BookmarkSubscribeRSS Feed

SAS Viya 3.5 Compute Server Service Accounts

Started ‎01-29-2020 by
Modified ‎10-01-2021 by
Views 14,740

SAS Viya 3.5 introduces support for using service accounts with the SAS Compute Server. This enables the administrator to configure a SAS Compute Server context to be associated with a service account. Then all SAS Compute Server sessions for that context will run as the specified service account. This removes the need for end-users to have operating system accounts on the hosts where the SAS Compute Server is running. In this article we’ll examine some considerations for using service accounts and how this is configured.

 

The SAS Compute Server is used by several components within the SAS Viya 3.5 environment. Some of the components using the SAS Compute Server are:

  1. SAS Studio 5.2 (Enterprise)
  2. SAS Job Execution
  3. SAS Visual Data Mining and Machine Learning
  4. SAS Model Manager
  5. SAS Visual Forecasting
  6. CAS Formats service
  7. Import 9 service

On Linux, in the default configuration, the SAS Launcher service uses the end-user’s internal OAuth token, generated by SAS Logon Manager, to authenticate to the SAS Launcher Server and launch the SAS Compute Server session. Since the internal OAuth token only contains the end-user’s username no actual operating system authentication of the end-user is possible. This username is just used to launch the SAS Compute Server.

 

With SAS Viya 3.4 on Linux the alternatives to the default approach are to configure Kerberos unconstrained delegation or use a stored credential. With SAS Viya 3.5, in addition to these two approaches, administrators can use Kerberos constrained delegation or a service account.

Consideration for using Service Accounts

The use of a service account with the SAS Compute Server makes sense when the end-users do not have operating system accounts on the host(s) where the SAS Compute Server is running. This enables end-user, perhaps authenticated via third-party SAML or OpenID Connect providers, access to the SAS Compute Server.

 

Associating a service account with a SAS Compute Server context ensures all session will run on the operating system as that service account. However, the SAS Compute Server session will still have access to the end-user’s internal OAuth token generated by SAS Logon Manager. This means that any connections leveraging the SAS Viya service layer will be made as the end-user and not as the service account. But all operating system access will be as the service account and not the end-user.

 

A single SAS Compute Server context can only be associated with a single service account. Some applications, such as SAS Studio 5.2 (Enterprise) only function with a single SAS Compute Server context. This means that all users of SAS Studio 5.2 (Enterprise) will use the same service account. If the aim is to have different groups of end-users run the SAS Compute Server sessions as different host accounts, then using service accounts is not the correct approach. Instead a stored group credential should be used instead. This stored group credential is stored within the defaultAuth authentication domain.

 

The service account credential is stored with the Credentials microservice. The SAS Administration CLI is used to store the service account username and password. These credentials are stored in a new randomly generated credential domain. This domain is not visible within SAS Environment Manager. The SAS Administration CLI is the only mechanism to interact with the stored service account. The credentials for the service account are encrypted by the Credentials microservice and stored in the SAS Infrastructure Data Server. Only the SAS Compute Service can access the stored credentials via the Credentials microservice.

 

The service account credentials are passed through the Pluggable Authentication Module (PAM) stack when launching the SAS Compute Server. This means that if the PAM stack is integrated with Kerberos, then Kerberos credentials for the service account will be available to the SAS Compute Server session. These Kerberos credentials could then be used to access data sources from the SAS Compute Server session.

Configuring Service Accounts

There are two stages to configuring the use of service accounts. The first stage is storing the credentials for the service account and must be completed in the SAS Administration CLI. The second stage is updating the SAS Compute Server context and must be completed in SAS Environment Manager.

 

To store the service account credentials using the SAS Administration CLI you need to first authenticate to the SAS Viya 3.5 environment. This requires a SAS Administration CLI profile. This could be created manually as a text file using the following commands:

 

cat <<'EOF' > ~/.sas/config.json
{
  "Default": {
    "ansi-colors-enabled": "true",
    "output": "text",
    "sas-endpoint": "https://<<viya_http.customer.com>>"
  }
}
EOF
chmod 600 ~/.sas/config.json

 

Or by using the SAS Administration CLI as described in the Tools for Administrators documentation.

