8 Replies Latest reply on May 11, 2015 3:52 PM by Dan Scott

    Keep Changes to pg_hba.conf

    Janusz Jasinski

      Hi,


      When I make changes to pg_hba.conf for access to other servers, it all runs fine. However when Tableau is restarted for whatever reasons, the file is reverted back to its original state i.e. all changes wiped

       

      Please can someone advise as it's really frustrating.

       

      Thanks

        • 1. Re: Keep Changes to pg_hba.conf
          Dan Scott

          The problem is that the pg_hba.conf file is getting regenerated, which is overwriting your changes.  So, the obvious question is, "Where is it getting overwritten from?"  The answer is, that there is a "template" file called pg_hba.conf.templ (search for it in the installation directory).  The template file is a mixture of ruby code and literal text that is used to create the pg_hba.conf file.

           

          If your desired change is a simple addition to the pg_hba.conf file, then you may find it fairly easy to alter the template file by just including the new content you want.  If you are trying to change the lines that the template file is designed to generate, then you will need to understand ruby, and making alterations will be somewhat more difficult.

           

          A word of caution: The pg_hba.conf file is how PostgreSQL controls which machines can access the Repository, which means it is an important security feature. Before making changes, be sure you understand the effects of those changes, and that they are not opening  you up to a possible exploit.

           

          Note: Any changes made to the template file will disappear when you upgrade Tableau Server, so you would need to re-do your changes then.

           

          Oh, and I really should have asked why you want to alter the pg_hba.conf file?  It is possible that Tableau Server might already support what you need, with the right configuration (or not).

          • 2. Re: Keep Changes to pg_hba.conf
            Matt Coles

            Hey Dan, is it also true that for multi-node Server instances, the template file must be altered on each of the hosts within the cluster, and not just the Primary?

            • 3. Re: Keep Changes to pg_hba.conf
              Toby Erkson

              Dan Scott wrote:

               

              ...

              Oh, and I really should have asked why you want to alter the pg_hba.conf file?  It is possible that Tableau Server might already support what you need, with the right configuration (or not).

              Yes, exactly, why the need to alter it?

              • 4. Re: Keep Changes to pg_hba.conf
                Matt Coles

                If you wish to enforce tighter security requirements for the readonly user beyond username/password auth, for example, restricting connections to specific IP addresses, this requires modifying the template files.

                • 5. Re: Keep Changes to pg_hba.conf
                  Janusz Jasinski

                  Ok thanks. Tableau doesn't do what we need it to. We have a web server specifically for our needs and its this what needs access.

                   

                  We bung it into our own framework, design etc with specific menu structure and so fourth.

                  • 6. Re: Keep Changes to pg_hba.conf
                    Dan Scott

                    Matt,

                    Yes, you would need to manually update the pg_hba.conf.templ file on each machine.  And, of course this kind of modification is not supported, so any changes are at your own risk.  I definitely recommend making sure you really need to alter pg_hba.conf before doing this.

                    • 7. Re: Keep Changes to pg_hba.conf
                      Geoff Nelson

                      Janusz,

                       

                      I concur with Dan that it is not supported at this time.  Before the "readonly" user became a supported feature, I did this after upgrades to allow access to a few trusted machines read only access to the Tableau Server Postgres repository.

                       

                      Would supporting passing IP address ranges and authentication method into the pg_hba.conf template for the "readnonly" user provide what's needed?

                       

                      Best, Geoff

                      • 8. Re: Keep Changes to pg_hba.conf
                        Dan Scott

                        Is this question actually still unanswered?