Delphix Products

 View Only
  • 1.  Unable to connect with API session and set apiUser=true for the user (manually or Cli)

    Posted 09-29-2021 08:52:00 AM


    I am trying to connect an API session for application but its getting failed for a user then i tried to update the set apiUser=true for the user and it doesn not allow me  and though this error 

    in central mangement i don't see any option where i can set the apiuser set to true nor it allow me from cli?

    steps followed : 
    Error: Management of users on this engine has been locked down.
    Action: Use Central Management to manage users on this engine. If Central Management is not available, ask a
    system administrator to disconnect the Engine from Central Management.

    localhost> user
    localhost user> select foo
    localhost user 'foo'> ls
        type: User
        name: foo
        apiUser: false
        authenticationType: NATIVE
        enabled: true
        firstName: (unset)
        homePhoneNumber: (unset)
        isDefault: false
        lastName: (unset)
        locale: en-US
        mobilePhoneNumber: (unset)
        passwordUpdateRequest: FIRST_LOGIN
        principal: foo
        publicKey: (empty)
        reference: USER-3
        sessionTimeout: 30min
        userType: DOMAIN
        workPhoneNumber: (unset)

    localhost user 'foo'> update
    localhost user 'foo' update *> set apiUser=true
    localhost user 'foo' update *> commmit


    Himanshu Sangwan
    DevOps Lead
    Ontario Teachers' Pension Plan Board

  • 2.  RE: Unable to connect with API session and set apiUser=true for the user (manually or Cli)

    Posted 09-29-2021 01:05:00 PM
    Good Afternoon Himanshu,
     how are you?  I will set up a working session with you soon so that we work on the issue.
    thanks and talk to you soon

    Jane-Glenna Anthony
    Technical Account Manager

  • 3.  RE: Unable to connect with API session and set apiUser=true for the user (manually or Cli)
    Best Answer

    Posted 10-06-2021 11:26:00 AM
    Hello Himanshu-

    I believe this concern is now understood, but for historical reference here I'd like to explain the findings and details in case other users come across this question.

    For Engines configured in Data Control Tower to leverage the Users + Groups feature, this feature by design moves all user management to the DCT interface.  This is mentioned on the Docs page

    Once U+G feature is enabled, the intention is that user API access is now controlled through DCT, though "legacy" API access (user/pass authentication on Engine) is maintained for those users on-engine that existed at the time of enablement.  Therefore, any users with apiUser=true will retain this setting; any new users added through DCT will have apiUser=false.

    "...users with legacy API (password-based authentication to the engine API or CLI)  access using name/password will retain this access. Future API access should be configured using API Keys. "

    Engine administrators will find that a local / legacy user can toggle the apiUser flag to false to remove the local (Engine) user/pass authentication, but it is not intended to allow users to be toggled back to true.

    Sean Nothdurft
    Senior Principal Technical Support Engineer