Tableau Services Manager Overview
This article provides an overview of Tableau Services Manager (TSM), which you can use to configure and administer Tableau Server.
Functionality
TSM gives server administrators command-line and web-based options for configuring and maintaining Tableau Server, including performing administrative task like backing up server data, restoring backups, creating log archives, and managing multi-node clusters. For example, you use TSM to perform the following tasks:
- Initial configuration of Tableau Server after installation
- Ongoing configuration management, including editing settings and changing the server topology
- Running administrative tasks such as backup, restore and ziplogs
For administrators familiar with earlier versions of Tableau Server, TSM replaces the following tools from previous versions of Tableau Server:
- Tableau Server Configuration utility
- tabadmin command line utility
- Tableau Server Monitor
Components
TSM consists of services (called processes in this documentation) and clients. TSM processes are administrative services which manage Tableau Server processes. TSM processes run continuously after TSM is initialised, even when the rest of Tableau Server is offline.
TSM processes that run, even when Tableau Server is stopped include:
- Administration Agent
- Administration Controller
- Client File Service
- Coordination Service (based on Apache Zookeeper™)
- Service Manager
- Licensing Service
For more information about TSM processes and Tableau Server processes, see Tableau Server Processes.
TSM Authentication
Whether you use the TSM Web UI, the command line interface, or the TSM API, you need to authenticate to Tableau Server before you can perform administrative tasks. This user account is distinct from Tableau Server user accounts, including Tableau Server administrators and site administrators.
TSM delegates authentication of users to the underlying operating system. On Linux, this means that authentication is handled using Pluggable Authentication Modules (PAM). PAM is the standard on all Linux distributions on which Tableau Server is supported. If your organisation has configured PAM to authenticate with your directory service (Active Directory, LDAP), then you can authorise any user from that directory service to access TSM. In this scenario, any authenticated PAM user that is a member of the tsmadmin group is authorised to access TSM.
In the 2019.1 release, TSM authentication process uses PAM directly and then falls back to an authentication scheme using substitute user (su) if PAM fails or is not configured with a directory service. If PAM is not configured with a directory service then local accounts must be managed on the Linux computer. In these cases, TSM will use the su method of authentication: passing the user-provided credentials to run the true command in the /bin directory. If that command succeeds, then authentication is verified. Therefore, if the user is a member of the tsmadmin group, then the authenticated user is granted access to TSM.
Custom PAM service definition
TSM uses the standard PAM login service to authenticate. You can further customise TSM authentication behaviour by creating a tableau PAM service file in /etc/pam.d. If this file exists, then it will be consulted instead of the PAM login service.
TSM authorisation group
You authenticate to TSM with a user that exists on the Tableau Server computer. The TSM user account must use password-based authentication. By default, the TSM user account must be a member of the tsmadmin group on the computer where Tableau Server is running. Alternatively, you can specify a different authorisation group for TSM administration. To specify a different default group during the install process, see Help Output for initialise-tsm Script. To specify a different authorisation group after you have installed Tableau Server, see Configure a Custom TSM Administration Group.
Connecting TSM clients
As a security measure, you can only connect to TSM with clients (CLI, Web UI, Rest API) over HTTPS. This is because TSM allows you to perform administrative tasks and to connect to TSM from other computers.
When you are connecting with a TSM client, you must connect to the Tableau Server instance running the TSM Administration Controller service.
Note: The TSM CLI tool does not require admin credentials in some scenarios. Specifically, if the account you are logged in as is a member of the TSM-authorised group, you do not need to provide credentials to run commands when running tsm CLI locally. For more information, see Authenticating with tsm CLI.
TSM HTTPS connections rely on a self-signed certificate generated by the Tableau Server installer. This certificate is the Tableau installation CA certificate that signs the SSL certificates Tableau creates for encrypting traffic over HTTP. The Tableau installation CA certificate must be trusted by the systems connecting to TSM Administration Controller.
The TSM CLI client validates certificate trust from a different store than the TSM Web UI uses. The TSM CLI client refers to the trusted store in the local Java keystore to validate trust for CA certificates. Since the TSM Web UI must establish connection with a web browser, trust is validated with the operating system's trusted keystore. The difference in how CA certificates are stored determines different trust configuration scenarios as outlined here:
- For TSM CLI communications on Tableau Server, the certificate trust is configured by default as part of the installation, node bootstrap, and upgrade processes. The Tableau installation CA certificate is added to the trusted store in the Java keystore. This allows you to access TSM using the CLI from any computer in the cluster without additional configuration. However, when accessing TSM Web UI, the browser will prompt you to trust the host running TSM Administration Controller service.
- For TSM CLI connections from remote computers, you will be prompted to trust the Tableau installation CA certificate the first time you connect to the Tableau Server running TSM Administration Controller. You can choose to trust the CA certificate, in which case you will not be prompted again on that computer until the certificate expires (default is 3 years). Or you can connect with a one-time trust by running your TSM command with the
--trust-admin-controller-certflag. - For TSM Web UI connections from remote computers, the browser will prompt you to trust the host running TSM Administration Controller service.