Installation Note 68865: Secondary group identifiers are not returned by default by the identifier endpoint in SCIM configured environments
 |  |  |  |
The identities service in SAS® Viya® 2021.2.2 through 2021.2.5 introduced changes to the way that secondary group identifiers (gids) are generated and/or returned by the identifier endpoint. These changes can cause problems with file system access in any Launcher Pod that is created, because that pod will not have gids for secondary groups.
The changes impact environments where the identities service is configured to use LDAP or System for Cross-domain Identity Management (SCIM).
The behavior might go unnoticed at first because the names of secondary groups from the Identity Provider (LDAP or SCIM) show in the Member/Member Of columns on the Users page in SAS® Environment Manager. However, a GET request to the identifier endpoint might show no secondary gids. You can test this using a URL with the following format: protocol://name-of-ingress-host:port/identities/users/identity-id/identifier. Here is an example for the user viyademo1:
For SAS Viya 2021.2.2, the following configuration property controls the generation and return of secondary gids.
- If the property is not defined, the default value of false is used.
- If the property is set to false, the identities service retrieves secondary gids only for groups in LDAP that have gid values. Gids are not generated and returned for LDAP groups without gid values or for Custom groups.
- If the property is set to true, the identities service retrieves secondary gids for groups in LDAP that have gid values, and generates and returns secondary gids for LDAP groups without gid values and for Custom groups.
To change the value to true and thereby enable the generation of secondary gids, set a general Java Virtual Machine (JVM) option. You can do this in SAS Environment Manager by editing the JVM configuration instance for the identities service.
- Open the Configuration page in SAS Environment Manager.
- Select View: All services and select Identities service from the listing.
- Open the JVM configuration instance for editing.
- Select + Add property.
- Enter the following into the specified fields:
Name: java_option_identifier_loadAllSecondaryGids
Value: -Dsas.identities.identifier.alwaysGenerateSecondaryGids.enabled=true - Save the changes.
- Restart the identities service to implement the new configuration setting.
For SAS® Viya® 2021.2.3, the behavior of the sas.identities.identifier.alwaysGenerateSecondaryGids.enabled configuration property was changed, and a new property was added. Together they allow for separate control over the generation of and fetching of secondary gids.
This property was added and controls whether to fetch secondary gids that are generated for a user's identifier. Secondary gids that are already defined in LDAP are returned regardless the setting of this property:
- If the property is not defined, the default value of false is used.
- If the property is set to false, secondary gids are returned only for LDAP groups that already have gid values. Secondary gids are not returned for LDAP groups without gid values or for Custom groups.
- If the property is set to true, secondary gids that are generated for LDAP groups without gid values and for Custom groups are all returned, as well as for LDAP groups that already have secondary gids.
This property was changed to control only whether to generate (or not generate) gids for secondary group memberships.
- If the property is not defined, the default value of false is used.
- If the property is set to false, gids are not generated for LDAP groups without gid values or for Custom groups.
- If the property is set to true, the identities service generates secondary gids for LDAP groups without gid values and for Custom groups.
Note: The value of this property is relevant only if sas.identities.identifier.fetchSecondaryGids.enabled is set to true.
To change the values of these properties, set a general JVM option for the respective property. You can do this in SAS Environment Manager by editing the JVM configuration instance for the identities service:
- Open the Configuration page in SAS Environment Manager.
- Select View: All services, and select Identities service from the listing.
- Open the JVM configuration instance for editing.
- Select + Add property.
- Enter the following into the specified fields:
Name: java_option_identifier_fetchSecondaryGids
Value: -Dsas.identities.identifier.fetchSecondaryGids.enabled=true - Save the changes.
- Repeat steps 4 through 6 for the next property.
Name: java_option_identifier_GenerateSecondaryGids
Value: -Dsas.identities.identifier.alwaysGenerateSecondaryGids.enabled=true - Restart the identities service to implement the new configuration setting.
Note: The name your provide is arbitrary, though it must begin "java_option".
For SAS Viya 2021.2.5, the default value of sas.identities.identifier.fetchSecondaryGids.enabled is true. See the above description of this property.
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Viya | Linux for x64 | 2021.2.2 | Viya | ||
| Type: | Installation Note |
| Priority: | high |
| Date Modified: | 2022-04-06 07:36:41 |
| Date Created: | 2022-02-01 17:15:08 |