Users of SAS Studio and other SAS Viya programming clients are used to having their operating system home-directories available while they work.
Gerry Nelson in his article SAS Viya: making user home directories available to compute
My Personal Home Directory
System Administrators have been dealing with this scenario for decades now, and established methods of making a personalised, secure home directory available to users now usually rely on NFS or CIFS/SMB.
Viya provides the ability to make home directories served by NFS available to applications that use the Programming Run-Time Servers (such as SAS Studio). You do this by specifying the NFS server details during deployment. If your NFS server and Identity Provider are already used to serve home directories to other applications then the documented defaults will work great – but what if that isn’t the case?
Behind the Scenes
Under the covers, Viya is running in a Linux environment (within containers, within Kubernetes). Each user in Linux is assigned a unique User ID (uid). This uid is what allows a user to access their own personal home directory, among other things. Viya on its own has no idea what uid is assigned to what user, unless that information is provided by the Identity Provider. If you are leveraging an existing NFS Server backed by an Identity Provider that is already in use with that NFS Server, then there is a good chance (but not guaranteed) that your Identity Provider already has the required posix attributes to provide the uid to Viya.
Active Directory
If you are using Active Directory as your Identity Provider then there is a good chance that you don’t have these attributes. In this case Viya will generate a uid (and Group ID, or gid) for each user and store it internally. This allows Viya to kick off compute sessions using the uid it has generated, but for obvious reasons nothing outside Viya knows about this uid – which means when it comes to accessing a user’s home directory on NFS, the uid will most likely not match the uid on the home directory.
Home Directories Solved?
But there is a problem even before we get to the matching uid problem – how does the system know it even needs to create a home directory on NFS for the user? In a traditional Linux environment this is taken care of by PAM, leveraging methods such as pam_mkhomedir. This in turn relies on the Identity Provider of the operating system. In fact this is what the earliest solution to this problem used. In Viya 3.4 a more integrated solution was provided directly in the deployment process, followed by further updates in Viya 3.5. Unfortunately starting with Viya 2020.x these methods no longer work.
Sample Code
Thankfully, in November 2011 Sample 68620: Create user home directories from the identities service in SAS® Viya® 2020.x using a script was released, which provides a bash script that will extract the uid generated internally by Viya and then create home directories with the uid that Viya expects.
This script works great, but the “how to” of getting it running and integrated into your Viya Kubernetes environment is left to the user.
Home Directory Solution from Selerity
To make implementing this a bit easier, Selerity have created a Helm Chart that will deploy a Cron Job into Kubernetes to maintain home directories in NFS using the uid internally generated by Viya.
To install this solution you should be familiar with Kubernetes and Helm, as well as have the details of the NFS Server used during your Viya Deployment. Here is all that is needed to get this deployed:
helm repo add selerity https://selerity.github.io/helm-charts
helm repo update
helm upgrade -i -n[VIYA_NAMESPACE] \
[RELEASE_NAME] selerity/viya4-home-dir-builder \
--set viya.base_url=[VIYA_BASE_URL] \
--set nfs.server=[NFS_SERVER_NAME]This will create a Kubernetes Cron Job that must be triggered manually, and when you do trigger it will only report on what it will do (it won’t create or update anything). This will let you view the logs to see what it would do if it was enabled. The parameters above are:
VIYA_NAMESPACE– the namespace you have deployed Viya toRELEASE_NAME– any string you want to use as the name of this deploymentVIYA_BASE_URL– the URL to your Viya deploymentNFS_SERVER_NAME– the hostname/IP of the NFS Server you specified in your Viya deployment
Example:
helm upgrade -i -nviya \
thor selerity/viya4-home-dir-builder \
--set viya.base_url=https://viya.server.com \
--set nfs.server=mynfs.server.comAfter a successful install you will be presented with instructions on how to view/trigger/etc. the Cron Job. If you are happy that the process will work correctly in your environment (after reviewing the logs of a sample run) you can enable it to create/update home directories by adding the --set dry_run=0 option on the Helm command, and if you want to enable it to run on a schedule also add the --set suspend=false option. Further details are available in the Helm Chart.
Helm Chart on ArtifactHUB
If you find any issues with our Charts or have ideas for improvements, please raise an Issue here.
References