Configuring Authentication for the Command Center Console

Greenplum Command Center users are Greenplum Database users, authenticated using the standard Greenplum Database host-based authentication system. When authentication is properly configured, a user can use the same credentials to log into a database with a database client such as psql and into the Command Center web interface with a browser.

To create a new Command Center user, first create a Greenplum Database user, then edit the Greenplum host-based authentication configuration file (pg_hba.conf) to give that user access to Command Center.

A Greenplum Database user who can authenticate via the pg_hba.conf file can log in to Greenplum Command Center and view or cancel their own queries and view metrics screens. A user’s Command Center permission level determines if additional Command Center features are accessible. See Authorization for information about permissions.

Note: Greenplum Command Center does not accept logins from the gpadmin user, or from local users configured with trust authentication in the pg_hba.conf file. Allowing trust authentication for remote logins is discouraged because it is insecure.

The following are steps to create new Command Center users in an interactive psql session. With the exception of the CREATE ROLE command to create a new database user, all of these steps can be performed in the Command Center on the Admin>Permissions or Admin>Authorization screens.

See the Greenplum Database Administrator Guide for more detailed information about creating database users and roles.

  1. Log in as gpadmin on the master host.
  2. Start psql:

    $ psql
    
  3. Enter the CREATE ROLE command to create a user:

    # CREATE ROLE cc_user WITH LOGIN ENCRYPTED PASSWORD 'changeme';
    

    To create an Admin user, a role with superuser privileges in the database and Greenplum Command Center:

    # CREATE ROLE cc_admin WITH LOGIN ENCRYPTED PASSWORD 'changeme' SUPERUSER CREATEDB;
    
  4. For users other than Admin, set the permission level by adding the user to a Command Center group role:

    To create a Basic user, add the user to the gpcc_basic role:

    # GRANT gpcc_basic TO cc_user;
    

    To create an Operator Basic user, add the user to the gpcc_operator_basic role:

    # GRANT gpcc_operator_basic TO cc_user;
    

    To create an Operator user, add the user to the gpcc_operator role:

    # GRANT gpcc_operator TO cc_user;
    
  5. To grant a permission level to a group of users, create a group role, add the users to it, and grant the Command Center role to the group:

    # CREATE ROLE cc_users;
    # GRANT cc_users TO cc_user;
    # GRANT gpcc_operator TO cc_users;
    
  6. Verify that roles were created successfully using the following command:

    # \du
    

    The new users you created are returned along with the attributes you specified.

  7. Edit the pg_hba.conf file to give new users access to databases and the Command Center. Open the file in an editor:

    $ vi $MASTER_DATA_DIRECTORY/pg_hba.conf
    
  8. Scroll to the bottom of the file and insert the following lines to give the new users access from any IP address using password authentication:

    host     gpperfmon    cc_user    127.0.0.1/28     md5
    host     gpperfmon    cc_admin   127.0.0.1/28     md5
    

    List additional databases the users can access after gpperfmon, or replace gpperfmon with all to allow the users to access any database.

    Note: If you subsequently have issues logging in to Command Center it may be due to your specific environment; check the $GPPERFMON/instances/instance_name/logs/gpmonws.log log file for authentication errors. Edit the pg_hba.conf file based on the error message and your specific environment.

  9. Save the file and exit the editor.

  10. Enter the following command at the shell prompt so that Greenplum Database reloads its configuration files, including pg_hba.conf, without a restart:

    $ gpstop -u
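
An added example, not part of the Greenplum documentation: a check to run over pg_hba.conf text before the reload in step 10. For each host entry it reports the client address range the entry actually matches and flags trust authentication and the gpadmin user, both of which the note above says Command Center does not accept. The sample file content, the cc_ops user, the function name and the flag names are constructed for illustration.

```python
import ipaddress

# Constructed sample. The two cc_* lines are the entries from step 8; the
# gpadmin and cc_ops lines are made up to show what the audit flags.
SAMPLE_HBA = """\
# TYPE  DATABASE   USER      ADDRESS          METHOD
local   all        gpadmin                    ident
host    gpperfmon  cc_user   127.0.0.1/28     md5
host    gpperfmon  cc_admin  127.0.0.1/28     md5
host    all        gpadmin   10.0.0.0/8       md5
host    all        cc_ops    0.0.0.0 0.0.0.0  trust
"""

def audit_hba(text):
    """Return one dict per host* entry: user, matched range, method, flags."""
    report = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue  # comments, blank lines and local (socket) entries
        user, addr, method = fields[2], fields[3], fields[4]
        if len(fields) > 5 and fields[4][0].isdigit():
            # IPv4 "IP NETMASK" form: the mask is its own field
            addr, method = f"{addr}/{fields[4]}", fields[5]
        flags = []
        try:
            net = ipaddress.ip_network(addr, strict=False)
            matched = f"{net[0]}-{net[-1]}"
            if net.prefixlen == 0:
                flags.append("any-address")
            if net.is_loopback:
                flags.append("loopback-only")
        except ValueError:
            matched = addr  # hostname or keyword (all, samehost, samenet)
        if method == "trust":
            flags.append("trust")
        if user == "gpadmin":
            flags.append("gpadmin")
        report.append({"user": user, "matched": matched,
                       "method": method, "flags": flags})
    return report

if __name__ == "__main__":
    for entry in audit_hba(SAMPLE_HBA):
        print(entry)
```

To audit a live system, pass the contents of $MASTER_DATA_DIRECTORY/pg_hba.conf to audit_hba() instead of the sample.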