cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed

SAS Viya 3.4 Kerberos with Admin CLI

Started ‎04-16-2019 by
Modified ‎04-16-2019 by
Views 1,949

In this article I would like to follow on from the previous posts where we discussed using Kerberos authentication with SAS Viya 3.4. This time I’d like to examine in more detail Kerberos with the SAS Admin Command Line Interface (CLI). Kerberos can be used in two ways with the SAS Admin CLI; first Kerberos can be used to authenticate to the SAS Viya 3.4 environment. Secondly, Kerberos can be used from within the SAS Administration CLI to authenticate to other parts of the SAS Viya 3.4 environment.

 

Kerberos authentication to the SAS Viya 3.4 environment is only supported with version 1.1.12 of the SAS Administration CLI. Currently the version installed on a Linux SAS Viya 3.4 environment is 1.1.11. Therefore, to be able to use Kerberos authentication on Linux a newer version of the SAS Administration CLI must be installed. This can be download from here: https://support.sas.com/downloads/package.htm?pid=2133.

 

Kerberos support for logging in with the SAS Administration CLI is split based on the execution platform (Windows, Linux, OS-X):

  • The Windows support utilizes the Windows SSPI via system calls.
  • The Linux support utilizes a GSSAPI implementation using CGO to call the underlying GSSAPI C libraries.
  • The direct OS-X support is currently disabled.

Kerberos authentication from the SAS Administration CLI is available when either Kerberos or username & password is used to login. When using Kerberos to login, the end-user’s credentials are delegated to SAS Logon Manager and the Ticket-Granting Ticket (TGT) is stored with the Credentials microservice. Alternatively, when logging in with a username & password SAS Logon Manager initializes the Kerberos credentials for the end-user using the username & password. Then, the TGT is again stored with the Credentials microservice. Once the TGT has been stored with the Credentials microservice it can be used for onward Kerberos connections. For example, to authenticate to SAS Cloud Analytic Services.

 

Regardless of which option is used, an internal OAuth token is generated by the login to SAS Logon Manager, and this internal OAuth token is cached on the disk. This internal OAuth token has a default lifetime of 12 hours (configurable via sas.logon.jwt in SAS Environment Manager). This lifetime is longer that the usual 10 hours for the Kerberos TGT stored with the Credentials microservice. As a result, there is a possible 2-hour timeframe where you have a valid internal OAuth token but cannot make outbound Kerberos connections. Therefore, SAS recommends changing the default internal OAuth token lifetime to 10 hours, so the times are in sync. In the next release of SAS Viya this will be done by default. However, even this is not ideal since if you use Kerberos authentication from the SAS Administration CLI, your TGT may have much less than 10 hours left on it’s lifetime.

 

Kerberos Prerequisites

As always with Kerberos there are a number of prerequisites that must be completed before it can be used with the SAS Administration CLI. First and most obviously, SAS Logon Manager must be configured for Kerberos authentication, including delegation. I have discussed this in detail in my previous article, SAS Viya 3.4 Kerberos with SAS Logon Manager. Also it is worth remembering that Kerberos is the only supported authentication mechanism on Windows. Equally, if Kerberos will be used with either the SAS Compute Server or SAS Cloud Analytic Services, these will need to be configured for Kerberos as well.

 

Next if the SAS Administration CLI will be run from a Linux host, the correct underlying GSSAPI C libraries must be installed. On a RedHat system this can be completed with the following command as root:

 

yum install -y krb5-devel

 

which will provide the /usr/lib64/libgssapi_krb5.so library. On a SUSE system this can be installed with the following command as root:

 

zypper install krb5

 

This provides the necessary infrastructure for the SAS Administration CLI to leverage Kerberos for authentication.

 

Finally, if Kerberos will be used to authenticate from the SAS Administration CLI to the SAS Viya 3.4 environment, then an initial Kerberos credential (TGT) needs to be available. On Windows since the SAS Administration CLI leverages the standard Windows SSPI this will be the credentials of the end-user currently logged into the Windows host.

 

For Linux an initial Kerberos credential needs to be obtained before running the SAS Administration CLI. This could be obtained via the Pluggable Authentication Module (PAM) stack, as the end-user connects to the Linux host; for example, by using SSH to connect to the Linux host. Or this could be obtained by manually running kinit on the host. The kinit could either be interactive, where the end-user enters their credentials, or could leverage a Kerberos keytab to provide the credentials. Whichever mechanism is used the Kerberos TGT must be available in the default ticket cache location.

 

Before using the SAS Administration CLI that you have downloaded you need to install the CLI plug-ins and setup the profile. These steps are covered in detail in the documentation. Even if using the SAS Administration CLI on a Linux host where the original version has been run you must still setup the profile again.

 

Kerberos Authentication to SAS Administration CLI

Using Kerberos authentication to log into the SAS Administration CLI requires that you change the initial command to log into the SAS Viya 3.4 environment. You must use the following:

 

./sas-admin auth kerberos

 

You should see the following message:

 

Login succeeded. Token saved.

 

If you include --verbose on the command, you can review the HTTP requests/responses sent to SAS Logon Manager. You will then see the 401 HTTP response from the request to SAS Logon Manager with the Www-Authenticate: Negotiate header, notice this GET request is to /SASLogon.

 

Alternatively, when using username & password the command line is:

 

./sas-admin auth login

 

Again, including --verbose, now shows a POST message sent to /SASLogon/oauth/token after entering your username & password.

 

Kerberos Authentication from SAS Administration CLI

After logging into the SAS Administration CLI using either Kerberos or username & password Kerberos can be used for further connections. For example, the CAS plug-in can leverage Kerberos for the connection to SAS Cloud Analytic Services. The following command will list the CAS sessions for the specified SAS Cloud Analytic Services server:

 

export SAS_CLI_DEFAULT_CAS_SERVER=cas-shared-default; ./sas-admin cas sessions list

 

If this command is run as a non-administrative user, then only the current session will be listed for example:

 

Name                                                                           Session ID                             Owner         State       Authentication Type
casManagement sessions getSessionsSummaryCollection:Fri Jan  4 12:18:20 2019   c6e4433c-63ba-9e41-aef3-a4f691b4ff02   gatedemo003   Connected   OAuth/Kerberos

 

We have only examined logging into the SAS Administration CLI. If you want to further explore what tasks you can complete within the SAS Administration CLI see the documentation SAS® Viya® 3.4 Administration: Using the Command-Line Interfaces.

Comments
SimonDawson
‎04-16-2019 07:48 AM
‎04-16-2019 07:48 AM

Great write up @StuartRogers! Thanks.

0 Likes
Version history
Last update:
‎04-16-2019 06:35 AM
Updated by:
SAS Employee
Contributors

SAS Innovate 2025: Save the Date

 SAS Innovate 2025 is scheduled for May 6-9 in Orlando, FL. Sign up to be first to learn about the agenda and registration!

Save the date!

Free course: Data Literacy Essentials

Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning  and boost your career prospects.

Get Started

Article Labels
Article Tags