SAS Grid Manager and Kerberos Authentication

Transcription

1 SAS Grid Manager and Kerberos Authentication Learn the considerations for implementing Kerberos authentication so you can submit workload to SAS Grid Manager.

2 SAS Grid Manager and Kerberos Authentication SAS Webinar Presenters Rob Collum Principal Technical Architect, SAS Edoardo Riva Principal Technical Architect, SAS Stuart Rogers Architecture and Security Lead, SAS

3 SAS Grid Manager and Kerberos Authentication Welcome!

4 SAS Grid Manager with Kerberos Four Paths to Submit Jobs

5 PATH #1: Request TGT: Three Cases Grid-launched workspace servers Auto 1. Using user/password for authentication, the SAS Object Spawner calls kinit to create a Kerberos credential cache and sets KRB5CCNAME to specify the path to it for use by LSF - Using a specific name /tmp/krb5cc_sasgrid_<user>_* - You must set the SAS_GRID_USE_KERBEROS environment variable for this to occur Auto 2. Using IWA/SSPI for authentication, the SAS Object Spawner writes the credentials to a credential cache and sets KRB5CCNAME to specify the path to it for use by LSF - Using a specific name /tmp/krb5cc_sasgrid_<user>_* SAS Object Spawner-launched workspace servers Config 3. Code required in the script WorkspaceServer_usermods.sh - To find Kerberos credentials (created by PAM if SASAUTH is configured for PAM) or call kinit to create a Kerberos credential cache - And then set KRB5CCNAME to specify the path to that credential cache

6 PATH #1: Propagate TGT When the job is submitted by the Object Spawner, LSF copies the credentials pointed to by KRB5CCNAME to the LSF shared directory to keep it renewed. LSF must be configured as per documentation See Using Kerberos Authentication in a Grid Environment in Grid Computing in SAS 9.4, Fifth Edition More on this later

7 PATH #1: Propagate TGT LSF starts a job and copies the credential cache to the execution machine as /tmp/lsf_krb5cc_<job_id>.0.

8 PATH #1: Use TGT Now the SAS Workspace Server has KRB5CCNAME set to a cache that is a renewed copy of the credential cache created on the Object Spawner machine. Kerberos tickets are available in order for downstream SAS processes to authenticate to external resources.

9 PATH #2: Request TGT SASGSUB does not request a Ticket-Granting Ticket User Ticket must be available to the operating system session - Kinit or possibly SSH auto-generates a ticket The Environment Variable KRB5CCNAME must point to the credentials cache (the most reliable approach) The Environment Variable LSF_FULL_VERSION must be set to Should already be set by the installer or lsf.profile If not set Kerberos authentication fails

10 PATH #2: Propagate TGT When the job is submitted by SASGSUB, LSF copies the credentials pointed to by KRB5CCNAME to the LSF shared directory to keep it renewed. LSF must be configured as per documentation See Using Kerberos Authentication in a Grid Environment in Grid Computing in SAS 9.4, Fifth Edition More on this later

11 PATH #2: Propagate TGT LSF starts a job and copies the credential cache to the execution machine as /tmp/lsf_krb5cc_<job_id>.0.

12 PATH #2: Use TGT The corresponding SAS Batch Execution job must be Kerberos aware (if needed) Able to make use of the TGT from the ticket cache Ticket cache identified by KRB5CCNAME environment variable

13 PATH #3: Request TGT Grid-enabled signon of SAS/CONNECT does not request a Ticket-Granting Ticket User Ticket should be available to operating system session (kinit or ssh) - Identified by the KRB5CCNAME environment variable The Environment Variable LSF_FULL_VERSION must be set to Should already be set by the installer or lsf.profile If not set Kerberos authentication fails

14 PATH #3: Propagate TGT When the job is submitted by the Grid-Enabled SAS/CONNECT Client, LSF copies the credentials pointed to by KRB5CCNAME to the LSF shared directory to keep it renewed. LSF must be configured as per documentation See Using Kerberos Authentication in a Grid Environment in Grid Computing in SAS 9.4, Fifth Edition More on this later

15 PATH #3: Propagate TGT LSF starts a job and copies the credential cache to the execution machine as /tmp/lsf_krb5cc_<job_id>.0.

