Product: TIBCO Spotfire®
TERR error in Web Player: "The data function 'Test' has been trusted, but it was executed in restricted execution mode." "restricted call to Native[.internal.scan]"
A data function that works when tested using the Spotfire desktop client's built-in local TERR engine fails with the following error when it is run from Spotfire Web Player or Automation Services:
-----
TIBCO Enterprise Runtime for R returned an error
The data function 'Test' could not be executed.
The data function 'Test' has been trusted, but it was executed in restricted execution mode.
TIBCO Spotfire Statistics Services and/or the TERR service are configured to enforce restricted execution mode. This configuration must be changed or the data function must be rewritten to work in restricted mode.
Error: restricted call to Native[.internal.scan]
-----
This error message indicates that the 'Test' data function is sending its TERR script to a TERR Service (TERRSRV) node or TIBCO Spotfire Statistics Services (TSSS) instance that has TERR restricted execution mode enabled (which is the default setting), and the data function is trying to call a function that calls .Native(), which won't work in TERR restricted execution mode.
Any call to .Native() will fail in TERR restricted execution mode, which is enabled by default in the TERR Service and in TSSS 7.11.1 LTS or later.
For example, this issue could be launched by a call to TERR's read.csv() function, which calls read.table(), which has called base:::.internal.scan(), which has called .Native(".internal.scan"):
read.csv
|_ read.table
. |_ base:::.internal.scan
. |_ .Native(".internal.scan")
See the TERR Console session (below) that illustrates this example.
Data functions with TERR scripts that lead to a call to .Native() will only work in TSSS or the TERR Service node if you disable TERR Restricted Execution Mode, using one of their configuration properties.
The value for a configuration property can be changed by editing and saving the TERR Service node's "custom.properties" configuration file or the TSSS instance's "spserver.properties" file, then doing a service restart to force a read of the modified file.
The following is the property for TERR restricted execution mode, as it appears in the default "custom.properties" or "spserver.properties" file:
terr.restricted.execution.mode=true
To be able to use such a data function's call to read.csv(text = "x,y,z") (for example) from the Web Player, you will need to change that line in the "custom.properties" or "spserver.properties" file to read as follows, save the file, and restart the TERR Service or the TSSS service:
terr.restricted.execution.mode=false
Note:
A TSSS instance's "spserver.properties" configuration file is located in its "conf" directory.
The "custom.properties" configuration file for a TERR Service (TERRSRV) node is located in that node's "conf" directory.
Note: TERR Restricted Mode must also be disabled if you need to be able to load user-contributed CRAN packages into a data function's TERR session (using a call to library(dplyr), for example).
Note: If a TERR Service (TERRSRV) node is available in the Spotfire Server environment, Spotfire Web Player and Automation Services will send their data functions' TERR scripts to the TERR Service. They will only look for a URL connection to TSSS/TERR if a TERR Service node is not available.
Example TERR Console session that illustrates a way to test for the ability to run a particular TERR command in TERR restricted execution mode:
=====
TIBCO Software Inc. Confidential Information
Copyright (C) 2011-2019 TIBCO Software Inc. ALL RIGHTS RESERVED
TIBCO Enterprise Runtime for R version 5.0.0 for Microsoft Windows 64-bit
Type 'help()' for help.
Type 'q()' to quit.
>
>
> version$version.string
[1] "TIBCO Enterprise Runtime for R version 5.0.0 (2019-02-06)"
>
>
> # This command opens the TERR help topic for restricted execution mode:
>
> ?terrUtils::evalREX
Starting httpd help server ... done.
>
>
> csvTest <- paste(LETTERS[1:5], collapse = ",")
>
>
> csvTest
[1] "A,B,C,D,E"
>
>
> read.csv(text = csvTest, header = FALSE)
. V1 V2 V3 V4 V5
1 A B C D E
>
>
>
> # This command tests the call to read.csv() shown above in restricted execution mode:
>
>
> terrUtils::evalREX( quote( read.csv(text = csvTest, header = FALSE) ) )
Error: restricted call to Native[.internal.scan]
>
>
> traceback()
4: read.table(file = file, header = header, sep = sep, quote = quote, dec = dec, fill = fill, comment.char = comment.char, ...)
3: read.csv(text = csvTest, header = FALSE)
2: eval(expr, envir, enclos)
1: eval(expr, envir, enclos)
>
>
=====
You may also find the information provided in the following public knowledge base articles helpful.
TIBCO Spotfire Statistics Services (TSSS) 7.11.1 LTS introduced several new features, which include TERR Restricted Execution Mode:
https://support.revvitysignals.com/hc/en-us/articles/4408236175252-Analysis-with-TERR-script-fails-with-TIBCO-Spotfire-Statistics-Services-returned-an-error-Error-restricted-call-to-Native-writeBin-
https://support.revvitysignals.com/hc/en-us/articles/4408240801172-TERR-library-load-error-in-TSSS-7-11-1-Error-restricted-call-to-find-package-for-package-data-table-
Spotfire Server 10.0.0 and TSSS 10.0.0 introduced the TERR Service (TERRSRV) node:
https://support.revvitysignals.com/hc/en-us/articles/4408236064148-Data-function-fails-with-TerrServiceClient-TERRSRV-error-TIBCO-Enterprise-Runtime-for-R-returned-an-error-Error-restricted-call-to-Native-dir-exists-
Spotfire 10.3.0 LTS introduced trust for data functions. The following references provide information about the Data Function Trust feature:
https://community.tibco.com/wiki/script-and-data-function-trust-spotfire-103-and-later
https://docs.tibco.com/pub/spotfire_server/10.3.0/TIB_sfire_server_10.3.0_relnotes.pdf?id=1
The discussion at the following URL provides important information on Long Term Support (LTS) releases:
https://docs.tibco.com/pub/spotfire/general/LTS/spotfire_LTS_releases.htm