HDDS-3128. Add support for kdiag and kerbname commands to ozone script

hadoop-ozone/cli-debug/pom.xml

@@ -74,6 +74,10 @@
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.apache.hadoop</groupId>
+      <artifactId>hadoop-auth</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.apache.hadoop</groupId>
       <artifactId>hadoop-common</artifactId>

hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/authtolocal/KerbNameDebug.java

@@ -0,0 +1,67 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.debug.authtolocal;
+
+import java.util.List;
+import java.util.concurrent.Callable;
+import org.apache.hadoop.hdds.cli.DebugSubcommand;
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+import org.apache.hadoop.security.authentication.util.KerberosName;
+import org.kohsuke.MetaInfServices;
+import picocli.CommandLine;
+
+/**
+ * Debug command to translate Kerberos principals into local user names
+ * using the configured auth_to_local rules.
+ *
+ * Example:
+ *   ozone debug kerbname testuser/om@EXAMPLE.COM
+ */
+@CommandLine.Command(
+    name = "kerbname",
+    description = "Translate Kerberos principal(s) using auth_to_local rules."
+)
+@MetaInfServices(DebugSubcommand.class)
+public class KerbNameDebug implements Callable<Void>, DebugSubcommand {
+
+  @CommandLine.Parameters(arity = "1..*",
+      description = "Kerberos principal(s) to translate"
+  )
+  private List<String> principals;
+
+  @Override
+  public Void call() throws Exception {
+    System.out.println("-- Kerberos Principal Translation --");
+    OzoneConfiguration conf = new OzoneConfiguration();
+    // Initialize auth_to_local rules
+    String rules = conf.get("hadoop.security.auth_to_local", "DEFAULT");
+    KerberosName.setRules(rules);
+    System.out.println("auth_to_local rules = " + rules);
+    for (String principal : principals) {
+      try {
+        KerberosName kerbName = new KerberosName(principal);
+        String shortName = kerbName.getShortName();
+        System.out.println(String.format(
+            "Principal = %s to Local user = %s", principal, shortName));
+      } catch (Exception e) {
+        System.out.println("Failed to translate principal: " + e.getMessage());
+      }
+    }
+    return null;
+  }
+}

hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/authtolocal/package-info.java

@@ -0,0 +1,21 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Auth to local debug related commands.
+ */
+package org.apache.hadoop.ozone.debug.authtolocal;

hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/kdiag/AuthorizationProbe.java

@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.debug.kdiag;
+
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+
+/**
+ * Validates Ozone and Hadoop RPC authorization configuration.
+ */
+public class AuthorizationProbe implements DiagnosticProbe {
+
+  @Override
+  public String name() {
+    return "Authorization Configuration";
+  }
+
+  @Override
+  public boolean run() {
+    System.out.println("-- Authorization Configuration --");
+    OzoneConfiguration conf = new OzoneConfiguration();
+
+    print(conf, "ozone.acl.enabled");
+    print(conf, "ozone.acl.authorizer.class");
+    print(conf, "hadoop.security.authorization");
+    print(conf, "ozone.om.security.client.protocol.acl");
+
+    print(conf, "hdds.security.client.datanode.container.protocol.acl");
+    print(conf, "hdds.security.client.scm.container.protocol.acl");
+    print(conf, "hdds.security.client.scm.block.protocol.acl");
+    print(conf, "hdds.security.client.scm.certificate.protocol.acl");
+    return true;
+  }
+
+  private void print(OzoneConfiguration conf, String key) {
+    String value = conf.get(key);
+    System.out.println(key + " = "
+        + (value == null ? "(unset)" : value));
+  }
+}

hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/kdiag/DiagnosticProbe.java

@@ -0,0 +1,28 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.debug.kdiag;
+
+/**
+ * Interface for a diagnostic probe executed by ozone debug kdiag.
+ */
+public interface DiagnosticProbe {
+
+  String name();
+
+  boolean run() throws Exception;
+}

hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/kdiag/EnvironmentProbe.java

