SAS 9.1.3 Integration Technologies » Server Administrator's Guide



Scenario: Security Configuration for Load-Balancing SAS Stored Process Servers Across Two Machines

The following scenario shows a recommended setup for spawner and server security when load balancing across two machines. In this scenario, an object spawner runs on each server host, monitors client requests for each stored process server, and connects clients to the appropriate server process as determined by the load balancing algorithm.

The SAS Metadata Server contains the spawner, server, and security metadata for the load-balancing stored process server. The object spawner must connect to the SAS Metadata Server, and the metadata must be appropriately configured to enable each spawner to start the load-balancing stored process server.

Note: The users and groups that are used in this example correspond to the users that are set up in an Advanced or Personal installation as follows:

  • UserA (usera) corresponds to the SAS Trusted User (sastrust).
  • GroupABC (groupabc) corresponds to the SAS General Servers group (sassrv).

The following diagram shows the initial security setup and process flow for the load-balancing stored process servers and for the spawners' configuration:

Note: On Windows, all user IDs are machine- or domain-qualified. For example, europe\usera.

Diagram showing security for load-balancing across two stored process server machines

In the previous diagram, each object spawner obtains the metadata information to start a load-balancing stored process server as follows:

  1. When a spawner is started, it reads a metadata configuration file (omrconfig.xml) to access the SAS Metadata Server. This metadata configuration file specifies the location of the SAS Metadata Server and the user ID that the spawner will use to connect to the metadata server.

    In this example, the omrconfig.xml file contains the user ID usera, which is owned by the UserA user.

  2. The object spawner connects to the SAS Metadata Server using the user ID that is specified in omrconfig.xml. UserA's credentials are authenticated against the SAS Metadata Server's authentication provider.

  3. On the SAS Metadata Server, the connection from the object spawner is associated with the user metadata identity that owns the usera user ID, UserA. The spawner (as UserA) reads the metadata information for the server and spawner configurations.

    Note: The user metadata identity UserA can view the stored process server's multi-user login credentials, the operator login (groupabc), and the logical server credentials. This is because UserA is a member of the group metadata identity GroupABC, and GroupABC owns the server's multi-user login credentials, the operator login, and the logical server credentials (groupabc).

    The object spawner now has the necessary metadata to connect to other spawners and launch stored process servers.
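As an added illustration (not SAS code and not part of this guide), the following Python models the visibility rule stated in the note above: a metadata identity can read a login if it owns the login directly or is a member of the group identity that owns it. The identity and login names mirror the scenario; UserB is a hypothetical user outside GroupABC, constructed here to show the contrast, and the transitive resolution of nested group membership is an assumption that goes beyond the single-level membership the scenario describes.

```python
"""Simplified model of metadata-identity credential visibility.

Constructed illustration (not SAS code): a login is visible to a metadata
identity when that identity owns the login directly or belongs to the group
identity that owns it. Nested group membership is resolved transitively,
which is an assumption beyond the single-level membership in the scenario.
"""
from dataclasses import dataclass, field


@dataclass
class Identity:
    name: str                                    # e.g. "UserA" or "GroupABC"
    member_of: set = field(default_factory=set)  # names of group identities


@dataclass
class Login:
    user_id: str   # host user ID stored in the login, e.g. "groupabc"
    owner: str     # metadata identity (user or group) that owns the login
    purpose: str   # what the login is used for in the scenario


def effective_groups(identity_name, identities):
    """Return every group identity the identity belongs to, transitively."""
    seen, stack = set(), [identity_name]
    while stack:
        current = stack.pop()
        for group in identities[current].member_of:
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def can_view_login(identity_name, login, identities):
    """True if the identity owns the login or is in the owning group."""
    if login.owner == identity_name:
        return True
    return login.owner in effective_groups(identity_name, identities)


def visible_logins(identity_name, logins, identities):
    """Sorted, de-duplicated user IDs the identity may read from metadata."""
    return sorted({l.user_id for l in logins
                   if can_view_login(identity_name, l, identities)})


# Constructed sample metadata mirroring the scenario: UserA is a member of
# GroupABC, and GroupABC owns the multi-user, operator and logical-server
# logins. UserB is a hypothetical user that belongs to no group.
IDENTITIES = {
    "UserA": Identity("UserA", member_of={"GroupABC"}),
    "UserB": Identity("UserB"),
    "GroupABC": Identity("GroupABC"),
}
LOGINS = [
    Login("usera", "UserA", "spawner connection to the metadata server"),
    Login("groupabc", "GroupABC", "multi-user login"),
    Login("groupabc", "GroupABC", "operator login"),
    Login("groupabc", "GroupABC", "logical server credentials"),
]

if __name__ == "__main__":
    for name in ("UserA", "UserB"):
        print(name, "can read logins:", visible_logins(name, LOGINS, IDENTITIES))
```

Running the block shows that UserA can read both usera and groupabc, while UserB reads nothing: credential visibility on the metadata server follows ownership and group membership, so the spawner's identity needs exactly the memberships that expose the logins it must use and no more.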

When the first spawner has retrieved the metadata, it uses the logical server credentials and the port for its load-balancing connection to attempt to connect to the second spawner. This connection fails because the second spawner has not yet been started. When the second spawner starts and retrieves the metadata, it uses the logical server credentials and the port for its load-balancing connection to connect to the first spawner. If the connection is successful, the spawners can now load balance client requests across server processes on the two machines.

Note: The logical server credentials must be able to authenticate against the host authentication provider on both stored process servers' machines.

The following diagram shows the flow for a client request and load-balancing stored process server connection.

Diagram showing client/server sequence for SAS Configuration Wizard's load-balancing stored process server

  1. When the spawners are started, they retrieve metadata from the SAS Metadata Server, and communicate with each other to determine the load information for their respective servers.

  2. When a client requests a server, the client is authenticated against the host authentication provider for the server.

  3. The spawner returns the appropriate machine and port number to the client so that the client can connect directly to the server.

  4. If the spawner needs to launch a new stored process server, the spawner uses the server's multi-user login credentials (groupabc) to launch the load-balancing stored process server.

  5. The client connects directly to the server.

Note: Because the stored process server runs under the credentials for the multi-user stored process server, each client can only access information for which the multi-user credentials are authorized.