Welcome

Tableau Server Security in Depth

Kacper Reiter

Sr. Software Engineer

Server and Cloud Platform

# T C 1 8

Dinç Çiftçi

Software Engineer

Server and Cloud Platform

Agenda

General security model

Transport Layer Security

Secure storage of secrets

Repository security

New nodes and upgrades

Hardening

Q&A

Implementing Tableau Server security

R E L AT E D S E S S I O N S

Oct 23 | 10:45am – 11:45am | MCCNO - L3 - 338

Introducing Tableau Services ManagerOct 23 | 2:15pm – 3:15pm | MCCNO – L3 - 398

Users and File System

Installation Directory

Run installer as Administrator Run rpm/deb with sudo

%PROGRAMFILES%\Tableau\Tableau

Server

/opt/tableau/tableau_server

Permissions

Inherited default permissions

Administrators – full permissions

Users – read & execute

Permissions

rwxr-x-r-x root root

rw-r---r-- root root

Installed packages are immutable, even by Tableau Server processes.

Linux—“run as” Users

tableau/tableauAll services

Windows—“run as” Users

Local SystemTableau Server Administration Agent

Local ServiceTableau Server License Manager

Network ServiceTableau Server Administration Controller

Tableau Server Coordination Service

Network Service or custom “run as” userTableau Server Service Manager

All “business” services

Tableau Server Data Directory

%PROGRAMDATA%\Tableau\Tableau Server

\appzookeeper

\filestore

\pgsql

\tabadminagent

\<other services>

/var/opt/tableau/tableau_server

/appzookeeper

/filestore

/pgsql

/tabadminagent

/<other services>

Permissions:Break inheritance at service level

Read & Write permission for the service user

Permissions:rwxrwx---- tableau tableau

rw-rw----- tableau tableau

Transport Layer Security(TLS/SSL)

Transport Layer Security

Chain of Trust

Transport Layer Security

Chain of Trust

Transport Layer Security

Chain of Trust

Transport Layer Security

Chain of Trust

Transport Layer Security

Transport Layer Security

Transport Layer Security

TLS Handshake

Transport Layer Security

TLS Handshake

Transport Layer Security

TLS Handshake

Transport Layer Security

TLS providesAuthentication (trust)

Privacy (encryption)

Message reliability (integrity)

Transport Layer Security

Tableau Components Supporting TLSGateway—external and mutualThe web server handling requests from various clients

RepositoryThe database where the vast majority of server content is persisted

TSM ControllerThe process orchestrating administrative actions

Gateway

Mobile

Tableau

Desktop

tabcmd

Gateway

VizPortal VizqlServer DataServer

Search

Server

Postgres(Repository)

Data Engine

Backgrounder

Transport Layer Security

Gateway (AKA Apache, httpd)Provides access to all server content

Browser client, REST API, tabcmd

No TLS by default

Transport Layer Security

GatewayProvides access to all server content

Browser client, REST API, tabcmd

No TLS by default

External SSL: Admin-provided certificate

Mutual SSL: Client certificates managed by CA

Secrets live in the server configuration

Gateway

Mobile

Tableau

Desktop

tabcmd

Gateway

VizPortal VizqlServer DataServer

Search

Server

Postgres(Repository)

Data

Engine

Backgrounder

Gateway

Mobile

tabcmd

Gateway

VizPortal VizqlServer DataServer

Search

Server

Postgres(Repository)

Data

Engine

Backgrounder

Tableau

Desktop

Transport Layer Security

GatewayProvides access to all server content

Browser client, REST API, tabcmd

No TLS by default

External SSL: Admin-provided certificate

Mutual SSL: Client certificates managed by CA

Secrets live in the server configuration

Gateway

Repository

Mobile

Tableau

Desktop

tabcmd

Gateway

VizPortal VizqlServer DataServer

Search

Server

Postgres(Repository)

Data

Engine

Backgrounder

Transport Layer Security

Repository (AKA postgres, PostgreSQL)Stores the vast majority of Server content

Workbooks, datasource credentials, user permissions, local auth credentials

Queried by other Server processes

No TLS by default

Transport Layer Security

Repository (AKA postgres, PostgreSQL)Stores the vast majority of Server content

Workbooks, datasource credentials, user permissions, local auth credentials

Queried by other Server processes

No TLS by default

Certificate is self–signed and generated internally

Secrets live in the server configuration

Repository

Mobile

Tableau

Desktop

tabcmd

Gateway

VizPortal VizqlServer DataServer

Search

Server

Postgres(Repository)

Data

Engine

Backgrounder

Repository

Mobile

Tableau

Desktop

tabcmd

Gateway

VizPortal VizqlServer DataServer

Search

Server

Postgres(Repository)

Data

Engine

Backgrounder

Repository

Repository

TSM Controller

TSM CLI

TSM Web UI

Installer

variants

TSM Controller

Transport Layer Security

Tableau Services Manager's ControllerTSM REST API, Web UI and CLI

Self–signed certificate

Set up by default

Tableau Server Administration Controller Security

Administrators Group tsmadmin group

Custom defined group

AuthenticationUser Name & Password -> the OS

Authorization

Transport Layer Security

Location%PROGRAMDATA%\Tableau\Tableau

Server\data\tabsvc\tabadmincontroller\0\keystores

Location/var/opt/tableau/tableau_server/data/tabsvc/tabadmincontroller/

0/keystores

PermissionsBreak inheritance at service level

Read & Write permission for Network Service

Permissions-rw-rw---- tableau tableau cakeystore.jks

-rw-rw---- tableau tableau tabadmincontroller.jks

TSM CLI needs the public certificate atWindows-ROOT Key Store

TSM CLI needs the public certificate at/etc/opt/tableau/tableau_server/tableauservicesmanagerca.jks

