Tableau Server Security in Depth

Transcription

1

2 Welcome

3

4

5 # T C 1 8 Tableau Server Security in Depth Kacper Reiter Sr. Software Engineer Server and Cloud Platform Dinç Çiftçi Software Engineer Server and Cloud Platform

6 Agenda General security model Transport Layer Security Secure storage of secrets Repository security New nodes and upgrades Hardening Q&A

7 R E L AT E D S E S S I O N S Implementing Tableau Server security Oct 23 10:45am 11:45am MCCNO - L3-338 Introducing Tableau Services Manager Oct 23 2:15pm 3:15pm MCCNO L3-398

8 Users and File System

9 Installation Directory Run installer as Administrator Run rpm/deb with sudo %PROGRAMFILES%\Tableau\Tableau Server /opt/tableau/tableau_server Permissions Inherited default permissions Administrators full permissions Users read & execute Permissions rwxr-x-r-x root root rw-r---r-- root root Installed packages are immutable, even by Tableau Server processes.

10 Linux run as Users tableau/tableau All services

11 Windows run as Users Local System Tableau Server Administration Agent Local Service Tableau Server License Manager Network Service Tableau Server Administration Controller Tableau Server Coordination Service Network Service or custom run as user Tableau Server Service Manager All business services

12 Tableau Server Data Directory %PROGRAMDATA%\Tableau\Tableau Server \appzookeeper \filestore \pgsql \tabadminagent \<other services> /var/opt/tableau/tableau_server /appzookeeper /filestore /pgsql /tabadminagent /<other services> Permissions: Break inheritance at service level Read & Write permission for the service user Permissions: rwxrwx---- rw-rw----- tableau tableau tableau tableau

13 Transport Layer Security (TLS/SSL)

14 Transport Layer Security Chain of Trust

15 Transport Layer Security Chain of Trust

16 Transport Layer Security Chain of Trust

17 Transport Layer Security Chain of Trust

18 Transport Layer Security

19 Transport Layer Security

20 Transport Layer Security TLS Handshake

21 Transport Layer Security TLS Handshake

22 Transport Layer Security TLS Handshake

23 Transport Layer Security TLS provides Authentication (trust) Privacy (encryption) Message reliability (integrity)

24 Transport Layer Security Tableau Components Supporting TLS Gateway external and mutual The web server handling requests from various clients Repository The database where the vast majority of server content is persisted TSM Controller The process orchestrating administrative actions

25 Gateway Gateway Mobile VizPortal VizqlServer DataServer Tableau Desktop Postgres (Repository) Data Engine tabcmd Search Server Backgrounder

26 Transport Layer Security Gateway (AKA Apache, httpd) Provides access to all server content Browser client, REST API, tabcmd No TLS by default

27 Transport Layer Security Gateway Provides access to all server content Browser client, REST API, tabcmd No TLS by default External SSL: Admin-provided certificate Mutual SSL: Client certificates managed by CA Secrets live in the server configuration

28 Gateway Gateway Mobile VizPortal VizqlServer DataServer Tableau Desktop Postgres (Repository) Data Engine tabcmd Search Server Backgrounder

29 Gateway Gateway Mobile VizPortal VizqlServer DataServer Tableau Desktop Postgres (Repository) Data Engine tabcmd Search Server Backgrounder

30 Transport Layer Security Gateway Provides access to all server content Browser client, REST API, tabcmd No TLS by default External SSL: Admin-provided certificate Mutual SSL: Client certificates managed by CA Secrets live in the server configuration

31 Gateway

32 Repository Gateway Mobile VizPortal VizqlServer DataServer Tableau Desktop Postgres (Repository) Data Engine tabcmd Search Server Backgrounder

33 Transport Layer Security Repository (AKA postgres, PostgreSQL) Stores the vast majority of Server content Workbooks, datasource credentials, user permissions, local auth credentials Queried by other Server processes No TLS by default

34 Transport Layer Security Repository (AKA postgres, PostgreSQL) Stores the vast majority of Server content Workbooks, datasource credentials, user permissions, local auth credentials Queried by other Server processes No TLS by default Certificate is self signed and generated internally Secrets live in the server configuration

35 Repository Gateway Mobile VizPortal VizqlServer DataServer Tableau Desktop Postgres (Repository) Data Engine tabcmd Search Server Backgrounder

36 Repository Gateway Mobile VizPortal VizqlServer DataServer Tableau Desktop Postgres (Repository) Data Engine tabcmd Search Server Backgrounder

37 Repository

38 Repository

39 TSM Controller TSM CLI TSM Controller TSM Web UI Installer variants

40 Transport Layer Security Tableau Services Manager's Controller TSM REST API, Web UI and CLI Self signed certificate Set up by default

41 Tableau Server Administration Controller Security Authentication User Name & Password -> the OS Authorization Administrators Group tsmadmin group Custom defined group

