As a follow-on from my previous post, where we looked at some Kerberos Principles, in this blog I want to explorer further what is required to enable Kerberos out-bound authentication from SAS Cloud Analytic Services to a Secured Hadoop environment.
Specifically, in this blog I want to focus on the first Use Case we presented previously. As a reminder, here is the picture we presented:
In the previous post I was quite vague on just what is required to setup this form of authentication. I merely stated we need to provide some credentials in the form of a Kerberos keytab to the CAS Controller. We will look at this in a little more detail.
This keytab needs to contain the Kerberos long-term key(s) for a specific principal.
In SAS Viya 3.2 we are restricted in the form of this principal. This principal must be in the form of a Service Principal Name, so of the form <Service Class>/<Fully Qualified Hostname>. The default Service Class is sascas, but this can be changed by defining an environment variable for CAS. If we set the following environment variable in the casconfig.lua:
We can change the value of the Service Class. However, this must still be a Service Principal Name format. Even if we skip the "/HOSTNAME.COMPANY.COM" the CAS Controller will automatically substitute its own fully qualified hostname.
So, in this use case what is the CAS Controller going to do with this credential in the Keytab? We need the CAS Controller to be able to obtain a Kerberos Ticket-Granting Ticket (TGT) using these credentials. Which means that we need to be able to perform a kinit using those credentials. Specifically, if we want to test we need to be able to do the following:
And should see something like the following:
That seems simple enough.
But what does this mean when we are using Active Directory as the Kerberos Key Distribution Center? For Active Directory if we want to be able to kinit as a principal, then that principal must be a User Principal Name. This means that the account which has the CAS Service Principal Name registered against it must have the User Principal Name set to the same value.
By default the CAS Controller is going to look for the keytab in the /etc directory and will expect the file to be called sascas.keytab, therefore the default is going to be /etc/sascas.keytab. However, the /etc directory is normally locked down and you might not want to put a file specific to the CAS Controller in the /etc directory. Again, by setting an environment variable in the casconfig.lua we can put the keytab anywhere on the system. We can use the following to point to the keytab:
Finally, we need to tell the CAS Controller to use this keytab to initialize the Kerberos credentials. To do this we need to update the provider list in the casconfig.lua. The value initkerb needs to be added to the existing list so that the result looks like the following:
With all this in place we can restart the CAS Controller and during startup it will read the keytab and initialize the Kerberos credentials. Then we will be able to use the Visual Interfaces to access the Secured Hadoop environment.
However, what if something is wrong? If the provider list is updated, but we either get the environment variable for the keytab wrong, or the file permissions wrong so the CAS Controller cannot access the keytab then the CAS Controller will abort. This means the CAS Controller will start and then stop. In the log file for the CAS Controller we will see:
Alternatively, if the keytab is present and readable, but the principal is incorrect the CAS Controller will start and continue running. However, we won’t have any Kerberos credentials to access the Secured Hadoop environment and in the CAS Controller log we will see:
Both these sets of messages are available at the default level of logging. No additional logging needs to be enabled to see these messages.
I hope that this assists you in getting Kerberos authentication working outbound from SAS Cloud Analytic Services. In future posts we will look at the use case of Remote HDFS and look at what changes in Viya 3.3.
Secure your spot at the must-attend AI and analytics event of 2024: SAS Innovate 2024! Get ready for a jam-packed agenda featuring workshops, super demos, breakout sessions, roundtables, inspiring keynotes and incredible networking events.
Register by March 1 to snag the Early Bird rate of just $695! Don't miss out on this exclusive offer.
Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning and boost your career prospects.