Spotfire Security. Peter McKinnis July 2017

Transcription

1 Spotfire Security Peter McKinnis July 2017

2 Outline Authentication in Spotfire Spotfire Server 7.9 Sites Feature and Authentication Authorization in Spotfire Data Security Spotfire Statistics Services Security Q&A

3 Authentication in Spotfire

4 Spotfire Platform Standards and Security

5 Defining Authentication and Authorization Authentication is verifying you are who you claim to be. Username (who you are) and password (verification) Authorization is verifying your rights to access something or perform actions within a specific environment after you have authenticated. Administrative rights vs. Regular User

6 Spotfire Server Authentication & Authorization Authentication Authorization Username and Password Spotfire database LDAP Windows NT Custom JAAS Established: Identity User Directory Spotfire database Established: Group membership Preferences Single Sign On NTLM Kerberos X.509 Client Certificates Web/External Authentication LDAP Windows NT Licenses File permission Routing Deployments And more Anonymous

7 Username and Password: Spotfire Database Simple Username and password are stored in Spotfire database. Passwords are salted and hashed using the SHA-512 hash function. (KB article: Spotfire Server password security) User can change passwords from within Spotfire or Administrators can reset passwords Use Administration Manager or command-line tools to import/export large number of users

8 Username and Password: Spotfire LDAP Mode Authentication verified by LDAP Server No passwords stored in Spotfire Supported LDAP Servers Microsoft Active Directory Sun ONE Directory Server Sun Java System Directory Server Custom LDAP servers User Synchronization By default only Users are synced Group Synchronization Enable to allow group sync and get hierarchy Mention Explicit group names or Context Names (for all groups ) Can use wildcards to specify multiple groups Groups used for Authorization

9 Single Sign-On Authentication: Kerberos Most complex to configure and most complete Very secure even over unsecure networks Can use Spotfire Database or LDAP as user directory Allows passing of user credentials to data sources in Spotfire Users must be able to obtain a Kerberos ticket from the Key Distribution Center (KDC), usually Active Directory Web browser 2 User s Computer 3 1 Active Directory 1. The user logs into Windows. 2. The user s computer tries to connect to the Spotfire Server. 3. The user s computer receives a Kerberos ticket from the Active Directory to connect to Spotfire Server. 4. The user s computer forwards the Kerberos ticket to the Spotfire Server. 4 TIBCO Spotfire Server 5 5. The Spotfire Server decrypts the Kerberos ticket and authenticates the user.

10 Kerberos Comments about Hadoop Kerberos seen a lot with Hadoop environments Hortonworks, Cloudera, secure HBase, Hive, etc. Often times the Hadoop environment is Kerberized using MIT Kerberos and Spotfire is in a Windows domain that is not trusted by the MIT Kerberos Can setup Spotfire to connect using a service account to Kerberized Hadoop environments If Spotfire client user token is needed in Hadoop, then proper trust and relationships must be configured between the environments outside of Spotfire See TIBCO Community Article - Connecting TIBCO Spotfire to a Kerberized Data Source

11 Single Sign-On Authentication: NTLMv2 Uses Windows session. If Domains don t match or untrusted, user is prompted Authentication credentials cannot be passed to underlying data sources (NTLM does not support double hops). Use Kerberos instead. Supports NTLMv2 Can use either LDAP or Spotfire for User Directory

12 Single Sign-On Authentication: X.509 Certificates Uses an X.509 Client Certificate from the Spotfire client to the Spotfire Server. A prerequisite for this authentication method is that the TIBCO Spotfire Server is set up with HTTPS and is set to require client certificates. Can have per-user certificates. Client certificates can be combined with other authentication methods for improved security (actually providing a form of twofactor authentication).

13 Two-Factor Authentication Spotfire Server supports one form of two-factor authentication. It is possible to combine a primary authentication method with X.509 certificates. Usually the primary method is Basic, but other methods are allowed. The user names provided by the primary authentication method and X.509 certificates must match.

