BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
avinashginjupal
Obsidian | Level 7

I wanted to know how the services will do hand shake between each other when a user login to web url and kick off a code or a report.

 

Assume a user open Web URL and wanted to run stored process or web report.

 

How the authentication will happen? Will the request directly goes to metadata? I believe there will be some other service that handles the request prior to metadata if the request is coming from Web page.

Which service will first take the request? How the service will pass the request to next service?

Which service will create the session for the request?

 

And also provide all the avilable SAS Services:

Example:

OLAP Server

Object Spawner

Connect Spawner

Framework Server

Metadata Server etc....

 

 

1 ACCEPTED SOLUTION

Accepted Solutions
avinashginjupal
Obsidian | Level 7

After understating the process and background communication in my research, here is the back ground that SAS does for a request it receive via Web Application:

 

Please correct if I went wrong in understanding which is very helpful.

 

Step 1: User launches SAS Web Report Studio (page request). WRS prompts the user for the username and password (what user sees)

 

What SAS Does:

 

  1. A SAS component within the Web application server (the Logon Manager application) prompts the user for credentials.
  2. The Web container's Java Authentication and Authorization Service (JAAS) login module coordinates the verification of the credentials
  3. Verifies user credentials via authentication provider.
  4. JAAS then passes the authenticated ID to the SAS trusted login module
  5. A trusted connection is established to the SAS Metadata Server (SAS Authentication Service -> SAS Remote Services -> SAS Metadata Server)
  6. SAS Metadata Server identifies the user in the SAS metadata repository
  7. Resolves assignment of SAS metadata roles and access controls
  8. Connection is established between middle tier application and the metadata server

 

Step 2: Users requests a web report

 

What SAS Does:

 

  1. The request goes from the browser back to SAS Web Report Studio on the middle tier. SAS Web Report Studio must obtain both the structure for the report (how it will look) and the data.

 

  1. The structure for the report is stored in the SAS Content Server. SAS Web Report Studio sends a query to the SAS Metadata Server asking where the SAS Content Server resides and queries the SAS Metadata Server to make sure that your SAS ID is authorized to view this report and use the data sources that are associated with it.
  2. WRS sends a request to the SAS Content Server to retrieve the stored XML that describes the structure of the report.
  3. A request is sent to the SAS Metadata Server for information about where the data resides, the information map that is required to decode the query, and whether you have the authority to read that data.

 

  1. Once SAS Web Report Studio receives the required information, it asks the SAS object spawner to give it access to a SAS Workspace Server or SAS Stored Process Server. SAS Web Report Studio sends the query to the SAS session that it obtained.
  2. The SAS server then uses a configured data source engine, such as SAS/ACCESS, to contact the database, send the query, and receive the results.
  3. The ResultSet is rephrased into the business language that is used by the information map and is sent back to SAS Web Report Studio, which sends the report to your browser.

 

Step 3: User closes/ quits Web Report Studio

 

The workspace session that was opened on behalf of the user is shut down when their clients have completed their work.

View solution in original post

7 REPLIES 7
JuanS_OCS
Amethyst | Level 16

Hi,

 

I understand where is your question coming from, but something I could explain to you in 30 min face to face, it can take quite long to explain here.

 

Have you already read those?

Authentication Models: http://support.sas.com/documentation/cdl/en/bisecag/67045/HTML/default/viewer.htm#p0sajzx39gs312n18u...

Authentication mechanisms: http://support.sas.com/documentation/cdl/en/bisecag/67045/HTML/default/viewer.htm#n12nk3oh7y2himn141...

 

Host Authentication: http://support.sas.com/documentation/cdl/en/bisecag/67045/HTML/default/viewer.htm#p0rjglixjfbdokn12s...

 

Web Authentication: http://support.sas.com/documentation/cdl/en/bimtag/68217/HTML/default/viewer.htm#n1bhp608f0hsoen10i1...

 

I think one that it would be of your special interest is the Identity passing, as one of your main questions: http://support.sas.com/documentation/cdl/en/bisecag/67045/HTML/default/viewer.htm#p0unn7osq3uuvyn0zp...

 

All in all, please consider:

- Web Report (Web Report Studio): it runs on a Pooled Workspace Server session with a trusted connection, unless the report includes a stored process, then the stp will run on a stored process server.

- Stored Processes: it runs on a Stored process Server session, with a trusted connection.

 

Both of above, the trusted connection will happen with sastrust@saspw towards the metadata and your SAS General Servers service account (usually, sassrv)

 

- Workspace server: will authenticate agains the user account, unless you have SAS Token Authentication, then you will hace a trusted authentication (as on Stored Process and Pooled Workspace Server).

 

 

 

About Web Authentication

a) By default, SAS web applications use the form-based authentication that is provided by the SAS Logon Manager application. When credentials are provided to SAS Logon Manager, the credentials are sent to the SAS Metadata Server for authentication. The metadata server then authenticates the credentials against its authentication provider. The default provider is the host operating system.
 
b) As an alternative, you can configure the SAS web applications to authenticate on the middle tier. When users log on to a SAS web application, SAS Web Application Server handles the initial authentication for container-managed security.
Performing web authentication facilitates single sign-on. Most likely, your organization has several applications behind a common set of reverse proxy and HTTP servers. By having a common server handle authentication, users do not need to re-authenticate for access to each application.
Kurt_Bremser
Super User

> Assume a user open Web URL and wanted to run stored process or web report.

