In this post I want to depart briefly from just writing about pure authentication options. This time I want to talk about home directories. As Dorothy said, "There’s no place like home". Several SAS Viya 3.4 components require the end-user to have a home directory. Namely, SAS Cloud Analytic Services, SAS Studio 4.4, and the SAS Compute Server.
Ideally, in an enterprise environment, end-user home directories will be automatically mounted from some central file server. Meaning that your home directory will follow you around any system that you access. This enterprise class system will also account for any differences in operating system and still enable access to your files.
However, it appears a growing number of environments do not live in this idealized world. It seems quite common that end-user home directories are expected to be local to the system and not pre-created for the end-users. System administrators are relying on PAM integration tools to create home directories as end-users first log into the system. This works great if the end-users first connect to the system using SSH but fails completely when they use SAS Viya. This is because the SAS Viya components do not call all the way through the PAM stack to initialize a session.
This is covered in part in the official documentation here. This only covers one of the use cases. So, let’s examine each use case in turn.
SAS Launcher Server & SAS Compute Server
This first use case is the one addressed in the documentation. End-user’s accessing SAS Studio 5.1 or leveraging other solution components such as SAS Model Studio will have their SAS Compute Server session launched by the SAS Launcher Server. As the documentation states we can set a configuration property within SAS Configuration Server that will trigger the automatic creation of the home directory. Unfortunately, at this time there is no-way to complete this within SAS Environment Manager and SAS Bootstrap Config tool needs to be used.
First initialize the environment variables required by the SAS Bootstrap Config tool:
source /opt/sas/viya/config/consul.conf
export CONSUL_TOKEN=`cat /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/consul/default/client.token`
With the environment variables set the SAS Bootstrap Config tool can be used to set the configuration property:
/opt/sas/viya/home/bin/sas-bootstrap-config kv write --force --key config/launcher-server/global/environment/SASMAKEHOMEDIR --value 1
Optionally, the default home directory permissions 0700 can be changed as well by setting another property:
/opt/sas/viya/home/bin/sas-bootstrap-config kv write --force --key config/launcher-server/global/environment/SASHOMEDIRPERMS --value <permissions>
Where the <permissions> are the required permissions on the home directory. These permissions are specified in UNIX Octal format. So, the default 0700 permissions provide read/write/execute to the user only. If you’d like more information or to calculate the correct Octal value, try this site: http://permissions-calculator.org/. Supported values are between 0700 and 0777.
Finally restart the runlauncher operating system process, for example:
systemctl restart sas-viya-runlauncher-default
Now as end-user log into SAS Studio 5.1, so long as their POSIX user attributes include a home directory specification, their home directory will be created for them.
SAS Studio 4.4
SAS Studio 4.4 does not use the SAS Launcher Server, instead this leverages a SAS Object Spawner to launch a SAS Workspace Server as the end-user logs in. The changes above will have no impact on end-users accessing SAS Studio 4.4. However, the same environment variables can be set for the SAS Studio 4.4 users to trigger the automatic home directory creation.
For SAS Studio 4.4 users we need to edit the SAS Object Spawner launch script to set the environment variables. So, edit the file:
/opt/sas/viya/config/etc/spawner/default/spawner_usermods.sh
And add the environment variables:
export SASMAKEHOMEDIR=1
export SASHOMEDIRPERMS=<permissions>
Where the <permissions> are the required permissions on the home directory, just as we discussed above.
Then just restart the SAS Object Spawner, for example:
/etc/init.d/sas-viya-spawner-default restart
So now we have the same behavior for the SAS Studio 4.4 end-users, as they log in their home directories will be automatically created for them assuming the end-user’s POSIX attributes include a home directory specification.
SAS Cloud Analytic Services
Our final use case is SAS Cloud Analytic Services. I have left this to last as this is slightly more complex. With SAS Viya 3.4 SAS Cloud Analytic Services will not prevent end-users starting a session if they do not have a home directory but will impact the personal CASUSER caslib. In several cases we do not care about home directories for the users of SAS Cloud Analytic Services.
For the following cases it does not matter:
- Default users of the SAS Viya visual interfaces, these users authenticate with their internal OAuth token and the SAS Cloud Analytic Services session runs as the operating system account that launched the SAS Cloud Analytic Services Controller.
- Any users of distributed SAS Cloud Analytic Services with co-located HDFS, these SAS Cloud Analytic Services sessions have their personal caslib defined against HDFS and so will not be accessing the operating system files system directly.
So, the only users we are concerned about are those in the custom group CASHostAccountRequired or those accessing SAS Cloud Analytic Services from a programming client such as SAS Studio 4.4. For these end-users we might like SAS Cloud Analytic Services to be able to assign their personal caslib to their home directories to enable these end-users to store or load from their CASUSER caslib.
Unfortunately, at this time SAS Cloud Analytic Services does not make use of the two environment variables available to the SAS Foundation sessions. This will be available in the next release of SAS Cloud Analytic Services. So, for the time being if you are in this final use case you can follow the brilliant steps recommended by Paul Homes of Metacoda and platformadmin.com: https://platformadmin.com/blogs/paul/2017/04/sas-user-linux-home-dir-auto-creation/.
