10 Replies Latest reply on Nov 2, 2017 9:34 AM by Jamieson Christian

    whitelist

    jens.bruckmann

      Hi all,

       

      I hope you can help me answer my question.

       

      I built a webdataconnector which I want to whitelist. Let's say the Tableau Server has the IP 192.168.0.1 (as an example), my webdataconnector server has the IP 192.178.0.1 (as an example), and the files I need have the names connector.html and connector.js.

       

      Now I have added the files to the whitelist by using the command

       

      tabadmin whitelist_webdataconnectors -a http:\\192.178.0.1\test\connector.html

       

      and the same for the js file.

       

       

      I have uploaded the connectors to the server and tried to get an automated refresh, but for some reason it is not working. I am getting back: "unknown error"

       

      So I read through the documentation and found the part with the secondary whitelist and found the following:

       

      "For each connector that you add to the safe list, you must also create a secondary safe list specific to that connector. This secondary safe list determines which domains the connector can send requests to and receive requests from. This helps ensure that connectors do not send information to untrusted domains."

       

      To be honest, I do not understand this part. I have no idea what this means for my setup or what I need to do. Is there someone out there who can help me by explaining this?

        • 1. Re: whitelist
          Glen Robinson

          Hi Jens

          Just checking that the command you are using has forward slashes, and not back slashes

          tabadmin whitelist_webdataconnectors -a http:\\192.178.0.1\test\connector.html

          should be

          tabadmin whitelist_webdataconnectors -a http://192.178.0.1/test/connector.html

           

          All the best

          Glen

           

          • 2. Re: whitelist
            jens.bruckmann

            Sorry Glen,

             

            this was a simple typo

             

             

            Nevertheless, do I really need the second whitelist?

            • 3. Re: whitelist
              Glen Robinson

              Hi Jens

              Is that a typo you made when running tabadmin or when you posted to this site?

               

              The documentation states that you need to add the second whitelist.

               

              For each connector that you add to the safe list, you must also create a secondary safe list specific to that connector. This secondary safe list determines which domains the connector can send requests to and receive requests from. This helps ensure that connectors do not send information to untrusted domains.

               

              However, I just tested using the EarthQuake Example connector, haven't added the secondary, and it works fine.

              So, I don't know. I guess it wouldn't cause any harm to add it.

               

              So your commands would be something like

               

              tabadmin whitelist_webdataconnectors -a http://192.178.0.1/test/connector.html

              tabadmin whitelist_webdataconnectors -s http://192.178.0.1/test/connector.html https://aaa.bbb.com

               

              Hope this works

              Glen

               

              • 4. Re: whitelist
                jens.bruckmann

                Typo when posting, not in the tabadmin command.

                 

                 

                You know, I understand I can add them, but I really don't know for which purpose I need to add them. This is something which I do not understand. Maybe I simply need some detailed examples and some more words to understand this.

                • 5. Re: whitelist
                  Patrick A Van Der Hyde

                  Jens - I moved this thread to Web Data Connector where some of our devs and others specifically focused on the WDC are on the lookout for questions/issues with the WDC. 

                   

                  Patrick

                  • 6. Re: whitelist
                    Brendan Lee

                    Hey Jens,


                    The purpose of the secondary whitelist is to provide increased security for our users and give our Server Admins more peace of mind. You must use the secondary whitelist to whitelist any endpoint that your connector talks to. For example, if your connector (at http://someIPaddress/test/connector.html) is trying to access a GET REST API from http://restapi/api/resource, you would need to add a secondary whitelist entry for http://restapi/api/resource (or http://restapi/api/*). Without that entry, we will not let the request succeed on Tableau Server.

                     

                    Consider this potential attack vector if this wasn't required:

                    • Mal (a malicious user) creates a WDC and hosts it at http://abc/wdc.html.  This WDC is harmless and just pulls from some public REST API.

                     

                    Because of the secondary whitelist, that attack vector is not possible. Does that help?

                     


                    -Brendan

                    1 of 1 people found this helpful
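A small model of the two-level safe list described in the reply above, added here as an illustration and not Tableau Server's own code. The matching rules (same scheme, host and port, then an exact path or a trailing `*` prefix) and the names `SAFE_LIST`, `pattern_allows` and `request_allowed` are assumptions; the URLs are the placeholders used in this thread.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed sample data: connector URL (primary list) -> endpoints that
# connector may call (its secondary list).
SAFE_LIST = {
    "http://192.178.0.1/test/connector.html": ["http://restapi/api/*"],
}

def _split(url):
    """Return ((scheme, host, port), path); raise ValueError if unusable."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an absolute http(s) URL: %r" % url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port), parts.path or "/"

def pattern_allows(pattern, request_url):
    """True if request_url falls under one secondary-list pattern."""
    try:
        p_origin, p_path = _split(pattern)
        r_origin, r_path = _split(request_url)
    except ValueError:
        return False
    # Compare parsed origins, not string prefixes, so look-alike hosts and
    # "user@host" tricks do not match.
    if p_origin != r_origin:
        return False
    # Collapse "." and ".." so /api/../admin cannot pass as /api/*.
    r_path = posixpath.normpath(r_path)
    if p_path.endswith("*"):
        return r_path.startswith(p_path[:-1])
    return r_path == p_path

def request_allowed(connector_url, request_url, safe_list=SAFE_LIST):
    """Default deny: the connector must be listed AND the endpoint must match."""
    patterns = safe_list.get(connector_url)
    if patterns is None:
        return False
    return any(pattern_allows(p, request_url) for p in patterns)

if __name__ == "__main__":
    wdc = "http://192.178.0.1/test/connector.html"
    for target in ("http://restapi/api/resource",
                   "http://restapi/api/../admin",
                   "http://restapi.evil.example/api/resource"):
        print(target, "->", request_allowed(wdc, target))
```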
                    • 7. Re: whitelist
                      jens.bruckmann

                      Hi Brendan,

                       

                      Thanks a lot for this explanation. It definitely makes sense and I understand now what I need the whitelist for. So in my case it is:

                      whitelist the webdataconnector itself and whitelist the domain where the webdataconnector is getting the data from.

                       

                       

                      So I made this happen, and now I am getting a mail every day that the refresh did not work. Now we come to the interesting bit. When I do the refresh manually it works without issues.

                       

                      Any idea?

                      • 8. Re: whitelist
                        Lasse Thorenfeldt

                        Hi Jens,

                         

                        When you say "do the refresh manually", do you mean from Tableau Desktop, or by initiating a "run now" on the Refresh Schedule on Server? I'm just trying to find out if your issue is the same as the one I'm currently seeing.

                         

                        Lasse

                        • 9. Re: whitelist
                          jens.bruckmann

                          Hi Lasse,

                          No, I was not speaking about refreshing in Tableau Desktop, but about a "run now" on the refresh schedule.

                          • 10. Re: whitelist
                            Jamieson Christian

                            Brendan Lee, can you clarify whether a secondary domain whitelist is moot when the WDC is imported? In other words, does the act of importing the WDC remove all restrictions with regard to the domains that the WDC can talk to while gathering its data?

                             

                            In reading the documentation, I noticed that The Import Method made no mention of configuring a secondary domain whitelist. But I don't want to have IT run an experiment until I know exactly what does and does not need to be configured to ensure access to external domains for an imported WDC.

                             

                            Thanks!