Configure Security

This section provides an overview of security features of the Designer Cloud Powered by Trifacta platform and links to configuration tasks for each area.

Harden Alteryx node

The following sections cover how to enhance security for the Trifacta node.

User Access

Configure Password Criteria

By default, the Trifacta Application enforces very limited requirements on password strength.

Warning

By default, a password can be a single character with no other requirements. Please configure password requirements.

For more information, see Configure Password Criteria.

Change Admin Password

Warning

As soon as the Designer Cloud Powered by Trifacta platform is operational, you should change the password on the admin account.

See Change Admin Password.

Single Sign-On

The Designer Cloud Powered by Trifacta platform can integrate with Active Directory at the KDC/Kerberos level or directory level.

Note

SSO integration requires setting up an Apache server as a reverse proxy. Instructions are provided in the link below.

See Configure SSO for AD-LDAP.

Disable User Self-Register

Whether you use SSO or not, you should consider disabling user self-registration. When self-registration is disabled, an admin must provision individual users. See Configure User Self-Registration.

Application Timeouts

As needed, you can review and modify various application timeouts, which may need modification to meet your enterprise standards. For more information, see Configure Application Limits.

Client Security

Enable HTTP Strict-Transport security headers

HTTP Strict-Transport-Security (HSTS) headers instruct web browsers to use only secure (HTTPS) connections when interacting with the server, preventing any communication over the insecure HTTP protocol.

Steps:

  1. You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.

  2. Set the following setting to true:

    "proxy.securityHeaders.httpsHeaders": true,
  3. Save changes and restart the platform.

Enable Secure cookies

The web application requires use of cookies. Set the following flag to ensure use of secure cookies.

Steps:

  1. You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.

  2. Set the following setting to true:

    "webapp.session.cookieSecureFlag": true,
  3. Save changes and restart the platform.
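After the restart, you can confirm that both settings took effect by inspecting a response from the web application. The following check is an added example, not part of the Trifacta product or its documentation; the response text is constructed to show what a correctly configured server returns, and the cookie names in it are placeholders.

```python
import re

# Constructed sample response (not captured from a real Trifacta node) showing
# what a server returns once proxy.securityHeaders.httpsHeaders and
# webapp.session.cookieSecureFlag are both true. The "tracking" cookie is
# deliberately missing the Secure attribute so the check has something to flag.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session=placeholder-value; Path=/; HttpOnly; Secure
Set-Cookie: tracking=abc; Path=/
Content-Type: text/html
"""

def parse_headers(raw):
    """Return (name_lower, value) pairs from the header block of a raw HTTP response."""
    headers = []
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():               # a blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or None if the header is absent or malformed."""
    for name, value in headers:
        if name == "strict-transport-security":
            match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
            return int(match.group(1)) if match else None
    return None

def cookies_missing_secure(headers):
    """Names of cookies set without the Secure attribute (browsers would send them over plain HTTP)."""
    missing = []
    for name, value in headers:
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attributes = {a.strip().lower() for a in value.split(";")[1:]}
            if "secure" not in attributes:
                missing.append(cookie_name)
    return missing

if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_RESPONSE)
    print("HSTS max-age:", hsts_max_age(hdrs))                      # 31536000
    print("cookies without Secure:", cookies_missing_secure(hdrs))  # ['tracking']
```

Against a live node, replace SAMPLE_RESPONSE with the raw response captured from the login page over HTTPS.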

Enable Content Security Policy

Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate some types of attacks, including cross-site scripting (XSS) and content injection attacks. CSP directives can be used to specify an allow-list of locations from which web applications may load resources.

Note

CSP is considered an optional, additional security measure for most applications. For the Trifacta Application, additional measures including thorough input validation are deployed as the first line of defense.

Optionally, you can choose to enable Content Security Policy and the following directives in your web server configuration.

For more information on Content Security Policy, see https://www.w3.org/TR/CSP2/.

Enable CSP:

You can enable the use of Content Security Policy as needed.

  • Login to the Trifacta node as an administrator.

  • Edit:

    • For Nginx (default) web server: /etc/nginx/conf.d/trifacta.conf.

    • For Tripache web server: /opt/trifacta/pkg3p/tripache/conf/httpd.conf.

  • Locate or insert the following header, which enables basic Content Security Policy.

    # Content-Security-Policy: default-src 'self';
  • The part after the colon is the directive. See below for additional information on the directives that you can insert.

  • Remove the hash mark (#) at the front of the header to enable the policy.

  • Save the file and restart the platform.

Additional options are described below.

Frame ancestors:

To prevent unwanted framing of the Trifacta Application in other applications that may capture clicks and other behaviors, you can enable a content security policy that defines the accepted frame ancestors for use by the Tripache web server.

By default, the application sets the X-Frame-Options header to DENY. For additional security, you can enable one of the following content security policies for the Trifacta Application to use.

Note

This solution applies only to the Tripache web application server. This solution is not applicable to the default Nginx web server.

Steps:

  1. Edit the following file:

    /opt/trifacta/pkg3p/tripache/conf/httpd.conf
  2. Search for the Content-Security-Policy header in the file. If it is present, it may look like the following:

    # Content-Security-Policy: frame-ancestors <source>;

    If it is not present, insert the above line.

  3. Remove any leading hash marks (#) to enable it.

  4. Replace the <source> value with one of the following:

    Value: a host source

    Description: An Internet host, by name or IP address, with an optional URL scheme and/or port number. Multiple sources are separated by spaces.

    • The host address may include an optional asterisk (*) as a wildcard. The port number may also be a wildcard (*), which indicates that all legal ports are valid for the source.

    • Single quotes surrounding the host are not allowed.

    Examples:

    • http://*.example.com: Matches all attempts to load from any subdomain of example.com using the http: URL scheme.

    • mail.example.com:443: Matches all attempts to access port 443 on mail.example.com.

    • https://store.example.com: Matches all attempts to access store.example.com using https:.

    Value: a scheme source

    Description: A scheme such as http: or https:.

    • The colon is required, and the scheme should not be quoted.

    • You can also specify data schemes (not recommended).

    Other values:

    • data: Allows data: URLs to be used as a content source. This is insecure; an attacker can also inject arbitrary data: URLs. Use this sparingly and definitely not for scripts.

    • mediastream: Allows mediastream: URIs to be used as a content source.

    • blob: Allows blob: URIs to be used as a content source.

    • filesystem: Allows filesystem: URIs to be used as a content source.

    Some browsers specifically exclude blob and filesystem from source directives. Sites needing to allow these content types can specify them using the data attribute.

    Value: 'self'

    Description: Refers to the origin from which the protected document is being served, including the same URL scheme and port number. You must include the single quotes.

    Example:

    Content-Security-Policy: frame-ancestors 'self' https://www.example.org;

    Value: 'none'

    Description: Refers to the empty set; no URLs match. The single quotes are required.

    Example:

    Content-Security-Policy: frame-ancestors 'none';

    For more information, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors.

  5. Save your changes and restart the platform.
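To see what these source values mean in practice, the following is an added example (not part of the Trifacta product or the Tripache server) that parses a frame-ancestors header and decides, using the matching rules from the table above, whether a given embedding origin would be allowed to frame the application. It assumes origins are passed as scheme://host[:port] strings and applies the simplified scheme and port matching the table describes, not the full CSP3 matching algorithm.

```python
from urllib.parse import urlsplit

# Assumed default ports for origins given without an explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_frame_ancestors(header):
    """Return the source list from a 'Content-Security-Policy: frame-ancestors ...;' header line."""
    _, _, body = header.partition(":")
    name, *sources = body.strip().rstrip(";").split()
    if name != "frame-ancestors":
        raise ValueError("expected a frame-ancestors directive, got %r" % name)
    for source in sources:
        # Per the table: quoted values are only the keywords 'self' and 'none';
        # single quotes around a host are not allowed.
        if source.startswith("'") and source not in ("'self'", "'none'"):
            raise ValueError("single quotes around a host are not allowed: %s" % source)
    return sources

def _host_matches(pattern, host):
    """Exact host match, or a wildcard '*.example.com' matching any subdomain."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host

def source_matches(source, embedder, document_origin):
    """Does one source expression admit the embedding page's origin?"""
    if source == "'none'":
        return False                                  # the empty set: nothing matches
    if source == "'self'":
        return embedder == document_origin            # same scheme, host and port
    url = urlsplit(embedder)
    if source.endswith(":") and "/" not in source:    # scheme source, e.g. https:
        return url.scheme + ":" == source
    scheme, sep, rest = source.partition("://")       # host source: [scheme://]host[:port]
    if not sep:
        scheme, rest = "", source
    host_pattern, _, port_pattern = rest.partition(":")
    if scheme and scheme != url.scheme:
        return False
    if not _host_matches(host_pattern.lower(), (url.hostname or "").lower()):
        return False
    port = url.port or DEFAULT_PORTS.get(url.scheme)
    return not port_pattern or port_pattern == "*" or port_pattern == str(port)

def framing_allowed(header, embedder, document_origin):
    """True if any source in the header admits the embedding origin."""
    return any(source_matches(s, embedder, document_origin)
               for s in parse_frame_ancestors(header))
```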

Enable SSL

Deploy Platform SSL Certificate

To enable HTTPS communications with the web application of the Designer Cloud Powered by Trifacta platform, you must create and install an SSL certificate for use by the platform.

Note

After you have deployed an SSL certificate, you can enable secure headers and secure cookies to be used by the web application.

See Install SSL Certificate.

SSL for SMTP Server

If the platform is integrated with an SMTP email server, by default it assumes that the server supports SSL. If not, this capability must be disabled.

Note

Access to SMTP server is required for password reset communications.

See Enable SMTP Email Server Integration.

Session timeouts

For more information on these parameters, see Configure Application Limits.

Access logs

For some access logs, you can configure the fields that are included, which permits you to remove sensitive information like IP addresses. For more information, see Configure Logging for Services.

Databases

SSL for Alteryx databases

You can apply SSL secure access for connections to the Alteryx databases. For more information, see Enable SSL for Databases.

Configure Secure Access for Relational Connections

If you are enabling connections to relational databases, you must create and deploy a key file containing the credentials to use for your JDBC sources. These credentials are then used for encrypted access.

Note

Encrypted authentication with your JDBC resources is required.

Enhance Cluster Security

These security options enhance the security of communications between the Trifacta node and the integrated cluster.

Configure for secure impersonation

Secure impersonation enables users to securely access the Hadoop cluster through a dedicated user or set of users, which enables use of cluster security features and permissions structures.

Note

Secure impersonation requires Kerberos applied to the cluster.

See Configure for Secure Impersonation.

Configure for Kerberos Integration

If user access on your Hadoop cluster is secured via Kerberos, you can configure the platform to leverage this cluster security feature.

See Configure for Kerberos Integration.

Configure for KMS

Hadoop supports the use of encrypted transport to and from the cluster KMS system. Depending on the software distribution, configuration steps may vary.

Note

If KMS is enabled on the cluster, you must configure KMS for the Designer Cloud Powered by Trifacta platform regardless of other security features enabled on the cluster.

See Configure for KMS.

Enable SSL for HttpFS

Optionally, you can enable SSL connections between the Designer Cloud Powered by Trifacta platform and the cluster's instance of HttpFS. See Enable HttpFS.

Enable SSL for Hive

You can configure SSL access to Hive. See Configure for Hive.