Configure Users Authenticated by Kerberos

To use Kerberos authentication, each SAS Decision Manager user must have a valid Kerberos ticket to access SAS Decision Manager. However, users who are authenticated by Kerberos cannot write the publish results files to the SAS Content Server when publishing a model because they have not supplied a password to SAS Model Manager. Therefore, additional post-installation configuration steps are needed so that users can publish models to a database or a Hadoop Distributed File System (HDFS) from SAS Decision Manager:
  1. Create an internal user, such as sascs@saspw, and add the user to the Model Manager Advanced Users group. For more information, see Configuring Users, Groups, and Roles.
  2. Create an operating system group, if one has not been previously created. For more information, see Creating Operating System Accounts for Product Administrators and Users.
  3. Ensure that each user who publishes models is part of the operating system group that you created. Users in the Model Manager Advanced Users and Model Manager Administrator Users groups can publish models. Therefore, it is recommended that these users be included in the operating system group.
  4. As an operating system administrator, perform the following tasks:
    1. Create a directory and add Read permissions for the operating system group that you created. Only the operating system administrator should have Write permissions.
    2. Create an encoded password file using the PWENCODE procedure.
      LAX example:
      filename pwfile "<directory-path>/sascs.pwd";
      proc pwencode in="<internal-user-password>" out=pwfile;
      run;
      filename pwfile; /*closes the file*/
    3. Move the file into the directory that you created and set the permissions for the file. Set Read permissions for the operating system group that you created and Write permissions for the operating system administrator.
      LAX example:
      sudo mv "<directory-path>/sascs.pwd" /sascs/sascs.pwd
      sudo chgrp mdlmgr /sascs/sascs.pwd
      sudo chown root /sascs/sascs.pwd
      sudo chmod 750 /sascs/sascs.pwd
      
  5. After you have completed the rest of the required post-installation configuration and verification steps, sign in to SAS Decision Manager. Then edit the start-up code so that the internal user is used for publishing to Hadoop.
    To edit the start-up code:
    1. Select Actions, then select Edit Start-up Code. The Edit Start-up Code window appears.
    2. Enter the SAS code.
      LAX example:
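      /* Read the encoded password from the first line of the password file */
      filename pwfile "<directory-path>/sascs.pwd";
      data _null_;
      infile pwfile obs=1 length=l;
      input @;
      input @1 line $varying1024. l;
      /* Store the encoded password in the _MM_Password macro variable */
      call symput('_MM_Password',substr(line,1,l));
      run;
      filename pwfile; /*closes the file*/
      /* Internal user that was created in step 1 */
      %let _MM_User=sascs@saspw;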
      
    3. Click Run Now.
    4. Click the Log tab to see the SAS log. Ensure that there are no errors in the log.
    5. Click OK. The SAS code is saved in the Edit Start-up Code window.
      Note: If you save the code without running it (by clicking OK), the code is automatically added to the header of the PublishModel.sas code that is created when models are published.
Note: The internal user should be used only to publish models from SAS Decision Manager in an environment that is authenticated by Kerberos, and should not be used to perform any other tasks. Limit access to the password file to as few users as possible.
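The following shell function is an added example, not part of the SAS documentation. It checks that the password file from step 4 has the expected owner and group, that the group cannot write to it, that other users have no access, and that its directory is writable only by the owner. It assumes GNU stat on Linux; the name audit_pwfile is hypothetical, and root, mdlmgr and /sascs/sascs.pwd are the example values used above.

```shell
#!/bin/sh
# Added example (not SAS code): audit the encoded password file from step 4.
# Assumes GNU stat (Linux). Usage: audit_pwfile FILE OWNER GROUP
audit_pwfile() {
    file=$1; want_owner=$2; want_group=$3; rc=0

    # A symlink could redirect the start-up code to a file someone else controls.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL: $file is missing, a symlink, or not a regular file"
        return 1
    fi

    owner=$(stat -c %U "$file")    # owning user
    group=$(stat -c %G "$file")    # owning group
    mode=$(stat -c %a "$file")     # octal permission bits, e.g. 750
    dir=$(dirname "$file")
    dmode=$(stat -c %a "$dir")

    [ "$owner" = "$want_owner" ] || { echo "FAIL: owner $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "FAIL: group $group, expected $want_group"; rc=1; }

    # File: no group write (0020), nothing for others (0007), no setuid/setgid/sticky (07000).
    if [ $(( 0$mode & 07027 )) -ne 0 ]; then
        echo "FAIL: file mode $mode lets the group write or others access the file"; rc=1
    fi

    # Directory: only the owner may write, otherwise the file can be replaced.
    if [ $(( 0$dmode & 0022 )) -ne 0 ]; then
        echo "FAIL: directory $dir mode $dmode is group- or world-writable"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $file ($owner:$group $mode)"
    return "$rc"
}

# Run as a script: sh audit_pwfile.sh /sascs/sascs.pwd root mdlmgr
if [ "$#" -eq 3 ]; then audit_pwfile "$@"; fi
```

Run the check after any change to the directory or to operating system group membership, because the start-up code reads the password file every time a model is published.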
Last updated: February 22, 2017