How to Get Online-Accessible TabPy Instance with Heroku

Although it is very easy to install TabPy on your laptop, desktop, VM, and so on with just pip install --upgrade tabpy command there are some limitations and additional work which needs to be done. Some examples are:

  • You environment has to be configured – supported Python version (3.6 or newer at the moment this post is written) needs to be installed.
  • To isolate TabPy from other Python applications you may want to use Anaconda (additional reading – How to run TabPy with Anaconda on Linux), Python virtual environment or similar solution.
  • The machine with TabPy on it cannot be accessible outside of you work/home network.
  • You don’t want to expose the machine with TabPy on it to the whole internet.
  • and so on…

And there is a way to quickly create TabPy instance available everywhere via the internet just in minutes. It is done with Heroku which by their own words is

Heroku is a cloud platform that lets companies build, deliver, monitor and scale apps — we’re the fastest way to go from idea to URL, bypassing all those infrastructure headaches.

In simple words Heroku allows you to have accessible with internet applications running on their side which lifetime you control. What languages are supported and other documentation is available at

For what I am demonstrating here free Heroku account is sufficient – register at

When you have registered and successfully logged to your Heroku account go to TabPy GitHub page at and click Deploy to Heroku (purple button on the screenshot below) button or use this link –

On the first screen provide your application name (it has to be unique across Heroku applications) and click Deploy app:

Wait for application to be installed, configured and started (all steps should succeed as shown on the screenshot below):

To access the application click View button or use URL https://<your-app-name> (in the example above it is

That is it! You have TabPy instance accessible via the internet. Hostname for it is <your-app-nme> and port is 80:

For secure connection use port 443 and set Require SSL checkbox as screenshot below demonstrates:

Secure connection uses certificate from Heroku issued by DigiCert:

There are some limitations to this solution:

  • You may use your own certificate, but it is not free.
  • The port is not configurable – it is always 80 or 443.
  • There is no authentication.

To resolve the limitations above you may configure and create your own Heroku application based on TabPy. What you have instead in easy and fast way to get TabPy up and running available from anywhere when you need it.

Share the post if you liked it

TabPy: Using Deployed Functions from Deployed Functions

If you don’t know what deployed functions in TabPy are consider reading the following:

With this post I’ll demonstrate with extremely simplified code how to use already deployed functions in other deployed functions.

Assuming TabPy is running on localhost machine and port 9004 in Python session I create and deploy simple function which capitalizes first letter of each string in the input parameter:

def my_func_1(s):
  return [x.capitalize() for x in s]

from tabpy.tabpy_tools.client import Client
client = Client('http://localhost:9004')
client.deploy('MyFunction1', my_func_1, 'Capitalize first letter of each string')

When the above is executed there is a function deployed which is accessible with Tableau SCRIPT_...('return tabpy.query('MyFunction1', _arg1)['response']', ...) expression. But what we are looking for is calling that function from another function.

When a function is deployed it is available in TabPy context for user script meaning you can use function name (the name the function was declared with, not the name given to when deployed). Here is how the function can be called:

def my_func_2(s):
  c = my_func_1(s)
  return ['_' + x + '_' for x in c]

client.deploy('MyFunction2', my_func_2, 'Underscore and capitalize each string')

Things to pay attention in the code sample above:

  1. The first deployed function is called by its Python name my_func_1 and not with the name it deployed with.
  2. Deployed functions (both MyFunction1 and MyFuction2) are used in Tableau calculations with their deployed names:

One caution I need to make here: How deployed functions are presented and accessible in the context of a script running in TabPy is not documented and not guaranteed to work in the future. The recommended way to reuse Python code is to create packages or use standalone modules as explained in How to use Python modules for TabPy scripts in Tableau post.

Share the post if you liked it

How to install certificates on Linux


When running Tableau Server on Linux and need it to connect to secure TabPy or secure Rserve instances (or any other analytics extension over secured channel) for Tableau Server to trust the connection it need to know to trust the certificate analytics extension is using. Some more details about Tableau and trusted certificates are in this post – Tableau and Trusted Certificates for Analytics Extensions.

