Security
Planning the Spawner Security
When you set up a spawner configuration, you specify login credentials or definitions in two locations:
- Login definitions in the server and spawner configuration: When you configure the spawner and server definitions on the SAS Metadata Server, you can specify certain login definitions in the configuration.
- Login credentials in the spawner's metadata configuration file: When you use a spawner to start a server, you specify a metadata configuration file that contains information to allow the spawner to access the SAS Metadata Server for server and spawner metadata information. When you create a metadata configuration file for the spawner to use to access the SAS Metadata Server, you specify a fully qualified user ID and password for connecting to the SAS Metadata Server.
Note: To simplify your configuration, use a common set of metadata server credentials for the spawner, SAS servers (if you specify the -metaprofile options), and for client programs.
The login credentials that you specify in the spawner's metadata configuration file must enable both of the following tasks:
- access the SAS Metadata Server
- view login definitions that are specified in the spawner and associated server definitions on the SAS Metadata Server.
Therefore, you must use the appropriate ID in the spawner's metadata configuration file, and use the appropriate login definitions in the server and spawner configuration.
In addition, you must define these login credentials on the appropriate authentication provider.
For details, see Understanding Spawner Authentication.
For a scenario that shows an example security setup for the spawner, see Scenario: Security Configuration for Spawner and Load-Balancing.
Understanding Spawner/Server Login Configuration and Access
In the spawner and server definitions (on the SAS Metadata Server), you can specify the following login definitions:
- operator login definition for the spawner (specified in the spawner definition).
- for SAS Stored Process Servers, multi-user login definition (specified on the Credentials tab of the server definition).
The login credentials that are used to access the SAS Metadata Server (for example, the user ID in the spawner's metadata configuration file) must be able to access the previously mentioned server and spawner login definitions in the configuration's SAS Metadata Repository. The SAS Metadata Server allows a user ID to read login definitions if either of the following conditions is true:
- The login definitions are owned by the user ID's user or group metadata identity.
- The login definitions are group (shared) login definitions that the user ID can access as part of a group metadata identity.
Note: Do not specify an unrestricted user for the user ID in the spawner's metadata configuration file.
The following table summarizes the credentials required for spawner security configuration:
Locations Where Credentials Are Specified for Spawner Configuration

| User ID or Login Definition | Location Where Credentials Are Specified | Description | Requirements |
| --- | --- | --- | --- |
| user ID in the spawner's metadata configuration file | In the metadata configuration file. Note: For an Advanced or Personal installation (using SAS Configuration Wizard), the metadata configuration file named OMRConfig.xml (located in the ObjectSpawner directory) contains the SAS Trusted User credentials. | The credentials that the spawner uses to access the metadata server. | The user ID that you specify must be able to access metadata for the operator login and, if specified, the multi-user login definition. Note: Do not specify an unrestricted user for the user ID in the metadata configuration file. |
| operator login for spawners (optional) | In the SAS Management Console spawner definition: Initialization → Operator Login. Note: For an Advanced or Personal installation (using SAS Configuration Wizard), the operator login is not specified by default. | The administrator login definition that is used to access the operator port of the spawner. | The login definition must be one of the following: |
| multi-user login for SAS Stored Process Servers | In the SAS Management Console stored process server definition: Options → Advanced Options → Credentials → Login. Note: For an Advanced or Personal installation (using SAS Configuration Wizard), the login for the SAS General Servers group is specified. | The user ID that is used to launch SAS processes on a multi-user server. | The login definition must be one of the following: |
Enabling the User ID in the Spawner's Metadata Configuration File to View Spawner/Server Login Definitions
To enable the user ID in the spawner's metadata configuration file to access the spawner and server configuration login definitions on the SAS Metadata Server, the user ID in the metadata configuration file must be one of the following:
In addition, if you are setting up load balancing, then the user ID in the spawner's metadata configuration file must be able to access (under one of the above three conditions) the user ID that you specify for the logical server credentials login definition (on the load-balancing logical server definition). For details, see Planning the Load Balancing Security.
Note: Do not specify an unrestricted user for the user ID in the spawner's metadata configuration file.
Note: For an Advanced or Personal installation (using SAS Configuration Wizard), the login in the spawner's metadata configuration file (for example, sastrust) can view the multi-user login definition for the stored process server (for example, sassrv) because the SAS Trusted User (which owns sastrust) is a member of the SAS General Servers group that owns the multi-user login definition (sassrv). With an Advanced or Personal installation, no operator login is specified.
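The read rule stated above (a user ID can read a login definition that its own identity owns, or that a group it belongs to owns) and the sastrust/sassrv note are modelled below as a pre-deployment check of a planned spawner configuration. This is an added example, not SAS code or the OMRConfig.xml format; the identity directory, the "Spawner Operators" group and the "spawner-oper" login are constructed, and nested group membership is assumed to count toward the group condition.

```python
from dataclasses import dataclass, field

@dataclass
class Identity:
    """A user or group metadata identity and the groups it is directly a member of."""
    name: str
    member_of: frozenset = field(default_factory=frozenset)
    unrestricted: bool = False

@dataclass(frozen=True)
class LoginDefinition:
    """A login definition and the metadata identity (user or group) that owns it."""
    user_id: str
    owner: str

def identities_of(user: str, directory: dict) -> set:
    """The user's own identity plus every group reachable through nested membership."""
    seen, stack = set(), [user]
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(directory[name].member_of)
    return seen

def can_read_login(reader: str, login: LoginDefinition, directory: dict) -> bool:
    """Metadata server rule: readable if owned by the reader's identity or one of its groups."""
    return login.owner in identities_of(reader, directory)

def check_spawner_config(reader: str, required: list, directory: dict) -> list:
    """Problems a planned configuration would hit: an unrestricted user in the metadata configuration file, or a required login the reader cannot view."""
    problems = []
    if directory[reader].unrestricted:
        problems.append(f"{reader} is unrestricted; the spawner must not use an unrestricted user")
    for label, login in required:
        if not can_read_login(reader, login, directory):
            problems.append(f"{reader} cannot view the {label} {login.user_id} owned by {login.owner}")
    return problems

# Constructed directory mirroring the Advanced installation note: the SAS Trusted User
# (owner of sastrust) belongs to SAS General Servers, which owns the shared sassrv login.
DIRECTORY = {
    "SAS Trusted User": Identity("SAS Trusted User", frozenset({"SAS General Servers"})),
    "SAS General Servers": Identity("SAS General Servers"),
    "Spawner Operators": Identity("Spawner Operators"),  # constructed group
    "SAS Administrator": Identity("SAS Administrator", unrestricted=True),
}
MULTI_USER_LOGIN = LoginDefinition("sassrv", owner="SAS General Servers")
OPERATOR_LOGIN = LoginDefinition("spawner-oper", owner="Spawner Operators")  # constructed
```

Running `check_spawner_config("SAS Trusted User", [("multi-user login", MULTI_USER_LOGIN)], DIRECTORY)` returns no problems, while the same check for an unrestricted reader that is not in the owning group reports both findings.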
Understanding Spawner Authentication
When you implement a spawner and server configuration, the login definitions in the spawner and server configuration, and the clients who connect to the servers, must be authenticated against the appropriate authentication provider. Depending on the type of spawner and server setup, spawner and client authentication works as follows:
Locations Where Credentials Are Authenticated

| Type of Credentials | User ID Role | Authentication Location |
| --- | --- | --- |
| standard spawner and server configuration | user ID of the operator login | no authentication |
| standard spawner and server configuration | for SAS Stored Process Servers, the user ID of the multi-user login | the host authentication provider for the SAS Stored Process Server |
| connections to standard spawner and server | the client user ID | the host authentication provider for the SAS Workspace Server or SAS Stored Process Server |
| connections to pooled server | user ID of the puddle login | the host authentication provider for the SAS Workspace Server |
| connections to pooled server | user IDs that are associated with the user metadata identities that are members of the group metadata identity that is granted access to the pool | the SAS Metadata Server's authentication provider |
| connections to pooled server | user IDs that are associated with the pool administrator | the SAS Metadata Server's authentication provider |
| load-balancing logical server configuration | user ID of the load-balancing logical server credentials | the host authentication provider for the SAS Workspace or SAS Stored Process Server and the host authentication provider for the other spawners to which it connects |
| connections to load-balancing server | the client user ID | the host authentication provider for the SAS Workspace or SAS Stored Process Server |
For details about defining users for authentication, see Implementing Authentication.
When the spawner starts the server process, the process runs under the following credentials:
- for SAS Workspace Servers, the credentials of the connecting client
- for SAS Stored Process Servers, the multi-user login credentials that are specified in the stored process server definition (Advanced Options → Credentials) in SAS Management Console.