Поделиться через


How to setup Microsoft R Server One-box configuration to support AD account via LDAP

One of my customers was asking how to setup Microsoft R Server, basically there are two options:

  1. One-box Configuration
  2. Enterprise Configuration

In this step-by-step POC tutorial, I will show you how to setup One-box configuration to support AD account via LDAP, it covers:

  1. Setup One-box configuration on Server side
  2. Configure On-box configuration to support AD via LDAP
  3. Setup Client side to connect to R Server and test it

One-box Configuration Lab Environment:

  • Microsoft R Server 9.1.0/SQLLite3.7 - SQL2016N2
  • RStudio + Microsoft R Client 3.4.1 - SQL2014Client
  • DC: SQL2014DC.Features2014DC.local
  • All same password for test only: Corp123!

Steps tested in the Lab environment:

R Server configuration (SQL2016N2):

  1. Install R 9.1.0 in en_microsoft_r_server_910_for_windows_x64_10324119.zip (From </en-us/machine-learning-server/install/r-server-install-windows> )
  2. You can find the setup log (naming convention like this: Microsoft_R_Server_20171018143405.log) in %temp% to make sure installation are completed successfully
  3. Connect and validate R Server installation locally
  • R Server runs on demand as a background process, as Microsoft R Engine in Task Manager. Server startup occurs when a client application like R Tools for Visual Studio or Rgui.exe connects to the server.
  • As a verification step, connect to the server and execute a few ScaleR functions to validate the installation.

          1) Go to C:\Program Files\Microsoft\R Server\R_SERVER\bin\x64.
           2) Double-click Rgui.exe to start the R Console application.
           3) At the command line, type search() to show preloaded objects, including the RevoScaleR package.
           4) Type print(Revo.version) to show the software version.
           5) Type rxSummary(~., iris) to return summary statistics on the built-in iris sample dataset. The rxSummary function is from  RevoScaleR.

      4.  At this point, we know the R server installation are verified locally, let's configure the server, firstly, start Admin Utility -

          CD C:\Program Files\Microsoft\R Server\R_SERVER\o16n\Microsoft.RServer.Utils.AdminUtil\

          dotnet Microsoft.RServer.Utils.AdminUtil.dll

          From </en-us/machine-learning-server/operationalize/configure-use-admin-utility>

          Note: Local 'admin' account might be sufficient when trying to operationalize with a one-box configuration since everything is running within the trust boundary, it is insufficient for enterprise configurations.

      5.  Configure Server/Configure R Server for Operationalization

           A. One-box (web+compute nodes

           B. Set admin password: Corp123! ("admin" is the default admin account for One-box configuration, once you configure to use AD account, this admin account will not be used any more)

      6.  Run Diagnostic Tests to test the configuration - /en-us/machine-learning-server/operationalize/configure-run-diagnostics

           A. Test configuration for a 'health report' of the configuration including a code execution test. Result:

clip_image001

  • Review the test results. If any issues arise, a raw report appears. You can also investigate the log files and attempt to resolve the issues.
  • After making your corrections, restart the component in question. It may take a few minutes for a component to restart.
  • Rerun the diagnostic test to make sure all is running smoothly now.

Client Configuration (SQL2014Client):

      Microsoft R Client overview:

  • R Client allows you to work with production data locally using the full set of ScaleR functions, but there are some constraints. On its own, the data to be processed must fit in local memory, and processing is capped at two threads for RevoScaleR functions. +
  • To benefit from disk scalability, performance and speed, push the compute context using rxSetComputeContext() to a production instance of Microsoft R Server (or R Server) such as SQL Server Machine Learning Services and Machine Learning Server for Hadoop. Learn more about its compatibility.+
  • You can offload heavy processing to Machine Learning Server or test your analytics during their developmentYou by running your code remotely using remoteLogin() or remoteLoginAAD() from the mrsdeploy package.

