1 Reply Latest reply on Jan 10, 2019 5:18 AM by Dan Redican

    401: Unauthorized after upgrade to 2018.3.2

    Dan Redican

      Hi All,

       

      After upgrading to 2018.3.2 VizAlerts has stopped working; the error "401 Client Error: Unauthorized for the url http://<server>/vizportal/api/web/v1/signin?path=<original_request_path>" is received when running VizAlerts.

       

      Tableau is setup to use kerberos, and trusted tickets work fine via the URL if I visit them in a browser.

       

      No issues with 2018.3

       

      If I visit either URL in a web browser it appears to work.

       

      I can see that in the release notes for 2018.3.1 there were a number of security related changes applied.

        • 1. Re: 401: Unauthorized after upgrade to 2018.3.2
          Dan Redican

          I snooped the http requests between a browser and Tableau, and got viz_alerts running on my local workstation again using;

           

          Changed export_view

           

          # build final URL
          non_trusted_url = u'http://' + server + '/vizportal/api/web/v1/auth/kerberosLogin?path=' + urllib.quote(sitepart + u'/views/' + viewurlsuffix + extraurlparameter + formatparam)

          url = protocol + u'://' + server + u'/trusted/' + ticket + sitepart + u'/views/' + viewurlsuffix + extraurlparameter + formatparam

          if force_refresh:

            url = url + u'&:refresh=y'  # force a force_refresh of the data--we don't want alerts based on cached (stale) data
             non_trusted_url = non_trusted_url + urllib.quote(u'&:refresh=y')

           

          log.logger.debug(u'Getting vizdata from: {}'.format(non_trusted_url))

           

          Then replaced the actual request code with;

           

          response = requests.get(non_trusted_url, auth=HTTPKerberosAuth(), verify=False, timeout=timeout_s)

           

          Where HTTPKerberosAuth is referenced via:

           

          from requests_kerberos import HTTPKerberosAuth, OPTIONAL

           

          (pip install requests-kerberos)

           

          Note that I cannot reference the trusted ticket url directly - this always throws a 302 error (although I'll investigate that next).

           

          Hope this helps towards finding a solution - I'm going to struggle with this in prod as will need to work out which credentials the linux host uses.