To use Kerberos authentication,
each SAS Decision Manager user must have a valid Kerberos
ticket to access SAS Decision Manager. However, users who
are authenticated by Kerberos cannot write the publish results files
to the SAS Content Server when publishing a model because they have
not supplied a password to SAS Model Manager. Therefore, additional
post-installation configuration steps are needed so that users can
publish models to a database or a Hadoop Distributed File System (HDFS)
from SAS Decision Manager:
-
-
-
Ensure that each user
who publishes models is part of the operating system group that you
created. Users in the Model Manager Advanced Users and Model Manager
Administrator Users groups can publish models. Therefore, it is recommended
that these users be included in the operating system group.
-
As an operating system
administrator, perform the following tasks:
-
Create a directory and
add Read permissions for the operating system group that you created.
Only the operating system administrator should have Write permissions.
-
Create an encoded password
file using the PWENCODE procedure.
LAX example:
filename pwfile "<directory-path>/sascs.pwd";
proc pwencode in="<internal-user-password>" out=pwfile;
run;
filename pwfile; /*closes the file*/
-
Move the file into the
directory that you created and set the permissions for the file. Set
Read permissions for the operating system group that you created and
Write permissions for the operating system administrator.
LAX example:
sudo mv "<directory-path>/sascs.pwd";
sudo chgrp mdlmgr /sascs/sascs.pwd
sudo chown root /sascs/sascs.pwd
sudo chmod 750 /sascs/sascs.pwd
-
After you have completed
the rest of the required post-installation configuration and verification
steps, sign in to SAS Decision Manager. Then edit the
start-up code to specify to use the internal user for publishing to
Hadoop.
To edit the start-up
code:
-
Select
ActionsEdit Start-up Code. The
Edit Start-up Code window
appears.
-
Enter the SAS code.
LAX example:
filename pwfile "<directory-path>/sascs.pwd";
data _null_;
infile pwfile obs=1 length=l;
input @;
input @1 line $varying1024. l;
call symput('_MM_Password',substr(line,1,l));
run;
filename pwfile; /*closes the file*/
%let _MM_User=sascs@saspw;
-
-
Click the Log tab
to see the SAS log. Ensure that there are no errors in the log.
-
Click OK.
The SAS code is saved in the Edit Start-up Code window.
Note: If you save the code without
running it (by clicking OK), the code is
automatically added to the header of the PublishModel.sas code that
is created when models are published.
Note: The internal user should
be used only to publish models from SAS Decision Manager
in an environment that is authenticated by Kerberos, and should not
be used to perform any other tasks. Limit access to the password file
as few users as possible.