Overview
This SAS KB article includes information to help an administrator troubleshoot issues with the identities load and group membership in SAS Viya. For assistance configuring the SAS Viya Identities service, see Tips for Configuring the SAS® Viya® Identities Service for LDAP.
Here is the basic flow of the identities load and group membership determination:
- The identities service connects to your LDAP provider using the properties that are set in the sas.identities.providers.ldap.connection configuration instance.
- The identities service loads users to the identities cache by fetching LDAP entries from your LDAP provider. The fetch is performed by passing a filter to LDAP that is based on the accountID and objectFilter property values that are set in the sas.identities.providers.ldap.user configuration instance.
- The identities service loads groups to the identities cache by fetching LDAP entries from your LDAP provider. The fetch is performed by passing a filter to LDAP that is based on the accountID and objectFilter values that are set in the sas.identities.providers.ldap.group configuration instance.
- The identities service determines the groups of which each user is a member by using the memberOf property value that is set in the sas.identities.providers.ldap.user configuration instance.
- The identities service determines the members (both users and groups) of each group by using the member property value that is set in the sas.identities.providers.ldap.group configuration instance.
Most users discover that there is a problem loading identities when they view the Users information in SAS® Environment Manager. For example, the listing of Users or of Groups might contain one or more of the following issues:
- The users or groups that you expect to load are not loaded.
- The Users listing might report that "No users were found."
- The Groups listing might report that "No groups were found."
- The group membership might show zero members.
To troubleshoot the cause of the behavior, it is helpful to view the configuration properties of the identities service and a log of the identities service that contains debug- and trace-level data.
Generate a Listing of Identity Configuration Property Values
For SAS® Viya® 3.3 and earlier, use the following command to return a listing of identity configuration properties. You should submit this command as a single line from a shell prompt on the machine running the SAS® Configuration Server.
$ sudo -u sas /opt/sas/viya/home/bin/sas-bootstrap-config --token-file /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/consul/default/client.token kv read --recurse config/identities > /tmp/identconfig.txt
For SAS Viya 3.4 and later, use the following commands to return a listing of configuration properties. The commands should be run as the sas user (or a user with sudo privileges) and be run on the machine running the SAS Configuration Server.
Linux:
source /opt/sas/viya/config/consul.conf
export CONSUL_HTTP_TOKEN=$(sudo cat /opt/sas/viya/config/etc/SASSecurityCertificateFramework/tokens/consul/default/client.token)
/opt/sas/viya/home/bin/sas-bootstrap-config kv read --recurse config/identities > /tmp/identconfig.txt
Windows:
"C:\Program Files\SAS\Viya\bin\sas-bootstrap-config.exe"
--token-file C:\ProgramData\SAS\Viya\etc\SASSecurityCertificateFramework\tokens\consul\default\client.token kv read
--recurse config/identities > "C:\temp\identconfig.txt"
Note: For SAS Viya 3.4 on Linux, you use three separate commands. On Windows systems, you use one command. The command should be submitted on a single line. It is displayed here on several lines for readability.
For the SAS Viya platform, use the following kubectl command to return a listing of configuration properties:
kubectl -n namespace exec -it sas-rabbitmq-server-0 -c sas-rabbitmq-server -- sas-bootstrap-config kv read --recurse config/identities > /tmp/identconfig.txt
The result helps you identify property values that might be incorrect.
Enable DEBUG- and TRACE-Level Logging
The following steps enable DEBUG- and TRACE-level logging in the identities service. These logging levels add details to the identities service log about the identities cache load and refresh, including filters passed to LDAP.
1. Log on to SAS Environment Manager as sasboot or a SAS Administrator. Opt in to the assumable group SASAdministrators.
2. Open Configuration from the Side menu.
3. From the View drop-down menu at the top left of the page, select Definitions.
4. Select logging.level from the list. A list of configuration instances then populates the right pane within SAS Environment Manager. It is easier to get an overview of the current logging levels if you click the Collapse all icon (double up arrows) that is positioned at the top right of the Configuration window.
   If configuration instances named identities: com.sas.identities and identities: org.springframework.ldap do not exist, you must create them. Continue with step 5.
   If either configuration instance already exists, confirm that identities: com.sas.identities has a level of TRACE, and identities: org.springframework.ldap has a level of DEBUG. Make changes to the logging level if needed by editing the current instance. Continue with step 5 or 8 to create new instances or to step 9 if both instances already exist.
5. Create a new configuration instance by clicking the New icon (star within a square) that is positioned at the top right of the Configuration window.
6. In the New logging.level Configuration window, click the Edit icon to edit the Services value.
   In the Choose Services window, select Identities service from the Available items column and move it to the Selected items column. Click OK.
   Set level to TRACE.
   Set name to com.sas.identities, as shown in the following screen capture:
7. Click Save to save and exit the logging.level configuration.
8. Repeat steps 4 through 7 to create a configuration instance named identities: org.springframework.ldap with a level of DEBUG.
9. Stop and then restart the identities service to force a new log file to be created.
10. Launch a new browser instance and log on to SAS Environment Manager as sasboot or a SAS Administrator. Opt in to the assumable group SASAdministrators.
11. Perform the steps that you took previously to see the errant behavior, such as an empty list of users or groups.
The identities service log should now contain debug and trace data to help troubleshoot the problem.
Note: It is important to return loggers to their previous levels after you have collected the needed data. Log files will grow rapidly in size, potentially consuming all available disk space, which can cause unexpected results and corruption.
Set the logger's level to its previous value or to INFO by editing the Configuration instance on the Configuration page in SAS Environment Manager. SAS Environment Manager does not currently support deleting a configuration instance.
Working with SAS Technical Support
If you are working with SAS Technical Support, perform the above steps and then send the following to your Technical Support case:
- The /tmp/identconfig.txt file
Note: The text file might include password values in plain text. If a password is present in the file, mask the password value before sharing the file with SAS Technical Support. There could be up to three occurrences of the password in the result set. Here is an example of a line in the result set that contains a password:
config/identities/sas.identities.providers.ldap.connection/password=Password123
- The newest identities service log. The log should be in the /opt/sas/viya/config/var/log/identities/default directory.
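The password-masking step in the note above can be scripted rather than done by hand. The following is an added example, not part of the SAS article: it assumes the dump holds one key=value entry per line, as in the sample line above, and that keys carrying a password end in a path segment containing "password"; the function names and the sample keys other than the password line are hypothetical.

```shell
#!/bin/sh
# Added example (not SAS code): mask password values in the key=value dump
# written by "sas-bootstrap-config kv read --recurse config/identities".

MASK='********'

# Mask the value of every key whose last path segment contains "password"
# (case-insensitive; an assumption based on the article's sample line).
# Everything after the first "=" is the value, so a password that itself
# contains "=" is masked in full.
mask_identconfig() {
    awk -v mask="$MASK" '
    {
        eq = index($0, "=")
        if (eq == 0) { print; next }      # not key=value: pass through
        key = substr($0, 1, eq - 1)
        n = split(key, seg, "/")
        if (tolower(seg[n]) ~ /password/) { print key "=" mask } else { print }
    }'
}

# Count password entries whose value is still not the mask (0 = safe to send).
count_unmasked() {
    awk -v mask="$MASK" '
    {
        eq = index($0, "=")
        if (eq == 0) next
        n = split(substr($0, 1, eq - 1), seg, "/")
        if (tolower(seg[n]) ~ /password/ && substr($0, eq + 1) != mask) c++
    }
    END { print c + 0 }'
}

# Constructed sample: only the password line's format comes from the article.
sample_dump() {
    cat <<'EOF'
config/identities/sas.identities.providers.ldap.connection/host=ldap.example.com
config/identities/sas.identities.providers.ldap.connection/password=Password123
config/identities/sas.identities.providers.ldap.connection/userDN=cn=svc,dc=example,dc=com
config/identities/sas.identities.providers.ldap.user/objectFilter=(objectClass=person)
EOF
}

# On a real dump, write the masked copy readable only by its owner:
#   (umask 077; mask_identconfig < /tmp/identconfig.txt > /tmp/identconfig.masked.txt)
#   count_unmasked < /tmp/identconfig.masked.txt    # expect 0
sample_dump | mask_identconfig
```

Because /tmp is readable by other local users on most systems, delete the unmasked /tmp/identconfig.txt once the masked copy has been attached to the case.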