           From </en-us/machine-learning-server/r-client/install-on-windows>

     Client Install:

  1. Rstudio - https://www.rstudio.com/products/rstudio/download/

           Or Visual Studio 2015 + R Add-on - /en-us/visualstudio/rtvs/installation

      2.  Download and install Microsoft R Client at https://aka.ms/rclient/

      3.  Taking Rstudio as example, set up Rstudio to use Microsoft R, go to Tools -> Global Options -> General -> R version to point to the Microsoft R Client: [64-bit] C:\Program Files\Microsoft\R Client\R_SERVER

           Reference: https://support.rstudio.com/hc/en-us/articles/200486138-Using-Different-Versions-of-R

      4.  Now you should be able to remotelogin the R Server SQL2016N2 and test it Test remote connection in R Studio from the client machine SQL2014Client:

           Refer to /en-us/machine-learning-server/operationalize/how-to-connect-log-in-with-mrsdeploy#authentication

> # EXAMPLE: LOGIN, CREATE REMOTE R SESSION, GO TO REMOTE PROMPT

> remoteLogin("https://SQL2016N2:12800")

# here it will prompt you to enter the username: admin and its password you defined

REMOTE> x <- 10 # Assign 10 to "x" in remote session

REMOTE> ls() # List objects in remote session

[1] "x"

REMOTE> pause() # Pause remote interaction. Switch to local

> y <- 10 # Assign 10 to "y" in local session

> ls() # List objects in local session

[1] "y"

> putLocalObject(c("y")) # Loads local "y" into remote R session's workspace

> resume() # Resume remote interaction and move to remote command line

REMOTE> ls() # List the objects now in the remote session

[1] "x" "y"

REMOTE> exit # Destroy remote session and logout

>

The below flow chart shows you how the client/server interacted with local and remote R Sessions using pause and resume:

clip_image002

From </en-us/machine-learning-server/operationalize/how-to-connect-log-in-with-mrsdeploy>

Now, the client can remotelogin the R server and write R code, train a model, score a model and publish a model as a web service, it is all good, but we have give out the admin password to all R Contributors, for POC it may be ok, but in real world, we need this to support AD account, not just admin/password pair. We also need ability to categorize the permissions in different groups. Below will explain you how to do this. At high level, Microsoft R Server 9.1 supports three security roles:

  1. Administrator/Owner - this role will be the owner of the R Server who have full control of the R server, can manage any service
  2. Contributor - this role will be the contributor of the R Server who can publish web services, such as R programmers, data scientists etc
  3. Reader - this role will be the reader of the R Server who can consumes the web services, such as application developers etc

Now, let's continue to configure this One-box R Server to support AD account via LDAP.

  1. Firstly, in order to configure the R Server SQL2016N2 to use AD/LDAP, you need to add this role to the server:

clip_image003

      2.  After the feature/role installed, you need to setup it via the Setup Wizard below: More details in - https://blogs.msdn.microsoft.com/microsoftrservertigerteam/2017/04/10/step-by-step-guide-to-setup-ldaps-on-windows-server/

clip_image004

clip_image005

  • You don't have to setup SSL/TLS at this moment, because it will need appropriate certificate, I will put together another blog to configure LDAP-S, in this demo, it it just LDAP.

    3.  Now, back to AD, For demo purpose, I created the following Roles/Groups in AD (features2014dc.local) to use the R Server, you can refer to more details in https://blogs.msdn.microsoft.com/mlserver/2017/04/10/role-based-access-control-with-mrs-9-1-0/, in this demo, I created below AD groups and users:

Group: MRSAdmins - this group will be the owner of the R Server who have full control of the R server

Member: RAdmin1

Group: Rprogrammers - this group will be the contributor of the R Server who can publish web services

Member: RProgrammer1, RProgrammer2, …

Group: AppDevelopers - this group will be the reader of the R Server who consumes the web services

Member: AppDev1, AppDev2

        After you created the groups and demo users in AD, it will look like this:

clip_image006

   4.  Once this is completed, you need to setup R Server Role Configurations, you can reference to /en-us/machine-learning-server/operationalize/configure-roles (this is for Enterprise Configuration, but it is similar), or just simply follow the below steps.