 

Note: do not create the ~/.sas/config.json as the root user in the root user's home directory.

 

With the profile created you can log into the SAS Viya 3.5 environment with a user who is a member of the SAS Administrators group:

 

source /opt/sas/viya/config/consul.conf;
/opt/sas/viya/home/bin/sas-admin auth login -u <<username>> -p "<<password>>"

 

Use the following command to store the credentials for the service account:

 

/opt/sas/viya/home/bin/sas-admin compute credentials create

 

You will then be prompted for the Userid, password, and a description. Once the credentials have been stored the following message will be displayed:

 

2019/11/11 05:17:12 The shared service account credential for <<service_account>> was created successfully.

 

The SAS Administration CLI can also be used to list the stored credentials for the service accounts:

 

/opt/sas/viya/home/bin/sas-admin compute credentials list

 

You will see the following:

 

Shared Service Account Credentials:
1. <<service_account>> - <&ltYour description>>

 

Once you have finished with the SAS Administration CLI you should logout:

 

/opt/sas/viya/home/bin/sas-admin auth logout

 

The second stage is completed in SAS Environment Manager where the SAS Compute Server context is updated. You must log into SAS Environment Manager as a member of SAS Administrators and assume the SASAdministrators role. Then complete the following:

  1. Select Contexts
  2. Select Compute contexts from the drop down
  3. Select SAS Studio compute context
  4. Select Edit
  5. Select Add against Attributes
    1. Enter runServerAs as the Attribute
    2. Enter <<service_account>> as the Value
    3. Select Save
  6. Select Save

This completes the changes required in SAS Environment Manager. With both the credential stored and the context updated the Launcher Server can be restarted with the following command:

 

sudo systemctl restart sas-viya-runlauncher-default

Validate Service Accounts

To validate the use of the service account you can both confirm that the credential has been stored correctly with the Credentials microservice and confirm it is used correctly by SAS Studio 5.2 (Enterprise). To validate the new credential domain log into SAS Environment Manager as a member of the SAS Administrators group and assume the SASAdministrators role. Open the following URL in a new tab:

 

https://<<viya_http.customer.com>>/credentials/domains?start=10&limit=10

 

Scroll down the returned JSON and you will see the new credential domain with the following properties:

  • id = a UUID such as 6801a691-1589-4c8b-a98c-de5ed5f1ff46
  • type = compute-password
  • label = <<service_account>>

To validate SAS Studio 5.2 (Enterprise) log in with an end-user and then examine the operating system processes on the host(s) where the SAS Compute Server is deployed. For example, the following command will display the SAS Compute Server processes:

 

ps axo user:20,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,comm |grep compsrv

 

You should see the following:

 

<<service_account>>          14845  0.0  0.0 113316  1644 ?        Ss   09:37:06 00:00:00 compsrv_start.s
<<service_account>>          14866 13.4  0.1 1710648 53052 ?       Sl   09:37:06 00:00:01 compsrv

Conclusion

The option of using a service account with the SAS Compute Server in SAS Viya 3.5 adds a simplifying option when end-users of SAS Viya 3.5 do not have host operating system accounts. As we’ve shown it is straight-forward to configure the use of a service account and behaves as you would expect. This option is not going to be a good fit for all deployment types, but certainly makes administration simpler for this use-case.

Comments

Hello All,

 

I thought I would add a short comment following some feedback on the article above.  Remember, this magic service account clearly must exist on the hosts where your compute server session is going to run; and must have a valid home directory and other user attributes.  The password defined using the CLI must match the operating system password and will need to be updated if the operating system password is updated.

 

Thank you for reading the article.

Stuart

Hi @StuartRogers 

Thanks for this blog. During implementation I found, we need to include --profile <profile-name> with each sas-admin cli command. without profile option, the error can be below...

Failed to determine if the shared service account credential to be created already exists. Reason: The user token is expired. Login again before attempting any commands.

sanket_mitra_corecompete_com_0-1590046364519.png

after adding the profile option.

sanket_mitra_corecompete_com_1-1590046544043.png

Hello @sanketmitra_ACN 

Thank you for taking the time to comment.  You make a very good point about the use of the --profile option.  As per the documentation if you have either defined a named profile or have setup a number of different profiles you will need to include this each time.  The use of the profiles makes it much easier to manage several SAS Viya 3.5 environments from a single client with the SAS Administration Command-Line Interfaces deployed.

