Dev Space

Customize & extend the power of Alteryx. SDKs, APIs, custom tools, and more!
SOLVED

Decrypting Passwords using Python SDK

chrisha
11 - Bolide

In my plugin GUI created with the HTML GUI SDK, I have a field for passwords:

 

 

// --- main.js ---
// ...

function setupItem(manager, AlteryxDataItems, name, element, password = false) {
    // Create a new DataItem for Alteryx
    var dataItem = new AlteryxDataItems.SimpleString(name)
    dataItem.setValue("")
    dataItem.setPassword(password)

    // Add DataItem to Alteryx Manager
    manager.addDataItem(dataItem)

    // Connect input to DataItem
    element.change((event) => dataItem.setValue(element.val()))

    // If we have a password, we need to asynchronous get the password
    dataItem.registerPropertyListener('value', function(propertyChangeEvent) {
        element.val(propertyChangeEvent.value)
    })
}

Alteryx.Gui.BeforeLoad = (manager, AlteryxDataItems, json) => {
    setupItem(manager, AlteryxDataItems, "userPassword", $("#password"), true)
}
Alteryx.Gui.AfterLoad = (manager) => {}

The password is stored, persistent and I can easily use it in the HTML frontend for connecting to an API.

 

 

My backend, however, is supposed to rely on the Python SDK in which I cannot get the decrypted password:

 

 

    def pi_init(self, str_xml: str):
        """
        Called when the Alteryx engine is ready to provide the tool configuration from the GUI.
        :param str_xml: The raw XML from the GUI.
        """
        setting_tree = Et.fromstring(str_xml)

        # Getting the user-entered settings from the GUI
        self.username = setting_tree.find("userEmail").text
        self.password = self.alteryx_engine.decrypt_password(setting_tree.find("userPassword").text, 0)

        self.alteryx_engine.output_message(self.n_tool_id, Sdk.EngineMessageType.error,
                                            'Password: {}'.format(self.password))

Sending the decrypted password through the output message is certainly wrong, but used here only for testing purposes. The documentation (https://help.alteryx.com/developer/current/Python/use/AlteryxEngineClass.htm) gives me three options for the decryption. Value 0 as above does not work, yielding the error

 

Spoiler
Error: Data Hub Import (v1.0) (2): Traceback (most recent call last):
File "SKOPOSDataHubImport_v1.0Engine.py", line 43, in pi_init
RuntimeError: DecryptPassword only works with User and Machine encrypted passwords.

For values 2 and 3 I get no error, but still an encrypted password.

 

If I read @TashaA's post here correctly, the API method for decrypting passwords should be available in 2018.2 - am I missing something?

 

25 REPLIES 25
cam_w
11 - Bolide

Hi @TashaA

 

I'm hitting the exact same error message as @chrisha with my custom python tool created to connect to MongoDB with SSL (ca.pem key needed). My version of Designer is: 2018.2.6.51223. The tool is working nicely in Designer with either 'machine' or 'user' encryption.

 

However, my question is around the 'user' encryption on the server. I understand that I can't have someone else run my workflow on the server, but we use Windows authenication to the server and I can see that my 'Network Name' on the Alteryx Server is the same domain and user as on my Win7 laptop. However, I can't run my own workflow on the server even though it's the same 'user'. I have the password encrypted as 'user' in the GUI interface file (.html), and with decrypt_password(self.password,0) in the python engine file (.py). Both of which are in accordance with the documentation you linked.

 

Am I missing something? Seems like it should work if the same user is trying to run on the server. We have set the option to 'log on as batch job' on the server. Would that influence this result?

 

Thank you,

 

Cameron

cam_w
11 - Bolide

Update - I have checked that the "Run Mode" of the workflow on the server was "Unrestricted", per the notice about "Python tools on Server":

 

https://help.alteryx.com/developer/current/Python/Overview.htm?Highlight=encryption

 

Also, that SDK document makes me think I should be using 'machine' encryption, not 'user'. But then I would need to pass the password to the workflow at run time on the server, which would mean using Interface controls (no scheduling?).

 

My server colleague has left for today, so I'll switch back to 'machine' tomorrow and try an Analytic App, but I tried with 'user' today and passed the password from an Interface text box to the custom python tool using both the masked and unmasked options. Both options returned the same error message:

 

Traceback (most recent call last): File "PyMongo SSLEngine.py", line 124, in pi_push_all_records RuntimeError: DecryptPassword only works with User and Machine encrypted passwords. (Tool Id: 9)

I see the following recommendation on the Python SDK page:

 

"Recommended for scheduling and uploading to local instances of Alteryx Analytics Gallery"

 

Is there any documentation on how that is supposed to work? Do we have to use Interface controls in an Analytic App? If so, how are we supposed to schedule the App with the password if it needs to be supplied at run time?

 

Thanks,

 

Cameron

TashaA
Alteryx Alumni (Retired)

Thanks for the questions! Tagging @BlytheE , she will have the most up to date information for this use case.

wthompson
Alteryx
Alteryx

The encryption methodology requires that the password decryption be done on the same machine that the encryption was done. This means that the password can not be decrypted on a different machine.

 

If you select USER mode, only the user that encrypted the password can decrypt it and it has to be on the same machine.

 

If MACHINE mode is selected, then any user on the same machine where the encryption was done can decrypt the password.

 

The HIDE mode, is not allowed, because it does not use encryption.

cam_w
11 - Bolide

Hi @wthompson,

 

So that would mean, if I'm understanding, deploying a tool with password encrypted to the Server would never work.

 

+ @BlytheE

 

I've also tried deploying the tool inside an Analytic App to the Server with the intent that the user encrypt and decrypt the password on the same machine (i.e. the Server). However, this resulted in the above "DecryptPassword only works with User and Machine encrypted passwords." error message.

 

What am I doing wrong? Is the Interface control text box with password masking causing an issue when passing that value to the custom Python tool that also does some encryption? Should I remove the encryption from the custom Python tool GUI html?

wthompson
Alteryx
Alteryx

Hi @cam_w,

 

The only encryption mode that would work (if at all), is MACHINE mode and have the encryption and decryption done on the server side.  Not sure how you would be able to do that, but that is how it would have to work.

cam_w
11 - Bolide

Thanks @wthompson and @BlytheE!

 

It's my understanding that we can't schedule Apps where we pass the password to the custom python tool on the server, so that 'machine' encryption can be used on the server. Our only option would be to run an App version manually on the server. Or I'm going to try removing encryption from the custom python tool, saving the password in 'clear' text, and then encrypting the entire workflow when saving it to the server.

 

Has anyone from the Alteryx team done this? Or are we breaking new ground here?

Calliecobbs
8 - Asteroid

So is current state on this we still can't schedule anything to the Gallery using this functionality? I'm leveraging the ThoughtSpot connector (which leverages Python) and am getting the same error. I don't have the option of setting User vs Machine within this prebuilt tool.

BlytheE
Alteryx Alumni (Retired)

Hi @Calliecobbs that is correct. We have determined that neither encryption type can be used on the Gallery or when scheduled because they both depend on being run by the same user, which will rarely be the case in a server environment. We are looking into ways to fix this, but I don't really have a time frame for it. 

niravparikh
5 - Atom

 

Any updates to this?