3 Replies Latest reply on Jan 31, 2018 12:31 PM by scott.steesy

    Tableau SDK Extract API doesn't play nice with impersonation

    scott.steesy

      If I have a Windows process running with limited privileges, and it has a thread impersonating a user.

      That thread can initialize the SDK, but if you try to create an extract it blows up.

      Seems to be a named pipe security access or timeout exception for the DLL trying to talk to the TDEServer64.exe it uses.

      I'm guessing this is because the DLL uses the normal process start API which causes the EXE to run with the same identity as my process.

      Since they are different identities the 2 side of the pipe can't talk.

       

      I haven't checked the new Extract API 2.0, but I'm going to bet it has exactly the same problem.

       

      I see two possible ways that Tableau could use to fix the SDK:

      1) Create the pipe with rights for anyone, then both identities could use it.

      2) Start the EXE process using one of the 2 windows API process start that take a user token, so that the process will run as the same user the thread is impersonating.

       

      Anyone have any ideas to work around this problem?

        • 1. Re: Tableau SDK Extract API doesn't play nice with impersonation
          Patrick A Van Der Hyde

          Hello Scott,

           

          Thank you for your feedback. This might be a good item to add to the Ideas  area as well since this is reviewed by the Product Management team for product improvements. 

           

          Regards,

           

          Patrick

          • 2. Re: Tableau SDK Extract API doesn't play nice with impersonation
            scott.steesy

            After much experimentation I have found a work around.

            1) Create a temp folder that both the process identity and impersonated identity have full rights to.

            2) In the thread with impersonation wanting to create an extract. First de-impersonate. Second call CreateExtract specifying the desired file name, but use the temp folder (from #1). Finally re-impersonate after the extract is created.

            3) Allow all other code to run as normal until the extract is complete and closed. I've had no problems doing anything to the extract once it is open no matter whom the thread is impersonating.

            4) Finally, move the created extract to the destination the calling code actually desired (and was likely only write-able by the impersonated identity.  Moving it (instead of copy) keeps the temp folder clean.

             

            FYI, I ran into another place in my program where I ran a program and it was also a problem that it got the process identity. I found that there are 4 Windows API calls for started a process. The most commonly used one does allow you to specify credentials to "run as" a user, but my process doesn't know those. But there was one that would take an identity "token", the same thing used when un-impersonating and re-impersonating. I was able to use that call to launch a process as the impersonated user.

             

            Therefore, I believe the proper fix for Tableau would be to check if the thread calling CreateExtract or OpenExtract is impersonation, and if so launch the external "server" executable just as I did, then the 2 sides of the pipe would be using the same (impersonated) identity and it should work without having to use my work around above. NOTE: the Tableau Extract API 2.0 has exactly the same problem.

            • 3. Re: Tableau SDK Extract API doesn't play nice with impersonation
              scott.steesy

              I posted my C# work combining the SDK and Extract API 2.0 as an update to my original work at DataExtract API ported to Dot.Net (C#)