The SAS Scripting Wrapper for Analytics Transfer (SWAT) package for Python was first released with Viya 3.1, and it has been hugely popular. My GEL colleague Mark Thomas published a great post explaining how to use it with CAS late last year. He showed us how to install and set up Python SWAT for use interactively and from a Jupyter Notebook.

Changes in the new version for Viya 3.3 keep it up to date: version 1.3.0 and version 1.3.1 of Python SWAT now require you set an additional environment variable, CAS_CLIENT_SSL_CA_LIST, so that it can find certificates needed for improvements to encrypted communication.

In this article, we'll see a quick way to install the latest Python SWAT package, which assumes some of the packages Mark showed us how to install are already present. They often are. The quick setup script also sets the CAS_CLIENT_SSL_CA_LIST environment variable, and I'll explain how to make sure it is set in Jupyter Notebook sessions too.

Finally, I want to show my favourite way to use Python SWAT: in an executable .py script.

Quick command-line Python SWAT setup

Below is a tiny script which installs Python SWAT if it's not already installed, and sets the CAS_CLIENT_SSL_CA_LIST environment variable for the current user.

Once you have deployed Anaconda and Jupyter Hub, you can install the current Python SWAT package using the script below, if you have not already installed it. If you have, it's fine to run the script below anyway, as it will skip the Python SWAT installation if it is already installed, and just set the environment variable for the user who runs the script.

Save this to a Linux host and make sure it is executable (chmod u+x filename), and run it - or just copy-and-paste the contents to a bash command line and run them interactively. The script assumes you already have Python installed (you probably do) and pip installed (you might not), and some other things. If any of the required components are not present, follow the steps in Mark's post. But the following may be all you need.

setup_python_swat.sh:

#!/bin/sh

if [[ $(pip list --disable-pip-version-check | grep swat) ]]; then
    echo "Python swat package is already installed"
else
    echo "Installing Python swat package"
    pip install https://github.com/sassoftware/python-swat/releases/download/v1.3.0//python-swat-1.3.0-linux64.tar.gz
fi

# Add the following line to ~/.bash_profile if it is not already present
LINE='export CAS_CLIENT_SSL_CA_LIST=/opt/sas/viya/config/etc/SASSecurityCertificateFramework/cacerts/vault-ca.crt'
FILE=~/.bash_profile
grep -qF -- "$LINE" "$FILE" || echo "$LINE" >> "$FILE"

source $FILE

Notice something the script does at the end, which was not required for earlier versions of the Python SWAT package: it adds an environment variable to your .bash_profile, called CAS_CLIENT_SSL_CA_LIST, pointing to Viya's CA certificates. It then 'sources' (i.e. runs) your .bash_profile, so that you get the new environment variable set in your current shell session, as well as in sessions you start in the future.

This script assumes that the .../cacerts/vault-ca.crt file is on the machine where SWAT is installed. If it isn't, you'll need to copy it to that machine (in a sensible filepath) and point the environment variable to wherever you put it. Also note that I have hardcoded the path /opt/sas/viya/config in the script. You will need to change this if your deployment is not called 'viya'.

• Note for future reference: the directory path, or the name of this certificate file may change slightly in future versions of viya. A pre-production Viya 3.4 deployment I looked at recently had the certificate file in the same directory as above, but named "vauit-hostname-ca.crt' where hostname is the name of the host machine on which the directory was located, instead of 'vault-ca.crt'. See the current documentation for the version of Viya you are using - e.g. for Viya 3.3, see Encryption in SAS® Viya® 3.3: Data in Motion.

Run this once, as the user who will run Python scripts. If pip cannot not install the packages, you might need to try running the script with sudo, or as root, or if that's not a good idea in your environment, look at the permissions required to perform the installation and try again.

Anaconda/Jupyter Notebook and Python SWAT setup

If you intend to use Jupyter Hub to run Python code which accesses your Viya 3.3 deployment, you should configure Jupyter Hub to 'pass on' the new CAS_CLIENT_SSL_CA_LIST environment variable to the Python sessions it spawns for user's notebooks. For this to work, you must have added the environment variable to the profile of the user who launches Jupyter Hub. You can do this in lots of ways, but one way is to run my setup_python_swat.sh script above.

Then, once you have deployed Jupyter Hub, edit /opt/anaconda3/etc/jupyterhub/jupyterhub_config.py and add this line near the end of that file, but make sure it is before c.Spawner.cmd = ['/opt/anaconda3/bin/jupyterhub-singleuser']:

c.Spawner.env_keep.append('CAS_CLIENT_SSL_CA_LIST')

See Encryption in SAS® Viya® 3.3: Data in Motion for more on certificates and encrypted communication in SAS. It includes an explanation of CAS TLS Environment Variables, including env.CAS_CLIENT_SSL_CA_LIST=<'path/certificates-file'>.

What can you do with Python and CAS?

The SAS Viya 3.3 Action Programming documentation contains lots of great examples of calling CAS actions from Python. Here is one for the Aggregation Action Set:

Mark showed you in his post how to run commands in CAS from Python, interactively from a command line. Analysts also use like Jupyter Notebook, from Jupyter Hub for following a train of thought to investigate data and its characteristics in CAS.

Going off script

But sometimes you just want to write a plain old script, never mind all that interactive Jupyter stuff. For that, all you need is the SWAT package for Python, an environment variable to take care of certificates, and you're ready to go.

Now you can write and run scripts like the one below. This example connects to CAS with a password in the clear, which is <British understatement>probably not a good idea</British understatement> in production, but makes for a simpler example.

Thanks to the shebang (#!..) on the first line, you don't need to prefix this with 'python'. Just make it executable (chmod u+x SetCasAccess.py) and run it like you would any other script.

SetCASAccess.py:

#!/usr/bin/python

import swat

conn = swat.CAS('intcas01',5570,'sasadm','lnxsas', caslib="hrdl")
conn.SessionName(name="mySession")

r=conn.accessControl.updSomeAcsTable(
  acs=[
   {'caslib':'hrdl',
    'table':'hr_summary.csv',
    'identity':'Sales',
    'identityType':'Group',
    'permType':'Grant',
    'permission':'Select'}])
print(r)

r=conn.session.endSession()
print(r)

print("Done")

You should really use an authinfo file to log on to CAS, instead of including the username and password in the line beginning 'conn = '.

That said, this code probably won't work on your environment, unless you also have a CAS library called 'hrdl', which contains a table with a source file called 'hr_summary.csv', and a group called 'Sales'. (We have those things in the internal workshops I have been delivering to SAS staff recently). But that's not really the point of this post - write your own script to do what you want! Then, make your Python script executable, and run it. Easy*.

Thanks to Mark Thomas, Gerry Nelson and Erwan Granger for reviewing early drafts of this post and for their feedback. Any errors are my own.

* Your definition of ‘easy’ may differ from mine.