SAS中的ODBC密码安全性
我们想从SAS代码中的ODBC连接字符串中删除硬编码的密码,并且还要防止任何密码出现在SAS日志文件中.
We want to remove hardcoded passwords from ODBC connection strings in our SAS code, and also prevent any of the passwords from appearing in the SAS log files.
似乎有很多白皮书讨论如何解决此问题,但是我要么发现它们有问题,要么无法使它们工作.
There seems to be plenty of whitepapers discussing how to go about this but I either find problems with them, or can't get them working.
每次提示用户输入PW都不可行. 另外,将密码存储在宏变量中是一种可接受的方法,只要您有一种方法可以禁止在启用MACROGEN和SYMBOLGEN选项的情况下将其打印到日志中.
Prompting the user each time for the PW is not a viable alternative. Also, storing the password in a macro variable is an acceptable approach, as long as you have a way to suppress it from printing to the log with MACROGEN and SYMBOLGEN options turned on.
尝试1-编码(给予:
{sasenc}ACFD24061BF77D7D5362EE7C2D00D08B
如果将我的纯文本密码替换为代码中的编码值,则ODBC passthrough语句可以正常运行.
If I replace my plaintext password with the encoded value in my code then the ODBC passthrough statement runs fine.
proc sql noprint;
connect to odbc as remote (datasrc=cmg_report user=myuser password='{sasenc}68B279564BD2695538CDCDB301E8A357563480B0');
create table sqlo as
select *
from connection to remote
(
select top 1 * from application
)
;
disconnect from remote;
quit;
并且日志正确掩盖了带有XXXXXXX的值.
And the log correctly masks out the values with XXXXXXXs.
961 proc sql noprint;
962 connect to odbc as remote (datasrc=cmg_report user=&user_cmg password=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX);
963 create table sqlo as
964 select *
965 from connection to remote
966 (
967 select top 1 * from application
968 )
969 ;
971 quit;
NOTE: Table WORK.SQLO created, with 1 rows and 29 columns.
NOTE: PROCEDURE SQL used (Total process time):
real time 0.34 seconds
cpu time 0.01 seconds
上述方法的问题在于,如果某人可以访问该代码,则可以使用加密密码登录,而无需知道纯文本密码.因此,尽管它隐藏了实际的密码,但它不提供安全性.对我来说似乎很傻,还是我想念一些东西? 编辑:如果您的ODBC密码恰好在其他地方使用,则可以提供一定的安全性.
The problem with the above approach is that if someone has access to the code, they can login using the encrypted password, without needing to know the plain text password. So while it hides the actual password it doesn't provide security. Seems kind of silly to me or am I missing something? This provides some security if your ODBC password happens to be used elsewhere, that's about it though.
尝试2-使用符号(链接到这里白皮书)
与此有关的问题是,我根本无法获得所描述的在SAS中工作的技术.我在XP上运行SAS 9.2,试图连接到SQL Server数据库.
The problem with this is that I simply can't get the technique described to work in SAS. I'm running SAS 9.2 on XP, trying to connect to an SQL Server DB.
%let my_password = password;
proc sql noprint;
connect to odbc (dsn=cmg_report uid=myuser pwd=symget('my_password'));
create table sqlo as
select *
from connection to remote
(
select top 1 * from application
)
;
quit;
我收到以下消息,提示登录失败:
I get the below message saying that the login failed:
1034 proc sql noprint;
1035 connect to odbc (dsn=cmg_report uid=myuser pwd=XXXXXX('my_password'));
ERROR: CLI error trying to establish connection: [Microsoft][SQL Server Native Client 10.0][SQL
Server]Login failed for user 'myuser'.
似乎正在尝试使用"symget"作为实际密码(因为它已在日志中被屏蔽).对此白皮书有一些回应,说将symget包装在%sysfunc调用中,但是symget()函数是SAS在%sysfunc调用中不允许的少数函数之一,所以我不知道怎么可能
It looks like it is trying to use "symget" as the actual password (as it has been masked out in the log). There are some responses to this whitepaper saying to wrap the symget in a %sysfunc call but the symget() function is one of the few functions that SAS does not allow within a %sysfunc call so I don't see how that could be possible.
任何其他提示/建议/想法将不胜感激.
Any other tips/suggestions/ideas would be much appreciated.
谢谢
编辑:如果有一种在打开options symbolgen macrogen的情况下可以执行此操作的技术,那就特别好.
It would be especially good if there was a technique to do this that worked with options symbolgen macrogen turned on.
Rob,我们遇到了一个类似的问题,并提出了一种不同的方法,该方法允许我们所有的团队成员在没有ID/密码的情况下运行同一程序存储在程序中.它要求每个团队成员都有一个安全存储的文本文件(SAS不能访问,除了所有者以外没有其他权限).
