberos Login Module = com.sun.security.auth.module.Krb5LoginModule
java.security.auth.login.config = "(unset)"
hadoop.kerberos.min.seconds.before.relogin = "60"
Ticket based login: true
Keytab based login: false
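
The mapping that `ozone kerbname` reports above can be reproduced with a small model of `hadoop.security.auth_to_local` evaluation. This is an added example, not code from the PR or from Hadoop: the rule sets and the default realm `EXAMPLE.COM` are assumptions chosen to match the test output, and the `s/from/to/` replacement text is treated as a literal.

```python
import re

# Simplified model of auth_to_local entries: DEFAULT, or
# RULE:[n:format](regex)s/from/to/g with an optional /L suffix.
RULE_RE = re.compile(
    r"\s*(?:(DEFAULT)|RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?"
    r"(?:s/([^/]*)/([^/]*)/(g)?)?)/?(L)?")
NAME_RE = re.compile(r"([^/@]+)(?:/([^/@]+))?(?:@([^/@]+))?")

class NoMatchingRule(Exception):
    """No rule produced a simple (no '/' or '@') short name."""

def parse_rules(text):
    rules, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = RULE_RE.match(text, pos)
        if not m:
            raise ValueError(f"invalid rule at: {text[pos:]!r}")
        rules.append(m.groups())
        pos = m.end()
    return rules

def short_name(principal, rules, default_realm):
    m = NAME_RE.fullmatch(principal)
    if not m:
        raise ValueError(f"malformed principal: {principal!r}")
    service, host, realm = m.groups()
    if host is None and realm is None:
        return service
    params = [realm or "", service] + ([host] if host else [])
    for default, n, fmt, match, frm, to, repeat, lower in rules:
        result = None
        if default:
            result = service if realm == default_realm else None
        elif len(params) - 1 == int(n):
            # $0 is the realm, $1 and $2 are the name components.
            base = re.sub(r"\$(\d)", lambda g: params[int(g.group(1))], fmt)
            if match is None or re.fullmatch(match, base):
                result = base if frm is None else re.sub(
                    frm, lambda _: to, base, count=0 if repeat else 1)
        if result is not None:
            if re.search(r"[/@]", result):
                raise NoMatchingRule(f"Non-simple name {result}")
            return result.lower() if lower else result
    raise NoMatchingRule(f"No rules applied to {principal}")

# Constructed rule sets: DEFAULT alone, and one with an over-broad regex.
STRICT = parse_rules("DEFAULT")
BROAD = parse_rules("RULE:[1:$1@$0](.*)s/@.*//\nDEFAULT")
```

Under `STRICT` the principal from the unknown realm is rejected, as in the test output; under `BROAD` the same principal maps to the local user `om`, which is the case to check for when reviewing a rule set.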

@adoroszlai adoroszlai left a comment

Thanks @navinko for working on this. I think we should add these new commands under ozone debug, not at the top-level. Also, please implement as a picocli @Command. See VersionDebug as an example. KDiag would need to be copied to Ozone and adapted.

navinko commented Mar 5, 2026

> I think we should add these new commands under ozone debug, not at the top-level. Also, please implement as a picocli @Command. See VersionDebug as an example. KDiag would need to be copied to Ozone and adapted.

Hi @adoroszlai Thank you for reviewing. I have one doubt

> KDiag would need to be copied to Ozone and adapted.

Does it mean keeping the wrapper and reusing Hadoop KDiag and appending Ozone diagnostics, or copying the KDiag implementation into Ozone and extending it further?

adoroszlai commented Mar 5, 2026

> KDiag would need to be copied to Ozone and adapted.
>
> Does it mean keeping the wrapper and reusing Hadoop KDiag and appending Ozone diagnostics, or copying the KDiag implementation into Ozone and extending it further?

The latter (copy to Ozone, change to use picocli instead of its own argument parsing, replace Hadoop-specific variables/properties with Ozone-specific ones, etc.).

navinko commented Mar 6, 2026

> KDiag would need to be copied to Ozone and adapted.
>
> Does it mean keeping the wrapper and reusing Hadoop KDiag and appending Ozone diagnostics, or copying the KDiag implementation into Ozone and extending it further?
>
> The latter (copy to Ozone, change to use picocli instead of its own argument parsing, replace Hadoop-specific variables/properties with Ozone-specific ones, etc.).

Thank you, I will update the PR shortly.

@navinko navinko marked this pull request as draft March 6, 2026 14:57