14 Anonymous Authentication Useful when embedding Spotfire into another web application Uses built-in account Allows users access to only those resources that are accessible to the built-in guest account If users have a specific account, they can click the login button and enter their credentials to get access based on their user. TIBCO Community Wiki article: Configuring Anonymous Access to Analysis Files in Spotfire 7.5 and later

15 OpenID Connect and Web Authentication Spotfire 7.8+ supports OpenID Connect protocol and Web Authentication. OpenID Connect protocol supported by various vendors (e.g. Google, Facebook, etc.). More modern than SAML. Configure OpenID Connect in Spotfire Server configuration. Spotfire Analyst and Web Player Users can authenticate with OpenID. Before 7.8, ONLY Web Player users could use a web based authentication method. Spotfire 7.8 also supports Custom Web Authentication again supported in Web Player AND Spotfire Analyst. For Analyst, a web browser will appear where user can login.

16 External and Custom Authentication Used when authentication is done external to Spotfire Server and a user identity can be passed to Spotfire. For example, Site Minder, Custom Portals etc. Delegated authentication such as when a user is authenticated via a proxy or load balancer. TIBCO Community Wiki Article: Custom Authentication in TIBCO Spotfire 7.5 and Later Versions Can be used as a supplementary authentication method with another main authentication method (e.g. internal users could use NTLM and external users use external authentication) Process: User is authenticated by authentication service (1,2) Token sent to browser (3) and passed onto Spotfire (4) Token is sent to service for validation (5) User identity can be returned (6) and used in Spotfire for authorization

17 SAML Considerations Security Assertion Markup Language (SAML) is supported for authentication within Spotfire. SAML based systems can be supported by using external and custom authentication and, if needed, JAAS on Spotfire Server. The ultimate implementation of SAML is to pass around a token for each user that states whether that user is authorized to access particular data/documents, etc. within the environment.

18 Username and Password: Custom JAAS OOB authentication methods are implemented as Java Authentication and Authorization Service (JAAS) modules. Spotfire also supports third-party JAAS modules. You may therefore use a custom JAAS module, provided that it validates username and password authentication and that it uses JAAS NameCallback and PasswordCallback objects for collecting the usernames and passwords The jar file with the JAAS implementation is placed in the Spotfire Server Tomcat lib directory.

19 Username and Password: Spotfire Windows NT Domain Present for Legacy Support User authentication is delegated to Windows NT domain controllers If used for Authentication, you can have LDAP as user directory config-windows-userdir [-c value --configuration=value] [-b value --bootstrap-config=value] [-d value -- domains=value] [-t value --sleep-time=value] [--schedules=value]

20 Additional security considerations Use HTTPS as much as possible (No clear text communication). Use LDAPS communication for more security; usually requires importing SSL certificate into cacerts file. Post-authentication filter API is a quite useful feature that can be used to perform several different kinds of tasks Transform/map the name of the authenticated user (perhaps the authentication method returns the name in a different format than the LDAP server provides) Filter/block users (e.g. based on source IP or some HTTP header, or based on what some other authorization service gives) Verify that authorization is set up correctly (e.g. by verifying, and possibly changing, the groups that the user is member of) Note: Post-authentication filter is called when Web Player node calls back to Spotfire Server

21 Sites and Authentication

22 Default Spotfire Server Node Communication

23 Sites Feature Sites feature added in Spotfire Server 7.9 Allows one to group Spotfire Server(s) and Node(s) into a Site with communication only within that site Can be used for grouping Spotfire Server(s) and Node(s) in the same geography or for different authentication modes Configured from the command-line by creating the site and then adding nodes and servers to the site

24 Spotfire Server 7.9 Sites Feature

25 Sites and Authentication Can have different authentication modes for each site Can also have different user directories for each site Configured from the command-line using the Site name

26 Authorization in Spotfire

27 Spotfire Authorization The Spotfire User Directory is used to manage authorization in Spotfire The User Directory maps users to Groups/Roles and in turn the groups match to what users can access and do in Spotfire Can use LDAP or Spotfire Database for User Directory. With Spotfire Database users are not tied to the External LDAP. Users/groups can be synchronized using LDAP and custom API hooks into Spotfire. Use Groups to control who has access to what in the Spotfire Library. Use Groups to control what features (licenses) users can use in Spotfire. Use Groups to control default Preferences in Spotfire. Groups also can be used for Deployment areas, routing, etc.

