cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed

How to Score a SAS Decision Published to MAS Using Shell Commands

Started ‎01-10-2022 by
Modified ‎01-10-2022 by
Views 6,038

Read further to find out how to score (execute) a SAS decision published from SAS Intelligent Decisioning to Micro Analytic Service (MAS) by using shell commands.

 

The code was tested with SAS Viya 2021.2 deployed in Azure. In the following scenario, a user wants to score or execute a decision published to MAS. The user will need a SAS Viya access token. The token can be obtained by using a client id and secret registered by a SAS Administrator.

 

Client ID and Secret

 

The SAS Administrator registers a client id and secret and provides these two values to the user. While using a client id and secret is not the only option to get a SAS Viya access token, it has several advantages:

 

  • Decouples user credentials from the application. The scoring can function if the user changes the password, or if the user leaves the company.
  • Less risk. If the client id and secret leaks, it can be revoked without affecting the user credentials. The client is limited to the scope defined by the administrator.
  • Relatively modern approach used by many cloud providers. Therefore, we should be familiar with this method and use it more often.

 

Steps

 

The process can be broken down in several steps. Two roles are needed, an administrator and a regular user.

 

The SAS Administrator must:

  • Get the consul token.
  • Get the SAS Viya certificates.
  • Request an OAuth token.
  • Register a new client id and secret.
  • List the clients registered.
  • Provide the user the client id and the secret.

The user has to:

  • Get a SAS Viya access token using the client id and secret.
  • Score the decision published to MAS.

The SAS Administrator performs maintenance tasks, such as:

  • List the clients registered.
  • Revoke (delete) the client.

 

Register a New Client Id and Secret

 

(view in My Videos)

 

Needed Variables

# Initialize variables (change them as needed)
export MYUSER=myuser
export current_namespace=gelazure
export INGRESS_URL=https://${MYUSER}-gel.eastus.cloudapp.azure.com
export CLIENT_ID=MASClient
export CLIENT_SECRET=SASGl0bal$
export GRANT_TYPES=client_credentials

 

Get the SAS Consul Token

 

CONSUL_TOKEN=$(kubectl exec -n $current_namespace -it sas-consul-server-0 -- cat /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/consul/default/client.token)
echo $CONSUL_TOKEN

 

Get the SAS Viya Certificates

 

# Initialize $CURL_CA_BUNDLE.
# Otherwise you will get an error... curl: (60) Peer's Certificate issuer is not recognized. More details here: # http://curl.haxx.se/docs/sslcerts.html
# You will also need the certificates for SSL
cd ~
mkdir -p ~/.certs
kubectl cp $(kubectl get pod -l app=sas-logon-app  -o=jsonpath='{.items[0].metadata.name}'):security/trustedcerts.pem ~/.certs/${current_namespace}_trustedcerts.pem
export CURL_CA_BUNDLE=~/.certs/${current_namespace}_trustedcerts.pem 
echo $CURL_CA_BUNDLE

 

Request a Valid OAuth Token to Use on the Registration Call

 

 

# Specify -–http1.1 or else you will get an error…
OAUTH_TOKEN="$(curl --http1.1 -X POST "${INGRESS_URL}/SASLogon/oauth/clients/consul?callback=false&serviceId=${CLIENT_ID}" -H "X-Consul-Token: $CONSUL_TOKEN" | jq -r '.access_token')"
echo $OAUTH_TOKEN

 

Register a New Client Id and Secret

 

 

# Confirm important variables
echo $INGRESS_URL
echo $CLIENT_ID
echo $CLIENT_SECRET
echo $GRANT_TYPES

# Register a new client_id and secret with the OAuth token
curl -sk -X POST "${INGRESS_URL}/SASLogon/oauth/clients" \
	-H "Content-Type: application/json" \
	-H "Authorization: Bearer ${OAUTH_TOKEN}" \
	-d "{\"client_id\": \"${CLIENT_ID}\",
	\"client_secret\": \"${CLIENT_SECRET}\",
	\"scope\": [\"openid\", \"sasusers\"],
	\"authorized_grant_types\": [\"${GRANT_TYPES}\"],
	\"redirect_uri\": \"urn:ietf:wg:oauth:2.0:oob\",
	\"access_token_validity\": 3600}" | jq

 

In this example, the client id and secret are set to be valid for one hour.

