Securing the gpmon Database User
The Greenplum Database gpmon role is a superuser role used to manage the gpperfmon database and to retrieve other information from Greenplum databases used in the Command Center interface. The Command Center installer creates the gpperfmon database and the gpmon database role if they do not already exist.
$MASTER_DATA_DIRECTORY/pg_hba.conf authentication file contains no entries for the gpmon role, the installer adds these entries:
local gpperfmon gpmon md5 host all gpmon 127.0.0.1/28 md5 host all gpmon ::1/128 md5 host all gpmon samenet md5
pg_hba.conf file already has one or more gpmon entries, the installer will add the
samenet entry if it is not already present. If
samenet does not work with your network configuration, you must manually edit the
pg_hba.conf file to allow gpmon access from all hosts in the cluster.
The Command Center Table Browser requires the
all entry in the database field to allow gpmon to retrieve table metadata and statistics from each database.
If you use a method other than
md5 to authenticate the gpmon role, such as LDAP or Kerberos, edit the
pg_hba.conf file manually to enable gpmon connections from all hosts and access to all databases.
If any of these entries are missing from
pg_hba.conf Command Center may fail to start, or some features may not work properly.
Administrators can view and update the
pg_hba.conf file in Command Center on the Admin> Authentication page. If you update the
pg_hba.conf outside of Command Center, be sure to use the
gpstop -u command to have Greenplum Database reload the file.
$ gpstop -u
If you run the
gpccinstall command with the
-W option, it prompts you to enter a password for the gpmon role. If you do not supply the
gpccinstall uses a default password. It adds the password to the
.pgpass file in the gpadmin user’s home directory. The entry in the
.pgpass file is similar to the following:
See The Password File in the PostgreSQL documentation for details about the
.pgpass file is required on the Greenplum Database master host to start the gpperfmon data collection agents. If you run Greenplum Command Center on the standby master host, you can copy the
.pgpass file to that host, or you can run the Command Center
gpcc management utility with the
-W option to request password entry each time you start or stop Command Center or request status.
To change the gpmon password, follow these steps:
Log in to Greenplum Database as a superuser and change the gpmon password with the
# ALTER ROLE gpmon WITH ENCRYPTED PASSWORD 'new_password';
On the Greenplum master host, update the password in the
.pgpassfile in the gpadmin home directory (
~/.pgpass). Replace the existing password in the line or lines for gpmon with the new password.
Ensure that the
.pgpassfile is owned by gpadmin and RW-accessible by gpadmin only.
$ chown gpadmin:gpadmin ~/.pgpass $ chmod 600 ~/.pgpass
Restart Greenplum Command Center with the
$ gpcc stop $ gpcc start
Be sure to also update the
.pgpass file on the standby master host.
If you authenticate Greenplum Database and Command Center users with Kerberos, you can also authenticate the gpmon user with Kerberos.
To prepare for installing Command Center with Kerberos authentication, follow these steps:
Create the gpperfmon database using the Greenplum Database
On the KDC, create a keytab file containing the Kerberos principal for the gpmon user, just as you would for any Kerberos-authenticated client. Install the file on the Greenplum master and standby hosts.
Update the entries for gpmon in the
$MASTER_DATA_DIRECTORY/pg_hba.conffile to use the
host all gpmon 0.0.0.0/0 gss include_realm=0 krb_realm=GPDB.EXAMPLE.COM
pg_hba.confcannot be authenticated with Kerberos. If there is a
localentry for the gpmon user, it will use the
.pgpassfile to authenticate with the database. See The pg_hba.conf file in the PostgreSQL documentation for complete
Log in to the master host as gpadmin and authenticate the gpmon user.
$ kinit gpmon
Install Greenplum Command Center to set up the Kerberos-enabled Command Center.