Rob, we ran into a similar issue and came up with a different method that allows all of our team members to run the same program without having our id/passwords stored in the programs. It requires that each team member have a text file stored safely (no permissions except for owner) that SAS can access.
以下是ID/PW文件内容的示例:
Here is an example of contents of an ID/PW file:
machine odbc login XX_odbc_id_XX password XXodbc_pw_XX
machine oracle login XX_oracle_id_XX password XX_oracle_pw_XX
我们在UNIX服务器上运行,因此我们将锁定的个人id/pw文件存储在我们的主目录中,因此没有其他人可以访问它,在这种情况下,该文件名为".netrc".该线程末尾的宏应存储在某个位置,然后程序将如下所示:
We operate on a UNIX server, so we store our indivual id/pw files locked up in our home directory so no one else can access it, in this case it is named ".netrc". The macros at the end of this thread should be stored somewhere, then the program would look like the following:
%let id_pw_text_file = ~/.netrc;
%ODBC_Acct;
proc sql;
%ODBC_Connect
create table sqlo as
select * from connection to odbc
(
/* [ Insert ODBC query here ] */
);
%ODBC_Disconnect
quit;
run;
我试图修改宏以使其在您的环境中工作,并删除了许多特定于我们系统的代码,但是显然我无法对其进行测试以确保其正常工作.如果您有问题,请告诉我,我们将尽力解决.希望这会有所帮助.
I tried to revise the macros to work in your environment and to remove a lot of code specific to our systems, but obviously I wasn't able to test it to make sure it works. Let me know if you have an issue and I'll try to help fix it. Hope this helps.
/*********************************************************************
* Name: ODBC_Acct *
* Desc: Set global macro vars containing a users ODBC username *
* and password. Retrieves this information from a users *
* specific ID/PW file. *
*********************************************************************/
%macro ODBC_Acct( mprint );
%local __mprint __symbolgen __mlogic;
%if ( %length( &mprint ) = 0 ) %then %let mprint = NO;
%if ( %upcase( &mprint ) = NO ) %then %do;
%let __mprint = %sysfunc( getoption( mprint ));
%let __symbolgen = %sysfunc( getoption( symbolgen ));
%let __mlogic = %sysfunc( getoption( mlogic ));
options nomprint nosymbolgen nomlogic;
%end;
%global odbc_user odbc_pw;
%Get_ID_PW( &id_pw_text_file , odbc , odbc_user , odbc_pw )
%if ( %upcase(&__mprint) ne NOMPRINT ) %then %do;
options &__mprint &__symbolgen &__mlogic;
%end;
%mend;
/*********************************************************************
* Name: ODBC_Connect, ODBC_Disconnect *
* Desc: Returns SAS/Access connect or disconnect statements *
* for accessing ODBC. *
*********************************************************************/
%macro ODBC_Connect( mprint=no );
%local __mprint __symbolgen;
%if ( %upcase(&mprint) = NO ) %then %do;
%let __mprint = %sysfunc( getoption( mprint ));
%let __symbolgen = %sysfunc( getoption( symbolgen ));
options nomprint nosymbolgen;
%end;
connect to odbc as remote (
datasrc=cmg_report
user = "&odbc_user"
password = "&odbc_pw"
);
%if ( %upcase(&__mprint) ne NOMPRINT ) %then %do;
options &__mprint &__symbolgen;
%end;
%mend;
%macro ODBC_Disconnect;
disconnect from odbc;
%mend;
/*******************************************************************************
* Name: GetID_PW *
* Desc: Get loginid and password from a secured file *
*------------------------------------------------------------------------------*
* Arguments: *
* 1st Required. Source file containing IDs and passwords. *
* 2nd Required. Host id. *
* 3rd Required. Specify the macro variable to put the loginid. *
* 4th Required. Specify the macro variable to put the password. *
*------------------------------------------------------------------------------*
*******************************************************************************/
%macro Get_ID_PW( source , rhost , usrvar , pw_var );
%let source_file = &source
%if ( %sysfunc( fileexist( &source_file ) ) ) %then %do;
%let rc = %sysfunc( filename( dummy , &source_file ) );
%let fid = %sysfunc( fopen( &dummy ) );
%do %while( %sysfunc( fread( &fid ) ) = 0 );
%let rc = %sysfunc( fget( &fid , inrec , 500 ) );
%let machine = %scan( &inrec , 2 , %str( ) );
%if ( %upcase( &machine ) = %upcase( &rhost ) ) %then %do;
%let &usrvar = %scan( &inrec , 4 , %str( ) );
%let &pw_var = %scan( &inrec , 6 , %str( ) );
%goto Break;
%end;
%end;
%Break: %*;
%let rc = %sysfunc( fclose( &fid ) );
%let rc = %sysfunc( filename( dummy ) );
%end;
%else %do;
%put ::: ID/PW file "&source_file" not found;
%end;
%mend;