16 PATH #3: Use TGT Now the SAS Grid Server has KRB5CCNAME set to a cache that is a renewed copy of the credential created on the SAS/CONNECT Client machine. Kerberos tickets are available in order for SAS processes to authenticate to external resources.

17 Config Process Manager PATH #4: Request TGT User/password login: the Platform Process Manager Server initializes the credentials via PAM Platform Process Manager periodically renews the credentials Uses the LSF Master configuration to define how often credentials are renewed Can only renew up to Kerberos max lifetime - To schedule beyond this time period a Kerberos keytab should be used to provide credentials

18 PATH #4: Propagate TGT When the job is scheduled to run Platform Process Manager Server forwards the ticket to LSF Master LSF must be configured as per documentation See Using Kerberos Authentication in a Grid Environment in Grid Computing in SAS 9.4, Fifth Edition More on this later

19 PATH #4: Propagate TGT LSF starts a job and copies the credential cache to the execution machine as /tmp/lsf_krb5cc_<job_id>.0.

20 PATH #4: Use TGT Now the SAS Batch Server has KRB5CCNAME set to a cache that is a renewed copy of the credential created on the Platform Process Manager Server machine. Kerberos tickets are available in order for SAS processes to authenticate to external resources.

21 SAS Grid Manager with Kerberos Authentication ALL PATHS: Configuring LSF Master to Propagate TGT The Kerberos key distribution center (KDC) and the client configuration must allow ticket forwarding. In the lsf.conf file, specify the parameter LSB_KRB_TGT_FWD=Y Ensure that the required krb5 libs (libkrb5.so, libcom_err.so, libk5crypto.so, and libkrb5support.so) are in the default directories, or use LSB_KRB_LIB_PATH= to specify where they are. In the lsf.conf file, also specify any of these optional parameters: LSB_KRB_CHECK_INTERVAL LSB_KRB_RENEW_MARGIN LSB_KRB_TGT_DIR specifies the time interval for TGT checking; default value is 15 minutes specifies the amount of time that elapses before the TGT is renewed; default value is 1 hour specifies where to store the TGT on the execution host; default value is /tmp

22 SAS Grid Manager with Kerberos Authentication ALL PATHS: Additional Considerations Kerberos ticket forwarding using LSF works well on Linux & UNIX platforms Job submission with Kerberos is not supported on Windows Kerberos Tickets must be forwardable This allows for authentication forwarding without requiring a password to be typed in again The Kerberos Ticket-Granting Ticket must be address-less to ensure ticket forwarding works correctly This is the default setting for Microsoft Active Directory and MIT Kerberos

23 SAS Grid Manager with Kerberos Authentication ALL PATHS: Troubleshooting Enable Kerberos debugging SAS Object Spawner update $SASCFG/$LEV/ObjectSpawner/logconfig.xml - App.tk.tkegrid logger, with Trace or Debug - Audit.Authentication logger, with Trace or Debug LSF update $LSFTOP/conf/lsf.conf add the following LSB_LOG_MASK=LOG_DEBUG LSB_DEBUG_CMD="LC2_KRB" LSB_CMD_LOGDIR=logging_directory LSF_LOG_MASK=LOG_DEBUG LSF_DEBUG_CMD="LC2_KRB" LSF_CMD_LOGDIR=logging_directory SAS Technical Support, support.sas.com, (U.S. and Canada) and outside the U.S., contact your local SAS office.

24 SAS Grid Manager with Kerberos Authentication References Grid Computing in SAS 9.4, Fifth Ed. SAS 9.4 Intelligence Platform: Security Administration Guide, Third Ed. IBM Administering Platform LSF IBM Administering Platform Process Manager

25 Q&A Please submit your questions in the Q&A window

26 SAS Grid Manager Resources Watch it On Demand!

27 @SASSoftware, #SASGrid SAS Software, SASUsersgroup SASSoftware SAS, SAS Users Group communities.sas.com blogs.sas.com/content

28

29 Thank you