 

Thank you

Stuart

Lco

hi Stuart,

I tried to configure the service account in a VIYA environment in HA with Multitenant, I can configure the shared service account credentials successfully, as well as the configuration in EVM, but after restarting the runlauncher and entering SASStudioV I get this message:
There was an error while starting SAS® Studio
Unable to create compute server session.
The attempt to run a compute server as user "dtsimsvc" failed because a service account credential could not be found for that user.

The DTSIMSVC user exists on the operating system and in LDAP, with passwords aligned, I forgot something?

 

On another VIYA in HA, but without MULTITENANT, I was able to correctly configure the service account.

 

thanks

Luca

 

@Lco you need to ensure when you register the credentials you have authenticated to the correct tenant and ensuring you are using the correct profile for SAS Admin CLI.  I would advise working with SAS Technical Support to ensure you are adapting the steps outlined above correctly for your multi-tenant environment.

 

Thank you for your time.

 

Stuart

Lco

Thank you Stuart, 

obviously you are right, 😉 I was authenticated in the PROVIDER and therefore the tenants did not see the service accounts.

 

Once I authenticated in the various tenants I was able to create the credentials, configure the contexts correctly, restart the tenant runlaunchers and everything went smoothly.


Thank you
Luca

Lco

hi Stuart,

I've an environment with 5/6 groups and my goal is to permit to each user that belong the relative groups to access only to its reources: how can I achieve this?

Do I need to define several service accounts and several SAS Studio compute context?

Application users are LDAP only

 

thanks

Luca

@Lco you could use that approach; but as you say this might be overkill for this number of groups.  The alternative, would be to leverage storing credentials in the DefaultAuth authentication domain for the different groups.  I mention this in the section "Consideration for using Service Accounts" with the statement:

Instead a stored group credential should be used instead. This stored group credential is stored within the defaultAuth authentication domain.

As a member of SAS Administrators you can store the username/password for DefaultAuth and then assign a group to that credential.  This means that only that group is able to read that credential.  SAS Compute & SAS Cloud Analytic Services will both leverage this credential stored in DefaultAuth.

 

Thank you for your time

Stuart

Lco

hi Stuart,

thank you for your quick reply, you know that I've configured a SSO with SAML, and all users come from their OAM.

I've defined 6 Custom Groups, and then in Credentials I've associated each Custom Group with the relative User ID defined locally on system, and in each groups I inserted the correct LDAP users, and now I suppose I've to remove the service account from "SAS Studio compute context" and change in "Basic properties" the "Identity type" from "Identities" to "Authenticated users", is it?

But I also need to remove the service account from the credentials using the SAS Admin CLI?

 

In this configuration VIYA is able to associate the user coming from OAM, and inserted in the Custom Group, with the User ID associated in CREDENTIALS to that group, and run SASStudioV with this user, right?

 

thank you for your time

Luca

@Lco , yes from what you have written you should have the DefaultAuth credentials for 6 users available to your 6 custom groups.  So your next steps would be to back-out the changes to the "SAS Studio compute context" which means removing the "runServerAs" property, and ensuring the authorization allows all "Authenticated Users" access to that compute context.  As you have said to keep things tidy you should also remove the credential using the SAS Admin CLI - it won't be used but it will be sitting there in the credentials microservice otherwise.

 

With this all complete, your SAML users will be able to access SAS Studio V and their compute session will launch using the corresponding DefaultAuth credentials.  One thing you need to ensure is that an individual SAML user does not have access to two different DefaultAuth credentials.  So you must ensure they are not members of more than one of your custom groups.

 

Thank you for your time.

Stuart

Version history
Last update:
‎10-01-2021 12:46 PM
Updated by:
Contributors

SAS Innovate 2025: Register Now

Registration is now open for SAS Innovate 2025 , our biggest and most exciting global event of the year! Join us in Orlando, FL, May 6-9.
Sign up by Dec. 31 to get the 2024 rate of just $495.
Register now!

Free course: Data Literacy Essentials

Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning  and boost your career prospects.

Get Started

Article Tags