Pivotal Greenplum Command Center v3.2.2

Securing a Greenplum Command Center Console Instance

A Greenplum Command Center Console instance can be secured by encrypting network traffic between the web server and users’ browsers, authenticating Command Center users, and managing users’ permissions to access Command Center features.

SSL/TLS Encryption

Greenplum Command Center supports SSL/TLS encryption to secure connections between browsers and the Command Center web server. To enable SSL, you should have a signed certificate for the Command Center web server in place when you create the Command Center instance.

Place your certificate on the server where Command Center is installed, for example in the /etc/ssl/certs directory of the Greenplum master host. You import the certificate when you create a Command Center instance with the gpcmdr --setup command. The locations of the certificate and private key files are saved in the $GPPERFMONHOME/instances/<instance_name>/webserver/conf/app.conf configuration file for the Command Center instance. See Command Center Console Parameters for details.

You can request a certificate from your organization’s internal certificate authority or a commercial certificate authority, or you can use a self-signed certificate you create yourself with a cryptography suite such as OpenSSL. If you create a self-signed certificate, note that clients will have to override a security warning when they first connect to the Command Center web server.

Authentication Options

Users logging in to Greenplum Command Center are authenticated with the Greenplum Database host-based authentication system. Users can enter credentials as a user name and password or, if Kerberos authentication is configured, by authenticating with Kerberos on their workstation before browsing to the Command Center web server.

Note: Greenplum Command Center does not accept logins from the gpadmin user, or from local users configured with trust authentication in the pg_hba.conf file. Allowing trust authentication for remote logins is discouraged because it is insecure.

Database users must first be added to the Greenplum Database by using commands such as CREATE ROLE or CREATE USER. The LOGIN privilege is required. This example creates a login user with an encrypted password:

CREATE ROLE cc_user WITH LOGIN ENCRYPTED PASSWORD 'changeme';

The pg_hba.conf configuration file determines how authentication will proceed. This file contains a list of entries that are compared to attributes of the user’s connection request, including the type of connection, network location of the originating host, database name, and login user name. When a match is found, the authentication method specified in the entry is applied.

The pg_hba.conf file can be viewed by Operators and edited by Admins in the Command Center console on the Admin>Authentication page.

The md5 and password authentication methods check the user name and password against the Greenplum Database pg_roles system table. The md5 method requires the password to be MD5-hashed before it is sent over the network, so it is preferred over the password method, which sends the password in clear text.

The ldap authentication method authenticates the user name and password with an LDAP server. The LDAP server and parameters are specified in the options field of the pg_hba.conf entry. See the PostgreSQL LDAP authentication documentation for the format of the LDAP options.

The gss authentication method is used for Kerberos authentication. To use Kerberos with Command Center, Kerberos authentication must be enabled for the Greenplum Database system and the Command Center instance must also be configured for Kerberos. Users authenticate with the Kerberos KDC on their workstations (using kinit, for example) before connecting to the Command Center web server. The role name in Command Center is the user’s Kerberos principal name.

For details about setting up Kerberos authentication, see Enabling Kerberos Authentication with Greenplum Command Center.

See the PostgreSQL Authentication methods documentation for additional details of the authentication options.
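The following is an added example, not code from the Command Center documentation or product: it parses pg_hba.conf-style entries, resolves which entry applies to a login request (first match wins, as the server does), and flags the settings discussed above (trust entries and the clear-text password method). The sample file content is constructed for illustration; entries that name groups with a leading + are not resolved here.

```python
import ipaddress

# Constructed sample pg_hba.conf content (illustration only, not from a real system).
SAMPLE_PG_HBA = """\
# TYPE   DATABASE  USER  ADDRESS       METHOD
local    all       all                 md5
host     all       all   127.0.0.1/32  trust
host     all       all   10.1.0.0/16   password
hostssl  all       all   10.2.0.0/16   md5
hostssl  all       all   0.0.0.0/0     ldap ldapserver=ldap.example.com ldapprefix=uid= ldapsuffix=,dc=example,dc=com
host     all       all   0.0.0.0/0     trust
"""

def parse_pg_hba(text):
    """Parse pg_hba.conf lines into dicts; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":           # 'local' entries (Unix sockets) have no ADDRESS field
            f.insert(3, None)
        entries.append({"type": f[0], "db": f[1], "user": f[2], "addr": f[3],
                        "method": f[4], "options": f[5:]})
    return entries

def first_match(entries, ssl, db, user, ip=None):
    """Return the first entry matching the request (first match wins, as in the server).
    ssl=None means a Unix-socket connection; True/False means a TCP connection."""
    for e in entries:
        if ssl is None:
            if e["type"] != "local":
                continue
        elif (e["type"] == "local" or (e["type"] == "hostssl" and not ssl)
              or (e["type"] == "hostnossl" and ssl)
              or ipaddress.ip_address(ip) not in ipaddress.ip_network(e["addr"], strict=False)):
            continue
        if e["db"] in ("all", db) and e["user"] in ("all", user):
            return e
    return None                       # no entry matched: the server rejects the login

def audit(entries):
    """Flag the settings the text above warns about; returns (entry index, reason) pairs."""
    findings = []
    for n, e in enumerate(entries, 1):
        if e["method"] == "trust":
            local = e["type"] == "local" or ipaddress.ip_network(e["addr"], strict=False).is_loopback
            findings.append((n, "trust: Command Center does not accept these logins" if local
                             else "trust for remote logins is insecure"))
        elif e["method"] == "password":
            findings.append((n, "password sends the password in clear text; prefer md5"))
    return findings
```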

Authorization

Command Center manages permission levels using Greenplum Database roles and groups. The Basic, Operator Basic, and Operator permission levels correspond to the gpcc_basic, gpcc_operator_basic, and gpcc_operator group roles in the database. The Admin permission level is conferred on roles that have the SUPERUSER privilege. A user who has not been added to any of the groups and does not have SUPERUSER privilege has the most restrictive permission level, Self Only.

Greenplum Database superusers can manage permission levels on the Command Center Admin>Permissions page. Superusers can also assign roles to users directly in the database by using the ALTER USER, ALTER GROUP, and related commands to add or remove users from groups and add or remove the SUPERUSER privilege. If a role is configured for more than one permission level, Command Center uses the highest permission level.
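As an added example (not the product's own code), the function below derives each role's effective Command Center permission level from rows shaped like the pg_roles (oid, rolname, rolsuper, rolcanlogin) and pg_auth_members (roleid, member) catalogs, applying the rules above: SUPERUSER gives Admin, otherwise the highest group level wins, otherwise Self Only. The catalog rows are constructed, and only direct group membership is considered.

```python
# Levels ordered from least to most privileged; group role name -> level it confers.
LEVELS = ["Self Only", "Basic", "Operator Basic", "Operator", "Admin"]
GROUP_LEVEL = {"gpcc_basic": "Basic",
               "gpcc_operator_basic": "Operator Basic",
               "gpcc_operator": "Operator"}

# Constructed catalog rows for illustration: (oid, rolname, rolsuper, rolcanlogin).
PG_ROLES = [(10, "gpadmin", True, True),
            (100, "gpcc_basic", False, False),
            (101, "gpcc_operator_basic", False, False),
            (102, "gpcc_operator", False, False),
            (200, "alice", False, True),      # member of gpcc_basic and gpcc_operator
            (201, "bob", False, True),        # member of gpcc_operator_basic only
            (202, "carol", True, True),       # superuser, no group membership
            (203, "dave", False, False)]      # no groups, no LOGIN privilege
# (roleid = group oid, member = user oid)
PG_AUTH_MEMBERS = [(100, 200), (102, 200), (101, 201)]

def effective_levels(pg_roles, pg_auth_members):
    """Map each non-group role name to its effective Command Center permission level."""
    name_by_oid = {oid: name for oid, name, _, _ in pg_roles}
    levels = {}
    for oid, name, rolsuper, _ in pg_roles:
        if name in GROUP_LEVEL:
            continue                           # the group roles themselves are not users
        best = "Admin" if rolsuper else "Self Only"
        for roleid, member in pg_auth_members:
            level = GROUP_LEVEL.get(name_by_oid.get(roleid))
            if member == oid and level and LEVELS.index(level) > LEVELS.index(best):
                best = level                   # highest configured level wins
        levels[name] = best
    return levels

def cannot_log_in(pg_roles):
    """Roles that Command Center will not accept: gpadmin, or roles without LOGIN."""
    return [name for _, name, _, canlogin in pg_roles
            if name not in GROUP_LEVEL and (name == "gpadmin" or not canlogin)]
```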

Command Center users have the following capabilities, according to their permission levels:

Self Only
Users can view metrics and view and cancel their own queries.

Any Greenplum Database user successfully authenticated through the Greenplum Database authentication system can access Greenplum Command Center with Self Only permission. Higher permission levels are required to view and cancel others’ queries and to access the System and Admin Command Center screens.

Basic
Allows users to view metrics, view all queries, and cancel their own queries.

Users with Basic permission are members of the Greenplum Database gpcc_basic group.

Operator Basic
Allows users to view metrics, view their own and others’ queries, cancel their own queries, and view the System and Admin screens.

Users with Operator Basic permission are members of the Greenplum Database gpcc_operator_basic group.

Operator
Allows users to view their own and others’ queries, cancel their own and others’ queries, and view the System and Admin screens.

Users with Operator permission are members of the Greenplum Database gpcc_operator group.

Admin
Allows users access to all views and capabilities in the Command Center.

Greenplum Database users with the SUPERUSER privilege have the Admin permission level in Command Center.