
Page 1: Spotfire Security July 2017

Spotfire Security

Peter McKinnis

July 2017

Page 2: Outline

© Copyright 2000-2017 TIBCO Software Inc.

• Authentication in Spotfire
• Spotfire Server 7.9 Sites Feature and Authentication
• Authorization in Spotfire
• Data Security
• Spotfire Statistics Services Security
• Q&A

Page 3: Authentication in Spotfire

Page 4: Spotfire Platform – Standards and Security

Page 5: Defining Authentication and Authorization

• Authentication is verifying you are who you claim to be.
  • Username (the claimed identity) and password (the proof of that claim)
• Authorization is verifying your rights to access something or perform actions within a specific environment, after you have authenticated.
  • Administrative rights vs. regular user

Page 6: Spotfire Server Authentication & Authorization

Authentication establishes identity:

• Username and Password
  • Spotfire database
  • LDAP
  • Windows NT
  • Custom JAAS
• Single Sign On
  • NTLM
  • Kerberos
  • X.509 Client Certificates
• Web/External Authentication
• Anonymous

User Directory (the source of users and groups):

• Spotfire database
• LDAP
• Windows NT

Authorization establishes:

• Group membership
• Preferences
• Licenses
• File permission
• Routing
• Deployments
• And more …

Page 7: Username and Password: Spotfire Database

• Simple
• Username and password are stored in the Spotfire database.
• Passwords are salted and hashed using the SHA-512 hash function. (KB article: Spotfire Server password security)
• Users can change their passwords from within Spotfire, or administrators can reset them.
• Use Administration Manager or the command-line tools to import/export large numbers of users.
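What "salted and hashed with SHA-512" means in practice, as an added example (not Spotfire's code, and not its database record format): a per-user random salt is stored next to the digest, the digest is recomputed at login, and the comparison is constant-time. The example goes one step beyond the slide and includes a PBKDF2-HMAC-SHA512 variant, because a single SHA-512 pass is cheap to brute-force offline; the record layout, salt size and round count are assumptions for the demo.

```python
"""Salted SHA-512 password storage and verification.

Added example, not Spotfire's own code. The record layout
("sha512$<salt-hex>$<digest-hex>") is an assumption for this demo.
"""
import hashlib
import hmac
import os
from typing import Optional

SALT_BYTES = 16
PBKDF2_ROUNDS = 210_000  # assumption for the demo; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'sha512$<salt-hex>$<digest-hex>' using a fresh random salt."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"sha512${salt.hex()}${digest}"


def hash_password_pbkdf2(password: str, salt: Optional[bytes] = None,
                         rounds: int = PBKDF2_ROUNDS) -> str:
    """Same idea with a deliberately slow KDF (PBKDF2-HMAC-SHA512)."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha512${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if parts[0] == "sha512" and len(parts) == 3:
        _, salt_hex, _ = parts
        candidate = hash_password(password, bytes.fromhex(salt_hex))
    elif parts[0] == "pbkdf2_sha512" and len(parts) == 4:
        _, rounds, salt_hex, _ = parts
        candidate = hash_password_pbkdf2(password, bytes.fromhex(salt_hex), int(rounds))
    else:
        return False  # unknown or malformed record: never accept
    return hmac.compare_digest(candidate, stored)


def same_password_same_hash_without_salt(p1: str, p2: str) -> bool:
    """Why the salt matters: unsalted SHA-512 reveals password reuse across users."""
    return hashlib.sha512(p1.encode()).hexdigest() == hashlib.sha512(p2.encode()).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong", record))                         # False
```

Two users with the same password get different records because the salt differs, which is what blocks precomputed (rainbow) tables; the PBKDF2 record additionally stores its round count so it can be raised later without breaking existing entries.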

Page 8: Username and Password: Spotfire LDAP Mode

• Authentication is verified by the LDAP server
• No passwords are stored in Spotfire
• Supported LDAP servers
  • Microsoft Active Directory
  • Sun ONE Directory Server
  • Sun Java System Directory Server
  • Custom LDAP servers
• User synchronization
  • By default only users are synced
• Group synchronization
  • Enable it to sync groups and get the group hierarchy
  • Specify explicit group names, or context names to pull in all groups beneath them
  • Wildcards can be used to specify multiple groups
  • Groups are used for authorization

Page 9: Single Sign-On Authentication: Kerberos

• Most complex to configure and most complete
• Very secure even over unsecure networks: the user's password never crosses the network, only tickets encrypted with keys the client and the server already hold
• Can use the Spotfire database or LDAP as the user directory
• Allows passing the user's credentials on to data sources in Spotfire (Kerberos delegation)
• Users must be able to obtain a Kerberos ticket from the Key Distribution Center (KDC), usually Active Directory

Flow (diagram: web browser on the user's computer, TIBCO Spotfire Server, Active Directory):

1. The user logs into Windows.
2. The user's computer tries to connect to the Spotfire Server.
3. The user's computer receives a Kerberos service ticket for the Spotfire Server from Active Directory.
4. The user's computer forwards the Kerberos ticket to the Spotfire Server.
5. The Spotfire Server decrypts the Kerberos ticket with its own service key and authenticates the user.

Page 10: Kerberos Comments about Hadoop

• Kerberos is seen a lot with Hadoop environments (Hortonworks, Cloudera, secure HBase, Hive, etc.)
• Often the Hadoop environment is Kerberized using MIT Kerberos, while Spotfire is in a Windows domain that the MIT Kerberos realm does not trust
• Spotfire can be set up to connect to Kerberized Hadoop environments using a service account
• If the Spotfire client user's own token is needed in Hadoop, then proper trust relationships must be configured between the realms outside of Spotfire
• See TIBCO Community Article: Connecting TIBCO Spotfire to a Kerberized Data Source

Page 11: Single Sign-On Authentication: NTLMv2

• Uses the Windows session.
• If the domains don't match or are untrusted, the user is prompted.
• Authentication credentials cannot be passed on to underlying data sources (NTLM does not support double hops). Use Kerberos instead.
• Supports NTLMv2
• Can use either LDAP or the Spotfire database for the User Directory

Page 12: Single Sign-On Authentication: X.509 Certificates

• Uses an X.509 client certificate presented by the Spotfire client to the Spotfire Server.
• Prerequisite: the TIBCO Spotfire Server is set up with HTTPS and configured to require client certificates.
• Can have per-user certificates.
• Client certificates can be combined with other authentication methods for improved security (in effect a form of two-factor authentication).

Page 13: Two-Factor Authentication

• Spotfire Server supports one form of two-factor authentication.
• It is possible to combine a primary authentication method with X.509 client certificates.
• Usually the primary method is Basic, but other methods are allowed.
• The user names provided by the primary authentication method and by the X.509 certificate must match; a certificate issued to a different user does not satisfy the second factor.

Page 14: Anonymous Authentication

• Useful when embedding Spotfire into another web application
• Uses the built-in guest@SPOTFIRE account
• Allows users access to only those resources that are accessible to the built-in guest account; whatever library folders and licenses the guest account is granted are therefore reachable without any credentials, so review them before enabling anonymous access.
• If users have an account of their own, they can click the login button and enter their credentials to get access based on their user.
• TIBCO Community Wiki article: Configuring Anonymous Access to Analysis Files in Spotfire 7.5 and later

Page 15: OpenID Connect and Web Authentication

• Spotfire 7.8+ supports the OpenID Connect protocol and Web Authentication.
• OpenID Connect is supported by various identity providers (e.g. Google, Facebook, etc.) and is more modern than SAML.
• OpenID Connect is configured in the Spotfire Server configuration.
  • Both Spotfire Analyst and Web Player users can authenticate with OpenID Connect.
• Before 7.8, ONLY Web Player users could use a web-based authentication method.
• Spotfire 7.8 also supports Custom Web Authentication, again for Web Player AND Spotfire Analyst.
  • In Analyst, a web browser window appears where the user can log in.

Page 16: External and Custom Authentication

• Used when authentication is done external to Spotfire Server and a user identity can be passed to Spotfire.
  • For example, SiteMinder, custom portals, etc.
  • Delegated authentication, such as when a user is authenticated by a proxy or load balancer.
• TIBCO Community Wiki article: Custom Authentication in TIBCO Spotfire 7.5 and Later Versions
• Can be used as a supplementary authentication method alongside another main authentication method (e.g. internal users use NTLM and external users use external authentication)
• Process (diagram steps):
  1. and 2. The user is authenticated by the authentication service
  3. A token is sent to the browser
  4. The browser passes the token on to Spotfire
  5. Spotfire sends the token to the service for validation
  6. The user identity is returned and used in Spotfire for authorization
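The six-step exchange above, modelled as an added example with plain Python calls standing in for the HTTP round-trips. This is not Spotfire's custom-authentication API or any TIBCO code: the service class, token format, lifetime and header names are assumptions for the demo. The point it makes is step 5: the Spotfire side hands the token back to the issuing service and uses only the identity the service returns, never an identity the browser asserts on its own.

```python
"""Token round-trip for external (delegated) authentication.

Added example, not Spotfire's custom-authentication API or any TIBCO code.
Function calls stand in for the HTTP hops of the six-step flow; the service,
token format, lifetime and header names are assumptions for the demo.
"""
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple


def _now(now: Optional[float]) -> float:
    """Injectable clock so expiry can be tested deterministically."""
    return time.time() if now is None else now


class ExternalAuthService:
    """Steps 1-2 (authenticate) and 5-6 (validate a token, return the identity)."""

    def __init__(self, users: Dict[str, str], ttl_seconds: int = 300):
        self._users = users                               # constructed demo user store
        self._ttl = ttl_seconds
        self._tokens: Dict[str, Tuple[str, float]] = {}   # token -> (user, expiry)

    def login(self, username: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """Step 3: on success hand back the token the browser will carry."""
        stored = self._users.get(username)
        if stored is None or not hmac.compare_digest(stored, password):
            return None
        token = secrets.token_urlsafe(32)                 # opaque, unguessable, carries no identity
        self._tokens[token] = (username, _now(now) + self._ttl)
        return token

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Steps 5-6: return the identity behind a live token, else None."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if _now(now) >= expiry:
            del self._tokens[token]                       # expired: purge and refuse
            return None
        return user

    def logout(self, token: str) -> None:
        self._tokens.pop(token, None)


def spotfire_identity(headers: Dict[str, str], service: ExternalAuthService,
                      trust_user_header: bool = False,
                      now: Optional[float] = None) -> Optional[str]:
    """Step 4: what the Spotfire side does with the request the browser sends.

    The safe path validates the token with the issuing service. The unsafe
    path (trust_user_header=True) is included only to show why a bare
    identity header must never be accepted: any client can set it.
    """
    if trust_user_header:
        return headers.get("X-User")                      # spoofable: do not do this
    token = headers.get("X-Auth-Token")
    if not token:
        return None
    return service.validate(token, now)
```

In a real deployment step 5 is an HTTPS call to the service (or a signature check on a signed token) and the token is short-lived and revoked on logout; the unsafe branch stands for the classic mistake of trusting a REMOTE_USER-style header that the proxy in front of Spotfire did not actually set.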

Page 17: SAML Considerations

• Security Assertion Markup Language (SAML) is supported for authentication within Spotfire.
• SAML-based systems can be supported by using external and custom authentication and, if needed, JAAS on Spotfire Server.
• In a SAML deployment, a signed assertion (the "token") for each user is passed around the environment; it states who the user is and can carry attributes that downstream systems use to decide which data/documents that user may access.

Page 18: Username and Password: Custom JAAS

• The out-of-the-box (OOB) authentication methods are implemented as Java Authentication and Authorization Service (JAAS) modules. Spotfire also supports third-party JAAS modules.
• You may therefore use a custom JAAS module, provided that it validates username and password authentication and that it uses JAAS's NameCallback and PasswordCallback objects for collecting the usernames and passwords.
• The jar file with the JAAS implementation is placed in the Spotfire Server Tomcat lib directory. It then runs inside the server process with the server's privileges, so review it like any other server-side code and control who can write to that directory.

Page 19: Username and Password: Spotfire Windows NT Domain

• Present for legacy support
• User authentication is delegated to Windows NT domain controllers
• If used for authentication, you can still have LDAP as the user directory
• Command-line configuration:

config-windows-userdir [-c value | --configuration=value] [-b value | --bootstrap-config=value] [-d value | --domains=value] [-t value | --sleep-time=value] [--schedules=value]

Page 20: Additional security considerations

• Use HTTPS as much as possible (no clear-text communication).
• Use LDAPS for more security; this usually requires importing the LDAP server's SSL certificate into the Java cacerts file.
• The post-authentication filter API is a quite useful feature that can be used to perform several different kinds of tasks:
  • Transform/map the name of the authenticated user (perhaps the authentication method returns the name in a different format than the LDAP server provides)
  • Filter/block users (e.g. based on source IP or some HTTP header, or based on what some other authorization service says)
  • Verify that authorization is set up correctly (e.g. by verifying, and possibly changing, the groups that the user is a member of)
• Note: the post-authentication filter is also called when a Web Player node calls back to the Spotfire Server
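The three filter tasks above, plus the two-factor rule from Page 13 (the primary method's user name must equal the one in the X.509 certificate), written out as an added example. It is not Spotfire's post-authentication filter API and uses none of its types; the AuthContext fields, the subject-DN parsing and the network allow-list are assumptions for the demo, chosen so the decisions can be read and tested on their own.

```python
"""Post-authentication checks: name mapping, two-factor name match,
source-IP blocking and group verification.

Added example, not Spotfire's post-authentication filter API. The
AuthContext fields, the DN parsing and the allow-lists are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AuthContext:
    primary_user: str                    # name as returned by the primary method
    cert_subject: Optional[str] = None   # X.509 subject DN, if a client cert was presented
    source_ip: str = "0.0.0.0"
    groups: List[str] = field(default_factory=list)


def normalize_name(name: str) -> str:
    """Map 'DOMAIN\\user', 'user@REALM' and mixed case to the LDAP-side form."""
    if "\\" in name:
        name = name.split("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.strip().lower()


def cn_from_subject(subject_dn: str) -> Optional[str]:
    """Pull the CN out of a subject such as 'CN=alice,OU=Staff,O=Example'.

    Demo parser: it does not handle escaped commas inside attribute values.
    """
    for rdn in subject_dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def two_factor_ok(ctx: AuthContext) -> bool:
    """Page 13 rule: the primary method and the certificate must name the same user."""
    if ctx.cert_subject is None:
        return False
    cn = cn_from_subject(ctx.cert_subject)
    return cn is not None and normalize_name(cn) == normalize_name(ctx.primary_user)


def source_allowed(ctx: AuthContext, allowed_nets: List[str]) -> bool:
    """Block by source IP, e.g. only accept logins from the corporate ranges."""
    ip = ipaddress.ip_address(ctx.source_ip)
    return any(ip in ipaddress.ip_network(net) for net in allowed_nets)


def post_auth_filter(ctx: AuthContext, required_group: str,
                     allowed_nets: List[str], require_cert: bool = True) -> Optional[str]:
    """Return the final Spotfire user name, or None to reject the login."""
    if require_cert and not two_factor_ok(ctx):
        return None
    if not source_allowed(ctx, allowed_nets):
        return None
    if required_group not in ctx.groups:
        return None                      # authorization is not set up for this user
    return normalize_name(ctx.primary_user)
```

The returned name is what the rest of the server keys on for group lookup and library permissions, which is why the mapping runs last: the checks compare normalized names, but a reject is a reject regardless of format.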

Page 21: Sites and Authentication

Page 22: Default Spotfire Server – Node Communication

Page 23: Sites Feature

• The Sites feature was added in Spotfire Server 7.9
• Allows grouping Spotfire Server(s) and Node(s) into a site, with communication only within that site
• Can be used to group Spotfire Server(s) and Node(s) in the same geography, or to run different authentication modes
• Configured from the command line by creating the site and then adding nodes and servers to it

Page 24: Spotfire Server 7.9 Sites Feature

Page 25: Sites and Authentication

• Each site can have a different authentication mode
• Each site can also have a different user directory
• Configured from the command line using the site name

Page 26: Authorization in Spotfire

Page 27: Spotfire Authorization

• The Spotfire User Directory is used to manage authorization in Spotfire
• The User Directory maps users to groups/roles, and the groups in turn determine what users can access and do in Spotfire
• Can use LDAP or the Spotfire database for the User Directory
  • With the Spotfire database, users are not tied to an external LDAP
  • Users/groups can be synchronized using LDAP and custom API hooks into Spotfire
• Use groups to control who has access to what in the Spotfire Library
• Use groups to control which features (licenses) users can use in Spotfire
• Use groups to control default preferences in Spotfire
• Groups can also be used for deployment areas, routing, etc.

Page 28: Spotfire Library – Controlling Access to Library Items

Control Library folder access by group or user:

• Access
• Browse + Access
• Browse + Access + Modify
• Full Control

Page 29: Administration – Controlling access to features (licenses)

• Customized groups can be created with different, granular functionality

Page 30: Administration – Controlling default Preferences (settings)

• Default settings can be set by group
• Examples:
  • Web Player items to show
  • Initial default visualization
  • TSSS URLs
  • Font settings
  • And many more …

Page 31: Spotfire Server Public Web Services for Security Integration

• Web Services API for the User Directory
  • Create/modify/delete user accounts and groups
  • Set/modify group membership for users
• Web Services API for the Spotfire Library
  • Set/modify permissions on folders in the Library
  • Create/move/copy/delete folders in the Library
• Useful for integrating non-LDAP security providers
• Can be useful for automating and integrating Spotfire into other business processes and systems

Page 32: Data Security

Page 33: Data Governance – Information Services

• Information Services
  • All methods of data access are secured
  • A data source can have a central username/password, or the user can be prompted for a username and password

Page 34: Data Governance – Spotfire Connectors

• Spotfire Connectors
  • Store and control access to the data model centrally
  • Provide management of connections to data
  • Username/password can either be prompted for or stored in the connection
  • Publish certified connections and data models to enforce a single version of the truth
• Limit end-user access to only pre-configured connections and data models
• Protect source credentials within the connection object
• "Big Data" sources may contain hundreds of columns; a model should contain only the relevant ones
• Use Save As to make personal modifications
• Publish, re-use and share, as allowed by the author

Page 35: Data Level Security

• All methods of data access are secured
• Data sources can have a central username/password, or the user can be prompted for authentication
• Kerberos can be used from the client tier through to the database tier
• Multiple row-level security approaches:
  • Separate Information Links with secured Library access
  • Data source authentication
  • Pass-through of user and group identities and domains via the placeholders %CURRENT_USER%, %CURRENT_GROUPS% and %CURRENT_USER_DOMAIN%
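How the identity pass-through gives row-level security, as an added example that is not Spotfire's Information Services code: an in-memory SQLite database with constructed sales and entitlement tables, and a query that filters on the authenticated user and groups. Spotfire substitutes %CURRENT_USER% and %CURRENT_GROUPS% into the Information Link SQL itself; here the same values are bound as query parameters, and a deliberately unsafe textual variant is kept beside it to show why pasting an identity string into SQL is the wrong way to do that substitution. Table names, rows and group names are assumptions for the demo.

```python
"""Row-level security by passing the authenticated identity into the query.

Added example, not Spotfire's Information Services code. Tables, rows and
group names below are constructed for the demo.
"""
import sqlite3
from typing import List, Tuple

# Constructed sample data: sales rows plus an entitlement table that says
# which user or group may see which region.
SALES = [("EMEA", 120), ("EMEA", 80), ("APAC", 200), ("AMER", 50)]
ENTITLEMENTS = [("alice", "user", "EMEA"),
                ("apac-team", "group", "APAC"),
                ("analysts", "group", "AMER")]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales(region TEXT, amount INTEGER)")
    conn.execute("CREATE TABLE entitlement(principal TEXT, kind TEXT, region TEXT)")
    conn.executemany("INSERT INTO sales VALUES (?, ?)", SALES)
    conn.executemany("INSERT INTO entitlement VALUES (?, ?, ?)", ENTITLEMENTS)
    return conn


def visible_sales(conn: sqlite3.Connection, current_user: str,
                  current_groups: List[str]) -> List[Tuple[str, int]]:
    """The Information Link query with the %CURRENT_USER% / %CURRENT_GROUPS%
    values bound as parameters: the identity can filter rows but never
    change the SQL."""
    group_marks = ",".join("?" for _ in current_groups) or "NULL"
    sql = f"""
        SELECT s.region, s.amount
        FROM sales s
        WHERE s.region IN (
            SELECT e.region FROM entitlement e
            WHERE (e.kind = 'user'  AND e.principal = ?)
               OR (e.kind = 'group' AND e.principal IN ({group_marks}))
        )
        ORDER BY s.region, s.amount
    """
    return conn.execute(sql, [current_user, *current_groups]).fetchall()


def visible_sales_unsafe(conn: sqlite3.Connection, current_user: str) -> List[Tuple[str, int]]:
    """The same user-only query with the identity pasted into the SQL text.

    Kept only to show the failure mode of naive textual substitution: an
    identity string containing a quote breaks out of the literal and the
    subquery returns every region.
    """
    sql = ("SELECT region, amount FROM sales WHERE region IN "
           f"(SELECT region FROM entitlement WHERE principal = '{current_user}')")
    return conn.execute(sql).fetchall()
```

The entitlement table is the "entitlement data" the scheduled-updates slide refers to: the shared dataset is loaded once, and the per-session filter keyed on the identity decides which of its rows each user sees.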

Page 36: Scheduled Updates and Personalized Scheduled Updates

• Scheduled Updates
  • Pin critical analyses in the memory of a Web Player instance for instant access
  • Periodic and event-driven refresh
  • Refresh according to a schedule, by Web Service call or by EMS Map Message
  • Data loads on a background thread; the refresh appears instantaneous to clients
  • Cache Scheduled Updates to disk for quick restart
• Optional row-level security
  • Individual queries/sources can be flagged to reload per user session
  • Entitlement data can be used to limit the primary dataset
  • Maximum data sharing on the primary dataset + near-instant access + row-level security

(Diagram: shared data and private data combined into the Spotfire table via Add Columns/Rows/Tables/Pivot, etc.)

Page 37: Spotfire Statistics Services and Security (or lack thereof)

Page 38: Spotfire Statistics Services Data Flow

Page 39: Spotfire Statistics Services Security

• TSSS supports authentication using user properties, Active Directory (AD), or LDAP
  • User properties: the simplest form of user authentication, using an in-memory authentication list read from the users.properties file
  • AD and LDAP are controlled using the ldap.properties file
  • The LDAP properties give the information for connecting to AD/LDAP, the LDAP search settings, and the groups a user can be in
• TSSS does NOT support any authorization. Once you are authenticated to TSSS, you can do anything.
• Did custom work for a customer to impersonate users in TSSS calls using the Windows API.

Page 40: Spotfire Statistics Services Security (2)

• From Spotfire Analyst, the user is prompted for a username and password when using a secured TSSS
• From Web Player, nobody is prompted, so a service account login must be configured to use TSSS from Web Player and Automation Services
• The Spotfire.Dxp.Worker.Host.exe.config file contains the configuration parameters:
  • TibcoSpotfireStatisticsServicesURLs
  • TibcoSpotfireStatisticsServicesUsernames
  • TibcoSpotfireStatisticsServicesPasswords
• Because that file holds the service account's password, restrict read access to it on the node; and since TSSS performs no authorization, every Web Player user effectively runs with that account's full rights on TSSS.

Page 41: Q & A

Page 42: Thank you!

[email protected]