HADOOP-15168. Add kdiag tool to hadoop command. Contributed by Bharat Viswanadham.

hadoop-common-project/hadoop-common/src/main/bin/hadoop

@@ -45,6 +45,7 @@ function hadoop_usage
   hadoop_add_subcommand "key" client "manage keys via the KeyProvider"
   hadoop_add_subcommand "trace" client "view and modify Hadoop tracing settings"
   hadoop_add_subcommand "version" client "print the version"
+  hadoop_add_subcommand "kdiag" client "Diagnose Kerberos Problems"
   hadoop_generate_usage "${HADOOP_SHELL_EXECNAME}" true
 }
 
@@ -148,6 +149,9 @@ function hadoopcmd_case
     kerbname)
       HADOOP_CLASSNAME=org.apache.hadoop.security.HadoopKerberosName
     ;;
+    kdiag)
+      HADOOP_CLASSNAME=org.apache.hadoop.security.KDiag
+    ;;
     key)
       HADOOP_CLASSNAME=org.apache.hadoop.crypto.key.KeyShell
     ;;

hadoop-common-project/hadoop-common/src/main/bin/hadoop.cmd

@@ -149,7 +149,7 @@ call :updatepath %HADOOP_BIN_PATH%
     exit /b
   )
 
-  set corecommands=fs version jar checknative conftest distch distcp daemonlog archive classpath credential kerbname key trace
+  set corecommands=fs version jar checknative conftest distch distcp daemonlog archive classpath credential kerbname key trace kdiag
   for %%i in ( %corecommands% ) do (
     if %hadoop-command% == %%i set corecommand=true  
   )
@@ -231,6 +231,10 @@ call :updatepath %HADOOP_BIN_PATH%
   set CLASS=org.apache.hadoop.security.HadoopKerberosName
   goto :eof
 
+:kdiag
+  set CLASS=org.apache.hadoop.security.KDiag
+  goto :eof
+
 :key
   set CLASS=org.apache.hadoop.crypto.key.KeyShell
   goto :eof
@@ -307,6 +311,7 @@ call :updatepath %HADOOP_BIN_PATH%
   @echo   credential           interact with credential providers
   @echo   jnipath              prints the java.library.path
   @echo   kerbname             show auth_to_local principal conversion
+  @echo   kdiag                diagnose kerberos problems
   @echo   key                  manage keys via the KeyProvider
   @echo   trace                view and modify Hadoop tracing settings
   @echo   daemonlog            get/set the log level for each daemon

hadoop-common-project/hadoop-common/src/site/markdown/CommandsManual.md

@@ -187,6 +187,12 @@ user name.
 
 Example: `hadoop kerbname user@EXAMPLE.COM`
 
+### `kdiag`
+
+Usage: `hadoop kdiag`
+
+Diagnose Kerberos Problems
+
 ### `key`
 
 Usage: `hadoop key <subcommand> [options]`

hadoop-common-project/hadoop-common/src/site/markdown/SecureMode.md

@@ -435,17 +435,12 @@ or a specific principal in a named keytab.
 The output of the command can be used for local diagnostics, or forwarded to
 whoever supports the cluster.
 
-The `KDiag` command has its own entry point; it is currently not hooked up
+The `KDiag` command has its own entry point; It is invoked by passing `kdiag` to
-to the end-user CLI.
+`bin/hadoop` command. Accordingly, it will display the kerberos client state
-
+of the command used to invoke it.
-It is invoked simply by passing its full classname to one of the `bin/hadoop`,
-`bin/hdfs` or `bin/yarn` commands. Accordingly, it will display the kerberos client
-state of the command used to invoke it.
 
 ```
-hadoop org.apache.hadoop.security.KDiag
+hadoop kdiag
-hdfs org.apache.hadoop.security.KDiag
-yarn org.apache.hadoop.security.KDiag
 ```
 
 The command returns a status code of 0 for a successful diagnostics run.
@@ -525,7 +520,7 @@ some basic Kerberos preconditions.
 #### `--out outfile`: Write output to file.
 
 ```
-hadoop org.apache.hadoop.security.KDiag --out out.txt
+hadoop kdiag --out out.txt
 ```
 
 Much of the diagnostics information comes from the JRE (to `stderr`) and
@@ -534,7 +529,7 @@ To get all the output, it is best to redirect both these output streams
 to the same file, and omit the `--out` option.
 
 ```
-hadoop org.apache.hadoop.security.KDiag --keytab zk.service.keytab --principal zookeeper/devix.example.org@REALM > out.txt 2>&1
+hadoop kdiag --keytab zk.service.keytab --principal zookeeper/devix.example.org@REALM > out.txt 2>&1
 ```
 
 Even there, the output of the two streams, emitted across multiple threads, can
@@ -543,15 +538,12 @@ name in the Log4j output to distinguish background threads from the main thread
 helps at the hadoop level, but doesn't assist in JVM-level logging.
 
 #### `--resource <resource>` : XML configuration resource to load.
-
+To load XML configuration files, this option can be used. As by default, the
-When using the `hdfs` and `yarn` commands, it is often useful to force
+`core-default` and `core-site` XML resources are only loaded. This will help,
-load the `hdfs-site.xml` and `yarn-site.xml` resource files, to pick up any Kerberos-related
+when additional configuration files has any Kerberos related configurations.
-configuration options therein.
-The `core-default` and `core-site` XML resources are always loaded.
 
 ```
-hdfs org.apache.hadoop.security.KDiag --resource hbase-default.xml --resource hbase-site.xml
+hadoop kdiag --resource hbase-default.xml --resource hbase-site.xml
-yarn org.apache.hadoop.security.KDiag --resource yarn-default.xml --resource yarn-site.xml
 ```
 
 For extra logging during the operation, set the logging and `HADOOP_JAAS_DEBUG`
@@ -580,9 +572,9 @@ nor `"/"` characters.
 ### Example
 
 ```
-hdfs org.apache.hadoop.security.KDiag \
+hadoop kdiag \
   --nofail \
-  --resource hbase-default.xml --resource hbase-site.xml \
+  --resource hdfs-site.xml --resource yarn-site.xml \
   --keylen 1024 \
   --keytab zk.service.keytab --principal zookeeper/devix.example.org@REALM
 ```