
SAS Viya 2020.1.1 (and later) Enabling Additional Batch Job Features

Started ‎04-09-2021 by
Modified ‎04-09-2021 by

In this article, we will look at enabling access for SAS Batch Jobs and/or SAS Line Mode with SAS Viya 2020.1.1 and later. As described in the documentation, the commands to submit non-SAS commands in batch and to start interactive SAS processing are disabled for all users by default. We will therefore look at how to use the SAS Viya CLI to enable these commands for members of specific groups.

 

Different Types of Jobs

The SAS Viya CLI allows users to submit different kinds of jobs to the SAS Viya 2020.1 (and later) environment. The three different types of jobs that can be submitted with the SAS Viya CLI are:

  1. sas-batch jobs submit-pgm [command options] [arguments...] - Submit a SAS program to the cluster to run in batch mode.
  2. sas-batch jobs submit-cmd [command options] [arguments...] - Submit an arbitrary command to the cluster to run in batch mode.
  3. sas-batch jobs run-saslm [command options] [arguments...] - Run SAS interactively in Line Mode.

 

This means users can submit jobs that run either without interaction (in batch) or with interaction (interactive processing). Users can also submit either SAS code jobs or non-SAS code jobs. We can therefore consider three different types of jobs submitted with the SAS Viya CLI:

  1. SAS Batch job
  2. Non-SAS Batch Job
  3. Interactive SAS job

 

Default Authorization

Out of the box, SAS Viya 2020.1.1 and later includes a series of authorization rules that prevent batch processing of non-SAS code and the interactive SAS Line Mode. Only non-interactive processing of SAS code is allowed by default. Given our three classifications of jobs above, this means:

 

              SAS Code         Non-SAS Code
Batch         Permitted        Prohibited (A)
Interactive   Prohibited (B)   Not Applicable


If a user attempts to run such a prohibited command, for example to run SAS Line Mode interactively with:

 

/opt/sas/viya/home/bin/sas-viya batch jobs run-saslm -c default

 

They will instead receive the following message:

 

The current user is not authorized to perform this task

 

These default rules all apply to the objectUri of /batch/jobs for everybody and prohibit create permissions. This means that users cannot submit a create request to the /batch/jobs endpoint – which means they cannot create a job. The differences between the rules are the contentType they apply to:

 

Rule  ID                                    Content Type
1     0031fb1c-7bbb-4163-a8a2-04300140f1eb  application/vnd.sas.batch.job.request.command.batch+json
2     b37a0835-c3ed-4a05-a8cf-8c6010a1ca4e  application/vnd.sas.batch.job.request.command.batch+json;version=1
3     276d3130-ac72-4a11-a95e-f8aea2ac805a  application/vnd.sas.batch.job.request.sas.line.mode+json
4     504be255-7b10-431d-87d6-a4169a7e2a19  application/vnd.sas.batch.job.request.sas.line.mode+json;version=1


The contentType allows the different rules that apply to /batch/jobs to target the different types of jobs:

  • Rules 1 & 2: description = "Prohibits everyone the ability to run commands in batch" – item (A) in the table above
  • Rules 3 & 4: description = "Prohibits everyone the ability to run SAS interactively" – item (B) in the table above

 

Finally, there is an extra default rule that applies to authenticated-users for /batch/jobs and grants create permission without any contentType restriction. The description for this additional rule is "Grants authenticated users the ability to create jobs". Because this rule exists, users can submit SAS code in batch (sas-viya batch jobs submit-pgm).

 

In the default setup the specific prohibit rules override the grant, so no user can use batch processing of non-SAS code or interactive SAS Line Mode processing. Even if the user is a member of SAS Administrators, the prohibit rule still applies to them. But if the specific prohibit rules are simply changed to grants, then any user will be able to use batch processing of non-SAS code and interactive SAS Line Mode processing. This will occur even if the grant is applied to only a specific group or individual user, since there will no longer be a prohibit rule and the default grant to authenticated users, which has no contentType restriction, still applies.

 

Also, all rules will be re-created the next time the SAS Batch service is restarted if they are deleted. Therefore, to make any changes to the authorization rules the existing rules must be edited rather than replaced. So today by default, it is not possible to utilise the Viya CLI to submit jobs for batch processing of non-SAS code and interactive SAS Line processing unless you complete the changes we will examine below.

 

Suggested Changes

Now that we understand the default authorization rules, we can work out how best to change them to provide controlled access for end-users to use batch processing of non-SAS code and interactive processing. I believe we should start with two custom groups that we can then apply authorization to:

 

ID           Name                              Description
SASBatchCMD  SAS Enable Batch Command Session  Members can run SAS Batch non-SAS command sessions
SASLineMode  SAS Enable Line Mode Sessions     Members can run SAS Line Mode sessions

 

Then the prohibit rules should be updated:

  • Rules 1 & 2: Add condition that evaluates to false for members of SASBatchCMD
  • Rules 3 & 4: Add condition that evaluates to false for members of SASLineMode

 

Making the prohibit rules conditional means that the explicit prohibit will not apply to members of the defined custom group. However, the prohibit will still apply to all other end-users, including members of the SAS Administrators custom group. Setting the condition for the rule to the following will achieve this:

 

!(groupsForCurrentUser().contains('{{GROUPID}}'))

 

This condition means "NOT where user’s group list contains {{GROUPID}}" and all we need to do is replace {{GROUPID}} with one of the three custom group ID values. So, we would have:

  • Rules 1 & 2: condition = !(groupsForCurrentUser().contains('SASBatchCMD'))
  • Rules 3 & 4: condition = !(groupsForCurrentUser().contains('SASLineMode'))
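
The precedence described above, worked through for the batch-command rules as an added example (not SAS code and not part of the original article). It is a simplified model that assumes a prohibit that applies always beats a grant; the user names, group memberships and the PGM content type are constructed for the illustration.

```python
# Simplified model of the rule precedence described in this article.
# Not SAS code: the real authorization service evaluates more attributes.
CMD = "application/vnd.sas.batch.job.request.command.batch+json"
PGM = "constructed/sas-program"  # placeholder content type for submit-pgm

def rule(kind, content_type=None, principal=None, exempt_group=None):
    return {"type": kind, "contentType": content_type,
            "principal": principal, "exempt": exempt_group}

def applies(r, groups, content_type):
    if r["contentType"] not in (None, content_type):
        return False                      # rule targets another job type
    if r["principal"] and r["principal"] not in groups:
        return False                      # rule targets another group
    # Models !(groupsForCurrentUser().contains('<group>'))
    return not (r["exempt"] and r["exempt"] in groups)

def can_create(rules, groups, content_type):
    hits = [r["type"] for r in rules if applies(r, groups, content_type)]
    return "grant" in hits and "prohibit" not in hits

BASE_GRANT = rule("grant")  # authenticated users, no contentType restriction
# 1. Out of the box: unconditional prohibit for everyone.
DEFAULT = [BASE_GRANT, rule("prohibit", CMD)]
# 2. Pitfall: prohibit turned into a grant for one group only.
FLIPPED = [BASE_GRANT, rule("grant", CMD, principal="SASBatchCMD")]
# 3. Suggested change: prohibit kept, with a condition exempting the group.
CONDITIONAL = [BASE_GRANT, rule("prohibit", CMD, exempt_group="SASBatchCMD")]

def outcomes(rules):
    """Who may submit a batch command under the given rule set."""
    users = {"Bill": {"SASBatchCMD"}, "Ted": {"SASLineMode"},
             "admin": {"SASAdministrators"}}  # constructed memberships
    return {u: can_create(rules, g, CMD) for u, g in users.items()}

if __name__ == "__main__":
    for name, rules in [("default", DEFAULT), ("flipped", FLIPPED),
                        ("conditional", CONDITIONAL)]:
        print(name, outcomes(rules))
```

In the flipped case every user is allowed, because the unrestricted grant is no longer overridden; only the conditional prohibit limits access to Bill.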

 

Implementing Changes

These changes could be implemented with SAS Environment Manager. However, SAS Environment Manager at the moment does not show the contentType attribute for the authorization rules. This means that the only way to differentiate the rules is by their descriptions given above. This can make it awkward to manually change the rules in SAS Environment Manager.

Instead we can use the SAS Viya CLI to apply a JSON file containing our changes. The following commands will create a JSON file containing our changes:

 

# The heredoc delimiter is quoted so the shell does not expand anything inside the JSON.
mkdir -p "${PROJECT_DIR}/site-config/JSON"
tee "${PROJECT_DIR}/site-config/JSON/batchAuthorization.json" > /dev/null << 'EOF'
[    {   "op": "replace",
        "path": "/authorization/rules/0031fb1c-7bbb-4163-a8a2-04300140f1eb",
        "value": {
            "id": "0031fb1c-7bbb-4163-a8a2-04300140f1eb",
            "type": "prohibit","permissions": ["create"],
            "principalType": "everyone","objectUri": "/batch/jobs",
            "contentType": "application/vnd.sas.batch.job.request.command.batch+json",
            "condition": "!(groupsForCurrentUser().contains('SASBatchCMD'))",
            "reason": "Only SAS Batch users should run commands in batch.",
            "description": "Updated: Only SASBatch members have the ability to run commands in batch.",
            "enabled": true}},
    {   "op": "replace",
        "path": "/authorization/rules/b37a0835-c3ed-4a05-a8cf-8c6010a1ca4e",
        "value": {
            "id": "b37a0835-c3ed-4a05-a8cf-8c6010a1ca4e",
            "type": "prohibit","permissions": ["create"],
            "principalType": "everyone","objectUri": "/batch/jobs",
            "contentType": "application/vnd.sas.batch.job.request.command.batch+json;version=1",
            "condition": "!(groupsForCurrentUser().contains('SASBatchCMD'))",
            "reason": "Only SAS Batch users should run commands in batch.",
            "description": "Updated: Only SASBatch members have the ability to run commands in batch.",
            "enabled": true}},
    {   "op": "replace",
        "path": "/authorization/rules/276d3130-ac72-4a11-a95e-f8aea2ac805a",
        "value": {
            "id": "276d3130-ac72-4a11-a95e-f8aea2ac805a",
            "type": "prohibit","permissions": ["create"],
            "principalType": "everyone","objectUri": "/batch/jobs",
            "contentType": "application/vnd.sas.batch.job.request.sas.line.mode+json",
            "condition": "!(groupsForCurrentUser().contains('SASLineMode'))",
            "reason": "Only SAS Line Mode users should run SAS interactively.",
            "description": "Updated: Only SASLineMode members have the ability to run SAS interactively.",
            "enabled": true}},
    {   "op": "replace",
        "path": "/authorization/rules/504be255-7b10-431d-87d6-a4169a7e2a19",
        "value": {
            "id": "504be255-7b10-431d-87d6-a4169a7e2a19",
            "type": "prohibit","permissions": ["create"],
            "principalType": "everyone","objectUri": "/batch/jobs",
            "contentType": "application/vnd.sas.batch.job.request.sas.line.mode+json;version=1",
            "condition": "!(groupsForCurrentUser().contains('SASLineMode'))",
            "reason": "Only SAS Line Mode users should run SAS interactively.",
            "description": "Updated: Only SASLineMode members have the ability to run SAS interactively.",
            "enabled": true}}]
EOF

 

This creates the batchAuthorization.json file in the ${PROJECT_DIR}/site-config/JSON/ directory. Once you have authenticated the SAS Viya CLI as an administrator, you can use the following command to load the updated authorization rules:

 

/opt/sas/viya/home/bin/sas-viya authorization create-rules \
--file ${PROJECT_DIR}/site-config/JSON/batchAuthorization.json

 

You should see the following output:

 

0 rules were created.

 

This is because we were only updating existing rules, not creating new ones.
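
Because the CLI reports "0 rules were created" whatever the edited rules now contain, it helps to check the file before loading it. The following pre-flight check is an added example, not part of the original article or of the SAS tooling; the rule IDs, content types and conditions are taken from this page, the sample patch is constructed, and flagging a "principal" attribute on an "everyone" rule is an assumption.

```python
import json

# Rule IDs and content types come from the table of default prohibit rules;
# each maps to the group whose members the condition should exempt.
BASE = "application/vnd.sas.batch.job.request."
EXPECTED = {
    "0031fb1c-7bbb-4163-a8a2-04300140f1eb": (BASE + "command.batch+json", "SASBatchCMD"),
    "b37a0835-c3ed-4a05-a8cf-8c6010a1ca4e": (BASE + "command.batch+json;version=1", "SASBatchCMD"),
    "276d3130-ac72-4a11-a95e-f8aea2ac805a": (BASE + "sas.line.mode+json", "SASLineMode"),
    "504be255-7b10-431d-87d6-a4169a7e2a19": (BASE + "sas.line.mode+json;version=1", "SASLineMode"),
}

def expected_value(rid):
    """Attributes every edited rule should carry, per the article's JSON."""
    ctype, group = EXPECTED[rid]
    return {"id": rid, "type": "prohibit", "permissions": ["create"],
            "principalType": "everyone", "objectUri": "/batch/jobs",
            "contentType": ctype, "enabled": True,
            "condition": f"!(groupsForCurrentUser().contains('{group}'))"}

def lint(patch_text):
    """Return the problems found in a batchAuthorization.json patch."""
    problems, seen = [], set()
    for n, entry in enumerate(json.loads(patch_text), 1):
        value = entry.get("value", {})
        rid = value.get("id")
        if rid not in EXPECTED:
            problems.append(f"entry {n}: unexpected rule id {rid!r}")
            continue
        seen.add(rid)
        if entry.get("op") != "replace":
            problems.append(f"entry {n}: op is not 'replace'")
        if entry.get("path") != f"/authorization/rules/{rid}":
            problems.append(f"entry {n}: path does not match value.id")
        for key, want in expected_value(rid).items():
            if value.get(key) != want:
                problems.append(f"entry {n}: {key} is {value.get(key)!r}")
        if "principal" in value:  # assumption: meaningless for 'everyone'
            problems.append(f"entry {n}: principal set on an 'everyone' rule")
    return problems + [f"missing rule {r}" for r in EXPECTED if r not in seen]

def sample_patch(**overrides):
    """Constructed input: the four edits, with overrides applied to the last."""
    values = [expected_value(r) for r in EXPECTED]
    values[-1].update(overrides)
    return json.dumps([{"op": "replace", "value": v,
                        "path": "/authorization/rules/" + v["id"]} for v in values])

if __name__ == "__main__":
    print(lint(sample_patch()))                      # clean patch
    print(lint(sample_patch(type="grant", principal="SASBatch")))
```

To check the real file, pass its contents to lint(), for example lint(open(path).read()), and load it only when the returned list is empty.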

 

The SAS Viya CLI can also be used to create the two custom groups. As long as you have authenticated with the SAS Viya CLI as an administrator, you can use the following to create the two groups:

 

/opt/sas/viya/home/bin/sas-viya identities create-group \
--id SASBatchCMD --name "SAS Enable Batch Command Session" \
--description "Members can run SAS Batch non-SAS command sessions"; \
/opt/sas/viya/home/bin/sas-viya identities create-group \
--id SASLineMode --name "SAS Enable Line Mode Sessions" \
--description "Members can run SAS Line Mode sessions"

 

Then you could use the SAS Viya CLI to add members to the new groups:

 

/opt/sas/viya/home/bin/sas-viya identities add-member \
--group-id SASBatchCMD \
--user-member-id Bill; \
/opt/sas/viya/home/bin/sas-viya identities add-member \
--group-id SASLineMode \
--user-member-id Ted

 

With this in place:

  1. Only Bill would be able to run non-SAS commands in batch
  2. Only Ted would be able to run SAS interactively

 

Conclusion

Starting with SAS Viya 2020.1.1, two out of the three ways to use the batch tools are secured by default. Remember end-users can still, by default, submit batch processing of SAS code. In this article we have shown an example of how you could relax this restriction slightly and still easily control which of your users have access to these advanced batch processing features. For more details on running SAS code in batch see: Run SAS programs in batch in Viya 4. Also, for more details on general authorization rules see: SAS VIYA follow the rules.

 

Find more articles from SAS Global Enablement and Learning here.

Version history
Last update:
‎04-09-2021 10:01 AM