topic Re: Enable kerberos for sas hadoop in Administration and Deployment

Enable kerberos for sas hadoop

woo — Mon, 19 Jun 2017 21:25:35 GMT

Hello - i am new to sas and hadoop. we have hadoop team with x number of nodes in a cluster. we have sas 9.4 on linux on grid cluster where some users are trying connecting to hadoop using filename statment with proc hadoop but hadoop team saying sas will need to enable kerberos so that sas eg users can be connected.

i tried to find some documentation on how to enable kerberos from sas end and found some but not specific, can somone please direct?

Re: Enable kerberos for sas hadoop

alexal — Mon, 19 Jun 2017 21:59:35 GMT

@woo,

SAS do not directly interact with your authentication server, so you need to configure PAM/Kerberos authentication in Linux, then you can enable PAM authentication in SAS:

http://support.sas.com/kb/49/432.html

Do not forget that you need to uncomment the following line in /<SASHome>/SASFoundation/9.4/utilities/bin/sasauth.conf:

PAM_SETCREDENTIALS=TRUE

You can test PAM authentication and Kerberos ticket creation by using "proc permtest":

http://support.sas.com/kb/39/891.html

Let me know if you have any questions.

Re: Enable kerberos for sas hadoop

woo — Tue, 20 Jun 2017 14:00:59 GMT

we have host authentication implemented at the moment for sas grid + that PAM_SET...option is already turned off,,,in that case, what can be done from sas end?

also, .odbc.ini file contains i believe three parameters for kerberos authentication and they are,

KrbRealm=

KrbFQDN=

KrbServiceName=

Re: Enable kerberos for sas hadoop

woo — Tue, 20 Jun 2017 14:35:13 GMT

users are connecting to hadoop fine from server itself (like putty or so), issues comes in when users trying connect via sas eg,

Re: Enable kerberos for sas hadoop

alexal — Tue, 20 Jun 2017 14:45:50 GMT

@woo,

>> we have host authentication implemented at the moment for sas grid + that PAM_SET...option is already turned off,,,in that case, what can be done from sas end?

In this case SAS sessions can use the Kerberos ticket that was created by issuing kinit command from the Linux console. If you want to generate the Kerberos ticket from SAS, you have to configure PAM authentication + uncomment that option in sasauth.conf. Also, WorkspaceServer_usermods.sh should have this script:

workspace_user=$(whoami)
workspace_user_ccaches=$(find /tmp -maxdepth 1 -user ${workspace_user} -type f -name "krb5cc_*" -printf '%T@ %p\n' | sort -k 1nr | sed 's/^[^ ]* //' | head -n 1)
if test ! -z "$workspace_user_ccaches"; then
echo "Most recent krb5 ccache found for '${workspace_user}' at '${workspace_user_ccaches}'."
echo "Cache last modified: $(stat -c%y ${workspace_user_ccaches})"
export KRB5CCNAME=$workspace_user_ccaches
echo "KRB5CCNAME has been set to ${KRB5CCNAME}."
else
echo "No krb5 credentials caches were found in /tmp for '${workspace_user}'."
fi

Re: Enable kerberos for sas hadoop

maheshtalla — Tue, 20 Jun 2017 15:27:24 GMT

Hi woo,
For configuring Kerberos, you need to make changes in /etc/krb5.conf. where in you need to add all your domains in the realms section.
for example:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = company.COM
#default_ccache_name = /tmp/krb5cc_%{uid}
[realms]
company.COM = {
kdc = xxxx.company.com:88
admin_server = xxxx.company.com
}
Can you please confirm to which DB you are connecting through ODBC?
Also in ODBC you no need to mention those parameters if you config krb5.conf.

Re: Enable kerberos for sas hadoop

maheshtalla — Tue, 20 Jun 2017 15:31:11 GMT

FYI: there is good article/post as in below link. please go through it once which might help you understand.
https://communities.sas.com/t5/SAS-Communities-Library/5-tips-for-SAS-ACCESS-TO-KERBERIZED-HADOOP/ta-p/358746

Re: Enable kerberos for sas hadoop

woo — Tue, 20 Jun 2017 16:03:31 GMT

thank you so much alexal and maheshtalla for your input,

at the moment we are using

sas/access to imapala driver leveraging ODBC - users keeping their own .odbc.ini file

sas/access to hadoop driver leveraging hadoop jar files (filename statement) or webhdfs

Also, for Reading -> LDAP authenticaiton and for R+W -> Kerberos authentication

And yes, our etc/krb5.conf file has those details in it,

Re: Enable kerberos for sas hadoop

maheshtalla — Wed, 21 Jun 2017 14:48:28 GMT

Hi Woo,
If krb5.conf is correctly configured with required KDC then kerberos authentication should work.
Can you check basic test with kinit on linux server.
ex: kinit userid
it prompts for password