SAS 9.1.3 Integration Technologies » Server Administrator's Guide



Scenario: Security Configuration for Spawner and Load-Balancing

The following scenario shows a recommended setup for spawner and server security. In this scenario, an object spawner runs on the server host, monitors client requests for the stored process and workspace server, and connects clients to the appropriate server process. (For a scenario that shows how to set up load-balancing security across spawners, see Scenario: Security Configuration for Load-Balancing SAS Stored Process Servers Across Two Machines).

The SAS Metadata Server contains the spawner, server, and security metadata for the load-balancing stored process server and workspace server configuration. The object spawner must connect to the SAS Metadata Server, and the metadata must be appropriately configured to enable the spawner to start the load-balancing stored process server or workspace server.

Note: The users and groups that are used in this example correspond to the users that are set up in an Advanced or Personal installation as follows:

  • UserA and usera correspond to the SAS Trusted User and its user ID (for example, sastrust).
  • GroupABC and groupabc correspond to the SAS General Servers group and its user ID (for example, sassrv).

The following diagram shows the initial security setup and process flow for the load-balancing stored process server, workspace server, and spawner configuration:

Note: On Windows, all user IDs would be machine- or domain-qualified. For example, europe\usera.

[Diagram: security for the load-balancing stored process server and workspace server]

In the previous diagram, the Object Spawner obtains the metadata information to start a load-balancing stored process server or workspace server as follows:

  1. When the spawner is started, it reads a metadata configuration file (omrconfig.xml) to access the SAS Metadata Server. This metadata configuration file specifies the location of the SAS Metadata Server and the user ID that the spawner will use to connect to the metadata server.

    In this example, the omrconfig.xml file contains the user ID usera, which is owned by the UserA user.

  2. The object spawner connects to the SAS Metadata Server using the user ID that is specified in omrconfig.xml. UserA's credentials are authenticated against the SAS Metadata Server's authentication provider.

  3. On the SAS Metadata Server, the connection from the object spawner is associated with the user metadata identity that owns the usera user ID, UserA. The spawner (as UserA) reads the metadata information for the server and spawner configurations.

    Note: The user metadata identity UserA can view both the stored process server's multi-user login credentials and the operator login (groupabc) because UserA is a member of the group metadata identity GroupABC, and GroupABC owns both of those logins.

The object spawner then has the necessary metadata to launch a workspace or stored process server. The following diagrams show the flow for a client request and a stored process server or workspace server launch.

[Diagram: client/server sequence for the SAS Configuration Wizard's load-balancing stored process server]

[Diagram: client/server sequence for the SAS Configuration Wizard's workspace server]

  1. When a client requests a server, the client is authenticated against the host authentication provider for the server.

  2. If the object spawner needs to launch a new stored process server, the object spawner uses the server's multi-user login credentials (groupabc) to launch the load-balancing stored process server.

    If the object spawner needs to launch a new workspace server, the object spawner uses the client's credentials to launch the workspace server. All further communications between the client and the server are direct, rather than through the object spawner.

Note: Because every stored process server runs under the multi-user stored process server credentials, each client that uses it can access only the information for which those shared credentials are authorized; a workspace server, by contrast, runs under the requesting client's own credentials.
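The following Python model is an added example, not SAS code, and it covers two passages above: the spawner start-up flow (steps 1 to 3, where the identity that owns the omrconfig.xml user ID determines which logins the spawner can read) and the client request flow (host authentication, then launch under the multi-user login for a stored process server or under the client's credentials for a workspace server). The identity names UserA, usera, GroupABC and groupabc come from the page; the classes, functions, the UserB identity, the client1 user and the password table are constructed for the example and do not reflect how SAS stores or checks these values.

```python
# Added example (not SAS code): a small model of the identity flow in this
# scenario. Identity names come from the page; everything else is assumed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Login:
    """A login stored in metadata: a host user ID and the metadata identity that owns it."""
    user_id: str
    owner: str


@dataclass
class MetadataServer:
    """Metadata identities, group memberships and the logins they own."""
    user_id_owner: Dict[str, str]          # host user ID -> owning metadata identity
    groups: Dict[str, Set[str]]            # group identity -> member identities
    logins: Dict[str, Login]               # login name -> Login

    def identity_for(self, user_id: str) -> str:
        # Step 3: a connection is associated with the identity that owns the user ID.
        try:
            return self.user_id_owner[user_id]
        except KeyError:
            raise PermissionError(f"no metadata identity owns user ID {user_id!r}") from None

    def visible_logins(self, identity: str) -> Dict[str, Login]:
        # An identity can view logins it owns and logins owned by groups it belongs to.
        allowed = {identity} | {g for g, members in self.groups.items() if identity in members}
        return {name: login for name, login in self.logins.items() if login.owner in allowed}


@dataclass
class Spawner:
    """Object spawner: connects with the user ID from omrconfig.xml and caches server logins."""
    omrconfig_user_id: str                 # step 1: user ID read from omrconfig.xml
    identity: Optional[str] = None
    server_logins: Dict[str, Login] = field(default_factory=dict)

    def start(self, mds: MetadataServer) -> None:
        # Steps 2 and 3: connect as the configured user ID and read what that identity may see.
        self.identity = mds.identity_for(self.omrconfig_user_id)
        self.server_logins = mds.visible_logins(self.identity)

    def launch(self, server_type: str, client_user_id: str) -> str:
        """Return the host user ID the new server process runs under."""
        if server_type == "stored_process":
            login = self.server_logins.get("multi-user")
            if login is None:
                # The spawner identity could not read the multi-user login because
                # it is not a member of the group that owns it (a misconfiguration).
                raise PermissionError(f"{self.identity} cannot view the multi-user login")
            return login.user_id
        if server_type == "workspace":
            return client_user_id
        raise ValueError(f"unknown server type {server_type!r}")


# Constructed host authentication provider (not a real one): user ID -> password.
HOST_USERS = {"client1": "pw-client1", "groupabc": "pw-sassrv", "usera": "pw-sastrust"}


def authenticate_host(user_id: str, password: str) -> bool:
    return HOST_USERS.get(user_id) == password


def handle_request(spawner: Spawner, server_type: str, client_user_id: str, password: str) -> str:
    """Client request flow: host authentication first, then launch under the right credentials."""
    if not authenticate_host(client_user_id, password):
        raise PermissionError("host authentication failed")
    return spawner.launch(server_type, client_user_id)


def build_scenario() -> MetadataServer:
    """Metadata as described in the scenario; UserB is a constructed identity outside GroupABC."""
    return MetadataServer(
        user_id_owner={"usera": "UserA", "userb": "UserB", "groupabc": "GroupABC"},
        groups={"GroupABC": {"UserA"}},
        logins={
            "multi-user": Login("groupabc", "GroupABC"),
            "operator": Login("groupabc", "GroupABC"),
        },
    )


if __name__ == "__main__":
    mds = build_scenario()
    spawner = Spawner("usera")
    spawner.start(mds)
    print(spawner.identity, sorted(spawner.server_logins))
    print(handle_request(spawner, "stored_process", "client1", "pw-client1"))
    print(handle_request(spawner, "workspace", "client1", "pw-client1"))
```

The model makes the two security points of the scenario checkable: a spawner configured with a user ID whose identity is not in GroupABC starts without the multi-user login and cannot launch a stored process server at all, and a stored process server always runs as groupabc regardless of which client asked for it, whereas a workspace server runs as the client.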