Security issue with TM1 REST API

Bhavana
Posts: 9
Joined: Mon Jun 22, 2020 9:50 pm
OLAP Product: Planning Analytics
Version: 2.0.9
Excel Version: 32 bit

Security issue with TM1 REST API

Post by Bhavana » Tue Jun 23, 2020 6:58 am

Hi All,

We noticed that users are able to cancel threads using the TM1 REST API without having permission to the OperationsAdmin or Admin group.

Based on the IBM note below, only OperationsAdmin should be able to do so.

https://www.ibm.com/support/knowledgece ... group.html


How can we restrict access to the TM1 REST API? We need your quick help on this.

Planning Analytics version: 2.0.9

Regards
Bhavana

Steve Rowe
Site Admin
Posts: 2051
Joined: Wed May 14, 2008 4:25 pm
OLAP Product: TM1
Version: 10.2.2, PAW
Excel Version: Nearly all of them

Re: Security issue with TM1 REST API

Post by Steve Rowe » Tue Jun 23, 2020 7:15 am

Couldn't you amend your REST API code to test if the user was in the appropriate group?

Bhavana
Posts: 9
Joined: Mon Jun 22, 2020 9:50 pm
OLAP Product: Planning Analytics
Version: 2.0.9
Excel Version: 32 bit

Re: Security issue with TM1 REST API

Post by Bhavana » Tue Jun 23, 2020 7:33 am

Hi Steve,

Thanks for prompt reply!

We are in the starting phase of using this REST API. Before using it we wanted to set the security in Architect so that in future we can extract the data based on the operations group. One of our developers reported that he can cancel the threads without proper permission. We even extracted the Admin and OperationsAdmin access from ClientGroups and noticed that none of the users has access to OperationsAdmin, but a few of the users have other group access for accessing data in TM1 cubes.

How can we test via the REST API whether the user has access to the appropriate group? Any support link would be of more help to us to check on this.

David Usherwood
Site Admin
Posts: 1411
Joined: Wed May 28, 2008 9:09 am

Re: Security issue with TM1 REST API

Post by David Usherwood » Tue Jun 23, 2020 9:16 am

Working with TM1py I have found the REST API to honour security pretty well. Can you check your scripts to see whether you are using admin access? If you are not, please raise a ticket with IBM.

Bhavana
Posts: 9
Joined: Mon Jun 22, 2020 9:50 pm
OLAP Product: Planning Analytics
Version: 2.0.9
Excel Version: 32 bit

Re: Security issue with TM1 REST API

Post by Bhavana » Tue Jun 23, 2020 9:22 am

Thanks David!

No, we are not using admin access in our scripts. Sure, we will raise a ticket with IBM.

David Usherwood
Site Admin
Posts: 1411
Joined: Wed May 28, 2008 9:09 am

Re: Security issue with TM1 REST API

Post by David Usherwood » Tue Jun 23, 2020 12:56 pm

Suggest you recheck your script.
I have just reproduced the situation with TM1py, and a non-admin user can only see their own threads. There is a quirk in that the GitHub release of TM1py has a function 'cancel_all_running_threads' which is not in the release (py -m pip install) version, but looking at the code it iterates over the threads returned from the REST API, so no difference really.

David Usherwood
Site Admin
Posts: 1411
Joined: Wed May 28, 2008 9:09 am

Re: Security issue with TM1 REST API

Post by David Usherwood » Tue Jun 23, 2020 2:51 pm

I've tested further at Steve Rowe's suggestion, and my non-admin user can see and cancel their own threads. (Updated: I was cancelling an Architect session; no change to the open view, but the user had been logged out.)
(Further update)
If the (non-Admin) user is in the OperationsAdmin group they can cancel other users' threads as well.
Script:


import configparser
from TM1py.Services import TM1Service
config = configparser.ConfigParser()
config.read(r'..\config.ini')
with TM1Service(**config['XXX']) as tm1:
    # Get all running threads
    threads = tm1.monitoring.get_threads()
    # Prints all running threads with their properties:
    for thread in threads:
        print(thread,'\n')
    # Find threads running in Architect and cancel them
    for thread in threads:
        if thread['Context'] == 'Architect':
            tm1.monitoring.cancel_thread(thread['ID'])
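The behaviour David observed (a plain user can only see and cancel their own threads; a member of OperationsAdmin or ADMIN can cancel anyone's) is enforced by the TM1 server, but Steve's suggestion of checking the caller's groups in the script is still worth doing: it makes the intent explicit and avoids sending cancel requests that the server will reject. The script below is an added example, not code from this forum post or from TM1py. It assumes thread records shaped like the TM1 REST API's GET /api/v1/Threads response (properties ID, Type, Name, Context, State, Function), that the caller's group names come from GET /api/v1/ActiveUser?$expand=Groups, and that TM1py's `tm1.security.get_current_user()` returns a User object with `.name` and `.groups`. The thread list and group names are constructed for the demo; `FakeMonitoring` stands in for `tm1.monitoring` so it runs offline.

```python
"""Group-aware thread cancellation for the TM1 REST API (added example).

Assumes TM1 REST API thread records (ID, Type, Name, Context, State, Function)
and group names as returned for the active user. Sample data is constructed.
"""
from typing import Iterable, List, Mapping, Optional, Sequence, Tuple

# Groups allowed to cancel other users' threads: OperationsAdmin per the IBM
# note cited above, plus ADMIN, which is a superset. TM1 compares names
# case- and space-insensitively, so normalise before comparing.
PRIVILEGED_GROUPS = {"admin", "operationsadmin"}


def _norm(name: str) -> str:
    """Approximate TM1's case- and space-insensitive name comparison."""
    return "".join(name.split()).casefold()


def may_cancel_others(groups: Iterable[str]) -> bool:
    """True if any of the caller's groups allows cancelling other users' threads."""
    return any(_norm(g) in PRIVILEGED_GROUPS for g in groups)


def is_own_thread(thread: Mapping, user_name: str) -> bool:
    """A thread is the caller's own when its Name property is the caller's user name."""
    return _norm(str(thread.get("Name", ""))) == _norm(user_name)


def select_threads_to_cancel(threads: Sequence[Mapping], user_name: str,
                             groups: Iterable[str],
                             context: Optional[str] = None) -> Tuple[List[int], List[int]]:
    """Split thread IDs into (allowed, skipped) by the caller's rights.

    Plain users may cancel only their own threads; OperationsAdmin/ADMIN may
    cancel anyone's. Threads of Type 'System' are never targeted. `context`
    optionally restricts to one client, e.g. 'Architect', as in David's script.
    """
    privileged = may_cancel_others(groups)
    allowed, skipped = [], []
    for thread in threads:
        if thread.get("Type") == "System":
            continue
        if context is not None and thread.get("Context") != context:
            continue
        if privileged or is_own_thread(thread, user_name):
            allowed.append(thread["ID"])
        else:
            skipped.append(thread["ID"])
    return allowed, skipped


def cancel_threads(monitoring, user_name: str, groups: Iterable[str],
                   context: Optional[str] = None) -> Tuple[List[int], List[int]]:
    """Cancel only the threads the caller is entitled to cancel.

    `monitoring` is any object with get_threads() -> list of thread dicts and
    cancel_thread(thread_id); TM1py's tm1.monitoring has that interface.
    """
    allowed, skipped = select_threads_to_cancel(
        monitoring.get_threads(), user_name, groups, context)
    for thread_id in allowed:
        monitoring.cancel_thread(thread_id)
    return allowed, skipped


class FakeMonitoring:
    """Constructed stand-in for tm1.monitoring so the example runs offline."""

    def __init__(self, threads: Sequence[Mapping]):
        self._threads = [dict(t) for t in threads]
        self.cancelled: List[int] = []

    def get_threads(self) -> List[dict]:
        return [dict(t) for t in self._threads]

    def cancel_thread(self, thread_id: int) -> None:
        self.cancelled.append(thread_id)


# Constructed sample: two Architect sessions from different users, one TM1py
# session, and one system thread.
SAMPLE_THREADS = [
    {"ID": 101, "Type": "User", "Name": "bhavana", "Context": "Architect",
     "State": "Run", "Function": "CubeViewOpen"},
    {"ID": 102, "Type": "User", "Name": "dev1", "Context": "Architect",
     "State": "Wait", "Function": "CubeViewOpen"},
    {"ID": 103, "Type": "User", "Name": "dev1", "Context": "TM1py",
     "State": "Run", "Function": "GET /api/v1/Threads"},
    {"ID": 1, "Type": "System", "Name": "", "Context": "", "State": "Idle",
     "Function": ""},
]


def cancel_with_tm1py(config_path: str, section: str, context: str = "Architect"):
    """Same logic against a live server via TM1py (not exercised offline).
    Assumes get_current_user() returns a User with .name and .groups."""
    import configparser
    from TM1py.Services import TM1Service  # local import: module loads without TM1py
    config = configparser.ConfigParser()
    config.read(config_path)
    with TM1Service(**config[section]) as tm1:
        user = tm1.security.get_current_user()
        return cancel_threads(tm1.monitoring, user.name, user.groups, context)


if __name__ == "__main__":
    for groups in (["Finance"], ["Finance", "OperationsAdmin"]):
        fake = FakeMonitoring(SAMPLE_THREADS)
        cancelled, skipped = cancel_threads(fake, "dev1", groups, context="Architect")
        print(f"groups={groups}: cancelled={cancelled} skipped={skipped}")
```

Note that the client-side filter is defence in depth, not the authorization boundary: the server still decides, so a thread that slips through the filter for a non-privileged user will simply be refused, which is the behaviour this thread confirms.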

Bhavana
Posts: 9
Joined: Mon Jun 22, 2020 9:50 pm
OLAP Product: Planning Analytics
Version: 2.0.9
Excel Version: 32 bit

Re: Security issue with TM1 REST API

Post by Bhavana » Thu Jun 25, 2020 12:07 pm

Thanks David for providing the script.

We have also tested the same with a non-admin user; after granting the operations group he is now able to cancel other users' threads. The issue has been fixed.
