Authentication for SAS® Cloud Analytic Services for SAS® Viya® 3.x in a Linux environment


This SAS KB article describes the basic concepts of authenticating for SAS Cloud Analytic Services (CAS) for SAS Viya 3.x in a Linux environment. The article also discusses how CAS session processes run, depending on the type of authentication that is used to start them, and also advanced authentication and user settings.

Understanding CAS authentication and the process launch default configuration on Linux for SAS Viya 3.x full deployments

If you use SAS Viya web applications, such as SAS® Environment Manager, SAS® Visual Analytics, and SAS® Studio (Enterprise) (SASStudioV), you authenticate to CAS with an OAuth token that is obtained during your initial login through SAS Logon Manager (SASLogon). The OAuth token contains only information such as your identity and group memberships, not your login password. CAS sessions started from applications that present OAuth tokens for CAS authentication are run in processes owned by the CAS server user (by default, this user is "cas"). In this article, this authentication path is called CAS authentication from visual interfaces. Although SAS Studio (Enterprise) is used for programming, it is included here because CAS authentication works in the same way from the SAS Studio (Enterprise) application as from these visual interfaces.

However, if you use SAS Studio (Basic) (SASStudio), you do not authenticate through SAS Logon Manager and do not obtain OAuth tokens that are sent to CAS for authentication. Instead, when CAS sessions are started in SAS Studio (Basic), the credentials that are used to log in to SAS Studio are sent to CAS. CAS uses these credentials to authenticate the user with SAS Logon Manager and also with the pluggable authentication module (PAM) on the CAS controller host machine. In this case, the CAS session processes run under the end-user identity. The same concepts apply from any CAS client where a user name and password are sent directly to CAS for authentication. Examples are when an authinfo file is used for authentication from SAS® 9.4 or SPRE clients, when credentials are entered in SAS® Enterprise Guide® to authenticate to the object spawner in SAS Viya, or when credentials are sent from Python or Lua programs to CAS. In this article, this authentication path is called CAS authentication from programming interfaces.


Authentication path: Visual interfaces (including SASStudioV)
  Where user authentication occurs: LDAP configured in the Identities configuration settings in SAS Viya
  The CAS session processes run as: cas (or custom casenv_user)
  File system access from CAS processes is performed by: cas (or custom casenv_user)
  End-user host account required on CAS hosts?: No
  CASUSER caslib path: /opt/sas/viya/config/data/cas/default/casuserlibraries/user-name

Authentication path: Programming interfaces (SAS Studio [Basic] and any client that provides the user name and password directly to CAS)
  Where user authentication occurs: LDAP configured in the Identities configuration settings in SAS Viya, and PAM authentication on the CAS controller host. The user name and password must match at both authentication points, which is why PAM is configured to use the same LDAP as the Identities settings.
  The CAS session processes run as: The end user
  File system access from CAS processes is performed by: The end user
  End-user host account required on CAS hosts?: Yes
  CASUSER caslib path: $HOME/casuser

Using the CASHostAccountRequired custom group to run CAS session processes under end-user identities

If you are a user of visual interfaces and need your CAS sessions to run under your own host identity instead of the cas user, a SAS Administrator can create the CASHostAccountRequired custom group in the Users administration area of SAS Environment Manager and then add your user identity to the membership of the newly created CASHostAccountRequired custom group. Here are common reasons for this setting:

When users are added to the CASHostAccountRequired group, the authentication path for visual interfaces from the chart above changes, as shown here:

Authentication path: Visual interfaces (including SASStudioV)
  Where user authentication occurs: LDAP configured in the Identities configuration settings in SAS Viya
  The CAS session processes run as: The end user
  File system access from CAS processes is performed by: The end user
  End-user host account required on CAS hosts?: Yes
  CASUSER caslib path: $HOME/casuser


For more information, refer to The CASHostAccountRequired Custom Group in SAS® Viya® 3.5 Administration.

Disabling PAM authentication in CAS

If it is not possible to configure a PAM service such as the System Security Services Daemon (SSSD) on the CAS hosts so that user lookup and authentication are performed in the same LDAP that is used by the Identities service in SAS Viya, you can disable PAM authentication by setting the following property in the casconfig_usermods.lua file (located in /opt/sas/viya/config/etc/cas/default/):

cas.provlist='oauth'

After you set the property, restart sas-viya-cascontroller-default. The authentication path for programming interfaces from the chart above changes, as shown here:

Authentication path: Programming interfaces (SAS Studio [Basic] and any client that provides the user name and password directly to CAS)
  Where user authentication occurs: LDAP configured in the Identities configuration settings in SAS Viya
  The CAS session processes run as: cas (or custom casenv_user)
  File system access from CAS processes is performed by: cas (or custom casenv_user)
  End-user host account required on CAS hosts?: No
  CASUSER caslib path: /opt/sas/viya/config/data/cas/default/casuserlibraries/user-name
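The programming-interface path above only works when the end-user account resolves on the CAS controller host and $HOME/casuser is owned by that user, unless PAM has been disabled with cas.provlist='oauth'. The following preflight script is an added example, not a SAS-supplied tool; it assumes a Linux CAS controller host where user lookup goes through NSS/PAM (getent) and uses the casconfig_usermods.lua location given in this article.

```shell
#!/bin/sh
# Preflight checks for the CAS programming-interface authentication path
# (added example, not a SAS script). Assumes a Linux CAS controller host
# where getent reflects the same LDAP/PAM user source that CAS will use.

# Does the end-user host account resolve on this host? Required whenever
# CAS session processes run under the end-user identity.
host_account_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Home directory of a host account, taken from its passwd entry.
home_dir_of() {
    getent passwd "$1" | cut -d: -f6
}

# Is <home>/casuser present and owned by the user? "find -prune -user"
# prints the path only when the owner matches, so non-empty output means
# the CASUSER directory has the right owner.
casuser_dir_ok() {
    dir="$1/casuser"
    [ -d "$dir" ] || return 1
    [ -n "$(find "$dir" -prune -user "$2" 2>/dev/null)" ]
}

# Has PAM authentication been disabled with cas.provlist='oauth' in the
# given casconfig_usermods.lua? If so, programming-interface sessions run
# as the cas user and no end-user host account is needed.
pam_disabled_in() {
    grep -Eq "^[[:space:]]*cas\.provlist[[:space:]]*=[[:space:]]*['\"]oauth['\"][[:space:]]*$" "$1" 2>/dev/null
}

# Report for one user; run on the CAS controller host. Second argument
# overrides the default config path (used by tests with a constructed file).
check_user() {
    conf="${2:-/opt/sas/viya/config/etc/cas/default/casconfig_usermods.lua}"
    if pam_disabled_in "$conf"; then
        echo "$1: PAM disabled, session runs as cas user; no host account needed"
        return 0
    fi
    host_account_resolves "$1" || { echo "$1: no host account; PAM login would fail"; return 1; }
    if casuser_dir_ok "$(home_dir_of "$1")" "$1"; then
        echo "$1: ok"
    else
        echo "$1: casuser directory missing or not owned by the user"; return 2
    fi
}
```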

Changing the CASUSER path

For the authentication paths listed above where the default CASUSER file system path is $HOME/casuser, an administrator can customize the file system path by setting the env.CASMAKEHOMEDIR and env.CASHOMEDIRLOC options in the casconfig_usermods.lua file and then restarting sas-viya-cascontroller-default.

Example settings for casconfig_usermods.lua are as follows:

Note: These options are available only in SAS Viya 3.5.

With these settings in place, directories are created for CAS session processes that run under end-user identities in /opt/customhome. If the directories already exist at this path, the existing directories are used. The full CASUSER path is /opt/customhome/user-name/casuser. These directories are owned by the end user.

For the authentication paths listed above where the default CASUSER file system path is /opt/sas/viya/config/data/cas/default/casuserlibraries/user-name, an administrator can customize the file system path by setting export SASUSERLOCDIR=path/%USER in /opt/sas/viya/config/etc/sysconfig/cas/default/sas-cas-usermods and restarting sas-viya-cascontroller-default.

Here is an example setting in sas-cas-usermods:

export SASUSERLOCDIR=/mnt/customhome/%USER

With this setting in place, directories are created for CAS session processes that run under the cas user identity in /mnt/customhome. If the directories already exist at this path, the existing directories are used. The full CASUSER path is /mnt/customhome/user-name, where the user name is supplied by the OAuth token that CAS received for authentication. These directories are owned by the cas user (or custom casenv_user).

The same concepts apply to multitenant CAS environments. However, the tenant CAS configuration files are found under /opt/sas/tenant-name and the CAS server start/stop script is sas-tenant-name-cascontroller-default.

For more information, refer to Authentication: Concepts in SAS® Viya® 3.5 Administration.