
SAS Viya and POSIX attributes (UID and GID)

Started ‎06-06-2023 by
Modified ‎07-14-2023 by

POSIX attributes such as UID, GID, and Secondary GID are vital elements of an operating system-level security model. In SAS Viya, POSIX attributes can often be returned from the identity provider. But what if your identity provider does not return POSIX attributes? In this post, I will look at the current default Viya behavior and how you can still use POSIX attributes to secure access to shared resources even when your identity provider does not return them.

 

The two main POSIX attributes we will focus on are UID and GID. UID and GID are the numerical equivalents of the username and primary group name referenced by the operating system and applications when determining access privileges. For example, every file and directory on a Linux system has an owning user and group.  When you want to share folders or files between groups of users or with another system you often use UID, GID, and Secondary GID information to determine who can access file system resources like SAS programs, CSV files, and SAS datasets.  In a previous blog post, I discussed securing OS resources that reside on the file system in SAS Viya 4.

 

Viya and POSIX attributes default behavior

During the lifetime of SAS Viya, there have been some changes in how POSIX attributes are returned and managed. Let's first look at the current (2023.04) defaults. The identities service is the service that manages POSIX attributes. The following properties of the identities service determine the behavior:

 

  • sas.identities.identifier.disableGids: disables the lookup and generation of GIDs for users and groups. The default value is false.
  • sas.identities.identifier.generateGids: generates GIDs for users and groups. The default value is false.
  • sas.identities.identifier.generateUids: generates UIDs for users. The default value is true.

 

The default values for a Viya Deployment can be viewed in Environment Manager or surfaced using the configuration plug-in of the sas-viya cli.

 

 

sas-viya configuration configurations show --id $(sas-viya configuration configurations list --definition-name sas.identities | jq -r '.items[0]["id"]') | grep identifier

 

 

 

 

identifier.generateUids : true
identifier.generateGids : false
identifier.disableGids : false

 

 

As you can see, by default, with SAS Viya platform 2022.10 and later releases the identities service:

  • always provides a generated UID
  • allows you, as a SAS Administrator, to provide GID values

 

In our SAS Viya Administration course environment, we have an LDAP server that can return POSIX attributes and we keep the default settings for the identities.identifier properties. Let's use the user Delilah to demonstrate the resulting behavior. In SAS Environment Manager we see that Delilah is a member of the GELCorp Power Users, HR, and SAS Users groups.

 


 

We can check the POSIX attributes of users and groups using the identities plug-in of the sas-viya CLI. Here, using the show-group command and the --show-advanced option, we see that HR has a GID of 3001, SAS Users has a GID of 2003, and Power Users has a GID of 3007. These values were read from our LDAP server because it can return the POSIX attributes and we are using the default setting identifier.generateGids : false.

 

 

sas-viya --output text identities show-group --id HR --show-advanced
sas-viya --output text identities show-group --id sasusers --show-advanced
sas-viya --output text identities show-group --id powerusers --show-advanced

 

 


 

Using the show-user command and the --show-advanced option we can see that the UID of the user Delilah is a generated value.

 

 

sas-viya --output text identities show-user --id Delilah --show-advanced

 

 


 

By default, when the UID is generated for a user, their primary GID (returned as just gid from the identifier endpoint) is always set to the same value as the UID. At first glance, this can be confusing. However, notice that the secondaryGid values are populated with the GIDs read from LDAP for the groups that the user is a member of: sasusers[2003], powerusers[3007], and HR[3001].

 

The default settings, where the GID is provided but the UID is generated, are useful when accessing data where a file system security model already exists and is built on Secondary GIDs. There might be times when the actual UID is important to the security model. In these cases, we can just update the value of identifier.generateUids to true. In our case, where LDAP does provide the POSIX attributes, the UID values will then also be read from LDAP.

 

Generating POSIX Attributes

In Viya environments where the identities service is configured to use SCIM, and in many where it is configured to use Active Directory, POSIX attributes are not returned. In this situation, where the identity provider cannot return the POSIX attributes, the SAS Viya Identities service will, for each user, automatically generate a UID and optionally a GID.

 

To generate the POSIX attributes, the identities service will:

 

  • Use the identity type (either USER or GROUP) along with the identity name (e.g., Delilah) to generate a SHA hash
  • Map the SHA hash onto a numerical space to generate the UID and GID values

 

Let’s look at the attributes for Delilah in another environment where the POSIX attributes are not available from LDAP. In this Viya on Azure environment, POSIX attributes are not available and Delilah has a slightly different group membership.

 


 

In this environment, in order to generate the POSIX attributes (UID and GID), the identities.identifier properties are set as follows.

  • identifier.generateUids : true
  • identifier.generateGids : true
  • identifier.disableGids : false

Let's look at what is returned for Delilah and the two groups. The output shows that both generated UID and GID values are returned.

 

 

sas-viya --output text identities show-user --id Delilah --show-advanced
sas-viya --output text identities show-group --id HR --show-advanced
sas-viya --output text identities show-group --id PowerUsers --show-advanced

 

 


 

The generated UID and GID values can be problematic in managing access to file system content. If your filesystem content is shared with other applications and secured using existing UID, GID, and Secondary GIDs then the generated values will not match the existing values. As a result, many SAS processes will not be able to read the filesystem content. To address this problem Viya allows an administrator to provide POSIX attributes.

 

Providing POSIX Attributes

There are two ways to use existing POSIX attributes. We have seen the first one where the attributes are read from the Identity Provider. Now we will look at the second approach where we load POSIX Attributes. POSIX attributes can be loaded to SAS Viya using the sas-viya CLI. This can be done for individual users, or you can bulk-load multiple users and groups from a CSV file.

 

The first thing we need to do if we want to switch to loading UID and GID is update the identities.identifier properties so that the POSIX attributes are not generated. In SAS Environment Manager under Configurations, select Definitions and sas.identities. Toggle identifier.generateGids and identifier.generateUids to the OFF position.

 


 

You can also make the same change using the configurations plugin of the sas-viya CLI.

 


  

If we look at Delilah after we change the properties, notice that we no longer have POSIX attributes returned. At this point, our identity provider does not return POSIX attributes and we have not loaded any to the identities service. (NOTE: the display is a little misleading; the values for the UID and GID are not actually the number zero.)

 


 

The identities plugin of the SAS Viya CLI can update individual UID/GID information. The sas-viya identities update-user command updates the UID and primary GID for a user; the update-group command updates the GID for a group. For example, to update Ahmed:

 

 

sas-viya --output text identities update-user --id Ahmed --uid 4005 --gid 2003

 

 

This is useful for updating a single user or group. Using the CLI after 2022.10, you can use the bulkload-user-identifiers command to update the UID and GID for multiple users from a CSV file. The format of the CSV file for users is:

 

  • Column 1: identity type (USER or GROUP)
  • Column 2: identity name
  • Column 3: numeric UID
  • Column 4: numeric primary GID

Here are a few lines from an example CSV.

 

 

USER,sasldap,1003,1003
USER,sasadm,2002,2002
USER,sastest1,2003,2003
USER,sastest2,2004,2003
USER,geladm,4000,2002
USER,Douglas,4001,2003
USER,Delilah,4002,2003

 

 

 

 

sas-viya --output text identities bulkload-user-identifiers -f "gelcorp_user_csv.csv"

 

 


 

Similarly, there is a bulkload-group-identifiers command. The format of the CSV file for groups is:

 

  • Column 1: identity type (USER or GROUP)
  • Column 2: identity name
  • Column 3: numeric GID

Here are a few lines from an example CSV.

 

 

GROUP,HR,3001
GROUP,Sales,3003
GROUP,Finance,3004
GROUP,Managers,3002
GROUP,powerusers,3007

 

 

To bulk-load group POSIX attributes, use bulkload-group-identifiers:

 

 

sas-viya --output text identities bulkload-group-identifiers -f "gelcorp_group_csv.csv"

 

 


 

NOTE: if you are using a release before 2022.10 this can also be accomplished with the setposixattributes.py tool of the pyviyatools.

 

 

If we run the show-user command now we will see that the UID and GID have been loaded from our CSV files to the identities service and the Secondary GIDs are available.

 

 

sas-viya --output text identities show-user --id Delilah --show-advanced

 

 


 

There is not an easy way to do this for all users using the sas-viya CLI, but we can use one of the pyviyatools, getposixidentity.py, to get a list of the attributes for all users and groups.

 

 

 /opt/pyviyatools/getposixidentity.py -o csv

 

 


 

Ongoing Maintenance

When using this model of providing UID and GID information to the identities service, the administrator needs to be aware of the ongoing maintenance task of setting the UID and GID values when a new user is added to the identity provider. Failure to override the POSIX attributes when a new user is added will most likely result in the user not being able to access resources in the Viya system.
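
A pre-load check for the bulk-load CSV files and for the maintenance task above, as an added example that is not part of the original post or of any SAS tool. It validates rows in the USER and GROUP formats described earlier, flags identities that share a numeric ID, and lists identity-provider users that have no row yet. The MIN_ID threshold and the sample names svcbatch, Hamish and Fiona are assumptions made for illustration.

```python
import csv
import io

MIN_ID = 1000  # assumption: lower IDs belong to OS and service accounts

def validate(text, kind):
    """Check rows for kind "USER" (4 columns) or "GROUP" (3); return (ids, problems)."""
    width = 4 if kind == "USER" else 3
    ids, owner, problems = {}, {}, []
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        row = [cell.strip() for cell in row]
        if not any(row):
            continue  # blank line
        if len(row) != width or row[0] != kind:
            problems.append(f"line {n}: expected {width} columns starting with {kind}")
            continue
        name, raw = row[1], row[2:]
        if not all(v.isascii() and v.isdigit() for v in raw):
            problems.append(f"line {n}: non-numeric ID for {name}")
            continue
        nums = tuple(int(v) for v in raw)
        if min(nums) < MIN_ID:
            problems.append(f"line {n}: {name} has an ID below {MIN_ID}")
        if name in ids:
            problems.append(f"line {n}: {name} is listed more than once")
        # nums[0] is the identity's own UID (users) or GID (groups); two names
        # sharing it are indistinguishable to the file system.
        if owner.setdefault(nums[0], name) != name:
            problems.append(f"line {n}: {name} shares ID {nums[0]} with {owner[nums[0]]}")
        ids[name] = nums
    return ids, problems

def missing_identifiers(idp_users, ids):
    """Identity-provider users with no UID/GID row, e.g. newly added accounts."""
    return sorted(set(idp_users) - set(ids))

# Constructed sample: svcbatch, Hamish and Fiona are invented names.
SAMPLE_USERS = """\
USER,Delilah,4002,2003
USER,Douglas,4001,2003
USER,Ahmed,4002,2003
USER,svcbatch,0,0
USER,Hamish,40x5,2003
"""

if __name__ == "__main__":
    ids, problems = validate(SAMPLE_USERS, "USER")
    print("\n".join(problems))
    print(missing_identifiers(["Delilah", "Douglas", "Ahmed", "Hamish", "Fiona"], ids))
```

Running the same check on each update to the CSV, before bulkload-user-identifiers or bulkload-group-identifiers, catches a new account that would otherwise be left without the UID and GID the shared file system expects.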

 

Wrap-up

POSIX attributes such as UID, GID, and Secondary GIDs are vital elements of an operating system-level security model. SAS Viya will often need to use POSIX attributes when accessing files on shared file systems. In this post, we looked at how Viya can access POSIX attributes. We looked at two scenarios: the first in which POSIX attributes were read from the LDAP identity provider, and the second in which POSIX attributes were not available from the identity provider. In the latter case, we saw how Viya can generate POSIX attributes and how we can override the generated values. Thank you to my colleague Stuart Rogers for his input on this post. I have listed some additional resources below. In addition to these, the Viya 4 Administration guide has an excellent section on "How to manage UIDs and GIDs with the identities service".

 

Additional Resources

SAS Viya 2022.10 UID and GID Changes

 

SAS Viya Secondary Groups & POSIX Considerations

 

Accessing AWS S3 as NFS from CAS and SAS – Part 3

 

Group-based access to Azure Files in the new SAS Viya

 
