Architecting, installing and maintaining your SAS environment

Enable kerberos for sas hadoop

Reply
Super Contributor
Super Contributor
Posts: 359

Enable kerberos for sas hadoop

Hello - i am new to sas and hadoop. we have hadoop team with x number of nodes in a cluster. we have sas 9.4 on linux on grid cluster where some users are trying connecting to hadoop using filename statment with proc hadoop but hadoop team saying sas will need to enable kerberos so that sas eg users can be connected.

 

i tried to find some documentation on how to enable kerberos from sas end and found some but not specific, can somone please direct?

SAS Employee
Posts: 285

Re: Enable kerberos for sas hadoop

@woo,

 

SAS do not directly interact with your authentication server, so you need to configure PAM/Kerberos authentication in Linux, then you can enable PAM authentication in SAS:

 

http://support.sas.com/kb/49/432.html

 

Do not forget that you need to uncomment the following line in /<SASHome>/SASFoundation/9.4/utilities/bin/sasauth.conf:

 

PAM_SETCREDENTIALS=TRUE

 

You can test PAM authentication and Kerberos ticket creation by using "proc permtest":

 

http://support.sas.com/kb/39/891.html

 

Let me know if you have any questions.

Super Contributor
Super Contributor
Posts: 359

Re: Enable kerberos for sas hadoop

we have host authentication implemented at the moment for sas grid + that PAM_SET...option is already turned off,,,in that case, what can be done from sas end?

 

also, .odbc.ini file contains i believe three parameters for kerberos authentication and they are,

KrbRealm=

KrbFQDN=

KrbServiceName=

Super Contributor
Super Contributor
Posts: 359

Re: Enable kerberos for sas hadoop

+

users are connecting to hadoop fine from server itself (like putty or so), issues comes in when users trying connect via sas eg,

SAS Employee
Posts: 285

Re: Enable kerberos for sas hadoop

@woo,

 

>> we have host authentication implemented at the moment for sas grid + that PAM_SET...option is already turned off,,,in that case, what can be done from sas end?

 

In this case SAS sessions can use the Kerberos ticket that was created by issuing kinit command from the Linux console. If you want to generate the Kerberos ticket from SAS, you have to configure PAM authentication + uncomment that option in sasauth.conf. Also, WorkspaceServer_usermods.sh should have this script:

 

workspace_user=$(whoami)
workspace_user_ccaches=$(find /tmp -maxdepth 1 -user ${workspace_user} -type f -name "krb5cc_*" -printf '%T@ %p\n' | sort -k 1nr | sed 's/^[^ ]* //' | head -n 1)
if test ! -z "$workspace_user_ccaches"; then
echo "Most recent krb5 ccache found for '${workspace_user}' at '${workspace_user_ccaches}'."
echo "Cache last modified: $(stat -c%y ${workspace_user_ccaches})"
export KRB5CCNAME=$workspace_user_ccaches
echo "KRB5CCNAME has been set to ${KRB5CCNAME}."
else
echo "No krb5 credentials caches were found in /tmp for '${workspace_user}'."
fi
Contributor
Posts: 66

Re: Enable kerberos for sas hadoop

Hi woo,
For configuring Kerberos, you need to make changes in /etc/krb5.conf. where in you need to add all your domains in the realms section.
for example:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = company.COM
#default_ccache_name = /tmp/krb5cc_%{uid}
[realms]
company.COM = {
kdc = xxxx.company.com:88
admin_server = xxxx.company.com
}
Can you please confirm to which DB you are connecting through ODBC?
Also in ODBC you no need to mention those parameters if you config krb5.conf.
Contributor
Posts: 66

Re: Enable kerberos for sas hadoop

Posted in reply to maheshtalla
FYI: there is good article/post as in below link. please go through it once which might help you understand.
https://communities.sas.com/t5/SAS-Communities-Library/5-tips-for-SAS-ACCESS-TO-KERBERIZED-HADOOP/ta...
Super Contributor
Super Contributor
Posts: 359

Re: Enable kerberos for sas hadoop

Posted in reply to maheshtalla

thank you so much alexal and maheshtalla for your input,

 

at the moment we are using

sas/access to imapala driver leveraging ODBC - users keeping their own .odbc.ini file

+

sas/access to hadoop driver leveraging hadoop jar files (filename statement) or webhdfs

 

Also, for Reading -> LDAP authenticaiton and for R+W -> Kerberos authentication

 

And yes, our etc/krb5.conf file has those details in it,

 

Contributor
Posts: 66

Re: Enable kerberos for sas hadoop

Hi Woo,
If krb5.conf is correctly configured with required KDC then kerberos authentication should work.
Can you check basic test with kinit on linux server.
ex: kinit userid
it prompts for password
Ask a Question
Discussion stats
  • 8 replies
  • 370 views
  • 1 like
  • 3 in conversation