In this article I would like to follow on from the previous posts where we discussed using Kerberos authentication with SAS Viya 3.4. This time I’d like to examine in more detail Kerberos with the SAS Admin Command Line Interface (CLI). Kerberos can be used in two ways with the SAS Admin CLI; first Kerberos can be used to authenticate to the SAS Viya 3.4 environment. Secondly, Kerberos can be used from within the SAS Administration CLI to authenticate to other parts of the SAS Viya 3.4 environment.
Kerberos authentication to the SAS Viya 3.4 environment is only supported with version 1.1.12 of the SAS Administration CLI. Currently the version installed on a Linux SAS Viya 3.4 environment is 1.1.11. Therefore, to be able to use Kerberos authentication on Linux a newer version of the SAS Administration CLI must be installed. This can be download from here: https://support.sas.com/downloads/package.htm?pid=2133.
Kerberos support for logging in with the SAS Administration CLI is split based on the execution platform (Windows, Linux, OS-X):
Kerberos authentication from the SAS Administration CLI is available when either Kerberos or username & password is used to login. When using Kerberos to login, the end-user’s credentials are delegated to SAS Logon Manager and the Ticket-Granting Ticket (TGT) is stored with the Credentials microservice. Alternatively, when logging in with a username & password SAS Logon Manager initializes the Kerberos credentials for the end-user using the username & password. Then, the TGT is again stored with the Credentials microservice. Once the TGT has been stored with the Credentials microservice it can be used for onward Kerberos connections. For example, to authenticate to SAS Cloud Analytic Services.
Regardless of which option is used, an internal OAuth token is generated by the login to SAS Logon Manager, and this internal OAuth token is cached on the disk. This internal OAuth token has a default lifetime of 12 hours (configurable via sas.logon.jwt in SAS Environment Manager). This lifetime is longer that the usual 10 hours for the Kerberos TGT stored with the Credentials microservice. As a result, there is a possible 2-hour timeframe where you have a valid internal OAuth token but cannot make outbound Kerberos connections. Therefore, SAS recommends changing the default internal OAuth token lifetime to 10 hours, so the times are in sync. In the next release of SAS Viya this will be done by default. However, even this is not ideal since if you use Kerberos authentication from the SAS Administration CLI, your TGT may have much less than 10 hours left on it’s lifetime.
As always with Kerberos there are a number of prerequisites that must be completed before it can be used with the SAS Administration CLI. First and most obviously, SAS Logon Manager must be configured for Kerberos authentication, including delegation. I have discussed this in detail in my previous article, SAS Viya 3.4 Kerberos with SAS Logon Manager. Also it is worth remembering that Kerberos is the only supported authentication mechanism on Windows. Equally, if Kerberos will be used with either the SAS Compute Server or SAS Cloud Analytic Services, these will need to be configured for Kerberos as well.
Next if the SAS Administration CLI will be run from a Linux host, the correct underlying GSSAPI C libraries must be installed. On a RedHat system this can be completed with the following command as root:
yum install -y krb5-devel
which will provide the /usr/lib64/libgssapi_krb5.so library. On a SUSE system this can be installed with the following command as root:
zypper install krb5
This provides the necessary infrastructure for the SAS Administration CLI to leverage Kerberos for authentication.
Finally, if Kerberos will be used to authenticate from the SAS Administration CLI to the SAS Viya 3.4 environment, then an initial Kerberos credential (TGT) needs to be available. On Windows since the SAS Administration CLI leverages the standard Windows SSPI this will be the credentials of the end-user currently logged into the Windows host.
For Linux an initial Kerberos credential needs to be obtained before running the SAS Administration CLI. This could be obtained via the Pluggable Authentication Module (PAM) stack, as the end-user connects to the Linux host; for example, by using SSH to connect to the Linux host. Or this could be obtained by manually running kinit on the host. The kinit could either be interactive, where the end-user enters their credentials, or could leverage a Kerberos keytab to provide the credentials. Whichever mechanism is used the Kerberos TGT must be available in the default ticket cache location.
Before using the SAS Administration CLI that you have downloaded you need to install the CLI plug-ins and setup the profile. These steps are covered in detail in the documentation. Even if using the SAS Administration CLI on a Linux host where the original version has been run you must still setup the profile again.
Using Kerberos authentication to log into the SAS Administration CLI requires that you change the initial command to log into the SAS Viya 3.4 environment. You must use the following:
./sas-admin auth kerberos
You should see the following message:
Login succeeded. Token saved.
If you include --verbose on the command, you can review the HTTP requests/responses sent to SAS Logon Manager. You will then see the 401 HTTP response from the request to SAS Logon Manager with the Www-Authenticate: Negotiate header, notice this GET request is to /SASLogon.
Alternatively, when using username & password the command line is:
./sas-admin auth login
Again, including --verbose, now shows a POST message sent to /SASLogon/oauth/token after entering your username & password.
After logging into the SAS Administration CLI using either Kerberos or username & password Kerberos can be used for further connections. For example, the CAS plug-in can leverage Kerberos for the connection to SAS Cloud Analytic Services. The following command will list the CAS sessions for the specified SAS Cloud Analytic Services server:
export SAS_CLI_DEFAULT_CAS_SERVER=cas-shared-default; ./sas-admin cas sessions list
If this command is run as a non-administrative user, then only the current session will be listed for example:
Name Session ID Owner State Authentication Type casManagement sessions getSessionsSummaryCollection:Fri Jan 4 12:18:20 2019 c6e4433c-63ba-9e41-aef3-a4f691b4ff02 gatedemo003 Connected OAuth/Kerberos
We have only examined logging into the SAS Administration CLI. If you want to further explore what tasks you can complete within the SAS Administration CLI see the documentation SAS® Viya® 3.4 Administration: Using the Command-Line Interfaces.
Registration is open! SAS is returning to Vegas for an AI and analytics experience like no other! Whether you're an executive, manager, end user or SAS partner, SAS Innovate is designed for everyone on your team. Register for just $495 by 12/31/2023.
If you are interested in speaking, there is still time to submit a session idea. More details are posted on the website.
Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning and boost your career prospects.