In this post, I will show you how to install a trusted certificate (root or self-signed certificate) on Linux. Remember Rserve sends to Tableau leave certificate only so you may need to install the whole chain as trusted certificates.

NOTE: Instructions below may not work for your specific Linux version – check with documentation for your exact system.

Certificate formats: PEM, DER, PFX, etc.

There are a few different formats certificate file can be stored in. For the instructions below only PEM and DER are used. Some details about specific formats and how they are related can be found at

PEM and DER are just different encoding for the same data. DER is binary and PEM is Base64 encoded DER.

One format can be converted to another with OpenSSL. E.g. to convert DER to PEM run

openssl x509 -inform der -in cert.der -out cert.pem

More examples for how to convert certificate commands are at

NOTE: you only need certificates (public part) and not private key for it.

RPM-based Linux Steps

The following are the instructions for RPM-based Linux (CentOS, Fedora, Red Hat, etc.).

Copy PEM certificate to /etc/pki/ca-trust/source/anchors:

sudo cp cert.pem /etc/pki/ca-trust/source/anchors/cert.pem

Run the following command:

sudo update-ca-trust

For the certificate to be picked up by Tableau Server it is recommended to restart the whole machine. Restarting just Tableau Server may work as well but is not guaranteed.

Debian-based Linux Steps

For Debian-based Linux (Debian, Ubuntu, Kubuntu, etc.) use PEM certificate in .crt file. It means the format for the certificate file is PEM, but the file extension is required to be .crt.

First copy certificate file to /usr/local/share/ca-certificates:

sudo cp cert.crt /usr/local/share/ca-certificates/

Now run the following command:

sudo update-ca-certificates

For the certificate to be picked up by Tableau Server it is recommended to restart the whole machine. Restarting just Tableau Server may work as well but is not guaranteed.

Additional reading

Related posts:

Share the post if you liked it

TabPy v2.2.0 Released

TabPy version 2.2.0 is released:

To install or update to the latest version as usual run

pip install --upgrade tabpy

The release includes fixes for authentication:

  • Fixed bug for scripts with tabpy.query(...) calls for when authentication is configured for TabPy.
  • Fixed bug for TabPy reporting 500 error instead of 401 when it runs without the attached console.
  • Improved authentication security (this is breaking change) – now TabPy returns authentication error when credentials are provided, but it is not configured for it.

Additional reads:

Share the post if you liked it

How to Install Trusted Certificate on Mac

With new Tableau Server and Desktop certificate validation happens on Tableau side as explained in Tableau and Trusted Certificates for Analytics Extensions post. So for a certificate to be trusted either the certificate itself (self-signed certificate scenario) or certificate(s) it signed with have to be installed on the client machine as trusted.

This post demonstrates how to install certificate as trusted on Mac OS.

NOTE: This post is just an example and shouldn’t be used as a manual. The steps and UI can be different for your OS version and how it is configured.

First step would be to download the certificate you want to install as trusted on your computer. Remember for Rserve you may need to install the whole chain.

Then start Keychain Access application (Finder -> Applications -> Utilities):

In the app go to System Keychains, then Certificates, and drag and drop the certificate you want to install there.

You will see a message about newly installed certificate to be not trusted:

Right-click the certificate and select Get Info menu item:

In the dialog which appears for the certificate information open Trust section and set Secure Sockets Layer (SSL) option to Always Trust. Close the window and confirm the red icon and warning message for the certificate is gone.

Next select New Certificate Preference… item in the context menu for the certificate:

And in the pop-up dialog enter the exact fully qualified domain name (FQDN) the certificate is issued for. Click Add button.

Now the certificate is installed as trusted and for it to be validated and accepted it is recommended to reboot the machine. In general most of certificates modifications on a machine are recommended to have following reboot.

It may be enough (but not guaranteed to be) to restart Tableau Desktop. For how to configure secure connection in Tableau Desktop read Tableau Desktop 2020.1: Advanced Analytics Improvements and How to configure TabPy with authentication and use it in Tableau.

Share the post if you liked it