Support Personal access token method for Tableau Connection

[baruch-shteken]

Description

In Tableau Online, you can use user name and password method for REST API calls, only if you don't use MFA.
Thus, organizations that enabled MFA in Tableau, have to use Personal Access Tokens for API calls to Tableau.
However, Airflow deprecated the usage of Personal Access Tokens in airflow.providers.tableau.hooks.tableau, since there is a problem that each time you try to open a parallel connection, the previous one would be invalidated.

Use case/motivation

I would like to use the Personal Access Token method for API calls to Tableau.
I see 2 solutions that might be applicable:

1. Create 1 connection to Tableau and use that for all API calls from Airflow in a specific timeframe. I am not sure if this is feasible
2. Create a pool of tokens and for each connection to Tableau from Airflow, create a new connection id with 1 of the unused tokens. I saw that on Airflow, you can generate connection on the fly. I am not sure how to handle the token pool though

I am open to other solutions and guidance. Also, I am not sure I can submit a PR since I have never contributed to an open source project but I can try.

Related issues

No response

Are you willing to submit a PR?

• Yes I am willing to submit a PR!

Code of Conduct

• I agree to follow this project's Code of Conduct

[boring-cyborg]

Thanks for opening your first issue here! Be sure to follow the issue template!

[eladkal]

Create 1 connection to Tableau and use that for all API calls from Airflow in a specific timeframe. I am not sure if this is feasible
Create a pool of tokens and for each connection to Tableau from Airflow, create a new connection id with 1 of the unused tokens. I saw that on Airflow, you can generate connection on the fly. I am not sure how to handle the token pool though

These are not the way to go.

You need to research how Tableau Python SDK is expecting to make the connection and then add support for it from Airflow side. For example in Google we support 2 options for authentications:
https://airflow.apache.org/docs/apache-airflow-providers-google/stable/connections/gcp.html#authenticating-to-google-cloud
We can probably support any method that the SDK allows. So the action item here is to check what the SDK allows and add proper support for it from Airflow side.

[baruch-shteken]

As I understand from Tableau Python SDK docs, there are no parameters for PersonalAccessTokenAuth class that we can use to mitigate the issue.
The problem is that only 1 connection can be used for each token simultaneously.
Again, I am not sure how to solve it but Tableau Python SDK doesn't seem to hold the answer.

[baruch-shteken]

I looked at this issue again and when an authentication is made with a PAT then the site_id and credentials_token are obtained. credentials_token is valid for 4 hours and should be able to be used with parallel processes. Hence, for PATs, the Airflow code should use the obtained site_id and credentials_token after the first authentication and not create a new ones from the PATs (unless 4 hours passed)

[eladkal]

feel free to submit PR if you have a fix.
you can also write code that regenerate token before it expire. Example: #17951

[Rociogonzalez]

Hi,
I have the same problem to use Tableau with PAT. Any progress on this? Which option have you chosen?
We were thinking of putting the tasks in airflow pools and having a pool of tokens

[Michae94]

Hey, I am posting a comment here as, now, MFA is enforced on Tableau cloud. Thus, user/password is not available anymore for Tableau connection with a service account.
For now, I am using multiple token (1 for each concurrent task).

[TRBaldim]

Yeah, that is the same here. With the MFA enforced, we are using multiple tokens. But the library with the tokens is pretty broken and not even recommended by Airflow to be used. Would love to see a solution for this and ensure a better handling of this weird:

401002: Unauthorized Access
		Invalid authentication credentials were provided.

[potiuk]

Yeah, that is the same here. With the MFA enforced, we are using multiple tokens. But the library with the tokens is pretty broken and not even recommended by Airflow to be used. Would love to see a solution for this and ensure a better handling of this weird:

401002: Unauthorized Access
		Invalid authentication credentials were provided.

Yeah. submitting a PR to this one is most welcome. Also (not sure how tableau does it) but various services usually allow to generate token - usually with limited capabilities - and use it as a password when MFA is enabled (for example GitHub does it - you can authenticate with your login (which is not really needed and can be anything) and provide the token as password. Maybe (guessing) Tableau has similar feature.

[TRBaldim]

Thanks @potiuk for your comment about the generated tokens. I will check and try to keep this updated.

[baruch-shteken]

I opened a PR for this with an idea, I would like to get feedback on it 🙏

[simonprydden]

@baruch-shteken would Sign in with JSON Web Token (JWT) work with multiple connections?

[Michae94]

@baruch-shteken would Sign in with JSON Web Token (JWT) work with multiple connections?

I do think so indeed, as you could dynamically create different JWT tokens for one connected app (Airflow).
https://help.tableau.com/current/online/en-us/connected_apps_direct.htm