Thanks Zhe Zhang for the review! Patch 3 is attached.
It's better to add some error handling in checkKerberosAndInit: what if DFS_BALANCER_KERBEROS_PRINCIPAL_KEY or the keytab file key is not set.
That's handled in SecurityUtil#login
It'll throw IOE with details if keytab is given incorrectly, and will use system username if principal is not provided
Looks like getAddress can be folded into the checkKerberosAndInit method?
Maybe checkKeytabAndInit is a better name?
assertTrue(ugi.isLoginKeytabBased()) should be UserGroupInformation.isLoginKeytabBased() since the method is static
This can be a follow-on: ideally we can verify the behavior when used with the hdfs --daemon option.
Makes sense, I assume --daemon would be the same for all commands though.
Another follow-on idea is to verify the relogin after TGT "max renew time" expires. It could be hard to control KDC TGT config though.
I manually verified this, but I guess I could borrow your patch from
HADOOP-12559 to do it programmatically.