10 Replies Latest reply on Nov 2, 2017 9:34 AM by Jamieson Christian

whitelist

jens.bruckmann Jan 25, 2017 10:57 PM

Hi all,

I hope you can help me answering my question.

I built webdataconnector which I want to whitelist. Let´s say the tableau server has the IP 192.168.0.1 (as example) my webadataconnector Server has the IP 192.178.0.1 (as example) and the files I need has the names connector.html and connector.js

Now I have added the files to the whitelist by using the command

tabadmin whitelist_webdataconnectors -a http:\\192.178.0.1\test\connector.html

and the same for the js file.

I have uploaded the the connecotrs to the server and tried to get an automated refresh but for any reason it is not working. I am getting back: "unknown error"

So I read through the documentation and found the part with the secondary whitelist and found following:

"For each connector that you add to the safe list, you must also create a secondary safe list specific to that connector. This secondary safe list determines which domains the connector can send requests to and receive requests from. This helps ensure that connectors do not send information to untrusted domains."

To be honest I do not understand this part. I have no idea what this means for my setup or what I need to do. Is there someone out there who can help me explaing this?

1. Re: whitelist

Glen Robinson Jan 26, 2017 6:04 AM (in response to jens.bruckmann)

Hi Jens
Just checking that the command you are using has forward slashes, and not back slashes
tabadmin whitelist_webdataconnectors -a http:\\192.178.0.1\test\connector.html
should be
tabadmin whitelist_webdataconnectors -a http://192.178.0.1/test/connector.html

All the best
Glen
Like Show 0 Likes(0)

Actions
2. Re: whitelist

jens.bruckmann Jan 26, 2017 6:09 AM (in response to Glen Robinson)

Sorry Glenn,

this was a simple typo

nevertheless do I really need the second whitelist?
Like Show 0 Likes(0)

Actions
3. Re: whitelist

Glen Robinson Jan 26, 2017 6:22 AM (in response to jens.bruckmann)

Hi Jens
Is that a typo you made when running tabadmin or when you posted to this site?

The documentation states that you need to add the second whitelist.

For each connector that you add to the safe list, you must also create a secondary safe list specific to that connector. This secondary safe list determines which domains the connector can send requests to and receive requests from. This helps ensure that connectors do not send information to untrusted domains.

However, I just tested using the EarthQuake Example connector, haven't added the secondary, and it works fine.
So, I dont know. I guess it wouldn't cause any harm to add it..

So your commands would be something like

tabadmin whitelist_webdataconnectors -a http://192.178.0.1/test/connector.html
tabadmin whitelist_webdataconnectors -s http://192.178.0.1/test/connector.html https://aaa.bbb.com

Hope this works
Glen
Like Show 0 Likes(0)

Actions
4. Re: whitelist

jens.bruckmann Jan 26, 2017 6:28 AM (in response to Glen Robinson)

Typo by Posting not in the tabadmin command

you know I understand I can add them, but I really don´t know for which purpose I need to add them. This is something which I do not understand. Maybe I simply need some detailed examples and some more words to understand this
Like Show 0 Likes(0)

Actions
5. Re: whitelist

Patrick A Van Der Hyde Jan 26, 2017 11:44 AM (in response to jens.bruckmann)

Jens - I moved this thread to Web Data Connector where some of our devs and others specifically focused on the WDC are on the lookout for questions/issues with the WDC.

Patrick
Like Show 0 Likes(0)

Actions
6. Re: whitelist

Brendan Lee Jan 26, 2017 11:57 AM (in response to jens.bruckmann)
Hey Jens,

The purpose of the secondary whitelist is to provide increased security for our users and give our Server Admins more peace of mind. You must use the secondary whitelist to whitelist any endpoint that your connector talks to. For example, if your connector (at http://someIPaddress/test/connector.html) is trying to access a GET rest api from http://restapi/api/resource, you would need to add a secondary whitelist entry for http://restapi/api/resource (or http://restapi/api/*). Without that entry, we will not let the request succeed on Tableau Server.

Consider this potential attack vector if this wasn't required:
Mal (a malicious user) creates a WDC and hosts it at http://abc/wdc.html. This WDC is harmless and just pulls from some public REST API.

Because of the secondary whitelist, that attack vector is not possible. Does that help?

-Brendan
1 of 1 people found this helpful
Like Show 0 Likes(0)

Actions
7. Re: whitelist

jens.bruckmann Jan 30, 2017 3:35 AM (in response to Brendan Lee)

Hi Brendan,

thanks a lot for this explanation. It definitly makes sense and I understand now for what I need the whitelist. So in my case it is:
whitelist the webdataconnector itself anf whitelist the domain where the webdataconnector is getting the Data from.

So I made this happen and now I am getting every day a mail the refresh did not work. Now we come to the interesting bit. When I do the refresh manually it works without issues.

Any Idea?
Like Show 0 Likes(0)

Actions
8. Re: whitelist

Lasse Thorenfeldt Feb 27, 2017 4:32 PM (in response to jens.bruckmann)

Hi Jens,

When you say "do the refresh manually", do you mean from Tableau Desktop, or by initiating a "run now" on the Refresh Schedule on Server? I'm just trying to find out if your issue is the same as the one I'm currently seeing.

Lasse
Like Show 0 Likes(0)

Actions
9. Re: whitelist

jens.bruckmann Mar 1, 2017 4:52 AM (in response to jens.bruckmann)

hi Lasse,
no I did not speak about refreshing in tableau desktop. a run now on the refresh schedule
Like Show 0 Likes(0)

Actions
10. Re: whitelist

Jamieson Christian Nov 2, 2017 9:34 AM (in response to Brendan Lee)

Brendan Lee can you clarify whether a secondary domain whitelist is moot when the WDC is imported? In other words, does the act of importing the WDC remove all restrictions with regard to the domains that the WDC can talk while gathering its data?

In reading the documentation, I noticed that The Import Method made no mention of configuring a secondary domain whitelist. But I don't want to have IT run an experiment until I know exactly what does and does not need to be configured to ensure access to external domains for an imported WDC.

Thanks!
Like Show 0 Likes(0)

Actions