Tableau Services Manager's ControllerTSM REST API, Web UI and CLI

Self–signed certificate

Set up by default

Tableau Services Manager

Secure Storage of Secrets

Secure Storage of Secrets

https://onlinehelp.tableau.com/current/server/en-

us/security_secret_storage.htm

Secure Storage of Secrets

Encryption of Server secrets at restServer-wide secrets are persisted in encrypted formpgsql.adminusername: tblwgadmin

pgsql.adminpassword: ENC(w4c7e9rkR022ayv9GeWrb6Y3tSSqg5...SoEI0WFU1Xhs0jg7JSwLjg=)

Secure Storage of Secrets

Encryption of Server secrets at restServer-wide secrets are persisted in encrypted formpgsql.adminusername: tblwgadmin

pgsql.adminpassword: ENC(w4c7e9rkR022ayv9GeWrb6Y3tSSqg5...SoEI0WFU1Xhs0jg7JSwLjg=)

Secrets are managed by TSM, stored in ZooKeeper

Secure Storage of Secrets

Secure Storage of Secrets

Encryption of Server secrets at restServer-wide secrets are persisted in encrypted formpgsql.adminusername: tblwgadmin

pgsql.adminpassword: ENC(w4c7e9rkR022ayv9GeWrb6Y3tSSqg5...SoEI0WFU1Xhs0jg7JSwLjg=)

Secrets are managed by TSM, stored in ZooKeeper

The master key lives on disk, generated during install

Secure Storage of Secrets

Encryption of Server secrets at restServer-wide secrets are persisted in encrypted form:pgsql.adminusername: tblwgadmin

pgsql.adminpassword: ENC(w4c7e9rkR022ayv9GeWrb6Y3tSSqg5...SoEI0WFU1Xhs0jg7JSwLjg=)

Secrets are managed by TSM, stored in ZooKeeper

The master key lives on disk, generated during install

Symmetric key encryption: AES GCM 256

Each service decrypts the secrets in memory

Encryption in the Repository

The Repository (PostgreSQL)

Encryption of sensitive content in the RepositoryThe Repository contains data source credentials

The database tables containing this information are encrypted with asset keys

The Repository (PostgreSQL)

Encryption of sensitive content in the RepositoryThe Repository contains data source credentials

The database tables containing this information are encrypted with asset keys

Symmetric Key Encryption: AES CBC mode with PKCS5 padding

The key (“asset key”) is managed by TSM

Rolling the Secrets

Key Roll

Easy way to roll all the internal keys and secrets

tsm security regenerate-internal-tokens

Updates following secretsAll internal passwords (postgres, redis, etc…)

Master encryption keys

Internally generated SSL certificates (postgres, solr )

Asset keys

Re-encrypt secrets with new encryption keys

Nodes and Upgrades

Adding New Nodes

Establish 2 way trust through “bootstrapping”

“initialBootstrapSettings”: {

“configurationName”: “tabsvc”,“clusterId”: “tabsvc-clustered”,“nodeId”: “node1”,“machineAddress”: “hostname1”“port”: 8850,

“certificate”: “-----BEGIN CERTIFICATE----- <encoded cert> -----END CERTIFICATE-----”,“cryptoKeyStore”: “<encoded keystore>”

}

bootstrap.json

AuthN / AuthZ

Upgrades

Upgrade

Authentication

Generate new secrets

Operations that require admin/sudo privileges

Hardening

Hardening

https://onlinehelp.tableau.com/current/server/en-us/security_harden.htm

Hardening

Gateway SSLProtect your users

Maintain your certificate

Hardening

Gateway SSLProtect your users

Maintain your certificate

Postgres SSLEasy to set up, defense in depth

Hardening

Gateway SSLProtect your usersMaintain your certificate

Postgres SSLEasy to set up, defense in depth

FirewallRun Server within a subnetOnly expose the Gateway port externallySet up firewall rules to allow communication between nodes

Ports

$ tsm topology list-ports

Node Name Instance Port

node1 clientfileservice:primary 0 8218

node1 clientfileservice:status 0 8048

node1 licenseservice:vendor_daemon 0 8889

node1 tabadmincontroller:primary 0 8850

node1 appzookeeper:leader 0 13000

node1 appzookeeper:client 0 12000

node1 appzookeeper:peer 0 14000

node1 tabadminagent:filetransfer 0 9347

node1 tabadminagent:columbo 0 8729

Hardening

Gateway SSLProtect your usersMaintain your certificate

Postgres SSLEasy to set up, defense in depth

FirewallRun Server within a subnetOnly expose the Gateway port externallySet up firewall rules to allow communication between nodes

Restrict access to hostsOnly allow privileged personnel to access

Physical and over-the-network

Hardening

Gateway SSLProtect your usersMaintain your certificate

Postgres SSLEasy to set up, defense in depth

FirewallRun Server within a subnetOnly expose the Gateway port externallySet up firewall rules to allow communication between nodes

Restrict access to hostsOnly allow privileged personnel to access

Physical and over-the-network

UpgradeOS upgrades

Monitor Tableau security bulletins

Upgrade to get new security features

Please complete the

session survey from the

Session Details screen

in your TC18 app

Thank you!

#TC18

kreiter <at> tableau.com

dciftci <at> tableau.com

Relevant Documentation

https://onlinehelp.tableau.com/current/server/en-us/security_net.htm

https://onlinehelp.tableau.com/current/server/en-us/security_secret_storage.htm

https://onlinehelp.tableau.com/current/server-linux/en-us/config_firewall_linux.htm,

https://onlinehelp.tableau.com/current/server/en-us/requ.htm#firewall

https://onlinehelp.tableau.com/current/server/en-us/cli_security_tsm.htm#regenerate-tokens