@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.debug.kdiag;
+
+/**
+ * Prints environment variables relevant to Kerberos and Ozone.
+ */
+public class EnvironmentProbe implements DiagnosticProbe {
+
+  @Override
+  public String name() {
+    return "Environment Variables";
+  }
+
+  @Override
+  public boolean run() {
+    System.out.println("-- Environment Variables --");
+    print("KRB5_CONFIG");
+    print("KRB5CCNAME");
+    print("OZONE_CONF_DIR");
+    print("HADOOP_CONF_DIR");
+    print("JAVA_SECURITY_KRB5_CONF");
+    return true;
+  }
+
+  private void print(String key) {
+    String value = System.getenv(key);
+    System.out.println(key + " = "
+        + (value == null ? "(unset)" : value));
+  }
+}

hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/kdiag/HostProbe.java

@@ -0,0 +1,43 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.debug.kdiag;
+
+import java.net.InetAddress;
+
+/**
+ * Prints host and JVM information.
+ */
+public class HostProbe implements DiagnosticProbe {
+
+  @Override
+  public String name() {
+    return "Host Information";
+  }
+
+  @Override
+  public boolean run() throws Exception {
+    System.out.println("-- Host Information --");
+    System.out.println("Hostname = "
+        + InetAddress.getLocalHost().getCanonicalHostName());
+    System.out.println("User = "
+        + System.getProperty("user.name"));
+    System.out.println("Java version = "
+        + System.getProperty("java.version"));
+    return true;
+  }
+}

hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/kdiag/HttpAuthProbe.java

@@ -0,0 +1,63 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.debug.kdiag;
+
+import org.apache.hadoop.hdds.conf.OzoneConfiguration;
+
+/**
+ * Prints HTTP Kerberos authentication configuration for Ozone services.
+ *
+ * This probe checks whether the HTTP endpoints (WebUI / REST services)
+ * of Ozone components are configured to use Kerberos authentication.
+ *
+ * It only prints configuration values for diagnostics and does not
+ * enforce validation. Validation can be added in future improvements.
+ */
+public class HttpAuthProbe implements DiagnosticProbe {
+
+  @Override
+  public String name() {
+    return "HTTP Kerberos Authentication";
+  }
+
+  @Override
+  public boolean run() {
+
+    System.out.println("-- HTTP Kerberos Authentication --");
+
+    OzoneConfiguration conf = new OzoneConfiguration();
+
+    print(conf, "ozone.om.http.auth.type");
+    print(conf, "hdds.scm.http.auth.type");
+    print(conf, "hdds.datanode.http.auth.type");
+    print(conf, "ozone.s3g.http.auth.type");
+    print(conf, "ozone.recon.http.auth.type");
+
+    return true;
+  }
+
+  /**
+   * Helper method to print configuration value.
+   */
+  private void print(OzoneConfiguration conf, String key) {
+
+    String value = conf.get(key);
+    System.out.println(key + " = " +
+        (value == null ? "(unset)" : value));
+  }
+}

hadoop-ozone/cli-debug/src/main/java/org/apache/hadoop/ozone/debug/kdiag/JvmKerberosProbe.java

@@ -0,0 +1,49 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.ozone.debug.kdiag;
+
+/**
+ * Prints JVM Kerberos related system properties.
+ */
+public class JvmKerberosProbe implements DiagnosticProbe {
+
+  @Override
+  public String name() {
+    return "JVM Kerberos Properties";
+  }
+
+  @Override
+  public boolean run() {
+
+    System.out.println("-- JVM Kerberos Properties --");
+    // Print JVM Kerberos related system properties
+    print("java.security.krb5.conf");
+    print("java.security.krb5.realm");
+    print("java.security.krb5.kdc");
+    print("sun.security.krb5.debug");
+
+    return true;
+  }
+
+  private void print(String key) {
+
+    String value = System.getProperty(key);
+    System.out.println(key + " = "
+        + (value == null ? "(unset)" : value));
+  }
+}