Welcome [tc18.tableau.com] · Implementing Tableau Server security RELATED SESSIONS Oct 23 |...

Post on 23-Jul-2020


Welcome

Tableau Server Security in Depth

Kacper Reiter

Sr. Software Engineer

Server and Cloud Platform

#TC18

Dinç Çiftçi

Software Engineer

Server and Cloud Platform

Agenda

General security model

Transport Layer Security

Secure storage of secrets

Repository security

New nodes and upgrades

Hardening

Q&A

Related Sessions

Implementing Tableau Server security: Oct 23 | 10:45am – 11:45am | MCCNO - L3 - 338

Introducing Tableau Services Manager: Oct 23 | 2:15pm – 3:15pm | MCCNO - L3 - 398

Users and File System

Installation Directory

Windows: run the installer as Administrator. Linux: run the rpm/deb package install with sudo.

Windows: %PROGRAMFILES%\Tableau\Tableau Server
Linux: /opt/tableau/tableau_server

Permissions (Windows): inherited default permissions
Administrators: full permissions
Users: read & execute

Permissions (Linux):
rwxr-xr-x root root
rw-r--r-- root root

Installed packages are immutable, even by Tableau Server processes.

Linux "run as" users

tableau/tableau: all services

Windows "run as" users

Local System: Tableau Server Administration Agent

Local Service: Tableau Server License Manager

Network Service: Tableau Server Administration Controller, Tableau Server Coordination Service

Network Service or a custom "run as" user: Tableau Server Service Manager and all "business" services

Tableau Server Data Directory

Windows: %PROGRAMDATA%\Tableau\Tableau Server
\appzookeeper
\filestore
\pgsql
\tabadminagent
\<other services>

Linux: /var/opt/tableau/tableau_server
/appzookeeper
/filestore
/pgsql
/tabadminagent
/<other services>

Permissions (Windows): break inheritance at service level; Read & Write permission for the service user

Permissions (Linux):
rwxrwx--- tableau tableau
rw-rw---- tableau tableau

Transport Layer Security (TLS/SSL)

Chain of Trust

TLS Handshake

TLS provides:

Authentication (trust)

Privacy (encryption)

Message reliability (integrity)

Transport Layer Security

Tableau Components Supporting TLS

Gateway (external and mutual): the web server handling requests from various clients

Repository: the database where the vast majority of server content is persisted

TSM Controller: the process orchestrating administrative actions

[Architecture diagram: Mobile, Tableau Desktop and tabcmd clients connect to the Gateway; behind it sit VizPortal, VizqlServer, DataServer, Search Server, Postgres (Repository), Data Engine and Backgrounder]

Transport Layer Security

Gateway (AKA Apache, httpd): provides access to all server content

Browser client, REST API, tabcmd

No TLS by default

External SSL: admin-provided certificate

Mutual SSL: client certificates managed by a CA

Secrets live in the server configuration


Transport Layer Security

Repository (AKA postgres, PostgreSQL): stores the vast majority of Server content

Workbooks, datasource credentials, user permissions, local auth credentials

Queried by other Server processes

No TLS by default

Certificate is self-signed and generated internally

Secrets live in the server configuration


[Diagram: the TSM CLI, the TSM Web UI and the installer variants all talk to the TSM Controller]

Transport Layer Security

Tableau Services Manager's Controller: TSM REST API, Web UI and CLI

Self-signed certificate

Set up by default

Tableau Server Administration Controller Security

Authentication: user name & password, checked against the OS

Authorization: membership in the Administrators group (Windows) or the tsmadmin group (Linux), or in a custom defined group

Transport Layer Security

Location (Windows): %PROGRAMDATA%\Tableau\Tableau Server\data\tabsvc\tabadmincontroller\0\keystores

Location (Linux): /var/opt/tableau/tableau_server/data/tabsvc/tabadmincontroller/0/keystores

Permissions (Windows): break inheritance at service level; Read & Write permission for Network Service

Permissions (Linux):
-rw-rw---- tableau tableau cakeystore.jks
-rw-rw---- tableau tableau tabadmincontroller.jks

TSM CLI needs the public certificate at (Windows): the ROOT key store

TSM CLI needs the public certificate at (Linux): /etc/opt/tableau/tableau_server/tableauservicesmanagerca.jks
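To make the chain of trust concrete, and to show why the TSM CLI needs the controller's CA certificate in its own trust store, here is an added Go example (not Tableau's code): it mints a self-signed CA, issues a controller certificate for node1 from it, and checks that certificate against a trust store with and without the CA. The names "tableauservicesmanagerca" and "node1" are constructed labels, and the serial numbers are taken from the clock for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Issue generates a P-256 key and a certificate for cn signed by parentKey; parent == nil yields a self-signed root (as the TSM CA is).
func Issue(cn string, usage x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // self-signed root: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Trusted reports whether leaf chains to one of roots for hostname; an empty roots list models a TSM CLI host lacking the CA certificate.
func Trusted(leaf *x509.Certificate, roots []*x509.Certificate, hostname string) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: hostname})
	return err == nil
}

func main() {
	ca, caKey, _ := Issue("tableauservicesmanagerca", x509.KeyUsageCertSign, nil, nil)
	ctrl, _, _ := Issue("node1", x509.KeyUsageDigitalSignature, ca, caKey)
	fmt.Println(Trusted(ctrl, []*x509.Certificate{ca}, "node1"), Trusted(ctrl, nil, "node1")) // true false
}
```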

Tableau Services Manager

Secure Storage of Secrets

https://onlinehelp.tableau.com/current/server/en-us/security_secret_storage.htm

Encryption of Server secrets at rest: server-wide secrets are persisted in encrypted form, for example

pgsql.adminusername: tblwgadmin
pgsql.adminpassword: ENC(w4c7e9rkR022ayv9GeWrb6Y3tSSqg5...SoEI0WFU1Xhs0jg7JSwLjg=)

Secrets are managed by TSM and stored in ZooKeeper

The master key lives on disk and is generated during install

Symmetric key encryption: AES-256 in GCM mode

Each service decrypts the secrets in memory
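An added Go example (not TSM's implementation) of the ENC() scheme described above: a 32-byte master key drives AES-256-GCM, each secret is sealed under a fresh random nonce and rendered as ENC(base64), and decryption fails closed on a wrong key or a modified value. Rolling the master key is then Unwrap under the old key followed by Wrap under the new one. The sample password is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Vault holds the AES-256-GCM AEAD for one master key; the array type enforces a 256-bit key.
type Vault struct{ aead cipher.AEAD }

func NewVault(masterKey *[32]byte) (*Vault, error) {
	block, err := aes.NewCipher(masterKey[:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead}, err
}

// Wrap renders secret as ENC(<base64 of nonce||ciphertext||tag>); a fresh random nonce per call keeps repeated secrets distinct.
func (v *Vault) Wrap(secret string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := v.aead.Seal(nonce, nonce, []byte(secret), nil)
	return "ENC(" + base64.StdEncoding.EncodeToString(sealed) + ")", nil
}

// Unwrap reverses Wrap; the GCM tag turns a wrong master key or any tampering into an error.
func (v *Vault) Unwrap(value string) (string, error) {
	sealed, err := base64.StdEncoding.DecodeString(strings.TrimSuffix(strings.TrimPrefix(value, "ENC("), ")"))
	if err != nil || len(sealed) < v.aead.NonceSize() {
		return "", fmt.Errorf("malformed ENC() value")
	}
	plain, err := v.aead.Open(nil, sealed[:v.aead.NonceSize()], sealed[v.aead.NonceSize():], nil)
	return string(plain), err
}

func main() {
	var masterKey [32]byte // constructed here; the real master key is generated at install time
	rand.Read(masterKey[:])
	v, _ := NewVault(&masterKey)
	enc, _ := v.Wrap("constructed-admin-password")
	fmt.Println("pgsql.adminpassword:", enc) // differs on every run because of the random nonce
}
```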

Encryption in the Repository

The Repository (PostgreSQL)

Encryption of sensitive content in the Repository: the Repository contains data source credentials

The database tables containing this information are encrypted with asset keys

Symmetric key encryption: AES in CBC mode with PKCS5 padding

The key ("asset key") is managed by TSM

Rolling the Secrets

Key Roll: an easy way to roll all the internal keys and secrets

tsm security regenerate-internal-tokens

Updates the following secrets:

All internal passwords (postgres, redis, etc.)

Master encryption keys

Internally generated SSL certificates (postgres, solr)

Asset keys

Re-encrypts secrets with the new encryption keys

Nodes and Upgrades

Adding New Nodes

Establish two-way trust through "bootstrapping"

bootstrap.json:

  "initialBootstrapSettings": {
    "configurationName": "tabsvc",
    "clusterId": "tabsvc-clustered",
    "nodeId": "node1",
    "machineAddress": "hostname1",
    "port": 8850,
    "certificate": "-----BEGIN CERTIFICATE----- <encoded cert> -----END CERTIFICATE-----",
    "cryptoKeyStore": "<encoded keystore>"
  }

AuthN / AuthZ

Upgrades

Upgrade

Authentication

Generate new secrets

Operations that require admin/sudo privileges

Hardening

https://onlinehelp.tableau.com/current/server/en-us/security_harden.htm

Gateway SSL: protect your users; maintain your certificate

Postgres SSL: easy to set up, defense in depth

Firewall: run Server within a subnet; only expose the Gateway port externally; set up firewall rules to allow communication between nodes

Ports

$ tsm topology list-ports

Node   Name                          Instance  Port
node1  clientfileservice:primary     0         8218
node1  clientfileservice:status      0         8048
node1  licenseservice:vendor_daemon  0         8889
node1  tabadmincontroller:primary    0         8850
node1  appzookeeper:leader           0         13000
node1  appzookeeper:client           0         12000
node1  appzookeeper:peer             0         14000
node1  tabadminagent:filetransfer    0         9347
node1  tabadminagent:columbo         0         8729

Restrict access to hosts: only allow privileged personnel to access, both physically and over the network

Upgrade: OS upgrades; monitor Tableau security bulletins; upgrade to get new security features

Please complete the session survey from the Session Details screen in your TC18 app

Thank you!

#TC18

kreiter <at> tableau.com

dciftci <at> tableau.com

Relevant Documentation

https://onlinehelp.tableau.com/current/server/en-us/security_net.htm

https://onlinehelp.tableau.com/current/server/en-us/security_secret_storage.htm

https://onlinehelp.tableau.com/current/server-linux/en-us/config_firewall_linux.htm

https://onlinehelp.tableau.com/current/server/en-us/requ.htm#firewall

https://onlinehelp.tableau.com/current/server/en-us/cli_security_tsm.htm#regenerate-tokens