Tableau Services Manager Overview
This article provides an overview of Tableau Services Manager (TSM), which you can use to configure and administer Tableau Server.
Functionality
TSM gives server administrators command-line and web-based options for configuring and maintaining Tableau Server, including performing administrative task like backing up server data, restoring backups, creating log archives, and managing multi-node clusters. For example, you use TSM to perform the following tasks:
- Initial configuration of Tableau Server after installation
- Ongoing configuration management, including editing settings and changing the server topology
- Running administrative tasks such as backup, restore and ziplogs
For administrators familiar with earlier versions of Tableau Server, TSM replaces the following tools from previous versions of Tableau Server:
- Tableau Server Configuration utility
- tabadmin command line utility
- Tableau Server Monitor
Components
TSM consists of services (called processes in this documentation) and clients. TSM processes are administrative services which manage Tableau Server processes. TSM processes run continuously after TSM is initialised, even when the rest of Tableau Server is offline.
TSM processes that run, even when Tableau Server is stopped include:
- Administration Agent
- Administration Controller
- Client File Service
- Coordination Service (based on Apache Zookeeper™)
- Service Manager
- Licensing Service
For more information about TSM processes and Tableau Server processes, see Tableau Server Processes.
TSM Authentication
Whether you use the TSM Web UI, the command line interface, or the TSM API, you need to authenticate to Tableau Server before you can perform administrative tasks. This user account is distinct from Tableau Server user accounts, including Tableau Server administrators and site administrators.
You authenticate to TSM with a user that exists on the Tableau Server computer. The TSM user account must use password-based authentication. By default, the TSM user account must be a member of the Administrators group on the computer where Tableau Server is running. Alternatively, you can specify a Windows group for TSM administration after you have installed Tableau Server. See Configure a Custom TSM Administration Group.
Connecting TSM clients
As a security measure, you can only connect to TSM with clients (CLI, Web UI, Rest API) over HTTPS. This is because TSM allows you to perform administrative tasks and to connect to TSM from other computers.
When you are connecting with a TSM client, you must connect to the Tableau Server instance running the TSM Administration Controller service.
As a security best practice, do not expose the TSM port (by default, 8850
) to the internet.
Note: The TSM CLI tool does not require admin credentials in some scenarios. Specifically, if the account you are logged in as is a member of the TSM-authorised group, you do not need to provide credentials to run commands when running tsm CLI locally. For more information, see Authenticating with tsm CLI.
TSM HTTPS connections rely on a self-signed certificate generated by the Tableau Server installer. This certificate is the Tableau installation CA certificate that signs the SSL certificates Tableau creates for encrypting traffic over HTTP. The Tableau installation CA certificate must be trusted by the systems connecting to TSM Administration Controller.
The TSM CLI client validates certificate trust from a different store than the TSM Web UI uses. The TSM CLI client refers to the trusted store in the local Java keystore to validate trust for CA certificates. Since the TSM Web UI must establish connection with a web browser, trust is validated with the operating system's trusted keystore. The difference in how CA certificates are stored determines different trust configuration scenarios as outlined here:
- For TSM Web UI and CLI communications on Tableau Server, the certificate trust is configured by default as part of the installation, node bootstrap, and upgrade processes. The Tableau installation CA certificate is added to the trusted store in both the Java keystore and in the Windows trusted root keystore. This allows you to access TSM from any computer in the cluster without additional configuration.
- For TSM CLI connections from remote computers, you will be prompted to trust the Tableau installation CA certificate the first time you connect to the Tableau Server running TSM Administration Controller. You can choose to trust the CA certificate, in which case you will not be prompted again on that computer until the certificate expires (default is 3 years). Or you can connect with a one-time trust by running your TSM command with the
--trust-admin-controller-cert
flag. - For TSM Web UI connections from remote computers, the browser will prompt you to trust the host running TSM Administration Controller service.