
SAS Workload Orchestrator: Introduction to Authentication

Started 11-25-2019
Modified 11-25-2019

SAS Workload Orchestrator is a key component of SAS Grid Manager, initially released with SAS 9.4M6. Every interaction with this service happens through its REST API via HTTP; the REST endpoints are protected and require authentication. In this post, you can find an introduction to SAS Workload Orchestrator authentication, while additional posts will provide a more detailed description of each of the supported authentication methods.

SAS Grid Manager Authentication Concepts

The SAS Business Intelligence platform – including SAS Grid Manager – relies on two forms of user identity:

  • Operating system user accounts, with properties such as user account, uid (numeric), OS group memberships.
  • SAS metadata identities, with properties such as name, metadata group memberships, role associations, external logons.

All users who interact with SAS Grid Manager must have active operating system user accounts; since grid deployments usually involve multiple hosts, it is important to keep these user accounts consistent across all of them. In detail, user ids as well as numeric uid and gid values must be consistent on all UNIX grid hosts. It is a proven practice to integrate the operating system with a third-party authentication provider, such as an LDAP server or Microsoft Active Directory.


All users who interact with the grid must also have valid SAS metadata identities. Every validated OS user is matched to a corresponding metadata identity, which, in turn, must be authorized to access all required SAS resources (such as SASApp, SAS libraries, tables, etc.).


The following diagram highlights how user identities flow in a grid environment:


[Image: 20190930_01_GridIdentities.png]

  1. A SAS Client runs the code to enable grid processing. The client reaches out to the SAS Metadata Server to be authorized and get grid information. This connection requires metadata credentials to be exchanged between the SAS Client and the SAS Metadata Server.
  2. The SAS Client sends a job request to the grid controller. The grid controller requests user authentication and the client responds by sharing the OS credentials of the user.
  3. The grid controller dispatches the request to the best grid server, forwarding the user's OS credential with the job.
  4. The grid server starts a SAS session that runs under the OS credentials received from the controller.

SAS Workload Orchestrator Authentication

The SAS Workload Orchestrator communicates with clients and peer services over standard HTTP(S), through a REST API exposed as REST endpoints. An example is /sasgrid/api/grid, which returns general information about the grid. Note: these endpoints are not intended for direct end-user consumption and are not guaranteed to stay consistent across releases; as such, they are not officially documented.


All the REST endpoints are protected and require authentication. SAS Workload Orchestrator supports two authentication schemes:

  • HTTP Basic authentication, based on the validation of a username and password.
  • Negotiate authentication, based on the exchange of Kerberos tickets.

Regardless of which authentication type is selected, end-users on Windows grids must have the “Log on as batch job” user right in order for their jobs to run on the grid.


It is possible to disable authentication completely by setting the Authorization disabled flag in the grid configuration (for example, in test environments), although this is not recommended for security reasons. When authentication is enabled, grid jobs run under the credentials of the authenticated user. When it is disabled, all incoming connections are accepted without any credential check, and every job runs on the grid as the SAS Workload Orchestrator process user (on UNIX, by default, the SAS installer account), so any client able to reach the REST endpoints can run work under that account. Changing the Authorization disabled setting requires a restart of all grid daemons.

Supported Authentication Types by Client

All grid clients recognize the request for authentication and react by sending the user's credentials to the grid. But how do the clients get these credentials in the first place? Interactive clients can generally prompt the user with an "enter username and password" form, but there are other possibilities.


[Image: 20190930_02_LogonForm.png]

There are four ways in which a user's credentials can be retrieved by a client, although not all clients support all of them:

  • ask the user to enter a username and password (this could be in an interactive form, or as parameters on the command-line, or as options in a configuration file, depending on the client)
  • retrieve username and password from SAS metadata (from a login associated with the user's metadata identity)
  • retrieve username and password from an AUTHINFO file
  • forward the user's Kerberos ticket (if available on the client)
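As an added example (not code from the original post or from SAS), the following Python sketch shows the client side of the Basic and Negotiate schemes described here: it looks up a username and password in an AUTHINFO-style file for the grid controller host, builds the Basic header, and picks a scheme from the server's 401 challenge. The file contents, the hostname gridctl.example.com and the assumption that AUTHINFO entries use netrc-style host/user/password keywords are all constructed for this example.

```python
import base64
import shlex
# Constructed sample AUTHINFO (not a real file): a host entry and a "default" fallback.
SAMPLE_AUTHINFO = """
host gridctl.example.com user gridop password "s3cr3t pass"
default user fallback password fallback-pw
"""

def parse_authinfo(text):
    """Map hostname -> (user, password); the 'default' entry is keyed by None.
    Assumes SAS-style host/user or netrc-style machine/login keywords per line."""
    entries = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)  # shell-style quoting, # comments
        if not tokens:
            continue
        host, user, password = None, None, None
        i = 0
        while i < len(tokens):
            key = tokens[i].lower()
            if key == "default":  # keyword without a value
                i += 1
                continue
            value = tokens[i + 1] if i + 1 < len(tokens) else None
            if key in ("host", "machine"):
                host = value
            elif key in ("user", "login"):
                user = value
            elif key == "password":
                password = value
            i += 2
        if user is not None and password is not None:
            entries[host] = (user, password)
    return entries

def lookup(entries, hostname):
    """Exact host entry first, then the 'default' entry, else None."""
    return entries.get(hostname) or entries.get(None)

def basic_header(user, password):
    """Basic Authorization value; base64 is encoding, not encryption, so HTTPS only."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode("ascii")

def choose_scheme(www_authenticate, have_kerberos_ticket):
    """Pick a scheme from a 401 WWW-Authenticate value such as
    'Negotiate, Basic realm="SAS Grid"' (simple comma split; realms with commas not handled)."""
    offered = {p.strip().split()[0].lower() for p in www_authenticate.split(",") if p.strip()}
    if "negotiate" in offered and have_kerberos_ticket:
        return "Negotiate"
    return "Basic" if "basic" in offered else None
```

Because the Basic header carries the password in a reversible encoding, the same lookup logic should prefer Negotiate whenever a ticket is available and fall back to Basic only over TLS.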

The following table shows the available options per client type:


  Client               Manually specify      Get username &        Get username &        Use Kerberos
                       username & password   password from         password from an
                                             metadata              authinfo file
  SASGSUB              Y                     Y                     Y                     Y
  Interactive coding   N                     Y                     Y                     Y
  Object Spawner       N                     Y                     Y                     Y
  CLI Admin Utility    Y                     N                     Y                     Y
  Web UI               Y                     N                     N                     Y


To summarize the options, administrative interfaces and SASGSUB accept a direct specification of a username and password to connect to SAS Workload Orchestrator. Only end-user clients can retrieve the username and password from metadata. Almost all clients support AUTHINFO files, and all client interfaces support Kerberos authentication.

Conclusion

Just as with every software solution, authentication plays an important role in securing your grid environment.


Being aware of how SAS software is configured for use in your environment and understanding its interaction with SAS Grid Manager is key to a successful implementation.
