-
Notifications
You must be signed in to change notification settings - Fork 246
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: HTTPS Requirement #49
Comments
Great demo today! Very excited to see what's to come with extensions. TL;DR - I think the options for https requirement and disallowing of redirects should be managed on and extention-by-extension basis as part of the TREX config. The ability to enforce these rules are great, but should be optional. Perhaps have them default as you suggest, but allow overrides in config. Or if that's not possible, maybe you could make it a Global server config option. We have lots of plans for extensions where I work but it seems like some of these options favor security over flexibility. In one use case, I would want to implement extensions on a small intranet where SSL isn't part of the current environment. (Yes, I wish everything was SSL but it's not always my call) In other cases I would absolutely want to enforce the above rules such as in internet environments facing clients. As for redirects, I see that as less of an issue - especially with allowing oAuth in a dialogue, but I'd still love to have the flexibility if the need arose. Thanks again! |
Disabling redirects would drop support for systems using SAML. |
What makes you assume tableau server being connected directly to the internet or even to the intranet? Bad idea without any advantages for us. Suggest you leave the implementation of https/redirection to your clients and focus on your API. Our load balancers take care of ssl. We are running multiple domains. Our tableau server is unreachable without load balancer. I don't want to configure all the certificate stuff in tableau server and I fear that your restrictions will require a lot of (unecessary) work or end up being incompatible with our setup. Disabling redirects is the same. For other clients it may be interesting but please give us the freedom to opt-out in the server config. |
Hi all, ( @sharif-zakhary @austinderrick @rulrich1 ) We also hear that forcing https could cause some deployment issues and perhaps isn't necessary for internal deployments of Server. The challenge is that, based on our conversations with various admins, we need to at least start with the default of forcing https. Allowing admins to turn that restriction off is a pretty good idea, but it might actually be a decent amount of work for us so we plan on adding it to our backlog and think it's unlikely that we will ship our first version of Extensions with that ability. If any of you three (or anyone else) would be up for talking about the deployment scenarios of Extensions, please email me at mkovner at tableau. |
Here is the new proposal I am closing this proposal, because of the opening of the new proposal. We are looking forward to more productive conversation on that issue. |
The text was updated successfully, but these errors were encountered: