During August’s Developer Sprint Demos, we introduced Sandboxed Extensions, a new type of locked-down extension that can’t send data outside of Tableau.
Michael Kovner, senior product manager, brought the audience up-to-date by explaining why Sandboxed Extensions was developed. Michael noted that in 2018 Tableau released the Extensions API, allowing developers to write new, third party functionality for dashboards. Starting from Tableau version 2018.2, customers were able to drag and drop these extensions into their dashboards. The extensions can interact with dashboards, and read data in the dashboards. Learn more about Extensions API in our documentation.
Extensions, as they are now, are hosted outside of Tableau– meaning data can be sent anywhere. This allows extensions like Data Robot or Narrative Science to process your data in their proprietary engines and then send you back more insights. But it also means admins have to be careful about which extensions they allow to run on their server. The Tableau Server Administrator has different levels of control on the server, and can decide whether to run extensions on the server. At a more granular level, the admin can decide which extensions are allowed to run or not. Learn more about the extension security.
Tableau Server Administrators need to understand what the extension is doing behind the scenes and be aware of any changes of the extension to ensure security. Sandboxed Extensions is going to solve this issue by preventing the extension from communicating with the outside world. Extensions are going to be hosted in the Tableau Cloud and will not be able to send data to, or request resources from, anything outside of Tableau.
To accomplish this, we built a public hosting service that enforces the prevention of network calls. Extensions developers will give their extension’s resources to us, we will upload those resources to our hosting service and users will then be able to add that extension to their dashboard. To allow Extensions to access their required resources, the extension can make network calls back to our public hosting service, but that is the only URL that it can make network calls to.
That said, it doesn’t mean all the extensions are going to Sandboxed Extensions. The other type of extension is Network-Enabled Extensions; these extensions will continue to be able to communicate with the outside world. It doesn’t mean that they are not secured—it means, for example, that they need to communicate with the outside word to take actions in other systems, or send your data to an artificial intelligence engine to be processed. By default, Sandboxed Extensions are going to be turned on in Tableau Server, and the Network-Enabled Extensions are going to be turned off. This means that the Tableau Server admin will need to explicitly enable any Network-Enabled extensions in their environment
Sean Mann, a senior software engineer, demoed the tool that developers can use to build Sandboxed Extensions and verify that they’re working. Read the steps. He also showed the audience how to debug issues they might encounter.
The team didn’t stop here. Software engineer Xavier Reid demoed how to use the brand-new RESTful APIs to programmatically update a site to enable/disable Sandboxed Extensions, and explained how new endpoints allow you to modify the server blocklist, site safelists, and set some default behavior for extensions. Download the Postman collection. If you don’t know how to import a Postman collection, we have a YouTube video going over the steps.
But wait, there’s more!
Developers, we invite you to join the Developer Program and be one of the first to know about our Developer Platform updates. Be sure to watch the Sprint demo recording, too. And get ready to sandbox your extension: the new Extensions API release is expected for 2019.4!