 

Web Report:

User clicks, HTTP daemon (usually apache) receives request and hands it over to web application server (jboss).

WRS module in jboss realizes no login was done yet and activates SAS Logon Manager. Logon Manager gets data from Metadata Server and authenticates against auth domain (usually the operating system, could also be LDAP) - this involves a lot of back-and-forth between browser, apache and jboss.

Once login as been done, WRS module is again active.

Available reports are stored in SAS Folders in the metadata, so once again the Metadata Server is contacted when selecting and reports and reading report metadata.

Once a report is opened, depending on the type of report and source data (MDDB or dataset), a connection to the OLAP server is made, or a workspace server is started (this is done through the Object Spawner; the OLAP server is started at system startup). Both server types also talk to the metadata server.

SAS server processes the request for data.

Data is sent to the WRS module in jboss and formatted as HTML, displayed via apache.

 

 

 

avinashginjupal
Obsidian | Level 7

KurtBremser - Thanks for your prompt response and would you able to tell remote services role in this?

 

Remote services running on Web Server will contact metadata server?

Kurt_Bremser
Super User

The role of the SAS remote Services can be found here: http://support.sas.com/documentation/cdl/en/bimtag/65708/PDF/default/bimtag.pdf (page 2).

A description of RMI can be found here: http://docs.oracle.com/javase/tutorial/rmi/overview.html

The start sequence of the processes suggests that all SAS services need the Metadata Server, so I can't rule out that there will be some communication between the remote Services and the Metadata Server.

If you positively need deep insight into the operation of the SAS Middle Tier, I suggest you get in contact with your SAS representative so they get you someone with the technical expertise to help you on.

 

Here (SAS communities) we are mostly concerned with installing and setting up the processes (which is fairly automated) and then using them. For me it is only important to have the services starting in the right order and see if they're still working. If something in the WAS fails, I stop jboss and RemoteServices, and then start RemoteServices and jboss in that order.

avinashginjupal
Obsidian | Level 7

Thanks, I would like to know the communication of these services not only knowing wether they are started or not.

Will see if I find something intresting.

avinashginjupal
Obsidian | Level 7

After understating the process and background communication in my research, here is the back ground that SAS does for a request it receive via Web Application:

 

Please correct if I went wrong in understanding which is very helpful.

 

Step 1: User launches SAS Web Report Studio (page request). WRS prompts the user for the username and password (what user sees)

 

What SAS Does:

 

  1. A SAS component within the Web application server (the Logon Manager application) prompts the user for credentials.
  2. The Web container's Java Authentication and Authorization Service (JAAS) login module coordinates the verification of the credentials
  3. Verifies user credentials via authentication provider.
  4. JAAS then passes the authenticated ID to the SAS trusted login module
  5. A trusted connection is established to the SAS Metadata Server (SAS Authentication Service -> SAS Remote Services -> SAS Metadata Server)
  6. SAS Metadata Server identifies the user in the SAS metadata repository
  7. Resolves assignment of SAS metadata roles and access controls
  8. Connection is established between middle tier application and the metadata server

 

Step 2: Users requests a web report

 

What SAS Does:

 

  1. The request goes from the browser back to SAS Web Report Studio on the middle tier. SAS Web Report Studio must obtain both the structure for the report (how it will look) and the data.

 

  1. The structure for the report is stored in the SAS Content Server. SAS Web Report Studio sends a query to the SAS Metadata Server asking where the SAS Content Server resides and queries the SAS Metadata Server to make sure that your SAS ID is authorized to view this report and use the data sources that are associated with it.
  2. WRS sends a request to the SAS Content Server to retrieve the stored XML that describes the structure of the report.
  3. A request is sent to the SAS Metadata Server for information about where the data resides, the information map that is required to decode the query, and whether you have the authority to read that data.

 

  1. Once SAS Web Report Studio receives the required information, it asks the SAS object spawner to give it access to a SAS Workspace Server or SAS Stored Process Server. SAS Web Report Studio sends the query to the SAS session that it obtained.
  2. The SAS server then uses a configured data source engine, such as SAS/ACCESS, to contact the database, send the query, and receive the results.
  3. The ResultSet is rephrased into the business language that is used by the information map and is sent back to SAS Web Report Studio, which sends the report to your browser.

 

Step 3: User closes/ quits Web Report Studio

 

The workspace session that was opened on behalf of the user is shut down when their clients have completed their work.

Kurt_Bremser
Super User

One slight addendum:


@avinashginjupal wrote:

.....

 

  1. Once SAS Web Report Studio receives the required information, it asks the SAS object spawner to give it access to a SAS Workspace Server or SAS Stored Process Server. SAS Web Report Studio sends the query to the SAS session that it obtained.

 



At this point, WRS will send the query to the OLAP server if the source of the report is a MDDB (OLAP cube).

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 7 replies
  • 3056 views
  • 2 likes
  • 3 in conversation