Are you a Python developer trying to get started with SAS Viya? Or maybe you have come across this guide in order to better understand what to do with all the different tokens required to interface with VIYA ? In this two part series we are going to walk through the very first steps in your VIYA API journey with Python. The focus of this post is going to be on the process of registering a client, getting and generating various tokens and explaining what it all actually means.

Registering a Client

Background:  The process of Registering a client is the first step in getting a Python developer access to the API. This step has to be performed by someone who has access to the head Viya node in Linux. This has to be done by someone who is a member of the SAS Administrators group, however if you have this level of access then you should be able to perform these steps without any issues.

Pre-requisites:

• Administrator (elevated/sudo) access to the VIYA Environment system
• Python compiler installed on the server
• Entry level understanding of Linux
• Basic understanding of python: functions and variables

• The only required library needed for this code is the requests library

  import requests

   

Check that python is installed by running the following command:

python --version

If the command is recognized, then you are all set. 

Step 1: Retrieve the Consul Token

A consult token is sort of like a “password” that lives on the head Viya file system. We need to retrieve in order to prove to the system that we do in fact have the right to Register a Client. The consul token is located in the /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/consul/default/ directory and is stored in a file called client.token (later referred to as a consul token). 

Note: The consul token is one of the most important and highly guarded assets for a SAS VIYA system. For this reason, it can only be accessed by someone with a elevated access on the machine. 

def getConsulToken():
    with open('/opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/consul/default/client.token', 'r') as file:
        data = file.read()
        print("The consul Token is: [" + str(data)+"]")
        return str(data)

consulToken = getConsulToken()

The expected output is:

Step 2: Get Authentication Token

Now that we have a consul token from the previous step. We need to supply an Application Name of our choice. For example, if the project your are working on is for Human Resources, you may want to name the application: HRApp. This information is passed in to the function/code below. After it runs, it will return yet another token called Oauth token. With this token in hand, the system has set aside the name of our application and is ready for the actual registration steps.

Note: The Application Name is created during this step and will be later used by the Python developer as well.

hostname = “example.com”

def registrationOauthTokenReuqest(appName, consulToken):
    print("Attempting to get a registration Oauth token")
    
    url = "http://" +str(hostname)+ "/SASLogon/oauth/clients/consul?callback=false&serviceId="+ str(appName)
    headers = {"X-Consul-Token":str(consulToken)}
    
    r = requests.post(url, headers=headers, timeout=30)
    
    if r.status_code == 200:
        return r.json()['access_token']

appName = "HRApp" #your Application Name
access_token = registrationOauthTokenReuqest(appName, consulToken)

The expected output is:

Step 3: Registering the Client

This is the final step in the registration process where we have supply a couple of bits of information that we already have (Application Name and Oauth token), along with a password of your choice (referred to as ‘secret’).

Note: By default, the validity is set to 12 hours (or 43199 seconds). This is the amount of time a python developer or program can be logged to this app until the login expires and needs to be re-signed in.

def registerNewClient(appName, secret, authToken, validity=43199):
    print("Attempting to register")

    url = "https://" + str(hostname) + "/SASLogon/oauth/clients"
   
    headers = {"Content-Type":"application/json",
               "Authorization": "Bearer " + str(authToken)}

    data = {"client_id":str(appName),
            "client_secret":str(secret),
            "scope": "openid",
            "authorized_grant_types":"password",
            "access_token_validity":validity
            }

    r = requests.post(url,headers=headers, json=data, timeout=30, verify=False)
    print(r)

    if r.status_code == 201:
      print("Register success")
      print(r.json())

secret = "passwordOfYourChoice" #supply a password
registerNewClient(appName, secret, access_token, validity=43199) 

The expected output is:

The registration is complete. The Administrator will need to provide the Application Name and Secret to the Developer to access the API.

How to make this example work for you

This example was created in a Viya 3.4. All code in this article is intended to be submitted in Python 3.6 within the Viya 3.4 environment with elevated access in order to complete these steps. 

The attachments for this post are:

• viya_api_register.py 

Run the file on the head Viya Server by sending the following command:

python viya_api_register.py

Next Steps:

Part 2 of Getting Python Talking with The SAS Viya REST API

REFERENCES 

• SAS Institute Inc. SAS Viya REST API. Available at https://developer.sas.com/apis/rest/.
• SAS Institute Inc. SAS REST APIs: Authentication & Authorizatio. Available at https://developer.sas.com/reference/auth/
• Furbee, Joe. “Authentication to SAS Viya: a couple of approaches” SAS Institute Inc, January 25, 2019. Available at https://blogs.sas.com/content/sgf/2019/01/25/authentication-to-sas-viya/