Delphix

TB066 Deletion of User on Masking Engine Removes Associated Jobs

 

 

 

Alert Type: Availability

Impact

After deleting a masking user, any jobs previously created by that user will be removed without warning. No recovery of these jobs is possible other than re-creating the jobs. Other masking objects created by a user, such as Connectors and Rulesets, are not impacted.

A masking Job definition contains a number of configuration parameters that control the execution and performance characteristics of a Job. These parameters are not saved outside the context of a Job definition. Recreating this information, particularly when many jobs are affected, could be time-intensive. 

The unexpected removal of Jobs may impact future production runs or scheduling and could lead to protracted disruptions of masking workflows:

  • Scripts or API calls that attempt to execute an affected job will fail
  • Affected jobs will be removed from any configured masking Schedules without warning.  Schedules that contain only affected jobs will not result in any scheduled execution, and no warnings or alerts will occur to indicate that a Schedule is unable to execute now-removed jobs.  Schedules that contain a mixture of affected and unaffected jobs will continue to run, but will execute only the unaffected jobs.

Contributing Factors

The issue can only occur when using one of the following Delphix Dynamic Data Platform Releases:

Major Release: 5.3

All Sub Releases: 5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.3.0, 5.3.3.1

Many customers employ a shared masking user to define configuration and control execution of jobs. The problem is less likely to occur in such configurations because there is less likelihood that a shared user would be deleted in the first place.  The issue may more commonly occur when single-sign-on (SSO) or multiple users are involved, as masking users are more often added and removed in such configurations. 

Symptoms

Previously defined jobs will be missing from the Delphix Masking application (UI), when navigating to the Environments / <environment> / Overview tab, where <environment> is the name of a configured environment on the masking engine. 

Affected jobs will be missing from the output of a REST GET operation to the /masking-jobs API endpoint.

Relief/Workaround

Do not delete masking users that have created masking jobs if such jobs need to be retained. Instead, you may lock the user.

Although neither the user interface nor the API offers a method to explicitly lock a user, it's possible to lock a user by intentionally failing to log in three times as that user with an incorrect password. The account will then be locked, and the account can only be unlocked by a masking administrator. It's possible to confirm that a user has been locked by navigating to Admin -> Users in the masking application, then selecting the edit (pencil) icon for the desired user. If the user is locked, a checkmark by the locked box will appear as in the example below:

[Image: lockeduser.png]

 

Resolution

The issue is fully resolved in 5.3.4.0 and later Delphix releases.

Additional Information

The masking user which created a particular masking Job can be displayed using a REST GET operation on the /masking-jobs API endpoint.  The response to this endpoint will have a name/value pair with a name of createdBy. The value in this pair is the masking username for the user that created the associated masking Job. For example, a response from the /masking-jobs API endpoint might include:

{
  "_pageInfo": {
    "numberOnPage": 1,
    "total": 1
  },
  "responseList": [
    {
      "maskingJobId": 3,
      "jobName": "daily_mask",
      "rulesetId": 1,
      "createdBy": "angela_sample",
      "createdTime": "2019-11-05T21:54:54.082+0000",
      "email": "asample@company.co",
      "feedbackSize": 50000,
      "jobDescription": "",
      "maxMemory": 1024,
      "minMemory": 1024,
      "multiTenant": false,
      "numInputStreams": 1,
      "onTheFlyMasking": false,
      "databaseMaskingOptions": {
        "batchUpdate": true,
        "bulkData": false,
        "commitSize": 10000,
        "disableConstraints": false,
        "dropIndexes": false,
        "disableTriggers": false,
        "numOutputThreadsPerStream": 1,
        "truncateTables": false
      },
      "failImmediately": false
    }
  ]
}

In this example, the masking user "angela_sample" is the user that created the associated Job with job name "daily_mask".

Each masking engine includes a web-based API client that can be used to make or test API calls. Using this mechanism, it's possible to enumerate masking job detail as shown in the above example:

  1. Using a Web browser, navigate to the API client URL on the desired masking engine, e.g.

    http://<server>/masking/api-client

    where <server> is the DNS name or IP address of a Delphix masking engine
  2. Select the login API endpoint, then select the POST /login operation and endpoint.
  3. In the login value field under Parameters, enter JSON text (similar to the Example shown to the right of the Value field) substituting a valid username and password credential for the masking engine. Use double quotation marks to surround each of the strings, as shown in the example.
  4. Select the "Try it out!" button.
  5. Copy/Paste the string for the "Authorization" property passed back under the green "Response Body" label. Do not copy the double quotation marks in the value of the "Authorization" property.
  6. Scroll the browser window back to the top and select the "Authorize" button at the top right of the window.
  7. In the "value" box of the Available authorizations dialog, paste the value of the Authorization property from step 5. Do not include the double quotation marks from the return value, or the subsequent steps will fail.
  8. Select the Authorize button on the Available authorizations dialog.
  9. Select the maskingJob endpoint
  10. Select the GET /masking-jobs operation and endpoint
  11. Select the "Try it out!" button in the expanded dialog for the GET /masking-jobs operation and endpoint
  12. Review the Response Body for detailed job information that includes the createdBy property detailed earlier.
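
A pre-deletion check built on the createdBy property described above, added here as an example and not part of the original Delphix article or product: it takes a saved /masking-jobs response body, lists the jobs a given user created, and keeps a copy of their full definitions. The function names and sample data are constructed, and usernames are assumed to match exactly.

```python
import json
from collections import defaultdict

# Constructed sample, shaped like the /masking-jobs response shown above
# (jobs and users other than the article's example are made up).
SAMPLE = json.loads("""
{"_pageInfo": {"numberOnPage": 3, "total": 3},
 "responseList": [
  {"maskingJobId": 3, "jobName": "daily_mask", "rulesetId": 1,
   "createdBy": "angela_sample", "maxMemory": 1024, "minMemory": 1024},
  {"maskingJobId": 4, "jobName": "weekly_mask", "rulesetId": 2,
   "createdBy": "angela_sample", "maxMemory": 2048, "minMemory": 1024},
  {"maskingJobId": 5, "jobName": "qa_refresh", "rulesetId": 1,
   "createdBy": "shared_masking", "maxMemory": 1024, "minMemory": 1024}]}
""")


def jobs_by_creator(response):
    """Group the job definitions in a /masking-jobs response by createdBy."""
    jobs = response.get("responseList", [])
    total = response.get("_pageInfo", {}).get("total", len(jobs))
    if total != len(jobs):
        # A partial page would under-report what a user owns.
        raise ValueError(f"got {len(jobs)} of {total} jobs; fetch every page first")
    owners = defaultdict(list)
    for job in jobs:
        owners[job.get("createdBy", "<unknown>")].append(job)
    return dict(owners)


def deletion_impact(response, username):
    """Return (names of jobs created by username, JSON backup of their definitions)."""
    owned = jobs_by_creator(response).get(username, [])
    names = sorted(job["jobName"] for job in owned)
    # Keep the full definitions: on affected releases they cannot be recovered
    # once the creating user is deleted, only re-created by hand.
    backup = json.dumps(owned, indent=2, sort_keys=True)
    return names, backup


if __name__ == "__main__":
    names, backup = deletion_impact(SAMPLE, "angela_sample")
    print("Jobs removed if angela_sample is deleted:", names)
    print(backup)
```

An empty list of names means the user created no jobs on that engine; a non-empty list is the set of jobs to protect by locking the user instead of deleting it.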