Securing the gpmon Database User
The Greenplum Database gpmon user is a superuser role used to manage the gpperfmon database. The gpperfmon_install utility, which must be run once before you can create a Command Center Console instance, creates the
Greenplum Database uses the gpmon role to update the gpperfmon database with data collected by agents running on the segment hosts. The Command Center web server uses the gpmon role to connect to the gpperfmon database as well as databases monitored by the Command Center instance.
When gpperfmon_install creates the gpmon role, it prompts for a password, which it then adds to the .pgpass file in the gpadmin user's home directory. The entry in the .pgpass file is similar to the following:
See The Password File in the PostgreSQL documentation for details about the
$MASTER_DATA_DIRECTORY/pg_hba.conf authentication file, gpperfmon_install creates these entries:
local    gpperfmon   gpmon                   md5
host     all         gpmon   127.0.0.1/28    md5
host     all         gpmon   ::1/128         md5
The gpperfmon_install utility in Greenplum 4.3.x does not create the IPv6 entry. If IPv6 is enabled in your Greenplum cluster, you may need to add this entry.
If you authenticate users with Kerberos, you can also set up Kerberos authentication for the gpmon role on the Greenplum master and standby hosts. Kerberos authentication is supported with TCP connections only; local entries use Linux sockets and authenticate with the .pgpass file password, even if you have enabled Kerberos for
To change the gpmon password, follow these steps:
Log in to Greenplum Database as a superuser and change the gpmon password with the
# ALTER ROLE gpmon WITH ENCRYPTED PASSWORD 'new_password';
On the Greenplum master host, update the password in the .pgpass file in the gpadmin home directory (~/.pgpass). Replace the existing password in the line or lines for gpmon with the new password.
Ensure that the .pgpass file is owned by gpadmin and RW-accessible by
$ chown gpadmin:gpadmin ~/.pgpass
$ chmod 600 ~/.pgpass
Restart Greenplum Command Center with the
$ gpcmdr --restart
If Command Center is installed on the Greenplum standby master host or on a remote host other than the Greenplum master, be sure to also update the .pgpass file on those hosts.
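An added example, not part of the original documentation: a Python check to run as gpadmin after updating and re-permissioning .pgpass, on each host where the file was changed. It assumes the standard PostgreSQL hostname:port:database:username:password line format; the function names and the sample lines are constructed for illustration, and findings never print a password.

```python
import os
import stat
import tempfile

def split_fields(line):
    """Split one .pgpass line on ':'; a backslash escapes the next character."""
    fields, cur, i = [], "", 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):
            cur += line[i + 1]
            i += 2
            continue
        if line[i] == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += line[i]
        i += 1
    return fields + [cur]

def audit_pgpass(path, role="gpmon", expected_uid=None):
    """Return findings for a .pgpass file; an empty list means every check passed."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group/other permission bit is set
        findings.append(f"mode {mode:04o}: remove group/other access (chmod 600)")
    # Assumption: the audit runs as gpadmin, so the owner must be the current uid.
    if st.st_uid != (os.getuid() if expected_uid is None else expected_uid):
        findings.append("owner is not the expected user (chown gpadmin:gpadmin)")
    with open(path, encoding="utf-8") as fh:
        lines = [ln.rstrip("\n") for ln in fh]
    entries = [split_fields(ln) for ln in lines
               if ln.strip() and not ln.lstrip().startswith("#")]
    mine = [e for e in entries if len(e) >= 5 and e[3] == role]
    if not mine:
        findings.append(f"no entry for role {role}")
    # Assumption: every line for the role targets the same cluster, so the
    # passwords must match; a mismatch means a line was missed during rotation.
    elif len({e[4] for e in mine}) > 1:
        findings.append(f"{len(mine)} {role} entries carry different passwords")
    return findings

if __name__ == "__main__":
    # Constructed sample: the second gpmon line was not updated after rotation.
    sample = "# constructed\n*:5432:gpperfmon:gpmon:new_password\n*:5432:*:gpmon:old_password\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".pgpass")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)
        for finding in audit_pgpass(path):
            print("FINDING:", finding)
```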
If you authenticate Greenplum Database and Command Center users with Kerberos, you can also authenticate the gpmon user with Kerberos.
On the KDC, create a keytab file containing the Kerberos principal for the gpmon user, just as you would for any Kerberos-authenticated client. Install the file on the Greenplum master and standby hosts.
Update the entries for
$MASTER_DATA_DIRECTORY/pg_hba.conf file to use the
host all gpmon 0.0.0.0/0 gss include_realm=0 krb_realm=GPDB.EXAMPLE.COM
pg_hba.conf cannot be authenticated with Kerberos. If there is a local entry for the gpmon user, it will use the .pgpass file to authenticate with the database. See The pg_hba.conf file in the PostgreSQL documentation for complete
Log in to the master host as gpadmin and authenticate the
$ kinit gpmon
Create the Kerberos-enabled Command Center Console instance. See Creating Greenplum Command Center Console Instances for steps to create an instance.