SAS Workload Orchestrator is a key component of SAS Grid Manager, initially released with SAS 9.4M6. Every interaction with this service happens through its REST API via HTTP; the REST endpoints are protected and require authentication. In this post, you can find an introduction to SAS Workload Orchestrator authentication, while additional posts will provide a more detailed description of each of the supported authentication methods.
The SAS Business Intelligence platform – including SAS Grid Manager – relies on two forms of user identity:
All users who interact with SAS Grid Manager must have active operating system user accounts; since grid deployments usually involve multiple hosts, it is important to keep these user accounts consistent across all of them. In detail, user ids as well as numeric uid and gid values must be consistent on all UNIX grid hosts. It is a proven practice to implement operating system integration with third-party authentication providers, such as LDAP servers or Microsoft Active Directory.
All users who interact with the grid must also have valid SAS metadata identities. All validated OS users are matched to a corresponding metadata identity, which, in turn, must have authorization to access all required SAS resources (like SASApp, SAS libraries, tables, etc.).
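One way to check the uid/gid consistency requirement described above, as an added example that is not part of the original post or of SAS software: it compares `getent passwd` output collected from each UNIX grid host. The host names, accounts and numeric ids in the sample are constructed.

```python
from collections import defaultdict

# Constructed sample input: `getent passwd` output gathered from each grid host.
# Host names, user names and numeric ids are made up for illustration.
SAMPLE_HOSTS = {
    "grid01": "sasinst:x:2000:3000::/home/sasinst:/bin/bash\n"
              "sasdemo:x:2001:3000::/home/sasdemo:/bin/bash\n",
    "grid02": "sasinst:x:2000:3000::/home/sasinst:/bin/bash\n"
              "sasdemo:x:2005:3000::/home/sasdemo:/bin/bash\n"
              "etluser:x:2001:3000::/home/etluser:/bin/bash\n",
    "grid03": "sasinst:x:2000:3000::/home/sasinst:/bin/bash\n",
}

def parse_passwd(text):
    """Return {user: (uid, gid)} from passwd-format text, skipping bad lines."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[2].isdigit() and fields[3].isdigit():
            accounts[fields[0]] = (int(fields[2]), int(fields[3]))
    return accounts

def find_inconsistencies(host_passwd):
    """Return a sorted list of (kind, subject, detail) findings across hosts."""
    parsed = {host: parse_passwd(text) for host, text in host_passwd.items()}
    ids_by_user = defaultdict(dict)    # user -> {host: (uid, gid)}
    users_by_uid = defaultdict(set)    # uid  -> user names seen with that uid
    for host, accounts in parsed.items():
        for user, (uid, gid) in accounts.items():
            ids_by_user[user][host] = (uid, gid)
            users_by_uid[uid].add(user)
    findings = []
    for user, per_host in ids_by_user.items():
        missing = sorted(set(parsed) - set(per_host))
        if missing:  # account does not exist on every grid host
            findings.append(("missing", user, ",".join(missing)))
        if len(set(per_host.values())) > 1:  # same name, different numeric ids
            detail = ",".join(f"{h}={u}:{g}" for h, (u, g) in sorted(per_host.items()))
            findings.append(("id-mismatch", user, detail))
    for uid, users in users_by_uid.items():
        if len(users) > 1:  # one uid owned by different accounts on different hosts
            findings.append(("uid-reuse", str(uid), ",".join(sorted(users))))
    return sorted(findings)

if __name__ == "__main__":
    for kind, subject, detail in find_inconsistencies(SAMPLE_HOSTS):
        print(f"{kind:12} {subject:10} {detail}")
```

The `uid-reuse` finding matters on shared storage: files written by one account on one host appear owned by a different account on another host.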
The following diagram highlights how user identities flow in a grid environment:
The SAS Workload Orchestrator communicates with clients and peer services using the standard HTTP(s) protocol, through a REST API exposed by REST endpoints. An example is /sasgrid/api/grid, which returns general information about the grid. Note: these endpoints are not for direct end-users' consumption and are not guaranteed to be consistent across releases; as such, they are not officially documented.
All the REST endpoints are protected and require authentication. SAS Workload Orchestrator supports two authentication schemes:
Regardless of which authentication type is selected, end-users on Windows grids must have the “Log on as batch job” user right in order for their jobs to run on the grid.
It is possible to completely disable authentication by setting the Authorization disabled flag in the grid configuration (for example, for test environments), although it is not recommended for security reasons. When authentication is enabled, grid jobs run with the credentials of the authenticated user. If authorization is disabled, all incoming connections are automatically accepted and jobs run on the grid as the SAS Workload Orchestrator process user (on UNIX, by default, this is the SAS installer). If the Authorization disabled setting is changed, all grid daemons have to be restarted.
All grid clients recognize the request for authentication and react by sending the user's credentials to the grid. But how do the clients get these credentials in the first place? Interactive clients can generally prompt the user with an "enter username and password" form, but there are other possibilities.
There are 4 ways in which a user's credentials can be retrieved by a client, although not all clients support all of them:
The following table shows the available options per client type:
Client type | Manually specify username & password | Get username & password from metadata | Get username and password from an authinfo file | Use Kerberos |
SASGSUB | Y | Y | Y | Y |
Interactive coding | N | Y | Y | Y |
Object Spawner | N | Y | Y | Y |
CLI Admin Utility | Y | N | Y | Y |
Web UI | Y | N | N | Y |
To summarize the options, administrative interfaces and SASGSUB accept a direct specification of a username and password to connect to SAS Workload Orchestrator. Only end-user clients can retrieve username and password from metadata. Almost all clients support AUTHINFO files, and all client interfaces support Kerberos authentication.
Just as with every software solution, authentication plays an important role in securing your grid environment.
Being aware of how SAS software is configured for use in your environment and understanding its interaction with SAS Grid Manager is key to a successful implementation.