PAM-based Authentication in Tableau Resource Monitoring Tool (RMT)

Applies to: Tableau Advanced Management

Beginning with version 2025.2, PAM-based authentication for delegated users was added. This allows customers to implement custom authentication logic if needed.

Previously, RMT relied only on su for delegated user authentication, which could lead to inconsistencies if the underlying Linux authentication policies differed between Tableau Server and RMT. By adding support for PAM, RMT aligns with Tableau Server’s authentication flow, giving more flexibility and control.

RMT uses Local (RMT-specific passwords) or Delegated (Operating System-based credentials) authentication for user access, with delegated authentication requiring users to provide their standard network password for login. Authentication is configured on the RMT Server through its web interface or the rmtadmin command line tool, where users can be added or their existing authentication modes changed. Proper configuration includes ensuring the username is entered correctly (without domain for Delegated auth) and that the correct RMT server roles are assigned to users. For information on server roles, see Manage Users and Authentication in Tableau Resource Monitoring Tool (RMT).

How PAM-based authentication works in RMT

When RMT authenticates a delegated user, it follows the same authentication flow as Tableau Server:

  1. Custom PAM service (tableau)

    RMT will first attempt to authenticate the user using a custom PAM service named tableau, if present at:

    /etc/pam.d/tableau

    This allows customers to define their own authentication policies.

  2. Default PAM login service

    If the tableau service is not defined, RMT will fallback to using the standard PAM login service for authentication.

  3. su-based authentication

    If both PAM attempts fail, RMT will finally attempt authentication using su.

    This is the default method of authentication in pre-2025.2 versions and continues to be valid to ensure backward compatibility with earlier RMT versions and existing environments.

How to Enable PAM-based authentication in RMT

To use PAM-based authentication in RMT, the following prerequisites must be met:

  1. 1. Install pamtester

    RMT uses pamtester to perform non-interactive PAM authentication.

    Debian/Ubuntu:

    sudo apt install pamtester

    RHEL/CentOS:

    sudo yum install pamtester

  2. Set permissions for pamtester

    The pamtester binary must be granted appropriate permissions to allow authentication:

    sudo chown root:root /usr/bin/pamtester
    sudo chmod u+s /usr/bin/pamtester

    The setuid permission (u+s) ensures that pamtester can read /etc/shadow, which is required for most PAM modules to perform password checks.

Implementing a Custom PAM Service (Optional)

If you wish to implement your own custom authentication logic, you can define a PAM service named tableau:

 /etc/pam.d/tableau
Back to top
Thanks for your feedback!Your feedback has been successfully submitted. Thank you!