community
cancel
Showing results for 
Search instead for 
Did you mean: 

Dev Space

Customize & extend the power of Alteryx. SDKs, APIs, custom tools, and more!
SOLVED

Decrypting Passwords using Python SDK

Comet

Hi @TashaA

 

I'm hitting the exact same error message as @chrisha with my custom python tool created to connect to MongoDB with SSL (ca.pem key needed). My version of Designer is: 2018.2.6.51223. The tool is working nicely in Designer with either 'machine' or 'user' encryption.

 

However, my question is around the 'user' encryption on the server. I understand that I can't have someone else run my workflow on the server, but we use Windows authenication to the server and I can see that my 'Network Name' on the Alteryx Server is the same domain and user as on my Win7 laptop. However, I can't run my own workflow on the server even though it's the same 'user'. I have the password encrypted as 'user' in the GUI interface file (.html), and with decrypt_password(self.password,0) in the python engine file (.py). Both of which are in accordance with the documentation you linked.

 

Am I missing something? Seems like it should work if the same user is trying to run on the server. We have set the option to 'log on as batch job' on the server. Would that influence this result?

 

Thank you,

 

Cameron

Comet

Update - I have checked that the "Run Mode" of the workflow on the server was "Unrestricted", per the notice about "Python tools on Server":

 

https://help.alteryx.com/developer/current/Python/Overview.htm?Highlight=encryption

 

Also, that SDK document makes me think I should be using 'machine' encryption, not 'user'. But then I would need to pass the password to the workflow at run time on the server, which would mean using Interface controls (no scheduling?).

 

My server colleague has left for today, so I'll switch back to 'machine' tomorrow and try an Analytic App, but I tried with 'user' today and passed the password from an Interface text box to the custom python tool using both the masked and unmasked options. Both options returned the same error message:

 

Traceback (most recent call last): File "PyMongo SSLEngine.py", line 124, in pi_push_all_records RuntimeError: DecryptPassword only works with User and Machine encrypted passwords. (Tool Id: 9)

I see the following recommendation on the Python SDK page:

 

"Recommended for scheduling and uploading to local instances of Alteryx Analytics Gallery"

 

Is there any documentation on how that is supposed to work? Do we have to use Interface controls in an Analytic App? If so, how are we supposed to schedule the App with the password if it needs to be supplied at run time?

 

Thanks,

 

Cameron

Alteryx Alumni (Retired)

Thanks for the questions! Tagging @BlytheE , she will have the most up to date information for this use case.

Alteryx
Alteryx

The encryption methodology requires that the password decryption be done on the same machine that the encryption was done. This means that the password can not be decrypted on a different machine.

 

If you select USER mode, only the user that encrypted the password can decrypt it and it has to be on the same machine.

 

If MACHINE mode is selected, then any user on the same machine where the encryption was done can decrypt the password.

 

The HIDE mode, is not allowed, because it does not use encryption.

Comet

Hi @WilliamT,

 

So that would mean, if I'm understanding, deploying a tool with password encrypted to the Server would never work.

 

+ @BlytheE

 

I've also tried deploying the tool inside an Analytic App to the Server with the intent that the user encrypt and decrypt the password on the same machine (i.e. the Server). However, this resulted in the above "DecryptPassword only works with User and Machine encrypted passwords." error message.

 

What am I doing wrong? Is the Interface control text box with password masking causing an issue when passing that value to the custom Python tool that also does some encryption? Should I remove the encryption from the custom Python tool GUI html?

Alteryx
Alteryx

Hi @c2willis,

 

The only encryption mode that would work (if at all), is MACHINE mode and have the encryption and decryption done on the server side.  Not sure how you would be able to do that, but that is how it would have to work.

Comet

Thanks @WilliamT and @BlytheE!

 

It's my understanding that we can't schedule Apps where we pass the password to the custom python tool on the server, so that 'machine' encryption can be used on the server. Our only option would be to run an App version manually on the server. Or I'm going to try removing encryption from the custom python tool, saving the password in 'clear' text, and then encrypting the entire workflow when saving it to the server.

 

Has anyone from the Alteryx team done this? Or are we breaking new ground here?

Meteor

So is current state on this we still can't schedule anything to the Gallery using this functionality? I'm leveraging the ThoughtSpot connector (which leverages Python) and am getting the same error. I don't have the option of setting User vs Machine within this prebuilt tool.

Alteryx
Alteryx

Hi @Calliecobbs that is correct. We have determined that neither encryption type can be used on the Gallery or when scheduled because they both depend on being run by the same user, which will rarely be the case in a server environment. We are looking into ways to fix this, but I don't really have a time frame for it.