woo
Lapis Lazuli | Level 10

Hello - I am new to SAS and Hadoop. We have a Hadoop team with x number of nodes in a cluster. We have SAS 9.4 on Linux on a grid cluster where some users are trying to connect to Hadoop using the filename statement with proc hadoop, but the Hadoop team is saying SAS will need to enable Kerberos so that SAS EG users can be connected.

I tried to find some documentation on how to enable Kerberos from the SAS end and found some, but nothing specific. Can someone please direct me?

8 REPLIES
alexal
SAS Employee

@woo,

 

SAS does not directly interact with your authentication server, so you need to configure PAM/Kerberos authentication in Linux; then you can enable PAM authentication in SAS:

 

http://support.sas.com/kb/49/432.html

 

Do not forget that you need to uncomment the following line in /<SASHome>/SASFoundation/9.4/utilities/bin/sasauth.conf:

 

PAM_SETCREDENTIALS=TRUE

 

You can test PAM authentication and Kerberos ticket creation by using "proc permtest":

 

http://support.sas.com/kb/39/891.html

 

Let me know if you have any questions.

woo
Lapis Lazuli | Level 10

We have host authentication implemented at the moment for SAS grid, and that PAM_SET... option is already turned off. In that case, what can be done from the SAS end?

Also, the .odbc.ini file contains, I believe, three parameters for Kerberos authentication, and they are:

KrbRealm=

KrbFQDN=

KrbServiceName=

woo
Lapis Lazuli | Level 10

+

Users are connecting to Hadoop fine from the server itself (like PuTTY or so); the issue comes in when users try to connect via SAS EG.

alexal
SAS Employee

@woo,

 

>> we have host authentication implemented at the moment for sas grid + that PAM_SET...option is already turned off,,,in that case, what can be done from sas end?

 

In this case, SAS sessions can use the Kerberos ticket that was created by issuing the kinit command from the Linux console. If you want to generate the Kerberos ticket from SAS, you have to configure PAM authentication and uncomment that option in sasauth.conf. Also, WorkspaceServer_usermods.sh should have this script:

 

# Find the most recently modified Kerberos credential cache in /tmp owned by the current user
workspace_user=$(whoami)
workspace_user_ccaches=$(find /tmp -maxdepth 1 -user "${workspace_user}" -type f -name "krb5cc_*" -printf '%T@ %p\n' | sort -k 1nr | sed 's/^[^ ]* //' | head -n 1)
if test -n "$workspace_user_ccaches"; then
    echo "Most recent krb5 ccache found for '${workspace_user}' at '${workspace_user_ccaches}'."
    echo "Cache last modified: $(stat -c%y "${workspace_user_ccaches}")"
    # Point the SAS workspace session at that cache
    export KRB5CCNAME="$workspace_user_ccaches"
    echo "KRB5CCNAME has been set to ${KRB5CCNAME}."
else
    echo "No krb5 credentials caches were found in /tmp for '${workspace_user}'."
fi
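
A stricter variant of the cache selection in the script above, as an added example that is not part of the post or SAS's own code: it skips caches that group or other can access and caches that fail a ticket check, then falls back to the next newest. The function name pick_ccache, its two arguments and the default check `klist -s` (MIT Kerberos) are assumptions of this sketch.

```shell
# pick_ccache [DIR] [CHECK_CMD]
#   DIR        directory to search for krb5cc_* files (default /tmp)
#   CHECK_CMD  command run as "CHECK_CMD <cache>"; must exit 0 if the cache
#              holds a usable ticket (default: "klist -s", assumed MIT klist)
# Prints the newest acceptable cache path, or nothing if none qualifies.
pick_ccache() {
    dir=${1:-/tmp}
    check=${2:-"klist -s"}
    uid=$(id -u)
    # Emit "<mtime> <path>" for this user's caches, newest first.
    find "$dir" -maxdepth 1 -user "$uid" -type f -name 'krb5cc_*' \
        -printf '%T@ %p\n' 2>/dev/null |
    sort -k 1nr | sed 's/^[^ ]* //' |
    while IFS= read -r cc; do
        mode=$(stat -c %a "$cc" 2>/dev/null) || continue
        # A credential cache must not be accessible to group or other.
        case $mode in
            [0-7]00) ;;
            *) echo "skip $cc: mode $mode is too permissive" >&2
               continue ;;
        esac
        # Skip caches whose tickets are missing or expired.
        if ! $check "$cc" >/dev/null 2>&1; then
            echo "skip $cc: ticket check failed" >&2
            continue
        fi
        printf '%s\n' "$cc"
        break
    done
}

# Possible use in WorkspaceServer_usermods.sh:
#   cc=$(pick_ccache /tmp)
#   if test -n "$cc"; then export KRB5CCNAME="$cc"; fi
```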
maheshtalla
Quartz | Level 8
Hi woo,
For configuring Kerberos, you need to make changes in /etc/krb5.conf, wherein you need to add all your domains in the realms section.
For example:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = company.COM
#default_ccache_name = /tmp/krb5cc_%{uid}

[realms]
company.COM = {
    kdc = xxxx.company.com:88
    admin_server = xxxx.company.com
}
Can you please confirm which DB you are connecting to through ODBC?
Also, in ODBC you do not need to mention those parameters if you configure krb5.conf.
maheshtalla
Quartz | Level 8
FYI: there is a good article/post at the link below. Please go through it once; it might help you understand.
https://communities.sas.com/t5/SAS-Communities-Library/5-tips-for-SAS-ACCESS-TO-KERBERIZED-HADOOP/ta...
woo
Lapis Lazuli | Level 10

Thank you so much, alexal and maheshtalla, for your input.

At the moment we are using

SAS/ACCESS to Impala driver leveraging ODBC - users keep their own .odbc.ini file

+

SAS/ACCESS to Hadoop driver leveraging Hadoop jar files (filename statement) or WebHDFS

Also, for reading -> LDAP authentication and for R+W -> Kerberos authentication

And yes, our etc/krb5.conf file has those details in it.

 

maheshtalla
Quartz | Level 8
Hi Woo,
If krb5.conf is correctly configured with the required KDC, then Kerberos authentication should work.
Can you run a basic test with kinit on the Linux server?
e.g.: kinit userid
It prompts for a password.