Their scope is SAS Users. The scope can be assigned to another group. The group should be restricted to the minimal set of users.

The users can get a SAS Viya access token just by using the client and the secret.

 

List the Clients Created

 

curl -sk -X GET "${INGRESS_URL}/SASLogon/oauth/clients" \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${OAUTH_TOKEN}" | jq | grep "client_id"

 

Get a SAS Viya Access Token

 
 

Key Variables

 

# Initialize variables (change them as needed)
export MYUSER=myuser
export INGRESS_URL=https://${MYUSER}-gel.eastus.cloudapp.azure.com
export CLIENT_ID=MASClient
export CLIENT_SECRET=SASGl0bal$
export GRANT_TYPES=client_credentials

 

Get a SAS Viya Access Token Using the Client Id and the Secret

 

# Get SAS Viya token
ACCESS_TOKEN="$(curl -X POST "${INGRESS_URL}/SASLogon/oauth/token" \
	-H "Content-Type: application/x-www-form-urlencoded" \
	-d "grant_type=${GRANT_TYPES}&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}" | jq -r '.access_token')"
echo $ACCESS_TOKEN

 

Score a SAS Decision Published to MAS

 

# Execute Decision
DECISION_URL="${INGRESS_URL}:443/microanalyticScore/modules/autoauctiondec1_0/steps/execute"
echo $DECISION_URL

curl -X POST "${DECISION_URL}" \
    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
	-H "Content-Type: application/json;charset=utf-8" \
    -H "Accept: application/json" \
	--data '{
	"version":1,
	"inputs":[
	{"name":"BLUEBOOKPRICE_","value":80000},
	{"name":"CURRENTBID_","value":90000},
	{"name":"MAKE_","value":"Tesla"},
	{"name":"MILES_","value":5000},
	{"name":"MODEL_","value":"X100D"},
	{"name":"ORIGINALINVOICE_","value":100000},
	{"name":"ORIGINALMSRP_","value":100000},
	{"name":"STATE_","value":"CA"},
	{"name":"VIN_","value":"12345678901234562"},
	{"name":"YEAR_","value":2017}
	]}' | jq

 

Client Maintenance Tasks

 

When the scoring process is no longer necessary, or when the client id and secret have been exposed or compromised, the SAS Administrator can revoke the client and secret.

 

Delete the Clients

 

curl -sk -X DELETE "${INGRESS_URL}/SASLogon/oauth/clients/${CLIENT_ID}" \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${OAUTH_TOKEN}"

 

List the Clients and Confirm the Deletion

 

curl -sk -X GET "${INGRESS_URL}/SASLogon/oauth/clients" \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${OAUTH_TOKEN}" | jq | grep "client_id"

 

Conclusions

 

It is entirely possible to score a SAS decision published to Micro Analytic Service (MAS), by using shell commands. A SAS Viya access token can be obtained by registering a client id and secret.

Resources

 

If you want to know more about authentication:

Acknowledgements

@XavierBizoux@joeFurbee

 

Thank you for your time reading this post. If you liked the post, give it a thumbs up! Please comment and tell us what you think about this post, the client and secret method and scoring in MAS using curl. If you wish to get more information, please write me an email.

 

Find more articles from SAS Global Enablement and Learning here.

Version history
Last update:
‎01-10-2022 07:19 PM
Updated by:
SAS Super FREQ
Contributors

SAS Innovate 2025: Call for Content

Are you ready for the spotlight? We're accepting content ideas for SAS Innovate 2025 to be held May 6-9 in Orlando, FL. The call is open until September 25. Read more here about why you should contribute and what is in it for you!

Submit your idea!

Free course: Data Literacy Essentials

Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning  and boost your career prospects.

Get Started

Article Labels
Article Tags