   5.  Now we will need to make some changes in appsettings.json file for the web node, go to the folder (by default) C:\Program Files\Microsoft\R Server\R_SERVER\o16n\Microsoft.RServer.WebNode\

clip_image007

   6.  Find the file appsettings.json, make a backup (I made a backup file called appsettings-backup.json_for_admin as the above screenshot) of it before you making changes, just in case, so you don't need to re-configure previously completed steps, you can easily revert back to admin/password mode if you want to. Open the json file in notepad and find the section and make changes as below as the highlighted section according to your environment, I will explain it here:

  • Host - it is the IP of your DC
  • QueryUserDn - is a domain account that has permission to query Active Directory using LDAP, I am thinking a service account will be preferred here, so you don't need to update this when a user leaves the company.
  • QueryUserPassword - the domain account's password, which can be encrypted, if so, change to "QueryUserPasswordEncrypted": true
  • SearchBase - can be the parent directory where you have the groups/users created in the above step 3, in this example, all users and groups created for R Server are under the CN=Users directory.
  • In the Authorization section, add the AD groups indicating the different R Server roles.

"LDAP": {

"Enabled": true,

"Description": "Enable this section if you want to enable authentication via LDAP",

"Host": "<your_host_ip>",

"Port": 389,

"UseLDAPS": false,

"QueryUserDn": "CN=RDeployAmin,CN=Users,DC=FEATURES2014DC,DC=LOCAL",

"QueryUserPassword": "P@$$w0rd!",

"QueryUserPasswordEncrypted": false,

"SearchBase": "CN=Users,DC=FEATURES2014DC,DC=LOCAL",

"SearchFilter": "cn={0}",

"UniqueUserIdentifierAttributeName": "userPrincipalName",

"DisplayNameAttributeName": "name",

"EmailAttributeName": "mail"

},

"Authorization": {

"Owner": [ "MRSAdmins" ],

"Contributor": [ "RProgrammers" ],

"Reader": [ "App developers" ]

},

  7.  Now, go back to Admin Utility, we will need to stop web node and start web node to make the change affected.

clip_image008

      8.  Now, we can do Diagnostic Test, since it is not using AD Authentication, the original Admin would be disabled automatically, so you will need to enter the AD account to validate it, for example, you can enter the AD account: RAdmin1/Corp123! - which is the owner role of the R Server, it should work.

      9.  Local Diagnostic test passed. Great! Now, let’s test it from the Client machine SQL2014Client, in RStudio:

          Tested Owner - RAdmin1/Corp123! - it is in the MRSAdmins group in AD

clip_image009

          Tested Contributor - RProgrammer1/Corp123! - it is in Rprogrammers group in AD

clip_image010

Now you know how to make Microsoft R Server with One-box configuration to support AD account via LDAP.

References:

Role Based Access Control With MRS 9.1.0 - https://blogs.msdn.microsoft.com/mlserver/2017/04/10/role-based-access-control-with-mrs-9-1-0/

How to publish and manage R web services in Machine Learning Server with mrsdeploy - Owner/Contributors (Administrators or R Programmers) can publish R script as web service - /en-us/machine-learning-server/operationalize/how-to-deploy-web-service-publish-manage-in-r

App Developers - usually are the MSR Server Readers role, who can consume the service:

/en-us/machine-learning-server/operationalize/how-to-consume-web-service-interact-in-r

/en-us/machine-learning-server/operationalize/how-to-consume-web-service-asynchronously-batch

Thanks for reading, next, I will put up together a tutorial to configure One-box to support LDAP-S, which is LDAP over SSL/TLS.