Pivotal Greenplum Command Center v3.3.1

Securing the gpmon Database User

The Greenplum Database gpmon user is a superuser role used to manage the gpperfmon database. The gpperfmon_install utility, which must be run once before you can create a Command Center Console instance, creates the gpmon role.

Greenplum Database uses the gpmon role to update the gpperfmon database with data collected by agents running on the segment hosts. The Command Center web server uses the gpmon role to connect to the gpperfmon database as well as databases monitored by the Command Center instance.

When gpperfmon_install creates the gpmon role, it prompts for a password, which it then adds to the .pgpass file in the gpadmin user’s home directory. The entry in the .pgpass file is similar to the following:

*:5432:gpperfmon:gpmon:changeme

See The Password File in the PostgreSQL documentation for details about the .pgpass file.

In the $MASTER_DATA_DIRECTORY/pg_hba.conf authentication file, gpperfmon_install creates these entries:

local    gpperfmon         gpmon         md5
host     all         gpmon         127.0.0.1/28    md5
host     all         gpmon         ::1/128    md5

The gpperfmon_install utility in Greenplum 4.3.x does not create the IPv6 entry. If IPv6 is enabled in your Greenplum cluster, you may need to add this entry.

If you authenticate users with Kerberos, you can also set up Kerberos authentication for the gpmon role on the Greenplum master and standby hosts. Kerberos authentication is supported with TCP connections only; local entries use Unix-domain sockets and authenticate with the .pgpass file password, even if you have enabled Kerberos for host entries.

Changing the gpmon Password

To change the gpmon password, follow these steps:

  1. Log in to Greenplum Database as a superuser and change the gpmon password with the ALTER ROLE command:

    # ALTER ROLE gpmon WITH ENCRYPTED PASSWORD 'new_password';
    
  2. On the Greenplum master host, update the password in the .pgpass file in the gpadmin home directory (~/.pgpass). Replace the existing password in the line or lines for gpmon with the new password.

    *:5432:gpperfmon:gpmon:new_password
    
  3. Ensure that the .pgpass file is owned by gpadmin and is readable and writable by gpadmin only.

    $ chown gpadmin:gpadmin ~/.pgpass
    $ chmod 600 ~/.pgpass
    
  4. Restart Greenplum Command Center with the gpcmdr utility.

    $ gpcmdr --restart
    

If Command Center is installed on the Greenplum standby master host or on a remote host other than the Greenplum master, be sure to also update the .pgpass file on those hosts.
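Steps 2 and 3 can be scripted so that the file is never left half-written or group-readable. The following is an added example, not part of the Greenplum documentation or tooling; the function names are hypothetical, and it assumes entries in the format shown above (no escaped colons in the host, port or database fields).

```bash
#!/usr/bin/env bash
# Added example: rotate the gpmon password in a .pgpass file (steps 2 and 3).
# Run as gpadmin so the rewritten file stays owned by gpadmin.

# Escape a password for .pgpass: backslash and colon must be backslash-escaped.
pgpass_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/:/\\:/g'
}

# update_gpmon_pgpass FILE NEW_PASSWORD
# Rewrites the password field of every entry whose user field is gpmon.
# Returns 1 and leaves FILE untouched if no gpmon entry was found.
update_gpmon_pgpass() {
  local file=$1 tmp
  tmp=$(mktemp "$(dirname "$file")/.pgpass.XXXXXX") || return 1  # created 0600
  # Pass the value via the environment: awk -v would interpret backslashes.
  NEWPW=$(pgpass_escape "$2") awk -F: -v OFS=: '
    /^#/ { print; next }                              # keep comment lines
    NF >= 5 && $4 == "gpmon" { print $1, $2, $3, $4, ENVIRON["NEWPW"]; n++; next }
    { print }
    END { exit (n > 0 ? 0 : 3) }
  ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
  chmod 600 "$tmp" && mv -f "$tmp" "$file"            # rename over the old file
}

# pgpass_is_private FILE: true only if the mode is exactly rw------- (0600).
pgpass_is_private() {
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Demo on a constructed sample file (not a real credential store).
demo=$(mktemp -d)
printf '%s\n' '*:5432:gpperfmon:gpmon:changeme' > "$demo/.pgpass"
update_gpmon_pgpass "$demo/.pgpass" 'n3w:pa\ss' && cat "$demo/.pgpass"
pgpass_is_private "$demo/.pgpass" && echo "mode OK"
rm -rf "$demo"
```

The password given to ALTER ROLE in step 1 is the unescaped one; only the .pgpass copy carries the backslash escapes.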

Authenticating gpmon with Kerberos

If you authenticate Greenplum Database and Command Center users with Kerberos, you can also authenticate the gpmon user with Kerberos.

  1. On the KDC, create a keytab file containing the Kerberos principal for the gpmon user, just as you would for any Kerberos-authenticated client. Install the file on the Greenplum master and standby hosts.

  2. Update the entries for gpmon in the $MASTER_DATA_DIRECTORY/pg_hba.conf file to use the gss authentication method.

    host all gpmon 0.0.0.0/0 gss include_realm=0 krb_realm=GPDB.EXAMPLE.COM
    

    Note that local entries in pg_hba.conf cannot be authenticated with Kerberos. If there is a local entry for the gpmon user, it will use the .pgpass file to authenticate with the database. See The pg_hba.conf file in the PostgreSQL documentation for complete pg_hba.conf file documentation.

  3. Log in to the master host as gpadmin and authenticate the gpmon user.

    $ kinit gpmon
    
  4. Create the Kerberos-enabled Command Center Console instance. See Creating Greenplum Command Center Console Instances for steps to create an instance.