From 2013 to 2017, I worked for Avalon Consulting, LLC as a Hadoop consultant. During this time I worked with many clients and secured (TLS/SSL, LDAP, Kerberos, etc.) quite a few Hadoop clusters on both Hortonworks and Cloudera distributions. There have been a few posts out there about debugging Kerberos problems, like @steveloughran's “Hadoop and Kerberos: The Madness beyond the Gate”. This post covers a few of the tips I've collected over the years that apply to Kerberos in general as well as to Apache Hadoop.
kinit doesn't display any debug information and will typically come back with an obscure error on failure. The following command enables verbose logging to standard out, which can help with debugging.
KRB5_TRACE=/dev/stdout kinit -V
Java Kerberos/KRB5 and SPNEGO Debug System Properties
Java internal classes that deal with Kerberos have system properties that turn on debug logging. These properties enable a lot of output, so they should only be turned on while diagnosing a problem and then turned off again. They can also be combined if necessary.
The first property handles Kerberos errors and can help with misconfigured KDC servers, krb5.conf issues, and other problems.
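This first property is the JDK's sun.security.krb5.debug flag, set on the JVM command line (the jar name below is a placeholder for whatever Java program is failing):

```shell
# Print the JDK's internal Kerberos (krb5) protocol debugging to stdout.
# "client.jar" is a placeholder, not a real artifact.
java -Dsun.security.krb5.debug=true -jar client.jar
```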
The second property is specifically for SPNEGO debugging for a Kerberos secured web endpoint. SPNEGO can be hard to debug, but this flag can help enable additional debug logging.
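The SPNEGO counterpart is the JDK's sun.security.spnego.debug flag, shown here combined with the first (again with a placeholder jar name):

```shell
# Print the JDK's SPNEGO/GSS negotiation debugging to stdout,
# together with the krb5 debugging from above.
java -Dsun.security.spnego.debug=true -Dsun.security.krb5.debug=true -jar client.jar
```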
These properties can be set with the *_OPTS variables for Apache Hadoop and related components, like the example below:
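A sketch of one such setting, assuming the standard HADOOP_OPTS variable (hadoop-env.sh is the usual place for it):

```shell
# Append the Kerberos/SPNEGO debug flags to the options passed to Hadoop JVMs.
export HADOOP_OPTS="-Dsun.security.krb5.debug=true -Dsun.security.spnego.debug=true ${HADOOP_OPTS}"
```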
Hadoop Command Line Debug Logging
Most of the Apache Hadoop command line tools (ie: hdfs, yarn, etc) use the same underlying logging mechanism, Log4j. Log4j doesn't allow dynamically adjusting log levels at runtime, but it does allow the logger to be adjusted before the command runs. Hadoop exposes the root logger as an environment variable, HADOOP_ROOT_LOGGER, which can be used to change the logging of a specific command without changing the cluster-wide Log4j configuration:
HADOOP_ROOT_LOGGER=DEBUG,console hdfs ...
Debugging Hadoop Users and Groups
Users in Apache Hadoop are typically authenticated through Kerberos. Once a user is authenticated, their username is used to determine their groups. Groups in Apache Hadoop can be configured in a variety of ways with Hadoop Groups Mappings. Debugging what Apache Hadoop thinks your user and groups are is critical for setting up security correctly.
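For context, the principal-to-username translation happens via the hadoop.security.auth_to_local rules in core-site.xml. A minimal hypothetical example (the EXAMPLE.COM realm and the rule itself are assumptions for illustration):

```xml
<!-- core-site.xml: map user@EXAMPLE.COM to the short name "user" -->
<property>
  <name>hadoop.security.auth_to_local</name>
  <value>
    RULE:[1:$1@$0](.*@EXAMPLE\.COM)s/@.*//
    DEFAULT
  </value>
</property>
```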
The first command takes a user principal and returns the corresponding username based on the configured auth_to_local rules:
hadoop org.apache.hadoop.security.HadoopKerberosName USER_PRINCIPAL
The second command takes the username and determines the groups associated with it, using the configured Hadoop Groups Mappings:
hdfs groups USERNAME
The third command uses the currently authenticated user and prints out the current user's UGI (UserGroupInformation). It can also take a principal and keytab to print information about that UGI.
hadoop org.apache.hadoop.security.UserGroupInformation
hadoop org.apache.hadoop.security.UserGroupInformation "PRINCIPAL" "KEYTAB"
The fourth command, KDiag, is relatively new: it was introduced with HADOOP-12426 and first released in Apache Hadoop 2.8.0. It wraps several debugging tools into one and checks for common Kerberos-related misconfigurations.
# Might also set HADOOP_JAAS_DEBUG=true and set the log level 'org.apache.hadoop.security=DEBUG'
hadoop org.apache.hadoop.security.KDiag
More than half the battle of dealing with Kerberos and distributed systems is knowing where to look and what logs to generate. With the right logs, it becomes possible to debug the problem and resolve it quickly.