SAS Workload Orchestrator is a key component of SAS Grid Manager, initially released with SAS 9.4M6. Every interaction with this service happens through its REST API via HTTP; the REST endpoints are protected and require authentication. In this post, you can find an introduction to SAS Workload Orchestrator authentication, while additional posts will provide a more detailed description of each of the supported authentication methods.
The SAS Business Intelligence platform – including SAS Grid Manager – relies on two forms of user identity:
All users who interact with SAS Grid Manager must have active operating system user accounts; since grid deployments usually involve multiple hosts, it is important to keep these user accounts consistent across all of them. In detail, user ids as well as numeric uid and gid values must be consistent on all UNIX grid hosts. It is a proven practice to implement operating system integration with third party authentication providers, such as LDAP servers, or Microsoft Active Directory.
All users who interact with the grid must also have valid SAS metadata identities. All validated OS users are matched to a corresponding metadata identity, which, in turn, must have authorization to access all required SAS resources (like SASApp, SAS libraries, tables, etc.)
The following diagram highlights how user identities flow in a grid environment:
Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page.
The SAS Workload Orchestrator communicates with clients and peer services using the standard HTTP(s) protocol, through a REST API exposed by REST endpoints. An example is
/sasgrid/api/grid , which returns general information about the grid. Note: these endpoints are not for direct end-users' consumption and are not guaranteed to be consistent across releases, as such they are not officially documented.
All the REST endpoints are protected and require authentication. SAS Workload Orchestrator supports two authentication schemes:
Regardless of which authentication type is selected, end-users on Windows grids must have the “Log on as batch job” user right in order for their jobs to run on the grid.
It is possible to completely disable authentication by setting the Authorization disabled flag in the grid configuration (for example, for test environments), although it is not recommended for security reasons. When authentication is enabled, grid jobs run with the credentials of the authenticated user. If authorization is disabled, all incoming connections are automatically accepted and jobs run on the grid as the SAS Workload Orchestrator process user (on UNIX, by default, this is the SAS installer). If the Authorization disabled setting is changed, all grid daemons have to be restarted.
All grid clients recognize the request for authentication and react by sending the user's credentials to the grid. But how do the clients get these credentials in the first place? Interactive clients can generally prompt the user with a "enter username and password" form, but there are other possibilities.
There are 4 ways in which user's credentials can be retrieved by a client, although not all clients support all of them:
The following table shows the available options per client type:
|Manually specify username & password||Get username & password from metadata||Get username and password from an authinfo file||Use Kerberos|
|CLI Admin Utility||Y||N||Y||Y|
To summarize the options, administrative interfaces and SASGUB accept a direct specification of a username and password to connect to SAS Workload Orchestrator. Only end-user clients can retrieve username and password from metadata. Almost all clients support AUTHINFO files, and all client interfaces support Kerberos authentication.
Just as with every software solution, authentication plays an important role in securing your grid environment.
Being aware of how SAS software is configured for use in your environment and understanding its interaction with SAS Grid Manager is key to a successful implementation.
Registration is open! SAS is returning to Vegas for an AI and analytics experience like no other! Whether you're an executive, manager, end user or SAS partner, SAS Innovate is designed for everyone on your team. Register for just $495 by 12/31/2023.
If you are interested in speaking, there is still time to submit a session idea. More details are posted on the website.
Data Literacy is for all, even absolute beginners. Jump on board with this free e-learning and boost your career prospects.