Securing a Greenplum Command Center Console Instance
A Greenplum Command Center Console instance can be secured by encrypting network traffic between the web server and users’ browsers, authenticating Command Center users, and managing users’ permissions to access Command Center features.
Greenplum Command Center supports SSL/TLS encryption to secure connections between browsers and the Command Center web server. When SSL is enabled, Command Center uses the WebSockets API, enabling long-lived, full-duplex connections, in addition to encryption.
To enable SSL, you should have a signed certificate for the Command Center web server in place when you create the Command Center instance. Place your certificate on the server where Command Center is installed, for example in the
/etc/ssl/certs directory of the Greenplum master host. You import the certificate when you create a Command Center instance with the
gpcmdr --setup command. The locations of the certificate and private key files are saved in the
$GPPERFMONHOME/instances/<instance_name>/webserver/conf/app.conf configuration file for the command center instance. See Command Center Console Parameters for details.
You can request a certificate from your organization’s internal certificate authority or a commercial certificate authority, or you can use a self-signed certificate you create yourself with a cryptography suite such as OpenSSL. If you create a self-signed certificate, note that clients will have to override a security warning when they first connect to the Command Center web server.
Users logging in to Greenplum Command Center are authenticated with the Greenplum Database host-based authentication system. Users can enter credentials as a user name and password or, if Kerberos authentication is configured, by authenticating with Kerberos on their workstation before browsing to the Command Center web server.
Note: Greenplum Command Center does not accept logins from the gpadmin user, or from local users configured with trust authentication in the
pg_hba.conf file. Allowing trust authentication for remote logins is discouraged because it is insecure.
Database users must first be added to the Greenplum Database by using commands such as
CREATE ROLE or
CREATE USER. The
LOGIN privilege is required. This example creates a login user with an encrypted password:
CREATE ROLE cc_user WITH LOGIN ENCRYPTED PASSWORD 'changeme';
pg_hba.conf configuration file determines how authentication will proceed. This file contains a list of entries that are compared to attributes of the user’s connection request, including the type of connection, network location of the originating host, database name, and login user name. When a match is found, the authentication method specified in the entry is applied.
pg_hba.conf file can be viewed by Operators and edited by Admins in the Command Center console on the Admin>Authentication page.
password authentication methods authenticate the user name and password with the Greenplum Database
pg_roles system table. The
md5 method requires the password to be MD5-encoded when sent over the network, so it is preferred over the
password method, which sends the password in clear text.
ldap authentication method authenticates the user name and password with an LDAP server. The LDAP server and parameters are specified in the options field of the
pg_hba.conf entry. See the PostgreSQL LDAP authentication documentation for the format of the LDAP options.
gss authentication method is used for Kerberos authentication. To use Kerberos with Command Center, Kerberos authentication must be enabled for the Greenplum Database system and the Command Center instance must also be configured. Users authenticate with the Kerberos KDC on their workstations (using
kinit, for example) before connecting to the Command Center web server. The role name in Command Center is the user’s Kerberos principal name.
For details about setting up Kerberos authentication, see Enabling Kerberos Authentication with Greenplum Command Center.
See the PostgreSQL Authentication methods documentation for additional details of the authentication options.
Command Center manages permission levels using Greenplum Database roles and groups. The Basic, Operator Basic, and Operator permission levels correspond to the
gpcc_operator group roles in the database. The Admin permission level is conferred to roles that have the
SUPERUSER privilege. A user who has not been added to any of the groups and does not have
SUPERUSER privilege has the most restrictive permission level, Self Only.
Greenplum Database superusers can manage permission levels on the Command Center Admin>Permissions page. Superusers can also directly assign users roles in the database by using the
ALTER GROUP, and related commands to add or remove users from groups and add or remove the
SUPERUSER privilege. If a role is configured for more than one permission level, Command Center uses the highest permission level.
Command Center users have the following capabilities, according to their permission levels:
Any Greenplum Database user successfully authenticated through the Greenplum Database authentication system can access Greenplum Command Center with Self Only permission. Higher permission levels are required to view and cancel other’s queries and to access the System and Admin Control Center screens.
Users with Basic permission are members of the Greenplum Database
Users with Operator Read-only permission are members of the Greenplum Database
Users with Operator permission are members of the Greenplum Database
Greenplum Database users with the
SUPERUSER privilege in Greenplum Database have Superuser permissions in Command Center.