There is a similar problem with exporting the settings. The run-as password is exposed and has to be encrypted using GPG (requiring the installation and scripting of GPG). Can someone explain how TSM is better? How about building a backup scheduler into the TSM web-app? Not having to write DOS/PowerShell scripts... that would be better. This seems a step backwards in ease-of-use and not what I have come to expect from Tableau.
2 of 2 people found this helpful
We're having the same issues. Tabadmin made backups extremely easy. It was a single line of code. Now, because TSM doesn't authenticate in the same way, we'd need to store a password somewhere? We're not going to back up our Tableau Server with TSM until this is resolved. We have machine-level backups that will work for now, but we won't tolerate this degradation of security. The solution we would implement, if we HAD to do backups this way, would involve using PowerShell scripts to encrypt the log-in keys from a safer location, then passing that information to TSM.
Tableau has been famous for going two steps forward, one step back as they focus so much on new features and less on making sure old ones work. This is yet another instance.
If we could run TSM from a different machine, this might feel a bit safer. The worry is still the practice of storing a password instead of using the already-logged-in AD user and running the batch from the built-in scheduler.
If we are to move away from Windows-like dependencies in preparation for a unified Linux-compatible codebase, then TSM needs a built-in scheduler of its own where we could either schedule reboots, backups, scaling, or even updates. If I need to open up the TSM site to make a backup schedule which would afterward kick off a batch file to move the backup file - that's OK. The issue is that we need both the system to move the files around our network and the software to do the backup.
For what it is worth, Tableau Support sent me the following links for how to script this:
I will probably attempt the method described in the first link. Good luck.
Same... this is a way to obfuscate the password, but if the script can retrieve the plain-text password, so can the attacker who has access to the script.
It's the same only in the method used; however, it's better because the Tabwiki document spoon-feeds the user: there is no need for them to figure out the batch files and how to implement the process themselves. I readily admit that in the document.
The intro of the document (in the .zip file) lets the reader know the method isn't very secure but it is better than nothing.
Have you contacted Tableau Support about how they recommend doing this? You bring up a pretty strong security point and it seems like a real...big...OOPS!...on Tableau's part.
1 of 1 people found this helpful
Here's a streamlined way to do the same thing (in PowerShell):
$x = Get-Credential
# you are not logging in, username doesn't matter and password is not verified
# just make sure you type the password correctly
$y = ConvertFrom-SecureString $x.Password
# save $y somewhere, it's a long hex string
# now retrieve that long string - let's recover the plain text password
$z = ConvertTo-SecureString $y
$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($z)
$PlainPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)
# free the unmanaged copy of the password once it has been read
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR)
I consider this as safe as rot13. It's more convenient in a way, because the functions are readily available in Powershell. On the other hand, the encrypted string is inconveniently long.
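Added example, not written by any poster in this thread and not Tableau's own script: a scheduled-backup wrapper that keeps the TSM password in a DPAPI-protected file instead of in the script. Without -Key, ConvertFrom-SecureString and Export-Clixml encrypt with Windows DPAPI, so the file decrypts only for the same Windows account on the same machine; any code running as that account can still recover it. The file path, backup file name, and tsm being on PATH are assumptions.

```powershell
# Added example. $CredFile and 'ts_backup' are hypothetical names; run on the Tableau Server node.
param(
    [string]$CredFile = "$env:ProgramData\TsmBackup\tsm-cred.xml",
    [switch]$Setup
)
$ErrorActionPreference = 'Stop'

if ($Setup) {
    # One-time step: run interactively as the SAME Windows account the scheduled task will use.
    New-Item -ItemType Directory -Path (Split-Path $CredFile) -Force | Out-Null
    Get-Credential -Message 'TSM administrator account' | Export-Clixml -Path $CredFile
    # Drop inherited permissions and leave only this account on the file.
    icacls $CredFile /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R,W)" | Out-Null
    return
}

try {
    # Fails with a cryptographic error if run as another user or on another machine.
    $cred = Import-Clixml -Path $CredFile
} catch {
    throw "Cannot decrypt $CredFile as $env:USERNAME on $env:COMPUTERNAME : $($_.Exception.Message)"
}

# tsm needs the plain-text password; keep it in memory only for the duration of the calls.
# Note: it is still passed as a command-line argument to tsm while the login runs.
$plain = $cred.GetNetworkCredential().Password
try {
    & tsm login -u $cred.UserName -p $plain
    if ($LASTEXITCODE -ne 0) { throw "tsm login failed with exit code $LASTEXITCODE" }

    & tsm maintenance backup -f 'ts_backup' -d
    if ($LASTEXITCODE -ne 0) { throw "tsm backup failed with exit code $LASTEXITCODE" }
} finally {
    Remove-Variable plain -ErrorAction SilentlyContinue
    & tsm logout
}
```

Run it once with -Setup under the task's account, then schedule it without arguments under that same account.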
Toby Erkson, I contacted Tableau via their liaison for the company I work for. Several other admins in the same company joined their complaints to mine. I was assured someone in the development group would look into this.
Also, pigs will fly.
All right... I toyed with the idea of using rot13 just for the cuteness factor, but it's not a good choice because it doesn't process the non-alphabetical characters that are so popular in passwords today. For the moment, I'm using base64 to obfuscate the password.
And no, this is not secure. Just a tiny bit better than having the password in plain text.
base64 cheat sheet: