Step 4: Safe list Input and Output locations

This topic describes the rules that apply to this feature and how to safe list the directories on your network.

Flow input and output connections may need to connect to databases or files in the directories on your network. You must safe list the directories you want to allow access to. Input and Output connections will only be allowed to connect to data in the safe listed locations. By default, no connections are allowed.

Note: You can still publish the flows and any data that is embedded in the flow file (tflx) to Tableau Server, but the flow will fail to run if the directories aren't included in your organization's safe list.

How to safe list input and output locations

The following rules apply and must be considered when configuring this setting:

  • The directory paths should be accessible by Tableau Server. These paths are verified during server startup and at flow run time and are not verified at the time of publishing the flow to Tableau Server.

  • Network directory paths have to be absolute and cannot contain wildcards or other path traversing symbols. For example, \\myhost\myShare\* or \\myhost\myShare* are invalid paths and would result in all the paths as disallowed. The correct way to safelist any folder under myShare would be \\myhost\myShare or \\myhost\\myShare\.

    Note: The \\myhost\myShare configuration will not allow \\myhost\myShare1. In order to safe list both of these folders safe list them as \\myhost\myShare; \\myhost\myShare1.

  • Windows:

    • The value can be either *, (for example, tsm configuration set -k maestro.input.allowed_paths -v "*") to allow any network directory, or a specified list of network directory paths, delimited by a semicolon (;). If you specify a list of directory paths, be sure to specify particular directories rather than the root of the file share.

    • If the path contains spaces or special characters you will have to either use single or double quotes. Whether you use single or double quotes depends on the shell that you are using.
    • No local directory paths are allowed even when the value is set to *.

    • To save flow output to a network share, you must first configure a Run As user(Link opens in a new window) service account on Tableau Server. You cannot save flows to a network share using the default system account. Then configure the target directory on the network share for Full Control permissions for the Run As user account you created.

      Depending on how your organization manages nested folder permissions, you may need to grant additional permissions in the folder hierarchy, with a minimum of Read, Write, Execute, Delete, and List Folder permission, to allow the Run As user account access to the target folder.

  • Linux:

    • The value can be either *, (for example, tsm configuration set -k maestro.input.allowed_paths -v "*") meaning that any path, including local (with the exception of some system paths configured using “native_api.internal_disallowed_paths”), or a list of paths, delimited by a semicolon (;).

    • You must be using a kernel version equal to or later than 4.7. Safe listing to or from a network share is not supported on kernel versions earlier than 4.7. On earlier versions, when the output is written to a network share, hyper fails to output files, resulting in flows failing at runtime. When reading input files from a network share on earlier versions, flow executions fail. To check the kernel version, in the Linux terminal, type the command uname -r. This will display the full version of the kernel you are running on the Linux machine. Note that for Red Hat Enterprise Linux, kernel version 4.7 and later is only available with Red Hat Enterprise Linux version 8.

    • To save flow output to a network share, the local Linux account that has access to Tableau Server resources must be given Full Control permissions to the target directory on the network share. If a path is both on the flows allowed list and internal_disallowed list, internal_disallowed takes precedence.
      The mount points for both input and output paths used by flows must to be configured using the native_api.unc_mountpoints configuration key. For example:
      tsm configuration set -k native_api.unc_mountpoints -v 'mountpoints'
      For information about configuring this, see this Tableau Knowledge Base article: Tableau Server on Linux - How to Connect to a Windows Shared Directory(Link opens in a new window).

Use the following commands to create a list of allowed network directory paths:

For input connections:

tsm configuration set -k maestro.input.allowed_paths -v your_networkdirectory_path_1;your_networkdirectory_path_2

tsm pending-changes apply

For output connections:

tsm configuration set -k maestro.output.allowed_paths -v your_networkdirectory_path_1;your_networkdirectory_path_2

tsm pending-changes apply

 

Important:
These commands overwrite existing information and replace it with the new information you provided. If you want to add a new location to an existing list, you must provide a list of all the locations, existing, and the new one you want to add. Use the following commands to see the current list of input and output locations:

tsm configuration get -k maestro.input.allowed_paths
tsm configuration get -k maestro.output.allowed_paths

Next step

Step 5: Optional Server Configurations

Who can do this

On Windows, members of the local computer Administrators group can run tsm commands.

On Linux, members of the tsmadmin group can run tsmcommands. The tsmadmin group can be configured using the tsm.authorized.groups setting.

Thanks for your feedback!Your feedback has been successfully submitted. Thank you!