28 Spotfire Library Controlling Access to Library Items Control Library folder access by group or user Access Browse + Access Browse + Access + Modify Full Control

29 Administration Controlling access to features (licenses) Can create customized groups with different / granular functionality

30 Administration Controlling default Preferences (settings) Can set default settings by group Examples: Web Player items to show Initial default visualization TSSS URLs Font settings And many more

31 Spotfire Server Public Web Services for Security Integration Web Services API for User Directory Create/Modify/Delete user accounts and groups Set/Modify group membership for users Web Services API for Spotfire Library Set/Modify permissions on folders in the Library Create/Move/Copy/Delete folders in the Library Useful for integrating non-ldap security providers Can be useful for automating and integrating Spotfire into other business processes and systems

32 Data Security

33 Data Governance Information Services Information Services All methods of data accessed secured Data Source can have central username/password or user can be prompted for username and password

34 Data Governance Spotfire Connectors Spotfire Connectors Store and control access to model centrally Provide management of connections to data Username/password can be prompted to stored in connection Publish certified connections and data models - enforce a single version of the truth Limit end user access to only preconfigured connections and data models Protect source credentials within connection object Big Data sources may contain hundreds of columns, a model should contain only the relevant ones Use Save As to make personal modifications Publish, re-use and share as allowed by author

35 Data Level Security All methods of data access are secured Data sources can have central username/password or user can be prompted for authentication Kerberos can be used from client tier to database tier Multiple row level security approaches Separate Information Links with secured Library access Data source authentication Pass-through user and group identities and domains %CURRENT_USER% %CURRENT_GROUPS% %CURRENT_USER_DOMAIN%

36 Scheduled Updates and Personalized Scheduled Updates Scheduled Updates Pin critical analyses in memory of Web Player Instance for instant access Periodic & Event driven refresh Refresh according to schedule, by Web Service call or EMS Map Message Data loads on background thread Refresh appears instantaneous to clients Cache Scheduled Updates to disk for quick restart Optional Row Level security Individual queries/sources can be flagged to reload per user session SHARED DATA PRIVATE DATA Entitlement data can be used to limit primary dataset Maximum data sharing on primary dataset + near-instant access + row level security Add Columns/Rows/Tables/Pivot/etc. Spotfire Table

37 Spotfire Statistics Services and Security (or lack thereof)

38 Spotfire Statistics Services Data Flow

39 Spotfire Statistics Services Security TSSS supports authentication using user properties, Active Directory (AD), or LDAP User properties Simplest form of user authentication using an in-memory authentication list read from the users.properties file AD and LDAP controlled using the ldap.properties file LDAP properties give information for connecting to AD/LDAP, LDAP search information, groups that user can be in TSSS does NOT support any Authorization. Once you are authenticated to TSSS, you can do anything. Did do custom work for a customer to impersonate users in TSSS calls using Windows API.

40 Spotfire Statistics Services Security (2) From Spotfire Analyst, user will be prompted for username and password if using secure TSSS From Web Player, one will not be prompted so must configure service account login to use TSSS from Web Player and Automation Services Spotfire.Dxp.Worker.Host.exe.config file contains configuration parameters: TibcoSpotfireStatisticsServicesURLs TibcoSpotfireStatisticsServicesUsernames TibcoSpotfireStatisticsServicesPasswords

41 Q & A

42 Thank you! Peter McKinnis Senior Enterprise Architect TIBCO