External hostname and multitenancy

m0rbid · Posted 10-08-2021 08:33 PM

So, i have set up a multitenancy sas viya environment, onboarded 4 tenants and everything is green. I can login in to the individual tenants with local hostnames and all services are onbared and my workers are connected to the controller.

However, the problem starts when exposing this to the internet trough a load balancer.

I have set up dns, followed this guide for setting external hostname How to Configure a Reverse Proxy in Front of SAS V... - SAS Support Communities

I find the request coming in in the ssl request log with correct header like so

10.245.96.228 - - [30/Sep/2021:21:15:10 +0200] develop0.****.****.****.no "GET /SASLogon/login HTTP/1.1" 200 2957 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0"
10.245.96.228 - - [30/Sep/2021:21:15:10 +0200] develop0.****.****.****.no "GET /SASLogon/resources/images/transparent.png HTTP/1.1" 304 - https://develop0.****.****.****.no/SASLogon/login "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0"
10.245.96.228 - - [30/Sep/2021:21:15:10 +0200] develop0.****.****.****.no "GET /SASLogon/resources/images/saslogo.svg HTTP/1.1" 304 - https://develop0.****.****.****.no/SASLogon/login "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0"
10.245.96.229 - - [30/Sep/2021:21:15:11 +0200] - "GET /" 302 229 "-" "-"

(i have "blurred" the actual hostname, but they are the external one

service url for viya and http are correct.

But all external tenant urls leads to the provider tenant and not the individual tenant the request stated above.

Any thoughts?

Sajid01 · Posted 10-08-2021 10:50 PM

While a proper answer would depend on your configuration details, here are some factors to be considered.
1.In a multi tenant deployment not all services are tenant specific. Services such as Apache Web Server are a part of shared services. What the individual tenants are sure to receive is a specific instance of CAS .

2.If you have configured your SAS Viya behind a reverse proxy and/or load balancer, then the external browser will only point to the reverse proxy. Any service behind the Viya Apache server will not be aware of the reverse proxy and vice versa. Thus any internal Viya service will only point to the Apache Service which may be operating from the provider tenant.
Perhaps a ticket to SAS Tech Support may be provide you with the an answer appropriate and relevant to your environment.

m0rbid · Posted 10-09-2021 08:21 AM

I'm not sure how to configure viya to live behind a reverse proxy. If i point my browser to tenant1.internal.hostname i can login with the tenant username and pass. If i point my browser to tenant1.external.hostname i get to the login page but cannot login to tenant1, only the provider tenant even tho my tenantid gets through to apache according to the request log above

Sajid01 · Posted 10-09-2021 08:45 AM

I think the best way is to approach SAS Tech Support.

gwootton · Posted 10-11-2021 08:59 AM

In a multi-tenancy configuration, SAS gets the tenant ID from the request. Given we can see the tenant ID in the request to apache I suspect Viya is not aware of the external hostname so is considering the entire hostname the base url instead of identifying the subdomain for the tenant separately.

Did you set the config/viya/sas.httpproxy.external.hostname and sas.httpproxy.external.port values using sas-bootstrap-config?

--
Greg Wootton | Principal Systems Technical Support Engineer