Step 4 - Safe list Input and Output locations

This topic describes the rules that apply to this feature and how to safe list the directories on your network.

Flow input and output connections may need to connect to databases or files in the directories on your network. You must safe list the directories you want to allow access to. Input and Output connections will only be allowed to connect to data in the safe listed locations. By default, no connections are allowed. You can still publish the flows and any data that is embedded in the flow file (tflx) to Tableau Server.

Who can do this?

Tableau Server Administrators who also are a member of the tsmadmin group can configure settings using tsm commands.

How to safe list input and output locations

The following rules apply and must be considered when configuring this setting:

  • The directory paths should be accessible by Tableau Server. These paths are verified during server startup and at flow run time and are not verified at the time of publishing the flow to Tableau Server.

  • Network directory paths have to be absolute and cannot contain wildcards or other path traversing symbols. For example, \\myhost\myShare\*or\\myhost\myShare* are invalid paths and would result in all the paths as disallowed. The correct way to safelist any folder under myShare would be \\myhost\myShareor\\myhost\\myShare\.

    Note:The \\myhost\myShare configuration will not allow \\myhost\myShare1. In order to safe list both of these folders safe list them as \\myhost\myShare; \\myhost\myShare1.

  • Windows:

    • The value can be either *, to allow any network directory, or a specified list of network directory paths, delimited by a semicolon (;). If the path contains spaces or special characters you will have to either use single or double quotes. Whether you use single or double quotes depends on the shell that you are using.

    • No local directory paths are allowed even when the value is set to *.

  • Linux:

    • The value can be either * meaning that any path, including local (with the exception of some system paths configured using “native_api.internal_disallowed_paths”), or a list of paths, delimited by a semicolon (;).
    • You must be using a kernel version of equal to or later than 4.7. Safe listing is not supported on kernel version earlier than 4.7. To check the kernel version, in the Linux terminal, type the command uname -r. This will display the full version of the kernel you are running on the Linux machine.

    Note: If a path is both on the flows allowed list and internal_disallowed list, internal_disallowed takes precedence.

Use the following commands to create a list of allowed network directory paths:

For input connections:

tsm configuration set -k maestro.input.allowed_paths -v your_networkdirectory_path_1;your_networkdirectory_path_2

tsm pending-changes apply

For output connections:

tsm configuration set -k maestro.output.allowed_paths -v your_networkdirectory_path_1;your_networkdirectory_path_2

tsm pending-changes apply

 

Important:
These commands overwrite existing information and replace it with the new information you provided. If you want to add a new location to an existing list, you must provide a list of all the locations, existing, and the new one you want to add. Use the following commands to see the current list of input and output locations:

tsm configuration get -k maestro.input.allowed_paths
tsm configuration get -k maestro.output.allowed_paths

Next step

Step 5 - Optional Server Configurations

Thanks for your feedback! There was an error submitting your feedback. Try again or send us a message.