SAS Viya deployments use credentials for accessing databases and other third-party products that require authentication. In this blog post, I will look at how this sharing of credentials is implemented in SAS Environment Manager.
In SAS Viya, domains are used to store the:
- Credentials required to access external data sources.
- Identities that are allowed to use those credentials.
There are three types of domains:
- Authentication: stores credentials that are used to access an external source that can then be associated with a caslib.
- Connection: used when the external database has been set up to require a User ID but no password.
- Encryption: stores an encryption key required to read data at rest in a path assigned to a caslib.
In this blog post we will focus on authentication domains which are typically used to provide access to data in a database management system. It is a pretty simple concept; an authentication domain makes a set of credentials available to a set of users. This allows SAS Viya to seamlessly access a resource. The diagram below shows a logical view of a domain. In this example, the domain PGAuth stores the credentials for a Postgres database, and makes those credentials available to two groups (and their members) and three users.
How does this work when a user accesses data in a database caslib? The following steps are performed:
1. Log on to SAS Viya using personal credentials: the user’s identity is established including group memberships.
2. Access a CASLIB for a database: using the user’s identity and the authentication domain of the CASLIB, Viya will look up the credentials associated with that identity in the domain.
3. Two results are possible. A credential match is:
   - Found: the credentials are passed to the database authentication provider to determine access to the data.
   - Not found: no access to the data is provided.
To manage domains in SAS Environment Manager you must be an administrator. In SAS Environment Manager select Security > Domains. There are two views available: Domains and Credentials. The Domains view lists all defined domains. You can access the credentials for a domain by right-clicking on the domain and selecting Credentials.
The Credentials view lists all defined credentials and the domains with which they are associated.
Whichever way you get to a credential, you can edit it by right-clicking and selecting Edit. In the edit dialog, you can specify the Identities (users and groups) that can use the credential, and the User ID and Password of the credential. Note that only users who are already listed in the Identities field will be able to edit this field, so make sure you are listed in this field (directly or through group membership) prior to saving.
To use an authentication domain, you reference it in the CASLIB definition. When defining a non-path based CASLIB you must select a domain to provide user credentials to connect to the database server. This can be done when creating a new CASLIB in SAS Environment Manager in the Data > Libraries area.
If you use code to create or access your caslib, use the authenticationdomain option. In this example, we specify authenticationdomain in the table.addcaslib action.
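The following is an added example, not code from the original post, of a table.addCaslib call that references the PGAuth domain described earlier instead of embedding a User ID and password. The caslib name, server, database and schema values are placeholders, and a CAS session is assumed to be active already.

```sas
/* Added example: the caslib name, server, database and schema below are  */
/* placeholders. Assumes a CAS session is already active.                 */
proc cas;
   /* The data source names the authentication domain only. No username=  */
   /* or password= option appears in the code: Viya looks up the          */
   /* credential that the PGAuth domain makes available to the identity   */
   /* running this step.                                                  */
   table.addCaslib /
      name="pgdata"
      description="Postgres caslib using the PGAuth domain"
      dataSource={
         srctype="postgres",
         authenticationdomain="PGAuth",
         server="pg.example.com",
         database="exampledb",
         schema="public"
      };

   /* Listing the source tables requires a database connection, so this   */
   /* is a quick check that the current identity can use the domain.      */
   table.fileInfo / caslib="pgdata";
quit;
```

Because the code carries only the domain name, the same program can be shared between users, and each user's access is decided by the Identities listed on the credential.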
If a user is not attached to the authentication domain directly, or through a group membership, they will not be able to access the credentials. An error will occur when they attempt to access the data.
This has been a brief look at storing and using credentials to access databases from SAS Viya. You can find more detail in the SAS Viya Administration Guide in the section titled Authentication: External Credentials.