This section provides an overview of security features of the Designer Cloud Powered by Trifacta platform and links to configuration workflows for each area.
The following sections cover how to enhance security for the Trifacta node.
By default, the Trifacta Application enforces very limited requirements on password strength.
Warning
By default, a password can be a single character with no other requirements. Please configure password requirements.
For more information, see Configure Password Criteria.
Warning
As soon as the Designer Cloud Powered by Trifacta platform is operational, you should change the password on the admin account.
The Designer Cloud Powered by Trifacta platform can integrate with Active Directory at the KDC/Kerberos level or directory level.
Note
SSO integration requires set up of an Apache server as a reverse proxy. Instructions are provided in the link below.
Whether you use SSO or not, you should consider disabling user self-registration. When self-registration is disabled, an admin must provision individual users. See Configure User Self-Registration.
As needed, you can review and modify various application timeouts, which may need modification to meet your enterprise standards. For more information, see Configure Application Limits.
HTTP Strict-Transport security headers force web browsers to use secure communications when interacting with the server and prevent any communications over insecure HTTP protocol.
Steps:
You can apply this change through the Admin Settings Page (recommended) or
trifacta-conf.json. For more information, see Platform Configuration Methods.Set the following setting to true:
"proxy.securityHeaders.httpsHeaders": true,Save changes and restart the platform.
The web application requires use of cookies. Set the following flag to ensure use of secure cookies.
Steps:
You can apply this change through the Admin Settings Page (recommended) or
trifacta-conf.json. For more information, see Platform Configuration Methods.Set the following setting to true:
"webapp.session.cookieSecureFlag": true,Save changes and restart the platform.
To enable HTTPS communications with the web application of the Designer Cloud Powered by Trifacta platform, you must create and install an SSL certificate for use by the platform.
Note
After you have deployed an SSL certificate, you can enable secure headers and secure cookies to be used by the web application.
If the platform is integrated with an SMTP email server, by default it assumes that the server supports SSL. If not, this capability must be disabled.
Note
Access to SMTP server is required for password reset communications.
For more information on these parameters, see Configure Application Limits.
For some access logs, you can configure the fields that are included, which permits you to remove sensitive information like IP addresses. For more information, see Configure Logging for Services.
You can apply SSL secure access for connections to the Alteryx databases. For more information, see Enable SSL for Databases.
If you are enabling connections to relational databases, you must create and deploy a key file containing the credentials to use for your JDBC sources. These credentials are then used for encrypted access.
Note
Encrypted authentication with your JDBC resources is required.
For more information on enablement, see Relational Access.
For more information on security, see Configure Security for Relational Connections.
These options security options enhance the security of communications between the Trifacta node and the integrated cluster.
Secure impersonation enables users to securely access the Hadoop cluster through a dedicated user or set of users, which enables use of cluster security features and permissions structures.
Note
Secure impersonation requires Kerberos applied to the cluster.
If user access on your Hadoop cluster is secured via Kerberos, you can configure the platform to leverage this cluster security feature.
Hadoop supports the use of encrypted transport to and from the cluster KMS system. Depending on the software distribution, configuration steps may vary.
Note
If KMS is enabled on the cluster, you must configure KMS for the Designer Cloud Powered by Trifacta platform regardless of other security features enabled on the cluster.
See Configure for KMS.
Optionally, you can enable SSL connections between the Designer Cloud Powered by Trifacta platform and the cluster's instance of HttpFS. See Enable HttpFS.
You can configure SSL access to Hive. See Configure for Hive.