42 Transport Layer Security Tableau Services Manager's Controller TSM REST API, Web UI and CLI Self signed certificate Set up by default Location %PROGRAMDATA%\Tableau\Tableau Server\data\tabsvc\tabadmincontroller\0\keystores Location /var/opt/tableau/tableau_server/data/tabsvc/tabadmincontroller/ 0/keystores Permissions Break inheritance at service level Read & Write permission for Network Service Permissions -rw-rw---- tableau tableau -rw-rw---- tableau tableau cakeystore.jks tabadmincontroller.jks TSM CLI needs the public certificate at Windows-ROOT Key Store TSM CLI needs the public certificate at /etc/opt/tableau/tableau_server/tableauservicesmanagerca.jks

43 Tableau Services Manager

44 Secure Storage of Secrets

45 Secure Storage of Secrets

46 Secure Storage of Secrets Encryption of Server secrets at rest Server-wide secrets are persisted in encrypted form pgsql.adminusername: tblwgadmin pgsql.adminpassword: ENC(w4c7e9rkR022ayv9GeWrb6Y3tSSqg5...SoEI0WFU1Xhs0jg7JSwLjg=)

47 Secure Storage of Secrets Encryption of Server secrets at rest Server-wide secrets are persisted in encrypted form pgsql.adminusername: tblwgadmin pgsql.adminpassword: ENC(w4c7e9rkR022ayv9GeWrb6Y3tSSqg5...SoEI0WFU1Xhs0jg7JSwLjg=) Secrets are managed by TSM, stored in ZooKeeper

48 Secure Storage of Secrets

49 Secure Storage of Secrets Encryption of Server secrets at rest Server-wide secrets are persisted in encrypted form pgsql.adminusername: tblwgadmin pgsql.adminpassword: ENC(w4c7e9rkR022ayv9GeWrb6Y3tSSqg5...SoEI0WFU1Xhs0jg7JSwLjg=) Secrets are managed by TSM, stored in ZooKeeper The master key lives on disk, generated during install

50 Secure Storage of Secrets Encryption of Server secrets at rest Server-wide secrets are persisted in encrypted form: pgsql.adminusername: tblwgadmin pgsql.adminpassword: ENC(w4c7e9rkR022ayv9GeWrb6Y3tSSqg5...SoEI0WFU1Xhs0jg7JSwLjg=) Secrets are managed by TSM, stored in ZooKeeper The master key lives on disk, generated during install Symmetric key encryption: AES GCM 256 Each service decrypts the secrets in memory

51 Encryption in the Repository

52 The Repository (PostgreSQL) Encryption of sensitive content in the Repository The Repository contains data source credentials The database tables containing this information are encrypted with asset keys

53 The Repository (PostgreSQL) Encryption of sensitive content in the Repository The Repository contains data source credentials The database tables containing this information are encrypted with asset keys Symmetric Key Encryption: AES CBC mode with PKCS5 padding The key ( asset key ) is managed by TSM

54 Rolling the Secrets

55 Key Roll Easy way to roll all the internal keys and secrets tsm security regenerate-internal-tokens Updates following secrets All internal passwords (postgres, redis, etc ) Master encryption keys Internally generated SSL certificates (postgres, solr ) Asset keys Re-encrypt secrets with new encryption keys

56 Nodes and Upgrades

57 Adding New Nodes Establish 2 way trust through bootstrapping AuthN / AuthZ bootstrap.json initialbootstrapsettings : { } configurationname : tabsvc, clusterid : tabsvc-clustered, nodeid : node1, machineaddress : hostname1 port : 8850, certificate : -----BEGIN CERTIFICATE----- cryptokeystore : <encoded keystore> <encoded cert> -----END CERTIFICATE-----,

58 Upgrades Upgrade Authentication Generate new secrets Operations that require admin/sudo privileges

59 Hardening

60 Hardening

61 Hardening Gateway SSL Protect your users Maintain your certificate

62 Hardening Gateway SSL Protect your users Maintain your certificate Postgres SSL Easy to set up, defense in depth

63 Hardening Gateway SSL Protect your users Maintain your certificate Postgres SSL Easy to set up, defense in depth Firewall Run Server within a subnet Only expose the Gateway port externally Set up firewall rules to allow communication between nodes

64 Ports $ tsm topology list-ports Node Name Instance Port node1 clientfileservice:primary node1 clientfileservice:status node1 licenseservice:vendor_daemon node1 tabadmincontroller:primary node1 appzookeeper:leader node1 appzookeeper:client node1 appzookeeper:peer node1 tabadminagent:filetransfer node1 tabadminagent:columbo

65 Hardening Gateway SSL Protect your users Maintain your certificate Postgres SSL Easy to set up, defense in depth Firewall Run Server within a subnet Only expose the Gateway port externally Set up firewall rules to allow communication between nodes Restrict access to hosts Only allow privileged personnel to access Physical and over-the-network

66 Hardening Gateway SSL Protect your users Maintain your certificate Postgres SSL Easy to set up, defense in depth Firewall Run Server within a subnet Only expose the Gateway port externally Set up firewall rules to allow communication between nodes Restrict access to hosts Only allow privileged personnel to access Physical and over-the-network Upgrade OS upgrades Monitor Tableau security bulletins Upgrade to get new security features

67 Please complete the session survey from the Session Details screen in your TC18 app

68 #TC18 Thank you! kreiter <at> tableau.com dciftci <at> tableau.com

69 Relevant Documentation

70