"Users of SAS Studio and other SAS Viya programming clients are used to having their operating system home-directories available while they work."
Gerry Nelson, in his article SAS Viya: making user home directories available to compute
System Administrators have been dealing with this scenario for decades now, and established methods of making a personalised, secure home directory available to users now usually rely on NFS or CIFS/SMB.
Viya provides the ability to make home directories served by NFS available to applications that use the Programming Run-Time Servers (such as SAS Studio). You do this by specifying the NFS server details during deployment. If your NFS server and Identity Provider are already used to serve home directories to other applications then the documented defaults will work great – but what if that isn’t the case?
Under the covers, Viya is running in a Linux environment (within containers, within Kubernetes). Each user in Linux is assigned a unique User ID (uid). The uid is what allows a user to access their own personal home directory, among other things. Viya on its own has no idea what uid is assigned to what user, unless that information is provided by the Identity Provider. If you are leveraging an existing NFS Server backed by an Identity Provider that is already in use with that NFS Server, then there is a good chance (but no guarantee) that your Identity Provider already has the required POSIX attributes to provide the uid to Viya.
If you are using Active Directory as your Identity Provider then there is a good chance that you don’t have these attributes. In this case Viya will generate a uid (and Group ID, or gid) for each user and store it internally. This allows Viya to kick off compute sessions using the uid it has generated, but for obvious reasons nothing outside Viya knows about this uid – which means when it comes to accessing a user’s home directory on NFS, the uid will most likely not match the uid on the home directory.
But there is a problem even before we get to the matching uid problem – how does the system know it even needs to create a home directory on NFS for the user? In a traditional Linux environment this is taken care of by PAM, leveraging methods such as pam_mkhomedir. This in turn relies on the Identity Provider of the operating system. In fact this is what the earliest solution to this problem used. In Viya 3.4 a more integrated solution was provided directly in the deployment process, followed by further updates in Viya 3.5. Unfortunately, starting with Viya 2020.x these methods no longer work.
Thankfully, in November 2011 Sample 68620: Create user home directories from the identities service in SAS® Viya® 2020.x using a script was released, which provides a bash script that will extract the uid generated internally by Viya and then create home directories with the uid that Viya expects.
This script works great, but the “how to” of getting it running and integrated into your Viya Kubernetes environment is left to the user.
To install this solution you should be familiar with Kubernetes and Helm, as well as have the details of the NFS Server used during your Viya Deployment. Here is all that is needed to get this deployed:
    helm repo add selerity https://selerity.github.io/helm-charts
    helm repo update
    helm upgrade -i -n[VIYA_NAMESPACE] \
      [RELEASE_NAME] selerity/viya4-home-dir-builder \
      --set viya.base_url=[VIYA_BASE_URL] \
      --set nfs.server=[NFS_SERVER_NAME]
This will create a Kubernetes Cron Job that must be triggered manually, and when you do trigger it, it will only report on what it will do (it won’t create or update anything). This lets you view the logs to see what it would do if it were enabled. The parameters above are:
VIYA_NAMESPACE – the namespace you have deployed Viya to
RELEASE_NAME – any string you want to use as the name of this deployment
VIYA_BASE_URL – the URL to your Viya deployment
NFS_SERVER_NAME – the hostname/IP of the NFS Server you specified in your Viya deployment
    helm upgrade -i -nviya \
      thor selerity/viya4-home-dir-builder \
      --set viya.base_url=https://viya.server.com \
      --set nfs.server=mynfs.server.com
After a successful install you will be presented with instructions on how to view/trigger/etc. the Cron Job. If you are happy that the process will work correctly in your environment (after reviewing the logs of a sample run) you can enable it to create/update home directories by adding the --set dry_run=0 option on the Helm command, and if you want to enable it to run on a schedule also add the --set suspend=false option. Further details are available in the Helm Chart.
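The uid mismatch described earlier can be checked independently on a host that mounts the NFS export. The following is an added example, not the code of Sample 68620 or of the Helm chart: it compares each home directory against the uid/gid Viya is expected to use and, like the chart, only reports unless dry-run is switched off. The function name audit_homes, the "username:uid:gid" map file format and the expected mode of 700 are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example; not Sample 68620 and not the chart's code.
# Assumed map format: one "username:uid:gid" per line, "#" starts a comment.
# Requires GNU stat (Linux). Usage: audit_homes MAP_FILE HOME_ROOT [DRY_RUN]

audit_homes() {
    local map_file=$1 home_root=$2 dry_run=${3:-1}
    local user uid gid dir owner mode
    while IFS=: read -r user uid gid || [ -n "$user" ]; do
        case $user in ''|\#*) continue ;; esac
        # Refuse names that would resolve outside home_root.
        case $user in */*|.|..) echo "REJECT $user bad-name"; continue ;; esac
        # uid and gid must be plain decimal numbers.
        case $uid in ''|*[!0-9]*) echo "REJECT $user bad-uid"; continue ;; esac
        case $gid in ''|*[!0-9]*) echo "REJECT $user bad-gid"; continue ;; esac
        dir=$home_root/$user
        if [ -L "$dir" ]; then
            # A symlink could redirect a later chown; report it, never follow it.
            echo "SYMLINK $user"
        elif [ ! -d "$dir" ]; then
            if [ "$dry_run" = 0 ]; then
                mkdir -m 700 "$dir" && chown "$uid:$gid" "$dir" \
                    && echo "CREATED $user $uid:$gid"
            else
                echo "MISSING $user want=$uid:$gid"
            fi
        else
            owner=$(stat -c '%u:%g' "$dir")
            mode=$(stat -c '%a' "$dir")
            if [ "$owner" != "$uid:$gid" ]; then
                # Report only: re-owning existing data needs a human decision.
                echo "OWNER $user have=$owner want=$uid:$gid"
            elif [ "$mode" != 700 ]; then
                echo "MODE $user have=$mode want=700"
            else
                echo "OK $user"
            fi
        fi
    done < "$map_file"
    return 0
}
```

An OWNER line means the directory exists but belongs to a different uid/gid than the one in the map, which is the mismatch case the article describes; the function deliberately does not change ownership of existing directories.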
viya4-home-dir-builder: Create home directories for SAS Viya 4 Users (on Artifact Hub)
If you find any issues with our Charts or have ideas for improvements, please raise an Issue here.
Auto Creation of Linux Home Directories for SAS Users (Paul Homes)
SAS Viya 3.4 Automatic Home Directories (Stuart Rogers)
SAS Viya 3.5 Automatic Home Directories (Stuart Rogers)
SAS Viya: making user home directories available to compute (Gerry Nelson)
Sample 68620: Create user home directories from the identities service in SAS® Viya® 2020.x using a script (Greg Wootton)
SAS Viya Operations 2022.1 | Deployment | Installation | Common Customizations | Change the Location of the NFS Server (SAS)
SAS Viya Administration 2022.1 | Security | Identity Management (SAS)